bug(kubernetes): KSV001 FP #6232

Closed · 2 tasks done

nikpivkin opened this issue Feb 29, 2024 · Discussed in #6152 · 0 comments · Fixed by aquasecurity/trivy-checks#86
Labels: kind/bug (categorizes issue or PR as related to a bug), target/kubernetes (issues relating to kubernetes cluster scanning)
Milestone: v0.50.0

nikpivkin (Contributor) wrote:

The logic of the rule needs to be corrected.

Testcase:

# Lives alongside the KSV001 check, so `deny` is the check's own rule.
# Only the "hello" container sets allowPrivilegeEscalation to true, so
# exactly one result is expected; "hello2" (false) must not be reported.
test_allow_privilege_escalation_set_to_false_allowed {
	r := deny with input as {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {"name": "hello-privilege-escalation"},
		"spec": {"containers": [
			{
				"command": [
					"sh",
					"-c",
					"echo 'Hello' && sleep 1h",
				],
				"image": "busybox",
				"name": "hello",
				"securityContext": {"allowPrivilegeEscalation": true},
			},
			{
				"command": [
					"sh",
					"-c",
					"echo 'Hello' && sleep 1h",
				],
				"image": "busybox",
				"name": "hello2",
				"securityContext": {"allowPrivilegeEscalation": false},
			},
		]},
	}
	count(r) == 1
}

Discussed in #6152

Originally posted by pfrydids February 17, 2024

Description

I have deployed version 2.26.0 of the ebs-csi-node helm chart.

trivy k8s daemonset/ebs-csi-node -n kube-system --compliance=k8s-nsa --report all | grep allowPrivilegeEscalation

results in

MEDIUM: Container 'ebs-plugin' of DaemonSet 'ebs-csi-node' should set 'securityContext.allowPrivilegeEscalation' to false
MEDIUM: Container 'liveness-probe' of DaemonSet 'ebs-csi-node' should set 'securityContext.allowPrivilegeEscalation' to false
MEDIUM: Container 'node-driver-registrar' of DaemonSet 'ebs-csi-node' should set 'securityContext.allowPrivilegeEscalation' to false

Which I think is due to it not differentiating between containers (only 1 container allows privilege escalation).

The net result is a compliance report which is reporting far too many violations.

I have focused on the allowPrivilegeEscalation but I think it applies to many others.

Desired Behavior

The command to return

MEDIUM: Container 'ebs-plugin' of DaemonSet 'ebs-csi-node' should set 'securityContext.allowPrivilegeEscalation' to false

Actual Behavior

MEDIUM: Container 'ebs-plugin' of DaemonSet 'ebs-csi-node' should set 'securityContext.allowPrivilegeEscalation' to false
MEDIUM: Container 'liveness-probe' of DaemonSet 'ebs-csi-node' should set 'securityContext.allowPrivilegeEscalation' to false
MEDIUM: Container 'node-driver-registrar' of DaemonSet 'ebs-csi-node' should set 'securityContext.allowPrivilegeEscalation' to false

Reproduction Steps

1. create an EKS cluster
2. helm repo add aws-ebs-csi-driver https://kubernetes-sigs.github.io/aws-ebs-csi-driver
3. helm repo update
4. helm upgrade --install aws-ebs-csi-driver \
    --namespace kube-system \
    aws-ebs-csi-driver/aws-ebs-csi-driver
5. trivy k8s daemonset/ebs-csi-node -n kube-system --compliance=k8s-nsa --report all | grep allowPrivilegeEscalation
...

Target

Kubernetes

Scanner

None

Output Format

None

Mode

None

Debug Output

N/A

Operating System

Linux

Version

Version: 0.49.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-02-16 12:10:36.125232797 +0000 UTC
  NextUpdate: 2024-02-16 18:10:36.125232236 +0000 UTC
  DownloadedAt: 2024-02-16 15:50:02.324521447 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-02-12 00:45:04.687521318 +0000 UTC
  NextUpdate: 2024-02-15 00:45:04.687521198 +0000 UTC
  DownloadedAt: 2024-02-12 09:56:34.090366145 +0000 UTC
Policy Bundle:
  Digest: sha256:73a2a1a91c421860d22f08b990a0ca28fee4ca1e1b45e0bdea14357867e31eb6
  DownloadedAt: 2024-02-16 15:50:03.057462809 +0000 UTC
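The false positive described above (one offending container causing a finding for every container in the workload) can be reproduced and contrasted with a per-container rule in a few lines of Rego. The block below is an added illustration, not the trivy-checks KSV001 source: the package name `example.ksv001_fp`, the rule names `deny_buggy` and `deny`, the helper `allows_privilege_escalation` and the message text are hypothetical, and the Pod document is constructed to mirror the test case in the issue. It assumes an OPA build that supports `import rego.v1`.

```rego
# Added illustration, not the trivy-checks KSV001 source. Package name,
# rule names, helper and messages are hypothetical.
package example.ksv001_fp

import rego.v1

# Constructed Pod spec mirroring the issue's test case: one container that
# allows privilege escalation and one that explicitly disables it.
pod := {
	"apiVersion": "v1",
	"kind": "Pod",
	"metadata": {"name": "hello-privilege-escalation"},
	"spec": {"containers": [
		{"name": "hello", "image": "busybox", "securityContext": {"allowPrivilegeEscalation": true}},
		{"name": "hello2", "image": "busybox", "securityContext": {"allowPrivilegeEscalation": false}},
	]},
}

# A container allows privilege escalation unless the field is explicitly
# false; Kubernetes defaults it to true when it is unset.
allows_privilege_escalation(container) if {
	not container.securityContext.allowPrivilegeEscalation == false
}

# Buggy shape (hypothetical): the container being reported and the container
# being checked are bound in separate iterations, so a single offending
# container yields one finding per container in the Pod.
deny_buggy contains msg if {
	some reported in input.spec.containers
	some checked in input.spec.containers
	allows_privilege_escalation(checked)
	msg := sprintf("Container '%s' should set 'securityContext.allowPrivilegeEscalation' to false", [reported.name])
}

# Corrected shape: the container that is checked is the container that is
# reported, so only "hello" produces a finding.
deny contains msg if {
	some container in input.spec.containers
	allows_privilege_escalation(container)
	msg := sprintf("Container '%s' should set 'securityContext.allowPrivilegeEscalation' to false", [container.name])
}

# Run with: opa test . -v
test_buggy_rule_reports_every_container if {
	count(deny_buggy) == 2 with input as pod
}

test_fixed_rule_reports_only_offending_container if {
	deny == {"Container 'hello' should set 'securityContext.allowPrivilegeEscalation' to false"} with input as pod
}
```

The second test is the same assertion as the issue's `count(r) == 1`, stated on the exact message set so a regression that reports the wrong container name (rather than the wrong number of containers) is also caught. Note that a container with `allowPrivilegeEscalation` left unset is reported by both rule shapes, which is the intended behaviour of the check, not the false positive discussed here.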

nikpivkin added the kind/bug and target/kubernetes labels on Feb 29, 2024.
simar7 added this to the v0.50.0 milestone on Mar 1, 2024.