Feature/lab7 #3
Open
raaller wants to merge 5 commits into
Goal
Scan the OWASP Juice Shop v20.0.0 container image with Trivy, harden its Kubernetes deployment according to the Pod Security Standards restricted profile, restrict network access with a NetworkPolicy, and implement a Conftest policy that rejects insecure workloads before deployment.
Changes
- submissions/lab7.md: readOnlyRootFilesystem failure analysis and remediation
- labs/lab7/k8s/namespace.yaml: juice-shop namespace with enforce: restricted, warn: restricted, audit: restricted
- labs/lab7/k8s/serviceaccount.yaml: juice-shop-sa ServiceAccount
- labs/lab7/k8s/deployment.yaml: RuntimeDefault seccomp profile, emptyDir volumes for runtime data
- labs/lab7/k8s/networkpolicy.yaml: app=juice-shop, kube-system on UDP port 53
- labs/lab7/policies/pod-hardening.rego: runAsNonRoot: true, readOnlyRootFilesystem: true, allowPrivilegeEscalation: false, ALL capability set
Testing
Trivy image scan
Results:
Dockerfile misconfiguration scan
trivy config labs/lab7/results \
  --misconfig-scanners dockerfile \
  --file-patterns 'dockerfile:.*Dockerfile-bad$' \
  --severity HIGH,CRITICAL \
  --format table
Results:
Detected rule:
Conftest on the hardened Deployment
conftest test \
  labs/lab7/k8s/deployment.yaml \
  --policy labs/lab7/policies
Results:
Conftest on an intentionally insecure Deployment
conftest test \
  labs/lab7/results/bad-deployment.yaml \
  --policy labs/lab7/policies
Results:
The policy correctly rejected the insecure Deployment for:
Kubernetes deployment
Results:
Pod Security Admission profile:
Trivy Kubernetes scan
Aggregated workload results:
The Kubernetes vulnerability totals are doubled because the same pinned Juice Shop image is used by both the init container and the main application container:
Runtime issue and remediation
Enabling readOnlyRootFilesystem: true initially caused Juice Shop to enter CrashLoopBackOff.
Mounting empty emptyDir volumes directly over application directories hid the original files shipped inside the image, including files required during startup.
The final Deployment uses an init container to:
- emptyDir volumes;
This keeps the main container root filesystem read-only while allowing Juice Shop to start successfully.
Artifacts
- submissions/lab7.md
- labs/lab7/k8s/namespace.yaml
- labs/lab7/k8s/serviceaccount.yaml
- labs/lab7/k8s/deployment.yaml
- labs/lab7/k8s/networkpolicy.yaml
- labs/lab7/policies/pod-hardening.rego
Scanner-generated output under labs/lab7/results/ is intentionally not committed.
Checklist
- feat(labN): <topic> convention
- submissions/lab7.md
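The PR describes the four checks its pod-hardening.rego enforces but the policy itself is not shown; the following is an added illustrative Conftest policy (not the PR author's file) that expresses those checks and, as an extension, applies them to init containers as well as regular containers, since the description notes both run the same pinned image. It assumes Conftest's default package main and deny rule, and the rego.v1 syntax.

```rego
package main

import rego.v1

# Every container in the pod template, init containers included,
# so the same restrictions apply to both.
all_containers contains c if {
    some c in input.spec.template.spec.containers
}

all_containers contains c if {
    some c in input.spec.template.spec.initContainers
}

is_deployment if input.kind == "Deployment"

# A missing field is undefined in Rego, so "not ... == true" also
# catches containers that set no securityContext at all.
deny contains msg if {
    is_deployment
    some c in all_containers
    not c.securityContext.runAsNonRoot == true
    msg := sprintf("container %q must set securityContext.runAsNonRoot: true", [c.name])
}

deny contains msg if {
    is_deployment
    some c in all_containers
    not c.securityContext.readOnlyRootFilesystem == true
    msg := sprintf("container %q must set securityContext.readOnlyRootFilesystem: true", [c.name])
}

deny contains msg if {
    is_deployment
    some c in all_containers
    not c.securityContext.allowPrivilegeEscalation == false
    msg := sprintf("container %q must set securityContext.allowPrivilegeEscalation: false", [c.name])
}

# The restricted profile requires dropping the ALL capability set.
deny contains msg if {
    is_deployment
    some c in all_containers
    not "ALL" in c.securityContext.capabilities.drop
    msg := sprintf("container %q must drop the ALL capability set", [c.name])
}
```

Run it as in the PR with conftest test <manifest> --policy <dir>; a Deployment that omits securityContext entirely fails all four rules for each container.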