diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index 20a6cca48a..abe6317652 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -18,6 +18,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427)
 - Update AWS Secrets Manager service metadata to new format [(#9408)](https://github.com/prowler-cloud/prowler/pull/9408)
 - Improve SageMaker service tag retrieval with parallel execution [(#9609)](https://github.com/prowler-cloud/prowler/pull/9609)
+- Update Kubernetes Core service metadata to new format [(#9676)](https://github.com/prowler-cloud/prowler/pull/9676)
+ ---
diff --git a/prowler/providers/kubernetes/services/core/core_minimize_admission_hostport_containers/core_minimize_admission_hostport_containers.metadata.json b/prowler/providers/kubernetes/services/core/core_minimize_admission_hostport_containers/core_minimize_admission_hostport_containers.metadata.json
index 5606c20d60..9a19a31adf 100644
--- a/prowler/providers/kubernetes/services/core/core_minimize_admission_hostport_containers/core_minimize_admission_hostport_containers.metadata.json
+++ b/prowler/providers/kubernetes/services/core/core_minimize_admission_hostport_containers/core_minimize_admission_hostport_containers.metadata.json
@@ -1,30 +1,40 @@
 {
 "Provider": "kubernetes",
 "CheckID": "core_minimize_admission_hostport_containers",
- "CheckTitle": "Minimize the admission of containers which use HostPorts",
+ "CheckTitle": "Pod does not use HostPorts",
 "CheckType": [],
 "ServiceName": "core",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "KubernetesPod",
- "Description": "This check ensures that Kubernetes clusters are configured to minimize the admission of containers that require the use of HostPorts. This helps maintain network policy controls and reduce security risks.",
- "Risk": "Permitting containers with HostPorts can bypass network policy controls, increasing the risk of unauthorized network access.",
- "RelatedUrl": "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+ "ResourceType": "Pod",
+ "Description": "**Kubernetes Pods** are inspected for any container declaring `ports[].hostPort`. The finding highlights workloads that bind container ports directly to the node's network stack via **HostPorts**.",
+ "Risk": "Using **HostPorts** exposes Pods on node IPs outside centralized Service/Ingress controls. Attackers can directly probe and access workloads (**confidentiality/integrity**). Port conflicts or saturation on nodes can disrupt traffic (**availability**). 
Network segmentation and some policies may be less effective.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://artifacthub.io/packages/kyverno/kyverno-policies/disallow-host-ports",
+ "https://kyverno.io/policies/pod-security/baseline/disallow-host-ports/disallow-host-ports/",
+ "https://developer.squareup.com/blog/kubernetes-pod-security-policies/",
+ "https://github.com/chipzoller/kyverno-pss",
+ "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+ "https://www.armosec.io/glossary/pod-security-standards/",
+ "https://praneethreddybilakanti.medium.com/kubernetes-security-8af03eb1d11d"
+ ],
 "Remediation": {
 "Code": {
 "CLI": "",
- "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/bc_k8s_25#kubernetes",
- "Other": "",
- "Terraform": ""
+ "NativeIaC": "",
+ "Other": "1. Open your Kubernetes Dashboard and go to Workloads\n2. Select the affected Deployment/DaemonSet/StatefulSet (or Pod) and click Edit\n3. In the YAML, remove every `hostPort` field under `spec.template.spec.containers[].ports[]` (or `spec.containers[]` for a standalone Pod)\n4. Save the changes; allow the workload to restart\n5. Verify the new Pods have no `hostPort` defined",
+ "Terraform": "```hcl\nresource \"kubernetes_pod\" \"\" {\n metadata { name = \"\" }\n spec {\n container {\n name = \"\"\n image = \"nginx\"\n # Critical: do NOT set host_port; omitting it ensures no host port is used\n port { container_port = 80 }\n }\n }\n}\n```"
 },
 "Recommendation": {
- "Text": "Limit the use of HostPorts in Kubernetes containers to maintain network security.",
- "Url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/"
+ "Text": "Avoid `hostPort`; publish services via **ClusterIP** with **Ingress/LoadBalancer**. Enforce admission policies to deny `hostPort` by default, permitting only a narrowly justified allowlist. 
Apply **least privilege** network rules, segment nodes, and monitor for unexpected host port bindings as **defense in depth**.",
+ "Url": "https://hub.prowler.com/check/core_minimize_admission_hostport_containers"
 }
 },
 "Categories": [
- "internet-exposed"
+ "internet-exposed",
+ "trust-boundaries"
 ],
 "DependsOn": [],
 "RelatedTo": [],
diff --git a/prowler/providers/kubernetes/services/core/core_minimize_admission_windows_hostprocess_containers/core_minimize_admission_windows_hostprocess_containers.metadata.json b/prowler/providers/kubernetes/services/core/core_minimize_admission_windows_hostprocess_containers/core_minimize_admission_windows_hostprocess_containers.metadata.json
index ed0a577d6d..95b2dbbc55 100644
--- a/prowler/providers/kubernetes/services/core/core_minimize_admission_windows_hostprocess_containers/core_minimize_admission_windows_hostprocess_containers.metadata.json
+++ b/prowler/providers/kubernetes/services/core/core_minimize_admission_windows_hostprocess_containers/core_minimize_admission_windows_hostprocess_containers.metadata.json
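Review bot: The new `Remediation.Code.Terraform` value declares `resource "kubernetes_pod" "" {` with `metadata { name = "" }`; an empty resource label is not a valid HCL identifier and an empty `metadata.name` is rejected by the API server, so the example does not validate even as a starting point. The same blank labels recur in the hostprocess, added_capabilities, capabilities_assigned, hostIPC, hostNetwork and hostPID hunks of this commit, while the allowPrivilegeEscalation hunk already uses `"main"`. Consider `resource "kubernetes_pod" "example" {` and `name = "<pod-name>"` (placeholder) throughout, and likewise a `<deployment-name>` argument and `"name":"<container-name>"` in the two `kubectl patch` commands (added_capabilities and capabilities_assigned), which currently have no deployment name between `deployment` and the next flag and so cannot run as written.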
@@ -1,26 +1,33 @@
 {
 "Provider": "kubernetes",
 "CheckID": "core_minimize_admission_windows_hostprocess_containers",
- "CheckTitle": "Minimize the admission of Windows HostProcess Containers",
+ "CheckTitle": "Pod does not allow Windows HostProcess containers",
 "CheckType": [],
 "ServiceName": "core",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "KubernetesPod",
- "Description": "This check ensures that Kubernetes clusters are configured to minimize the admission of Windows containers with the hostProcess flag set to true, thus reducing the risk of privilege escalation and security breaches.",
- "Risk": "Allowing Windows containers with hostProcess can lead to increased security risks due to privileged access to Windows nodes.",
- "RelatedUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/",
+ "ResourceType": "Pod",
+ "Description": "Pods are evaluated for Windows settings where `securityContext.windowsOptions.hostProcess` is set to `true`, indicating they can run **Windows HostProcess containers**.",
+ "Risk": "Enabling **HostProcess** grants containers direct access to the Windows node, eroding isolation. Attackers can read node data, tamper with services, capture credentials, and pivot across the cluster, impacting **confidentiality**, **integrity**, and **availability**.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://kyverno.io/policies/pod-security/baseline/disallow-host-process/disallow-host-process/",
+ "https://github.com/kubernetes/enhancements/issues/2579",
+ "https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/",
+ "https://hub.armosec.io/docs/c-0202",
+ "https://learn.microsoft.com/en-us/azure/aks/cis-kubernetes"
+ ],
 "Remediation": {
 "Code": {
 "CLI": "",
- "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/bc_k8s_1#kubernetes",
- "Other": "",
- "Terraform": ""
+ "NativeIaC": "",
+ "Other": "1. 
Open your Kubernetes GUI (for example, Kubernetes Dashboard)\n2. Go to Workloads > Deployments/DaemonSets/StatefulSets (edit the owner of the Pod, not the Pod itself)\n3. Select the workload that creates the failing Pod and click Edit\n4. For each affected container, set: securityContext.windowsOptions.hostProcess to false (or remove the hostProcess field)\n5. Save the change to trigger a rollout; new Pods will be created without HostProcess\n6. Verify new Pods no longer contain securityContext.windowsOptions.hostProcess: true",
+ "Terraform": "```hcl\nresource \"kubernetes_pod\" \"\" {\n metadata { name = \"\" }\n spec {\n container {\n name = \"\"\n image = \"busybox\"\n security_context {\n windows_options {\n host_process = false # critical: disables Windows HostProcess for this container\n }\n }\n }\n }\n}\n```"
 },
 "Recommendation": {
- "Text": "Restrict the use of Windows HostProcess containers unless essential for their operation.",
- "Url": "https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/"
+ "Text": "Disallow `hostProcess:true` by default using policy-based admission aligned with **Pod Security Standards**. Permit only in tightly controlled contexts; apply **least privilege**, dedicated namespaces, and restricted service accounts; enforce **separation of duties** and monitor usage.",
+ "Url": "https://hub.prowler.com/check/core_minimize_admission_windows_hostprocess_containers"
 }
 },
 "Categories": [
diff --git a/prowler/providers/kubernetes/services/core/core_minimize_allowPrivilegeEscalation_containers/core_minimize_allowPrivilegeEscalation_containers.metadata.json b/prowler/providers/kubernetes/services/core/core_minimize_allowPrivilegeEscalation_containers/core_minimize_allowPrivilegeEscalation_containers.metadata.json
index 89771c9a65..b3cf712cce 100644
--- a/prowler/providers/kubernetes/services/core/core_minimize_allowPrivilegeEscalation_containers/core_minimize_allowPrivilegeEscalation_containers.metadata.json
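Review bot: Step 4 of the new `Remediation.Code.Other` text only covers the container-level `securityContext.windowsOptions.hostProcess`, but Kubernetes also accepts the field at Pod level under `spec.securityContext.windowsOptions.hostProcess`, and containers that do not set their own value inherit it; clearing only the container field leaves such a Pod running HostProcess containers. Add a step along the lines of `Also set spec.securityContext.windowsOptions.hostProcess to false (or remove it) at the Pod level, since containers inherit that value`. The Description would be clearer if it stated that both levels are inspected, assuming the check does so; I cannot see the check implementation from this hunk.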
+++ b/prowler/providers/kubernetes/services/core/core_minimize_allowPrivilegeEscalation_containers/core_minimize_allowPrivilegeEscalation_containers.metadata.json 
@@ -1,26 +1,34 @@
 {
 "Provider": "kubernetes",
 "CheckID": "core_minimize_allowPrivilegeEscalation_containers",
- "CheckTitle": "Minimize the admission of containers with allowPrivilegeEscalation",
+ "CheckTitle": "Pod does not allow privilege escalation in any container",
 "CheckType": [],
 "ServiceName": "core",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "KubernetesPod",
- "Description": "This check ensures that Kubernetes clusters are configured to minimize the admission of containers that have the allowPrivilegeEscalation flag set to true, preventing processes within containers from gaining additional privileges.",
- "Risk": "Allowing containers with allowPrivilegeEscalation can lead to elevated privileges within the container's context, posing a security risk.",
- "RelatedUrl": "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+ "ResourceType": "Pod",
+ "Description": "**Kubernetes pods** are evaluated for containers that enable `allowPrivilegeEscalation`. The finding highlights pods where any container permits processes to gain extra privileges; pods whose containers set `allowPrivilegeEscalation: false` are noted as not allowing escalation.",
+ "Risk": "Allowing privilege escalation lets processes acquire elevated rights, undermining container isolation. 
Attackers can abuse setuid paths and capabilities to tamper with workloads (**integrity**), read sensitive data (**confidentiality**), pivot within the cluster, or disrupt services (**availability**).",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
+ "https://docs.starlingx.io/r/stx.7.0/security/kubernetes/pod-security-admission-controller-8e9e6994100f.html",
+ "https://www.apptio.com/topics/kubernetes/best-practices/pod-security-admission/",
+ "https://support.icompaas.com/support/solutions/articles/62000234205-minimize-the-admission-of-containers-with-allowprivilegeescalation",
+ "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+ "https://www.wiz.io/academy/kubernetes-security-context-best-practices"
+ ],
 "Remediation": {
 "Code": {
 "CLI": "",
- "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/bc_k8s_19#kubernetes",
- "Other": "",
- "Terraform": ""
+ "NativeIaC": "",
+ "Other": "1. Open your Kubernetes Dashboard (or your cloud provider's Kubernetes console) and locate the workload managing the failing Pod (Deployment/StatefulSet/DaemonSet)\n2. Click Edit to modify the manifest (YAML)\n3. For each container with securityContext.allowPrivilegeEscalation: true, set it to false (or add allowPrivilegeEscalation: false under securityContext)\n4. Save/Apply the changes to trigger a rollout\n5. 
Verify new Pods have securityContext.allowPrivilegeEscalation set to false",
+ "Terraform": "```hcl\nresource \"kubernetes_pod\" \"main\" {\n metadata {\n name = \"\"\n }\n spec {\n container {\n name = \"app\"\n image = \"nginx\"\n security_context {\n allow_privilege_escalation = false # Critical: explicitly disable privilege escalation for the container\n }\n }\n }\n}\n```"
 },
 "Recommendation": {
- "Text": "Restrict the use of allowPrivilegeEscalation in containers through admission control policies.",
- "Url": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/"
+ "Text": "Set `allowPrivilegeEscalation: false` by default and apply **least privilege**:\n- run as non-root; drop caps (`drop: [\"ALL\"]`)\n- avoid `privileged`; use `readOnlyRootFilesystem`\n- enforce via namespace admission policies (e.g., PSA/OPA) and monitor exceptions",
+ "Url": "https://hub.prowler.com/check/core_minimize_allowPrivilegeEscalation_containers"
 }
 },
 "Categories": [
diff --git a/prowler/providers/kubernetes/services/core/core_minimize_containers_added_capabilities/core_minimize_containers_added_capabilities.metadata.json b/prowler/providers/kubernetes/services/core/core_minimize_containers_added_capabilities/core_minimize_containers_added_capabilities.metadata.json
index 9adfd92311..651277ae3d 100644
--- a/prowler/providers/kubernetes/services/core/core_minimize_containers_added_capabilities/core_minimize_containers_added_capabilities.metadata.json
+++ b/prowler/providers/kubernetes/services/core/core_minimize_containers_added_capabilities/core_minimize_containers_added_capabilities.metadata.json
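Review bot: The new Description says containers that set `allowPrivilegeEscalation: false` are treated as not allowing escalation, but it never states how a container that leaves the field unset is classified, which is the common case; step 3 of `Remediation.Code.Other` ("or add allowPrivilegeEscalation: false") implies unset counts as a finding, as the Pod Security Standards Restricted profile does. If that is the check's behaviour, say so in the Description, e.g. `Containers that omit the field are treated as allowing escalation, since the kubelet only sets no_new_privs when it is explicitly false.` I cannot see the check implementation from this hunk, so confirm before wording it as fact.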
@@ -1,26 +1,29 @@
 {
 "Provider": "kubernetes",
 "CheckID": "core_minimize_containers_added_capabilities",
- "CheckTitle": "Minimize the admission of containers with added capabilities",
+ "CheckTitle": "Pod has no containers with added capabilities",
 "CheckType": [],
 "ServiceName": "core",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "KubernetesPod",
- "Description": "This check ensures that Kubernetes clusters are configured to minimize the admission of containers with capabilities assigned beyond the default set, mitigating the risks of container breakout attacks.",
- "Risk": "Allowing containers with additional capabilities increases the risk of security breaches and container breakout attacks.",
- "RelatedUrl": "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+ "ResourceType": "Pod",
+ "Description": "Kubernetes Pods and containers are evaluated for **added Linux capabilities** via `capabilities.add` in their security context; presence of added entries indicates elevated privileges beyond defaults.",
+ "Risk": "Extra capabilities expand the container's kernel-level permissions, enabling actions like raw socket use, file ownership changes, and mount operations. Compromise could enable node access, lateral movement, or tampering with workloads, impacting **confidentiality**, **integrity**, and **availability**.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://kubernetes.io/docs/concepts/security/pod-security-standards/"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "",
+ "CLI": "kubectl patch deployment -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"\",\"securityContext\":{\"capabilities\":{\"add\":[]}}}]}}}}'",
 "NativeIaC": "",
- "Other": "",
- "Terraform": ""
+ "Other": "1. Open the manifest for the workload creating the Pod (e.g., Deployment/StatefulSet/DaemonSet)\n2. 
In spec.template.spec.containers[*].securityContext.capabilities, delete all 'add' entries (remove the entire 'add' list)\n3. Save and apply the change (kubectl apply or use your GitOps pipeline); the controller will roll out updated Pods\n4. If it is a standalone Pod, delete and recreate it without the capabilities.add field",
+ "Terraform": "```hcl\nresource \"kubernetes_pod\" \"\" {\n metadata {\n name = \"\"\n }\n spec {\n container {\n name = \"\"\n image = \"nginx\"\n # Critical: do not set security_context.capabilities.add\n # This ensures no added Linux capabilities, making the check PASS.\n }\n }\n}\n```"
 },
 "Recommendation": {
- "Text": "Restrict the addition of extra capabilities to containers through admission control policies.",
- "Url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/"
+ "Text": "Apply **least privilege**: require containers to `drop: ALL` and avoid `capabilities.add` except when strictly justified (e.g., `NET_BIND_SERVICE`). Enforce with **admission policies** and separation of duties. Combine with **seccomp/AppArmor** and non-root execution for **defense in depth**.",
+ "Url": "https://hub.prowler.com/check/core_minimize_containers_added_capabilities"
 }
 },
 "Categories": [
diff --git a/prowler/providers/kubernetes/services/core/core_minimize_containers_capabilities_assigned/core_minimize_containers_capabilities_assigned.metadata.json b/prowler/providers/kubernetes/services/core/core_minimize_containers_capabilities_assigned/core_minimize_containers_capabilities_assigned.metadata.json
index 96805f8001..e51362027c 100644
--- a/prowler/providers/kubernetes/services/core/core_minimize_containers_capabilities_assigned/core_minimize_containers_capabilities_assigned.metadata.json
+++ b/prowler/providers/kubernetes/services/core/core_minimize_containers_capabilities_assigned/core_minimize_containers_capabilities_assigned.metadata.json
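Review bot: The Terraform example in the new `Remediation.Code.Terraform` value passes this check by omitting `security_context` entirely, but the `core_minimize_containers_capabilities_assigned` hunk in this same commit reports a finding whenever a container does not drop `ALL`, so a user who copies this example fixes one finding and keeps the other. The two remediations would agree if the container block also carried `security_context {`, `  capabilities { drop = ["ALL"] }`, `}`, matching what the Recommendation text on this same hunk already asks for (`drop: ALL`).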
@@ -1,26 +1,29 @@
 {
 "Provider": "kubernetes",
 "CheckID": "core_minimize_containers_capabilities_assigned",
- "CheckTitle": "Minimize the admission of containers with capabilities assigned",
+ "CheckTitle": "Pod containers have no added Linux capabilities and include capability drops when capabilities are defined",
 "CheckType": [],
 "ServiceName": "core",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "KubernetesPod",
- "Description": "This check ensures that Kubernetes clusters are configured to minimize the admission of containers with Linux capabilities assigned, adhering to the principle of least privilege and reducing the risk of privilege escalation.",
- "Risk": "Assigning unnecessary Linux capabilities to containers increases the risk of privilege escalation and security breaches.",
- "RelatedUrl": "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+ "ResourceType": "Pod",
+ "Description": "Pods are inspected for container **Linux capabilities**. 
A finding occurs when any container sets capabilities in `add` or does not fully `drop` them (e.g., missing `ALL`), indicating capabilities are assigned instead of removed.",
+ "Risk": "Retained or added **Linux capabilities** enable privilege escalation and container escape.\n- Confidentiality: packet capture and secret access\n- Integrity: filesystem mounts or process tampering\n- Availability: killing services or altering networking",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://kubernetes.io/docs/concepts/security/pod-security-standards/"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "",
- "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/bc_k8s_34#kubernetes",
- "Other": "",
- "Terraform": ""
+ "CLI": "kubectl patch deployment -n --type=merge -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"\",\"securityContext\":{\"capabilities\":{\"drop\":[\"ALL\"],\"add\":[]}}}]}}}}'",
+ "NativeIaC": "",
+ "Other": "1. Open your Kubernetes UI (e.g., Kubernetes Dashboard or your cloud provider's console)\n2. Navigate to the workload (Deployment/StatefulSet/DaemonSet) that runs the failing Pod\n3. Click Edit YAML (or equivalent)\n4. For each affected container, set:\n - spec.template.spec.containers[].securityContext.capabilities.drop: [\"ALL\"]\n - Ensure spec.template.spec.containers[].securityContext.capabilities.add is removed or set to an empty list\n5. 
Save to apply and trigger a rollout",
+ "Terraform": "```hcl\nresource \"kubernetes_pod\" \"\" {\n metadata { name = \"\" }\n spec {\n container {\n name = \"\"\n image = \"nginx:stable-alpine\"\n security_context {\n capabilities {\n drop = [\"ALL\"] # Critical: drop all Linux capabilities to satisfy the check\n # No 'add' specified to ensure no capabilities are added\n }\n }\n }\n }\n}\n```"
 },
 "Recommendation": {
- "Text": "Restrict the assignment of Linux capabilities to containers unless essential for their operation.",
- "Url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/"
+ "Text": "Apply **least privilege**: drop `ALL` capabilities and avoid using `add`.\n\nOnly reintroduce a minimal capability when absolutely required, and isolate such pods via defense-in-depth: strict RBAC, `seccomp` RuntimeDefault, AppArmor, network policies, dedicated namespaces/nodes, and admission controls to enforce policy.",
+ "Url": "https://hub.prowler.com/check/core_minimize_containers_capabilities_assigned"
 }
 },
 "Categories": [
diff --git a/prowler/providers/kubernetes/services/core/core_minimize_hostIPC_containers/core_minimize_hostIPC_containers.metadata.json b/prowler/providers/kubernetes/services/core/core_minimize_hostIPC_containers/core_minimize_hostIPC_containers.metadata.json
index 4dcadadb94..015e83a467 100644
--- a/prowler/providers/kubernetes/services/core/core_minimize_hostIPC_containers/core_minimize_hostIPC_containers.metadata.json
+++ b/prowler/providers/kubernetes/services/core/core_minimize_hostIPC_containers/core_minimize_hostIPC_containers.metadata.json
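Review bot: The new `Remediation.Code.CLI` command passes `--type=merge`, which selects an RFC 7386 JSON merge patch; that patch type replaces the whole `containers` list with the single element given, instead of merging by `name`, so applying it would drop `image` and every other field of the existing containers and break the rollout. Removing `--type=merge` falls back to kubectl's default strategic merge patch, which merges `containers` by `name`: `kubectl patch deployment <deployment-name> -n <namespace> -p '{...}'` (placeholders, JSON payload unchanged). As written `-n` is also followed by no namespace value. Separately, the CheckTitle ("include capability drops when capabilities are defined") reads as if any `drop` entry suffices, while the Description says a finding occurs unless `ALL` is dropped; align the two with whichever the check implements.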
@@ -1,30 +1,39 @@
 {
 "Provider": "kubernetes",
 "CheckID": "core_minimize_hostIPC_containers",
- "CheckTitle": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "CheckTitle": "Pod does not use the host IPC namespace",
 "CheckType": [],
 "ServiceName": "core",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "KubernetesPod",
- "Description": "This check ensures that Kubernetes clusters are configured to minimize the admission of containers that share the host's IPC namespace. Containers with hostIPC can interact with processes outside of the container, potentially leading to security risks.",
- "Risk": "Allowing containers to share the host's IPC namespace without strict control can lead to security risks and potential privilege escalations.",
- "RelatedUrl": "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+ "ResourceType": "Pod",
+ "Description": "**Kubernetes pods** are evaluated for use of the host's IPC namespace via the `hostIPC` setting. Workloads declaring `hostIPC: true` share node IPC resources (shared memory, semaphores, message queues) instead of isolated container IPC.",
+ "Risk": "Sharing the host IPC namespace erodes isolation, exposing host shared memory and semaphores. 
A compromised pod could snoop or tamper with IPC objects, leading to data disclosure, integrity violations, privilege escalation, and lateral movement across workloads.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://medium.com/@benson.philemon/pod-security-standards-restricted-profile-the-fort-knox-of-kubernetes-security-essential-c2ba15dd5250",
+ "https://blog.techiescamp.com/kubernetes-pod-security-standards/",
+ "https://support.icompaas.com/support/solutions/articles/62000234627-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace",
+ "https://k8s-security.geek-kb.com/docs/best_practices/cluster_setup_and_hardening/pod_security/container_escape_mitigation/",
+ "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+ "https://avd.aquasec.com/compliance/kubernetes/rke-cis-1.24/rke-cis-1.24-policies/5.2/"
+ ],
 "Remediation": {
 "Code": {
 "CLI": "",
- "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/bc_k8s_3#kubernetes",
- "Other": "",
- "Terraform": ""
+ "NativeIaC": "",
+ "Other": "1. Open your cluster UI (Kubernetes Dashboard or cloud provider console) and locate the failing workload (Pod/Deployment/StatefulSet)\n2. Click Edit YAML/Manifest\n3. Set the field to disable host IPC:\n - For a Pod: spec.hostIPC: false (or remove hostIPC if present)\n - For controllers: spec.template.spec.hostIPC: false (or remove hostIPC if present)\n4. Save the change to trigger a rollout\n5. 
If it is a standalone Pod (not managed by a controller), delete and recreate the Pod so the new spec takes effect",
+ "Terraform": "```hcl\nresource \"kubernetes_pod\" \"\" {\n metadata {\n name = \"\"\n }\n spec {\n host_ipc = false # Critical: disables host IPC namespace to pass the check\n\n container {\n name = \"app\"\n image = \"nginx\"\n }\n }\n}\n```"
 },
 "Recommendation": {
- "Text": "Restrict the use of hostIPC in containers through admission control policies.",
- "Url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/"
+ "Text": "Disallow `hostIPC` with **Pod Security Admission** enforcing **Pod Security Standards** (Baseline/Restricted) or equivalent policy engines. Apply **least privilege** and defense in depth: keep IPC namespaces isolated, grant tightly scoped exceptions only, and prefer app-level messaging or Services over host IPC.",
+ "Url": "https://hub.prowler.com/check/core_minimize_hostIPC_containers"
 }
 },
 "Categories": [
- "container-security"
+ "container-security",
+ "trust-boundaries"
 ],
 "DependsOn": [],
 "RelatedTo": [],
diff --git a/prowler/providers/kubernetes/services/core/core_minimize_hostNetwork_containers/core_minimize_hostNetwork_containers.metadata.json b/prowler/providers/kubernetes/services/core/core_minimize_hostNetwork_containers/core_minimize_hostNetwork_containers.metadata.json
index 1b660e7267..ef1d5f2b33 100644
--- a/prowler/providers/kubernetes/services/core/core_minimize_hostNetwork_containers/core_minimize_hostNetwork_containers.metadata.json
+++ b/prowler/providers/kubernetes/services/core/core_minimize_hostNetwork_containers/core_minimize_hostNetwork_containers.metadata.json
@@ -1,30 +1,34 @@
 {
 "Provider": "kubernetes",
 "CheckID": "core_minimize_hostNetwork_containers",
- "CheckTitle": "Minimize the admission of containers wishing to share the host network namespace",
+ "CheckTitle": "Pod does not use hostNetwork",
 "CheckType": [],
 "ServiceName": "core",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "KubernetesPod",
- "Description": "This check ensures that Kubernetes clusters are configured to minimize the admission of containers that share the host's network namespace. Containers with hostNetwork can access local network traffic and other pods, potentially leading to security risks.",
- "Risk": "Allowing containers to share the host's network namespace without strict control can lead to security risks and potential network breaches.",
- "RelatedUrl": "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+ "ResourceType": "Pod",
+ "Description": "Pods configured with `hostNetwork: true` are identified, meaning they share the node's network namespace and use the host's IP stack, interfaces, and ports.",
+ "Risk": "Using the **host network namespace** exposes node-local interfaces and traffic to the pod. A compromise can enable packet capture and request spoofing (**C/I**), access to node services (e.g., kubelet), and port binding conflicts, causing outages (**A**) and enabling **lateral movement** across the cluster.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://kubernetes.io/docs/concepts/security/pod-security-standards/"
+ ],
 "Remediation": {
 "Code": {
 "CLI": "",
- "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/bc_k8s_4#kubernetes",
- "Other": "",
- "Terraform": ""
+ "NativeIaC": "",
+ "Other": "1. Open Kubernetes Dashboard\n2. 
For controller-managed workloads (Deployment/DaemonSet/StatefulSet):\n - Go to Workloads > select the workload > Edit\n - In the Pod template, set spec.template.spec.hostNetwork to false or remove the field\n - Save to roll out new Pods\n3. For standalone Pods:\n - Go to Workloads > Pods > select the Pod > Delete\n - Click Create > upload the Pod YAML without hostNetwork (or with hostNetwork: false) and create the Pod",
+ "Terraform": "```hcl\nresource \"kubernetes_pod\" \"\" {\n metadata {\n name = \"\"\n }\n spec {\n host_network = false # Critical: disables hostNetwork so the Pod passes the check\n container {\n name = \"ct\"\n image = \"nginx\"\n }\n }\n}\n```"
 },
 "Recommendation": {
- "Text": "Restrict the use of hostNetwork in containers through admission control policies.",
- "Url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/"
+ "Text": "Disallow `hostNetwork` by default. Enforce **least privilege** with admission policies that block it, allowing narrowly scoped exceptions only for trusted system workloads. Prefer standard pod networking with **NetworkPolicies**, and isolate node services for **defense in depth**.",
+ "Url": "https://hub.prowler.com/check/core_minimize_hostNetwork_containers"
 }
 },
 "Categories": [
- "container-security"
+ "container-security",
+ "trust-boundaries"
 ],
 "DependsOn": [],
 "RelatedTo": [],
diff --git a/prowler/providers/kubernetes/services/core/core_minimize_hostPID_containers/core_minimize_hostPID_containers.metadata.json b/prowler/providers/kubernetes/services/core/core_minimize_hostPID_containers/core_minimize_hostPID_containers.metadata.json
index ee5b3f92be..df073e2455 100644
--- a/prowler/providers/kubernetes/services/core/core_minimize_hostPID_containers/core_minimize_hostPID_containers.metadata.json
+++ b/prowler/providers/kubernetes/services/core/core_minimize_hostPID_containers/core_minimize_hostPID_containers.metadata.json
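Review bot: The new Risk text abbreviates the impact categories as `(**C/I**)` and `(**A**)`, whereas every other metadata file in this commit spells them out (`**confidentiality**`, `**integrity**`, `**availability**`), so the rendered finding text is inconsistent across the Kubernetes Core checks. Suggest `A compromise can enable packet capture and request spoofing (**confidentiality/integrity**), access to node services (e.g., kubelet), and port binding conflicts, causing outages (**availability**) and enabling **lateral movement** across the cluster.`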
@@ -1,30 +1,34 @@
 {
 "Provider": "kubernetes",
 "CheckID": "core_minimize_hostPID_containers",
- "CheckTitle": "Minimize the admission of containers wishing to share the host process ID namespace",
+ "CheckTitle": "Pod does not use the host PID namespace",
 "CheckType": [],
 "ServiceName": "core",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "KubernetesPod",
- "Description": "This check ensures that Kubernetes clusters are configured to minimize the admission of containers that share the host's process ID namespace. Containers with hostPID can inspect and interact with processes outside of the container, potentially leading to privilege escalation.",
- "Risk": "Allowing containers to share the host's PID namespace without strict control can lead to security risks and potential privilege escalations.",
- "RelatedUrl": "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+ "ResourceType": "Pod",
+ "Description": "**Kubernetes Pods** configured with `hostPID: true` are identified, indicating the container shares the node's **host PID namespace**.",
+ "Risk": "Sharing the **host PID namespace** erodes isolation: containers can list host processes and read `/proc` metadata, enabling **credential exposure**, **privilege escalation**, and **lateral movement**. Limited process interaction can also threaten **integrity** and **availability**.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://kubernetes.io/docs/concepts/security/pod-security-standards/"
+ ],
 "Remediation": {
 "Code": {
 "CLI": "",
- "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/bc_k8s_1#kubernetes",
- "Other": "",
- "Terraform": ""
+ "NativeIaC": "",
+ "Other": "1. Identify the workload that owns the failing Pod (Deployment/DaemonSet/StatefulSet/Job) or confirm it is a standalone Pod\n2. 
Edit the manifest of the owning workload (or the Pod) and set/remove the field so it is not true:\n - In Pod spec: set `hostPID: false` or delete the `hostPID` line\n - For controllers: set `spec.template.spec.hostPID: false` or delete the line\n3. Apply the change (kubectl apply) and allow the workload to restart Pods so they no longer use hostPID",
+ "Terraform": "```hcl\nresource \"kubernetes_pod\" \"\" {\n metadata {\n name = \"\"\n }\n spec {\n host_pid = false # Critical: disables host PID namespace to pass the check\n container {\n name = \"app\"\n image = \"nginx\"\n }\n }\n}\n```"
 },
 "Recommendation": {
- "Text": "Restrict the use of hostPID in containers through admission control policies.",
- "Url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/"
+ "Text": "Disallow `hostPID` for application Pods via **admission policies** aligned to **Pod Security Standards (Baseline/Restricted)**. Allow only for tightly controlled system workloads. Apply **least privilege**, isolate such Pods on dedicated nodes, and favor debug/observability methods that avoid host namespace sharing.",
+ "Url": "https://hub.prowler.com/check/core_minimize_hostPID_containers"
 }
 },
 "Categories": [
- "container-security"
+ "container-security",
+ "trust-boundaries"
 ],
 "DependsOn": [],
 "RelatedTo": [],
diff --git a/prowler/providers/kubernetes/services/core/core_minimize_net_raw_capability_admission/core_minimize_net_raw_capability_admission.metadata.json b/prowler/providers/kubernetes/services/core/core_minimize_net_raw_capability_admission/core_minimize_net_raw_capability_admission.metadata.json
index f171b9434d..d01b3bc396 100644
--- a/prowler/providers/kubernetes/services/core/core_minimize_net_raw_capability_admission/core_minimize_net_raw_capability_admission.metadata.json
+++ b/prowler/providers/kubernetes/services/core/core_minimize_net_raw_capability_admission/core_minimize_net_raw_capability_admission.metadata.json
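Review bot: The new `Description` says `hostPID: true` indicates "the container shares the node's host PID namespace", but `hostPID` is a Pod-level field and every container in the Pod shares it, which is also the scope the Terraform sample remediates with `host_pid = false` on the pod spec. Suggest rewording the clause to "meaning every container in the Pod shares the node's **host PID namespace**" so the scope matches the `CheckTitle` and the remediation. The `Risk` and `Recommendation` text are consistent with that Pod-level scope and need no change.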
@@ -1,26 +1,36 @@
 {
 "Provider": "kubernetes",
 "CheckID": "core_minimize_net_raw_capability_admission",
- "CheckTitle": "Minimize the admission of containers with the NET_RAW capability",
+ "CheckTitle": "Pod containers do not have the NET_RAW capability",
 "CheckType": [],
 "ServiceName": "core",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "KubernetesPod",
- "Description": "This check ensures that Kubernetes clusters are configured to minimize the admission of containers with the potentially dangerous NET_RAW capability, which can be exploited by malicious containers.",
- "Risk": "Allowing containers with NET_RAW capability increases the risk of network attacks and privilege escalation.",
- "RelatedUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context",
+ "ResourceType": "Pod",
+ "Description": "**Kubernetes pods** where any container's security context adds the `NET_RAW` Linux capability are identified.\n\nThe inspection evaluates container `securityContext.capabilities.add` entries to detect explicit requests for `NET_RAW`.",
+ "Risk": "Granting **NET_RAW** enables raw sockets for packet crafting and sniffing, undermining **confidentiality** and **integrity**. 
Attackers can run ARP/DNS spoofing, pivot or scan inside the cluster, bypass service isolation, exfiltrate data, and impact **availability** through network abuse.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://support.icompaas.com/support/solutions/articles/62000234711-minimize-the-admission-of-containers-with-the-net-raw-capability",
+ "https://medium.com/@benson.philemon/pod-security-standards-baseline-profile-essential-knowledge-for-cks-exam-1bcfeef94959",
+ "https://dev.to/castai/kubernetes-security-10-best-practices-from-the-industry-and-community-1bp6?comments_sort=latest",
+ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container",
+ "https://istio.io/latest/docs/setup/additional-setup/pod-security-admission/",
+ "https://github.com/aws-samples/k8s-psa-pss-testing",
+ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context",
+ "https://kubernetes.io/docs/concepts/security/pod-security-admission/"
+ ],
 "Remediation": {
 "Code": {
 "CLI": "",
- "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/bc_k8s_6#kubernetes",
- "Other": "",
- "Terraform": ""
+ "NativeIaC": "",
+ "Other": "1. Identify the affected workload (Deployment/StatefulSet/Pod) and open its spec for edit (e.g., kubectl edit deployment )\n2. In each container under: spec.template.spec.containers[].securityContext.capabilities.add, remove the entry NET_RAW (or remove the entire add field if it only contains NET_RAW)\n3. Save the changes to trigger a rollout (for Pod manifests, kubectl apply -f )\n4. 
Recreate any standalone Pods if needed so the updated spec takes effect",
+ "Terraform": "```hcl\nresource \"kubernetes_pod\" \"\" {\n metadata { name = \"\" }\n spec {\n container {\n name = \"\"\n image = \"nginx\"\n security_context {\n capabilities {\n drop = [\"NET_RAW\"] # Critical: ensures the container is not granted NET_RAW\n }\n }\n }\n }\n}\n```"
 },
 "Recommendation": {
- "Text": "Restrict the use of NET_RAW capability through admission control policies.",
- "Url": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container"
+ "Text": "Apply **least privilege**: avoid adding `NET_RAW` and drop unnecessary Linux capabilities by default. Use cluster-wide **admission policies** to block requests for `NET_RAW`. When strictly required, isolate the workload, restrict egress with network controls, and audit capability use as part of **defense in depth**.",
+ "Url": "https://hub.prowler.com/check/core_minimize_net_raw_capability_admission"
 }
 },
 "Categories": [
diff --git a/prowler/providers/kubernetes/services/core/core_minimize_privileged_containers/core_minimize_privileged_containers.metadata.json b/prowler/providers/kubernetes/services/core/core_minimize_privileged_containers/core_minimize_privileged_containers.metadata.json
index 54f719b59c..1d8cc72ad2 100644
--- a/prowler/providers/kubernetes/services/core/core_minimize_privileged_containers/core_minimize_privileged_containers.metadata.json
+++ b/prowler/providers/kubernetes/services/core/core_minimize_privileged_containers/core_minimize_privileged_containers.metadata.json
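Review bot: The new `CheckTitle` "Pod containers do not have the NET_RAW capability" claims more than the `Description` says is evaluated: only `securityContext.capabilities.add` entries are inspected, so a container that inherits NET_RAW from the container runtime's default capability set is reported as passing. Either narrow the title to `"CheckTitle": "Pod containers do not add the NET_RAW capability"` or add a sentence to the Description stating that capabilities granted by the runtime default set are not evaluated, which also explains why the Terraform sample uses `drop = [\"NET_RAW\"]` rather than simply omitting the add. Separately, the `Other` steps read `kubectl edit deployment )` and `kubectl apply -f )` with no name or file argument; if that is the committed text rather than a rendering artifact, restore labelled placeholders such as `<deployment-name>` and `<manifest-file>`.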
@@ -1,26 +1,34 @@
 {
 "Provider": "kubernetes",
 "CheckID": "core_minimize_privileged_containers",
- "CheckTitle": "Minimize the admission of privileged containers",
+ "CheckTitle": "Pod does not contain a privileged container",
 "CheckType": [],
 "ServiceName": "core",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "KubernetesPod",
- "Description": "This check ensures that Kubernetes clusters are configured to minimize the admission of privileged containers, which have access to all Linux Kernel capabilities and devices. The use of privileged containers should be controlled and restricted to specific use-cases.",
- "Risk": "Permitting privileged containers by default can lead to security vulnerabilities as these containers have elevated privileges equivalent to the host.",
- "RelatedUrl": "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+ "ResourceType": "Pod",
+ "Description": "**Pods** are evaluated for containers configured with `securityContext.privileged: true`, indicating execution in **privileged mode**.",
+ "Risk": "**Privileged containers** can control the host and bypass isolation, enabling:\n- Secret theft (confidentiality)\n- Workload/node tampering (integrity)\n- Service disruption (availability)\nCompromise of one pod can drive lateral movement across the cluster.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://v1-32.docs.kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/",
+ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
+ "https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/",
+ "https://kubernetes.io/docs/setup/best-practices/enforcing-pod-security-standards/",
+ "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+ "https://kubernetes.io/docs/concepts/security/pod-security-admission/"
+ ],
 "Remediation": {
 "Code": {
 "CLI": "",
- "NativeIaC": 
"https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/bc_k8s_2#kubernetes", - "Other": "", - "Terraform": "" + "NativeIaC": "", + "Other": "1. Open your Kubernetes UI (e.g., cloud provider console or Dashboard)\n2. Navigate to the failing workload (Deployment/StatefulSet/DaemonSet) or Pod and choose Edit YAML/Manifest\n3. Set securityContext.privileged: false for each affected container:\n - For controllers: spec.template.spec.containers[].securityContext.privileged: false\n - For standalone Pods: spec.containers[].securityContext.privileged: false\n4. Save changes (controllers will roll out new Pods). If it is a standalone Pod, delete and recreate it to apply the change", + "Terraform": "```hcl\nresource \"kubernetes_pod\" \"\" {\n metadata { name = \"\" }\n spec {\n container {\n name = \"\"\n image = \"\"\n security_context {\n privileged = false # Critical: disables privileged mode to pass the check\n }\n }\n }\n}\n```" }, "Recommendation": { - "Text": "Restrict the use of privileged containers through admission control policies.", - "Url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/" + "Text": "Block `privileged: true` using **Pod Security Admission** at `restricted`. Apply **least privilege**:\n- Run unprivileged; set `allowPrivilegeEscalation: false`\n- Drop capabilities; avoid host access\n- Restrict who can deploy privileged pods with **RBAC**\n- Use short-lived, audited exceptions only when strictly required", + "Url": "https://hub.prowler.com/check/core_minimize_privileged_containers" } }, "Categories": [ diff --git a/prowler/providers/kubernetes/services/core/core_minimize_root_containers_admission/core_minimize_root_containers_admission.metadata.json b/prowler/providers/kubernetes/services/core/core_minimize_root_containers_admission/core_minimize_root_containers_admission.metadata.json index f20e008248..b423c36b26 100644 
--- a/prowler/providers/kubernetes/services/core/core_minimize_root_containers_admission/core_minimize_root_containers_admission.metadata.json
+++ b/prowler/providers/kubernetes/services/core/core_minimize_root_containers_admission/core_minimize_root_containers_admission.metadata.json
@@ -1,26 +1,35 @@
 {
 "Provider": "kubernetes",
 "CheckID": "core_minimize_root_containers_admission",
- "CheckTitle": "Minimize the admission of root containers",
+ "CheckTitle": "Pod does not run any container as the root user",
 "CheckType": [],
 "ServiceName": "core",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "KubernetesPod",
- "Description": "This check ensures that Kubernetes clusters are configured to minimize the admission of containers running as the root user. Running containers as root increases the risk of container breakout and should be restricted.",
- "Risk": "Allowing containers to run as root can lead to elevated risk of security breaches and container breakout.",
- "RelatedUrl": "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+ "ResourceType": "Pod",
+ "Description": "**Kubernetes Pods** are assessed for containers configured to run as the **root user**. The evaluation identifies containers whose security context sets `runAsUser: 0`.",
+ "Risk": "Containers running as **root (UID 0)** enable **privilege escalation** and **container breakout**. 
Attackers can modify workloads (**integrity**), read sensitive data on mounted volumes (**confidentiality**), and disrupt nodes or services via kernel/daemon abuse (**availability**).",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://github.com/SumoLogic/sumologic-kubernetes-collection/issues/1229",
+ "https://kubernetes.io/docs/tutorials/security/cluster-level-pss/",
+ "https://sdk.operatorframework.io/docs/best-practices/pod-security-standards/",
+ "https://bobcares.com/blog/container-has-runasnonroot-image-non-numeric-user/",
+ "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+ "https://kyverno.io/policies/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot/",
+ "https://support.icompaas.com/support/solutions/articles/62000234712-minimize-the-admission-of-root-containers"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "",
- "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/bc_k8s_5#kubernetes",
- "Other": "",
- "Terraform": ""
+ "CLI": "kubectl patch pod -n --type=strategic -p '{\"spec\":{\"containers\":[{\"name\":\"\",\"securityContext\":{\"runAsUser\":1000}}]}}'",
+ "NativeIaC": "",
+ "Other": "1. In your Kubernetes dashboard or kubectl editor, open the workload (Deployment/StatefulSet/DaemonSet) that created the failing Pod.\n2. Edit the YAML and set a non-root UID for the specific container:\n ```yaml\n spec:\n template:\n spec:\n containers:\n - name: \n securityContext:\n runAsUser: 1000 # Critical: non-zero UID\n ```\n3. Save and apply. 
Wait for the new Pod to start and verify the finding is resolved.",
+ "Terraform": "```hcl\nresource \"kubernetes_pod\" \"\" {\n metadata {\n name = \"\"\n }\n spec {\n container {\n name = \"\"\n image = \"\"\n security_context {\n run_as_user = 1000 # Critical: set a non-zero UID so the container is not root\n }\n }\n }\n}\n```"
 },
 "Recommendation": {
- "Text": "Restrict the use of root containers through admission control policies.",
- "Url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/"
+ "Text": "Require non-root execution and enforce **least privilege**:\n- Set `runAsNonRoot: true` and a non-zero `runAsUser`\n- Use images with a defined non-root UID\n- Apply **Pod Security Standards - restricted** or policies to block UID `0`\n- Use `allowPrivilegeEscalation: false` and drop unnecessary capabilities",
+ "Url": "https://hub.prowler.com/check/core_minimize_root_containers_admission"
 }
 },
 "Categories": [
diff --git a/prowler/providers/kubernetes/services/core/core_no_secrets_envs/core_no_secrets_envs.metadata.json b/prowler/providers/kubernetes/services/core/core_no_secrets_envs/core_no_secrets_envs.metadata.json
index e384189f38..d95dbad2a9 100644
--- a/prowler/providers/kubernetes/services/core/core_no_secrets_envs/core_no_secrets_envs.metadata.json
+++ b/prowler/providers/kubernetes/services/core/core_no_secrets_envs/core_no_secrets_envs.metadata.json
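Review bot: The new `CLI` remediation patches `securityContext.runAsUser` on a running Pod, but a Pod's security context is immutable after creation (the API server only accepts updates to a small set of fields such as container images), so the command will be rejected; point it at the owning controller instead, e.g. `kubectl patch deployment <deployment-name> -n <namespace> --type=strategic -p '{"spec":{"template":{"spec":{"containers":[{"name":"<container-name>","securityContext":{"runAsUser":1000}}]}}}}'`, which also matches the `Other` steps that edit the controller. As written the command also has no Pod name after `kubectl patch pod` and no namespace after `-n`; if that is the committed text rather than a rendering artifact, restore labelled placeholders. Finally, the `Description` says only `runAsUser: 0` is identified while the `CheckTitle` says the Pod runs no container as root: a container with no `runAsUser` set that runs as root by image default would pass unless the check also honours `runAsNonRoot`, so the Description should state which case applies.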
@@ -1,30 +1,35 @@
 {
 "Provider": "kubernetes",
 "CheckID": "core_no_secrets_envs",
- "CheckTitle": "Prefer using secrets as files over secrets as environment variables",
+ "CheckTitle": "Pod does not contain secret environment variables",
 "CheckType": [],
 "ServiceName": "core",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
- "Severity": "medium",
- "ResourceType": "KubernetesSecrets",
- "Description": "This check ensures that secrets in Kubernetes are used as files rather than environment variables. Using secrets as files is safer, as it reduces the risk of exposing sensitive data through application logs.",
- "Risk": "Secrets exposed as environment variables can be inadvertently logged by applications, leading to potential security breaches.",
- "RelatedUrl": "https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets",
+ "Severity": "high",
+ "ResourceType": "Pod",
+ "Description": "**Pod containers** define environment variables sourced from **Secrets** via `secretKeyRef` instead of mounting them as files.",
+ "Risk": "Secrets in env vars weaken **confidentiality**:\n- Leak via logs, dumps, `/proc/*/environ`, debug UIs, and pod metadata\n- Propagate to child processes; rotation is hard\nAttackers can steal credentials for unauthorized access and **lateral movement**, risking data integrity and service availability.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-over-environment-variables",
+ "https://stackoverflow.com/questions/72952953/setting-secrets-as-environment-variables-in-deployment-file",
+ "https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets"
+ ],
 "Remediation": {
 "Code": {
 "CLI": "",
- "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/bc_k8s_33#kubernetes",
- "Other": "",
- "Terraform": ""
+ "NativeIaC": "",
+ "Other": "1. Open Kubernetes Dashboard and go to Workloads > Deployments (or StatefulSets/Pods)\n2. 
Select and click Edit > Edit YAML\n3. For each container, remove any env entries that use valueFrom.secretKeyRef\n4. If the app still needs the secret, add a volume that references your Secret and mount it into the container (e.g., mountPath /etc/secret)\n5. Save the changes",
+ "Terraform": "```hcl\n# Use a Secret as a volume (no secretKeyRef in env) to pass the check\nresource \"kubernetes_pod\" \"\" {\n metadata { name = \"\" }\n spec {\n container {\n name = \"\"\n image = \"busybox\"\n volume_mount {\n name = \"-secret\" # critical: mount Secret as files instead of env vars\n mount_path = \"/etc/secret\"\n read_only = true\n }\n }\n volume {\n name = \"-secret\"\n secret { secret_name = \"\" } # critical: reference the Secret via a volume\n }\n }\n}\n```"
 },
 "Recommendation": {
- "Text": "Minimize the use of environment variable secrets and prefer mounting secrets as files for enhanced security.",
- "Url": "https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-over-environment-variables"
+ "Text": "Use **Secrets as files** (read-only volumes) and load at runtime.\n- Apply **least privilege** RBAC to Secret access\n- Scope Secrets to required containers; avoid logging env\n- Prefer short-lived creds and regular rotation; set `immutable: true` when suitable\n- Layer **defense in depth** with network and runtime controls",
+ "Url": "https://hub.prowler.com/check/core_no_secrets_envs"
 }
 },
 "Categories": [
- "trustboundaries"
+ "secrets"
 ],
 "DependsOn": [],
 "RelatedTo": [],
diff --git a/prowler/providers/kubernetes/services/core/core_seccomp_profile_docker_default/core_seccomp_profile_docker_default.metadata.json b/prowler/providers/kubernetes/services/core/core_seccomp_profile_docker_default/core_seccomp_profile_docker_default.metadata.json
index 8e6125b992..1aca52a78e 100644
--- a/prowler/providers/kubernetes/services/core/core_seccomp_profile_docker_default/core_seccomp_profile_docker_default.metadata.json
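Review bot: The `Description` and the `Other` steps only cover `env[].valueFrom.secretKeyRef`, but Secrets are also injected into a container's environment wholesale through `envFrom[].secretRef`, and nothing in the hunk says whether the check inspects that path; if it does, add it to the Description, and if it does not, the title "Pod does not contain secret environment variables" overstates the coverage and should say "via secretKeyRef". In the Terraform sample the volume is named `"-secret"` on both the `volume_mount` and the `volume` block, which reads like a stripped prefix; if that is the committed text rather than a rendering artifact, use a labelled name such as `"<app>-secret"`. The `Severity` moves from `medium` to `high` while neither the Description nor the Risk explains the re-rating; one sentence of rationale in the Risk text would help triage.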
+++ b/prowler/providers/kubernetes/services/core/core_seccomp_profile_docker_default/core_seccomp_profile_docker_default.metadata.json 
@@ -1,26 +1,30 @@
 {
 "Provider": "kubernetes",
 "CheckID": "core_seccomp_profile_docker_default",
- "CheckTitle": "Ensure that the seccomp profile is set to docker/default in your pod definitions",
+ "CheckTitle": "Pod has the docker/default (RuntimeDefault) seccomp profile at pod level or for all containers",
 "CheckType": [],
 "ServiceName": "core",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "KubernetesPod",
- "Description": "This check verifies that the docker/default seccomp profile is enabled in pod definitions. Enabling seccomp profiles helps restrict the set of system calls applications can make, enhancing the security of workloads in the cluster.",
- "Risk": "Not using or incorrectly configuring seccomp profiles can leave containers with broader permissions, increasing the risk of malicious actions.",
- "RelatedUrl": "https://kubernetes.io/docs/tutorials/clusters/seccomp/",
+ "ResourceType": "Pod",
+ "Description": "**Kubernetes Pods** and their containers specify the runtime default seccomp profile using `seccompProfile.type: RuntimeDefault` in the security context.\n\nThe evaluation looks for this setting at the Pod level or per container.",
+ "Risk": "Without **seccomp RuntimeDefault**, containers may run unconfined and invoke risky syscalls, expanding the kernel attack surface.\n- Container escape, privilege escalation (integrity)\n- Data access or exfiltration (confidentiality)\n- Node or workload disruption (availability)",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://kubernetes.io/docs/tutorials/clusters/seccomp/",
+ "https://docs.docker.com/engine/security/seccomp/"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "",
- "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/bc_k8s_30#kubernetes",
- "Other": "",
- "Terraform": ""
+ "CLI": "kubectl patch deployment --type=merge -p 
'{\"spec\":{\"template\":{\"spec\":{\"securityContext\":{\"seccompProfile\":{\"type\":\"RuntimeDefault\"}}}}}}'",
+ "NativeIaC": "",
+ "Other": "1. Open the manifest of your workload (Deployment/StatefulSet/Pod)\n2. Under the Pod spec, add:\n \n spec:\n securityContext:\n seccompProfile:\n type: RuntimeDefault \n \n - For controllers (e.g., Deployment), place this under spec.template.spec\n3. Apply the change: kubectl apply -f \n4. Wait for pods to restart and confirm the setting on new pods",
+ "Terraform": "```hcl\nresource \"kubernetes_pod_v1\" \"example\" {\n metadata {\n name = \"\"\n }\n spec {\n security_context {\n seccomp_profile {\n type = \"RuntimeDefault\" # Critical: enforces the runtime default (docker/default) seccomp profile at pod level\n }\n }\n container {\n name = \"app\"\n image = \"nginx\"\n }\n }\n}\n```"
 },
 "Recommendation": {
- "Text": "Implement the docker/default seccomp profile in pod definitions for enhanced container security.",
- "Url": "https://docs.docker.com/engine/security/seccomp/"
+ "Text": "Enforce **least privilege** for syscalls:\n- Set `seccompProfile.type: RuntimeDefault` on Pods/containers\n- Use tailored profiles for sensitive workloads\n- Avoid privileged or unconfined containers; drop unused capabilities\n- Combine with AppArmor/SELinux and policy guardrails to enforce and audit",
+ "Url": "https://hub.prowler.com/check/core_seccomp_profile_docker_default"
 }
 },
 "Categories": [
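Review bot: The `Description` states the evaluation looks for `seccompProfile.type: RuntimeDefault` in the Pod spec, but on clusters where the kubelet is configured with `seccompDefault: true` Pods without the explicit field are still confined with RuntimeDefault, so the `Risk` claim that such containers "may run unconfined" only holds when that kubelet setting is off and a finding here can be a false positive relative to the runtime state. Suggest appending to the Description: "Clusters that enable the kubelet `seccompDefault` setting apply RuntimeDefault implicitly; the Pod is still reported because the profile is not declared in its spec." The `Other` step also carries stray whitespace in the YAML snippet (`type: RuntimeDefault \n \n`) and a `kubectl apply -f ` with no file argument; tidy the former and, if the latter is committed text rather than a rendering artifact, add a labelled placeholder such as `<manifest-file>`. The `CLI` command likewise has no deployment name after `kubectl patch deployment`.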