apparmor selector seems invalid for deployment type manifests #331

Open
brucelee138 opened this issue Jul 25, 2022 · 0 comments
brucelee138 commented Jul 25, 2022

Describe the bug
kubesec scan uses the selector `.metadata .annotations ."container.apparmor.security.beta.kubernetes.io/nginx"` for AppArmor. While this works fine for the kind "pod", it doesn't apply for the kind "deployment" (kubernetes/kubernetes#66216).
The selector should rather be `.spec.template.metadata.annotations:"container.apparmor.security.beta.kubernetes.io/nginx"`.

To Reproduce
Run kubesec scan with a deployment manifest, fix the AppArmor warning and apply the manifest; it will be found that AppArmor is not honored by the pod.

Expected behaviour
kubesec scan should handle the AppArmor selector for deployments differently, else it will report false positives.

```yaml
apiVersion: apps/v1
kind: Deployment
spec:
  selector:
    matchLabels:
      app: dummy
  template:
    metadata:
      annotations:
        container.apparmor.security.beta.kubernetes.io/dummy: "runtime/default"
```

```
master-0-project-stack:~> kubectl describe po dummy-pod -n monitoring | grep -i app
Labels:       app=dummy
Annotations:  container.apparmor.security.beta.kubernetes.io/dummy: runtime/default
```

```json
"advise": [
  {
    "id": "ApparmorAny",
    "selector": ".metadata .annotations .\"container.apparmor.security.beta.kubernetes.io/nginx\"",
    "reason": "Well defined AppArmor policies may provide greater protection from unknown threats. WARNING: NOT PRODUCTION READY",
    "points": 3
  },
```
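The path problem described in this issue, as an added example (not kubesec's own code and not from the issue author): a small checker that looks for the AppArmor annotation at the metadata block Kubernetes actually copies onto the pod, which is `.metadata` for a Pod but `.spec.template.metadata` for Deployment-style workloads (and `.spec.jobTemplate.spec.template.metadata` for a CronJob). It also reports annotations left on a workload's own `.metadata`, which a Pod-style selector would accept even though they never reach the pod, and annotated container names that do not exist in the pod spec, which a selector hard-coded to one name such as `nginx` cannot detect. Manifests are taken as JSON (e.g. `kubectl get deploy/x -o json`) so the example runs with the standard library only; the two sample manifests are constructed for the example. All function names are this example's own.

```python
"""Locate AppArmor annotations where Kubernetes actually reads them.

Added example, not kubesec's code. Manifests are plain dicts, e.g. from
json.load() over `kubectl get deploy/x -o json` output.
"""
import json

APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"

# Kinds whose pods are stamped out of a template: the kubelet only sees
# annotations under .spec.template.metadata, never the workload's own .metadata.
TEMPLATED_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"}


def pod_metadata_path(kind):
    """Key path to the metadata block that ends up on the pod for this kind."""
    if kind == "Pod":
        return ["metadata"]
    if kind in TEMPLATED_KINDS:
        return ["spec", "template", "metadata"]
    if kind == "CronJob":
        return ["spec", "jobTemplate", "spec", "template", "metadata"]
    raise ValueError("unsupported kind: %s" % kind)


def _dig(obj, path):
    """Walk nested dicts along path; None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def _apparmor_entries(annotations):
    """Map container name -> profile for AppArmor keys in an annotations dict."""
    return {k[len(APPARMOR_PREFIX):]: v for k, v in (annotations or {}).items()
            if k.startswith(APPARMOR_PREFIX)}


def effective_apparmor(manifest):
    """AppArmor profiles that will really be applied to the resulting pod(s)."""
    meta = _dig(manifest, pod_metadata_path(manifest["kind"])) or {}
    return _apparmor_entries(meta.get("annotations"))


def misplaced_apparmor(manifest):
    """AppArmor annotations on a templated workload's own .metadata: they pass
    a check written for kind Pod but are never copied to the pods."""
    if pod_metadata_path(manifest["kind"]) == ["metadata"]:
        return {}
    return _apparmor_entries(_dig(manifest, ["metadata", "annotations"]))


def unmatched_containers(manifest):
    """Annotated container names with no matching container in the pod spec."""
    meta_path = pod_metadata_path(manifest["kind"])
    spec = _dig(manifest, meta_path[:-1] + ["spec"]) or {}
    names = {c.get("name") for c in
             spec.get("containers", []) + spec.get("initContainers", [])}
    return sorted(n for n in effective_apparmor(manifest) if n not in names)


def check_manifest(manifest_json):
    """Scan one JSON-encoded manifest; returns what a scanner could report."""
    m = json.loads(manifest_json)
    return {"kind": m["kind"],
            "effective": effective_apparmor(m),
            "misplaced": misplaced_apparmor(m),
            "unmatched_containers": unmatched_containers(m)}


# Constructed samples (not taken from a real cluster).
DEPLOYMENT_OK = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "dummy"},
    "spec": {"selector": {"matchLabels": {"app": "dummy"}},
             "template": {
                 "metadata": {"labels": {"app": "dummy"},
                              "annotations": {APPARMOR_PREFIX + "dummy": "runtime/default"}},
                 "spec": {"containers": [{"name": "dummy", "image": "nginx"}]}}}})

# Same workload with the annotation where a Pod-style selector looks for it.
DEPLOYMENT_MISPLACED = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "dummy",
                 "annotations": {APPARMOR_PREFIX + "dummy": "runtime/default"}},
    "spec": {"selector": {"matchLabels": {"app": "dummy"}},
             "template": {"metadata": {"labels": {"app": "dummy"}},
                          "spec": {"containers": [{"name": "dummy", "image": "nginx"}]}}}})

if __name__ == "__main__":
    for sample in (DEPLOYMENT_OK, DEPLOYMENT_MISPLACED):
        print(json.dumps(check_manifest(sample), indent=2))
```

Running it on the first sample reports the `dummy` profile as effective and nothing misplaced; on the second it reports no effective profile and `dummy` as misplaced, which is exactly the manifest a `.metadata .annotations` selector would wrongly pass.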
