

feat: update M-113 to fail for any explicitly bad setter (including p…
…od-level)
matheusfm committed Mar 13, 2024
1 parent 98f7a29 commit b0ed69d
Showing 2 changed files with 7 additions and 2 deletions.
7 changes: 6 additions & 1 deletion internal/builtins/pss/restricted/M-113_run_as_non_root.yml
Expand Up @@ -47,6 +47,10 @@ variables:
- name: podRunAsNonRoot
expression: podSpec.?securityContext.?runAsNonRoot.orValue(false)

# pod-level runAsNonRoot is explicitly set to false
- name: podRunAsRoot
expression: podSpec.?securityContext.?runAsNonRoot.orValue(true) == false

# pod-level runAsUser is explicitly set to non-zero
- name: podRunAsNonZeroUser
expression: podSpec.?securityContext.?runAsUser.orValue(0) != 0
Expand All @@ -71,4 +75,5 @@ variables:
)
validations:
- expression: variables.explicitlyBadContainers.size() == 0 && variables.implicitlyBadContainers.size() == 0
- expression: >
!variables.podRunAsRoot && variables.explicitlyBadContainers.size() == 0 && variables.implicitlyBadContainers.size() == 0
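Review bot: Folding `!variables.podRunAsRoot` into the single validation on the last two lines of this hunk means a rejected pod gets one undifferentiated failure for three distinct causes: pod-level runAsNonRoot explicitly false, a container explicitly set to false, or a container left unset without a pod-level true. Keeping the new term as its own entry lets each cause be reported on its own, `- expression: "!variables.podRunAsRoot"` followed by the unchanged container-only expression, each with its own message if this policy format supports one (the `variables`/`validations` layout reads like a ValidatingAdmissionPolicy, where `message` is available, but the rest of the file is not visible here). The `>` folded scalar also leaves a trailing newline in the expression string; `>-` would yield a plain single-line value. The variable definition closed by the `)` on the hunk's first line, and the explicitlyBadContainers/implicitlyBadContainers definitions it depends on, begin outside this hunk.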
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,7 @@
app: nginx
- name: "Pod set runAsNonRoot to false and container to true"
pass: true
pass: false
input: |
apiVersion: apps/v1
kind: Deployment
