Merge pull request #129 from secureCodeBox/security-contexts

Add securityContexts to secureCodeBox Components

Author: fuhrmeistery

hook-sdk/nodejs/Dockerfile

@@ -5,10 +5,10 @@ RUN npm ci --production
 
 FROM node:12-alpine
 ARG NODE_ENV
-RUN addgroup -S app && adduser app -S -G app
+RUN addgroup --system --gid 1001 app && adduser app --system --uid 1001 --ingroup app
 WORKDIR /home/app/hook-wrapper/
 COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
 COPY --chown=app:app ./hook-wrapper.js ./hook-wrapper.js
-USER app
+USER 1001
 ENV NODE_ENV ${NODE_ENV:-production}
-ENTRYPOINT ["node", "/home/app/hook-wrapper/hook-wrapper.js"]
+ENTRYPOINT ["node", "/home/app/hook-wrapper/hook-wrapper.js"]

lurcher/Dockerfile

@@ -20,6 +20,5 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o lurcher
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY --from=builder /workspace/lurcher .
-USER nonroot:nonroot
 
 ENTRYPOINT ["/lurcher"]

operator/Dockerfile

@@ -28,6 +28,5 @@ ENV TELEMETRY_ENABLED "true"
 
 WORKDIR /
 COPY --from=builder /workspace/manager .
-USER nonroot:nonroot
 
 ENTRYPOINT ["/manager"]

operator/README.md

@@ -24,7 +24,7 @@ helm install securecodebox-operator secureCodeBox/operator
 | image.pullPolicy | string | `"Always"` | Image pull policy |
 | image.repository | string | `"docker.io/securecodebox/operator"` | The operator image repository |
 | image.tag | string | defaults to the charts version | Parser image tag |
-| lurcher.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
+| lurcher.image.pullPolicy | string | `"Always"` | Image pull policy |
 | lurcher.image.repository | string | `"docker.io/securecodebox/lurcher"` | The operator image repository |
 | lurcher.image.tag | string | defaults to the charts version | Parser image tag |
 | minio.defaultBucket.enabled | bool | `true` |  |
@@ -38,5 +38,10 @@ helm install securecodebox-operator secureCodeBox/operator
 | s3.port | string | `nil` |  |
 | s3.secretAttributeNames.accesskey | string | `"accesskey"` |  |
 | s3.secretAttributeNames.secretkey | string | `"secretkey"` |  |
+| securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated |
+| securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the operator container. They are not required |
+| securityContext.privileged | bool | `false` | Ensures that the operator container is not run in privileged mode |
+| securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system |
+| securityContext.runAsNonRoot | bool | `true` | Enforces that the Operator image is run as a non root user |
 | telemetryEnabled | bool | `true` | The Operator sends anonymous telemetry data, to give the team an overview how much the secureCodeBox is used. Find out more at https://www.securecodebox.io/telemetry |
 

operator/controllers/execution/scans/hook_reconciler.go

@@ -362,6 +362,8 @@ func (r *ScanReconciler) createJobForHook(hook *executionv1.ScanCompletionHook,
 	labels["securecodebox.io/hook-name"] = hook.Name
 
 	var backOffLimit int32 = 3
+	truePointer := true
+	falsePointer := false
 	job := &batch.Job{
 		ObjectMeta: metav1.ObjectMeta{
 			Annotations:  make(map[string]string),
@@ -388,7 +390,7 @@ func (r *ScanReconciler) createJobForHook(hook *executionv1.ScanCompletionHook,
 							Image:           hook.Spec.Image,
 							Args:            cliArgs,
 							Env:             append(hook.Spec.Env, standardEnvVars...),
-							ImagePullPolicy: "IfNotPresent",
+							ImagePullPolicy: "Always",
 							Resources: corev1.ResourceRequirements{
 								Requests: corev1.ResourceList{
 									corev1.ResourceCPU:    resource.MustParse("200m"),
@@ -399,6 +401,15 @@ func (r *ScanReconciler) createJobForHook(hook *executionv1.ScanCompletionHook,
 									corev1.ResourceMemory: resource.MustParse("200Mi"),
 								},
 							},
+							SecurityContext: &corev1.SecurityContext{
+								RunAsNonRoot:             &truePointer,
+								AllowPrivilegeEscalation: &falsePointer,
+								ReadOnlyRootFilesystem:   &truePointer,
+								Privileged:               &falsePointer,
+								Capabilities: &corev1.Capabilities{
+									Drop: []corev1.Capability{"all"},
+								},
+							},
 						},
 					},
 				},

operator/controllers/execution/scans/parse_reconciler.go

@@ -80,6 +80,8 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error {
 	labels["securecodebox.io/job-type"] = "parser"
 	automountServiceAccountToken := true
 	var backOffLimit int32 = 3
+	truePointer := true
+	falsePointer := false
 	job := &batch.Job{
 		ObjectMeta: metav1.ObjectMeta{
 			Annotations:  make(map[string]string),
@@ -133,6 +135,15 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error {
 									corev1.ResourceMemory: resource.MustParse("200Mi"),
 								},
 							},
+							SecurityContext: &corev1.SecurityContext{
+								RunAsNonRoot:             &truePointer,
+								AllowPrivilegeEscalation: &falsePointer,
+								ReadOnlyRootFilesystem:   &truePointer,
+								Privileged:               &falsePointer,
+								Capabilities: &corev1.Capabilities{
+									Drop: []corev1.Capability{"all"},
+								},
+							},
 						},
 					},
 					AutomountServiceAccountToken: &automountServiceAccountToken,

operator/controllers/execution/scans/scan_reconciler.go

@@ -221,6 +221,9 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanType *e
 		return nil, fmt.Errorf("Unknown imagePull Policy for lurcher: %s", lurcherPullPolicyRaw)
 	}
 
+	falsePointer := false
+	truePointer := true
+
 	lurcherSidecar := &corev1.Container{
 		Name:            "lurcher",
 		Image:           lurcherImage,
@@ -260,6 +263,15 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanType *e
 				ReadOnly:  true,
 			},
 		},
+		SecurityContext: &corev1.SecurityContext{
+			RunAsNonRoot:             &truePointer,
+			AllowPrivilegeEscalation: &falsePointer,
+			ReadOnlyRootFilesystem:   &truePointer,
+			Privileged:               &falsePointer,
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"all"},
+			},
+		},
 	}
 
 	job.Spec.Template.Spec.Containers = append(job.Spec.Template.Spec.Containers, *lurcherSidecar)

operator/templates/manager/manager.yaml

@@ -77,4 +77,6 @@ spec:
               value: {{ .Values.lurcher.image.pullPolicy }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
       terminationGracePeriodSeconds: 10

operator/values.yaml

@@ -14,6 +14,20 @@ image:
   # image.pullPolicy -- Image pull policy
   pullPolicy: Always
 
+securityContext:
+  # securityContext.runAsNonRoot -- Enforces that the Operator image is run as a non root user
+  runAsNonRoot: true
+  # securityContext.readOnlyRootFilesystem -- Prevents write access to the containers file system
+  readOnlyRootFilesystem: true
+  # securityContext.allowPrivilegeEscalation -- Ensure that users privileges cannot be escalated
+  allowPrivilegeEscalation: false
+  # securityContext.privileged -- Ensures that the operator container is not run in privileged mode
+  privileged: false
+  capabilities:
+    drop:
+      # securityContext.capabilities.drop[0] -- This drops all linux privileges from the operator container. They are not required
+      - all
+
 lurcher:
   image:
     # lurcher.image.repository -- The operator image repository
@@ -22,7 +36,7 @@ lurcher:
     # @default -- defaults to the charts version
     tag: null
     # lurcher.image.pullPolicy -- Image pull policy
-    pullPolicy: IfNotPresent
+    pullPolicy: Always
 
 minio:
   # minio.enabled Enable this to use minio as storage backend instead of a cloud bucket provider like AWS S3, Google Cloud Storage, DigitalOcean Spaces etc.

parser-sdk/nodejs/Dockerfile

@@ -5,10 +5,10 @@ RUN npm ci --production
 
 FROM node:12-alpine
 ARG NODE_ENV
-RUN addgroup -S app && adduser app -S -G app
+RUN addgroup --system --gid 1001 app && adduser app --system --uid 1001 --ingroup app
 WORKDIR /home/app/parser-wrapper/
 COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
 COPY --chown=app:app ./parser-wrapper.js ./parser-wrapper.js
-USER app
+USER 1001
 ENV NODE_ENV ${NODE_ENV:-production}
-ENTRYPOINT ["node", "/home/app/parser-wrapper/parser-wrapper.js"]
+ENTRYPOINT ["node", "/home/app/parser-wrapper/parser-wrapper.js"]

scanners/amass/Chart.yaml

@@ -5,7 +5,7 @@ description: A Helm chart for the Amass security scanner that integrates with th
 type: application
 # version - gets automatically set to the secureCodeBox release version when the helm charts gets published
 version: latest
-appVersion: 3.10.3
+appVersion: 3.10.4
 kubeVersion: ">=v1.11.0"
 
 keywords:

scanners/amass/README.md

@@ -4,7 +4,7 @@ path: "scanners/amass"
 category: "scanner"
 type: "Network"
 state: "released"
-appVersion: "3.10.3"
+appVersion: "3.10.4"
 usecase: "Subdomain Enumeration Scanner"
 ---
 
@@ -44,9 +44,10 @@ Special command line options:
 | parserImage.tag | string | defaults to the charts version | Parser image tag |
 | scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
 | scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
-| scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
-| scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
+| scannerJob.extraVolumeMounts | list | `[{"mountPath":"/amass/output/config.ini","name":"amass-config","subPath":"config.ini"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
+| scannerJob.extraVolumes | list | `[{"configMap":{"name":"amass-config"},"name":"amass-config"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
+| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
 | scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) |
 
 [owasp_amass_project]: https://owasp.org/www-project-amass/

scanners/amass/README.md.gotmpl

@@ -4,7 +4,7 @@ path: "scanners/amass"
 category: "scanner"
 type: "Network"
 state: "released"
-appVersion: "3.10.3"
+appVersion: "3.10.4"
 usecase: "Subdomain Enumeration Scanner"
 ---
 

scanners/amass/helm2.Chart.yaml

@@ -5,7 +5,7 @@ description: A Helm chart for the Amass security scanner that integrates with th
 type: application
 # version - gets automatically set to the secureCodeBox release version when the helm charts gets published
 version: latest
-appVersion: 3.10.3
+appVersion: 3.10.4
 kubeVersion: ">=v1.11.0"
 
 keywords:

scanners/amass/templates/amass-scan-type.yaml

@@ -24,16 +24,19 @@ spec:
                 - "enum"
                 - "-json"
                 - "/home/securecodebox/amass-results.jsonl"
-              volumeMounts:
-                - name: "amass-config"
-                  mountPath: "/amass/output/config.ini"
-                  subPath: "config.ini"
               resources:
                 {{- toYaml .Values.scannerJob.resources | nindent 16 }}
+              securityContext:
+                {{- toYaml .Values.scannerJob.securityContext | nindent 16 }}
+              env:
+                {{- toYaml .Values.scannerJob.env | nindent 16 }}
+              volumeMounts:
+                {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }}
+            {{- if .Values.scannerJob.extraContainers }}
+            {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
+            {{- end }}
           volumes:
-            - name: "amass-config"
-              configMap:
-                name: "amass-config"
+            {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 12 }}
 ---
 apiVersion: v1
 kind: ConfigMap

scanners/amass/values.yaml

@@ -12,22 +12,31 @@ scannerJob:
 
   # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
   resources: {}
-#   resources:
-#     requests:
-#       memory: "256Mi"
-#       cpu: "250m"
-#     limits:
-#       memory: "512Mi"
-#       cpu: "500m"
+  #   resources:
+  #     requests:
+  #       memory: "256Mi"
+  #       cpu: "250m"
+  #     limits:
+  #       memory: "512Mi"
+  #       cpu: "500m"
 
   # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
   env: []
 
   # scannerJob.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
-  extraVolumes: []
+  extraVolumes:
+    - name: "amass-config"
+      configMap:
+        name: "amass-config"
 
   # scannerJob.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
-  extraVolumeMounts: []
+  extraVolumeMounts:
+    - name: "amass-config"
+      mountPath: "/amass/output/config.ini"
+      subPath: "config.ini"
 
   # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
-  extraContainers: []
+  extraContainers: []
+
+  # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
+  securityContext: {}

scanners/kube-hunter/README.md

@@ -43,6 +43,7 @@ The following security scan configuration example are based on the [kube-hunter
 | scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
+| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
 | scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) |
 
 [kube-hunter Website]: https://kube-hunter.aquasec.com/

scanners/kube-hunter/templates/kubehunter-scan-type.yaml

@@ -24,3 +24,14 @@ spec:
                 - 'json'
               resources:
                 {{- toYaml .Values.scannerJob.resources | nindent 16 }}
+              securityContext:
+                {{- toYaml .Values.scannerJob.securityContext | nindent 16 }}
+              env:
+                {{- toYaml .Values.scannerJob.env | nindent 16 }}
+              volumeMounts:
+                {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }}
+            {{- if .Values.scannerJob.extraContainers }}
+            {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
+            {{- end }}
+          volumes:
+            {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}

scanners/kube-hunter/values.yaml

@@ -17,13 +17,13 @@ scannerJob:
 
   # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
   resources: {}
-#   resources:
-#     requests:
-#       memory: "256Mi"
-#       cpu: "250m"
-#     limits:
-#       memory: "512Mi"
-#       cpu: "500m"
+  #   resources:
+  #     requests:
+  #       memory: "256Mi"
+  #       cpu: "250m"
+  #     limits:
+  #       memory: "512Mi"
+  #       cpu: "500m"
 
   # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
   env: []
@@ -36,3 +36,6 @@ scannerJob:
 
   # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
   extraContainers: []
+
+  # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
+  securityContext: {}

scanners/ncrack/README.md

@@ -151,6 +151,7 @@ SEE THE MAN PAGE (http://nmap.org/ncrack/man.html) FOR MORE OPTIONS AND EXAMPLES
 | scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
+| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
 | scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) |
 
 ---

scanners/ncrack/templates/ncrack-scan-type.yaml

@@ -21,8 +21,15 @@ spec:
               command: ["ncrack", "-oX", "/home/securecodebox/ncrack-results.xml"]
               resources:
                 {{- toYaml .Values.scannerJob.resources | nindent 16 }}
+              securityContext:
+                {{- toYaml .Values.scannerJob.securityContext | nindent 16 }}
+              env:
+                {{- toYaml .Values.scannerJob.env | nindent 16 }}
               volumeMounts:
                 {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }}
+            {{- if .Values.scannerJob.extraContainers }}
+            {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
+            {{- end }}
           volumes:
             {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}