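// containerSecurityContextPrivileged checks for privileged containers.
//
// Every init container and regular container of the pod template is
// inspected; a container counts as privileged only when
// SecurityContext.Privileged is explicitly set to true (a nil SecurityContext
// or a nil Privileged pointer is treated as not privileged). Each privileged
// container gets its own comment on the score. The grade is GradeCritical when
// at least one privileged container was found and GradeAllOK otherwise. The
// returned error is always nil; it exists only to satisfy the check signature.
func containerSecurityContextPrivileged(ps ks.PodSpecer) (score scorecard.TestScore, err error) {
	spec := ps.GetPodTemplateSpec().Spec

	// Copy into a detached slice before appending. Appending straight onto
	// spec.InitContainers would, whenever that slice has spare capacity, write
	// the regular containers into the pod template's own backing array and
	// corrupt the caller's data. The [:0:0] slice has zero capacity, so the
	// first append always allocates fresh storage.
	allContainers := append(spec.InitContainers[:0:0], spec.InitContainers...)
	allContainers = append(allContainers, spec.Containers...)

	hasPrivileged := false
	for _, container := range allContainers {
		sc := container.SecurityContext
		if sc == nil || sc.Privileged == nil || !*sc.Privileged {
			continue
		}
		hasPrivileged = true
		score.AddComment(container.Name, "The container is privileged", "Set securityContext.privileged to false. Privileged containers can access all devices on the host, and grants almost the same access as non-containerized processes on the host.")
	}

	score.Grade = scorecard.GradeAllOK
	if hasPrivileged {
		score.Grade = scorecard.GradeCritical
	}
	return score, nil
}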
| 67 | // containerSecurityContextUserGroupID checks that the user and group are valid ( > 10000) in the security context |
| 68 | func containerSecurityContextUserGroupID(ps ks.PodSpecer) (score scorecard.TestScore, err error) { |