Clean up privileged/sens mount container rules #651
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fntlnz
approved these changes
Jun 6, 2019
Kaizhe
reviewed
Jun 6, 2019
leodido
approved these changes
Jun 6, 2019
mstemm
force-pushed
the
granular-container-exceptions
branch
2 times, most recently
from
2547439 to
3483920
Compare
|
/auto-cc |
|
/check-dco |
|
/lgtm |
|
LGTM label has been added. Git tree hash: 860948a72a1dbeff53d3417e3febf07a3124aa64
|
fntlnz
approved these changes
Jun 11, 2019
|
/auto-cc |
|
/approve |
fntlnz
changed the title
leodido
approved these changes
Jun 11, 2019
|
/lgtm |
|
LGTM label has been added. Git tree hash: 3d734d9ae6aa2d326167b9e65ab0fa944e0bb762
|
Previously, the exceptions for Launch Privileged Container/Launch Sensitive Mount Container came from a list of "trusted" images and/or a macro that defined "trusted" containers. We want more fine-grained control over the exceptions for these rules, so split them into exception lists/macros that are specific to each rule. This defines: - falco_privileged_images: only those images that are known to require privileged=true - falco_privileged_containers: uses privileged_images and (for now) still allows all openshift images - user_privileged_containers: allows user exceptions - falco_sensitive_mount_images: only thoe images that are known to perform sensitive mounts - falco_sensitive_mount_containers: uses sensitive_mount_images - user_sensitive_mount_containers: allows user exceptions For backwards compatibility purposes only, we keep the trusted_images list and user_trusted_containers macro and they are still used as exceptions for both rules. Comments recommend using the more fine-grained alternatives, though. While defining these lists, also do another survey to see if they still require these permissions and remove them if they didn't. Removed: - quay.io/coreos/flannel - consul Moved to sensitive mount only: - gcr.io/google_containers/hyperkube - datadog - gliderlabs/logspout Finally, get rid of the k8s audit-specific lists of privileged/sensitive mount images, relying on the ones in falco_rules.yaml. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Define macros k8s_audit_always_true/k8s_audit_never_true that work for k8s audit events. Use them in macros that were asserting true/false values. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Start using a falco_ prefix for falco-provided lists/macros. Not changing existing object names to retain compatibility. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
The main changes are to use falco_rules.yaml when using k8s_audit_rules.yaml, as it now depends on it, and to modify one of the tests to add granular exceptions instead of a single trusted list. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
mstemm
force-pushed
the
granular-container-exceptions
branch
from
4633ec6 to
579ec89
Compare
|
/approve |
|
/lgtm |
|
LGTM label has been added. Git tree hash: 1b17481992bc2fa6d52d34f9f8311b03ce2f6ccc
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fntlnz, Kaizhe, leodido The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
fntlnz
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously, the exceptions for Launch Privileged Container/Launch
Sensitive Mount Container came from a list of "trusted" images and/or a
macro that defined "trusted" containers. We want more fine-grained
control over the exceptions for these rules, so split them into
exception lists/macros that are specific to each rule. This defines:
privileged=true
allows all openshift images
sensitive mounts
For backwards compatibility purposes only, we keep the trusted_images
list and user_trusted_containers macro and they are still used as
exceptions for both rules. Comments recommend using the more
fine-grained alternatives, though.
While defining these lists, also do another survey to see if they still
require these permissions and remove them if they didn't.
Removed:
Moved to sensitive mount only:
Finally, get rid of the k8s audit-specific lists of privileged/sensitive
mount images, relying on the ones in falco_rules.yaml.