Skip to content
This repository has been archived by the owner on Jan 22, 2025. It is now read-only.

fix(gke): Remove pod-security-policy-config check #43

Merged
merged 1 commit into from
Nov 8, 2023
Merged

fix(gke): Remove pod-security-policy-config check #43

merged 1 commit into from
Nov 8, 2023

Conversation

JohnTitor
Copy link
Contributor

@JohnTitor JohnTitor commented Nov 6, 2023
edited by nikpivkin
Loading

@JohnTitor JohnTitor requested a review from simar7 as a code owner November 6, 2023 21:19
@CLAassistant
Copy link

CLAassistant commented Nov 6, 2023
edited
Loading

CLA assistant check
All committers have signed the CLA.

@simar7 simar7 force-pushed the rm-pod-sec-policy branch from c9ec157 to 9755a2b Compare November 7, 2023 07:51
@simar7 simar7 requested a review from nikpivkin November 7, 2023 07:52
simar7
simar7 approved these changes Nov 7, 2023
View reviewed changes
Copy link
Member

@simar7 simar7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nikpivkin could you take a look as well?

@nikpivkin
Copy link
Collaborator

nikpivkin commented Nov 7, 2023
edited
Loading

@simar7 I think we should first remove the PodSecurityPolicy field from defsec and the rule from trivy-policies to update the schema and documentation found in this repository.

@nikpivkin
Copy link
Collaborator

nikpivkin commented Nov 7, 2023
edited
Loading

I opened PR aquasecurity/defsec#1492.

@simar7 I checked, and found that the policies do not use this field when scanning GKE, so they don't need to be updated. But Pod Security Policies are checked when scanning k8s. I think we should create a separate issue for that. Wdyt?

@simar7
Copy link
Member

simar7 commented Nov 8, 2023

I opened PR aquasecurity/defsec#1492.

@simar7 I checked, and found that the policies do not use this field when scanning GKE, so they don't need to be updated. But Pod Security Policies are checked when scanning k8s. I think we should create a separate issue for that. Wdyt?

@chen-keinan what do you think? Should we deprecate PSP altogether as mentioned above?

@chen-keinan
Copy link
Contributor

I opened PR aquasecurity/defsec#1492.
@simar7 I checked, and found that the policies do not use this field when scanning GKE, so they don't need to be updated. But Pod Security Policies are checked when scanning k8s. I think we should create a separate issue for that. Wdyt?

@chen-keinan what do you think? Should we deprecate PSP altogether as mentioned above?

its true psp is check with k8s however I assume if you use terraform scanner only it will not

@nikpivkin
Copy link
Collaborator

@chen-keinan trivy-iac also scans k8s

@chen-keinan
Copy link
Contributor

@chen-keinan trivy-iac also scans k8s

isn't the rules above are made for terraform files ?

@nikpivkin
Copy link
Collaborator

nikpivkin commented Nov 8, 2023
edited
Loading

@chen-keinan This policy is used when scanning k8s and helm.

@chen-keinan
Copy link
Contributor

@chen-keinan This policy is used when scanning k8s and helm.

@nikpivkin so maybe I'm misunderstanding which policies you suggested to removed ?

@nikpivkin
Copy link
Collaborator

nikpivkin commented Nov 8, 2023
edited
Loading

@chen-keinan PodSecurityPolicy was removed from Kubernetes in v1.25, but it is used in k8s policy. That's why I suggested creating a issue for it, but not removing the rule.

@chen-keinan
Copy link
Contributor

@chen-keinan PodSecurityPolicy was removed from Kubernetes in v1.25, but it is used in k8s policy. That's why I suggested creating a issue for it, but not removing the rule.

I see , thanks for clarifications

@simar7
Copy link
Member

simar7 commented Nov 8, 2023

I opened PR aquasecurity/defsec#1492.

@simar7 I checked, and found that the policies do not use this field when scanning GKE, so they don't need to be updated. But Pod Security Policies are checked when scanning k8s. I think we should create a separate issue for that. Wdyt?

As for the separate issue, we should do that for those policies as they don't seem to use these fields (but a separate k8s rego library).

@simar7
Copy link
Member

simar7 commented Nov 8, 2023

@chen-keinan PodSecurityPolicy was removed from Kubernetes in v1.25, but it is used in k8s policy. That's why I suggested creating a issue for it, but not removing the rule.

I see , thanks for clarifications

I've created aquasecurity/trivy#5541 to track it.

@simar7 simar7 merged commit 9030770 into aquasecurity:main Nov 8, 2023
3 checks passed
@JohnTitor JohnTitor deleted the rm-pod-sec-policy branch November 9, 2023 00:38
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@simar7 simar7 simar7 approved these changes

@nikpivkin nikpivkin Awaiting requested review from nikpivkin

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@JohnTitor @CLAassistant @nikpivkin @simar7 @chen-keinan