handle case-insensitivity for capabilities (#619)

* handle lowercase letters in ALL for capabilities * change all caps to regexp * revert file
FairwindsOps · Aug 31, 2021 · c0d8eb6 · c0d8eb6
1 parent 19bf91e
commit c0d8eb6
Show file tree

Hide file tree

Showing 7 changed files with 90 additions and 21 deletions.
diff --git a/checks/dangerousCapabilities.yaml b/checks/dangerousCapabilities.yaml
@@ -17,10 +17,10 @@ schema:
               allOf:
                 - not:
                     contains:
-                      const: ALL
+                      pattern: '^(?i)ALL$'
                 - not:
                     contains:
-                      const: SYS_ADMIN
+                      pattern: '^(?i)SYS_ADMIN$'
                 - not:
                     contains:
-                      const: NET_ADMIN
+                      pattern: '^(?i)NET_ADMIN$'
diff --git a/checks/insecureCapabilities.yaml b/checks/insecureCapabilities.yaml
@@ -22,35 +22,35 @@ schema:
               type: array
               oneOf:
               - contains:
-                  const: ALL
+                  pattern: '^(?i)ALL$'
               - allOf:
                 - contains:
-                    const: NET_ADMIN
+                    pattern: '^(?i)NET_ADMIN$'
                 - contains:
-                    const: CHOWN
+                    pattern: '^(?i)CHOWN$'
                 - contains:
-                    const: DAC_OVERRIDE
+                    pattern: '^(?i)DAC_OVERRIDE$'
                 - contains:
-                    const: FSETID
+                    pattern: '^(?i)FSETID$'
                 - contains:
-                    const: FOWNER
+                    pattern: '^(?i)FOWNER$'
                 - contains:
-                    const: MKNOD
+                    pattern: '^(?i)MKNOD$'
                 - contains:
-                    const: NET_RAW
+                    pattern: '^(?i)NET_RAW$'
                 - contains:
-                    const: SETGID
+                    pattern: '^(?i)SETGID$'
                 - contains:
-                    const: SETUID
+                    pattern: '^(?i)SETUID$'
                 - contains:
-                    const: SETFCAP
+                    pattern: '^(?i)SETFCAP$'
                 - contains:
-                    const: SETPCAP
+                    pattern: '^(?i)SETPCAP$'
                 - contains:
-                    const: NET_BIND_SERVICE
+                    pattern: '^(?i)NET_BIND_SERVICE$'
                 - contains:
-                    const: SYS_CHROOT
+                    pattern: '^(?i)SYS_CHROOT$'
                 - contains:
-                    const: KILL
+                    pattern: '^(?i)KILL$'
                 - contains:
-                    const: AUDIT_WRITE
+                    pattern: '^(?i)AUDIT_WRITE$'
diff --git a/test/checks/dangerousCapabilities/failure.all-caps.yaml b/test/checks/dangerousCapabilities/failure.all-caps.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+  labels:
+    app.kubernetes.io/name: nginx
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+    securityContext:
+      capabilities:
+        add: ["all"]
diff --git a/test/checks/dangerousCapabilities/failure.case.yaml b/test/checks/dangerousCapabilities/failure.case.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+  labels:
+    app.kubernetes.io/name: nginx
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+    securityContext:
+      capabilities:
+        add:
+        - nEt_aDmIn
diff --git a/test/checks/dangerousCapabilities/success.yaml b/test/checks/dangerousCapabilities/success.yaml
@@ -6,9 +6,8 @@ metadata:
     app.kubernetes.io/name: nginx
 spec:
   containers:
-  - name: nginx 
+  - name: nginx
     image: nginx
     securityContext:
       capabilities:
         add:
-
diff --git a/test/checks/insecureCapabilities/success.all.yaml b/test/checks/insecureCapabilities/success.all.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+  labels:
+    env: test
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+    securityContext:
+      capabilities:
+        drop:
+        - All
diff --git a/test/checks/insecureCapabilities/success.case.yaml b/test/checks/insecureCapabilities/success.case.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+  labels:
+    env: test
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+    securityContext:
+      capabilities:
+        drop:
+          - net_admin
+          - ChOwN
+          - DaC_OverriDE
+          - fsetid
+          - FOWNER
+          - MKNOD
+          - NET_RAW
+          - SETGID
+          - SETUID
+          - SETFCAP
+          - SETPCAP
+          - NET_BIND_SERVICE
+          - SYS_CHROOT
+          - KILL
+          - AUDIT_WRITE
+