You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug
kubesec scan uses the selector ".metadata .annotations ."container.apparmor.security.beta.kubernetes.io/nginx"" for apparmor. While this works fine for the kind "pod", it doesnt apply for the kind "deployment". (kubernetes/kubernetes#66216)
The selector should be rather ".spec.template.metadata.annotations:"container.apparmor.security.beta.kubernetes.io/nginx""
To Reproduce
Run Kubesec scan with a deployment manifest, fix apparmor warning and apply the manifest and it could be found that the apparmor is not honored by the pod.
Expected behaviour
Kubesec scan should handle apparmor selector for deployment differently, else it would report false positives.
apiVersion: apps/v1 kind: Deployment spec: selector: matchLabels: app: dummy template: metadata: annotations: container.apparmor.security.beta.kubernetes.io/dummy: "runtime/default" master-0-project-stack:~> kubectl describe po dummy-pod -n monitoring | grep -i app Labels: app=dummy Annotations: container.apparmor.security.beta.kubernetes.io/dummy: runtime/default "advise": [ { "id": "ApparmorAny", "selector": ".metadata .annotations .\"container.apparmor.security.beta.kubernetes.io/nginx\"", "reason": "Well defined AppArmor policies may provide greater protection from unknown threats. WARNING: NOT PRODUCTION READY", "points": 3 },
The text was updated successfully, but these errors were encountered:
Describe the bug
kubesec scan uses the selector ".metadata .annotations ."container.apparmor.security.beta.kubernetes.io/nginx"" for apparmor. While this works fine for the kind "pod", it doesnt apply for the kind "deployment". (kubernetes/kubernetes#66216)
The selector should be rather ".spec.template.metadata.annotations:"container.apparmor.security.beta.kubernetes.io/nginx""
To Reproduce
Run Kubesec scan with a deployment manifest, fix apparmor warning and apply the manifest and it could be found that the apparmor is not honored by the pod.
Expected behaviour
Kubesec scan should handle apparmor selector for deployment differently, else it would report false positives.
apiVersion: apps/v1 kind: Deployment spec: selector: matchLabels: app: dummy template: metadata: annotations: container.apparmor.security.beta.kubernetes.io/dummy: "runtime/default"master-0-project-stack:~> kubectl describe po dummy-pod -n monitoring | grep -i app Labels: app=dummy Annotations: container.apparmor.security.beta.kubernetes.io/dummy: runtime/default"advise": [ { "id": "ApparmorAny", "selector": ".metadata .annotations .\"container.apparmor.security.beta.kubernetes.io/nginx\"", "reason": "Well defined AppArmor policies may provide greater protection from unknown threats. WARNING: NOT PRODUCTION READY", "points": 3 },The text was updated successfully, but these errors were encountered: