fix(kubernetes): CKV_K8S_40 should pass when hostUsers is false#7580
Open
UTKARSH698 wants to merge 1 commit into
A pod with spec.hostUsers: false runs in a private user namespace, so container UIDs are remapped to unprivileged host UIDs and the high-UID host-collision risk this check guards against no longer applies. RootContainersHighUID now returns PASSED early in that case. Adds example manifests covering hostUsers: false (PASSED) and an explicit hostUsers: true (still FAILED) to guard the exemption, and updates the expected summary counts. Closes bridgecrewio#7527
Description
`CKV_K8S_40` ("Containers should run as a high UID to avoid host conflict") enforces `runAsUser >= 10000` so that, if a container process runs as root, its UID will not collide with a privileged UID on the host. When a pod sets `spec.hostUsers: false` it runs in a private user namespace (enabled by default since Kubernetes 1.33). Container UIDs are then remapped to unprivileged, non-overlapping host UIDs, so the host-collision risk this check guards against can no longer occur. In that case the high-UID requirement is moot and the check should PASS.

This PR makes `RootContainersHighUID.scan_spec_conf` return `PASSED` early when `spec.hostUsers is False`. Fixes #7527
Behaviour
- `hostUsers: false` -> `PASSED` (private user namespace; UID collision impossible)
- `hostUsers: true` or unset -> unchanged (high-UID check still applies)

The guard uses an explicit `is False` check, so only the namespaced case is exempted; an unset or `true` value keeps the original behaviour.

Tests
Extended `tests/kubernetes/checks/test_RootContainersHighUID.py` example manifests:
- `hostUsers: false` pod with no `runAsUser` -> expected `PASSED` (proves the fix)
- `hostUsers: true` pod with no `runAsUser` -> expected `FAILED` (guards against over-broadening the exemption)

Expected summary counts updated to `passed=4`, `failed=7`. Test passes locally.
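The decision logic the PR describes, as an added stand-alone example rather than checkov's own `RootContainersHighUID` code: it models the `hostUsers is False` exemption in front of the `runAsUser >= 10000` rule and runs it over constructed pod manifests, including a YAML-string `"false"` that the explicit `is False` guard deliberately does not exempt. `evaluate_high_uid`, `MIN_HIGH_UID`, `CheckResult` and the per-container fallback to the pod-level `runAsUser` are assumptions of this example, not the project's API.

```python
from enum import Enum

MIN_HIGH_UID = 10000  # threshold stated in the PR: runAsUser >= 10000


class CheckResult(Enum):  # assumed stand-in for checkov's result enum
    PASSED = "PASSED"
    FAILED = "FAILED"


def evaluate_high_uid(manifest: dict) -> CheckResult:
    """Model of CKV_K8S_40 over a single Pod manifest (example, not checkov's code)."""
    spec = manifest.get("spec") or {}
    # Private user namespace: container UIDs are remapped to unprivileged host
    # UIDs, so a collision with a privileged host UID cannot occur. The check uses
    # an explicit `is False` so that unset (None), True, or a YAML string such as
    # "false" all keep the original behaviour and are NOT exempted.
    if spec.get("hostUsers") is False:
        return CheckResult.PASSED
    pod_uid = (spec.get("securityContext") or {}).get("runAsUser")
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for container in containers:
        # Assumption: a container-level runAsUser overrides the pod-level one.
        uid = (container.get("securityContext") or {}).get("runAsUser", pod_uid)
        if uid is None or int(uid) < MIN_HIGH_UID:
            return CheckResult.FAILED
    return CheckResult.PASSED


def _pod(**spec) -> dict:
    """Build a constructed Pod manifest with a single container named 'app'."""
    containers = spec.pop("containers", [{"name": "app", "image": "example/app:1"}])
    return {"apiVersion": "v1", "kind": "Pod", "spec": {"containers": containers, **spec}}


# Constructed sample manifests covering the cases the PR's tests describe plus two edge cases.
MANIFESTS = {
    "namespaced-no-uid": _pod(hostUsers=False),
    "host-users-true-no-uid": _pod(hostUsers=True),
    "host-users-string-false": _pod(hostUsers="false"),  # string, not bool: not exempted
    "unset-low-uid": _pod(securityContext={"runAsUser": 0}),
    "unset-high-uid": _pod(securityContext={"runAsUser": 10001}),
}


def summarize(manifests: dict) -> tuple[int, int]:
    """Return (passed, failed) counts, mirroring the summary the PR's tests assert on."""
    results = [evaluate_high_uid(m) for m in manifests.values()]
    passed = sum(r is CheckResult.PASSED for r in results)
    return passed, len(results) - passed
```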