feat(core): add 13 checks of Kubernetes Core service

prowler/providers/kubernetes/services/core/core_minimize_admission_hostport_containers/core_minimize_admission_hostport_containers.metadata.json

@@ -0,0 +1,36 @@
+{
+  "Provider": "kubernetes",
+  "CheckID": "core_minimize_admission_hostport_containers",
+  "CheckTitle": "Minimize the admission of containers which use HostPorts",
+  "CheckType": [
+    "Security",
+    "Configuration"
+  ],
+  "ServiceName": "Core",
+  "SubServiceName": "HostPorts",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "KubernetesPod",
+  "Description": "This check ensures that Kubernetes clusters are configured to minimize the admission of containers that require the use of HostPorts. This helps maintain network policy controls and reduce security risks.",
+  "Risk": "Permitting containers with HostPorts can bypass network policy controls, increasing the risk of unauthorized network access.",
+  "RelatedUrl": "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "https://docs.bridgecrew.io/docs/bc_k8s_25#kubernetes",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Limit the use of HostPorts in Kubernetes containers to maintain network security.",
+      "Url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/"
+    }
+  },
+  "Categories": [
+    "Network Security",
+    "Best Practices"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Carefully evaluate the need for HostPorts in container configurations and prefer network policies for secure communication."
+}

prowler/providers/kubernetes/services/core/core_minimize_admission_hostport_containers/core_minimize_admission_hostport_containers.py

@@ -0,0 +1,26 @@
+from prowler.lib.check.models import Check, Check_Report_Kubernetes
+from prowler.providers.kubernetes.services.core.core_client import core_client
+
+
+class core_minimize_admission_hostport_containers(Check):
+    def execute(self) -> Check_Report_Kubernetes:
+        findings = []
+        for pod in core_client.pods.values():
+            report = Check_Report_Kubernetes(self.metadata())
+            report.namespace = pod.namespace
+            report.resource_name = pod.name
+            report.resource_id = pod.uid
+            report.status = "PASS"
+            report.status_extended = f"Pod {pod.name} does not use HostPorts."
+
+            for container in pod.containers.values():
+                if container.ports and "host_port" in str(container.ports):
+                    report.status = "FAIL"
+                    report.status_extended = (
+                        f"Pod {pod.name} uses HostPorts in container {container.name}."
+                    )
+                    break
+
+            findings.append(report)
+
+        return findings

prowler/providers/kubernetes/services/core/core_minimize_admission_windows_hostprocess_containers/core_minimize_admission_windows_hostprocess_containers.metadata.json

@@ -0,0 +1,36 @@
+{
+  "Provider": "kubernetes",
+  "CheckID": "core_minimize_admission_windows_hostprocess_containers",
+  "CheckTitle": "Minimize the admission of Windows HostProcess Containers",
+  "CheckType": [
+    "Security",
+    "Configuration"
+  ],
+  "ServiceName": "Core",
+  "SubServiceName": "Windows HostProcess Containers",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "KubernetesPod",
+  "Description": "This check ensures that Kubernetes clusters are configured to minimize the admission of Windows containers with the hostProcess flag set to true, thus reducing the risk of privilege escalation and security breaches.",
+  "Risk": "Allowing Windows containers with hostProcess can lead to increased security risks due to privileged access to Windows nodes.",
+  "RelatedUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "https://docs.bridgecrew.io/docs/bc_k8s_1#kubernetes",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Restrict the use of Windows HostProcess containers unless essential for their operation.",
+      "Url": "https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/"
+    }
+  },
+  "Categories": [
+    "Container Security",
+    "Best Practices"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Carefully review the need for HostProcess containers in Windows environments and restrict their use."
+}

prowler/providers/kubernetes/services/core/core_minimize_admission_windows_hostprocess_containers/core_minimize_admission_windows_hostprocess_containers.py

@@ -0,0 +1,30 @@
+from prowler.lib.check.models import Check, Check_Report_Kubernetes
+from prowler.providers.kubernetes.services.core.core_client import core_client
+
+
+class core_minimize_admission_windows_hostprocess_containers(Check):
+    def execute(self) -> Check_Report_Kubernetes:
+        findings = []
+        for pod in core_client.pods.values():
+            report = Check_Report_Kubernetes(self.metadata())
+            report.namespace = pod.namespace
+            report.resource_name = pod.name
+            report.resource_id = pod.uid
+            report.status = "PASS"
+            report.status_extended = (
+                f"Pod {pod.name} does not have the ability to run a Windows HostProcess."
+            )
+
+            for container in pod.containers.values():
+                if (
+                    container.security_context
+                    and container.security_context.windows_options
+                    and container.security_context.windows_options.host_process
+                ):
+                    report.status = "FAIL"
+                    report.status_extended = f"Pod {pod.name} has the ability to run a Windows HostProcess in container {container.name}."
+                    break
+
+            findings.append(report)
+
+        return findings

prowler/providers/kubernetes/services/core/core_minimize_allowPrivilegeEscalation_containers/core_minimize_allowPrivilegeEscalation_containers.metadata.json

@@ -0,0 +1,36 @@
+{
+  "Provider": "kubernetes",
+  "CheckID": "core_minimize_allowPrivilegeEscalation_containers",
+  "CheckTitle": "Minimize the admission of containers with allowPrivilegeEscalation",
+  "CheckType": [
+    "Security",
+    "Configuration"
+  ],
+  "ServiceName": "Core",
+  "SubServiceName": "Privilege Escalation Control",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "KubernetesPod",
+  "Description": "This check ensures that Kubernetes clusters are configured to minimize the admission of containers that have the allowPrivilegeEscalation flag set to true, preventing processes within containers from gaining additional privileges.",
+  "Risk": "Allowing containers with allowPrivilegeEscalation can lead to elevated privileges within the container's context, posing a security risk.",
+  "RelatedUrl": "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "https://docs.bridgecrew.io/docs/bc_k8s_19#kubernetes",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Restrict the use of allowPrivilegeEscalation in containers through admission control policies.",
+      "Url": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/"
+    }
+  },
+  "Categories": [
+    "Container Security",
+    "Best Practices"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Exceptions for containers requiring allowPrivilegeEscalation should be clearly defined and monitored."
+}

prowler/providers/kubernetes/services/core/core_minimize_allowPrivilegeEscalation_containers/core_minimize_allowPrivilegeEscalation_containers.py

@@ -0,0 +1,29 @@
+from prowler.lib.check.models import Check, Check_Report_Kubernetes
+from prowler.providers.kubernetes.services.core.core_client import core_client
+
+
+class core_minimize_allowPrivilegeEscalation_containers(Check):
+    def execute(self) -> Check_Report_Kubernetes:
+        findings = []
+        for pod in core_client.pods.values():
+            report = Check_Report_Kubernetes(self.metadata())
+            report.namespace = pod.namespace
+            report.resource_name = pod.name
+            report.resource_id = pod.uid
+            report.status = "PASS"
+            report.status_extended = (
+                f"Pod {pod.name} does not allow for privilege escalation."
+            )
+
+            for container in pod.containers.values():
+                if (
+                    container.security_context
+                    and container.security_context.allow_privilege_escalation
+                ):
+                    report.status = "FAIL"
+                    report.status_extended = f"Pod {pod.name} allows privilege escalation in container {container.name}."
+                    break
+
+            findings.append(report)
+
+        return findings

prowler/providers/kubernetes/services/core/core_minimize_containers_added_capabilities/core_minimize_containers_added_capabilities.metadata.json

@@ -0,0 +1,36 @@
+{
+  "Provider": "kubernetes",
+  "CheckID": "core_minimize_containers_added_capabilities",
+  "CheckTitle": "Minimize the admission of containers with added capabilities",
+  "CheckType": [
+    "Security",
+    "Configuration"
+  ],
+  "ServiceName": "Core",
+  "SubServiceName": "Capability Management",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "KubernetesPod",
+  "Description": "This check ensures that Kubernetes clusters are configured to minimize the admission of containers with capabilities assigned beyond the default set, mitigating the risks of container breakout attacks.",
+  "Risk": "Allowing containers with additional capabilities increases the risk of security breaches and container breakout attacks.",
+  "RelatedUrl": "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Restrict the addition of extra capabilities to containers through admission control policies.",
+      "Url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/"
+    }
+  },
+  "Categories": [
+    "Container Security",
+    "Best Practices"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Exceptions for adding capabilities should be explicitly defined and monitored."
+}

prowler/providers/kubernetes/services/core/core_minimize_containers_added_capabilities/core_minimize_containers_added_capabilities.py

@@ -0,0 +1,28 @@
+from prowler.lib.check.models import Check, Check_Report_Kubernetes
+from prowler.providers.kubernetes.services.core.core_client import core_client
+
+
+class core_minimize_containers_added_capabilities(Check):
+    def execute(self) -> Check_Report_Kubernetes:
+        findings = []
+        for pod in core_client.pods.values():
+            report = Check_Report_Kubernetes(self.metadata())
+            report.namespace = pod.namespace
+            report.resource_name = pod.name
+            report.resource_id = pod.uid
+            report.status = "PASS"
+            report.status_extended = f"Pod {pod.name} does not have added capabilities."
+
+            for container in pod.containers.values():
+                if (
+                    container.security_context
+                    and container.security_context.capabilities
+                    and container.security_context.capabilities.add
+                ):
+                    report.status = "FAIL"
+                    report.status_extended = f"Pod {pod.name} has added capabilities in container {container.name}."
+                    break
+
+            findings.append(report)
+
+        return findings

prowler/providers/kubernetes/services/core/core_minimize_containers_capabilities_assigned/core_minimize_containers_capabilities_assigned.metadata.json

@@ -0,0 +1,36 @@
+{
+  "Provider": "kubernetes",
+  "CheckID": "core_minimize_containers_capabilities_assigned",
+  "CheckTitle": "Minimize the admission of containers with capabilities assigned",
+  "CheckType": [
+    "Security",
+    "Configuration"
+  ],
+  "ServiceName": "Core",
+  "SubServiceName": "Capability Assignment",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "KubernetesPod",
+  "Description": "This check ensures that Kubernetes clusters are configured to minimize the admission of containers with Linux capabilities assigned, adhering to the principle of least privilege and reducing the risk of privilege escalation.",
+  "Risk": "Assigning unnecessary Linux capabilities to containers increases the risk of privilege escalation and security breaches.",
+  "RelatedUrl": "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "https://docs.bridgecrew.io/docs/bc_k8s_34#kubernetes",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Restrict the assignment of Linux capabilities to containers unless essential for their operation.",
+      "Url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/"
+    }
+  },
+  "Categories": [
+    "Container Security",
+    "Best Practices"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Review the use of capabilities in applications and ensure that only necessary capabilities are assigned."
+}

prowler/providers/kubernetes/services/core/core_minimize_containers_capabilities_assigned/core_minimize_containers_capabilities_assigned.py

@@ -0,0 +1,33 @@
+from prowler.lib.check.models import Check, Check_Report_Kubernetes
+from prowler.providers.kubernetes.services.core.core_client import core_client
+
+
+class core_minimize_containers_capabilities_assigned(Check):
+    def execute(self) -> Check_Report_Kubernetes:
+        findings = []
+        for pod in core_client.pods.values():
+            report = Check_Report_Kubernetes(self.metadata())
+            report.namespace = pod.namespace
+            report.resource_name = pod.name
+            report.resource_id = pod.uid
+            report.status = "PASS"
+            report.status_extended = (
+                f"Pod {pod.name} without capabilities issues found."
+            )
+
+            for container in pod.containers.values():
+                if (
+                    container.security_context
+                    and container.security_context.capabilities
+                ):
+                    if (
+                        container.security_context.capabilities.add
+                        or not container.security_context.capabilities.drop
+                    ):
+                        report.status = "FAIL"
+                        report.status_extended = f"Pod {pod.name} has capabilities assigned or not all dropped in container {container.name}."
+                        break
+
+            findings.append(report)
+
+        return findings

prowler/providers/kubernetes/services/core/core_minimize_hostIPC_containers/core_minimize_hostIPC_containers.metadata.json

@@ -0,0 +1,36 @@
+{
+  "Provider": "kubernetes",
+  "CheckID": "core_minimize_hostIPC_containers",
+  "CheckTitle": "Minimize the admission of containers wishing to share the host IPC namespace",
+  "CheckType": [
+    "Security",
+    "Configuration"
+  ],
+  "ServiceName": "Core",
+  "SubServiceName": "Host IPC Namespace",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "KubernetesPod",
+  "Description": "This check ensures that Kubernetes clusters are configured to minimize the admission of containers that share the host's IPC namespace. Containers with hostIPC can interact with processes outside of the container, potentially leading to security risks.",
+  "Risk": "Allowing containers to share the host's IPC namespace without strict control can lead to security risks and potential privilege escalations.",
+  "RelatedUrl": "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "https://docs.bridgecrew.io/docs/bc_k8s_3#kubernetes",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Restrict the use of hostIPC in containers through admission control policies.",
+      "Url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/"
+    }
+  },
+  "Categories": [
+    "Container Security",
+    "Best Practices"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Exceptions for hostIPC containers should be clearly defined and monitored."
+}

prowler/providers/kubernetes/services/core/core_minimize_hostIPC_containers/core_minimize_hostIPC_containers.py

@@ -0,0 +1,21 @@
+from prowler.lib.check.models import Check, Check_Report_Kubernetes
+from prowler.providers.kubernetes.services.core.core_client import core_client
+
+
+class core_minimize_hostIPC_containers(Check):
+    def execute(self) -> Check_Report_Kubernetes:
+        findings = []
+        for pod in core_client.pods.values():
+            report = Check_Report_Kubernetes(self.metadata())
+            report.namespace = pod.namespace
+            report.resource_name = pod.name
+            report.resource_id = pod.uid
+            if pod.host_ipc:
+                report.status = "FAIL"
+                report.status_extended = f"Pod {pod.name} is using hostIPC."
+            else:
+                report.status = "PASS"
+                report.status_extended = f"Pod {pod.name} is not using hostIPC."
+            findings.append(report)
+
+        return findings