Conftest Fails For a Valid Kubernetets YAML File

239 views Asked by At

I have the following simple Kubernetes YAML Deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Values.app.name }}
  namespace: {{ .Values.app.namespace }}
spec:
  selector:
    matchLabels:
      app: {{ .Values.app.name }}
  replicas: 1
  template:
    metadata:
      labels:
        app: {{ .Values.app.name }}
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 3000
        fsGroup: 2000
      containers:
        - name: {{ .Values.app.name }}
          image: {{ .Values.plantSimulatorService.image.repository }}:{{ .Values.plantSimulatorService.image.tag }}
          ports:
            - containerPort: {{ .Values.plantSimulatorService.ports.containerPort }} # Get this value from ConfigMap

I have the following in my test.rego:

package main

import data.kubernetes

name = input.metadata.name

deny[msg] {
  kubernetes.is_deployment
  not input.spec.template.spec.securityContext.runAsNonRoot

  msg = sprintf("Containers must not run as root in Deployment %s", [name])
}

When I ran this using the following command:

joesan@joesan-InfinityBook-S-14-v5:~/Projects/Private/infrastructure-projects/plant-simulator-deployment$ helm conftest helm-k8s -p test
WARN - Found service plant-simulator-service but services are not allowed
WARN - Found service plant-simulator-grafana but services are not allowed
WARN - Found service plant-simulator-prometheus but services are not allowed
FAIL - Containers must not run as root in Deployment plant-simulator
FAIL - Deployment plant-simulator must provide app/release labels for pod selectors

As you can see I'm indeed not running the container as root, but despite that I get this error message - Containers must not run as root in Deployment plant-simulator

Any ideas what the reason could be?

1

There are 1 answers

2
Fritz Duchardt On BEST ANSWER

You need to add runAsNonRoot to your securityContext:

  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
    runAsNonRoot: true

The rego rule is only able to validate Yaml structure - it is not clever enough to work out that your configuration is effectively running a non-root user.