
fix(kubernetes): Add to nested resources on k8s graph inherit namespace #6912

Open. Wants to merge 1 commit into main from add-namespace-nested-resources-k8s.

Conversation

talazuri (Contributor) commented Dec 18, 2024

User description

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

I fixed the k8s build graph to inherit namespace for nested resources.

Fixes # (issue)

New/Edited policies (Delete if not relevant)

Description

Include a description of what makes it a violation and any relevant external links.

Fix

How does someone fix the issue in code and/or in runtime?

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes

Generated description

Below is a concise technical summary of the changes proposed in this PR:

This pull request introduces changes to the Kubernetes graph builder to inherit namespaces for nested resources and implements a new check to ensure Kubernetes resources are not in the default namespace. Additionally, it includes a new check for privilege escalation.

Topic: Namespace Inheritance
Details: Modifies the Kubernetes graph builder to inherit namespace for nested resources
Modified files (1):
  • checkov/kubernetes/graph_builder/local_graph.py

Topic: No Default Namespace
Details: Implements a new check (CKV_K8S_160) to ensure Kubernetes resources are not in the default namespace
Modified files (5):
  • tests/kubernetes/graph/checks/test_yaml_policies.py
  • tests/kubernetes/graph/checks/resources/NoDefaultNamespace/template.yaml
  • tests/kubernetes/graph/checks/resources/NoDefaultNamespace/expected.yaml
  • tests/kubernetes/checks/example_NoDefaultNamespace/Dev-PASSED.yaml
  • tests/kubernetes/graph/checks/test_checks/NoDefaultNamespace.yaml

Topic: Allow Privilege Escalation
Details: Ensures Kubernetes resources do not allow privilege escalation
Modified files (1):
  • tests/kubernetes/graph/checks/resources/AllowPrivilegeEscalation/expected.yaml
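The namespace-inheritance behaviour summarised above, as an added example that is not checkov's own code: a small graph-builder step that lifts the pod template out of a workload resource as a synthetic Pod and copies the parent's `metadata.namespace` onto it only when the template has none of its own. The kind-to-template-path table, the function names and the sample manifests are assumptions constructed for this example; it also covers the edge case of a template with no `metadata` block, which the lookup must not trip over.

```python
"""Added example (not checkov's own code): a graph-builder step that lifts
nested pod templates out of workload resources and lets a template without
its own metadata.namespace inherit the parent's.

Assumed: manifests are plain dicts as loaded from YAML; the kind-to-template
path table and all function names below are hypothetical."""
from __future__ import annotations

import copy
from typing import Any, Dict, List, Optional, Tuple

# Where each workload kind keeps its pod template (assumed from the k8s API shapes).
NESTED_TEMPLATE_PATHS: Dict[str, Tuple[str, ...]] = {
    "Deployment": ("spec", "template"),
    "StatefulSet": ("spec", "template"),
    "DaemonSet": ("spec", "template"),
    "Job": ("spec", "template"),
    "CronJob": ("spec", "jobTemplate", "spec", "template"),
}


def _dig(conf: Dict[str, Any], path: Tuple[str, ...]) -> Optional[Dict[str, Any]]:
    """Walk `path` through nested dicts; None if any step is missing or not a dict."""
    cur: Any = conf
    for key in path:
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur if isinstance(cur, dict) else None


def extract_nested_resources(conf: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return `conf` followed by a synthetic Pod for its nested template, if any.

    The input is not mutated. The synthetic Pod keeps the template's own
    metadata (labels, an explicit namespace); only a missing namespace is
    filled in from the parent, and a template with no metadata block at all
    gets an empty one first so the lookup cannot raise AttributeError.
    """
    resources: List[Dict[str, Any]] = [conf]
    path = NESTED_TEMPLATE_PATHS.get(conf.get("kind", ""))
    template = _dig(conf, path) if path else None
    if template is None:
        return resources

    parent_metadata = conf.get("metadata")
    parent_namespace = parent_metadata.get("namespace") if isinstance(parent_metadata, dict) else None

    pod = copy.deepcopy(template)
    pod["kind"] = "Pod"
    pod["apiVersion"] = "v1"  # a pod template is a core/v1 PodTemplateSpec
    pod_metadata = pod.get("metadata")
    if not isinstance(pod_metadata, dict):  # absent or malformed metadata block
        pod_metadata = {}
        pod["metadata"] = pod_metadata
    if pod_metadata.get("namespace") is None and parent_namespace is not None:
        pod_metadata["namespace"] = parent_namespace
    resources.append(pod)
    return resources


def effective_namespace(resource: Dict[str, Any]) -> str:
    """Namespace a check such as 'not in the default namespace' would evaluate."""
    metadata = resource.get("metadata")
    if isinstance(metadata, dict) and metadata.get("namespace"):
        return str(metadata["namespace"])
    return "default"  # what the API server applies when none is given


# Constructed sample manifests (not from the PR or its tests).
DEPLOYMENT_IN_PROD: Dict[str, Any] = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "prod"},
    "spec": {"template": {
        "metadata": {"labels": {"app": "web"}},
        "spec": {"containers": [{"name": "web", "image": "nginx:1.27"}]},
    }},
}
CRONJOB_NO_TEMPLATE_METADATA: Dict[str, Any] = {
    "apiVersion": "batch/v1", "kind": "CronJob",
    "metadata": {"name": "backup", "namespace": "ops"},
    "spec": {"schedule": "0 2 * * *", "jobTemplate": {"spec": {"template": {
        "spec": {"containers": [{"name": "backup", "image": "busybox"}]},
    }}}},
}
JOB_WITHOUT_NAMESPACE: Dict[str, Any] = {
    "apiVersion": "batch/v1", "kind": "Job",
    "metadata": {"name": "migrate"},
    "spec": {"template": {"metadata": {"labels": {"job": "migrate"}},
                          "spec": {"containers": [{"name": "m", "image": "alpine"}]}}},
}


if __name__ == "__main__":
    for manifest in (DEPLOYMENT_IN_PROD, CRONJOB_NO_TEMPLATE_METADATA, JOB_WITHOUT_NAMESPACE):
        for res in extract_nested_resources(manifest):
            name = res.get("metadata", {}).get("name", "<template>")
            print(res["kind"], name, "->", effective_namespace(res))
```

The parent without a namespace (the Job above) deliberately leaves the synthetic Pod without one as well, so a "no default namespace" style check still sees it as living in `default` rather than being masked by an inherited value that was never set.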

talazuri force-pushed the add-namespace-nested-resources-k8s branch from ec870e7 to 6331d90 on December 18, 2024 11:41
talazuri changed the title from "fix(k8s): Add to nested resources on k8s graph inherit namespace" to "fix(kubernetes): Add to nested resources on k8s graph inherit namespace" on Dec 18, 2024
talazuri force-pushed the add-namespace-nested-resources-k8s branch from 6331d90 to 20a54a0 on December 18, 2024 14:31
talazuri force-pushed the add-namespace-nested-resources-k8s branch from 20a54a0 to 3ebb59e on December 18, 2024 14:34
talazuri force-pushed the add-namespace-nested-resources-k8s branch from 3ebb59e to a7a2548 on December 18, 2024 14:39
@@ -171,6 +171,12 @@ def _extract_nested_resources_recursive(conf: Dict[str, Any], all_resources: Lis
template['apiVersion'] = conf.get('apiVersion')

template_metadata = template.get('metadata')

Contributor (review comment):

nice!

template_namespace = template_metadata.get('namespace')
metadata_namespace = metadata.get('namespace')
if template_namespace is None and metadata_namespace is not None:
template_metadata['namespace'] = metadata.get('namespace')
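Review bot: `template_metadata` comes straight from `template.get('metadata')` and is then dereferenced with `template_metadata.get('namespace')`, so a nested template whose `metadata` key is absent makes the graph builder raise `AttributeError` instead of inheriting the parent's namespace; initialise it with `template_metadata = template.setdefault('metadata', {})` so the later `template_metadata['namespace'] = ...` assignment also has a dict to write into. Minor: the assignment re-reads `metadata.get('namespace')` although `metadata_namespace` already holds that value two lines above, so assign `metadata_namespace` directly.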
Contributor (review comment):

Suggested change:
template_metadata['namespace'] = metadata.get('namespace')
template_metadata['namespace'] = metadata_namespace

talazuri (Contributor, Author) replied:

You're right!
Fixed

talazuri force-pushed the add-namespace-nested-resources-k8s branch from a7a2548 to 3d57e74 on December 18, 2024 19:01
4 participants