diff --git a/skills/cloud/container-security/SKILL.md b/skills/cloud/container-security/SKILL.md index eb43ecf0..f9f3424d 100644 --- a/skills/cloud/container-security/SKILL.md +++ b/skills/cloud/container-security/SKILL.md @@ -31,7 +31,7 @@ This skill performs a structured security review of container images and Kuberne - **CIS Kubernetes Benchmark v1.9.0** -- 5 sections covering control plane, etcd, control plane configuration, worker nodes, and policies. - **NIST SP 800-190** (Application Container Security Guide) -- Countermeasures for image, registry, orchestrator, container, and host OS risks. -The review covers Dockerfiles, Kubernetes manifests, Helm charts, and supporting configurations. Each finding is mapped to specific CIS recommendation IDs or NIST SP 800-190 countermeasure categories. +The review covers Dockerfiles, Kubernetes manifests, Helm charts, and supporting configurations. Each finding is mapped to specific CIS recommendation IDs or NIST SP 800-190 countermeasure categories. For Kubernetes workload reviews, record regular, init, and ephemeral container coverage separately, and capture RBAC/admission/audit evidence when runtime debug containers are possible. --- @@ -151,6 +151,7 @@ Produce the final report using the structure defined in the Output Format sectio - Failed: - Critical/High findings requiring immediate attention: - Pod Security Standard compliance: Privileged / Baseline / Restricted +- Container coverage: Regular / Init / Ephemeral (recorded separately) ### Findings by Domain @@ -170,6 +171,8 @@ Produce the final report using the structure defined in the Output Format sectio - **Status:** Fail - **Severity:** Critical / High / Medium / Low - **Pod Security Standard Impact:** Violates Restricted / Violates Baseline / Compliant +- **Container Coverage:** Regular / Init / Ephemeral +- **Runtime Debug Container Evidence:** RBAC / Admission / Audit / Not Evaluable - **File:** - **Line(s):** - **Resource:** @@ -194,7 +197,8 @@ Produce the final report using the structure defined in the Output Format sectio ### Summary - Dockerfiles reviewed: - Kubernetes workloads reviewed: -- Overall Pod Security Standard level: +- Pod Security Standard compliance: Privileged / Baseline / Restricted +- Container coverage: Regular / Init / Ephemeral (recorded separately) - Critical findings: - High findings: - Medium findings: @@ -250,7 +254,7 @@ Produce the final report using the structure defined in the Output Format sectio ## Common Pitfalls -1. **Init containers and sidecar containers are often missed.** Pod Security Standards apply to ALL containers in a pod, including init containers and ephemeral containers. Check every container spec. +1. **Init containers and sidecar containers are often missed.** Pod Security Standards apply to ALL containers in a pod, including init containers and ephemeral containers. Check every container spec, and record regular/init/ephemeral coverage separately. If runtime debug containers are allowed, verify RBAC, admission, and audit evidence for the `pods/ephemeralcontainers` subresource. 2. **Helm template values may override security settings.** A Helm chart template may set `runAsNonRoot: true`, but `values.yaml` or environment-specific values files may override it to `false`. Always check both the templates and all values files. 3. **Default namespace is not just a naming issue.** The `default` namespace typically has no NetworkPolicy and no Pod Security Admission labels. Workloads in `default` often bypass all policy controls. 4. **Base64 encoding is not encryption.** Kubernetes Secrets store data as base64, which is trivially decodable. Secrets committed to version control in manifests are effectively plaintext. diff --git a/skills/cloud/container-security/cis-benchmarks.md b/skills/cloud/container-security/cis-benchmarks.md index 3b547ca4..df0ae377 100644 --- a/skills/cloud/container-security/cis-benchmarks.md +++ b/skills/cloud/container-security/cis-benchmarks.md @@ -280,6 +280,8 @@ metadata: Or check for OPA/Gatekeeper or Kyverno policies. +For every Pod Security Standards check below, inspect `spec.containers`, `spec.initContainers`, and `spec.ephemeralContainers` when present. If the workload can accept runtime debug containers via `kubectl debug` or the `pods/ephemeralcontainers` subresource, verify RBAC, admission, and audit evidence for that subresource as part of the review. + #### CIS 5.2.2 -- Minimize the admission of privileged containers **Critical check:**