Add a subcommand to print the rules
spiarh opened this issue · 0 comments
spiarh commented
**Is your feature request related to a problem? Please describe.**

There is no easy way to see the rules that are evaluated except by looking at https://kubesec.io/
**Describe the solution you'd like**

I did a quick test and this could look like this:
table:

```
$ kubesec print-rules -f table
ID |Reason |Points |Kinds
AllowPrivilegeEscalation |Ensure a non-root process can not gain more privileges |-7 |Pod,Deployment,StatefulSet,DaemonSet |
ApparmorAny |Well defined AppArmor policies may provide greater protection from unknown threats. WARNING: NOT PRODUCTION READY |3 |Pod,Deployment,StatefulSet,DaemonSet |
```
json:

```
$ kubesec print-rules -f json
[
  {
    "id": "AllowPrivilegeEscalation",
    "selector": "containers[] .securityContext .allowPrivilegeEscalation == true",
    "reason": "Ensure a non-root process can not gain more privileges",
    "kinds": [
      "Pod",
      "Deployment",
      "StatefulSet",
      "DaemonSet"
    ],
    "points": -7,
    "advise": 0
  },
  {
    "id": "ApparmorAny",
    "selector": ".metadata .annotations .\"container.apparmor.security.beta.kubernetes.io/nginx\"",
    "reason": "Well defined AppArmor policies may provide greater protection from unknown threats. WARNING: NOT PRODUCTION READY",
    "kinds": [
      "Pod",
      "Deployment",
      "StatefulSet",
      "DaemonSet"
    ],
    "points": 3,
    "advise": 0
  },
  ...
]
```
yaml:

```
$ kubesec print-rules -f yaml
- id: AllowPrivilegeEscalation
  selector: containers[] .securityContext .allowPrivilegeEscalation == true
  reason: Ensure a non-root process can not gain more privileges
  kinds:
  - Pod
  - Deployment
  - StatefulSet
  - DaemonSet
  points: -7
  advise: 0
- id: ApparmorAny
  selector: .metadata .annotations ."container.apparmor.security.beta.kubernetes.io/nginx"
  reason: 'Well defined AppArmor policies may provide greater protection from unknown
    threats. WARNING: NOT PRODUCTION READY'
  kinds:
  - Pod
  - Deployment
  - StatefulSet
  - DaemonSet
  points: 3
  advise: 0
...
```
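An added sketch (not kubesec's own code, and not part of this issue) of how such a `print-rules` renderer could be structured in Go: a `Rule` struct with the fields shown above, a constructed two-rule sample copied from the mock output, and a `RenderRules` function that emits the `table` and `json` views and rejects unknown formats. The `yaml` view is left out because it would need a third-party YAML library; the struct, function and sample names are assumptions for this illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
	"text/tabwriter"
)

// Rule mirrors the fields in the proposed print-rules output (assumed shape, not kubesec's type).
type Rule struct {
	ID       string   `json:"id"`
	Selector string   `json:"selector"`
	Reason   string   `json:"reason"`
	Kinds    []string `json:"kinds"`
	Points   int      `json:"points"`
	Advise   int      `json:"advise"`
}

var allWorkloads = []string{"Pod", "Deployment", "StatefulSet", "DaemonSet"}

// sampleRules is constructed from the two rules quoted in the issue; it is not the real rule table.
var sampleRules = []Rule{
	{ID: "AllowPrivilegeEscalation", Selector: "containers[] .securityContext .allowPrivilegeEscalation == true",
		Reason: "Ensure a non-root process can not gain more privileges", Kinds: allWorkloads, Points: -7},
	{ID: "ApparmorAny", Selector: `.metadata .annotations ."container.apparmor.security.beta.kubernetes.io/nginx"`,
		Reason: "Well defined AppArmor policies may provide greater protection from unknown threats. WARNING: NOT PRODUCTION READY",
		Kinds: allWorkloads, Points: 3},
}

// RenderRules returns the rule list in the requested format: "table" (aligned columns) or "json".
func RenderRules(rules []Rule, format string) (string, error) {
	switch format {
	case "json":
		b, err := json.MarshalIndent(rules, "", "  ")
		if err != nil {
			return "", err
		}
		return string(b) + "\n", nil
	case "table":
		var buf bytes.Buffer
		w := tabwriter.NewWriter(&buf, 0, 0, 1, ' ', 0) // pad each column to its widest cell
		fmt.Fprintln(w, "ID\t|Reason\t|Points\t|Kinds")
		for _, r := range rules {
			fmt.Fprintf(w, "%s\t|%s\t|%d\t|%s\n", r.ID, r.Reason, r.Points, strings.Join(r.Kinds, ","))
		}
		if err := w.Flush(); err != nil {
			return "", err
		}
		return buf.String(), nil
	default:
		return "", fmt.Errorf("unsupported format %q (want table or json)", format)
	}
}

func main() {
	out, err := RenderRules(sampleRules, "table")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Print(out)
}
```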