This repository has been archived by the owner on Oct 30, 2024. It is now read-only.

Adds a new 'mounts' command to audit sensitive host paths mounts #322

Merged (11 commits) on Feb 24, 2021
2 changes: 1 addition & 1 deletion auditors/mounts/config.go
@@ -1,7 +1,7 @@
package mounts

type Config struct {
SensitivePaths []string `yaml:"paths"`
SensitivePaths []string `yaml:"denyPathsList"`
}

func (config *Config) GetSensitivePaths() []string {
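Review bot: The YAML key on `SensitivePaths` becomes `denyPathsList`, but the field and its getter `GetSensitivePaths()` keep the old vocabulary, so the config key and the Go identifiers now use two different names for the same thing. Either rename the field and getter to match (for example `DenyPathsList` / `GetDenyPathsList()`) or add a short comment on the struct explaining that the deny list is the set of sensitive paths. The `List` suffix on a key whose value is already a YAML sequence is also redundant; `denyPaths` would read the same.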
2 changes: 1 addition & 1 deletion cmd/commands/mounts.go
Expand Up @@ -8,7 +8,7 @@ import (
"strings"
)

const sensitivePathsFlagName = "paths"
const sensitivePathsFlagName = "denyPathsList"

var mountsConfig mounts.Config
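Review bot: The new value of `sensitivePathsFlagName` is a mixed-case long flag (`denyPathsList`), which is easy to mistype on the command line and is a style choice worth confirming against the tool's other flags before it ships. If the intent is only to share one spelling between the flag and the YAML key, say so in a comment next to the constant; otherwise consider a lower-case or hyphenated flag name and keep the camelCase form for the config key only. The constant's own name still says `sensitivePaths`, so a reader searching for the flag by its new name will not find it.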

4 changes: 2 additions & 2 deletions config/config.yaml
Expand Up @@ -18,12 +18,12 @@ enabledAuditors:
seccomp: true
auditors:
capabilities:
# add capabilities needed to the add list, so kubeaudit won't report errors
# add capabilities needed to the add list, so kubeaudit won't report errors
add: ["AUDIT_WRITE", "CHOWN", "KILL"]
image:
image: "myimage:mytag"
limits:
cpu: "750m"
memory: "500m"
mounts:
paths: ["/proc", "/var/run/docker.sock", "/", "/etc", "/root", "/var/run/crio/crio.sock", "/home/admin", "/var/lib/kubelet", "/var/lib/kubelet/pki", "/etc/kubernetes", "/etc/kubernetes/manifests"]
denyPathsList: ["/proc", "/var/run/docker.sock", "/", "/etc", "/root", "/var/run/crio/crio.sock", "/home/admin", "/var/lib/kubelet", "/var/lib/kubelet/pki", "/etc/kubernetes", "/etc/kubernetes/manifests"]
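Review bot: The `denyPathsList` default under `mounts:` does not say whether entries are matched exactly or as path prefixes, and the list is ambiguous either way. It contains `/` alongside `/etc`, and `/etc` alongside `/etc/kubernetes` and `/etc/kubernetes/manifests` (likewise `/var/lib/kubelet` and `/var/lib/kubelet/pki`). If matching is by prefix, `/` already covers every host path and the rest are redundant; if matching is exact, a mount of a sibling such as another directory under `/etc` passes the audit unflagged. Please add a comment above the key stating the matching rule, as was done for the `capabilities` entry, so users extending the list know what an entry actually denies.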
10 changes: 5 additions & 5 deletions docs/auditors/mounts.md
Expand Up @@ -10,9 +10,9 @@ kubeaudit mounts [flags]

### Flags

| Short | Long | Description | Default |
| :------ | :-------- | :------------------------------------------------------------------- | :----------------------------------------------------------------------- |
| -s | --paths | List of sensitive paths that shouldn't be mounted. | [default sensitive host paths list](#Default-sensitive-host-paths-list) |
| Short | Long | Description | Default |
| :------ | :---------------- | :------------------------------------------------------------------- | :----------------------------------------------------------------------- |
| -s | --denyPathsList | List of sensitive paths that shouldn't be mounted. | [default sensitive host paths list](#Default-sensitive-host-paths-list) |

Also see [Global Flags](/README.md#global-flags)
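Review bot: The description for `--denyPathsList` in the flags table is missing two things a user needs to use it: the value format, and whether a value replaces the default list or is added to it. The usage example further down passes a single comma-separated string, so the row could read "Comma-separated list of host paths that shouldn't be mounted" and state explicitly what happens to the defaults linked in the last column when the flag is set. The short flag stays `-s`, which no longer abbreviates the long name; worth a note or a rename.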

Expand Down Expand Up @@ -71,7 +71,7 @@ enabledAuditors:
mounts: true
auditors:
mounts:
paths: ["/etc", "/var/run/docker.sock"]
denyPathsList: ["/etc", "/var/run/docker.sock"]
```
`manifest.yaml`
Expand Down Expand Up @@ -154,7 +154,7 @@ volumes:
```

```shell
$ kubeaudit mounts --paths "/etc,/var/run/docker.sock" -f "manifest.yaml"
$ kubeaudit mounts --denyPathsList "/etc,/var/run/docker.sock" -f "manifest.yaml"
---------------- Results for ---------------
apiVersion: apps/v1beta2
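Review bot: The sample output following the updated `kubeaudit mounts --denyPathsList ...` command still shows `apiVersion: apps/v1beta2`, an API version Kubernetes stopped serving in 1.16, so a reader who copies `manifest.yaml` from this page cannot apply it to a current cluster. Since these docs are new in this PR, switch the example manifest and its output to `apps/v1`.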