Commit

Ensure we respect K8s version when pulling and indexing RBAC related resources (#298)

* Adds version method to the k8s client to determine kubernetes version

* Do not fetch and index PSP when dealing with k8s 1.25 and above

* Mark psp related rule as only applicable when working with k8s < 1.25

* Small readme tweaks

* Update dash dependencies
marcinc authored Feb 1, 2023
1 parent 670e1e7 commit 2774fbe
Showing 8 changed files with 13,306 additions and 13,196 deletions.
2 changes: 1 addition & 1 deletion Dockerfile
Expand Up @@ -33,7 +33,7 @@ RUN bundle config set without 'development test'
RUN bundle install --jobs 20 --retry 5

# build the UI
RUN cd dashboard && npm install --no-optional && npm audit fix && npm rebuild node-sass && npm install -g sass-migrator && sass-migrator division **/*.scss && node_modules/.bin/gulp release
RUN cd dashboard && npm install --omit=optional && npm audit fix && npm rebuild node-sass && npm install -g sass-migrator && sass-migrator division **/*.scss && node_modules/.bin/gulp release

##############################################################
# Stage: final
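Review bot: `--omit=optional` is the npm 7+ spelling of the older `--no-optional` flag, so this line now depends on the npm version shipped in the build stage; confirm or pin that version, because an older npm may not honour the option and will install optional dependencies anyway. While this line is being touched, `npm audit fix` inside the image build rewrites `package-lock.json` at build time, which makes the dashboard build non-reproducible and means the dependency set reviewed is not necessarily the one shipped; prefer `npm ci` here and land `npm audit fix` as a separate, committed lockfile change.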
6 changes: 4 additions & 2 deletions README.md
Expand Up @@ -153,6 +153,8 @@ If Pod Security Policies are not in use you may bypass the expectation above by
}
```

Note, `PodSecurityPolicy` was deprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25.

#### Inside a Kubernetes cluster

To run a report from a container running in Kubernetes cluster
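Review bot: the added note only records the upstream deprecation and removal; it should also say what Krane does about it, namely that on clusters reporting v1.25 or later PodSecurityPolicy objects are neither fetched nor indexed (as the commit message states), so readers understand why the PSP rule is shown as not applicable rather than as an empty result. For example: "Note, `PodSecurityPolicy` was deprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25. Krane detects the cluster version and skips PSP collection and indexing on v1.25 and later."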
Expand Down Expand Up @@ -196,15 +198,15 @@ _Krane_ indexes RBAC entites in RedisGraph. This allows us to query network of d

The following nodes are created in the Graph for the relevant RBAC objects:

* `Psp` - A PSP node containing attributes around the pod security policy.
* `Psp` - A PSP node containing attributes around the pod security policy. Only applicable when working with K8s < 1.25.
* `Rule` - Rule node represents access control rule around Kubernetes resources.
* `Role` - Role node represents a given Role or ClusterRole. `kind` attribute defines type of role.
* `Subject` - Subject represents all possible actors in the cluster (`kind`: User, Group and ServiceAccount)
* `Namespace` - Kubernetes Namespace node.

#### Edges

* `:SECURITY` - Defines a link between Rule and Psp nodes.
* `:SECURITY` - Defines a link between Rule and Psp nodes. Only applicable when working with K8s < 1.25.
* `:GRANT` - Defines a link between Role and Rule associated with that role.
* `:ASSIGN` - Defines a link between an Actor (Subject) and given Role/ClusterRole (Role node).
* `:RELATION` - Defines a link between two different Actor (Subject) nodes.
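Review bot: the applicability caveat is attached to the `Psp` node and the `:SECURITY` edge, but the text does not say that on v1.25+ these nodes and edges are simply absent from the graph, so custom queries that traverse `:SECURITY` return empty results rather than an error; one sentence making that explicit would save users some debugging. The hunk's context line also carries a pre-existing typo, `entites`, worth fixing while this paragraph is edited.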
2 changes: 1 addition & 1 deletion config/rules.yaml
Expand Up @@ -89,7 +89,7 @@ rules:
#

- id: subjects-with-privileged-psp-not-scoped-to-ns
group_title: Subjects with privileged PSP access NOT scoped to a namespace
group_title: Subjects with privileged PSP access NOT scoped to a namespace (N/A for K8s version >= 1.25)
severity: :danger
info: |
Subjects below are able to run privileged containers and are NOT scoped to a particular namespace.
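Review bot: the version restriction is recorded only in the human-readable `group_title` (`(N/A for K8s version >= 1.25)`); nothing in the visible lines gives the rule engine a machine-readable constraint, so on 1.25+ the rule is presumably still evaluated against a graph with no `Psp` nodes and yields an empty result that a reader may mistake for a clean pass. Consider a dedicated field (for example a `max_k8s_version: 1.24` style constraint; the name is a suggestion) that the engine uses to skip the rule and the report uses to mark it as not applicable.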