add subpath usage to the report (#48)

Signed-off-by: Kaizhe Huang <derek0405@gmail.com>
sysdiglabs · Sep 16, 2021 · feb1b53 · feb1b53
1 parent 2c5da5e
commit feb1b53
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 0 deletions.
diff --git a/advisor/report/report.go b/advisor/report/report.go
@@ -16,6 +16,7 @@ const (
 	hostPID                = "hostPID"
 	hostIPC                = "hostIPC"
 	hostNetwork            = "hostNetwork"
+	subPath                = "subPath"
 )
 
 type Report struct {
@@ -40,6 +41,7 @@ func NewReport() *Report {
 	r.Containers[runAsGroup] = []types.ContainerSecuritySpec{}
 	r.Containers[privileged] = []types.ContainerSecuritySpec{}
 	r.Containers[readOnlyRootFileSystem] = []types.ContainerSecuritySpec{}
+	r.Containers[subPath] = []types.ContainerSecuritySpec{}
 
 	// pod related security posture report
 	r.PodSecuritySpecs[hostPID] = []types.PodSecuritySpec{}
@@ -103,4 +105,10 @@ func (r *Report) AddContainer(c types.ContainerSecuritySpec) {
 	if c.ReadOnlyRootFS {
 		r.Containers[readOnlyRootFileSystem] = append(r.Containers[readOnlyRootFileSystem], c)
 	}
+
+	for _, vm := range c.VolumeMounts {
+		if vm.UsesSubPath() {
+			r.Containers[subPath] = append(r.Containers[subPath], c)
+		}
+	}
 }
diff --git a/advisor/types/securityspec.go b/advisor/types/securityspec.go
@@ -47,6 +47,18 @@ type VolumeMount struct {
 	SubPathExpr string `json:"subPathExpr,omitempty"`
 }
 
+func (vm VolumeMount) IsReadOnlyMount() bool {
+	return vm.ReadOnly == true
+}
+
+func (vm VolumeMount) UsesSubPath() bool {
+	if vm.SubPath != "" || vm.SubPathExpr != "" {
+		return true
+	}
+
+	return false
+}
+
 type ContainerSecuritySpec struct {
 	Metadata                 Metadata      `json:"parentMetadata"`
 	ContainerID              string        `json:"containerID"`

diff --git a/test-yaml/subpath.yaml b/test-yaml/subpath.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: my-lamp-site
+spec:
+  containers:
+  - name: mysql
+    image: mysql
+    env:
+    # this is a bad example for testing purpose
+    - name: MYSQL_ROOT_PASSWORD
+      value: "rootpasswd"
+    volumeMounts:
+    - mountPath: /var/lib/mysql
+      name: site-data
+      subPath: mysql
+  - name: php
+    image: php:7.0-apache
+    volumeMounts:
+    - mountPath: /var/www/html
+      name: site-data
+      subPath: html
+  volumes:
+  - name: site-data
+    persistentVolumeClaim:
+      claimName: my-lamp-site-data