|
| 1 | +package dev.protsenko.securityLinter.kubernetes |
| 2 | + |
| 3 | +import com.intellij.codeInspection.LocalInspectionTool |
| 4 | +import com.intellij.codeInspection.ProblemHighlightType |
| 5 | +import com.intellij.codeInspection.ProblemsHolder |
| 6 | +import com.intellij.psi.PsiElementVisitor |
| 7 | +import dev.protsenko.securityLinter.core.HtmlProblemDescriptor |
| 8 | +import dev.protsenko.securityLinter.core.SecurityPluginBundle |
| 9 | +import dev.protsenko.securityLinter.kubernetes.quickfix.ReplaceValueToDefaultQuickFix |
| 10 | +import dev.protsenko.securityLinter.utils.YamlPath |
| 11 | +import org.jetbrains.yaml.psi.YAMLDocument |
| 12 | +import org.jetbrains.yaml.psi.YAMLScalar |
| 13 | +import org.jetbrains.yaml.psi.YAMLSequence |
| 14 | + |
| 15 | +class InsecureSysctlsInspection : LocalInspectionTool() { |
| 16 | + |
| 17 | + override fun buildVisitor(holder: ProblemsHolder, isOnTheFly: Boolean): PsiElementVisitor { |
| 18 | + return object : BaseKubernetesVisitor() { |
| 19 | + override fun analyze(specPrefix: String, document: YAMLDocument) { |
| 20 | + val seccompProfileType = YamlPath.findByYamlPath( |
| 21 | + "$specPrefix$SYSCTL_PATH", |
| 22 | + document |
| 23 | + ) as? YAMLSequence ?: return |
| 24 | + |
| 25 | + for (sysctl in seccompProfileType.items) { |
| 26 | + val sysctlKey = sysctl |
| 27 | + .keysValues |
| 28 | + .firstOrNull { it.name == "name" } ?: continue |
| 29 | + val sysctlValueText = sysctlKey.valueText |
| 30 | + if (sysctlValueText !in allowedSysctls) { |
| 31 | + val descriptor = HtmlProblemDescriptor( |
| 32 | + sysctl, |
| 33 | + SecurityPluginBundle.message("kube011.documentation"), |
| 34 | + SecurityPluginBundle.message("kube011.problem-text"), |
| 35 | + ProblemHighlightType.ERROR, emptyArray() |
| 36 | + ) |
| 37 | + holder.registerProblem(descriptor) |
| 38 | + } |
| 39 | + } |
| 40 | + |
| 41 | + } |
| 42 | + } |
| 43 | + } |
| 44 | +} |
| 45 | + |
| 46 | +private val SYSCTL_PATH = "spec.securityContext.sysctls" |
| 47 | +private val allowedSysctls = setOf( |
| 48 | + "", |
| 49 | + "kernel.shm_rmid_forced", |
| 50 | + "net.ipv4.ip_local_port_range", |
| 51 | + "net.ipv4.ip_unprivileged_port_start", |
| 52 | + "net.ipv4.tcp_syncookies", |
| 53 | + "net.ipv4.ping_group_range", |
| 54 | + "net.ipv4.ip_local_reserved_ports", |
| 55 | + "net.ipv4.tcp_keepalive_time", |
| 56 | + "net.ipv4.tcp_fin_timeout", |
| 57 | + "net.ipv4.tcp_keepalive_intvl", |
| 58 | + "net.ipv4.tcp_keepalive_probes" |
| 59 | +) |
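Review bot: The allow-list `allowedSysctls` includes the empty string, so a sequence item with `name: ""` (or a bare `name:` with no value) is silently accepted as a safe sysctl instead of being treated as an incomplete entry; I would remove `""` from the set and skip blanks explicitly with `if (sysctlValueText.isBlank()) continue` before the `!in allowedSysctls` test, so the set then documents exactly the names the inspection trusts. That set also needs a header comment, e.g. `// Mirrors the kubelet's "safe" sysctl allow-list; several entries were only added in later Kubernetes releases — confirm against the target cluster version`, because nothing in the code tells a reader why these ten names are considered safe. Kubernetes appears to accept slash-separated sysctl names (e.g. `net/ipv4/ip_local_port_range`) as equivalent to the dotted form, which this exact string match would report as insecure — worth confirming and, if so, normalizing separators before the lookup. On style, the local `seccompProfileType` is a copy-paste leftover for what is really the sysctls sequence (`val sysctls = YamlPath.findByYamlPath(...) as? YAMLSequence ?: return`), and the `YAMLScalar` and `ReplaceValueToDefaultQuickFix` imports are unused in this file.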