Create rule S6865 (#3505)

* Create rule S6865 * Added description * Improved description * Fix layout to pass asciidoc tests * Fix layout to pass asciidoc tests * Some adjustments after review --------- Co-authored-by: daniel-teuchert-sonarsource <daniel-teuchert-sonarsource@users.noreply.github.com> Co-authored-by: Daniel Teuchert <daniel.teuchert@sonarsource.com> Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com>
SonarSource · Dec 19, 2023 · 7830f4a · 7830f4a
1 parent 8c10b08
commit 7830f4a
Show file tree

Hide file tree

Showing 3 changed files with 141 additions and 0 deletions.
diff --git a/rules/S6865/kubernetes/metadata.json b/rules/S6865/kubernetes/metadata.json
@@ -0,0 +1,24 @@
+{
+  "title": "Service account tokens should not be mounted in pods",
+  "type": "VULNERABILITY",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-6865",
+  "sqKey": "S6865",
+  "scope": "All",
+  "defaultQualityProfiles": ["Sonar way"],
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "MAINTAINABILITY": "MEDIUM",
+      "SECURITY": "MEDIUM"
+    },
+    "attribute": "COMPLETE"
+  }
+}
diff --git a/rules/S6865/kubernetes/rule.adoc b/rules/S6865/kubernetes/rule.adoc
@@ -0,0 +1,115 @@
+== Why is this an issue?
+
+Service account tokens are Kubernetes secrets created automatically to authenticate applications running inside pods to the API server. If a pod is compromised, an attacker could use this token to gain access to other resources in the cluster.
+
+For example, they could create new pods, modify existing ones, or even delete critical system pods, depending on the permissions associated with the service account.
+
+Therefore, it's recommended to disable the automounting of service account tokens when it's not necessary for the application running in the pod.
+
+=== What is the potential impact?
+
+==== Unauthorized Access
+If a pod with a mounted service account gets compromised, an attacker could potentially use the token to interact with the Kubernetes API, possibly leading to unauthorized access to other resources in the cluster.
+
+==== Privilege Escalation
+Service account tokens are often bound with roles that have extensive permissions. If these tokens are exposed, it could lead to privilege escalation where an attacker gains higher-level permissions than intended.
+
+==== Data Breach
+Service account tokens can be used to access sensitive data stored in the Kubernetes cluster. If these tokens are compromised, it could lead to a data breach.
+
+==== Denial of Service
+An attacker with access to a service account token could potentially overload the Kubernetes API server by sending a large number of requests, leading to a Denial of Service (DoS) attack.
+
+
+== How to fix it
+//== How to fix it in FRAMEWORK NAME
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,yaml,diff-id=1,diff-type=noncompliant]
+----
+apiVersion: v1
+kind: Pod
+metadata:
+  name: example-pod
+spec:
+  containers: # Noncompliant
+  - name: example-pod
+    image: nginx:1.25.3
+----
+
+==== Compliant solution
+
+[source,yaml,diff-id=1,diff-type=compliant]
+----
+apiVersion: v1
+kind: Pod
+metadata:
+  name: example-pod
+spec:
+  containers:
+  - name: example-pod
+    image: nginx:1.25.3
+  automountServiceAccountToken: false
+
+----
+
+The same can be achieved by setting `automountServiceAccountToken: false` in the service account's configuration:
+
+[source,yaml]
+----
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: example-service-account
+  namespace: default
+automountServiceAccountToken: false
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: example-pod
+spec:
+  containers:
+  - name: example-pod
+    image: nginx:1.25.3
+  serviceAccountName: example-service-account
+----
+
+=== How does this work?
+
+The automounting of service account tokens can be disabled by setting `automountServiceAccountToken: false` in the pod's specification or in the service account's configuration.
+
+
+// === Pitfalls
+//=== Going the extra mile
+
+
+== Resources
+=== Documentation
+
+* Kubernetes Documentation - https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/[Configure Service Accounts for Pods]
+
+//=== Articles & blog posts
+//=== Conference presentations
+//=== Standards
+//=== External coding guidelines
+//=== Benchmarks
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+=== Message
+
+Set automountServiceAccountToken to false for this container.
+
+
+=== Highlighting
+
+* Highlight the `containers` property.
+endif::env-github,rspecator-view[]
diff --git a/rules/S6865/metadata.json b/rules/S6865/metadata.json
@@ -0,0 +1,2 @@
+{
+}