Skip to content

feat(lab7): trivy + PSS restricted + conftest gate#8

Open
StefFashka wants to merge 1 commit into
mainfrom
feature/lab7
Open

feat(lab7): trivy + PSS restricted + conftest gate#8
StefFashka wants to merge 1 commit into
mainfrom
feature/lab7

Conversation

@StefFashka

Copy link
Copy Markdown
Owner

Goal

Scan OWASP Juice Shop v20.0.0 with Trivy, harden the Kubernetes deployment with Pod Security Standards, NetworkPolicy, and securityContext, and add a Conftest policy gate.

Changes

  • submissions/lab7.md β€” added the Lab 7 submission with Trivy image results, Lab 4 Grype comparison, Kubernetes hardening evidence, Trivy K8s scan summary, and Conftest outputs.
  • labs/lab7/k8s/namespace.yaml β€” added the juice-shop namespace with PSS restricted labels for enforce, warn, and audit.
  • labs/lab7/k8s/serviceaccount.yaml β€” added a dedicated ServiceAccount with token automount disabled.
  • labs/lab7/k8s/deployment.yaml β€” added a digest-pinned hardened Juice Shop Deployment with non-root execution, read-only root filesystem, dropped capabilities, RuntimeDefault seccomp, resource limits, probes, and writable emptyDir mounts.
  • labs/lab7/k8s/networkpolicy.yaml β€” added ingress and egress restrictions for the Juice Shop workload.
  • labs/lab7/policies/pod-hardening.rego β€” added a Conftest policy that rejects pods missing required hardening controls.

Testing

trivy image bkimminich/juice-shop:v20.0.0 --severity HIGH,CRITICAL --format json --output labs/lab7/results/trivy-image.json
# Expected: scan completes; report contains 5 Critical and 43 High findings
trivy config labs/lab7/k8s --severity HIGH,CRITICAL --format table
# Expected: 0 High/Critical misconfigurations for namespace, deployment, serviceaccount, and networkpolicy
kubectl apply -f labs/lab7/k8s/
# Expected: namespace, serviceaccount, deployment, and networkpolicy applied
kubectl get pod -n juice-shop -l app=juice-shop
# Expected: Juice Shop pod Ready 1/1, Status Running, Restarts 0
trivy k8s --include-namespaces juice-shop --severity HIGH,CRITICAL --report=summary
# Expected: scan completes; summary reports 10 Critical and 90 High findings
conftest test labs/lab7/k8s/deployment.yaml --policy labs/lab7/policies --no-color
# Expected: 4 tests, 4 passed, 0 failures
conftest test $env:TEMP\bad-pod-lab7.yaml --policy labs/lab7/policies --no-color
# Expected: 4 failures for missing runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation, and capabilities.drop ALL

Artifacts & Screenshots

Submission report: lab7.md
Kubernetes manifests: labs/lab7/k8s/
Conftest policy: pod-hardening.rego

Required checklist:

  • Task 1 β€” Trivy image + config scans + Grype comparison
  • Task 2 β€” Hardened K8s deployment with PSS restricted + NetworkPolicy
  • Bonus β€” Conftest policy passing on hardened + failing on bad manifest

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant