Skip to content

feat(lab7): trivy + PSS restricted + conftest gate#7

Open
demonit4028 wants to merge 1 commit into
mainfrom
feature/lab7
Open

feat(lab7): trivy + PSS restricted + conftest gate#7
demonit4028 wants to merge 1 commit into
mainfrom
feature/lab7

Conversation

@demonit4028

Copy link
Copy Markdown
Owner

Goal

Scan Juice Shop image with Trivy (CVE + misconfig), deploy hardened K8s manifests with PSS restricted profile + NetworkPolicy, and add a Conftest Rego policy to gate non-compliant pods at CI time.

Changes

  • submissions/lab7.md β€” full submission with severity tables, top-10 CVEs, Grype comparison, hardened manifests, Conftest results
  • labs/lab7/k8s/namespace.yaml β€” namespace with PSS enforce/warn/audit = restricted
  • labs/lab7/k8s/serviceaccount.yaml β€” dedicated SA with automountServiceAccountToken: false
  • labs/lab7/k8s/deployment.yaml β€” full hardened: runAsNonRoot, readOnlyRootFilesystem, drop: ["ALL"], initContainers for writable volumes, pinned by digest, emptyDir at writable paths
  • labs/lab7/k8s/networkpolicy.yaml β€” default-deny ingress/egress, allow port 3000 + DNS + HTTPS
  • labs/lab7/policies/pod-hardening.rego β€” Rego policy checking 4 hardening rules

Testing

# Trivy image scan
trivy image bkimminich/juice-shop:v20.0.0 \
  --severity HIGH,CRITICAL \
  --format json --output labs/lab7/results/trivy-image.json

Result: 5 Critical, 43 High; 46 of 48 have fixes

# Trivy config scan
trivy config /tmp/Dockerfile --severity HIGH,CRITICAL

Result: 1 failure β€” DS-0002 (USER root)

# K8s apply + pod running
kubectl apply -f labs/lab7/k8s/
kubectl -n juice-shop wait --for=condition=ready pod -l app=juice-shop --timeout=180s

Result: juice-shop-57bbdb5559-52ll4 Running 1/1

# Trivy k8s scan
trivy k8s --include-namespaces juice-shop --severity HIGH,CRITICAL --report summary

Result: 15 Critical, 129 High, 2 misconfigs, 6 secrets

# Conftest PASS on hardened manifest
conftest test labs/lab7/k8s/deployment.yaml --policy labs/lab7/policies

Result: 5 tests, 5 passed

# Conftest FAIL on bad manifest
conftest test /tmp/bad-pod.yaml --policy labs/lab7/policies

Result: 4 failures (missing runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation, capabilities.drop)

Artifacts & Screenshots

  • submissions/lab7.md

Checklist

  • Title follows feat(labN): <topic> format
  • No secrets or large temp files committed
  • Submission file at submissions/lab7.md exists

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant