Semgr8s is an admission controller that uses well-known publicly available or custom Semgrep rules to validate Kubernetes (k8s) resources before they are deployed to the cluster.

⚠️ Semgr8s is in a proof-of-concept state. Do not use it in production. Breaking changes, service interruptions, and development flow adjustments are expected.

More? Read the docs.
Getting started to validate Kubernetes resources against Semgrep rules is only a matter of minutes:
Installation files are contained within this repository:

```bash
git clone https://github.com/semgr8ns/semgr8s.git
cd semgr8s
```

Semgr8s comes preconfigured with some basic rules. However, the configuration can be adjusted to your needs:
- Central configuration is maintained in `charts/semgr8s/values.yaml`.
- Configuration aims to provide the most native integration of Semgrep's functionality into Kubernetes. Working knowledge of Kubernetes and the Semgrep documentation should be sufficient to understand the concepts and options used here.
- Remote Semgrep rules, rulesets and repository rules are configured via `.application.remoteRules` in `charts/semgr8s/values.yaml`, e.g. set to `"r/yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation"`, `"p/kubernetes"` or `"r/yaml.kubernetes"` respectively.
- Custom Semgrep rules can be placed in `charts/semgr8s/rules/` and will be auto-mounted into the admission controller.
- Semgrep provides online tools to learn and create custom rules.
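As an added example of both configuration points (this is not code from the Semgr8s repository): a `values.yaml` fragment that points `remoteRules` at the public Kubernetes ruleset, followed by a custom rule file for `charts/semgr8s/rules/` that flags container images without a pinned tag or digest. The key path `.application.remoteRules` is the one named above, but the surrounding layout of `values.yaml`, the rule file name, the rule id `container-image-not-pinned` and the rule body are all assumptions of this example.

```yaml
# File 1 (fragment, added example): charts/semgr8s/values.yaml
# Only the key path .application.remoteRules comes from the README; the
# surrounding structure is assumed, so compare with the chart's own file.
application:
  remoteRules: "p/kubernetes"   # or "r/yaml.kubernetes", or a single rule id
---
# File 2 (added example): charts/semgr8s/rules/image-tag-pinned.yaml
# Hypothetical custom rule; files in this directory are auto-mounted into
# the admission controller. It flags container images that carry no tag or
# digest, or use ":latest", so an admitted manifest keeps resolving to the
# same image that was reviewed.
rules:
  - id: container-image-not-pinned
    languages: [yaml]
    severity: ERROR
    message: >-
      Container image '$IMAGE' is not pinned to a specific tag or digest.
      Use image:tag or image@sha256:... so that what was admitted is what runs.
    metadata:
      category: security
      technology: [kubernetes]
    patterns:
      # Only inspect entries of a containers/initContainers list ...
      - pattern-either:
          - pattern-inside: |
              containers:
                ...
          - pattern-inside: |
              initContainers:
                ...
      # ... and capture the image reference of each entry.
      - pattern: |
          image: $IMAGE
      # Match when there is no tag/digest at all, or the tag is "latest".
      # Deliberately simplified: registries with a port (host:5000/app)
      # are not handled; optional surrounding quotes are tolerated.
      - metavariable-regex:
          metavariable: $IMAGE
          regex: ^["']?(?:[^:@"']+|[^@"']+:latest)["']+?$
```

Before loading a custom rule into the cluster, check it locally with `semgrep --config charts/semgr8s/rules/ <manifest>` against a manifest you expect to fail and one you expect to pass; a rule that never fires or fires on everything is cheaper to find on the workstation than in a denied deployment.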
To deploy the preconfigured admission controller simply run:

```bash
helm install semgr8s charts/semgr8s --create-namespace --namespace semgr8ns
```

Output:

```
NAME: semgr8s
LAST DEPLOYED: Tue Apr 25 00:16:04 2023
NAMESPACE: semgr8ns
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Successfully installed semgr8s!
```

You can check successful deployment of Semgr8s via:
```bash
kubectl get all -n semgr8ns
```

Output:

```
NAME                           READY   STATUS    RESTARTS   AGE
pod/semgr8s-665dbb8756-qhqv6   1/1     Running   0          7s

NAME                      TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
service/semgr8s-service   ClusterIP   10.96.135.157   <none>        443/TCP   7s

NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/semgr8s   1/1     1            1           7s

NAME                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/semgr8s-665dbb8756   1         1         1       7s
```

Once all resources are in READY state, you have successfully installed Semgr8s.
Several test resources are provided under `tests/demo/`.

Semgr8s only validates resources in namespaces with the label `semgr8s/validation=enabled`:
```bash
kubectl apply -f tests/demo/00_test-namespace.yaml
```

Output:

```
namespace/test-semgr8s created
```

It denies creating pods with non-compliant configuration according to the local rules in `charts/semgr8s/rules` and the `.application.remoteRules` in `charts/semgr8s/values.yaml`:
```bash
kubectl apply -f tests/demo/40_failing-deployment.yaml
```

Output:

```
Error from server: error when creating "tests/demo/40_failing-deployment.yaml": admission webhook "semgr8s-svc.semgr8ns.svc" denied the request: Found 1 violation(s) of the following policies:
* rules.test-semgr8s-forbidden-label
Error from server: error when creating "tests/demo/40_failing-deployment.yaml": admission webhook "semgr8s-svc.semgr8ns.svc" denied the request: Found 1 violation(s) of the following policies:
* yaml.kubernetes.security.writable-filesystem-container.writable-filesystem-container
Error from server: error when creating "tests/demo/40_failing-deployment.yaml": admission webhook "semgr8s-svc.semgr8ns.svc" denied the request: Found 1 violation(s) of the following policies:
* yaml.kubernetes.security.privileged-container.privileged-container
Error from server: error when creating "tests/demo/40_failing-deployment.yaml": admission webhook "semgr8s-svc.semgr8ns.svc" denied the request: Found 1 violation(s) of the following policies:
* yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod
```

Compliantly configured resources, on the other hand, are permitted to the cluster:
```bash
kubectl apply -f tests/demo/20_passing-deployment.yaml
```

Output:

```
pod/passing-testpod-1 created
```

To remove all resources of the admission controller run:
```bash
helm uninstall semgr8s -n semgr8ns
kubectl delete ns semgr8ns
```

Output:

```
release "semgr8s" uninstalled
```

Test resources are deleted via:
```bash
kubectl delete -f tests/demo/
```

Output:

```
namespace "test-semgr8s" deleted
pod "passing-testpod-1" deleted
Error from server (NotFound): error when deleting "tests/demo/40_failing-deployment.yaml": pods "forbiddenlabel-pod" not found
Error from server (NotFound): error when deleting "tests/demo/40_failing-deployment.yaml": pods "failing-testpod-1" not found
Error from server (NotFound): error when deleting "tests/demo/40_failing-deployment.yaml": pods "failing-testpod-2" not found
Error from server (NotFound): error when deleting "tests/demo/40_failing-deployment.yaml": pods "failing-testpod-3" not found
```
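The demo above only shows the denial messages, not the manifests behind them. The following constructed manifests (an added example, not the repository's `tests/demo/` files; namespace and pod names are made up) put the settings that trip the three registry rules named in the output next to a variant of the same pod that does not trip them. The namespace carries the `semgr8s/validation=enabled` label described above, since unlabelled namespaces are not validated at all.

```yaml
# Constructed namespace: only namespaces carrying this label are validated.
apiVersion: v1
kind: Namespace
metadata:
  name: demo-validated
  labels:
    semgr8s/validation: enabled
---
# Rejected: each commented field trips one of the rules seen in the demo output.
apiVersion: v1
kind: Pod
metadata:
  name: noncompliant-pod
  namespace: demo-validated
spec:
  hostNetwork: true                    # yaml.kubernetes.security.hostnetwork-pod
  containers:
    - name: app
      image: nginx:1.25
      securityContext:
        privileged: true               # yaml.kubernetes.security.privileged-container
        readOnlyRootFilesystem: false  # yaml.kubernetes.security.writable-filesystem-container
---
# Same workload with the pod-level and container-level fields hardened so
# that none of those three rules fires. Writable scratch space is provided
# explicitly via an emptyDir instead of a writable root filesystem.
apiVersion: v1
kind: Pod
metadata:
  name: compliant-pod
  namespace: demo-validated
spec:
  hostNetwork: false
  containers:
    - name: app
      image: nginx:1.25
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
      volumeMounts:
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}
```

Whether the second pod is admitted in your cluster depends on the full ruleset configured in `.application.remoteRules`: a broad ruleset such as `p/kubernetes` contains further checks beyond the three shown here, so preview a manifest locally with `semgrep --config p/kubernetes <manifest>` to see every rule that would fire before applying it.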
Excited about Semgr8s? Here are some next steps:

- For more details, check out the docs, e.g. on Concept or Usage
- To share feedback, reach out via GitHub Discussions
- Report bugs via GitHub Issues