{"id":13765027,"url":"https://github.com/sysdiglabs/kube-psp-advisor","last_synced_at":"2025-04-06T00:09:17.481Z","repository":{"id":44926209,"uuid":"168977353","full_name":"sysdiglabs/kube-psp-advisor","owner":"sysdiglabs","description":"Help building an adaptive and fine-grained pod security policy","archived":false,"fork":false,"pushed_at":"2023-10-11T21:18:59.000Z","size":259,"stargazers_count":328,"open_issues_count":7,"forks_count":41,"subscribers_count":12,"default_branch":"master","last_synced_at":"2024-05-20T10:54:03.160Z","etag":null,"topics":["container-security","kubernetes","psp","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sysdiglabs.png","metadata":{"files":{"readme":"README.MD","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2019-02-03T18:18:17.000Z","updated_at":"2024-05-06T21:11:07.000Z","dependencies_parsed_at":"2024-01-13T12:52:36.505Z","dependency_job_id":"b583a9ba-2825-479e-bebc-a7f32af41622","html_url":"https://github.com/sysdiglabs/kube-psp-advisor","commit_stats":null,"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fkube-psp-advisor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fkube-psp-advisor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fkube-psp-advisor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fkube-psp-advisor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sysdiglabs","download_url":"https://codeload.github.com/sysdiglabs/kube-psp-advisor/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247415967,"owners_count":20935387,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["container-security","kubernetes","psp","security-tools"],"created_at":"2024-08-03T16:00:32.919Z","updated_at":"2025-04-06T00:09:17.466Z","avatar_url":"https://github.com/sysdiglabs.png","language":"Go","funding_links":[],"categories":["Security","Repositories / Tools","Go","Tools","Open Source Projects"],"sub_categories":["[Jenkins](#jenkins)","Defending","Kubernetes"],"readme":"# Kube PodSecurityPolicy Advisor\n\nkube-psp-advisor is a tool that makes it easier to create K8s Pod Security Policies (PSPs) or an OPA Policy from either a live K8s environment or from a single .yaml file containing a pod specification (Deployment, DaemonSet, Pod, etc).\n\nIt has 2 subcommands, `kube-psp-advisor inspect` and `kube-psp-advisor convert`. `inspect` connects to a K8s API server, scans the security context of workloads in a given namespace or the entire cluster, and generates a PSP or an OPA Policy based on the security context. `convert` works without connecting to an API Server, reading a single .yaml file containing an object with a pod spec and generating a PSP or OPA Policy based on the file.\n\n## Installation as a Krew Plugin\n\nFollow the [instructions](https://github.com/kubernetes-sigs/krew#installation) to install `krew`. Then run the following command:\n\n```\nkubectl krew install advise-psp\n```\n\nThe plugin will be available as `kubectl advise-psp`.\n\n## Build and Run locally\n1. ```make build```\n2. ```./kube-psp-advisor inspect``` to generate a Pod Security Policy based on the running cluster configuration\n   - 2.1 ```./kube-psp-advisor inspect --report``` to print the detailed report (why this PSP is recommended for the cluster)\n   - 2.2 ```./kube-psp-advisor inspect --grant``` to print PSPs, roles and rolebindings for service accounts (refer to [psp-grant.yaml](./test-yaml/psp-grant.yaml))\n   - 2.3 ```./kube-psp-advisor inspect --namespace=\u003cns\u003e``` to print the report or PSP(s) within a given namespace (defaults to all)\n   - 2.4 ```./kube-psp-advisor inspect --policy opa``` to generate an OPA Policy based on the running cluster configuration\n   - 2.5 ```./kube-psp-advisor inspect --policy opa --deny-by-default``` to generate an OPA Policy where the OPA Default Rule is Deny ALL\n3. ```./kube-psp-advisor convert --podFile \u003cpath\u003e --pspFile \u003cpath\u003e``` to generate a PSP from a single .yaml file.\n   - 3.1 ```./kube-psp-advisor convert --podFile \u003cpath\u003e --pspFile \u003cpath\u003e --opa``` to generate an OPA Policy from a single .yaml file.\n   - 3.2 ```./kube-psp-advisor convert --podFile \u003cpath\u003e --pspFile \u003cpath\u003e --opa --deny-by-default``` to generate an OPA Policy from a single .yaml file, where the OPA Default Rule is Deny ALL.\n\n## Build and Run as Container\n1. ```docker build -t \u003cImage Name\u003e -f container/Dockerfile .```\n2. ```docker run -v ~/.kube:/root/.kube -v ~/.aws:/root/.aws \u003cImage Name\u003e``` (the `.aws` folder mount is optional and depends entirely on your cloud provider)\n\n## Use Cases\n1. Help verify the Deployment and DaemonSet settings in the cluster and plan to reduce unnecessary privileges/resources\n2. Apply a Pod Security Policy or OPA policy to the target cluster\n3. Use the flag `--namespace=\u003cnamespace\u003e` together with `--report` to debug and narrow down the security context per namespace\n\n## Attributes Aggregated for Pod Security Policy\n- allowPrivilegeEscalation\n- allowedCapabilities\n- allowedHostPaths\n  - readOnly\n- hostIPC\n- hostNetwork\n- hostPID\n- privileged\n- readOnlyRootFilesystem\n- runAsUser\n- runAsGroup\n- Volume\n- hostPorts\n- allowedUnsafeSysctls\n\n## Limitations\nSome attributes (e.g. capabilities) require gathering runtime information in order to provide the following:\n- Least privilege (capabilities captured from runtime)\n\n## High-level todo list\n\n- [x] Basic functionalities\n- [ ] Create PSPs for common charts\n- [x] Kubectl plugin\n\n## Sample Pod Security Policy\nCommand: `./kube-psp-advisor inspect --namespace=psp-test`\n```\napiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n  creationTimestamp: null\n  name: pod-security-policy-20181130114734\nspec:\n  allowedCapabilities:\n  - SYS_ADMIN\n  - NET_ADMIN\n  allowedHostPaths:\n  - pathPrefix: /bin\n  - pathPrefix: /tmp\n  - pathPrefix: /usr/sbin\n  - pathPrefix: /usr/bin\n  fsGroup:\n    rule: RunAsAny\n  hostIPC: false\n  hostNetwork: false\n  hostPID: false\n  privileged: true\n  runAsUser:\n    rule: RunAsAny\n  seLinux:\n    rule: RunAsAny\n  supplementalGroups:\n    rule: RunAsAny\n  volumes:\n  - hostPath\n  - configMap\n  - secret\n```\n\n## Sample Report\nCommand: `./kube-psp-advisor inspect --namespace=psp-test --report | jq .podSecuritySpecs`\n```\n{\n  \"hostIPC\": [\n    {\n      \"metadata\": {\n        \"name\": \"busy-rs\",\n        \"kind\": \"ReplicaSet\"\n      },\n      \"namespace\": \"psp-test\",\n      \"hostPID\": true,\n      \"hostNetwork\": true,\n      \"hostIPC\": true,\n      \"volumeTypes\": [\n        \"configMap\"\n      ]\n    },\n    {\n      \"metadata\": {\n        \"name\": \"busy-job\",\n        \"kind\": \"Job\"\n      },\n      \"namespace\": \"psp-test\",\n      \"hostIPC\": true,\n      \"volumeTypes\": [\n        \"hostPath\"\n      ],\n      \"mountedHostPath\": [\n        \"/usr/bin\"\n      ]\n    }\n  ],\n  \"hostNetwork\": [\n    {\n      \"metadata\": {\n        \"name\": \"busy-rs\",\n        \"kind\": \"ReplicaSet\"\n      },\n      \"namespace\": \"psp-test\",\n      \"hostPID\": true,\n      \"hostNetwork\": true,\n      \"hostIPC\": true,\n      \"volumeTypes\": [\n        \"configMap\"\n      ]\n    },\n    {\n      \"metadata\": {\n        \"name\": \"busy-pod\",\n        \"kind\": \"Pod\"\n      },\n      \"namespace\": \"psp-test\",\n      \"hostNetwork\": true,\n      \"volumeTypes\": [\n        \"hostPath\",\n        \"secret\"\n      ],\n      \"mountedHostPath\": [\n        \"/usr/bin\"\n      ]\n    }\n  ],\n  \"hostPID\": [\n    {\n      \"metadata\": {\n        \"name\": \"busy-deploy\",\n        \"kind\": \"Deployment\"\n      },\n      \"namespace\": \"psp-test\",\n      \"hostPID\": true,\n      \"volumeTypes\": [\n        \"hostPath\"\n      ],\n      \"mountedHostPath\": [\n        \"/tmp\"\n      ]\n    },\n    {\n      \"metadata\": {\n        \"name\": \"busy-rs\",\n        \"kind\": \"ReplicaSet\"\n      },\n      \"namespace\": \"psp-test\",\n      \"hostPID\": true,\n      \"hostNetwork\": true,\n      \"hostIPC\": true,\n      \"volumeTypes\": [\n        \"configMap\"\n      ]\n    }\n  ]\n}\n```\n\n## Commercial\nGenerating PSPs based on runtime activity, simulating PSPs and managing different PSPs across Kubernetes namespaces can simplify the life of every Kubernetes operator.\nCheck out how Sysdig Secure can help - https://sysdig.com/blog/psp-in-production/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsysdiglabs%2Fkube-psp-advisor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsysdiglabs%2Fkube-psp-advisor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsysdiglabs%2Fkube-psp-advisor/lists"}