feat(lab7): trivy + PSS restricted + conftest gate#1415

Open
d13-l1t3 wants to merge 1 commit into inno-devops-labs:main from d13-l1t3:feature/lab7
Conversation

@d13-l1t3 d13-l1t3 commented Jul 3, 2026

Goal

The goal of this PR is to implement and document container and Kubernetes security best practices. This includes vulnerability and misconfiguration scanning using Trivy, hardening a Kubernetes deployment to comply with the Pod Security Standards (PSS) restricted profile, and implementing a policy-as-code gate using Conftest to block non-compliant pods.

Changes

Vulnerability Scanning: Scanned the bkimminich/juice-shop:v20.0.0 image and a sample Dockerfile using Trivy. Documented severity counts, top 10 actionable CVEs with available fixes, and compared findings with Grype from Lab 4.
Kubernetes Hardening: Created and applied Kubernetes manifests for the Juice Shop application in a new namespace with PSS restricted labels applied (enforce, warn, audit).
Workload Security: Hardened the Juice Shop Deployment by implementing an unprivileged ServiceAccount, dropping all capabilities, enabling runAsNonRoot, setting readOnlyRootFilesystem: true, and using emptyDir volumes for writable paths.
Network Restrictions: Implemented a default-deny NetworkPolicy to restrict ingress/egress traffic, allowing only required DNS/HTTPS outbound and specific ingress traffic.
Bonus Task (Conftest): Wrote a custom Rego policy (pod-hardening.rego) to test the deployment manifest in CI, successfully blocking pods missing key securityContext attributes (runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation: false, and capabilities.drop: ALL).
Documentation: Updated the submissions/lab7.md report with all findings, manifest snippets, and required analysis.

Testing

Trivy Image Scan: Generated JSON and table outputs for high/critical vulnerabilities.
Kubernetes Deployment: Applied manifests locally using k3d, verified the pod is running and Ready: 1/1 via kubectl get pod.
Trivy K8s Scan: Scanned the running juice-shop namespace and documented the severity count.
Conftest Validation: Ran conftest test labs/lab7/k8s/deployment.yaml --policy labs/lab7/policies to confirm the custom Rego rules correctly evaluate the pod security context.

Checklist

[x] Task 1 — Trivy image + config scans + Grype comparison
[x] Task 2 — Hardened K8s deployment with PSS restricted + NetworkPolicy
[x] Bonus — Conftest policy passing on hardened + failing on bad manifest
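The Conftest gate described in the bonus task, written out as an added illustration (this is not the PR's own pod-hardening.rego). It assumes the input is a single Deployment manifest (containers under spec.template.spec.containers), uses Rego v1 syntax, and emits one deny message per missing attribute so a failing manifest reports every gap at once:

```rego
package main

import rego.v1

# Collect every container of the Deployment under test.
# Assumption: conftest is run against one Deployment document.
containers contains c if {
	input.kind == "Deployment"
	some c in input.spec.template.spec.containers
}

# PSS restricted: the container must not run as root.
deny contains msg if {
	some c in containers
	not c.securityContext.runAsNonRoot == true
	msg := sprintf("container %q must set securityContext.runAsNonRoot: true", [c.name])
}

# Root filesystem must be read-only; writable paths go to emptyDir volumes.
deny contains msg if {
	some c in containers
	not c.securityContext.readOnlyRootFilesystem == true
	msg := sprintf("container %q must set securityContext.readOnlyRootFilesystem: true", [c.name])
}

# Privilege escalation (setuid binaries, file capabilities) must be blocked.
deny contains msg if {
	some c in containers
	not c.securityContext.allowPrivilegeEscalation == false
	msg := sprintf("container %q must set securityContext.allowPrivilegeEscalation: false", [c.name])
}

# All Linux capabilities must be dropped; a missing or partial drop list fails.
deny contains msg if {
	some c in containers
	not drops_all(c)
	msg := sprintf("container %q must set securityContext.capabilities.drop: [\"ALL\"]", [c.name])
}

drops_all(c) if {
	"ALL" in c.securityContext.capabilities.drop
}
```

Run with `conftest test deployment.yaml --policy <policy dir>`; a hardened manifest produces no deny messages, while one that omits any of the four fields fails with the matching message.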
