feat(lab7): trivy + PSS restricted + conftest gate#1173

Open: Troshkins wants to merge 14 commits into inno-devops-labs:main from Troshkins:feature/lab7

Conversation

@Troshkins

Goal

Deliver Lab 7 container and Kubernetes security controls: Trivy scanning, a PSS-restricted Juice Shop deployment, and a Conftest policy gate.

Changes

  • Added submissions/lab7.md with Trivy findings, Grype comparison, Kubernetes hardening analysis, and Conftest results.

  • Added hardened Kubernetes manifests in labs/lab7/k8s/:

    • PSS restricted namespace labels
    • dedicated non-default ServiceAccount with token automount disabled
    • Juice Shop Deployment pinned by image digest
    • non-root execution, seccomp, dropped capabilities, read-only root filesystem, resource limits
    • initContainer and scoped emptyDir mounts for Juice Shop writable paths
    • default-deny NetworkPolicy with restricted DNS and HTTPS egress
  • Added labs/lab7/policies/pod-hardening.rego Conftest policy.

  • Added labs/lab7/.gitignore to exclude regeneratable scan results.

Testing

  • trivy image bkimminich/juice-shop:v20.0.0 --severity HIGH,CRITICAL

    • Found 5 Critical and 43 High vulnerabilities; 46 findings have a fix available.
  • trivy config against an intentionally insecure Dockerfile

    • Detected DS-0002 (HIGH): final USER is root.
  • conftest test labs/lab7/k8s/deployment.yaml --policy labs/lab7/policies

    • Passed: 4 tests, 4 passed.
  • conftest test /tmp/bad-pod.yaml --policy labs/lab7/policies

    • Failed as expected with four deny messages for missing non-root execution, read-only root filesystem, privilege-escalation protection, and ALL capabilities drop.
  • kubectl -n juice-shop wait --for=condition=Ready pod -l app=juice-shop

    • Juice Shop reached 1/1 Running with 0 restarts.
  • curl http://127.0.0.1:3000/rest/products/search?q=

    • Returned HTTP 200.
  • trivy k8s --include-namespaces juice-shop --disable-node-collector --severity HIGH,CRITICAL --report summary

    • Reported 0 High/Critical Kubernetes misconfigurations. Remaining findings are CVEs and intentionally embedded training-image secrets in Juice Shop.

Artifacts & Screenshots

  • Submission: submissions/lab7.md
  • Hardened manifests: labs/lab7/k8s/
  • Conftest policy: labs/lab7/policies/pod-hardening.rego
  • Scan and runtime proof files were generated locally under labs/lab7/results/ and intentionally excluded from Git as regeneratable artifacts.

Checklist

  • Title is clear (feat(lab7): trivy + PSS restricted + conftest gate)
  • No secrets/large temporary scan files committed
  • Submission file at submissions/lab7.md exists
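The Conftest gate described above, as an added illustration rather than the PR's own labs/lab7/policies/pod-hardening.rego: a Rego policy encoding the four deny rules the testing notes list (non-root execution, read-only root filesystem, privilege-escalation protection, ALL capabilities dropped), evaluated over both a bare Pod and a Deployment's pod template, including initContainers. Package and rule names are assumptions.

```rego
package main

# Added example policy; not the PR's pod-hardening.rego.
# Locate the pod spec for the two manifest kinds the PR tests
# (a Deployment in labs/lab7/k8s and a bad standalone Pod).
pod_spec = input.spec { input.kind == "Pod" }
pod_spec = input.spec.template.spec { input.kind == "Deployment" }

# Check every container, including the initContainer the PR adds.
containers[c] { c := pod_spec.containers[_] }
containers[c] { c := pod_spec.initContainers[_] }

# An unset field is undefined in Rego, so `not field == true`
# fails closed: a missing securityContext is denied, not ignored.
deny[msg] {
    c := containers[_]
    not c.securityContext.runAsNonRoot == true
    msg := sprintf("container %q must set securityContext.runAsNonRoot: true", [c.name])
}

deny[msg] {
    c := containers[_]
    not c.securityContext.readOnlyRootFilesystem == true
    msg := sprintf("container %q must set securityContext.readOnlyRootFilesystem: true", [c.name])
}

deny[msg] {
    c := containers[_]
    not c.securityContext.allowPrivilegeEscalation == false
    msg := sprintf("container %q must set securityContext.allowPrivilegeEscalation: false", [c.name])
}

deny[msg] {
    c := containers[_]
    not drops_all(c)
    msg := sprintf("container %q must drop ALL capabilities", [c.name])
}

drops_all(c) {
    c.securityContext.capabilities.drop[_] == "ALL"
}
```

Run with `conftest test <manifest>.yaml --policy <dir containing this file>`; a manifest missing all four settings yields four deny messages per container, matching the behaviour the PR reports for the bad Pod.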
