diff --git a/assets/queries/k8s/using_default_namespace/test/positive1.yaml b/assets/queries/k8s/using_default_namespace/test/positive1.yaml deleted file mode 100644 index 7ae583f9d80..00000000000 --- a/assets/queries/k8s/using_default_namespace/test/positive1.yaml +++ /dev/null @@ -1,67 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: frontend - namespace: default -spec: - containers: - - name: app - image: images.my-company.example/app:v4 - securityContext: - allowPrivilegeEscalation: false - resources: - requests: - memory: "64Mi" - cpu: "250m" - limits: - memory: "128Mi" - cpu: "500m" - - - name: log-aggregator - image: images.my-company.example/log-aggregator:v6 - securityContext: - allowPrivilegeEscalation: false - resources: - requests: - memory: "64Mi" - cpu: "250m" - limits: - memory: "128Mi" - cpu: "500m" - ---- -apiVersion: v1 -kind: Pod -metadata: - name: frontend2 -spec: - containers: - - name: app - image: images.my-company.example/app:v4 - securityContext: - allowPrivilegeEscalation: false - resources: - requests: - memory: "64Mi" - cpu: "250m" - limits: - memory: "128Mi" - cpu: "500m" - - - name: log-aggregator - image: images.my-company.example/log-aggregator:v6 - securityContext: - allowPrivilegeEscalation: false - resources: - requests: - memory: "64Mi" - cpu: "250m" - limits: - memory: "128Mi" - cpu: "500m" - ---- -apiVersion: v1 -kind: Pod -metadata: - name: mongo.db.collection.com diff --git a/assets/queries/k8s/using_default_namespace/test/positive_expected_result.json b/assets/queries/k8s/using_default_namespace/test/positive_expected_result.json deleted file mode 100644 index 4e8e717b744..00000000000 --- a/assets/queries/k8s/using_default_namespace/test/positive_expected_result.json +++ /dev/null 
@@ -1,20 +0,0 @@
-[
- {
- "queryName": "Using Default Namespace",
- "severity": "MEDIUM",
- "line": 4,
- "filename": "positive1.yaml"
- },
- {
- "queryName": "Using Default Namespace",
- "severity": "MEDIUM",
- "line": 36,
- "filename": "positive1.yaml"
- },
- {
- "queryName": "Using Default Namespace",
- "severity": "MEDIUM",
- "line": 67,
- "filename": "positive1.yaml"
- }
-]
diff --git a/assets/queries/k8s/using_default_namespace/metadata.json b/assets/queries/k8s/using_unrecommended_namespace/metadata.json
similarity index 65%
rename from assets/queries/k8s/using_default_namespace/metadata.json
rename to assets/queries/k8s/using_unrecommended_namespace/metadata.json
index 6772c552477..b79dc88d67c 100644
--- a/assets/queries/k8s/using_default_namespace/metadata.json
+++ b/assets/queries/k8s/using_unrecommended_namespace/metadata.json
@@ -1,9 +1,9 @@
 {
 "id": "611ab018-c4aa-4ba2-b0f6-a448337509a6",
- "queryName": "Using Default Namespace",
+ "queryName": "Using Unrecommended Namespace",
 "severity": "MEDIUM",
 "category": "Insecure Configurations",
- "descriptionText": "The default namespace should not be used",
+ "descriptionText": "Namespaces like 'default', 'kube-system' or 'kube-public' should not be used",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/",
 "platform": "Kubernetes",
 "descriptionID": "29549ea9"
diff --git a/assets/queries/k8s/using_default_namespace/query.rego b/assets/queries/k8s/using_unrecommended_namespace/query.rego
similarity index 52%
rename from assets/queries/k8s/using_default_namespace/query.rego
rename to assets/queries/k8s/using_unrecommended_namespace/query.rego
index 4f000998365..c132068a921 100644
--- a/assets/queries/k8s/using_default_namespace/query.rego
+++ b/assets/queries/k8s/using_unrecommended_namespace/query.rego
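Review bot: The new `descriptionText` in the metadata.json hunk says namespaces "like" the three listed should not be used, but the accompanying query.rego in this commit matches exactly `default`, `kube-system` and `kube-public` and additionally reports a resource whose `metadata.namespace` is undefined, so the description both overstates the match (there is no "like") and omits the second finding a user will see under this query name. Since this text is what the report shows next to every result, it should describe both conditions precisely, e.g. `"descriptionText": "Namespaces 'default', 'kube-system' and 'kube-public' should not be used, and metadata.namespace should be explicitly set"`. The `descriptionID` is unchanged while the text changes; if the project keys documentation on that id, confirm that is intended.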
@@ -2,14 +2,14 @@ package Cx listKinds := ["Pod", "Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "ReplicationController", "Job", "CronJob", "Service", "Secret", "ServiceAccount", "Role", "RoleBinding", "ConfigMap", "Ingress"] -import data.generic.k8s as k8sLib +import data.generic.k8s as k8s_lib import data.generic.common as common_lib CxPolicy[result] { document := input.document[i] kind := document.kind - k8sLib.checkKind(kind, listKinds) + k8s_lib.checkKind(kind, listKinds) metadata = document.metadata @@ -19,8 +19,9 @@ CxPolicy[result] { "documentId": input.document[i].id, "issueType": "MissingAttribute", "searchKey": sprintf("kind={{%s}}.metadata.name={{%s}}", [kind, metadata.name]), - "keyExpectedValue": "metadata.namespace is set", - "keyActualValue": "metadata.namespace is undefined", + "keyExpectedValue": "metadata.namespace is defined and not null", + "keyActualValue": "metadata.namespace is undefined or null", + "searchLine": common_lib.build_search_line(["metadata", "name"], []) } } @@ -28,16 +29,19 @@ CxPolicy[result] { document := input.document[i] kind := document.kind - k8sLib.checkKind(kind, listKinds) + k8s_lib.checkKind(kind, listKinds) metadata = document.metadata - metadata.namespace == "default" + + options := {"default", "kube-system", "kube-public"} + metadata.namespace == options[x] result := { "documentId": input.document[i].id, "issueType": "IncorrectValue", - "searchKey": sprintf("kind={{%s}}.metadata.name={{%s}}", [kind, metadata.name]), - "keyExpectedValue": "metadata.namespace is not default", - "keyActualValue": "metadata.namespace is default", + "searchKey": sprintf("metadata.name={{%s}}.namespace", [metadata.name]), + "keyExpectedValue": "'metadata.namespace' is not set to default, kube-system or kube-public", + "keyActualValue": sprintf("'metadata.namespace' is set to %s", [options[x]]), + "searchLine": common_lib.build_search_line(["metadata", "namespace"], []) } } 
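Review bot: In the third hunk (`@@ -28,16 +29,19 @@`) the rewritten `searchKey` drops the `kind` component, `sprintf("metadata.name={{%s}}.namespace", [metadata.name])`, while the first rule's `searchKey` in the second hunk still uses `kind={{%s}}.metadata.name={{%s}}`; two results from the same query therefore locate resources by different keys, and two resources of different kinds that share a name in the same document set become indistinguishable in the `IncorrectValue` result. Keeping the key shape consistent across both rules, `"searchKey": sprintf("kind={{%s}}.metadata.name={{%s}}.metadata.namespace", [kind, metadata.name]),`, avoids that. As a point of style, `options := {"default", "kube-system", "kube-public"}` is a constant set declared inside the rule body whereas `listKinds` lives at package scope; hoisting it next to `listKinds` as `unrecommendedNamespaces := {"default", "kube-system", "kube-public"}` keeps the two lookup tables together and makes it easier to extend (the Kubernetes-managed `kube-node-lease` namespace is a candidate worth considering, though the commit does not claim to cover it). The `CxPolicy[result] {` line that opens this rule, and the condition lines of the first rule between the first and second hunks, lie outside the hunks, so the "undefined or null" claim in the new `keyActualValue` cannot be checked against the condition here.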
diff --git a/assets/queries/k8s/using_default_namespace/test/negative1.yaml b/assets/queries/k8s/using_unrecommended_namespace/test/negative1.yaml similarity index 100% rename from assets/queries/k8s/using_default_namespace/test/negative1.yaml rename to assets/queries/k8s/using_unrecommended_namespace/test/negative1.yaml diff --git a/assets/queries/k8s/using_unrecommended_namespace/test/positive1.yaml b/assets/queries/k8s/using_unrecommended_namespace/test/positive1.yaml new file mode 100644 index 00000000000..a9540d6c4b4 --- /dev/null +++ b/assets/queries/k8s/using_unrecommended_namespace/test/positive1.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: frontend + namespace: default +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + diff --git a/assets/queries/k8s/using_unrecommended_namespace/test/positive2.yaml b/assets/queries/k8s/using_unrecommended_namespace/test/positive2.yaml new file mode 100644 index 00000000000..0925165ebe3 --- /dev/null +++ b/assets/queries/k8s/using_unrecommended_namespace/test/positive2.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: frontend2 +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" 
diff --git a/assets/queries/k8s/using_unrecommended_namespace/test/positive3.yaml b/assets/queries/k8s/using_unrecommended_namespace/test/positive3.yaml new file mode 100644 index 00000000000..68096d028cf --- /dev/null +++ b/assets/queries/k8s/using_unrecommended_namespace/test/positive3.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Pod +metadata: + name: mongo.db.collection.com + namespace: kube-public diff --git a/assets/queries/k8s/using_unrecommended_namespace/test/positive4.yaml b/assets/queries/k8s/using_unrecommended_namespace/test/positive4.yaml new file mode 100644 index 00000000000..837213b75b8 --- /dev/null +++ b/assets/queries/k8s/using_unrecommended_namespace/test/positive4.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Pod +metadata: + name: mongo.db.collection.com + namespace: kube-system diff --git a/assets/queries/k8s/using_unrecommended_namespace/test/positive_expected_result.json b/assets/queries/k8s/using_unrecommended_namespace/test/positive_expected_result.json new file mode 100644 index 00000000000..38ca8e686f8 --- /dev/null +++ b/assets/queries/k8s/using_unrecommended_namespace/test/positive_expected_result.json @@ -0,0 +1,26 @@ +[ + { + "queryName": "Using Unrecommended Namespace", + "severity": "MEDIUM", + "line": 5, + "filename": "positive1.yaml" + }, + { + "queryName": "Using Unrecommended Namespace", + "severity": "MEDIUM", + "line": 4, + "filename": "positive2.yaml" + }, + { + "queryName": "Using Unrecommended Namespace", + "severity": "MEDIUM", + "line": 5, + "filename": "positive3.yaml" + }, + { + "queryName": "Using Unrecommended Namespace", + "severity": "MEDIUM", + "line": 5, + "filename": "positive4.yaml" + } +]
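Review bot: The new `positive_expected_result.json` pins four findings (default, missing namespace, kube-public, kube-system) but none of the added fixtures exercises an explicitly null namespace, even though the query's new `keyActualValue` text in this commit says "metadata.namespace is undefined or null"; whether that branch actually fires depends on the condition lines of the first rule, which are outside the visible hunks, so it is presently untested either way. A small extra fixture (constructed sample: a `Pod` whose `metadata` carries `namespace: null`) with a matching entry here would pin it, or, if null is not meant to be reported, the result text in query.rego should not claim it. Expected `line` values 5, 4, 5, 5 agree with the `searchLine` paths (`metadata.namespace` for positives 1, 3 and 4; `metadata.name` for positive2) given the fixture layouts shown.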