feat(query): update "Using Unrecommended Namespace"

assets/queries/k8s/using_default_namespace/metadata.json → assets/queries/k8s/using_unrecommended_namespace/metadata.json

@@ -1,9 +1,9 @@
 {
   "id": "611ab018-c4aa-4ba2-b0f6-a448337509a6",
-  "queryName": "Using Default Namespace",
+  "queryName": "Using Unrecommended Namespace",
   "severity": "MEDIUM",
   "category": "Insecure Configurations",
-  "descriptionText": "The default namespace should not be used",
+  "descriptionText": "Namespaces like 'default', 'kube-system' or 'kube-public' should not be used",
   "descriptionUrl": "https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/",
   "platform": "Kubernetes",
   "descriptionID": "29549ea9"

assets/queries/k8s/using_default_namespace/query.rego → assets/queries/k8s/using_unrecommended_namespace/query.rego

@@ -2,14 +2,14 @@ package Cx
 
 listKinds := ["Pod", "Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "ReplicationController", "Job", "CronJob", "Service", "Secret", "ServiceAccount", "Role", "RoleBinding", "ConfigMap", "Ingress"]
 
-import data.generic.k8s as k8sLib
+import data.generic.k8s as k8s_lib
 import data.generic.common as common_lib
 
 CxPolicy[result] {
 	document := input.document[i]
 
 	kind := document.kind
-	k8sLib.checkKind(kind, listKinds)
+	k8s_lib.checkKind(kind, listKinds)
 
 	metadata = document.metadata
 
@@ -19,25 +19,29 @@ CxPolicy[result] {
 		"documentId": input.document[i].id,
 		"issueType": "MissingAttribute",
 		"searchKey": sprintf("kind={{%s}}.metadata.name={{%s}}", [kind, metadata.name]),
-		"keyExpectedValue": "metadata.namespace is set",
-		"keyActualValue": "metadata.namespace is undefined",
+		"keyExpectedValue": "metadata.namespace is defined and not null",
+		"keyActualValue": "metadata.namespace is undefined or null",
+		"searchLine": common_lib.build_search_line(["metadata", "name"], [])
 	}
 }
 
 CxPolicy[result] {
 	document := input.document[i]
 
 	kind := document.kind
-	k8sLib.checkKind(kind, listKinds)
+	k8s_lib.checkKind(kind, listKinds)
 
 	metadata = document.metadata
-	metadata.namespace == "default"
+
+	options := {"default", "kube-system", "kube-public"}
+	metadata.namespace == options[x]
 
 	result := {
 		"documentId": input.document[i].id,
 		"issueType": "IncorrectValue",
-		"searchKey": sprintf("kind={{%s}}.metadata.name={{%s}}", [kind, metadata.name]),
-		"keyExpectedValue": "metadata.namespace is not default",
-		"keyActualValue": "metadata.namespace is default",
+		"searchKey": sprintf("metadata.name={{%s}}.namespace", [metadata.name]),
+		"keyExpectedValue": "'metadata.namespace' is not set to default, kube-system or kube-public",
+		"keyActualValue": sprintf("'metadata.namespace' is set to %s", [options[x]]),
+		"searchLine": common_lib.build_search_line(["metadata", "namespace"], [])
 	}
 }

assets/queries/k8s/using_unrecommended_namespace/test/positive1.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: frontend
+  namespace: default
+spec:
+  containers:
+  - name: app
+    image: images.my-company.example/app:v4
+    securityContext:
+      allowPrivilegeEscalation: false
+    resources:
+      requests:
+        memory: "64Mi"
+        cpu: "250m"
+      limits:
+        memory: "128Mi"
+        cpu: "500m"
+
+  - name: log-aggregator
+    image: images.my-company.example/log-aggregator:v6
+    securityContext:
+      allowPrivilegeEscalation: false
+    resources:
+      requests:
+        memory: "64Mi"
+        cpu: "250m"
+      limits:
+        memory: "128Mi"
+        cpu: "500m"
+

assets/queries/k8s/using_unrecommended_namespace/test/positive2.yaml

@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: frontend2
+spec:
+  containers:
+  - name: app
+    image: images.my-company.example/app:v4
+    securityContext:
+      allowPrivilegeEscalation: false
+    resources:
+      requests:
+        memory: "64Mi"
+        cpu: "250m"
+      limits:
+        memory: "128Mi"
+        cpu: "500m"
+
+  - name: log-aggregator
+    image: images.my-company.example/log-aggregator:v6
+    securityContext:
+      allowPrivilegeEscalation: false
+    resources:
+      requests:
+        memory: "64Mi"
+        cpu: "250m"
+      limits:
+        memory: "128Mi"
+        cpu: "500m"

assets/queries/k8s/using_unrecommended_namespace/test/positive3.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: mongo.db.collection.com
+  namespace: kube-public

assets/queries/k8s/using_unrecommended_namespace/test/positive4.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: mongo.db.collection.com
+  namespace: kube-system

assets/queries/k8s/using_unrecommended_namespace/test/positive_expected_result.json

@@ -0,0 +1,26 @@
+[
+  {
+    "queryName": "Using Unrecommended Namespace",
+    "severity": "MEDIUM",
+    "line": 5,
+    "filename": "positive1.yaml"
+  },
+  {
+    "queryName": "Using Unrecommended Namespace",
+    "severity": "MEDIUM",
+    "line": 4,
+    "filename": "positive2.yaml"
+  },
+  {
+    "queryName": "Using Unrecommended Namespace",
+    "severity": "MEDIUM",
+    "line": 5,
+    "filename": "positive3.yaml"
+  },
+  {
+    "queryName": "Using Unrecommended Namespace",
+    "severity": "MEDIUM",
+    "line": 5,
+    "filename": "positive4.yaml"
+  }
+]