From 5b45a1bcbb2dfbf8654beae6b19dcb5fd79b5b6a Mon Sep 17 00:00:00 2001 From: szubersk Date: Sat, 2 Mar 2024 23:39:23 +1000 Subject: [PATCH] feat: add DeploymentConfig support 
Signed-off-by: szubersk --- .../default_namespace_should_not_be_used.rego | 1 + .../capabilities_no_drop_at_least_one.rego | 1 + .../advanced/optional/manages_etc_hosts.rego | 1 + .../uses_untrusted_azure_registry.rego | 1 + .../optional/uses_untrusted_ecr_registry.rego | 1 + .../optional/uses_untrusted_gcr_registry.rego | 1 + .../uses_untrusted_public_registries.rego | 1 + .../kubernetes/general/CPU_not_limited.rego | 1 + .../general/CPU_requests_not_specified.rego | 1 + .../general/SYS_ADMIN_capability.rego | 1 + .../general/SYS_MODULE_capability.rego | 1 + .../general/capabilities_no_drop_all.rego | 1 + .../general/default_security_context.rego | 1 + .../general/file_system_not_read_only.rego | 1 + .../general/memory_not_limited.rego | 1 + .../memory_requests_not_specified.rego | 1 + .../general/mounts_docker_socket.rego | 1 + .../general/net_raw_capability.rego | 1 + .../general/runs_with_GID_le_10000.rego | 1 + .../general/runs_with_UID_le_10000.rego | 1 + ...h_a_root_primary_or_supplementary_GID.rego | 1 + .../general/uses_image_tag_latest.rego | 1 + .../pss/baseline/10_windows_host_process.rego | 1 + .../11_seccomp_profile_unconfined.rego | 1 + .../baseline/12_privileged_ports_binding.rego | 1 + .../kubernetes/pss/baseline/1_host_ipc.rego | 1 + .../pss/baseline/1_host_network.rego | 1 + .../kubernetes/pss/baseline/1_host_pid.rego | 1 + .../kubernetes/pss/baseline/2_privileged.rego | 1 + .../3_specific_capabilities_added.rego | 1 + .../baseline/4_hostpath_volumes_mounted.rego | 1 + .../pss/baseline/5_access_to_host_ports.rego | 1 + .../baseline/6_apparmor_policy_disabled.rego | 1 + .../7_selinux_custom_options_set.rego | 1 + .../8_non_default_proc_masks_set.rego | 1 + .../baseline/9_unsafe_sysctl_options_set.rego | 1 + .../restricted/1_non_core_volume_types.rego | 1 + .../2_can_elevate_its_own_privileges.rego | 1 + .../pss/restricted/3_runs_as_root.rego | 1 + ...ntime_default_seccomp_profile_not_set.rego | 1 + ...ource_with_disallowed_volumes_mounted.rego | 1 
+ lib/kubernetes/kubernetes.rego | 7 ++++ lib/kubernetes/kubernetes_test.rego | 36 +++++++++++++++++++ 43 files changed, 84 insertions(+) diff --git a/checks/kubernetes/advanced/default_namespace_should_not_be_used.rego b/checks/kubernetes/advanced/default_namespace_should_not_be_used.rego index 5960c5d0..86ddacf9 100644 --- a/checks/kubernetes/advanced/default_namespace_should_not_be_used.rego +++ b/checks/kubernetes/advanced/default_namespace_should_not_be_used.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/advanced/optional/capabilities_no_drop_at_least_one.rego b/checks/kubernetes/advanced/optional/capabilities_no_drop_at_least_one.rego index 58ac3b0c..050eecdc 100644 --- a/checks/kubernetes/advanced/optional/capabilities_no_drop_at_least_one.rego +++ b/checks/kubernetes/advanced/optional/capabilities_no_drop_at_least_one.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/advanced/optional/manages_etc_hosts.rego b/checks/kubernetes/advanced/optional/manages_etc_hosts.rego index 0003b672..9ebfb934 100644 --- a/checks/kubernetes/advanced/optional/manages_etc_hosts.rego +++ b/checks/kubernetes/advanced/optional/manages_etc_hosts.rego @@ -18,6 +18,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/advanced/optional/uses_untrusted_azure_registry.rego b/checks/kubernetes/advanced/optional/uses_untrusted_azure_registry.rego index 04d3fd90..4c0caea4 100644 --- a/checks/kubernetes/advanced/optional/uses_untrusted_azure_registry.rego 
+++ b/checks/kubernetes/advanced/optional/uses_untrusted_azure_registry.rego @@ -18,6 +18,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/advanced/optional/uses_untrusted_ecr_registry.rego b/checks/kubernetes/advanced/optional/uses_untrusted_ecr_registry.rego index ac25b9b3..951a2a31 100644 --- a/checks/kubernetes/advanced/optional/uses_untrusted_ecr_registry.rego +++ b/checks/kubernetes/advanced/optional/uses_untrusted_ecr_registry.rego @@ -18,6 +18,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/advanced/optional/uses_untrusted_gcr_registry.rego b/checks/kubernetes/advanced/optional/uses_untrusted_gcr_registry.rego index a2d6607f..8e5ce31a 100644 --- a/checks/kubernetes/advanced/optional/uses_untrusted_gcr_registry.rego +++ b/checks/kubernetes/advanced/optional/uses_untrusted_gcr_registry.rego @@ -18,6 +18,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/advanced/optional/uses_untrusted_public_registries.rego b/checks/kubernetes/advanced/optional/uses_untrusted_public_registries.rego index e04248b4..80255b94 100644 --- a/checks/kubernetes/advanced/optional/uses_untrusted_public_registries.rego +++ b/checks/kubernetes/advanced/optional/uses_untrusted_public_registries.rego @@ -18,6 +18,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/general/CPU_not_limited.rego b/checks/kubernetes/general/CPU_not_limited.rego index 244cfdd4..3955ef77 100644 
--- a/checks/kubernetes/general/CPU_not_limited.rego +++ b/checks/kubernetes/general/CPU_not_limited.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/general/CPU_requests_not_specified.rego b/checks/kubernetes/general/CPU_requests_not_specified.rego index d5a7160f..d2a9b8fe 100644 --- a/checks/kubernetes/general/CPU_requests_not_specified.rego +++ b/checks/kubernetes/general/CPU_requests_not_specified.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/general/SYS_ADMIN_capability.rego b/checks/kubernetes/general/SYS_ADMIN_capability.rego index a1f35a2c..9ee05f91 100644 --- a/checks/kubernetes/general/SYS_ADMIN_capability.rego +++ b/checks/kubernetes/general/SYS_ADMIN_capability.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/general/SYS_MODULE_capability.rego b/checks/kubernetes/general/SYS_MODULE_capability.rego index d7854c62..4566abf2 100644 --- a/checks/kubernetes/general/SYS_MODULE_capability.rego +++ b/checks/kubernetes/general/SYS_MODULE_capability.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/general/capabilities_no_drop_all.rego b/checks/kubernetes/general/capabilities_no_drop_all.rego index 04d7dbd7..f3789d13 100644 --- a/checks/kubernetes/general/capabilities_no_drop_all.rego +++ b/checks/kubernetes/general/capabilities_no_drop_all.rego 
@@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/general/default_security_context.rego b/checks/kubernetes/general/default_security_context.rego index 662d39f3..1e7f7314 100644 --- a/checks/kubernetes/general/default_security_context.rego +++ b/checks/kubernetes/general/default_security_context.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/general/file_system_not_read_only.rego b/checks/kubernetes/general/file_system_not_read_only.rego index cc8afa4e..a4db3886 100644 --- a/checks/kubernetes/general/file_system_not_read_only.rego +++ b/checks/kubernetes/general/file_system_not_read_only.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/general/memory_not_limited.rego b/checks/kubernetes/general/memory_not_limited.rego index 3c3aa12c..b3e274f9 100644 --- a/checks/kubernetes/general/memory_not_limited.rego +++ b/checks/kubernetes/general/memory_not_limited.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/general/memory_requests_not_specified.rego b/checks/kubernetes/general/memory_requests_not_specified.rego index 95c1ccaf..19df70a4 100644 --- a/checks/kubernetes/general/memory_requests_not_specified.rego +++ b/checks/kubernetes/general/memory_requests_not_specified.rego 
@@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/general/mounts_docker_socket.rego b/checks/kubernetes/general/mounts_docker_socket.rego index 2024dd8e..d1bb3583 100644 --- a/checks/kubernetes/general/mounts_docker_socket.rego +++ b/checks/kubernetes/general/mounts_docker_socket.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/general/net_raw_capability.rego b/checks/kubernetes/general/net_raw_capability.rego index 1d684bc3..b65e967a 100644 --- a/checks/kubernetes/general/net_raw_capability.rego +++ b/checks/kubernetes/general/net_raw_capability.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/general/runs_with_GID_le_10000.rego b/checks/kubernetes/general/runs_with_GID_le_10000.rego index 697ea98d..b914dea7 100644 --- a/checks/kubernetes/general/runs_with_GID_le_10000.rego +++ b/checks/kubernetes/general/runs_with_GID_le_10000.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/general/runs_with_UID_le_10000.rego b/checks/kubernetes/general/runs_with_UID_le_10000.rego index fb7a66ba..573cf266 100644 --- a/checks/kubernetes/general/runs_with_UID_le_10000.rego +++ b/checks/kubernetes/general/runs_with_UID_le_10000.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob 
diff --git a/checks/kubernetes/general/runs_with_a_root_primary_or_supplementary_GID.rego b/checks/kubernetes/general/runs_with_a_root_primary_or_supplementary_GID.rego index ce2b6af5..ac8cd518 100644 --- a/checks/kubernetes/general/runs_with_a_root_primary_or_supplementary_GID.rego +++ b/checks/kubernetes/general/runs_with_a_root_primary_or_supplementary_GID.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/general/uses_image_tag_latest.rego b/checks/kubernetes/general/uses_image_tag_latest.rego index 74cca5e3..8b7019ff 100644 --- a/checks/kubernetes/general/uses_image_tag_latest.rego +++ b/checks/kubernetes/general/uses_image_tag_latest.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/pss/baseline/10_windows_host_process.rego b/checks/kubernetes/pss/baseline/10_windows_host_process.rego index b74eb6e4..5a668f30 100644 --- a/checks/kubernetes/pss/baseline/10_windows_host_process.rego +++ b/checks/kubernetes/pss/baseline/10_windows_host_process.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/pss/baseline/11_seccomp_profile_unconfined.rego b/checks/kubernetes/pss/baseline/11_seccomp_profile_unconfined.rego index aabf3692..608cb0a8 100644 --- a/checks/kubernetes/pss/baseline/11_seccomp_profile_unconfined.rego +++ b/checks/kubernetes/pss/baseline/11_seccomp_profile_unconfined.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob 
diff --git a/checks/kubernetes/pss/baseline/12_privileged_ports_binding.rego b/checks/kubernetes/pss/baseline/12_privileged_ports_binding.rego index ff102fdd..43f6b41b 100644 --- a/checks/kubernetes/pss/baseline/12_privileged_ports_binding.rego +++ b/checks/kubernetes/pss/baseline/12_privileged_ports_binding.rego @@ -21,6 +21,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/pss/baseline/1_host_ipc.rego b/checks/kubernetes/pss/baseline/1_host_ipc.rego index 3fbd3184..b482b749 100644 --- a/checks/kubernetes/pss/baseline/1_host_ipc.rego +++ b/checks/kubernetes/pss/baseline/1_host_ipc.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/pss/baseline/1_host_network.rego b/checks/kubernetes/pss/baseline/1_host_network.rego index 1ee29768..df2e05de 100644 --- a/checks/kubernetes/pss/baseline/1_host_network.rego +++ b/checks/kubernetes/pss/baseline/1_host_network.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/pss/baseline/1_host_pid.rego b/checks/kubernetes/pss/baseline/1_host_pid.rego index e64739e7..1972f037 100644 --- a/checks/kubernetes/pss/baseline/1_host_pid.rego +++ b/checks/kubernetes/pss/baseline/1_host_pid.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/pss/baseline/2_privileged.rego b/checks/kubernetes/pss/baseline/2_privileged.rego index bab45239..dcb0c648 100644 --- a/checks/kubernetes/pss/baseline/2_privileged.rego 
+++ b/checks/kubernetes/pss/baseline/2_privileged.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/pss/baseline/3_specific_capabilities_added.rego b/checks/kubernetes/pss/baseline/3_specific_capabilities_added.rego index efe90b15..b5ebf057 100644 --- a/checks/kubernetes/pss/baseline/3_specific_capabilities_added.rego +++ b/checks/kubernetes/pss/baseline/3_specific_capabilities_added.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.rego b/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.rego index 1faef701..206d4ca9 100644 --- a/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.rego +++ b/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/pss/baseline/5_access_to_host_ports.rego b/checks/kubernetes/pss/baseline/5_access_to_host_ports.rego index f6e2420d..a04878aa 100644 --- a/checks/kubernetes/pss/baseline/5_access_to_host_ports.rego +++ b/checks/kubernetes/pss/baseline/5_access_to_host_ports.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.rego b/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.rego index 4fcdbe91..52293ee1 100644 --- a/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.rego 
+++ b/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.rego b/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.rego index 6a7a208c..7333101f 100644 --- a/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.rego +++ b/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.rego b/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.rego index 6a8310b0..7e63550e 100644 --- a/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.rego +++ b/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.rego b/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.rego index b6397962..b4442c36 100644 --- a/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.rego +++ b/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/pss/restricted/1_non_core_volume_types.rego b/checks/kubernetes/pss/restricted/1_non_core_volume_types.rego index fa7b2cfd..504a55e8 100644 --- a/checks/kubernetes/pss/restricted/1_non_core_volume_types.rego 
+++ b/checks/kubernetes/pss/restricted/1_non_core_volume_types.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.rego b/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.rego index 9927076a..7a9685f6 100644 --- a/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.rego +++ b/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/pss/restricted/3_runs_as_root.rego b/checks/kubernetes/pss/restricted/3_runs_as_root.rego index b4bb37c0..ce27c7de 100644 --- a/checks/kubernetes/pss/restricted/3_runs_as_root.rego +++ b/checks/kubernetes/pss/restricted/3_runs_as_root.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob diff --git a/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego b/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego index 4a336cb6..e534daf9 100644 --- a/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego +++ b/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego @@ -20,6 +20,7 @@ # - kind: replicaset # - kind: replicationcontroller # - kind: deployment +# - kind: deploymentconfig # - kind: statefulset # - kind: daemonset # - kind: cronjob 
diff --git a/checks/kubernetes/pss/restricted/7_Kubernetes_resource_with_disallowed_volumes_mounted.rego b/checks/kubernetes/pss/restricted/7_Kubernetes_resource_with_disallowed_volumes_mounted.rego
index ffffec58..0ab7b847 100644
--- a/checks/kubernetes/pss/restricted/7_Kubernetes_resource_with_disallowed_volumes_mounted.rego
+++ b/checks/kubernetes/pss/restricted/7_Kubernetes_resource_with_disallowed_volumes_mounted.rego
@@ -20,6 +20,7 @@
 # - kind: replicaset
 # - kind: replicationcontroller
 # - kind: deployment
+# - kind: deploymentconfig
 # - kind: statefulset
 # - kind: daemonset
 # - kind: cronjob
diff --git a/lib/kubernetes/kubernetes.rego b/lib/kubernetes/kubernetes.rego
index b238e24b..9c92e093 100644
--- a/lib/kubernetes/kubernetes.rego
+++ b/lib/kubernetes/kubernetes.rego
@@ -51,10 +51,17 @@ is_cronjob {
 
 default is_controller = false
 
+api_version = object.apiVersion
+
 is_controller {
 	kind = "Deployment"
 }
 
+is_controller {
+	api_version = "apps.openshift.io/v1"
+	kind = "DeploymentConfig"
+}
+
 is_controller {
 	kind = "StatefulSet"
 }
diff --git a/lib/kubernetes/kubernetes_test.rego b/lib/kubernetes/kubernetes_test.rego
index c484908d..9841e5f6 100644
--- a/lib/kubernetes/kubernetes_test.rego
+++ b/lib/kubernetes/kubernetes_test.rego
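Review bot: The new `is_controller` rule for `DeploymentConfig` is the only one gated on `api_version`, so a `DeploymentConfig` with any apiVersion other than `apps.openshift.io/v1` is silently treated as a non-controller and none of the 41 checks that just listed this subtype evaluate its pod template — for a policy scanner that is a fail-open, not a fail-closed, outcome. The sibling `Deployment` and `StatefulSet` rules match on `kind` alone, and OpenShift 3.x manifests used the legacy `apiVersion: v1` for this kind (worth confirming against the manifests this is meant to cover). Either drop the gate to match the siblings, `is_controller { kind = "DeploymentConfig" }`, or keep it and say why at the rule, e.g. `# DeploymentConfig is OpenShift-specific; only the apps.openshift.io/v1 form is recognised, other apiVersions are ignored`. `api_version = object.apiVersion` is also a new name exported from a library every check imports, and is undefined when the field is absent; a one-line comment stating that would help readers of the checks. Both `is_controller` bodies are complete within the hunk.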
@@ -64,6 +64,42 @@ test_deployment {
 	test_pods[_].spec.containers[_].name == "hello-deployment"
 }
 
+test_deploymentconfig {
+	# spec -> template
+	mock = {
+		"apiVersion": "apps.openshift.io/v1",
+		"kind": "DeploymentConfig",
+		"metadata": {"name": "hello"},
+		"spec": {"template": {"spec": {
+			"containers": [{
+				"command": [
+					"sh",
+					"-c",
+					"echo 'Hello !' && sleep 1h",
+				],
+				"image": "busybox",
+				"name": "hello-deploymentconfig-1",
+			}],
+			"volumes": [
+				{
+					"name": "hello-volume-1",
+					"emptyDir": {},
+				},
+				{
+					"name": "hello-volume-2",
+					"emptyDir": {},
+				},
+			],
+		}}},
+	}
+
+	test_containers := containers with input as mock
+	test_volumes := volumes with input as mock
+
+	test_containers[_].name == "hello-deploymentconfig-1"
+	test_volumes[_].name == "hello-volume-2"
+}
+
 test_stateful_set {
 	# spec -> template
 	test_pods := pods with input as {
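Review bot: `test_deploymentconfig` only covers the positive path; the one thing the new `is_controller` rule adds beyond the `Deployment` rule — the `api_version = "apps.openshift.io/v1"` gate — is never exercised, so a change that loosens or breaks that condition would pass this suite. Add a second mock that differs only in `"apiVersion"` (for example the legacy `"v1"` form) and pin whichever outcome is intended for it, e.g. `count(containers) == 0 with input as mock_legacy` if such objects are meant to be skipped, or the same container assertion if they are meant to be scanned. It would also be worth asserting `is_controller with input as mock` directly rather than relying on `containers` to prove the routing indirectly.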