From b94ab148e0907640dc4aa496d8d8e3cf436bf260 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?R=C3=B4mulo=20Farias?=
Date: Mon, 23 Dec 2024 11:45:37 +0100
Subject: [PATCH] Upgrade to opa v1.0.0

---
 bin/{.opa-0.70.0.pkg => .opa-1.0.0.pkg} | 0
 bin/opa | 2 +-
 go.mod | 8 +++-----
 go.sum | 12 ++++++------
 internal/evaluator/debug_logger/factory.go | 4 ++--
 internal/evaluator/debug_logger/factory_test.go | 4 ++--
 internal/evaluator/debug_logger/plugin.go | 9 ++++-----
 internal/evaluator/logger.go | 2 +-
 internal/evaluator/logger_test.go | 2 +-
 internal/evaluator/opa.go | 6 ++----
 .../compliance/cis_k8s/rules/cis_1_2_10/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_1_2_11/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_1_2_12/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_1_2_16/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_1_2_17/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_1_2_18/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_1_2_19/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_1_2_2/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_1_2_25/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_1_2_28/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_1_2_29/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_1_2_4/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_1_2_6/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_1_2_7/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_1_2_8/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_1_2_9/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_1_3_2/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_1_3_3/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_1_3_4/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_1_3_5/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_1_3_6/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_1_3_7/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_1_4_1/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_1_4_2/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_2_2/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_2_3/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_2_5/rule.rego | 2 +-
 .../compliance/cis_k8s/rules/cis_2_6/rule.rego | 2 +-
 .../policy/process/ensure_arguments_contain_key.rego | 5 ++---
 .../process/ensure_arguments_contain_key_value.rego | 4 ++--
 .../process/ensure_arguments_contain_value.rego | 6 +++---
 41 files changed, 57 insertions(+), 63 deletions(-)
 rename bin/{.opa-0.70.0.pkg => .opa-1.0.0.pkg} (100%)

diff --git a/bin/.opa-0.70.0.pkg b/bin/.opa-1.0.0.pkg
similarity index 100%
rename from bin/.opa-0.70.0.pkg
rename to bin/.opa-1.0.0.pkg
diff --git a/bin/opa b/bin/opa
index f2c02f5e68..32e66cdf03 120000
--- a/bin/opa
+++ b/bin/opa
@@ -1 +1 @@
-.opa-0.70.0.pkg
\ No newline at end of file
+.opa-1.0.0.pkg
\ No newline at end of file
diff --git a/go.mod b/go.mod
index a3a03ccd53..138b120b35 100644
--- a/go.mod
+++ b/go.mod
@@ -68,7 +68,7 @@ require (
 	github.com/mikefarah/yq/v4 v4.44.6
 	github.com/mitchellh/gox v1.0.1
 	github.com/mitchellh/mapstructure v1.5.0
-	github.com/open-policy-agent/opa v0.70.0
+	github.com/open-policy-agent/opa v1.0.0
 	github.com/pierrre/gotestcover v0.0.0-20160517101806-924dca7d15f0
 	github.com/samber/lo v1.47.0
 	github.com/spf13/viper v1.19.0
@@ -187,8 +187,6 @@ require (
 	go.opentelemetry.io/collector/pdata v1.15.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.56.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0 // indirect
 	golang.org/x/exp v0.0.0-20241215155358-4a5509556b9e // indirect
 	golang.org/x/tools v0.28.0 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
@@ -521,7 +519,7 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/mod v0.22.0 // indirect
-	golang.org/x/net v0.32.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/term v0.27.0 // indirect
@@ -531,7 +529,7 @@ require (
 	google.golang.org/genproto v0.0.0-20241209162323-e6fa225c2576 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect
-	google.golang.org/grpc v1.69.0
+	google.golang.org/grpc v1.69.2
 	google.golang.org/protobuf v1.35.2
 	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
diff --git a/go.sum b/go.sum
index 6ded87bef5..e10f39417d 100644
--- a/go.sum
+++ b/go.sum
@@ -1384,8 +1384,8 @@ github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAl
 github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro=
 github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
 github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/open-policy-agent/opa v0.70.0 h1:B3cqCN2iQAyKxK6+GI+N40uqkin+wzIrM7YA60t9x1U=
-github.com/open-policy-agent/opa v0.70.0/go.mod h1:Y/nm5NY0BX0BqjBriKUiV81sCl8XOjjvqQG7dXrggtI=
+github.com/open-policy-agent/opa v1.0.0 h1:fZsEwxg1knpPvUn0YDJuJZBcbVg4G3zKpWa3+CnYK+I=
+github.com/open-policy-agent/opa v1.0.0/go.mod h1:+JyoH12I0+zqyC1iX7a2tmoQlipwAEGvOhVJMhmy+rM=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
@@ -1905,8 +1905,8 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
-golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
-golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190130055435-99b60b757ec1/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -2359,8 +2359,8 @@ google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACu
 google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
 google.golang.org/grpc v1.50.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
 google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
-google.golang.org/grpc v1.69.0 h1:quSiOM1GJPmPH5XtU+BCoVXcDVJJAzNcoyfC2cCjGkI=
-google.golang.org/grpc v1.69.0/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4=
+google.golang.org/grpc v1.69.2 h1:U3S9QEtbXC0bYNvRtcoklF3xGtLViumSYxWykJS+7AU=
+google.golang.org/grpc v1.69.2/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
diff --git a/internal/evaluator/debug_logger/factory.go b/internal/evaluator/debug_logger/factory.go
index 33120750be..e2a480ecb3 100644
--- a/internal/evaluator/debug_logger/factory.go
+++ b/internal/evaluator/debug_logger/factory.go
@@ -20,8 +20,8 @@ package dlogger
 import (
 	"sync"
 
-	"github.com/open-policy-agent/opa/plugins"
-	"github.com/open-policy-agent/opa/util"
+	"github.com/open-policy-agent/opa/v1/plugins"
+	"github.com/open-policy-agent/opa/v1/util"
 )
 
 type Factory struct{}
diff --git a/internal/evaluator/debug_logger/factory_test.go b/internal/evaluator/debug_logger/factory_test.go
index dafa95edc9..f9c4006079 100644
--- a/internal/evaluator/debug_logger/factory_test.go
+++ b/internal/evaluator/debug_logger/factory_test.go
@@ -20,8 +20,8 @@ package dlogger
 import (
 	"testing"
 
-	"github.com/open-policy-agent/opa/plugins"
-	"github.com/open-policy-agent/opa/storage/inmem"
+	"github.com/open-policy-agent/opa/v1/plugins"
+	"github.com/open-policy-agent/opa/v1/storage/inmem"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
diff --git a/internal/evaluator/debug_logger/plugin.go b/internal/evaluator/debug_logger/plugin.go
index d8f16add5d..36fa713f70 100644
--- a/internal/evaluator/debug_logger/plugin.go
+++ b/internal/evaluator/debug_logger/plugin.go
@@ -22,15 +22,14 @@ import (
 	"encoding/json"
 	"sync"
 
-	"github.com/open-policy-agent/opa/plugins"
-	"github.com/open-policy-agent/opa/plugins/logs"
-	"github.com/open-policy-agent/opa/util"
+	"github.com/open-policy-agent/opa/v1/plugins"
+	"github.com/open-policy-agent/opa/v1/plugins/logs"
+	"github.com/open-policy-agent/opa/v1/util"
 )
 
 const PluginName = "debug_decision_logs"
 
-type config struct {
-}
+type config struct{}
 
 type plugin struct {
 	manager *plugins.Manager
diff --git a/internal/evaluator/logger.go b/internal/evaluator/logger.go
index 4d11100e1f..6471a43735 100644
--- a/internal/evaluator/logger.go
+++ b/internal/evaluator/logger.go
@@ -19,7 +19,7 @@ package evaluator
 
 import (
 	"github.com/elastic/elastic-agent-libs/logp"
-	"github.com/open-policy-agent/opa/logging"
+	"github.com/open-policy-agent/opa/v1/logging"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
 )
diff --git a/internal/evaluator/logger_test.go b/internal/evaluator/logger_test.go
index 6dd8f675a1..51368afe7e 100644
--- a/internal/evaluator/logger_test.go
+++ b/internal/evaluator/logger_test.go
@@ -21,7 +21,7 @@ import (
 	"testing"
 
 	"github.com/elastic/elastic-agent-libs/logp"
-	"github.com/open-policy-agent/opa/logging"
+	"github.com/open-policy-agent/opa/v1/logging"
 	"github.com/stretchr/testify/suite"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
diff --git a/internal/evaluator/opa.go b/internal/evaluator/opa.go
index 69dbd8ad32..c87484d85a 100644
--- a/internal/evaluator/opa.go
+++ b/internal/evaluator/opa.go
@@ -25,8 +25,8 @@ import (
 
 	"github.com/elastic/elastic-agent-libs/logp"
 	"github.com/mitchellh/mapstructure"
-	"github.com/open-policy-agent/opa/plugins"
-	"github.com/open-policy-agent/opa/sdk"
+	"github.com/open-policy-agent/opa/v1/plugins"
+	"github.com/open-policy-agent/opa/v1/sdk"
 
 	"github.com/elastic/cloudbeat/internal/config"
 	dlogger "github.com/elastic/cloudbeat/internal/evaluator/debug_logger"
@@ -84,7 +84,6 @@ func NewOpaEvaluator(ctx context.Context, log *logp.Logger, cfg *config.Config)
 			dlogger.PluginName: &dlogger.Factory{},
 		},
 	})
-
 	if err != nil {
 		return nil, fmt.Errorf("fail to init opa: %s", err.Error())
 	}
@@ -123,7 +122,6 @@ func (o *OpaEvaluator) Eval(ctx context.Context, resourceInfo fetching.ResourceI
 		Result: fetcherResult,
 		Benchmark: o.benchmark,
 	})
-
 	if err != nil {
 		return EventData{}, fmt.Errorf("error running the policy: %v", err)
 	}
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_10/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_10/rule.rego
index 9201860a06..c2fc991dec 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_10/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_10/rule.rego
@@ -2,4 +2,4 @@ package compliance.cis_k8s.rules.cis_1_2_10
 
 import data.compliance.policy.process.ensure_arguments_contain_value as audit
 
-finding := audit.finding(audit.contains("--enable-admission-plugins", "EventRateLimit"))
+finding := audit.finding(audit.arg_contains("--enable-admission-plugins", "EventRateLimit"))
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_11/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_11/rule.rego
index 7814e21845..57ce683a15 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_11/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_11/rule.rego
@@ -2,4 +2,4 @@ package compliance.cis_k8s.rules.cis_1_2_11
 
 import data.compliance.policy.process.ensure_arguments_contain_value as audit
 
-finding := audit.finding(audit.not_contains("--enable-admission-plugins", "AlwaysAdmit"))
+finding := audit.finding(audit.arg_not_contains("--enable-admission-plugins", "AlwaysAdmit"))
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_12/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_12/rule.rego
index 12a8f1aeb6..86cc9ff699 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_12/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_12/rule.rego
@@ -2,4 +2,4 @@ package compliance.cis_k8s.rules.cis_1_2_12
 
 import data.compliance.policy.process.ensure_arguments_contain_value as audit
 
-finding := audit.finding(audit.contains("--enable-admission-plugins", "AlwaysPullImages"))
+finding := audit.finding(audit.arg_contains("--enable-admission-plugins", "AlwaysPullImages"))
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_16/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_16/rule.rego
index 11334ae378..1da0cd3b06 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_16/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_16/rule.rego
@@ -2,4 +2,4 @@ package compliance.cis_k8s.rules.cis_1_2_16
 
 import data.compliance.policy.process.ensure_arguments_contain_value as audit
 
-finding := audit.finding(audit.contains("--enable-admission-plugins", "NodeRestriction"))
+finding := audit.finding(audit.arg_contains("--enable-admission-plugins", "NodeRestriction"))
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_17/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_17/rule.rego
index 366f787f47..9f73ec3f8c 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_17/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_17/rule.rego
@@ -5,5 +5,5 @@ import future.keywords.if
 
 finding = result if {
 	audit.apiserver_filter
-	result := audit.finding(audit.not_contains("--secure-port", "0"))
+	result := audit.finding(audit.arg_not_contains("--secure-port", "0"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_18/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_18/rule.rego
index 7d88eb8b0f..70abb142b0 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_18/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_18/rule.rego
@@ -5,5 +5,5 @@ import future.keywords.if
 
 finding = result if {
 	audit.apiserver_filter
-	result := audit.finding(audit.contains("--profiling", "false"))
+	result := audit.finding(audit.arg_contains("--profiling", "false"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_19/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_19/rule.rego
index 478938fc43..fc4313640f 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_19/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_19/rule.rego
@@ -5,5 +5,5 @@ import future.keywords.if
 
 finding = result if {
 	audit.apiserver_filter
-	result := audit.finding(audit.contains("--audit-log-path"))
+	result := audit.finding(audit.arg_contains("--audit-log-path"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_2/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_2/rule.rego
index 1bb2784224..975905c706 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_2/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_2/rule.rego
@@ -5,5 +5,5 @@ import future.keywords.if
 
 finding = result if {
 	audit.apiserver_filter
-	result := audit.finding(audit.not_contains("--token-auth-file"))
+	result := audit.finding(audit.arg_not_contains("--token-auth-file"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_25/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_25/rule.rego
index 0916d02258..e34ebd471c 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_25/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_25/rule.rego
@@ -5,5 +5,5 @@ import future.keywords.if
 
 finding = result if {
 	audit.apiserver_filter
-	result := audit.finding(audit.contains("--service-account-key-file"))
+	result := audit.finding(audit.arg_contains("--service-account-key-file"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_28/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_28/rule.rego
index e18de47890..80cdac4cc4 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_28/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_28/rule.rego
@@ -5,5 +5,5 @@ import future.keywords.if
 
 finding = result if {
 	audit.apiserver_filter
-	result := audit.finding(audit.contains("--client-ca-file"))
+	result := audit.finding(audit.arg_contains("--client-ca-file"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_29/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_29/rule.rego
index 759cfe6ea0..c5d8870232 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_29/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_29/rule.rego
@@ -5,5 +5,5 @@ import future.keywords.if
 
 finding = result if {
 	audit.apiserver_filter
-	result := audit.finding(audit.contains("--etcd-cafile"))
+	result := audit.finding(audit.arg_contains("--etcd-cafile"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_4/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_4/rule.rego
index 310579fb53..6968dc1d84 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_4/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_4/rule.rego
@@ -5,5 +5,5 @@ import future.keywords.if
 
 finding = result if {
 	audit.apiserver_filter
-	result := audit.finding(audit.not_contains("--kubelet-https", "false"))
+	result := audit.finding(audit.arg_not_contains("--kubelet-https", "false"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_6/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_6/rule.rego
index 2a9deed45a..f2fcd446f5 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_6/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_6/rule.rego
@@ -5,5 +5,5 @@ import future.keywords.if
 
 finding = result if {
 	audit.apiserver_filter
-	result := audit.finding(audit.contains("--kubelet-certificate-authority"))
+	result := audit.finding(audit.arg_contains("--kubelet-certificate-authority"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_7/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_7/rule.rego
index 91216eb131..190bd9da99 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_7/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_7/rule.rego
@@ -2,4 +2,4 @@ package compliance.cis_k8s.rules.cis_1_2_7
 
 import data.compliance.policy.process.ensure_arguments_contain_value as audit
 
-finding := audit.finding(audit.not_contains("--authorization-mode", "AlwaysAllow"))
+finding := audit.finding(audit.arg_not_contains("--authorization-mode", "AlwaysAllow"))
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_8/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_8/rule.rego
index 4c9af4639b..70b010e3c1 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_8/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_8/rule.rego
@@ -2,4 +2,4 @@ package compliance.cis_k8s.rules.cis_1_2_8
 
 import data.compliance.policy.process.ensure_arguments_contain_value as audit
 
-finding := audit.finding(audit.contains("--authorization-mode", "Node"))
+finding := audit.finding(audit.arg_contains("--authorization-mode", "Node"))
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_9/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_9/rule.rego
index 052ef08a97..5903825bf1 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_9/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_9/rule.rego
@@ -2,4 +2,4 @@ package compliance.cis_k8s.rules.cis_1_2_9
 
 import data.compliance.policy.process.ensure_arguments_contain_value as audit
 
-finding := audit.finding(audit.contains("--authorization-mode", "RBAC"))
+finding := audit.finding(audit.arg_contains("--authorization-mode", "RBAC"))
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_2/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_2/rule.rego
index cc9a33a035..938978598d 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_2/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_2/rule.rego
@@ -5,5 +5,5 @@ import future.keywords.if
 
 finding = result if {
 	audit.controller_manager_filter
-	result := audit.finding(audit.contains("--profiling", "false"))
+	result := audit.finding(audit.arg_contains("--profiling", "false"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_3/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_3/rule.rego
index b92b8a2c5f..8306a300ba 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_3/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_3/rule.rego
@@ -5,5 +5,5 @@ import future.keywords.if
 
 finding = result if {
 	audit.controller_manager_filter
-	result := audit.finding(audit.contains("--use-service-account-credentials", "true"))
+	result := audit.finding(audit.arg_contains("--use-service-account-credentials", "true"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_4/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_4/rule.rego
index e5d51c1150..67979fb6f5 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_4/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_4/rule.rego
@@ -5,5 +5,5 @@ import future.keywords.if
 
 finding = result if {
 	audit.controller_manager_filter
-	result := audit.finding(audit.contains("--service-account-private-key-file"))
+	result := audit.finding(audit.arg_contains("--service-account-private-key-file"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_5/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_5/rule.rego
index c699794389..54635794b3 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_5/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_5/rule.rego
@@ -5,5 +5,5 @@ import future.keywords.if
 
 finding = result if {
 	audit.controller_manager_filter
-	result := audit.finding(audit.contains("--root-ca-file"))
+	result := audit.finding(audit.arg_contains("--root-ca-file"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_6/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_6/rule.rego
index 531729194d..655d851c84 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_6/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_6/rule.rego
@@ -5,5 +5,5 @@ import future.keywords.if
 
 finding = result if {
 	audit.controller_manager_filter
-	result := audit.finding(audit.contains("--feature-gates", "RotateKubeletServerCertificate=true"))
+	result := audit.finding(audit.arg_contains("--feature-gates", "RotateKubeletServerCertificate=true"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_7/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_7/rule.rego
index e28e4c9619..4d71e43f24 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_7/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_7/rule.rego
@@ -5,5 +5,5 @@ import future.keywords.if
 
 finding = result if {
 	audit.controller_manager_filter
-	result := audit.finding(audit.contains("--bind-address", "127.0.0.1"))
+	result := audit.finding(audit.arg_contains("--bind-address", "127.0.0.1"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_1/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_1/rule.rego
index 3bcb3cea76..8b4c243311 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_1/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_1/rule.rego
@@ -5,5 +5,5 @@ import future.keywords.if
 
 finding = result if {
 	audit.scheduler_filter
-	result := audit.finding(audit.contains("--profiling", "false"))
+	result := audit.finding(audit.arg_contains("--profiling", "false"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_2/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_2/rule.rego
index 8914170673..61ef43887f 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_2/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_2/rule.rego
@@ -5,5 +5,5 @@ import future.keywords.if
 
 finding = result if {
 	audit.scheduler_filter
-	result := audit.finding(audit.contains("--bind-address", "127.0.0.1"))
+	result := audit.finding(audit.arg_contains("--bind-address", "127.0.0.1"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_2/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_2/rule.rego
index 22f67fdbc8..c1ef4ab786 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_2/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_2/rule.rego
@@ -5,5 +5,5 @@ import future.keywords.if
 
 finding = result if {
 	audit.etcd_filter
-	result := audit.finding(audit.contains("--client-cert-auth", "true"))
+	result := audit.finding(audit.arg_contains("--client-cert-auth", "true"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_3/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_3/rule.rego
index d34d104764..5f6bafbe81 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_3/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_3/rule.rego
@@ -5,5 +5,5 @@ import future.keywords.if
 
 finding = result if {
 	audit.etcd_filter
-	result := audit.finding(audit.not_contains("--auto-tls", "true"))
+	result := audit.finding(audit.arg_not_contains("--auto-tls", "true"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_5/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_5/rule.rego
index 6d910e2771..ab7b7b9a22 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_5/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_5/rule.rego
@@ -5,5 +5,5 @@ import future.keywords.if
 
 finding = result if {
 	audit.etcd_filter
-	result := audit.finding(audit.contains("--peer-client-cert-auth", "true"))
+	result := audit.finding(audit.arg_contains("--peer-client-cert-auth", "true"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_6/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_6/rule.rego
index a488d90c32..664d30104c 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_6/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_6/rule.rego
@@ -5,5 +5,5 @@ import future.keywords.if
 
 finding = result if {
 	audit.etcd_filter
-	result := audit.finding(audit.not_contains("--peer-auto-tls", "true"))
+	result := audit.finding(audit.arg_not_contains("--peer-auto-tls", "true"))
 }
diff --git a/security-policies/bundle/compliance/policy/process/ensure_arguments_contain_key.rego b/security-policies/bundle/compliance/policy/process/ensure_arguments_contain_key.rego
index 2a9c008417..67bfe8ab0b 100644
--- a/security-policies/bundle/compliance/policy/process/ensure_arguments_contain_key.rego
+++ b/security-policies/bundle/compliance/policy/process/ensure_arguments_contain_key.rego
@@ -14,10 +14,9 @@ finding(rule_evaluation) := lib_common.generate_result_without_expected(
 	{"process_args": process_args},
 )
 
-not_contains(entity) := assert.is_false(lib_common.contains_key(process_args, entity))
+arg_not_contains(entity) := assert.is_false(lib_common.contains_key(process_args, entity))
 
-# regal ignore:rule-shadows-builtin
-contains(entity) := entity in object.keys(process_args)
+arg_contains(entity) := entity in object.keys(process_args)
 
 apiserver_filter := data_adapter.is_kube_apiserver
 
diff --git a/security-policies/bundle/compliance/policy/process/ensure_arguments_contain_key_value.rego b/security-policies/bundle/compliance/policy/process/ensure_arguments_contain_key_value.rego
index 997b983bfb..68c12ba8f8 100644
--- a/security-policies/bundle/compliance/policy/process/ensure_arguments_contain_key_value.rego
+++ b/security-policies/bundle/compliance/policy/process/ensure_arguments_contain_key_value.rego
@@ -12,10 +12,10 @@ finding(rule_evaluation) := lib_common.generate_result_without_expected(
 	{"process_args": process_args},
 )
 
-not_contains(entity, value) := assert.is_false(lib_common.contains_key_with_value(process_args, entity, value))
+arg_not_contains(entity, value) := assert.is_false(lib_common.contains_key_with_value(process_args, entity, value))
 
 # regal ignore:rule-shadows-builtin
-contains(entity, value) := lib_common.contains_key_with_value(process_args, entity, value)
+arg_contains(entity, value) := lib_common.contains_key_with_value(process_args, entity, value)
 
 apiserver_filter := data_adapter.is_kube_apiserver
 
diff --git a/security-policies/bundle/compliance/policy/process/ensure_arguments_contain_value.rego b/security-policies/bundle/compliance/policy/process/ensure_arguments_contain_value.rego
index 55b14e886f..0e61f2349a 100644
--- a/security-policies/bundle/compliance/policy/process/ensure_arguments_contain_value.rego
+++ b/security-policies/bundle/compliance/policy/process/ensure_arguments_contain_value.rego
@@ -19,7 +19,7 @@ finding(rule_evaluation) = result if {
 	)
 }
 
-not_contains(entity, value) := assert.is_false(process_common.arg_values_contains(process_args, entity, value))
+arg_not_contains(entity, value) := assert.is_false(process_common.arg_values_contains(process_args, entity, value))
 
-# regal ignore:rule-shadows-builtin
-contains(entity, value) := process_common.arg_values_contains(process_args, entity, value)
+
+arg_contains(entity, value) := process_common.arg_values_contains(process_args, entity, value)
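Review bot: The `# regal ignore:rule-shadows-builtin` line kept as context directly above the new `arg_contains(entity, value)` in ensure_arguments_contain_key_value.rego is now stale: the rule no longer shares a name with a built-in, so the suppression covers nothing and will mislead the next reader into thinking the shadowing still exists. The sibling hunks in ensure_arguments_contain_key.rego and ensure_arguments_contain_value.rego drop that comment together with the rename; this file should do the same so the three helper modules stay consistent, i.e. delete the `# regal ignore:rule-shadows-builtin` line. The rename itself is presumably driven by `contains` being a reserved keyword under the Rego v1 syntax that OPA 1.0 parses by default; a one-line comment such as `# renamed from contains/not_contains: reserved keywords in Rego v1` at the top of each helper would make the reason for the rename discoverable without reading this commit.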
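Review bot: Replacing the removed `# regal ignore:rule-shadows-builtin` line with an empty `+` line in ensure_arguments_contain_value.rego leaves two consecutive blank lines between `arg_not_contains` and `arg_contains` at the end of the file, which the other two helper hunks avoid; drop the added blank line so `arg_contains(entity, value) := ...` follows a single blank line as before. Since this hunk ends at end-of-file, nothing after it is affected. Separately, the diffstat lists only rule.rego files and the three helpers; if any test modules in the bundle still reference `audit.contains`/`audit.not_contains` they would no longer resolve after this rename, so it is worth confirming the bundle's test run passes under the new OPA binary (cannot be verified from this patch).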