From 97a042c22d130910897c3c6c293c370d2f270471 Mon Sep 17 00:00:00 2001 From: Craig Box Date: Mon, 2 Oct 2023 18:47:41 +1300 Subject: [PATCH 1/2] Fix spelling of "beggining" throughout. Signed-off-by: Craig Box --- rules/CVE-2021-25741/raw.rego | 16 ++-- rules/CVE-2022-0492/raw.rego | 90 +++++++++---------- rules/K8s common labels usage/raw.rego | 12 +-- rules/alert-any-hostpath/raw.rego | 16 ++-- .../raw.rego | 14 +-- rules/alert-rw-hostpath/raw.rego | 20 ++--- rules/automount-service-account/raw.rego | 24 ++--- rules/container-hostPort/raw.rego | 16 ++-- rules/immutable-container-filesystem/raw.rego | 20 ++--- rules/insecure-capabilities/raw.rego | 16 ++-- rules/label-usage-for-resources/raw.rego | 12 +-- rules/non-root-containers/raw.rego | 58 ++++++------ rules/resource-policies/raw.rego | 28 +++--- .../rule-allow-privilege-escalation/raw.rego | 28 +++--- rules/rule-privileged-container/raw.rego | 28 +++--- rules/serviceaccount-token-mount/filter.rego | 14 +-- rules/serviceaccount-token-mount/raw.rego | 26 +++--- rules/sudo-in-container-entrypoint/raw.rego | 16 ++-- 18 files changed, 227 insertions(+), 227 deletions(-) diff --git a/rules/CVE-2021-25741/raw.rego b/rules/CVE-2021-25741/raw.rego index 76bde3f26..c32498a33 100644 --- a/rules/CVE-2021-25741/raw.rego +++ b/rules/CVE-2021-25741/raw.rego @@ -8,8 +8,8 @@ deny[msga] { pod := input[_] pod.kind == "Pod" container := pod.spec.containers[i] - beggining_of_path := "spec." - final_path := is_sub_path_container(container, i, beggining_of_path) + start_of_path := "spec." + final_path := is_sub_path_container(container, i, start_of_path) msga := { "alertMessage": sprintf("You may be vulnerable to CVE-2021-25741. You have a Node with a vulnerable version and the following container : %v in pod : %v with subPath/subPathExpr", [container.name, pod.metadata.name]), @@ -29,8 +29,8 @@ deny[msga] { spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} spec_template_spec_patterns[wl.kind] container := wl.spec.template.spec.containers[i] - beggining_of_path := "spec.template.spec." - final_path := is_sub_path_container(container, i, beggining_of_path) + start_of_path := "spec.template.spec." + final_path := is_sub_path_container(container, i, start_of_path) msga := { "alertMessage": sprintf("You may be vulnerable to CVE-2021-25741. You have a Node with a vulnerable version and the following container : %v in %v : %v with subPath/subPathExpr", [container.name, wl.kind, wl.metadata.name]), @@ -50,8 +50,8 @@ deny[msga] { wl := input[_] wl.kind == "CronJob" container = wl.spec.jobTemplate.spec.template.spec.containers[i] - beggining_of_path := "spec.jobTemplate.spec.template.spec." - final_path := is_sub_path_container(container, i, beggining_of_path) + start_of_path := "spec.jobTemplate.spec.template.spec." + final_path := is_sub_path_container(container, i, start_of_path) msga := { "alertMessage": sprintf("You may be vulnerable to CVE-2021-25741. You have a Node with a vulnerable version and the following container : %v in %v : %v with subPath/subPathExpr", [container.name, wl.kind, wl.metadata.name]), @@ -64,8 +64,8 @@ deny[msga] { -is_sub_path_container(container, i, beggining_of_path) = path { - path = [sprintf("%vcontainers[%v].volumeMounts[%v].subPath" ,[beggining_of_path, format_int(i, 10), format_int(j, 10)]) | volume_mount = container.volumeMounts[j]; volume_mount.subPath] +is_sub_path_container(container, i, start_of_path) = path { + path = [sprintf("%vcontainers[%v].volumeMounts[%v].subPath" ,[start_of_path, format_int(i, 10), format_int(j, 10)]) | volume_mount = container.volumeMounts[j]; volume_mount.subPath] count(path) > 0 } diff --git a/rules/CVE-2022-0492/raw.rego b/rules/CVE-2022-0492/raw.rego index c60062a2a..2d777367a 100644 --- a/rules/CVE-2022-0492/raw.rego +++ b/rules/CVE-2022-0492/raw.rego @@ -14,11 +14,11 @@ deny[msga] { container := pod.spec.containers[i] # Path to send - beggining_of_path := "spec" + start_of_path := "spec" # If container is privileged or has CAP_SYS_ADMIN, pass not container.securityContext.privileged == true - not is_cap_sys_admin(container, beggining_of_path) + not is_cap_sys_admin(container, start_of_path) is_no_SELinux_No_AppArmor_Pod(pod) @@ -28,10 +28,10 @@ deny[msga] { is_no_Seccomp_Container(container) # Check if is running as root - alertInfo := evaluate_workload_non_root_container(container, pod, beggining_of_path) + alertInfo := evaluate_workload_non_root_container(container, pod, start_of_path) # CAP_DAC_OVERRIDE will fail on second check - not isCAP_DAC_OVERRIDE(container, beggining_of_path, i) + not isCAP_DAC_OVERRIDE(container, start_of_path, i) # Get paths fixPath := get_fixed_path(alertInfo, i) @@ -54,14 +54,14 @@ deny[msga] { wl := input[_] spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} spec_template_spec_patterns[wl.kind] - beggining_of_path := "spec.template.spec" + start_of_path := "spec.template.spec" pod := wl.spec.template container := pod.spec.containers[i] # If container is privileged or has CAP_SYS_ADMIN, pass not container.securityContext.privileged == true - not is_cap_sys_admin(container, beggining_of_path) + not is_cap_sys_admin(container, start_of_path) is_no_SELinux_No_AppArmor_Pod(pod) @@ -71,10 +71,10 @@ deny[msga] { is_no_Seccomp_Container(container) # Check if is running as root - alertInfo := evaluate_workload_non_root_container(container, pod, beggining_of_path) + alertInfo := evaluate_workload_non_root_container(container, pod, start_of_path) # CAP_DAC_OVERRIDE will fail on second check - not isCAP_DAC_OVERRIDE(container, beggining_of_path, i) + not isCAP_DAC_OVERRIDE(container, start_of_path, i) # Get paths fixPath := get_fixed_path(alertInfo, i) @@ -96,14 +96,14 @@ deny[msga] { deny[msga] { wl := input[_] wl.kind == "CronJob" - beggining_of_path := "spec.jobTemplate.spec.template.spec" + start_of_path := "spec.jobTemplate.spec.template.spec" pod := wl.spec.jobTemplate.spec.template container = pod.spec.containers[i] # If container is privileged or has CAP_SYS_ADMIN, pass not container.securityContext.privileged == true - not is_cap_sys_admin(container, beggining_of_path) + not is_cap_sys_admin(container, start_of_path) is_no_SELinux_No_AppArmor_Pod(pod) @@ -113,10 +113,10 @@ deny[msga] { is_no_Seccomp_Container(container) # Check if is running as root - alertInfo := evaluate_workload_non_root_container(container, pod, beggining_of_path) + alertInfo := evaluate_workload_non_root_container(container, pod, start_of_path) # CAP_DAC_OVERRIDE will fail on second check - not isCAP_DAC_OVERRIDE(container, beggining_of_path, i) + not isCAP_DAC_OVERRIDE(container, start_of_path, i) # Get paths fixPath := get_fixed_path(alertInfo, i) @@ -147,13 +147,13 @@ deny[msga] { pod.kind == "Pod" container := pod.spec.containers[i] - beggining_of_path := "spec." + start_of_path := "spec." - result := isCAP_DAC_OVERRIDE(container, beggining_of_path, i) + result := isCAP_DAC_OVERRIDE(container, start_of_path, i) # If container is privileged or has CAP_SYS_ADMIN, pass not container.securityContext.privileged == true - not is_cap_sys_admin(container, beggining_of_path) + not is_cap_sys_admin(container, start_of_path) is_no_SELinux_No_AppArmor_Pod(pod) is_no_SELinux_container(container) @@ -178,13 +178,13 @@ deny[msga] { pod := wl.spec.template container := pod.spec.containers[i] - beggining_of_path := "spec.template.spec." + start_of_path := "spec.template.spec." - result := isCAP_DAC_OVERRIDE(container, beggining_of_path, i) + result := isCAP_DAC_OVERRIDE(container, start_of_path, i) # If container is privileged or has CAP_SYS_ADMIN, pass not container.securityContext.privileged == true - not is_cap_sys_admin(container, beggining_of_path) + not is_cap_sys_admin(container, start_of_path) is_no_SELinux_No_AppArmor_Pod(pod) is_no_SELinux_container(container) @@ -208,13 +208,13 @@ deny[msga] { pod := wl.spec.jobTemplate.spec.template container = pod.spec.containers[i] - beggining_of_path := "spec.jobTemplate.spec.template.spec." + start_of_path := "spec.jobTemplate.spec.template.spec." - result := isCAP_DAC_OVERRIDE(container, beggining_of_path, i) + result := isCAP_DAC_OVERRIDE(container, start_of_path, i) # If container is privileged or has CAP_SYS_ADMIN, pass not container.securityContext.privileged == true - not is_cap_sys_admin(container, beggining_of_path) + not is_cap_sys_admin(container, start_of_path) is_no_SELinux_No_AppArmor_Pod(pod) is_no_SELinux_container(container) @@ -234,15 +234,15 @@ deny[msga] { -is_cap_sys_admin(container, beggining_of_path) { +is_cap_sys_admin(container, start_of_path) { capability = container.securityContext.capabilities.add[k] capability == "SYS_ADMIN" } -isCAP_DAC_OVERRIDE(container, beggining_of_path, i) = path { +isCAP_DAC_OVERRIDE(container, start_of_path, i) = path { capability = container.securityContext.capabilities.add[k] capability == "DAC_OVERRIDE" - path = sprintf("%vcontainers[%v].securityContext.capabilities.add[%v]", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) + path = sprintf("%vcontainers[%v].securityContext.capabilities.add[%v]", [start_of_path, format_int(i, 10), format_int(k, 10)]) } @@ -294,16 +294,16 @@ is_no_Seccomp_Container(container) { ################################################################################# # Workload evaluation -evaluate_workload_non_root_container(container, pod, beggining_of_path) = alertInfo { - runAsNonRootValue := get_run_as_non_root_value(container, pod, beggining_of_path) +evaluate_workload_non_root_container(container, pod, start_of_path) = alertInfo { + runAsNonRootValue := get_run_as_non_root_value(container, pod, start_of_path) runAsNonRootValue.value == false - runAsUserValue := get_run_as_user_value(container, pod, beggining_of_path) + runAsUserValue := get_run_as_user_value(container, pod, start_of_path) runAsUserValue.value == 0 alertInfo := choose_first_if_defined(runAsUserValue, runAsNonRootValue) } else = alertInfo { - allowPrivilegeEscalationValue := get_allow_privilege_escalation(container, pod, beggining_of_path) + allowPrivilegeEscalationValue := get_allow_privilege_escalation(container, pod, start_of_path) allowPrivilegeEscalationValue.value == true alertInfo := allowPrivilegeEscalationValue @@ -313,48 +313,48 @@ evaluate_workload_non_root_container(container, pod, beggining_of_path) = alertI ################################################################################# # Checking for non-root and allowPrivilegeEscalation enabled -get_run_as_non_root_value(container, pod, beggining_of_path) = runAsNonRoot { - failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]) +get_run_as_non_root_value(container, pod, start_of_path) = runAsNonRoot { + failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]) runAsNonRoot := {"value" : container.securityContext.runAsNonRoot, "failed_path" : failed_path, "fixPath": [] ,"defined" : true} } else = runAsNonRoot { - failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]) + failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]) runAsNonRoot := {"value" : pod.spec.securityContext.runAsNonRoot, "failed_path" : failed_path, "fixPath": [], "defined" : true} } else = {"value" : false, "failed_path" : "", "fixPath": [{"path": "spec.securityContext.runAsNonRoot", "value":"true"}], "defined" : false} { is_allow_privilege_escalation_field(container, pod) -} else = {"value" : false, "failed_path" : "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]) , "value":"true"}, {"path":sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [beggining_of_path]), "value":"false"}], "defined" : false} +} else = {"value" : false, "failed_path" : "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]) , "value":"true"}, {"path":sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], "defined" : false} -get_run_as_user_value(container, pod, beggining_of_path) = runAsUser { - failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [beggining_of_path]) +get_run_as_user_value(container, pod, start_of_path) = runAsUser { + failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [start_of_path]) runAsUser := {"value" : container.securityContext.runAsUser, "failed_path" : failed_path, "fixPath": [], "defined" : true} } else = runAsUser { - failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [beggining_of_path]) + failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [start_of_path]) runAsUser := {"value" : pod.spec.securityContext.runAsUser, "failed_path" : failed_path, "fixPath": [],"defined" : true} -} else = {"value" : 0, "failed_path": "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]), "value":"true"}],"defined" : false}{ +} else = {"value" : 0, "failed_path": "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}],"defined" : false}{ is_allow_privilege_escalation_field(container, pod) } else = {"value" : 0, "failed_path": "", - "fixPath": [{"path": sprintf("%v.securityContext.containers[container_ndx].runAsNonRoot", [beggining_of_path]), "value":"true"},{"path": sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [beggining_of_path]), "value":"false"}], + "fixPath": [{"path": sprintf("%v.securityContext.containers[container_ndx].runAsNonRoot", [start_of_path]), "value":"true"},{"path": sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], "defined" : false} -get_run_as_group_value(container, pod, beggining_of_path) = runAsGroup { - failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [beggining_of_path]) +get_run_as_group_value(container, pod, start_of_path) = runAsGroup { + failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [start_of_path]) runAsGroup := {"value" : container.securityContext.runAsGroup, "failed_path" : failed_path, "fixPath": [],"defined" : true} } else = runAsGroup { - failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [beggining_of_path]) + failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [start_of_path]) runAsGroup := {"value" : pod.spec.securityContext.runAsGroup, "failed_path" : failed_path, "fixPath":[], "defined" : true} } else = {"value" : 0, "failed_path": "", "fixPath": [{"path": "spec.securityContext.runAsNonRoot", "value":"true"}], "defined" : false}{ is_allow_privilege_escalation_field(container, pod) } else = {"value" : 0, "failed_path": "", - "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]), "value":"true"},{"path": sprintf("%v.securityContext.allowPrivilegeEscalation", [beggining_of_path]), "value":"false"}], + "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"},{"path": sprintf("%v.securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], "defined" : false } -get_allow_privilege_escalation(container, pod, beggining_of_path) = allowPrivilegeEscalation { - failed_path := sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [beggining_of_path]) +get_allow_privilege_escalation(container, pod, start_of_path) = allowPrivilegeEscalation { + failed_path := sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]) allowPrivilegeEscalation := {"value" : container.securityContext.allowPrivilegeEscalation, "failed_path" : failed_path, "fixPath": [],"defined" : true} } else = allowPrivilegeEscalation { - failed_path := sprintf("%v.securityContext.allowPrivilegeEscalation", [beggining_of_path]) + failed_path := sprintf("%v.securityContext.allowPrivilegeEscalation", [start_of_path]) allowPrivilegeEscalation := {"value" : pod.spec.securityContext.allowPrivilegeEscalation, "failed_path" : failed_path, "fixPath": [],"defined" : true} -} else = {"value" : true, "failed_path": "", "fixPath": [{"path": sprintf("%v.securityContext.allowPrivilegeEscalation", [beggining_of_path]), "value":"false"}], "defined" : false} +} else = {"value" : true, "failed_path": "", "fixPath": [{"path": sprintf("%v.securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], "defined" : false} choose_first_if_defined(l1, l2) = c { l1.defined diff --git a/rules/K8s common labels usage/raw.rego b/rules/K8s common labels usage/raw.rego index f5d103bd7..f1be99757 100644 --- a/rules/K8s common labels usage/raw.rego +++ b/rules/K8s common labels usage/raw.rego @@ -84,21 +84,21 @@ no_K8s_label_usage(wl, podSpec, beggining_of_pod_path) = path{ path := no_K8s_label_or_no_K8s_label_usage(wl, "") } -no_K8s_label_or_no_K8s_label_usage(wl, beggining_of_path) = path{ +no_K8s_label_or_no_K8s_label_usage(wl, start_of_path) = path{ not wl.metadata.labels - path = [{"path": sprintf("%vmetadata.labels", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}] } -no_K8s_label_or_no_K8s_label_usage(wl, beggining_of_path) = path{ +no_K8s_label_or_no_K8s_label_usage(wl, start_of_path) = path{ metadata := wl.metadata not metadata.labels - path = [{"path": sprintf("%vmetadata.labels", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}] } -no_K8s_label_or_no_K8s_label_usage(wl, beggining_of_path) = path{ +no_K8s_label_or_no_K8s_label_usage(wl, start_of_path) = path{ labels := wl.metadata.labels not all_kubernetes_labels(labels) - path = [{"path": sprintf("%vmetadata.labels", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}] } all_kubernetes_labels(labels){ diff --git a/rules/alert-any-hostpath/raw.rego b/rules/alert-any-hostpath/raw.rego index 49047a291..c3d50e25c 100644 --- a/rules/alert-any-hostpath/raw.rego +++ b/rules/alert-any-hostpath/raw.rego @@ -6,8 +6,8 @@ deny[msga] { pod.kind == "Pod" volumes := pod.spec.volumes volume := volumes[i] - beggining_of_path := "spec." - result := is_dangerous_volume(volume, beggining_of_path, i) + start_of_path := "spec." + result := is_dangerous_volume(volume, start_of_path, i) podname := pod.metadata.name @@ -31,8 +31,8 @@ deny[msga] { spec_template_spec_patterns[wl.kind] volumes := wl.spec.template.spec.volumes volume := volumes[i] - beggining_of_path := "spec.template.spec." - result := is_dangerous_volume(volume, beggining_of_path, i) + start_of_path := "spec.template.spec." + result := is_dangerous_volume(volume, start_of_path, i) msga := { @@ -54,8 +54,8 @@ deny[msga] { wl.kind == "CronJob" volumes := wl.spec.jobTemplate.spec.template.spec.volumes volume := volumes[i] - beggining_of_path := "spec.jobTemplate.spec.template.spec." - result := is_dangerous_volume(volume, beggining_of_path, i) + start_of_path := "spec.jobTemplate.spec.template.spec." + result := is_dangerous_volume(volume, start_of_path, i) msga := { "alertMessage": sprintf("%v: %v has: %v as hostPath volume", [wl.kind, wl.metadata.name, volume.name]), "packagename": "armo_builtins", @@ -69,7 +69,7 @@ deny[msga] { } } -is_dangerous_volume(volume, beggining_of_path, i) = path { +is_dangerous_volume(volume, start_of_path, i) = path { volume.hostPath.path - path = sprintf("%vvolumes[%v].hostPath.path", [beggining_of_path, format_int(i, 10)]) + path = sprintf("%vvolumes[%v].hostPath.path", [start_of_path, format_int(i, 10)]) } \ No newline at end of file diff --git a/rules/alert-mount-potential-credentials-paths/raw.rego b/rules/alert-mount-potential-credentials-paths/raw.rego index 04fcc13e0..f28c15776 100644 --- a/rules/alert-mount-potential-credentials-paths/raw.rego +++ b/rules/alert-mount-potential-credentials-paths/raw.rego @@ -9,8 +9,8 @@ deny[msga] { volumes_data := get_volumes(resources) volumes := volumes_data["volumes"] volume := volumes[i] - beggining_of_path := volumes_data["beggining_of_path"] - result := is_unsafe_paths(volume, beggining_of_path, provider,i) + start_of_path := volumes_data["start_of_path"] + result := is_unsafe_paths(volume, start_of_path, provider,i) msga := { "alertMessage": sprintf("%v: %v has: %v as volume with potential credentials access.", [resources.kind, resources.metadata.name, volume.name]), @@ -30,27 +30,27 @@ deny[msga] { get_volumes(resources) := result { resources_kinds := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} resources_kinds[resources.kind] - result = {"volumes": resources.spec.template.spec.volumes, "beggining_of_path": "spec.template.spec."} + result = {"volumes": resources.spec.template.spec.volumes, "start_of_path": "spec.template.spec."} } # get_volume - get resource volumes paths for "Pod" get_volumes(resources) := result { resources.kind == "Pod" - result = {"volumes": resources.spec.volumes, "beggining_of_path": "spec."} + result = {"volumes": resources.spec.volumes, "start_of_path": "spec."} } # get_volume - get resource volumes paths for "CronJob" get_volumes(resources) := result { resources.kind == "CronJob" - result = {"volumes": resources.spec.jobTemplate.spec.template.spec.volumes, "beggining_of_path": "spec.jobTemplate.spec.template.spec."} + result = {"volumes": resources.spec.jobTemplate.spec.template.spec.volumes, "start_of_path": "spec.jobTemplate.spec.template.spec."} } # is_unsafe_paths - looking for cloud provider (eks/gke/aks) paths that have the potential of accessing credentials -is_unsafe_paths(volume, beggining_of_path, provider, i) = result { +is_unsafe_paths(volume, start_of_path, provider, i) = result { unsafe := unsafe_paths(provider) unsafe[_] == fix_path(volume.hostPath.path) - result= sprintf("%vvolumes[%d].hostPath.path", [beggining_of_path, i]) + result= sprintf("%vvolumes[%d].hostPath.path", [start_of_path, i]) } diff --git a/rules/alert-rw-hostpath/raw.rego b/rules/alert-rw-hostpath/raw.rego index eeea414e8..ef936f214 100644 --- a/rules/alert-rw-hostpath/raw.rego +++ b/rules/alert-rw-hostpath/raw.rego @@ -11,8 +11,8 @@ deny[msga] { container := pod.spec.containers[i] volume_mount := container.volumeMounts[k] volume_mount.name == volume.name - beggining_of_path := "spec." - result := is_rw_mount(volume_mount, beggining_of_path, i, k) + start_of_path := "spec." + result := is_rw_mount(volume_mount, start_of_path, i, k) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) @@ -42,8 +42,8 @@ deny[msga] { container := wl.spec.template.spec.containers[i] volume_mount := container.volumeMounts[k] volume_mount.name == volume.name - beggining_of_path := "spec.template.spec." - result := is_rw_mount(volume_mount, beggining_of_path, i, k) + start_of_path := "spec.template.spec." + result := is_rw_mount(volume_mount, start_of_path, i, k) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) @@ -72,8 +72,8 @@ deny[msga] { container = wl.spec.jobTemplate.spec.template.spec.containers[i] volume_mount := container.volumeMounts[k] volume_mount.name == volume.name - beggining_of_path := "spec.jobTemplate.spec.template.spec." - result := is_rw_mount(volume_mount, beggining_of_path, i, k) + start_of_path := "spec.jobTemplate.spec.template.spec." + result := is_rw_mount(volume_mount, start_of_path, i, k) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) @@ -101,15 +101,15 @@ get_fixed_path(paths) = [paths[1]] { } else = [] -is_rw_mount(mount, beggining_of_path, i, k) = [failed_path, fix_path] { +is_rw_mount(mount, start_of_path, i, k) = [failed_path, fix_path] { not mount.readOnly == true not mount.readOnly == false failed_path = "" - fix_path = {"path": sprintf("%vcontainers[%v].volumeMounts[%v].readOnly", [beggining_of_path, format_int(i, 10), format_int(k, 10)]), "value":"true"} + fix_path = {"path": sprintf("%vcontainers[%v].volumeMounts[%v].readOnly", [start_of_path, format_int(i, 10), format_int(k, 10)]), "value":"true"} } -is_rw_mount(mount, beggining_of_path, i, k) = [failed_path, fix_path] { +is_rw_mount(mount, start_of_path, i, k) = [failed_path, fix_path] { mount.readOnly == false - failed_path = sprintf("%vcontainers[%v].volumeMounts[%v].readOnly", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) + failed_path = sprintf("%vcontainers[%v].volumeMounts[%v].readOnly", [start_of_path, format_int(i, 10), format_int(k, 10)]) fix_path = "" } \ No newline at end of file diff --git a/rules/automount-service-account/raw.rego b/rules/automount-service-account/raw.rego index 5a5d7a1a1..8b065df79 100644 --- a/rules/automount-service-account/raw.rego +++ b/rules/automount-service-account/raw.rego @@ -30,9 +30,9 @@ deny [msga]{ pod := input[_] pod.kind == "Pod" - beggining_of_path := "spec." + start_of_path := "spec." wl_namespace := pod.metadata.namespace - result := is_sa_auto_mounted(pod.spec, beggining_of_path, wl_namespace) + result := is_sa_auto_mounted(pod.spec, start_of_path, wl_namespace) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) @@ -54,10 +54,10 @@ deny[msga] { wl := input[_] spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} spec_template_spec_patterns[wl.kind] - beggining_of_path := "spec.template.spec." + start_of_path := "spec.template.spec." wl_namespace := wl.metadata.namespace - result := is_sa_auto_mounted(wl.spec.template.spec, beggining_of_path, wl_namespace) + result := is_sa_auto_mounted(wl.spec.template.spec, start_of_path, wl_namespace) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) @@ -79,10 +79,10 @@ deny[msga] { wl := input[_] wl.kind == "CronJob" container = wl.spec.jobTemplate.spec.template.spec.containers[i] - beggining_of_path := "spec.jobTemplate.spec.template.spec." + start_of_path := "spec.jobTemplate.spec.template.spec." wl_namespace := wl.metadata.namespace - result := is_sa_auto_mounted(wl.spec.jobTemplate.spec.template.spec, beggining_of_path, wl.metadata) + result := is_sa_auto_mounted(wl.spec.jobTemplate.spec.template.spec, start_of_path, wl.metadata) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) @@ -102,7 +102,7 @@ deny[msga] { # -- ---- For workloads -- ---- -is_sa_auto_mounted(spec, beggining_of_path, wl_metadata) = [failed_path, fix_path] { +is_sa_auto_mounted(spec, start_of_path, wl_metadata) = [failed_path, fix_path] { # automountServiceAccountToken not in pod spec not spec.automountServiceAccountToken == false not spec.automountServiceAccountToken == true @@ -114,7 +114,7 @@ is_sa_auto_mounted(spec, beggining_of_path, wl_metadata) = [failed_path, fix_pat not sa.automountServiceAccountToken == false # path is pod spec - fix_path = { "path": sprintf("%vautomountServiceAccountToken", [beggining_of_path]), "value": "false"} + fix_path = { "path": sprintf("%vautomountServiceAccountToken", [start_of_path]), "value": "false"} failed_path = "" } @@ -127,7 +127,7 @@ get_fixed_path(paths) = [paths[1]] { paths[1] != "" } else = [] -is_sa_auto_mounted(spec, beggining_of_path, wl_namespace) = [failed_path, fix_path] { +is_sa_auto_mounted(spec, start_of_path, wl_namespace) = [failed_path, fix_path] { # automountServiceAccountToken set to true in pod spec spec.automountServiceAccountToken == true @@ -139,18 +139,18 @@ is_sa_auto_mounted(spec, beggining_of_path, wl_namespace) = [failed_path, fix_p is_same_namespace(sa.metadata , wl_namespace) not sa.automountServiceAccountToken == false - failed_path = sprintf("%vautomountServiceAccountToken", [beggining_of_path]) + failed_path = sprintf("%vautomountServiceAccountToken", [start_of_path]) fix_path = "" } -is_sa_auto_mounted(spec, beggining_of_path, wl_namespace) = [failed_path, fix_path] { +is_sa_auto_mounted(spec, start_of_path, wl_namespace) = [failed_path, fix_path] { # automountServiceAccountToken set to true in pod spec spec.automountServiceAccountToken == true # No SA (yaml scan) service_accounts := [service_account | service_account = input[_]; service_account.kind == "ServiceAccount"] count(service_accounts) == 0 - failed_path = sprintf("%vautomountServiceAccountToken", [beggining_of_path]) + failed_path = sprintf("%vautomountServiceAccountToken", [start_of_path]) fix_path = "" } diff --git a/rules/container-hostPort/raw.rego b/rules/container-hostPort/raw.rego index 736e42ce9..5892b9520 100644 --- a/rules/container-hostPort/raw.rego +++ b/rules/container-hostPort/raw.rego @@ -6,8 +6,8 @@ deny[msga] { pod := input[_] pod.kind == "Pod" container := pod.spec.containers[i] - beggining_of_path := "spec." - path := is_host_port(container, i, beggining_of_path) + start_of_path := "spec." + path := is_host_port(container, i, start_of_path) msga := { "alertMessage": sprintf("Container: %v has Host-port", [ container.name]), "packagename": "armo_builtins", @@ -27,8 +27,8 @@ deny[msga] { spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} spec_template_spec_patterns[wl.kind] container := wl.spec.template.spec.containers[i] - beggining_of_path := "spec.template.spec." - path := is_host_port(container, i, beggining_of_path) + start_of_path := "spec.template.spec." + path := is_host_port(container, i, start_of_path) msga := { "alertMessage": sprintf("Container: %v in %v: %v has Host-port", [ container.name, wl.kind, wl.metadata.name]), "packagename": "armo_builtins", @@ -47,8 +47,8 @@ deny[msga] { wl := input[_] wl.kind == "CronJob" container = wl.spec.jobTemplate.spec.template.spec.containers[i] - beggining_of_path := "spec.jobTemplate.spec.template.spec." - path := is_host_port(container, i, beggining_of_path) + start_of_path := "spec.jobTemplate.spec.template.spec." + path := is_host_port(container, i, start_of_path) msga := { "alertMessage": sprintf("Container: %v in %v: %v has Host-port", [ container.name, wl.kind, wl.metadata.name]), "packagename": "armo_builtins", @@ -64,7 +64,7 @@ deny[msga] { -is_host_port(container, i, beggining_of_path) = path { - path = [sprintf("%vcontainers[%v].ports[%v].hostPort", [beggining_of_path, format_int(i, 10), format_int(j, 10)]) | port = container.ports[j]; port.hostPort] +is_host_port(container, i, start_of_path) = path { + path = [sprintf("%vcontainers[%v].ports[%v].hostPort", [start_of_path, format_int(i, 10), format_int(j, 10)]) | port = container.ports[j]; port.hostPort] count(path) > 0 } diff --git a/rules/immutable-container-filesystem/raw.rego b/rules/immutable-container-filesystem/raw.rego index f6fe8a320..6f2d9aaff 100644 --- a/rules/immutable-container-filesystem/raw.rego +++ b/rules/immutable-container-filesystem/raw.rego @@ -6,8 +6,8 @@ deny[msga] { pod := input[_] pod.kind == "Pod" container := pod.spec.containers[i] - beggining_of_path := "spec." - result := is_mutable_filesystem(container, beggining_of_path, i) + start_of_path := "spec." + result := is_mutable_filesystem(container, start_of_path, i) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) msga := { @@ -28,8 +28,8 @@ deny[msga] { spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} spec_template_spec_patterns[wl.kind] container := wl.spec.template.spec.containers[i] - beggining_of_path := "spec.template.spec." - result := is_mutable_filesystem(container, beggining_of_path, i) + start_of_path := "spec.template.spec." + result := is_mutable_filesystem(container, start_of_path, i) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) msga := { @@ -50,8 +50,8 @@ deny[msga] { wl := input[_] wl.kind == "CronJob" container = wl.spec.jobTemplate.spec.template.spec.containers[i] - beggining_of_path := "spec.jobTemplate.spec.template.spec." - result := is_mutable_filesystem(container, beggining_of_path, i) + start_of_path := "spec.jobTemplate.spec.template.spec." + result := is_mutable_filesystem(container, start_of_path, i) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) @@ -68,16 +68,16 @@ deny[msga] { } # Default of readOnlyRootFilesystem is false. This field is only in container spec and not pod spec -is_mutable_filesystem(container, beggining_of_path, i) = [failed_path, fixPath] { +is_mutable_filesystem(container, start_of_path, i) = [failed_path, fixPath] { container.securityContext.readOnlyRootFilesystem == false - failed_path = sprintf("%vcontainers[%v].securityContext.readOnlyRootFilesystem", [beggining_of_path, format_int(i, 10)]) + failed_path = sprintf("%vcontainers[%v].securityContext.readOnlyRootFilesystem", [start_of_path, format_int(i, 10)]) fixPath = "" } - is_mutable_filesystem(container, beggining_of_path, i) = [failed_path, fixPath] { + is_mutable_filesystem(container, start_of_path, i) = [failed_path, fixPath] { not container.securityContext.readOnlyRootFilesystem == false not container.securityContext.readOnlyRootFilesystem == true - fixPath = {"path": sprintf("%vcontainers[%v].securityContext.readOnlyRootFilesystem", [beggining_of_path, format_int(i, 10)]), "value": "true"} + fixPath = {"path": sprintf("%vcontainers[%v].securityContext.readOnlyRootFilesystem", [start_of_path, format_int(i, 10)]), "value": "true"} failed_path = "" } diff --git a/rules/insecure-capabilities/raw.rego b/rules/insecure-capabilities/raw.rego index c7e07f372..ed946ce7f 100644 --- a/rules/insecure-capabilities/raw.rego +++ b/rules/insecure-capabilities/raw.rego @@ -6,8 +6,8 @@ deny[msga] { pod := input[_] pod.kind == "Pod" container := pod.spec.containers[i] - beggining_of_path := "spec." - result := is_dangerous_capabilities(container, beggining_of_path, i) + start_of_path := "spec." + result := is_dangerous_capabilities(container, start_of_path, i) msga := { "alertMessage": sprintf("container: %v in pod: %v have dangerous capabilities", [container.name, pod.metadata.name]), "packagename": "armo_builtins", @@ -26,8 +26,8 @@ deny[msga] { spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} spec_template_spec_patterns[wl.kind] container := wl.spec.template.spec.containers[i] - beggining_of_path := "spec.template.spec." - result := is_dangerous_capabilities(container, beggining_of_path, i) + start_of_path := "spec.template.spec." + result := is_dangerous_capabilities(container, start_of_path, i) msga := { "alertMessage": sprintf("container: %v in workload: %v have dangerous capabilities", [container.name, wl.metadata.name]), "packagename": "armo_builtins", @@ -45,8 +45,8 @@ deny[msga] { wl := input[_] wl.kind == "CronJob" container := wl.spec.jobTemplate.spec.template.spec.containers[i] - beggining_of_path := "spec.jobTemplate.spec.template.spec." - result := is_dangerous_capabilities(container, beggining_of_path, i) + start_of_path := "spec.jobTemplate.spec.template.spec." + result := is_dangerous_capabilities(container, start_of_path, i) msga := { "alertMessage": sprintf("container: %v in cronjob: %v have dangerous capabilities", [container.name, wl.metadata.name]), "packagename": "armo_builtins", @@ -60,9 +60,9 @@ deny[msga] { } } -is_dangerous_capabilities(container, beggining_of_path, i) = path { +is_dangerous_capabilities(container, start_of_path, i) = path { # see default-config-inputs.json for list values insecureCapabilities := data.postureControlInputs.insecureCapabilities - path = [sprintf("%vcontainers[%v].securityContext.capabilities.add[%v]", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) | capability = container.securityContext.capabilities.add[k]; cautils.list_contains(insecureCapabilities, capability)] + path = [sprintf("%vcontainers[%v].securityContext.capabilities.add[%v]", [start_of_path, format_int(i, 10), format_int(k, 10)]) | capability = container.securityContext.capabilities.add[k]; cautils.list_contains(insecureCapabilities, capability)] count(path) > 0 } \ No newline at end of file diff --git a/rules/label-usage-for-resources/raw.rego b/rules/label-usage-for-resources/raw.rego index 464c704cd..8c8223711 100644 --- a/rules/label-usage-for-resources/raw.rego +++ b/rules/label-usage-for-resources/raw.rego @@ -82,21 +82,21 @@ no_label_usage(wl, podSpec, beggining_of_pod_path) = path{ path := no_label_or_no_label_usage(wl, "") } -no_label_or_no_label_usage(wl, beggining_of_path) = path{ +no_label_or_no_label_usage(wl, start_of_path) = path{ not wl.metadata - path = [{"path": sprintf("%vmetadata.labels", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}] } -no_label_or_no_label_usage(wl, beggining_of_path) = path{ +no_label_or_no_label_usage(wl, start_of_path) = path{ metadata := wl.metadata not metadata.labels - path = [{"path": sprintf("%vmetadata.labels", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}] } -no_label_or_no_label_usage(wl, beggining_of_path) = path{ +no_label_or_no_label_usage(wl, start_of_path) = path{ labels := wl.metadata.labels not is_desired_label(labels) - path = [{"path": sprintf("%vmetadata.labels", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}] } is_desired_label(labels) { diff --git a/rules/non-root-containers/raw.rego b/rules/non-root-containers/raw.rego index 8d2b0aaae..0e6095d2b 100644 --- a/rules/non-root-containers/raw.rego +++ b/rules/non-root-containers/raw.rego @@ -8,8 +8,8 @@ deny[msga] { pod.kind == "Pod" container := pod.spec.containers[i] - beggining_of_path := "spec" - alertInfo := evaluate_workload_non_root_container(container, pod, beggining_of_path) + start_of_path := "spec" + alertInfo := evaluate_workload_non_root_container(container, pod, start_of_path) fixPath := get_fixed_path(alertInfo, i) failed_path := get_failed_path(alertInfo, i) @@ -32,8 +32,8 @@ deny[msga] { spec_template_spec_patterns[wl.kind] container := wl.spec.template.spec.containers[i] - beggining_of_path := "spec.template.spec" - alertInfo := evaluate_workload_non_root_container(container, wl.spec.template, beggining_of_path) + start_of_path := "spec.template.spec" + alertInfo := evaluate_workload_non_root_container(container, wl.spec.template, start_of_path) fixPath := get_fixed_path(alertInfo, i) failed_path := get_failed_path(alertInfo, i) msga := { @@ -54,8 +54,8 @@ deny[msga] { wl.kind == "CronJob" container = wl.spec.jobTemplate.spec.template.spec.containers[i] - beggining_of_path := "spec.jobTemplate.spec.template.spec" - alertInfo := evaluate_workload_non_root_container(container, wl.spec.jobTemplate.spec.template, beggining_of_path) + start_of_path := "spec.jobTemplate.spec.template.spec" + alertInfo := evaluate_workload_non_root_container(container, wl.spec.jobTemplate.spec.template, start_of_path) fixPath := get_fixed_path(alertInfo, i) failed_path := get_failed_path(alertInfo, i) @@ -86,16 +86,16 @@ get_fixed_path(alertInfo, i) = [{"path":replace(alertInfo.fixPath[0].path,"conta ################################################################################# # Workload evaluation -evaluate_workload_non_root_container(container, pod, beggining_of_path) = alertInfo { - runAsNonRootValue := get_run_as_non_root_value(container, pod, beggining_of_path) +evaluate_workload_non_root_container(container, pod, start_of_path) = alertInfo { + runAsNonRootValue := get_run_as_non_root_value(container, pod, start_of_path) runAsNonRootValue.value == false - runAsUserValue := get_run_as_user_value(container, pod, beggining_of_path) + runAsUserValue := get_run_as_user_value(container, pod, start_of_path) runAsUserValue.value == 0 alertInfo := choose_first_if_defined(runAsUserValue, runAsNonRootValue) } else = alertInfo { - allowPrivilegeEscalationValue := get_allow_privilege_escalation(container, pod, beggining_of_path) + allowPrivilegeEscalationValue := get_allow_privilege_escalation(container, pod, start_of_path) allowPrivilegeEscalationValue.value == true alertInfo := allowPrivilegeEscalationValue @@ -106,48 +106,48 @@ evaluate_workload_non_root_container(container, pod, beggining_of_path) = alertI # Value resolution functions -get_run_as_non_root_value(container, pod, beggining_of_path) = runAsNonRoot { - failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]) +get_run_as_non_root_value(container, pod, start_of_path) = runAsNonRoot { + failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]) runAsNonRoot := {"value" : container.securityContext.runAsNonRoot, "failed_path" : failed_path, "fixPath": [] ,"defined" : true} } else = runAsNonRoot { - failed_path := sprintf("%v.securityContext.runAsNonRoot", [beggining_of_path]) + failed_path := sprintf("%v.securityContext.runAsNonRoot", [start_of_path]) runAsNonRoot := {"value" : pod.spec.securityContext.runAsNonRoot, "failed_path" : failed_path, "fixPath": [], "defined" : true} -} else = {"value" : false, "failed_path" : "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]), "value":"true"}], "defined" : false} { +} else = {"value" : false, "failed_path" : "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}], "defined" : false} { is_allow_privilege_escalation_field(container, pod) -} else = {"value" : false, "failed_path" : "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]) , "value":"true"}, {"path":sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [beggining_of_path]), "value":"false"}], "defined" : false} +} else = {"value" : false, "failed_path" : "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]) , "value":"true"}, {"path":sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], "defined" : false} -get_run_as_user_value(container, pod, beggining_of_path) = runAsUser { - failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [beggining_of_path]) +get_run_as_user_value(container, pod, start_of_path) = runAsUser { + failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [start_of_path]) runAsUser := {"value" : container.securityContext.runAsUser, "failed_path" : failed_path, "fixPath": [], "defined" : true} } else = runAsUser { - failed_path := sprintf("%v.securityContext.runAsUser", [beggining_of_path]) + failed_path := sprintf("%v.securityContext.runAsUser", [start_of_path]) runAsUser := {"value" : pod.spec.securityContext.runAsUser, "failed_path" : failed_path, "fixPath": [],"defined" : true} -} else = {"value" : 0, "failed_path": "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]), "value":"true"}],"defined" : false}{ +} else = {"value" : 0, "failed_path": "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}],"defined" : false}{ is_allow_privilege_escalation_field(container, pod) } else = {"value" : 0, "failed_path": "", - "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]), "value":"true"},{"path": sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [beggining_of_path]), "value":"false"}], + "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"},{"path": sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], "defined" : false} -get_run_as_group_value(container, pod, beggining_of_path) = runAsGroup { - failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [beggining_of_path]) +get_run_as_group_value(container, pod, start_of_path) = runAsGroup { + failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [start_of_path]) runAsGroup := {"value" : container.securityContext.runAsGroup, "failed_path" : failed_path, "fixPath": [],"defined" : true} } else = runAsGroup { - failed_path := sprintf("%v.securityContext.runAsGroup", [beggining_of_path]) + failed_path := sprintf("%v.securityContext.runAsGroup", [start_of_path]) runAsGroup := {"value" : pod.spec.securityContext.runAsGroup, "failed_path" : failed_path, "fixPath":[], "defined" : true} -} else = {"value" : 0, "failed_path": "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]), "value":"true"}], "defined" : false}{ +} else = {"value" : 0, "failed_path": "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}], "defined" : false}{ is_allow_privilege_escalation_field(container, pod) } else = {"value" : 0, "failed_path": "", - "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]), "value":"true"},{"path": sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [beggining_of_path]), "value":"false"}], + "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"},{"path": sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], "defined" : false } -get_allow_privilege_escalation(container, pod, beggining_of_path) = allowPrivilegeEscalation { - failed_path := sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [beggining_of_path]) +get_allow_privilege_escalation(container, pod, start_of_path) = allowPrivilegeEscalation { + failed_path := sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]) allowPrivilegeEscalation := {"value" : container.securityContext.allowPrivilegeEscalation, "failed_path" : failed_path, "fixPath": [],"defined" : true} } else = allowPrivilegeEscalation { - failed_path := sprintf("%v.securityContext.allowPrivilegeEscalation", [beggining_of_path]) + failed_path := sprintf("%v.securityContext.allowPrivilegeEscalation", [start_of_path]) allowPrivilegeEscalation := {"value" : pod.spec.securityContext.allowPrivilegeEscalation, "failed_path" : failed_path, "fixPath": [],"defined" : true} -} else = {"value" : true, "failed_path": "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [beggining_of_path]), "value":"false"}], "defined" : false} +} else = {"value" : true, "failed_path": "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], "defined" : false} choose_first_if_defined(l1, l2) = c { l1.defined diff --git a/rules/resource-policies/raw.rego b/rules/resource-policies/raw.rego index 8b0e52c4e..b7859719e 100644 --- a/rules/resource-policies/raw.rego +++ b/rules/resource-policies/raw.rego @@ -8,8 +8,8 @@ deny[msga] { container := pod.spec.containers[i] - beggining_of_path := "spec." - fixPath := is_no_cpu_and_memory_limits_defined(container, beggining_of_path, i) + start_of_path := "spec." + fixPath := is_no_cpu_and_memory_limits_defined(container, start_of_path, i) msga := { @@ -34,8 +34,8 @@ deny[msga] { spec_template_spec_patterns[wl.kind] container := wl.spec.template.spec.containers[i] - beggining_of_path := "spec.template.spec." - fixPath := is_no_cpu_and_memory_limits_defined(container, beggining_of_path, i) + start_of_path := "spec.template.spec." + fixPath := is_no_cpu_and_memory_limits_defined(container, start_of_path, i) @@ -60,8 +60,8 @@ deny [msga] { wl.kind == "CronJob" container := wl.spec.jobTemplate.spec.template.spec.containers[i] - beggining_of_path := "spec.jobTemplate.spec.template.spec." - fixPath := is_no_cpu_and_memory_limits_defined(container, beggining_of_path, i) + start_of_path := "spec.jobTemplate.spec.template.spec." + fixPath := is_no_cpu_and_memory_limits_defined(container, start_of_path, i) msga := { "alertMessage": sprintf("there are no cpu and memory limits defined for container : %v", [container.name]), @@ -76,31 +76,31 @@ deny [msga] { } # no limits at all -is_no_cpu_and_memory_limits_defined(container, beggining_of_path, i) = fixPath { +is_no_cpu_and_memory_limits_defined(container, start_of_path, i) = fixPath { not container.resources.limits - fixPath = [{"path": sprintf("%vcontainers[%v].resources.limits.cpu", [beggining_of_path, format_int(i, 10)]), "value":"YOUR_VALUE"}, {"path": sprintf("%vcontainers[%v].resources.limits.memory", [beggining_of_path, format_int(i, 10)]), "value":"YOUR_VALUE"}] + fixPath = [{"path": sprintf("%vcontainers[%v].resources.limits.cpu", [start_of_path, format_int(i, 10)]), "value":"YOUR_VALUE"}, {"path": sprintf("%vcontainers[%v].resources.limits.memory", [start_of_path, format_int(i, 10)]), "value":"YOUR_VALUE"}] } # only memory limit -is_no_cpu_and_memory_limits_defined(container, beggining_of_path, i) = fixPath { +is_no_cpu_and_memory_limits_defined(container, start_of_path, i) = fixPath { container.resources.limits not container.resources.limits.cpu container.resources.limits.memory - fixPath = [{"path": sprintf("%vcontainers[%v].resources.limits.cpu", [beggining_of_path, format_int(i, 10)]), "value":"YOUR_VALUE"}] + fixPath = [{"path": sprintf("%vcontainers[%v].resources.limits.cpu", [start_of_path, format_int(i, 10)]), "value":"YOUR_VALUE"}] } # only cpu limit -is_no_cpu_and_memory_limits_defined(container, beggining_of_path, i) =fixPath { +is_no_cpu_and_memory_limits_defined(container, start_of_path, i) =fixPath { container.resources.limits not container.resources.limits.memory container.resources.limits.cpu - fixPath = [{"path": sprintf("%vcontainers[%v].resources.limits.memory", [beggining_of_path, format_int(i, 10)]), "value":"YOUR_VALUE"}] + fixPath = [{"path": sprintf("%vcontainers[%v].resources.limits.memory", [start_of_path, format_int(i, 10)]), "value":"YOUR_VALUE"}] failed_path = "" } # limits but without capu and memory -is_no_cpu_and_memory_limits_defined(container, beggining_of_path, i) = fixPath { +is_no_cpu_and_memory_limits_defined(container, start_of_path, i) = fixPath { container.resources.limits not container.resources.limits.memory not container.resources.limits.cpu - fixPath = [{"path": sprintf("%vcontainers[%v].resources.limits.cpu", [beggining_of_path, format_int(i, 10)]), "value":"YOUR_VALUE"}, {"path": sprintf("%vcontainers[%v].resources.limits.memory", [beggining_of_path, format_int(i, 10)]), "value":"YOUR_VALUE"}] + fixPath = [{"path": sprintf("%vcontainers[%v].resources.limits.cpu", [start_of_path, format_int(i, 10)]), "value":"YOUR_VALUE"}, {"path": sprintf("%vcontainers[%v].resources.limits.memory", [start_of_path, format_int(i, 10)]), "value":"YOUR_VALUE"}] } \ No newline at end of file diff --git a/rules/rule-allow-privilege-escalation/raw.rego b/rules/rule-allow-privilege-escalation/raw.rego index 535b34089..ae03f9313 100644 --- a/rules/rule-allow-privilege-escalation/raw.rego +++ b/rules/rule-allow-privilege-escalation/raw.rego @@ -6,8 +6,8 @@ deny[msga] { pod := input[_] pod.kind == "Pod" container := pod.spec.containers[i] - beggining_of_path := "spec." - result := is_allow_privilege_escalation_container(container, i, beggining_of_path) + start_of_path := "spec." + result := is_allow_privilege_escalation_container(container, i, start_of_path) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) @@ -30,8 +30,8 @@ deny[msga] { spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} spec_template_spec_patterns[wl.kind] container := wl.spec.template.spec.containers[i] - beggining_of_path := "spec.template.spec." - result := is_allow_privilege_escalation_container(container, i, beggining_of_path) + start_of_path := "spec.template.spec." + result := is_allow_privilege_escalation_container(container, i, start_of_path) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) @@ -53,8 +53,8 @@ deny[msga] { wl := input[_] wl.kind == "CronJob" container = wl.spec.jobTemplate.spec.template.spec.containers[i] - beggining_of_path := "spec.jobTemplate.spec.template.spec." - result := is_allow_privilege_escalation_container(container, i, beggining_of_path) + start_of_path := "spec.jobTemplate.spec.template.spec." + result := is_allow_privilege_escalation_container(container, i, start_of_path) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) @@ -72,16 +72,16 @@ deny[msga] { -is_allow_privilege_escalation_container(container, i, beggining_of_path) = [failed_path, fixPath] { +is_allow_privilege_escalation_container(container, i, start_of_path) = [failed_path, fixPath] { not container.securityContext.allowPrivilegeEscalation == false not container.securityContext.allowPrivilegeEscalation == true psps := [psp | psp= input[_]; psp.kind == "PodSecurityPolicy"] count(psps) == 0 failed_path = "" - fixPath = {"path": sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [beggining_of_path, format_int(i, 10)]), "value":"false"} + fixPath = {"path": sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, format_int(i, 10)]), "value":"false"} } -is_allow_privilege_escalation_container(container, i, beggining_of_path) = [failed_path, fixPath] { +is_allow_privilege_escalation_container(container, i, start_of_path) = [failed_path, fixPath] { not container.securityContext.allowPrivilegeEscalation == false not container.securityContext.allowPrivilegeEscalation == true psps := [psp | psp= input[_]; psp.kind == "PodSecurityPolicy"] @@ -89,26 +89,26 @@ is_allow_privilege_escalation_container(container, i, beggining_of_path) = [fail psp := psps[_] not psp.spec.allowPrivilegeEscalation == false failed_path = "" - fixPath = {"path": sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [beggining_of_path, format_int(i, 10)]), "value":"false"} + fixPath = {"path": sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, format_int(i, 10)]), "value":"false"} } -is_allow_privilege_escalation_container(container, i, beggining_of_path) = [failed_path, fixPath] { +is_allow_privilege_escalation_container(container, i, start_of_path) = [failed_path, fixPath] { container.securityContext.allowPrivilegeEscalation == true psps := [psp | psp= input[_]; psp.kind == "PodSecurityPolicy"] count(psps) == 0 fixPath = "" - failed_path = sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [beggining_of_path, format_int(i, 10)]) + failed_path = sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, format_int(i, 10)]) } -is_allow_privilege_escalation_container(container, i, beggining_of_path)= [failed_path, fixPath] { +is_allow_privilege_escalation_container(container, i, start_of_path)= [failed_path, fixPath] { container.securityContext.allowPrivilegeEscalation == true psps := [psp | psp= input[_]; psp.kind == "PodSecurityPolicy"] count(psps) > 0 psp := psps[_] not psp.spec.allowPrivilegeEscalation == false fixPath = "" - failed_path = sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [beggining_of_path, format_int(i, 10)]) + failed_path = sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, format_int(i, 10)]) } get_failed_path(paths) = [paths[0]] { diff --git a/rules/rule-privileged-container/raw.rego b/rules/rule-privileged-container/raw.rego index c4bc81609..efb0fe18b 100644 --- a/rules/rule-privileged-container/raw.rego +++ b/rules/rule-privileged-container/raw.rego @@ -8,8 +8,8 @@ deny[msga] { pod := input[_] pod.kind == "Pod" container := pod.spec.containers[i] - beggining_of_path := "spec." - path := isPrivilegedContainer(container, i, beggining_of_path) + start_of_path := "spec." + path := isPrivilegedContainer(container, i, start_of_path) msga := { "alertMessage": sprintf("the following pods are defined as privileged: %v", [pod.metadata.name]), @@ -30,8 +30,8 @@ deny[msga] { spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} spec_template_spec_patterns[wl.kind] container := wl.spec.template.spec.containers[i] - beggining_of_path := "spec.template.spec." - path := isPrivilegedContainer(container, i, beggining_of_path) + start_of_path := "spec.template.spec." + path := isPrivilegedContainer(container, i, start_of_path) msga := { "alertMessage": sprintf("%v: %v is defined as privileged:", [wl.kind, wl.metadata.name]), @@ -50,8 +50,8 @@ deny[msga] { wl := input[_] wl.kind == "CronJob" container := wl.spec.jobTemplate.spec.template.spec.containers[i] - beggining_of_path := "spec.jobTemplate.spec.template.spec." - path := isPrivilegedContainer(container, i, beggining_of_path) + start_of_path := "spec.jobTemplate.spec.template.spec." + path := isPrivilegedContainer(container, i, start_of_path) msga := { "alertMessage": sprintf("the following cronjobs are defined as privileged: %v", [wl.metadata.name]), @@ -67,24 +67,24 @@ deny[msga] { # Only SYS_ADMIN capabilite -isPrivilegedContainer(container, i, beggining_of_path) = path { +isPrivilegedContainer(container, i, start_of_path) = path { not container.securityContext.privileged == true - path = [sprintf("%vcontainers[%v].securityContext.capabilities.add[%v]", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) | capabilite = container.securityContext.capabilities.add[k]; capabilite == "SYS_ADMIN"] + path = [sprintf("%vcontainers[%v].securityContext.capabilities.add[%v]", [start_of_path, format_int(i, 10), format_int(k, 10)]) | capabilite = container.securityContext.capabilities.add[k]; capabilite == "SYS_ADMIN"] count(path) > 0 } # Only securityContext.privileged == true -isPrivilegedContainer(container, i, beggining_of_path) = path { +isPrivilegedContainer(container, i, start_of_path) = path { container.securityContext.privileged == true - path1 = [sprintf("%vcontainers[%v].securityContext.capabilities.add[%v]", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) | capabilite = container.securityContext.capabilities.add[k]; capabilite == "SYS_ADMIN"] + path1 = [sprintf("%vcontainers[%v].securityContext.capabilities.add[%v]", [start_of_path, format_int(i, 10), format_int(k, 10)]) | capabilite = container.securityContext.capabilities.add[k]; capabilite == "SYS_ADMIN"] count(path1) < 1 - path = [sprintf("%vcontainers[%v].securityContext.privileged", [beggining_of_path, format_int(i, 10)])] + path = [sprintf("%vcontainers[%v].securityContext.privileged", [start_of_path, format_int(i, 10)])] } # SYS_ADMIN capabilite && securityContext.privileged == true -isPrivilegedContainer(container, i, beggining_of_path) = path { - path1 = [sprintf("%vcontainers[%v].securityContext.capabilities.add[%v]", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) | capabilite = container.securityContext.capabilities.add[k]; capabilite == "SYS_ADMIN"] +isPrivilegedContainer(container, i, start_of_path) = path { + path1 = [sprintf("%vcontainers[%v].securityContext.capabilities.add[%v]", [start_of_path, format_int(i, 10), format_int(k, 10)]) | capabilite = container.securityContext.capabilities.add[k]; capabilite == "SYS_ADMIN"] count(path1) > 0 container.securityContext.privileged == true - path = array.concat(path1, [sprintf("%vcontainers[%v].securityContext.privileged", [beggining_of_path, format_int(i, 10)])]) + path = array.concat(path1, [sprintf("%vcontainers[%v].securityContext.privileged", [start_of_path, format_int(i, 10)])]) } \ No newline at end of file diff --git a/rules/serviceaccount-token-mount/filter.rego b/rules/serviceaccount-token-mount/filter.rego index 86fd95247..a0037a65d 100644 --- a/rules/serviceaccount-token-mount/filter.rego +++ b/rules/serviceaccount-token-mount/filter.rego @@ -2,7 +2,7 @@ package armo_builtins deny[msga] { wl := input[_] - beggining_of_path := get_beginning_of_path(wl) + start_of_path := get_beginning_of_path(wl) msga := { "alertMessage": sprintf("%v: %v in the following namespace: %v mounts service account tokens by default", [wl.kind, wl.metadata.name, wl.metadata.namespace]), @@ -15,18 +15,18 @@ deny[msga] { } -get_beginning_of_path(workload) = beggining_of_path { +get_beginning_of_path(workload) = start_of_path { spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} spec_template_spec_patterns[workload.kind] - beggining_of_path := ["spec", "template", "spec"] + start_of_path := ["spec", "template", "spec"] } -get_beginning_of_path(workload) = beggining_of_path { +get_beginning_of_path(workload) = start_of_path { workload.kind == "Pod" - beggining_of_path := ["spec"] + start_of_path := ["spec"] } -get_beginning_of_path(workload) = beggining_of_path { +get_beginning_of_path(workload) = start_of_path { workload.kind == "CronJob" - beggining_of_path := ["spec", "jobTemplate", "spec", "template", "spec"] + start_of_path := ["spec", "jobTemplate", "spec", "template", "spec"] } \ No newline at end of file diff --git a/rules/serviceaccount-token-mount/raw.rego b/rules/serviceaccount-token-mount/raw.rego index 69b028120..e8d4f2977 100644 --- a/rules/serviceaccount-token-mount/raw.rego +++ b/rules/serviceaccount-token-mount/raw.rego @@ -2,15 +2,15 @@ package armo_builtins deny[msga] { wl := input[_] - beggining_of_path := get_beginning_of_path(wl) - spec := object.get(wl, beggining_of_path, []) + start_of_path := get_beginning_of_path(wl) + spec := object.get(wl, start_of_path, []) sa := input[_] sa.kind == "ServiceAccount" is_same_sa(spec, sa.metadata.name) is_same_namespace(sa.metadata , wl.metadata) has_service_account_binding(sa) - result := is_sa_auto_mounted_and_bound(spec, beggining_of_path, sa) + result := is_sa_auto_mounted_and_bound(spec, start_of_path, sa) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) @@ -31,40 +31,40 @@ deny[msga] { } -get_beginning_of_path(workload) = beggining_of_path { +get_beginning_of_path(workload) = start_of_path { spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} spec_template_spec_patterns[workload.kind] - beggining_of_path := ["spec", "template", "spec"] + start_of_path := ["spec", "template", "spec"] } -get_beginning_of_path(workload) = beggining_of_path { +get_beginning_of_path(workload) = start_of_path { workload.kind == "Pod" - beggining_of_path := ["spec"] + start_of_path := ["spec"] } -get_beginning_of_path(workload) = beggining_of_path { +get_beginning_of_path(workload) = start_of_path { workload.kind == "CronJob" - beggining_of_path := ["spec", "jobTemplate", "spec", "template", "spec"] + start_of_path := ["spec", "jobTemplate", "spec", "template", "spec"] } # -- ---- For workloads -- ---- -is_sa_auto_mounted_and_bound(spec, beggining_of_path, sa) = [failed_path, fix_path] { +is_sa_auto_mounted_and_bound(spec, start_of_path, sa) = [failed_path, fix_path] { # automountServiceAccountToken not in pod spec not spec.automountServiceAccountToken == false not spec.automountServiceAccountToken == true not sa.automountServiceAccountToken == false - fix_path = { "path": sprintf("%v.automountServiceAccountToken", [concat(".", beggining_of_path)]), "value": "false"} + fix_path = { "path": sprintf("%v.automountServiceAccountToken", [concat(".", start_of_path)]), "value": "false"} failed_path = "" } -is_sa_auto_mounted_and_bound(spec, beggining_of_path, sa) = [failed_path, fix_path] { +is_sa_auto_mounted_and_bound(spec, start_of_path, sa) = [failed_path, fix_path] { # automountServiceAccountToken set to true in pod spec spec.automountServiceAccountToken == true - failed_path = sprintf("%v.automountServiceAccountToken", [concat(".", beggining_of_path)]) + failed_path = sprintf("%v.automountServiceAccountToken", [concat(".", start_of_path)]) fix_path = "" } diff --git a/rules/sudo-in-container-entrypoint/raw.rego b/rules/sudo-in-container-entrypoint/raw.rego index 7d3fc08bf..70f14869c 100644 --- a/rules/sudo-in-container-entrypoint/raw.rego +++ b/rules/sudo-in-container-entrypoint/raw.rego @@ -5,8 +5,8 @@ deny[msga] { pod := input[_] pod.kind == "Pod" container := pod.spec.containers[i] - beggining_of_path := "spec." - result := is_sudo_entrypoint(container, beggining_of_path, i) + start_of_path := "spec." + result := is_sudo_entrypoint(container, start_of_path, i) msga := { "alertMessage": sprintf("container: %v in pod: %v have sudo in entrypoint", [container.name, pod.metadata.name]), "packagename": "armo_builtins", @@ -24,8 +24,8 @@ deny[msga] { spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} spec_template_spec_patterns[wl.kind] container := wl.spec.template.spec.containers[i] - beggining_of_path := "spec.template.spec." - result := is_sudo_entrypoint(container, beggining_of_path, i) + start_of_path := "spec.template.spec." + result := is_sudo_entrypoint(container, start_of_path, i) msga := { "alertMessage": sprintf("container: %v in %v: %v have sudo in entrypoint", [container.name, wl.kind, wl.metadata.name]), "packagename": "armo_builtins", @@ -42,8 +42,8 @@ deny[msga] { wl := input[_] wl.kind == "CronJob" container := wl.spec.jobTemplate.spec.template.spec.containers[i] - beggining_of_path := "spec.jobTemplate.spec.template.spec." - result := is_sudo_entrypoint(container, beggining_of_path, i) + start_of_path := "spec.jobTemplate.spec.template.spec." + result := is_sudo_entrypoint(container, start_of_path, i) msga := { "alertMessage": sprintf("container: %v in cronjob: %v have sudo in entrypoint", [container.name, wl.metadata.name]), "packagename": "armo_builtins", @@ -56,7 +56,7 @@ deny[msga] { } } -is_sudo_entrypoint(container, beggining_of_path, i) = path { - path = [sprintf("%vcontainers[%v].command[%v]", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) | command = container.command[k]; contains(command, "sudo")] +is_sudo_entrypoint(container, start_of_path, i) = path { + path = [sprintf("%vcontainers[%v].command[%v]", [start_of_path, format_int(i, 10), format_int(k, 10)]) | command = container.command[k]; contains(command, "sudo")] count(path) > 0 } From f1cf9c1cb69e3fbc8d4e8f71357419096ae19ee5 Mon Sep 17 00:00:00 2001 From: Meital Rudnitsky <66885688+itsmeital@users.noreply.github.com> Date: Mon, 9 Oct 2023 14:39:16 +0300 Subject: [PATCH 2/2] Add .YOUR_KEY to C-0077 & C-0076 (#514) * add .YOUR_KEY to C-0077 & C-0076 Signed-off-by: Meital Rudnitsky * fix tests Signed-off-by: Meital Rudnitsky * fix rule naming convention Signed-off-by: Meital Rudnitsky * use 1st value of recommended labels for label key Signed-off-by: Meital Rudnitsky * fix test Signed-off-by: Meital Rudnitsky * fix rules Signed-off-by: Meital Rudnitsky * fix Signed-off-by: Meital Rudnitsky --------- Signed-off-by: Meital Rudnitsky --- ControlID_RuleName.csv | 2 +- controls/C-0077-k8scommonlabelsusage.json | 2 +- .../raw.rego | 16 +++++++++++++--- .../rule.metadata.json | 2 +- .../test/cronjob/data.json | 8 ++++++++ .../test/cronjob/expected.json | 2 +- .../test/cronjob/input/cronjob.yaml | 0 rules/k8s-common-labels-usage/test/pod/data.json | 5 +++++ .../test/pod/expected.json | 2 +- .../test/pod/input/pod.yaml | 0 .../test/workload-fail/data.json | 8 ++++++++ .../test/workload-fail/expected.json | 2 +- .../test/workload-fail/input/deployment.yaml | 0 .../test/workload/expected.json | 0 .../test/workload/input/deployment.yaml | 0 rules/label-usage-for-resources/raw.rego | 15 ++++++++++++--- .../test/cronjob/data.json | 5 +++++ .../test/cronjob/expected.json | 4 ++-- .../label-usage-for-resources/test/pod/data.json | 8 ++++++++ .../test/pod/expected.json | 2 +- .../test/workload-fail/data.json | 8 ++++++++ .../test/workload-fail/expected.json | 2 +- 22 files changed, 77 insertions(+), 16 deletions(-) rename rules/{K8s common labels usage => k8s-common-labels-usage}/raw.rego (81%) rename rules/{K8s common labels usage => k8s-common-labels-usage}/rule.metadata.json (97%) create mode 100644 rules/k8s-common-labels-usage/test/cronjob/data.json rename rules/{K8s common labels usage => k8s-common-labels-usage}/test/cronjob/expected.json (86%) rename rules/{K8s common labels usage => k8s-common-labels-usage}/test/cronjob/input/cronjob.yaml (100%) create mode 100644 rules/k8s-common-labels-usage/test/pod/data.json rename rules/{K8s common labels usage => k8s-common-labels-usage}/test/pod/expected.json (91%) rename rules/{K8s common labels usage => k8s-common-labels-usage}/test/pod/input/pod.yaml (100%) create mode 100644 rules/k8s-common-labels-usage/test/workload-fail/data.json rename rules/{K8s common labels usage => k8s-common-labels-usage}/test/workload-fail/expected.json (89%) rename rules/{K8s common labels usage => k8s-common-labels-usage}/test/workload-fail/input/deployment.yaml (100%) rename rules/{K8s common labels usage => k8s-common-labels-usage}/test/workload/expected.json (100%) rename rules/{K8s common labels usage => k8s-common-labels-usage}/test/workload/input/deployment.yaml (100%) create mode 100644 rules/label-usage-for-resources/test/cronjob/data.json create mode 100644 rules/label-usage-for-resources/test/pod/data.json create mode 100644 rules/label-usage-for-resources/test/workload-fail/data.json diff --git a/ControlID_RuleName.csv b/ControlID_RuleName.csv index dee396dae..51235bb80 100644 --- a/ControlID_RuleName.csv +++ b/ControlID_RuleName.csv @@ -69,7 +69,7 @@ C-0073,naked-pods C-0074,containers-mounting-docker-socket C-0075,image-pull-policy-is-not-set-to-always C-0076,label-usage-for-resources -C-0077,K8s common labels usage +C-0077,k8s-common-labels-usage C-0078,container-image-repository C-0079,CVE-2022-0185 C-0081,CVE-2022-24348 diff --git a/controls/C-0077-k8scommonlabelsusage.json b/controls/C-0077-k8scommonlabelsusage.json index a4ed375d9..d3645ac56 100644 --- a/controls/C-0077-k8scommonlabelsusage.json +++ b/controls/C-0077-k8scommonlabelsusage.json @@ -10,7 +10,7 @@ "description": "Kubernetes common labels help manage and monitor Kubernetes cluster using different tools such as kubectl, dashboard and others in an interoperable way. Refer to https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/ for more information. This control helps you find objects that don't have any of these labels defined.", "remediation": "Define applicable labels or use the exception mechanism to prevent further notifications.", "rulesNames": [ - "K8s common labels usage" + "k8s-common-labels-usage" ], "long_description": "Kubernetes common labels help manage and monitor Kubernetes cluster using different tools such as kubectl, dashboard and others in an interoperable way. Refer to https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/ for more information. This control helps you find objects that don't have any of these labels defined.", "test": "Test will check if the list of label that start with app.kubernetes.io/ are defined.", diff --git a/rules/K8s common labels usage/raw.rego b/rules/k8s-common-labels-usage/raw.rego similarity index 81% rename from rules/K8s common labels usage/raw.rego rename to rules/k8s-common-labels-usage/raw.rego index d9adb28e4..238b41216 100644 --- a/rules/K8s common labels usage/raw.rego +++ b/rules/k8s-common-labels-usage/raw.rego @@ -86,19 +86,22 @@ no_K8s_label_usage(wl, podSpec, beggining_of_pod_path) = path{ no_K8s_label_or_no_K8s_label_usage(wl, start_of_path) = path{ not wl.metadata.labels - path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}] + label_key := get_label_key("") + path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}] } no_K8s_label_or_no_K8s_label_usage(wl, start_of_path) = path{ metadata := wl.metadata not metadata.labels - path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}] + label_key := get_label_key("") + path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}] } no_K8s_label_or_no_K8s_label_usage(wl, start_of_path) = path{ labels := wl.metadata.labels not all_kubernetes_labels(labels) - path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}] + label_key := get_label_key("") + path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}] } all_kubernetes_labels(labels){ @@ -106,3 +109,10 @@ all_kubernetes_labels(labels){ recommended_label := recommended_labels[_] labels[recommended_label] } + +# get_label_key accepts a parameter so it's not considered a rule +get_label_key(unused_param) = key { + recommended_labels := data.postureControlInputs.k8sRecommendedLabels + count(recommended_labels) > 0 + key := recommended_labels[0] +} else = "YOUR_LABEL" diff --git a/rules/K8s common labels usage/rule.metadata.json b/rules/k8s-common-labels-usage/rule.metadata.json similarity index 97% rename from rules/K8s common labels usage/rule.metadata.json rename to rules/k8s-common-labels-usage/rule.metadata.json index 8cfc734bc..fdf0b6bc4 100644 --- a/rules/K8s common labels usage/rule.metadata.json +++ b/rules/k8s-common-labels-usage/rule.metadata.json @@ -1,5 +1,5 @@ { - "name": "K8s common labels usage", + "name": "k8s-common-labels-usage", "attributes": { "armoBuiltin": true }, diff --git a/rules/k8s-common-labels-usage/test/cronjob/data.json b/rules/k8s-common-labels-usage/test/cronjob/data.json new file mode 100644 index 000000000..3ef3b49d3 --- /dev/null +++ b/rules/k8s-common-labels-usage/test/cronjob/data.json @@ -0,0 +1,8 @@ +{ + "postureControlInputs": { + "k8sRecommendedLabels": [ + "app.kubernetes.io/name", + "app.kubernetes.io/instance" + ] + } +} \ No newline at end of file diff --git a/rules/K8s common labels usage/test/cronjob/expected.json b/rules/k8s-common-labels-usage/test/cronjob/expected.json similarity index 86% rename from rules/K8s common labels usage/test/cronjob/expected.json rename to rules/k8s-common-labels-usage/test/cronjob/expected.json index 54bbecca0..2f9d26829 100644 --- a/rules/K8s common labels usage/test/cronjob/expected.json +++ b/rules/k8s-common-labels-usage/test/cronjob/expected.json @@ -2,7 +2,7 @@ "alertMessage": "the following cronjobs the kubernetes common labels are not defined: hello", "failedPaths": [], "fixPaths": [{ - "path": "spec.jobTemplate.spec.template.metadata.labels", + "path": "spec.jobTemplate.spec.template.metadata.labels.app.kubernetes.io/name", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/K8s common labels usage/test/cronjob/input/cronjob.yaml b/rules/k8s-common-labels-usage/test/cronjob/input/cronjob.yaml similarity index 100% rename from rules/K8s common labels usage/test/cronjob/input/cronjob.yaml rename to rules/k8s-common-labels-usage/test/cronjob/input/cronjob.yaml diff --git a/rules/k8s-common-labels-usage/test/pod/data.json b/rules/k8s-common-labels-usage/test/pod/data.json new file mode 100644 index 000000000..8125fe53b --- /dev/null +++ b/rules/k8s-common-labels-usage/test/pod/data.json @@ -0,0 +1,5 @@ +{ + "postureControlInputs": { + "k8sRecommendedLabels": [] + } +} \ No newline at end of file diff --git a/rules/K8s common labels usage/test/pod/expected.json b/rules/k8s-common-labels-usage/test/pod/expected.json similarity index 91% rename from rules/K8s common labels usage/test/pod/expected.json rename to rules/k8s-common-labels-usage/test/pod/expected.json index fa82c5e58..2a4cac865 100644 --- a/rules/K8s common labels usage/test/pod/expected.json +++ b/rules/k8s-common-labels-usage/test/pod/expected.json @@ -2,7 +2,7 @@ "alertMessage": "in the following pod the kubernetes common labels are not defined: command-demo", "failedPaths": [], "fixPaths": [{ - "path": "metadata.labels", + "path": "metadata.labels.YOUR_LABEL", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/K8s common labels usage/test/pod/input/pod.yaml b/rules/k8s-common-labels-usage/test/pod/input/pod.yaml similarity index 100% rename from rules/K8s common labels usage/test/pod/input/pod.yaml rename to rules/k8s-common-labels-usage/test/pod/input/pod.yaml diff --git a/rules/k8s-common-labels-usage/test/workload-fail/data.json b/rules/k8s-common-labels-usage/test/workload-fail/data.json new file mode 100644 index 000000000..3ef3b49d3 --- /dev/null +++ b/rules/k8s-common-labels-usage/test/workload-fail/data.json @@ -0,0 +1,8 @@ +{ + "postureControlInputs": { + "k8sRecommendedLabels": [ + "app.kubernetes.io/name", + "app.kubernetes.io/instance" + ] + } +} \ No newline at end of file diff --git a/rules/K8s common labels usage/test/workload-fail/expected.json b/rules/k8s-common-labels-usage/test/workload-fail/expected.json similarity index 89% rename from rules/K8s common labels usage/test/workload-fail/expected.json rename to rules/k8s-common-labels-usage/test/workload-fail/expected.json index aa02dcc2f..3a98cdfa0 100644 --- a/rules/K8s common labels usage/test/workload-fail/expected.json +++ b/rules/k8s-common-labels-usage/test/workload-fail/expected.json @@ -2,7 +2,7 @@ "alertMessage": "Deployment: kubernetes-dashboard the kubernetes common labels are is not defined:", "failedPaths": [], "fixPaths": [{ - "path": "spec.template.metadata.labels", + "path": "spec.template.metadata.labels.app.kubernetes.io/name", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/K8s common labels usage/test/workload-fail/input/deployment.yaml b/rules/k8s-common-labels-usage/test/workload-fail/input/deployment.yaml similarity index 100% rename from rules/K8s common labels usage/test/workload-fail/input/deployment.yaml rename to rules/k8s-common-labels-usage/test/workload-fail/input/deployment.yaml diff --git a/rules/K8s common labels usage/test/workload/expected.json b/rules/k8s-common-labels-usage/test/workload/expected.json similarity index 100% rename from rules/K8s common labels usage/test/workload/expected.json rename to rules/k8s-common-labels-usage/test/workload/expected.json diff --git a/rules/K8s common labels usage/test/workload/input/deployment.yaml b/rules/k8s-common-labels-usage/test/workload/input/deployment.yaml similarity index 100% rename from rules/K8s common labels usage/test/workload/input/deployment.yaml rename to rules/k8s-common-labels-usage/test/workload/input/deployment.yaml diff --git a/rules/label-usage-for-resources/raw.rego b/rules/label-usage-for-resources/raw.rego index e059dc7e1..a8f8e82e8 100644 --- a/rules/label-usage-for-resources/raw.rego +++ b/rules/label-usage-for-resources/raw.rego @@ -84,19 +84,22 @@ no_label_usage(wl, podSpec, beggining_of_pod_path) = path{ no_label_or_no_label_usage(wl, start_of_path) = path{ not wl.metadata - path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}] + label_key := get_label_key("") + path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}] } no_label_or_no_label_usage(wl, start_of_path) = path{ metadata := wl.metadata not metadata.labels - path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}] + label_key := get_label_key("") + path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}] } no_label_or_no_label_usage(wl, start_of_path) = path{ labels := wl.metadata.labels not is_desired_label(labels) - path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}] + label_key := get_label_key("") + path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}] } is_desired_label(labels) { @@ -105,3 +108,9 @@ is_desired_label(labels) { labels[recommended_label] } +# get_label_key accepts a parameter so it's not considered a rule +get_label_key(unused_param) = key { + recommended_labels := data.postureControlInputs.recommendedLabels + count(recommended_labels) > 0 + key := recommended_labels[0] +} else = "YOUR_LABEL" diff --git a/rules/label-usage-for-resources/test/cronjob/data.json b/rules/label-usage-for-resources/test/cronjob/data.json new file mode 100644 index 000000000..8e17f0794 --- /dev/null +++ b/rules/label-usage-for-resources/test/cronjob/data.json @@ -0,0 +1,5 @@ +{ + "postureControlInputs": { + "recommendedLabels": [] + } +} \ No newline at end of file diff --git a/rules/label-usage-for-resources/test/cronjob/expected.json b/rules/label-usage-for-resources/test/cronjob/expected.json index 35aca7d3c..595a928d3 100644 --- a/rules/label-usage-for-resources/test/cronjob/expected.json +++ b/rules/label-usage-for-resources/test/cronjob/expected.json @@ -2,10 +2,10 @@ "alertMessage": "the following cronjobs a certain set of labels is not defined: hello", "failedPaths": [], "fixPaths": [{ - "path": "metadata.labels", + "path": "metadata.labels.YOUR_LABEL", "value": "YOUR_VALUE" }, { - "path": "spec.jobTemplate.spec.template.metadata.labels", + "path": "spec.jobTemplate.spec.template.metadata.labels.YOUR_LABEL", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/label-usage-for-resources/test/pod/data.json b/rules/label-usage-for-resources/test/pod/data.json new file mode 100644 index 000000000..a391fd373 --- /dev/null +++ b/rules/label-usage-for-resources/test/pod/data.json @@ -0,0 +1,8 @@ +{ + "postureControlInputs": { + "recommendedLabels": [ + "app", + "tier" + ] + } +} \ No newline at end of file diff --git a/rules/label-usage-for-resources/test/pod/expected.json b/rules/label-usage-for-resources/test/pod/expected.json index 18eb1ba9c..ffcc45464 100644 --- a/rules/label-usage-for-resources/test/pod/expected.json +++ b/rules/label-usage-for-resources/test/pod/expected.json @@ -2,7 +2,7 @@ "alertMessage": "in the following pods a certain set of labels is not defined: command-demo", "failedPaths": [], "fixPaths": [{ - "path": "metadata.labels", + "path": "metadata.labels.app", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/label-usage-for-resources/test/workload-fail/data.json b/rules/label-usage-for-resources/test/workload-fail/data.json new file mode 100644 index 000000000..a391fd373 --- /dev/null +++ b/rules/label-usage-for-resources/test/workload-fail/data.json @@ -0,0 +1,8 @@ +{ + "postureControlInputs": { + "recommendedLabels": [ + "app", + "tier" + ] + } +} \ No newline at end of file diff --git a/rules/label-usage-for-resources/test/workload-fail/expected.json b/rules/label-usage-for-resources/test/workload-fail/expected.json index 6adc8d7c7..dcf7acfeb 100644 --- a/rules/label-usage-for-resources/test/workload-fail/expected.json +++ b/rules/label-usage-for-resources/test/workload-fail/expected.json @@ -2,7 +2,7 @@ "alertMessage": "Deployment: kubernetes-dashboard a certain set of labels is not defined:", "failedPaths": [], "fixPaths": [{ - "path": "spec.template.metadata.labels", + "path": "spec.template.metadata.labels.app", "value": "YOUR_VALUE" }], "ruleStatus": "",