From a9b037aed12e8457d15ed24a7ab34b8b5dd15db4 Mon Sep 17 00:00:00 2001 From: YiscahLevySilas1 <80635572+YiscahLevySilas1@users.noreply.github.com> Date: Mon, 9 Oct 2023 16:38:54 +0300 Subject: [PATCH] SUB-2768 - add delete / review paths (#517) 
Signed-off-by: YiscahLevySilas1 Co-authored-by: Yuval Leibovich <89763818+yuleib@users.noreply.github.com> --- rules/exposure-to-internet/raw.rego | 2 ++ rules/has-image-signature/raw.rego | 3 +++ rules/horizontalpodautoscaler-in-default-namespace/raw.rego | 1 + rules/host-network-access/raw.rego | 3 +++ rules/ingress-in-default-namespace/raw.rego | 1 + rules/insecure-port-flag/raw.rego | 1 + rules/k8s-audit-logs-enabled-native-cis/raw.rego | 1 + rules/k8s-audit-logs-enabled-native/raw.rego | 1 + rules/kubelet-authorization-mode-alwaysAllow/raw.rego | 1 + rules/kubelet-event-qps/raw.rego | 1 + rules/kubelet-ip-tables/raw.rego | 1 + rules/kubelet-protect-kernel-defaults/raw.rego | 1 + rules/kubelet-rotate-certificates/raw.rego | 1 + rules/kubelet-streaming-connection-idle-timeout/raw.rego | 1 + rules/kubelet-strong-cryptography-ciphers/raw.rego | 1 + rules/lease-in-default-namespace/raw.rego | 1 + rules/non-root-containers/raw.rego | 3 +++ rules/persistentvolumeclaim-in-default-namespace/raw.rego | 1 + rules/poddisruptionbudget-in-default-namespace/raw.rego | 1 + rules/podtemplate-in-default-namespace/raw.rego | 1 + rules/psp-deny-allowed-capabilities/raw.rego | 1 + rules/psp-deny-allowprivilegeescalation/raw.rego | 1 + rules/psp-deny-hostipc/raw.rego | 1 + rules/psp-deny-hostnetwork/raw.rego | 1 + rules/psp-deny-hostpid/raw.rego | 1 + rules/psp-deny-privileged-container/raw.rego | 1 + rules/psp-deny-root-container/raw.rego | 1 + rules/psp-enabled-native/raw.rego | 1 + rules/rbac-enabled-cloud/raw.rego | 1 + rules/rbac-enabled-native/raw.rego | 1 + rules/read-only-port-enabled-updated/raw.rego | 1 + rules/replicationcontroller-in-default-namespace/raw.rego | 1 + rules/resources-cpu-limit-and-request/raw.rego | 3 +++ rules/resources-memory-limit-and-request/raw.rego | 3 +++ rules/resources-secret-in-default-namespace/raw.rego | 1 + rules/role-in-default-namespace/raw.rego | 1 + rules/rolebinding-in-default-namespace/raw.rego | 1 + 
rules/rule-access-dashboard-subject-v1/raw.rego | 1 + rules/rule-access-dashboard-wl-v1/raw.rego | 3 +++ rules/rule-access-dashboard/raw.rego | 3 +++ rules/rule-allow-privilege-escalation/raw.rego | 3 +++ rules/rule-can-bind-escalate/raw.rego | 2 ++ rules/rule-can-create-pod/raw.rego | 1 + rules/rule-can-delete-k8s-events-v1/raw.rego | 1 + rules/rule-can-delete-k8s-events/raw.rego | 3 +++ rules/rule-can-impersonate-users-groups-v1/raw.rego | 1 + rules/rule-can-impersonate-users-groups/raw.rego | 1 + rules/rule-can-list-get-secrets-v1/raw.rego | 1 + rules/rule-can-list-get-secrets/raw.rego | 1 + rules/rule-can-portforward-v1/raw.rego | 1 + rules/rule-can-portforward/raw.rego | 1 + rules/rule-can-ssh-to-pod-v1/raw.rego | 3 +++ rules/rule-can-ssh-to-pod/raw.rego | 1 + rules/rule-can-update-configmap-v1/raw.rego | 2 ++ rules/rule-can-update-configmap/raw.rego | 1 + rules/rule-credentials-configmap/raw.rego | 1 + rules/rule-credentials-in-env-var/raw.rego | 1 + rules/rule-excessive-delete-rights-v1/raw.rego | 1 + rules/rule-excessive-delete-rights/raw.rego | 3 +++ rules/rule-identify-blocklisted-image-registries-v1/raw.rego | 1 + rules/rule-identify-blocklisted-image-registries/raw.rego | 3 +++ rules/rule-identify-old-k8s-registry/raw.rego | 3 +++ rules/rule-list-all-cluster-admins-v1/raw.rego | 1 + rules/rule-list-all-cluster-admins/raw.rego | 3 +++ rules/rule-privileged-container/raw.rego | 3 +++ rules/rule-secrets-in-env-var/raw.rego | 3 +++ rules/secret-etcd-encryption-cloud/raw.rego | 1 + rules/service-in-default-namespace/raw.rego | 1 + rules/serviceaccount-in-default-namespace/raw.rego | 1 + rules/serviceaccount-token-mount/raw.rego | 1 + rules/set-fsgroup-value/raw.rego | 3 +++ rules/set-procmount-default/raw.rego | 3 +++ rules/set-seccomp-profile-RuntimeDefault/raw.rego | 3 +++ rules/set-supplementalgroups-values/raw.rego | 3 +++ rules/sudo-in-container-entrypoint/raw.rego | 3 +++ rules/verify-image-signature/raw.rego | 3 +++ 
rules/workload-mounted-configmap/raw.rego | 5 +++-- .../workload-mounted-configmap/test/failed_pod/expected.json | 2 +- rules/workload-mounted-pvc/raw.rego | 5 +++-- .../test/failed_pod_mounted/expected.json | 2 +- rules/workload-mounted-secrets/raw.rego | 5 +++-- rules/workload-mounted-secrets/test/failed/expected.json | 2 +- 82 files changed, 135 insertions(+), 9 deletions(-)
diff --git a/rules/exposure-to-internet/raw.rego b/rules/exposure-to-internet/raw.rego
index f8ded1dfc..e31379b8b 100644
--- a/rules/exposure-to-internet/raw.rego
+++ b/rules/exposure-to-internet/raw.rego
@@ -22,6 +22,7 @@ deny[msga] {
 },
 "relatedObjects": [{
 "object": service,
+ "reviewPaths": failPath,
 "failedPaths": failPath,
 }]
 }
@@ -56,6 +57,7 @@ deny[msga] {
 },
 "relatedObjects": [{
 "object": ingress,
+ "reviewPaths": result,
 "failedPaths": result,
 }]
 }
diff --git a/rules/has-image-signature/raw.rego b/rules/has-image-signature/raw.rego
index d44315ca2..6a82003d9 100644
--- a/rules/has-image-signature/raw.rego
+++ b/rules/has-image-signature/raw.rego
@@ -14,6 +14,7 @@ deny[msga] {
 "alertMessage": sprintf("image: %v is not signed", [ container.image]),
 "alertScore": 7,
 "fixPaths": [],
+ "reviewPaths": [failedPath],
 "failedPaths": [failedPath],
 "packagename": "armo_builtins",
 "alertObject": {
@@ -37,6 +38,7 @@ deny[msga] {
 "alertMessage": sprintf("image: %v is not signed", [ container.image]),
 "alertScore": 7,
 "fixPaths": [],
+ "reviewPaths": [failedPath],
 "failedPaths": [failedPath],
 "packagename": "armo_builtins",
 "alertObject": {
@@ -59,6 +61,7 @@ deny[msga] {
 "alertMessage": sprintf("image: %v is not signed", [ container.image]),
 "alertScore": 7,
 "fixPaths": [],
+ "reviewPaths": [failedPath],
 "failedPaths": [failedPath],
 "packagename": "armo_builtins",
 "alertObject": {
diff --git a/rules/horizontalpodautoscaler-in-default-namespace/raw.rego b/rules/horizontalpodautoscaler-in-default-namespace/raw.rego
index 716352f01..de13fc0b6 100644
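Review bot: The three added `"reviewPaths": [failedPath],` lines in has-image-signature duplicate `failedPaths` by hand, and the diffstat above shows test fixtures (`expected.json`) updated only for the three workload-mounted-* rules, so none of this rule's fixtures assert the new key. Whether the test harness ignores extra keys is not visible here; if it compares the whole output object the fixtures need the same `reviewPaths` entries, and if it does not, the new field is effectively untested across the rules this commit touches. A short comment at the first occurrence, such as `# failedPaths is kept for consumers that predate reviewPaths/deletePaths`, would also record why both keys carry the same value, since hand-copied duplicates are an invitation to drift. Each enclosing deny rule starts above its hunk.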
--- a/rules/horizontalpodautoscaler-in-default-namespace/raw.rego
+++ b/rules/horizontalpodautoscaler-in-default-namespace/raw.rego
@@ -9,6 +9,7 @@ deny[msga] {
 "alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 3,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixed_path,
 "alertObject": {
diff --git a/rules/host-network-access/raw.rego b/rules/host-network-access/raw.rego
index b98f3bffe..43e3ab34c 100644
--- a/rules/host-network-access/raw.rego
+++ b/rules/host-network-access/raw.rego
@@ -10,6 +10,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("Pod: %v is connected to the host network", [pod.metadata.name]),
 "alertScore": 9,
+ "deletePaths": [path],
 "failedPaths": [path],
 "fixPaths":[],
 "packagename": "armo_builtins",
@@ -28,6 +29,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("%v: %v has a pod connected to the host network", [wl.kind, wl.metadata.name]),
 "alertScore": 9,
+ "deletePaths": [path],
 "failedPaths": [path],
 "fixPaths":[],
 "packagename": "armo_builtins",
@@ -46,6 +48,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("CronJob: %v has a pod connected to the host network", [wl.metadata.name]),
 "alertScore": 9,
+ "deletePaths": [path],
 "failedPaths": [path],
 "fixPaths":[],
 "packagename": "armo_builtins",
diff --git a/rules/ingress-in-default-namespace/raw.rego b/rules/ingress-in-default-namespace/raw.rego
index 716352f01..de13fc0b6 100644
--- a/rules/ingress-in-default-namespace/raw.rego
+++ b/rules/ingress-in-default-namespace/raw.rego
@@ -9,6 +9,7 @@ deny[msga] {
 "alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 3,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixed_path,
 "alertObject": {
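Review bot: The `"deletePaths": [path],` added in the first host-network-access hunk targets a field of a live Pod, and Kubernetes rejects updates to `spec.hostNetwork` on an existing Pod, so a consumer that applies deletePaths in place can only succeed for the workload and CronJob variants in the two following hunks, whose paths address a pod template. `path` is defined above the hunk, so I am inferring from the alert message that it points at `hostNetwork` rather than at one of the few mutable Pod fields. A one-line caveat in the Pod rule, `# on a bare Pod this path is only actionable on the manifest, not the running object`, or emitting the Pod finding as `reviewPaths` the way the default-namespace rules in this commit do, would keep the remediation honest. The enclosing deny rules start above their hunks.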
diff --git a/rules/insecure-port-flag/raw.rego b/rules/insecure-port-flag/raw.rego
index 9c8ca72da..2f5ab7b5a 100644
--- a/rules/insecure-port-flag/raw.rego
+++ b/rules/insecure-port-flag/raw.rego
@@ -13,6 +13,7 @@ deny[msga] {
 "alertMessage": sprintf("The API server container: %v has insecure-port flag enabled", [ container.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "alertObject": {
diff --git a/rules/k8s-audit-logs-enabled-native-cis/raw.rego b/rules/k8s-audit-logs-enabled-native-cis/raw.rego
index 8ef187391..b2ec07f46 100644
--- a/rules/k8s-audit-logs-enabled-native-cis/raw.rego
+++ b/rules/k8s-audit-logs-enabled-native-cis/raw.rego
@@ -13,6 +13,7 @@ deny[msga] {
 "alertMessage": "audit logs are not enabled",
 "alertScore": 5,
 "packagename": "armo_builtins",
+ "reviewPaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "alertObject": {"k8sApiObjects": [obj]},
diff --git a/rules/k8s-audit-logs-enabled-native/raw.rego b/rules/k8s-audit-logs-enabled-native/raw.rego
index 9782eb234..1f0a057b6 100644
--- a/rules/k8s-audit-logs-enabled-native/raw.rego
+++ b/rules/k8s-audit-logs-enabled-native/raw.rego
@@ -15,6 +15,7 @@ deny[msga] {
 "alertMessage": "audit logs is not enabled",
 "alertScore": 9,
 "packagename": "armo_builtins",
+ "reviewPaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "alertObject": {
diff --git a/rules/kubelet-authorization-mode-alwaysAllow/raw.rego b/rules/kubelet-authorization-mode-alwaysAllow/raw.rego
index 8a75ea6fb..052efa4c2 100644
--- a/rules/kubelet-authorization-mode-alwaysAllow/raw.rego
+++ b/rules/kubelet-authorization-mode-alwaysAllow/raw.rego
@@ -43,6 +43,7 @@ deny[msga] {
 msga := {
 "alertMessage": "Anonymous requests are enabled",
 "alertScore": 10,
+ "reviewPaths": ["authorization.mode"],
 "failedPaths": ["authorization.mode"],
 "fixPaths": [],
 "packagename": "armo_builtins",
diff --git a/rules/kubelet-event-qps/raw.rego b/rules/kubelet-event-qps/raw.rego
index c700cb104..ad0eed856 100644
--- a/rules/kubelet-event-qps/raw.rego
+++ b/rules/kubelet-event-qps/raw.rego
@@ -22,6 +22,7 @@ deny[msga] {
 msga := {
 "alertMessage": "Value of the eventRecordQPS argument is set to 0",
 "alertScore": 2,
+ "reviewPaths": ["eventRecordQPS"],
 "failedPaths": ["eventRecordQPS"],
 "fixPaths": [],
 "packagename": "armo_builtins",
diff --git a/rules/kubelet-ip-tables/raw.rego b/rules/kubelet-ip-tables/raw.rego
index 440f3491d..0373e1f6b 100644
--- a/rules/kubelet-ip-tables/raw.rego
+++ b/rules/kubelet-ip-tables/raw.rego
@@ -41,6 +41,7 @@ deny[msga] {
 msga := {
 "alertMessage": "Property makeIPTablesUtilChains is not set to true",
 "alertScore": 3,
+ "reviewPaths": ["makeIPTablesUtilChains"],
 "failedPaths": ["makeIPTablesUtilChains"],
 "fixPaths": [],
 "packagename": "armo_builtins",
diff --git a/rules/kubelet-protect-kernel-defaults/raw.rego b/rules/kubelet-protect-kernel-defaults/raw.rego
index 3c420c862..963ccc6fc 100644
--- a/rules/kubelet-protect-kernel-defaults/raw.rego
+++ b/rules/kubelet-protect-kernel-defaults/raw.rego
@@ -41,6 +41,7 @@ deny[msga] {
 msga := {
 "alertMessage": "Property protectKernelDefaults is not set to true",
 "alertScore": 2,
+ "reviewPaths": ["protectKernelDefaults"],
 "failedPaths": ["protectKernelDefaults"],
 "fixPaths": [],
 "packagename": "armo_builtins",
diff --git a/rules/kubelet-rotate-certificates/raw.rego b/rules/kubelet-rotate-certificates/raw.rego
index 4e8cff4e5..bbe633709 100644
--- a/rules/kubelet-rotate-certificates/raw.rego
+++ b/rules/kubelet-rotate-certificates/raw.rego
@@ -41,6 +41,7 @@ deny[msga] {
 msga := {
 "alertMessage": "Kubelet client certificates rotation is disabled",
 "alertScore": 6,
+ "reviewPaths": ["rotateCertificates"],
 "failedPaths": ["rotateCertificates"],
 "fixPaths": [],
 "packagename": "armo_builtins",
diff --git a/rules/kubelet-streaming-connection-idle-timeout/raw.rego b/rules/kubelet-streaming-connection-idle-timeout/raw.rego
index 33fdc1d87..86532b50c 100644
--- a/rules/kubelet-streaming-connection-idle-timeout/raw.rego
+++ b/rules/kubelet-streaming-connection-idle-timeout/raw.rego
@@ -41,6 +41,7 @@ deny[msga] {
 msga := {
 "alertMessage": "Timeouts on streaming connections are enabled",
 "alertScore": 3,
+ "reviewPaths": ["streamingConnectionIdleTimeout"],
 "failedPaths": ["streamingConnectionIdleTimeout"],
 "fixPaths": [],
 "packagename": "armo_builtins",
diff --git a/rules/kubelet-strong-cryptography-ciphers/raw.rego b/rules/kubelet-strong-cryptography-ciphers/raw.rego
index c923a75d7..5871f6968 100644
--- a/rules/kubelet-strong-cryptography-ciphers/raw.rego
+++ b/rules/kubelet-strong-cryptography-ciphers/raw.rego
@@ -44,6 +44,7 @@ deny[msga] {
 msga := {
 "alertMessage": "Kubelet is not configured to only use strong cryptographic ciphers",
 "alertScore": 5,
+ "reviewPaths": ["TLSCipherSuites"],
 "failedPaths": ["TLSCipherSuites"],
 "fixPaths": [],
 "packagename": "armo_builtins",
diff --git a/rules/lease-in-default-namespace/raw.rego b/rules/lease-in-default-namespace/raw.rego
index 716352f01..de13fc0b6 100644
--- a/rules/lease-in-default-namespace/raw.rego
+++ b/rules/lease-in-default-namespace/raw.rego
@@ -9,6 +9,7 @@ deny[msga] {
 "alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 3,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixed_path,
 "alertObject": {
diff --git a/rules/non-root-containers/raw.rego b/rules/non-root-containers/raw.rego
index 0e6095d2b..08c6e74ae 100644
--- a/rules/non-root-containers/raw.rego
+++ b/rules/non-root-containers/raw.rego
@@ -17,6 +17,7 @@ deny[msga] {
 "alertMessage": sprintf("container: %v in pod: %v may run as root", [container.name, pod.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixPath,
 "alertObject": {
@@ -40,6 +41,7 @@ deny[msga] {
 "alertMessage": sprintf("container :%v in %v: %v may run as root", [container.name, wl.kind, wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixPath,
 "alertObject": {
@@ -64,6 +66,7 @@ deny[msga] {
 "alertMessage": sprintf("container :%v in %v: %v may run as root", [container.name, wl.kind, wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixPath,
 "alertObject": {
diff --git a/rules/persistentvolumeclaim-in-default-namespace/raw.rego b/rules/persistentvolumeclaim-in-default-namespace/raw.rego
index 716352f01..de13fc0b6 100644
--- a/rules/persistentvolumeclaim-in-default-namespace/raw.rego
+++ b/rules/persistentvolumeclaim-in-default-namespace/raw.rego
@@ -9,6 +9,7 @@ deny[msga] {
 "alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 3,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixed_path,
 "alertObject": {
diff --git a/rules/poddisruptionbudget-in-default-namespace/raw.rego b/rules/poddisruptionbudget-in-default-namespace/raw.rego
index 716352f01..de13fc0b6 100644
--- a/rules/poddisruptionbudget-in-default-namespace/raw.rego
+++ b/rules/poddisruptionbudget-in-default-namespace/raw.rego
@@ -9,6 +9,7 @@ deny[msga] {
 "alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 3,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixed_path,
 "alertObject": {
diff --git a/rules/podtemplate-in-default-namespace/raw.rego b/rules/podtemplate-in-default-namespace/raw.rego
index 716352f01..de13fc0b6 100644
--- a/rules/podtemplate-in-default-namespace/raw.rego
+++ b/rules/podtemplate-in-default-namespace/raw.rego
@@ -9,6 +9,7 @@ deny[msga] {
 "alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 3,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixed_path,
 "alertObject": {
diff --git a/rules/psp-deny-allowed-capabilities/raw.rego b/rules/psp-deny-allowed-capabilities/raw.rego
index ad7569792..4a76ccad5 100644
--- a/rules/psp-deny-allowed-capabilities/raw.rego
+++ b/rules/psp-deny-allowed-capabilities/raw.rego
@@ -19,6 +19,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("PodSecurityPolicy: '%v' has allowedCapabilities.", [psp.metadata.name]),
 "packagename": "armo_builtins",
+ "deletePaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "alertObject": {"k8sApiObjects": [psp]},
diff --git a/rules/psp-deny-allowprivilegeescalation/raw.rego b/rules/psp-deny-allowprivilegeescalation/raw.rego
index 30da73377..4117dbc26 100644
--- a/rules/psp-deny-allowprivilegeescalation/raw.rego
+++ b/rules/psp-deny-allowprivilegeescalation/raw.rego
@@ -19,6 +19,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("PodSecurityPolicy: '%v' has allowPrivilegeEscalation set as true.", [psp.metadata.name]),
 "packagename": "armo_builtins",
+ "deletePaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "alertObject": {"k8sApiObjects": [psp]},
diff --git a/rules/psp-deny-hostipc/raw.rego b/rules/psp-deny-hostipc/raw.rego
index 55787fa66..a15a175cb 100644
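Review bot: Deleting the flagged field does not remediate the psp-deny-allowprivilegeescalation finding: a PodSecurityPolicy's `allowPrivilegeEscalation` defaults to true when omitted, so if `path` (defined above the hunk) points at `spec.allowPrivilegeEscalation`, as the alert message suggests, the new `"deletePaths": [path],` leaves the effective policy exactly as permissive as before. This check calls for a value change to `false`, which belongs in `fixPaths` — still `"fixPaths": [],` two lines below — rather than in `deletePaths`. The same deletion pattern is sound for psp-deny-allowed-capabilities on this line, because removing `allowedCapabilities` falls back to an empty list, so only the privilege-escalation rule needs different treatment. Both enclosing deny rules start above their hunks.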
--- a/rules/psp-deny-hostipc/raw.rego
+++ b/rules/psp-deny-hostipc/raw.rego
@@ -19,6 +19,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("PodSecurityPolicy: '%v' has hostIPC set as true.", [psp.metadata.name]),
 "packagename": "armo_builtins",
+ "deletePaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "alertObject": {"k8sApiObjects": [psp]},
diff --git a/rules/psp-deny-hostnetwork/raw.rego b/rules/psp-deny-hostnetwork/raw.rego
index 83ca9e316..323ab6cc1 100644
--- a/rules/psp-deny-hostnetwork/raw.rego
+++ b/rules/psp-deny-hostnetwork/raw.rego
@@ -19,6 +19,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("PodSecurityPolicy: '%v' has hostNetwork set as true.", [psp.metadata.name]),
 "packagename": "armo_builtins",
+ "deletePaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "alertObject": {"k8sApiObjects": [psp]},
diff --git a/rules/psp-deny-hostpid/raw.rego b/rules/psp-deny-hostpid/raw.rego
index f888a2292..10d8976da 100644
--- a/rules/psp-deny-hostpid/raw.rego
+++ b/rules/psp-deny-hostpid/raw.rego
@@ -19,6 +19,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("PodSecurityPolicy: '%v' has hostPID set as true.", [psp.metadata.name]),
 "packagename": "armo_builtins",
+ "deletePaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "alertObject": {"k8sApiObjects": [psp]},
diff --git a/rules/psp-deny-privileged-container/raw.rego b/rules/psp-deny-privileged-container/raw.rego
index b1ae67912..9cd82eb02 100644
--- a/rules/psp-deny-privileged-container/raw.rego
+++ b/rules/psp-deny-privileged-container/raw.rego
@@ -19,6 +19,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("PodSecurityPolicy: '%v' has privileged set as true.", [psp.metadata.name]),
 "packagename": "armo_builtins",
+ "deletePaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "alertObject": {"k8sApiObjects": [psp]},
diff --git a/rules/psp-deny-root-container/raw.rego b/rules/psp-deny-root-container/raw.rego
index 4c5842af2..7b53256c0 100644
--- a/rules/psp-deny-root-container/raw.rego
+++ b/rules/psp-deny-root-container/raw.rego
@@ -19,6 +19,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("PodSecurityPolicy: '%v' permits containers to run as the root user.", [psp.metadata.name]),
 "packagename": "armo_builtins",
+ "deletePaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "alertObject": {"k8sApiObjects": [psp]},
diff --git a/rules/psp-enabled-native/raw.rego b/rules/psp-enabled-native/raw.rego
index 5774b5c2d..b91749f9e 100644
--- a/rules/psp-enabled-native/raw.rego
+++ b/rules/psp-enabled-native/raw.rego
@@ -14,6 +14,7 @@ deny[msga] {
 "alertMessage": "PodSecurityPolicy is not enabled",
 "alertScore": 9,
 "packagename": "armo_builtins",
+ "reviewPaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "alertObject": {
diff --git a/rules/rbac-enabled-cloud/raw.rego b/rules/rbac-enabled-cloud/raw.rego
index bd5c4b831..392610619 100644
--- a/rules/rbac-enabled-cloud/raw.rego
+++ b/rules/rbac-enabled-cloud/raw.rego
@@ -12,6 +12,7 @@ deny[msga] {
 "alertMessage": "rbac is not enabled",
 "alertScore": 3,
 "packagename": "armo_builtins",
+ "reviewPaths": ["data.properties.enableRBAC"],
 "failedPaths": ["data.properties.enableRBAC"],
 "fixCommand": "",
 "fixPaths": [],
diff --git a/rules/rbac-enabled-native/raw.rego b/rules/rbac-enabled-native/raw.rego
index 6b040c5d8..d0a9a8807 100644
--- a/rules/rbac-enabled-native/raw.rego
+++ b/rules/rbac-enabled-native/raw.rego
@@ -14,6 +14,7 @@ deny[msga] {
 "alertMessage": "RBAC is not enabled",
 "alertScore": 9,
 "packagename": "armo_builtins",
+ "reviewPaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "alertObject": {
diff --git a/rules/read-only-port-enabled-updated/raw.rego b/rules/read-only-port-enabled-updated/raw.rego
index 99e1583f7..e267baaa0 100644
--- a/rules/read-only-port-enabled-updated/raw.rego
+++ b/rules/read-only-port-enabled-updated/raw.rego
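Review bot: The `"deletePaths": [path],` added to psp-deny-root-container marks what is most likely a required field for deletion: `path` is defined above the hunk, but the message "permits containers to run as the root user" points at `spec.runAsUser.rule` (or `spec.runAsUser`), and both are mandatory in the PodSecurityPolicy API, so removing either yields an object the API server rejects rather than a hardened policy. The remediation here is a value change to `MustRunAsNonRoot`, which belongs in `fixPaths` — still `"fixPaths": [],` two lines below — not in `deletePaths`. Until such an entry exists, `"reviewPaths": [path],` is the conservative category, and it is the one the three cluster-level rules that follow on this line (psp-enabled-native, rbac-enabled-cloud, rbac-enabled-native) already use. The enclosing deny rule starts above the hunk.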
@@ -43,6 +43,7 @@ deny[msga] {
 msga := {
 "alertMessage": "kubelet read-only port is not disabled",
 "alertScore": 4,
+ "reviewPaths": ["readOnlyPort"],
 "failedPaths": ["readOnlyPort"],
 "fixPaths": [],
 "packagename": "armo_builtins",
diff --git a/rules/replicationcontroller-in-default-namespace/raw.rego b/rules/replicationcontroller-in-default-namespace/raw.rego
index 716352f01..de13fc0b6 100644
--- a/rules/replicationcontroller-in-default-namespace/raw.rego
+++ b/rules/replicationcontroller-in-default-namespace/raw.rego
@@ -9,6 +9,7 @@ deny[msga] {
 "alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 3,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixed_path,
 "alertObject": {
diff --git a/rules/resources-cpu-limit-and-request/raw.rego b/rules/resources-cpu-limit-and-request/raw.rego
index 760545b60..317be212e 100644
--- a/rules/resources-cpu-limit-and-request/raw.rego
+++ b/rules/resources-cpu-limit-and-request/raw.rego
@@ -87,6 +87,7 @@ deny[msga] {
 "alertMessage": sprintf("Container: %v exceeds CPU-limit or request", [ container.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": [failed_paths],
 "failedPaths": [failed_paths],
 "fixPaths": [],
 "alertObject": {
@@ -112,6 +113,7 @@ deny[msga] {
 "alertMessage": sprintf("Container: %v in %v: %v exceeds CPU-limit or request", [ container.name, wl.kind, wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": [failed_paths],
 "failedPaths": [failed_paths],
 "fixPaths": [],
 "alertObject": {
@@ -136,6 +138,7 @@ deny[msga] {
 "alertMessage": sprintf("Container: %v in %v: %v exceeds CPU-limit or request", [ container.name, wl.kind, wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": [failed_paths],
 "failedPaths": [failed_paths],
 "fixPaths": [],
 "alertObject": {
diff --git a/rules/resources-memory-limit-and-request/raw.rego b/rules/resources-memory-limit-and-request/raw.rego
index 7b81f7be3..cf1c9f289 100644
--- a/rules/resources-memory-limit-and-request/raw.rego
+++ b/rules/resources-memory-limit-and-request/raw.rego
@@ -86,6 +86,7 @@ deny[msga] {
 "alertMessage": sprintf("Container: %v exceeds memory-limit or request", [container.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": [failed_paths],
 "failedPaths": [failed_paths],
 "fixPaths": [],
 "alertObject": {"k8sApiObjects": [pod]},
@@ -109,6 +110,7 @@ deny[msga] {
 "alertMessage": sprintf("Container: %v in %v: %v exceeds memory-limit or request", [container.name, wl.kind, wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": [failed_paths],
 "failedPaths": [failed_paths],
 "fixPaths": [],
 "alertObject": {"k8sApiObjects": [wl]},
@@ -131,6 +133,7 @@ deny[msga] {
 "alertMessage": sprintf("Container: %v in %v: %v exceeds memory-limit or request", [container.name, wl.kind, wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": [failed_paths],
 "failedPaths": [failed_paths],
 "fixPaths": [],
 "alertObject": {"k8sApiObjects": [wl]},
diff --git a/rules/resources-secret-in-default-namespace/raw.rego b/rules/resources-secret-in-default-namespace/raw.rego
index 716352f01..de13fc0b6 100644
--- a/rules/resources-secret-in-default-namespace/raw.rego
+++ b/rules/resources-secret-in-default-namespace/raw.rego
@@ -9,6 +9,7 @@ deny[msga] {
 "alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 3,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixed_path,
 "alertObject": {
diff --git a/rules/role-in-default-namespace/raw.rego b/rules/role-in-default-namespace/raw.rego
index 716352f01..de13fc0b6 100644
--- a/rules/role-in-default-namespace/raw.rego
+++ b/rules/role-in-default-namespace/raw.rego
@@ -9,6 +9,7 @@ deny[msga] {
 "alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 3,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixed_path,
 "alertObject": {
diff --git a/rules/rolebinding-in-default-namespace/raw.rego b/rules/rolebinding-in-default-namespace/raw.rego
index 716352f01..de13fc0b6 100644
--- a/rules/rolebinding-in-default-namespace/raw.rego
+++ b/rules/rolebinding-in-default-namespace/raw.rego
@@ -9,6 +9,7 @@ deny[msga] {
 "alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 3,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixed_path,
 "alertObject": {
diff --git a/rules/rule-access-dashboard-subject-v1/raw.rego b/rules/rule-access-dashboard-subject-v1/raw.rego
index 03ede61df..24ebd9339 100644
--- a/rules/rule-access-dashboard-subject-v1/raw.rego
+++ b/rules/rule-access-dashboard-subject-v1/raw.rego
@@ -19,6 +19,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("Subject: %v-%v is bound to dashboard role/clusterrole", [subjectVector.kind, subjectVector.name]),
 "alertScore": 9,
+ "reviewPaths": finalpath,
 "failedPaths": finalpath,
 "fixPaths": [],
 "packagename": "armo_builtins",
diff --git a/rules/rule-access-dashboard-wl-v1/raw.rego b/rules/rule-access-dashboard-wl-v1/raw.rego
index c3d882fef..d3191a423 100644
--- a/rules/rule-access-dashboard-wl-v1/raw.rego
+++ b/rules/rule-access-dashboard-wl-v1/raw.rego
@@ -14,6 +14,7 @@ deny[msga] {
 "packagename": "armo_builtins",
 "alertScore": 7,
 "fixPaths": [],
+ "deletePaths": ["spec.serviceaccountname"],
 "failedPaths": ["spec.serviceaccountname"],
 "alertObject": {
 "k8sApiObjects": [pod]
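Review bot: The added `"deletePaths": ["spec.serviceaccountname"],` in rule-access-dashboard-wl-v1 turns an already-present path into an actionable deletion, but the Pod field is `spec.serviceAccountName`; a consumer that applies deletePaths literally will find no `serviceaccountname` key and the remediation silently does nothing (the lowercased form recurs in the next two hunks of this file for the template and CronJob paths). The casing was harmless while the path was only reported; it matters once it drives a change. Separately, removing `serviceAccountName` makes the pod fall back to the namespace's `default` ServiceAccount, which is only a fix if that account is not itself bound to the dashboard role — worth a caveat next to the path: `# deleting serviceAccountName falls back to the 'default' SA; confirm it is not bound to the dashboard role`. The enclosing deny rule starts above the hunk.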
@@ -35,6 +36,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("%v: %v is associated with dashboard service account", [wl.kind, wl.metadata.name]),
 "packagename": "armo_builtins",
+ "deletePaths": ["spec.template.spec.serviceaccountname"],
 "failedPaths": ["spec.template.spec.serviceaccountname"],
 "alertScore": 7,
 "fixPaths": [],
@@ -59,6 +61,7 @@ deny[msga] {
 "packagename": "armo_builtins",
 "alertScore": 7,
 "fixPaths": [],
+ "deletePaths": ["spec.jobTemplate.spec.template.spec.serviceaccountname"],
 "failedPaths": ["spec.jobTemplate.spec.template.spec.serviceaccountname"],
 "alertObject": {
 "k8sApiObjects": [wl]
diff --git a/rules/rule-access-dashboard/raw.rego b/rules/rule-access-dashboard/raw.rego
index 27edbb404..1b5b94867 100644
--- a/rules/rule-access-dashboard/raw.rego
+++ b/rules/rule-access-dashboard/raw.rego
@@ -65,6 +65,7 @@ deny[msga] {
 "alertMessage": sprintf("the following pods: %s are associated with dashboard service account", [pod.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "deletePaths": [path],
 "failedPaths": [path],
 "alertObject": {
 "k8sApiObjects": [pod]
@@ -87,6 +88,7 @@ deny[msga] {
 "alertMessage": sprintf("%v: %v is associated with dashboard service account", [wl.kind, wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "deletePaths": [path],
 "failedPaths": [path],
 "alertObject": {
 "k8sApiObjects": [wl]
@@ -108,6 +110,7 @@ deny[msga] {
 "alertMessage": sprintf("the following cronjob: %s is associated with dashboard service account", [wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "deletePaths": [path],
 "failedPaths": [path],
 "alertObject": {
 "k8sApiObjects": [wl]
diff --git a/rules/rule-allow-privilege-escalation/raw.rego b/rules/rule-allow-privilege-escalation/raw.rego
index ae03f9313..41cf0a6f2 100644
--- a/rules/rule-allow-privilege-escalation/raw.rego
+++ b/rules/rule-allow-privilege-escalation/raw.rego
@@ -15,6 +15,7 @@ deny[msga] {
 "alertMessage": sprintf("container: %v in pod: %v allow privilege escalation", [container.name, pod.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixed_path,
 "alertObject": {
@@ -39,6 +40,7 @@ deny[msga] {
 "alertMessage": sprintf("container :%v in %v: %v allow privilege escalation", [container.name, wl.kind, wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixed_path,
 "alertObject": {
@@ -62,6 +64,7 @@ deny[msga] {
 "alertMessage": sprintf("container :%v in %v: %v allow privilege escalation", [container.name, wl.kind, wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixed_path,
 "alertObject": {
diff --git a/rules/rule-can-bind-escalate/raw.rego b/rules/rule-can-bind-escalate/raw.rego
index ecdfff74b..e041845cc 100644
--- a/rules/rule-can-bind-escalate/raw.rego
+++ b/rules/rule-can-bind-escalate/raw.rego
@@ -40,6 +40,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("Subject: %s-%s can bind roles/clusterroles", [subjectVector.kind, subjectVector.name]),
 "alertScore": 3,
+ "reviewPaths": finalpath,
 "failedPaths": finalpath,
 "fixPaths": [],
 "packagename": "armo_builtins",
@@ -90,6 +91,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("Subject: %s-%s can escalate roles/clusterroles", [subjectVector.kind, subjectVector.name]),
 "alertScore": 3,
+ "reviewPaths": finalpath,
 "failedPaths": finalpath,
 "fixPaths": [],
 "packagename": "armo_builtins",
diff --git a/rules/rule-can-create-pod/raw.rego b/rules/rule-can-create-pod/raw.rego
index 9c008368b..53a2ac623 100644
--- a/rules/rule-can-create-pod/raw.rego
+++ b/rules/rule-can-create-pod/raw.rego
@@ -40,6 +40,7 @@ is_same_subjects(subjectVector, subject)
 msga := {
 "alertMessage": sprintf("Subject: %s-%s can create pods", [subjectVector.kind, subjectVector.name]),
 "alertScore": 3,
+ "reviewPaths": finalpath,
 "failedPaths": finalpath,
 "fixPaths": [],
 "packagename": "armo_builtins",
diff --git a/rules/rule-can-delete-k8s-events-v1/raw.rego b/rules/rule-can-delete-k8s-events-v1/raw.rego
index e722c8d48..858c0e71f 100644
--- a/rules/rule-can-delete-k8s-events-v1/raw.rego
+++ b/rules/rule-can-delete-k8s-events-v1/raw.rego
@@ -40,6 +40,7 @@ rule_path := sprintf("relatedObjects[%d].rules[%d]", [i, p])
 "alertMessage": sprintf("Subject: %s-%s can delete events", [subjectVector.kind, subjectVector.name]),
 "alertScore": 3,
 "packagename": "armo_builtins",
+ "reviewPaths": finalpath,
 "failedPaths": finalpath,
 "fixPaths": [],
 "alertObject": {
diff --git a/rules/rule-can-delete-k8s-events/raw.rego b/rules/rule-can-delete-k8s-events/raw.rego
index 5a6aca47e..a586984fc 100644
--- a/rules/rule-can-delete-k8s-events/raw.rego
+++ b/rules/rule-can-delete-k8s-events/raw.rego
@@ -23,6 +23,7 @@ deny [msga] {
 msga := {
 "alertMessage": sprintf("The following %v: %v can delete events", [subject.kind, subject.name]),
 "alertScore": 6,
+ "deletePaths": [path],
 "failedPaths": [path],
 "packagename": "armo_builtins",
 "alertObject": {
@@ -57,6 +58,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("The following %v: %v can delete events", [subject.kind, subject.name]),
 "alertScore": 6,
+ "deletePaths": [path],
 "failedPaths": [path],
 "packagename": "armo_builtins",
 "alertObject": {
@@ -91,6 +93,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("The following %v: %v can delete events", [subject.kind, subject.name]),
 "alertScore": 6,
+ "deletePaths": [path],
 "failedPaths": [path],
 "packagename": "armo_builtins",
 "alertObject": {
diff --git a/rules/rule-can-impersonate-users-groups-v1/raw.rego b/rules/rule-can-impersonate-users-groups-v1/raw.rego
index c3b3b6749..eaef06336 100644
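Review bot: The three rule-can-delete-k8s-events hunks mark the RBAC `path` as `deletePaths`, while the v1 rule in the hunk above classifies the same finding as `reviewPaths`; `path` is bound outside the hunk, but if it addresses a whole `rules[i]` entry of the Role/ClusterRole (the v1 header's `rule_path := sprintf("relatedObjects[%d].rules[%d]", [i, p])` suggests that granularity), deleting it strips every verb and resource in that entry, not just the `delete` on events, which is a broader permission change than the alert describes. Unless `path` is narrowed to the offending verb, `"reviewPaths": [path],` matches the v1 behaviour and avoids an over-broad automated fix. The same pattern appears in the non-v1 impersonate and list-get-secrets hunks on L19, portforward on L20, update-configmap on L22, excessive-delete-rights on L23 and list-all-cluster-admins on L25.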
--- a/rules/rule-can-impersonate-users-groups-v1/raw.rego
+++ b/rules/rule-can-impersonate-users-groups-v1/raw.rego
@@ -39,6 +39,7 @@ is_same_subjects(subjectVector, subject)
 msga := {
 "alertMessage": sprintf("Subject: %s-%s can impersonate users", [subjectVector.kind, subjectVector.name]),
 "alertScore": 3,
+ "reviewPaths": finalpath,
 "failedPaths": finalpath,
 "fixPaths": [],
 "packagename": "armo_builtins",
diff --git a/rules/rule-can-impersonate-users-groups/raw.rego b/rules/rule-can-impersonate-users-groups/raw.rego
index 8e18fe891..4d2fcceac 100644
--- a/rules/rule-can-impersonate-users-groups/raw.rego
+++ b/rules/rule-can-impersonate-users-groups/raw.rego
@@ -21,6 +21,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("the following %v: %v, can impersonate users", [subject.kind, subject.name]),
 "alertScore": 9,
+ "deletePaths": [path],
 "failedPaths": [path],
 "packagename": "armo_builtins",
 "alertObject": {
diff --git a/rules/rule-can-list-get-secrets-v1/raw.rego b/rules/rule-can-list-get-secrets-v1/raw.rego
index 866c1cd3f..ccc6632dc 100644
--- a/rules/rule-can-list-get-secrets-v1/raw.rego
+++ b/rules/rule-can-list-get-secrets-v1/raw.rego
@@ -40,6 +40,7 @@ is_same_subjects(subjectVector, subject)
 msga := {
 "alertMessage": sprintf("Subject: %s-%s can read secrets", [subjectVector.kind, subjectVector.name]),
 "alertScore": 3,
+ "reviewPaths": finalpath,
 "failedPaths": finalpath,
 "fixPaths": [],
 "packagename": "armo_builtins",
diff --git a/rules/rule-can-list-get-secrets/raw.rego b/rules/rule-can-list-get-secrets/raw.rego
index 586f6c28c..d9a8d65a6 100644
--- a/rules/rule-can-list-get-secrets/raw.rego
+++ b/rules/rule-can-list-get-secrets/raw.rego
@@ -24,6 +24,7 @@ deny[msga] {
 "alertMessage": sprintf("The following %v: %v can read secrets", [subject.kind, subject.name]),
 "alertScore": 9,
 "packagename": "armo_builtins",
+ "deletePaths": [path],
 "failedPaths": [path],
 "alertObject": {
 "k8sApiObjects": [role,rolebinding],
diff --git a/rules/rule-can-portforward-v1/raw.rego b/rules/rule-can-portforward-v1/raw.rego
index 78ff0bbb8..e36ce1660 100644
--- a/rules/rule-can-portforward-v1/raw.rego
+++ b/rules/rule-can-portforward-v1/raw.rego
@@ -37,6 +37,7 @@ rule_path := sprintf("relatedObjects[%d].rules[%d]", [i, p])
 msga := {
 "alertMessage": sprintf("Subject: %s-%s can do port forwarding", [subjectVector.kind, subjectVector.name]),
 "alertScore": 3,
+ "reviewPaths": finalpath,
 "failedPaths": finalpath,
 "fixPaths": [],
 "packagename": "armo_builtins",
diff --git a/rules/rule-can-portforward/raw.rego b/rules/rule-can-portforward/raw.rego
index 0bc0c21d8..69ccb7a1c 100644
--- a/rules/rule-can-portforward/raw.rego
+++ b/rules/rule-can-portforward/raw.rego
@@ -21,6 +21,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("the following %v: %v, can do port forwarding", [subject.kind, subject.name]),
 "alertScore": 9,
+ "deletePaths": [path],
 "failedPaths": [path],
 "packagename": "armo_builtins",
 "alertObject": {
diff --git a/rules/rule-can-ssh-to-pod-v1/raw.rego b/rules/rule-can-ssh-to-pod-v1/raw.rego
index e380442b6..9ed072201 100644
--- a/rules/rule-can-ssh-to-pod-v1/raw.rego
+++ b/rules/rule-can-ssh-to-pod-v1/raw.rego
@@ -27,6 +27,7 @@ deny[msga] {
 "alertMessage": sprintf("pod %v/%v exposed by SSH services: %v", [podns, podname, service]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "alertObject": {
@@ -58,6 +59,7 @@ deny[msga] {
 "alertMessage": sprintf("%v: %v is exposed by SSH services: %v", [wl.kind, wl.metadata.name, service]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": [path],
 "failedPaths": [path],
 "alertObject": {
 "k8sApiObjects": [],
@@ -87,6 +89,7 @@ deny[msga] {
 "alertMessage": sprintf("%v: %v is exposed by SSH services: %v", [wl.kind, wl.metadata.name, service]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": [path],
 "failedPaths": [path],
 "alertObject": {
 "k8sApiObjects": [],
diff --git a/rules/rule-can-ssh-to-pod/raw.rego b/rules/rule-can-ssh-to-pod/raw.rego
index f137e2156..7421aaf05 100644
--- a/rules/rule-can-ssh-to-pod/raw.rego
+++ b/rules/rule-can-ssh-to-pod/raw.rego
@@ -23,6 +23,7 @@ deny[msga] {
 "alertMessage": sprintf("pod %v/%v exposed by SSH services: %v", [podns, podname, service]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "deletePaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "alertObject": {
diff --git a/rules/rule-can-update-configmap-v1/raw.rego b/rules/rule-can-update-configmap-v1/raw.rego
index da0e2c6dd..d93ded517 100644
--- a/rules/rule-can-update-configmap-v1/raw.rego
+++ b/rules/rule-can-update-configmap-v1/raw.rego
@@ -39,6 +39,7 @@ rule_path := sprintf("relatedObjects[%d].rules[%d]", [i, p])
 msga := {
 "alertMessage": sprintf("Subject: %s-%s can modify 'coredns' configmap", [subjectVector.kind, subjectVector.name]),
 "alertScore": 3,
+ "reviewPaths": finalpath,
 "failedPaths": finalpath,
 "fixPaths": [],
 "packagename": "armo_builtins",
@@ -85,6 +86,7 @@ rule_path := sprintf("relatedObjects[%d].rules[%d]", [i, p])
 msga := {
 "alertMessage": sprintf("Subject: %s-%s can modify 'coredns' configmap", [subjectVector.kind, subjectVector.name]),
 "alertScore": 3,
+ "reviewPaths": finalpath,
 "failedPaths": finalpath,
 "packagename": "armo_builtins",
 "alertObject": {
diff --git a/rules/rule-can-update-configmap/raw.rego b/rules/rule-can-update-configmap/raw.rego
index 4e75b016b..4cb945719 100644
--- a/rules/rule-can-update-configmap/raw.rego
+++ b/rules/rule-can-update-configmap/raw.rego
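Review bot: The rule-can-ssh-to-pod hunk marks the same `[path]` as `deletePaths`, while the three rule-can-ssh-to-pod-v1 hunks (two on L20, one at the top of this line) raise the identical "exposed by SSH services" finding with `reviewPaths`; the alert messages are word-for-word the same, so a consumer sees one rule propose automatic deletion and the other manual review for one condition. Either align the non-v1 rule to `"reviewPaths": [path],` or add a comment explaining why deletion is safe here, since `path` is bound outside the hunk and the diff does not show what it points to.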
@@ -30,6 +30,7 @@ deny [msga] {
 msga := {
 "alertMessage": sprintf("The following %v: %v can modify 'coredns' configmap", [subject.kind, subject.name]),
 "alertScore": 6,
+ "deletePaths": [path],
 "failedPaths": [path],
 "packagename": "armo_builtins",
 "alertObject": {
diff --git a/rules/rule-credentials-configmap/raw.rego b/rules/rule-credentials-configmap/raw.rego
index 6910faa3a..7486b62d2 100644
--- a/rules/rule-credentials-configmap/raw.rego
+++ b/rules/rule-credentials-configmap/raw.rego
@@ -19,6 +19,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("this configmap has sensitive information: %v", [configmap.metadata.name]),
 "alertScore": 9,
+ "deletePaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "packagename": "armo_builtins",
diff --git a/rules/rule-credentials-in-env-var/raw.rego b/rules/rule-credentials-in-env-var/raw.rego
index e3a2e586c..328efc25a 100644
--- a/rules/rule-credentials-in-env-var/raw.rego
+++ b/rules/rule-credentials-in-env-var/raw.rego
@@ -22,6 +22,7 @@
 "alertMessage": sprintf("Pod: %v has sensitive information in environment variables", [pod.metadata.name]),
 "alertScore": 9,
 "fixPaths": [],
+ "deletePaths": [path],
 "failedPaths": [path],
 "packagename": "armo_builtins",
 "alertObject": {
diff --git a/rules/rule-excessive-delete-rights-v1/raw.rego b/rules/rule-excessive-delete-rights-v1/raw.rego
index ef874e0f3..2be6ff5b1 100644
--- a/rules/rule-excessive-delete-rights-v1/raw.rego
+++ b/rules/rule-excessive-delete-rights-v1/raw.rego
@@ -39,6 +39,7 @@ rule_path := sprintf("relatedObjects[%d].rules[%d]", [i, p])
 "alertMessage": sprintf("Subject: %s-%s can delete important resources", [subjectVector.kind, subjectVector.name]),
 "alertScore": 3,
 "fixPaths": [],
+ "reviewPaths": finalpath,
 "failedPaths": finalpath,
 "packagename": "armo_builtins",
 "alertObject": {
diff --git a/rules/rule-excessive-delete-rights/raw.rego b/rules/rule-excessive-delete-rights/raw.rego
index 88a0606e0..a5560634f 100644
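Review bot: In the rule-credentials-configmap and rule-credentials-in-env-var hunks, `deletePaths: [path]` points at the configmap key or env entry that holds the credential, so applying the fix removes a value the workload reads at runtime; unlike the securityContext deletions elsewhere in this commit, that is a behaviour-changing remediation rather than a hardening one, and the rule gives the consumer no signal of that. A short comment on each `msga` would make the intent explicit, e.g. `# deleting this path removes the value from the workload; the credential must be re-supplied via a Secret reference`. The rule-secrets-in-env-var hunks on L26 take the same deletion approach and would benefit from the same note; the deny bodies that bind `path` start outside these hunks.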
--- a/rules/rule-excessive-delete-rights/raw.rego
+++ b/rules/rule-excessive-delete-rights/raw.rego
@@ -24,6 +24,7 @@ deny[msga] {
 "alertMessage": sprintf("The following %v: %v can delete important resources", [subject.kind, subject.name]),
 "alertScore": 9,
 "fixPaths": [],
+ "deletePaths": [path],
 "failedPaths": [path],
 "packagename": "armo_builtins",
 "alertObject": {
@@ -58,6 +59,7 @@ deny[msga] {
 "alertMessage": sprintf("The following %v: %v can delete important resources", [subject.kind, subject.name]),
 "alertScore": 9,
 "fixPaths": [],
+ "deletePaths": [path],
 "failedPaths": [path],
 "packagename": "armo_builtins",
 "alertObject": {
@@ -92,6 +94,7 @@ deny[msga] {
 "alertMessage": sprintf("The following %v: %v can delete important resources", [subject.kind, subject.name]),
 "alertScore": 9,
 "fixPaths": [],
+ "deletePaths": [path],
 "failedPaths": [path],
 "packagename": "armo_builtins",
 "alertObject": {
diff --git a/rules/rule-identify-blocklisted-image-registries-v1/raw.rego b/rules/rule-identify-blocklisted-image-registries-v1/raw.rego
index e7ac5213c..b6d018d2f 100644
--- a/rules/rule-identify-blocklisted-image-registries-v1/raw.rego
+++ b/rules/rule-identify-blocklisted-image-registries-v1/raw.rego
@@ -14,6 +14,7 @@ untrustedImageRepo[msga] {
 "packagename": "armo_builtins",
 "alertScore": 2,
 "fixPaths": [],
+ "reviewPaths": [path],
 "failedPaths": [path],
 "alertObject": {"k8sApiObjects": [wl]},
 }
diff --git a/rules/rule-identify-blocklisted-image-registries/raw.rego b/rules/rule-identify-blocklisted-image-registries/raw.rego
index 1882343c5..add46113a 100644
--- a/rules/rule-identify-blocklisted-image-registries/raw.rego
+++ b/rules/rule-identify-blocklisted-image-registries/raw.rego
@@ -16,6 +16,7 @@ untrustedImageRepo[msga] {
 "packagename": "armo_builtins",
 "alertScore": 2,
 "fixPaths": [],
+ "reviewPaths": [path],
 "failedPaths": [path],
 "alertObject": {
 "k8sApiObjects": [pod]
@@ -37,6 +38,7 @@ untrustedImageRepo[msga] {
 "packagename": "armo_builtins",
 "alertScore": 2,
 "fixPaths": [],
+ "reviewPaths": [path],
 "failedPaths": [path],
 "alertObject": {
 "k8sApiObjects": [wl]
@@ -57,6 +59,7 @@ untrustedImageRepo[msga] {
 "packagename": "armo_builtins",
 "alertScore": 2,
 "fixPaths": [],
+ "reviewPaths": [path],
 "failedPaths": [path],
 "alertObject": {
 "k8sApiObjects": [wl]
diff --git a/rules/rule-identify-old-k8s-registry/raw.rego b/rules/rule-identify-old-k8s-registry/raw.rego
index 43ccb8625..8fa4d83a3 100644
--- a/rules/rule-identify-old-k8s-registry/raw.rego
+++ b/rules/rule-identify-old-k8s-registry/raw.rego
@@ -15,6 +15,7 @@ deprecatedK8sRepo[msga] {
 "packagename": "armo_builtins",
 "alertScore": 2,
 "fixPaths": [],
+ "reviewPaths": [path],
 "failedPaths": [path],
 "alertObject": {
 "k8sApiObjects": [pod]
@@ -37,6 +38,7 @@ deprecatedK8sRepo[msga] {
 "packagename": "armo_builtins",
 "alertScore": 2,
 "fixPaths": [],
+ "reviewPaths": [path],
 "failedPaths": [path],
 "alertObject": {
 "k8sApiObjects": [wl]
@@ -58,6 +60,7 @@ deprecatedK8sRepo[msga] {
 "packagename": "armo_builtins",
 "alertScore": 2,
 "fixPaths": [],
+ "reviewPaths": [path],
 "failedPaths": [path],
 "alertObject": {
 "k8sApiObjects": [wl]
diff --git a/rules/rule-list-all-cluster-admins-v1/raw.rego b/rules/rule-list-all-cluster-admins-v1/raw.rego
index 62d90b755..ebcb6805c 100644
--- a/rules/rule-list-all-cluster-admins-v1/raw.rego
+++ b/rules/rule-list-all-cluster-admins-v1/raw.rego
@@ -40,6 +40,7 @@ is_same_subjects(subjectVector, subject)
 "alertMessage": sprintf("Subject: %s-%s have high privileges, such as cluster-admin", [subjectVector.kind, subjectVector.name]),
 "alertScore": 3,
 "fixPaths": [],
+ "reviewPaths": finalpath,
 "failedPaths": finalpath,
 "packagename": "armo_builtins",
 "alertObject": {
diff --git a/rules/rule-list-all-cluster-admins/raw.rego b/rules/rule-list-all-cluster-admins/raw.rego
index 2a4115184..fffa8bfa8 100644
--- a/rules/rule-list-all-cluster-admins/raw.rego
+++ b/rules/rule-list-all-cluster-admins/raw.rego
@@ -25,6 +25,7 @@ deny[msga] {
 "alertMessage": sprintf("The following %v: %v have high privileges, such as cluster-admin", [subject.kind, subject.name]),
 "alertScore": 9,
 "fixPaths": [],
+ "deletePaths": [path],
 "failedPaths": [path],
 "packagename": "armo_builtins",
 "alertObject": {
@@ -60,6 +61,7 @@ deny[msga] {
 "alertMessage": sprintf("The following %v: %v have high privileges, such as cluster-admin", [subject.kind, subject.name]),
 "alertScore": 9,
 "fixPaths": [],
+ "deletePaths": [path],
 "failedPaths": [path],
 "packagename": "armo_builtins",
 "alertObject": {
@@ -95,6 +97,7 @@ deny[msga] {
 "alertMessage": sprintf("The following %v: %v have high privileges, such as cluster-admin", [subject.kind, subject.name]),
 "alertScore": 9,
 "fixPaths": [],
+ "deletePaths": [path],
 "failedPaths": [path],
 "packagename": "armo_builtins",
 "alertObject": {
diff --git a/rules/rule-privileged-container/raw.rego b/rules/rule-privileged-container/raw.rego
index fc8e63c8f..d48eef6c9 100644
--- a/rules/rule-privileged-container/raw.rego
+++ b/rules/rule-privileged-container/raw.rego
@@ -16,6 +16,7 @@ deny[msga] {
 "packagename": "armo_builtins",
 "alertScore": 3,
 "fixPaths": [],
+ "deletePaths": path,
 "failedPaths": path,
 "alertObject": {
 "k8sApiObjects": [pod]
@@ -38,6 +39,7 @@ deny[msga] {
 "packagename": "armo_builtins",
 "alertScore": 3,
 "fixPaths": [],
+ "deletePaths": path,
 "failedPaths": path,
 "alertObject": {
 "k8sApiObjects": [wl]
@@ -58,6 +60,7 @@ deny[msga] {
 "packagename": "armo_builtins",
 "alertScore": 3,
 "fixPaths": [],
+ "deletePaths": path,
 "failedPaths": path,
 "alertObject": {
 "k8sApiObjects": [wl]
diff --git a/rules/rule-secrets-in-env-var/raw.rego b/rules/rule-secrets-in-env-var/raw.rego
index ab63c5590..cb7e96da6 100644
--- a/rules/rule-secrets-in-env-var/raw.rego
+++ b/rules/rule-secrets-in-env-var/raw.rego
@@ -14,6 +14,7 @@ deny[msga] {
 "alertMessage": sprintf("Pod: %v has secrets in environment variables", [pod.metadata.name]),
 "alertScore": 9,
 "fixPaths": [],
+ "deletePaths": [path],
 "failedPaths": [path],
 "packagename": "armo_builtins",
 "alertObject": {
@@ -36,6 +37,7 @@ deny[msga] {
 "alertMessage": sprintf("%v: %v has secrets in environment variables", [wl.kind, wl.metadata.name]),
 "alertScore": 9,
 "fixPaths": [],
+ "deletePaths": [path],
 "failedPaths": [path],
 "packagename": "armo_builtins",
 "alertObject": {
@@ -57,6 +59,7 @@ deny[msga] {
 "alertMessage": sprintf("Cronjob: %v has secrets in environment variables", [wl.metadata.name]),
 "alertScore": 9,
 "fixPaths": [],
+ "deletePaths": [path],
 "failedPaths": [path],
 "packagename": "armo_builtins",
 "alertObject": {
diff --git a/rules/secret-etcd-encryption-cloud/raw.rego b/rules/secret-etcd-encryption-cloud/raw.rego
index c0df4a2f5..5cf12a7c9 100644
--- a/rules/secret-etcd-encryption-cloud/raw.rego
+++ b/rules/secret-etcd-encryption-cloud/raw.rego
@@ -66,6 +66,7 @@ deny[msga] {
 "alertMessage": "etcd/secret encryption is not enabled",
 "alertScore": 3,
 "packagename": "armo_builtins",
+ "reviewPaths": ["data.database_encryption.state"],
 "failedPaths": ["data.database_encryption.state"],
 "fixPaths": [],
 "fixCommand": "gcloud container clusters update --region= --database-encryption-key=/locations//keyRings//cryptoKeys/ --project=",
diff --git a/rules/service-in-default-namespace/raw.rego b/rules/service-in-default-namespace/raw.rego
index 716352f01..de13fc0b6 100644
--- a/rules/service-in-default-namespace/raw.rego
+++ b/rules/service-in-default-namespace/raw.rego
@@ -9,6 +9,7 @@ deny[msga] {
 "alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 3,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixed_path,
 "alertObject": {
diff --git a/rules/serviceaccount-in-default-namespace/raw.rego b/rules/serviceaccount-in-default-namespace/raw.rego
index 716352f01..de13fc0b6 100644
--- a/rules/serviceaccount-in-default-namespace/raw.rego
+++ b/rules/serviceaccount-in-default-namespace/raw.rego
@@ -9,6 +9,7 @@ deny[msga] {
 "alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 3,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixed_path,
 "alertObject": {
diff --git a/rules/serviceaccount-token-mount/raw.rego b/rules/serviceaccount-token-mount/raw.rego
index e8d4f2977..ed77b666d 100644
--- a/rules/serviceaccount-token-mount/raw.rego
+++ b/rules/serviceaccount-token-mount/raw.rego
@@ -20,6 +20,7 @@ deny[msga] {
 "packagename": "armo_builtins",
 "alertScore": 9,
 "fixPaths": fixed_path,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "alertObject": {
 "k8sApiObjects": [wl]
diff --git a/rules/set-fsgroup-value/raw.rego b/rules/set-fsgroup-value/raw.rego
index ff9429858..9d81b6076 100644
--- a/rules/set-fsgroup-value/raw.rego
+++ b/rules/set-fsgroup-value/raw.rego
@@ -23,6 +23,7 @@ deny[msga] {
 "alertMessage": sprintf("Pod: %v does not set 'securityContext.fsGroup' with allowed value", [pod.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": paths["failedPaths"],
 "failedPaths": paths["failedPaths"],
 "fixPaths": paths["fixPaths"],
 "alertObject": {
@@ -51,6 +52,7 @@ deny[msga] {
 "alertMessage": sprintf("CronJob: %v does not set 'securityContext.fsGroup' with allowed value", [cj.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": paths["failedPaths"],
 "failedPaths": paths["failedPaths"],
 "fixPaths": paths["fixPaths"],
 "alertObject": {
@@ -79,6 +81,7 @@ deny[msga] {
 "alertMessage": sprintf("Workload: %v does not set 'securityContext.fsGroup' with allowed value", [wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": paths["failedPaths"],
 "failedPaths": paths["failedPaths"],
 "fixPaths": paths["fixPaths"],
 "alertObject": {
diff --git a/rules/set-procmount-default/raw.rego b/rules/set-procmount-default/raw.rego
index 35d56eca5..71b43255e 100644
--- a/rules/set-procmount-default/raw.rego
+++ b/rules/set-procmount-default/raw.rego
@@ -20,6 +20,7 @@ deny[msga] {
 "alertMessage": sprintf("Pod: %v has containers that do not set 'securityContext.procMount' to 'Default'", [pod.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "alertObject": {
@@ -48,6 +49,7 @@ deny[msga] {
 "alertMessage": sprintf("Workload: %v has containers that do not set 'securityContext.procMount' to 'Default'", [wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "alertObject": {
@@ -75,6 +77,7 @@ deny[msga] {
 "alertMessage": sprintf("CronJob: %v has containers that do not set 'securityContext.procMount' to 'Default'", [cj.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "alertObject": {
diff --git a/rules/set-seccomp-profile-RuntimeDefault/raw.rego b/rules/set-seccomp-profile-RuntimeDefault/raw.rego
index 40b04d6ef..68fe84e3a 100644
--- a/rules/set-seccomp-profile-RuntimeDefault/raw.rego
+++ b/rules/set-seccomp-profile-RuntimeDefault/raw.rego
@@ -18,6 +18,7 @@ deny[msga] {
 "alertMessage": sprintf("Pod: %v does not define seccompProfile as RuntimeDefault", [wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": seccompProfile_result.failed_path,
 "failedPaths": seccompProfile_result.failed_path,
 "fixPaths": seccompProfile_result.fix_path,
 "alertObject": {
@@ -45,6 +46,7 @@ deny[msga] {
 "alertMessage": sprintf("Workload: %v does not define seccompProfile as RuntimeDefault", [wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": seccompProfile_result.failed_path,
 "failedPaths": seccompProfile_result.failed_path,
 "fixPaths": seccompProfile_result.fix_path,
 "alertObject": {
@@ -72,6 +74,7 @@ deny[msga] {
 "alertMessage": sprintf("Cronjob: %v does not define seccompProfile as RuntimeDefault", [wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": seccompProfile_result.failed_path,
 "failedPaths": seccompProfile_result.failed_path,
 "fixPaths": seccompProfile_result.fix_path,
 "alertObject": {
diff --git a/rules/set-supplementalgroups-values/raw.rego b/rules/set-supplementalgroups-values/raw.rego
index e0e008dda..caca884db 100644
--- a/rules/set-supplementalgroups-values/raw.rego
+++ b/rules/set-supplementalgroups-values/raw.rego
@@ -16,6 +16,7 @@ deny[msga] {
 "alertMessage": sprintf("Pod: %v does not set 'securityContext.supplementalGroups'", [pod.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "alertObject": {
@@ -41,6 +42,7 @@ deny[msga] {
 "alertMessage": sprintf("Workload: %v does not set 'securityContext.supplementalGroups'", [wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "alertObject": {
@@ -65,6 +67,7 @@ deny[msga] {
 "alertMessage": sprintf("CronJob: %v does not set 'securityContext.supplementalGroups'", [cj.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "alertObject": {
diff --git a/rules/sudo-in-container-entrypoint/raw.rego b/rules/sudo-in-container-entrypoint/raw.rego
index 70f14869c..097f36bc7 100644
--- a/rules/sudo-in-container-entrypoint/raw.rego
+++ b/rules/sudo-in-container-entrypoint/raw.rego
@@ -12,6 +12,7 @@ deny[msga] {
 "packagename": "armo_builtins",
 "alertScore": 7,
 "fixPaths": [],
+ "reviewPaths": result,
 "failedPaths": result,
 "alertObject": {
 "k8sApiObjects": [pod]
@@ -31,6 +32,7 @@ deny[msga] {
 "packagename": "armo_builtins",
 "alertScore": 7,
 "fixPaths": [],
+ "reviewPaths": result,
 "failedPaths": result,
 "alertObject": {
 "k8sApiObjects": [wl]
@@ -49,6 +51,7 @@ deny[msga] {
 "packagename": "armo_builtins",
 "alertScore": 7,
 "fixPaths": [],
+ "reviewPaths": result,
 "failedPaths": result,
 "alertObject": {
 "k8sApiObjects": [wl]
diff --git a/rules/verify-image-signature/raw.rego b/rules/verify-image-signature/raw.rego
index e30eccd98..fc74eb05d 100644
--- a/rules/verify-image-signature/raw.rego
+++ b/rules/verify-image-signature/raw.rego
@@ -14,6 +14,7 @@ deny[msga] {
 "alertMessage": sprintf("signature not verified for image: %v", [container.image]),
 "alertScore": 7,
 "fixPaths": [],
+ "reviewPaths": [container.image],
 "failedPaths": [container.image],
 "packagename": "armo_builtins",
 "alertObject": {
@@ -35,6 +36,7 @@ deny[msga] {
 "alertMessage": sprintf("signature not verified for image: %v", [container.image]),
 "alertScore": 7,
 "fixPaths": [],
+ "reviewPaths": [container.image],
 "failedPaths": [container.image],
 "packagename": "armo_builtins",
 "alertObject": {
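Review bot: In the two verify-image-signature hunks `"reviewPaths": [container.image]` stores the image reference string itself, not a path into the object, so any consumer that resolves `reviewPaths` against the workload (as the other rules' `spec....` paths allow) finds nothing; the new key copies a pre-existing oddity of `failedPaths` into a second field instead of correcting it. The container index that the enclosing deny iterates over is outside the hunk, but the review location should be built from it, along the lines of `"reviewPaths": [sprintf("spec.containers[%d].image", [<container index>])],` (placeholder for whatever index variable the deny binds). The third hunk of this file at the start of L31 has the same issue.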
@@ -56,6 +58,7 @@ deny[msga] {
 "alertMessage": sprintf("signature not verified for image: %v", [container.image]),
 "alertScore": 7,
 "fixPaths": [],
+ "reviewPaths": [container.image],
 "failedPaths": [container.image],
 "packagename": "armo_builtins",
 "alertObject": {
diff --git a/rules/workload-mounted-configmap/raw.rego b/rules/workload-mounted-configmap/raw.rego
index ad01ec974..c51dd4dfc 100644
--- a/rules/workload-mounted-configmap/raw.rego
+++ b/rules/workload-mounted-configmap/raw.rego
@@ -18,14 +18,15 @@ deny[msga] {
 container.volumeMounts # check if volume is mounted
- container.volumeMounts[_].name == volume.name
+ container.volumeMounts[k].name == volume.name
- failedPaths := sprintf("%s[%d].volumeMounts", [concat(".", containers_path), j])
+ failedPaths := sprintf("%s[%d].volumeMounts[%d]", [concat(".", containers_path), j, k])
 msga := {
 "alertMessage": sprintf("%v: %v has mounted configMap", [resource.kind, resource.metadata.name]),
 "packagename": "armo_builtins",
+ "deletePaths": [failedPaths],
 "failedPaths": [failedPaths],
 "fixPaths":[],
 "alertObject": {
diff --git a/rules/workload-mounted-configmap/test/failed_pod/expected.json b/rules/workload-mounted-configmap/test/failed_pod/expected.json
index 3c1fb7d93..1d1c00abf 100644
--- a/rules/workload-mounted-configmap/test/failed_pod/expected.json
+++ b/rules/workload-mounted-configmap/test/failed_pod/expected.json
@@ -2,7 +2,7 @@
 {
 "alertMessage": "Pod: mypod has mounted configMap",
 "failedPaths": [
- "spec.containers[0].volumeMounts"
+ "spec.containers[0].volumeMounts[1]"
 ],
 "fixPaths": [],
 "ruleStatus": "",
diff --git a/rules/workload-mounted-pvc/raw.rego b/rules/workload-mounted-pvc/raw.rego
index 1e9a535c3..c3f713abc 100644
--- a/rules/workload-mounted-pvc/raw.rego
+++ b/rules/workload-mounted-pvc/raw.rego
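Review bot: The workload-mounted-configmap rego now emits `"deletePaths": [failedPaths]`, but the accompanying `expected.json` hunk only changes the `failedPaths` value to `spec.containers[0].volumeMounts[1]` and adds no `deletePaths` key; if the test harness compares the whole result object the test fails, and if it compares only listed keys the new field is simply unverified, so the fixture should gain `"deletePaths": ["spec.containers[0].volumeMounts[1]"],`. Binding the mount index to `k` instead of `_` also means a volume mounted twice in the same container now yields two findings where the old rule produced one, which is reasonable but worth a comment on the `failedPaths :=` line. The same fixture gap applies to workload-mounted-pvc and workload-mounted-secrets on L32 and L33; the deny bodies begin outside these hunks.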
@@ -18,13 +18,14 @@ deny[msga] {
 container.volumeMounts # check if volume is mounted
- container.volumeMounts[_].name == volume.name
+ container.volumeMounts[k].name == volume.name
- failedPaths := sprintf("%s[%d].volumeMounts", [concat(".", containers_path), j])
+ failedPaths := sprintf("%s[%d].volumeMounts[%d]", [concat(".", containers_path), j, k])
 msga := {
 "alertMessage": sprintf("%v: %v has mounted PVC", [resource.kind, resource.metadata.name]),
 "packagename": "armo_builtins",
+ "deletePaths": [failedPaths],
 "failedPaths": [failedPaths],
 "fixPaths":[],
 "alertObject": {
diff --git a/rules/workload-mounted-pvc/test/failed_pod_mounted/expected.json b/rules/workload-mounted-pvc/test/failed_pod_mounted/expected.json
index 724d982bb..9c86b72e6 100644
--- a/rules/workload-mounted-pvc/test/failed_pod_mounted/expected.json
+++ b/rules/workload-mounted-pvc/test/failed_pod_mounted/expected.json
@@ -2,7 +2,7 @@
 {
 "alertMessage": "Pod: mypod has mounted PVC",
 "failedPaths": [
- "spec.containers[0].volumeMounts"
+ "spec.containers[0].volumeMounts[0]"
 ],
 "fixPaths": [],
 "ruleStatus": "",
diff --git a/rules/workload-mounted-secrets/raw.rego b/rules/workload-mounted-secrets/raw.rego
index fa6076cd7..713dabb0c 100644
--- a/rules/workload-mounted-secrets/raw.rego
+++ b/rules/workload-mounted-secrets/raw.rego
@@ -18,13 +18,14 @@ deny[msga] {
 container.volumeMounts # check if volume is mounted
- container.volumeMounts[_].name == volume.name
+ container.volumeMounts[k].name == volume.name
- failedPaths := sprintf("%s[%d].volumeMounts", [concat(".", containers_path), j])
+ failedPaths := sprintf("%s[%d].volumeMounts[%d]", [concat(".", containers_path), j, k])
 msga := {
 "alertMessage": sprintf("%v: %v has mounted secret", [resource.kind, resource.metadata.name]),
 "packagename": "armo_builtins",
+ "deletePaths": [failedPaths],
 "failedPaths": [failedPaths],
 "fixPaths":[],
 "alertObject": {
diff --git a/rules/workload-mounted-secrets/test/failed/expected.json b/rules/workload-mounted-secrets/test/failed/expected.json
index b377a75e1..aa3edc9cf 100644
--- a/rules/workload-mounted-secrets/test/failed/expected.json
+++ b/rules/workload-mounted-secrets/test/failed/expected.json
@@ -2,7 +2,7 @@
 {
 "alertMessage": "Pod: mypod has mounted secret",
 "failedPaths": [
- "spec.containers[0].volumeMounts"
+ "spec.containers[0].volumeMounts[0]"
 ],
 "fixPaths": [],
 "ruleStatus": "",