Merge pull request #508 from kubescape/delete-review-path

start adding delete / review paths

rules/CVE-2021-25741/raw.rego

@@ -14,6 +14,7 @@ deny[msga] {
 	msga := {
 			"alertMessage": sprintf("You may be vulnerable to CVE-2021-25741. You have a Node with a vulnerable version and the following container : %v in pod : %v with subPath/subPathExpr", [container.name, pod.metadata.name]),
 			"alertObject": {"k8SApiObjects": [pod]},
+			"deletePaths": final_path,
 			"failedPaths": final_path,
 			"fixPaths": [],
 		}
@@ -34,6 +35,7 @@ deny[msga] {
 	msga := {
 	"alertMessage": sprintf("You may be vulnerable to CVE-2021-25741. You have a Node with a vulnerable version and the following container : %v in %v : %v with subPath/subPathExpr", [container.name, wl.kind, wl.metadata.name]),
 			"alertObject": {"k8SApiObjects": [wl]},
+			"deletePaths": final_path,
 			"failedPaths": final_path,
 			"fixPaths": [],
 		}
@@ -54,6 +56,7 @@ deny[msga] {
 	msga := {
 		"alertMessage": sprintf("You may be vulnerable to CVE-2021-25741. You have a Node with a vulnerable version and the following container : %v in %v : %v with subPath/subPathExpr", [container.name, wl.kind, wl.metadata.name]),
 			"alertObject": {"k8SApiObjects": [wl]},
+			"deletePaths": final_path,
 			"failedPaths": final_path,
 			"fixPaths": [],
 		}

rules/alert-any-hostpath/raw.rego

@@ -15,6 +15,7 @@ deny[msga] {
 		"alertMessage": sprintf("pod: %v has: %v as hostPath volume", [podname, volume.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
+		"deletePaths": [result],
 		"failedPaths": [result],
 		"fixPaths":[],
 		"alertObject": {
@@ -38,6 +39,7 @@ deny[msga] {
 		"alertMessage": sprintf("%v: %v has: %v as hostPath volume", [wl.kind, wl.metadata.name, volume.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
+		"deletePaths": [result],
 		"failedPaths": [result],
 		"fixPaths":[],
 		"alertObject": {
@@ -58,6 +60,7 @@ deny[msga] {
 		"alertMessage": sprintf("%v: %v has: %v as hostPath volume", [wl.kind, wl.metadata.name, volume.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
+		"deletePaths": [result],
 		"failedPaths": [result],
 		"fixPaths":[],
 		"alertObject": {

rules/alert-container-optimized-os-not-in-use/raw.rego

@@ -27,6 +27,7 @@ deny[msga] {
 		"packagename": "armo_builtins",
 
 		"alertScore": 7,
+		"reviewPaths": failedPaths,
 		"failedPaths": failedPaths,
 		"fixPaths": [],
 		"alertObject": {

rules/alert-mount-potential-credentials-paths/raw.rego

@@ -16,6 +16,7 @@ deny[msga] {
 		"alertMessage": sprintf("%v: %v has: %v as volume with potential credentials access.", [resources.kind, resources.metadata.name, volume.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
+		"deletePaths": [result],
 		"failedPaths": [result],
 		"fixPaths":[],
 		"alertObject": {

rules/alert-rw-hostpath/raw.rego

@@ -23,6 +23,7 @@ deny[msga] {
 		"packagename": "armo_builtins",
 		"alertScore": 7,
 		"fixPaths": fixed_path,
+		"deletePaths": failed_path,
 		"failedPaths": failed_path,
 		"alertObject": {
 			"k8sApiObjects": [pod]
@@ -51,6 +52,7 @@ deny[msga] {
 		"packagename": "armo_builtins",
 		"alertScore": 7,
 		"fixPaths": fixed_path,
+		"deletePaths": failed_path,
 		"failedPaths": failed_path,
 		"alertObject": {
 			"k8sApiObjects": [wl]
@@ -81,6 +83,7 @@ deny[msga] {
 	"packagename": "armo_builtins",
 	"alertScore": 7,
 	"fixPaths": fixed_path,
+	"deletePaths": failed_path,
 	"failedPaths": failed_path,
 	"alertObject": {
 			"k8sApiObjects": [wl]

rules/anonymous-requests-to-kubelet-updated/raw.rego

@@ -57,6 +57,7 @@ deny[msga] {
 	msga := {
 		"alertMessage": "Anonymous requests is enabled.",
 		"alertScore": 7,
+		"reviewPaths": ["authentication.anonymous.enabled"],
 		"failedPaths": ["authentication.anonymous.enabled"],
 		"fixPaths": [],
 		"packagename": "armo_builtins",

rules/automount-default-service-account/raw.rego

@@ -14,6 +14,7 @@ deny [msga]{
 		"alertScore": 9,
 		"packagename": "armo_builtins",
 		"fixPaths": fixed_path,
+		"deletePaths": failed_path,
 		"failedPaths": failed_path,
 		"alertObject": {
 			"k8sApiObjects": [service_account]

rules/automount-service-account/raw.rego

@@ -13,6 +13,7 @@ deny [msga]{
 		"alertScore": 9,
 		"packagename": "armo_builtins",
 		"fixPaths": fixed_path,
+		"deletePaths": failed_path,
 		"failedPaths": failed_path,
 		"alertObject": {
 			"k8sApiObjects": [service_account]
@@ -40,6 +41,7 @@ deny [msga]{
 		"alertScore": 9,
 		"packagename": "armo_builtins",
 		"fixPaths": fixed_path,
+		"deletePaths": failed_path,
 		"failedPaths": failed_path,
 		"alertObject": {
 			"k8sApiObjects": [pod]
@@ -64,6 +66,7 @@ deny[msga] {
 		"packagename": "armo_builtins",
 		"alertScore": 7,
 		"fixPaths": fixed_path,
+		"deletePaths": failed_path,
 		"failedPaths": failed_path,
 		"alertObject": {
 			"k8sApiObjects": [wl]
@@ -88,6 +91,7 @@ deny[msga] {
 		"packagename": "armo_builtins",
 		"alertScore": 7,
 		"fixPaths": fixed_path,
+		"deletePaths": failed_path,
 		"failedPaths": failed_path,
 		"alertObject": {
 			"k8sApiObjects": [wl]

rules/cluster-admin-role/raw.rego

@@ -45,6 +45,7 @@ deny[msga] {
 		"alertMessage": sprintf("Subject: %s-%s is bound to cluster-admin role", [subjectVector.kind, subjectVector.name]),
 		"alertScore": 3,
 		"fixPaths": [],
+		"deletePaths": finalpath,
 		"failedPaths": finalpath,
 		"packagename": "armo_builtins",
 		"alertObject": {

rules/configmap-in-default-namespace/raw.rego

@@ -9,6 +9,7 @@ deny[msga] {
 		"alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 3,
+		"reviewPaths": failed_path,
 		"failedPaths": failed_path,
 		"fixPaths": fixed_path,
 		"alertObject": {

rules/container-hostPort/raw.rego

@@ -12,6 +12,7 @@ deny[msga] {
 		"alertMessage": sprintf("Container: %v has Host-port", [ container.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 4,
+		"deletePaths": path,
 		"failedPaths": path,
 		"fixPaths":[],
 		"alertObject": {
@@ -32,6 +33,7 @@ deny[msga] {
 		"alertMessage": sprintf("Container: %v in %v: %v   has Host-port", [ container.name, wl.kind, wl.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 4,
+		"deletePaths": path,
 		"failedPaths": path,
 		"fixPaths":[],
 		"alertObject": {
@@ -51,6 +53,7 @@ deny[msga] {
 		"alertMessage": sprintf("Container: %v in %v: %v   has Host-port", [ container.name, wl.kind, wl.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 4,
+		"deletePaths": path,
 		"failedPaths": path,
 		"fixPaths":[],
 		"alertObject": {

rules/container-image-repository-v1/raw.rego

@@ -14,6 +14,7 @@ untrustedImageRepo[msga] {
 		"packagename": "armo_builtins",
 		"alertScore": 2,
 		"fixPaths": [],
+		"reviewPaths": [path],
 		"failedPaths": [path],
 		"alertObject": {"k8sApiObjects": [wl]},
 	}

rules/container-image-repository/raw.rego

@@ -14,6 +14,7 @@ untrusted_image_repo[msga] {
 		"alertMessage": sprintf("image '%v' in container '%s' comes from untrusted registry", [image, container.name]),
 		"alertScore": 2,
         "packagename": "armo_builtins",
+		"reviewPaths": [path],
 		"failedPaths": [path],
 		"fixPaths":[],
 		"alertObject": {
@@ -35,6 +36,7 @@ untrusted_image_repo[msga] {
 		"alertMessage": sprintf("image '%v' in container '%s' comes from untrusted registry", [image, container.name]),
 		"alertScore": 2,
         "packagename": "armo_builtins",
+		"reviewPaths": [path],
 		"failedPaths": [path],
 		"fixPaths":[],
 		"alertObject": {
@@ -55,6 +57,7 @@ untrusted_image_repo[msga] {
 		"alertMessage": sprintf("image '%v' in container '%s' comes from untrusted registry", [image, container.name]),
 		"alertScore": 2,
         "packagename": "armo_builtins",
+		"reviewPaths": [path],
 		"failedPaths": [path],
 		"fixPaths":[],
 			"alertObject": {

rules/containers-mounting-docker-socket/raw.rego

@@ -11,6 +11,7 @@ deny[msga] {
     msga := {
 		"alertMessage": sprintf("volume: %v in pod: %v has mounting to Docker internals.", [volume.name, pod.metadata.name]),
 		"packagename": "armo_builtins",
+		"deletePaths": [path],
 		"failedPaths": [path],
 		"fixPaths":[],
 		"alertScore": 5,
@@ -33,6 +34,7 @@ deny[msga] {
 	msga := {
 		"alertMessage": sprintf("volume: %v in %v: %v has mounting to Docker internals.", [ volume.name, wl.kind, wl.metadata.name]),
 		"packagename": "armo_builtins",
+		"deletePaths": [path],
 		"failedPaths": [path],
 		"fixPaths":[],
 		"alertScore": 5,
@@ -53,6 +55,7 @@ deny[msga] {
     msga := {
 		"alertMessage": sprintf("volume: %v in %v: %v has mounting to Docker internals.", [ volume.name, wl.kind, wl.metadata.name]),
 		"packagename": "armo_builtins",
+		"deletePaths": [path],
 		"failedPaths": [path],
 		"fixPaths":[],
 		"alertScore": 5,

rules/csistoragecapacity-in-default-namespace/raw.rego

@@ -9,6 +9,7 @@ deny[msga] {
 		"alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 3,
+		"reviewPaths": failed_path,
 		"failedPaths": failed_path,
 		"fixPaths": fixed_path,
 		"alertObject": {

rules/insecure-capabilities/raw.rego

@@ -12,6 +12,7 @@ deny[msga] {
 		"alertMessage": sprintf("container: %v in pod: %v  have dangerous capabilities", [container.name, pod.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
+		"deletePaths": result,
 		"failedPaths": result,
 		"fixPaths": [],
 		"alertObject": {
@@ -31,6 +32,7 @@ deny[msga] {
 		"alertMessage": sprintf("container: %v in workload: %v  have dangerous capabilities", [container.name, wl.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
+		"deletePaths": result,
 		"failedPaths": result,
 		"fixPaths": [],
 		"alertObject": {
@@ -49,6 +51,7 @@ deny[msga] {
 		"alertMessage": sprintf("container: %v in cronjob: %v  have dangerous capabilities", [container.name, wl.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
+		"deletePaths": result,
 		"failedPaths": result,
 		"fixPaths": [],
 		"alertObject": {