From e07de44d427b9ad1fc15de336a082e85ec34456d Mon Sep 17 00:00:00 2001
From: YiscahLevySilas1 <80635572+YiscahLevySilas1@users.noreply.github.com>
Date: Thu, 12 Oct 2023 18:40:45 +0300
Subject: [PATCH] Fix fixpath for controls C-0077 and C-0076 (#523)
* SUB-2185 - improve C-0262
Signed-off-by: YiscahLevySilas1
* minor fix
Signed-off-by: YiscahLevySilas1
* add [] to fixpath
Signed-off-by: YiscahLevySilas1
* add [] to fixpath
Signed-off-by: YiscahLevySilas1
* add [] to fixpath
Signed-off-by: YiscahLevySilas1
---------
Signed-off-by: YiscahLevySilas1
---
 rules/k8s-common-labels-usage/raw.rego | 6 +++---
 rules/k8s-common-labels-usage/test/cronjob/expected.json | 2 +-
 rules/k8s-common-labels-usage/test/pod/expected.json | 2 +-
 .../test/workload-fail/expected.json | 2 +-
 rules/label-usage-for-resources/raw.rego | 6 +++---
 rules/label-usage-for-resources/test/cronjob/expected.json | 4 ++--
 rules/label-usage-for-resources/test/pod/expected.json | 2 +-
 .../test/workload-fail/expected.json | 2 +-
 8 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/rules/k8s-common-labels-usage/raw.rego b/rules/k8s-common-labels-usage/raw.rego
index 238b41216..7a6a29c7e 100644
--- a/rules/k8s-common-labels-usage/raw.rego
+++ b/rules/k8s-common-labels-usage/raw.rego
@@ -87,21 +87,21 @@ no_K8s_label_usage(wl, podSpec, beggining_of_pod_path) = path{
 no_K8s_label_or_no_K8s_label_usage(wl, start_of_path) = path{
 not wl.metadata.labels
 label_key := get_label_key("")
- path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}]
+ path = [{"path": sprintf("%vmetadata.labels[%v]", [start_of_path, label_key]), "value": "YOUR_VALUE"}]
 }
 no_K8s_label_or_no_K8s_label_usage(wl, start_of_path) = path{
 metadata := wl.metadata
 not metadata.labels
 label_key := get_label_key("")
- path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}]
+ path = [{"path": sprintf("%vmetadata.labels[%v]", [start_of_path, label_key]), "value": "YOUR_VALUE"}]
 }
 no_K8s_label_or_no_K8s_label_usage(wl, start_of_path) = path{
 labels := wl.metadata.labels
 not all_kubernetes_labels(labels)
 label_key := get_label_key("")
- path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}]
+ path = [{"path": sprintf("%vmetadata.labels[%v]", [start_of_path, label_key]), "value": "YOUR_VALUE"}]
 }
 all_kubernetes_labels(labels){
diff --git a/rules/k8s-common-labels-usage/test/cronjob/expected.json b/rules/k8s-common-labels-usage/test/cronjob/expected.json
index 2f9d26829..39bd3724c 100644
--- a/rules/k8s-common-labels-usage/test/cronjob/expected.json
+++ b/rules/k8s-common-labels-usage/test/cronjob/expected.json
@@ -2,7 +2,7 @@
 "alertMessage": "the following cronjobs the kubernetes common labels are not defined: hello",
 "failedPaths": [],
 "fixPaths": [{
- "path": "spec.jobTemplate.spec.template.metadata.labels.app.kubernetes.io/name",
+ "path": "spec.jobTemplate.spec.template.metadata.labels[app.kubernetes.io/name]",
 "value": "YOUR_VALUE"
 }],
 "ruleStatus": "",
diff --git a/rules/k8s-common-labels-usage/test/pod/expected.json b/rules/k8s-common-labels-usage/test/pod/expected.json
index 2a4cac865..ee876ef1b 100644
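Review bot: The fixPath format string `"%vmetadata.labels[%v]"` is repeated in all three bodies of `no_K8s_label_or_no_K8s_label_usage`, and again in the three bodies of `no_label_or_no_label_usage` in rules/label-usage-for-resources/raw.rego, so this fix had to touch six identical lines. A small helper in each file, e.g. `label_fix_path(start_of_path, label_key) = [{"path": sprintf("%vmetadata.labels[%v]", [start_of_path, label_key]), "value": "YOUR_VALUE"}]`, would keep the format in one place, with a comment such as `# bracket form keeps a key containing dots (app.kubernetes.io/name) as a single path segment`. The key is interpolated unquoted, so the rule presumably relies on whatever consumes fixPaths treating everything between `[` and `]` as one key; neither that consumer nor `get_label_key` is visible in this hunk, so that contract is worth stating in the comment. The trailing `all_kubernetes_labels(labels){` rule continues outside the hunk.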
--- a/rules/k8s-common-labels-usage/test/pod/expected.json
+++ b/rules/k8s-common-labels-usage/test/pod/expected.json
@@ -2,7 +2,7 @@
 "alertMessage": "in the following pod the kubernetes common labels are not defined: command-demo",
 "failedPaths": [],
 "fixPaths": [{
- "path": "metadata.labels.YOUR_LABEL",
+ "path": "metadata.labels[YOUR_LABEL]",
 "value": "YOUR_VALUE"
 }],
 "ruleStatus": "",
diff --git a/rules/k8s-common-labels-usage/test/workload-fail/expected.json b/rules/k8s-common-labels-usage/test/workload-fail/expected.json
index 3a98cdfa0..105929639 100644
--- a/rules/k8s-common-labels-usage/test/workload-fail/expected.json
+++ b/rules/k8s-common-labels-usage/test/workload-fail/expected.json
@@ -2,7 +2,7 @@
 "alertMessage": "Deployment: kubernetes-dashboard the kubernetes common labels are is not defined:",
 "failedPaths": [],
 "fixPaths": [{
- "path": "spec.template.metadata.labels.app.kubernetes.io/name",
+ "path": "spec.template.metadata.labels[app.kubernetes.io/name]",
 "value": "YOUR_VALUE"
 }],
 "ruleStatus": "",
diff --git a/rules/label-usage-for-resources/raw.rego b/rules/label-usage-for-resources/raw.rego
index a8f8e82e8..06047c3b5 100644
--- a/rules/label-usage-for-resources/raw.rego
+++ b/rules/label-usage-for-resources/raw.rego
@@ -85,21 +85,21 @@ no_label_usage(wl, podSpec, beggining_of_pod_path) = path{
 no_label_or_no_label_usage(wl, start_of_path) = path{
 not wl.metadata
 label_key := get_label_key("")
- path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}]
+ path = [{"path": sprintf("%vmetadata.labels[%v]", [start_of_path, label_key]), "value": "YOUR_VALUE"}]
 }
 no_label_or_no_label_usage(wl, start_of_path) = path{
 metadata := wl.metadata
 not metadata.labels
 label_key := get_label_key("")
- path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}]
+ path = [{"path": sprintf("%vmetadata.labels[%v]", [start_of_path, label_key]), "value": "YOUR_VALUE"}]
 }
 no_label_or_no_label_usage(wl, start_of_path) = path{
 labels := wl.metadata.labels
 not is_desired_label(labels)
 label_key := get_label_key("")
- path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}]
+ path = [{"path": sprintf("%vmetadata.labels[%v]", [start_of_path, label_key]), "value": "YOUR_VALUE"}]
 }
 is_desired_label(labels) {
diff --git a/rules/label-usage-for-resources/test/cronjob/expected.json b/rules/label-usage-for-resources/test/cronjob/expected.json
index 595a928d3..8e24502e9 100644
--- a/rules/label-usage-for-resources/test/cronjob/expected.json
+++ b/rules/label-usage-for-resources/test/cronjob/expected.json
@@ -2,10 +2,10 @@
 "alertMessage": "the following cronjobs a certain set of labels is not defined: hello",
 "failedPaths": [],
 "fixPaths": [{
- "path": "metadata.labels.YOUR_LABEL",
+ "path": "metadata.labels[YOUR_LABEL]",
 "value": "YOUR_VALUE"
 }, {
- "path": "spec.jobTemplate.spec.template.metadata.labels.YOUR_LABEL",
+ "path": "spec.jobTemplate.spec.template.metadata.labels[YOUR_LABEL]",
 "value": "YOUR_VALUE"
 }],
 "ruleStatus": "",
diff --git a/rules/label-usage-for-resources/test/pod/expected.json b/rules/label-usage-for-resources/test/pod/expected.json
index ffcc45464..159053bb6 100644
--- a/rules/label-usage-for-resources/test/pod/expected.json
+++ b/rules/label-usage-for-resources/test/pod/expected.json
@@ -2,7 +2,7 @@
 "alertMessage": "in the following pods a certain set of labels is not defined: command-demo",
 "failedPaths": [],
 "fixPaths": [{
- "path": "metadata.labels.app",
+ "path": "metadata.labels[app]",
 "value": "YOUR_VALUE"
 }],
 "ruleStatus": "",
diff --git a/rules/label-usage-for-resources/test/workload-fail/expected.json b/rules/label-usage-for-resources/test/workload-fail/expected.json
index dcf7acfeb..ff103d96a 100644
--- a/rules/label-usage-for-resources/test/workload-fail/expected.json
+++ b/rules/label-usage-for-resources/test/workload-fail/expected.json
@@ -2,7 +2,7 @@
 "alertMessage": "Deployment: kubernetes-dashboard a certain set of labels is not defined:",
 "failedPaths": [],
 "fixPaths": [{
- "path": "spec.template.metadata.labels.app",
+ "path": "spec.template.metadata.labels[app]",
 "value": "YOUR_VALUE"
 }],
 "ruleStatus": "",