forked from elastic/cloudbeat
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
7988484
commit 3f77666
Showing
59 changed files
with
334 additions
and
383 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2 changes: 1 addition & 1 deletion
2
...liance/cis_k8s/rules/cis_1_2_11/test.rego → ...liance/cis_k8s/rules/cis_1_2_10/test.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
package compliance.cis_k8s.rules.cis_1_2_13 | ||
|
||
import data.compliance.cis_k8s | ||
import data.compliance.lib.common | ||
import data.compliance.lib.data_adapter | ||
|
||
# Ensure that the admission control plugin ServiceAccount is set (Automated) | ||
|
||
# evaluate | ||
process_args := data_adapter.process_args | ||
|
||
default rule_evaluation = false | ||
|
||
rule_evaluation { | ||
# Verify that the --disable-admission-plugins argument is set to a value that does not includes ServiceAccount. | ||
process_args["--disable-admission-plugins"] | ||
not common.arg_values_contains(process_args, "--disable-admission-plugins", "ServiceAccount") | ||
} | ||
|
||
finding = result { | ||
# filter | ||
data_adapter.is_kube_apiserver | ||
|
||
# set result | ||
result := { | ||
"evaluation": common.calculate_result(rule_evaluation), | ||
"evidence": {"process_args": process_args}, | ||
} | ||
} | ||
|
||
metadata = { | ||
"name": "Ensure that the admission control plugin ServiceAccount is set", | ||
"description": "When you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace. You should create your own service account and let the API server manage its security tokens.", | ||
"impact": "None", | ||
"tags": array.concat(cis_k8s.default_tags, ["CIS 1.2.13", "API Server"]), | ||
"benchmark": cis_k8s.benchmark_metadata, | ||
"remediation": "Follow the documentation and create ServiceAccount objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and ensure that the --disable-admission-plugins parameter is set to a value that does not include ServiceAccount.", | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
package compliance.cis_k8s.rules.cis_1_2_13 | ||
|
||
import data.kubernetes_common.test_data | ||
import data.lib.test | ||
|
||
test_violation { | ||
test.assert_fail(finding) with input as rule_input("") | ||
test.assert_fail(finding) with input as rule_input("--disable-admission-plugins=ServiceAccount") | ||
test.assert_fail(finding) with input as rule_input("--disable-admission-plugins=PodNodeSelector,ServiceAccount") | ||
} | ||
|
||
test_pass { | ||
test.assert_pass(finding) with input as rule_input("--disable-admission-plugins=AlwaysDeny") | ||
test.assert_pass(finding) with input as rule_input("--disable-admission-plugins=PodNodeSelector,AlwaysDeny") | ||
} | ||
|
||
test_not_evaluated { | ||
not finding with input as test_data.process_input("some_process", []) | ||
} | ||
|
||
rule_input(argument) = test_data.process_input("kube-apiserver", [argument]) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.