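# METADATA
# custom:
#   library: true
#   input:
#     selector:
#     - type: kubernetes
#     - type: rbac
package lib.kubernetes

# Shared helpers for the Kubernetes policies in this repository. Policies
# evaluate `object` (the manifest, or the admission-review object under
# Gatekeeper) and the derived sets `pods`, `containers`, `volumes`, etc.

# Gatekeeper wraps the manifest in an AdmissionReview: input.review.object.
default is_gatekeeper = false

is_gatekeeper {
	has_field(input, "review")
	has_field(input.review, "object")
}

# The manifest under evaluation, independent of how input is wrapped.
object = input {
	not is_gatekeeper
}

object = input.review.object {
	is_gatekeeper
}

# Gatekeeper expects violation messages as {"msg": ...}; every other consumer
# receives the bare message string.
format(msg) = gatekeeper_format {
	is_gatekeeper
	gatekeeper_format = {"msg": msg}
}

format(msg) = msg {
	not is_gatekeeper
}

name = object.metadata.name

# A manifest without an explicit namespace is placed in "default".
default namespace = "default"

namespace = object.metadata.namespace

#annotations = object.metadata.annotations

kind = object.kind

is_pod {
	kind = "Pod"
}

is_cronjob {
	kind = "CronJob"
}

# Workload kinds whose pod template lives under spec.template.
default is_controller = false

is_controller {
	kind = "Deployment"
}

is_controller {
	kind = "StatefulSet"
}

is_controller {
	kind = "DaemonSet"
}

is_controller {
	kind = "ReplicaSet"
}

is_controller {
	kind = "ReplicationController"
}

is_controller {
	kind = "Job"
}

# Splits an image reference into [name, tag]. A missing tag is reported as
# "latest", which is what the runtime would pull. The tag is the text after
# the final ":" only when that ":" comes after the last "/", so a registry
# port ("registry:5000/app") is not mistaken for a tag and a reference such
# as "registry:5000/app:1.2" is split at the right place. Digest references
# ("app@sha256:...") are not special-cased: the text after the final ":" is
# returned as the tag.
split_image(image) = [image, "latest"] {
	not image_has_tag(image)
}

split_image(image) = [image_name, tag] {
	image_has_tag(image)
	parts := split(image, ":")
	last := count(parts) - 1
	tag := parts[last]
	image_name := concat(":", array.slice(parts, 0, last))
}

# True when the text after the final ":" is a tag rather than part of a
# registry host:port path segment.
image_has_tag(image) {
	parts := split(image, ":")
	last := count(parts) - 1
	last > 0
	not contains(parts[last], "/")
}

# All regular and init containers of a pod spec. ephemeralContainers are
# not included.
pod_containers(pod) = all_containers {
	keys = {"containers", "initContainers"}
	all_containers = [c | keys[k]; c = pod.spec[k][_]]
}

# Every container of every discovered pod, plus the containers of an object
# that carries spec.containers directly but is not recognised by `pods`.
containers[container] {
	pods[pod]
	all_containers = pod_containers(pod)
	container = all_containers[_]
}

containers[container] {
	all_containers = pod_containers(object)
	container = all_containers[_]
}

# Pod specs reachable from the object: the Pod itself, a controller's
# spec.template, or a CronJob's job template.
pods[pod] {
	is_pod
	pod = object
}

pods[pod] {
	is_controller
	pod = object.spec.template
}

pods[pod] {
	is_cronjob
	pod = object.spec.jobTemplate.spec.template
}

volumes[volume] {
	pods[pod]
	volume = pod.spec.volumes[_]
}

# Exact, case-sensitive match against securityContext.capabilities.drop.
# A drop of "ALL" is not expanded here; callers that accept "ALL" must check
# for it separately.
dropped_capability(container, cap) {
	container.securityContext.capabilities.drop[_] == cap
}

# Exact, case-sensitive match against securityContext.capabilities.add.
added_capability(container, cap) {
	container.securityContext.capabilities.add[_] == cap
}

# True when obj has a key named field whose value is not `false`. A bare
# reference to a false value fails in Rego, so this is presence-and-truthiness
# rather than pure presence; boolean fields are therefore checked by value
# below instead of through this helper.
has_field(obj, field) {
	obj[field]
}

# True unless the container explicitly sets readOnlyRootFilesystem: true.
# Kubernetes defaults the field to false, so an absent securityContext, an
# absent field, an explicit false and any non-boolean value all count as a
# writable root filesystem.
no_read_only_filesystem(c) {
	not c.securityContext.readOnlyRootFilesystem == true
}

# True unless the container explicitly sets allowPrivilegeEscalation: false.
# Kubernetes defaults the field to true, so an absent securityContext or an
# absent field means escalation is allowed.
privilege_escalation_allowed(c) {
	not c.securityContext.allowPrivilegeEscalation == false
}

# One entry per pod: the pod's whole metadata.annotations map.
annotations[annotation] {
	pods[pod]
	annotation = pod.metadata.annotations
}

# The host* sets only contain pods that set the corresponding field; a pod
# that omits it (Kubernetes default false) produces no entry.
host_ipcs[host_ipc] {
	pods[pod]
	host_ipc = pod.spec.hostIPC
}

host_networks[host_network] {
	pods[pod]
	host_network = pod.spec.hostNetwork
}

host_pids[host_pid] {
	pods[pod]
	host_pid = pod.spec.hostPID
}

# NOTE(review): yields the whole pod spec, not pod.spec.hostAliases; existing
# callers may depend on this shape, so confirm before changing it.
host_aliases[host_alias] {
	pods[pod]
	host_alias = pod.spec
}

# `flag` is a regular expression matched anywhere in any element of
# `command`; it is not anchored or escaped here, so callers should anchor
# it (or escape regex metacharacters) when an exact argument is required.
command_has_flag(command, flag) {
	regex.match(flag, command[_])
}

# The is_* helpers below only inspect command[0]; a binary launched through a
# shell wrapper or given via args would not be recognised.
is_controllermanager(container) {
	regex.match("^(.*/)?kube-controller-manager$", container.command[0])
}

is_etcd(container) {
	regex.match("^(.*/)?etcd$", container.command[0])
}

is_scheduler(container) {
	regex.match("^(.*/)?kube-scheduler$", container.command[0])
}

is_apiserver(container) {
	regex.match("^(.*/)?kube-apiserver$", container.command[0])
}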