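package lib.kubernetes

# Unit tests for the workload helpers in kubernetes.rego (`pods`, `containers`)
# and the control-plane detectors (`is_apiserver`, `is_etcd`,
# `is_controllermanager`, `is_scheduler`).
#
# The detectors decide which control-plane checks apply to a container, so a
# false negative here means those checks are silently skipped for that pod.
# The detector tests therefore compare the *exact* set of recognised container
# names instead of asserting that "some" container matched: the earlier
# `containers[_]` + `not is_*(...)` form held as soon as any single container
# was not a match, so a detector that wrongly accepted one of the "invalid"
# commands still passed.
#
# Fixtures keep the apiVersion values of the original tests; the helpers are
# expected to dispatch on `kind` and the spec path — confirm in kubernetes.rego.
# Stray copy-pasted top-level `schedule` keys were dropped from workloads that
# have no such field; only CronJob keeps it.

# Kind: Pod — the manifest itself carries the pod spec.
test_pod {
	manifest := {
		"apiVersion": "v1",
		"kind": "Pod",
		"spec": {"containers": [{
			"command": ["sh", "-c", "echo 'Hello !' && sleep 1h"],
			"image": "busybox",
			"name": "hello-pod",
		}]},
	}

	names := {c.name | c := pods[_].spec.containers[_]} with input as manifest
	names == {"hello-pod"}
}

# Kind: CronJob — pod spec lives at spec.jobTemplate.spec.template.
test_cron_job {
	manifest := {
		"apiVersion": "v1",
		"kind": "CronJob",
		"metadata": {"name": "hello"},
		"schedule": "*/1 * * * *",
		"spec": {"jobTemplate": {"spec": {"template": {"spec": {
			"restartPolicy": "OnFailure",
			"containers": [{
				"command": ["sh", "-c", "echo 'Hello !' && sleep 1h"],
				"image": "busybox",
				"name": "hello-cron-job",
			}],
		}}}}},
	}

	names := {c.name | c := pods[_].spec.containers[_]} with input as manifest
	names == {"hello-cron-job"}
}

# Kind: Deployment — pod spec lives at spec.template.
test_deployment {
	manifest := {
		"apiVersion": "v1",
		"kind": "Deployment",
		"metadata": {"name": "hello"},
		"spec": {"template": {"spec": {"containers": [{
			"command": ["sh", "-c", "echo 'Hello !' && sleep 1h"],
			"image": "busybox",
			"name": "hello-deployment",
		}]}}},
	}

	names := {c.name | c := pods[_].spec.containers[_]} with input as manifest
	names == {"hello-deployment"}
}

# Kind: StatefulSet — pod spec lives at spec.template.
test_stateful_set {
	manifest := {
		"apiVersion": "v1",
		"kind": "StatefulSet",
		"metadata": {"name": "hello"},
		"spec": {"template": {"spec": {"containers": [{
			"command": ["sh", "-c", "echo 'Hello !' && sleep 1h"],
			"image": "busybox",
			"name": "hello-stateful-set",
		}]}}},
	}

	names := {c.name | c := pods[_].spec.containers[_]} with input as manifest
	names == {"hello-stateful-set"}
}

# Kind: DaemonSet — pod spec lives at spec.template.
test_daemon_set {
	manifest := {
		"apiVersion": "v1",
		"kind": "DaemonSet",
		"metadata": {"name": "hello"},
		"spec": {"template": {"spec": {"containers": [{
			"command": ["sh", "-c", "echo 'Hello !' && sleep 1h"],
			"image": "busybox",
			"name": "hello-daemon-set",
		}]}}},
	}

	names := {c.name | c := pods[_].spec.containers[_]} with input as manifest
	names == {"hello-daemon-set"}
}

# Kind: ReplicaSet — pod spec lives at spec.template.
test_replica_set {
	manifest := {
		"apiVersion": "v1",
		"kind": "ReplicaSet",
		"metadata": {"name": "hello"},
		"spec": {"template": {"spec": {"containers": [{
			"command": ["sh", "-c", "echo 'Hello !' && sleep 1h"],
			"image": "busybox",
			"name": "hello-replica-set",
		}]}}},
	}

	names := {c.name | c := pods[_].spec.containers[_]} with input as manifest
	names == {"hello-replica-set"}
}

# Kind: ReplicationController — pod spec lives at spec.template.
test_replication_controller {
	manifest := {
		"apiVersion": "v1",
		"kind": "ReplicationController",
		"metadata": {"name": "hello"},
		"spec": {"template": {"spec": {"containers": [{
			"command": ["sh", "-c", "echo 'Hello !' && sleep 1h"],
			"image": "busybox",
			"name": "hello-replication-controller",
		}]}}},
	}

	names := {c.name | c := pods[_].spec.containers[_]} with input as manifest
	names == {"hello-replication-controller"}
}

# Kind: Job — pod spec lives at spec.template.
test_job {
	manifest := {
		"apiVersion": "v1",
		"kind": "Job",
		"metadata": {"name": "hello"},
		"spec": {"template": {"spec": {"containers": [{
			"command": ["sh", "-c", "echo 'Hello !' && sleep 1h"],
			"image": "busybox",
			"name": "hello-job",
		}]}}},
	}

	names := {c.name | c := pods[_].spec.containers[_]} with input as manifest
	names == {"hello-job"}
}

# `containers` must include initContainers, not just the main containers —
# an init container runs with the same privileges and is in scope for checks.
test_init_containers {
	manifest := {
		"apiVersion": "v1",
		"kind": "Pod",
		"spec": {"initContainers": [{
			"command": ["sh", "-c", "echo 'Hello !' && sleep 1h"],
			"image": "busybox",
			"name": "hello-init-containers",
		}]},
	}

	names := {c.name | c := containers[_]} with input as manifest
	names == {"hello-init-containers"}
}

# `containers` on a plain pod returns its spec.containers.
test_containers {
	manifest := {
		"apiVersion": "v1",
		"kind": "Pod",
		"spec": {"containers": [{
			"command": ["sh", "-c", "echo 'Hello !' && sleep 1h"],
			"image": "busybox",
			"name": "hello-containers",
		}]},
	}

	names := {c.name | c := containers[_]} with input as manifest
	names == {"hello-containers"}
}

# `is_apiserver` must accept the bare binary name and an absolute path to it,
# and reject prefix/suffix variants. Exactly the two "valid-*" containers may
# be recognised.
test_isapiserver_has_valid_container {
	manifest := {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {"name": "kube-apiserver", "namespace": "kube-system"},
		"spec": {"containers": [
			{"command": ["kube-apiserver-invalid"], "name": "invalid-1"},
			{"command": ["/usr/bin/kube-apiserver", "--test-flag=test"], "name": "valid-1"},
			{"command": ["invalid-kube-apiserver"], "name": "invalid-2"},
			{"command": ["kube-apiserver", "--test-flag=test"], "name": "valid-2"},
		]},
	}

	matched := {c.name | c := containers[_]; is_apiserver(c)} with input as manifest
	matched == {"valid-1", "valid-2"}
}

# Negative case for `is_apiserver`: no container may be recognised.
# `/usr/bin-kube-apiserver` guards against a plain suffix match (a path match
# needs a `/` separator before the binary name).
test_isapiserver_has_not_valid_container {
	manifest := {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {"name": "kube-apiserver", "namespace": "kube-system"},
		"spec": {"containers": [
			{"command": ["/usr/bin-kube-apiserver", "--test-flag=test"], "name": "invalid-1"},
			{"command": ["kube-apiserver-invalid"], "name": "invalid-2"},
			{"command": ["kube-apiserver-invalid"], "name": "invalid-3"},
		]},
	}

	matched := {c.name | c := containers[_]; is_apiserver(c)} with input as manifest
	count(matched) == 0
}

# `is_etcd`: bare binary name and absolute path are accepted; prefix/suffix
# variants are not.
test_etcd_has_valid_container {
	manifest := {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {"name": "etcd", "namespace": "kube-system"},
		"spec": {"containers": [
			{"command": ["etcd-invalid"], "name": "invalid-1"},
			{"command": ["/usr/bin/etcd", "--test-flag=test"], "name": "valid-1"},
			{"command": ["invalid-etcd"], "name": "invalid-2"},
			{"command": ["etcd", "--test-flag=test"], "name": "valid-2"},
		]},
	}

	matched := {c.name | c := containers[_]; is_etcd(c)} with input as manifest
	matched == {"valid-1", "valid-2"}
}

# Negative case for `is_etcd`: no container may be recognised.
test_etcd_has_not_valid_container {
	manifest := {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {"name": "etcd", "namespace": "kube-system"},
		"spec": {"containers": [
			{"command": ["/usr/bin-etcd", "--test-flag=test"], "name": "invalid-1"},
			{"command": ["etcd-invalid"], "name": "invalid-2"},
			{"command": ["etcd-invalid"], "name": "invalid-3"},
		]},
	}

	matched := {c.name | c := containers[_]; is_etcd(c)} with input as manifest
	count(matched) == 0
}

# `is_controllermanager`: bare binary name and absolute path are accepted;
# prefix/suffix variants are not. (Rule name keeps its original spelling so
# existing test selectors still match.)
test_controllermananager_has_valid_container {
	manifest := {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {"name": "kube-controller-manager", "namespace": "kube-system"},
		"spec": {"containers": [
			{"command": ["kube-controller-manager-invalid"], "name": "invalid-1"},
			{"command": ["/usr/bin/kube-controller-manager", "--test-flag=test"], "name": "valid-1"},
			{"command": ["invalid-kube-controller-manager"], "name": "invalid-2"},
			{"command": ["kube-controller-manager", "--test-flag=test"], "name": "valid-2"},
		]},
	}

	matched := {c.name | c := containers[_]; is_controllermanager(c)} with input as manifest
	matched == {"valid-1", "valid-2"}
}

# Negative case for `is_controllermanager`: no container may be recognised.
test_controllermananager_has_not_valid_container {
	manifest := {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {"name": "kube-controller-manager", "namespace": "kube-system"},
		"spec": {"containers": [
			{"command": ["/usr/bin-kube-controller-manager", "--test-flag=test"], "name": "invalid-1"},
			{"command": ["kube-controller-manager-invalid"], "name": "invalid-2"},
			{"command": ["kube-controller-manager-invalid"], "name": "invalid-3"},
		]},
	}

	matched := {c.name | c := containers[_]; is_controllermanager(c)} with input as manifest
	count(matched) == 0
}

# `is_scheduler`: bare binary name and absolute path are accepted;
# prefix/suffix variants are not.
test_scheduler_has_valid_container {
	manifest := {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {"name": "kube-scheduler", "namespace": "kube-system"},
		"spec": {"containers": [
			{"command": ["kube-scheduler-invalid"], "name": "invalid-1"},
			{"command": ["/usr/bin/kube-scheduler", "--test-flag=test"], "name": "valid-1"},
			{"command": ["invalid-kube-scheduler"], "name": "invalid-2"},
			{"command": ["kube-scheduler", "--test-flag=test"], "name": "valid-2"},
		]},
	}

	matched := {c.name | c := containers[_]; is_scheduler(c)} with input as manifest
	matched == {"valid-1", "valid-2"}
}
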
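# Negative case for `is_scheduler`: none of these commands is the scheduler
# binary, so the set of recognised containers must be empty.
#
# The previous form (`containers[_]` then `not is_scheduler(...)`) held as soon
# as any single container was not a match, so it could not fail even if the
# detector wrongly accepted one of the "invalid" commands; comparing the exact
# matched set closes that gap. `/usr/bin-kube-scheduler` guards against a plain
# suffix match (a path match needs a `/` before the binary name); the other two
# are name variants with extra text appended.
test_scheduler_has_not_valid_container {
	manifest := {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {"name": "kube-scheduler", "namespace": "kube-system"},
		"spec": {"containers": [
			{"command": ["/usr/bin-kube-scheduler", "--test-flag=test"], "name": "invalid-1"},
			{"command": ["kube-scheduler-invalid"], "name": "invalid-2"},
			{"command": ["kube-scheduler-invalid"], "name": "invalid-3"},
		]},
	}

	matched := {c.name | c := containers[_]; is_scheduler(c)} with input as manifest
	count(matched) == 0
}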