package network

import (
	"github.com/khulnasoft-lab/defsec/internal/cidr"
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNoPublicEgress is the registered rule AVD-KUBE-0002. It walks every
// Kubernetes NetworkPolicy in the scanned state and reports each egress
// destination CIDR that cidr.IsPublic classifies as a public range; every
// other destination CIDR is recorded as a pass. Policies whose metadata is
// flagged as unmanaged are not evaluated at all (neither a finding nor a pass).
// The Terraform example/link/remediation values are defined elsewhere in this
// package.
var CheckNoPublicEgress = rules.Register(
	scan.Rule{
		AVDID:       "AVD-KUBE-0002",
		Provider:    providers.KubernetesProvider,
		Service:     "network",
		ShortCode:   "no-public-egress",
		Summary:     "Public egress should not be allowed via network policies",
		Impact:      "Exfiltration of data to the public internet",
		Resolution:  "Remove public access except where explicitly required",
		Explanation: `You should not expose infrastructure to the public internet except where explicitly required`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicEgressGoodExamples,
			BadExamples:         terraformNoPublicEgressBadExamples,
			Links:               terraformNoPublicEgressLinks,
			RemediationMarkdown: terraformNoPublicEgressRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// The check itself: one result (finding or pass) per egress destination
	// CIDR of every managed network policy in the state.
	func(s *state.State) (results scan.Results) {
		for _, np := range s.Kubernetes.NetworkPolicies {
			// Unmanaged policies carry no evaluable definition in the scanned
			// source (project helper; see Metadata.IsUnmanaged), so skip them.
			if np.Metadata.IsUnmanaged() {
				continue
			}
			for _, dst := range np.Spec.Egress.DestinationCIDRs {
				// Anything that is not a public range passes; only public
				// destinations produce a finding.
				if !cidr.IsPublic(dst.Value()) {
					results.AddPassed(dst)
					continue
				}
				results.Add(
					"Network policy allows egress to the public internet.",
					dst,
				)
			}
		}
		return results
	},
)