
     1  package network
     2  
var (
	// terraformNoPublicEgressGoodExamples holds a kubernetes_network_policy that
	// the NoPublicEgress rule should accept. The egress "to" ip_block is
	// 10.0.0.0/16 (RFC 1918 private address space), so the policy never grants
	// egress towards the public internet; the ingress "from" block uses the same
	// private range. The two "except" entries further carve out /24 subnets, but
	// the acceptable part is the private base CIDR, not the exceptions.
	terraformNoPublicEgressGoodExamples = []string{
		`
 resource "kubernetes_network_policy" "good_example" {
   metadata {
     name      = "terraform-example-network-policy"
     namespace = "default"
   }
 
   spec {
     pod_selector {
       match_expressions {
         key      = "name"
         operator = "In"
         values   = ["webfront", "api"]
       }
     }
 
     egress {
       ports {
         port     = "http"
         protocol = "TCP"
       }
       ports {
         port     = "8125"
         protocol = "UDP"
       }
 
       to {
         ip_block {
           cidr = "10.0.0.0/16"
           except = [
             "10.0.0.0/24",
             "10.0.1.0/24",
           ]
         }
       }
     }
 
     ingress {
       ports {
         port     = "http"
         protocol = "TCP"
       }
       ports {
         port     = "8125"
         protocol = "UDP"
       }
 
       from {
         ip_block {
           cidr = "10.0.0.0/16"
           except = [
             "10.0.0.0/24",
             "10.0.1.0/24",
           ]
         }
       }
     }
 
     policy_types = ["Ingress", "Egress"]
   }
 }
 `,
	}
)
    67  
var (
	// terraformNoPublicEgressBadExamples holds a kubernetes_network_policy that
	// the NoPublicEgress rule should reject. The egress "to" ip_block is
	// 0.0.0.0/0, i.e. every IPv4 destination including the public internet. The
	// "except" entries only remove two private /24 subnets from that range, so
	// the policy still permits egress to any public address; the ingress "from"
	// block is private and is not what makes this example bad.
	terraformNoPublicEgressBadExamples = []string{
		`
 resource "kubernetes_network_policy" "bad_example" {
   metadata {
     name      = "terraform-example-network-policy"
     namespace = "default"
   }
 
   spec {
     pod_selector {
       match_expressions {
         key      = "name"
         operator = "In"
         values   = ["webfront", "api"]
       }
     }
 
     egress {
       ports {
         port     = "http"
         protocol = "TCP"
       }
       ports {
         port     = "8125"
         protocol = "UDP"
       }
 
       to {
         ip_block {
           cidr = "0.0.0.0/0"
           except = [
             "10.0.0.0/24",
             "10.0.1.0/24",
           ]
         }
       }
     }
 
     ingress {
       ports {
         port     = "http"
         protocol = "TCP"
       }
       ports {
         port     = "8125"
         protocol = "UDP"
       }
 
       from {
         ip_block {
           cidr = "10.0.0.0/16"
           except = [
             "10.0.0.0/24",
             "10.0.1.0/24",
           ]
         }
       }
     }
 
     policy_types = ["Ingress", "Egress"]
   }
 }
 `,
	}
)
   132  
var (
	// terraformNoPublicEgressLinks lists the provider documentation referenced
	// alongside NoPublicEgress findings for Terraform.
	//
	// NOTE(review): the anchor targets spec.ingress.from.ip_block.cidr, the
	// ingress attribute, while this rule is about egress (spec.egress.to.ip_block
	// in the examples above). The link looks copied from the ingress rule;
	// confirm the intended anchor before changing it.
	terraformNoPublicEgressLinks = []string{
		`https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#spec.ingress.from.ip_block.cidr`,
	}
)
   136  
// terraformNoPublicEgressRemediationMarkdown is the Terraform remediation text
// for the NoPublicEgress rule. It is left at the zero value (empty string), so
// this file supplies no remediation guidance beyond the good/bad examples.
var terraformNoPublicEgressRemediationMarkdown string