package network

import (
	"github.com/khulnasoft-lab/defsec/internal/cidr"
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNoPublicIngress registers the AVD-KUBE-0001 rule: a Kubernetes
// network policy must not admit ingress traffic from a public CIDR.
// The rule's evaluation logic lives in evaluateNoPublicIngress.
var CheckNoPublicIngress = rules.Register(
	scan.Rule{
		AVDID:       "AVD-KUBE-0001",
		Provider:    providers.KubernetesProvider,
		Service:     "network",
		ShortCode:   "no-public-ingress",
		Summary:     "Public ingress should not be allowed via network policies",
		Impact:      "Exposure of infrastructure to the public internet",
		Resolution:  "Remove public access except where explicitly required",
		Explanation: `You should not expose infrastructure to the public internet except where explicitly required`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicIngressGoodExamples,
			BadExamples:         terraformNoPublicIngressBadExamples,
			Links:               terraformNoPublicIngressLinks,
			RemediationMarkdown: terraformNoPublicIngressRemediationMarkdown,
		},
		Severity: severity.High,
	},
	evaluateNoPublicIngress,
)

// evaluateNoPublicIngress walks every managed network policy in the scanned
// state and inspects each ingress source CIDR on its own: a public range
// produces one failed result attributed to that CIDR, any other range is
// recorded as passed. Policies whose metadata is unmanaged are skipped, and a
// policy with no ingress source CIDRs contributes no result at all.
//
// NOTE(review): how cidr.IsPublic treats an empty or malformed CIDR value is
// not visible from this file — confirm that such a source is not silently
// reported as passed.
func evaluateNoPublicIngress(s *state.State) scan.Results {
	var findings scan.Results
	for _, policy := range s.Kubernetes.NetworkPolicies {
		if policy.Metadata.IsUnmanaged() {
			continue
		}
		for _, source := range policy.Spec.Ingress.SourceCIDRs {
			switch {
			case cidr.IsPublic(source.Value()):
				findings.Add(
					"Network policy allows ingress from the public internet.",
					source,
				)
			default:
				findings.AddPassed(source)
			}
		}
	}
	return findings
}