
     1  # METADATA
     2  # title: "Workloads in the default namespace"
     3  # description: "ensure that the default namespace is not used"
     4  # scope: package
     5  # schemas:
     6  # - input: schema["kubernetes"]
     7  # related_resources:
     8  # - https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
     9  # custom:
    10  #   id: KSV110
    11  #   avd_id: AVD-KSV-0110
    12  #   severity: LOW
    13  #   short_code: default-namespace-should-not-be-used
    14  #   recommended_action: "Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace."
    15  #   input:
    16  #     selector:
    17  #     - type: kubernetes
    18  package builtin.kubernetes.KSV110
    19  
    20  import data.lib.kubernetes
    21  
# Default to false so that a manifest the rule body cannot evaluate
# (e.g. an unsupported kind) is reported as "not in use" rather than
# leaving the decision undefined.
default defaultNamespaceInUse = false
    23  
# Workload kinds the check applies to, written in lower case so the
# comparison in defaultNamespaceInUse can normalise the input kind with
# lower(). Cluster-scoped or non-workload kinds are deliberately not listed.
allowedKinds := ["pod", "replicaset", "replicationcontroller", "deployment", "statefulset", "daemonset", "cronjob", "job"]
    25  
    26  defaultNamespaceInUse {
    27  	kubernetes.namespace == "default"
    28  	lower(kubernetes.kind) == allowedKinds[_]
    29  }
    30  
    31  deny[res] {
    32  	defaultNamespaceInUse
    33  	msg := kubernetes.format(sprintf("%s %s in %s namespace should set metadata.namespace to a non-default namespace", [lower(kubernetes.kind), kubernetes.name, kubernetes.namespace]))
    34  	res := result.new(msg, input.metadata.namespace)
    35  }