github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/advanced/optional/capabilities_no_drop_at_least_one.rego (about)

     1  # METADATA
     2  # title: "Default capabilities: some containers do not drop any"
     3  # description: "Security best practices require containers to run with only the Linux capabilities they need; a container that drops none keeps the runtime's full default capability set."
     4  # scope: package
     5  # schemas:
     6  # - input: schema["kubernetes"]
     7  # related_resources:
     8  # - https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
     9  # custom:
    10  #   id: KSV004
    11  #   avd_id: AVD-KSV-0004
    12  #   severity: LOW
    13  #   short_code: drop-unused-capabilities
    14  #   recommended_action: "Drop at least one unneeded capability in 'containers[].securityContext.capabilities.drop' (dropping 'ALL' and adding back only what is required is the strongest posture)"
    15  #   input:
    16  #     selector:
    17  #     - type: kubernetes
    18  package builtin.kubernetes.KSV004
    19  
    20  import data.lib.kubernetes
    21  import data.lib.utils
    22  
# Not referenced anywhere in this file: no rule below reads failCapsDropAny.
# Left in place so the package keeps exporting the same names in case
# something outside this file queries it — NOTE(review): confirm before removing.
default failCapsDropAny = false
    24  
    25  # getCapsDropAnyContainers returns names of all containers
    26  # which set securityContext.capabilities.drop
    27  getCapsDropAnyContainers[container] {
    28  	allContainers := kubernetes.containers[_]
    29  	utils.has_key(allContainers.securityContext.capabilities, "drop")
    30  	container := allContainers.name
    31  }
    32  
    33  # getNoCapsDropContainers returns names of all containers which
    34  # do not set securityContext.capabilities.drop
    35  getNoCapsDropContainers[container] {
    36  	container := kubernetes.containers[_]
    37  	not getCapsDropAnyContainers[container.name]
    38  }
    39  
    40  deny[res] {
    41  	container := getNoCapsDropContainers[_]
    42  	msg := kubernetes.format(sprintf("Container '%s' of '%s' '%s' in '%s' namespace should set securityContext.capabilities.drop", [container.name, lower(kubernetes.kind), kubernetes.name, kubernetes.namespace]))
    43  	res := result.new(msg, container)
    44  }