# METADATA
# title: "Manages /etc/hosts"
# description: "Managing /etc/hosts aliases can prevent the container engine from modifying the file after a pod’s containers have already been started."
# scope: package
# schemas:
#   - input: schema["kubernetes"]
# custom:
#   id: KSV007
#   avd_id: AVD-KSV-0007
#   severity: LOW
#   short_code: no-hostaliases
#   recommended_action: "Do not set 'spec.template.spec.hostAliases'."
#   input:
#     selector:
#       - type: kubernetes
package builtin.kubernetes.KSV007

import data.lib.kubernetes
import data.lib.utils

# failHostAliases is the set of pod specs (gathered across the supported
# controllers) that carry a "hostAliases" key. Presence of the key is the
# finding; the alias entries themselves are not inspected.
# NOTE(review): assumes kubernetes.host_aliases yields one pod spec per
# controller — confirm against data.lib.kubernetes.
failHostAliases[spec] {
	some i
	spec := kubernetes.host_aliases[i]
	utils.has_key(spec, "hostAliases")
}

# deny produces one result per offending spec. The message names the
# workload kind (lower-cased), name and namespace so the finding can be
# traced back to the manifest that set spec.template.spec.hostAliases.
deny[res] {
	failHostAliases[spec]
	kind := lower(kubernetes.kind)
	msg := kubernetes.format(sprintf("'%s' '%s' in '%s' namespace should not set spec.template.spec.hostAliases", [kind, kubernetes.name, kubernetes.namespace]))
	res := result.new(msg, spec)
}