
     1  # METADATA
     2  # title: "All container images must start with a GCR domain"
     3  # description: "Containers should only use images from trusted GCR registries."
     4  # scope: package
     5  # schemas:
     6  # - input: schema["kubernetes"]
     7  # custom:
     8  #   id: KSV033
     9  #   avd_id: AVD-KSV-0033
    10  #   severity: MEDIUM
    11  #   short_code: use-gcr-domain
    12  #   recommended_action: "Use images from trusted GCR registries."
    13  #   input:
    14  #     selector:
    15  #     - type: kubernetes
    16  package builtin.kubernetes.KSV033
    17  
    18  import data.lib.kubernetes
    19  import data.lib.utils
    20  
# failTrustedGCRRegistry defaults to false.
# NOTE(review): no other rule in this file reads or assigns this value; it
# looks like a leftover from an earlier revision of the policy and is a
# candidate for removal once confirmed nothing outside the file depends on it.
default failTrustedGCRRegistry = false
    22  
# trusted_gcr_registries is the allow-list of registry hostnames that count as
# trusted Google Container Registry domains. Only the host component of an
# image reference (the text before the first "/") is compared against it.
# NOTE(review): Artifact Registry hosts (*.pkg.dev) are not in this list and
# will be reported as untrusted by this policy; confirm that is intended.
trusted_gcr_registries = [
	"gcr.io",
	"us.gcr.io",
	"eu.gcr.io",
	"asia.gcr.io",
]
    30  
    31  # getContainersWithTrustedGCRRegistry returns a list of containers
    32  # with image from a trusted gcr registry
    33  getContainersWithTrustedGCRRegistry[name] {
    34  	container := kubernetes.containers[_]
    35  	image := container.image
    36  
    37  	# get image registry/repo parts
    38  	image_parts := split(image, "/")
    39  
    40  	# images with only one part do not specify a registry
    41  	count(image_parts) > 1
    42  	registry = image_parts[0]
    43  	trusted := trusted_gcr_registries[_]
    44  	endswith(registry, trusted)
    45  	name := container.name
    46  }
    47  
    48  # getContainersWithUntrustedGCRRegistry returns a list of containers
    49  # with image from an untrusted gcr registry
    50  getContainersWithUntrustedGCRRegistry[container] {
    51  	container := kubernetes.containers[_]
    52  	not getContainersWithTrustedGCRRegistry[container.name]
    53  }
    54  
    55  deny[res] {
    56  	container := getContainersWithUntrustedGCRRegistry[_]
    57  	msg := kubernetes.format(sprintf("container %s of %s %s in %s namespace should restrict container image to your specific registry domain. See the full GCR list here: https://cloud.google.com/container-registry/docs/overview#registries", [container.name, lower(kubernetes.kind), kubernetes.name, kubernetes.namespace]))
    58  	res := result.new(msg, container)
    59  }