
# METADATA
# title: "Selector usage in network policies"
# description: "ensure that network policy selectors are applied to pods or namespaces to restrict ingress and egress traffic within the pod network"
# scope: package
# schemas:
# - input: schema["kubernetes"]
# related_resources:
# - https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/
# custom:
#   id: KSV038
#   avd_id: AVD-KSV-0038
#   severity: MEDIUM
#   short_code: selector-usage-in-network-policies
#   recommended_action: "create network policies and ensure that pods are selected using the podSelector and/or the namespaceSelector options"
#   input:
#     selector:
#     - type: kubernetes
    18  package builtin.kubernetes.KSV038
    19  
    20  import data.lib.kubernetes
    21  import data.lib.utils
    22  
    23  hasSelector(spec) {
    24  	kubernetes.has_field(spec, "podSelector")
    25  	kubernetes.has_field(spec.podSelector, "matchLabels")
    26  }
    27  
    28  hasSelector(spec) {
    29  	kubernetes.has_field(spec, "namespaceSelector")
    30  }
    31  
    32  hasSelector(spec) {
    33  	kubernetes.has_field(spec, "podSelector")
    34  }
    35  
    36  hasSelector(spec) {
    37  	kubernetes.has_field(spec, "ingress")
    38  	kubernetes.has_field(spec.ingress[_], "from")
    39  	kubernetes.has_field(spec.ingress[_].from[_], "namespaceSelector")
    40  }
    41  
    42  hasSelector(spec) {
    43  	kubernetes.has_field(spec, "ingress")
    44  	kubernetes.has_field(spec.ingress[_], "from")
    45  	kubernetes.has_field(spec.ingress[_].from[_], "podSelector")
    46  }
    47  
    48  hasSelector(spec) {
    49  	kubernetes.has_field(spec, "egress")
    50  	kubernetes.has_field(spec.egress[_], "to")
    51  	kubernetes.has_field(spec.egress[_].to[_], "podSelector")
    52  }
    53  
    54  hasSelector(spec) {
    55  	kubernetes.has_field(spec, "egress")
    56  	kubernetes.has_field(spec.egress[_], "to")
    57  	kubernetes.has_field(spec.egress[_].to[_], "namespaceSelector")
    58  }
    59  
    60  hasSelector(spec) {
    61  	kubernetes.spec.podSelector == {}
    62  	contains(input.spec.policyType, "Egress")
    63  }
    64  
    65  hasSelector(spec) {
    66  	kubernetes.spec.podSelector == {}
    67  	contains(input.spec.policyType, "Ingress")
    68  }
    69  
    70  contains(arr, elem) {
    71  	arr[_] = elem
    72  }
    73  
    74  deny[res] {
    75  	lower(kubernetes.kind) == "networkpolicy"
    76  	not hasSelector(input.spec)
    77  	msg := "Network policy should uses podSelector and/or the namespaceSelector to restrict ingress and egress traffic within the Pod network"
    78  	res := result.new(msg, input.spec)
    79  }