github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/cisbenchmarks/apiserver/authorization_mode_includes_node_test.rego

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/cisbenchmarks/apiserver/authorization_mode_includes_node_test.rego (about)

     1  package builtin.kubernetes.KCV0008
     2  
     3  test_authorization_mode_is_set_node {
     4  	r := deny with input as {
     5  		"apiVersion": "v1",
     6  		"kind": "Pod",
     7  		"metadata": {
     8  			"name": "apiserver",
     9  			"labels": {
    10  				"component": "kube-apiserver",
    11  				"tier": "control-plane",
    12  			},
    13  		},
    14  		"spec": {"containers": [{
    15  			"command": ["kube-apiserver", "--authorization-mode=Node", "--anonymous-auth=false"],
    16  			"image": "busybox",
    17  			"name": "hello",
    18  		}]},
    19  	}
    20  
    21  	count(r) == 0
    22  }
    23  
    24  test_authorization_mode_includes_node {
    25  	r := deny with input as {
    26  		"apiVersion": "v1",
    27  		"kind": "Pod",
    28  		"metadata": {
    29  			"name": "apiserver",
    30  			"labels": {
    31  				"component": "kube-apiserver",
    32  				"tier": "control-plane",
    33  			},
    34  		},
    35  		"spec": {"containers": [{
    36  			"command": ["kube-apiserver", "--authorization-mode=RBAC,Node", "--anonymous-auth=false"],
    37  			"image": "busybox",
    38  			"name": "hello",
    39  		}]},
    40  	}
    41  
    42  	count(r) == 0
    43  }
    44  
    45  test_authorization_mode_default_value {
    46  	r := deny with input as {
    47  		"apiVersion": "v1",
    48  		"kind": "Pod",
    49  		"metadata": {
    50  			"name": "apiserver",
    51  			"labels": {
    52  				"component": "kube-apiserver",
    53  				"tier": "control-plane",
    54  			},
    55  		},
    56  		"spec": {"containers": [{
    57  			"command": ["kube-apiserver", "--anonymous-auth=false"],
    58  			"image": "busybox",
    59  			"name": "hello",
    60  		}]},
    61  	}
    62  
    63  	count(r) == 1
    64  	r[_].msg == "Ensure that the --authorization-mode argument includes Node"
    65  }
    66  
    67  test_authorization_mode_is_set_rbac {
    68  	r := deny with input as {
    69  		"apiVersion": "v1",
    70  		"kind": "Pod",
    71  		"metadata": {
    72  			"name": "apiserver",
    73  			"labels": {
    74  				"component": "kube-apiserver",
    75  				"tier": "control-plane",
    76  			},
    77  		},
    78  		"spec": {"containers": [{
    79  			"command": ["kube-apiserver", "--authorization-mode=RBAC", "--anonymous-auth=false"],
    80  			"image": "busybox",
    81  			"name": "hello",
    82  		}]},
    83  	}
    84  
    85  	count(r) == 1
    86  	r[_].msg == "Ensure that the --authorization-mode argument includes Node"
    87  }
    88  
    89  test_authorization_mode_with_multiple_values {
    90  	r := deny with input as {
    91  		"apiVersion": "v1",
    92  		"kind": "Pod",
    93  		"metadata": {
    94  			"name": "apiserver",
    95  			"labels": {
    96  				"component": "kube-apiserver",
    97  				"tier": "control-plane",
    98  			},
    99  		},
   100  		"spec": {"containers": [{
   101  			"command": ["kube-apiserver", "--authorization-mode=ABAC,Webhook,AlwaysAllow", "--anonymous-auth=false"],
   102  			"image": "busybox",
   103  			"name": "hello",
   104  		}]},
   105  	}
   106  
   107  	count(r) == 1
   108  	r[_].msg == "Ensure that the --authorization-mode argument includes Node"
   109  }