github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/cisbenchmarks/apiserver/authorization_mode_includes_rbac.rego (about) 1 # METADATA 2 # title: "Ensure that the --authorization-mode argument includes RBAC" 3 # description: "Turn on Role Based Access Control." 4 # scope: package 5 # schemas: 6 # - input: schema["kubernetes"] 7 # related_resources: 8 # - https://www.cisecurity.org/benchmark/kubernetes 9 # custom: 10 # id: KCV0009 11 # avd_id: AVD-KCV-0009 12 # severity: LOW 13 # short_code: ensure-authorization-mode-argument-includes-rbac 14 # recommended_action: "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --authorization-mode parameter to a value that includes RBAC." 15 # input: 16 # selector: 17 # - type: kubernetes 18 package builtin.kubernetes.KCV0009 19 20 import data.lib.kubernetes 21 22 check_flag[container] { 23 container := kubernetes.containers[_] 24 kubernetes.is_apiserver(container) 25 not kubernetes.command_has_flag(container.command, "--authorization-mode") 26 } 27 28 check_flag[container] { 29 container := kubernetes.containers[_] 30 some i 31 output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, container.command[i], -1) 32 not regex.match("RBAC", output[0][1]) 33 } 34 35 deny[res] { 36 output := check_flag[_] 37 msg := "Ensure that the --authorization-mode argument includes RBAC" 38 res := result.new(msg, output) 39 }