# Source: github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/cisbenchmarks/apiserver/etcd_certfile_and_keyfile_test.rego
#
# Unit tests for check KCV0026: the kube-apiserver command line must carry both
# --etcd-certfile and --etcd-keyfile. These flags supply the client certificate
# and private key the API server uses on its TLS connection to etcd, so a
# manifest with only one of them (or neither) is expected to be reported.
#
# `deny` is not defined in this file; it is expected to come from the rule
# module of the same package. Every fixture is a static Pod manifest labelled
# component=kube-apiserver. Image and container name are filler values.
#
# NOTE(review): the flag values are the literal placeholder "<file>", so the
# cases below exercise flag presence only. An empty value ("--etcd-certfile=")
# and the two-token form ("--etcd-certfile", "<path>") are not covered here.
# Whether the rule handles them cannot be told from this file.
package builtin.kubernetes.KCV0026

# Only the certificate flag is present: the key is missing, so exactly one
# finding with the standard message is expected.
test_only_etcd_certfile_is_set {
	results := deny with input as {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {
			"name": "apiserver",
			"labels": {
				"component": "kube-apiserver",
				"tier": "control-plane",
			},
		},
		"spec": {
			"containers": [
				{
					"command": [
						"kube-apiserver",
						"--advertise-address=192.168.49.2",
						"--etcd-certfile=<file>",
					],
					"image": "busybox",
					"name": "hello",
				},
			],
		},
	}

	count(results) == 1
	results[_].msg == "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate"
}

# Only the key flag is present: the certificate is missing, so exactly one
# finding with the standard message is expected.
test_only_etcd_keyfile_is_set {
	results := deny with input as {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {
			"name": "apiserver",
			"labels": {
				"component": "kube-apiserver",
				"tier": "control-plane",
			},
		},
		"spec": {
			"containers": [
				{
					"command": [
						"kube-apiserver",
						"--advertise-address=192.168.49.2",
						"--etcd-keyfile=<file>",
					],
					"image": "busybox",
					"name": "hello",
				},
			],
		},
	}

	count(results) == 1
	results[_].msg == "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate"
}

# Compliant case: both flags are present, so the rule must stay silent.
test_etcd_certfile_and_keyfile_are_set {
	results := deny with input as {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {
			"name": "apiserver",
			"labels": {
				"component": "kube-apiserver",
				"tier": "control-plane",
			},
		},
		"spec": {
			"containers": [
				{
					"command": [
						"kube-apiserver",
						"--advertise-address=192.168.49.2",
						"--etcd-certfile=<file>",
						"--etcd-keyfile=<file>",
					],
					"image": "busybox",
					"name": "hello",
				},
			],
		},
	}

	count(results) == 0
}

# Neither flag is present: still a single finding (not one per missing flag),
# carrying the same message as the partial cases.
test_etcd_certfile_and_keyfile_are_not_set {
	results := deny with input as {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {
			"name": "apiserver",
			"labels": {
				"component": "kube-apiserver",
				"tier": "control-plane",
			},
		},
		"spec": {
			"containers": [
				{
					"command": [
						"kube-apiserver",
						"--advertise-address=192.168.49.2",
					],
					"image": "busybox",
					"name": "hello",
				},
			],
		},
	}

	count(results) == 1
	results[_].msg == "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate"
}