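package builtin.kubernetes.KCV0016

# Builds a kube-apiserver control-plane Pod whose single container runs the
# given command list. The four tests below differ only in the apiserver flags,
# so the fixture is shared and each case spells out nothing but the flags.
# The labels are what mark the Pod as the API server for the policy.
apiserver_pod(command) = pod {
	pod := {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {
			"name": "apiserver",
			"labels": {
				"component": "kube-apiserver",
				"tier": "control-plane",
			},
		},
		"spec": {"containers": [{
			"command": command,
			"image": "busybox",
			"name": "hello",
		}]},
	}
}

# Expected finding text; must stay byte-identical to the msg the policy emits,
# otherwise the negative tests pass on count alone and stop checking the message.
node_restriction_msg := "Ensure that the admission control plugin NodeRestriction is set"

# NodeRestriction is the only plugin listed in --enable-admission-plugins: no finding.
test_node_restriction_plugin_is_enabled {
	pod := apiserver_pod(["kube-apiserver", "--enable-admission-plugins=NodeRestriction"])
	r := deny with input as pod

	count(r) == 0
}

# --enable-admission-plugins is absent altogether (only unrelated flags are set):
# exactly one finding carrying the NodeRestriction message.
test_enable_admission_plugins_is_not_configured {
	pod := apiserver_pod(["kube-apiserver", "--authorization-mode=Node,RBAC", "--anonymous-auth=false"])
	r := deny with input as pod

	count(r) == 1
	r[_].msg == node_restriction_msg
}

# The flag is present but NodeRestriction is not in its list: exactly one finding.
# (Name previously had a doubled underscore: test_node_restriction__plugin_is_not_enabled.)
test_node_restriction_plugin_is_not_enabled {
	pod := apiserver_pod(["kube-apiserver", "--enable-admission-plugins=NamespaceLifecycle,ServiceAccount"])
	r := deny with input as pod

	count(r) == 1
	r[_].msg == node_restriction_msg
}

# NodeRestriction sits in the middle of a comma-separated list, so the policy
# must match it as a list element rather than as the whole flag value: no finding.
test_node_restriction_plugin_is_enabled_with_others {
	pod := apiserver_pod(["kube-apiserver", "--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,ServiceAccount"])
	r := deny with input as pod

	count(r) == 0
}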