github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/cisbenchmarks/controllermamager/rotate_kubelet_server_certificate_test.rego (about)

     # Unit tests for check KCV0038. Every test evaluates `deny` (declared in the
     # policy under test, not in this file) against a mock kube-controller-manager
     # Pod manifest and asserts on how many findings come back and what they say.
     #
     # RotateKubeletServerCertificate is the Kubernetes feature gate for rotating
     # kubelet serving certificates. These tests pin the policy to accept only an
     # explicit `RotateKubeletServerCertificate=true` in --feature-gates.
     #
     # NOTE(review): the fixture's image ("busybox") and container name ("hello")
     # look like filler; presumably the policy keys on the component label and/or
     # the command line. Confirm against the policy.
     package builtin.kubernetes.KCV0038

     # Gate explicitly enabled: the policy must report nothing.
     test_use_rotate_kubelet_server_certificate_is_set_to_true {
     	findings := deny with input as {
     		"apiVersion": "v1",
     		"kind": "Pod",
     		"metadata": {
     			"name": "controller-manager",
     			"labels": {
     				"component": "kube-controller-manager",
     				"tier": "control-plane",
     			},
     		},
     		"spec": {
     			"containers": [
     				{
     					"command": [
     						"kube-controller-manager",
     						"--feature-gates=RotateKubeletServerCertificate=true",
     					],
     					"image": "busybox",
     					"name": "hello",
     				},
     			],
     		},
     	}

     	count(findings) == 0
     }

     # Gate explicitly disabled: exactly one finding with the remediation message.
     test_use_rotate_kubelet_server_certificate_is_set_to_false {
     	findings := deny with input as {
     		"apiVersion": "v1",
     		"kind": "Pod",
     		"metadata": {
     			"name": "controller-manager",
     			"labels": {
     				"component": "kube-controller-manager",
     				"tier": "control-plane",
     			},
     		},
     		"spec": {
     			"containers": [
     				{
     					"command": [
     						"kube-controller-manager",
     						"--feature-gates=RotateKubeletServerCertificate=false",
     					],
     					"image": "busybox",
     					"name": "hello",
     				},
     			],
     		},
     	}

     	expected_msg := "Ensure that the RotateKubeletServerCertificate argument is set to true"

     	count(findings) == 1
     	findings[_].msg == expected_msg
     }

     # Gate absent: the command carries another flag and an unrelated feature gate
     # only. The expected result is the same single finding as for an explicit
     # `false`, so relying on the component's default is not accepted.
     test_use_rotate_kubelet_server_certificate_is_not_configured {
     	findings := deny with input as {
     		"apiVersion": "v1",
     		"kind": "Pod",
     		"metadata": {
     			"name": "controller-manager",
     			"labels": {
     				"component": "kube-controller-manager",
     				"tier": "control-plane",
     			},
     		},
     		"spec": {
     			"containers": [
     				{
     					"command": [
     						"kube-controller-manager",
     						"--allocate-node-cidrs=true",
     						"--feature-gates=Test=true",
     					],
     					"image": "busybox",
     					"name": "hello",
     				},
     			],
     		},
     	}

     	expected_msg := "Ensure that the RotateKubeletServerCertificate argument is set to true"

     	count(findings) == 1
     	findings[_].msg == expected_msg
     }