github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/cisbenchmarks/etcd/cert_file_and_key_file.rego (about) 1 # METADATA 2 # title: "Ensure that the --cert-file and --key-file arguments are set as appropriate" 3 # description: "Configure TLS encryption for the etcd service." 4 # scope: package 5 # schemas: 6 # - input: schema["kubernetes"] 7 # related_resources: 8 # - https://www.cisecurity.org/benchmark/kubernetes 9 # custom: 10 # id: KCV0042 11 # avd_id: AVD-KCV-0042 12 # severity: LOW 13 # short_code: Ensure-cert-file-and-key-file-arguments-are-set-as-appropriate 14 # recommended_action: "Follow the etcd service documentation and configure TLS encryption. Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set the below parameters." 15 # input: 16 # selector: 17 # - type: kubernetes 18 package builtin.kubernetes.KCV0042 19 20 import data.lib.kubernetes 21 22 checkFlag[container] { 23 container := kubernetes.containers[_] 24 kubernetes.is_etcd(container) 25 not kubernetes.command_has_flag(container.command, "--cert-file") 26 } 27 28 checkFlag[container] { 29 container := kubernetes.containers[_] 30 kubernetes.is_etcd(container) 31 not kubernetes.command_has_flag(container.command, "--key-file") 32 } 33 34 deny[res] { 35 output := checkFlag[_] 36 msg := "Ensure that the --cert-file and --key-file arguments are set as appropriate" 37 res := result.new(msg, output) 38 }