github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/cisbenchmarks/kubelet/kubelet_authorization_mode_argument.rego (about) 1 # METADATA 2 # title: "Ensure that the --authorization-mode argument is not set to AlwaysAllow" 3 # description: "Do not allow all requests. Enable explicit authorization." 4 # scope: package 5 # schemas: 6 # - input: schema["kubernetes"] 7 # related_resources: 8 # - https://www.cisecurity.org/benchmark/kubernetes 9 # custom: 10 # id: KCV0080 11 # avd_id: AVD-KCV-0080 12 # severity: HIGH 13 # short_code: ensure-authorization-mode-argument-set-alwaysallow 14 # recommended_action: "edit Kubelet config and set authorization: mode to Webhook." 15 # input: 16 # selector: 17 # - type: kubernetes 18 package builtin.kubernetes.KCV0080 19 20 import data.lib.kubernetes 21 22 types := ["master", "worker"] 23 24 validate_kubelet_authorization_mode(sp) := {"kubeletAuthorizationModeArgumentSet": violation} { 25 sp.kind == "NodeInfo" 26 sp.type == types[_] 27 violation := {authorization_mode | authorization_mode = sp.info.kubeletAuthorizationModeArgumentSet.values[_]; authorization_mode == "AlwaysAllow"} 28 count(violation) > 0 29 } 30 31 validate_kubelet_authorization_mode(sp) := {"kubeletAuthorizationModeArgumentSet": authorization_mode} { 32 sp.kind == "NodeInfo" 33 sp.type == types[_] 34 count(sp.info.kubeletAuthorizationModeArgumentSet.values) == 0 35 authorization_mode = {} 36 } 37 38 deny[res] { 39 output := validate_kubelet_authorization_mode(input) 40 msg := "Ensure that the --authorization-mode argument is not set to AlwaysAllow" 41 res := result.new(msg, output) 42 }