github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/cisbenchmarks/kubelet/kubelet_protect_kernel_defaults.rego (about) 1 # METADATA 2 # title: "Ensure that the --protect-kernel-defaults is set to true" 3 # description: "Protect tuned kernel parameters from overriding kubelet default kernel parameter values." 4 # scope: package 5 # schemas: 6 # - input: schema["kubernetes"] 7 # related_resources: 8 # - https://www.cisecurity.org/benchmark/kubernetes 9 # custom: 10 # id: KCV0083 11 # avd_id: AVD-KCV-0083 12 # severity: HIGH 13 # short_code: ensure-protect-kernel-defaults-set-true 14 # recommended_action: "If using a Kubelet config file, edit the file to set protectKernelDefaults: true" 15 # input: 16 # selector: 17 # - type: kubernetes 18 package builtin.kubernetes.KCV0083 19 20 import data.lib.kubernetes 21 22 types := ["master", "worker"] 23 24 validate_kubelet_anonymous_auth_set(sp) := {"kubeletProtectKernelDefaultsArgumentSet": violation} { 25 sp.kind == "NodeInfo" 26 sp.type == types[_] 27 violation := {kernel_defaults | kernel_defaults = sp.info.kubeletProtectKernelDefaultsArgumentSet.values[_]; not kernel_defaults == "true"} 28 count(violation) > 0 29 } 30 31 validate_kubelet_anonymous_auth_set(sp) := {"kubeletProtectKernelDefaultsArgumentSet": kernel_defaults} { 32 sp.kind == "NodeInfo" 33 sp.type == types[_] 34 count(sp.info.kubeletProtectKernelDefaultsArgumentSet.values) == 0 35 kernel_defaults = {} 36 } 37 38 deny[res] { 39 output := validate_kubelet_anonymous_auth_set(input) 40 msg := "Ensure that the --protect-kernel-defaults is set to true" 41 res := result.new(msg, output) 42 }