github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/cisbenchmarks/kubelet/kubelet_rotate_certificates.rego (about) 1 # METADATA 2 # title: "Ensure that the --rotate-certificates argument is not set to false" 3 # description: "Enable kubelet client certificate rotation." 4 # scope: package 5 # schemas: 6 # - input: schema["kubernetes"] 7 # related_resources: 8 # - https://www.cisecurity.org/benchmark/kubernetes 9 # custom: 10 # id: KCV0090 11 # avd_id: AVD-KCV-0090 12 # severity: HIGH 13 # short_code: ensure-rotate-certificates-argument-set-false 14 # recommended_action: "If using a Kubelet config file, edit the file to add the line rotateCertificates: true or remove it altogether to use the default value." 15 # input: 16 # selector: 17 # - type: kubernetes 18 package builtin.kubernetes.KCV0090 19 20 import data.lib.kubernetes 21 22 types := ["master", "worker"] 23 24 validate_kubelet_rotate_certificates(sp) := {"kubeletRotateCertificatesArgumentSet": violation} { 25 sp.kind == "NodeInfo" 26 sp.type == types[_] 27 violation := {rotate_certificates | rotate_certificates = sp.info.kubeletRotateCertificatesArgumentSet.values[_]; rotate_certificates == "false"} 28 count(violation) > 0 29 } 30 31 validate_kubelet_rotate_certificates(sp) := {"kubeletRotateCertificatesArgumentSet": rotate_certificates} { 32 sp.kind == "NodeInfo" 33 sp.type == types[_] 34 count(sp.info.kubeletRotateCertificatesArgumentSet.values) == 0 35 rotate_certificates = {} 36 } 37 38 deny[res] { 39 output := validate_kubelet_rotate_certificates(input) 40 msg := "Ensure that the --rotate-certificates argument is not set to false" 41 res := result.new(msg, output) 42 }