github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/general/SYS_ADMIN_capability_test.rego (about)

# Unit tests for KSV005: a container must not add the SYS_ADMIN capability
# via securityContext.capabilities.add. The `deny` rule under test lives in
# the policy file of the same package.
package builtin.kubernetes.KSV005
     2  
     3  test_cap_without_sys_admin_allowed {
     4  	r := deny with input as {
     5  		"apiVersion": "v1",
     6  		"kind": "Pod",
     7  		"metadata": {"name": "hello-sys-admin-capabilities"},
     8  		"spec": {"containers": [{
     9  			"command": [
    10  				"sh",
    11  				"-c",
    12  				"echo 'Hello' && sleep 1h",
    13  			],
    14  			"image": "busybox",
    15  			"name": "hello",
    16  		}]},
    17  	}
    18  
    19  	count(r) == 0
    20  }
    21  
    22  test_cap_add_sys_admin_denied {
    23  	r := deny with input as {
    24  		"apiVersion": "v1",
    25  		"kind": "Pod",
    26  		"metadata": {"name": "hello-sys-admin-capabilities"},
    27  		"spec": {"containers": [{
    28  			"command": [
    29  				"sh",
    30  				"-c",
    31  				"echo 'Hello' && sleep 1h",
    32  			],
    33  			"image": "busybox",
    34  			"name": "hello",
    35  			"securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}},
    36  		}]},
    37  	}
    38  
    39  	count(r) == 1
    40  	r[_].msg == "Container 'hello' of Pod 'hello-sys-admin-capabilities' should not include 'SYS_ADMIN' in 'securityContext.capabilities.add'"
    41  }