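package builtin.kubernetes.KSV048

# Tests for KSV048 (allowing to update a malicious pod).
#
# Every case is the same namespaced Role, differing only in the resource and
# the verb granted by its single rule, so the fixture is built once by
# role_with/2 instead of being copied per test. Two defects in the copied
# version are fixed here:
#   - the "update" test for replicationcontrollers actually used "statefulsets";
#   - the "create" tests reused the names of the "update" tests. Rego merges
#     same-named rules, so a failing body is masked when its sibling passes.
#     The create cases now carry a distinct "_create" suffix.

# role_with returns a Role in namespace "default" granting `verb` on `resource`
# across all API groups. It is the `input` document for every test below.
role_with(resource, verb) := {
	"apiVersion": "rbac.authorization.k8s.io/v1",
	"kind": "Role",
	"metadata": {
		"namespace": "default",
		"name": "pod-reader",
	},
	"rules": [{
		"apiGroups": ["*"],
		"resources": [resource],
		"verbs": [verb],
	}],
}

# --- verb "update" on a workload controller is denied ---

test_update_malicious_pod_deployments {
	doc := role_with("deployments", "update")
	r := deny with input as doc
	count(r) > 0
}

test_update_malicious_pod_daemonsets {
	doc := role_with("daemonsets", "update")
	r := deny with input as doc
	count(r) > 0
}

test_update_malicious_pod_statefulsets {
	doc := role_with("statefulsets", "update")
	r := deny with input as doc
	count(r) > 0
}

test_update_malicious_pod_replicationcontrollers {
	# Previously granted "statefulsets" here by copy-paste, leaving this
	# resource untested for "update".
	doc := role_with("replicationcontrollers", "update")
	r := deny with input as doc
	count(r) > 0
}

test_update_malicious_pod_replicasets {
	doc := role_with("replicasets", "update")
	r := deny with input as doc
	count(r) > 0
}

test_update_malicious_pod_cronjobs {
	doc := role_with("cronjobs", "update")
	r := deny with input as doc
	count(r) > 0
}

# A resource name that is not one of the workload kinds above is not denied,
# even with a mutating verb. (The name says "secret", but the fixture uses the
# non-matching resource "deployments1".)
test_update_malicious_pod_not_secret_resource {
	doc := role_with("deployments1", "update")
	r := deny with input as doc
	count(r) == 0
}

# --- verb "create" on a workload controller is denied ---

test_update_malicious_pod_deployments_create {
	doc := role_with("deployments", "create")
	r := deny with input as doc
	count(r) > 0
}

test_update_malicious_pod_daemonsets_create {
	doc := role_with("daemonsets", "create")
	r := deny with input as doc
	count(r) > 0
}

test_update_malicious_pod_statefulsets_create {
	doc := role_with("statefulsets", "create")
	r := deny with input as doc
	count(r) > 0
}

test_update_malicious_pod_replicationcontrollers_create {
	doc := role_with("replicationcontrollers", "create")
	r := deny with input as doc
	count(r) > 0
}

test_update_malicious_pod_replicasets_create {
	doc := role_with("replicasets", "create")
	r := deny with input as doc
	count(r) > 0
}

test_update_malicious_pod_jobs_create {
	doc := role_with("jobs", "create")
	r := deny with input as doc
	count(r) > 0
}

test_update_malicious_pod_cronjobs_create {
	doc := role_with("cronjobs", "create")
	r := deny with input as doc
	count(r) > 0
}

# --- other verbs ---

test_update_malicious_pod_deletecollection {
	doc := role_with("cronjobs", "deletecollection")
	r := deny with input as doc
	count(r) > 0
}

# NOTE(review): the three negative cases below grant their verb on "job"
# (singular), which is not one of the resource names the positive cases use
# ("jobs" is). count(r) == 0 therefore holds because of the resource, not the
# verb, and these tests do not show how delete/patch/impersonate on a real
# workload resource are treated — confirm against the policy before relying on
# them as verb coverage.

test_update_malicious_pod_delete {
	doc := role_with("job", "delete")
	r := deny with input as doc
	count(r) == 0
}

test_update_malicious_pod_patch {
	doc := role_with("job", "patch")
	r := deny with input as doc
	count(r) == 0
}

test_update_malicious_pod_impersonate {
	doc := role_with("job", "impersonate")
	r := deny with input as doc
	count(r) == 0
}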