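package builtin.kubernetes.KSV045

# Tests for KSV045: a Role must not grant the wildcard verb ("*") on sensitive
# resource types. The positive cases enumerate the resource types the policy is
# expected to flag; the two negative cases pin the policy's scope (no finding
# for an unlisted resource, no finding when no "*" verb is granted).
#
# Every resource type appears in exactly one test. Rego merges the bodies of
# same-named rules, so a duplicated test name (the file previously carried two
# identical test_any_verb_role_groups rules) silently adds no coverage and is
# exactly the kind of slip the shared fixture below is meant to make visible.
#
# NOTE(review): coverage gaps to confirm against the policy itself, not settled here:
#   - only kind "Role" is exercised; whether a "ClusterRole" with "*" verbs is
#     flagged is untested, and that is the higher-impact case (cluster-wide scope).
#   - "*" mixed with other verbs (e.g. ["get", "*"]) is untested; a policy that
#     compared the whole verb list against ["*"] would miss it.
#   - resources ["*"] with verbs ["*"] is untested; the "aaa" negative case shows
#     the policy is scoped to a resource list, so a wildcard resource may not be
#     caught by this check unless another policy covers it.

# Builds the minimal Role fixture used by every test: a single RBAC rule over
# all apiGroups with the given resources and verbs. Centralising the fixture
# means a test differs from its neighbours only in the arguments it passes.
role_with_rule(resources, verbs) := {
	"apiVersion": "rbac.authorization.k8s.io/v1",
	"kind": "Role",
	"metadata": {
		"namespace": "default",
		"name": "pod-reader",
	},
	"rules": [{
		"apiGroups": ["*"],
		"resources": resources,
		"verbs": verbs,
	}],
}

# A Role granting the wildcard verb on exactly one resource type.
role_with_any_verb(resource) := role_with_rule([resource], ["*"])

# True when `deny` yields at least one result for a Role granting "*" on `resource`.
# The input is bound to a local first so the `with` value is a plain term.
denies_any_verb_on(resource) {
	role := role_with_any_verb(resource)
	r := deny with input as role
	count(r) > 0
}

test_any_verb_role_secrets {
	denies_any_verb_on("secrets")
}

test_any_verb_role_pods {
	denies_any_verb_on("pods")
}

test_any_verb_role_deployments {
	denies_any_verb_on("deployments")
}

test_any_verb_role_daemonsets {
	denies_any_verb_on("daemonsets")
}

test_any_verb_role_statefulsets {
	denies_any_verb_on("statefulsets")
}

test_any_verb_role_replicationcontrollers {
	denies_any_verb_on("replicationcontrollers")
}

test_any_verb_role_replicasets {
	denies_any_verb_on("replicasets")
}

test_any_verb_role_cronjobs {
	denies_any_verb_on("cronjobs")
}

test_any_verb_role_jobs {
	denies_any_verb_on("jobs")
}

test_any_verb_role_clusterroles {
	denies_any_verb_on("clusterroles")
}

test_any_verb_role_roles {
	denies_any_verb_on("roles")
}

test_any_verb_role_rolebindings {
	denies_any_verb_on("rolebindings")
}

test_any_verb_role_clusterrolebindings {
	denies_any_verb_on("clusterrolebindings")
}

test_any_verb_role_users {
	denies_any_verb_on("users")
}

test_any_verb_role_groups {
	denies_any_verb_on("groups")
}

# Negative case: a "*" verb on a resource type outside the policy's list is not
# a finding. This pins the policy to its resource list rather than to any "*".
test_any_verb_role_no_specific_resource {
	role := role_with_rule(["aaa"], ["*"])
	r := deny with input as role
	count(r) == 0
}

# Negative case: a wildcard resource with a non-wildcard verb is not a finding;
# the check is about the verb, not the resource wildcard.
test_any_verb_role_no_any_verb {
	role := role_with_rule(["*"], ["aaa"])
	r := deny with input as role
	count(r) == 0
}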