
     1  package builtin.kubernetes.KSV054
     2  
     3  test_getting_shell_on_pods {
     4  	r := deny with input as {
     5  		"apiVersion": "rbac.authorization.k8s.io/v1",
     6  		"kind": "Role",
     7  		"metadata": {
     8  			"namespace": "default",
     9  			"name": "pod-reader",
    10  		},
    11  		"rules": [
    12  			{
    13  				"apiGroups": ["*"],
    14  				"resources": ["pods/attach"],
    15  				"verbs": ["create"],
    16  			},
    17  			{
    18  				"apiGroups": ["*"],
    19  				"resources": ["pods"],
    20  				"verbs": ["get"],
    21  			},
    22  		],
    23  	}
    24  
    25  	count(r) == 1
    26  }
    27  
    28  test_getting_shell_on_pods_no_pod_exec {
    29  	r := deny with input as {
    30  		"apiVersion": "rbac.authorization.k8s.io/v1",
    31  		"kind": "Role",
    32  		"metadata": {
    33  			"namespace": "default",
    34  			"name": "pod-reader",
    35  		},
    36  		"rules": [
    37  			{
    38  				"apiGroups": ["*"],
    39  				"resources": ["pods/attach1"],
    40  				"verbs": ["create"],
    41  			},
    42  			{
    43  				"apiGroups": ["*"],
    44  				"resources": ["pods"],
    45  				"verbs": ["get"],
    46  			},
    47  		],
    48  	}
    49  
    50  	count(r) == 0
    51  }
    52  
    53  test_getting_shell_on_pods_no_verb_create {
    54  	r := deny with input as {
    55  		"apiVersion": "rbac.authorization.k8s.io/v1",
    56  		"kind": "Role",
    57  		"metadata": {
    58  			"namespace": "default",
    59  			"name": "pod-reader",
    60  		},
    61  		"rules": [
    62  			{
    63  				"apiGroups": ["*"],
    64  				"resources": ["pods/attach"],
    65  				"verbs": ["create1"],
    66  			},
    67  			{
    68  				"apiGroups": ["*"],
    69  				"resources": ["pods"],
    70  				"verbs": ["get"],
    71  			},
    72  		],
    73  	}
    74  
    75  	count(r) == 0
    76  }
    77  
    78  test_getting_shell_on_pods_no_resource_pod {
    79  	r := deny with input as {
    80  		"apiVersion": "rbac.authorization.k8s.io/v1",
    81  		"kind": "Role",
    82  		"metadata": {
    83  			"namespace": "default",
    84  			"name": "pod-reader",
    85  		},
    86  		"rules": [
    87  			{
    88  				"apiGroups": ["*"],
    89  				"resources": ["pods/attach"],
    90  				"verbs": ["create1"],
    91  			},
    92  			{
    93  				"apiGroups": ["*"],
    94  				"resources": ["pods1"],
    95  				"verbs": ["get"],
    96  			},
    97  		],
    98  	}
    99  
   100  	count(r) == 0
   101  }
   102  
   103  test_getting_shell_on_pods_no_verb_get {
   104  	r := deny with input as {
   105  		"apiVersion": "rbac.authorization.k8s.io/v1",
   106  		"kind": "Role",
   107  		"metadata": {
   108  			"namespace": "default",
   109  			"name": "pod-reader",
   110  		},
   111  		"rules": [
   112  			{
   113  				"apiGroups": ["*"],
   114  				"resources": ["pods/attach"],
   115  				"verbs": ["create1"],
   116  			},
   117  			{
   118  				"apiGroups": ["*"],
   119  				"resources": ["pods"],
   120  				"verbs": ["get1"],
   121  			},
   122  		],
   123  	}
   124  
   125  	count(r) == 0
   126  }