package builtin.kubernetes.KSV014

# Tests for KSV014: every container should set
# securityContext.readOnlyRootFilesystem to true. A writable root
# filesystem lets a compromised process modify the container's own
# image contents at runtime; a read-only root is a low-cost hardening step.

# Minimal container reused by every case below. Individual tests merge
# in the securityContext variant under examination.
hello_container := {
	"command": [
		"sh",
		"-c",
		"echo 'Hello' && sleep 1h",
	],
	"image": "busybox",
	"name": "hello",
}

# Wraps a single container in the Pod manifest shared by all tests.
hello_pod(container) := {
	"apiVersion": "v1",
	"kind": "Pod",
	"metadata": {"name": "hello-fs-not-readonly"},
	"spec": {"containers": [container]},
}

# Message the rule is expected to emit for every denial in this file.
expected_msg := "Container 'hello' of Pod 'hello-fs-not-readonly' should set 'securityContext.readOnlyRootFilesystem' to true"

# No securityContext at all: the rule treats an unset field as a finding.
test_read_only_root_file_system_not_set_denied {
	pod := hello_pod(hello_container)
	results := deny with input as pod

	count(results) == 1
	results[_].msg == expected_msg
}

# readOnlyRootFilesystem explicitly set to false: still a finding.
test_read_only_root_file_system_false_denied {
	container := object.union(hello_container, {"securityContext": {"readOnlyRootFilesystem": false}})
	pod := hello_pod(container)
	results := deny with input as pod

	count(results) == 1
	results[_].msg == expected_msg
}

# readOnlyRootFilesystem set to true: compliant, no findings.
test_read_only_root_file_system_true_allowed {
	container := object.union(hello_container, {"securityContext": {"readOnlyRootFilesystem": true}})
	pod := hello_pod(container)
	results := deny with input as pod

	count(results) == 0
}