
     1  package builtin.kubernetes.KSV053
     2  
     3  test_getting_shell_on_pods {
     4  	r := deny with input as {
     5  		"apiVersion": "rbac.authorization.k8s.io/v1",
     6  		"kind": "Role",
     7  		"metadata": {
     8  			"namespace": "default",
     9  			"name": "pod-reader",
    10  		},
    11  		"rules": [{
    12  			"apiGroups": ["*"],
    13  			"resources": ["pods/exec"],
    14  			"verbs": ["create"],
    15  		}],
    16  	}
    17  
    18  	count(r) == 1
    19  }
    20  
    21  test_getting_shell_on_pods_no_pod_exec {
    22  	r := deny with input as {
    23  		"apiVersion": "rbac.authorization.k8s.io/v1",
    24  		"kind": "Role",
    25  		"metadata": {
    26  			"namespace": "default",
    27  			"name": "pod-reader",
    28  		},
    29  		"rules": [{
    30  			"apiGroups": ["*"],
    31  			"resources": ["pods/exec1"],
    32  			"verbs": ["create"],
    33  		}],
    34  	}
    35  
    36  	count(r) == 0
    37  }
    38  
    39  test_getting_shell_on_pods_no_verb_create {
    40  	r := deny with input as {
    41  		"apiVersion": "rbac.authorization.k8s.io/v1",
    42  		"kind": "Role",
    43  		"metadata": {
    44  			"namespace": "default",
    45  			"name": "pod-reader",
    46  		},
    47  		"rules": [{
    48  			"apiGroups": ["*"],
    49  			"resources": ["pods/exec"],
    50  			"verbs": ["create1"],
    51  		}],
    52  	}
    53  
    54  	count(r) == 0
    55  }
    56  
    57  test_getting_shell_on_pods_no_resource_pod {
    58  	r := deny with input as {
    59  		"apiVersion": "rbac.authorization.k8s.io/v1",
    60  		"kind": "Role",
    61  		"metadata": {
    62  			"namespace": "default",
    63  			"name": "pod-reader",
    64  		},
    65  		"rules": [{
    66  			"apiGroups": ["*"],
    67  			"resources": ["pods/exec"],
    68  			"verbs": ["create1"],
    69  		}],
    70  	}
    71  
    72  	count(r) == 0
    73  }
    74  
    75  test_getting_shell_on_pods_no_verb_get {
    76  	r := deny with input as {
    77  		"apiVersion": "rbac.authorization.k8s.io/v1",
    78  		"kind": "Role",
    79  		"metadata": {
    80  			"namespace": "default",
    81  			"name": "pod-reader",
    82  		},
    83  		"rules": [{
    84  			"apiGroups": ["*"],
    85  			"resources": ["pods/exec"],
    86  			"verbs": ["create1"],
    87  		}],
    88  	}
    89  
    90  	count(r) == 0
    91  }