
     1  # METADATA
     2  # title: "Manage configmaps"
# description: "Some workloads use configmaps to store sensitive data or configuration parameters that affect runtime behavior. A subject that can write configmaps can modify that data, which on its own or combined with another weakness can lead to compromise."
     4  # scope: package
     5  # schemas:
     6  # - input: schema["kubernetes"]
     7  # related_resources:
     8  # - https://kubernetes.io/docs/concepts/security/rbac-good-practices/
     9  # custom:
    10  #   id: KSV049
    11  #   avd_id: AVD-KSV-0049
    12  #   severity: MEDIUM
    13  #   short_code: no-manage-configmaps
    14  #   recommended_action: "Remove write permission verbs for resource 'configmaps'"
    15  #   input:
    16  #     selector:
    17  #     - type: kubernetes
    18  package builtin.kubernetes.KSV049
    19  
    20  import data.lib.kubernetes
    21  import data.lib.utils
    22  
    23  readVerbs := ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"]
    24  
    25  readKinds := ["Role", "ClusterRole"]
    26  
    27  readResource = "configmaps"
    28  
    29  manageConfigmaps[input.rules[ru]] {
    30  	some ru, r, v
    31  	input.kind == readKinds[_]
    32  	input.rules[ru].resources[r] == readResource
    33  	input.rules[ru].verbs[v] == readVerbs[_]
    34  }
    35  
    36  deny[res] {
    37  	badRule := manageConfigmaps[_]
    38  	msg := kubernetes.format(sprintf("%s '%s' should not have access to resource '%s' for verbs %s", [kubernetes.kind, kubernetes.name, readResource, readVerbs]))
    39  	res := result.new(msg, badRule)
    40  }