package builtin.kubernetes.KSV115

# Tests for KSV115 (manage EKS IAM auth ConfigMap).
#
# Every positive case is a namespaced Role with a single RBAC rule that
# names the "aws-auth" ConfigMap and grants exactly one verb; the policy
# is expected to emit at least one denial for each write-capable verb
# (create, update, patch, delete, deletecollection, impersonate, "*").
# The single negative case uses a verb the policy should not recognise
# and expects no denial.
#
# NOTE(review): no case here exercises kind ClusterRole, a rule without
# resourceNames, or a read-only verb such as "get"; confirm the policy's
# intended result for those shapes before adding them as fixtures.

# role_with_verbs builds the Role fixture shared by every test. Only the
# verb list varies between cases; everything else (api group wildcard,
# "configmaps" resource, "aws-auth" resource name) is held constant.
role_with_verbs(verbs) = {
	"apiVersion": "rbac.authorization.k8s.io/v1",
	"kind": "Role",
	"metadata": {
		"namespace": "default",
		"name": "pod-reader",
	},
	"rules": [{
		"apiGroups": ["*"],
		"resources": ["configmaps"],
		"verbs": verbs,
		"resourceNames": ["aws-auth"],
	}],
}

# "create" on aws-auth is flagged.
test_manageEKSIAMAuthConfigmap_verb_create {
	role := role_with_verbs(["create"])
	r := deny with input as role
	count(r) > 0
}

# "update" on aws-auth is flagged.
test_manageEKSIAMAuthConfigmap_verb_update {
	role := role_with_verbs(["update"])
	r := deny with input as role
	count(r) > 0
}

# "patch" on aws-auth is flagged.
test_manageEKSIAMAuthConfigmap_verb_patch {
	role := role_with_verbs(["patch"])
	r := deny with input as role
	count(r) > 0
}

# "delete" on aws-auth is flagged.
test_manageEKSIAMAuthConfigmap_verb_delete {
	role := role_with_verbs(["delete"])
	r := deny with input as role
	count(r) > 0
}

# "deletecollection" on aws-auth is flagged.
test_manageEKSIAMAuthConfigmap_verb_deletecollection {
	role := role_with_verbs(["deletecollection"])
	r := deny with input as role
	count(r) > 0
}

# "impersonate" on aws-auth is flagged.
test_manageEKSIAMAuthConfigmap_verb_impersonate {
	role := role_with_verbs(["impersonate"])
	r := deny with input as role
	count(r) > 0
}

# The wildcard verb implies every write verb and is flagged.
test_manageEKSIAMAuthConfigmap_verb_all {
	role := role_with_verbs(["*"])
	r := deny with input as role
	count(r) > 0
}

# A verb outside the managed set produces no denial.
test_manageEKSIAMAuthConfigmap_verb_wrong {
	role := role_with_verbs(["just"])
	r := deny with input as role
	count(r) == 0
}