github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/general/manage_kubernetes_networking_test.rego (about) 1 package builtin.kubernetes.KSV056 2 3 test_manage_manage_kubernetes_networking_create { 4 r := deny with input as { 5 "apiVersion": "rbac.authorization.k8s.io/v1", 6 "kind": "Role", 7 "metadata": { 8 "namespace": "default", 9 "name": "pod-reader", 10 }, 11 "rules": [{ 12 "apiGroups": ["*"], 13 "resources": ["services"], 14 "verbs": ["create"], 15 }], 16 } 17 18 count(r) > 0 19 } 20 21 test_manage_manage_kubernetes_networking_update { 22 r := deny with input as { 23 "apiVersion": "rbac.authorization.k8s.io/v1", 24 "kind": "Role", 25 "metadata": { 26 "namespace": "default", 27 "name": "pod-reader", 28 }, 29 "rules": [{ 30 "apiGroups": ["*"], 31 "resources": ["endpoints"], 32 "verbs": ["update"], 33 }], 34 } 35 36 count(r) > 0 37 } 38 39 test_manage_manage_kubernetes_networking_delete { 40 r := deny with input as { 41 "apiVersion": "rbac.authorization.k8s.io/v1", 42 "kind": "Role", 43 "metadata": { 44 "namespace": "default", 45 "name": "pod-reader", 46 }, 47 "rules": [{ 48 "apiGroups": ["*"], 49 "resources": ["endpointslices"], 50 "verbs": ["delete"], 51 }], 52 } 53 54 count(r) > 0 55 } 56 57 test_manage_manage_kubernetes_networking_deletecollection { 58 r := deny with input as { 59 "apiVersion": "rbac.authorization.k8s.io/v1", 60 "kind": "Role", 61 "metadata": { 62 "namespace": "default", 63 "name": "pod-reader", 64 }, 65 "rules": [{ 66 "apiGroups": ["*"], 67 "resources": ["networkpolicies"], 68 "verbs": ["deletecollection"], 69 }], 70 } 71 72 count(r) > 0 73 } 74 75 test_manage_manage_kubernetes_networking_impersonate { 76 r := deny with input as { 77 "apiVersion": "rbac.authorization.k8s.io/v1", 78 "kind": "Role", 79 "metadata": { 80 "namespace": "default", 81 "name": "pod-reader", 82 }, 83 "rules": [{ 84 "apiGroups": ["*"], 85 "resources": ["ingresses"], 86 "verbs": ["impersonate"], 87 }], 88 } 89 90 count(r) > 0 91 } 92 93 test_manage_manage_kubernetes_networking_all { 94 r := deny with input as { 95 "apiVersion": "rbac.authorization.k8s.io/v1", 96 "kind": "Role", 97 "metadata": { 98 "namespace": "default", 99 "name": "pod-reader", 100 }, 101 "rules": [{ 102 "apiGroups": ["*"], 103 "resources": ["ingresses"], 104 "verbs": ["*"], 105 }], 106 } 107 108 count(r) > 0 109 } 110 111 test_manage_manage_kubernetes_networking_wrong_verb { 112 r := deny with input as { 113 "apiVersion": "rbac.authorization.k8s.io/v1", 114 "kind": "Role", 115 "metadata": { 116 "namespace": "default", 117 "name": "pod-reader", 118 }, 119 "rules": [{ 120 "apiGroups": ["*"], 121 "resources": ["ingresses"], 122 "verbs": ["aa"], 123 }], 124 } 125 126 count(r) == 0 127 } 128 129 test_manage_manage_kubernetes_networking_wrong_resource { 130 r := deny with input as { 131 "apiVersion": "rbac.authorization.k8s.io/v1", 132 "kind": "Role", 133 "metadata": { 134 "namespace": "default", 135 "name": "pod-reader", 136 }, 137 "rules": [{ 138 "apiGroups": ["*"], 139 "resources": ["services1"], 140 "verbs": ["*"], 141 }], 142 } 143 144 count(r) == 0 145 }