github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/general/manage_kubernetes_rbac_resources_test.rego

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/general/manage_kubernetes_rbac_resources_test.rego (about)

     1  package builtin.kubernetes.KSV050
     2  
     3  test_manage_K8s_RBAC_resources_create {
     4  	r := deny with input as {
     5  		"apiVersion": "rbac.authorization.k8s.io/v1",
     6  		"kind": "Role",
     7  		"metadata": {
     8  			"namespace": "default",
     9  			"name": "pod-reader",
    10  		},
    11  		"rules": [{
    12  			"apiGroups": ["*"],
    13  			"resources": ["roles"],
    14  			"verbs": ["create"],
    15  		}],
    16  	}
    17  
    18  	count(r) > 0
    19  }
    20  
    21  test_manage_K8s_RBAC_resources_create {
    22  	r := deny with input as {
    23  		"apiVersion": "rbac.authorization.k8s.io/v1",
    24  		"kind": "Role",
    25  		"metadata": {
    26  			"namespace": "default",
    27  			"name": "pod-reader",
    28  		},
    29  		"rules": [{
    30  			"apiGroups": ["*"],
    31  			"resources": ["roles"],
    32  			"verbs": ["update"],
    33  		}],
    34  	}
    35  
    36  	count(r) > 0
    37  }
    38  
    39  test_manage_K8s_RBAC_resources_delete {
    40  	r := deny with input as {
    41  		"apiVersion": "rbac.authorization.k8s.io/v1",
    42  		"kind": "Role",
    43  		"metadata": {
    44  			"namespace": "default",
    45  			"name": "pod-reader",
    46  		},
    47  		"rules": [{
    48  			"apiGroups": ["*"],
    49  			"resources": ["roles"],
    50  			"verbs": ["update"],
    51  		}],
    52  	}
    53  
    54  	count(r) > 0
    55  }
    56  
    57  test_manage_K8s_RBAC_resources_deletecollection {
    58  	r := deny with input as {
    59  		"apiVersion": "rbac.authorization.k8s.io/v1",
    60  		"kind": "Role",
    61  		"metadata": {
    62  			"namespace": "default",
    63  			"name": "pod-reader",
    64  		},
    65  		"rules": [{
    66  			"apiGroups": ["*"],
    67  			"resources": ["rolebindings"],
    68  			"verbs": ["deletecollection"],
    69  		}],
    70  	}
    71  
    72  	count(r) > 0
    73  }
    74  
    75  test_manage_K8s_RBAC_resources_deletecollection {
    76  	r := deny with input as {
    77  		"apiVersion": "rbac.authorization.k8s.io/v1",
    78  		"kind": "Role",
    79  		"metadata": {
    80  			"namespace": "default",
    81  			"name": "pod-reader",
    82  		},
    83  		"rules": [{
    84  			"apiGroups": ["*"],
    85  			"resources": ["rolebindings"],
    86  			"verbs": ["impersonate"],
    87  		}],
    88  	}
    89  
    90  	count(r) > 0
    91  }
    92  
    93  test_manage_K8s_RBAC_resources_all {
    94  	r := deny with input as {
    95  		"apiVersion": "rbac.authorization.k8s.io/v1",
    96  		"kind": "Role",
    97  		"metadata": {
    98  			"namespace": "default",
    99  			"name": "pod-reader",
   100  		},
   101  		"rules": [{
   102  			"apiGroups": ["*"],
   103  			"resources": ["rolebindings"],
   104  			"verbs": ["*"],
   105  		}],
   106  	}
   107  
   108  	count(r) > 0
   109  }
   110  
   111  test_manage_K8s_RBAC_resources_all {
   112  	r := deny with input as {
   113  		"apiVersion": "rbac.authorization.k8s.io/v1",
   114  		"kind": "Role",
   115  		"metadata": {
   116  			"namespace": "default",
   117  			"name": "pod-reader",
   118  		},
   119  		"rules": [{
   120  			"apiGroups": ["*"],
   121  			"resources": ["rolebindings1"],
   122  			"verbs": ["*"],
   123  		}],
   124  	}
   125  
   126  	count(r) == 0
   127  }