package builtin.kubernetes.KSV006

# Positive case: a Pod with a single busybox container and no volumes at all
# must not be reported by the KSV006 `deny` rule.
test_docker_socket_not_mounted_allowed {
	pod := {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {"name": "hello-docker-socket"},
		"spec": {"containers": [{
			"command": [
				"sh",
				"-c",
				"echo 'Hello' && sleep 1h",
			],
			"image": "busybox",
			"name": "hello",
		}]},
	}

	findings := deny with input as pod

	# No volumes => no finding.
	count(findings) == 0
}

# Negative case: the same Pod, but with a hostPath volume pointing at the
# Docker daemon socket, must produce exactly one finding with the expected
# message text.
test_docker_socket_mounted_denied {
	pod := {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {"name": "hello-docker-socket"},
		"spec": {
			"containers": [{
				"command": [
					"sh",
					"-c",
					"echo 'Hello' && sleep 1h",
				],
				"image": "busybox",
				"name": "hello",
			}],
			# Mounting the host's Docker socket lets a container drive the
			# daemon on the node; this is the condition KSV006 exists to flag.
			"volumes": [{
				"name": "test-volume",
				"hostPath": {
					"path": "/var/run/docker.sock",
					"type": "Directory",
				},
			}],
		},
	}

	findings := deny with input as pod

	# Exactly one finding, and its message must match the rule's text verbatim.
	count(findings) == 1

	# NOTE(review): the expected string below is asserted byte-for-byte against
	# the rule's message, so it reproduces the rule's current wording exactly
	# ('docker.socker', 'spec.template.volumes.hostPath.path'). Any wording fix
	# has to be made in the rule first, then mirrored here.
	findings[_].msg == "Pod 'hello-docker-socket' should not specify '/var/run/docker.socker' in 'spec.template.volumes.hostPath.path'"
}