github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/general/privilege_escalation_from_node_proxy_test.rego (about)

     1  package builtin.kubernetes.KSV047
     2  
     # Positive case for KSV047: a namespaced Role whose rule grants the `create`
     # verb on the `nodes/proxy` subresource must yield at least one `deny` result.
     # Context (Kubernetes RBAC guidance): `nodes/proxy` access reaches the kubelet
     # API on the node, which is why the grant is treated as privilege escalation.
     test_privilege_escalation_from_node_proxy_create {
     	proxy_rule := {
     		"apiGroups": ["*"],
     		"resources": ["nodes/proxy"],
     		"verbs": ["create"],
     	}

     	role := {
     		"apiVersion": "rbac.authorization.k8s.io/v1",
     		"kind": "Role",
     		"metadata": {"namespace": "default", "name": "pod-reader"},
     		"rules": [proxy_rule],
     	}

     	# `deny` comes from the policy in the same package; it is evaluated with
     	# the fixture substituted for `input`.
     	count(deny) > 0 with input as role
     }
    20  
    # Positive case for KSV047: the `get` verb on `nodes/proxy` is expected to be
    # reported as well, so `deny` must return a non-empty result for this Role.
    test_privilege_escalation_from_node_proxy_get {
    	fixture := {
    		"apiVersion": "rbac.authorization.k8s.io/v1",
    		"kind": "Role",
    		"metadata": {"namespace": "default", "name": "pod-reader"},
    		"rules": [{
    			"apiGroups": ["*"],
    			"resources": ["nodes/proxy"],
    			"verbs": ["get"],
    		}],
    	}

    	findings := deny with input as fixture

    	# At least one violation must be raised for the read verb.
    	count(findings) > 0
    }
    38  
    # Negative case for KSV047: the resource is `nodes/proxy1`, a near miss of
    # `nodes/proxy`, combined with a verb (`create`) that is reported elsewhere in
    # these tests. The policy must return no `deny` result, which pins that a
    # resource name merely beginning with `nodes/proxy` is not matched.
    # NOTE(review): the rule name mentions "secret", but the resource exercised
    # here is `nodes/proxy1` - the name looks carried over from another policy.
    test_privilege_escalation_from_node_proxy_not_secret_resource {
    	near_miss_rule := {
    		"apiGroups": ["*"],
    		"resources": ["nodes/proxy1"],
    		"verbs": ["create"],
    	}

    	role := {
    		"apiVersion": "rbac.authorization.k8s.io/v1",
    		"kind": "Role",
    		"metadata": {"namespace": "default", "name": "pod-reader"},
    		"rules": [near_miss_rule],
    	}

    	count(deny) == 0 with input as role
    }
    56  
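    # Negative case for KSV047: the resource is exactly `nodes/proxy`, but the only
    # verb granted is `update`. The policy is expected to return no `deny` result,
    # i.e. this test pins that `update` on its own is not reported.
    #
    # The rule carries its own name rather than reusing
    # `test_privilege_escalation_from_node_proxy_not_secret_resource`: Rego treats
    # rule bodies that share a name as one rule that holds when any body holds, so
    # (depending on how the OPA version in use runs tests) a shared test name can
    # let one passing body hide a failing one, and the two cases cannot be told
    # apart in the test report.
    #
    # NOTE(review): none of the fixtures visible here covers `kind: ClusterRole`,
    # a wildcard verb (`"*"`) or a wildcard resource; whether the policy reports
    # those cannot be told from this file - confirm against the rule itself.
    test_privilege_escalation_from_node_proxy_update_verb_not_flagged {
    	role := {
    		"apiVersion": "rbac.authorization.k8s.io/v1",
    		"kind": "Role",
    		"metadata": {
    			"namespace": "default",
    			"name": "pod-reader",
    		},
    		"rules": [{
    			"apiGroups": ["*"],
    			"resources": ["nodes/proxy"],
    			"verbs": ["update"],
    		}],
    	}

    	r := deny with input as role

    	# No violation may be raised for a verb outside the reported set.
    	count(r) == 0
    }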