github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/general/runs_with_GID_le_10000.rego (about) 1 # METADATA 2 # title: "Runs with GID <= 10000" 3 # description: "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table." 4 # scope: package 5 # schemas: 6 # - input: schema["kubernetes"] 7 # related_resources: 8 # - https://kubesec.io/basics/containers-securitycontext-runasuser/ 9 # custom: 10 # id: KSV021 11 # avd_id: AVD-KSV-0021 12 # severity: LOW 13 # short_code: use-high-gid 14 # recommended_action: "Set 'containers[].securityContext.runAsGroup' to an integer > 10000." 15 # input: 16 # selector: 17 # - type: kubernetes 18 package builtin.kubernetes.KSV021 19 20 import data.lib.kubernetes 21 import data.lib.utils 22 23 default failRunAsGroup = false 24 25 # getGroupIdContainers returns the names of all containers which have 26 # securityContext.runAsGroup less than or equal to 10000. 27 getGroupIdContainers[container] { 28 container := kubernetes.containers[_] 29 container.securityContext.runAsGroup <= 10000 30 } 31 32 # getGroupIdContainers returns the names of all containers which do 33 # not have securityContext.runAsGroup set. 34 getGroupIdContainers[container] { 35 container := kubernetes.containers[_] 36 not utils.has_key(container.securityContext, "runAsGroup") 37 } 38 39 # getGroupIdContainers returns the names of all containers which do 40 # not have securityContext set. 41 getGroupIdContainers[container] { 42 container := kubernetes.containers[_] 43 not utils.has_key(container, "securityContext") 44 } 45 46 deny[res] { 47 output := getGroupIdContainers[_] 48 msg := kubernetes.format(sprintf("Container '%s' of %s '%s' should set 'securityContext.runAsGroup' > 10000", [output.name, kubernetes.kind, kubernetes.name])) 49 res := result.new(msg, output) 50 }