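package builtin.kubernetes.KSV020

# Tests for KSV020 (runs with UID <= 10000).
#
# The deny message produced by the rule states that
# 'securityContext.runAsUser' must be > 10000, so the value 10000 itself is on
# the denied side of the boundary and is covered explicitly below, as is the
# first allowed value, 10001.

# Expected deny message for the single container / Pod used in every test.
expected_msg = "Container 'hello' of Pod 'hello-uid' should set 'securityContext.runAsUser' > 10000"

# Builds the Pod manifest used by every test around the given container
# object, so that each test only varies the container's securityContext.
pod_with_container(container) = {
	"apiVersion": "v1",
	"kind": "Pod",
	"metadata": {"name": "hello-uid"},
	"spec": {"containers": [container]},
}

# Builds the test container with the given securityContext object.
container_with_security_context(sc) = {
	"command": [
		"sh",
		"-c",
		"echo 'Hello' && sleep 1h",
	],
	"image": "busybox",
	"name": "hello",
	"securityContext": sc,
}

# A UID well above the threshold is not flagged.
test_UID_gt_10000_allowed {
	r := deny with input as pod_with_container(container_with_security_context({"runAsUser": 10004}))

	count(r) == 0
}

# The first allowed value: 10001 is strictly greater than 10000.
test_UID_10001_allowed {
	r := deny with input as pod_with_container(container_with_security_context({"runAsUser": 10001}))

	count(r) == 0
}

# A container without any securityContext (and therefore no runAsUser) is
# flagged: absence of the field is treated the same as a low UID.
test_no_run_as_user_denied {
	r := deny with input as pod_with_container({
		"command": [
			"sh",
			"-c",
			"echo 'Hello' && sleep 1h",
		],
		"image": "busybox",
		"name": "hello",
	})

	count(r) == 1
	r[_].msg == expected_msg
}

# Boundary value: 10000 is not > 10000 and must be denied.
test_UID_10000_denied {
	r := deny with input as pod_with_container(container_with_security_context({"runAsUser": 10000}))

	count(r) == 1
	r[_].msg == expected_msg
}

# A low non-root UID is flagged.
test_low_uid_denied {
	r := deny with input as pod_with_container(container_with_security_context({"runAsUser": 100}))

	count(r) == 1
	r[_].msg == expected_msg
}

# Root (UID 0) is flagged.
test_zero_uid_denied {
	r := deny with input as pod_with_container(container_with_security_context({"runAsUser": 0}))

	count(r) == 1
	r[_].msg == expected_msg
}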