# METADATA
# title: "Tiller Is Deployed"
# description: "Check if Helm Tiller component is deployed."
# scope: package
# schemas:
# - input: schema["kubernetes"]
# custom:
#   id: KSV102
#   avd_id: AVD-KSV-0102
#   severity: CRITICAL
#   short_code: no-tiller
#   recommended_action: "Migrate to Helm v3 which no longer has Tiller component"
#   input:
#     selector:
#     - type: kubernetes
package builtin.kubernetes.KSV102

import data.lib.kubernetes

# tillerDeployed is the set of objects that look like Helm v2's Tiller:
# a container under a resource whose own metadata matches, a container
# whose image reference mentions "tiller", or a pod whose metadata matches.
# Each object in the set becomes one finding in `deny`.

# Resource-level metadata (name / labels) identifies Tiller: every
# container of that resource is reported.
tillerDeployed[c] {
	checkMetadata(input.metadata)
	c := kubernetes.containers[_]
}

# The image reference itself names tiller. Substring match, so any
# registry, repository path or tag form that carries the word is caught.
tillerDeployed[c] {
	c := kubernetes.containers[_]
	contains(c.image, "tiller")
}

# Pod-level metadata (name / labels) identifies Tiller.
tillerDeployed[p] {
	p := kubernetes.pods[_]
	checkMetadata(p.metadata)
}

# getName returns the display name of a flagged object. Pods carry it at
# metadata.name, containers at name; an object that carried both would
# make the two heads conflict, but the inputs above never do.
getName(o) = n {
	n := o.metadata.name
}

getName(o) = n {
	n := o.name
}

# checkMetadata is true when a metadata object looks like Tiller's.

# Resource name mentions tiller (substring, e.g. "tiller-deploy").
checkMetadata(m) {
	contains(m.name, "tiller")
}

# The `app: helm` label. This is wider than Tiller itself: any workload
# labelled app=helm is flagged, which is a deliberate trade-off towards
# catching renamed Tiller deployments.
checkMetadata(m) {
	m.labels.app == "helm"
}

# The `name: tiller` label.
checkMetadata(m) {
	m.labels.name == "tiller"
}

# deny emits one finding per object in tillerDeployed, naming the object,
# the owning resource kind/name and its namespace.
deny[res] {
	o := tillerDeployed[_]
	msg := kubernetes.format(sprintf(
		"container '%s' of %s '%s' in '%s' namespace shouldn't have tiller deployed",
		[getName(o), lower(kubernetes.kind), kubernetes.name, kubernetes.namespace],
	))
	res := result.new(msg, o)
}