package builtin.kubernetes.KSV102

# Unit tests for KSV102 ("Tiller is deployed").
#
# Each positive case builds a Deployment manifest that differs from the
# negative baseline in exactly one place (container image, Deployment
# name, pod-template name, or pod-template `app` label) and expects the
# `deny` rule to produce at least one result. The final case is the
# baseline itself and must produce none.
#
# NOTE(review): no case exercises a registry- or tag-qualified image
# (e.g. `<registry>/tiller:<tag>`); whether `deny` matches those is not
# visible from this file and should be confirmed against the rule.

# Positive: a container runs an image literally named "tiller".
test_tiller_deployed_by_image {
	violations := deny with input as {
		"kind": "Deployment",
		"apiVersion": "apps/v1",
		"metadata": {"name": "mongo-deployment"},
		"spec": {"template": {"spec": {
			"initContainers": [{
				"name": "init-svc",
				"image": "busybox:1.28",
				"securityContext": {"allowPrivilegeEscalation": false},
			}],
			"containers": [{
				"name": "carts-db",
				"image": "tiller",
				"securityContext": {
					"allowPrivilegeEscalation": true,
					"runAsNonRoot": true,
				},
			}],
		}}},
	}

	count(violations) > 0
}

# Positive: the Deployment's own metadata.name contains "tiller".
test_tiller_deployed_by_metadata_name {
	violations := deny with input as {
		"kind": "Deployment",
		"apiVersion": "apps/v1beta2",
		"metadata": {"name": "app-run-tiller-middle"},
		"spec": {"template": {"spec": {
			"initContainers": [{
				"name": "init-svc",
				"image": "busybox:1.28",
				"securityContext": {"allowPrivilegeEscalation": false},
			}],
			"containers": [{
				"name": "carts-db",
				"image": "mongo",
				"securityContext": {
					"allowPrivilegeEscalation": true,
					"runAsNonRoot": true,
				},
			}],
		}}},
	}

	count(violations) > 0
}

# Positive: the pod template's metadata.name is "tiller" while the
# Deployment name and images are unremarkable.
test_tiller_deployed_by_spec_metadata_name {
	violations := deny with input as {
		"kind": "Deployment",
		"apiVersion": "apps/v1beta2",
		"metadata": {"name": "Onga"},
		"spec": {"template": {
			"metadata": {
				"name": "tiller",
				"labels": {
					"tier": "backend",
					"app": "example",
				},
			},
			"spec": {
				"initContainers": [{
					"name": "init-svc",
					"image": "busybox:1.28",
					"securityContext": {"allowPrivilegeEscalation": false},
				}],
				"containers": [{
					"name": "carts-db",
					"image": "mongo",
					"securityContext": {
						"allowPrivilegeEscalation": true,
						"runAsNonRoot": true,
					},
				}],
			},
		}},
	}

	count(violations) > 0
}

# Positive: the pod template carries the label app=helm; names and
# images give no other hint.
test_tiller_deployed_by_using_helm_app {
	violations := deny with input as {
		"kind": "Deployment",
		"apiVersion": "apps/v1beta2",
		"metadata": {"name": "Onga"},
		"spec": {"template": {
			"metadata": {
				"name": "Onag",
				"labels": {
					"tier": "backend",
					"app": "helm",
				},
			},
			"spec": {
				"initContainers": [{
					"name": "init-svc",
					"image": "busybox:1.28",
					"securityContext": {"allowPrivilegeEscalation": false},
				}],
				"containers": [{
					"name": "carts-db",
					"image": "mongo",
					"securityContext": {
						"allowPrivilegeEscalation": true,
						"runAsNonRoot": true,
					},
				}],
			},
		}},
	}

	count(violations) > 0
}

# Negative baseline: same shape as the cases above, but no image, name
# or label refers to tiller/helm, so `deny` must be empty.
test_tiller_is_not_deployed {
	violations := deny with input as {
		"kind": "Deployment",
		"apiVersion": "apps/v1beta2",
		"metadata": {"name": "Onga"},
		"spec": {"template": {
			"metadata": {
				"name": "None",
				"labels": {
					"tier": "backend",
					"app": "example",
				},
			},
			"spec": {
				"initContainers": [{
					"name": "init-svc",
					"image": "busybox:1.28",
					"securityContext": {"allowPrivilegeEscalation": false},
				}],
				"containers": [{
					"name": "carts-db",
					"image": "mongo",
					"securityContext": {
						"allowPrivilegeEscalation": true,
						"runAsNonRoot": true,
					},
				}],
			},
		}},
	}

	count(violations) == 0
}