
# Unit tests for check KSV102 ("Tiller is deployed"). The `deny` rule exercised below
# is referenced but not defined in this file; it comes from elsewhere in this package.
package builtin.kubernetes.KSV102
     2  
     3  test_tiller_deployed_by_image {
     4  	res := deny with input as {
     5  		"apiVersion": "apps/v1",
     6  		"kind": "Deployment",
     7  		"metadata": {"name": "mongo-deployment"},
     8  		"spec": {"template": {"spec": {
     9  			"containers": [{
    10  				"name": "carts-db",
    11  				"image": "tiller",
    12  				"securityContext": {
    13  					"runAsNonRoot": true,
    14  					"allowPrivilegeEscalation": true,
    15  				},
    16  			}],
    17  			"initContainers": [{
    18  				"name": "init-svc",
    19  				"image": "busybox:1.28",
    20  				"securityContext": {"allowPrivilegeEscalation": false},
    21  			}],
    22  		}}},
    23  	}
    24  
    25  	count(res) != 0
    26  }
    27  
    28  test_tiller_deployed_by_metadata_name {
    29  	res := deny with input as {
    30  		"apiVersion": "apps/v1beta2",
    31  		"kind": "Deployment",
    32  		"metadata": {"name": "app-run-tiller-middle"},
    33  		"spec": {"template": {"spec": {
    34  			"containers": [{
    35  				"name": "carts-db",
    36  				"image": "mongo",
    37  				"securityContext": {
    38  					"runAsNonRoot": true,
    39  					"allowPrivilegeEscalation": true,
    40  				},
    41  			}],
    42  			"initContainers": [{
    43  				"name": "init-svc",
    44  				"image": "busybox:1.28",
    45  				"securityContext": {"allowPrivilegeEscalation": false},
    46  			}],
    47  		}}},
    48  	}
    49  
    50  	count(res) != 0
    51  }
    52  
    53  test_tiller_deployed_by_spec_metadata_name {
    54  	res := deny with input as {
    55  		"apiVersion": "apps/v1beta2",
    56  		"kind": "Deployment",
    57  		"metadata": {"name": "Onga"},
    58  		"spec": {"template": {
    59  			"spec": {
    60  				"containers": [{
    61  					"name": "carts-db",
    62  					"image": "mongo",
    63  					"securityContext": {
    64  						"runAsNonRoot": true,
    65  						"allowPrivilegeEscalation": true,
    66  					},
    67  				}],
    68  				"initContainers": [{
    69  					"name": "init-svc",
    70  					"image": "busybox:1.28",
    71  					"securityContext": {"allowPrivilegeEscalation": false},
    72  				}],
    73  			},
    74  			"metadata": {
    75  				"name": "tiller",
    76  				"labels": {
    77  					"app": "example",
    78  					"tier": "backend",
    79  				},
    80  			},
    81  		}},
    82  	}
    83  
    84  	count(res) != 0
    85  }
    86  
    87  test_tiller_deployed_by_using_helm_app {
    88  	res := deny with input as {
    89  		"apiVersion": "apps/v1beta2",
    90  		"kind": "Deployment",
    91  		"metadata": {"name": "Onga"},
    92  		"spec": {"template": {
    93  			"spec": {
    94  				"containers": [{
    95  					"name": "carts-db",
    96  					"image": "mongo",
    97  					"securityContext": {
    98  						"runAsNonRoot": true,
    99  						"allowPrivilegeEscalation": true,
   100  					},
   101  				}],
   102  				"initContainers": [{
   103  					"name": "init-svc",
   104  					"image": "busybox:1.28",
   105  					"securityContext": {"allowPrivilegeEscalation": false},
   106  				}],
   107  			},
   108  			"metadata": {
   109  				"name": "Onag",
   110  				"labels": {
   111  					"app": "helm",
   112  					"tier": "backend",
   113  				},
   114  			},
   115  		}},
   116  	}
   117  
   118  	count(res) != 0
   119  }
   120  
   121  test_tiller_is_not_deployed {
   122  	res := deny with input as {
   123  		"apiVersion": "apps/v1beta2",
   124  		"kind": "Deployment",
   125  		"metadata": {"name": "Onga"},
   126  		"spec": {"template": {
   127  			"spec": {
   128  				"containers": [{
   129  					"name": "carts-db",
   130  					"image": "mongo",
   131  					"securityContext": {
   132  						"runAsNonRoot": true,
   133  						"allowPrivilegeEscalation": true,
   134  					},
   135  				}],
   136  				"initContainers": [{
   137  					"name": "init-svc",
   138  					"image": "busybox:1.28",
   139  					"securityContext": {"allowPrivilegeEscalation": false},
   140  				}],
   141  			},
   142  			"metadata": {
   143  				"name": "None",
   144  				"labels": {
   145  					"app": "example",
   146  					"tier": "backend",
   147  				},
   148  			},
   149  		}},
   150  	}
   151  
   152  	count(res) == 0
   153  }