
# Tests for KSV103: a Windows pod or container must not set
# securityContext.windowsOptions.hostProcess to true.
package builtin.kubernetes.KSV103
     2  
     3  test_base_securityContext_hostProcess_enabled_denied {
     4  	r := deny with input as {
     5  		"apiVersion": "v1",
     6  		"kind": "Pod",
     7  		"metadata": {"name": "hello-sysctls"},
     8  		"spec": {
     9  			"securityContext": {"windowsOptions": {"hostProcess": true}},
    10  			"containers": [{
    11  				"command": [
    12  					"sh",
    13  					"-c",
    14  					"echo 'Hello' && sleep 1h",
    15  				],
    16  				"image": "busybox",
    17  				"name": "hello",
    18  			}],
    19  		},
    20  	}
    21  
    22  	count(r) == 1
    23  	r[_].msg == "You should not enable hostProcess."
    24  }
    25  
    26  test_base_securityContext_hostProcess_disabled_allowed {
    27  	r := deny with input as {
    28  		"apiVersion": "v1",
    29  		"kind": "Pod",
    30  		"metadata": {"name": "hello-sysctls"},
    31  		"spec": {
    32  			"securityContext": {"windowsOptions": {"hostProcess": false}},
    33  			"containers": [{
    34  				"command": [
    35  					"sh",
    36  					"-c",
    37  					"echo 'Hello' && sleep 1h",
    38  				],
    39  				"image": "busybox",
    40  				"name": "hello",
    41  			}],
    42  		},
    43  	}
    44  
    45  	count(r) == 0
    46  }
    47  
    48  test_base_securityContext_hostProcess_unspecified_allowed {
    49  	r := deny with input as {
    50  		"apiVersion": "v1",
    51  		"kind": "Pod",
    52  		"metadata": {"name": "hello-sysctls"},
    53  		"spec": {
    54  			"securityContext": {"windowsOptions": {"hostProcess": false}},
    55  			"containers": [{
    56  				"command": [
    57  					"sh",
    58  					"-c",
    59  					"echo 'Hello' && sleep 1h",
    60  				],
    61  				"image": "busybox",
    62  				"name": "hello",
    63  			}],
    64  		},
    65  	}
    66  
    67  	count(r) == 0
    68  }
    69  
    70  test_container_securityContext_hostProcess_enabled_denied {
    71  	r := deny with input as {
    72  		"apiVersion": "v1",
    73  		"kind": "Pod",
    74  		"metadata": {"name": "hello-sysctls"},
    75  		"spec": {
    76  			"securityContext": {},
    77  			"containers": [{
    78  				"command": [
    79  					"sh",
    80  					"-c",
    81  					"echo 'Hello' && sleep 1h",
    82  				],
    83  				"image": "busybox",
    84  				"name": "hello",
    85  				"securityContext": {"windowsOptions": {"hostProcess": true}},
    86  			}],
    87  		},
    88  	}
    89  
    90  	count(r) == 1
    91  	r[_].msg == "You should not enable hostProcess."
    92  }
    93  
    94  test_container_securityContext_hostProcess_disabled_allowed {
    95  	r := deny with input as {
    96  		"apiVersion": "v1",
    97  		"kind": "Pod",
    98  		"metadata": {"name": "hello-sysctls"},
    99  		"spec": {
   100  			"securityContext": {},
   101  			"containers": [{
   102  				"command": [
   103  					"sh",
   104  					"-c",
   105  					"echo 'Hello' && sleep 1h",
   106  				],
   107  				"image": "busybox",
   108  				"name": "hello",
   109  				"securityContext": {"windowsOptions": {"hostProcess": false}},
   110  			}],
   111  		},
   112  	}
   113  
   114  	count(r) == 0
   115  }
   116  
   117  test_container_securityContext_hostProcess_unspecified_allowed {
   118  	r := deny with input as {
   119  		"apiVersion": "v1",
   120  		"kind": "Pod",
   121  		"metadata": {"name": "hello-sysctls"},
   122  		"spec": {
   123  			"securityContext": {},
   124  			"containers": [{
   125  				"command": [
   126  					"sh",
   127  					"-c",
   128  					"echo 'Hello' && sleep 1h",
   129  				],
   130  				"image": "busybox",
   131  				"name": "hello",
   132  				"securityContext": {"windowsOptions": {}},
   133  			}],
   134  		},
   135  	}
   136  
   137  	count(r) == 0
   138  }