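# METADATA
# title: "Seccomp policies disabled"
# description: "Seccomp profile must not be explicitly set to 'Unconfined'."
# scope: package
# schemas:
# - input: schema["kubernetes"]
# related_resources:
# - https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
# custom:
#   id: KSV104
#   avd_id: AVD-KSV-0104
#   severity: MEDIUM
#   short_code: no-seccomp-unconfined
#   recommended_action: "Do not set seccomp profile to 'Unconfined'"
#   input:
#     selector:
#     - type: kubernetes
package builtin.kubernetes.KSV104

import data.lib.kubernetes
import data.lib.utils

# getSeccompContainers returns the names of all containers that have a
# seccomp profile set through the legacy per-container annotation
# ("container.seccomp.security.alpha.kubernetes.io/<name>") whose value
# is anything other than "unconfined".
# NOTE(review): only the annotation form is inspected here; the
# securityContext.seccompProfile field is handled by the rules below.
getSeccompContainers[container] {
	some i
	# Build the expected annotation key for every container in the workload.
	keys := [key | key := sprintf("%s/%s", [
		"container.seccomp.security.alpha.kubernetes.io",
		kubernetes.containers[_].name,
	])]
	seccomp := object.filter(kubernetes.annotations[_], keys)
	val := seccomp[i]
	val != "unconfined"
	# The container name is the part of the annotation key after the "/".
	[_, c] := split(i, "/")
	container = c
}

# getNoSeccompContainers returns the names of all containers that either
# have no seccomp annotation or whose annotation is set to "unconfined".
getNoSeccompContainers[container] {
	container := kubernetes.containers[_].name
	not getSeccompContainers[container]
}

# getContainersWithDisallowedSeccompProfileType returns the names of all
# containers whose securityContext.seccompProfile.type is explicitly
# "Unconfined", which the baseline Pod Security Standard forbids.
getContainersWithDisallowedSeccompProfileType[name] {
	container := kubernetes.containers[_]
	type := container.securityContext.seccompProfile.type
	type == "Unconfined"
	name = container.name
}

# getContainersWithDisallowedSeccompProfileType also returns the names of
# all containers that do not set securityContext.seccompProfile.type at all.
# NOTE(review): this is stricter than the linked baseline standard, which
# only forbids an explicit "Unconfined". A container that inherits a
# pod-level securityContext.seccompProfile is still flagged here because
# only the container's own securityContext is inspected — confirm whether
# the pod spec should be consulted.
getContainersWithDisallowedSeccompProfileType[name] {
	container := kubernetes.containers[_]
	not container.securityContext.seccompProfile.type
	name = container.name
}

# deny produces one result per container flagged by
# getContainersWithDisallowedSeccompProfileType.
#
# The message and the reported cause are bound to the same container: the
# name in the message comes from the flagged container itself, and the
# container object (rather than its name string) is handed to result.new.
# Previously the message iterated getNoSeccompContainers independently of
# the cause, which could name the wrong container, emit a cross product of
# results, or emit nothing at all when no container lacked the annotation.
# The same message is used for both the explicit-"Unconfined" and the
# missing-profile case.
deny[res] {
	container := kubernetes.containers[_]
	getContainersWithDisallowedSeccompProfileType[container.name]
	msg := kubernetes.format(sprintf("container %s of %s %s in %s namespace should specify a seccomp profile", [container.name, lower(kubernetes.kind), kubernetes.name, kubernetes.namespace]))
	res := result.new(msg, container)
}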