github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/pss/baseline/11_seccomp_profile_unconfined_test.rego (about)

     1  package builtin.kubernetes.KSV104
     2  
     3  # Feeds deny a v1 Pod ("hello-sysctls") holding one busybox container whose seccompProfile type is RuntimeDefault; passes only when deny yields no results.
     4  # NOTE(review): the "_denied" name does not match this fixture or the zero-count assertion, and no test visible here supplies an "Unconfined" profile,
     5  # so a deny rule that never fires would still pass. Confirm against the KSV104 rule and add a violating fixture with a non-zero expected count.
     6  test_container_seccomp_profile_unconfined_denied {
     7  	hello := {
     8  		"name": "hello",
     9  		"image": "busybox",
    10  		"command": ["sh", "-c", "echo 'Hello' && sleep 1h"],
    11  		"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    12  	}
    13  	pod := {
    14  		"apiVersion": "v1",
    15  		"kind": "Pod",
    16  		"metadata": {"name": "hello-sysctls"},
    17  		"spec": {"containers": [hello]},
    18  	}
    19  	violations := deny with input as pod
    20  	count(violations) == 0
    21  }
    22  
    23  # Feeds deny a v1 Pod ("my-pod") with two containers (nginx and busybox), each declaring
    24  # seccompProfile type RuntimeDefault, and passes only when deny yields no results.
    25  # NOTE(review): this is a negative case only; it shows the rule stays quiet on this input,
    26  # not that it fires on a violating one.
    27  test_container_seccomp_profile_unconfined_allowed {
    28  	# Both containers carry the same securityContext value.
    29  	runtime_default := {"seccompProfile": {"type": "RuntimeDefault"}}
    30  	containers := [
    31  		{"name": "container-1", "image": "nginx", "securityContext": runtime_default},
    32  		{"name": "container-2", "image": "busybox", "securityContext": runtime_default},
    33  	]
    34  	pod := {
    35  		"apiVersion": "v1",
    36  		"kind": "Pod",
    37  		"metadata": {"name": "my-pod"},
    38  		"spec": {"containers": containers},
    39  	}
    40  	violations := deny with input as pod
    41  	# Expect an empty deny set for this input.
    42  	count(violations) == 0
    43  }