github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/pss/baseline/1_host_ipc_test.rego

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/pss/baseline/1_host_ipc_test.rego (about)

     1  package builtin.kubernetes.KSV008
     2  
     3  test_host_ipc_set_to_true_denied {
     4  	r := deny with input as {
     5  		"apiVersion": "v1",
     6  		"kind": "Pod",
     7  		"metadata": {"name": "hello-ipc"},
     8  		"spec": {
     9  			"hostIPC": true,
    10  			"containers": [{
    11  				"command": [
    12  					"sh",
    13  					"-c",
    14  					"echo 'Hello' && sleep 1h",
    15  				],
    16  				"image": "busybox",
    17  				"name": "hello",
    18  			}],
    19  		},
    20  	}
    21  
    22  	count(r) == 1
    23  	r[_].msg == "Pod 'hello-ipc' should not set 'spec.template.spec.hostIPC' to true"
    24  }
    25  
    26  test_host_ipc_set_to_false_allowed {
    27  	r := deny with input as {
    28  		"apiVersion": "v1",
    29  		"kind": "Pod",
    30  		"metadata": {"name": "hello-ipc"},
    31  		"spec": {
    32  			"hostIPC": false,
    33  			"containers": [{
    34  				"command": [
    35  					"sh",
    36  					"-c",
    37  					"echo 'Hello' && sleep 1h",
    38  				],
    39  				"image": "busybox",
    40  				"name": "hello",
    41  			}],
    42  		},
    43  	}
    44  
    45  	count(r) == 0
    46  }
    47  
    48  test_host_ipc_is_undefined_allowed {
    49  	r := deny with input as {
    50  		"apiVersion": "v1",
    51  		"kind": "Pod",
    52  		"metadata": {"name": "hello-ipc"},
    53  		"spec": {"containers": [{
    54  			"command": [
    55  				"sh",
    56  				"-c",
    57  				"echo 'Hello' && sleep 1h",
    58  			],
    59  			"image": "busybox",
    60  			"name": "hello",
    61  		}]},
    62  	}
    63  
    64  	count(r) == 0
    65  }