package builtin.kubernetes.KSV017

# Unit tests for KSV017 (Pod Security Standards, baseline profile:
# privileged containers). Every case builds a one-container Pod, feeds it
# to `deny`, and checks whether a finding is raised.
#
# NOTE(review): only spec.containers is exercised here; initContainers and
# ephemeralContainers can also be marked privileged — confirm the policy
# walks those lists as well before relying on this suite for coverage.

# fixture_pod returns the minimal Pod shared by all cases. Keys in
# `container_overrides` are merged into the single container, so callers
# pass a securityContext to set, or {} to leave it out entirely.
fixture_pod(container_overrides) = pod {
	base_container := {
		"name": "hello",
		"image": "busybox",
		"command": ["sh", "-c", "echo 'Hello' && sleep 1h"],
	}
	container := object.union(base_container, container_overrides)
	pod := {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {"name": "hello-privileged"},
		"spec": {"containers": [container]},
	}
}

# privileged: true must yield exactly one finding that names both the
# container and the enclosing Pod.
test_privileged_is_true_denied {
	pod := fixture_pod({"securityContext": {"privileged": true}})
	r := deny with input as pod

	count(r) == 1
	r[_].msg == "Container 'hello' of Pod 'hello-privileged' should set 'securityContext.privileged' to false"
}

# A container with no securityContext at all is treated as compliant;
# the policy must not report it.
test_privileged_is_undefined_allowed {
	pod := fixture_pod({})
	r := deny with input as pod

	count(r) == 0
}

# An explicit privileged: false is the compliant setting and yields no
# finding.
test_privileged_is_false_allowed {
	pod := fixture_pod({"securityContext": {"privileged": false}})
	r := deny with input as pod

	count(r) == 0
}