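package builtin.kubernetes.KSV022

# Tests for KSV022 (PSS baseline): a container must not add Linux
# capabilities via securityContext.capabilities.add. Every fixture is the
# same busybox Pod; only the container's securityContext varies, so the
# fixture is built once by pod_with_security_context below.

# Builds the Pod fixture with the given container securityContext object.
pod_with_security_context(sc) := {
	"apiVersion": "v1",
	"kind": "Pod",
	"metadata": {"name": "hello-add-capabilities"},
	"spec": {"containers": [{
		"command": [
			"sh",
			"-c",
			"echo 'Hello' && sleep 1h",
		],
		"image": "busybox",
		"name": "hello",
		"securityContext": sc,
	}]},
}

# A non-empty capabilities.add list is denied with exactly one finding that
# names the container and the Pod.
test_capabilities_add_denied {
	pod := pod_with_security_context({"capabilities": {"add": ["NET_BIND_SERVICE"]}})
	r := deny with input as pod

	count(r) == 1
	r[_].msg == "Container 'hello' of Pod 'hello-add-capabilities' should not set 'securityContext.capabilities.add'"
}

# An empty add list grants nothing and must not be flagged.
test_capabilities_add_empty_allowed {
	pod := pod_with_security_context({"capabilities": {"add": []}})
	r := deny with input as pod

	count(r) == 0
}

# A capabilities block without an add key is allowed.
test_capabilities_no_add_allowed {
	pod := pod_with_security_context({"capabilities": {}})
	r := deny with input as pod

	count(r) == 0
}

# A securityContext with no capabilities block at all is allowed.
test_no_capabilities_allowed {
	pod := pod_with_security_context({})
	r := deny with input as pod

	count(r) == 0
}

# Dropping capabilities adds none, so a drop-only block must stay allowed;
# this pins the rule to the add key rather than to the presence of
# capabilities in general.
test_capabilities_drop_only_allowed {
	pod := pod_with_security_context({"capabilities": {"drop": ["ALL"]}})
	r := deny with input as pod

	count(r) == 0
}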