github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/pss/baseline/4_hostpath_volumes_mounted_test.rego

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/pss/baseline/4_hostpath_volumes_mounted_test.rego (about)

     1  package builtin.kubernetes.KSV023
     2  
     3  test_host_path_specified_denied {
     4  	r := deny with input as {
     5  		"apiVersion": "v1",
     6  		"kind": "Pod",
     7  		"metadata": {"name": "hello-host-path"},
     8  		"spec": {
     9  			"containers": [{
    10  				"command": [
    11  					"sh",
    12  					"-c",
    13  					"echo 'Hello' && sleep 1h",
    14  				],
    15  				"image": "busybox",
    16  				"name": "hello",
    17  			}],
    18  			"volumes": [{"hostPath": {
    19  				"path": "/sys",
    20  				"type": "",
    21  			}}],
    22  		},
    23  	}
    24  
    25  	count(r) == 1
    26  	r[_].msg == "Pod 'hello-host-path' should not set 'spec.template.volumes.hostPath'"
    27  }
    28  
    29  test_host_path_not_specified_allowed {
    30  	r := deny with input as {
    31  		"apiVersion": "v1",
    32  		"kind": "Pod",
    33  		"metadata": {"name": "hello-host-path"},
    34  		"spec": {
    35  			"containers": [{
    36  				"command": [
    37  					"sh",
    38  					"-c",
    39  					"echo 'Hello' && sleep 1h",
    40  				],
    41  				"image": "busybox",
    42  				"name": "hello",
    43  			}],
    44  			"volumes": [{"name": "my-vol"}],
    45  		},
    46  	}
    47  
    48  	count(r) == 0
    49  }