github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/pss/baseline/6_apparmor_policy_disabled_test.rego (about)

     1  package builtin.kubernetes.KSV002
     2  
     3  import data.lib.kubernetes
     4  
     5  test_custom_deny {
     6  	r := deny with input as {
     7  		"apiVersion": "v1",
     8  		"kind": "Pod",
     9  		"metadata": {
    10  			"annotations": {"container.apparmor.security.beta.kubernetes.io/hello": "custom"},
    11  			"name": "hello-apparmor",
    12  		},
    13  		"spec": {"containers": [{
    14  			"command": [
    15  				"sh",
    16  				"-c",
    17  				"echo 'Hello AppArmor!' && sleep 1h",
    18  			],
    19  			"image": "busybox",
    20  			"name": "hello",
    21  		}]},
    22  	}
    23  
    24  	count(r) == 1
    25  	r[_].msg == "Container 'hello' of Pod 'hello-apparmor' should specify an AppArmor profile"
    26  }
    27  
    28  test_undefined_allowed {
    29  	r := deny with input as {
    30  		"apiVersion": "v1",
    31  		"kind": "Pod",
    32  		"metadata": {"name": "hello-apparmor"},
    33  		"spec": {"containers": [{
    34  			"command": [
    35  				"sh",
    36  				"-c",
    37  				"echo 'Hello AppArmor!' && sleep 1h",
    38  			],
    39  			"image": "busybox",
    40  			"name": "hello",
    41  		}]},
    42  	}
    43  
    44  	count(r) == 0
    45  }
    46  
    47  test_only_one_is_undefined_allowed {
    48  	r := deny with input as {
    49  		"apiVersion": "v1",
    50  		"kind": "Pod",
    51  		"metadata": {
    52  			"annotations": {"container.apparmor.security.beta.kubernetes.io/hello2": "runtime/default"},
    53  			"name": "hello-apparmor",
    54  		},
    55  		"spec": {"containers": [
    56  			{
    57  				"command": [
    58  					"sh",
    59  					"-c",
    60  					"echo 'Hello AppArmor!' && sleep 1h",
    61  				],
    62  				"image": "busybox",
    63  				"name": "hello",
    64  			},
    65  			{
    66  				"command": [
    67  					"sh",
    68  					"-c",
    69  					"echo 'Hello AppArmor Again!' && sleep 1h",
    70  				],
    71  				"image": "busybox",
    72  				"name": "hello2",
    73  			},
    74  		]},
    75  	}
    76  
    77  	count(r) == 0
    78  }
    79  
    80  test_runtime_default_allowed {
    81  	r := deny with input as {
    82  		"apiVersion": "v1",
    83  		"kind": "Pod",
    84  		"metadata": {
    85  			"annotations": {"container.apparmor.security.beta.kubernetes.io/hello": "runtime/default"},
    86  			"name": "hello-apparmor",
    87  		},
    88  		"spec": {"containers": [{
    89  			"command": [
    90  				"sh",
    91  				"-c",
    92  				"echo 'Hello AppArmor!' && sleep 1h",
    93  			],
    94  			"image": "busybox",
    95  			"name": "hello",
    96  		}]},
    97  	}
    98  
    99  	count(r) == 0
   100  }