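# Unit tests for the KSV025 policy (Pod Security Standards, baseline profile,
# control 7: "SELinux custom options set").
#
# The expectations below pin the following behaviour of the `deny` rule:
#   - a seLinuxOptions.type outside the allowed set is denied, whether it is
#     set at pod level (spec.securityContext) or at container level
#     (spec.containers[].securityContext);
#   - "container_t" is an accepted type: on its own it yields no finding, and
#     with a restricted property it yields only the restricted-property finding;
#   - the seLinuxOptions properties "role" and "user" are restricted and are
#     reported together, in a single message, in sorted order;
#   - an empty seLinuxOptions object, or no securityContext at all, is allowed.
#
# NOTE(review): `deny` is a set, so identical findings collapse into one element.
# `count(r) == 1` therefore does not on its own prove that only one container
# was flagged (see the two-container case at the end of this file).
# NOTE(review): initContainers and the other allowed PSS types
# (container_init_t, container_kvm_t) and the `level` property are not
# exercised here; whether the policy covers them cannot be told from this file.
package builtin.kubernetes.KSV025

# Baseline container shared by every test: a plain busybox container with no
# securityContext of its own. Tests that need a container-level securityContext
# overlay it with object.union.
hello_container := {
	"command": [
		"sh",
		"-c",
		"echo 'Hello' && sleep 1h",
	],
	"image": "busybox",
	"name": "hello",
}

# Pod-level seLinuxOptions.type that is not an allowed SELinux type is denied.
test_pod_invalid_selinux_type_denied {
	r := deny with input as {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {"name": "hello-selinux"},
		"spec": {
			"securityContext": {"seLinuxOptions": {"type": "custom"}},
			"containers": [hello_container],
		},
	}

	count(r) == 1
	r[_].msg == "Pod 'hello-selinux' uses invalid seLinux type 'custom'"
}

# The same disallowed type set on a container's securityContext is also denied,
# and the message still names the pod rather than the container.
test_container_invalid_selinux_type_denied {
	r := deny with input as {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {"name": "hello-selinux"},
		"spec": {"containers": [object.union(hello_container, {
			"securityContext": {"seLinuxOptions": {"type": "custom"}},
		})]},
	}

	count(r) == 1
	r[_].msg == "Pod 'hello-selinux' uses invalid seLinux type 'custom'"
}

# Positive case: the type "container_t" with no other seLinuxOptions property
# produces no finding. Without this test, the restricted-property tests below
# are the only evidence that "container_t" is accepted.
test_allowed_selinux_type_allowed {
	r := deny with input as {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {"name": "hello-selinux"},
		"spec": {
			"securityContext": {"seLinuxOptions": {"type": "container_t"}},
			"containers": [hello_container],
		},
	}

	count(r) == 0
}

# An explicitly empty seLinuxOptions object sets nothing and is allowed.
test_empty_selinux_options_allowed {
	r := deny with input as {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {"name": "hello-selinux"},
		"spec": {
			"securityContext": {"seLinuxOptions": {}},
			"containers": [hello_container],
		},
	}

	count(r) == 0
}

# No securityContext anywhere in the pod: nothing to evaluate, nothing denied.
test_no_security_context_allowed {
	r := deny with input as {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {"name": "hello-selinux"},
		"spec": {"containers": [hello_container]},
	}

	count(r) == 0
}

# An allowed type combined with the restricted "role" property is denied, and
# only the restricted-property finding is produced (no type finding).
test_restricted_key_in_selinux_options_denied {
	r := deny with input as {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {"name": "hello-selinux"},
		"spec": {
			"securityContext": {"seLinuxOptions": {"type": "container_t", "role": "admin"}},
			"containers": [hello_container],
		},
	}

	count(r) == 1
	r[_].msg == "Pod 'hello-selinux' uses restricted properties in seLinuxOptions: ('role')"
}

# Several restricted properties are reported together in one finding, listed in
# sorted order ("role" before "user").
test_multiple_restricted_keys_in_selinux_options_denied {
	r := deny with input as {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {"name": "hello-selinux"},
		"spec": {
			"securityContext": {"seLinuxOptions": {"type": "container_t", "role": "admin", "user": "root"}},
			"containers": [hello_container],
		},
	}

	count(r) == 1
	r[_].msg == "Pod 'hello-selinux' uses restricted properties in seLinuxOptions: ('role', 'user')"
}

# Two containers carrying the same restricted properties. The expectation is a
# single element because `deny` is a set and the two findings are identical; it
# does not assert that both containers were individually inspected.
test_containers_have_multiple_restricted_keys_in_selinux_options_denied {
	restricted := {"seLinuxOptions": {"type": "container_t", "role": "admin", "user": "root"}}

	r := deny with input as {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {"name": "hello-selinux"},
		"spec": {"containers": [
			object.union(hello_container, {"securityContext": restricted}),
			object.union(hello_container, {
				"name": "hello2",
				"securityContext": restricted,
			}),
		]},
	}

	count(r) == 1
	r[_].msg == "Pod 'hello-selinux' uses restricted properties in seLinuxOptions: ('role', 'user')"
}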