github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/pss/baseline/9_unsafe_sysctl_options_set_test.rego

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/pss/baseline/9_unsafe_sysctl_options_set_test.rego (about)

     1  package builtin.kubernetes.KSV026
     2  
     3  test_sysctls_restricted_property_denied {
     4  	r := deny with input as {
     5  		"apiVersion": "v1",
     6  		"kind": "Pod",
     7  		"metadata": {"name": "hello-sysctls"},
     8  		"spec": {
     9  			"securityContext": {"sysctls": [
    10  				{
    11  					"name": "net.core.somaxconn",
    12  					"value": "1024",
    13  				},
    14  				{
    15  					"name": "kernel.msgmax",
    16  					"value": "65536",
    17  				},
    18  			]},
    19  			"containers": [{
    20  				"command": [
    21  					"sh",
    22  					"-c",
    23  					"echo 'Hello' && sleep 1h",
    24  				],
    25  				"image": "busybox",
    26  				"name": "hello",
    27  			}],
    28  		},
    29  	}
    30  
    31  	count(r) == 1
    32  	r[_].msg == "Pod 'hello-sysctls' should set 'securityContext.sysctl' to the allowed values"
    33  }
    34  
    35  test_sysctls_not_restricted_property_mixed_with_restriced_denied {
    36  	r := deny with input as {
    37  		"apiVersion": "v1",
    38  		"kind": "Pod",
    39  		"metadata": {"name": "hello-sysctls"},
    40  		"spec": {
    41  			"securityContext": {"sysctls": [
    42  				{
    43  					"name": "kernel.shm_rmid_forced",
    44  					"value": "0",
    45  				},
    46  				{
    47  					"name": "net.core.somaxconn",
    48  					"value": "1024",
    49  				},
    50  				{
    51  					"name": "kernel.msgmax",
    52  					"value": "65536",
    53  				},
    54  			]},
    55  			"containers": [{
    56  				"command": [
    57  					"sh",
    58  					"-c",
    59  					"echo 'Hello' && sleep 1h",
    60  				],
    61  				"image": "busybox",
    62  				"name": "hello",
    63  			}],
    64  		},
    65  	}
    66  
    67  	count(r) == 1
    68  	r[_].msg == "Pod 'hello-sysctls' should set 'securityContext.sysctl' to the allowed values"
    69  }
    70  
    71  test_sysctls_not_restricted_property_allowed {
    72  	r := deny with input as {
    73  		"apiVersion": "v1",
    74  		"kind": "Pod",
    75  		"metadata": {"name": "hello-sysctls"},
    76  		"spec": {
    77  			"securityContext": {"sysctls": [{
    78  				"name": "kernel.shm_rmid_forced",
    79  				"value": "0",
    80  			}]},
    81  			"containers": [{
    82  				"command": [
    83  					"sh",
    84  					"-c",
    85  					"echo 'Hello' && sleep 1h",
    86  				],
    87  				"image": "busybox",
    88  				"name": "hello",
    89  			}],
    90  		},
    91  	}
    92  
    93  	count(r) == 0
    94  }
    95  
    96  test_sysctls_is_undefined_allowed {
    97  	r := deny with input as {
    98  		"apiVersion": "v1",
    99  		"kind": "Pod",
   100  		"metadata": {"name": "hello-sysctls"},
   101  		"spec": {
   102  			"securityContext": {},
   103  			"containers": [{
   104  				"command": [
   105  					"sh",
   106  					"-c",
   107  					"echo 'Hello' && sleep 1h",
   108  				],
   109  				"image": "busybox",
   110  				"name": "hello",
   111  			}],
   112  		},
   113  	}
   114  
   115  	count(r) == 0
   116  }