github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/pss/restricted/3_runs_as_root_test.rego

# Unit tests for the KSV012 policy (PSS "restricted" profile): every container
# must end up with 'securityContext.runAsNonRoot' set to true, either on the
# container itself or inherited from the pod-level securityContext.
package builtin.kubernetes.KSV012
     3  test_run_as_non_root_not_set_to_true_denied {
     4  	r := deny with input as {
     5  		"apiVersion": "v1",
     6  		"kind": "Pod",
     7  		"metadata": {"name": "hello-run-as-root"},
     8  		"spec": {"containers": [{
     9  			"command": [
    10  				"sh",
    11  				"-c",
    12  				"echo 'Hello' && sleep 1h",
    13  			],
    14  			"image": "busybox",
    15  			"name": "hello",
    16  		}]},
    17  	}
    18  
    19  	count(r) == 1
    20  	r[_].msg == "Container 'hello' of Pod 'hello-run-as-root' should set 'securityContext.runAsNonRoot' to true"
    21  }
    23  test_run_as_non_root_not_set_to_true_for_all_containers_denied {
    24  	r := deny with input as {
    25  		"apiVersion": "v1",
    26  		"kind": "Pod",
    27  		"metadata": {"name": "hello-run-as-root"},
    28  		"spec": {"containers": [
    29  			{
    30  				"command": [
    31  					"sh",
    32  					"-c",
    33  					"echo 'Hello' && sleep 1h",
    34  				],
    35  				"image": "busybox",
    36  				"name": "hello",
    37  				"securityContext": {"runAsNonRoot": true},
    38  			},
    39  			{
    40  				"command": [
    41  					"sh",
    42  					"-c",
    43  					"echo 'Hello' && sleep 1h",
    44  				],
    45  				"image": "busybox",
    46  				"name": "hello2",
    47  			},
    48  		]},
    49  	}
    50  
    51  	count(r) == 1
    52  	r[_].msg == "Container 'hello2' of Pod 'hello-run-as-root' should set 'securityContext.runAsNonRoot' to true"
    53  }
    55  test_run_as_non_root_set_to_true_for_pod_allowed {
    56  	r := deny with input as {
    57  		"apiVersion": "v1",
    58  		"kind": "Pod",
    59  		"metadata": {"name": "hello-run-as-root"},
    60  		"spec": {
    61  			"securityContext": {"runAsNonRoot": true},
    62  			"containers": [{
    63  				"command": [
    64  					"sh",
    65  					"-c",
    66  					"echo 'Hello' && sleep 1h",
    67  				],
    68  				"image": "busybox",
    69  				"name": "hello",
    70  			}],
    71  		},
    72  	}
    73  
    74  	count(r) == 0
    75  }
    77  test_run_as_non_root_set_to_true_for_container_allowed {
    78  	r := deny with input as {
    79  		"apiVersion": "v1",
    80  		"kind": "Pod",
    81  		"metadata": {"name": "hello-run-as-root"},
    82  		"spec": {"containers": [{
    83  			"command": [
    84  				"sh",
    85  				"-c",
    86  				"echo 'Hello' && sleep 1h",
    87  			],
    88  			"image": "busybox",
    89  			"name": "hello",
    90  			"securityContext": {"runAsNonRoot": true},
    91  		}]},
    92  	}
    93  
    94  	count(r) == 0
    95  }