Add policy AC-K8-NS-SE-M-0188 for CVE-2020-8554

tenable · Dec 10, 2020 · 185f8c6 · 185f8c6
1 parent 929e377
commit 185f8c6
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 0 deletions.
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_service/cve_2020_8554/AC-K8-NS-SE-M-0188.json b/pkg/policies/opa/rego/k8s/kubernetes_service/cve_2020_8554/AC-K8-NS-SE-M-0188.json
@@ -0,0 +1,15 @@
+{
+    "name": "ensurePrivateIP",
+    "file": "ensurePrivateIP.rego",
+    "template_args": {
+        "name": "ensurePrivateIP",
+        "prefix": "",
+        "resource_type": "kubernetes_service",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Vulnerable to CVE-2020-8554",
+    "reference_id": "AC-K8-NS-SE-M-0188",
+    "category": "Network Security",
+    "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_service/cve_2020_8554/ensurePrivateIP.rego b/pkg/policies/opa/rego/k8s/kubernetes_service/cve_2020_8554/ensurePrivateIP.rego
@@ -0,0 +1,16 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[service.id] {
+    service := input.{{.resource_type}}[_]
+    service.config.kind == "Service"
+    type_check(service.config.spec)
+    object.get(service.config.spec, "externalIPs", "undefined") != "undefined"
+}
+
+type_check(spec) {
+    spec.type == "ClusterIP"
+}
+
+type_check(spec) {
+    object.get(spec, "type", "undefined") == "undefined"
+}