policy to detect a service without selector (#931)

(CVE-2021-25740)
tenable · Jul 15, 2021 · c299d50 · c299d50
1 parent 29201a7
commit c299d50
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_service/AC_K8S_0114.json b/pkg/policies/opa/rego/k8s/kubernetes_service/AC_K8S_0114.json
@@ -0,0 +1,17 @@
+{
+    "name": "ensureServiceWithSelector",
+    "file": "ensureServiceWithSelector.rego",
+    "policy_type": "k8s",
+    "resource_type": "kubernetes_service",
+    "template_args": {
+        "name": "ensureServiceWithSelector",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "LOW",
+    "description": "Ensure the use of selector is enforced for Kubernetes Ingress or LoadBalancer service",
+    "reference_id": "AC_K8S_0114",
+    "category": "Infrastructure Security",
+    "version": 1,
+    "id": "AC_K8S_0114"
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_service/ensureServiceWithSelector.rego b/pkg/policies/opa/rego/k8s/kubernetes_service/ensureServiceWithSelector.rego
@@ -0,0 +1,8 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[service.id] {
+    service := input.kubernetes_service[_]
+    service_config := service.config
+    service_config.spec.type == ["LoadBalancer", "Ingress"][_]
+    object.get(service_config, "selector", "undefined") == "undefined"
+}