Rego metadata changes #54

Merged
merged 1 commit into from
Apr 12, 2021
Merged
28 changes: 19 additions & 9 deletions kubernetes/policies/general/CPU_not_limited.rego
@@ -1,17 +1,20 @@
# @title: CPU not limited
# @description: Enforcing CPU limits prevents DoS via resource exhaustion.
# @recommended_actions: Set a limit value under 'containers[].resources.limits.cpu'.
# @severity: Low
# @id: KSV011
# @links:

package main
package appshield.kubernetes.KSV011

import data.lib.kubernetes
import data.lib.utils

default failLimitsCPU = false

__rego_metadata__ := {
"id": "KSV011",
"title": "CPU not limited",
"version": "v1.0.0",
"severity": "Low",
"type": "Kubernetes Security Check",
"description": "Enforcing CPU limits prevents DoS via resource exhaustion.",
"recommended_actions": "Set a limit value under 'containers[].resources.limits.cpu'.",
}

# getLimitsCPUContainers returns all containers which have set resources.limits.cpu
getLimitsCPUContainers[container] {
allContainers := kubernetes.containers[_]
Expand All @@ -32,7 +35,7 @@ failLimitsCPU {
count(getNoLimitsCPUContainers) > 0
}

deny[msg] {
deny[res] {
failLimitsCPU

msg := kubernetes.format(
Expand All @@ -41,4 +44,11 @@ deny[msg] {
[getNoLimitsCPUContainers[_], lower(kubernetes.kind), kubernetes.name, kubernetes.namespace]
)
)
res := {
"msg": msg,
"id": __rego_metadata__.id,
"title": __rego_metadata__.title,
"severity": __rego_metadata__.severity,
"type": __rego_metadata__.type,
}
}
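Review bot: The rename from `package main` to `package appshield.kubernetes.KSV011` in the first hunk changes which namespace an evaluator has to query, and a caller still evaluating the default `main` namespace would get no `deny` results and report the manifest as clean. That is a fail-open failure mode for a security check, so the required namespace belongs in the usage docs, ideally backed by a test that asserts at least one `deny` for a known-bad fixture under the new package. Since the package suffix and the metadata `id` are both hand-maintained, a comment above the package line, `# Package suffix must match "id" in __rego_metadata__ below.`, flags the coupling. The `kubernetes.format` call in `deny` starts before the last hunk.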
28 changes: 19 additions & 9 deletions kubernetes/policies/general/CPU_requests_not_specified.rego
@@ -1,17 +1,20 @@
# @title: CPU requests not specified
# @description: When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.
# @recommended_actions: Set 'containers[].resources.requests.cpu'.
# @severity: Low
# @id: KSV015
# @links:

package main
package appshield.kubernetes.KSV015

import data.lib.kubernetes
import data.lib.utils

default failRequestsCPU = false

__rego_metadata__ := {
"id": "KSV015",
"title": "CPU requests not specified",
"version": "v1.0.0",
"severity": "Low",
"type": "Kubernetes Security Check",
"description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.",
"recommended_actions": "Set 'containers[].resources.requests.cpu'.",
}

# getRequestsCPUContainers returns all containers which have set resources.requests.cpu
getRequestsCPUContainers[container] {
allContainers := kubernetes.containers[_]
Expand All @@ -32,7 +35,7 @@ failRequestsCPU {
count(getNoRequestsCPUContainers) > 0
}

deny[msg] {
deny[res] {
failRequestsCPU

msg := kubernetes.format(
Expand All @@ -41,4 +44,11 @@ deny[msg] {
[getNoRequestsCPUContainers[_], lower(kubernetes.kind), kubernetes.name, kubernetes.namespace]
)
)
res := {
"msg": msg,
"id": __rego_metadata__.id,
"title": __rego_metadata__.title,
"severity": __rego_metadata__.severity,
"type": __rego_metadata__.type,
}
}
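Review bot: The `res` object built at the end of `deny` carries `id`, `title`, `severity` and `type` but drops `recommended_actions` and `description`, so a consumer that only reads the rule's output loses the remediation hint that the removed header comments used to carry next to the message. If the result schema permits extra keys, adding `"recommended_actions": __rego_metadata__.recommended_actions,` to `res` keeps that information with the finding; if the consumer is expected to read `__rego_metadata__` directly, a one-line comment above the object saying so would spare the next reader the same question. The `kubernetes.format` call in `deny` starts before the last hunk.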
28 changes: 19 additions & 9 deletions kubernetes/policies/general/SYS_ADMIN_capability.rego
@@ -1,16 +1,19 @@
# @title: SYS_ADMIN capability added
# @description: SYS_ADMIN gives the processes running inside the container privileges that are equivalent to root.
# @recommended_actions: Remove the SYS_ADMIN capability from 'containers[].securityContext.capabilities.add'.
# @severity: High
# @id: KSV005
# @links:

package main
package appshield.kubernetes.KSV005

import data.lib.kubernetes

default failCapsSysAdmin = false

__rego_metadata__ := {
"id": "KSV005",
"title": "SYS_ADMIN capability added",
"version": "v1.0.0",
"severity": "High",
"type": "Kubernetes Security Check",
"description": "SYS_ADMIN gives the processes running inside the container privileges that are equivalent to root.",
"recommended_actions": "Remove the SYS_ADMIN capability from 'containers[].securityContext.capabilities.add'.",
}

# getCapsSysAdmin returns the names of all containers which include
# 'SYS_ADMIN' in securityContext.capabilities.add.
getCapsSysAdmin[container] {
Expand All @@ -25,7 +28,7 @@ failCapsSysAdmin {
count(getCapsSysAdmin) > 0
}

deny[msg] {
deny[res] {
failCapsSysAdmin

msg := kubernetes.format(
Expand All @@ -34,5 +37,12 @@ deny[msg] {
[getCapsSysAdmin[_], lower(kubernetes.kind), kubernetes.name, kubernetes.namespace]
)
)
res := {
"msg": msg,
"id": __rego_metadata__.id,
"title": __rego_metadata__.title,
"severity": __rego_metadata__.severity,
"type": __rego_metadata__.type,
}
}
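Review bot: The `"type": "Kubernetes Security Check"` literal in `__rego_metadata__` is retyped by hand in every policy file of this change and re-read per finding through `res`, so a single typo in one file would silently split that check off from the others in any report grouped by type. Nothing in the visible code provides a shared definition, so either a constant in the shared library (e.g. `check_type := "Kubernetes Security Check"` referenced as `kubernetes.check_type`) or a test asserting every policy's `type` equals one expected string would catch drift. The `kubernetes.format` call in `deny` starts before the last hunk.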

28 changes: 19 additions & 9 deletions kubernetes/policies/general/excess_default_capabilities.rego
@@ -1,16 +1,19 @@
# @title: Default capabilities: some containers do not drop all
# @description: The container should drop all default capabilities and add only those that are needed for its execution.
# @recommended_actions: Add 'ALL' to containers[].securityContext.capabilities.drop.
# @severity: Low
# @id: KSV003
# @links:

package main
package appshield.kubernetes.KSV003

import data.lib.kubernetes

default checkCapsDropAll = false

__rego_metadata__ := {
"id": "KSV003",
"title": "Default capabilities: some containers do not drop all",
"version": "v1.0.0",
"severity": "Low",
"type": "Kubernetes Security Check",
"description": "The container should drop all default capabilities and add only those that are needed for its execution.",
"recommended_actions": "Add 'ALL' to containers[].securityContext.capabilities.drop.",
}

# Get all containers which include 'ALL' in security.capabilities.drop
getCapsDropAllContainers[container] {
allContainers := kubernetes.containers[_]
Expand All @@ -30,7 +33,7 @@ checkCapsDropAll {
count(getCapsNoDropAllContainers) > 0
}

deny[msg] {
deny[res] {
checkCapsDropAll

msg := kubernetes.format(
Expand All @@ -39,4 +42,11 @@ deny[msg] {
[getCapsNoDropAllContainers[_], lower(kubernetes.kind), kubernetes.name, kubernetes.namespace]
)
)
res := {
"msg": msg,
"id": __rego_metadata__.id,
"title": __rego_metadata__.title,
"severity": __rego_metadata__.severity,
"type": __rego_metadata__.type,
}
}
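Review bot: The `title` in `__rego_metadata__`, `Default capabilities: some containers do not drop all`, is now emitted on every finding through `res`, yet the last hunk produces one `res` per offending container via `getCapsNoDropAllContainers[_]`, so "some containers" reads oddly on a single-container result. A per-finding wording such as `"title": "Default capabilities not dropped",` fits the new output shape; if the exact title is matched by string elsewhere, keep it and say so in a comment above the metadata object instead. The `kubernetes.format` call in `deny` starts before the last hunk.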
28 changes: 19 additions & 9 deletions kubernetes/policies/general/file_system_not_read_only.rego
Original file line number Diff line number Diff line change
@@ -1,16 +1,19 @@
# @title: Root file system is not read-only
# @description: An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
# @recommended_actions: Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.
# @severity: Low
# @id: KSV014
# @links:

package main
package appshield.kubernetes.KSV014

import data.lib.kubernetes

default failReadOnlyRootFilesystem = false

__rego_metadata__ := {
"id": "KSV014",
"title": "Root file system is not read-only",
"version": "v1.0.0",
"severity": "Low",
"type": "Kubernetes Security Check",
"description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.",
"recommended_actions": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.",
}

# getReadOnlyRootFilesystemContainers returns all containers that have
# securityContext.readOnlyFilesystem set to true.
getReadOnlyRootFilesystemContainers[container] {
Expand All @@ -32,7 +35,7 @@ failReadOnlyRootFilesystem {
count(getNotReadOnlyRootFilesystemContainers) > 0
}

deny[msg] {
deny[res] {
failReadOnlyRootFilesystem

msg := kubernetes.format(
Expand All @@ -41,4 +44,11 @@ deny[msg] {
[getNotReadOnlyRootFilesystemContainers[_], lower(kubernetes.kind), kubernetes.name, kubernetes.namespace]
)
)
res := {
"msg": msg,
"id": __rego_metadata__.id,
"title": __rego_metadata__.title,
"severity": __rego_metadata__.severity,
"type": __rego_metadata__.type,
}
}
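Review bot: The context comment above `getReadOnlyRootFilesystemContainers` still says the rule looks at `securityContext.readOnlyFilesystem`, while the new `recommended_actions` string names the field as `containers[].securityContext.readOnlyRootFilesystem`; now that the metadata is the canonical description the two should agree. I would change the comment line to `# securityContext.readOnlyRootFilesystem set to true.` so a reader is not sent looking for a field name the metadata itself does not use. The body of that rule and the `kubernetes.format` call in `deny` lie outside the visible hunks.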
28 changes: 19 additions & 9 deletions kubernetes/policies/general/manages_etc_hosts.rego
Original file line number Diff line number Diff line change
@@ -1,23 +1,26 @@
# @title: Manages /etc/hosts
# @description: Managing /etc/hosts aliases can prevent the container engine from modifying the file after a pod’s containers have already been started.
# @recommended_actions: Do not set 'spec.template.spec.hostAliases'.
# @severity: Low
# @id: KSV007
# @links:

package main
package appshield.kubernetes.KSV007

import data.lib.kubernetes
import data.lib.utils

default failHostAliases = false

__rego_metadata__ := {
"id": "KSV007",
"title": "Manages /etc/hosts",
"version": "v1.0.0",
"severity": "Low",
"type": "Kubernetes Security Check",
"description": "Managing /etc/hosts aliases can prevent the container engine from modifying the file after a pod’s containers have already been started.",
"recommended_actions": "Do not set 'spec.template.spec.hostAliases'.",
}

# failHostAliases is true if spec.hostAliases is set (on all controllers)
failHostAliases {
utils.has_key(kubernetes.host_aliases[_], "hostAliases")
}

deny[msg] {
deny[res] {
failHostAliases

msg := kubernetes.format(
Expand All @@ -26,5 +29,12 @@ deny[msg] {
[lower(kubernetes.kind), kubernetes.name, kubernetes.namespace]
)
)
res := {
"msg": msg,
"id": __rego_metadata__.id,
"title": __rego_metadata__.title,
"severity": __rego_metadata__.severity,
"type": __rego_metadata__.type,
}
}
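Review bot: `recommended_actions` in `__rego_metadata__` tells the user not to set `spec.template.spec.hostAliases`, but the context comment on `failHostAliases` says the rule fires when `spec.hostAliases` is set on all controllers, which presumably includes a bare Pod where there is no template and the path is just `spec.hostAliases`. If the rule does cover Pods, a wording like `"recommended_actions": "Do not set 'hostAliases' in the pod spec (spec.hostAliases, or spec.template.spec.hostAliases on controllers).",` matches what is actually checked; if it does not, the comment should say so. The `kubernetes.format` call in `deny` starts before the last hunk.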

27 changes: 18 additions & 9 deletions kubernetes/policies/general/memory_not_limited.rego
Original file line number Diff line number Diff line change
@@ -1,17 +1,19 @@
# @title: Memory not limited
# @description: Enforcing memory limits prevents DoS via resource exhaustion.
# @recommended_actions: Set a limit value under 'containers[].resources.limits.memory'.
# @severity: Low
# @id: KSV018
# @links:

package main
package appshield.kubernetes.KSV018

import data.lib.kubernetes
import data.lib.utils

default failLimitsMemory = false

__rego_metadata__ := {
"id": "KSV018",
"title": "Memory not limited",
"version": "v1.0.0",
"severity": "Low",
"type": "Kubernetes Security Check",
"description": "Enforcing memory limits prevents DoS via resource exhaustion.",
"recommended_actions": "Set a limit value under 'containers[].resources.limits.memory'.",
}
# getLimitsMemoryContainers returns all containers which have set resources.limits.memory
getLimitsMemoryContainers[container] {
allContainers := kubernetes.containers[_]
Expand All @@ -32,7 +34,7 @@ failLimitsMemory {
count(getNoLimitsMemoryContainers) > 0
}

deny[msg] {
deny[res] {
failLimitsMemory

msg := kubernetes.format(
Expand All @@ -41,4 +43,11 @@ deny[msg] {
[getNoLimitsMemoryContainers[_], lower(kubernetes.kind), kubernetes.name, kubernetes.namespace]
)
)
res := {
"msg": msg,
"id": __rego_metadata__.id,
"title": __rego_metadata__.title,
"severity": __rego_metadata__.severity,
"type": __rego_metadata__.type,
}
}
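Review bot: The closing `}` of `__rego_metadata__` is immediately followed by the `# getLimitsMemoryContainers` comment with no blank line, the one place in this change that departs from the layout of the other seven policies (and the reason this section counts 18 additions where the others count 19). Adding the blank line after `}` keeps the files uniform and makes the metadata block visually separate from the rule that follows. The `kubernetes.format` call in `deny` starts before the last hunk.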
28 changes: 19 additions & 9 deletions kubernetes/policies/general/memory_requests_not_specified.rego
Original file line number Diff line number Diff line change
@@ -1,17 +1,20 @@
# @title: Memory requests not specified
# @description: When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.
# @recommended_actions: Set 'containers[].resources.requests.memory'.
# @severity: Low
# @id: KSV016
# @links:

package main
package appshield.kubernetes.KSV016

import data.lib.kubernetes
import data.lib.utils

default failRequestsMemory = false

__rego_metadata__ := {
"id": "KSV016",
"title": "Memory requests not specified",
"version": "v1.0.0",
"severity": "Low",
"type": "Kubernetes Security Check",
"description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.",
"recommended_actions": "Set 'containers[].resources.requests.memory'.",
}

# getRequestsMemoryContainers returns all containers which have set resources.requests.memory
getRequestsMemoryContainers[container] {
allContainers := kubernetes.containers[_]
Expand All @@ -32,7 +35,7 @@ failRequestsMemory {
count(getNoRequestsMemoryContainers) > 0
}

deny[msg] {
deny[res] {
failRequestsMemory

msg := kubernetes.format(
Expand All @@ -41,4 +44,11 @@ deny[msg] {
[getNoRequestsMemoryContainers[_], lower(kubernetes.kind), kubernetes.name, kubernetes.namespace]
)
)
res := {
"msg": msg,
"id": __rego_metadata__.id,
"title": __rego_metadata__.title,
"severity": __rego_metadata__.severity,
"type": __rego_metadata__.type,
}
}
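Review bot: The check id `KSV016` now lives in two hand-maintained places, the `package appshield.kubernetes.KSV016` line and `"id": "KSV016"` in `__rego_metadata__`, and nothing in the visible code ties them together, so copying this file for a new check can ship a package name and a reported id that disagree. A repository-level test (or a simple grep in CI) asserting that the package suffix equals the metadata `id` for every policy would catch that; failing that, a comment above the package line, `# keep in sync with __rego_metadata__.id`, at least flags the coupling. The `kubernetes.format` call in `deny` starts before the last hunk.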