-
Notifications
You must be signed in to change notification settings - Fork 19
/
3_runs_as_root.rego
66 lines (59 loc) · 1.95 KB
/
3_runs_as_root.rego
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
# METADATA
# title: "Runs as root user"
# description: "Force the running image to run as a non-root user to ensure least privileges."
# scope: package
# schemas:
# - input: schema["kubernetes"]
# related_resources:
# - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
# custom:
# id: KSV012
# avd_id: AVD-KSV-0012
# severity: MEDIUM
# short_code: no-root
# recommended_action: "Set 'containers[].securityContext.runAsNonRoot' to true."
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: pod
# - kind: replicaset
# - kind: replicationcontroller
# - kind: deployment
# - kind: deploymentconfig
# - kind: statefulset
# - kind: daemonset
# - kind: cronjob
# - kind: job
package builtin.kubernetes.KSV012
import data.lib.kubernetes
import data.lib.utils
default checkRunAsNonRoot = false
# getNonRootContainers returns the names of all containers which have
# securityContext.runAsNonRoot set to true.
getNonRootContainers[container] {
allContainers := kubernetes.containers[_]
allContainers.securityContext.runAsNonRoot == true
container := allContainers.name
}
# getRootContainers returns the names of all containers which have
# securityContext.runAsNonRoot set to false or not set.
getRootContainers[container] {
container := kubernetes.containers[_]
not getNonRootContainers[container.name]
}
# checkRunAsNonRoot is true if securityContext.runAsNonRoot is set to false
# or if securityContext.runAsNonRoot is not set.
checkRunAsNonRootContainers {
count(getRootContainers) > 0
}
checkRunAsNonRootPod {
allPods := kubernetes.pods[_]
not allPods.spec.securityContext.runAsNonRoot
}
deny[res] {
checkRunAsNonRootPod
output := getRootContainers[_]
msg := kubernetes.format(sprintf("Container '%s' of %s '%s' should set 'securityContext.runAsNonRoot' to true", [output.name, kubernetes.kind, kubernetes.name]))
res := result.new(msg, output)
}