Merge pull request #240 from ek1ng/feat/veinmind-iac

feat(plugins): update kubernetes iac polices
chaitin · May 17, 2023 · 5aff338 · 5aff338
2 parents 4d27100 + a9aff50
commit 5aff338
Show file tree

Hide file tree

Showing 44 changed files with 468 additions and 104 deletions.
diff --git a/plugins/go/veinmind-iac/go.sum b/plugins/go/veinmind-iac/go.sum
@@ -284,8 +284,8 @@ github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL
 github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE=
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chaitin/libveinmind v1.5.2/go.mod h1:TXLYL6GeSAQ7pQ5IxPG4Tp0DuB1QvPPFhqdOjyiWxVU=
-github.com/chaitin/libveinmind v1.5.5 h1:cd3aAc4v+p4ZTuzVPQQMqAgq4aboDoa1XAUxyl35hWg=
-github.com/chaitin/libveinmind v1.5.5/go.mod h1:TXLYL6GeSAQ7pQ5IxPG4Tp0DuB1QvPPFhqdOjyiWxVU=
+github.com/chaitin/libveinmind v1.5.6 h1:fyNq142a+uOfYZ68GTzElFXVB0dtEXvs+ffwk24+Vfg=
+github.com/chaitin/libveinmind v1.5.6/go.mod h1:TXLYL6GeSAQ7pQ5IxPG4Tp0DuB1QvPPFhqdOjyiWxVU=
 github.com/chaitin/veinmind-common-go v1.4.2 h1:+AK2lt/OI7/kGQpt3rkp1gVJvoxfosnxxFaBfi6nbGw=
 github.com/chaitin/veinmind-common-go v1.4.2/go.mod h1:+dshrlmHiBtRV7ATyObBIg3SZoffpNCr1PdahT1LUQo=
 github.com/checkpoint-restore/go-criu/v4 v4.1.0/go.mod h1:xUQBLp4RLc5zJtWY++yjOoMoB5lihDt7fai+75m+rGw=

diff --git a/plugins/go/veinmind-iac/pkg/parser/parser.go b/plugins/go/veinmind-iac/pkg/parser/parser.go
@@ -101,6 +101,7 @@ type KubernetesInput struct {
 	Spec            interface{}       `yaml:"spec" json:"spec"`
 	RoleRef         interface{}       `yaml:"roleRef" json:"roleRef"`
 	Status          interface{}       `yaml:"status" json:"status"`
+	Subjects        interface{}       `yaml:"subjects" json:"subjects"`
 	Authentication  interface{}       `yaml:"authentication" json:"authentication"`
 	Authorization   interface{}       `yaml:"authorization" json:"authorization"`
 	Template        interface{}       `yaml:"template" json:"template"`
@@ -152,5 +153,5 @@ func kubernetes(file *os.File, path string) (interface{}, error) {
 		res = append(res, kubernetesInput)
 	}
 
-	return kubernetesInput, nil
+	return res, nil
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/apiserver_10250_wrong_settings.rego b/plugins/go/veinmind-iac/rules/kubernetes/apiserver_10250_wrong_settings.rego
@@ -1,12 +1,9 @@
 package brightMirror.kubernetes
 
 import data.common
-import future.keywords.in
-import future.keywords.contains
-import future.keywords.if
 
 risks[res]{
-	input.authentication.anonymous.enabled==true
-    input.authorization.mode=="AlwaysAllow"
-    res := common.result({"original":"UnSafeSettings:`authentication.anonymous`,`authorization.mode`", "Path": input.Path}, "KN-007")
+	input[_].authentication.anonymous.enabled==true
+    input[_].authorization.mode=="AlwaysAllow"
+    res := common.result({"original":"UnSafeSettings:`authentication.anonymous`,`authorization.mode`", "Path": input[_].Path}, "KN-007")
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/apiserver_anonymous_wrong_settings.rego b/plugins/go/veinmind-iac/rules/kubernetes/apiserver_anonymous_wrong_settings.rego
@@ -1,12 +1,10 @@
 package brightMirror.kubernetes
 
 import data.common
-import future.keywords.in
-import future.keywords.contains
-import future.keywords.if
 
 risks[res]{
-    input.metadata.name=="system:anonymous"
-    input.roleRef.name=="cluster-admin"
-    res := common.result({"original":"UnSafeSettings:`metadata.name`,`roleRef.name`", "Path": input.Path}, "KN-006")
+    input[_].kind=="ClusterRoleBinding"
+    input[_].roleRef.name=="cluster-admin"
+    input[_].subjects[i].name=="system:anonymous"
+    res := common.result({"original":"UnSafeSettings:`metadata.name`,`roleRef.name`", "Path": input[_].Path}, "KN-006")
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/apiserver_insecureport_enable.rego b/plugins/go/veinmind-iac/rules/kubernetes/apiserver_insecureport_enable.rego
@@ -5,14 +5,16 @@ import future.keywords.in
 import future.keywords.contains
 import future.keywords.if
 
+
 risks[res]{
-    input.spec.containers[i].command[i]=="kube-apiserver"
-    version:=input.spec.containers[i].image
-    contains(version,"v1.1")
-	inner:=input.spec.containers[i].command
-    some val in inner
-        contains(val,"insecure-port")
-        not contains(val,"insecure-port=0")
-        code:=val
-   res := common.result({"original":"UnSafeSettings:`spec.containers.command`", "Path": input.Path}, "KN-005")
+	    containers[_].command[_]=="kube-apiserver"
+	    version:=containers[_].image
+	    contains(version,"v1.1")
+	    not contains(version,"v1.19")
+		inner:=containers[_].args
+	    some val in inner
+	        contains(val,"insecure-port")
+	        not contains(val,"insecure-port=0")
+	    res := common.result({"original":"UnSafeSettings:`spec.containers.args", "Path": input[_].Path}, "KN-005")
 }
+
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/dashboard_skip_login.rego b/plugins/go/veinmind-iac/rules/kubernetes/dashboard_skip_login.rego
@@ -1,11 +1,14 @@
 package brightMirror.kubernetes
 
 import data.common
-import future.keywords.in
 import future.keywords.contains
-import future.keywords.if
 
 risks[res]{
-    contains(input.spec.containers[0].args[i],"enable-skip-login")
-	res := common.result({"original":"UnSafeSettings:`spec.containers.args`", "Path": input.Path}, "KN-008")
+    contains(containers[_].args[_],"enable-skip-login")
+	res := common.result({"original":"UnSafeSettings:`spec.containers.args`", "Path": input[_].Path}, "KN-008")
+}
+
+risks[res]{
+    contains(pods[_].spec.containers[_].args[_],"enable-skip-login")
+	res := common.result({"original":"UnSafeSettings:`spec.containers.args`", "Path": input[_].Path}, "KN-008")
 }
diff --git a/...ubernetes/client_cert_auth_wrong_set.rego → ...etes/etcd_client_cert_auth_wrong_set.rego b/...ubernetes/client_cert_auth_wrong_set.rego → ...etes/etcd_client_cert_auth_wrong_set.rego
@@ -1,16 +1,15 @@
 package brightMirror.kubernetes
 
-import future.keywords.every
 import data.common
+import future.keywords.every
 import future.keywords.in
 import future.keywords.contains
-import future.keywords.if
 
 
 risks[res]{
-    input.spec.containers[i].command[i]=="etcd"
-	every val in input.spec.containers[i].command{
+    containers[_].command[_]=="etcd"
+	every val in containers[_].args{
     not contains(val,"--client-cert-auth=true")
     }
-    res := common.result({"original":"UnSafeSettings:`spec.containers.command missing --client-cert-auth=true`", "Path": input.Path}, "KN-009")
+    res := common.result({"original":"UnSafeSettings:`spec.containers.command missing --client-cert-auth=true`", "Path": input[_].Path}, "KN-009")
 }
diff --git a/...etes/peer_client_cert_auth_wrong_set.rego → ...etcd_peer_client_cert_auth_wrong_set.rego b/...etes/peer_client_cert_auth_wrong_set.rego → ...etcd_peer_client_cert_auth_wrong_set.rego
@@ -1,16 +1,15 @@
 package brightMirror.kubernetes
 
-import future.keywords.every
 import data.common
+import future.keywords.every
 import future.keywords.in
 import future.keywords.contains
-import future.keywords.if
 
 
 risks[res]{
-    input.spec.containers[i].command[i]=="etcd"
-	every val in input.spec.containers[i].command{
+    containers[_].command[_]=="etcd"
+	every val in containers[_].args{
     not contains(val,"--peer-client-cert-auth=true")
     }
-    res := common.result({"original":"UnSafeSettings:`spec.containers.command missing --peer-client-cert-auth=true", "Path": input.Path}, "KN-010")
+    res := common.result({"original":"UnSafeSettings:`spec.containers.command missing --peer-client-cert-auth=true", "Path": input[_].Path}, "KN-010")
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/kubernetes.rego b/plugins/go/veinmind-iac/rules/kubernetes/kubernetes.rego
@@ -25,6 +25,11 @@ containers[container] {
 	container = all_containers[_]
 }
 
+volumes[volume] {
+    is_pod
+    volume = input[_].spec.volumes[_]
+}
+
 annotations[annotation] {
     pods[pod]
 	annotation := pod.metadata.annotations
@@ -41,7 +46,7 @@ securityContexts[sec] {
 }
 
 allowPrivilegeEscalations[allow] {
-    allow := securityContexts[_].allowPrivilegeEscalation
+    allow := securityContexts[_].allowPrivilegeEscalations
 }
 
 is_pod {
@@ -52,7 +57,6 @@ is_cronjob {
 	input[_].kind = "CronJob"
 }
 
-
 default is_controller = false
 
 is_controller {

diff --git a/plugins/go/veinmind-iac/rules/kubernetes/pod_container_CAP_DAC_OVERRIDE.rego b/plugins/go/veinmind-iac/rules/kubernetes/pod_container_CAP_DAC_OVERRIDE.rego
@@ -4,13 +4,13 @@ import data.common
 import future.keywords.in
 
 risks[res]{
-        inner := input.spec.containers[i].securityContext.capabilities.add
+        inner := securityContexts[_].capabilities.add
         some val in inner
         upper(val) == "DAC_OVERRIDE"
-        Name:=input.spec.containers[i].name
+        Name:=containers[i].name
         Hints=["UnsafeContainers"]
         Names=[Name]
         Combine:=array.concat(Hints,Names)
-        res := common.result({"original":concat(":",Combine), "Path": input.Path}, "KN-015")
+        res := common.result({"original":concat(":",Combine), "Path": input[_].Path}, "KN-015")
 
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/pod_container_CAP_DAC_READ_SEARCH.rego b/plugins/go/veinmind-iac/rules/kubernetes/pod_container_CAP_DAC_READ_SEARCH.rego
@@ -4,13 +4,13 @@ import data.common
 import future.keywords.in
 
 risks[res]{
-        inner := input.spec.containers[i].securityContext.capabilities.add
+        inner := securityContexts[_].capabilities.add
         some val in inner
         upper(val) == "DAC_READ_SEARCH"
-        Name:=input.spec.containers[i].name
+        Name:=containers[i].name
         Hints=["UnsafeContainers"]
         Names=[Name]
         Combine:=array.concat(Hints,Names)
-        res := common.result({"original":concat(":",Combine), "Path": input.Path}, "KN-013")
+        res := common.result({"original":concat(":",Combine), "Path": input[_].Path}, "KN-013")
 
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/pod_container_CAP_SYS_MODULE.rego b/plugins/go/veinmind-iac/rules/kubernetes/pod_container_CAP_SYS_MODULE.rego
@@ -3,15 +3,14 @@ package brightMirror.kubernetes
 import data.common
 import future.keywords.in
 
-
 risks[res]{
-        inner := input.spec.containers[i].securityContext.capabilities.add
+        inner := securityContexts[_].capabilities.add
         some val in inner
         upper(val) == "SYS_MODULE"
-        Name:=input.spec.containers[i].name
+        Name:=containers[i].name
         Hints=["UnsafeContainers"]
         Names=[Name]
          Combine:=array.concat(Hints,Names)
-        res := common.result({"original":concat(":",Combine), "Path": input.Path}, "KN-014")
+        res := common.result({"original":concat(":",Combine), "Path": input[_].Path}, "KN-014")
 
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/pod_container_CAP_SYS_PTRACE.rego b/plugins/go/veinmind-iac/rules/kubernetes/pod_container_CAP_SYS_PTRACE.rego
@@ -3,16 +3,15 @@ package brightMirror.kubernetes
 import data.common
 import future.keywords.in
 
-
 risks[res]{
-         input.spec.hostPID==true
-        inner := input.spec.containers[i].securityContext.capabilities.add
+        input[_].spec.hostPID==true
+        inner := securityContexts[_].capabilities.add
         some val in inner
         upper(val) == "SYS_PTRACE"
-        Name:=input.spec.containers[i].name
+        Name:=containers[i].name
         Hints=["UnsafeContainers"]
         Names=[Name]
-         Combine:=array.concat(Hints,Names)
-        res := common.result({"original":concat(":",Combine), "Path": input.Path}, "KN-020")
+        Combine:=array.concat(Hints,Names)
+        res := common.result({"original":concat(":",Combine), "Path": input[_].Path}, "KN-020")
 
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/pod_container_SYS_ADMIN.rego b/plugins/go/veinmind-iac/rules/kubernetes/pod_container_SYS_ADMIN.rego
@@ -3,16 +3,13 @@ package brightMirror.kubernetes
 import data.common
 import future.keywords.in
 
-
-
 risks[res]{
-        inner := input.spec.containers[i].securityContext.capabilities.add
+        inner := securityContexts[_].capabilities.add
         some val in inner
         upper(val) == "SYS_ADMIN"
-        Name:=input.spec.containers[i].name
+        Name:=containers[i].name
         Hints=["UnsafeContainers"]
         Names=[Name]
         Combine:=array.concat(Hints,Names)
-        res := common.result({"original":concat(":",Combine), "Path": input.Path}, "KN-012")
-
+        res := common.result({"original":concat(":",Combine), "Path": input[_].Path}, "KN-012")
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/pod_container_apparmor.rego b/plugins/go/veinmind-iac/rules/kubernetes/pod_container_apparmor.rego
@@ -3,9 +3,9 @@ package brightMirror.kubernetes
 import data.common
 
 risks[res] {
-    name := containers[_].name
-	key := sprintf("%s/%s", ["container.apparmor.security.beta.kubernetes.io", name])
-	val := annotations[i][key]
-	val != "runtime/default"
-    res := common.result({"original": val,"Path": input[i].Path}, "KN-003")
+	inner:= containers[i]
+	key := sprintf("%s/%s", ["container.apparmor.security.beta.kubernetes.io", inner.name])
+    annotations:=input[_].metadata.annotations
+    annotations[key]!="runtime/default"
+    res := common.result({"original": annotations[key],"Path": input[_].Path}, "KN-003")
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/pod_container_elevate.rego b/plugins/go/veinmind-iac/rules/kubernetes/pod_container_elevate.rego
@@ -3,14 +3,6 @@ package brightMirror.kubernetes
 import data.common
 
 risks[res] {
-   count(securityContexts) > 0
-   count(allowPrivilegeEscalations) > 0
-   allowPrivilegeEscalations[i] == true
-   res := common.result({"original": allowPrivilegeEscalations[i], "Path": input[i].Path}, "KN-002")
+   allowPrivilegeEscalations[_] == true
+   res := common.result({"original": "UnSafeSettings:set allowPrivilegeEscalation=true", "Path": input[_].Path}, "KN-002")
 }
-
-risks[res] {
-   count(securityContexts) > 0
-   count(allowPrivilegeEscalations)  < 1
-   res := common.result({"original":"UnSafeSettings:`unset allowPrivilegeEscalation=false`", "Path": input[i].Path}, "KN-002")
-}
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/pod_container_image_latest.rego b/plugins/go/veinmind-iac/rules/kubernetes/pod_container_image_latest.rego
@@ -3,14 +3,14 @@ package brightMirror.kubernetes
 import data.common
 
 risks[res] {
-    image := containers[_].image
-    contains(image, "latest")
-    res := common.result({"original":image, "Path": input[i].Path}, "KN-001")
+	image := containers[_].image
+	contains(image, "latest")
+    res := common.result({"original":containers[_].image, "Path": input[_].Path}, "KN-001")
 }
 
 risks[res] {
     image := containers[_].image
     not contains(image, ":")
     not equal(image, "scratch")
-    res := common.result({"original":image, "Path": input[i].Path}, "KN-001")
+    res := common.result({"original":containers[_].image, "Path": input[_].Path}, "KN-001")
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/pod_container_mount_dockersock.rego b/plugins/go/veinmind-iac/rules/kubernetes/pod_container_mount_dockersock.rego
@@ -5,12 +5,12 @@ import future.keywords.if
 import future.keywords.in
 
 risks[res]{
-    inner := input.spec.volumes[i].hostPath
+    inner := volumes[_].hostPath
     some val in inner
     contains(val,"docker.sock")
-    Name:=input.spec.volumes[i].name
+    Name:=volumes[_].name
     Names:=[Name]
     Hints:=["UnSafeVolumeName"]
     Combine:=array.concat(Hints,Names)
-    res := common.result({"original":concat(":",Combine), "Path": input.Path}, "KN-016")
+    res := common.result({"original":concat(":",Combine), "Path": input[_].Path}, "KN-016")
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/pod_container_mount_lxcfs.rego b/plugins/go/veinmind-iac/rules/kubernetes/pod_container_mount_lxcfs.rego
@@ -5,12 +5,12 @@ import future.keywords.if
 import future.keywords.in
 
 risks[res]{
-    inner := input.spec.volumes[i].hostPath
+    inner := volumes[_].hostPath
     some val in inner
     contains(val,"lxcfs")
-    Name:=input.spec.volumes[i].name
+    Name:=volumes[_].name
     Names:=[Name]
     Hints:=["UnSafeVolumeName"]
     Combine:=array.concat(Hints,Names)
-    res := common.result({"original":concat(":",Combine), "Path": input.Path}, "KN-017")
+    res := common.result({"original":concat(":",Combine), "Path": input[_].Path}, "KN-017")
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/pod_container_mount_proc.rego b/plugins/go/veinmind-iac/rules/kubernetes/pod_container_mount_proc.rego
@@ -6,12 +6,12 @@ import future.keywords.in
 
 
 risks[res]{
-        inner := input.spec.volumes[i].hostPath
+        inner := volumes[_].hostPath
         some val in inner
-        contains(val,"/proc")
-        Name:=input.spec.volumes[i].name
+            contains(val,"/proc")
+        Name:=volumes[_].name
         Names:=[Name]
         Hints:=["UnSafeVolumeName"]
         Combine:=array.concat(Hints,Names)
-        res := common.result({"original":concat(":",Combine), "Path": input.Path}, "KN-019")
+        res := common.result({"original":concat(":",Combine), "Path": input[_].Path}, "KN-019")
 }