refactor(plugins): Modularize the security policy of kubernetes

chaitin · May 16, 2023 · 6a688e1 · 6a688e1
1 parent 435ea4d
commit 6a688e1
Show file tree

Hide file tree

Showing 23 changed files with 88 additions and 87 deletions.
diff --git a/plugins/go/veinmind-iac/pkg/parser/parser.go b/plugins/go/veinmind-iac/pkg/parser/parser.go
@@ -153,5 +153,5 @@ func kubernetes(file *os.File, path string) (interface{}, error) {
 		res = append(res, kubernetesInput)
 	}
 
-	return kubernetesInput, nil
+	return res, nil
 }
diff --git a/plugins/go/veinmind-iac/pkg/scanner/scanner.go b/plugins/go/veinmind-iac/pkg/scanner/scanner.go
@@ -2,7 +2,9 @@ package scanner
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
+	"fmt"
 	"io/fs"
 	"os"
 	"path/filepath"
@@ -46,10 +48,10 @@ func (bs *Scanner) Scan(ctx context.Context, iacFile api.IAC) ([]Result, error)
 
 	// parse
 	input, err := parseHandle(file, iacFile.Path)
-	//jsonBytes, _ := json.Marshal(input)
-	//jsonString := string(jsonBytes)
-	//
-	//fmt.Println(jsonString)
+	jsonBytes, _ := json.Marshal(input)
+	jsonString := string(jsonBytes)
+
+	fmt.Println(jsonString)
 	if err != nil {
 		return nil, err
 	}

diff --git a/plugins/go/veinmind-iac/rules/kubernetes/apiserver_10250_wrong_settings.rego b/plugins/go/veinmind-iac/rules/kubernetes/apiserver_10250_wrong_settings.rego
@@ -3,7 +3,7 @@ package brightMirror.kubernetes
 import data.common
 
 risks[res]{
-	input.authentication.anonymous.enabled==true
-    input.authorization.mode=="AlwaysAllow"
-    res := common.result({"original":"UnSafeSettings:`authentication.anonymous`,`authorization.mode`", "Path": input.Path}, "KN-007")
+	input[_].authentication.anonymous.enabled==true
+    input[_].authorization.mode=="AlwaysAllow"
+    res := common.result({"original":"UnSafeSettings:`authentication.anonymous`,`authorization.mode`", "Path": input[_].Path}, "KN-007")
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/apiserver_anonymous_wrong_settings.rego b/plugins/go/veinmind-iac/rules/kubernetes/apiserver_anonymous_wrong_settings.rego
@@ -3,8 +3,8 @@ package brightMirror.kubernetes
 import data.common
 
 risks[res]{
-    input.kind=="ClusterRoleBinding"
-    input.roleRef.name=="cluster-admin"
-    input.subjects[i].name=="system:anonymous"
-    res := common.result({"original":"UnSafeSettings:`metadata.name`,`roleRef.name`", "Path": input.Path}, "KN-006")
+    input[_].kind=="ClusterRoleBinding"
+    input[_].roleRef.name=="cluster-admin"
+    input[_].subjects[i].name=="system:anonymous"
+    res := common.result({"original":"UnSafeSettings:`metadata.name`,`roleRef.name`", "Path": input[_].Path}, "KN-006")
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/apiserver_insecureport_enable.rego b/plugins/go/veinmind-iac/rules/kubernetes/apiserver_insecureport_enable.rego
@@ -5,15 +5,16 @@ import future.keywords.in
 import future.keywords.contains
 import future.keywords.if
 
+
 risks[res]{
-    input.spec.containers[i].command[i]=="kube-apiserver"
-    version:=input.spec.containers[i].image
-    contains(version,"v1.1")
-    not contains(version,"v1.19")
-	inner:=input.spec.containers[i].args
-    some val in inner
-        contains(val,"insecure-port")
-        not contains(val,"insecure-port=0")
-        code:=val
-   res := common.result({"original":"UnSafeSettings:`spec.containers.command`", "Path": input.Path}, "KN-005")
-}
+	    containers[_].command[_]=="kube-apiserver"
+	    version:=containers[_].image
+	    contains(version,"v1.1")
+	    not contains(version,"v1.19")
+		inner:=containers[_].args
+	    some val in inner
+	        contains(val,"insecure-port")
+	        not contains(val,"insecure-port=0")
+	    res := common.result({"original":"UnSafeSettings:`spec.containers.args", "Path": input[_].Path}, "KN-005")
+}
+
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/dashboard_skip_login.rego b/plugins/go/veinmind-iac/rules/kubernetes/dashboard_skip_login.rego
@@ -4,11 +4,11 @@ import data.common
 import future.keywords.contains
 
 risks[res]{
-    contains(input.spec.containers[_].args[i],"enable-skip-login")
-	res := common.result({"original":"UnSafeSettings:`spec.containers.args`", "Path": input.Path}, "KN-008")
+    contains(containers[_].args[_],"enable-skip-login")
+	res := common.result({"original":"UnSafeSettings:`spec.containers.args`", "Path": input[_].Path}, "KN-008")
 }
 
 risks[res]{
-    contains(input.spec.template.spec.containers[_].args[i],"enable-skip-login")
-	res := common.result({"original":"UnSafeSettings:`spec.containers.args`", "Path": input.Path}, "KN-008")
+    contains(pods[_].spec.containers[_].args[_],"enable-skip-login")
+	res := common.result({"original":"UnSafeSettings:`spec.containers.args`", "Path": input[_].Path}, "KN-008")
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/etcd_client_cert_auth_wrong_set.rego b/plugins/go/veinmind-iac/rules/kubernetes/etcd_client_cert_auth_wrong_set.rego
@@ -1,16 +1,15 @@
 package brightMirror.kubernetes
 
-import future.keywords.every
 import data.common
+import future.keywords.every
 import future.keywords.in
 import future.keywords.contains
-import future.keywords.if
 
 
 risks[res]{
-    input.spec.containers[i].command[i]=="etcd"
-	every val in input.spec.containers[i].args{
+    containers[_].command[_]=="etcd"
+	every val in containers[_].args{
     not contains(val,"--client-cert-auth=true")
     }
-    res := common.result({"original":"UnSafeSettings:`spec.containers.command missing --client-cert-auth=true`", "Path": input.Path}, "KN-009")
+    res := common.result({"original":"UnSafeSettings:`spec.containers.command missing --client-cert-auth=true`", "Path": input[_].Path}, "KN-009")
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/etcd_peer_client_cert_auth_wrong_set.rego b/plugins/go/veinmind-iac/rules/kubernetes/etcd_peer_client_cert_auth_wrong_set.rego
@@ -1,16 +1,15 @@
 package brightMirror.kubernetes
 
-import future.keywords.every
 import data.common
+import future.keywords.every
 import future.keywords.in
 import future.keywords.contains
-import future.keywords.if
 
 
 risks[res]{
-    input.spec.containers[i].command[i]=="etcd"
-	every val in input.spec.containers[i].args{
+    containers[_].command[_]=="etcd"
+	every val in containers[_].args{
     not contains(val,"--peer-client-cert-auth=true")
     }
-    res := common.result({"original":"UnSafeSettings:`spec.containers.command missing --peer-client-cert-auth=true", "Path": input.Path}, "KN-010")
+    res := common.result({"original":"UnSafeSettings:`spec.containers.command missing --peer-client-cert-auth=true", "Path": input[_].Path}, "KN-010")
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/kubernetes.rego b/plugins/go/veinmind-iac/rules/kubernetes/kubernetes.rego
@@ -25,6 +25,11 @@ containers[container] {
 	container = all_containers[_]
 }
 
+volumes[volume] {
+    is_pod
+    volume = input[_].spec.volumes[_]
+}
+
 annotations[annotation] {
     pods[pod]
 	annotation := pod.metadata.annotations
@@ -41,7 +46,7 @@ securityContexts[sec] {
 }
 
 allowPrivilegeEscalations[allow] {
-    allow := securityContexts[_].allowPrivilegeEscalation
+    allow := securityContexts[_].allowPrivilegeEscalations
 }
 
 is_pod {
@@ -52,7 +57,6 @@ is_cronjob {
 	input[_].kind = "CronJob"
 }
 
-
 default is_controller = false
 
 is_controller {

diff --git a/plugins/go/veinmind-iac/rules/kubernetes/pod_container_CAP_DAC_OVERRIDE.rego b/plugins/go/veinmind-iac/rules/kubernetes/pod_container_CAP_DAC_OVERRIDE.rego
@@ -4,13 +4,13 @@ import data.common
 import future.keywords.in
 
 risks[res]{
-        inner := input.spec.containers[i].securityContext.capabilities.add
+        inner := securityContexts[_].capabilities.add
         some val in inner
         upper(val) == "DAC_OVERRIDE"
-        Name:=input.spec.containers[i].name
+        Name:=containers[i].name
         Hints=["UnsafeContainers"]
         Names=[Name]
         Combine:=array.concat(Hints,Names)
-        res := common.result({"original":concat(":",Combine), "Path": input.Path}, "KN-015")
+        res := common.result({"original":concat(":",Combine), "Path": input[_].Path}, "KN-015")
 
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/pod_container_CAP_DAC_READ_SEARCH.rego b/plugins/go/veinmind-iac/rules/kubernetes/pod_container_CAP_DAC_READ_SEARCH.rego
@@ -4,13 +4,13 @@ import data.common
 import future.keywords.in
 
 risks[res]{
-        inner := input.spec.containers[i].securityContext.capabilities.add
+        inner := securityContexts[_].capabilities.add
         some val in inner
         upper(val) == "DAC_READ_SEARCH"
-        Name:=input.spec.containers[i].name
+        Name:=containers[i].name
         Hints=["UnsafeContainers"]
         Names=[Name]
         Combine:=array.concat(Hints,Names)
-        res := common.result({"original":concat(":",Combine), "Path": input.Path}, "KN-013")
+        res := common.result({"original":concat(":",Combine), "Path": input[_].Path}, "KN-013")
 
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/pod_container_CAP_SYS_MODULE.rego b/plugins/go/veinmind-iac/rules/kubernetes/pod_container_CAP_SYS_MODULE.rego
@@ -4,13 +4,13 @@ import data.common
 import future.keywords.in
 
 risks[res]{
-        inner := input.spec.containers[i].securityContext.capabilities.add
+        inner := securityContexts[_].capabilities.add
         some val in inner
         upper(val) == "SYS_MODULE"
-        Name:=input.spec.containers[i].name
+        Name:=containers[i].name
         Hints=["UnsafeContainers"]
         Names=[Name]
          Combine:=array.concat(Hints,Names)
-        res := common.result({"original":concat(":",Combine), "Path": input.Path}, "KN-014")
+        res := common.result({"original":concat(":",Combine), "Path": input[_].Path}, "KN-014")
 
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/pod_container_CAP_SYS_PTRACE.rego b/plugins/go/veinmind-iac/rules/kubernetes/pod_container_CAP_SYS_PTRACE.rego
@@ -4,14 +4,14 @@ import data.common
 import future.keywords.in
 
 risks[res]{
-        input.spec.hostPID==true
-        inner := input.spec.containers[i].securityContext.capabilities.add
+        input[_].spec.hostPID==true
+        inner := securityContexts[_].capabilities.add
         some val in inner
         upper(val) == "SYS_PTRACE"
-        Name:=input.spec.containers[i].name
+        Name:=containers[i].name
         Hints=["UnsafeContainers"]
         Names=[Name]
-         Combine:=array.concat(Hints,Names)
-        res := common.result({"original":concat(":",Combine), "Path": input.Path}, "KN-020")
+        Combine:=array.concat(Hints,Names)
+        res := common.result({"original":concat(":",Combine), "Path": input[_].Path}, "KN-020")
 
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/pod_container_SYS_ADMIN.rego b/plugins/go/veinmind-iac/rules/kubernetes/pod_container_SYS_ADMIN.rego
@@ -4,12 +4,12 @@ import data.common
 import future.keywords.in
 
 risks[res]{
-        inner := input.spec.containers[i].securityContext.capabilities.add
+        inner := securityContexts[_].capabilities.add
         some val in inner
         upper(val) == "SYS_ADMIN"
-        Name:=input.spec.containers[i].name
+        Name:=containers[i].name
         Hints=["UnsafeContainers"]
         Names=[Name]
         Combine:=array.concat(Hints,Names)
-        res := common.result({"original":concat(":",Combine), "Path": input.Path}, "KN-012")
+        res := common.result({"original":concat(":",Combine), "Path": input[_].Path}, "KN-012")
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/pod_container_apparmor.rego b/plugins/go/veinmind-iac/rules/kubernetes/pod_container_apparmor.rego
@@ -3,9 +3,9 @@ package brightMirror.kubernetes
 import data.common
 
 risks[res] {
-	inner:= input.spec.containers[i]
+	inner:= containers[i]
 	key := sprintf("%s/%s", ["container.apparmor.security.beta.kubernetes.io", inner.name])
-    annotations:=input.metadata.annotations
+    annotations:=input[_].metadata.annotations
     annotations[key]!="runtime/default"
-    res := common.result({"original": annotations[key],"Path": input.Path}, "KN-003")
+    res := common.result({"original": annotations[key],"Path": input[_].Path}, "KN-003")
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/pod_container_elevate.rego b/plugins/go/veinmind-iac/rules/kubernetes/pod_container_elevate.rego
@@ -3,9 +3,6 @@ package brightMirror.kubernetes
 import data.common
 
 risks[res] {
-   containers := input.spec.containers
-   securityContexts := containers[_].securityContext
-   allowPrivilegeEscalations := securityContexts.allowPrivilegeEscalations
-   allowPrivilegeEscalations == true
-   res := common.result({"original": "UnSafeSettings:set allowPrivilegeEscalation=true", "Path": input.Path}, "KN-002")
+   allowPrivilegeEscalations[_] == true
+   res := common.result({"original": "UnSafeSettings:set allowPrivilegeEscalation=true", "Path": input[_].Path}, "KN-002")
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/pod_container_image_latest.rego b/plugins/go/veinmind-iac/rules/kubernetes/pod_container_image_latest.rego
@@ -3,14 +3,14 @@ package brightMirror.kubernetes
 import data.common
 
 risks[res] {
-	image := input.spec.containers[_].image
+	image := containers[_].image
 	contains(image, "latest")
-    res := common.result({"original":input.spec.containers[_].image, "Path": input.Path}, "KN-001")
+    res := common.result({"original":containers[_].image, "Path": input[_].Path}, "KN-001")
 }
 
 risks[res] {
-    image := input.spec.containers[_].image
+    image := containers[_].image
     not contains(image, ":")
     not equal(image, "scratch")
-    res := common.result({"original":input.spec.containers[_].image, "Path": input.Path}, "KN-001")
+    res := common.result({"original":containers[_].image, "Path": input[_].Path}, "KN-001")
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/pod_container_mount_dockersock.rego b/plugins/go/veinmind-iac/rules/kubernetes/pod_container_mount_dockersock.rego
@@ -5,12 +5,12 @@ import future.keywords.if
 import future.keywords.in
 
 risks[res]{
-    inner := input.spec.volumes[i].hostPath
+    inner := volumes[_].hostPath
     some val in inner
     contains(val,"docker.sock")
-    Name:=input.spec.volumes[i].name
+    Name:=volumes[_].name
     Names:=[Name]
     Hints:=["UnSafeVolumeName"]
     Combine:=array.concat(Hints,Names)
-    res := common.result({"original":concat(":",Combine), "Path": input.Path}, "KN-016")
+    res := common.result({"original":concat(":",Combine), "Path": input[_].Path}, "KN-016")
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/pod_container_mount_lxcfs.rego b/plugins/go/veinmind-iac/rules/kubernetes/pod_container_mount_lxcfs.rego
@@ -5,12 +5,12 @@ import future.keywords.if
 import future.keywords.in
 
 risks[res]{
-    inner := input.spec.volumes[i].hostPath
+    inner := volumes[_].hostPath
     some val in inner
     contains(val,"lxcfs")
-    Name:=input.spec.volumes[i].name
+    Name:=volumes[_].name
     Names:=[Name]
     Hints:=["UnSafeVolumeName"]
     Combine:=array.concat(Hints,Names)
-    res := common.result({"original":concat(":",Combine), "Path": input.Path}, "KN-017")
+    res := common.result({"original":concat(":",Combine), "Path": input[_].Path}, "KN-017")
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/pod_container_mount_proc.rego b/plugins/go/veinmind-iac/rules/kubernetes/pod_container_mount_proc.rego
@@ -6,12 +6,12 @@ import future.keywords.in
 
 
 risks[res]{
-        inner := input.spec.volumes[i].hostPath
+        inner := volumes[_].hostPath
         some val in inner
-        contains(val,"/proc")
-        Name:=input.spec.volumes[i].name
+            contains(val,"/proc")
+        Name:=volumes[_].name
         Names:=[Name]
         Hints:=["UnSafeVolumeName"]
         Combine:=array.concat(Hints,Names)
-        res := common.result({"original":concat(":",Combine), "Path": input.Path}, "KN-019")
+        res := common.result({"original":concat(":",Combine), "Path": input[_].Path}, "KN-019")
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/pod_container_mount_root.rego b/plugins/go/veinmind-iac/rules/kubernetes/pod_container_mount_root.rego
@@ -6,12 +6,12 @@ import future.keywords.in
 
 
 risks[res]{
-        inner := input.spec.volumes[i].hostPath
+        inner := volumes[_].hostPath
         some val in inner
         val=="/"
-        Name:=input.spec.volumes[i].name
+        Name:= volumes[_].name
         Names:=[Name]
         Hints:=["UnSafeVolumeName"]
         Combine:=array.concat(Hints,Names)
-        res := common.result({"original":concat(":",Combine), "Path": input.Path}, "KN-018")
+        res := common.result({"original":concat(":",Combine), "Path": input[_].Path}, "KN-018")
 }
diff --git a/plugins/go/veinmind-iac/rules/kubernetes/pod_container_privileged.rego b/plugins/go/veinmind-iac/rules/kubernetes/pod_container_privileged.rego
@@ -7,10 +7,10 @@ import future.keywords.contains
 import future.keywords.if
 
 risks[res]{
-    input.spec.containers[i].securityContext.privileged==true
-        d := input.spec.containers[i].name
+    securityContexts[_].privileged==true
+        d := containers[i].name
         a=["UnsafeContainers"]
         b=[d]
         c:=array.concat(a,b)
-        res := common.result({"original":concat(":",c), "Path": input.Path}, "KN-011")
+        res := common.result({"original":concat(":",c), "Path": input[_].Path}, "KN-011")
 }