# Step 1: Evidence Details

|System|Source|Frameworks|
|---|---|---|
|kubernetes|compliancecow|-|

```
Purpose: The purpose of the control "Block Load Balancer Service" is to prevent the creation of services with type "LoadBalancer," thereby restricting external access to services via load balancers. This enhances security and control over network exposure within a Kubernetes cluster.
```
```
RecomendedEvidenceName: K8sBlockLoadBalancer
```

# Step 2: Define the System Specific Data (a.k.a Extended Data Schema)

```
# Sample data

{
  "apiVersion": "v1",
  "kind": "Service",
  "metadata": {
    "annotations": {
      "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Service\",\"metadata\":{\"annotations\":{},\"labels\":{\"app.kubernetes.io/component\":\"applicationset-controller\",\"app.kubernetes.io/name\":\"argocd-applicationset-controller\",\"app.kubernetes.io/part-of\":\"argocd\"},\"name\":\"argocd-applicationset-controller\",\"namespace\":\"argocd\"},\"spec\":{\"ports\":[{\"name\":\"webhook\",\"port\":7000,\"protocol\":\"TCP\",\"targetPort\":\"webhook\"},{\"name\":\"metrics\",\"port\":8080,\"protocol\":\"TCP\",\"targetPort\":\"metrics\"}],\"selector\":{\"app.kubernetes.io/name\":\"argocd-applicationset-controller\"}}}\n"
    },
    "creationTimestamp": "2023-11-22T06:06:21Z",
    "labels": {
      "app.kubernetes.io/component": "applicationset-controller",
      "app.kubernetes.io/name": "argocd-applicationset-controller",
      "app.kubernetes.io/part-of": "argocd"
    },
    "name": "argocd-applicationset-controller",
    "namespace": "argocd",
    "resourceVersion": "176619824",
    "uid": "2606902a-080e-44c3-bb79-5b9ae369d6a3"
  },
  "spec": {
    "clusterIP": "10.2.0.210",
    "clusterIPs": [
      "10.2.0.210"
    ],
    "internalTrafficPolicy": "Cluster",
    "ipFamilies": [
      "IPv4"
    ],
    "ipFamilyPolicy": "SingleStack",
    "ports": [
      {
        "name": "webhook",
        "port": 7000,
        "protocol": "TCP",
        "targetPort": "webhook"
      },
      {
        "name": "metrics",
        "port": 8080,
        "protocol": "TCP",
        "targetPort": "metrics"
      }
    ],
    "selector": {
      "app.kubernetes.io/name": "argocd-applicationset-controller"
    },
    "sessionAffinity": "None",
    "type": "ClusterIP"
  },
  "status": {
    "loadBalancer": {}
  }
}
```

# Step 3: Define the Standard Schema
  


```
{
    # Meta
    "System": "kubernetes",
    "Source": "compliancecow",

    # Resource info
    "ResourceID": "Service/argocd-applicationset-controller",
    "ResourceName": "argocd-applicationset-controller",
    "ResourceType": "Service",
    "ResourceTags": "",

    # Data
    "Namespace": "argocd",
    "ClusterType": "Private cluster",
    "ClusterName": "cr-dev-eks-cr-4",
    "RuleName": "k8sblockloadbalancer",

    # Compliance details
    "ValidationStatusCode": "LB_BLK",
    "ValidationStatusNotes": "LoadBalancer Service blocked",
    "ComplianceStatus": "COMPLIANT",
    "ComplianceStatusReason": "Blocking LoadBalancer services enhances security.",
    "RemediationNotes": "",
    "EvaluatedTime": "2024-07-25T15:10:03.807883717Z",

    # User editable data
    "PrNumber": "",
    "PrStatus": "",
    "CommitID": "",
    "TicketCreatedDate": "",
    "TicketClosedDate": "",
    "UserAction": "",

    # Action editable data
    "ActionStatus": "",
    "ActionResponseURL": ""
}
```

# Step 3.a: Sample Data

|System|Source|ResourceID|ResourceName|ResourceType|ResourceTags|Namespace|ClusterType|ClusterName|RuleName|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|RemediationNotes|EvaluatedTime|PrNumber|PrStatus|CommitID|TicketCreatedDate|TicketClosedDate|ActionStatus|ActionResponseURL|
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|kubernetes|compliancecow|Service/argocd-applicationset-controller|argocd-applicationset-controller|Service||argocd|Private cluster|cr-dev-eks-cr-4|k8sblockloadbalancer|LB_BLK|LoadBalancer Service blocked|COMPLIANT|Blocking LoadBalancer services enhances security.||2024-07-25T15:10:03.807883717Z||||||||

# Step 4: Describe the Compliance Taxonomy


|ComplianceStatus|ComplianceStatusReason|ValidationStatusCode|ValidationStatusNotes|
|---|---|---|---|
|COMPLIANT|Blocking LoadBalancer services enhances security.|LB_BLK|LoadBalancer Service blocked|
|NON_COMPLIANT|This record is non-compliant because LoadBalancer services are not blocked, which may weaken security.|LB_N_BLK|LoadBalancer Service not blocked|

# Step 5: Calculation for Compliance Percentage and Status


```
# Calculation of Compliance Percentage
CompliancePCT = (100 - (Count of 'NON_COMPLIANT' records * 100) / Total records)

# Compliance Status
# COMPLIANT      - 100%
# NON_COMPLIANT  - 0% <= status < 100%
# NOT_DETERMINED - If no records are found in the account
```
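
As an added example (not ComplianceCow's own code), the sketch below applies the Step 4 taxonomy and the Step 5 formula to Service manifests shaped like the Step 2 sample. It assumes a record is non-compliant when `spec.type` is `LoadBalancer`; the function names and the `demo-public-web` Service are constructed for illustration.

```python
from datetime import datetime, timezone

# Taxonomy rows from Step 4, keyed by ComplianceStatus.
TAXONOMY = {
    "COMPLIANT": ("LB_BLK", "LoadBalancer Service blocked",
                  "Blocking LoadBalancer services enhances security."),
    "NON_COMPLIANT": ("LB_N_BLK", "LoadBalancer Service not blocked",
                      "This record is non-compliant because LoadBalancer services "
                      "are not blocked, which may weaken security."),
}

def evaluate_service(svc, cluster_name, cluster_type):
    """Map one Service manifest (Step 2 shape) to the evaluated fields of a Step 3 record."""
    meta = svc["metadata"]
    # Assumption: type "LoadBalancer" means non-compliant; an omitted type is ClusterIP.
    is_lb = svc.get("spec", {}).get("type", "ClusterIP") == "LoadBalancer"
    status = "NON_COMPLIANT" if is_lb else "COMPLIANT"
    code, notes, reason = TAXONOMY[status]
    return {
        "System": "kubernetes", "Source": "compliancecow",
        "ResourceID": f"{svc['kind']}/{meta['name']}",
        "ResourceName": meta["name"], "ResourceType": svc["kind"],
        "Namespace": meta.get("namespace", "default"),
        "ClusterType": cluster_type, "ClusterName": cluster_name,
        "RuleName": "k8sblockloadbalancer",
        "ValidationStatusCode": code, "ValidationStatusNotes": notes,
        "ComplianceStatus": status, "ComplianceStatusReason": reason,
        "EvaluatedTime": datetime.now(timezone.utc).isoformat(),
    }

def summarize(records):
    """Step 5: percentage and overall status; no records means NOT_DETERMINED."""
    if not records:
        return None, "NOT_DETERMINED"
    bad = sum(r["ComplianceStatus"] == "NON_COMPLIANT" for r in records)
    pct = 100 - (bad * 100) / len(records)
    return pct, "COMPLIANT" if pct == 100 else "NON_COMPLIANT"

# Constructed sample input: the ClusterIP Service from Step 2 plus a made-up LoadBalancer Service.
SAMPLE = [
    {"kind": "Service", "metadata": {"name": "argocd-applicationset-controller", "namespace": "argocd"},
     "spec": {"type": "ClusterIP"}},
    {"kind": "Service", "metadata": {"name": "demo-public-web", "namespace": "demo"},
     "spec": {"type": "LoadBalancer"}},
]

if __name__ == "__main__":
    recs = [evaluate_service(s, "cr-dev-eks-cr-4", "Private cluster") for s in SAMPLE]
    print(summarize(recs))
```

The empty-input branch matters in practice: a cluster that returns no Service records is reported as `NOT_DETERMINED` rather than as 100% compliant.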

# Step 6: Describe (in words) the Remediation Steps for Non-Compliance

1. NotifyBySlackChannel
2. OpaGitHubRemediation

# Step 7: Control Setup Details

| Control Details            |                               |
|----------------------------|-------------------------------|
| **RuleName**               | EvaluateTypeOpaRule    |
| **PreRequisiteRuleNames**  |           |
| **ExtendedSchemaRuleNames**|            |
| **ApplicationClassName**   | kubernetes               |