Skip to content

Commit

Permalink
Add ID Field for K8s Policies' Metadata (#826)
Browse files Browse the repository at this point in the history 
* updating k8s referenceid

* fixing indentition issue

Co-authored-by: Avanti Vyas <avanti@accurics.com>
  • Loading branch information
@Avanti19
Avanti19 and Avanti Vyas committed Jun 1, 2021
1 parent 0d8bc97 commit 48f92ef
Show file tree
Hide file tree
Showing 37 changed files with 78 additions and 41 deletions.
5 changes: 3 additions & 2 deletions pkg/policies/opa/rego/k8s/kubernetes_ingress/AC-K8-NS-IN-H-0020.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,10 @@
"prefix": "",
"suffix": ""
},
"severity": "HIGH",
"severity": "MEDIUM",
"description": "TLS disabled can affect the confidentiality of the data in transit",
"reference_id": "AC-K8-NS-IN-H-0020",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_K8S_0002"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_namespace/AC-K8-OE-NS-L-0128.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "No owner for namespace affects the operations",
"reference_id": "AC-K8-OE-NS-L-0128",
"category": "Security Best Practices",
"version": 1
"version": 1,
"id": "AC_K8S_0013"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-CA-PO-H-0165.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,5 +19,6 @@
"description": "Containers Should Not Run with AllowPrivilegeEscalation",
"reference_id": "AC-K8-CA-PO-H-0165",
"category": "Compliance Validation",
"version": 1
"version": 1,
"id": "AC_K8S_0085"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0176.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Ensure Kubernetes Dashboard Is Not Deployed",
"reference_id": "AC-K8-DS-PO-M-0176",
"category": "Data Protection",
"version": 1
"version": 1,
"id": "AC_K8S_0067"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0177.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Ensure That Tiller (Helm V2) Is Not Deployed",
"reference_id": "AC-K8-DS-PO-M-0177",
"category": "Data Protection",
"version": 1
"version": 1,
"id": "AC_K8S_0071"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0106.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Minimize the admission of privileged containers",
"reference_id": "AC-K8-IA-PO-H-0106",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_K8S_0046"
}
5 changes: 3 additions & 2 deletions pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0137.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,10 @@
"prefix": "",
"suffix": ""
},
"severity": "HIGH",
"severity": "MEDIUM",
"description": "Allowing the pod to make system level calls provide access to host/node sensitive information",
"reference_id": "AC-K8-IA-PO-H-0137",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_K8S_0074"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0138.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Allowing hostPaths to mount to Pod arise the probability of getting access to the node's filesystem",
"reference_id": "AC-K8-IA-PO-H-0138",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_K8S_0076"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0168.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,5 +19,6 @@
"description": "Minimize Admission of Root Containers",
"reference_id": "AC-K8-IA-PO-H-0168",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_K8S_0087"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0105.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Ensure that Service Account Tokens are only mounted where necessary",
"reference_id": "AC-K8-IA-PO-M-0105",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_K8S_0045"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0135.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "AppArmor profile not set to default or custom profile will make the container vulnerable to kernel level threats",
"reference_id": "AC-K8-IA-PO-M-0135",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_K8S_0073"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0139.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Unmasking the procMount will allow more information than is necessary to the program running in the containers spawned by k8s",
"reference_id": "AC-K8-IA-PO-M-0139",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_K8S_0077"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0140.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,5 +19,6 @@
"description": "Container images with readOnlyRootFileSystem set as false mounts the container root file system with write permissions",
"reference_id": "AC-K8-IA-PO-M-0140",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_K8S_0078"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0141.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Default seccomp profile not enabled will make the container to make non-essential system calls",
"reference_id": "AC-K8-IA-PO-M-0141",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_K8S_0080"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0143.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,5 +20,6 @@
"description": "Some volume types mount the host file system paths to the pod or container, thus increasing the chance of escaping the container to access the host",
"reference_id": "AC-K8-IA-PO-M-0143",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_K8S_0081"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0162.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,5 +14,6 @@
"description": "Containers Should Not Share Host Process ID Namespace",
"reference_id": "AC-K8-IA-PO-M-0162",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_K8S_0082"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PS-M-0112.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,5 +13,6 @@
"description": "Minimize the admission of containers with the NET_RAW capability",
"reference_id": "AC-K8-IA-PS-M-0112",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_K8S_0048"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0117.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Prefer using secrets as files over secrets as environment variables",
"reference_id": "AC-K8-NS-PO-H-0117",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_K8S_0051"
}
5 changes: 3 additions & 2 deletions pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0170.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,10 @@
"prefix": "",
"suffix": ""
},
"severity": "HIGH",
"severity": "MEDIUM",
"description": "Do Not Use CAP_SYS_ADMIN Linux Capability",
"reference_id": "AC-K8-NS-PO-H-0170",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_K8S_0075"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0122.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Apply Security Context to Your Pods and Containers",
"reference_id": "AC-K8-NS-PO-M-0122",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_K8S_0064"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0133.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Image without digest affects the integrity principle of image security",
"reference_id": "AC-K8-NS-PO-M-0133",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_K8S_0069"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0163.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,5 +14,6 @@
"description": "Containers Should Not Share Host IPC Namespace",
"reference_id": "AC-K8-NS-PO-M-0163",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_K8S_0083"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0164.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,5 +14,6 @@
"description": "Containers Should Not Share the Host Network Namespace",
"reference_id": "AC-K8-NS-PO-M-0164",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_K8S_0084"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0171.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,5 +15,6 @@
"description": "Restrict Mounting Docker Socket in a Container",
"reference_id": "AC-K8-NS-PO-M-0171",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_K8S_0088"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0182.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Containers Should Run as a High UID to Avoid Host Conflict",
"reference_id": "AC-K8-NS-PO-M-0182",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_K8S_0079"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0034.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,5 +17,6 @@
"description": "AlwaysPullImages plugin is not set",
"reference_id": "AC-K8-OE-PK-M-0034",
"category": "Compliance Validation",
"version": 1
"version": 1,
"id": "AC_K8S_0021"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0155.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,5 +19,6 @@
"description": "CPU Request Not Set in config file.",
"reference_id": "AC-K8-OE-PK-M-0155",
"category": "Security Best Practices",
"version": 1
"version": 1,
"id": "AC_K8S_0097"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0156.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,5 +19,6 @@
"description": "CPU Limits Not Set in config file.",
"reference_id": "AC-K8-OE-PK-M-0156",
"category": "Security Best Practices",
"version": 1
"version": 1,
"id": "AC_K8S_0098"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0157.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,5 +19,6 @@
"description": "Memory Request Not Set in config file.",
"reference_id": "AC-K8-OE-PK-M-0157",
"category": "Security Best Practices",
"version": 1
"version": 1,
"id": "AC_K8S_0099"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0158.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,5 +19,6 @@
"description": "Memory Limits Not Set in config file.",
"reference_id": "AC-K8-OE-PK-M-0158",
"category": "Security Best Practices",
"version": 1
"version": 1,
"id": "AC_K8S_0100"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0129.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,5 +14,6 @@
"description": "No liveness probe will ensure there is no recovery in case of unexpected errors",
"reference_id": "AC-K8-OE-PO-L-0129",
"category": "Security Best Practices",
"version": 1
"version": 1,
"id": "AC_K8S_0070"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0130.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,5 +14,6 @@
"description": "No readiness probe will affect automatic recovery in case of unexpected errors",
"reference_id": "AC-K8-OE-PO-L-0130",
"category": "Security Best Practices",
"version": 1
"version": 1,
"id": "AC_K8S_0072"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0134.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "No tag or container image with :Latest tag makes difficult to rollback and track",
"reference_id": "AC-K8-OE-PO-L-0134",
"category": "Security Best Practices",
"version": 1
"version": 1,
"id": "AC_K8S_0068"
}
5 changes: 3 additions & 2 deletions pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-M-0166.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,10 @@
"prefix": "",
"suffix": ""
},
"severity": "MEDIUM",
"severity": "HIGH",
"description": "Default Namespace Should Not be Used",
"reference_id": "AC-K8-OE-PO-M-0166",
"category": "Security Best Practices",
"version": 1
"version": 1,
"id": "AC_K8S_0086"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SE-M-0185.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Ensure that the Tiller Service (Helm v2) is deleted",
"reference_id": "AC-K8-NS-SE-M-0185",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_K8S_0110"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SE-M-0188.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Restrict the use of externalIPs",
"reference_id": "AC-K8-NS-SE-M-0188",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_K8S_0112"
}
3 changes: 2 additions & 1 deletion pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SV-L-0132.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Nodeport service can expose the worker nodes as they have public interface",
"reference_id": "AC-K8-NS-SV-L-0132",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_K8S_0111"
}

0 comments on commit 48f92ef

Please sign in to comment.