# Tag set shared by every control in this file.
# Starts from the mod-wide local.kubernetes_compliance_common_tags (defined
# elsewhere in the mod, not in this file) and adds a service tag naming the
# Kubernetes resource type these controls cover. Because merge() lets the
# second map win, a "service" key in the common tags would be overridden here.
locals {
ingress_common_tags = merge(local.kubernetes_compliance_common_tags, {
service = "Kubernetes/Ingress"
})
}
# Flags Ingress objects living in the "default" namespace.
# Namespaces are the boundary that RBAC roles, network policies and resource
# quotas attach to; objects dumped in "default" are easy to leave outside those
# controls. The query referenced below is defined elsewhere in the mod.
control "ingress_default_namespace_used" {
title = "Ingress definition should not use default namespace"
description = "Default namespace should not be used by Ingress definition. Placing objects in this namespace makes application of RBAC and other controls more difficult."
query = query.ingress_default_namespace_used
# NOTE(review): the extra cis tag presumably marks this control as mapped to a
# CIS Kubernetes Benchmark recommendation, which the other controls in this
# file are not — confirm against the benchmark definition in the mod.
tags = merge(local.ingress_common_tags, {
cis = "true"
})
}
# Flags NGINX ingress snippet annotations that contain an "alias" directive.
# Snippet annotations let whoever can create an Ingress inject raw NGINX
# configuration into the controller; an alias directive in that context can
# map a request path onto an arbitrary filesystem path of the controller pod,
# which is why this directive is singled out. Narrower than the
# all-snippets control below — useful where snippets are permitted but
# restricted. The query is defined elsewhere in the mod.
control "ingress_nginx_annotations_snippets_alias_not_used" {
title = "Ingress definition should not have NGINX ingress annotation snippets containing alias statements"
description = "This check ensures that the NGINX ingress annotation snippets in the Ingress do not contain alias statements."
query = query.ingress_nginx_annotations_snippets_alias_not_used
tags = local.ingress_common_tags
}
# Flags any use of NGINX ingress snippet annotations at all.
# This is the strict setting: by its title it subsumes the alias- and
# lua-specific controls in this file, so a cluster that passes this control
# passes those too. Keeping the narrower controls alongside it lets a
# benchmark choose between "no snippets" and "snippets without the riskiest
# directives". Whether the controller itself also has snippet annotations
# disabled is a controller-configuration question this control does not
# observe — the query (defined elsewhere in the mod) only inspects Ingress
# objects.
control "ingress_nginx_annotations_all_snippets_not_used" {
title = "Ingress definition should not allow any usage of NGINX ingress annotation snippets"
description = "This check ensures that the NGINX ingress annotation snippets usage is not allowed in the Ingress."
query = query.ingress_nginx_annotations_all_snippets_not_used
tags = local.ingress_common_tags
}
# Flags NGINX ingress snippet annotations that embed Lua code.
# Lua blocks run inside the controller process, so a snippet carrying Lua is
# effectively arbitrary code execution in the ingress controller's context;
# like the alias control above, this is a targeted check for clusters that
# allow snippets but want the most dangerous content excluded. The query is
# defined elsewhere in the mod.
control "ingress_nginx_annotations_snippets_lua_code_not_used" {
title = "Ingress definition should not have NGINX ingress annotation snippets containing lua code snippets"
description = "This check ensures that the NGINX ingress annotation snippets in the Ingress do not contain lua code snippets."
query = query.ingress_nginx_annotations_snippets_lua_code_not_used
tags = local.ingress_common_tags
}