feat: add argo-workflows checks
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
AnaisUrlichs authored and simar7 committed Mar 7, 2024
1 parent bfef710 commit de4e25b
Showing 2 changed files with 50 additions and 0 deletions.
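--- a/checks/argo/not_default_service.rego
+++ b/checks/argo/not_default_service.rego
@@ -0,0 +1,24 @@
+# METADATA
+# title: "default ServiceAccount not allowed"
+# description: "Ensure Workflow pods are not using the default serviceAccountName"
+# scope: package
+# custom:
+# id:
+# avd_id:
+# severity: HIGH
+# provider: Kubernetes
+# short_code: default-serviceaccount-not-allowed
+# recommended_action: "Default ServiceAccount not allowed"
+package builtin.argowf
+
+deny[msg] {
+input.kind == "Workflow"
+not input.spec.serviceAccountName
+msg := "Ensure Workflow pods are not using the default ServiceAccount"
+}
+
+deny[msg] {
+input.kind == "Workflow"
+input.spec.serviceAccountName == "default"
+msg := "Ensure Workflow pods are not using the default ServiceAccount"
+}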
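Review bot: The `# id:` and `# avd_id:` metadata keys in this new file are left empty, and the package is declared as `builtin.argowf` while the sibling check added in the same commit (`workflow_pods_non_root.rego`) uses `custom.argowf.ID002`, so the two checks cannot be identified or selected consistently. Fill in the identifiers the project allocates (constructed example: `# id: ID001` and `# avd_id: AVD-ARGOWF-0001`) and align the package naming between the two files. The two `deny` rules differ only in their condition and emit the same message; they collapse into one rule with `object.get(input.spec, "serviceAccountName", "default") == "default"`. Argo templates can also carry their own `serviceAccountName` (`spec.templates[_].serviceAccountName`), which this check does not inspect; if that is deliberate, a comment such as `# Only the workflow-level serviceAccountName is checked; template-level overrides are out of scope.` would make the coverage explicit.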
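--- a/checks/argo/workflow_pods_non_root.rego
+++ b/checks/argo/workflow_pods_non_root.rego
@@ -0,0 +1,26 @@
+# METADATA
+# title: "ensure workflow pods are running as non root"
+# description: "Ensure Workflow pods are running as non root"
+# scope: package
+# related_resources:
+# - https://argo-workflows.readthedocs.io/en/latest/workflow-pod-security-context/
+# custom:
+# id: ID002
+# avd_id: AVD-ARGOWF-0002
+# severity: HIGH
+# provider: Kubernetes
+# short_code: non-root-argowf
+# recommended_action: "Ensure pods are running as non root"
+package custom.argowf.ID002
+
+deny[msg] {
+input.kind == "Workflow"
+not input.spec.securityContext.runAsNonRoot
+msg = "Workflow should not run as root and securityContext.runAsNonRoot for the workflow should be set to true."
+}
+
+deny[msg] {
+input.kind == "Workflow"
+input.spec.securityContext.runAsNonRoot != true
+msg = "Workflow should not run as root and securityContext.runAsNonRoot for the workflow should be set to true."
+}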
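Review bot: The second `deny` rule (`input.spec.securityContext.runAsNonRoot != true`) is fully subsumed by the first: `not input.spec.securityContext.runAsNonRoot` already holds when the field is `false` as well as when it is absent, so the second rule never contributes a finding that the first does not and can be dropped. This file assigns `msg` with `=` while the sibling check in the same commit uses `:=`; `msg := "..."` is the conventional form and keeps the two checks consistent. Argo also accepts a per-template `securityContext` (`spec.templates[_].securityContext`) that can override the workflow-level setting, and this rule only looks at `spec.securityContext`; if template-level overrides are intentionally out of scope, a comment such as `# Only the workflow-level securityContext is evaluated; template-level securityContext is not inspected.` above the first rule would document that decision.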
