Add to nested resources on k8s graph inherit namespace
talazuri committed Dec 18, 2024
1 parent c20a031 commit ec870e7
Showing 7 changed files with 156 additions and 2 deletions.
61 changes: 61 additions & 0 deletions checkov/kubernetes/checks/graph_checks/NoDefaultNamespace.yaml
@@ -0,0 +1,61 @@
metadata:
id: "CKV_K8S_160"
name: "ensure_resources_in_dedicated_namespaces"
category: "KUBERNETES"
definition:
and:
- cond_type: "attribute"
resource_types:
- "Deployment"
- "StatefulSet"
- "DaemonSet"
- "Job"
- "CronJob"
- "Pod"
- "Service"
- "ConfigMap"
- "Secret"
attribute: "metadata.namespace"
operator: "exists"
- cond_type: "attribute"
resource_types:
- "Deployment"
- "StatefulSet"
- "DaemonSet"
- "Job"
- "CronJob"
- "Pod"
- "Service"
- "ConfigMap"
- "Secret"
attribute: "metadata.namespace"
operator: "not_equals"
value: "default"
- cond_type: "attribute"
resource_types:
- "Deployment"
- "StatefulSet"
- "DaemonSet"
- "Job"
- "CronJob"
- "Pod"
- "Service"
- "ConfigMap"
- "Secret"
attribute: "metadata.namespace"
operator: "not_equals"
value: "kube-system"
- cond_type: "attribute"
resource_types:
- "Deployment"
- "StatefulSet"
- "DaemonSet"
- "Job"
- "CronJob"
- "Pod"
- "Service"
- "ConfigMap"
- "Secret"
attribute: "metadata.namespace"
operator: "not_regex_match"
value: "^kube-.*"
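Review bot: The `not_equals: "kube-system"` clause is already subsumed by the `not_regex_match: "^kube-.*"` clause that follows it, so it can be dropped, and the same nine-entry `resource_types` list is copied into all four clauses, which invites drift when a kind is added to one clause and not the others. A namespace set to the empty string (`namespace: ""`) is scheduled into `default` at apply time but would satisfy `exists` and both `not_equals` clauses if the `exists` operator treats an empty value as present; if the operator set offers it, add a clause with `operator: "is_not_empty"` on `metadata.namespace`, otherwise fold the empty case into the regex. The `^kube-.*` pattern also rejects user namespaces that merely share the prefix, such as `kube-monitoring`; if that is intended, a comment like `# any kube-* namespace is treated as system-reserved` above the clause records it. The kind list could reasonably grow to other namespaced kinds that carry identity or policy (ServiceAccount, Role, RoleBinding, NetworkPolicy, Ingress), which are at least as sensitive as ConfigMap.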
6 changes: 6 additions & 0 deletions checkov/kubernetes/graph_builder/local_graph.py
Expand Up @@ -171,6 +171,12 @@ def _extract_nested_resources_recursive(conf: Dict[str, Any], all_resources: Lis
template['apiVersion'] = conf.get('apiVersion')

template_metadata = template.get('metadata')

template_namespace = template_metadata.get('namespace')
metadata_namespace = metadata.get('namespace')
if template_namespace is None and metadata_namespace is not None:
template_metadata['namespace'] = metadata.get('namespace')

annotations = metadata.get('annotations')
if annotations is not None and template_metadata is not None and 'annotations' not in template_metadata:
# Updates annotations to template as well to handle metadata added to the parent resource
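Review bot: The new `template_metadata.get('namespace')` on the first added line dereferences `template_metadata` before the `template_metadata is not None` guard that the existing annotations branch just below still applies, so a template whose `metadata` key is absent (a Job or CronJob pod template carrying only `spec`, for instance) now raises `AttributeError` inside the graph builder instead of being skipped, and unless a caller catches it that turns a scan of such a manifest into a crash rather than a finding. Guard it the same way and reuse the looked-up value rather than calling `metadata.get('namespace')` twice: `parent_namespace = metadata.get('namespace')` / `if template_metadata is not None and parent_namespace is not None and template_metadata.get('namespace') is None:` / `template_metadata['namespace'] = parent_namespace`. Whether a template with no `metadata` at all should have one created so the nested Pod still inherits the namespace is a design call worth a one-line comment either way, since a pod template is always scheduled into its parent's namespace. `_extract_nested_resources_recursive` starts and ends outside this hunk, so how `metadata` and `template` are bound is not visible here.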
40 changes: 40 additions & 0 deletions tests/kubernetes/checks/example_NoDefaultNamespace/Dev-PASSED.yaml
@@ -0,0 +1,40 @@
apiVersion: v1
kind: Namespace
metadata:
name: dev

---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
namespace: dev
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:latest
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: nginx-service
namespace: dev
spec:
selector:
app: nginx
ports:
- protocol: TCP
port: 80
targetPort: 80
type: LoadBalancer
@@ -1,4 +1,4 @@
pass:
- 'Pod.default.nginx-ingress-controller-2.app.kubernetes.io/name-ingress-nginx.app.kubernetes.io/part-of-ingress-nginx'
- 'Pod.example-ns.nginx-ingress-controller-2.app.kubernetes.io/name-ingress-nginx.app.kubernetes.io/part-of-ingress-nginx'
fail:
- 'Pod.default.nginx-ingress-controller.app.kubernetes.io/name-ingress-nginx.app.kubernetes.io/part-of-ingress-nginx'
- 'Pod.example-ns.nginx-ingress-controller.app.kubernetes.io/name-ingress-nginx.app.kubernetes.io/part-of-ingress-nginx'
@@ -0,0 +1,4 @@
pass:
- 'Pod.dev.nginx-deployment.app-nginx'
- 'Deployment.dev.nginx-deployment'
- 'Service.dev.nginx-service'
@@ -0,0 +1,40 @@
apiVersion: v1
kind: Namespace
metadata:
name: dev

---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
namespace: dev
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:latest
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: nginx-service
namespace: dev
spec:
selector:
app: nginx
ports:
- protocol: TCP
port: 80
targetPort: 80
type: LoadBalancer
3 changes: 3 additions & 0 deletions tests/kubernetes/graph/checks/test_yaml_policies.py
Expand Up @@ -54,6 +54,9 @@ def test_PodIsPubliclyAccessibleExample(self) -> None:
def test_RequireAllPodsToHaveNetworkPolicy(self) -> None:
self.go('RequireAllPodsToHaveNetworkPolicy')

def test_NoDefaultNamespace(self):
self.go('NoDefaultNamespace')

def create_report_from_graph_checks_results(self, checks_results, check):
report = Report("kubernetes")
first_results_key = list(checks_results.keys())[0]
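Review bot: `test_NoDefaultNamespace` at the added lines only exercises passing resources: the companion expected file in this commit lists `pass` entries and no `fail` entries, so nothing verifies that a resource with no `metadata.namespace`, one in `default`, or one in a `kube-*` namespace actually fails CKV_K8S_160, nor that a nested Pod fails when its parent Deployment has no namespace. Add a fixture with those cases and a `fail:` list naming them (e.g. `- 'Deployment.default.nginx-deployment'`, matching the id format the other expected file uses) so a regression in either the policy or the namespace inheritance added to `local_graph.py` is caught. The enclosing test class starts and ends outside this hunk.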
