Merge pull request #480 from williepaul/policy-update-2021-01-14

Policy update 2021 01 14

pkg/policies/opa/rego/k8s/kubernetes_ingress/AC-K8-NS-IN-H-0020.json

@@ -0,0 +1,14 @@
+{
+    "name": "noHttps",
+    "file": "noHttps.rego",
+    "template_args": {
+        "name": "noHttps",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "HIGH",
+    "description": "TLS disabled can affect the confidentiality of the data in transit",
+    "reference_id": "AC-K8-NS-IN-H-0020",
+    "category": "Network Security",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/kubernetes_ingress/noHttps.rego

@@ -0,0 +1,12 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[ingress.id] {
+    ingress = input.kubernetes_ingress[_]
+    re_match("^(extensions|networking.k8s.io)", ingress.config.apiVersion) #can be from two apis "extensions", "networking.k8s.io"
+    not https_complete(ingress.config)
+}
+##two conditions ingress spec should have a tls key map and annotation kubernetes.io/ingress.allow-http = false
+https_complete(arg) = true {
+    object.get(arg.spec, "tls", "undefined") != "undefined"
+    arg.metadata.annotations["kubernetes.io/ingress.allow-http"] == "false"
+}

pkg/policies/opa/rego/k8s/kubernetes_namespace/AC-K8-OE-NS-L-0128.json

@@ -0,0 +1,14 @@
+{
+    "name": "noOwnerLabel",
+    "file": "noOwnerLabel.rego",
+    "template_args": {
+        "name": "noOwnerLabel",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "LOW",
+    "description": "No owner for namespace affects the operations",
+    "reference_id": "AC-K8-OE-NS-L-0128",
+    "category": "Operational Efficiency",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/kubernetes_namespace/noOwnerLabel.rego

@@ -0,0 +1,11 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[namespace.id] {
+    namespace := input.kubernetes_namespace[_]
+    object.get(namespace.config.metadata, "labels", "undefined") == "undefined"
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[namespace.id] {
+    namespace := input.kubernetes_namespace[_]
+    object.get(namespace.config.metadata.labels, "owner", "undefined") == "undefined"
+}

pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-CA-PO-H-0165.json

@@ -0,0 +1,21 @@
+{
+    "name": "privilegeEscalationCheck",
+    "file": "securityContextCheck.rego",
+    "template_args": {
+        "allowed": "false",
+        "arg1": "cpu",
+        "arg2": "limits",
+        "name": "privilegeEscalationCheck",
+        "not_allowed": "true",
+        "param": "allowPrivilegeEscalation",
+        "param1": "securityContext",
+        "prefix": "",
+        "suffix": "",
+        "value": "true"
+    },
+    "severity": "HIGH",
+    "description": "Containers Should Not Run with AllowPrivilegeEscalation",
+    "reference_id": "AC-K8-CA-PO-H-0165",
+    "category": "Cloud Assets Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0176.json

@@ -0,0 +1,14 @@
+{
+    "name": "kubeDashboardEnabled",
+    "file": "kubeDashboardEnabled.rego",
+    "template_args": {
+        "name": "kubeDashboardEnabled",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure Kubernetes Dashboard Is Not Deployed",
+    "reference_id": "AC-K8-DS-PO-M-0176",
+    "category": "Data Security",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0177.json

@@ -0,0 +1,14 @@
+{
+    "name": "tillerDeployed",
+    "file": "tillerDeployed.rego",
+    "template_args": {
+        "name": "tillerDeployed",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure That Tiller (Helm V2) Is Not Deployed",
+    "reference_id": "AC-K8-DS-PO-M-0177",
+    "category": "Data Security",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0106.json

@@ -0,0 +1,14 @@
+{
+    "name": "priviledgedContainersEnabled",
+    "file": "priviledgedContainersEnabled.rego",
+    "template_args": {
+        "name": "priviledgedContainersEnabled",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "HIGH",
+    "description": "Minimize the admission of privileged containers",
+    "reference_id": "AC-K8-IA-PO-H-0106",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0137.json

@@ -0,0 +1,14 @@
+{
+    "name": "disallowedSysCalls",
+    "file": "disallowedSysCalls.rego",
+    "template_args": {
+        "name": "disallowedSysCalls",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "HIGH",
+    "description": "Allowing the pod to make system level calls provide access to host/node sensitive information",
+    "reference_id": "AC-K8-IA-PO-H-0137",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0138.json

@@ -0,0 +1,14 @@
+{
+    "name": "allowedHostPath",
+    "file": "allowedHostPath.rego",
+    "template_args": {
+        "name": "allowedHostPath",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "HIGH",
+    "description": "Allowing hostPaths to mount to Pod arise the probability of getting access to the node's filesystem",
+    "reference_id": "AC-K8-IA-PO-H-0138",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0168.json

@@ -0,0 +1,21 @@
+{
+    "name": "runAsNonRootCheck",
+    "file": "securityContextCheck.rego",
+    "template_args": {
+        "allowed": "false",
+        "arg1": "cpu",
+        "arg2": "limits",
+        "name": "runAsNonRootCheck",
+        "not_allowed": "true",
+        "param": "runAsNonRoot",
+        "param1": "securityContext",
+        "prefix": "",
+        "suffix": "",
+        "value": "false"
+    },
+    "severity": "HIGH",
+    "description": "Minimize Admission of Root Containers",
+    "reference_id": "AC-K8-IA-PO-H-0168",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0105.json

@@ -0,0 +1,14 @@
+{
+    "name": "autoMountTokenEnabled",
+    "file": "autoMountTokenEnabled.rego",
+    "template_args": {
+        "name": "autoMountTokenEnabled",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure that Service Account Tokens are only mounted where necessary",
+    "reference_id": "AC-K8-IA-PO-M-0105",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0135.json

@@ -0,0 +1,14 @@
+{
+    "name": "appArmorProfile",
+    "file": "appArmorProfile.rego",
+    "template_args": {
+        "name": "appArmorProfile",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "AppArmor profile not set to default or custom profile will make the container vulnerable to kernel level threats",
+    "reference_id": "AC-K8-IA-PO-M-0135",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0139.json

@@ -0,0 +1,14 @@
+{
+    "name": "allowedProcMount",
+    "file": "allowedProcMount.rego",
+    "template_args": {
+        "name": "allowedProcMount",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Unmasking the procMount will allow more information than is necessary to the program running in the containers spawned by k8s",
+    "reference_id": "AC-K8-IA-PO-M-0139",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0140.json

@@ -0,0 +1,21 @@
+{
+    "name": "readOnlyFileSystem",
+    "file": "securityContextCheck.rego",
+    "template_args": {
+        "allowed": "false",
+        "arg1": "limits",
+        "arg2": "cpu",
+        "name": "readOnlyFileSystem",
+        "not_allowed": "true",
+        "param": "readOnlyRootFilesystem",
+        "param1": "securityContext",
+        "prefix": "",
+        "suffix": "",
+        "value": "false"
+    },
+    "severity": "MEDIUM",
+    "description": "Container images with readOnlyRootFileSystem set as false mounts the container root file system with write permissions",
+    "reference_id": "AC-K8-IA-PO-M-0140",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0141.json

@@ -0,0 +1,14 @@
+{
+    "name": "secCompProfile",
+    "file": "secCompProfile.rego",
+    "template_args": {
+        "name": "secCompProfile",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Default seccomp profile not enabled will make the container to make non-essential system calls",
+    "reference_id": "AC-K8-IA-PO-M-0141",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0143.json

@@ -0,0 +1,22 @@
+{
+    "name": "allowedVolumes",
+    "file": "allowedVolumes.rego",
+    "template_args": {
+        "name": "allowedVolumes",
+        "prefix": "",
+        "secure_volumes": [
+            "configMap",
+            "emptyDir",
+            "projected",
+            "secret",
+            "downwardAPI",
+            "persistentVolumeClaim"
+        ],
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Some volume types mount the host file system paths to the pod or container, thus increasing the chance of escaping the container to access the host",
+    "reference_id": "AC-K8-IA-PO-M-0143",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0162.json

@@ -0,0 +1,16 @@
+{
+    "name": "falseHostPID",
+    "file": "specBoolCheck.rego",
+    "template_args": {
+        "name": "falseHostPID",
+        "param": "hostPID",
+        "prefix": "",
+        "suffix": "",
+        "value": "true"
+    },
+    "severity": "MEDIUM",
+    "description": "Containers Should Not Share Host Process ID Namespace",
+    "reference_id": "AC-K8-IA-PO-M-0162",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PS-M-0112.json

@@ -0,0 +1,15 @@
+{
+    "name": "netRawCapabilityUsed",
+    "file": "capabilityUsed.rego",
+    "template_args": {
+        "attribute": "requiredDropCapabilities",
+        "name": "netRawCapabilityUsed",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Minimize the admission of containers with the NET_RAW capability",
+    "reference_id": "AC-K8-IA-PS-M-0112",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0117.json

@@ -0,0 +1,14 @@
+{
+    "name": "secretsAsEnvVariables",
+    "file": "secretsAsEnvVariables.rego",
+    "template_args": {
+        "name": "secretsAsEnvVariables",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "HIGH",
+    "description": "Prefer using secrets as files over secrets as environment variables",
+    "reference_id": "AC-K8-NS-PO-H-0117",
+    "category": "Network Security",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0170.json

@@ -0,0 +1,14 @@
+{
+    "name": "capSysAdminUsed",
+    "file": "capSysAdminUsed.rego",
+    "template_args": {
+        "name": "capSysAdminUsed",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "HIGH",
+    "description": "Do Not Use CAP_SYS_ADMIN Linux Capability",
+    "reference_id": "AC-K8-NS-PO-H-0170",
+    "category": "Network Security",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0122.json

@@ -0,0 +1,14 @@
+{
+    "name": "securityContextUsed",
+    "file": "securityContextUsed.rego",
+    "template_args": {
+        "name": "securityContextUsed",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Apply Security Context to Your Pods and Containers",
+    "reference_id": "AC-K8-NS-PO-M-0122",
+    "category": "Network Security",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0133.json

@@ -0,0 +1,14 @@
+{
+    "name": "imageWithoutDigest",
+    "file": "imageWithoutDigest.rego",
+    "template_args": {
+        "name": "imageWithoutDigest",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Image without digest affects the integrity principle of image security",
+    "reference_id": "AC-K8-NS-PO-M-0133",
+    "category": "Network Security",
+    "version": 1
+}