initial policy set for k8s

pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.1.json

@@ -0,0 +1,15 @@
+{
+    "name": "containerAllowPrivilegeEscalationIsTrue",
+    "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+    "template_args": {
+        "is_init": false,
+        "prefix": "",
+        "resource_type": "kubernetes_cron_job",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Minimize the admission of privileged containers",
+    "reference_id": "accurics.kubernetes.IAM.1",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.10.json

@@ -0,0 +1,15 @@
+{
+    "name": "containerAllowPrivilegeEscalationIsTrue",
+    "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+    "template_args": {
+        "is_init": true,
+        "prefix": "",
+        "resource_type": "kubernetes_daemonset",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Minimize the admission of privileged containers",
+    "reference_id": "accurics.kubernetes.IAM.10",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.11.json

@@ -0,0 +1,15 @@
+{
+    "name": "containerAllowPrivilegeEscalationIsTrue",
+    "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+    "template_args": {
+        "is_init": true,
+        "prefix": "",
+        "resource_type": "kubernetes_deployment",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Minimize the admission of privileged containers",
+    "reference_id": "accurics.kubernetes.IAM.11",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.12.json

@@ -0,0 +1,15 @@
+{
+    "name": "containerAllowPrivilegeEscalationIsTrue",
+    "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+    "template_args": {
+        "is_init": true,
+        "prefix": "",
+        "resource_type": "kubernetes_job",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Minimize the admission of privileged containers",
+    "reference_id": "accurics.kubernetes.IAM.12",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.13.json

@@ -0,0 +1,15 @@
+{
+    "name": "containerAllowPrivilegeEscalationIsTrue",
+    "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+    "template_args": {
+        "is_init": true,
+        "prefix": "",
+        "resource_type": "kubernetes_pod",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Minimize the admission of privileged containers",
+    "reference_id": "accurics.kubernetes.IAM.13",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.14.json

@@ -0,0 +1,15 @@
+{
+    "name": "containerAllowPrivilegeEscalationIsTrue",
+    "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+    "template_args": {
+        "is_init": true,
+        "prefix": "",
+        "resource_type": "kubernetes_replicaset",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Minimize the admission of privileged containers",
+    "reference_id": "accurics.kubernetes.IAM.14",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.15.json

@@ -0,0 +1,15 @@
+{
+    "name": "containerAllowPrivilegeEscalationIsTrue",
+    "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+    "template_args": {
+        "is_init": true,
+        "prefix": "",
+        "resource_type": "kubernetes_replication_controller",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Minimize the admission of privileged containers",
+    "reference_id": "accurics.kubernetes.IAM.15",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.16.json

@@ -0,0 +1,15 @@
+{
+    "name": "containerAllowPrivilegeEscalationIsTrue",
+    "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+    "template_args": {
+        "is_init": true,
+        "prefix": "",
+        "resource_type": "kubernetes_stateful_set",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Minimize the admission of privileged containers",
+    "reference_id": "accurics.kubernetes.IAM.16",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.2.json

@@ -0,0 +1,15 @@
+{
+    "name": "containerAllowPrivilegeEscalationIsTrue",
+    "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+    "template_args": {
+        "is_init": false,
+        "prefix": "",
+        "resource_type": "kubernetes_daemonset",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Minimize the admission of privileged containers",
+    "reference_id": "accurics.kubernetes.IAM.2",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.3.json

@@ -0,0 +1,15 @@
+{
+    "name": "containerAllowPrivilegeEscalationIsTrue",
+    "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+    "template_args": {
+        "is_init": false,
+        "prefix": "",
+        "resource_type": "kubernetes_deployment",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Minimize the admission of privileged containers",
+    "reference_id": "accurics.kubernetes.IAM.3",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.4.json

@@ -0,0 +1,15 @@
+{
+    "name": "containerAllowPrivilegeEscalationIsTrue",
+    "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+    "template_args": {
+        "is_init": false,
+        "prefix": "",
+        "resource_type": "kubernetes_job",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Minimize the admission of privileged containers",
+    "reference_id": "accurics.kubernetes.IAM.4",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.5.json

@@ -0,0 +1,15 @@
+{
+    "name": "containerAllowPrivilegeEscalationIsTrue",
+    "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+    "template_args": {
+        "is_init": false,
+        "prefix": "",
+        "resource_type": "kubernetes_pod",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Minimize the admission of privileged containers",
+    "reference_id": "accurics.kubernetes.IAM.5",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.6.json

@@ -0,0 +1,15 @@
+{
+    "name": "containerAllowPrivilegeEscalationIsTrue",
+    "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+    "template_args": {
+        "is_init": false,
+        "prefix": "",
+        "resource_type": "kubernetes_replicaset",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Minimize the admission of privileged containers",
+    "reference_id": "accurics.kubernetes.IAM.6",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.7.json

@@ -0,0 +1,15 @@
+{
+    "name": "containerAllowPrivilegeEscalationIsTrue",
+    "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+    "template_args": {
+        "is_init": false,
+        "prefix": "",
+        "resource_type": "kubernetes_replication_controller",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Minimize the admission of privileged containers",
+    "reference_id": "accurics.kubernetes.IAM.7",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.8.json

@@ -0,0 +1,15 @@
+{
+    "name": "containerAllowPrivilegeEscalationIsTrue",
+    "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+    "template_args": {
+        "is_init": false,
+        "prefix": "",
+        "resource_type": "kubernetes_stateful_set",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Minimize the admission of privileged containers",
+    "reference_id": "accurics.kubernetes.IAM.8",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.9.json

@@ -0,0 +1,15 @@
+{
+    "name": "containerAllowPrivilegeEscalationIsTrue",
+    "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+    "template_args": {
+        "is_init": true,
+        "prefix": "",
+        "resource_type": "kubernetes_cron_job",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Minimize the admission of privileged containers",
+    "reference_id": "accurics.kubernetes.IAM.9",
+    "category": "Identity and Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/k8s/allow_privilege_escalation/containerAllowPrivilegeEscalationIsTrue.rego

@@ -0,0 +1,111 @@
+package accurics
+
+{{- if eq .is_init true}}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+  {{- template "initContainersSecurityContext" . }}
+  initContainersSecurityContext.allowPrivilegeEscalation == true
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+  {{- template "initContainersSecurityContextTF" . }}
+  initContainersSecurityContextTF.allow_privilege_escalation == true
+}
+
+{{- else}}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+  {{- template "containersSecurityContext" . }}
+  containersSecurityContext.allowPrivilegeEscalation == true
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+  {{- template "containersSecurityContextTF" . }}
+  containersSecurityContextTF.allow_privilege_escalation == true
+}
+
+{{- end}}
+
+
+##################################
+### Template definitions below ###
+##################################
+{{- define "api" }}
+    api = input.{{.resource_type}}[_]
+{{- end}}
+
+# resolves path to the spec key
+{{- define "spec" }}
+    {{- template "api" . }}
+    {{- if eq .resource_type "kubernetes_pod" }}
+    spec = api.config.spec
+    {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+    spec = api.config.spec
+    {{- else if eq .resource_type "kubernetes_cron_job" }}
+    spec = api.config.spec.jobTemplate.spec.template.spec
+    {{- else }}
+    spec = api.config.spec.template.spec
+    {{- end }}
+{{- end }}
+
+# resolves path to the spec key for terraform-defined k8s resources
+{{- define "specTF" }}
+    {{- template "api" . }}
+    {{- if eq .resource_type "kubernetes_pod" }}
+    specTF = api.config.spec
+    {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+    specTF = api.config.spec
+    {{- else if eq .resource_type "kubernetes_cron_job" }}
+    specTF = api.config.spec.job_template.spec.template.spec
+    {{- else }}
+    specTF = api.config.spec.template.spec
+    {{- end }}
+{{- end }}
+
+# resolves path to the containers list
+{{- define "containers" }}
+    {{- template "spec" . }}
+    containers = spec.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context
+{{- define "containersSecurityContext" }}
+    {{- template "containers" . }}
+    containersSecurityContext = containers.securityContext
+{{- end }}
+
+# resolves path to the containers list for terraform-defined k8s resources
+{{- define "containersTF" }}
+    {{- template "specTF" . }}
+    containers = specTF.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context for terraform-defined k8s resources
+{{- define "containersSecurityContextTF" }}
+    {{- template "containersTF" . }}
+    containersSecurityContextTF = containers.security_context
+{{- end }}
+
+# resolves path to the initContainers list
+{{- define "initContainers" }}
+    {{- template "spec" . }}
+    initContainers = spec.initContainers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context
+{{- define "initContainersSecurityContext" }}
+    {{- template "initContainers" . }}
+    initContainersSecurityContext = initContainers.securityContext
+{{- end }}
+
+# resolves path to the initContainers list for terraform-defined k8s resources
+{{- define "initContainersTF" }}
+    {{- template "specTF" . }}
+    initContainersTF = specTF.init_containers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context for terraform-defined k8s resources
+{{- define "initContainersSecurityContextTF" }}
+    {{- template "initContainersTF" . }}
+    initContainersSecurityContextTF = initContainersTF.security_context
+{{- end }}

pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.17.json

@@ -0,0 +1,14 @@
+{
+    "name": "containerHostIpcIsTrue",
+    "file": "containerHostIpcIsTrue.rego",
+    "template_args": {
+        "prefix": "",
+        "resource_type": "kubernetes_cron_job",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+    "reference_id": "accurics.kubernetes.IAM.17",
+    "category": "Identity and Access Management",
+    "version": 1
+}