From 04ceabedefd6356288ca2b0df22d00df76998bc8 Mon Sep 17 00:00:00 2001 
From: Willie Sana Date: Thu, 3 Sep 2020 06:18:53 -0700 Subject: [PATCH 1/8] initial kubernetes support - adds support for kubernetes violation detection in yaml using repo - adds default iac versions/types per policy/cloud provider - policies and more unit tests to follow in the next checkin --- go.mod | 1 + go.sum | 2 + pkg/cli/scan.go | 6 +- pkg/data/file/importer.go | 24 ---- pkg/http-server/file-scan.go | 11 ++ pkg/iac-providers/kubernetes.go | 35 +++++ pkg/iac-providers/kubernetes/v1/load-dir.go | 48 +++++++ .../kubernetes/v1/load-dir_test.go | 72 ++++++++++ pkg/iac-providers/kubernetes/v1/load-file.go | 48 +++++++ pkg/iac-providers/kubernetes/v1/normalize.go | 98 +++++++++++++ .../kubernetes/v1/testdata/testfile | 0 .../test_pod.yaml | 33 +++++ pkg/iac-providers/kubernetes/v1/types.go | 42 ++++++ pkg/iac-providers/providers.go | 1 - pkg/policy/aws.go | 6 +- pkg/policy/azure.go | 6 +- pkg/policy/cloud-providers.go | 26 +++- pkg/policy/gcp.go | 6 +- pkg/policy/kubernetes.go | 28 ++++ pkg/policy/opa/engine.go | 10 +- pkg/runtime/validate.go | 11 +- pkg/utils/json.go | 66 +++++++++ pkg/utils/map.go | 20 +++ pkg/utils/path.go | 55 +++++++- pkg/utils/resource.go | 16 +++ pkg/utils/types.go | 10 ++ pkg/utils/yaml.go | 132 ++++++++++++++++++ pkg/version/version.go | 2 +- 28 files changed, 768 insertions(+), 47 deletions(-) delete mode 100644 pkg/data/file/importer.go create mode 100644 pkg/iac-providers/kubernetes.go create mode 100644 pkg/iac-providers/kubernetes/v1/load-dir.go create mode 100644 pkg/iac-providers/kubernetes/v1/load-dir_test.go create mode 100644 pkg/iac-providers/kubernetes/v1/load-file.go create mode 100644 pkg/iac-providers/kubernetes/v1/normalize.go create mode 100644 pkg/iac-providers/kubernetes/v1/testdata/testfile create mode 100644 pkg/iac-providers/kubernetes/v1/testdata/yaml-with-multiple-documents/test_pod.yaml create mode 100644 pkg/iac-providers/kubernetes/v1/types.go create mode 100644 pkg/policy/kubernetes.go create mode 100644 
pkg/utils/json.go create mode 100644 pkg/utils/map.go create mode 100644 pkg/utils/types.go create mode 100644 pkg/utils/yaml.go diff --git a/go.mod b/go.mod index 93b2a8d0e..7c521466a 100644 --- a/go.mod +++ b/go.mod @@ -21,6 +21,7 @@ require ( golang.org/x/sys v0.0.0-20200814200057-3d37ad5750ed // indirect gopkg.in/src-d/go-git.v4 v4.13.1 gopkg.in/yaml.v2 v2.3.0 + gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 k8s.io/apimachinery v0.18.8 // indirect k8s.io/client-go v11.0.0+incompatible ) diff --git a/go.sum b/go.sum index fdcc77d23..ccb527f83 100644 --- a/go.sum +++ b/go.sum @@ -609,6 +609,8 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ= +gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= diff --git a/pkg/cli/scan.go b/pkg/cli/scan.go index 4eff25af2..dbc547b28 100644 --- a/pkg/cli/scan.go +++ b/pkg/cli/scan.go 
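Review bot: gopkg.in/yaml.v3 is added at an untagged pseudo-version (v3.0.0-20200615113413-eeeca48fe776) while the module already depends on gopkg.in/yaml.v2 v2.3.0, so the decoder this patch feeds with user-uploaded manifests through the HTTP scan endpoint is tracked by commit hash rather than by a release, and the module now carries two YAML libraries. Prefer a tagged release when one exists and consolidate on one library if yaml.v2 is no longer needed elsewhere (I cannot tell from the diff). Note also that yaml.v3 pseudo-versions before v3.0.0-20220521103104-8f96da9f5d5e were later reported to panic in Unmarshal on crafted input (CVE-2022-28948), which is a denial-of-service concern for a server that parses untrusted files, so this pin will need to move forward.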
@@ -55,9 +55,9 @@ func scan(cmd *cobra.Command, args []string) { } func init() { - scanCmd.Flags().StringVarP(&PolicyType, "policy-type", "t", "", " policy type (aws, azure, gcp)") - scanCmd.Flags().StringVarP(&IacType, "iac-type", "i", "terraform", "iac type (terraform)") - scanCmd.Flags().StringVarP(&IacVersion, "iac-version", "", "v12", "iac version (v12)") + scanCmd.Flags().StringVarP(&PolicyType, "policy-type", "t", "", " policy type (aws, azure, gcp, k8s)") + scanCmd.Flags().StringVarP(&IacType, "iac-type", "i", "", "iac type (terraform, k8s)") + scanCmd.Flags().StringVarP(&IacVersion, "iac-version", "", "", "iac version terraform:(v12) k8s:(v1)") scanCmd.Flags().StringVarP(&IacFilePath, "iac-file", "f", "", "path to a single IaC file") scanCmd.Flags().StringVarP(&IacDirPath, "iac-dir", "d", ".", "path to a directory containing one or more IaC files") scanCmd.Flags().StringVarP(&PolicyPath, "policy-path", "p", "", "policy path directory") diff --git a/pkg/data/file/importer.go b/pkg/data/file/importer.go deleted file mode 100644 index fc3b808b7..000000000 --- a/pkg/data/file/importer.go +++ /dev/null @@ -1,24 +0,0 @@ -package file - -// Info File info -type Info struct { - Path string - Hash string - HashType string - Attributes string -} - -// Group Group metadata -type Group struct { - Name string - IsReadOnly bool - VerifySignatures bool - Directories []*Info - Files []*Info -} - -// Metadata File metadata -type Metadata struct { - Version string - Groups []*Group -} diff --git a/pkg/http-server/file-scan.go b/pkg/http-server/file-scan.go index b49ebfc29..5fe443440 100644 --- a/pkg/http-server/file-scan.go +++ b/pkg/http-server/file-scan.go @@ -23,6 +23,8 @@ import ( "net/http" "os" + "github.com/accurics/terrascan/pkg/policy" + "github.com/accurics/terrascan/pkg/runtime" "github.com/gorilla/mux" "go.uber.org/zap" 
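Review bot: With `-i` and `--iac-version` now defaulting to empty, a plain `terrascan scan` with no `-t` no longer means terraform/v12: the validate.go hunk in this patch fills the defaults from the policy type, and with an empty policy type both stay empty, so as far as that hunk shows the scan fails with errIacNotSupported. Either keep a terraform default when no policy type is given, or say in the `-t` help text that it now drives the defaults, e.g. `"policy type (aws, azure, gcp, k8s); also selects the default iac type/version"`, and drop the stray leading space in that help string. The enclosing init() continues past the end of this hunk.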
@@ -81,6 +83,15 @@ func (g *APIHandler) scanFile(w http.ResponseWriter, r *http.Request) { // write this byte array to our temporary file tempFile.Write(fileBytes) + // set default iac type/version if not already set + if iacType == "" { + iacType = policy.GetDefaultIacType(cloudType) + } + + if iacVersion == "" { + iacVersion = policy.GetDefaultIacVersion(cloudType) + } + // create a new runtime executor for scanning the uploaded file var executor *runtime.Executor if g.test { diff --git a/pkg/iac-providers/kubernetes.go b/pkg/iac-providers/kubernetes.go new file mode 100644 index 000000000..93b981656 --- /dev/null +++ b/pkg/iac-providers/kubernetes.go @@ -0,0 +1,35 @@ +/* + Copyright (C) 2020 Accurics, Inc. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package iacprovider + +import ( + "reflect" + + k8sv1 "github.com/accurics/terrascan/pkg/iac-providers/kubernetes/v1" +) + +// terraform specific constants +const ( + kubernetes supportedIacType = "k8s" + kubernetesV1 supportedIacVersion = "v1" +) + +// register kubernetes as an IaC provider with terrascan +func init() { + // register iac provider + RegisterIacProvider(kubernetes, kubernetesV1, reflect.TypeOf(k8sv1.K8sV1{})) +} diff --git a/pkg/iac-providers/kubernetes/v1/load-dir.go b/pkg/iac-providers/kubernetes/v1/load-dir.go new file mode 100644 index 000000000..0ffe5bfa2 --- /dev/null +++ b/pkg/iac-providers/kubernetes/v1/load-dir.go 
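Review bot: The IaC version default is looked up by `cloudType` even when the client supplied an explicit `iacType`, so a request with iacType=terraform and cloudType=k8s resolves to terraform/v1, which no provider registers; the version default should follow the IaC type that will actually be used, for example apply both defaults only when both were empty. These two blocks also duplicate what the runtime/validate.go hunk in this patch does inside the executor, so the handler could drop them and rely on ValidateInputs, assuming the executor created below calls it (outside this hunk). scanFile continues outside the hunk, so I cannot see where `cloudType` is read from the request, but it is request-controlled and an unknown value yields empty defaults here.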
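Review bot: The comment `// terraform specific constants` above the `kubernetes`/`kubernetesV1` constants is a copy-paste leftover and should read `// kubernetes specific constants`. The init comment could also state what the registration means for the CLI, e.g. `// register k8s v1 so that --iac-type k8s --iac-version v1 resolves to K8sV1`.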
@@ -0,0 +1,48 @@
+package k8sv1
+
+import (
+ "path/filepath"
+ "strings"
+
+ "github.com/accurics/terrascan/pkg/iac-providers/output"
+ "github.com/accurics/terrascan/pkg/utils"
+)
+
+func (*K8sV1) getFileType(file string) string {
+ if strings.HasSuffix(file, YAMLExtension) {
+ return YAMLExtension
+ } else if strings.HasSuffix(file, YAMLExtension2) {
+ return YAMLExtension2
+ } else if strings.HasSuffix(file, JSONExtension) {
+ return JSONExtension
+ }
+ return UnknownExtension
+}
+
+// LoadIacDir loads all k8s files in the current directory
+func (k *K8sV1) LoadIacDir(absRootDir string) (output.AllResourceConfigs, error) {
+
+ allResourcesConfig := make(map[string][]output.ResourceConfig)
+
+ fileMap, err := utils.FindFilesBySuffix(absRootDir, K8sFileExtensions())
+ if err != nil {
+ return allResourcesConfig, err
+ }
+
+ for _, files := range fileMap {
+ for i := range files {
+ file := filepath.Join(absRootDir, *files[i])
+
+ var configData output.AllResourceConfigs
+ if configData, err = k.LoadIacFile(file); err != nil {
+ continue
+ }
+
+ for key := range configData {
+ allResourcesConfig[key] = append(allResourcesConfig[key], configData[key]...)
+ }
+ }
+ }
+
+ return allResourcesConfig, nil
+}
diff --git a/pkg/iac-providers/kubernetes/v1/load-dir_test.go b/pkg/iac-providers/kubernetes/v1/load-dir_test.go
new file mode 100644
index 000000000..b60c748d9
--- /dev/null
+++ b/pkg/iac-providers/kubernetes/v1/load-dir_test.go
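Review bot: `filepath.Join(absRootDir, *files[i])` joins the file name to the scan root, but FindFilesBySuffix (added in this patch) keys its map by the directory each file was found in and stores bare names, so any manifest in a subdirectory resolves to a path that does not exist, LoadIacFile fails, and the `continue` drops it silently — a blind spot for nested chart or kustomize layouts. Use the map key: `for dir, files := range fileMap {` and `file := filepath.Join(dir, *files[i])`. Independently, swallowing every LoadIacFile error with `continue` means a malformed or unsupported manifest produces no finding and no error; log it here with the path at least, or collect the failures and return them alongside the partial result so a CI run fails closed. I infer the directory-key semantics from the FindFilesBySuffix hunk, not from FindAllDirectories, which is outside the diff.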
@@ -0,0 +1,72 @@ +/* + Copyright (C) 2020 Accurics, Inc. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package k8sv1 + +import ( + "fmt" + "os" + "reflect" + "syscall" + "testing" + + "github.com/accurics/terrascan/pkg/iac-providers/output" +) + +func TestLoadIacDir(t *testing.T) { + + table := []struct { + name string + dirPath string + k8sV1 K8sV1 + want output.AllResourceConfigs + wantErr error + }{ + { + name: "empty config", + dirPath: "./testdata/testfile", + k8sV1: K8sV1{}, + wantErr: fmt.Errorf("no directories found for path ./testdata/testfile"), + }, + { + name: "load invalid config dir", + dirPath: "./testdata", + k8sV1: K8sV1{}, + wantErr: nil, + }, + { + name: "invalid dirPath", + dirPath: "not-there", + k8sV1: K8sV1{}, + wantErr: &os.PathError{Err: syscall.ENOENT, Op: "lstat", Path: "not-there"}, + }, + { + name: "yaml with multiple documents", + dirPath: "./testdata/yaml-with-multiple-documents", + k8sV1: K8sV1{}, + wantErr: nil, + }} + + for _, tt := range table { + t.Run(tt.name, func(t *testing.T) { + _, gotErr := tt.k8sV1.LoadIacDir(tt.dirPath) + if !reflect.DeepEqual(gotErr, tt.wantErr) { + t.Errorf("unexpected error; gotErr: '%v', wantErr: '%v'", gotErr, tt.wantErr) + } + }) + } + +} diff --git a/pkg/iac-providers/kubernetes/v1/load-file.go b/pkg/iac-providers/kubernetes/v1/load-file.go new file mode 100644 index 000000000..116a654b6 --- /dev/null +++ b/pkg/iac-providers/kubernetes/v1/load-file.go 
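Review bot: The table only compares the returned error and discards the loaded resources, so the "yaml with multiple documents" case passes even if neither document is loaded. Capture the result, `got, gotErr := tt.k8sV1.LoadIacDir(tt.dirPath)`, and for that case assert `len(got["k8s_Pod"]) == 1 && len(got["k8s_Deployment"]) == 1` (the type keys come from the normalize.go hunk in this patch). Matching a hand-built `*os.PathError` with reflect.DeepEqual is also brittle across platforms and Go versions; `errors.Is(gotErr, os.ErrNotExist)` is the portable check.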
@@ -0,0 +1,48 @@
+package k8sv1
+
+import (
+ "github.com/accurics/terrascan/pkg/utils"
+
+ "github.com/accurics/terrascan/pkg/iac-providers/output"
+ "go.uber.org/zap"
+)
+
+// LoadIacFile loads the k8s file specified
+// Note that a single k8s yaml file may contain multiple resource definitions
+func (k *K8sV1) LoadIacFile(absRootPath string) (allResourcesConfig output.AllResourceConfigs, err error) {
+ allResourcesConfig = make(map[string][]output.ResourceConfig)
+
+ var iacDocuments []*utils.IacDocument
+
+ fileExt := k.getFileType(absRootPath)
+ switch fileExt {
+ case YAMLExtension:
+ fallthrough
+ case YAMLExtension2:
+ iacDocuments, err = utils.LoadYAML(absRootPath)
+ case JSONExtension:
+ iacDocuments, err = utils.LoadJSON(absRootPath)
+ default:
+ zap.S().Warn("unknown extension found", zap.String("extension", fileExt))
+ return allResourcesConfig, err
+ }
+ if err != nil {
+ zap.S().Warn("failed to load file", zap.String("file", absRootPath))
+ return allResourcesConfig, err
+ }
+
+ for _, doc := range iacDocuments {
+ var config *output.ResourceConfig
+ config, err = k.normalize(doc)
+ if err != nil {
+ zap.S().Warn("unable to normalize data", zap.Error(err), zap.String("file", absRootPath))
+ return allResourcesConfig, err
+ }
+
+ config.Line = doc.StartLine
+ config.Source = absRootPath
+
+ allResourcesConfig[config.Type] = append(allResourcesConfig[config.Type], *config)
+ }
+ return allResourcesConfig, nil
+}
diff --git a/pkg/iac-providers/kubernetes/v1/normalize.go b/pkg/iac-providers/kubernetes/v1/normalize.go
new file mode 100644
index 000000000..6b24e5f8b
--- /dev/null
+++ b/pkg/iac-providers/kubernetes/v1/normalize.go
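Review bot: `zap.S().Warn("unknown extension found", zap.String("extension", fileExt))` and the two other Warn calls in this function pass zap.Field values to the sugared logger's Warn, which fmt.Sprint-formats its arguments, so each field is rendered as a struct dump rather than a structured key; use `zap.S().Warnw("unknown extension found", "extension", fileExt)` or `zap.L().Warn(...)` with fields. In the `default:` branch `err` is still nil, so an unsupported extension returns an empty result with no error. When normalize fails on one document the whole file is abandoned even though earlier documents were valid, and combined with LoadIacDir's `continue` a single non-conforming document (one without `metadata`, say) hides every violation in that file; consider returning an explicit error for the unknown-extension case and skipping only the failing document with a warning.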
@@ -0,0 +1,98 @@ +/* + Copyright (C) 2020 Accurics, Inc. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package k8sv1 + +import ( + "fmt" + + "github.com/accurics/terrascan/pkg/iac-providers/output" + "github.com/accurics/terrascan/pkg/utils" +) + +var ( + errBadResourceType = fmt.Errorf("bad resource type") + errKeyDoesNotExist = fmt.Errorf("key does not exist") + errMetadataDoesNotExist = fmt.Errorf("metadata does not exist") + errMetadataNameField = fmt.Errorf("unable to parse the metadata name field") + errInvalidNamespaceType = fmt.Errorf("invalid namespace type") +) + +func (k *K8sV1) normalize(doc *utils.IacDocument) (*output.ResourceConfig, error) { + + // if the document is yaml, convert it to json first + var data *map[string]interface{} + if doc.Type == utils.YAMLDoc { + var err error + data, err = utils.YAMLtoJSON(doc.Data) + if err != nil { + return nil, err + } + } + + // resource type + _, ok := (*data)["kind"] + if !ok { + return nil, errBadResourceType + } + + var resourceType string + resourceType, ok = (*data)["kind"].(string) + if !ok { + return nil, errBadResourceType + } + + metadataVal, ok := (*data)["metadata"] + if !ok { + return nil, errKeyDoesNotExist + } + + var metadata map[string]interface{} + metadata, ok = metadataVal.(map[string]interface{}) + if !ok { + return nil, errMetadataDoesNotExist + } + + namespace := "default" + var resourceName string + if resourceType == "Namespace" || resourceType == "ClusterRole" { + resourceName, ok = 
metadata["name"].(string) + if !ok { + return nil, errMetadataNameField + } + } else { + // sets the namespace + // if no namespace is specified, the default namespace is used + var namespaceVal interface{} + if namespaceVal, ok = metadata["namespace"]; ok { + // set the namespace if available, otherwise use the default + namespace, _ = namespaceVal.(string) + } + + // extract the resource name and set the resource id + resourceName, ok = metadata["name"].(string) + if !ok { + return nil, errInvalidNamespaceType + } + } + + return &output.ResourceConfig{ + Type: kubernetesTypeName + resourceType, + ID: kubernetesTypeName + resourceType + "." + resourceName + "." + namespace, + Name: resourceName, + Config: data, + }, nil +} diff --git a/pkg/iac-providers/kubernetes/v1/testdata/testfile b/pkg/iac-providers/kubernetes/v1/testdata/testfile new file mode 100644 index 000000000..e69de29bb diff --git a/pkg/iac-providers/kubernetes/v1/testdata/yaml-with-multiple-documents/test_pod.yaml b/pkg/iac-providers/kubernetes/v1/testdata/yaml-with-multiple-documents/test_pod.yaml new file mode 100644 index 000000000..dada1636b --- /dev/null +++ b/pkg/iac-providers/kubernetes/v1/testdata/yaml-with-multiple-documents/test_pod.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod + labels: + app: myapp + test: someupdate + test2: someupdate3 +spec: + containers: + - name: myapp-container + image: busybox + command: ['sh', '-c', 'echo Hello Kubernetes! && sleep 3600'] + securityContext: + allowPrivilegeEscalation: true +--- +apiVersion: apps/v1beta1 +kind: Deployment +metadata: + name: myapp-deployment2 + labels: + app: myapp + test: someupdate + test2: someupdate3 +spec: + template: + spec: + containers: + - name: myapp-container2 + image: busybox + command: ['sh', '-c', 'echo Hello Kubernetes! && sleep 3600'] + securityContext: + allowPrivilegeEscalation: true 
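Review bot: `data` is only assigned in the `doc.Type == utils.YAMLDoc` branch, and the LoadJSON added in this patch never sets `doc.Type`, so for any `.json` manifest `data` stays nil and `(*data)["kind"]` dereferences a nil pointer — a crash reachable through the HTTP file-scan handler with an uploaded file. Decode non-YAML documents as JSON instead of assuming YAML, as below (needs an `encoding/json` import). Smaller points: the missing-name error in the namespaced branch returns errInvalidNamespaceType rather than errMetadataNameField, the literal "default" should use the `defaultNamespace` constant from types.go, and the cluster-scoped list (`Namespace`, `ClusterRole`) omits ClusterRoleBinding, PersistentVolume, StorageClass and others, which therefore get a spurious `.default` suffix in their ID.
```go
	var data *map[string]interface{}
	if doc.Type == utils.YAMLDoc {
		var err error
		data, err = utils.YAMLtoJSON(doc.Data)
		if err != nil {
			return nil, err
		}
	} else {
		// anything else is treated as JSON; LoadJSON currently leaves doc.Type empty
		var m map[string]interface{}
		if err := json.Unmarshal(doc.Data, &m); err != nil {
			return nil, err
		}
		data = &m
	}
	// … unchanged: kind / metadata / name / namespace extraction …
```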
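Review bot: `apiVersion: apps/v1beta1` for the Deployment document was removed in Kubernetes 1.16 (Deployments are served only by `apps/v1`), so this fixture exercises an API version real clusters reject; use `apiVersion: apps/v1` and add a `selector` if the fixture is ever validated against the schema. A short header comment stating that both documents intentionally set `allowPrivilegeEscalation: true` so that a policy has something to flag would make the fixture's purpose clear.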
diff --git a/pkg/iac-providers/kubernetes/v1/types.go b/pkg/iac-providers/kubernetes/v1/types.go new file mode 100644 index 000000000..9ef1aa19d --- /dev/null +++ b/pkg/iac-providers/kubernetes/v1/types.go @@ -0,0 +1,42 @@ +/* + Copyright (C) 2020 Accurics, Inc. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package k8sv1 + +// K8sV1 struct implements the IacProvider interface +type K8sV1 struct{} + +const ( + // YAMLExtension yaml + YAMLExtension = "yaml" + + // YAMLExtension2 yml + YAMLExtension2 = "yml" + + // JSONExtension json + JSONExtension = "json" + + // UnknownExtension unknown + UnknownExtension = "unknown" + + kubernetesTypeName = "k8s_" + defaultNamespace = "default" +) + +// K8sFileExtensions returns the valid extensions for k8s (yaml, yml, json) +func K8sFileExtensions() []string { + return []string{YAMLExtension, YAMLExtension2, JSONExtension} +} diff --git a/pkg/iac-providers/providers.go b/pkg/iac-providers/providers.go index c7f63818d..ef7e0fb20 100644 --- a/pkg/iac-providers/providers.go +++ b/pkg/iac-providers/providers.go @@ -29,7 +29,6 @@ var ( // NewIacProvider returns a new IacProvider func NewIacProvider(iacType, iacVersion string) (iacProvider IacProvider, err error) { - // get IacProvider from supportedIacProviders iacProviderObject, supported := supportedIacProviders[supportedIacType(iacType)][supportedIacVersion(iacVersion)] if !supported { diff --git a/pkg/policy/aws.go b/pkg/policy/aws.go index 7c52dff75..e0aeb2621 100644 
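Review bot: The extension constants carry no leading dot and getFileType/FindFilesBySuffix match them with strings.HasSuffix, so any name ending in the bare letters (`values-yaml`, `notjson`) is treated as a manifest while `.YAML`/`.JSON` in upper case is skipped; define them as `YAMLExtension = ".yaml"`, `YAMLExtension2 = ".yml"`, `JSONExtension = ".json"` or compare `strings.ToLower(filepath.Ext(file))`. `defaultNamespace` is declared here but the normalize.go hunk in this patch hard-codes the literal "default", so one of the two should go. The doc comment on `K8sV1` could add that the type is stateless and is instantiated by reflection from iac-providers/kubernetes.go.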
--- a/pkg/policy/aws.go +++ b/pkg/policy/aws.go @@ -17,10 +17,12 @@ package policy const ( - aws supportedCloudType = "aws" + aws supportedCloudType = "aws" + defaultAWSIacType supportedIacType = "aws" + defaultAWSIacVersion supportedIacVersion = "v12" ) func init() { // Register aws as a cloud provider with terrascan - RegisterCloudProvider(aws) + RegisterCloudProvider(aws, defaultAWSIacType, defaultAWSIacVersion) } diff --git a/pkg/policy/azure.go b/pkg/policy/azure.go index 4d0f0fb64..d2e57d773 100644 --- a/pkg/policy/azure.go +++ b/pkg/policy/azure.go @@ -17,10 +17,12 @@ package policy const ( - azure supportedCloudType = "azure" + azure supportedCloudType = "azure" + defaultAzureIacType supportedIacType = "terraform" + defaultAzureIacVersion supportedIacVersion = "v12" ) func init() { // Register azure as a cloud provider with terrascan - RegisterCloudProvider(azure) + RegisterCloudProvider(azure, defaultAzureIacType, defaultAzureIacVersion) } diff --git a/pkg/policy/cloud-providers.go b/pkg/policy/cloud-providers.go index 2d6f370ea..a6b7a9fc5 100644 --- a/pkg/policy/cloud-providers.go +++ b/pkg/policy/cloud-providers.go 
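Review bot: `defaultAWSIacType supportedIacType = "aws"` looks like a typo for `"terraform"`: azure.go and gcp.go in this same patch use `"terraform"`, no IaC provider registers a type named "aws", and with the defaulting added in runtime/validate.go a `terrascan scan -t aws` without `-i` resolves to iac type "aws"/"v12" and fails with errIacNotSupported. Change it to `defaultAWSIacType supportedIacType = "terraform"`. A small test that runs every registered cloud type's defaults through IacProvider.IsIacSupported would have caught this and will catch the next one.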
@@ -23,17 +23,31 @@ import ( // supportedCloudType data type for supported cloud types in terrascan type supportedCloudType string +// supportedIacType data type for supported iac types +type supportedIacType string + +// supportedIacVersion data type for supported iac versions +type supportedIacVersion string + // supportedCloudProvider map of supported cloud provider and its default policy path var supportedCloudProvider = make(map[supportedCloudType]string) +// defaultIacType map of default IaC type for a given policy/cloud provider +var defaultIacType = make(map[supportedCloudType]supportedIacType) + +// defaultIacVersion map of default IaC version for a given policy/cloud provider +var defaultIacVersion = make(map[supportedCloudType]supportedIacVersion) + var ( basePolicyPath = config.GetPolicyBasePath() ) // RegisterCloudProvider registers a cloud provider with terrascan -func RegisterCloudProvider(cloudType supportedCloudType) { +func RegisterCloudProvider(cloudType supportedCloudType, iacTypeDefault supportedIacType, iacVersionDefault supportedIacVersion) { policyPath := basePolicyPath + "/" + string(cloudType) supportedCloudProvider[cloudType] = policyPath + defaultIacType[cloudType] = iacTypeDefault + defaultIacVersion[cloudType] = iacVersionDefault } // IsCloudProviderSupported returns whether a cloud provider is supported in terrascan @@ -46,3 +60,13 @@ func IsCloudProviderSupported(cloudType string) bool { func GetDefaultPolicyPath(cloudType string) string { return supportedCloudProvider[supportedCloudType(cloudType)] } + +// GetDefaultIacType returns the default IaC type for the given cloudType +func GetDefaultIacType(cloudType string) string { + return string(defaultIacType[supportedCloudType(cloudType)]) +} + +// GetDefaultIacVersion returns the default IaC version for the given cloudType +func GetDefaultIacVersion(cloudType string) string { + return string(defaultIacVersion[supportedCloudType(cloudType)]) +} 
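Review bot: `GetDefaultIacType` and `GetDefaultIacVersion` return "" both for an unregistered cloud type and for a registered one with an empty default, and nothing ties the stored defaults to the IaC providers actually registered, so a bad default (see aws.go in this patch) surfaces only at scan time. Document the contract on both getters, e.g. `// GetDefaultIacType returns the default IaC type for cloudType, or "" if cloudType is not registered`, or return `(string, bool)` so callers can tell the cases apart. RegisterCloudProvider could also refuse a second registration of the same cloudType rather than silently overwriting the path and defaults.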
diff --git a/pkg/policy/gcp.go b/pkg/policy/gcp.go index a9fab5778..f49dfe606 100644 --- a/pkg/policy/gcp.go +++ b/pkg/policy/gcp.go @@ -17,10 +17,12 @@ package policy const ( - gcp supportedCloudType = "gcp" + gcp supportedCloudType = "gcp" + defaultGCPIacType supportedIacType = "terraform" + defaultGCPIacVersion supportedIacVersion = "v12" ) func init() { // Register gcp as a cloud provider with terrascan - RegisterCloudProvider(gcp) + RegisterCloudProvider(gcp, defaultGCPIacType, defaultGCPIacVersion) } diff --git a/pkg/policy/kubernetes.go b/pkg/policy/kubernetes.go new file mode 100644 index 000000000..f845efbbc --- /dev/null +++ b/pkg/policy/kubernetes.go @@ -0,0 +1,28 @@ +/* + Copyright (C) 2020 Accurics, Inc. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package policy + +const ( + kubernetes supportedCloudType = "k8s" + defaultKubernetesIacType supportedIacType = "k8s" + defaultKubernetesIacVersion supportedIacVersion = "v1" +) + +func init() { + // Register kubernetes as a provider with terrascan + RegisterCloudProvider(kubernetes, defaultKubernetesIacType, defaultKubernetesIacVersion) +} diff --git a/pkg/policy/opa/engine.go b/pkg/policy/opa/engine.go index 52ee00f25..cb2ca3b1b 100644 --- a/pkg/policy/opa/engine.go +++ b/pkg/policy/opa/engine.go 
@@ -134,15 +134,15 @@ func (e *Engine) LoadRegoFiles(policyPath string) error { } // Load the rego metadata first (*.json) - metadataFiles := utils.FilterFileInfoBySuffix(&fileInfo, RegoMetadataFileSuffix) - if metadataFiles == nil { + metadataFiles := utils.FilterFileInfoBySuffix(&fileInfo, []string{RegoMetadataFileSuffix}) + if len(metadataFiles) == 0 { zap.S().Debug("no metadata files were found", zap.String("dir", dirList[i])) continue } var regoDataList []*RegoData - for j := range *metadataFiles { - filePath := filepath.Join(dirList[i], (*metadataFiles)[j]) + for j := range metadataFiles { + filePath := filepath.Join(dirList[i], *metadataFiles[j]) var regoMetadata *RegoMetadata regoMetadata, err = e.LoadRegoMetadata(filePath) @@ -307,7 +307,7 @@ func (e *Engine) Evaluate(engineInput policy.EngineInput) (policy.EngineOutput, // Execute the prepared query. rs, err := e.regoDataMap[k].PreparedQuery.Eval(e.context, rego.EvalInput(engineInput.InputData)) if err != nil { - zap.S().Warn("failed to run prepared query", zap.String("rule", "'"+k+"'")) + zap.S().Warn("failed to run prepared query", zap.Error(err), zap.String("rule", "'"+k+"'")) continue } diff --git a/pkg/runtime/validate.go b/pkg/runtime/validate.go index eb99b115c..d420e421d 100644 --- a/pkg/runtime/validate.go +++ b/pkg/runtime/validate.go @@ -71,7 +71,16 @@ func (e *Executor) ValidateInputs() error { zap.S().Debugf("directory '%s' exists", e.dirPath) } - // check if Iac type is supported + // set default iac type/version if not already set + if e.iacType == "" { + e.iacType = policy.GetDefaultIacType(e.cloudType) + } + + if e.iacVersion == "" { + e.iacVersion = policy.GetDefaultIacVersion(e.cloudType) + } + + // check if IaC type is supported if !IacProvider.IsIacSupported(e.iacType, e.iacVersion) { zap.S().Errorf("iac type '%s', version '%s' not supported", e.iacType, e.iacVersion) return errIacNotSupported 
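Review bot: `zap.Error(err)` is passed to `zap.S().Warn`, the sugared logger, which fmt.Sprint-formats its arguments, so the error is logged as a Field struct dump rather than under an `error` key; use `zap.S().Warnw("failed to run prepared query", "rule", k, zap.Error(err))` (Warnw accepts typed fields) or `zap.L().Warn(...)`. The `continue` that follows, unchanged by this patch, means a policy whose query errors is treated as passing; surfacing that as a count in the engine output would let CI users notice a broken rule rather than a silent gap. The enclosing Evaluate loop starts and ends outside the hunk.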
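Review bot: The IaC version default is keyed on `e.cloudType` independently of `e.iacType`, so `-t k8s -i terraform` (or `-t aws -i k8s`) picks up a version from the wrong provider and the IsIacSupported check below fails; derive the version from the chosen IaC type, or apply both defaults only together: `if e.iacType == "" && e.iacVersion == "" { e.iacType, e.iacVersion = policy.GetDefaultIacType(e.cloudType), policy.GetDefaultIacVersion(e.cloudType) }`. If `e.cloudType` has not been validated by this point (the IsCloudProviderSupported check is outside the hunk), an unknown `-t` leaves both empty and the user is told "iac type '' ... not supported", which hides the real mistake; a dedicated message for the empty case would help. ValidateInputs continues past the hunk.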
diff --git a/pkg/utils/json.go b/pkg/utils/json.go
new file mode 100644
index 000000000..2c18db78d
--- /dev/null
+++ b/pkg/utils/json.go
@@ -0,0 +1,66 @@
+package utils
+
+import (
+ "bufio"
+ "encoding/json"
+ "io/ioutil"
+ "os"
+
+ "go.uber.org/zap"
+)
+
+const (
+ // JSONDoc type for json files
+ JSONDoc = "json"
+)
+
+// LoadJSON loads a JSON file into an IacDocument struct
+func LoadJSON(filePath string) ([]*IacDocument, error) {
+ iacDocumentList := make([]*IacDocument, 1)
+
+ fileBytes, err := ioutil.ReadFile(filePath)
+ if err != nil {
+ return iacDocumentList, err
+ }
+
+ // First pass determines line number data
+ currentLineNumber := 1
+ { // Limit the scope for Close()
+ var file *os.File
+ file, err = os.Open(filePath)
+ if err != nil {
+ return iacDocumentList, err
+ }
+ defer file.Close()
+
+ scanner := bufio.NewScanner(file)
+ for scanner.Scan() {
+ currentLineNumber++
+ }
+
+ if err = scanner.Err(); err != nil {
+ return iacDocumentList, err
+ }
+ }
+
+ // Second pass extracts data
+ var doc IacDocument
+ dataMap := make(map[string]interface{})
+ err = json.Unmarshal(fileBytes, &dataMap)
+ if err != nil {
+ zap.S().Warn("unable to unmarshal json file", zap.String("file", filePath))
+ return iacDocumentList, err
+ }
+
+ doc.Data, err = json.Marshal(dataMap)
+ if err != nil {
+ zap.S().Warn("unable to marshal json file", zap.String("file", filePath))
+ }
+
+ doc.StartLine = 1
+ doc.FilePath = filePath
+ doc.EndLine = currentLineNumber
+ iacDocumentList[0] = &doc
+
+ return iacDocumentList, nil
+}
diff --git a/pkg/utils/map.go b/pkg/utils/map.go
new file mode 100644
index 000000000..e2e100321
--- /dev/null
+++ b/pkg/utils/map.go
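Review bot: `doc.Type` is never set, so the document reaches normalize (in this patch) with an empty type, which is what leaves its YAML-only branch with a nil `data` pointer; add `doc.Type = JSONDoc` next to `doc.StartLine = 1`. The `json.Marshal` error is logged and then ignored, leaving `doc.Data` empty, and every error path returns a one-element slice whose only entry is nil — return `nil, err` on errors and propagate the marshal failure. `currentLineNumber` starts at 1 and is incremented once per line, so `EndLine` is one past the last line; start the counter at 0 if EndLine is meant to be the last line. The zap.String argument to `zap.S().Warn` is formatted by fmt.Sprint rather than as a field; use Warnw.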
@@ -0,0 +1,20 @@
+package utils
+
+// InterfaceToMapStringInterface converts instances of map[interface{}interface{} to map[string]interface{} within a nested
+// map data structure such as json
+func InterfaceToMapStringInterface(iface interface{}) interface{} {
+ switch ifaceObj := iface.(type) {
+ case []interface{}:
+ for i := range ifaceObj {
+ ifaceObj[i] = InterfaceToMapStringInterface(ifaceObj[i])
+ }
+ return iface
+ case map[interface{}]interface{}:
+ mapData := make(map[string]interface{})
+ for k := range ifaceObj {
+ mapData[k.(string)] = InterfaceToMapStringInterface(ifaceObj[k])
+ }
+ return mapData
+ }
+ return iface
+}
diff --git a/pkg/utils/path.go b/pkg/utils/path.go
index 6e38345b4..b47b2c72b 100644
--- a/pkg/utils/path.go
+++ b/pkg/utils/path.go
@@ -17,9 +17,15 @@ package utils import ( + "errors" + "fmt" + "io/ioutil" "os" "path/filepath" + "sort" "strings" + + "go.uber.org/zap" ) // GetAbsPath returns absolute path from passed file path resolving even ~ to user home dir and any other such symbols that are only
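Review bot: `k.(string)` is an unchecked type assertion, so a YAML mapping with a non-string key (`1: x`, `true: y`) — which is typically what makes yaml.v3 produce a `map[interface{}]interface{}` rather than `map[string]interface{}` in the first place — panics inside the converter, and via YAMLtoJSON that is reachable from an uploaded manifest on the HTTP scan endpoint. Convert the key explicitly: `key, ok := k.(string); if !ok { key = fmt.Sprint(k) }` then `mapData[key] = InterfaceToMapStringInterface(ifaceObj[k])` (needs an `fmt` import). The doc comment has an unbalanced `map[interface{}interface{}`; it should read `map[interface{}]interface{}`.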
@@ -54,13 +60,52 @@ func FindAllDirectories(basePath string) ([]string, error) { } // FilterFileInfoBySuffix Given a list of files, returns a subset of files containing a suffix which matches the input filter -func FilterFileInfoBySuffix(allFileList *[]os.FileInfo, filter string) *[]string { - fileList := make([]string, 0) +func FilterFileInfoBySuffix(allFileList *[]os.FileInfo, filter []string) []*string { + fileList := make([]*string, 0) for i := range *allFileList { - if strings.HasSuffix((*allFileList)[i].Name(), filter) { - fileList = append(fileList, (*allFileList)[i].Name()) + for j := range filter { + if strings.HasSuffix((*allFileList)[i].Name(), filter[j]) { + filename := (*allFileList)[i].Name() + fileList = append(fileList, &filename) + } } } - return &fileList + return fileList +} + +// FindFilesBySuffix finds all files within a given directory that have the specified suffixes +// Returns a map with keys as directories and values as a list of files +func FindFilesBySuffix(basePath string, suffixes []string) (map[string][]*string, error) { + retMap := make(map[string][]*string) + + // Walk the file path and find all directories + dirList, err := FindAllDirectories(basePath) + if err != nil { + return retMap, err + } + + if len(dirList) == 0 { + return retMap, fmt.Errorf("no directories found for path %s", basePath) + } + + sort.Strings(dirList) + for i := range dirList { + // Find all files in the current dir + var fileInfo []os.FileInfo + fileInfo, err = ioutil.ReadDir(dirList[i]) + if err != nil { + if !errors.Is(err, os.ErrNotExist) { + zap.S().Debug("error while searching for files", zap.String("dir", dirList[i])) + } + continue + } + + fileList := FilterFileInfoBySuffix(&fileInfo, suffixes) + if len(fileList) > 0 { + retMap[dirList[i]] = fileList + } + } + + return retMap, nil } diff --git a/pkg/utils/resource.go b/pkg/utils/resource.go index 2d271e493..9912d0b5b 100644 --- a/pkg/utils/resource.go +++ b/pkg/utils/resource.go 
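Review bot: In FindFilesBySuffix a ReadDir failure other than ErrNotExist (permission denied is the common one) is logged at Debug and the directory skipped, so an unreadable subtree silently disappears from a security scan; log it at Warn with the error, or return it: `zap.S().Warnw("error while searching for files", "dir", dirList[i], "error", err)` (the current `zap.S().Debug(..., zap.String(...))` also renders the Field through fmt.Sprint rather than as a structured key). FilterFileInfoBySuffix appends a file once per suffix it matches, so overlapping suffixes would list the same file twice, and it returns pointers to freshly copied strings where a plain `[]string` would do. The `no directories found for path %s` error is also what a caller gets for a path that is a regular file, as the load-dir test in this patch relies on; a message that says so would save users a puzzle. FindAllDirectories starts outside this hunk, so I cannot tell whether symlinked directories are followed.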
@@ -1,3 +1,19 @@ +/* + Copyright (C) 2020 Accurics, Inc. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + package utils import ( diff --git a/pkg/utils/types.go b/pkg/utils/types.go new file mode 100644 index 000000000..57c55939c --- /dev/null +++ b/pkg/utils/types.go @@ -0,0 +1,10 @@ +package utils + +// IacDocument contains raw IaC file data and other metadata for a given file +type IacDocument struct { + Type string + StartLine int + EndLine int + FilePath string + Data []byte +} diff --git a/pkg/utils/yaml.go b/pkg/utils/yaml.go new file mode 100644 index 000000000..f19ce14be --- /dev/null +++ b/pkg/utils/yaml.go 
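Review bot: The IacDocument fields are undocumented and their contracts are only discoverable from LoadYAML/LoadJSON elsewhere in this patch; add field comments such as `// Type is YAMLDoc or JSONDoc (LoadJSON currently leaves it empty)`, `// StartLine and EndLine are 1-based line numbers of this document within FilePath, as computed by the loaders` and `// Data holds this single document re-marshalled in its source format`. Keep the EndLine wording hedged until the loaders agree on whether it is the last line or one past it, since json.go counts from 1 and increments per line.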
@@ -0,0 +1,132 @@
+package utils
+
+import (
+ "bufio"
+ "bytes"
+ "encoding/json"
+ "fmt"
+ "io"
+ "io/ioutil"
+ "log"
+ "os"
+ "strings"
+
+ "go.uber.org/zap"
+
+ "gopkg.in/yaml.v3"
+)
+
+const (
+ // YAMLDoc type for yaml files
+ YAMLDoc = "yaml"
+)
+
+var (
+ errHighDocumentCount = fmt.Errorf("document count was higher than expected count")
+)
+
+// LoadYAML loads a YAML file. Can return one or more IaC Documents.
+func LoadYAML(filePath string) ([]*IacDocument, error) {
+ iacDocumentList := make([]*IacDocument, 0)
+
+ // First pass determines line number data
+ { // Limit the scope for Close()
+ file, err := os.Open(filePath)
+ if err != nil {
+ return iacDocumentList, err
+ }
+ defer file.Close()
+
+ scanner := bufio.NewScanner(file)
+ startLineNumber := 1
+ currentLineNumber := 1
+ for scanner.Scan() {
+ if strings.HasPrefix(scanner.Text(), "---") {
+ // We've found the end-of-directives marker, so record results for the current document
+ iacDocumentList = append(iacDocumentList, &IacDocument{
+ Type: YAMLDoc,
+ StartLine: startLineNumber,
+ EndLine: currentLineNumber,
+ FilePath: filePath,
+ })
+ startLineNumber = currentLineNumber + 1
+ }
+ currentLineNumber++
+ }
+
+ // Add the very last entry
+ iacDocumentList = append(iacDocumentList, &IacDocument{
+ Type: YAMLDoc,
+ StartLine: startLineNumber,
+ EndLine: currentLineNumber,
+ FilePath: filePath,
+ })
+
+ if err = scanner.Err(); err != nil {
+ log.Fatal(err)
+ }
+ }
+
+ // Second pass extracts all YAML documents and saves it in the document struct
+ fileBytes, err := ioutil.ReadFile(filePath)
+ if err != nil {
+ return iacDocumentList, err
+ }
+
+ dec := yaml.NewDecoder(bytes.NewReader(fileBytes))
+ i := 0
+ for {
+ // each iteration extracts and marshals one yaml document
+ var value interface{}
+ err = dec.Decode(&value)
+ if err == io.EOF {
+ break
+ }
+ if err != nil {
+ return iacDocumentList, err
+ }
+ if i > (len(iacDocumentList) - 1) {
+ return iacDocumentList, errHighDocumentCount
+ }
+
+ var
documentBytes []byte
+ documentBytes, err = yaml.Marshal(value)
+ if err != nil {
+ return iacDocumentList, err
+ }
+ iacDocumentList[i].Data = documentBytes
+ i++
+ }
+
+ return iacDocumentList, nil
+}
+
+// YAMLtoJSON converts YAML byte data to JSON bytes
+func YAMLtoJSON(data []byte) (*map[string]interface{}, error) {
+ // fetch the YAML data into an interface type
+ var dataMap interface{}
+ err := yaml.Unmarshal(data, &dataMap)
+ if err != nil {
+ zap.S().Warn("unable to unmarshal yaml data")
+ return nil, err
+ }
+
+ // convert map[interface]interface to map[string]interface throughout the YAML data
+ var dataBytes []byte
+ dataMap = InterfaceToMapStringInterface(dataMap)
+
+ // marshal to json to produce the json bytes
+ if dataBytes, err = json.Marshal(dataMap); err != nil {
+ zap.S().Warn("unable to marshal json during conversion")
+ return nil, err
+ }
+
+ // convert back to map[string]interface with the json data
+ configData := make(map[string]interface{})
+ if err = json.Unmarshal(dataBytes, &configData); err != nil {
+ zap.S().Warn("unable to unmarshal json during conversion")
+ return nil, err
+ }
+
+ return &configData, nil
+}
diff --git a/pkg/version/version.go b/pkg/version/version.go
index 8096b2540..31997c6e7 100644
--- a/pkg/version/version.go
+++ b/pkg/version/version.go
@@ -17,7 +17,7 @@ package version
 // Terrascan The Terrascan version
-const Terrascan = "v1.0.0"
+const Terrascan = "v1.0.1"
 // Get returns the terrascan version
 func Get() string {
From 42853a78e5fd3ab1bb7d6b3788b121e63321460c Mon Sep 17 00:00:00 2001
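Review bot: LoadYAML handles a scanner failure with `log.Fatal(err)`, which terminates the whole process from a library function; return it instead, `if err = scanner.Err(); err != nil { return iacDocumentList, err }`. This matters in practice because bufio.Scanner's default token limit is 64 KiB, so one over-long line in a scanned file surfaces as bufio.ErrTooLong and currently ends the entire run rather than failing that one file — raise the limit with `scanner.Buffer(nil, maxYAMLLineBytes)` (`maxYAMLLineBytes` being a package constant you choose; constructed name) and propagate the error. The `defer file.Close()` inside the braced block runs at function return, not at block end, so the comment "Limit the scope for Close()" is misleading and the handle stays open while ioutil.ReadFile reads the same file again; an explicit `file.Close()` after the loop (or a small helper for the first pass) would make the comment true. The first pass also records a document for a `---` on line 1 which, as far as I can tell, the yaml.v3 decoder does not emit as a separate document, so the decoded data would land on the lines-1–1 entry and the real entry's Data stay nil; only the opposite mismatch is checked (errHighDocumentCount), so this is worth confirming against the multi-document test data.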
From: Willie Sana Date: Fri, 4 Sep 2020 01:42:11 -0700 Subject: [PATCH 2/8] =?UTF-8?q?initial=20kubernetes=20support=20(continued?= =?UTF-8?q?)=20-=20add=20Jon=E2=80=99s=20change=20for=20a=20relative=20dir?= =?UTF-8?q?ectory=20resolve=20bug=20-=20go.mod=20tidy=20-=20don=E2=80=99t?= =?UTF-8?q?=20call=20os.exit()=20from=20run()=20when=20running=20unit=20te?= =?UTF-8?q?sts=20-=20simplify=20k8s=20normalization=E2=80=94no=20manual=20?= =?UTF-8?q?json=20parsing=20-=20fix=20default=20AWS=20IaC=20type=20(was=20?= =?UTF-8?q?set=20to=20was=20instead=20of=20terraform)=20-=20fixed=20JSON?= =?UTF-8?q?=20loading=20bug=20-=20increased=20unit=20test=20coverage?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- go.mod | 6 +- go.sum | 61 +-------- pkg/cli/run.go | 3 +- pkg/cli/run_test.go | 56 ++++++++ pkg/cli/testdata/run-test/main.tf | 76 +++++++++++ pkg/cli/testdata/run-test/test_pod.yaml | 33 +++++ pkg/cli/testdata/run-test/variable.tf | 35 +++++ pkg/cli/testdata/run-test/web.tf | 81 ++++++++++++ pkg/iac-providers/kubernetes/v1/load-dir.go | 4 +- .../kubernetes/v1/load-dir_test.go | 21 ++- pkg/iac-providers/kubernetes/v1/load-file.go | 2 +- .../kubernetes/v1/load-file_test.go | 82 ++++++++++++ pkg/iac-providers/kubernetes/v1/normalize.go | 125 ++++++++++-------- .../testdata/file-test-data/empty-file.yaml | 0 .../v1/testdata/file-test-data/pod.json | 37 ++++++ .../testdata/file-test-data/test_bad_kind.yml | 33 +++++ .../file-test-data/test_bad_metadata.yml | 28 ++++ .../file-test-data/test_bad_metadata_name.yml | 29 ++++ .../file-test-data/test_bad_namespace.yml | 33 +++++ .../file-test-data/test_namespace.yaml | 4 + .../test_namespace_bad_metadata_name.yaml | 4 + .../testdata/file-test-data/test_no_kind.yml | 32 +++++ .../file-test-data/test_no_metadata.yml | 32 +++++ .../file-test-data/test_no_metadata_name.yml | 32 +++++ .../v1/testdata/file-test-data/test_pod.yaml | 33 +++++ .../v1/testdata/json-extension/pod.json | 37 ++++++ 
.../v1/testdata/yaml-extension2/test_pod.yml | 33 +++++ pkg/policy/aws.go | 2 +- pkg/policy/opa/engine_test.go | 1 + pkg/utils/json.go | 36 ++--- pkg/utils/map.go | 20 --- pkg/utils/yaml.go | 37 +----- 32 files changed, 843 insertions(+), 205 deletions(-) create mode 100644 pkg/cli/run_test.go create mode 100644 pkg/cli/testdata/run-test/main.tf create mode 100644 pkg/cli/testdata/run-test/test_pod.yaml create mode 100644 pkg/cli/testdata/run-test/variable.tf create mode 100644 pkg/cli/testdata/run-test/web.tf create mode 100644 pkg/iac-providers/kubernetes/v1/load-file_test.go create mode 100644 pkg/iac-providers/kubernetes/v1/testdata/file-test-data/empty-file.yaml create mode 100644 pkg/iac-providers/kubernetes/v1/testdata/file-test-data/pod.json create mode 100644 pkg/iac-providers/kubernetes/v1/testdata/file-test-data/test_bad_kind.yml create mode 100644 pkg/iac-providers/kubernetes/v1/testdata/file-test-data/test_bad_metadata.yml create mode 100644 pkg/iac-providers/kubernetes/v1/testdata/file-test-data/test_bad_metadata_name.yml create mode 100644 pkg/iac-providers/kubernetes/v1/testdata/file-test-data/test_bad_namespace.yml create mode 100644 pkg/iac-providers/kubernetes/v1/testdata/file-test-data/test_namespace.yaml create mode 100644 pkg/iac-providers/kubernetes/v1/testdata/file-test-data/test_namespace_bad_metadata_name.yaml create mode 100644 pkg/iac-providers/kubernetes/v1/testdata/file-test-data/test_no_kind.yml create mode 100644 pkg/iac-providers/kubernetes/v1/testdata/file-test-data/test_no_metadata.yml create mode 100644 pkg/iac-providers/kubernetes/v1/testdata/file-test-data/test_no_metadata_name.yml create mode 100644 pkg/iac-providers/kubernetes/v1/testdata/file-test-data/test_pod.yaml create mode 100644 pkg/iac-providers/kubernetes/v1/testdata/json-extension/pod.json create mode 100644 pkg/iac-providers/kubernetes/v1/testdata/yaml-extension2/test_pod.yml create mode 100644 pkg/policy/opa/engine_test.go delete mode 100644 pkg/utils/map.go 
diff --git a/go.mod b/go.mod
index 7c521466a..4e21118e5 100644
--- a/go.mod
+++ b/go.mod
@@ -3,12 +3,12 @@ module github.com/accurics/terrascan
 go 1.14
 require (
+ github.com/ghodss/yaml v1.0.0
 github.com/gorilla/mux v1.7.4
 github.com/hashicorp/go-retryablehttp v0.6.6
 github.com/hashicorp/go-version v1.2.0
 github.com/hashicorp/hcl/v2 v2.3.0
 github.com/hashicorp/terraform v0.12.28
- github.com/mitchellh/go-homedir v1.1.0
 github.com/open-policy-agent/opa v0.22.0
 github.com/pelletier/go-toml v1.8.0
 github.com/pkg/errors v0.9.1
@@ -17,11 +17,9 @@ require (
 github.com/spf13/pflag v1.0.5 // indirect
 github.com/zclconf/go-cty v1.2.1
 go.uber.org/zap v1.10.0
- golang.org/x/net v0.0.0-20200625001655-4c5254603344 // indirect
+ golang.org/x/net v0.0.0-20200822124328-c89045814202 // indirect
 golang.org/x/sys v0.0.0-20200814200057-3d37ad5750ed // indirect
 gopkg.in/src-d/go-git.v4 v4.13.1
 gopkg.in/yaml.v2 v2.3.0
 gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776
- k8s.io/apimachinery v0.18.8 // indirect
- k8s.io/client-go v11.0.0+incompatible
 )
diff --git a/go.sum b/go.sum
index ccb527f83..a5c70353c 100644
--- a/go.sum
+++ b/go.sum
@@ -27,12 +27,9 @@ github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/ChrisTrenkamp/goxpath v0.0.0-20170922090931-c385f95c6022/go.mod h1:nuWgzSkT5PnyOd+272uUmV0dnAnAn42Mk7PiQC5VzN4= -github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/OneOfOne/xxhash v1.2.7 h1:fzrmmkskv067ZQbd9wERNGuxckWw67dyzoMG62p7LMo= github.com/OneOfOne/xxhash v1.2.7/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= -github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/QcloudApi/qcloud_sign_golang v0.0.0-20141224014652-e4130a326409/go.mod h1:1pk82RBxDY/JZnPQrtqHlUFfCctgdorsd9M06fMynOM= github.com/Unknwon/com v0.0.0-20151008135407-28b053d5a292/go.mod h1:KYCjqMOeHpNuTOiFQU6WEcTG7poCJrUs0YgyHNtn1no= github.com/abdullin/seq v0.0.0-20160510034733-d5467c17e7af/go.mod h1:5Jv4cbFiHJMsVxt52+i0Ha45fjshj6wxYr1r19tB9bw= 
@@ -101,22 +98,17 @@ github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZm github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= github.com/dnaeon/go-vcr v0.0.0-20180920040454-5637cf3d8a31/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= -github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= github.com/dylanmei/iso8601 v0.1.0/go.mod h1:w9KhXSgIyROl1DefbMYIE7UVSIvELTbMrCfx+QkYnoQ= github.com/dylanmei/winrmtest v0.0.0-20190225150635-99b7fe2fddf1/go.mod h1:lcy9/2gH1jn/VCLouHA6tOEwLoNVd4GW6zhuKLmHC2Y= -github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= -github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg= github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/evanphx/json-patch v0.0.0-20200808040245-162e5629780b/go.mod h1:NAJj0yf/KaRKURN6nyi7A9IZydMivZEm9oQLWNjfKDc= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ= github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc= github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I= github.com/fsnotify/fsnotify v1.4.7/go.mod 
h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= -github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/ghodss/yaml v0.0.0-20180820084758-c7ce16629ff4/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= @@ -125,11 +117,6 @@ github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aev github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= -github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= -github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= -github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= -github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= -github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-test/deep v1.0.1/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= 
@@ -141,15 +128,12 @@ github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7a github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= github.com/gogo/protobuf v1.3.0/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= -github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20180513044358-24b0969c4cb7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= -github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v0.0.0-20181025225059-d3de96c4c28e/go.mod h1:Qd/q+1AKNOZr9uGQzbzCmRO6sUih6GTPZv6a1/R87v0= github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 
@@ -165,16 +149,12 @@ github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw github.com/google/go-cmp v0.3.1 h1:Xye71clBPdm5HgqGwUkwhbynsUJZhDbS20FvLhQ2izg= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= -github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= -github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= -github.com/googleapis/gnostic v0.1.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= github.com/gophercloud/gophercloud v0.0.0-20190208042652-bc37892e1968/go.mod h1:3WdhXV3rUYy9p6AUW8d94kr+HS62Y4VL9mBnFxsD8q4= github.com/gophercloud/utils v0.0.0-20190128072930-fbb6ab446f01/go.mod h1:wjDF8z83zTeg5eMLml5EBSlAhbF7G8DobyI1YsMuyzw= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= 
@@ -237,7 +217,6 @@ github.com/hashicorp/terraform-svchost v0.0.0-20191011084731-65d371908596 h1:hjy github.com/hashicorp/terraform-svchost v0.0.0-20191011084731-65d371908596/go.mod h1:kNDNcF7sN4DocDLBkQYz73HGKwN1ANB1blq4lIYLYvg= github.com/hashicorp/vault v0.10.4/go.mod h1:KfSyffbKxoVyspOdlaGVjIuwLobi07qD1bAbosPMpP0= github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= -github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= @@ -250,8 +229,6 @@ github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeY github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= github.com/joyent/triton-go v0.0.0-20180313100802-d8f9c0314926/go.mod h1:U+RSyWxWd04xTqnuOQxnai7XGS2PrPY2cfGoDKtMHjA= github.com/json-iterator/go v1.1.5/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= -github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= -github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jtolds/gls v4.2.1+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= 
@@ -286,7 +263,6 @@ github.com/likexian/simplejson-go v0.0.0-20190419151922-c1f9f0b4f084/go.mod h1:U github.com/likexian/simplejson-go v0.0.0-20190502021454-d8787b4bfa0b/go.mod h1:3BWwtmKP9cXWwYCr5bkoVDEfLywacOv0s06OBEDpyt8= github.com/lusis/go-artifactory v0.0.0-20160115162124-7e4ce345df82/go.mod h1:y54tfGmO3NKssKveTEFFzH8C/akrSOy/iW9qEAUDV84= github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= -github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/masterzen/simplexml v0.0.0-20160608183007-4572e39b1ab9/go.mod h1:kCEbxUJlNDEBNbdQMkPSp6yaKcRXVI6f4ddk8Riv4bc= github.com/masterzen/winrm v0.0.0-20190223112901-5e5c9a7fe54b/go.mod h1:wr1VqkwW0AB5JS0QLy5GpVMS9E3VtRoSYXUYyVk46KY= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= 
@@ -319,24 +295,15 @@ github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh github.com/mitchellh/panicwrap v1.0.0/go.mod h1:pKvZHwWrZowLUzftuFq7coarnxbBXU4aQh3N0BJOeeA= github.com/mitchellh/prefixedio v0.0.0-20190213213902-5733675afd51/go.mod h1:kB1naBgV9ORnkiTVeyJOI1DavaJkG4oNIq0Af6ZVKUo= github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= -github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/mozillazg/go-httpheader v0.2.1/go.mod h1:jJ8xECTlalr6ValeXYdOF8fFUISeBAdw6E61aqQma60= -github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= -github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d/go.mod h1:YUTz3bUH2ZwIWBy3CJBeOBEugqcmXREj14T+iG/4k4U= github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/olekukonko/tablewriter v0.0.1 h1:b3iUnf1v+ppJiOfNX4yxxqfWKMQPZR5yoh8urCTFX88= github.com/olekukonko/tablewriter v0.0.1/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= -github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= 
-github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= -github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/open-policy-agent/opa v0.22.0 h1:KZvn0uMQIorBIwYk8Vc89dp8No9FIEF8eFl0sc1r/1U= github.com/open-policy-agent/opa v0.22.0/go.mod h1:rrwxoT/b011T0cyj+gg2VvxqTtn6N3gp/jzmr3fjW44= github.com/packer-community/winrmcp v0.0.0-20180102160824-81144009af58/go.mod h1:f6Izs6JvFTdnRbziASagjZ2vmf55NSIkC/weStxCHqk= @@ -401,7 +368,6 @@ github.com/spf13/cobra v1.0.0 h1:6m/oheQuQ13N9ks4hubMG6BnvwOeaJrqSPLahSnczz8= github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= github.com/spf13/jwalterweatherman v1.0.0 h1:XHEdyB+EcvlqZamSM4ZOMGlc93t6AcsBEu9Gc1vn7yk= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= -github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v0.0.0-20181024212040-082b515c9490/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.3 h1:zPAT6CGy6wXeQ7NtTnaTerfKOsV6V6F8agHXFiazDkg= 
@@ -478,7 +444,6 @@ golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTk golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= -golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180530234432-1e491301e022/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -497,11 +462,10 @@ golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191009170851-d66e71096ffb/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200625001655-4c5254603344 h1:vGXIOMxbNfDTk/aXCmfdLgkrSV+Z2tcbze+pEc3v5W4= -golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20200822124328-c89045814202 h1:VvcQYSHwXgi7W+TpUR6A9g6Up98WAHf3f/ulnJ62IyA= +golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -510,11 +474,9 @@ golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -529,12 +491,10 @@ golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190804053845-51ab0e2deafa/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd h1:xhmwyvizuTgC2qz7ZlMluP20uW+C3Rm0FD/WLDX8884= golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200814200057-3d37ad5750ed h1:J22ig1FUekjjkmZUM7pTKixYm8DvrYsvrBZdunYeIuQ= golang.org/x/sys v0.0.0-20200814200057-3d37ad5750ed/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs= 
@@ -545,7 +505,6 @@ golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxb golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= @@ -591,7 +550,6 @@ gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/cheggaaa/pb.v1 v1.0.27/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= -gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/ini.v1 v1.42.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/src-d/go-billy.v4 v4.3.2 h1:0SQA1pRztfTFx2miS8sA97XvooFeNOmvUenF4o0EcVg= 
@@ -600,13 +558,11 @@ gopkg.in/src-d/go-git-fixtures.v3 v3.5.0 h1:ivZFOIltbce2Mo8IjzUHAFoq/IylO9WHhNOA gopkg.in/src-d/go-git-fixtures.v3 v3.5.0/go.mod h1:dLBcvytrw/TYZsNTWCnkNF2DSIlzWYqTe3rJR56Ac7g= gopkg.in/src-d/go-git.v4 v4.13.1 h1:SRtFyV8Kxc0UP7aCHcijOMQGPxHSmMOPrzulQWolkYE= gopkg.in/src-d/go-git.v4 v4.13.1/go.mod h1:nx5NYcxdKxq5fpltdHnPa2Exj4Sx0EclMWZQbYDu2z8= -gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME= gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ= 
@@ -616,17 +572,4 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc h1:/hemPrYIhOhy8zYrNj+069zDB68us2sMGsfkFJO0iZs= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -k8s.io/apimachinery v0.18.8 h1:jimPrycCqgx2QPearX3to1JePz7wSbVLq+7PdBTTwQ0= -k8s.io/apimachinery v0.18.8/go.mod h1:6sQd+iHEqmOtALqOFjSWp2KZ9F0wlU/nWm0ZgsYWMig= -k8s.io/client-go v1.5.1 h1:XaX/lo2/u3/pmFau8HN+sB5C/b4dc4Dmm2eXjBH4p1E= -k8s.io/client-go v11.0.0+incompatible h1:LBbX2+lOwY9flffWlJM7f1Ct8V2SRNiMRDFeiwnJo9o= -k8s.io/client-go v11.0.0+incompatible/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s= -k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= -k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= -k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= -k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= -sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw= -sigs.k8s.io/structured-merge-diff/v3 v3.0.0/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw= -sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= -sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= diff --git a/pkg/cli/run.go b/pkg/cli/run.go index 656e86111..4e70a3b91 100644 --- a/pkg/cli/run.go +++ b/pkg/cli/run.go @@ -17,6 +17,7 @@ package cli import ( + "flag" "os" "github.com/accurics/terrascan/pkg/runtime" 
@@ -41,7 +42,7 @@ func Run(iacType, iacVersion, cloudType, iacFilePath, iacDirPath, configFile,
 }
 writer.Write(format, violations, os.Stdout)
- if violations.ViolationStore.Count.TotalCount != 0 {
+ if violations.ViolationStore.Count.TotalCount != 0 && flag.Lookup("test.v") == nil {
 os.Exit(3)
 }
 }
diff --git a/pkg/cli/run_test.go b/pkg/cli/run_test.go
new file mode 100644
index 000000000..8beaee762
--- /dev/null
+++ b/pkg/cli/run_test.go
@@ -0,0 +1,56 @@
+/*
+ Copyright (C) 2020 Accurics, Inc.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package cli
+
+import (
+ "testing"
+)
+
+func TestRun(t *testing.T) {
+ table := []struct {
+ name string
+ iacType string
+ iacVersion string
+ cloudType string
+ iacFilePath string
+ iacDirPath string
+ configFile string
+ want string
+ wantErr error
+ }{
+ {
+ name: "normal terraform run",
+ cloudType: "terraform",
+ iacDirPath: "testdata/run-test",
+ want: "",
+ wantErr: nil,
+ },
+ {
+ name: "normal k8s run",
+ cloudType: "k8s",
+ iacDirPath: "testdata/run-test",
+ want: "",
+ wantErr: nil,
+ },
+ }
+
+ for _, tt := range table {
+ t.Run(tt.name, func(t *testing.T) {
+ Run(tt.iacType, tt.iacVersion, tt.cloudType, tt.iacFilePath, tt.iacDirPath, tt.configFile, "", "")
+ })
+ }
+}
diff --git a/pkg/cli/testdata/run-test/main.tf b/pkg/cli/testdata/run-test/main.tf
new file mode 100644
index 000000000..261800699
--- /dev/null
+++ b/pkg/cli/testdata/run-test/main.tf
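Review bot: `flag.Lookup("test.v") == nil` makes the production exit path depend on whether a `test.v` flag happens to be registered in the process, so any binary that defines such a flag silently loses the non-zero exit code, and the new test can only reach this line because of that sniff. A cleaner shape is for `Run` to return the intended exit status (or an error) and let the command wrapper call `os.Exit`, e.g. `return 3` here and `os.Exit(cli.Run(...))` in the caller, which a test can then assert on directly. `Run`'s signature and its caller are outside the hunk, so the exact return type to use is an assumption.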
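Review bot: `want` and `wantErr` are declared in the table but never checked — the loop only calls `Run`, so each case proves no more than that `Run` does not panic, while `Run` writes to `os.Stdout` and, per the sibling hunk, exits the process on violations unless the test flag is present. Either drop the two fields or capture a result from `Run` and assert on it, e.g. `if got := Run(...); got != tt.want { t.Fatalf("got %v, want %v", got, tt.want) }`. `cloudType: "terraform"` also reads like an iacType value rather than a cloud type; if it is not a recognised cloud type, the case passes only because nothing is asserted.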
@@ -0,0 +1,76 @@ +# Specify the provider and access details +provider "aws" { + region = "${var.aws_region}" +} + +provider "kubernetes" { +} + +# Create a VPC to launch our instances into +resource "aws_vpc" "acme_root" { + cidr_block = "10.0.0.0/16" + tags = { + Name = "acme_root" + } +} + +# Create an internet gateway to give our subnet access to the outside world +resource "aws_internet_gateway" "acme_root" { + vpc_id = "${aws_vpc.acme_root.id}" + tags = { + Name = "acme_root" + } +} + +# Grant the VPC internet access on its main route table +resource "aws_route" "acme_root" { + route_table_id = "${aws_vpc.acme_root.main_route_table_id}" + destination_cidr_block = "0.0.0.0/0" + gateway_id = "${aws_internet_gateway.acme_root.id}" +} + +# Create a subnet to launch our instances into +resource "aws_subnet" "acme_web" { + vpc_id = "${aws_vpc.acme_root.id}" + cidr_block = "10.0.1.0/24" + map_public_ip_on_launch = true + tags = { + Name = "acme_web" + } +} + +resource "aws_key_pair" "auth" { + key_name = "${var.key_name}" + public_key = "${file(var.public_key_path)}" +} + +# resource "aws_s3_bucket" "acme_main" { +# bucket = "main-bucket" +# acl = "private" +# } + +resource "aws_ecr_repository" "scanOnPushDisabled" { + name = "test" + + image_scanning_configuration { + scan_on_push = false + } +} + +resource "aws_ecr_repository_policy" "ecrRepoIsPublic" { + repository = "some-Repo-Name" + + policy = < Date: Fri, 4 Sep 2020 02:36:39 -0700 Subject: [PATCH 3/8] fixed merge issue - silenced a noisy log and downgraded the severity of another --- pkg/cli/run.go | 6 +++--- pkg/cli/run_test.go | 3 ++- pkg/iac-providers/kubernetes/v1/load-file.go | 4 ++-- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/pkg/cli/run.go b/pkg/cli/run.go index dba34da75..ccd76602a 100644 --- a/pkg/cli/run.go +++ b/pkg/cli/run.go 
@@ -41,13 +41,13 @@ func Run(iacType, iacVersion, cloudType, iacFilePath, iacDirPath, configFile,
 return
 }
- if configOnly {
+ if configOnly {
 writer.Write(format, results.ResourceConfig, os.Stdout)
 } else {
 writer.Write(format, results.Violations, os.Stdout)
 }
-
- if violations.ViolationStore.Count.TotalCount != 0 && flag.Lookup("test.v") == nil {
+
+ if results.Violations.ViolationStore.Count.TotalCount != 0 && flag.Lookup("test.v") == nil {
 os.Exit(3)
 }
 }
diff --git a/pkg/cli/run_test.go b/pkg/cli/run_test.go
index 8beaee762..6791532eb 100644
--- a/pkg/cli/run_test.go
+++ b/pkg/cli/run_test.go
@@ -29,6 +29,7 @@ func TestRun(t *testing.T) {
 iacFilePath string
 iacDirPath string
 configFile string
+ configOnly bool
 want string
 wantErr error
 }{
@@ -50,7 +51,7 @@ func TestRun(t *testing.T) {
 for _, tt := range table {
 t.Run(tt.name, func(t *testing.T) {
- Run(tt.iacType, tt.iacVersion, tt.cloudType, tt.iacFilePath, tt.iacDirPath, tt.configFile, "", "")
+ Run(tt.iacType, tt.iacVersion, tt.cloudType, tt.iacFilePath, tt.iacDirPath, tt.configFile, "", "", tt.configOnly)
 })
 }
 }
diff --git a/pkg/iac-providers/kubernetes/v1/load-file.go b/pkg/iac-providers/kubernetes/v1/load-file.go
index a4cb19626..d4a6b872c 100644
--- a/pkg/iac-providers/kubernetes/v1/load-file.go
+++ b/pkg/iac-providers/kubernetes/v1/load-file.go
@@ -27,7 +27,7 @@ func (k *K8sV1) LoadIacFile(absRootPath string) (allResourcesConfig output.AllRe
 return allResourcesConfig, err
 }
 if err != nil {
- zap.S().Warn("failed to load file", zap.String("file", absRootPath))
+ zap.S().Info("failed to load file", zap.String("file", absRootPath))
 return allResourcesConfig, err
 }
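Review bot: `results.Violations.ViolationStore.Count.TotalCount != 0` still drives `os.Exit(3)` when `configOnly` is set, even though in that mode only the resource config was written and the violations were never shown to the user; whether `results.Violations` is populated at all for a config-only run is not visible here. If config-only is meant as a pure extraction mode, gate the exit on it as well: `if !configOnly && results.Violations.ViolationStore.Count.TotalCount != 0 && flag.Lookup("test.v") == nil {`. The start of `Run` is outside the hunk.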
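Review bot: `zap.S().Info("failed to load file", zap.String("file", absRootPath))` hands a strongly typed `zap.Field` to the sugared logger's `Info`, which composes its message with `fmt.Sprint`, so the field is printed as a struct dump rather than a structured `file=` key/value; the new logging lines in the other hunks of this series (load-file.go `@@ -35`, load-dir.go, engine.go and path.go) follow the same form, most of them appending `zap.Error(err)` the same way. The sugared `w` methods accept `zap.Field` values directly, so the one-token fix is `zap.S().Infow("failed to load file", zap.String("file", absRootPath))`, and `Errorw`/`Warnw`/`Debugw` elsewhere (or `zap.L().Info(...)` with fields). The pre-existing lines share the habit, so a single sweep of the package is more useful than fixing only the changed lines.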
@@ -35,7 +35,7 @@ func (k *K8sV1) LoadIacFile(absRootPath string) (allResourcesConfig output.AllRe
 var config *output.ResourceConfig
 config, err = k.normalize(doc)
 if err !=nil {
- zap.S().Warn("unable to normalize data", zap.Error(err), zap.String("file", absRootPath))
+ zap.S().Debug("unable to normalize data", zap.Error(err), zap.String("file", absRootPath))
 continue
 }
From a94f3757e4bb7d6abae57b1ca391bff1125888d2 Mon Sep 17 00:00:00 2001
From: Willie Sana
Date: Tue, 8 Sep 2020 17:43:26 -0700
Subject: [PATCH 4/8] fixed review comments
- error message updates
- added config-only unit test
- removed unnecessary checks in the api server
- changed resource representation to match terraforms resource naming
---
 pkg/cli/testdata/run-test/config-only.tf | 6 ++++++
 pkg/cli/testdata/run-test/config-only.yaml | 4 ++++
 pkg/cli/testdata/run-test/main.tf | 14 +++++++-------
 pkg/cli/testdata/run-test/web.tf | 12 ++++++------
 4 files changed, 23 insertions(+), 13 deletions(-)
 create mode 100644 pkg/cli/testdata/run-test/config-only.tf
 create mode 100644 pkg/cli/testdata/run-test/config-only.yaml
diff --git a/pkg/cli/testdata/run-test/config-only.tf b/pkg/cli/testdata/run-test/config-only.tf
new file mode 100644
index 000000000..5871d8d91
--- /dev/null
+++ b/pkg/cli/testdata/run-test/config-only.tf
@@ -0,0 +1,6 @@
+resource "aws_subnet" "default" {
+ vpc_id = aws_vpc.default.id
+ cidr_block = "10.0.1.0/24"
+ map_public_ip_on_launch = true
+}
+
diff --git a/pkg/cli/testdata/run-test/config-only.yaml b/pkg/cli/testdata/run-test/config-only.yaml
new file mode 100644
index 000000000..39984ba9e
--- /dev/null
+++ b/pkg/cli/testdata/run-test/config-only.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: accurics
diff --git a/pkg/cli/testdata/run-test/main.tf b/pkg/cli/testdata/run-test/main.tf
index 261800699..96f4fbdef 100644
--- a/pkg/cli/testdata/run-test/main.tf
+++ b/pkg/cli/testdata/run-test/main.tf
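Review bot: Downgrading the normalize failure to `Debug` while keeping the `continue` means a document that cannot be normalized is dropped from `allResourcesConfig` with no signal at the default log level, so a malformed or unexpected manifest is simply not policy-checked rather than reported. If the intent is to tolerate non-Kubernetes YAML documents in the same tree, keep the quiet level for that case but make partial coverage visible — count the skipped documents and log once at `Warn`, or return an aggregated error — so a caller can tell a clean scan from a partially skipped one; at minimum `zap.S().Warnw("skipping document that could not be normalized", "file", absRootPath, "error", err)` keeps the event visible. The enclosing loop and the function's return are outside the hunk.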
@@ -1,6 +1,6 @@
 # Specify the provider and access details
 provider "aws" {
- region = "${var.aws_region}"
+ region = "var.aws_region"
 }
 provider "kubernetes" {
@@ -16,7 +16,7 @@ resource "aws_vpc" "acme_root" {
 # Create an internet gateway to give our subnet access to the outside world
 resource "aws_internet_gateway" "acme_root" {
- vpc_id = "${aws_vpc.acme_root.id}"
+ vpc_id = "aws_vpc.acme_root.id"
 tags = {
 Name = "acme_root"
 }
@@ -24,14 +24,14 @@ resource "aws_internet_gateway" "acme_root" {
 # Grant the VPC internet access on its main route table
 resource "aws_route" "acme_root" {
- route_table_id = "${aws_vpc.acme_root.main_route_table_id}"
+ route_table_id = "aws_vpc.acme_root.main_route_table_id"
 destination_cidr_block = "0.0.0.0/0"
- gateway_id = "${aws_internet_gateway.acme_root.id}"
+ gateway_id = "aws_internet_gateway.acme_root.id"
 }
 # Create a subnet to launch our instances into
 resource "aws_subnet" "acme_web" {
- vpc_id = "${aws_vpc.acme_root.id}"
+ vpc_id = "aws_vpc.acme_root.id"
 cidr_block = "10.0.1.0/24"
 map_public_ip_on_launch = true
 tags = {
@@ -40,8 +40,8 @@ resource "aws_subnet" "acme_web" {
 }
 resource "aws_key_pair" "auth" {
- key_name = "${var.key_name}"
- public_key = "${file(var.public_key_path)}"
+ key_name = "var.key_name"
+ public_key = "file(var.public_key_path)"
 }
 # resource "aws_s3_bucket" "acme_main" {
diff --git a/pkg/cli/testdata/run-test/web.tf b/pkg/cli/testdata/run-test/web.tf
index 41f5f9c09..65b9596b7 100644
--- a/pkg/cli/testdata/run-test/web.tf
+++ b/pkg/cli/testdata/run-test/web.tf
@@ -4,7 +4,7 @@ resource "aws_security_group" "acme_web" {
 name = "acme_web"
 description = "Used in the terraform"
- vpc_id = "${aws_vpc.acme_root.id}"
+ vpc_id = "aws_vpc.acme_root.id"
 tags = {
 Name = "acme_web"
@@ -55,18 +55,18 @@ resource "aws_instance" "acem_web" {
 # Lookup the correct AMI based on the region
 # we specified
- ami = "${lookup(var.aws_amis, var.aws_region)}"
+ ami = "lookup(var.aws_amis, var.aws_region)"
 # The name of our SSH keypair we created above.
- key_name = "${aws_key_pair.auth.id}"
+ key_name = "aws_key_pair.auth.id"
 # Our Security group to allow HTTP and SSH access
- vpc_security_group_ids = ["${aws_security_group.acme_web.id}"]
+ vpc_security_group_ids = ["aws_security_group.acme_web.id"]
 # We're going to launch into the same subnet as our ELB. In a production
 # environment it's more common to have a separate private subnet for
 # backend instances.
- subnet_id = "${aws_subnet.acme_web.id}"
+ subnet_id = "aws_subnet.acme_web.id"
 # We run a remote provisioner on the instance after creating it.
 # In this case, we just install nginx and start it. By default,
@@ -78,4 +78,4 @@ resource "aws_instance" "acem_web" {
 # "sudo service nginx start",
 # ]
 # }
-}
\ No newline at end of file
+}
From ae346e8e54b6709cdf149c634b06996bef4717ed Mon Sep 17 00:00:00 2001
From: Willie Sana
Date: Fri, 11 Sep 2020 00:41:15 -0700
Subject: [PATCH 5/8] add changes missing from the last commit
- error message updates
- added config-only unit test
- removed unnecessary checks in the api server
- changed resource representation to match terraforms resource naming
- fixed namespace name issue
- added specific handling for daemonsets
- updated version to 1.1.0
---
 go.mod | 3 ++
 go.sum | 23 ++++++++++
 pkg/cli/run_test.go | 17 +++++--
 pkg/http-server/file-scan.go | 11 -----
 pkg/http-server/file-scan_test.go | 15 +++++++
 pkg/iac-providers/kubernetes/v1/load-dir.go | 3 ++
 pkg/iac-providers/kubernetes/v1/load-file.go | 2 +-
 pkg/iac-providers/kubernetes/v1/normalize.go | 22 +++++++--
 pkg/iac-providers/kubernetes/v1/types.go | 2 +-
 pkg/policy/opa/engine.go | 47 +++++++++++++++-----
 pkg/utils/path.go | 3 +-
 pkg/version/version.go | 2 +-
 12 files changed, 116 insertions(+), 34 deletions(-)
diff --git a/go.mod b/go.mod
index 4e21118e5..bc2579684 100644
--- a/go.mod
+++ b/go.mod
@@ -9,6 +9,7 @@ require (
 github.com/hashicorp/go-version v1.2.0
 github.com/hashicorp/hcl/v2 v2.3.0
 github.com/hashicorp/terraform v0.12.28
+ github.com/iancoleman/strcase v0.1.1
 github.com/open-policy-agent/opa v0.22.0
 github.com/pelletier/go-toml v1.8.0
 github.com/pkg/errors v0.9.1
@@ -19,7 +20,9 @@ require (
 go.uber.org/zap v1.10.0
 golang.org/x/net v0.0.0-20200822124328-c89045814202 // indirect
 golang.org/x/sys v0.0.0-20200814200057-3d37ad5750ed // indirect
+ golang.org/x/tools v0.0.0-20200911040025-d179df38ff46 // indirect
 gopkg.in/src-d/go-git.v4 v4.13.1
 gopkg.in/yaml.v2 v2.3.0
 gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776
+ honnef.co/go/tools v0.0.1-2020.1.5 // indirect
 )
diff --git a/go.sum b/go.sum
index a5c70353c..b32c6fce5 100644
--- a/go.sum
+++ b/go.sum
@@ -152,6 +152,7 @@ github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
@@ -217,6 +218,8 @@ github.com/hashicorp/terraform-svchost v0.0.0-20191011084731-65d371908596 h1:hjy
 github.com/hashicorp/terraform-svchost v0.0.0-20191011084731-65d371908596/go.mod h1:kNDNcF7sN4DocDLBkQYz73HGKwN1ANB1blq4lIYLYvg=
 github.com/hashicorp/vault v0.10.4/go.mod h1:KfSyffbKxoVyspOdlaGVjIuwLobi07qD1bAbosPMpP0=
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
+github.com/iancoleman/strcase v0.1.1 h1:2I+LRClyCYB7JgZb9U0k75VHUiQe9RfknRqDyUfzp7k=
+github.com/iancoleman/strcase v0.1.1/go.mod h1:SK73tn/9oHe+/Y0h39VT4UCxmurVJkR5NA7kMEAOgSE=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
@@ -343,6 +346,7 @@ github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40T
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a h1:9ZKAASQSHhDYGoxY8uLVpewe1GDZ2vu2Tr/vTdVAkFQ=
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
+github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
@@ -404,6 +408,7 @@ github.com/xlab/treeprint v0.0.0-20161029104018-1d6e34225557/go.mod h1:ce1O1j6Ut
 github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
 github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b h1:vVRagRXf67ESqAb72hG2C/ZwI8NtJF2u2V76EsuOHGY=
 github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b/go.mod h1:HptNXiXVDcJjXe9SqMd0v2FsL9f8dz4GnXgltU6q/co=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/zclconf/go-cty v1.0.0/go.mod h1:xnAOWiHeOqg2nWS62VtQ7pbOu17FtxJNW8RLEih+O3s=
 github.com/zclconf/go-cty v1.1.0/go.mod h1:xnAOWiHeOqg2nWS62VtQ7pbOu17FtxJNW8RLEih+O3s=
 github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8=
@@ -428,9 +433,11 @@ golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnf
 golang.org/x/crypto v0.0.0-20190222235706-ffb98f73852f/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -444,6 +451,9 @@ golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTk
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
+golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
+golang.org/x/mod v0.3.0 h1:RM4zey1++hCTbCVQfnWeKs9/IEsaBLA8vTkd0WVtmH4=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20180530234432-1e491301e022/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -474,6 +484,7 @@ golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -519,7 +530,16 @@ golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgw
 golang.org/x/tools v0.0.0-20190729092621-ff9f1409240a/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI=
 golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72 h1:bw9doJza/SFBEweII/rHQh338oozWyiFsBRHtrflcws=
 golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200908211811-12e1bf57a112 h1:DmrRJy1qn9VDMf4+GSpRlwfZ51muIF7r96MFBFP4bPM=
+golang.org/x/tools v0.0.0-20200908211811-12e1bf57a112/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
+golang.org/x/tools v0.0.0-20200911040025-d179df38ff46 h1:raJJRwvMVMFKqxzg7RylyOftEg8WyqM4BjTmQyG+U48=
+golang.org/x/tools v0.0.0-20200911040025-d179df38ff46/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
@@ -549,6 +569,7 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/cheggaaa/pb.v1 v1.0.27/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
+gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/ini.v1 v1.42.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
@@ -572,4 +593,6 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc h1:/hemPrYIhOhy8zYrNj+069zDB68us2sMGsfkFJO0iZs=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.1-2020.1.5 h1:nI5egYTGJakVyOryqLs1cQO5dO0ksin5XXs2pspk75k=
+honnef.co/go/tools v0.0.1-2020.1.5/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
diff --git a/pkg/cli/run_test.go b/pkg/cli/run_test.go
index 6791532eb..6c9ecfe81 100644
--- a/pkg/cli/run_test.go
+++ b/pkg/cli/run_test.go
@@ -30,6 +30,7 @@ func TestRun(t *testing.T) {
 iacDirPath string
 configFile string
 configOnly bool
+ stdOut string
 want string
 wantErr error
 }{
@@ -37,15 +38,23 @@ func TestRun(t *testing.T) {
 name: "normal terraform run",
 cloudType: "terraform",
 iacDirPath: "testdata/run-test",
- want: "",
- wantErr: nil,
 },
 {
 name: "normal k8s run",
 cloudType: "k8s",
 iacDirPath: "testdata/run-test",
- want: "",
- wantErr: nil,
+ },
+ {
+ name: "config-only flag terraform",
+ cloudType: "terraform",
+ iacFilePath: "testdata/run-test/config-only.tf",
+ configOnly: true,
+ },
+ {
+ name: "config-only flag k8s",
+ cloudType: "k8s",
+ iacFilePath: "testdata/run-test/config-only.yaml",
+ configOnly: true,
 },
 }
diff --git a/pkg/http-server/file-scan.go b/pkg/http-server/file-scan.go
index 5fe443440..b49ebfc29 100644
--- a/pkg/http-server/file-scan.go
+++ b/pkg/http-server/file-scan.go
@@ -23,8 +23,6 @@ import (
 "net/http"
 "os"
- "github.com/accurics/terrascan/pkg/policy"
-
 "github.com/accurics/terrascan/pkg/runtime"
 "github.com/gorilla/mux"
 "go.uber.org/zap"
@@ -83,15 +81,6 @@ func (g *APIHandler) scanFile(w http.ResponseWriter, r *http.Request) {
 // write this byte array to our temporary file
 tempFile.Write(fileBytes)
- // set default iac type/version if not already set
- if iacType == "" {
- iacType = policy.GetDefaultIacType(cloudType)
- }
-
- if iacVersion == "" {
- iacVersion = policy.GetDefaultIacVersion(cloudType)
- }
-
 // create a new runtime executor for scanning the uploaded file
 var executor *runtime.Executor
 if g.test {
diff --git a/pkg/http-server/file-scan_test.go b/pkg/http-server/file-scan_test.go
index a40016cf4..6928e2b72 100644
--- a/pkg/http-server/file-scan_test.go
+++ b/pkg/http-server/file-scan_test.go
@@ -34,6 +34,21 @@ func TestUpload(t *testing.T) {
 cloudType: "aws",
 wantStatus: http.StatusOK,
 },
+ {
+ name: "valid file scan default iac type",
+ path: "./testdata/testconfig.tf",
+ param: "file",
+ cloudType: "aws",
+ wantStatus: http.StatusOK,
+ },
+ {
+ name: "valid file scan default iac version",
+ path: "./testdata/testconfig.tf",
+ param: "file",
+ iacType: "terraform",
+ cloudType: "aws",
+ wantStatus: http.StatusOK,
+ },
 {
 name: "invalid iacType",
 path: "./testdata/testconfig.tf",
diff --git a/pkg/iac-providers/kubernetes/v1/load-dir.go b/pkg/iac-providers/kubernetes/v1/load-dir.go
index 66e86fb52..4c9e7bb85 100644
--- a/pkg/iac-providers/kubernetes/v1/load-dir.go
+++ b/pkg/iac-providers/kubernetes/v1/load-dir.go
@@ -4,6 +4,8 @@ import (
 "path/filepath"
 "strings"
+ "go.uber.org/zap"
+
 "github.com/accurics/terrascan/pkg/iac-providers/output"
 "github.com/accurics/terrascan/pkg/utils"
 )
@@ -26,6 +28,7 @@ func (k *K8sV1) LoadIacDir(absRootDir string) (output.AllResourceConfigs, error)
 fileMap, err := utils.FindFilesBySuffix(absRootDir, K8sFileExtensions())
 if err != nil {
+ zap.S().Warn("error while searching for iac files", zap.String("root dir", absRootDir), zap.Error(err))
 return allResourcesConfig, err
 }
diff --git a/pkg/iac-providers/kubernetes/v1/load-file.go b/pkg/iac-providers/kubernetes/v1/load-file.go
index d4a6b872c..2f663240c 100644
--- a/pkg/iac-providers/kubernetes/v1/load-file.go
+++ b/pkg/iac-providers/kubernetes/v1/load-file.go
@@ -23,7 +23,7 @@ func (k *K8sV1) LoadIacFile(absRootPath string) (allResourcesConfig output.AllRe
 case JSONExtension:
 iacDocuments, err = utils.LoadJSON(absRootPath)
 default:
- zap.S().Warn("unknown extension found", zap.String("extension", fileExt))
+ zap.S().Error("unknown extension found", zap.String("extension", fileExt))
 return allResourcesConfig, err
 }
 if err != nil {
diff --git a/pkg/iac-providers/kubernetes/v1/normalize.go b/pkg/iac-providers/kubernetes/v1/normalize.go
index 9a5eaf492..09267fb1e 100644
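Review bot: In the `default:` branch `return allResourcesConfig, err` returns whatever `err` held before the `switch` — unless it was assigned earlier (that part of `LoadIacFile` is outside the hunk) that is `nil`, so an unsupported extension is logged at `Error` level yet reported to the caller as a successful load with an empty config, and `LoadIacDir` and the API handler cannot tell the two apart. Return a real error from that branch, e.g. `return allResourcesConfig, fmt.Errorf("unsupported file extension %q", fileExt)` (adding the `fmt` import if the file lacks it), or a new package sentinel such as `errUnsupportedExtension` that callers can match with `errors.Is`. Raising the log level alone does not change what the function promises.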
--- a/pkg/iac-providers/kubernetes/v1/normalize.go
+++ b/pkg/iac-providers/kubernetes/v1/normalize.go
@@ -23,6 +23,7 @@ import (
 "github.com/accurics/terrascan/pkg/iac-providers/output"
 "github.com/accurics/terrascan/pkg/utils"
 yamltojson "github.com/ghodss/yaml"
+ "github.com/iancoleman/strcase"
 "gopkg.in/yaml.v3"
 )
@@ -70,6 +71,19 @@ func (k *K8sV1) extractResource(doc *utils.IacDocument) (*k8sResource, *[]byte,
 }
 }
+// getNormalizedName returns the normalized name
+// this matches the terraform-defined resource type when applicable
+func (k *K8sV1) getNormalizedName(kind string) string {
+ var name string
+ switch kind {
+ case "DaemonSet":
+ name = kubernetesTypeName + "_daemonset"
+ default:
+ name = kubernetesTypeName + "_" + strcase.ToSnake(kind)
+ }
+ return name
+}
+
 // normalize takes the input document and normalizes it
 func (k *K8sV1) normalize(doc *utils.IacDocument) (*output.ResourceConfig, error) {
@@ -79,6 +93,9 @@ func (k *K8sV1) normalize(doc *utils.IacDocument) (*output.ResourceConfig, error
 }
 var resourceConfig output.ResourceConfig
+
+ resourceConfig.Type = k.getNormalizedName(resource.Kind)
+
 switch resource.Kind {
 case "":
 // error case
@@ -87,7 +104,7 @@ func (k *K8sV1) normalize(doc *utils.IacDocument) (*output.ResourceConfig, error
 case "ClusterRole":
 fallthrough
 case "Namespace":
- resourceConfig.ID = kubernetesTypeName + resource.Kind + "." + resource.Metadata.Name
+ resourceConfig.ID = resourceConfig.Type + "." + resource.Metadata.Name
 default:
 // namespaced-resources
 namespace := resource.Metadata.Namespace
@@ -95,7 +112,7 @@ func (k *K8sV1) normalize(doc *utils.IacDocument) (*output.ResourceConfig, error
 namespace = "default"
 }
- resourceConfig.ID = kubernetesTypeName + resource.Kind + "." + resource.Metadata.Name + "." + namespace
+ resourceConfig.ID = resourceConfig.Type + "." + resource.Metadata.Name + "." + namespace
 }
 configData := make(map[string]interface{})
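Review bot: The doc comment on `getNormalizedName` says the result matches the Terraform resource type "when applicable" but does not say why `DaemonSet` is the one kind that bypasses `strcase.ToSnake`, so the next reader will take the case for a leftover. Suggest, above the `case`: `// DaemonSet is special-cased: strcase.ToSnake would give "daemon_set", while the Terraform kubernetes provider names the resource kubernetes_daemonset.`, and a sentence in the function comment saying that every other kind is converted generically, so any further kind whose Terraform name diverges from plain snake case needs its own case here. Stylistically the `var name` / `switch` / `return name` can be two direct `return` statements, which makes the per-kind mapping read as a table.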
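Review bot: `resourceConfig.Type + "." + resource.Metadata.Name + "." + namespace` uses `.` as the separator, but Kubernetes `metadata.name` values for most kinds are DNS subdomains and may themselves contain dots, so an ID such as `kubernetes_pod.web.v2.default` cannot be split back into type/name/namespace unambiguously; the cluster-scoped form two lines up has the same property. If anything downstream parses the ID (not visible here), pick a separator that cannot occur in a Kubernetes name, or keep the ID opaque and carry name and namespace as separate fields of the config. An empty `Metadata.Name` also passes through silently and yields an ID ending in `.`; whether `extractResource` (outside the hunk) already rejects that is an assumption to confirm.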
@@ -103,7 +120,6 @@ func (k *K8sV1) normalize(doc *utils.IacDocument) (*output.ResourceConfig, error
 return nil, err
 }
- resourceConfig.Type = kubernetesTypeName + resource.Kind
 resourceConfig.Name = resource.Metadata.Name
 resourceConfig.Config = configData
diff --git a/pkg/iac-providers/kubernetes/v1/types.go b/pkg/iac-providers/kubernetes/v1/types.go
index 9ef1aa19d..231dd3bee 100644
--- a/pkg/iac-providers/kubernetes/v1/types.go
+++ b/pkg/iac-providers/kubernetes/v1/types.go
@@ -32,7 +32,7 @@ const (
 // UnknownExtension unknown
 UnknownExtension = "unknown"
- kubernetesTypeName = "k8s_"
+ kubernetesTypeName = "kubernetes"
 defaultNamespace = "default"
 )
diff --git a/pkg/policy/opa/engine.go b/pkg/policy/opa/engine.go
index cb2ca3b1b..83b57b712 100644
--- a/pkg/policy/opa/engine.go
+++ b/pkg/policy/opa/engine.go
@@ -53,7 +53,7 @@ func NewEngine(policyPath string) (*Engine, error) {
 // initialize the engine
 if err := engine.Init(policyPath); err != nil {
- zap.S().Error("failed to initialize OPA policy engine")
+ zap.S().Error("failed to initialize OPA policy engine", zap.Error(err))
 return engine, errInitFailed
 }
@@ -67,7 +67,7 @@ func (e *Engine) LoadRegoMetadata(metaFilename string) (*RegoMetadata, error) {
 metadata, err := ioutil.ReadFile(metaFilename)
 if err != nil {
 if !errors.Is(err, os.ErrNotExist) {
- zap.S().Error("failed to load rego metadata", zap.String("file", metaFilename))
+ zap.S().Error("failed to load rego metadata", zap.String("file", metaFilename), zap.Error(err))
 }
 return nil, err
 }
@@ -75,7 +75,7 @@ func (e *Engine) LoadRegoMetadata(metaFilename string) (*RegoMetadata, error) {
 // Read metadata into struct
 regoMetadata := RegoMetadata{}
 if err = json.Unmarshal(metadata, ®oMetadata); err != nil {
- zap.S().Error("failed to unmarshal rego metadata", zap.String("file", metaFilename))
+ zap.S().Error("failed to unmarshal rego metadata", zap.String("file", metaFilename), zap.Error(err))
 return nil, err
 }
 return ®oMetadata, err
@@ -87,7 +87,7 @@ func (e *Engine) loadRawRegoFilesIntoMap(currentDir string, regoDataList []*Rego
 regoPath := filepath.Join(currentDir, regoDataList[i].Metadata.File)
 rawRegoData, err := ioutil.ReadFile(regoPath)
 if err != nil {
- zap.S().Debug("failed to load rego file", zap.String("file", regoPath))
+ zap.S().Error("failed to load rego file", zap.String("file", regoPath), zap.Error(err))
 continue
 }
@@ -95,6 +95,7 @@ func (e *Engine) loadRawRegoFilesIntoMap(currentDir string, regoDataList []*Rego
 _, ok := (*regoFileMap)[regoPath]
 if ok {
 // Already loaded this file, so continue
+ zap.S().Debug("skipping already loaded rego file", zap.String("file", regoPath))
 continue
 }
@@ -147,10 +148,24 @@ func (e *Engine) LoadRegoFiles(policyPath string) error {
 var regoMetadata *RegoMetadata
 regoMetadata, err = e.LoadRegoMetadata(filePath)
 if err != nil {
- zap.S().Debug("error loading rego metadata", zap.String("file", filePath))
+ zap.S().Error("error loading rego metadata", zap.String("file", filePath), zap.Error(err))
 continue
 }
+ // Perform some sanity checks
+ if strings.Contains(regoMetadata.Name, ".") {
+ zap.S().Error("error loading rego metadata: rule name must not contain a dot character", zap.String("name", regoMetadata.Name), zap.String("file", filePath))
+ continue
+ }
+
+ // Check for default template variable values specified
+ if val, ok := regoMetadata.TemplateArgs["name"]; ok {
+ zap.S().Warn("reserved template name arg was specified", zap.String("name", regoMetadata.Name), zap.String("file", filePath), zap.String("template arg", val.(string)))
+ } else {
+ // Add reserved template variable values
+ regoMetadata.TemplateArgs["name"] = regoMetadata.Name
+ }
+
 regoData := RegoData{
 Metadata: *regoMetadata,
 }
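Review bot: `regoMetadata.TemplateArgs["name"] = regoMetadata.Name` writes into a map that comes straight from `json.Unmarshal` of the metadata file, so a metadata file with no template-args object leaves the map `nil` and the assignment panics, and `val.(string)` in the other branch panics when the file gives `name` a non-string value — both are triggered by a malformed file under `policyPath`, which should degrade to a skipped rule, not a crashed scan. Guard both: `if regoMetadata.TemplateArgs == nil { regoMetadata.TemplateArgs = make(map[string]interface{}) }` before the lookup (using whatever map type the field declares), and log the existing value with `zap.Any("template arg", val)` instead of asserting. The loop that owns `filePath` and the `RegoMetadata` definition are outside the hunk, so whether the loader already guarantees a non-nil map is an assumption to confirm.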
@@ -161,7 +176,7 @@ func (e *Engine) LoadRegoFiles(policyPath string) error {
 // Read in raw rego data from associated rego files
 if err = e.loadRawRegoFilesIntoMap(dirList[i], regoDataList, &e.regoFileMap); err != nil {
- zap.S().Debug("error loading raw rego data", zap.String("dir", dirList[i]))
+ zap.S().Error("error loading raw rego data", zap.String("dir", dirList[i]), zap.Error(err))
 continue
 }
@@ -176,16 +191,20 @@ func (e *Engine) LoadRegoFiles(policyPath string) error {
 t := template.New("opa")
 _, err = t.Parse(string(e.regoFileMap[templateFile]))
 if err != nil {
- zap.S().Debug("unable to parse template", zap.String("template", regoDataList[j].Metadata.File))
+ zap.S().Error("unable to parse template", zap.String("template", regoDataList[j].Metadata.File), zap.Error(err))
 continue
 }
 if err = t.Execute(&templateData, regoDataList[j].Metadata.TemplateArgs); err != nil {
- zap.S().Debug("unable to execute template", zap.String("template", regoDataList[j].Metadata.File))
+ zap.S().Error("unable to execute template", zap.String("template", regoDataList[j].Metadata.File), zap.Error(err))
 continue
 }
 regoDataList[j].RawRego = templateData.Bytes()
- e.regoDataMap[regoDataList[j].Metadata.Name] = regoDataList[j]
+ if regoDataList[j].RawRego == nil {
+ zap.S().Debug("raw rego data was null after applying template", zap.String("template", regoDataList[j].Metadata.File))
+ continue
+ }
+ e.regoDataMap[regoDataList[j].Metadata.ReferenceID] = regoDataList[j]
 }
 }
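Review bot: Keying `e.regoDataMap` by `Metadata.ReferenceID` means a duplicate or empty `ReferenceID` across policy files silently replaces the earlier entry, and the sanity check added earlier in `LoadRegoFiles` validates only `Name`, not the field that is now the key. Add a guard before the assignment, e.g. `if _, dup := e.regoDataMap[regoDataList[j].Metadata.ReferenceID]; dup { zap.S().Errorw("duplicate rule reference id", "id", regoDataList[j].Metadata.ReferenceID, "file", regoDataList[j].Metadata.File); continue }`, and reject an empty id next to the dot check. Separately, `templateData.Bytes()` returns a slice aliasing the buffer's storage; if `templateData` is declared outside the `j` loop and reset between iterations (its declaration is not in the hunk), every `RawRego` would share one backing array, and `len(regoDataList[j].RawRego) == 0` is a more robust emptiness test than `== nil`.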
@@ -233,13 +252,13 @@ func (e *Engine) Init(policyPath string) error { e.context = context.Background() if err := e.LoadRegoFiles(policyPath); err != nil { - zap.S().Error("error loading rego files", zap.String("policy path", policyPath)) + zap.S().Error("error loading rego files", zap.String("policy path", policyPath), zap.Error(err)) return err } err := e.CompileRegoFiles() if err != nil { - zap.S().Error("error compiling rego files", zap.String("policy path", policyPath)) + zap.S().Error("error compiling rego files", zap.String("policy path", policyPath), zap.Error(err)) return err } @@ -307,16 +326,18 @@ func (e *Engine) Evaluate(engineInput policy.EngineInput) (policy.EngineOutput, // Execute the prepared query. rs, err := e.regoDataMap[k].PreparedQuery.Eval(e.context, rego.EvalInput(engineInput.InputData)) if err != nil { - zap.S().Warn("failed to run prepared query", zap.Error(err), zap.String("rule", "'"+k+"'")) + zap.S().Warn("failed to run prepared query", zap.Error(err), zap.String("rule", "'"+k+"'"), zap.String("file", e.regoDataMap[k].Metadata.File)) continue } if len(rs) == 0 || len(rs[0].Expressions) == 0 { + zap.S().Debug("query executed but found no matches", zap.Error(err), zap.String("rule", "'"+k+"'")) continue } resourceViolations := rs[0].Expressions[0].Value.([]interface{}) if len(resourceViolations) == 0 { + zap.S().Debug("query executed but found no violations", zap.Error(err), zap.String("rule", "'"+k+"'")) continue } @@ -360,6 +381,8 @@ func (e *Engine) Evaluate(engineInput policy.EngineInput) (policy.EngineOutput, continue } + zap.S().Debug("violation found for rule with rego", zap.String("rego", string("\n")+string(e.regoDataMap[k].RawRego)+string("\n"))) + // Report the violation e.reportViolation(e.regoDataMap[k], resource) } diff --git a/pkg/utils/path.go b/pkg/utils/path.go index b47b2c72b..382ad2200 100644 --- a/pkg/utils/path.go +++ b/pkg/utils/path.go 
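Review bot: The new debug line in Evaluate dumps the entire templated Rego source of the rule for every violation found, so at debug level the log grows by one full policy text per violating resource, repeating content that is identical from one violation to the next. Logging the identifying metadata is enough at this point, e.g. `zap.S().Debugw("violation found", "rule", k, "file", e.regoDataMap[k].Metadata.File)`; if the rendered Rego is useful for debugging templates, log it once where it is produced in LoadRegoFiles. The `string("\n")` conversions are no-ops on string literals and can be dropped. Evaluate starts and ends outside the hunk.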
@@ -82,6 +82,7 @@ func FindFilesBySuffix(basePath string, suffixes []string) (map[string][]*string // Walk the file path and find all directories dirList, err := FindAllDirectories(basePath) if err != nil { + zap.S().Error("error encountered traversing directories", zap.String("base path", basePath), zap.Error(err)) return retMap, err } @@ -96,7 +97,7 @@ func FindFilesBySuffix(basePath string, suffixes []string) (map[string][]*string fileInfo, err = ioutil.ReadDir(dirList[i]) if err != nil { if !errors.Is(err, os.ErrNotExist) { - zap.S().Debug("error while searching for files", zap.String("dir", dirList[i])) + zap.S().Debug("error while searching for files", zap.String("dir", dirList[i]), zap.Error(err)) } continue } diff --git a/pkg/version/version.go b/pkg/version/version.go index 31997c6e7..0217e17fc 100644 --- a/pkg/version/version.go +++ b/pkg/version/version.go @@ -17,7 +17,7 @@ package version // Terrascan The Terrascan version -const Terrascan = "v1.0.1" +const Terrascan = "v1.1.0" // Get returns the terrascan version func Get() string { From d5418b563384a953f812aa47b62881eecdbcb7f1 Mon Sep 17 00:00:00 2001 From: Willie Sana Date: Sat, 12 Sep 2020 14:19:47 -0700 Subject: [PATCH 6/8] clean up go.mod/go.sum --- go.mod | 2 -- go.sum | 21 --------------------- 2 files changed, 23 deletions(-) diff --git a/go.mod b/go.mod index bc2579684..db2ddde7d 100644 --- a/go.mod +++ b/go.mod @@ -20,9 +20,7 @@ require ( go.uber.org/zap v1.10.0 golang.org/x/net v0.0.0-20200822124328-c89045814202 // indirect golang.org/x/sys v0.0.0-20200814200057-3d37ad5750ed // indirect - golang.org/x/tools v0.0.0-20200911040025-d179df38ff46 // indirect gopkg.in/src-d/go-git.v4 v4.13.1 gopkg.in/yaml.v2 v2.3.0 gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 - honnef.co/go/tools v0.0.1-2020.1.5 // indirect ) diff --git a/go.sum b/go.sum index b32c6fce5..dd1d60878 100644 --- a/go.sum +++ b/go.sum 
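Review bot: The Error log added before `return retMap, err` in FindFilesBySuffix reports a failure that is also handed back to the caller, and callers in this same series log returned errors again (Init logs the error it gets from LoadRegoFiles), so the traversal error will likely appear twice; handle it at one layer — return it here and let the caller log, or log here and document that the caller need not. If the log stays, use `zap.S().Errorw("error encountered traversing directories", "base path", basePath, "error", err)`: the sugared logger formats `zap.String`/`zap.Error` fields with fmt rather than as structured fields. FindFilesBySuffix continues outside the hunk.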
@@ -152,7 +152,6 @@ github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= -github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= @@ -346,7 +345,6 @@ github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40T github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a h1:9ZKAASQSHhDYGoxY8uLVpewe1GDZ2vu2Tr/vTdVAkFQ= github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= -github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= 
@@ -408,7 +406,6 @@ github.com/xlab/treeprint v0.0.0-20161029104018-1d6e34225557/go.mod h1:ce1O1j6Ut github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b h1:vVRagRXf67ESqAb72hG2C/ZwI8NtJF2u2V76EsuOHGY= github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b/go.mod h1:HptNXiXVDcJjXe9SqMd0v2FsL9f8dz4GnXgltU6q/co= -github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/zclconf/go-cty v1.0.0/go.mod h1:xnAOWiHeOqg2nWS62VtQ7pbOu17FtxJNW8RLEih+O3s= github.com/zclconf/go-cty v1.1.0/go.mod h1:xnAOWiHeOqg2nWS62VtQ7pbOu17FtxJNW8RLEih+O3s= github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8= 
@@ -433,11 +430,9 @@ golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnf golang.org/x/crypto v0.0.0-20190222235706-ffb98f73852f/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 
@@ -451,9 +446,6 @@ golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTk golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= -golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= -golang.org/x/mod v0.3.0 h1:RM4zey1++hCTbCVQfnWeKs9/IEsaBLA8vTkd0WVtmH4= -golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/net v0.0.0-20180530234432-1e491301e022/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -484,7 +476,6 @@ golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -530,16 +521,7 @@ golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgw golang.org/x/tools v0.0.0-20190729092621-ff9f1409240a/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI= golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72 h1:bw9doJza/SFBEweII/rHQh338oozWyiFsBRHtrflcws= golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20200908211811-12e1bf57a112 h1:DmrRJy1qn9VDMf4+GSpRlwfZ51muIF7r96MFBFP4bPM= -golang.org/x/tools v0.0.0-20200908211811-12e1bf57a112/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= -golang.org/x/tools v0.0.0-20200911040025-d179df38ff46 h1:raJJRwvMVMFKqxzg7RylyOftEg8WyqM4BjTmQyG+U48= -golang.org/x/tools v0.0.0-20200911040025-d179df38ff46/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= -golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= 
@@ -569,7 +551,6 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/cheggaaa/pb.v1 v1.0.27/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= -gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/ini.v1 v1.42.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= @@ -593,6 +574,4 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc h1:/hemPrYIhOhy8zYrNj+069zDB68us2sMGsfkFJO0iZs= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.1-2020.1.5 h1:nI5egYTGJakVyOryqLs1cQO5dO0ksin5XXs2pspk75k= -honnef.co/go/tools v0.0.1-2020.1.5/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= From 3dcd3c7876b9844f15d42d2899042fbdfbc8ef55 Mon Sep 17 00:00:00 2001 From: Willie Sana Date: Mon, 14 Sep 2020 07:44:23 -0700 Subject: [PATCH 7/8] fixes a core dump when template_args are not set in the rule --- pkg/policy/opa/engine.go | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pkg/policy/opa/engine.go b/pkg/policy/opa/engine.go index 83b57b712..00bc22f7f 100644 --- a/pkg/policy/opa/engine.go +++ b/pkg/policy/opa/engine.go 
@@ -159,9 +159,10 @@ func (e *Engine) LoadRegoFiles(policyPath string) error { } // Check for default template variable values specified - if val, ok := regoMetadata.TemplateArgs["name"]; ok { - zap.S().Warn("reserved template name arg was specified", zap.String("name", regoMetadata.Name), zap.String("file", filePath), zap.String("template arg", val.(string))) - } else { + if _, ok := regoMetadata.TemplateArgs["name"]; !ok { + if regoMetadata.TemplateArgs == nil { + regoMetadata.TemplateArgs = make(map[string]interface{}) + } // Add reserved template variable values regoMetadata.TemplateArgs["name"] = regoMetadata.Name } From 3f3e7b5908c20eeffcba7b4053fadb8339bdcda4 Mon Sep 17 00:00:00 2001 
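Review bot: With the Warn removed, a policy JSON that already carries `name` in its `template_args` now silently overrides the reserved value the templates are presumably rendered with, and nothing in the log records that the rule was loaded with a name other than `regoMetadata.Name`. Keep a warning on the found path, but without the previous `val.(string)` assertion, which itself panics on a non-string value: `if val, ok := regoMetadata.TemplateArgs["name"]; ok { zap.S().Warnw("reserved template arg \"name\" overridden by policy metadata", "rule", regoMetadata.Name, "file", filePath, "value", val) } else { ... }`. The nil-map guard is the right fix for the crash; it could also run unconditionally before the lookup so the branch stays flat. LoadRegoFiles starts and ends outside the hunk.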
From: Willie Sana Date: Mon, 14 Sep 2020 11:33:49 -0700 Subject: [PATCH 8/8] initial policy set for k8s --- .../accurics.kubernetes.IAM.1.json | 15 +++ .../accurics.kubernetes.IAM.10.json | 15 +++ .../accurics.kubernetes.IAM.11.json | 15 +++ .../accurics.kubernetes.IAM.12.json | 15 +++ .../accurics.kubernetes.IAM.13.json | 15 +++ .../accurics.kubernetes.IAM.14.json | 15 +++ .../accurics.kubernetes.IAM.15.json | 15 +++ .../accurics.kubernetes.IAM.16.json | 15 +++ .../accurics.kubernetes.IAM.2.json | 15 +++ .../accurics.kubernetes.IAM.3.json | 15 +++ .../accurics.kubernetes.IAM.4.json | 15 +++ .../accurics.kubernetes.IAM.5.json | 15 +++ .../accurics.kubernetes.IAM.6.json | 15 +++ .../accurics.kubernetes.IAM.7.json | 15 +++ .../accurics.kubernetes.IAM.8.json | 15 +++ .../accurics.kubernetes.IAM.9.json | 15 +++ ...ntainerAllowPrivilegeEscalationIsTrue.rego | 111 +++++++++++++++++ .../accurics.kubernetes.IAM.17.json | 14 +++ .../accurics.kubernetes.IAM.18.json | 14 +++ .../accurics.kubernetes.IAM.19.json | 14 +++ .../accurics.kubernetes.IAM.20.json | 14 +++ .../accurics.kubernetes.IAM.21.json | 14 +++ .../accurics.kubernetes.IAM.22.json | 14 +++ .../accurics.kubernetes.IAM.23.json | 14 +++ .../accurics.kubernetes.IAM.24.json | 14 +++ .../accurics.kubernetes.IAM.33.json | 14 +++ .../accurics.kubernetes.IAM.34.json | 14 +++ .../accurics.kubernetes.IAM.35.json | 14 +++ .../accurics.kubernetes.IAM.36.json | 14 +++ .../accurics.kubernetes.IAM.37.json | 14 +++ .../accurics.kubernetes.IAM.38.json | 14 +++ .../accurics.kubernetes.IAM.39.json | 14 +++ .../accurics.kubernetes.IAM.40.json | 14 +++ .../containerHostIpcIsTrue.rego | 94 +++++++++++++++ .../accurics.kubernetes.IAM.25.json | 14 +++ .../accurics.kubernetes.IAM.26.json | 14 +++ .../accurics.kubernetes.IAM.27.json | 14 +++ .../accurics.kubernetes.IAM.28.json | 14 +++ .../accurics.kubernetes.IAM.29.json | 14 +++ .../accurics.kubernetes.IAM.30.json | 14 +++ .../accurics.kubernetes.IAM.31.json | 14 +++ 
.../accurics.kubernetes.IAM.32.json | 14 +++ .../accurics.kubernetes.IAM.33.json | 14 +++ .../accurics.kubernetes.IAM.34.json | 14 +++ .../accurics.kubernetes.IAM.35.json | 14 +++ .../accurics.kubernetes.IAM.36.json | 14 +++ .../containerHostNetworkIsTrue.rego | 94 +++++++++++++++ .../accurics.kubernetes.IAM.33.json | 14 +++ .../accurics.kubernetes.IAM.34.json | 14 +++ .../accurics.kubernetes.IAM.35.json | 14 +++ .../accurics.kubernetes.IAM.36.json | 14 +++ .../accurics.kubernetes.IAM.37.json | 14 +++ .../accurics.kubernetes.IAM.38.json | 14 +++ .../accurics.kubernetes.IAM.39.json | 14 +++ .../accurics.kubernetes.IAM.40.json | 14 +++ .../accurics.kubernetes.IAM.41.json | 14 +++ .../accurics.kubernetes.IAM.42.json | 14 +++ .../accurics.kubernetes.IAM.43.json | 14 +++ .../accurics.kubernetes.IAM.44.json | 14 +++ .../accurics.kubernetes.IAM.45.json | 14 +++ .../containerHostPidIsTrue.rego | 95 +++++++++++++++ .../accurics.kubernetes.IAM.41.json | 15 +++ .../accurics.kubernetes.IAM.42.json | 15 +++ .../accurics.kubernetes.IAM.43.json | 15 +++ .../accurics.kubernetes.IAM.44.json | 15 +++ .../accurics.kubernetes.IAM.45.json | 15 +++ .../accurics.kubernetes.IAM.46.json | 15 +++ .../accurics.kubernetes.IAM.47.json | 15 +++ .../accurics.kubernetes.IAM.48.json | 15 +++ .../accurics.kubernetes.IAM.49.json | 15 +++ .../accurics.kubernetes.IAM.50.json | 15 +++ .../accurics.kubernetes.IAM.51.json | 15 +++ .../accurics.kubernetes.IAM.52.json | 15 +++ .../accurics.kubernetes.IAM.53.json | 15 +++ .../accurics.kubernetes.IAM.54.json | 15 +++ .../accurics.kubernetes.IAM.55.json | 15 +++ .../accurics.kubernetes.IAM.56.json | 15 +++ ...ontainerReadOnlyRootFilesystemIsFalse.rego | 110 +++++++++++++++++ .../accurics.kubernetes.EKM.57.json | 15 +++ .../accurics.kubernetes.EKM.58.json | 15 +++ .../accurics.kubernetes.EKM.59.json | 15 +++ .../accurics.kubernetes.EKM.60.json | 15 +++ .../accurics.kubernetes.EKM.61.json | 15 +++ .../accurics.kubernetes.EKM.62.json | 15 +++ 
.../accurics.kubernetes.EKM.63.json | 15 +++ .../accurics.kubernetes.EKM.64.json | 15 +++ .../accurics.kubernetes.EKM.65.json | 15 +++ .../accurics.kubernetes.EKM.66.json | 15 +++ .../accurics.kubernetes.EKM.67.json | 15 +++ .../accurics.kubernetes.EKM.68.json | 15 +++ .../accurics.kubernetes.EKM.69.json | 15 +++ .../accurics.kubernetes.EKM.70.json | 15 +++ .../accurics.kubernetes.EKM.71.json | 15 +++ .../accurics.kubernetes.EKM.72.json | 15 +++ .../containerUsesSecretsInEnvironmentVar.rego | 114 ++++++++++++++++++ 95 files changed, 1912 insertions(+) create mode 100755 pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.1.json create mode 100755 pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.10.json create mode 100755 pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.11.json create mode 100755 pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.12.json create mode 100755 pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.13.json create mode 100755 pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.14.json create mode 100755 pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.15.json create mode 100755 pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.16.json create mode 100755 pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.2.json create mode 100755 pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.3.json create mode 100755 pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.4.json create mode 100755 pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.5.json create mode 100755 pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.6.json create mode 100755 
pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.7.json create mode 100755 pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.8.json create mode 100755 pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.9.json create mode 100644 pkg/policies/opa/rego/k8s/allow_privilege_escalation/containerAllowPrivilegeEscalationIsTrue.rego create mode 100755 pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.17.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.18.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.19.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.20.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.21.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.22.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.23.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.24.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.33.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.34.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.35.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.36.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.37.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.38.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.39.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.40.json create mode 100644 
pkg/policies/opa/rego/k8s/container_host_ipc/containerHostIpcIsTrue.rego create mode 100755 pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.25.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.26.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.27.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.28.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.29.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.30.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.31.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.32.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.33.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.34.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.35.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.36.json create mode 100644 pkg/policies/opa/rego/k8s/container_host_network/containerHostNetworkIsTrue.rego create mode 100755 pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.33.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.34.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.35.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.36.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.37.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.38.json create mode 100755 
pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.39.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.40.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.41.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.42.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.43.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.44.json create mode 100755 pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.45.json create mode 100644 pkg/policies/opa/rego/k8s/container_host_pid/containerHostPidIsTrue.rego create mode 100755 pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.41.json create mode 100755 pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.42.json create mode 100755 pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.43.json create mode 100755 pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.44.json create mode 100755 pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.45.json create mode 100755 pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.46.json create mode 100755 pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.47.json create mode 100755 pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.48.json create mode 100755 pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.49.json create mode 100755 pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.50.json create mode 100755 pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.51.json create mode 
100755 pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.52.json create mode 100755 pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.53.json create mode 100755 pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.54.json create mode 100755 pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.55.json create mode 100755 pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.56.json create mode 100644 pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/containerReadOnlyRootFilesystemIsFalse.rego create mode 100755 pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.57.json create mode 100755 pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.58.json create mode 100755 pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.59.json create mode 100755 pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.60.json create mode 100755 pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.61.json create mode 100755 pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.62.json create mode 100755 pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.63.json create mode 100755 pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.64.json create mode 100755 pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.65.json create mode 100755 pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.66.json create mode 100755 pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.67.json create mode 100755 pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.68.json create mode 100755 
pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.69.json
create mode 100755 pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.70.json
create mode 100755 pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.71.json
create mode 100755 pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.72.json
create mode 100644 pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/containerUsesSecretsInEnvironmentVar.rego
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.1.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.1.json
new file mode 100755
index 000000000..67c6f2bfc
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.1.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_cron_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.1",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.10.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.10.json
new file mode 100755
index 000000000..a35290bd8
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.10.json
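Review bot: The description "Minimize the admission of privileged containers" does not match the rule this metadata binds, `containerAllowPrivilegeEscalationIsTrue`: `privileged: true` and `allowPrivilegeEscalation: true` are different securityContext fields, and the CIS Kubernetes Benchmark tracks them as separate controls, so a scan report built from this text would point the user at the wrong setting. Suggest `"description": "Minimize the admission of containers with allowPrivilegeEscalation set to true"`; the same text is repeated in every .json under allow_privilege_escalation in this commit, so the change applies to all of them. Minor: these JSON metadata files are created with mode 100755 while the .rego next to them is 100644 — data files should not be executable.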
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_daemonset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.10",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.11.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.11.json
new file mode 100755
index 000000000..20daabb4a
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.11.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_deployment",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.11",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.12.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.12.json
new file mode 100755
index 000000000..735ac4231
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.12.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.12",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.13.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.13.json
new file mode 100755
index 000000000..a3a80376f
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.13.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_pod",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.13",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.14.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.14.json
new file mode 100755
index 000000000..482583e32
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.14.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_replicaset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.14",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.15.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.15.json
new file mode 100755
index 000000000..28a8ca56e
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.15.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_replication_controller",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.15",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.16.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.16.json
new file mode 100755
index 000000000..70024174a
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.16.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_stateful_set",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.16",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.2.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.2.json
new file mode 100755
index 000000000..c4aed2689
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.2.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_daemonset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.2",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.3.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.3.json
new file mode 100755
index 000000000..57dd15783
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.3.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_deployment",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.3",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.4.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.4.json
new file mode 100755
index 000000000..b3664f12a
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.4.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.4",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.5.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.5.json
new file mode 100755
index 000000000..fac379f18
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.5.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_pod",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.5",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.6.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.6.json
new file mode 100755
index 000000000..8f045acd4
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.6.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_replicaset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.6",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.7.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.7.json
new file mode 100755
index 000000000..b53736de9
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.7.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_replication_controller",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.7",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.8.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.8.json
new file mode 100755
index 000000000..937f29dae
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.8.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_stateful_set",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.8",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.9.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.9.json
new file mode 100755
index 000000000..747b9c24f
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.9.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_cron_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.9",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/containerAllowPrivilegeEscalationIsTrue.rego b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/containerAllowPrivilegeEscalationIsTrue.rego
new file mode 100644
index 000000000..9214a4e46
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/containerAllowPrivilegeEscalationIsTrue.rego
@@ -0,0 +1,111 @@
+package accurics
+
+{{- if eq .is_init true}}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "initContainersSecurityContext" . }}
+ initContainersSecurityContext.allowPrivilegeEscalation == true
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "initContainersSecurityContextTF" . }}
+ initContainersSecurityContextTF.allow_privilege_escalation == true
+}
+
+{{- else}}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "containersSecurityContext" . }}
+ containersSecurityContext.allowPrivilegeEscalation == true
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "containersSecurityContextTF" . }}
+ containersSecurityContextTF.allow_privilege_escalation == true
+}
+
+{{- end}}
+
+
+##################################
+### Template definitions below ###
+##################################
+{{- define "api" }}
+ api = input.{{.resource_type}}[_]
+{{- end}}
+
+# resolves path to the spec key
+{{- define "spec" }}
+ {{- template "api" . }}
+ {{- if eq .resource_type "kubernetes_pod" }}
+ spec = api.config.spec
+ {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+ spec = api.config.spec
+ {{- else if eq .resource_type "kubernetes_cron_job" }}
+ spec = api.config.spec.jobTemplate.spec.template.spec
+ {{- else }}
+ spec = api.config.spec.template.spec
+ {{- end }}
+{{- end }}
+
+# resolves path to the spec key for terraform-defined k8s resources
+{{- define "specTF" }}
+ {{- template "api" . }}
+ {{- if eq .resource_type "kubernetes_pod" }}
+ specTF = api.config.spec
+ {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+ specTF = api.config.spec
+ {{- else if eq .resource_type "kubernetes_cron_job" }}
+ specTF = api.config.spec.job_template.spec.template.spec
+ {{- else }}
+ specTF = api.config.spec.template.spec
+ {{- end }}
+{{- end }}
+
+# resolves path to the containers list
+{{- define "containers" }}
+ {{- template "spec" . }}
+ containers = spec.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context
+{{- define "containersSecurityContext" }}
+ {{- template "containers" . }}
+ containersSecurityContext = containers.securityContext
+{{- end }}
+
+# resolves path to the containers list for terraform-defined k8s resources
+{{- define "containersTF" }}
+ {{- template "specTF" . }}
+ containers = specTF.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context for terraform-defined k8s resources
+{{- define "containersSecurityContextTF" }}
+ {{- template "containersTF" . }}
+ containersSecurityContextTF = containers.security_context
+{{- end }}
+
+# resolves path to the initContainers list
+{{- define "initContainers" }}
+ {{- template "spec" . }}
+ initContainers = spec.initContainers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context
+{{- define "initContainersSecurityContext" }}
+ {{- template "initContainers" . }}
+ initContainersSecurityContext = initContainers.securityContext
+{{- end }}
+
+# resolves path to the initContainers list for terraform-defined k8s resources
+{{- define "initContainersTF" }}
+ {{- template "specTF" . }}
+ initContainersTF = specTF.init_containers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context for terraform-defined k8s resources
+{{- define "initContainersSecurityContextTF" }}
+ {{- template "initContainersTF" . }}
+ initContainersSecurityContextTF = initContainersTF.security_context
+{{- end }}
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.17.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.17.json
new file mode 100755
index 000000000..d6784d39b
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.17.json
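Review bot: The four rule bodies only fire on an explicit `allowPrivilegeEscalation == true` (or `allow_privilege_escalation == true`), yet Kubernetes treats an unset `allowPrivilegeEscalation` as true, and the `containersSecurityContext = containers.securityContext` binding is undefined when a container declares no `securityContext` at all, so the most common insecure shape — the field simply omitted — produces no finding. For the non-init rule, bind the container directly and test for anything other than an explicit false: `{{- template "containers" . }}` followed by `not containers.securityContext.allowPrivilegeEscalation == false`, which matches a missing field and `true` but not `false`; the init-container and Terraform variants want the same treatment. Separately, the Terraform kubernetes provider expresses containers as singular `container` / `init_container` nested blocks, so `specTF.containers[_]` and `specTF.init_containers[_]` in `containersTF`/`initContainersTF` look unlikely to ever match a Terraform-defined resource — confirm against the key names the Terraform normalizer actually emits before relying on the `*TF` rules. Also note `containersTF` binds `containers` while its sibling `initContainersTF` binds `initContainersTF`; naming them consistently would make the templates easier to compose.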
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_cron_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.17",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.18.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.18.json
new file mode 100755
index 000000000..5e23df201
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.18.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_daemonset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.18",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.19.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.19.json
new file mode 100755
index 000000000..25be1cca5
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.19.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_deployment",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.19",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.20.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.20.json
new file mode 100755
index 000000000..3751215d2
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.20.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.20",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.21.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.21.json
new file mode 100755
index 000000000..c00434152
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.21.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_pod",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.21",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.22.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.22.json
new file mode 100755
index 000000000..06fc43eab
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.22.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_replicaset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.22",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.23.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.23.json
new file mode 100755
index 000000000..db23b17cb
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.23.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_replication_controller",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.23",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.24.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.24.json
new file mode 100755
index 000000000..6c119bef6
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.24.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_stateful_set",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.24",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.33.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.33.json
new file mode 100755
index 000000000..f4e3df468
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.33.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_cron_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.33",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.34.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.34.json
new file mode 100755
index 000000000..16b2d4f90
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.34.json
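Review bot: The `reference_id` `accurics.kubernetes.IAM.33` in the second hunk on this line introduces a duplicate control: this file, and the IAM.34–IAM.40 files that follow in container_host_ipc, carry exactly the same `name`, `file` and `template_args` as IAM.17–IAM.24 earlier in the same directory, so every host-IPC violation will be reported twice under two different ids. Worse, `accurics.kubernetes.IAM.33` (and, judging by its file header, IAM.34) is reused by container_host_network/accurics.kubernetes.IAM.33.json for a different check, so a reference id no longer identifies a single rule and any suppression or reporting keyed on it becomes ambiguous. Drop the IAM.33–IAM.40 files from container_host_ipc, or renumber them with ids not used elsewhere in the tree.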
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_daemonset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.34",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.35.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.35.json
new file mode 100755
index 000000000..d2f1ed5ff
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.35.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_deployment",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.35",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.36.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.36.json
new file mode 100755
index 000000000..ef7d08217
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.36.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.36",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.37.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.37.json
new file mode 100755
index 000000000..c1b66cf5c
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.37.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_pod",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.37",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.38.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.38.json
new file mode 100755
index 000000000..bf2b65277
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.38.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_replicaset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.38",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.39.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.39.json
new file mode 100755
index 000000000..af05bd39f
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.39.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_replication_controller",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.39",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.40.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.40.json
new file mode 100755
index 000000000..e859c01d5
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.40.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_stateful_set",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.40",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/containerHostIpcIsTrue.rego b/pkg/policies/opa/rego/k8s/container_host_ipc/containerHostIpcIsTrue.rego
new file mode 100644
index 000000000..3a26ef9ae
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/containerHostIpcIsTrue.rego
@@ -0,0 +1,94 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "spec" . }}
+ spec.hostIPC == true
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "specTF" . }}
+ specTF.host_ipc == true
+}
+
+##################################
+### Template definitions below ###
+##################################
+{{- define "api" }}
+ api = input.{{.resource_type}}[_]
+{{- end}}
+
+# resolves path to the spec key
+{{- define "spec" }}
+ {{- template "api" . }}
+ {{- if eq .resource_type "kubernetes_pod" }}
+ spec = api.config.spec
+ {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+ spec = api.config.spec
+ {{- else if eq .resource_type "kubernetes_cron_job" }}
+ spec = api.config.spec.jobTemplate.spec.template.spec
+ {{- else }}
+ spec = api.config.spec.template.spec
+ {{- end }}
+{{- end }}
+
+# resolves path to the spec key for terraform-defined k8s resources
+{{- define "specTF" }}
+ {{- template "api" . }}
+ {{- if eq .resource_type "kubernetes_pod" }}
+ specTF = api.config.spec
+ {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+ specTF = api.config.spec
+ {{- else if eq .resource_type "kubernetes_cron_job" }}
+ specTF = api.config.spec.job_template.spec.template.spec
+ {{- else }}
+ specTF = api.config.spec.template.spec
+ {{- end }}
+{{- end }}
+
+# resolves path to the containers list
+{{- define "containers" }}
+ {{- template "spec" . }}
+ containers = spec.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context
+{{- define "containersSecurityContext" }}
+ {{- template "containers" . }}
+ containersSecurityContext = containers.securityContext
+{{- end }}
+
+# resolves path to the containers list for terraform-defined k8s resources
+{{- define "containersTF" }}
+ {{- template "specTF" . }}
+ containers = specTF.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context for terraform-defined k8s resources
+{{- define "containersSecurityContextTF" }}
+ {{- template "containersTF" . }}
+ containersSecurityContextTF = containers.security_context
+{{- end }}
+
+# resolves path to the initContainers list
+{{- define "initContainers" }}
+ {{- template "spec" . }}
+ initContainers = spec.initContainers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context
+{{- define "initContainersSecurityContext" }}
+ {{- template "initContainers" . }}
+ initContainersSecurityContext = initContainers.securityContext
+{{- end }}
+
+# resolves path to the initContainers list for terraform-defined k8s resources
+{{- define "initContainersTF" }}
+ {{- template "specTF" . }}
+ initContainersTF = specTF.init_containers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context for terraform-defined k8s resources
+{{- define "initContainersSecurityContextTF" }}
+ {{- template "initContainersTF" . }}
+ initContainersSecurityContextTF = initContainersTF.security_context
+{{- end }}
diff --git a/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.25.json b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.25.json
new file mode 100755
index 000000000..0a6577a83
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.25.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostNetworkIsTrue",
+ "file": "containerHostNetworkIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_cron_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host network namespace",
+ "reference_id": "accurics.kubernetes.IAM.25",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
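Review bot: Only `spec` and `specTF` (and `api` through them) are referenced by the two rule bodies in this policy; the eight template definitions from `containers` through `initContainersSecurityContextTF` are copied verbatim from the allow_privilege_escalation policy and are dead here, which leaves two hand-maintained copies of the same path-resolution logic to drift apart. Keep only `api`, `spec` and `specTF` in this file, or move the shared definitions into one common template that each policy includes. The check itself, `spec.hostIPC == true` / `specTF.host_ipc == true`, is the right shape for this field since an unset `hostIPC` means the pod does not share the host IPC namespace, so an explicit-true test does not miss the default case.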
diff --git a/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.26.json b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.26.json
new file mode 100755
index 000000000..7383c3599
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.26.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostNetworkIsTrue",
+ "file": "containerHostNetworkIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_daemonset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host network namespace",
+ "reference_id": "accurics.kubernetes.IAM.26",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.27.json b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.27.json
new file mode 100755
index 000000000..0fa003528
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.27.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostNetworkIsTrue",
+ "file": "containerHostNetworkIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_deployment",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host network namespace",
+ "reference_id": "accurics.kubernetes.IAM.27",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.28.json b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.28.json
new file mode 100755
index 000000000..40e9ffee3
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.28.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostNetworkIsTrue",
+ "file": "containerHostNetworkIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host network namespace",
+ "reference_id": "accurics.kubernetes.IAM.28",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.29.json b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.29.json
new file mode 100755
index 000000000..fa020e16c
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.29.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostNetworkIsTrue",
+ "file": "containerHostNetworkIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_pod",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host network namespace",
+ "reference_id": "accurics.kubernetes.IAM.29",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.30.json b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.30.json
new file mode 100755
index 000000000..b361bc75e
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.30.json
@@ -0,0 +1,14 @@ +{ + "name": "containerHostNetworkIsTrue", + "file": "containerHostNetworkIsTrue.rego", + "template_args": { + "prefix": "", + "resource_type": "kubernetes_replicaset", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Minimize the admission of containers wishing to share the host network namespace", + "reference_id": "accurics.kubernetes.IAM.30", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.31.json b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.31.json new file mode 100755 index 000000000..d01322cfe --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.31.json @@ -0,0 +1,14 @@ +{ + "name": "containerHostNetworkIsTrue", + "file": "containerHostNetworkIsTrue.rego", + "template_args": { + "prefix": "", + "resource_type": "kubernetes_replication_controller", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Minimize the admission of containers wishing to share the host network namespace", + "reference_id": "accurics.kubernetes.IAM.31", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.32.json b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.32.json new file mode 100755 index 000000000..089f5de1a --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.32.json 
@@ -0,0 +1,14 @@ +{ + "name": "containerHostNetworkIsTrue", + "file": "containerHostNetworkIsTrue.rego", + "template_args": { + "prefix": "", + "resource_type": "kubernetes_stateful_set", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Minimize the admission of containers wishing to share the host network namespace", + "reference_id": "accurics.kubernetes.IAM.32", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.33.json b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.33.json new file mode 100755 index 000000000..53113fe6c --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.33.json @@ -0,0 +1,14 @@ +{ + "name": "containerHostNetworkIsTrue", + "file": "containerHostNetworkIsTrue.rego", + "template_args": { + "prefix": "", + "resource_type": "kubernetes_pod_security_policy", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Minimize the admission of containers wishing to share the host network namespace", + "reference_id": "accurics.kubernetes.IAM.33", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.34.json b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.34.json new file mode 100755 index 000000000..5633e9ba2 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.34.json 
@@ -0,0 +1,14 @@ +{ + "name": "containerHostNetworkIsTrue", + "file": "containerHostNetworkIsTrue.rego", + "template_args": { + "prefix": "", + "resource_type": "kubernetes_replicaset", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Minimize the admission of containers wishing to share the host network namespace", + "reference_id": "accurics.kubernetes.IAM.34", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.35.json b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.35.json new file mode 100755 index 000000000..f1406cc01 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.35.json @@ -0,0 +1,14 @@ +{ + "name": "containerHostNetworkIsTrue", + "file": "containerHostNetworkIsTrue.rego", + "template_args": { + "prefix": "", + "resource_type": "kubernetes_replication_controller", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Minimize the admission of containers wishing to share the host network namespace", + "reference_id": "accurics.kubernetes.IAM.35", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.36.json b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.36.json new file mode 100755 index 000000000..74db5d4ed --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.36.json 
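Review bot: `accurics.kubernetes.IAM.34` and `accurics.kubernetes.IAM.35` are exact duplicates of IAM.30 and IAM.31 in the same directory — same rego file, same `resource_type` (`kubernetes_replicaset`, `kubernetes_replication_controller`), same severity and description — so every matching ReplicaSet or ReplicationController will be reported twice under two IDs, and suppressing one ID leaves the other firing. Only the `reference_id` string differs between the pairs. Either drop these two files or point them at a resource type that is missing here; the `kubernetes_cron_job` case that the rego's `spec` template already resolves has no JSON entry in `container_host_network`, which looks like the intended target. `"category": "Identity and Access Management"` also misdescribes a host-namespace isolation control; a pod/container security category would group the finding where operators expect it.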
@@ -0,0 +1,14 @@ +{ + "name": "containerHostNetworkIsTrue", + "file": "containerHostNetworkIsTrue.rego", + "template_args": { + "prefix": "", + "resource_type": "kubernetes_stateful_set", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Minimize the admission of containers wishing to share the host network namespace", + "reference_id": "accurics.kubernetes.IAM.36", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_host_network/containerHostNetworkIsTrue.rego b/pkg/policies/opa/rego/k8s/container_host_network/containerHostNetworkIsTrue.rego new file mode 100644 index 000000000..3966c0e11 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_host_network/containerHostNetworkIsTrue.rego 
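Review bot: `accurics.kubernetes.IAM.36` repeats IAM.32 (`kubernetes_stateful_set`, same rego, same description), making a third duplicate in this directory after IAM.34/IAM.35, so StatefulSets get the same violation reported under two reference IDs. Remove it or retarget it (`"resource_type": "kubernetes_cron_job"` is the one supported type with no entry). Style: every policy JSON in this commit is added with `new file mode 100755` while the rego it references is `100644`; data files should not be executable.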
@@ -0,0 +1,94 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{template "spec" . }}
+ spec.hostNetwork == true
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{template "specTF" . }}
+ specTF.host_network == true
+}
+
+##################################
+### Template definitions below ###
+##################################
+{{- define "api" }}
+ api = input.{{.resource_type}}[_]
+{{- end}}
+
+# resolves path to the spec key
+{{- define "spec" }}
+ {{- template "api" . }}
+ {{- if eq .resource_type "kubernetes_pod" }}
+ spec = api.config.spec
+ {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+ spec = api.config.spec
+ {{- else if eq .resource_type "kubernetes_cron_job" }}
+ spec = api.config.spec.jobTemplate.spec.template.spec
+ {{- else }}
+ spec = api.config.spec.template.spec
+ {{- end }}
+{{- end }}
+
+# resolves path to the spec key for terraform-defined k8s resources
+{{- define "specTF" }}
+ {{- template "api" . }}
+ {{- if eq .resource_type "kubernetes_pod" }}
+ specTF = api.config.spec
+ {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+ specTF = api.config.spec
+ {{- else if eq .resource_type "kubernetes_cron_job" }}
+ specTF = api.config.spec.job_template.spec.template.spec
+ {{- else }}
+ specTF = api.config.spec.template.spec
+ {{- end }}
+{{- end }}
+
+# resolves path to the containers list
+{{- define "containers" }}
+ {{- template "spec" . }}
+ containers = spec.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context
+{{- define "containersSecurityContext" }}
+ {{- template "containers" . }}
+ containersSecurityContext = containers.securityContext
+{{- end }}
+
+# resolves path to the containers list for terraform-defined k8s resources
+{{- define "containersTF" }}
+ {{- template "specTF" . }}
+ containers = specTF.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context for terraform-defined k8s resources
+{{- define "containersSecurityContextTF" }}
+ {{- template "containersTF" . }}
+ containersSecurityContextTF = containers.security_context
+{{- end }}
+
+# resolves path to the initContainers list
+{{- define "initContainers" }}
+ {{- template "spec" . }}
+ initContainers = spec.initContainers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context
+{{- define "initContainersSecurityContext" }}
+ {{- template "initContainers" . }}
+ initContainersSecurityContext = initContainers.securityContext
+{{- end }}
+
+# resolves path to the initContainers list for terraform-defined k8s resources
+{{- define "initContainersTF" }}
+ {{- template "specTF" . }}
+ initContainersTF = specTF.init_containers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context for terraform-defined k8s resources
+{{- define "initContainersSecurityContextTF" }}
+ {{- template "initContainersTF" . }}
+ initContainersSecurityContextTF = initContainersTF.security_context
+{{- end }}
diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.33.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.33.json
new file mode 100755
index 000000000..53b782896
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.33.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostPidIsTrue",
+ "file": "containerHostPidIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_cron_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host process ID namespace",
+ "reference_id": "accurics.kubernetes.IAM.33",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
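Review bot: Both rules fail open: if `api.config.spec.template.spec` or `.hostNetwork` is absent for a resource the body is undefined and the set simply gains no entry, so a mismatch between these hard-coded paths and what the YAML/Terraform normalizers actually emit shows up as a silent false negative rather than an error. Terraform providers commonly represent nested blocks such as `spec` and `template` as lists, in which case `specTF.host_network` would never resolve — worth confirming against the normalizer and pinning with one positive fixture per `resource_type` for the YAML rule and the TF rule. Minor: `{{template "spec" . }}` and `{{template "specTF" . }}` lack the `{{-` trim used by every other directive in this file and by the sibling `containerHostPidIsTrue.rego`, and the eight `containers*`/`initContainers*` helpers are defined but unreferenced by this policy.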
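Review bot: `"reference_id": "accurics.kubernetes.IAM.33"` is already taken in this same commit by the `container_host_network` PodSecurityPolicy policy, and IAM.34–IAM.36 are likewise reused across the two directories, so a reference ID no longer identifies one check — any suppression, baseline or report keyed on it will conflate the hostNetwork and hostPID findings. Allocate a fresh contiguous range for `container_host_pid` (e.g. continue after the last ID used by `container_host_network`) before more policies build on these numbers.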
diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.34.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.34.json new file mode 100755 index 000000000..cf04235fd --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.34.json @@ -0,0 +1,14 @@ +{ + "name": "containerHostPidIsTrue", + "file": "containerHostPidIsTrue.rego", + "template_args": { + "prefix": "", + "resource_type": "kubernetes_daemonset", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Minimize the admission of containers wishing to share the host process ID namespace", + "reference_id": "accurics.kubernetes.IAM.34", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.35.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.35.json new file mode 100755 index 000000000..8760f9bb7 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.35.json @@ -0,0 +1,14 @@ +{ + "name": "containerHostPidIsTrue", + "file": "containerHostPidIsTrue.rego", + "template_args": { + "prefix": "", + "resource_type": "kubernetes_deployment", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Minimize the admission of containers wishing to share the host process ID namespace", + "reference_id": "accurics.kubernetes.IAM.35", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.36.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.36.json new file mode 100755 index 000000000..685036b86 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.36.json 
@@ -0,0 +1,14 @@ +{ + "name": "containerHostPidIsTrue", + "file": "containerHostPidIsTrue.rego", + "template_args": { + "prefix": "", + "resource_type": "kubernetes_job", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Minimize the admission of containers wishing to share the host process ID namespace", + "reference_id": "accurics.kubernetes.IAM.36", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.37.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.37.json new file mode 100755 index 000000000..6c0c9962e --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.37.json @@ -0,0 +1,14 @@ +{ + "name": "containerHostPidIsTrue", + "file": "containerHostPidIsTrue.rego", + "template_args": { + "prefix": "", + "resource_type": "kubernetes_pod", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Minimize the admission of containers wishing to share the host process ID namespace", + "reference_id": "accurics.kubernetes.IAM.37", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.38.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.38.json new file mode 100755 index 000000000..0b9a17bc0 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.38.json 
@@ -0,0 +1,14 @@ +{ + "name": "containerHostPidIsTrue", + "file": "containerHostPidIsTrue.rego", + "template_args": { + "prefix": "", + "resource_type": "kubernetes_replicaset", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Minimize the admission of containers wishing to share the host process ID namespace", + "reference_id": "accurics.kubernetes.IAM.38", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.39.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.39.json new file mode 100755 index 000000000..ed69cdd5d --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.39.json @@ -0,0 +1,14 @@ +{ + "name": "containerHostPidIsTrue", + "file": "containerHostPidIsTrue.rego", + "template_args": { + "prefix": "", + "resource_type": "kubernetes_replication_controller", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Minimize the admission of containers wishing to share the host process ID namespace", + "reference_id": "accurics.kubernetes.IAM.39", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.40.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.40.json new file mode 100755 index 000000000..130130c3d --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.40.json 
@@ -0,0 +1,14 @@ +{ + "name": "containerHostPidIsTrue", + "file": "containerHostPidIsTrue.rego", + "template_args": { + "prefix": "", + "resource_type": "kubernetes_stateful_set", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Minimize the admission of containers wishing to share the host process ID namespace", + "reference_id": "accurics.kubernetes.IAM.40", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.41.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.41.json new file mode 100755 index 000000000..191208b75 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.41.json @@ -0,0 +1,14 @@ +{ + "name": "containerHostPidIsTrue", + "file": "containerHostPidIsTrue.rego", + "template_args": { + "prefix": "", + "resource_type": "kubernetes_pod", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Minimize the admission of containers wishing to share the host process ID namespace", + "reference_id": "accurics.kubernetes.IAM.41", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.42.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.42.json new file mode 100755 index 000000000..052ce7236 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.42.json 
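Review bot: `accurics.kubernetes.IAM.41` is a copy of IAM.37 — both `containerHostPidIsTrue.rego` against `kubernetes_pod` with identical severity and description — so every Pod with `hostPID: true` is flagged twice; the same pattern continues with IAM.43/44/45 repeating IAM.38/39/40. Only one JSON per `(file, resource_type)` pair should exist; delete the duplicates or retarget them to a type that is missing.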
@@ -0,0 +1,14 @@ +{ + "name": "containerHostPidIsTrue", + "file": "containerHostPidIsTrue.rego", + "template_args": { + "prefix": "", + "resource_type": "kubernetes_pod_security_policy", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Minimize the admission of containers wishing to share the host process ID namespace", + "reference_id": "accurics.kubernetes.IAM.42", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.43.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.43.json new file mode 100755 index 000000000..33f18a23b --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.43.json @@ -0,0 +1,14 @@ +{ + "name": "containerHostPidIsTrue", + "file": "containerHostPidIsTrue.rego", + "template_args": { + "prefix": "", + "resource_type": "kubernetes_replicaset", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Minimize the admission of containers wishing to share the host process ID namespace", + "reference_id": "accurics.kubernetes.IAM.43", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.44.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.44.json new file mode 100755 index 000000000..d6c1c634a --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.44.json 
@@ -0,0 +1,14 @@ +{ + "name": "containerHostPidIsTrue", + "file": "containerHostPidIsTrue.rego", + "template_args": { + "prefix": "", + "resource_type": "kubernetes_replication_controller", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Minimize the admission of containers wishing to share the host process ID namespace", + "reference_id": "accurics.kubernetes.IAM.44", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.45.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.45.json new file mode 100755 index 000000000..4b9a05107 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.45.json @@ -0,0 +1,14 @@ +{ + "name": "containerHostPidIsTrue", + "file": "containerHostPidIsTrue.rego", + "template_args": { + "prefix": "", + "resource_type": "kubernetes_stateful_set", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Minimize the admission of containers wishing to share the host process ID namespace", + "reference_id": "accurics.kubernetes.IAM.45", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/containerHostPidIsTrue.rego b/pkg/policies/opa/rego/k8s/container_host_pid/containerHostPidIsTrue.rego new file mode 100644 index 000000000..ec586185e --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_host_pid/containerHostPidIsTrue.rego 
@@ -0,0 +1,95 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "spec" . }}
+ spec.hostPID == true
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "specTF" . }}
+ specTF.host_pid == true
+}
+
+
+##################################
+### Template definitions below ###
+##################################
+{{- define "api" }}
+ api = input.{{.resource_type}}[_]
+{{- end}}
+
+# resolves path to the spec key
+{{- define "spec" }}
+ {{- template "api" . }}
+ {{- if eq .resource_type "kubernetes_pod" }}
+ spec = api.config.spec
+ {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+ spec = api.config.spec
+ {{- else if eq .resource_type "kubernetes_cron_job" }}
+ spec = api.config.spec.jobTemplate.spec.template.spec
+ {{- else }}
+ spec = api.config.spec.template.spec
+ {{- end }}
+{{- end }}
+
+# resolves path to the spec key for terraform-defined k8s resources
+{{- define "specTF" }}
+ {{- template "api" . }}
+ {{- if eq .resource_type "kubernetes_pod" }}
+ specTF = api.config.spec
+ {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+ specTF = api.config.spec
+ {{- else if eq .resource_type "kubernetes_cron_job" }}
+ specTF = api.config.spec.job_template.spec.template.spec
+ {{- else }}
+ specTF = api.config.spec.template.spec
+ {{- end }}
+{{- end }}
+
+# resolves path to the containers list
+{{- define "containers" }}
+ {{- template "spec" . }}
+ containers = spec.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context
+{{- define "containersSecurityContext" }}
+ {{- template "containers" . }}
+ containersSecurityContext = containers.securityContext
+{{- end }}
+
+# resolves path to the containers list for terraform-defined k8s resources
+{{- define "containersTF" }}
+ {{- template "specTF" . }}
+ containers = specTF.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context for terraform-defined k8s resources
+{{- define "containersSecurityContextTF" }}
+ {{- template "containersTF" . }}
+ containersSecurityContextTF = containers.security_context
+{{- end }}
+
+# resolves path to the initContainers list
+{{- define "initContainers" }}
+ {{- template "spec" . }}
+ initContainers = spec.initContainers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context
+{{- define "initContainersSecurityContext" }}
+ {{- template "initContainers" . }}
+ initContainersSecurityContext = initContainers.securityContext
+{{- end }}
+
+# resolves path to the initContainers list for terraform-defined k8s resources
+{{- define "initContainersTF" }}
+ {{- template "specTF" . }}
+ initContainersTF = specTF.init_containers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context for terraform-defined k8s resources
+{{- define "initContainersSecurityContextTF" }}
+ {{- template "initContainersTF" . }}
+ initContainersSecurityContextTF = initContainersTF.security_context
+{{- end }}
diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.41.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.41.json
new file mode 100755
index 000000000..976f2104f
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.41.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerReadOnlyRootFilesystemIsFalse",
+ "file": "containerReadOnlyRootFilesystemIsFalse.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_cron_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Container's root filesystem is not read-only",
+ "reference_id": "accurics.kubernetes.IAM.41",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
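Review bot: The `containersTF` helper binds its result to `containers`, while the parallel `initContainersTF` binds `initContainersTF`; in any rule that expanded both the YAML and Terraform container helpers, Rego would unify `spec.containers[_]` and `specTF.containers[_]` into the same variable and the two lookups would constrain each other instead of standing alone. Change it to `containersTF = specTF.containers[_]` and, in the next template, `containersSecurityContextTF = containersTF.security_context`. None of these eight helper templates is referenced by this policy, and they are identical to the block in `containerHostNetworkIsTrue.rego`, so a path fix will have to be repeated in every policy file — hoisting the shared definitions into one template that the loader associates with each policy would avoid that drift. Apart from that the only difference from the sibling file is the `{{-` trim on the two rule-body directives and the doubled blank line before the banner.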
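Review bot: `"reference_id": "accurics.kubernetes.IAM.41"` is already used in this commit by the `container_host_pid` check for `kubernetes_pod`, and IAM.42–IAM.45 in this directory collide with `container_host_pid` as well, so the read-only-root-filesystem findings and the hostPID findings become indistinguishable to anything keyed on reference ID. This directory otherwise has a clean layout (one non-init and one `"is_init": true` entry per workload type, IAM.41–48 and IAM.49–56), so renumbering it as a block into an unused range is straightforward; doing so now avoids breaking users' suppressions later.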
diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.42.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.42.json new file mode 100755 index 000000000..1761369aa --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.42.json @@ -0,0 +1,15 @@ +{ + "name": "containerReadOnlyRootFilesystemIsFalse", + "file": "containerReadOnlyRootFilesystemIsFalse.rego", + "template_args": { + "is_init": false, + "prefix": "", + "resource_type": "kubernetes_daemonset", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Container's root filesystem is not read-only", + "reference_id": "accurics.kubernetes.IAM.42", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.43.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.43.json new file mode 100755 index 000000000..24c848cdb --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.43.json @@ -0,0 +1,15 @@ +{ + "name": "containerReadOnlyRootFilesystemIsFalse", + "file": "containerReadOnlyRootFilesystemIsFalse.rego", + "template_args": { + "is_init": false, + "prefix": "", + "resource_type": "kubernetes_deployment", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Container's root filesystem is not read-only", + "reference_id": "accurics.kubernetes.IAM.43", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.44.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.44.json new file mode 100755 index 000000000..29fbd19b5 --- /dev/null 
+++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.44.json @@ -0,0 +1,15 @@ +{ + "name": "containerReadOnlyRootFilesystemIsFalse", + "file": "containerReadOnlyRootFilesystemIsFalse.rego", + "template_args": { + "is_init": false, + "prefix": "", + "resource_type": "kubernetes_job", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Container's root filesystem is not read-only", + "reference_id": "accurics.kubernetes.IAM.44", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.45.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.45.json new file mode 100755 index 000000000..f1197cab6 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.45.json @@ -0,0 +1,15 @@ +{ + "name": "containerReadOnlyRootFilesystemIsFalse", + "file": "containerReadOnlyRootFilesystemIsFalse.rego", + "template_args": { + "is_init": false, + "prefix": "", + "resource_type": "kubernetes_pod", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Container's root filesystem is not read-only", + "reference_id": "accurics.kubernetes.IAM.45", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.46.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.46.json new file mode 100755 index 000000000..e1bc81390 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.46.json 
@@ -0,0 +1,15 @@ +{ + "name": "containerReadOnlyRootFilesystemIsFalse", + "file": "containerReadOnlyRootFilesystemIsFalse.rego", + "template_args": { + "is_init": false, + "prefix": "", + "resource_type": "kubernetes_replicaset", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Container's root filesystem is not read-only", + "reference_id": "accurics.kubernetes.IAM.46", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.47.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.47.json new file mode 100755 index 000000000..589da7e6a --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.47.json @@ -0,0 +1,15 @@ +{ + "name": "containerReadOnlyRootFilesystemIsFalse", + "file": "containerReadOnlyRootFilesystemIsFalse.rego", + "template_args": { + "is_init": false, + "prefix": "", + "resource_type": "kubernetes_replication_controller", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Container's root filesystem is not read-only", + "reference_id": "accurics.kubernetes.IAM.47", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.48.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.48.json new file mode 100755 index 000000000..9c37dc79e --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.48.json 
@@ -0,0 +1,15 @@ +{ + "name": "containerReadOnlyRootFilesystemIsFalse", + "file": "containerReadOnlyRootFilesystemIsFalse.rego", + "template_args": { + "is_init": false, + "prefix": "", + "resource_type": "kubernetes_stateful_set", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Container's root filesystem is not read-only", + "reference_id": "accurics.kubernetes.IAM.48", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.49.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.49.json new file mode 100755 index 000000000..305418659 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.49.json @@ -0,0 +1,15 @@ +{ + "name": "containerReadOnlyRootFilesystemIsFalse", + "file": "containerReadOnlyRootFilesystemIsFalse.rego", + "template_args": { + "is_init": true, + "prefix": "", + "resource_type": "kubernetes_cron_job", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Container's root filesystem is not read-only", + "reference_id": "accurics.kubernetes.IAM.49", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.50.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.50.json new file mode 100755 index 000000000..7dd79ad20 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.50.json 
@@ -0,0 +1,15 @@ +{ + "name": "containerReadOnlyRootFilesystemIsFalse", + "file": "containerReadOnlyRootFilesystemIsFalse.rego", + "template_args": { + "is_init": true, + "prefix": "", + "resource_type": "kubernetes_daemonset", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Container's root filesystem is not read-only", + "reference_id": "accurics.kubernetes.IAM.50", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.51.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.51.json new file mode 100755 index 000000000..c35eb4f00 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.51.json @@ -0,0 +1,15 @@ +{ + "name": "containerReadOnlyRootFilesystemIsFalse", + "file": "containerReadOnlyRootFilesystemIsFalse.rego", + "template_args": { + "is_init": true, + "prefix": "", + "resource_type": "kubernetes_deployment", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Container's root filesystem is not read-only", + "reference_id": "accurics.kubernetes.IAM.51", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.52.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.52.json new file mode 100755 index 000000000..f219b9ed0 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.52.json 
@@ -0,0 +1,15 @@ +{ + "name": "containerReadOnlyRootFilesystemIsFalse", + "file": "containerReadOnlyRootFilesystemIsFalse.rego", + "template_args": { + "is_init": true, + "prefix": "", + "resource_type": "kubernetes_job", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Container's root filesystem is not read-only", + "reference_id": "accurics.kubernetes.IAM.52", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.53.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.53.json new file mode 100755 index 000000000..c8933aa66 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.53.json @@ -0,0 +1,15 @@ +{ + "name": "containerReadOnlyRootFilesystemIsFalse", + "file": "containerReadOnlyRootFilesystemIsFalse.rego", + "template_args": { + "is_init": true, + "prefix": "", + "resource_type": "kubernetes_pod", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Container's root filesystem is not read-only", + "reference_id": "accurics.kubernetes.IAM.53", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.54.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.54.json new file mode 100755 index 000000000..eedabc123 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.54.json 
@@ -0,0 +1,15 @@
+{
+ "name": "containerReadOnlyRootFilesystemIsFalse",
+ "file": "containerReadOnlyRootFilesystemIsFalse.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_replicaset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Container's root filesystem is not read-only",
+ "reference_id": "accurics.kubernetes.IAM.54",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.55.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.55.json
new file mode 100755
index 000000000..83896b5d5
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.55.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerReadOnlyRootFilesystemIsFalse",
+ "file": "containerReadOnlyRootFilesystemIsFalse.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_replication_controller",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Container's root filesystem is not read-only",
+ "reference_id": "accurics.kubernetes.IAM.55",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.56.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.56.json
new file mode 100755
index 000000000..6c0ee16d8
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.56.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerReadOnlyRootFilesystemIsFalse",
+ "file": "containerReadOnlyRootFilesystemIsFalse.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_stateful_set",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Container's root filesystem is not read-only",
+ "reference_id": "accurics.kubernetes.IAM.56",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/containerReadOnlyRootFilesystemIsFalse.rego b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/containerReadOnlyRootFilesystemIsFalse.rego
new file mode 100644
index 000000000..f904d5003
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/containerReadOnlyRootFilesystemIsFalse.rego
@@ -0,0 +1,110 @@
+package accurics
+
+{{- if eq .is_init true }}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "initContainers" . }}
+ initContainers.readOnlyRootFilesystem == false
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "initContainersTF" . }}
+ initContainersTF.read_only_root_filesystem == false
+}
+
+{{- else }}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "containers" . }}
+ containers.readOnlyRootFilesystem == false
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "containersTF" . }}
+ containersTF.read_only_root_filesystem == false
+}
+
+{{- end }}
+
+##################################
+### Template definitions below ###
+##################################
+{{- define "api" }}
+ api = input.{{.resource_type}}[_]
+{{- end}}
+
+# resolves path to the spec key
+{{- define "spec" }}
+ {{- template "api" . }}
+ {{- if eq .resource_type "kubernetes_pod" }}
+ spec = api.config.spec
+ {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+ spec = api.config.spec
+ {{- else if eq .resource_type "kubernetes_cron_job" }}
+ spec = api.config.spec.jobTemplate.spec.template.spec
+ {{- else }}
+ spec = api.config.spec.template.spec
+ {{- end }}
+{{- end }}
+
+# resolves path to the spec key for terraform-defined k8s resources
+{{- define "specTF" }}
+ {{- template "api" . }}
+ {{- if eq .resource_type "kubernetes_pod" }}
+ specTF = api.config.spec
+ {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+ specTF = api.config.spec
+ {{- else if eq .resource_type "kubernetes_cron_job" }}
+ specTF = api.config.spec.job_template.spec.template.spec
+ {{- else }}
+ specTF = api.config.spec.template.spec
+ {{- end }}
+{{- end }}
+
+# resolves path to the containers list
+{{- define "containers" }}
+ {{- template "spec" . }}
+ containers = spec.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context
+{{- define "containersSecurityContext" }}
+ {{- template "containers" . }}
+ containersSecurityContext = containers.securityContext
+{{- end }}
+
+# resolves path to the containers list for terraform-defined k8s resources
+{{- define "containersTF" }}
+ {{- template "specTF" . }}
+ containersTF = specTF.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context for terraform-defined k8s resources
+{{- define "containersSecurityContextTF" }}
+ {{- template "containersTF" . }}
+ containersSecurityContextTF = containers.security_context
+{{- end }}
+
+# resolves path to the initContainers list
+{{- define "initContainers" }}
+ {{- template "spec" . }}
+ initContainers = spec.initContainers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context
+{{- define "initContainersSecurityContext" }}
+ {{- template "initContainers" . }}
+ initContainersSecurityContext = initContainers.securityContext
+{{- end }}
+
+# resolves path to the initContainers list for terraform-defined k8s resources
+{{- define "initContainersTF" }}
+ {{- template "specTF" . }}
+ initContainersTF = specTF.init_containers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context for terraform-defined k8s resources
+{{- define "initContainersSecurityContextTF" }}
+ {{- template "initContainersTF" . }}
+ initContainersSecurityContextTF = initContainersTF.security_context
+{{- end }}
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.57.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.57.json
new file mode 100755
index 000000000..f079a5ab7
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.57.json
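Review bot: The rule bodies read `readOnlyRootFilesystem` directly off the container (`initContainers.readOnlyRootFilesystem == false`, and likewise in the `containers` branch), but in a Pod spec that field lives under the container's `securityContext`, so these rules will not match real manifests; the template even defines `initContainersSecurityContext`/`containersSecurityContext` for that path and never uses them. Matching only an explicit `false` also misses the default case: when the field is omitted the root filesystem is writable, which is exactly what the description "Container's root filesystem is not read-only" says should be reported. I would change each body to `not initContainers.securityContext.readOnlyRootFilesystem` (and `not initContainersTF.security_context.read_only_root_filesystem` for the Terraform variant, assuming the normalizer exposes the `security_context` block as an object rather than a list — worth confirming), with the same change in the `containers` branch. Separately, the `containersSecurityContextTF` define reads `containers.security_context` where only `containersTF` is bound in that scope; it should be `containersSecurityContextTF = containersTF.security_context`, otherwise any policy that invokes it fails Rego's safety check on the unbound `containers`, and the same slip is repeated in the sibling template.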
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_cron_job",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.57",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.58.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.58.json
new file mode 100755
index 000000000..5782805f9
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.58.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_daemonset",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.58",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.59.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.59.json
new file mode 100755
index 000000000..c57f57c8a
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.59.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_deployment",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.59",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.60.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.60.json
new file mode 100755
index 000000000..612247dbb
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.60.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_job",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.60",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.61.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.61.json
new file mode 100755
index 000000000..4a101e0a5
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.61.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_pod",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.61",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.62.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.62.json
new file mode 100755
index 000000000..6637ea307
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.62.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_replicaset",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.62",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.63.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.63.json
new file mode 100755
index 000000000..6caad5ad2
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.63.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_replication_controller",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.63",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.64.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.64.json
new file mode 100755
index 000000000..1e259ce23
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.64.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_stateful_set",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.64",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.65.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.65.json
new file mode 100755
index 000000000..a9416462d
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.65.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_cron_job",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.65",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.66.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.66.json
new file mode 100755
index 000000000..092d8d2a0
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.66.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_daemonset",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.66",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.67.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.67.json
new file mode 100755
index 000000000..39d1101c2
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.67.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_deployment",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.67",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.68.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.68.json
new file mode 100755
index 000000000..4cb38c74b
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.68.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_job",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.68",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.69.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.69.json
new file mode 100755
index 000000000..15f21c174
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.69.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_pod",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.69",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.70.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.70.json
new file mode 100755
index 000000000..642dab2bd
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.70.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_replicaset",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.70",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.71.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.71.json
new file mode 100755
index 000000000..c50c1d323
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.71.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_replication_controller",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.71",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.72.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.72.json
new file mode 100755
index 000000000..f7cc0ac53
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.72.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_stateful_set",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.72",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/containerUsesSecretsInEnvironmentVar.rego b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/containerUsesSecretsInEnvironmentVar.rego
new file mode 100644
index 000000000..f1d9d63db
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/containerUsesSecretsInEnvironmentVar.rego
@@ -0,0 +1,114 @@
+package accurics
+
+{{- if eq .is_init true }}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "initContainers" . }}
+ envVars := initContainers.env[_]
+ envVars.valueFrom.secretKeyRef
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "initContainersTF" . }}
+ envVars := initContainersTF.env[_]
+ envVars.valueFrom.secretKeyRef
+}
+
+{{- else }}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "containers" . }}
+ envVars := containers.env[_]
+ envVars.valueFrom.secretKeyRef
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "containersTF" . }}
+ envVars := containersTF.env[_]
+ envVars.valueFrom.secretKeyRef
+}
+
+{{- end }}
+
+##################################
+### Template definitions below ###
+##################################
+{{- define "api" }}
+ api = input.{{.resource_type}}[_]
+{{- end}}
+
+# resolves path to the spec key
+{{- define "spec" }}
+ {{- template "api" . }}
+ {{- if eq .resource_type "kubernetes_pod" }}
+ spec = api.config.spec
+ {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+ spec = api.config.spec
+ {{- else if eq .resource_type "kubernetes_cron_job" }}
+ spec = api.config.spec.jobTemplate.spec.template.spec
+ {{- else }}
+ spec = api.config.spec.template.spec
+ {{- end }}
+{{- end }}
+
+# resolves path to the spec key for terraform-defined k8s resources
+{{- define "specTF" }}
+ {{- template "api" . }}
+ {{- if eq .resource_type "kubernetes_pod" }}
+ specTF = api.config.spec
+ {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+ specTF = api.config.spec
+ {{- else if eq .resource_type "kubernetes_cron_job" }}
+ specTF = api.config.spec.job_template.spec.template.spec
+ {{- else }}
+ specTF = api.config.spec.template.spec
+ {{- end }}
+{{- end }}
+
+# resolves path to the containers list
+{{- define "containers" }}
+ {{- template "spec" . }}
+ containers = spec.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context
+{{- define "containersSecurityContext" }}
+ {{- template "containers" . }}
+ containersSecurityContext = containers.securityContext
+{{- end }}
+
+# resolves path to the containers list for terraform-defined k8s resources
+{{- define "containersTF" }}
+ {{- template "specTF" . }}
+ containersTF = specTF.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context for terraform-defined k8s resources
+{{- define "containersSecurityContextTF" }}
+ {{- template "containersTF" . }}
+ containersSecurityContextTF = containers.security_context
+{{- end }}
+
+# resolves path to the initContainers list
+{{- define "initContainers" }}
+ {{- template "spec" . }}
+ initContainers = spec.initContainers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context
+{{- define "initContainersSecurityContext" }}
+ {{- template "initContainers" . }}
+ initContainersSecurityContext = initContainers.securityContext
+{{- end }}
+
+# resolves path to the initContainers list for terraform-defined k8s resources
+{{- define "initContainersTF" }}
+ {{- template "specTF" . }}
+ initContainersTF = specTF.init_containers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context for terraform-defined k8s resources
+{{- define "initContainersSecurityContextTF" }}
+ {{- template "initContainersTF" . }}
+ initContainersSecurityContextTF = initContainersTF.security_context
+{{- end }}
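Review bot: The Terraform-side rules test `envVars.valueFrom.secretKeyRef`, the same camelCase path as the YAML rules, while every other Terraform path in this template is snake_cased (`init_containers`, `job_template`, `security_context`); the Terraform kubernetes provider spells these blocks `value_from` and `secret_key_ref`, so as written the `*TF` rule bodies should never match a Terraform-defined container. Change both Terraform bodies to `envVars.value_from.secret_key_ref`, and confirm against the normalizer's output whether nested blocks arrive as objects or single-element lists before relying on the dotted path. The policy also only looks at `env[].valueFrom.secretKeyRef`; a container that imports an entire Secret into its environment via `envFrom[].secretRef` (`env_from[].secret_ref` in Terraform) exposes secrets in environment variables exactly as the description says, and is not reported — an additional body with `envFrom := initContainers.envFrom[_]` followed by `envFrom.secretRef` (and the `containers`/TF equivalents) would close that gap. The `containersSecurityContextTF` define here likewise reads `containers.security_context` where only `containersTF` is bound; it should be `containersSecurityContextTF = containersTF.security_context`.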