From 293a98e9d84d5f3f5779d068c2e356f69873ea09 Mon Sep 17 00:00:00 2001 
From: Willie Sana Date: Thu, 14 Jan 2021 16:18:12 -0800 Subject: [PATCH 1/4] policy update 2021-01-14 37 rule(s) added 0 rule(s) deleted 65 file(s) added 0 file(s) modified 0 file(s) deleted --- .../AC-K8-NS-IN-H-0020.json | 14 ++ .../rego/k8s/kubernetes_ingress/noHttps.rego | 12 ++ .../AC-K8-OE-NS-L-0128.json | 14 ++ .../kubernetes_namespace/noOwnerLabel.rego | 11 + .../kubernetes_pod/AC-K8-CA-PO-H-0165.json | 21 ++ .../kubernetes_pod/AC-K8-DS-PO-M-0176.json | 14 ++ .../kubernetes_pod/AC-K8-DS-PO-M-0177.json | 14 ++ .../kubernetes_pod/AC-K8-IA-PO-H-0137.json | 14 ++ .../kubernetes_pod/AC-K8-IA-PO-H-0138.json | 14 ++ .../kubernetes_pod/AC-K8-IA-PO-H-0168.json | 21 ++ .../kubernetes_pod/AC-K8-IA-PO-M-0105.json | 14 ++ .../kubernetes_pod/AC-K8-IA-PO-M-0135.json | 14 ++ .../kubernetes_pod/AC-K8-IA-PO-M-0139.json | 14 ++ .../kubernetes_pod/AC-K8-IA-PO-M-0140.json | 21 ++ .../kubernetes_pod/AC-K8-IA-PO-M-0141.json | 14 ++ .../kubernetes_pod/AC-K8-IA-PO-M-0143.json | 22 ++ .../kubernetes_pod/AC-K8-IA-PO-M-0162.json | 16 ++ .../kubernetes_pod/AC-K8-IA-PS-M-0112.json | 15 ++ .../kubernetes_pod/AC-K8-NS-PO-H-0117.json | 14 ++ .../kubernetes_pod/AC-K8-NS-PO-H-0170.json | 14 ++ .../kubernetes_pod/AC-K8-NS-PO-M-0122.json | 14 ++ .../kubernetes_pod/AC-K8-NS-PO-M-0133.json | 14 ++ .../kubernetes_pod/AC-K8-NS-PO-M-0163.json | 16 ++ .../kubernetes_pod/AC-K8-NS-PO-M-0164.json | 16 ++ .../kubernetes_pod/AC-K8-NS-PO-M-0171.json | 17 ++ .../kubernetes_pod/AC-K8-NS-PO-M-0182.json | 14 ++ .../kubernetes_pod/AC-K8-OE-PK-M-0034.json | 19 ++ .../kubernetes_pod/AC-K8-OE-PK-M-0155.json | 21 ++ .../kubernetes_pod/AC-K8-OE-PK-M-0156.json | 21 ++ .../kubernetes_pod/AC-K8-OE-PK-M-0157.json | 21 ++ .../kubernetes_pod/AC-K8-OE-PK-M-0158.json | 21 ++ .../kubernetes_pod/AC-K8-OE-PO-L-0129.json | 16 ++ .../kubernetes_pod/AC-K8-OE-PO-L-0130.json | 16 ++ .../kubernetes_pod/AC-K8-OE-PO-L-0134.json | 14 ++ .../kubernetes_pod/AC-K8-OE-PO-M-0166.json | 14 ++ .../k8s/kubernetes_pod/allowedHostPath.rego | 
107 ++++++++++ .../k8s/kubernetes_pod/allowedProcMount.rego | 126 +++++++++++ .../k8s/kubernetes_pod/allowedVolumes.rego | 58 ++++++ .../k8s/kubernetes_pod/appArmorProfile.rego | 108 ++++++++++ .../kubernetes_pod/autoMountTokenEnabled.rego | 33 +++ .../k8s/kubernetes_pod/capSysAdminUsed.rego | 69 ++++++ .../k8s/kubernetes_pod/capabilityUsed.rego | 74 +++++++ .../rego/k8s/kubernetes_pod/commandCheck.rego | 14 ++ .../kubernetes_pod/containersAsHighUID.rego | 102 +++++++++ .../kubernetes_pod/disallowedSysCalls.rego | 51 +++++ .../k8s/kubernetes_pod/dockerSockCheck.rego | 35 ++++ .../kubernetes_pod/imageWithLatestTag.rego | 196 ++++++++++++++++++ .../kubernetes_pod/imageWithoutDigest.rego | 105 ++++++++++ .../kubernetes_pod/kubeDashboardEnabled.rego | 6 + .../k8s/kubernetes_pod/otherNamespace.rego | 20 ++ .../rego/k8s/kubernetes_pod/probeCheck.rego | 68 ++++++ .../k8s/kubernetes_pod/secCompProfile.rego | 153 ++++++++++++++ .../kubernetes_pod/secretsAsEnvVariables.rego | 75 +++++++ .../kubernetes_pod/securityContextCheck.rego | 76 +++++++ .../kubernetes_pod/securityContextUsed.rego | 103 +++++++++ .../k8s/kubernetes_pod/specBoolCheck.rego | 36 ++++ .../k8s/kubernetes_pod/tillerDeployed.rego | 35 ++++ .../kubernetes_role/AC-K8-IA-RO-H-0104.json | 14 ++ .../defaultServiceAccountUsed.rego | 13 ++ .../AC-K8-NS-SE-M-0185.json | 14 ++ .../AC-K8-NS-SE-M-0188.json | 14 ++ .../AC-K8-NS-SV-L-0132.json | 14 ++ .../kubernetes_service/ensurePrivateIP.rego | 16 ++ .../rego/k8s/kubernetes_service/nodePort.rego | 7 + .../tillerServiceDeleted.rego | 6 + 65 files changed, 2309 insertions(+) create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_ingress/AC-K8-NS-IN-H-0020.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_ingress/noHttps.rego create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_namespace/AC-K8-OE-NS-L-0128.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_namespace/noOwnerLabel.rego create mode 100755 
pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-CA-PO-H-0165.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0176.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0177.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0137.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0138.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0168.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0105.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0135.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0139.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0140.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0141.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0143.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0162.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PS-M-0112.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0117.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0170.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0122.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0133.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0163.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0164.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0171.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0182.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0034.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0155.json 
create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0156.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0157.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0158.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0129.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0130.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0134.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-M-0166.json create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/allowedHostPath.rego create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/allowedProcMount.rego create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/allowedVolumes.rego create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/appArmorProfile.rego create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/autoMountTokenEnabled.rego create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/capSysAdminUsed.rego create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/capabilityUsed.rego create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/commandCheck.rego create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/containersAsHighUID.rego create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/disallowedSysCalls.rego create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/dockerSockCheck.rego create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/imageWithLatestTag.rego create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/imageWithoutDigest.rego create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/kubeDashboardEnabled.rego create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/otherNamespace.rego create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/probeCheck.rego create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/secCompProfile.rego create mode 100755 
pkg/policies/opa/rego/k8s/kubernetes_pod/secretsAsEnvVariables.rego
create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/securityContextCheck.rego
create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/securityContextUsed.rego
create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/specBoolCheck.rego
create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/tillerDeployed.rego
create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_role/AC-K8-IA-RO-H-0104.json
create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_role/defaultServiceAccountUsed.rego
create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SE-M-0185.json
create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SE-M-0188.json
create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SV-L-0132.json
create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_service/ensurePrivateIP.rego
create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_service/nodePort.rego
create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_service/tillerServiceDeleted.rego
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_ingress/AC-K8-NS-IN-H-0020.json b/pkg/policies/opa/rego/k8s/kubernetes_ingress/AC-K8-NS-IN-H-0020.json
new file mode 100755
index 000000000..30181cec1
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_ingress/AC-K8-NS-IN-H-0020.json
@@ -0,0 +1,14 @@
+{
+ "name": "noHttps",
+ "file": "noHttps.rego",
+ "template_args": {
+ "name": "noHttps",
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "TLS disabled can affect the confidentiality of the data in transit",
+ "reference_id": "AC-K8-NS-IN-H-0020",
+ "category": "Network Security",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_ingress/noHttps.rego b/pkg/policies/opa/rego/k8s/kubernetes_ingress/noHttps.rego
new file mode 100755
index 000000000..a672524a1
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_ingress/noHttps.rego
@@ -0,0 +1,12 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[ingress.id] {
+ ingress = input.kubernetes_ingress[_]
+ re_match("^(extensions|networking.k8s.io)", ingress.config.apiVersion) #can be from two apis "extensions", "networking.k8s.io"
+ not https_complete(ingress.config)
+}
+##two conditions ingress spec should have a tls key map and annotation kubernetes.io/ingress.allow-http = false
+https_complete(arg) = true {
+ object.get(arg.spec, "tls", "undefined") != "undefined"
+ arg.metadata.annotations["kubernetes.io/ingress.allow-http"] == "false"
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_namespace/AC-K8-OE-NS-L-0128.json b/pkg/policies/opa/rego/k8s/kubernetes_namespace/AC-K8-OE-NS-L-0128.json
new file mode 100755
index 000000000..2cff9d315
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_namespace/AC-K8-OE-NS-L-0128.json
@@ -0,0 +1,14 @@
+{
+ "name": "noOwnerLabel",
+ "file": "noOwnerLabel.rego",
+ "template_args": {
+ "name": "noOwnerLabel",
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "No owner for namespace affects the operations",
+ "reference_id": "AC-K8-OE-NS-L-0128",
+ "category": "Operational Efficiency",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_namespace/noOwnerLabel.rego b/pkg/policies/opa/rego/k8s/kubernetes_namespace/noOwnerLabel.rego
new file mode 100755
index 000000000..5bb59e54a
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_namespace/noOwnerLabel.rego
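Review bot: `https_complete` accepts an empty `tls: []` list, because `object.get(arg.spec, "tls", "undefined") != "undefined"` only tests that the key exists; `count(arg.spec.tls) > 0` would pin the intent of "TLS configured". The second condition hard-codes the `kubernetes.io/ingress.allow-http` annotation, which as far as I know is honoured only by the GKE ingress controller, so Ingresses with a valid TLS block on other controllers will be flagged and an `ssl-redirect`-style annotation will never satisfy the rule — a comment such as `# assumes GKE ingress controller; allow-http annotation is GKE-specific` would make that assumption explicit. Minor: the dots in `re_match("^(extensions|networking.k8s.io)", ...)` are unescaped regex metacharacters; `"^(extensions|networking\\.k8s\\.io)"` matches what the trailing comment says.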
@@ -0,0 +1,11 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[namespace.id] {
+ namespace := input.kubernetes_namespace[_]
+ object.get(namespace.config.metadata, "labels", "undefined") == "undefined"
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[namespace.id] {
+ namespace := input.kubernetes_namespace[_]
+ object.get(namespace.config.metadata.labels, "owner", "undefined") == "undefined"
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-CA-PO-H-0165.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-CA-PO-H-0165.json
new file mode 100755
index 000000000..24409fb1c
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-CA-PO-H-0165.json
@@ -0,0 +1,21 @@
+{
+ "name": "privilegeEscalationCheck",
+ "file": "securityContextCheck.rego",
+ "template_args": {
+ "allowed": "false",
+ "arg1": "cpu",
+ "arg2": "limits",
+ "name": "privilegeEscalationCheck",
+ "not_allowed": "true",
+ "param": "allowPrivilegeEscalation",
+ "param1": "securityContext",
+ "prefix": "",
+ "suffix": "",
+ "value": "true"
+ },
+ "severity": "HIGH",
+ "description": "Containers Should Not Run with AllowPrivilegeEscalation",
+ "reference_id": "AC-K8-CA-PO-H-0165",
+ "category": "Cloud Assets Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0176.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0176.json
new file mode 100755
index 000000000..d0bff541c
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0176.json
@@ -0,0 +1,14 @@
+{
+ "name": "kubeDashboardEnabled",
+ "file": "kubeDashboardEnabled.rego",
+ "template_args": {
+ "name": "kubeDashboardEnabled",
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Kubernetes Dashboard Is Not Deployed",
+ "reference_id": "AC-K8-DS-PO-M-0176",
+ "category": "Data Security",
+ "version": 1
+}
\ No newline at end of file
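Review bot: The second rule treats an `owner` label with an empty value as compliant, since `object.get(namespace.config.metadata.labels, "owner", "undefined")` returns `""`, which is `!= "undefined"`; `object.get(namespace.config.metadata.labels, "owner", "") == ""` would catch both the missing key and the empty value in one rule. A label is free-form metadata that anyone with write access to the Namespace can set, so this rule only proves presence, not accountability — a comment such as `# presence check only; the owner value is not validated` would set expectations for readers of the findings.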
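Review bot: `"arg1": "cpu"` and `"arg2": "limits"` on a privilege-escalation rule look like residue copied from the resource-request/limit policies (0155–0158, later in this patch) rather than inputs `securityContextCheck.rego` needs here; if the shared template ignores them this is only confusing, but if it reads them the rule evaluates a resources path instead of `securityContext`. `"value": "true"` also suggests the rule fires only on an explicit `allowPrivilegeEscalation: true`, whereas Kubernetes defaults the field to true when it is omitted, so the common insecure manifest is the one with no field at all. securityContextCheck.rego is not in this hunk, so how absence is handled is inferred — a test fixture with the field omitted would settle it.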
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0177.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0177.json new file mode 100755 index 000000000..d8a40cc5e --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0177.json @@ -0,0 +1,14 @@ +{ + "name": "tillerDeployed", + "file": "tillerDeployed.rego", + "template_args": { + "name": "tillerDeployed", + "prefix": "", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Ensure That Tiller (Helm V2) Is Not Deployed", + "reference_id": "AC-K8-DS-PO-M-0177", + "category": "Data Security", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0137.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0137.json new file mode 100755 index 000000000..71f74c306 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0137.json @@ -0,0 +1,14 @@ +{ + "name": "disallowedSysCalls", + "file": "disallowedSysCalls.rego", + "template_args": { + "name": "disallowedSysCalls", + "prefix": "", + "suffix": "" + }, + "severity": "HIGH", + "description": "Allowing the pod to make system level calls provide access to host/node sensitive information", + "reference_id": "AC-K8-IA-PO-H-0137", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0138.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0138.json new file mode 100755 index 000000000..16cfd6d99 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0138.json 
@@ -0,0 +1,14 @@ +{ + "name": "allowedHostPath", + "file": "allowedHostPath.rego", + "template_args": { + "name": "allowedHostPath", + "prefix": "", + "suffix": "" + }, + "severity": "HIGH", + "description": "Allowing hostPaths to mount to Pod arise the probability of getting access to the node's filesystem", + "reference_id": "AC-K8-IA-PO-H-0138", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0168.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0168.json new file mode 100755 index 000000000..f7c9d5424 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0168.json @@ -0,0 +1,21 @@ +{ + "name": "runAsNonRootCheck", + "file": "securityContextCheck.rego", + "template_args": { + "allowed": "false", + "arg1": "cpu", + "arg2": "limits", + "name": "runAsNonRootCheck", + "not_allowed": "true", + "param": "runAsNonRoot", + "param1": "securityContext", + "prefix": "", + "suffix": "", + "value": "false" + }, + "severity": "HIGH", + "description": "Minimize Admission of Root Containers", + "reference_id": "AC-K8-IA-PO-H-0168", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0105.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0105.json new file mode 100755 index 000000000..6f9be71f1 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0105.json @@ -0,0 +1,14 @@ +{ + "name": "autoMountTokenEnabled", + "file": "autoMountTokenEnabled.rego", + "template_args": { + "name": "autoMountTokenEnabled", + "prefix": "", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Ensure that Service Account Tokens are only mounted where necessary", + "reference_id": "AC-K8-IA-PO-M-0105", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file 
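Review bot: `"value": "false"` implies `runAsNonRootCheck` matches only an explicit `runAsNonRoot: false`; the field is unset by default and unset permits running as UID 0, so omission — the usual case — would pass unless securityContextCheck.rego treats a missing field as a violation (that file is not in this hunk). `"arg1": "cpu"` / `"arg2": "limits"` are unrelated to a root check and appear to be copied from the resource rules, as in 0165 earlier in this patch. Consider a fixture with no `securityContext` at all to confirm the rule still fires.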
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0135.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0135.json new file mode 100755 index 000000000..d7befdd86 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0135.json @@ -0,0 +1,14 @@ +{ + "name": "appArmorProfile", + "file": "appArmorProfile.rego", + "template_args": { + "name": "appArmorProfile", + "prefix": "", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "AppArmor profile not set to default or custom profile will make the container vulnerable to kernel level threats", + "reference_id": "AC-K8-IA-PO-M-0135", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0139.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0139.json new file mode 100755 index 000000000..5a22d3f4e --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0139.json @@ -0,0 +1,14 @@ +{ + "name": "allowedProcMount", + "file": "allowedProcMount.rego", + "template_args": { + "name": "allowedProcMount", + "prefix": "", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Unmasking the procMount will allow more information than is necessary to the program running in the containers spawned by k8s", + "reference_id": "AC-K8-IA-PO-M-0139", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0140.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0140.json new file mode 100755 index 000000000..10fad68ae --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0140.json 
@@ -0,0 +1,21 @@ +{ + "name": "readOnlyFileSystem", + "file": "securityContextCheck.rego", + "template_args": { + "allowed": "false", + "arg1": "limits", + "arg2": "cpu", + "name": "readOnlyFileSystem", + "not_allowed": "true", + "param": "readOnlyRootFilesystem", + "param1": "securityContext", + "prefix": "", + "suffix": "", + "value": "false" + }, + "severity": "MEDIUM", + "description": "Container images with readOnlyRootFileSystem set as false mounts the container root file system with write permissions", + "reference_id": "AC-K8-IA-PO-M-0140", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0141.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0141.json new file mode 100755 index 000000000..5293c73bf --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0141.json @@ -0,0 +1,14 @@ +{ + "name": "secCompProfile", + "file": "secCompProfile.rego", + "template_args": { + "name": "secCompProfile", + "prefix": "", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Default seccomp profile not enabled will make the container to make non-essential system calls", + "reference_id": "AC-K8-IA-PO-M-0141", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0143.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0143.json new file mode 100755 index 000000000..07843f8bf --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0143.json 
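Review bot: `readOnlyRootFilesystem` defaults to false when omitted, so matching `"value": "false"` catches only manifests that spell the insecure setting out; a container with no `securityContext` gets a writable root filesystem and, as far as this metadata shows, no finding. Whether securityContextCheck.rego treats absence as a violation cannot be confirmed from this hunk. The description could also be tightened: `"Containers with readOnlyRootFilesystem unset or false mount the root filesystem read-write"`.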
@@ -0,0 +1,22 @@ +{ + "name": "allowedVolumes", + "file": "allowedVolumes.rego", + "template_args": { + "name": "allowedVolumes", + "prefix": "", + "secure_volumes": [ + "configMap", + "emptyDir", + "projected", + "secret", + "downwardAPI", + "persistentVolumeClaim" + ], + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Some volume types mount the host file system paths to the pod or container, thus increasing the chance of escaping the container to access the host", + "reference_id": "AC-K8-IA-PO-M-0143", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0162.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0162.json new file mode 100755 index 000000000..a98195db9 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0162.json @@ -0,0 +1,16 @@ +{ + "name": "falseHostPID", + "file": "specBoolCheck.rego", + "template_args": { + "name": "falseHostPID", + "param": "hostPID", + "prefix": "", + "suffix": "", + "value": "true" + }, + "severity": "MEDIUM", + "description": "Containers Should Not Share Host Process ID Namespace", + "reference_id": "AC-K8-IA-PO-M-0162", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PS-M-0112.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PS-M-0112.json new file mode 100755 index 000000000..11f59e9a7 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PS-M-0112.json 
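Review bot: The `secure_volumes` allow-list treats `persistentVolumeClaim` as safe, but a PVC can be bound to a `hostPath` or `local` PersistentVolume and then exposes node filesystem paths exactly like the volume types this rule is meant to exclude; the list mirrors the PSP restricted baseline, so it is defensible, but a comment such as `// PVC accepted as-is; the backing PV type is not inspected` would stop readers assuming otherwise. `projected` volumes can likewise carry a `serviceAccountToken` source, which overlaps with the autoMountTokenEnabled rule in this same patch and is worth cross-referencing in the description.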
@@ -0,0 +1,15 @@ +{ + "name": "netRawCapabilityUsed", + "file": "capabilityUsed.rego", + "template_args": { + "attribute": "requiredDropCapabilities", + "name": "netRawCapabilityUsed", + "prefix": "", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Minimize the admission of containers with the NET_RAW capability", + "reference_id": "AC-K8-IA-PS-M-0112", + "category": "Identity and Access Management", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0117.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0117.json new file mode 100755 index 000000000..23c8d904d --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0117.json @@ -0,0 +1,14 @@ +{ + "name": "secretsAsEnvVariables", + "file": "secretsAsEnvVariables.rego", + "template_args": { + "name": "secretsAsEnvVariables", + "prefix": "", + "suffix": "" + }, + "severity": "HIGH", + "description": "Prefer using secrets as files over secrets as environment variables", + "reference_id": "AC-K8-NS-PO-H-0117", + "category": "Network Security", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0170.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0170.json new file mode 100755 index 000000000..b211361a6 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0170.json @@ -0,0 +1,14 @@ +{ + "name": "capSysAdminUsed", + "file": "capSysAdminUsed.rego", + "template_args": { + "name": "capSysAdminUsed", + "prefix": "", + "suffix": "" + }, + "severity": "HIGH", + "description": "Do Not Use CAP_SYS_ADMIN Linux Capability", + "reference_id": "AC-K8-NS-PO-H-0170", + "category": "Network Security", + "version": 1 +} \ No newline at end of file 
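Review bot: `"attribute": "requiredDropCapabilities"` is a PodSecurityPolicy field, yet this rule is filed under `kubernetes_pod` (and its reference_id uses `PS`, unlike the `PO` siblings); for Pods the relevant path is each container's `securityContext.capabilities.drop`. capabilityUsed.rego is not in this hunk, so I cannot tell which resource it reads — if it is pod-scoped, a manifest that simply omits the drop list (NET_RAW is in the default capability set) would pass, and if it is PSP-scoped the file location is misleading. Also, `secretsAsEnvVariables` and `capSysAdminUsed` in this hunk are categorised `"Network Security"`, which describes neither control and will misfile them in category-filtered reports.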
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0122.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0122.json new file mode 100755 index 000000000..43ba2432f --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0122.json @@ -0,0 +1,14 @@ +{ + "name": "securityContextUsed", + "file": "securityContextUsed.rego", + "template_args": { + "name": "securityContextUsed", + "prefix": "", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Apply Security Context to Your Pods and Containers", + "reference_id": "AC-K8-NS-PO-M-0122", + "category": "Network Security", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0133.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0133.json new file mode 100755 index 000000000..804a12ed4 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0133.json @@ -0,0 +1,14 @@ +{ + "name": "imageWithoutDigest", + "file": "imageWithoutDigest.rego", + "template_args": { + "name": "imageWithoutDigest", + "prefix": "", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Image without digest affects the integrity principle of image security", + "reference_id": "AC-K8-NS-PO-M-0133", + "category": "Network Security", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0163.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0163.json new file mode 100755 index 000000000..e96b364da --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0163.json 
@@ -0,0 +1,16 @@ +{ + "name": "falseHostIPC", + "file": "specBoolCheck.rego", + "template_args": { + "name": "falseHostIPC", + "param": "hostIPC", + "prefix": "", + "suffix": "", + "value": "true" + }, + "severity": "MEDIUM", + "description": "Containers Should Not Share Host IPC Namespace", + "reference_id": "AC-K8-NS-PO-M-0163", + "category": "Network Security", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0164.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0164.json new file mode 100755 index 000000000..5c893ce0b --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0164.json @@ -0,0 +1,16 @@ +{ + "name": "falseHostNetwork", + "file": "specBoolCheck.rego", + "template_args": { + "name": "falseHostNetwork", + "param": "hostNetwork", + "prefix": "", + "suffix": "", + "value": "true" + }, + "severity": "MEDIUM", + "description": "Containers Should Not Share the Host Network Namespace", + "reference_id": "AC-K8-NS-PO-M-0164", + "category": "Network Security", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0171.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0171.json new file mode 100755 index 000000000..df493d82c --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0171.json @@ -0,0 +1,17 @@ +{ + "name": "dontConnectDockerSock", + "file": "dockerSockCheck.rego", + "template_args": { + "attrib": "spec.volumes[_].hostPath", + "name": "dontConnectDockerSock", + "param": "path", + "prefix": "", + "suffix": "", + "value": "/var/run/docker" + }, + "severity": "MEDIUM", + "description": "Restrict Mounting Docker Socket in a Container", + "reference_id": "AC-K8-NS-PO-M-0171", + "category": "Network Security", + "version": 1 +} \ No newline at end of file 
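Review bot: `"value": "/var/run/docker"` only covers the Docker socket under its `/var/run` spelling; on most distributions `/var/run` is a symlink to `/run`, so `hostPath: /run/docker.sock` mounts the same socket and would pass, as would the containerd (`/run/containerd/containerd.sock`) and CRI-O (`/var/run/crio/crio.sock`) sockets, which grant equivalent node-level control. dockerSockCheck.rego is not in this hunk, so whether `value` is a prefix or exact match is inferred. Consider a list of path prefixes or a second rule for the `/run/...` forms, and a description that says what is protected: `"Restrict mounting container runtime sockets (docker, containerd, cri-o) in a container"`.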
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0182.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0182.json new file mode 100755 index 000000000..224310674 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0182.json @@ -0,0 +1,14 @@ +{ + "name": "containersAsHighUID", + "file": "containersAsHighUID.rego", + "template_args": { + "name": "containersAsHighUID", + "prefix": "", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "Containers Should Run as a High UID to Avoid Host Conflict", + "reference_id": "AC-K8-NS-PO-M-0182", + "category": "Network Security", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0034.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0034.json new file mode 100755 index 000000000..6340d311e --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0034.json @@ -0,0 +1,19 @@ +{ + "name": "alwaysPullImages", + "file": "commandCheck.rego", + "template_args": { + "argument": "--enable-admission-plugins", + "name": "alwaysPullImages", + "negation": "", + "optional": "", + "param": "AlwaysPullImages", + "prefix": "", + "presence": "not", + "suffix": "" + }, + "severity": "MEDIUM", + "description": "AlwaysPullImages plugin is not set", + "reference_id": "AC-K8-OE-PK-M-0034", + "category": "Operational Efficiency", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0155.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0155.json new file mode 100755 index 000000000..aebef8612 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0155.json 
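Review bot: This rule inspects `--enable-admission-plugins` on a command line, i.e. the kube-apiserver static-pod manifest, so it can only fire on self-hosted/kubeadm control planes whose manifests are part of the scanned input; on managed clusters it passes silently, which the description should say, e.g. `"AlwaysPullImages admission plugin is not enabled on kube-apiserver (self-hosted control planes only)"`. `"presence": "not"` with `"param": "AlwaysPullImages"` also implies a textual match; the flag is normally a comma-separated list (`--enable-admission-plugins=NodeRestriction,AlwaysPullImages`), so the match needs to be element-wise rather than whole-value — commandCheck.rego is not in this hunk, so that is inferred.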
@@ -0,0 +1,21 @@ +{ + "name": "CpuRequestsCheck", + "file": "securityContextCheck.rego", + "template_args": { + "allowed": "true", + "arg1": "requests", + "arg2": "cpu", + "name": "CpuRequestsCheck", + "not_allowed": "false", + "param": "resources", + "param1": "resources", + "prefix": "", + "suffix": "", + "value": "false" + }, + "severity": "Medium", + "description": "CPU Request Not Set in config file.", + "reference_id": "AC-K8-OE-PK-M-0155", + "category": "Operational Efficiency", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0156.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0156.json new file mode 100755 index 000000000..c74835c6e --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0156.json @@ -0,0 +1,21 @@ +{ + "name": "CpulimitsCheck", + "file": "securityContextCheck.rego", + "template_args": { + "allowed": "true", + "arg1": "limits", + "arg2": "cpu", + "name": "CpulimitsCheck", + "not_allowed": "false", + "param": "limits", + "param1": "resources", + "prefix": "", + "suffix": "", + "value": "false" + }, + "severity": "Medium", + "description": "CPU Limits Not Set in config file.", + "reference_id": "AC-K8-OE-PK-M-0156", + "category": "Operational Efficiency", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0157.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0157.json new file mode 100755 index 000000000..691b58895 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0157.json 
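Review bot: `"severity": "Medium"` here and in 0156 (and 0157/0158 on the next hunks) differs in case from every other rule in this patch, which uses `"MEDIUM"`; if severity is compared or filtered case-sensitively downstream these four rules will be dropped from or misbucketed in reports. Normalise to `"severity": "MEDIUM"`. The `"param"` values are also inconsistent between the pair — `"param": "resources"` with `"arg1": "requests"` versus `"param": "limits"` with `"arg1": "limits"` — which may be intentional template plumbing, but securityContextCheck.rego is not in this hunk so I cannot confirm.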
@@ -0,0 +1,21 @@ +{ + "name": "MemoryRequestsCheck", + "file": "securityContextCheck.rego", + "template_args": { + "allowed": "true", + "arg1": "requests", + "arg2": "memory", + "name": "MemoryRequestsCheck", + "not_allowed": "false", + "param": "resources", + "param1": "resources", + "prefix": "", + "suffix": "", + "value": "false" + }, + "severity": "Medium", + "description": "Memory Request Not Set in config file.", + "reference_id": "AC-K8-OE-PK-M-0157", + "category": "Operational Efficiency", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0158.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0158.json new file mode 100755 index 000000000..7ab678c76 --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0158.json @@ -0,0 +1,21 @@ +{ + "name": "MemorylimitsCheck", + "file": "securityContextCheck.rego", + "template_args": { + "allowed": "true", + "arg1": "limits", + "arg2": "memory", + "name": "MemorylimitsCheck", + "not_allowed": "false", + "param": "limits", + "param1": "resources", + "prefix": "", + "suffix": "", + "value": "false" + }, + "severity": "Medium", + "description": "Memory Limits Not Set in config file.", + "reference_id": "AC-K8-OE-PK-M-0158", + "category": "Operational Efficiency", + "version": 1 +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0129.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0129.json new file mode 100755 index 000000000..9ce09380f --- /dev/null +++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0129.json 
@@ -0,0 +1,16 @@
+{
+ "name": "nolivenessProbe",
+ "file": "probeCheck.rego",
+ "template_args": {
+ "argument": "livenessProbe",
+ "argumentTF": "liveness_probe",
+ "name": "nolivenessProbe",
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "No liveness probe will ensure there is no recovery in case of unexpected errors",
+ "reference_id": "AC-K8-OE-PO-L-0129",
+ "category": "Operational Efficiency",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0130.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0130.json
new file mode 100755
index 000000000..a0e4058fd
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0130.json
@@ -0,0 +1,16 @@
+{
+ "name": "noReadinessProbe",
+ "file": "probeCheck.rego",
+ "template_args": {
+ "argument": "readinessProbe",
+ "argumentTF": "readiness_probe",
+ "name": "noReadinessProbe",
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "No readiness probe will affect automatic recovery in case of unexpected errors",
+ "reference_id": "AC-K8-OE-PO-L-0130",
+ "category": "Operational Efficiency",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0134.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0134.json
new file mode 100755
index 000000000..83eec4e4d
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0134.json
@@ -0,0 +1,14 @@
+{
+ "name": "imageWithLatestTag",
+ "file": "imageWithLatestTag.rego",
+ "template_args": {
+ "name": "imageWithLatestTag",
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "No tag or container image with :Latest tag makes difficult to rollback and track",
+ "reference_id": "AC-K8-OE-PO-L-0134",
+ "category": "Operational Efficiency",
+ "version": 1
+}
\ No newline at end of file
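Review bot: The 0129 description, "No liveness probe will ensure there is no recovery in case of unexpected errors", reads as if the finding guarantees a failure rather than describing a risk; something like `"Missing liveness probe: the kubelet cannot restart the container after an unrecoverable error"` states what the user should act on. In the 0134 hunk the description refers to the `:Latest` tag, but image tags are case-sensitive and the mutable tag the rule is about is `:latest`; a reader searching for that string will not find `Latest`, and the sentence also needs "makes it difficult to roll back and track". The readiness-probe description in 0130 has the same "will affect automatic recovery" vagueness and could name the concrete effect (traffic routed to a container that is not ready).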
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-M-0166.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-M-0166.json
new file mode 100755
index 000000000..6e0c8fd97
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-M-0166.json
@@ -0,0 +1,14 @@
+{
+ "name": "otherNamespace",
+ "file": "otherNamespace.rego",
+ "template_args": {
+ "name": "otherNamespace",
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Default Namespace Should Not be Used",
+ "reference_id": "AC-K8-OE-PO-M-0166",
+ "category": "Operational Efficiency",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/allowedHostPath.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/allowedHostPath.rego
new file mode 100755
index 000000000..e7d8463e1
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/allowedHostPath.rego
@@ -0,0 +1,107 @@
+### this policy depends on the parameters specified by the user/client. Here we are considering that no hostPath are allowed###
+package accurics
+
+#rule for pod
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ vols := pod.config.spec.volumes[_]
+ parameters := {}
+ has_field(vols, "hostPath")
+ allowedPaths := get_allowed_paths(parameters)
+ input_hostpath_violation(allowedPaths, vols)
+}
+
+#rule for deployment, daemonset, job, replica_set, stateful_set, replication_controller
+{{.prefix}}{{.name}}{{.suffix}}[kind.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ kind := item[_]
+ vols := kind.config.spec.template.spec.volumes[_]
+ #parameters := { 'allowedHostPath' :[{ 'readOnly': true, 'pathPrefix': '/foo' }] }
+ parameters := {}
+ has_field(vols, "hostPath")
+ allowedPaths := get_allowed_paths(parameters)
+ input_hostpath_violation(allowedPaths, vols)
+}
+
+#rule for cron_job
+{{.prefix}}{{.name}}{{.suffix}}[cron_job.id] {
+ cron_job := input.kubernetes_cron_job[_]
+ vols := cron_job.config.spec.jobTemplate.spec.template.spec.volumes[_]
+ #parameters := { 'allowedHostPath' :[{ 'readOnly': true, 'pathPrefix': '/foo' }] }
+ parameters := {}
+ has_field(vols, "hostPath")
+ allowedPaths := get_allowed_paths(parameters)
+ input_hostpath_violation(allowedPaths, vols)
+}
+
+#function for all KINDs
+has_field(object, field) = true {
+ object[field]
+}
+
+#now allowed paths are null, this function will run##
+get_allowed_paths(params) = out {
+ not params.allowedHostPath == "undefined"
+ out = []
+}
+
+input_hostpath_violation(allowedPaths, volume) {
+ allowedPaths == []
+}
+
+### below functions are for violation when user has specified the hostPath, for testing uncomment the parameter array of objects at top####
+
+get_allowed_paths(params) = out {
+ out = params.allowedHostPath
+}
+
+input_hostpath_violation(allowedPaths, volume) {
+ not input_hostpath_allowed(allowedPaths, volume)
+}
+
+input_hostpath_allowed(allowedPaths, volume) {
+ allowedHostPath := allowedPaths[_]
+ path_matches(allowedHostPath.pathPrefix, volume.hostPath.path)
+ not allowedHostPath.readOnly == true
+}
+
+input_hostpath_allowed(allowedPaths, volume) {
+ allowedHostPath := allowedPaths[_]
+ path_matches(allowedHostPath.pathPrefix, volume.hostPath.path)
+ allowedHostPath.readOnly
+ not writeable_input_volume_mounts(volume.name)
+}
+
+writeable_input_volume_mounts(volume_name) {
+ containers := input.kubernetes_pod[_].config.spec.containers[_]
+ mount := containers.volumeMounts[_]
+ mount.name == volume_name
+ not mount.readOnly
+}
+
+path_matches(prefix, path) {
+ a := split(trim(prefix, "/"), "/")
+ b := split(trim(path, "/"), "/")
+ prefix_matches(a, b)
+}
+
+prefix_matches(a, b) {
+ count(a) <= count(b)
+ not any_not_equal_upto(a, b, count(a))
+}
+
+any_not_equal_upto(a, b, n) {
+ a[i] != b[i]
+ i < n
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/allowedProcMount.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/allowedProcMount.rego
new file mode 100755
index 000000000..d8d6e62cc
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/allowedProcMount.rego
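Review bot: `writeable_input_volume_mounts` looks up `input.kubernetes_pod[_].config.spec.containers[_]` rather than the workload whose volume is being checked, so for the deployment and cron_job rules a read-only allowance is decided by whatever pods happen to be in the input, and initContainers' `volumeMounts` are never consulted at all. Separately, once `parameters.allowedHostPath` is populated as the comment suggests, both `get_allowed_paths` bodies succeed — a list compared with `"undefined"` is simply false, so the first body still yields `[]` — and OPA reports a multiple-output conflict for the function; testing for absence, `not params.allowedHostPath`, is what the first body appears to intend. The `#now allowed paths are null` comment would read better as `# no allowed paths were supplied: every hostPath volume is a violation`.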
@@ -0,0 +1,126 @@
+package accurics
+
+#rule for pod_security_policy
+{{.prefix}}{{.name}}{{.suffix}}[psp.id] {
+ psp := input.kubernetes_pod_security_policy[_]
+ psp.config.spec.allowProcMountTypes != "Default"
+}
+
+#rule for pod_security_policy terraform
+{{.prefix}}{{.name}}{{.suffix}}[psp.id] {
+ psp := input.kubernetes_pod_security_policy[_]
+ psp.config.spec.allow_proc_mount_types != "Default"
+}
+
+#rule for pod
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ parameters := {}
+ container := pod.config.spec.containers[_]
+ container.securityContext.procMount
+ allowedProcMount := get_allowed_proc_mount(parameters)
+ not input_proc_mount_type_allowed(allowedProcMount, container)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ parameters := {}
+ container := pod.config.spec.initContainers[_]
+ container.securityContext.procMount
+ allowedProcMount := get_allowed_proc_mount(parameters)
+ not input_proc_mount_type_allowed(allowedProcMount, container)
+}
+
+#rule for deployment, daemonset, job, replica_set, stateful_set, replication_controller
+{{.prefix}}{{.name}}{{.suffix}}[kind.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ kind := item[_]
+ container := kind.config.spec.template.spec.containers[_]
+ #parameters := { 'allowedHostPath' :[{ 'readOnly': true, 'pathPrefix': '/foo' }] }
+ parameters := {}
+ container.securityContext.procMount
+ allowedProcMount := get_allowed_proc_mount(parameters)
+ not input_proc_mount_type_allowed(allowedProcMount, container)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[kind.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ kind := item[_]
+ container := kind.config.spec.template.spec.initContainers[_]
+ #parameters := { 'allowedHostPath' :[{ 'readOnly': true, 'pathPrefix': '/foo' }] }
+ parameters := {}
+ container.securityContext.procMount
+ allowedProcMount := get_allowed_proc_mount(parameters)
+ not input_proc_mount_type_allowed(allowedProcMount, container)
+}
+
+#rule for cron_job
+{{.prefix}}{{.name}}{{.suffix}}[cron_job.id] {
+ cron_job := input.kubernetes_cron_job[_]
+ container := cron_job.config.spec.jobTemplate.spec.template.spec.containers[_]
+ #parameters := { 'allowedHostPath' :[{ 'readOnly': true, 'pathPrefix': '/foo' }] }
+ parameters := {}
+ container.securityContext.procMount
+ allowedProcMount := get_allowed_proc_mount(parameters)
+ not input_proc_mount_type_allowed(allowedProcMount, container)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[cron_job.id] {
+ cron_job := input.kubernetes_cron_job[_]
+ container := cron_job.config.spec.jobTemplate.spec.template.spec.initContainers[_]
+ #parameters := { 'allowedHostPath' :[{ 'readOnly': true, 'pathPrefix': '/foo' }] }
+ parameters := {}
+ container.securityContext.procMount
+ allowedProcMount := get_allowed_proc_mount(parameters)
+ not input_proc_mount_type_allowed(allowedProcMount, container)
+}
+
+###this will get satisfied as no parameters are provided, thus checking with the baseline configuration which is checking that the procmount is default####
+get_allowed_proc_mount(params) = out {
+ not params.procMount
+ out = "default"
+}
+
+get_allowed_proc_mount(params) = out {
+ not valid_proc_mount(params.procMount)
+ out = "default"
+}
+
+get_allowed_proc_mount(params) = out {
+ out = lower(params.procMount)
+}
+
+valid_proc_mount(str) {
+ lower(str) == "default"
+}
+
+valid_proc_mount(str) {
+ lower(str) == "unmasked"
+}
+
+input_proc_mount_type_allowed(allowedProcMount, c) {
+ allowedProcMount == "default"
+ lower(c.securityContext.procMount) == "default"
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/allowedVolumes.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/allowedVolumes.rego
new file mode 100755
index 000000000..cef0f216d
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/allowedVolumes.rego
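Review bot: The first PSP rule compares `psp.config.spec.allowProcMountTypes != "Default"`, but in the PodSecurityPolicy API the field is `allowedProcMountTypes` and it is a list, so a PSP that spells the field correctly is never matched by this path, and if the normaliser did expose the field under this name a compliant `[Default]` would still be flagged because a list is never equal to a string; `psp.config.spec.allowedProcMountTypes[_] != "Default"` expresses the intent, and the Terraform body has the same two problems with `allow_proc_mount_types` versus `allowed_proc_mount_types`. The `#parameters := { 'allowedHostPath' ... }` comments in the workload bodies are copied from allowedHostPath.rego and name a parameter this policy never reads; they should mention `procMount` or be dropped. With `parameters := {}` the three `get_allowed_proc_mount` bodies agree on `"default"`, but a supplied value that fails `valid_proc_mount` satisfies both the second and third body with different outputs, which OPA reports as a conflict rather than falling back.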
@@ -0,0 +1,58 @@
+package accurics
+
+####fixed the minimum set of allowed volumes, this may change as per the user####
+
+#rule for pod_security_policy
+{{.prefix}}{{.name}}{{.suffix}}[psp.id] {
+ psp := input.kubernetes_pod_security_policy[_]
+ secure_volumes := [{{range .secure_volumes}}{{- printf "%q" . }},{{end}}]
+ volume_field := psp.config.spec.volumes[_]
+ not input_volume_type_allowed(volume_field, secure_volumes)
+}
+
+#rule for pod
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ secure_volumes := [{{range .secure_volumes}}{{- printf "%q" . }},{{end}}]
+ volume_fields := {x | pod.config.spec.volumes[_][x]; x != "name"}
+ field := volume_fields[_]
+ not input_volume_type_allowed(field, secure_volumes)
+}
+
+#rule for deployment, daemonset, job, replica_set, stateful_set, replication_controller
+{{.prefix}}{{.name}}{{.suffix}}[kind.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ kind := item[_]
+ secure_volumes := [{{range .secure_volumes}}{{- printf "%q" . }},{{end}}]
+ volume_fields := {x | kind.config.spec.template.spec.volumes[_][x]; x != "name"}
+ field := volume_fields[_]
+ not input_volume_type_allowed(field, secure_volumes)
+}
+
+#rule for cron_job
+{{.prefix}}{{.name}}{{.suffix}}[cron_job.id] {
+ cron_job := input.kubernetes_cron_job[_]
+ secure_volumes := [{{range .secure_volumes}}{{- printf "%q" . }},{{end}}]
+ volume_fields := {x | cron_job.config.spec.jobTemplate.spec.template.spec.volumes[_][x]; x != "name"}
+ field := volume_fields[_]
+ not input_volume_type_allowed(field, secure_volumes)
+}
+
+input_volume_type_allowed(field, secure_volumes) {
+ secure_volumes[_] == "*"
+}
+
+input_volume_type_allowed(field, secure_volumes) {
+ field == secure_volumes[_]
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/appArmorProfile.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/appArmorProfile.rego
new file mode 100755
index 000000000..7be8687f3
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/appArmorProfile.rego
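Review bot: The pod and workload rules treat every key of a volume object other than `name` as a volume type (`{x | ...volumes[_][x]; x != "name"}`), so any extra key the input normaliser attaches to a volume — not visible in this diff — would be reported as a disallowed type and the finding would name that key rather than a real volume kind. A comment above the first comprehension stating the assumption, `# assumes each volume carries exactly one type key besides "name" (hostPath, configMap, ...)`, would make the contract explicit for whoever maintains the normaliser. An empty `secure_volumes` argument renders as `[]`, after which every volume in the workload is flagged; that is a reasonable default-deny but should be documented where the template argument is declared.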
@@ -0,0 +1,108 @@
+package accurics
+
+#rule for pod security policy, will be valid for terraform pod_security_policy
+{{.prefix}}{{.name}}{{.suffix}}[psp.id] {
+ psp := input.kubernetes_pod_security_policy[_]
+ psp.config.metadata.annotations["apparmor.security.beta.kubernetes.io/defaultProfileName"] != "runtime/default"
+}
+
+#rule for pod, covers containers
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ container := pod.config.spec.containers[_]
+ not input_apparmor_allowed(container.name, pod.config.metadata)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ container := pod.config.spec.initContainers[_]
+ not input_apparmor_allowed(container.name, pod.config.metadata)
+}
+
+#terraform init_containers
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ container := pod.config.spec.init_containers[_]
+ not input_apparmor_allowed(container.name, pod.config.metadata)
+}
+
+##rule for deployment, daemonset, job, replica_set, stateful_set, replication_controller covers containers
+{{.prefix}}{{.name}}{{.suffix}}[kind.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ kind := item[_]
+ container := kind.config.spec.template.spec.containers[_]
+ not input_apparmor_allowed(container.name, kind.config.spec.template.metadata)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[kind.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ kind := item[_]
+ container := kind.config.spec.template.spec.initContainers[_]
+ not input_apparmor_allowed(container.name, kind.config.spec.template.metadata)
+}
+
+#terraform init_containers
+{{.prefix}}{{.name}}{{.suffix}}[kind.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ kind := item[_]
+ container := kind.config.spec.template.spec.init_containers[_]
+ not input_apparmor_allowed(container.name, kind.config.spec.template.metadata)
+}
+
+#rule for cron_job, covers containers
+{{.prefix}}{{.name}}{{.suffix}}[cron_job.id] {
+ cron_job := input.kubernetes_cron_job[_]
+ container := cron_job.config.spec.jobTemplate.spec.template.spec.containers[_]
+ not input_apparmor_allowed(container.name, cron_job.config.spec.jobTemplate.spec.template.metadata)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[cron_job.id] {
+ cron_job := input.kubernetes_cron_job[_]
+ container := cron_job.config.spec.jobTemplate.spec.template.spec.initContainers[_]
+ not input_apparmor_allowed(container.name, cron_job.config.spec.jobTemplate.spec.template.metadata)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[cron_job.id] {
+ cron_job := input.kubernetes_cron_job[_]
+ container := cron_job.config.spec.jobTemplate.spec.template.spec.init_containers[_]
+ not input_apparmor_allowed(container.name, cron_job.config.spec.jobTemplate.spec.template.metadata)
+}
+
+#function for all Kinds
+input_apparmor_allowed(containerName, metadata) {
+ metadata.annotations[key] == "runtime/default"
+ key == sprintf("container.apparmor.security.beta.kubernetes.io/%v", [containerName])
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/autoMountTokenEnabled.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/autoMountTokenEnabled.rego
new file mode 100755
index 000000000..248878b60
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/autoMountTokenEnabled.rego
@@ -0,0 +1,33 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ pod.config.spec.automountServiceAccountToken == true
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_service_account[_]
+ pod.config.automountServiceAccountToken == true
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ pod := item[_]
+ pod.config.spec.template.spec.automountServiceAccountToken == true
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_cron_job[_]
+ pod.config.spec.jobTemplate.spec.template.spec.automountServiceAccountToken == true
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/capSysAdminUsed.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/capSysAdminUsed.rego
new file mode 100755
index 000000000..d8d1ae40a
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/capSysAdminUsed.rego
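Review bot: `input_apparmor_allowed` accepts only the literal `runtime/default`, so a container annotated with a custom `localhost/<profile>` AppArmor profile — which is at least as confining as the runtime default — is reported as a violation, while `unconfined` and a hardened custom profile end up in the same bucket. If the intent is "any real profile, not unconfined or absent", a second body such as `startswith(metadata.annotations[key], "localhost/")` alongside the existing equality would express it, and the PSP rule's `defaultProfileName` comparison at the top of the hunk has the same gap. A one-line header comment stating which values are considered acceptable would let readers tell whether the strictness is deliberate.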
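Review bot: All four bodies fire only on an explicit `automountServiceAccountToken == true`, but Kubernetes mounts the token by default when the field is absent from both the pod spec and the ServiceAccount, so the common case — a manifest that never mentions the field — passes this check while the token is still mounted. If the rule is meant to reflect the effective setting, testing for the absence of an opt-out, `not pod.config.spec.automountServiceAccountToken == false`, flags the default as well; the remaining three bodies would change the same way. A comment stating whether the policy checks the literal value or the effective behaviour would make the choice explicit either way.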
@@ -0,0 +1,69 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ container := pod.config.spec.containers[_]
+ container.securityContext.capabilities.add == "-SYS_ADMIN"
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ initcontainer := pod.config.spec.initContainers[_]
+ initcontainer.securityContext.capabilities.add == "-SYS_ADMIN"
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_cron_job[_]
+ container := pod.config.spec.jobTemplate.spec.template.spec.containers[_]
+ container.securityContext.capabilities.add == "-SYS_ADMIN"
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_cron_job[_]
+ initcontainer := pod.config.spec.jobTemplate.spec.template.spec.initContainers[_]
+ initcontainer.securityContext.capabilities.add == "-SYS_ADMIN"
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ pod := item[_]
+ containerCheck(pod.config.spec.template.spec)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ pod := item[_]
+ initContainerCheck(pod.config.spec.template.spec)
+}
+
+initContainerCheck(spec) {
+ container := spec.initContainers[_]
+ container.securityContext.capabilities.add == "-SYS_ADMIN"
+}
+
+containerCheck(spec) {
+ container := spec.containers[_]
+ container.securityContext.capabilities.add == "-SYS_ADMIN"
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/capabilityUsed.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/capabilityUsed.rego
new file mode 100755
index 000000000..9920b3851
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/capabilityUsed.rego
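Review bot: `container.securityContext.capabilities.add == "-SYS_ADMIN"` compares the whole `add` field with a single string, but in the Kubernetes API `capabilities.add` is a list of capability names (`add: ["SYS_ADMIN"]`), so unless the input normaliser flattens the list into a YAML-looking `-SYS_ADMIN` string — nothing in this diff shows that — the rule can never match; iterating the list, `container.securityContext.capabilities.add[_] == "SYS_ADMIN"`, is the usual form, and the same expression is repeated in all six bodies including `initContainerCheck` and `containerCheck`. Manifests also spell the capability `CAP_SYS_ADMIN`, so normalising before comparing, e.g. `trim_prefix(upper(cap), "CAP_") == "SYS_ADMIN"`, avoids a second blind spot. The Terraform-style `init_containers` path that appArmorProfile.rego and imageWithLatestTag.rego cover is missing here as well.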
@@ -0,0 +1,74 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod_security_policy[_]
+ pod.config.spec.{{.attribute}} != []
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ container := pod.config.spec.containers[_]
+ container.{{.attribute}} != []
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ initcontainer := pod.config.spec.initContainers[_]
+ initcontainer.{{.attribute}} != []
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_cron_job[_]
+ container := pod.config.spec.jobTemplate.spec.template.spec.containers[_]
+ container.{{.attribute}} != []
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_cron_job[_]
+ initcontainer := pod.config.spec.jobTemplate.spec.template.spec.initContainers[_]
+ initcontainer.{{.attribute}} != []
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ pod := item[_]
+ containerCheck(pod.config.spec.template.spec)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ pod := item[_]
+ initContainerCheck(pod.config.spec.template.spec)
+}
+
+initContainerCheck(spec) {
+ container := spec.initContainers[_]
+ container.{{.attribute}} != []
+}
+
+containerCheck(spec) {
+ container := spec.containers[_]
+ container.{{.attribute}} != []
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/commandCheck.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/commandCheck.rego
new file mode 100755
index 000000000..2406ddee3
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/commandCheck.rego
@@ -0,0 +1,14 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[pod_kubeapi.id] {
+ pod_kubeapi := input.kubernetes_pod[_]
+ cmds := pod_kubeapi.config.spec.containers[_].command
+ {{.negation}} check(cmds)
+}
+
+check(cmds) {
+ cmd := cmds[_]
+ startswith(cmd, "{{.argument}}")
+ {{.presence}} contains(cmd, "{{.param}}")
+ {{.optional}}
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/containersAsHighUID.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/containersAsHighUID.rego
new file mode 100755
index 000000000..6d6e8e677
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/containersAsHighUID.rego
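Review bot: The helpers `containerCheck` and `initContainerCheck` are defined in `package accurics` with the same names as the helpers in capSysAdminUsed.rego on the previous lines, and containersAsHighUID.rego adds `checkContainer`/`checkInitContainer` in the same package; if rendered policies are ever loaded into one OPA bundle rather than evaluated one file at a time, Rego merges same-named bodies and each rule's helper would fire on the other file's condition. Prefixing the helper with the rule name, e.g. `capability_container_check(spec)`, removes the coupling, or a header comment should state that every template is evaluated in isolation. `container.{{.attribute}} != []` is also true for an attribute that is present but not a list, which is fine for the capabilities case but worth a comment since `{{.attribute}}` is chosen by the JSON and not checked here.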
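Review bot: `cmds := pod_kubeapi.config.spec.containers[_].command` reads only `command`; control-plane flags are frequently passed through `args` with `command` holding just the binary, so a pod that sets the flag under `args` is invisible to every rule rendered from this template. Collecting both, `cmds := array.concat(object.get(c, "command", []), object.get(c, "args", []))` with `c := pod_kubeapi.config.spec.containers[_]`, covers the two layouts. Note also that when a container has no `command` the body is undefined before `{{.negation}}` is reached, so a rule that negates `check` does not fire for such pods — whether that is intended depends on each rule's JSON, which is not in this chunk, and deserves a comment on the first body.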
@@ -0,0 +1,102 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ pod.config.spec.securityContext.runAsUser < 1000
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ container := pod.config.spec.containers[_]
+ container.securityContext.runAsUser < 1000
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ initcontainer := pod.config.spec.initContainers[_]
+ initcontainer.securityContext.runAsUser < 1000
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_cron_job[_]
+ pod.config.spec.jobTemplate.spec.template.spec.securityContext.runAsUser < 1000
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_cron_job[_]
+ container := pod.config.spec.jobTemplate.spec.template.spec.containers[_]
+ container.securityContext.runAsUser < 1000
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_cron_job[_]
+ initcontainer := pod.config.spec.jobTemplate.spec.template.spec.initContainers[_]
+ initcontainer.securityContext.runAsUser < 1000
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod_security_policy[_]
+ ranges := pod.config.spec.runAsUser.ranges[_]
+ ranges.min < 1000
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ pod := item[_]
+ pod.config.spec.template.spec.securityContext.runAsUser < 1000
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ pod := item[_]
+ checkContainer(pod.config.spec.template.spec)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ pod := item[_]
+ checkInitContainer(pod.config.spec.template.spec)
+}
+
+checkInitContainer(spec) {
+ containers := spec.initContainers[_]
+ containers.securityContext.runAsUser < 1000
+}
+
+checkContainer(spec) {
+ containers := spec.containers[_]
+ containers.securityContext.runAsUser < 1000
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/disallowedSysCalls.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/disallowedSysCalls.rego
new file mode 100755
index 000000000..f918cc215
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/disallowedSysCalls.rego
@@ -0,0 +1,51 @@
+### this pollicy depends on the parameters specified by the user/client. Here we are considering that no kernel level syscalls are allowed###
+package accurics
+
+#rule for pod
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ forbiddenSysctls = ["kernel.*"]
+ sysctl := pod.config.spec.securityContext.sysctls[_].name
+ forbidden_sysctl(sysctl, forbiddenSysctls)
+}
+
+##rule for deployment, daemonset, job, replica_set, stateful_set, replication_controller
+{{.prefix}}{{.name}}{{.suffix}}[kind.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ kind := item[_]
+ forbiddenSysctls = ["kernel.*"]
+ sysctl := kind.config.spec.template.spec.securityContext.sysctls[_].name
+ forbidden_sysctl(sysctl, forbiddenSysctls)
+}
+
+#rule for cron_job
+{{.prefix}}{{.name}}{{.suffix}}[cron_job.id] {
+ cron_job := input.kubernetes_cron_job[_]
+ forbiddenSysctls = ["kernel.*"]
+ sysctl := cron_job.config.spec.jobTemplate.spec.template.spec.securityContext.sysctls[_].name
+ forbidden_sysctl(sysctl, forbiddenSysctls)
+}
+
+# if all syscalls are forbidden
+forbidden_sysctl(sysctl, arg) {
+ arg[_] == "*"
+}
+
+forbidden_sysctl(sysctl, arg) {
+ arg[_] == sysctl
+}
+
+forbidden_sysctl(sysctl, arg) {
+ startswith(sysctl, trim(arg[_], "*"))
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/dockerSockCheck.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/dockerSockCheck.rego
new file mode 100755
index 000000000..890439ed6
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/dockerSockCheck.rego
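Review bot: The header comment says the policy depends on user-supplied parameters, but `forbiddenSysctls = ["kernel.*"]` is hard-coded in all three bodies rather than taken from a template argument like the other policies in this commit, so the comment and the code disagree. `kernel.*` also covers the sysctls Kubernetes classifies as safe and namespaced (`kernel.shm_rmid_forced` and the `kernel.msg*`/`kernel.sem` family), so workloads that set those are reported as if they used an unsafe sysctl; if that is intended, the header should say so. The file name and comments talk about syscalls, but the rule inspects `securityContext.sysctls`, which is a different mechanism — the header should read `# this policy depends on the parameters specified by the user/client; here no kernel.* sysctls are allowed`, which also fixes the "pollicy" typo.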
@@ -0,0 +1,35 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_cron_job[_]
+ vol := pod.config.spec.jobTemplate.spec.template.spec.volumes[_]
+ socketPathCheck(vol.hostPath.path)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ vol := pod.config.spec.volumes[_]
+ socketPathCheck(vol.hostPath.path)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ pod := item[_]
+ vol := pod.config.spec.template.spec.volumes[_]
+ socketPathCheck(vol.hostPath.path)
+}
+
+socketPathCheck(attrib) {
+ contains(attrib, "/var/run/docker")
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/imageWithLatestTag.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/imageWithLatestTag.rego
new file mode 100755
index 000000000..de75e611a
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/imageWithLatestTag.rego
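Review bot: `contains(attrib, "/var/run/docker")` in `socketPathCheck` misses the equally common `/run/docker.sock` spelling — on most distributions `/var/run` is a symlink to `/run` — and a hostPath of `/run`, `/var` or `/` exposes the socket just the same, so the check is easy to pass while the risk remains. A second body `contains(attrib, "/run/docker")`, or a single `regex.match("(^|/)run/docker", attrib)`, closes the obvious gap; the parent-directory case is arguably allowedHostPath.rego's job and could be referenced in a comment above `socketPathCheck`. The rules also never consult `volumeMounts`, so a declared-but-unmounted volume is reported identically to a mounted one, which is fine for a config scanner but worth stating.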
@@ -0,0 +1,196 @@
+package accurics
+
+#rule for pod, covers containers, initContainers, terraform, init_containers
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ container := pod.config.spec.containers[_]
+ checkForPodLatest(container)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ container := pod.config.spec.containers[_]
+ checkForPodNoTag(container)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ container := pod.config.spec.initContainers[_]
+ checkForPodLatest(container)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ container := pod.config.spec.initContainers[_]
+ checkForPodNoTag(container)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ container := pod.config.spec.init_containers[_]
+ checkForPodLatest(container)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ container := pod.config.spec.init_containers[_]
+ checkForPodNoTag(container)
+}
+
+#rule for deployment, daemonset, job, replica_set, stateful_set, replication_controller covers containers, initContainers, terraform init_containers
+{{.prefix}}{{.name}}{{.suffix}}[kind.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ kind := item[_]
+ container := kind.config.spec.template.spec.containers[_]
+ checkForPodLatest(container)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[kind.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ kind := item[_]
+ container := kind.config.spec.template.spec.containers[_]
+ checkForPodNoTag(container)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[kind.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ kind := item[_]
+ container := kind.config.spec.template.spec.initContainers[_]
+ checkForPodLatest(container)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[kind.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ kind := item[_]
+ container := kind.config.spec.template.spec.init_containers[_]
+ checkForPodLatest(container)
+ }
+
+{{.prefix}}{{.name}}{{.suffix}}[kind.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ kind := item[_]
+ container := kind.config.spec.template.spec.initContainers[_]
+ checkForPodNoTag(container)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[kind.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ kind := item[_]
+ container := kind.config.spec.template.spec.init_containers[_]
+ checkForPodNoTag(container)
+}
+
+#rule for cron_job, covers containers, initContainers, terraform init_containers
+{{.prefix}}{{.name}}{{.suffix}}[cron_job.id] {
+ cron_job := input.kubernetes_cron_job[_]
+ container := cron_job.config.spec.jobTemplate.spec.template.spec.containers[_]
+ checkForPodLatest(container)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[cron_job.id] {
+ cron_job := input.kubernetes_cron_job[_]
+ container := cron_job.config.spec.jobTemplate.spec.template.spec.containers[_]
+ checkForPodNoTag(container)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[cron_job.id] {
+ cron_job := input.kubernetes_cron_job[_]
+ container := cron_job.config.spec.jobTemplate.spec.template.spec.initContainers[_]
+ checkForPodLatest(container)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[cron_job.id] {
+ cron_job := input.kubernetes_cron_job[_]
+ container := cron_job.config.spec.jobTemplate.spec.template.spec.init_containers[_]
+ checkForPodLatest(container)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[cron_job.id] {
+ cron_job := input.kubernetes_cron_job[_]
+ container := cron_job.config.spec.jobTemplate.spec.template.spec.initContainers[_]
+ checkForPodNoTag(container)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[cron_job.id] {
+ cron_job := input.kubernetes_cron_job[_]
+ container := cron_job.config.spec.jobTemplate.spec.template.spec.init_containers[_]
+ checkForPodNoTag(container)
+}
+
+#check function for All KINDs
+checkForPodLatest(arg) {
+ img_split := split(arg.image, ":")
+ tag := img_split[count(img_split) - 1]
+ tag == "latest"
+}
+
+checkForPodNoTag(argument) {
+ img_split := split(argument.image, ":")
+ count(img_split) == 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/imageWithoutDigest.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/imageWithoutDigest.rego
new file mode 100755
index 000000000..6cf92e6f6
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/imageWithoutDigest.rego
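Review bot: `checkForPodNoTag` splits the whole image reference on `:`, so an untagged image from a registry with a port (a constructed example: `registry.example:5000/app`) yields two parts and is never reported, although it is exactly the floating-tag case the rule exists for; split on `/` first and test only the last path component, `name_parts := split(argument.image, "/")` then `not contains(name_parts[count(name_parts) - 1], ":")` (a digest reference such as `app@sha256:…` still contains `:` and stays unreported, as today). `checkForPodLatest` could likewise be the single line `endswith(arg.image, ":latest")`. The fourth `[kind.id]` rule closes with an indented ` }` unlike every other body, and the six near-identical `item_list` blocks would read better as one helper that yields the pod template. A header comment noting that both helpers inspect only the `image` string, not `imagePullPolicy`, would set expectations for readers.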
@@ -0,0 +1,105 @@
+package accurics
+
+#rule for pod, same will satisfy terraform pod, covers containers, initContainers, and terraform init_containers
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ container := pod.config.spec.containers[_]
+ satisfied := [re_match("@[a-z0-9]+([+._-][a-z0-9]+)*:[a-zA-Z0-9=_-]+", container.image)]
+ not all(satisfied)
+}
+
+#rule for init containers
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ container := pod.config.spec.initContainers[_]
+ satisfied := [re_match("@[a-z0-9]+([+._-][a-z0-9]+)*:[a-zA-Z0-9=_-]+", container.image)]
+ not all(satisfied)
+}
+
+#rule for terraform init_containers
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ container := pod.config.spec.init_containers[_]
+ satisfied := [re_match("@[a-z0-9]+([+._-][a-z0-9]+)*:[a-zA-Z0-9=_-]+", container.image)]
+ not all(satisfied)
+}
+
+#rule for deployment, daemonset, job, replica_set, replication_controller, stateful_set covers containers, initContainers, terraform init_containers
+{{.prefix}}{{.name}}{{.suffix}}[kind.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ kind := item[_]
+ container := kind.config.spec.template.spec.containers[_]
+ satisfied := [re_match("@[a-z0-9]+([+._-][a-z0-9]+)*:[a-zA-Z0-9=_-]+", container.image)]
+ not all(satisfied)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[kind.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ kind := item[_]
+ container := kind.config.spec.template.spec.initContainers[_]
+ satisfied := [re_match("@[a-z0-9]+([+._-][a-z0-9]+)*:[a-zA-Z0-9=_-]+", container.image)]
+ not all(satisfied)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[kind.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ kind := item[_]
+ container := kind.config.spec.template.spec.init_containers[_]
+ satisfied := [re_match("@[a-z0-9]+([+._-][a-z0-9]+)*:[a-zA-Z0-9=_-]+", container.image)]
+ not all(satisfied)
+}
+
+#rule for cron_job, covers containers, initContainers, terraform init_containers
+{{.prefix}}{{.name}}{{.suffix}}[cron_job.id] {
+ cron_job := input.kubernetes_cron_job[_]
+ container := cron_job.config.spec.jobTemplate.spec.template.spec.containers[_]
+ satisfied := [re_match("@[a-z0-9]+([+._-][a-z0-9]+)*:[a-zA-Z0-9=_-]+", container.image)]
+ not all(satisfied)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[cron_job.id] {
+ cron_job := input.kubernetes_cron_job[_]
+ container := cron_job.config.spec.jobTemplate.spec.template.spec.initContainers[_]
+ satisfied := [re_match("@[a-z0-9]+([+._-][a-z0-9]+)*:[a-zA-Z0-9=_-]+", container.image)]
+ not all(satisfied)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[cron_job.id] {
+ cron_job := input.kubernetes_cron_job[_]
+ container := cron_job.config.spec.jobTemplate.spec.template.spec.init_containers[_]
+ satisfied := [re_match("@[a-z0-9]+([+._-][a-z0-9]+)*:[a-zA-Z0-9=_-]+", container.image)]
+ not all(satisfied)
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/kubeDashboardEnabled.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/kubeDashboardEnabled.rego
new file mode 100755
index 000000000..d9746d16b
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/kubeDashboardEnabled.rego
@@ -0,0 +1,6 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ pod.config.metadata.labels.app == "kubernetes-dashboard"
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/otherNamespace.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/otherNamespace.rego
new file mode 100755
index 000000000..7ce3427d2
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/otherNamespace.rego
@@ -0,0 +1,20 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ item_list := [
+ object.get(input, "kubernetes_cron_job", "undefined"),
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_pod", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ pod := item[_]
+ pod.config.metadata.namespace == "default"
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/probeCheck.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/probeCheck.rego
new file mode 100755
index 000000000..19eaf1aef
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/probeCheck.rego
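Review bot: Every one of the nine rules wraps a single `re_match` result in a one-element list and then applies `not all(satisfied)`, which is simply `not re_match(...)`; the pattern `@[a-z0-9]+([+._-][a-z0-9]+)*:[a-zA-Z0-9=_-]+` is copied nine times, so a correction would have to be made nine times. A helper such as `has_digest(image) { re_match("@[a-z0-9]+([+._-][a-z0-9]+)*:[a-zA-Z0-9=_-]+", image) }` called as `not has_digest(container.image)` shortens each rule and keeps one copy of the regex. `re_match` is listed by OPA as the deprecated spelling of `regex.match`, which is worth switching to while the file is new. The pattern is unanchored and does not require `sha256` specifically, which is fine for a presence check but deserves a comment saying so.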
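Review bot: The dashboard check only inspects bare `kubernetes_pod` resources and only the `app` label, while the other files in this patch iterate deployments, daemonsets and the remaining workload kinds; a dashboard deployed as a Deployment, which is how its published manifest ships it, is not reported. The upstream manifest labels its objects `k8s-app: kubernetes-dashboard`, so an additional body matching `pod.config.metadata.labels["k8s-app"] == "kubernetes-dashboard"` plus the `item_list` pattern over `spec.template.metadata.labels` would cover the common installation. The file has no comment stating which label convention it targets.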
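Review bot: `pod.config.metadata.namespace == "default"` is undefined, and the rule therefore silent, for a manifest that omits `metadata.namespace`, which is the most common way a workload ends up in the default namespace; `object.get(pod.config.metadata, "namespace", "default") == "default"` treats the omitted case like the explicit one. Whether an omitted namespace should count depends on how the loader resolves namespaces before building `input`, which is not visible here, so confirm that before changing it. A one-line comment naming the intent (workloads should not run in the default namespace) is missing.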
@@ -0,0 +1,68 @@
+#liveenessprobe and readinessprobe are not applicable for init containers.
+package accurics
+
+#rule for pod
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ container := pod.config.spec.containers[_]
+ not container["{{.argument}}"]
+}
+
+#rule for pod terraform
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ container := pod.config.spec.containers[_]
+ not container["{{.argumentTF}}"]
+}
+
+#rule for deployment, daemonset, job, replica_Set, replication_controller, stateful_set
+{{.prefix}}{{.name}}{{.suffix}}[kind.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ kind := item[_]
+ container := kind.config.spec.template.spec.containers[_]
+ not container["{{.argument}}"]
+}
+
+#rule for terraform deployment, daemonset, job, replica_Set, replication_controller, stateful_set
+{{.prefix}}{{.name}}{{.suffix}}[kind.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ kind := item[_]
+ container := kind.config.spec.template.spec.containers[_]
+ not container["{{.argumentTF}}"]
+}
+
+#rule for cronjob
+{{.prefix}}{{.name}}{{.suffix}}[cron_job.id] {
+ cron_job := input.kubernetes_cron_job[_]
+ container := cron_job.config.spec.jobTemplate.spec.template.spec.containers[_]
+ not container["{{.argument}}"]
+}
+
+#rule for terraform cronjob
+{{.prefix}}{{.name}}{{.suffix}}[cron_job.id] {
+ cron_job := input.kubernetes_cron_job[_]
+ container := cron_job.config.spec.jobTemplate.spec.template.spec.containers[_]
+ not container["{{.argumentTF}}"]
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/secCompProfile.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/secCompProfile.rego
new file mode 100755
index 000000000..f4bd21aeb
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/secCompProfile.rego
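Review bot: The Kubernetes and Terraform variants are separate rules that each require `not container[key]` for their own key, so unless `{{.argument}}` and `{{.argumentTF}}` render to the same string every container is reported by whichever key it does not use: a YAML container with `livenessProbe` still lacks the snake_case key and trips the Terraform rule, and vice versa. Unless the loader normalises field names before building `input`, which is not visible here, the two conditions belong in one body, `not container["{{.argument}}"]` followed by `not container["{{.argumentTF}}"]`, for the pod, `[kind.id]` and `[cron_job.id]` rules alike. The header comment has "liveenessprobe" and the kind lists have "replica_Set".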
@@ -0,0 +1,153 @@
+package accurics
+
+#rule for pod, pod_security_policy covers containers
+{{.prefix}}{{.name}}{{.suffix}}[kind.id] {
+ item_list := [
+ object.get(input, "kubernetes_pod", "undefined"),
+ object.get(input, "kubernetes_pod_security_policy", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ kind := item[_]
+ not input_container_allowed(kind.config.metadata)
+}
+
+#rule for deployment, daemonset, job, replica_set, stateful_set, replication_controller covers containers
+{{.prefix}}{{.name}}{{.suffix}}[kind.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ kind := item[_]
+ not input_container_allowed(kind.config.spec.template.metadata)
+}
+
+#rule for cron_job
+{{.prefix}}{{.name}}{{.suffix}}[cron_job.id] {
+ cron_job := input.kubernetes_cron_job[_]
+ not input_container_allowed(cron_job.config.spec.jobTemplate.spec.template.metadata)
+}
+
+input_container_allowed(metadata) {
+ metadata.annotations["seccomp.security.alpha.kubernetes.io/pod"] == "runtime/default"
+}
+
+input_container_allowed(metadata) {
+ metadata.annotations["seccomp.security.alpha.kubernetes.io/pod"] == "docker/default"
+}
+
+ ####Kubernetes v1.19 or later########
+
+#rule for pod covers containers and checks field seccompProfile at container security context which is found at spec.containers. 
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ container := pod.config.spec.containers[_]
+ not check_seccomp(container)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ container := pod.config.spec.initContainers[_]
+ not check_seccomp(container)
+}
+
+#rule for deployment, daemonset, job, replica_set, stateful_set, replication_controller covers containers
+{{.prefix}}{{.name}}{{.suffix}}[kind.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ kind := item[_]
+ container := kind.config.spec.template.spec.containers[_]
+ not check_seccomp(container)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[kind.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ kind := item[_]
+ container := kind.config.spec.template.spec.initContainers[_]
+ not check_seccomp(container)
+}
+
+#rule for cron_job
+{{.prefix}}{{.name}}{{.suffix}}[cron_job.id] {
+ cron_job := input.kubernetes_cron_job[_]
+ container := cron_job.config.spec.jobTemplate.spec.template.spec.containers[_]
+ not check_seccomp(container)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[cron_job.id] {
+ cron_job := input.kubernetes_cron_job[_]
+ container := cron_job.config.spec.jobTemplate.spec.template.spec.initContainers[_]
+ not check_seccomp(container)
+}
+
+##rule to check seccompProfile at PodSecurityContext which is found at PodSpec##
+
+#rule for pod
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ not check_seccomp(pod.config.spec)
+}
+
+#rule for deployment, daemonset, job, replica_set, stateful_set, replication_controller covers containers
+{{.prefix}}{{.name}}{{.suffix}}[kind.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ kind := item[_]
+ not check_seccomp(kind.config.spec.template.spec)
+}
+
+#rule for cron_job
+{{.prefix}}{{.name}}{{.suffix}}[cron_job.id] {
+ cron_job := input.kubernetes_cron_job[_]
+ not check_seccomp(cron_job.config.spec.jobTemplate.spec.template.spec)
+}
+
+#function for all Kinds and scenarios
+check_seccomp(container) {
+ container.securityContext.seccompProfile.type == "RuntimeDefault"
+}
+
+check_seccomp(container) {
+ container.securityContext.seccompProfile.type == "DockerDefault"
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/secretsAsEnvVariables.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/secretsAsEnvVariables.rego
new file mode 100755
index 000000000..780bb4577
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/secretsAsEnvVariables.rego
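Review bot: The annotation rules, the per-container `seccompProfile` rules and the pod-level `seccompProfile` rules are independent, so a pod that correctly sets `spec.securityContext.seccompProfile.type: RuntimeDefault` is still reported because it carries no `seccomp.security.alpha.kubernetes.io/pod` annotation and its containers set no container-level profile; a compliant workload needs one place to satisfy the policy, for example one rule per kind whose body requires all of "annotation not set", "pod field not set" and "container field not set", so that the finding means no profile anywhere. `check_seccomp` accepts `DockerDefault`, but the `seccompProfile.type` field only takes `RuntimeDefault`, `Localhost` and `Unconfined`, so that body never matches, and a `Localhost` profile is currently treated as a violation. The first rule applies the pod annotation key to `kubernetes_pod_security_policy` objects, whose seccomp annotations are `seccomp.security.alpha.kubernetes.io/defaultProfileName` and `.../allowedProfileNames`, so every PSP is reported; a separate PSP rule would fix that. The banner `####Kubernetes v1.19 or later########` would be more useful as a sentence noting that the annotation form is deprecated since v1.19 and the field form is the one to prefer.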
@@ -0,0 +1,75 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ containers := pod.config.spec.containers[_]
+ env := containers.env[_]
+ env.valueFrom != []
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ initcontainer := pod.config.spec.initContainers[_]
+ env := initcontainer.env[_]
+ env.valueFrom != []
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_cron_job[_]
+ containers := pod.config.spec.jobTemplate.spec.template.spec.containers[_]
+ env := containers.env[_]
+ env.valueFrom != []
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_cron_job[_]
+ initcontainer := pod.config.spec.jobTemplate.spec.template.spec.initContainers[_]
+ env := initcontainer.env[_]
+ env.valueFrom != []
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ pod := item[_]
+ checkContainer(pod.config.spec.template.spec)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ pod := item[_]
+ checkInitContainer(pod.config.spec.template.spec)
+}
+
+checkInitContainer(spec) {
+ containers := spec.initContainers[_]
+ env := containers.env[_]
+ env.valueFrom != []
+}
+
+checkContainer(spec) {
+ containers := spec.containers[_]
+ env := containers.env[_]
+ env.valueFrom != []
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/securityContextCheck.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/securityContextCheck.rego
new file mode 100755
index 000000000..f76c53966
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/securityContextCheck.rego
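Review bot: `env.valueFrom != []` holds for any `valueFrom` object, so the rule reports `configMapKeyRef`, `fieldRef` and `resourceFieldRef` entries as secrets, not only `secretKeyRef`; the intended condition is `env.valueFrom.secretKeyRef`, which is undefined (and therefore no match) when the entry is not a secret. Conversely a whole secret imported through `envFrom[_].secretRef` is never examined, so a body with `containers.envFrom[_].secretRef` is needed for the same finding. The comparison appears in all six rules and both helpers; a single `secret_env(container)` helper would keep it in one place. A header comment stating the finding (secrets exposed as environment variables rather than mounted as files) is missing.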
@@ -0,0 +1,76 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_cron_job[_]
+ checkCorrectAttribute(pod.config.spec.jobTemplate.spec.template.spec)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ pod := item[_]
+ checkCorrectAttribute(pod.config.spec.template.spec)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ checkCorrectAttribute(pod.config.spec)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod_security_policy[_]
+ podSecurityCheck(pod.config.spec)
+}
+
+checkCorrectAttribute(spec) {
+ container := spec.containers[_]
+ containerSecurityCheck(container)
+}
+
+checkCorrectAttribute(spec) {
+ container := spec.initContainers[_]
+ containerSecurityCheck(container)
+}
+
+checkCorrectAttribute(spec) {
+ secContext := spec.securityContext
+ podSecurityCheck(secContext)
+}
+
+containerSecurityCheck(container) {
+ {{.not_allowed}}
+ container.{{.param1}}.{{.param}} == {{.value}}
+}
+
+containerSecurityCheck(container) {
+ object.get(container, "{{.param1}}", "undefined") == "undefined"
+}
+
+containerSecurityCheck(container) {
+ not container.{{.param1}}.{{.param}}
+}
+
+containerSecurityCheck(container) {
+ {{.allowed}}
+ not container.{{.param1}}.{{.arg1}}.{{.arg2}}
+}
+
+podSecurityCheck(secContext) {
+ {{.not_allowed}}
+ secContext.{{.param}} == {{.value}}
+}
+
+podSecurityCheck(secContext) {
+ {{.not_allowed}}
+ object.get(secContext, "{{.param}}", "undefined") == "undefined"
+}
\ No newline at end of file
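Review bot: In the third `checkCorrectAttribute` body `secContext := spec.securityContext` is undefined when the pod sets no `securityContext`, so `podSecurityCheck`'s missing-key body (`object.get(secContext, ...)`) can never fire for that case, while the container variant does report a missing `{{.param1}}` through `object.get(container, ...)`; `secContext := object.get(spec, "securityContext", {})` makes the two paths behave the same. Both missing-key bodies are unconditional, so for a parameter whose Kubernetes default is already safe a container without any `securityContext` is reported; whether that is intended depends on the template arguments, which are not visible here. The file needs a header comment listing the `{{.param1}}`/`{{.param}}`/`{{.value}}` combinations it is instantiated with and what `{{.allowed}}` and `{{.not_allowed}}` expand to, since the rule bodies cannot be read without that.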
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/securityContextUsed.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/securityContextUsed.rego
new file mode 100755
index 000000000..5d24387ea
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/securityContextUsed.rego
@@ -0,0 +1,103 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ container := pod.config.spec.containers[_]
+ not container.securityContext
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ initcontainer := pod.config.spec.initContainers[_]
+ not initcontainer.securityContext
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ not pod.config.spec.securityContext
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_cron_job[_]
+ container := pod.config.spec.jobTemplate.spec.template.spec.containers[_]
+ not container.securityContext
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_cron_job[_]
+ initcontainer := pod.config.spec.jobTemplate.spec.template.spec.initContainers[_]
+ not initcontainer.securityContext
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_cron_job[_]
+ not pod.config.spec.jobTemplate.spec.template.spec.securityContext
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined"),
+ object.get(input, "kubernetes_cron_job", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ pod := item[_]
+ checkPod(pod)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined"),
+ object.get(input, "kubernetes_cron_job", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ pod := item[_]
+ checkInitContainer(pod.config.spec.template.spec)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined"),
+ object.get(input, "kubernetes_cron_job", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ pod := item[_]
+ checkContainer(pod.config.spec.template.spec)
+}
+
+checkContainer(spec) {
+ containers := spec.containers[_]
+ not containers.securityContext
+}
+
+checkInitContainer(spec) {
+ containers := spec.initContainers[_]
+ not containers.securityContext
+}
+
+checkPod(pod) {
+ not pod.config.spec.template.spec.securityContext
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/specBoolCheck.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/specBoolCheck.rego
new file mode 100755
index 000000000..579448722
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/specBoolCheck.rego
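Review bot: The three `item_list` rules include `kubernetes_cron_job`, but `checkPod` tests `pod.config.spec.template.spec.securityContext`, a path that does not exist on a CronJob (its pod template sits under `spec.jobTemplate.spec.template`); the reference is undefined, `not` of an undefined value succeeds, and so every CronJob is reported regardless of what its securityContext says. Cron jobs already have dedicated rules at the top of the file, so removing the `object.get(input, "kubernetes_cron_job", "undefined"),` entry from all three lists fixes it. The same `not <path>` shape makes the kind-level checks fire on any object whose template path is malformed, which a comment on `checkPod` should say.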
@@ -0,0 +1,36 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_cron_job[_]
+ attribute := pod.config.spec.jobTemplate.spec.template.spec
+ boolCheck(attribute)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ attribute := pod.config.spec
+ boolCheck(attribute)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ pod := item[_]
+ attribute := pod.config.spec.template.spec
+
+ boolCheck(attribute)
+}
+
+boolCheck(attribute) {
+ attribute.{{.param}} == {{.value}}
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/tillerDeployed.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/tillerDeployed.rego
new file mode 100755
index 000000000..f4b90f2e4
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/tillerDeployed.rego
@@ -0,0 +1,35 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ pod.config.metadata.labels.app == "helm"
+ pod.config.metadata.labels.name == "tiller"
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_cron_job[_]
+ pod.config.spec.jobTemplate.spec.template.metadata.labels.app == "helm"
+ pod.config.spec.jobTemplate.spec.template.metadata.labels.name == "tiller"
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ item_list := [
+ object.get(input, "kubernetes_daemonset", "undefined"),
+ object.get(input, "kubernetes_deployment", "undefined"),
+ object.get(input, "kubernetes_job", "undefined"),
+ object.get(input, "kubernetes_replica_set", "undefined"),
+ object.get(input, "kubernetes_replication_controller", "undefined"),
+ object.get(input, "kubernetes_stateful_set", "undefined")
+ ]
+
+ item = item_list[_]
+ item != "undefined"
+
+ pod := item[_]
+ checkPod(pod)
+}
+
+checkPod(pod) {
+ pod.config.spec.template.metadata.labels.app == "helm"
+ pod.config.spec.template.metadata.labels.name == "tiller"
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_role/AC-K8-IA-RO-H-0104.json b/pkg/policies/opa/rego/k8s/kubernetes_role/AC-K8-IA-RO-H-0104.json
new file mode 100755
index 000000000..a7d32a080
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_role/AC-K8-IA-RO-H-0104.json
@@ -0,0 +1,14 @@
+{
+ "name": "defaultServiceAccountUsed",
+ "file": "defaultServiceAccountUsed.rego",
+ "template_args": {
+ "name": "defaultServiceAccountUsed",
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure that default service accounts are not actively used",
+ "reference_id": "AC-K8-IA-RO-H-0104",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
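Review bot: Tiller is recognised only by the `app: helm` / `name: tiller` label pair, which is what `helm init` writes but which any customised install drops; matching the container image as a second signal, e.g. a body over `spec.template.spec.containers[_].image` with `contains(image, "kubernetes-helm/tiller")`, would catch those. `checkPod` reads `spec.template.metadata.labels`, so it is only valid for the template-bearing kinds in `item_list`, which a one-line comment above it should state.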
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_role/defaultServiceAccountUsed.rego b/pkg/policies/opa/rego/k8s/kubernetes_role/defaultServiceAccountUsed.rego
new file mode 100755
index 000000000..fa6bd3469
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_role/defaultServiceAccountUsed.rego
@@ -0,0 +1,13 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[role.id] {
+ role := input.kubernetes_cluster_role[_]
+ role.config.roleRef.name == "default"
+ role.config.roleRef.kind == "role"
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[role.id] {
+ role := input.kubernetes_role_binding[_]
+ role.config.roleRef.name == "default"
+ role.config.roleRef.kind == "role"
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SE-M-0185.json b/pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SE-M-0185.json
new file mode 100755
index 000000000..aa41b50a5
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SE-M-0185.json
@@ -0,0 +1,14 @@
+{
+ "name": "tillerServiceDeleted",
+ "file": "tillerServiceDeleted.rego",
+ "template_args": {
+ "name": "tillerServiceDeleted",
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure that the Tiller Service (Helm v2) is deleted",
+ "reference_id": "AC-K8-NS-SE-M-0185",
+ "category": "Network Security",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SE-M-0188.json b/pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SE-M-0188.json
new file mode 100755
index 000000000..bb063812d
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SE-M-0188.json
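Review bot: Neither body can match a real object: `kubernetes_cluster_role` has no `roleRef` (that field lives on bindings), `roleRef.kind` is `Role` or `ClusterRole` with a capital letter so `== "role"` never holds, and `roleRef.name` names the Role rather than the service account, so "default service account used" is not what is being tested. The binding's `subjects` list is where the default service account appears; the rewrite below checks `kubernetes_role_binding` that way, and the same shape should be applied to cluster role bindings under whatever key the loader uses for them (presumably `kubernetes_cluster_role_binding`, to be confirmed). The metadata file `AC-K8-IA-RO-H-0104.json` in the previous hunk already describes that check, so only the rego needs to change.
```rego
{{.prefix}}{{.name}}{{.suffix}}[binding.id] {
    binding := input.kubernetes_role_binding[_]
    subject := binding.config.subjects[_]
    subject.kind == "ServiceAccount"
    subject.name == "default"
}
```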
@@ -0,0 +1,14 @@
+{
+ "name": "ensurePrivateIP",
+ "file": "ensurePrivateIP.rego",
+ "template_args": {
+ "name": "ensurePrivateIP",
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Restrict the use of externalIPs",
+ "reference_id": "AC-K8-NS-SE-M-0188",
+ "category": "Network Security",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SV-L-0132.json b/pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SV-L-0132.json
new file mode 100755
index 000000000..ac5daf9e4
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SV-L-0132.json
@@ -0,0 +1,14 @@
+{
+ "name": "nodePort",
+ "file": "nodePort.rego",
+ "template_args": {
+ "name": "nodePort",
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Nodeport service can expose the worker nodes as they have public interface",
+ "reference_id": "AC-K8-NS-SV-L-0132",
+ "category": "Network Security",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_service/ensurePrivateIP.rego b/pkg/policies/opa/rego/k8s/kubernetes_service/ensurePrivateIP.rego
new file mode 100755
index 000000000..7d5545dd3
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_service/ensurePrivateIP.rego
@@ -0,0 +1,16 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[service.id] {
+ service := input.kubernetes_service[_]
+ service.config.kind == "Service"
+ type_check(service.config.spec)
+ object.get(service.config.spec, "externalIPs", "undefined") != "undefined"
+}
+
+type_check(spec) {
+ spec.type == "ClusterIP"
+}
+
+type_check(spec) {
+ object.get(spec, "type", "undefined") == "undefined"
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_service/nodePort.rego b/pkg/policies/opa/rego/k8s/kubernetes_service/nodePort.rego
new file mode 100755
index 000000000..32afe15bb
--- /dev/null
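Review bot: ensurePrivateIP.rego only reports `externalIPs` when the Service is `ClusterIP` or has no type, but the field is equally valid on `NodePort` and `LoadBalancer` Services, and the reason for restricting it (whoever can create a Service can claim an arbitrary address and have kube-proxy route in-cluster traffic for it) does not depend on the type, so `type_check` narrows the finding for no benefit. The presence test is also loose: an explicit `externalIPs: []` passes `!= "undefined"` and is reported although nothing is claimed. I would drop the `type_check(service.config.spec)` line and both helpers, and replace the last condition with `count(object.get(service.config.spec, "externalIPs", [])) > 0`. A one-line header such as `# Reports any Service that claims externalIPs, regardless of Service type` would record the intent.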
+++ b/pkg/policies/opa/rego/k8s/kubernetes_service/nodePort.rego
@@ -0,0 +1,7 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[service.id] {
+ service := input.kubernetes_service[_]
+ service_config := service.config
+ service_config.spec.type == "NodePort"
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_service/tillerServiceDeleted.rego b/pkg/policies/opa/rego/k8s/kubernetes_service/tillerServiceDeleted.rego
new file mode 100755
index 000000000..08d0a58a9
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_service/tillerServiceDeleted.rego
@@ -0,0 +1,6 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[service.id] {
+ service := input.kubernetes_service[_]
+ service.config.metadata.labels.name == "tiller-deploy"
+}
\ No newline at end of file
From eeab9fee450f90636e608384e59bb1d8926a6ab8 Mon Sep 17 00:00:00 2001
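Review bot: tillerServiceDeleted.rego identifies the Tiller Service by `metadata.labels.name == "tiller-deploy"`, which disagrees with the Tiller workload rule earlier in this patch that matches the `app: helm` / `name: tiller` label pair; if, as that rule assumes, the stock Helm v2 install carries those labels and uses `tiller-deploy` as the Service's `metadata.name` rather than as a label value, this rule misses the very Service the AC-K8-NS-SE-M-0185 description targets. I would match the object name, `service.config.metadata.name == "tiller-deploy"`, and add a second rule body on the same label pair the workload rule uses so the two rules agree on what Tiller looks like. A header comment naming the Helm v2 Tiller Service as the target would also help, since nothing in the file says why `tiller-deploy` is special.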
From: Willie Sana Date: Thu, 14 Jan 2021 16:22:18 -0800 Subject: [PATCH 2/4] remove rules that have been replaced by the newer format --- .../accurics.kubernetes.IAM.1.json | 16 --- .../accurics.kubernetes.IAM.10.json | 16 --- .../accurics.kubernetes.IAM.11.json | 16 --- .../accurics.kubernetes.IAM.12.json | 16 --- .../accurics.kubernetes.IAM.13.json | 16 --- .../accurics.kubernetes.IAM.14.json | 16 --- .../accurics.kubernetes.IAM.15.json | 16 --- .../accurics.kubernetes.IAM.16.json | 16 --- .../accurics.kubernetes.IAM.2.json | 16 --- .../accurics.kubernetes.IAM.3.json | 16 --- .../accurics.kubernetes.IAM.4.json | 16 --- .../accurics.kubernetes.IAM.5.json | 16 --- .../accurics.kubernetes.IAM.6.json | 16 --- .../accurics.kubernetes.IAM.7.json | 16 --- .../accurics.kubernetes.IAM.8.json | 16 --- .../accurics.kubernetes.IAM.9.json | 16 --- ...ntainerAllowPrivilegeEscalationIsTrue.rego | 111 ------------------ .../accurics.kubernetes.IAM.17.json | 15 --- .../accurics.kubernetes.IAM.18.json | 15 --- .../accurics.kubernetes.IAM.19.json | 15 --- .../accurics.kubernetes.IAM.20.json | 15 --- .../accurics.kubernetes.IAM.21.json | 15 --- .../accurics.kubernetes.IAM.22.json | 15 --- .../accurics.kubernetes.IAM.23.json | 15 --- .../accurics.kubernetes.IAM.24.json | 15 --- .../containerHostIpcIsTrue.rego | 95 --------------- .../accurics.kubernetes.IAM.25.json | 15 --- .../accurics.kubernetes.IAM.26.json | 15 --- .../accurics.kubernetes.IAM.27.json | 15 --- .../accurics.kubernetes.IAM.28.json | 15 --- .../accurics.kubernetes.IAM.29.json | 15 --- .../accurics.kubernetes.IAM.30.json | 15 --- .../accurics.kubernetes.IAM.31.json | 15 --- .../accurics.kubernetes.IAM.32.json | 15 --- .../containerHostNetworkIsTrue.rego | 95 --------------- .../accurics.kubernetes.IAM.33.json | 15 --- .../accurics.kubernetes.IAM.34.json | 15 --- .../accurics.kubernetes.IAM.35.json | 15 --- .../accurics.kubernetes.IAM.36.json | 15 --- .../accurics.kubernetes.IAM.37.json | 15 --- 
.../accurics.kubernetes.IAM.38.json | 15 --- .../accurics.kubernetes.IAM.39.json | 15 --- .../accurics.kubernetes.IAM.40.json | 15 --- .../containerHostPidIsTrue.rego | 95 --------------- .../accurics.kubernetes.IAM.41.json | 16 --- .../accurics.kubernetes.IAM.42.json | 16 --- .../accurics.kubernetes.IAM.43.json | 16 --- .../accurics.kubernetes.IAM.44.json | 16 --- .../accurics.kubernetes.IAM.45.json | 16 --- .../accurics.kubernetes.IAM.46.json | 16 --- .../accurics.kubernetes.IAM.47.json | 16 --- .../accurics.kubernetes.IAM.48.json | 16 --- .../accurics.kubernetes.IAM.49.json | 16 --- .../accurics.kubernetes.IAM.50.json | 16 --- .../accurics.kubernetes.IAM.51.json | 16 --- .../accurics.kubernetes.IAM.52.json | 16 --- .../accurics.kubernetes.IAM.53.json | 16 --- .../accurics.kubernetes.IAM.54.json | 16 --- .../accurics.kubernetes.IAM.55.json | 16 --- .../accurics.kubernetes.IAM.56.json | 16 --- ...ontainerReadOnlyRootFilesystemIsFalse.rego | 111 ------------------ 61 files changed, 1379 deletions(-) delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.1.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.10.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.11.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.12.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.13.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.14.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.15.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.16.json delete mode 100755 
pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.2.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.3.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.4.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.5.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.6.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.7.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.8.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.9.json delete mode 100644 pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/containerAllowPrivilegeEscalationIsTrue.rego delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.17.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.18.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.19.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.20.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.21.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.22.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.23.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.24.json delete mode 100644 
pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/containerHostIpcIsTrue.rego delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.25.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.26.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.27.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.28.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.29.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.30.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.31.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.32.json delete mode 100644 pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/containerHostNetworkIsTrue.rego delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.33.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.34.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.35.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.36.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.37.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.38.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.39.json delete mode 100755 
pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.40.json delete mode 100644 pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/containerHostPidIsTrue.rego delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.41.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.42.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.43.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.44.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.45.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.46.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.47.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.48.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.49.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.50.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.51.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.52.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.53.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.54.json delete 
mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.55.json delete mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.56.json delete mode 100644 pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/containerReadOnlyRootFilesystemIsFalse.rego diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.1.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.1.json deleted file mode 100755 index 2fad12491..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.1.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "name": "containerAllowPrivilegeEscalationIsTrue", - "file": "containerAllowPrivilegeEscalationIsTrue.rego", - "template_args": { - "is_init": false, - "name": "containerAllowPrivilegeEscalationIsTrue", - "prefix": "", - "resource_type": "kubernetes_cron_job", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Minimize the admission of privileged containers", - "reference_id": "accurics.kubernetes.IAM.1", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.10.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.10.json deleted file mode 100755 index 4110279fb..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.10.json +++ /dev/null 
@@ -1,16 +0,0 @@ -{ - "name": "containerAllowPrivilegeEscalationIsTrue", - "file": "containerAllowPrivilegeEscalationIsTrue.rego", - "template_args": { - "is_init": true, - "name": "containerAllowPrivilegeEscalationIsTrue", - "prefix": "", - "resource_type": "kubernetes_daemonset", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Minimize the admission of privileged containers", - "reference_id": "accurics.kubernetes.IAM.10", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.11.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.11.json deleted file mode 100755 index 300f05ef0..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.11.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "name": "containerAllowPrivilegeEscalationIsTrue", - "file": "containerAllowPrivilegeEscalationIsTrue.rego", - "template_args": { - "is_init": true, - "name": "containerAllowPrivilegeEscalationIsTrue", - "prefix": "", - "resource_type": "kubernetes_deployment", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Minimize the admission of privileged containers", - "reference_id": "accurics.kubernetes.IAM.11", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.12.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.12.json deleted file mode 100755 index 7532811fa..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.12.json +++ /dev/null 
@@ -1,16 +0,0 @@ -{ - "name": "containerAllowPrivilegeEscalationIsTrue", - "file": "containerAllowPrivilegeEscalationIsTrue.rego", - "template_args": { - "is_init": true, - "name": "containerAllowPrivilegeEscalationIsTrue", - "prefix": "", - "resource_type": "kubernetes_job", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Minimize the admission of privileged containers", - "reference_id": "accurics.kubernetes.IAM.12", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.13.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.13.json deleted file mode 100755 index c3c7e9205..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.13.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "name": "containerAllowPrivilegeEscalationIsTrue", - "file": "containerAllowPrivilegeEscalationIsTrue.rego", - "template_args": { - "is_init": true, - "name": "containerAllowPrivilegeEscalationIsTrue", - "prefix": "", - "resource_type": "kubernetes_pod", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Minimize the admission of privileged containers", - "reference_id": "accurics.kubernetes.IAM.13", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.14.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.14.json deleted file mode 100755 index 5e9a614d2..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.14.json +++ /dev/null 
@@ -1,16 +0,0 @@ -{ - "name": "containerAllowPrivilegeEscalationIsTrue", - "file": "containerAllowPrivilegeEscalationIsTrue.rego", - "template_args": { - "is_init": true, - "name": "containerAllowPrivilegeEscalationIsTrue", - "prefix": "", - "resource_type": "kubernetes_replicaset", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Minimize the admission of privileged containers", - "reference_id": "accurics.kubernetes.IAM.14", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.15.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.15.json deleted file mode 100755 index 3562295ef..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.15.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "name": "containerAllowPrivilegeEscalationIsTrue", - "file": "containerAllowPrivilegeEscalationIsTrue.rego", - "template_args": { - "is_init": true, - "name": "containerAllowPrivilegeEscalationIsTrue", - "prefix": "", - "resource_type": "kubernetes_replication_controller", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Minimize the admission of privileged containers", - "reference_id": "accurics.kubernetes.IAM.15", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.16.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.16.json deleted file mode 100755 index 5b2554d97..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.16.json +++ /dev/null 
@@ -1,16 +0,0 @@ -{ - "name": "containerAllowPrivilegeEscalationIsTrue", - "file": "containerAllowPrivilegeEscalationIsTrue.rego", - "template_args": { - "is_init": true, - "name": "containerAllowPrivilegeEscalationIsTrue", - "prefix": "", - "resource_type": "kubernetes_stateful_set", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Minimize the admission of privileged containers", - "reference_id": "accurics.kubernetes.IAM.16", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.2.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.2.json deleted file mode 100755 index 5088dc6d5..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.2.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "name": "containerAllowPrivilegeEscalationIsTrue", - "file": "containerAllowPrivilegeEscalationIsTrue.rego", - "template_args": { - "is_init": false, - "name": "containerAllowPrivilegeEscalationIsTrue", - "prefix": "", - "resource_type": "kubernetes_daemonset", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Minimize the admission of privileged containers", - "reference_id": "accurics.kubernetes.IAM.2", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.3.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.3.json deleted file mode 100755 index 471d9d589..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.3.json +++ /dev/null 
@@ -1,16 +0,0 @@ -{ - "name": "containerAllowPrivilegeEscalationIsTrue", - "file": "containerAllowPrivilegeEscalationIsTrue.rego", - "template_args": { - "is_init": false, - "name": "containerAllowPrivilegeEscalationIsTrue", - "prefix": "", - "resource_type": "kubernetes_deployment", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Minimize the admission of privileged containers", - "reference_id": "accurics.kubernetes.IAM.3", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.4.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.4.json deleted file mode 100755 index bcf861fc2..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.4.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "name": "containerAllowPrivilegeEscalationIsTrue", - "file": "containerAllowPrivilegeEscalationIsTrue.rego", - "template_args": { - "is_init": false, - "name": "containerAllowPrivilegeEscalationIsTrue", - "prefix": "", - "resource_type": "kubernetes_job", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Minimize the admission of privileged containers", - "reference_id": "accurics.kubernetes.IAM.4", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.5.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.5.json deleted file mode 100755 index b72aff074..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.5.json +++ /dev/null 
@@ -1,16 +0,0 @@ -{ - "name": "containerAllowPrivilegeEscalationIsTrue", - "file": "containerAllowPrivilegeEscalationIsTrue.rego", - "template_args": { - "is_init": false, - "name": "containerAllowPrivilegeEscalationIsTrue", - "prefix": "", - "resource_type": "kubernetes_pod", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Minimize the admission of privileged containers", - "reference_id": "accurics.kubernetes.IAM.5", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.6.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.6.json deleted file mode 100755 index 501e83d12..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.6.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "name": "containerAllowPrivilegeEscalationIsTrue", - "file": "containerAllowPrivilegeEscalationIsTrue.rego", - "template_args": { - "is_init": false, - "name": "containerAllowPrivilegeEscalationIsTrue", - "prefix": "", - "resource_type": "kubernetes_replicaset", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Minimize the admission of privileged containers", - "reference_id": "accurics.kubernetes.IAM.6", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.7.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.7.json deleted file mode 100755 index 1430e6ae5..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.7.json +++ /dev/null 
@@ -1,16 +0,0 @@ -{ - "name": "containerAllowPrivilegeEscalationIsTrue", - "file": "containerAllowPrivilegeEscalationIsTrue.rego", - "template_args": { - "is_init": false, - "name": "containerAllowPrivilegeEscalationIsTrue", - "prefix": "", - "resource_type": "kubernetes_replication_controller", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Minimize the admission of privileged containers", - "reference_id": "accurics.kubernetes.IAM.7", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.8.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.8.json deleted file mode 100755 index 631a173df..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.8.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "name": "containerAllowPrivilegeEscalationIsTrue", - "file": "containerAllowPrivilegeEscalationIsTrue.rego", - "template_args": { - "is_init": false, - "name": "containerAllowPrivilegeEscalationIsTrue", - "prefix": "", - "resource_type": "kubernetes_stateful_set", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Minimize the admission of privileged containers", - "reference_id": "accurics.kubernetes.IAM.8", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.9.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.9.json deleted file mode 100755 index 795aad41e..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/accurics.kubernetes.IAM.9.json +++ /dev/null 
@@ -1,16 +0,0 @@ -{ - "name": "containerAllowPrivilegeEscalationIsTrue", - "file": "containerAllowPrivilegeEscalationIsTrue.rego", - "template_args": { - "is_init": true, - "name": "containerAllowPrivilegeEscalationIsTrue", - "prefix": "", - "resource_type": "kubernetes_cron_job", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Minimize the admission of privileged containers", - "reference_id": "accurics.kubernetes.IAM.9", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/containerAllowPrivilegeEscalationIsTrue.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/containerAllowPrivilegeEscalationIsTrue.rego deleted file mode 100644 index c86595450..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/allow_privilege_escalation/containerAllowPrivilegeEscalationIsTrue.rego +++ /dev/null 
@@ -1,111 +0,0 @@ -package accurics - -{{- if eq .is_init true}} - -{{.prefix}}{{.name}}{{.suffix}}[api.id] { - {{- template "initContainersSecurityContext" . }} - initContainersSecurityContext.allowPrivilegeEscalation == true -} - -{{.prefix}}{{.name}}{{.suffix}}[api.id] { - {{- template "initContainersSecurityContextTF" . }} - initContainersSecurityContextTF.allow_privilege_escalation == true -} - -{{- else}} - -{{.prefix}}{{.name}}{{.suffix}}[api.id] { - {{- template "containersSecurityContext" . }} - containersSecurityContext.allowPrivilegeEscalation == true -} - -{{.prefix}}{{.name}}{{.suffix}}[api.id] { - {{- template "containersSecurityContextTF" . }} - containersSecurityContextTF.allow_privilege_escalation == true -} - -{{- end}} - - -################################## -### Template definitions below ### -################################## -{{- define "api" }} - api = input.{{.resource_type}}[_] -{{- end}} - -# resolves path to the spec key -{{- define "spec" }} - {{- template "api" . }} - {{- if eq .resource_type "kubernetes_pod" }} - spec = api.config.spec - {{- else if eq .resource_type "kubernetes_pod_security_policy" }} - spec = api.config.spec - {{- else if eq .resource_type "kubernetes_cron_job" }} - spec = api.config.spec.jobTemplate.spec.template.spec - {{- else }} - spec = api.config.spec.template.spec - {{- end }} -{{- end }} - -# resolves path to the spec key for terraform-defined k8s resources -{{- define "specTF" }} - {{- template "api" . }} - {{- if eq .resource_type "kubernetes_pod" }} - specTF = api.config.spec - {{- else if eq .resource_type "kubernetes_pod_security_policy" }} - specTF = api.config.spec - {{- else if eq .resource_type "kubernetes_cron_job" }} - specTF = api.config.spec.job_template.spec.template.spec - {{- else }} - specTF = api.config.spec.template.spec - {{- end }} -{{- end }} - -# resolves path to the containers list -{{- define "containers" }} - {{- template "spec" . 
}} - containers = spec.containers[_] -{{- end }} - -# resolves path to the containers' security context -{{- define "containersSecurityContext" }} - {{- template "containers" . }} - containersSecurityContext = containers.securityContext -{{- end }} - -# resolves path to the containers list for terraform-defined k8s resources -{{- define "containersTF" }} - {{- template "specTF" . }} - containersTF = specTF.containers[_] -{{- end }} - -# resolves path to the containers' security context for terraform-defined k8s resources -{{- define "containersSecurityContextTF" }} - {{- template "containersTF" . }} - containersSecurityContextTF = containersTF.security_context -{{- end }} - -# resolves path to the initContainers list -{{- define "initContainers" }} - {{- template "spec" . }} - initContainers = spec.initContainers[_] -{{- end }} - -# resolves path to the initContainers' security context -{{- define "initContainersSecurityContext" }} - {{- template "initContainers" . }} - initContainersSecurityContext = initContainers.securityContext -{{- end }} - -# resolves path to the initContainers list for terraform-defined k8s resources -{{- define "initContainersTF" }} - {{- template "specTF" . }} - initContainersTF = specTF.init_containers[_] -{{- end }} - -# resolves path to the initContainers' security context for terraform-defined k8s resources -{{- define "initContainersSecurityContextTF" }} - {{- template "initContainersTF" . }} - initContainersSecurityContextTF = initContainersTF.security_context -{{- end }} diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.17.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.17.json deleted file mode 100755 index ca1a528b8..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.17.json +++ /dev/null 
@@ -1,15 +0,0 @@
-{
- "name": "containerHostIpcIsTrue",
- "file": "containerHostIpcIsTrue.rego",
- "template_args": {
- "name": "containerHostIpcIsTrue",
- "prefix": "",
- "resource_type": "kubernetes_cron_job",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Minimize the admission of containers wishing to share the host IPC namespace",
- "reference_id": "accurics.kubernetes.IAM.17",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.18.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.18.json
deleted file mode 100755
index 55800774e..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.18.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "name": "containerHostIpcIsTrue",
- "file": "containerHostIpcIsTrue.rego",
- "template_args": {
- "name": "containerHostIpcIsTrue",
- "prefix": "",
- "resource_type": "kubernetes_daemonset",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Minimize the admission of containers wishing to share the host IPC namespace",
- "reference_id": "accurics.kubernetes.IAM.18",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.19.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.19.json
deleted file mode 100755
index 88d0f374f..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.19.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "name": "containerHostIpcIsTrue",
- "file": "containerHostIpcIsTrue.rego",
- "template_args": {
- "name": "containerHostIpcIsTrue",
- "prefix": "",
- "resource_type": "kubernetes_deployment",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Minimize the admission of containers wishing to share the host IPC namespace",
- "reference_id": "accurics.kubernetes.IAM.19",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.20.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.20.json
deleted file mode 100755
index eeca93418..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.20.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "name": "containerHostIpcIsTrue",
- "file": "containerHostIpcIsTrue.rego",
- "template_args": {
- "name": "containerHostIpcIsTrue",
- "prefix": "",
- "resource_type": "kubernetes_job",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Minimize the admission of containers wishing to share the host IPC namespace",
- "reference_id": "accurics.kubernetes.IAM.20",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.21.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.21.json
deleted file mode 100755
index a060cb58c..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.21.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "name": "containerHostIpcIsTrue",
- "file": "containerHostIpcIsTrue.rego",
- "template_args": {
- "name": "containerHostIpcIsTrue",
- "prefix": "",
- "resource_type": "kubernetes_pod",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Minimize the admission of containers wishing to share the host IPC namespace",
- "reference_id": "accurics.kubernetes.IAM.21",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.22.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.22.json
deleted file mode 100755
index 7d6a05b18..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.22.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "name": "containerHostIpcIsTrue",
- "file": "containerHostIpcIsTrue.rego",
- "template_args": {
- "name": "containerHostIpcIsTrue",
- "prefix": "",
- "resource_type": "kubernetes_replicaset",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Minimize the admission of containers wishing to share the host IPC namespace",
- "reference_id": "accurics.kubernetes.IAM.22",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.23.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.23.json
deleted file mode 100755
index 816da121a..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.23.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "name": "containerHostIpcIsTrue",
- "file": "containerHostIpcIsTrue.rego",
- "template_args": {
- "name": "containerHostIpcIsTrue",
- "prefix": "",
- "resource_type": "kubernetes_replication_controller",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Minimize the admission of containers wishing to share the host IPC namespace",
- "reference_id": "accurics.kubernetes.IAM.23",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.24.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.24.json
deleted file mode 100755
index 9d69ed01e..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/accurics.kubernetes.IAM.24.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "name": "containerHostIpcIsTrue",
- "file": "containerHostIpcIsTrue.rego",
- "template_args": {
- "name": "containerHostIpcIsTrue",
- "prefix": "",
- "resource_type": "kubernetes_stateful_set",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Minimize the admission of containers wishing to share the host IPC namespace",
- "reference_id": "accurics.kubernetes.IAM.24",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/containerHostIpcIsTrue.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/containerHostIpcIsTrue.rego
deleted file mode 100644
index 16ebf8803..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_ipc/containerHostIpcIsTrue.rego
+++ /dev/null
@@ -1,95 +0,0 @@
-package accurics
-
-{{.prefix}}{{.name}}{{.suffix}}[api.id] {
- {{- template "spec" .}}
- spec.hostIPC == true
-}
-
-{{.prefix}}{{.name}}{{.suffix}}[api.id] {
- {{- template "specTF" .}}
- specTF.host_ipc == true
-}
-
-
-##################################
-### Template definitions below ###
-##################################
-{{- define "api" }}
- api = input.{{.resource_type}}[_]
-{{- end}}
-
-# resolves path to the spec key
-{{- define "spec" }}
- {{- template "api" . }}
- {{- if eq .resource_type "kubernetes_pod" }}
- spec = api.config.spec
- {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
- spec = api.config.spec
- {{- else if eq .resource_type "kubernetes_cron_job" }}
- spec = api.config.spec.jobTemplate.spec.template.spec
- {{- else }}
- spec = api.config.spec.template.spec
- {{- end }}
-{{- end }}
-
-# resolves path to the spec key for terraform-defined k8s resources
-{{- define "specTF" }}
- {{- template "api" . }}
- {{- if eq .resource_type "kubernetes_pod" }}
- specTF = api.config.spec
- {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
- specTF = api.config.spec
- {{- else if eq .resource_type "kubernetes_cron_job" }}
- specTF = api.config.spec.job_template.spec.template.spec
- {{- else }}
- specTF = api.config.spec.template.spec
- {{- end }}
-{{- end }}
-
-# resolves path to the containers list
-{{- define "containers" }}
- {{- template "spec" . }}
- containers = spec.containers[_]
-{{- end }}
-
-# resolves path to the containers' security context
-{{- define "containersSecurityContext" }}
- {{- template "containers" . }}
- containersSecurityContext = containers.securityContext
-{{- end }}
-
-# resolves path to the containers list for terraform-defined k8s resources
-{{- define "containersTF" }}
- {{- template "specTF" . }}
- containersTF = specTF.containers[_]
-{{- end }}
-
-# resolves path to the containers' security context for terraform-defined k8s resources
-{{- define "containersSecurityContextTF" }}
- {{- template "containersTF" . }}
- containersSecurityContextTF = containersTF.security_context
-{{- end }}
-
-# resolves path to the initContainers list
-{{- define "initContainers" }}
- {{- template "spec" . }}
- initContainers = spec.initContainers[_]
-{{- end }}
-
-# resolves path to the initContainers' security context
-{{- define "initContainersSecurityContext" }}
- {{- template "initContainers" . }}
- initContainersSecurityContext = initContainers.securityContext
-{{- end }}
-
-# resolves path to the initContainers list for terraform-defined k8s resources
-{{- define "initContainersTF" }}
- {{- template "specTF" . }}
- initContainersTF = specTF.init_containers[_]
-{{- end }}
-
-# resolves path to the initContainers' security context for terraform-defined k8s resources
-{{- define "initContainersSecurityContextTF" }}
- {{- template "initContainersTF" . }}
- initContainersSecurityContextTF = initContainersTF.security_context
-{{- end }}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.25.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.25.json
deleted file mode 100755
index 73a4bc462..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.25.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "name": "containerHostNetworkIsTrue",
- "file": "containerHostNetworkIsTrue.rego",
- "template_args": {
- "name": "containerHostNetworkIsTrue",
- "prefix": "",
- "resource_type": "kubernetes_cron_job",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Minimize the admission of containers wishing to share the host network namespace",
- "reference_id": "accurics.kubernetes.IAM.25",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.26.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.26.json
deleted file mode 100755
index c4f78694f..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.26.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "name": "containerHostNetworkIsTrue",
- "file": "containerHostNetworkIsTrue.rego",
- "template_args": {
- "name": "containerHostNetworkIsTrue",
- "prefix": "",
- "resource_type": "kubernetes_daemonset",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Minimize the admission of containers wishing to share the host network namespace",
- "reference_id": "accurics.kubernetes.IAM.26",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.27.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.27.json
deleted file mode 100755
index d16a7a4c5..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.27.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "name": "containerHostNetworkIsTrue",
- "file": "containerHostNetworkIsTrue.rego",
- "template_args": {
- "name": "containerHostNetworkIsTrue",
- "prefix": "",
- "resource_type": "kubernetes_deployment",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Minimize the admission of containers wishing to share the host network namespace",
- "reference_id": "accurics.kubernetes.IAM.27",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.28.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.28.json
deleted file mode 100755
index 4fdf4e95a..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.28.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "name": "containerHostNetworkIsTrue",
- "file": "containerHostNetworkIsTrue.rego",
- "template_args": {
- "name": "containerHostNetworkIsTrue",
- "prefix": "",
- "resource_type": "kubernetes_job",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Minimize the admission of containers wishing to share the host network namespace",
- "reference_id": "accurics.kubernetes.IAM.28",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.29.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.29.json
deleted file mode 100755
index ce7b51fd6..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.29.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "name": "containerHostNetworkIsTrue",
- "file": "containerHostNetworkIsTrue.rego",
- "template_args": {
- "name": "containerHostNetworkIsTrue",
- "prefix": "",
- "resource_type": "kubernetes_pod",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Minimize the admission of containers wishing to share the host network namespace",
- "reference_id": "accurics.kubernetes.IAM.29",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.30.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.30.json
deleted file mode 100755
index 0924bc3f7..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.30.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "name": "containerHostNetworkIsTrue",
- "file": "containerHostNetworkIsTrue.rego",
- "template_args": {
- "name": "containerHostNetworkIsTrue",
- "prefix": "",
- "resource_type": "kubernetes_replicaset",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Minimize the admission of containers wishing to share the host network namespace",
- "reference_id": "accurics.kubernetes.IAM.30",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.31.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.31.json
deleted file mode 100755
index 1bf6e9f2b..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.31.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "name": "containerHostNetworkIsTrue",
- "file": "containerHostNetworkIsTrue.rego",
- "template_args": {
- "name": "containerHostNetworkIsTrue",
- "prefix": "",
- "resource_type": "kubernetes_replication_controller",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Minimize the admission of containers wishing to share the host network namespace",
- "reference_id": "accurics.kubernetes.IAM.31",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.32.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.32.json
deleted file mode 100755
index 28ef496d1..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/accurics.kubernetes.IAM.32.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "name": "containerHostNetworkIsTrue",
- "file": "containerHostNetworkIsTrue.rego",
- "template_args": {
- "name": "containerHostNetworkIsTrue",
- "prefix": "",
- "resource_type": "kubernetes_stateful_set",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Minimize the admission of containers wishing to share the host network namespace",
- "reference_id": "accurics.kubernetes.IAM.32",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/containerHostNetworkIsTrue.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/containerHostNetworkIsTrue.rego
deleted file mode 100644
index 61d441630..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_network/containerHostNetworkIsTrue.rego
+++ /dev/null
@@ -1,95 +0,0 @@
-package accurics
-
-{{.prefix}}{{.name}}{{.suffix}}[api.id] {
- {{template "spec" .}}
- spec.hostNetwork == true
-}
-
-{{.prefix}}{{.name}}{{.suffix}}[api.id] {
- {{template "specTF" .}}
- specTF.host_network == true
-}
-
-
-##################################
-### Template definitions below ###
-##################################
-{{- define "api" }}
- api = input.{{.resource_type}}[_]
-{{- end}}
-
-# resolves path to the spec key
-{{- define "spec" }}
- {{- template "api" . }}
- {{- if eq .resource_type "kubernetes_pod" }}
- spec = api.config.spec
- {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
- spec = api.config.spec
- {{- else if eq .resource_type "kubernetes_cron_job" }}
- spec = api.config.spec.jobTemplate.spec.template.spec
- {{- else }}
- spec = api.config.spec.template.spec
- {{- end }}
-{{- end }}
-
-# resolves path to the spec key for terraform-defined k8s resources
-{{- define "specTF" }}
- {{- template "api" . }}
- {{- if eq .resource_type "kubernetes_pod" }}
- specTF = api.config.spec
- {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
- specTF = api.config.spec
- {{- else if eq .resource_type "kubernetes_cron_job" }}
- specTF = api.config.spec.job_template.spec.template.spec
- {{- else }}
- specTF = api.config.spec.template.spec
- {{- end }}
-{{- end }}
-
-# resolves path to the containers list
-{{- define "containers" }}
- {{- template "spec" . }}
- containers = spec.containers[_]
-{{- end }}
-
-# resolves path to the containers' security context
-{{- define "containersSecurityContext" }}
- {{- template "containers" . }}
- containersSecurityContext = containers.securityContext
-{{- end }}
-
-# resolves path to the containers list for terraform-defined k8s resources
-{{- define "containersTF" }}
- {{- template "specTF" . }}
- containersTF = specTF.containers[_]
-{{- end }}
-
-# resolves path to the containers' security context for terraform-defined k8s resources
-{{- define "containersSecurityContextTF" }}
- {{- template "containersTF" . }}
- containersSecurityContextTF = containersTF.security_context
-{{- end }}
-
-# resolves path to the initContainers list
-{{- define "initContainers" }}
- {{- template "spec" . }}
- initContainers = spec.initContainers[_]
-{{- end }}
-
-# resolves path to the initContainers' security context
-{{- define "initContainersSecurityContext" }}
- {{- template "initContainers" . }}
- initContainersSecurityContext = initContainers.securityContext
-{{- end }}
-
-# resolves path to the initContainers list for terraform-defined k8s resources
-{{- define "initContainersTF" }}
- {{- template "specTF" . }}
- initContainersTF = specTF.init_containers[_]
-{{- end }}
-
-# resolves path to the initContainers' security context for terraform-defined k8s resources
-{{- define "initContainersSecurityContextTF" }}
- {{- template "initContainersTF" . }}
- initContainersSecurityContextTF = initContainersTF.security_context
-{{- end }}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.33.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.33.json
deleted file mode 100755
index da15f2afd..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.33.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "name": "containerHostPidIsTrue",
- "file": "containerHostPidIsTrue.rego",
- "template_args": {
- "name": "containerHostPidIsTrue",
- "prefix": "",
- "resource_type": "kubernetes_cron_job",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Minimize the admission of containers wishing to share the host process ID namespace",
- "reference_id": "accurics.kubernetes.IAM.33",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.34.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.34.json
deleted file mode 100755
index 76f6ff572..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.34.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "name": "containerHostPidIsTrue",
- "file": "containerHostPidIsTrue.rego",
- "template_args": {
- "name": "containerHostPidIsTrue",
- "prefix": "",
- "resource_type": "kubernetes_daemonset",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Minimize the admission of containers wishing to share the host process ID namespace",
- "reference_id": "accurics.kubernetes.IAM.34",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.35.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.35.json
deleted file mode 100755
index b3bd1d49e..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.35.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "name": "containerHostPidIsTrue",
- "file": "containerHostPidIsTrue.rego",
- "template_args": {
- "name": "containerHostPidIsTrue",
- "prefix": "",
- "resource_type": "kubernetes_deployment",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Minimize the admission of containers wishing to share the host process ID namespace",
- "reference_id": "accurics.kubernetes.IAM.35",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.36.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.36.json
deleted file mode 100755
index fdd65eea0..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.36.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "name": "containerHostPidIsTrue",
- "file": "containerHostPidIsTrue.rego",
- "template_args": {
- "name": "containerHostPidIsTrue",
- "prefix": "",
- "resource_type": "kubernetes_job",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Minimize the admission of containers wishing to share the host process ID namespace",
- "reference_id": "accurics.kubernetes.IAM.36",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.37.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.37.json
deleted file mode 100755
index 675b8bb5f..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.37.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "name": "containerHostPidIsTrue",
- "file": "containerHostPidIsTrue.rego",
- "template_args": {
- "name": "containerHostPidIsTrue",
- "prefix": "",
- "resource_type": "kubernetes_pod",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Minimize the admission of containers wishing to share the host process ID namespace",
- "reference_id": "accurics.kubernetes.IAM.37",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.38.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.38.json
deleted file mode 100755
index 64c1318d0..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.38.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "name": "containerHostPidIsTrue",
- "file": "containerHostPidIsTrue.rego",
- "template_args": {
- "name": "containerHostPidIsTrue",
- "prefix": "",
- "resource_type": "kubernetes_replicaset",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Minimize the admission of containers wishing to share the host process ID namespace",
- "reference_id": "accurics.kubernetes.IAM.38",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.39.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.39.json
deleted file mode 100755
index d5c8c1166..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.39.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "name": "containerHostPidIsTrue",
- "file": "containerHostPidIsTrue.rego",
- "template_args": {
- "name": "containerHostPidIsTrue",
- "prefix": "",
- "resource_type": "kubernetes_replication_controller",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Minimize the admission of containers wishing to share the host process ID namespace",
- "reference_id": "accurics.kubernetes.IAM.39",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.40.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.40.json
deleted file mode 100755
index a30cd44fa..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/accurics.kubernetes.IAM.40.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "name": "containerHostPidIsTrue",
- "file": "containerHostPidIsTrue.rego",
- "template_args": {
- "name": "containerHostPidIsTrue",
- "prefix": "",
- "resource_type": "kubernetes_stateful_set",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Minimize the admission of containers wishing to share the host process ID namespace",
- "reference_id": "accurics.kubernetes.IAM.40",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/containerHostPidIsTrue.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/containerHostPidIsTrue.rego
deleted file mode 100644
index 51180d3a5..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_host_pid/containerHostPidIsTrue.rego
+++ /dev/null
@@ -1,95 +0,0 @@
-package accurics
-
-{{.prefix}}{{.name}}{{.suffix}}[api.id] {
- {{- template "spec" .}}
- spec.hostPID == true
-}
-
-{{.prefix}}{{.name}}{{.suffix}}[api.id] {
- {{- template "specTF" .}}
- specTF.host_pid == true
-}
-
-
-##################################
-### Template definitions below ###
-##################################
-{{- define "api" }}
- api = input.{{.resource_type}}[_]
-{{- end}}
-
-# resolves path to the spec key
-{{- define "spec" }}
- {{- template "api" . }}
- {{- if eq .resource_type "kubernetes_pod" }}
- spec = api.config.spec
- {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
- spec = api.config.spec
- {{- else if eq .resource_type "kubernetes_cron_job" }}
- spec = api.config.spec.jobTemplate.spec.template.spec
- {{- else }}
- spec = api.config.spec.template.spec
- {{- end }}
-{{- end }}
-
-# resolves path to the spec key for terraform-defined k8s resources
-{{- define "specTF" }}
- {{- template "api" . }}
- {{- if eq .resource_type "kubernetes_pod" }}
- specTF = api.config.spec
- {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
- specTF = api.config.spec
- {{- else if eq .resource_type "kubernetes_cron_job" }}
- specTF = api.config.spec.job_template.spec.template.spec
- {{- else }}
- specTF = api.config.spec.template.spec
- {{- end }}
-{{- end }}
-
-# resolves path to the containers list
-{{- define "containers" }}
- {{- template "spec" . }}
- containers = spec.containers[_]
-{{- end }}
-
-# resolves path to the containers' security context
-{{- define "containersSecurityContext" }}
- {{- template "containers" . }}
- containersSecurityContext = containers.securityContext
-{{- end }}
-
-# resolves path to the containers list for terraform-defined k8s resources
-{{- define "containersTF" }}
- {{- template "specTF" . }}
- containersTF = specTF.containers[_]
-{{- end }}
-
-# resolves path to the containers' security context for terraform-defined k8s resources
-{{- define "containersSecurityContextTF" }}
- {{- template "containersTF" . }}
- containersSecurityContextTF = containersTF.security_context
-{{- end }}
-
-# resolves path to the initContainers list
-{{- define "initContainers" }}
- {{- template "spec" . }}
- initContainers = spec.initContainers[_]
-{{- end }}
-
-# resolves path to the initContainers' security context
-{{- define "initContainersSecurityContext" }}
- {{- template "initContainers" . }}
- initContainersSecurityContext = initContainers.securityContext
-{{- end }}
-
-# resolves path to the initContainers list for terraform-defined k8s resources
-{{- define "initContainersTF" }}
- {{- template "specTF" . }}
- initContainersTF = specTF.init_containers[_]
-{{- end }}
-
-# resolves path to the initContainers' security context for terraform-defined k8s resources
-{{- define "initContainersSecurityContextTF" }}
- {{- template "initContainersTF" . }}
- initContainersSecurityContextTF = initContainersTF.security_context
-{{- end }}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.41.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.41.json
deleted file mode 100755
index 2ca9f036a..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.41.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "name": "containerReadOnlyRootFilesystemIsFalse",
- "file": "containerReadOnlyRootFilesystemIsFalse.rego",
- "template_args": {
- "is_init": false,
- "name": "containerReadOnlyRootFilesystemIsFalse",
- "prefix": "",
- "resource_type": "kubernetes_cron_job",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Container's root filesystem is not read-only",
- "reference_id": "accurics.kubernetes.IAM.41",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.42.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.42.json
deleted file mode 100755
index e6f5183e8..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.42.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "name": "containerReadOnlyRootFilesystemIsFalse",
- "file": "containerReadOnlyRootFilesystemIsFalse.rego",
- "template_args": {
- "is_init": false,
- "name": "containerReadOnlyRootFilesystemIsFalse",
- "prefix": "",
- "resource_type": "kubernetes_daemonset",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Container's root filesystem is not read-only",
- "reference_id": "accurics.kubernetes.IAM.42",
- "category": "Identity and Access Management",
- "version": 1
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.43.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.43.json
deleted file mode 100755
index 04955fafa..000000000
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.43.json
+++ /dev/null
@@ -1,16 +0,0 @@ -{ - "name": "containerReadOnlyRootFilesystemIsFalse", - "file": "containerReadOnlyRootFilesystemIsFalse.rego", - "template_args": { - "is_init": false, - "name": "containerReadOnlyRootFilesystemIsFalse", - "prefix": "", - "resource_type": "kubernetes_deployment", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Container's root filesystem is not read-only", - "reference_id": "accurics.kubernetes.IAM.43", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.44.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.44.json deleted file mode 100755 index 5888a5463..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.44.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "name": "containerReadOnlyRootFilesystemIsFalse", - "file": "containerReadOnlyRootFilesystemIsFalse.rego", - "template_args": { - "is_init": false, - "name": "containerReadOnlyRootFilesystemIsFalse", - "prefix": "", - "resource_type": "kubernetes_job", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Container's root filesystem is not read-only", - "reference_id": "accurics.kubernetes.IAM.44", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.45.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.45.json deleted file mode 100755 index 52d942d70..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.45.json +++ /dev/null 
@@ -1,16 +0,0 @@ -{ - "name": "containerReadOnlyRootFilesystemIsFalse", - "file": "containerReadOnlyRootFilesystemIsFalse.rego", - "template_args": { - "is_init": false, - "name": "containerReadOnlyRootFilesystemIsFalse", - "prefix": "", - "resource_type": "kubernetes_pod", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Container's root filesystem is not read-only", - "reference_id": "accurics.kubernetes.IAM.45", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.46.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.46.json deleted file mode 100755 index 431097b65..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.46.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "name": "containerReadOnlyRootFilesystemIsFalse", - "file": "containerReadOnlyRootFilesystemIsFalse.rego", - "template_args": { - "is_init": false, - "name": "containerReadOnlyRootFilesystemIsFalse", - "prefix": "", - "resource_type": "kubernetes_replicaset", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Container's root filesystem is not read-only", - "reference_id": "accurics.kubernetes.IAM.46", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.47.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.47.json deleted file mode 100755 index 6c13e3a50..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.47.json +++ /dev/null 
@@ -1,16 +0,0 @@ -{ - "name": "containerReadOnlyRootFilesystemIsFalse", - "file": "containerReadOnlyRootFilesystemIsFalse.rego", - "template_args": { - "is_init": false, - "name": "containerReadOnlyRootFilesystemIsFalse", - "prefix": "", - "resource_type": "kubernetes_replication_controller", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Container's root filesystem is not read-only", - "reference_id": "accurics.kubernetes.IAM.47", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.48.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.48.json deleted file mode 100755 index dd7644f13..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.48.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "name": "containerReadOnlyRootFilesystemIsFalse", - "file": "containerReadOnlyRootFilesystemIsFalse.rego", - "template_args": { - "is_init": false, - "name": "containerReadOnlyRootFilesystemIsFalse", - "prefix": "", - "resource_type": "kubernetes_stateful_set", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Container's root filesystem is not read-only", - "reference_id": "accurics.kubernetes.IAM.48", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.49.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.49.json deleted file mode 100755 index 3c942a2cf..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.49.json +++ /dev/null 
@@ -1,16 +0,0 @@ -{ - "name": "containerReadOnlyRootFilesystemIsFalse", - "file": "containerReadOnlyRootFilesystemIsFalse.rego", - "template_args": { - "is_init": true, - "name": "containerReadOnlyRootFilesystemIsFalse", - "prefix": "", - "resource_type": "kubernetes_cron_job", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Container's root filesystem is not read-only", - "reference_id": "accurics.kubernetes.IAM.49", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.50.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.50.json deleted file mode 100755 index d54bf09d1..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.50.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "name": "containerReadOnlyRootFilesystemIsFalse", - "file": "containerReadOnlyRootFilesystemIsFalse.rego", - "template_args": { - "is_init": true, - "name": "containerReadOnlyRootFilesystemIsFalse", - "prefix": "", - "resource_type": "kubernetes_daemonset", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Container's root filesystem is not read-only", - "reference_id": "accurics.kubernetes.IAM.50", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.51.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.51.json deleted file mode 100755 index ac3b7f7b7..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.51.json +++ /dev/null 
@@ -1,16 +0,0 @@ -{ - "name": "containerReadOnlyRootFilesystemIsFalse", - "file": "containerReadOnlyRootFilesystemIsFalse.rego", - "template_args": { - "is_init": true, - "name": "containerReadOnlyRootFilesystemIsFalse", - "prefix": "", - "resource_type": "kubernetes_deployment", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Container's root filesystem is not read-only", - "reference_id": "accurics.kubernetes.IAM.51", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.52.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.52.json deleted file mode 100755 index e90a124d4..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.52.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "name": "containerReadOnlyRootFilesystemIsFalse", - "file": "containerReadOnlyRootFilesystemIsFalse.rego", - "template_args": { - "is_init": true, - "name": "containerReadOnlyRootFilesystemIsFalse", - "prefix": "", - "resource_type": "kubernetes_job", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Container's root filesystem is not read-only", - "reference_id": "accurics.kubernetes.IAM.52", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.53.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.53.json deleted file mode 100755 index fbdbb7988..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.53.json +++ /dev/null 
@@ -1,16 +0,0 @@ -{ - "name": "containerReadOnlyRootFilesystemIsFalse", - "file": "containerReadOnlyRootFilesystemIsFalse.rego", - "template_args": { - "is_init": true, - "name": "containerReadOnlyRootFilesystemIsFalse", - "prefix": "", - "resource_type": "kubernetes_pod", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Container's root filesystem is not read-only", - "reference_id": "accurics.kubernetes.IAM.53", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.54.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.54.json deleted file mode 100755 index 9feb98f30..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.54.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "name": "containerReadOnlyRootFilesystemIsFalse", - "file": "containerReadOnlyRootFilesystemIsFalse.rego", - "template_args": { - "is_init": true, - "name": "containerReadOnlyRootFilesystemIsFalse", - "prefix": "", - "resource_type": "kubernetes_replicaset", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Container's root filesystem is not read-only", - "reference_id": "accurics.kubernetes.IAM.54", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.55.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.55.json deleted file mode 100755 index 61cf69675..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.55.json +++ /dev/null 
@@ -1,16 +0,0 @@ -{ - "name": "containerReadOnlyRootFilesystemIsFalse", - "file": "containerReadOnlyRootFilesystemIsFalse.rego", - "template_args": { - "is_init": true, - "name": "containerReadOnlyRootFilesystemIsFalse", - "prefix": "", - "resource_type": "kubernetes_replication_controller", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Container's root filesystem is not read-only", - "reference_id": "accurics.kubernetes.IAM.55", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.56.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.56.json deleted file mode 100755 index c928b7d30..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/accurics.kubernetes.IAM.56.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "name": "containerReadOnlyRootFilesystemIsFalse", - "file": "containerReadOnlyRootFilesystemIsFalse.rego", - "template_args": { - "is_init": true, - "name": "containerReadOnlyRootFilesystemIsFalse", - "prefix": "", - "resource_type": "kubernetes_stateful_set", - "suffix": "" - }, - "severity": "MEDIUM", - "description": "Container's root filesystem is not read-only", - "reference_id": "accurics.kubernetes.IAM.56", - "category": "Identity and Access Management", - "version": 1 -} \ No newline at end of file diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/containerReadOnlyRootFilesystemIsFalse.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/containerReadOnlyRootFilesystemIsFalse.rego deleted file mode 100644 index 269b8538f..000000000 --- a/pkg/policies/opa/rego/k8s/kubernetes_pod/container_read_only_root_filesystem/containerReadOnlyRootFilesystemIsFalse.rego +++ /dev/null 
@@ -1,111 +0,0 @@
-package accurics
-
-{{- if eq .is_init true }}
-
-{{.prefix}}{{.name}}{{.suffix}}[api.id] {
- {{- template "initContainersSecurityContext" .}}
- initContainersSecurityContext.readOnlyRootFilesystem == false
-}
-
-{{.prefix}}{{.name}}{{.suffix}}[api.id] {
- {{- template "initContainersSecurityContextTF" .}}
- initContainersSecurityContextTF.read_only_root_filesystem == false
-}
-
-{{- else }}
-
-{{.prefix}}{{.name}}{{.suffix}}[api.id] {
- {{- template "containersSecurityContext" .}}
- containersSecurityContext.readOnlyRootFilesystem == false
-}
-
-{{.prefix}}{{.name}}{{.suffix}}[api.id] {
- {{- template "containersSecurityContextTF" .}}
- containersSecurityContextTF.read_only_root_filesystem == false
-}
-
-{{- end }}
-
-
-##################################
-### Template definitions below ###
-##################################
-{{- define "api" }}
- api = input.{{.resource_type}}[_]
-{{- end}}
-
-# resolves path to the spec key
-{{- define "spec" }}
- {{- template "api" . }}
- {{- if eq .resource_type "kubernetes_pod" }}
- spec = api.config.spec
- {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
- spec = api.config.spec
- {{- else if eq .resource_type "kubernetes_cron_job" }}
- spec = api.config.spec.jobTemplate.spec.template.spec
- {{- else }}
- spec = api.config.spec.template.spec
- {{- end }}
-{{- end }}
-
-# resolves path to the spec key for terraform-defined k8s resources
-{{- define "specTF" }}
- {{- template "api" . }}
- {{- if eq .resource_type "kubernetes_pod" }}
- specTF = api.config.spec
- {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
- specTF = api.config.spec
- {{- else if eq .resource_type "kubernetes_cron_job" }}
- specTF = api.config.spec.job_template.spec.template.spec
- {{- else }}
- specTF = api.config.spec.template.spec
- {{- end }}
-{{- end }}
-
-# resolves path to the containers list
-{{- define "containers" }}
- {{- template "spec" . }}
- containers = spec.containers[_]
-{{- end }}
-
-# resolves path to the containers' security context
-{{- define "containersSecurityContext" }}
- {{- template "containers" . }}
- containersSecurityContext = containers.securityContext
-{{- end }}
-
-# resolves path to the containers list for terraform-defined k8s resources
-{{- define "containersTF" }}
- {{- template "specTF" . }}
- containersTF = specTF.containers[_]
-{{- end }}
-
-# resolves path to the containers' security context for terraform-defined k8s resources
-{{- define "containersSecurityContextTF" }}
- {{- template "containersTF" . }}
- containersSecurityContextTF = containersTF.security_context
-{{- end }}
-
-# resolves path to the initContainers list
-{{- define "initContainers" }}
- {{- template "spec" . }}
- initContainers = spec.initContainers[_]
-{{- end }}
-
-# resolves path to the initContainers' security context
-{{- define "initContainersSecurityContext" }}
- {{- template "initContainers" . }}
- initContainersSecurityContext = initContainers.securityContext
-{{- end }}
-
-# resolves path to the initContainers list for terraform-defined k8s resources
-{{- define "initContainersTF" }}
- {{- template "specTF" . }}
- initContainersTF = specTF.init_containers[_]
-{{- end }}
-
-# resolves path to the initContainers' security context for terraform-defined k8s resources
-{{- define "initContainersSecurityContextTF" }}
- {{- template "initContainersTF" . }}
- initContainersSecurityContextTF = initContainersTF.security_context
-{{- end }}

From fe0c7246b71065ac4dcf01e5eea8e5f64e437268 Mon Sep 17 00:00:00 2001
From: Willie Sana
Date: Thu, 14 Jan 2021 17:54:09 -0800
Subject: [PATCH 3/4] add check for privileged containers (rule 106)

---
 .../k8s/kubernetes_pod/AC-K8-IA-PO-H-0106.json | 14 ++++++++++++++
 .../priviledgedContainersEnabled.rego | 11 +++++++++++
 2 files changed, 25 insertions(+)
 create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0106.json
 create mode 100755 pkg/policies/opa/rego/k8s/kubernetes_pod/priviledgedContainersEnabled.rego

diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0106.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0106.json
new file mode 100755
index 000000000..d07858d49
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0106.json
@@ -0,0 +1,14 @@
+{
+ "name": "priviledgedContainersEnabled",
+ "file": "priviledgedContainersEnabled.rego",
+ "template_args": {
+ "name": "priviledgedContainersEnabled",
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "AC-K8-IA-PO-H-0106",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/priviledgedContainersEnabled.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/priviledgedContainersEnabled.rego
new file mode 100755
index 000000000..148651ed3
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/priviledgedContainersEnabled.rego
@@ -0,0 +1,11 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod[_]
+ pod.config.spec.privileged == true
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
+ pod := input.kubernetes_pod_security_policy[_]
+ pod.config.spec.privileged == true
+}
\ No newline at end of file

From 66bdd4f0c6b3a55a61e83542118342c81a9a9eb5 Mon Sep 17 00:00:00 2001
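Review bot: The first rule's condition `pod.config.spec.privileged == true` on the `input.kubernetes_pod` branch does not read the field where a Pod actually declares privilege: on a Pod, `privileged` is a per-container field under `spec.containers[].securityContext` (and `spec.initContainers[].securityContext`), not a key of `spec` itself, so this branch would not fire for a privileged Pod and the check silently passes. Only the second rule, over `kubernetes_pod_security_policy`, reads a spec-level `privileged` field that exists on that resource. The `containerReadOnlyRootFilesystemIsFalse.rego` template removed earlier in this series resolved the path as `spec.containers[_]` followed by `.securityContext`, and the same walk belongs here, e.g. `pod.config.spec.containers[_].securityContext.privileged == true` for the Pod rule, with a sibling rule for `initContainers`; the removed template also parameterised `resource_type` so workload kinds beyond `kubernetes_pod` were covered, which this file appears to drop. Separately, the rule name and file name carry the misspelling `priviledged`; if it is corrected it must change consistently in the `name`, `file` and `template_args.name` fields of AC-K8-IA-PO-H-0106.json.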
From: Cesar Rodriguez
Date: Thu, 14 Jan 2021 21:06:49 -0500
Subject: [PATCH 4/4] docs updates for policies

---
 docs/policies/k8s.md | 111 +++++++++++++++++++++----------------------
 1 file changed, 55 insertions(+), 56 deletions(-)

diff --git a/docs/policies/k8s.md b/docs/policies/k8s.md
index 3ab350e03..9b9b1298b 100644
--- a/docs/policies/k8s.md
+++ b/docs/policies/k8s.md
@@ -1,23 +1,54 @@ +### kubernetes_service +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Security | json | MEDIUM | Restrict the use of externalIPs | AC-K8-NS-SE-M-0188 | +| Network Security | json | MEDIUM | Ensure that the Tiller Service (Helm v2) is deleted | AC-K8-NS-SE-M-0185 | +| Network Security | json | LOW | Nodeport service can expose the worker nodes as they have public interface | AC-K8-NS-SV-L-0132 | +| Network Security | json | MEDIUM | Vulnerable to CVE-2020-8554 | AC-K8-NS-SE-M-0188 | + + +### kubernetes_ingress +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Security | json | HIGH | TLS disabled can affect the confidentiality of the data in transit | AC-K8-NS-IN-H-0020 | + + ### kubernetes_pod | Category | Resource | Severity | Description | Reference ID | | -------- | -------- | -------- | ----------- | ------------ | -| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.15 | -| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.1 | -| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.14 | -| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.6 | -| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.13 | -| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.12 | -| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.7 | -| 
Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.4 | -| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.11 | -| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.8 | -| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.9 | -| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.10 | -| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.5 | -| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.2 | -| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.3 | -| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.16 | +| Network Security | json | MEDIUM | Containers Should Not Share the Host Network Namespace | AC-K8-NS-PO-M-0164 | +| Network Security | json | MEDIUM | Image without digest affects the integrity principle of image security | AC-K8-NS-PO-M-0133 | +| Identity and Access Management | json | HIGH | Minimize Admission of Root Containers | AC-K8-IA-PO-H-0168 | +| Operational Efficiency | json | Medium | CPU Request Not Set in config file. | AC-K8-OE-PK-M-0155 | +| Operational Efficiency | json | MEDIUM | Default Namespace Should Not be Used | AC-K8-OE-PO-M-0166 | +| Network Security | json | HIGH | Do Not Use CAP_SYS_ADMIN Linux Capability | AC-K8-NS-PO-H-0170 | +| Operational Efficiency | json | Medium | Memory Limits Not Set in config file. 
| AC-K8-OE-PK-M-0158 | +| Data Security | json | MEDIUM | Ensure That Tiller (Helm V2) Is Not Deployed | AC-K8-DS-PO-M-0177 | +| Operational Efficiency | json | LOW | No readiness probe will affect automatic recovery in case of unexpected errors | AC-K8-OE-PO-L-0130 | +| Identity and Access Management | json | MEDIUM | Default seccomp profile not enabled will make the container to make non-essential system calls | AC-K8-IA-PO-M-0141 | +| Identity and Access Management | json | MEDIUM | Container images with readOnlyRootFileSystem set as false mounts the container root file system with write permissions | AC-K8-IA-PO-M-0140 | +| Network Security | json | HIGH | Prefer using secrets as files over secrets as environment variables | AC-K8-NS-PO-H-0117 | +| Network Security | json | MEDIUM | Containers Should Not Share Host IPC Namespace | AC-K8-NS-PO-M-0163 | +| Network Security | json | MEDIUM | Apply Security Context to Your Pods and Containers | AC-K8-NS-PO-M-0122 | +| Data Security | json | MEDIUM | Ensure Kubernetes Dashboard Is Not Deployed | AC-K8-DS-PO-M-0176 | +| Identity and Access Management | json | HIGH | Allowing hostPaths to mount to Pod arise the probability of getting access to the node's filesystem | AC-K8-IA-PO-H-0138 | +| Identity and Access Management | json | MEDIUM | Some volume types mount the host file system paths to the pod or container, thus increasing the chance of escaping the container to access the host | AC-K8-IA-PO-M-0143 | +| Identity and Access Management | json | HIGH | Allowing the pod to make system level calls provide access to host/node sensitive information | AC-K8-IA-PO-H-0137 | +| Operational Efficiency | json | MEDIUM | AlwaysPullImages plugin is not set | AC-K8-OE-PK-M-0034 | +| Identity and Access Management | json | MEDIUM | Unmasking the procMount will allow more information than is necessary to the program running in the containers spawned by k8s | AC-K8-IA-PO-M-0139 | +| Identity and Access Management | json | MEDIUM | 
AppArmor profile not set to default or custom profile will make the container vulnerable to kernel level threats | AC-K8-IA-PO-M-0135 | +| Identity and Access Management | json | MEDIUM | Containers Should Not Share Host Process ID Namespace | AC-K8-IA-PO-M-0162 | +| Network Security | json | MEDIUM | Containers Should Run as a High UID to Avoid Host Conflict | AC-K8-NS-PO-M-0182 | +| Identity and Access Management | json | MEDIUM | Minimize the admission of containers with the NET_RAW capability | AC-K8-IA-PS-M-0112 | +| Operational Efficiency | json | LOW | No liveness probe will ensure there is no recovery in case of unexpected errors | AC-K8-OE-PO-L-0129 | +| Operational Efficiency | json | LOW | No tag or container image with :Latest tag makes difficult to rollback and track | AC-K8-OE-PO-L-0134 | +| Operational Efficiency | json | Medium | Memory Request Not Set in config file. | AC-K8-OE-PK-M-0157 | +| Cloud Assets Management | json | HIGH | Containers Should Not Run with AllowPrivilegeEscalation | AC-K8-CA-PO-H-0165 | +| Identity and Access Management | json | HIGH | Minimize the admission of privileged containers | AC-K8-IA-PO-H-0106 | +| Operational Efficiency | json | Medium | CPU Limits Not Set in config file. | AC-K8-OE-PK-M-0156 | +| Network Security | json | MEDIUM | Restrict Mounting Docker Socket in a Container | AC-K8-NS-PO-M-0171 | +| Identity and Access Management | json | MEDIUM | Ensure that Service Account Tokens are only mounted where necessary | AC-K8-IA-PO-M-0105 | | Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.120 | | Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.116 | | Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.117 | 
@@ -34,30 +65,7 @@ | Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.114 | | Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.115 | | Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.119 | -| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.54 | -| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.42 | -| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.43 | -| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.55 | -| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.48 | -| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.52 | -| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.44 | -| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.45 | -| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.53 | -| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.49 | -| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.46 | -| Identity and Access Management | kubernetes | MEDIUM | Container's root 
filesystem is not read-only | accurics.kubernetes.IAM.50 |
-| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.51 |
-| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.47 |
-| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.56 |
-| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.41 |
-| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host IPC namespace | accurics.kubernetes.IAM.19 |
-| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host IPC namespace | accurics.kubernetes.IAM.23 |
-| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host IPC namespace | accurics.kubernetes.IAM.22 |
-| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host IPC namespace | accurics.kubernetes.IAM.18 |
-| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host IPC namespace | accurics.kubernetes.IAM.24 |
-| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host IPC namespace | accurics.kubernetes.IAM.17 |
-| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host IPC namespace | accurics.kubernetes.IAM.21 |
-| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host IPC namespace | accurics.kubernetes.IAM.20 |
+| Data Security | json | MEDIUM | Vulnerable to CVE-2020-8555 (affected version of kube-controller-manager: v1.18.0, v1.17.0 - v1.17.4, v1.16.0 - v1.16.8,< v1.15.11 | AC-K8-DS-PO-M-0143 |
 | Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.64 |
 | Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.72 |
 | Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.68 |
@@ -74,14 +82,6 @@
 | Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.66 |
 | Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.67 |
 | Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.71 |
-| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host process ID namespace | accurics.kubernetes.IAM.39 |
-| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host process ID namespace | accurics.kubernetes.IAM.35 |
-| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host process ID namespace | accurics.kubernetes.IAM.34 |
-| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host process ID namespace | accurics.kubernetes.IAM.38 |
-| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host process ID namespace | accurics.kubernetes.IAM.33 |
-| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host process ID namespace | accurics.kubernetes.IAM.40 |
-| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host process ID namespace | accurics.kubernetes.IAM.37 |
-| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host process ID namespace | accurics.kubernetes.IAM.36 |
 | Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.81 |
 | Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.78 |
 | Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.74 |
@@ -98,14 +98,12 @@
 | Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.76 |
 | Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.77 |
 | Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.82 |
-| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host network namespace | accurics.kubernetes.IAM.25 |
-| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host network namespace | accurics.kubernetes.IAM.29 |
-| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host network namespace | accurics.kubernetes.IAM.28 |
-| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host network namespace | accurics.kubernetes.IAM.32 |
-| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host network namespace | accurics.kubernetes.IAM.27 |
-| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host network namespace | accurics.kubernetes.IAM.31 |
-| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host network namespace | accurics.kubernetes.IAM.30 |
-| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host network namespace | accurics.kubernetes.IAM.26 |
+
+
+### kubernetes_role
+| Category | Resource | Severity | Description | Reference ID |
+| -------- | -------- | -------- | ----------- | ------------ |
+| Identity and Access Management | json | HIGH | Ensure that default service accounts are not actively used | AC-K8-IA-RO-H-0104 |
 ### kubernetes_namespace
@@ -114,5 +112,6 @@
 | Operational Efficiency | kubernetes | LOW | The default namespace should not be used | accurics.kubernetes.OPS.462 |
 | Operational Efficiency | kubernetes | LOW | The default namespace should not be used | accurics.kubernetes.OPS.460 |
 | Operational Efficiency | kubernetes | LOW | The default namespace should not be used | accurics.kubernetes.OPS.461 |
+| Operational Efficiency | json | LOW | No owner for namespace affects the operations | AC-K8-OE-NS-L-0128 |