fix(query): fixed issue containers_running_as_root #3412

assets/queries/k8s/containers_running_as_root/query.rego

@@ -2,24 +2,28 @@ package Cx
 
 import data.generic.k8s as k8sLib
 
+types := {"initContainers", "containers"}
+
+# if the node is Pod type
 CxPolicy[result] {
 	document := input.document[i]
 	document.kind == "Pod"
 
 	spec := document.spec
 
 	metadata := document.metadata
-	result := checkRootParent(spec, "spec", metadata, input.document[i].id)
+	result := checkRootParent(spec.securityContext, types[x], spec[types[x]][_],"spec", metadata,input.document[i].id)
 }
 
+# if the node is CronJob type
 CxPolicy[result] {
 	document := input.document[i]
 	document.kind == "CronJob"
 
 	spec := document.spec.jobTemplate.spec.template.spec
 
 	metadata := document.metadata
-	result := checkRootParent(spec, "spec.jobTemplate.spec.template.spec", metadata, input.document[i].id)
+	result := checkRootParent(spec.securityContext, types[x], spec[types[x]][_], "spec.jobTemplate.spec.template.spec", metadata,input.document[i].id)
 }
 
 CxPolicy[result] {
@@ -31,98 +35,122 @@ CxPolicy[result] {
 	spec := document.spec.template.spec
 
 	metadata := document.metadata
-	result := checkRootParent(spec, "spec.template.spec", metadata, input.document[i].id)
+	result := checkRootParent(spec.securityContext, types[x], spec[types[x]][_], "spec.template.spec", metadata,input.document[i].id)
 }
 
-checkRootParent(spec, path, metadata, id) = result {
-	nonRootParent := object.get(spec.securityContext, "runAsNonRoot", "undefined")
+#if pod runAsNonRoot==true and container runAsNonRoot==true (container not runs as root)
+#if pod runAsNonRoot==true and container runAsNonRoot==false 
+							#if	container runAsUser>0 (container not runs as root)
+							#if container runAsUser<=0 (container runs as root)
+checkRootParent(rootSecurityContext, containerType, container, path, metadata,id) = result {
+	nonRootParent := object.get(rootSecurityContext, "runAsNonRoot", "undefined")
 	is_boolean(nonRootParent)
 
 	nonRootParent == true
 
-	result := checkRootContainer(spec, path, metadata, id)
+	result := checkRootContainer(rootSecurityContext, containerType, container, path, metadata,id)
 }
 
-checkRootParent(spec, path, metadata, id) = result {
-	nonRootParent := object.get(spec.securityContext, "runAsNonRoot", "undefined")
+#if pod runAsNonRoot==false and pod runAsUser>0
+	#if container runAsUser>0
+		#if container runAsNonRoot==false (container runs as non root)
+		#if container runAsNonRoot==true (container runs as non root)
+	#if container runAsUser<=0
+		#if container runAsNonRoot==false (container runs as root)
+		#if container runAsNonRoot==true (container runs as root)
+checkRootParent(rootSecurityContext, containerType, container, path, metadata,id) = result {
+	nonRootParent := object.get(rootSecurityContext, "runAsNonRoot", "undefined")
 	is_boolean(nonRootParent)
 
 	nonRootParent == false
 
-	userParent := object.get(spec.securityContext, "runAsUser", "undefined")
+	userParent := object.get(rootSecurityContext, "runAsUser", "undefined")
 	is_number(userParent)
 
 	userParent > 0
 
-	result := checkUserContainer(spec, path, metadata, id)
+	result := checkUserContainer(rootSecurityContext, containerType, container, path, metadata,id)
 }
+#if pod runAsNonRoot==false and pod runAsUser<=0
+	#if container runAsUser>0
+		#if container runAsNonRoot==false (container runs as non root)
+		#if container runAsNonRoot==true (container runs as non root)
+	#if container runAsUser<=0
+		#if container runAsNonRoot==false (container runs as root)
+		#if container runAsNonRoot==true (container runs as non root)
+checkRootParent(rootSecurityContext, containerType, container, path, metadata,id) = result {
+	nonRootParent := object.get(rootSecurityContext, "runAsNonRoot", "undefined")
+	is_boolean(nonRootParent)
+
+	nonRootParent == false
+
+	userParent := object.get(rootSecurityContext, "runAsUser", "undefined")
+	is_number(userParent)
 
-checkRootParent(spec, path, metadata, id) = result {
-	object.get(spec.securityContext, "runAsNonRoot", "undefined") == "undefined"
-	object.get(spec.securityContext, "runAsUser", "undefined") == "undefined"
+	userParent <= 0
 
-	result := checkRootContainer(spec, path, metadata, id)
+	result := checkRootContainer(rootSecurityContext, containerType, container, path, metadata,id)
 }
 
-types := {"initContainers", "containers"}
 
-checkRootContainer(spec, path, metadata, id) = result {
-	some j
-	container := spec[types[x]][j]
+checkRootParent(rootSecurityContext, containerType, container, path, metadata,id) = result {
+	object.get(rootSecurityContext, "runAsNonRoot", "undefined") == "undefined"
+	object.get(rootSecurityContext, "runAsUser", "undefined") == "undefined"
+
+	result := checkRootContainer(rootSecurityContext, containerType, container, path, metadata,id)
+}
+
+checkRootContainer(rootSecurityContext, containerType, container, path, metadata,id) = result {
+
 	not container.securityContext.runAsNonRoot
 	uid := container.securityContext.runAsUser
 	to_number(uid) <= 0
 
 	result := {
 		"documentId": id,
-		"searchKey": sprintf("metadata.name={{%s}}.%s.%s.%s", [metadata.name, path, types[x], container.name]),
+		"searchKey": sprintf("metadata.name={{%s}}.%s.%s.%s", [metadata.name, path, containerType, container.name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("'%s.%s[%d].securityContext.runAsUser' is higher than 0 and/or 'runAsNonRoot' is true", [path, types[x], j]),
-		"keyActualValue": sprintf("'%s.%s[%d].securityContext.runAsUser' is 0 and 'runAsNonRoot' is not set to true", [path, types[x], j]),
+		"keyExpectedValue": sprintf("'%s.%s.securityContext.runAsUser' is higher than 0 and/or 'runAsNonRoot' is true", [path, containerType]),
+		"keyActualValue": sprintf("'%s.%s.securityContext.runAsUser' is 0 and 'runAsNonRoot' is not set to true", [path, containerType]),
 	}
 }
 
-checkRootContainer(spec, path, metadata, id) = result {
-	some j
-	container := spec[types[x]][j]
+checkRootContainer(rootSecurityContext, containerType, container, path, metadata,id) = result {
+
 	not container.securityContext.runAsNonRoot
 	object.get(container.securityContext, "runAsUser", "undefined") == "undefined"
 
 	result := {
 		"documentId": id,
-		"searchKey": sprintf("metadata.name={{%s}}.%s.%s.{{%s}}.securityContext", [metadata.name, path, types[x], container.name]),
+		"searchKey": sprintf("metadata.name={{%s}}.%s.%s.{{%s}}.securityContext", [metadata.name, path, containerType, container.name]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("'%s.%s[%d].securityContext.runAsUser' is defined", [path, types[x], j]),
-		"keyActualValue": sprintf("'%s.%s[%d].securityContext.runAsUser' is undefined", [path, types[x], j]),
+		"keyExpectedValue": sprintf("'%s.%s.securityContext.runAsUser' is defined", [path, containerType]),
+		"keyActualValue": sprintf("'%s.%s.securityContext.runAsUser' is undefined", [path, containerType]),
 	}
 }
 
-checkUserContainer(spec, path, metadata, id) = result {
-	some j
-	container := spec[types[x]][j]
+checkUserContainer(rootSecurityContext, containerType, container, path, metadata,id) = result {
 	uid := container.securityContext.runAsUser
 	to_number(uid) <= 0
 
 	result := {
 		"documentId": id,
-		"searchKey": sprintf("metadata.name={{%s}}.%s.%s.%s", [metadata.name, path, types[x], container.name]),
+		"searchKey": sprintf("metadata.name={{%s}}.%s.%s.%s", [metadata.name, path, containerType, container.name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("'%s.%s[%d].securityContext.runAsUser' is higher than 0 and/or 'runAsNonRoot' is true", [path, types[x], j]),
-		"keyActualValue": sprintf("'%s.%s[%d].securityContext.runAsUser' is 0 and 'runAsNonRoot' is not set to true", [path, types[x], j]),
+		"keyExpectedValue": sprintf("'%s.%s.securityContext.runAsUser' is higher than 0 and/or 'runAsNonRoot' is true", [path, containerType]),
+		"keyActualValue": sprintf("'%s.%s.securityContext.runAsUser' is 0 and 'runAsNonRoot' is not set to true", [path, containerType]),
 	}
 }
 
-checkUserContainer(spec, path, metadata, id) = result {
-	some j
-	container := spec[types[x]][j]
+checkUserContainer(rootSecurityContext, containerType, container, path, metadata,id) = result {
 	not container.securityContext.runAsNonRoot
 	object.get(container.securityContext, "runAsUser", "undefined") == "undefined"
 
 	result := {
 		"documentId": id,
-		"searchKey": sprintf("metadata.name={{%s}}.%s.%s.{{%s}}.securityContext", [metadata.name, path, types[x], container.name]),
+		"searchKey": sprintf("metadata.name={{%s}}.%s.%s.{{%s}}.securityContext", [metadata.name, path, containerType, container.name]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("'%s.%s[%d].securityContext.runAsUser' is defined", [path, types[x], j]),
-		"keyActualValue": sprintf("'%s.%s[%d].securityContext.runAsUser' is undefined", [path, types[x], j]),
+		"keyExpectedValue": sprintf("'%s.%s.securityContext.runAsUser' is defined", [path, containerType]),
+		"keyActualValue": sprintf("'%s.%s.securityContext.runAsUser' is undefined", [path, containerType]),
 	}
-}
+}