From 6ab99f50fe0adb2101fd082cc11ab2050b6c64fb Mon Sep 17 00:00:00 2001
From: Johannes Feichtner
Date: Sun, 27 Feb 2022 23:36:59 +0100
Subject: [PATCH] fix(query): Extend container_is_privileged k8s rule to cover additional resource kinds
---
 .../k8s/container_is_privileged/metadata.json | 2 +-
 .../k8s/container_is_privileged/query.rego | 19 ++++++++++-------
 .../test/{positive.yaml => positive1.yaml} | 0
 .../test/positive2.yaml | 21 +++++++++++++++++++
 .../test/positive_expected_result.json | 12 +++++++++--
 5 files changed, 43 insertions(+), 11 deletions(-)
 rename assets/queries/k8s/container_is_privileged/test/{positive.yaml => positive1.yaml} (100%)
 create mode 100644 assets/queries/k8s/container_is_privileged/test/positive2.yaml
diff --git a/assets/queries/k8s/container_is_privileged/metadata.json b/assets/queries/k8s/container_is_privileged/metadata.json
index 80c0a15fe8b..cf76355b3b7 100644
--- a/assets/queries/k8s/container_is_privileged/metadata.json
+++ b/assets/queries/k8s/container_is_privileged/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Container Is Privileged",
 "severity": "HIGH",
 "category": "Insecure Configurations",
- "descriptionText": "Do not allow container to be privileged.",
+ "descriptionText": "Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/workloads/pods/#privileged-mode-for-containers",
 "platform": "Kubernetes",
 "descriptionID": "55f59030"
diff --git a/assets/queries/k8s/container_is_privileged/query.rego b/assets/queries/k8s/container_is_privileged/query.rego
index 720d54af124..da64317a568 100644
--- a/assets/queries/k8s/container_is_privileged/query.rego
+++ b/assets/queries/k8s/container_is_privileged/query.rego
@@ -1,20 +1,23 @@
 package Cx
 
+import data.generic.k8s as k8sLib
+
+types := {"initContainers", "containers"}
+
 CxPolicy[result] {
 document := input.document[i]
- spec := document.spec
- types := {"initContainers", "containers"}
- containers := spec[types[x]]
+ metadata := document.metadata
 
- containers[c].securityContext.privileged == true
+ specInfo := k8sLib.getSpecInfo(document)
+ container := specInfo.spec[types[x]][_]
 
- metadata := document.metadata
+ container.securityContext.privileged == true
 
 result := {
 "documentId": document.id,
- "searchKey": sprintf("metadata.name={{%s}}.spec.%s.name={{%s}}.securityContext.privileged", [metadata.name, types[x], containers[c].name]),
+ "searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.securityContext.privileged", [metadata.name, specInfo.path, types[x], container.name]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("spec.%s.name={{%s}}.securityContext.privileged is false", [types[x], containers[c].name]),
- "keyActualValue": sprintf("spec.%s.name={{%s}}.securityContext.privileged is true", [types[x], containers[c].name]),
+ "keyExpectedValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.securityContext.privileged is unset or false", [metadata.name, specInfo.path, types[x], container.name]),
+ "keyActualValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.securityContext.privileged is true", [metadata.name, specInfo.path, types[x], container.name]),
 }
 }
diff --git a/assets/queries/k8s/container_is_privileged/test/positive.yaml b/assets/queries/k8s/container_is_privileged/test/positive1.yaml
similarity index 100%
rename from assets/queries/k8s/container_is_privileged/test/positive.yaml
rename to assets/queries/k8s/container_is_privileged/test/positive1.yaml
diff --git a/assets/queries/k8s/container_is_privileged/test/positive2.yaml b/assets/queries/k8s/container_is_privileged/test/positive2.yaml
new file mode 100644
index 00000000000..b1ec34cfcf4
--- /dev/null
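Review bot: The rewritten rule body in query.rego carries no comment explaining why the lookup now goes through `k8sLib.getSpecInfo(document)` rather than `document.spec`, and the helper's definition lies outside this patch, so a reader of the hunk cannot tell which kinds gained coverage or what `specInfo.path` contributes to the searchKey. I would add above `specInfo := k8sLib.getSpecInfo(document)` a comment such as `# getSpecInfo resolves the effective pod spec and its path prefix for every kind the generic k8s lib handles (presumably Pod plus kinds that embed a pod template); specInfo.path keeps searchKey aligned with the nested location — confirm against data.generic.k8s`. Next to `container.securityContext.privileged == true` it is worth stating that an absent securityContext leaves the expression undefined, so the rule fires only on an explicit true, which is exactly the "is unset or false" contract the new keyExpectedValue text now promises.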
+++ b/assets/queries/k8s/container_is_privileged/test/positive2.yaml
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test-deployment
+ labels:
+ app: test
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: test
+ template:
+ metadata:
+ labels:
+ app: test
+ spec:
+ containers:
+ - name: pause
+ image: k8s.gcr.io/pause
+ securityContext:
+ privileged: true
diff --git a/assets/queries/k8s/container_is_privileged/test/positive_expected_result.json b/assets/queries/k8s/container_is_privileged/test/positive_expected_result.json
index bc968bfd6cb..82fa1663583 100644
--- a/assets/queries/k8s/container_is_privileged/test/positive_expected_result.json
+++ b/assets/queries/k8s/container_is_privileged/test/positive_expected_result.json
@@ -2,11 +2,19 @@
 {
 "queryName": "Container Is Privileged",
 "severity": "HIGH",
- "line": 10
+ "line": 10,
+ "fileName": "positive1.yaml"
 },
 {
 "queryName": "Container Is Privileged",
 "severity": "HIGH",
- "line": 23
+ "line": 23,
+ "fileName": "positive1.yaml"
+ },
+ {
+ "queryName": "Container Is Privileged",
+ "severity": "HIGH",
+ "line": 21,
+ "fileName": "positive2.yaml"
 }
 ]
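Review bot: The coverage added for kinds resolved through getSpecInfo is exercised only by a positive case; positive2.yaml is a Deployment whose container sets `privileged: true`, and the diffstat shows no negative fixture was touched, so a false positive introduced by the spec-path resolution (a template where the flag is absent or false) would go unnoticed. I would extend the negative fixture with a Deployment whose pod template sets `privileged: false` and another that omits securityContext altogether, pinning the "is unset or false" expectation that query.rego now states. The expected-result entries already carry a `fileName`, so the positive1/positive2 split is disambiguated; the negative side just needs the matching cases.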