fix(query): Revise list of unsafe sysctls in cluster_allows_unsafe_sysctls k8s rule

assets/queries/k8s/cluster_allows_unsafe_sysctls/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "Cluster Allows Unsafe Sysctls",
   "severity": "HIGH",
   "category": "Insecure Configurations",
-  "descriptionText": "A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.securityContext.sysctls' must not have an unsafe sysctls and that the atrribute 'allowedUnsafeSysctls' must be undefined.",
+  "descriptionText": "A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined.",
   "descriptionUrl": "https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/",
   "platform": "Kubernetes",
   "descriptionID": "6eb994bc"

assets/queries/k8s/cluster_allows_unsafe_sysctls/query.rego

@@ -1,5 +1,7 @@
 package Cx
 
+import data.generic.k8s as k8sLib
+
 CxPolicy[result] {
 	document := input.document[i]
 	document.kind == "PodSecurityPolicy"
@@ -11,33 +13,37 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": document.id,
-		"searchKey": sprintf("metadata.name=%s.spec", [metadata.name]),
+		"searchKey": sprintf("metadata.name={{%s}}.spec.allowedUnsafeSysctls", [metadata.name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("metadata.name=%s.spec.allowedUnsafeSysctls is undefined", [metadata.name]),
-		"keyActualValue": sprintf("metadata.name=%s.spec.allowedUnsafeSysctls is defined", [metadata.name]),
+		"keyExpectedValue": sprintf("metadata.name={{%s}}.spec.allowedUnsafeSysctls is undefined", [metadata.name]),
+		"keyActualValue": sprintf("metadata.name={{%s}}.spec.allowedUnsafeSysctls is defined", [metadata.name]),
 	}
 }
 
 CxPolicy[result] {
 	document := input.document[i]
-	document.kind == "Pod"
-	spec := document.spec
+	metadata := document.metadata
 
-	sysctl := spec.securityContext.sysctls[_].name
+	specInfo := k8sLib.getSpecInfo(document)
+	sysctl := specInfo.spec.securityContext.sysctls[_].name
 	check_unsafe(sysctl)
 
-	metadata := document.metadata
-
 	result := {
 		"documentId": document.id,
-		"searchKey": sprintf("metadata.name=%s.spec.securityContext.sysctls", [metadata.name]),
+		"searchKey": sprintf("metadata.name={{%s}}.%s.securityContext.sysctls.name={{%s}}", [metadata.name, specInfo.path, sysctl]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("metadata.name=%s.spec.securityContext.sysctls does not have an unsafe sysctl", [metadata.name]),
-		"keyActualValue": sprintf("metadata.name=%s.spec.securityContext.sysctls has an unsafe sysctl", [metadata.name]),
+		"keyExpectedValue": sprintf("metadata.name={{%s}}.%s.securityContext.sysctls.name={{%s}} is not used", [metadata.name, specInfo.path, sysctl]),
+		"keyActualValue": sprintf("metadata.name={{%s}}.%s.securityContext.sysctls.name={{%s}} is an unsafe sysctl", [metadata.name, specInfo.path, sysctl]),
 	}
 }
 
 check_unsafe(sysctl) {
-	safeSysctls = {"kernel.shm_rmid_forced", "net.ipv4.ip_local_port_range", "net.ipv4.tcp_syncookies", "net.ipv4.ping_group_range"}
+	safeSysctls := {
+		"kernel.shm_rmid_forced", "kernel/shm_rmid_forced",
+		"net.ipv4.ip_local_port_range", "net/ipv4/ip_local_port_range",
+		"net.ipv4.ip_unprivileged_port_start", "net/ipv4/ip_unprivileged_port_start",
+		"net.ipv4.tcp_syncookies", "net/ipv4/tcp_syncookies",
+		"net.ipv4.ping_group_range", "net/ipv4/tcp_syncookies",
+	}
 	not safeSysctls[sysctl]
 }

assets/queries/k8s/cluster_allows_unsafe_sysctls/test/negative2.yaml

@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-app-neg
+  labels:
+    app: test-app-neg
+spec:
+  selector:
+    matchLabels:
+      app: test-app-neg
+  template:
+    metadata:
+      labels:
+        app: test-app-neg
+    spec:
+      securityContext:
+        sysctls:
+        - name: kernel.shm_rmid_forced
+          value: "0"
+        - name: net/ipv4/tcp_syncookies
+          value: "1"
+      containers:
+      - name: test-ubuntu
+        image: ubuntu

assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive2.yaml

@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-app
+  labels:
+    app: test-app
+spec:
+  selector:
+    matchLabels:
+      app: test-app
+  template:
+    metadata:
+      labels:
+        app: test-app
+    spec:
+      securityContext:
+        sysctls:
+        - name: kernel.sem
+          value: "128 32768 128 4096"
+      containers:
+      - name: test-ubuntu
+        image: ubuntu

assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive_expected_result.json

@@ -2,11 +2,25 @@
 	{
 		"queryName": "Cluster Allows Unsafe Sysctls",
 		"severity": "HIGH",
-		"line": 8
+		"line": 11,
+		"fileName": "positive1.yaml"
 	},
 	{
 		"queryName": "Cluster Allows Unsafe Sysctls",
 		"severity": "HIGH",
-		"line": 23
+		"line": 13,
+		"fileName": "positive1.yaml"
+	},
+	{
+		"queryName": "Cluster Allows Unsafe Sysctls",
+		"severity": "HIGH",
+		"line": 24,
+		"fileName": "positive1.yaml"
+	},
+	{
+		"queryName": "Cluster Allows Unsafe Sysctls",
+		"severity": "HIGH",
+		"line": 18,
+		"fileName": "positive2.yaml"
 	}
 ]