Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(query): fixed searchKey and resource kind in pod_or_container_without_resource_quota k8s rule #5199

Merged
merged 2 commits into from
Apr 20, 2022
Merged

fix(query): fixed searchKey and resource kind in pod_or_container_without_resource_quota k8s rule #5199

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
8174836
fix(query): fixed searchKey and resource kind in pod_or_container_wit…
Churro Apr 15, 2022
26e0255
capitalization
Churro Apr 16, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion assets/queries/k8s/pod_or_container_without_resource_quota/metadata.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
"queryName": "Pod or Container Without ResourceQuota",
"severity": "LOW",
"category": "Insecure Configurations",
"descriptionText": "Pod or Container should have a ResourceQuota associated",
"descriptionText": "Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume",
"descriptionUrl": "https://kubernetes.io/docs/concepts/policy/resource-quotas/",
"platform": "Kubernetes",
"descriptionID": "86499ed5"
Expand Down
52 changes: 12 additions & 40 deletions assets/queries/k8s/pod_or_container_without_resource_quota/query.rego
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,61 +1,33 @@
package Cx

import data.generic.k8s as k8s_lib
import data.generic.common as common_lib
import data.generic.k8s as k8sLib

types := {"initContainers", "containers"}
listKinds := ["Pod", "Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "ReplicationController", "Job", "CronJob", "PersistentVolumeClaim"]

CxPolicy[result] {
document := input.document[i]
specInfo := k8s_lib.getSpecInfo(document)
k8sLib.checkKind(document.kind, listKinds)
metadata := document.metadata

pod_or_container(specInfo, document)
namespace := object.get(metadata, "namespace", "default")

namespace := document.metadata.namespace

count({ x | doc := input.document[x]; doc.kind == "ResourceQuota"; doc.metadata.namespace == namespace}) == 0

result := {
"documentId": document.id,
"issueType": "MissingAttribute",
"searchKey": sprintf("metadata.name={{%s}}.namespace", [metadata.name]),
"keyExpectedValue": sprintf("metadata.name={{%s}} has a 'ResourceQuota' associated", [metadata.name]),
"keyActualValue": sprintf("metadata.name={{%s}} does not have a 'ResourceQuota' associated", [metadata.name]),
"searchLine": common_lib.build_search_line(["metadata", "namespace"], [])
}
}

CxPolicy[result] {
document := input.document[i]
specInfo := k8s_lib.getSpecInfo(document)
metadata := document.metadata

pod_or_container(specInfo, document)

is_default(document)

count({ x | doc := input.document[x]; doc.kind == "ResourceQuota"; is_default(doc)}) == 0
resourceQuota := [doc | doc := input.document[_]; doc.kind == "ResourceQuota"; matchNamespace(doc, namespace)]
count(resourceQuota) == 0

result := {
"documentId": document.id,
"issueType": "MissingAttribute",
"searchKey": sprintf("metadata.name={{%s}}", [metadata.name]),
"keyExpectedValue": sprintf("metadata.name={{%s}} has a 'ResourceQuota' associated", [metadata.name]),
"keyActualValue": sprintf("metadata.name={{%s}} does not have a 'ResourceQuota' associated", [metadata.name]),
"searchLine": common_lib.build_search_line(["metadata"], [])
"keyExpectedValue": sprintf("metadata.name={{%s}} has a 'ResourceQuota' policy associated", [metadata.name]),
"keyActualValue": sprintf("metadata.name={{%s}} does not have a 'ResourceQuota' policy associated", [metadata.name]),
"searchLine": common_lib.build_search_line(["metadata", "namespace"], [])
}
}

is_default(document) {
document.metadata.namespace == "default"
matchNamespace(document, namespace) {
document.metadata.namespace == namespace
} else {
namespace == "default"
not common_lib.valid_key(document.metadata, "namespace")
}

pod_or_container(specInfo, document) {
specInfo.spec[types[x]]
document.kind != "Pod"
} else {
document.kind == "Pod"
}
12 changes: 12 additions & 0 deletions assets/queries/k8s/pod_or_container_without_resource_quota/test/positive4.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: webcontent
namespace: k8s-test9
annotations:
volume.alpha.kubernetes.io/storage-class: default
spec:
accessModes: [ReadWriteOnce]
resources:
requests:
storage: 5Gi
6 changes: 6 additions & 0 deletions ...ts/queries/k8s/pod_or_container_without_resource_quota/test/positive_expected_result.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,5 +16,11 @@
"severity": "LOW",
"line": 5,
"fileName": "positive3.yaml"
},
{
"queryName": "Pod or Container Without ResourceQuota",
"severity": "LOW",
"line": 5,
"fileName": "positive4.yaml"
}
]