feat: add DeploymentConfig support

Signed-off-by: szubersk <[email protected]>

checks/kubernetes/advanced/default_namespace_should_not_be_used.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/advanced/optional/capabilities_no_drop_at_least_one.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/advanced/optional/manages_etc_hosts.rego

@@ -18,6 +18,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/advanced/optional/uses_untrusted_azure_registry.rego

@@ -18,6 +18,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/advanced/optional/uses_untrusted_ecr_registry.rego

@@ -18,6 +18,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/advanced/optional/uses_untrusted_gcr_registry.rego

@@ -18,6 +18,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/advanced/optional/uses_untrusted_public_registries.rego

@@ -18,6 +18,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/general/CPU_not_limited.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/general/CPU_requests_not_specified.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/general/SYS_ADMIN_capability.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/general/SYS_MODULE_capability.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/general/capabilities_no_drop_all.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/general/default_security_context.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/general/file_system_not_read_only.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/general/memory_not_limited.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/general/memory_requests_not_specified.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/general/mounts_docker_socket.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/general/net_raw_capability.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/general/runs_with_GID_le_10000.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/general/runs_with_UID_le_10000.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/general/runs_with_a_root_primary_or_supplementary_GID.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/general/uses_image_tag_latest.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/pss/baseline/10_windows_host_process.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/pss/baseline/11_seccomp_profile_unconfined.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/pss/baseline/12_privileged_ports_binding.rego

@@ -21,6 +21,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/pss/baseline/1_host_ipc.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/pss/baseline/1_host_network.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/pss/baseline/1_host_pid.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/pss/baseline/2_privileged.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/pss/baseline/3_specific_capabilities_added.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/pss/baseline/5_access_to_host_ports.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/pss/baseline/7_selinux_custom_options_set.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/pss/restricted/1_non_core_volume_types.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/pss/restricted/3_runs_as_root.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

checks/kubernetes/pss/restricted/7_Kubernetes_resource_with_disallowed_volumes_mounted.rego

@@ -20,6 +20,7 @@
 #         - kind: replicaset
 #         - kind: replicationcontroller
 #         - kind: deployment
+#         - kind: deploymentconfig
 #         - kind: statefulset
 #         - kind: daemonset
 #         - kind: cronjob

lib/kubernetes/kubernetes.rego

@@ -51,10 +51,17 @@ is_cronjob {
 
 default is_controller = false
 
+api_version = object.apiVersion
+
 is_controller {
 	kind = "Deployment"
 }
 
+is_controller {
+	api_version = "apps.openshift.io/v1"
+	kind = "DeploymentConfig"
+}
+
 is_controller {
 	kind = "StatefulSet"
 }

lib/kubernetes/kubernetes_test.rego

@@ -64,6 +64,42 @@ test_deployment {
 	test_pods[_].spec.containers[_].name == "hello-deployment"
 }
 
+test_deploymentconfig {
+	# spec -> template
+	mock = {
+		"apiVersion": "apps.openshift.io/v1",
+		"kind": "DeploymentConfig",
+		"metadata": {"name": "hello"},
+		"spec": {"template": {"spec": {
+			"containers": [{
+				"command": [
+					"sh",
+					"-c",
+					"echo 'Hello !' && sleep 1h",
+				],
+				"image": "busybox",
+				"name": "hello-deploymentconfig-1",
+			}],
+			"volumes": [
+				{
+					"name": "hello-volume-1",
+					"emptyDir": {},
+				},
+				{
+					"name": "hello-volume-2",
+					"emptyDir": {},
+				},
+			],
+		}}},
+	}
+
+	test_containers := containers with input as mock
+	test_volumes := volumes with input as mock
+
+	test_containers[_].name == "hello-deploymentconfig-1"
+	test_volumes[_].name == "hello-volume-2"
+}
+
 test_stateful_set {
 	# spec -> template
 	test_pods := pods with input as {