
Merge pull request #471 from kubescape/C-0012-hot-fix
add check for env values for wl
YiscahLevySilas1 authored Jul 20, 2023
2 parents b693905 + c2aef7b commit 2d9670d
Showing 5 changed files with 158 additions and 5 deletions.
95 changes: 92 additions & 3 deletions rules/rule-credentials-in-env-var/raw.rego
Expand Up @@ -9,7 +9,7 @@
container := pod.spec.containers[i]
env := container.env[j]

contains(lower(env.name), key_name)
contains(lower(env.name), lower(key_name))
env.value != ""
# check that value wasn't allowed by user
not is_allowed_value(env.value)
Expand Down Expand Up @@ -41,7 +41,7 @@
container := wl.spec.template.spec.containers[i]
env := container.env[j]

contains(lower(env.name), key_name)
contains(lower(env.name), lower(key_name))
env.value != ""
# check that value wasn't allowed by user
not is_allowed_value(env.value)
Expand Down Expand Up @@ -71,7 +71,7 @@
container := wl.spec.jobTemplate.spec.template.spec.containers[i]
env := container.env[j]

contains(lower(env.name), key_name)
contains(lower(env.name), lower(key_name))

env.value != ""
# check that value wasn't allowed by user
Expand All @@ -93,6 +93,95 @@
}
}

# check sensitive values
deny[msga] {
pod := input[_]
pod.kind == "Pod"
# see default-config-inputs.json for list values
sensitive_values := data.postureControlInputs.sensitiveValues
value := sensitive_values[_]
container := pod.spec.containers[i]
env := container.env[j]

# check that value wasn't allowed by user
not is_allowed_value(env.value)
contains(lower(env.value), lower(value))

is_not_reference(env)

path := sprintf("spec.containers[%v].env[%v].name", [format_int(i, 10), format_int(j, 10)])

msga := {
"alertMessage": sprintf("Pod: %v has sensitive information in environment variables", [pod.metadata.name]),
"alertScore": 9,
"fixPaths": [],
"failedPaths": [path],
"packagename": "armo_builtins",
"alertObject": {
"k8sApiObjects": [pod]
}
}
}

deny[msga] {
wl := input[_]
spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
spec_template_spec_patterns[wl.kind]

# see default-config-inputs.json for list values
sensitive_values := data.postureControlInputs.sensitiveValues
value := sensitive_values[_]
container := wl.spec.template.spec.containers[i]
env := container.env[j]

not is_allowed_value(env.value)
contains(lower(env.value), lower(value))
# check that value wasn't allowed by user

is_not_reference(env)

path := sprintf("spec.template.spec.containers[%v].env[%v].name", [format_int(i, 10), format_int(j, 10)])

msga := {
"alertMessage": sprintf("%v: %v has sensitive information in environment variables", [wl.kind, wl.metadata.name]),
"alertScore": 9,
"fixPaths": [],
"failedPaths": [path],
"packagename": "armo_builtins",
"alertObject": {
"k8sApiObjects": [wl]
}
}
}

deny[msga] {
wl := input[_]
wl.kind == "CronJob"
# see default-config-inputs.json for list values
sensitive_values := data.postureControlInputs.sensitiveValues
value := sensitive_values[_]
container := wl.spec.jobTemplate.spec.template.spec.containers[i]
env := container.env[j]

# check that value wasn't allowed by user
not is_allowed_value(env.value)
contains(lower(env.value), lower(value))

is_not_reference(env)

path := sprintf("spec.jobTemplate.spec.template.spec.containers[%v].env[%v].name", [format_int(i, 10), format_int(j, 10)])

msga := {
"alertMessage": sprintf("Cronjob: %v has sensitive information in environment variables", [wl.metadata.name]),
"alertScore": 9,
"fixPaths": [],
"failedPaths": [path],
"packagename": "armo_builtins",
"alertObject": {
"k8sApiObjects": [wl]
}
}
}


is_not_reference(env)
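Review bot: In the second new `deny` rule (the Deployment/ReplicaSet/DaemonSet/StatefulSet/Job one) the comment `# check that value wasn't allowed by user` is placed after the `not is_allowed_value(env.value)` and `contains(...)` lines it describes, whereas the Pod and CronJob rules put it before the check; move it above `not is_allowed_value(env.value)` so the three rules read identically. The three rules otherwise repeat the same sensitive-value body, and the `lower(key_name)` correction applied in the three earlier hunks of this file shows how such copies drift, so the shared condition is better kept in one helper that each rule calls. The test `contains(lower(env.value), lower(value))` is a case-insensitive substring match, so any literal value that merely contains a configured token is reported; since the `sensitiveValues` list is not in this commit, a comment on the rule stating this matching semantics (and that the alert deliberately reports the variable's `.name` path rather than its value) would help reviewers of the default list. `is_allowed_value` and `is_not_reference` are defined outside the hunk.
```rego
# true when env carries a literal value that contains one of the configured
# sensitive values (case-insensitive substring) and the user has not allow-listed it
has_sensitive_value(env) {
	# see default-config-inputs.json for list values
	value := data.postureControlInputs.sensitiveValues[_]
	not is_allowed_value(env.value)
	contains(lower(env.value), lower(value))
	is_not_reference(env)
}

# check sensitive values
deny[msga] {
	pod := input[_]
	pod.kind == "Pod"
	container := pod.spec.containers[i]
	env := container.env[j]
	has_sensitive_value(env)
	# … unchanged: path and msga construction …
}
# … unchanged: the workload and CronJob rules, each calling has_sensitive_value(env) …
```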
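--- a/rules/rule-credentials-in-env-var/test/deployment/expected.json
+++ b/rules/rule-credentials-in-env-var/test/deployment/expected.json
@@ -0,0 +1,26 @@
+[
+{
+"alertMessage": "Deployment: test2 has sensitive information in environment variables",
+"failedPaths": [
+"spec.template.spec.containers[1].env[1].name"
+],
+"fixPaths": [],
+"ruleStatus": "",
+"packagename": "armo_builtins",
+"alertScore": 9,
+"alertObject": {
+"k8sApiObjects": [
+{
+"apiVersion": "apps/v1",
+"kind": "Deployment",
+"metadata": {
+"labels": {
+"app": "audit-pod"
+},
+"name": "test2"
+}
+}
+]
+}
+}
+]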
@@ -0,0 +1,36 @@
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: default
name: test2
labels:
app: audit-pod
spec:
replicas: 3
selector:
matchLabels:
app: audit-pod
template:
metadata:
labels:
app: audit-pod
spec :
containers :
-
name : test-container
env :
-
name : random
value : "Hello from the environment"
image : hashicorp/http-echo:0.2.3
securityContext :
allowPrivilegeEscalation : true
-
name : test-container2
env :
-
name : bla
value : "Hello from the environment"
- name : some-name
value : JWT
image : hashicorp/http-echo:0.2.3
2 changes: 1 addition & 1 deletion rules/rule-credentials-in-env-var/test/pod/expected.json
Expand Up @@ -2,7 +2,7 @@
{
"alertMessage": "Pod: audit-pod has sensitive information in environment variables",
"failedPaths": [
"spec.containers[0].env[0].name"
"spec.containers[0].env[1].name"
],
"fixPaths": [],
"ruleStatus": "",
4 changes: 3 additions & 1 deletion rules/rule-credentials-in-env-var/test/pod/input/pod.yaml
Expand Up @@ -8,8 +8,10 @@ spec:
containers:
- name: test-container
env :
- name : azure_batch_key
- name : random
value : "Hello from the environment"
- name: some-name
value: my_key_value
image: hashicorp/http-echo:0.2.3
securityContext:
allowPrivilegeEscalation: true
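Review bot: The new `some-name` entry with `value: my_key_value` is the one the updated pod expected.json now points at (`env[1]`), but the fixture does not say which entry of the default `sensitiveValues` list it is meant to match, and that list is not part of this commit; a comment such as `# value must contain a token from sensitiveValues in default-config-inputs.json` next to the entry would make the test self-explanatory. The first entry presumably was renamed from `azure_batch_key` to `random` so the key-name check no longer fires and only the new value check is exercised; a one-line comment stating that intent would keep a future edit from reintroducing the overlap. No negative case (an allow-listed value or a `valueFrom` reference) is covered by this fixture.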
