anonymous auth disabled by default

Signed-off-by: YiscahLevySilas1 <[email protected]>

rules/anonymous-requests-to-kubelet-updated/raw.rego

@@ -22,25 +22,6 @@ deny[msga] {
 	}
 }
 
-deny[msga] {
-	obj := input[_]
-	is_kubelet_info(obj)
-	command := obj.data.cmdLine
-
-	not contains(command, "--anonymous-auth")
-	not contains(command, "--config")
-
-	external_obj := json.filter(obj, ["apiVersion", "data/cmdLine", "kind", "metadata"])
-
-	msga := {
-		"alertMessage": "Anonymous requests is enabled.",
-		"alertScore": 7,
-		"failedPaths": [],
-		"fixPaths": [],
-		"packagename": "armo_builtins",
-		"alertObject": {"externalObjects": external_obj},
-	}
-}
 
 deny[msga] {
 	obj := input[_]
@@ -52,7 +33,7 @@ deny[msga] {
 
 	decodedConfigContent := base64.decode(obj.data.configFile.content)
 	yamlConfig := yaml.unmarshal(decodedConfigContent)
-	not yamlConfig.authentication.anonymous.enabled == false
+	yamlConfig.authentication.anonymous.enabled == true
 
 	msga := {
 		"alertMessage": "Anonymous requests is enabled.",

rules/anonymous-requests-to-kubelet-updated/test/invalid-config-no-value/expected.json

@@ -1,28 +1 @@
-[
-   {
-      "alertMessage": "Anonymous requests is enabled.",
-      "alertObject": {
-         "externalObjects": {
-            "apiVersion": "hostdata.kubescape.cloud/v1beta0",
-            "data": {
-               "configFile": {
-                  "content": "apiVersion: kubelet.config.k8s.io/v1beta1\nstreamingConnectionIdleTimeout: 0\neventRecordQPS: 0\nprotectKernelDefaults: false\nauthentication:\n  webhook:\n    cacheTTL: 0s\n    enabled: true\n  x509:\n    clientCAFile: /var/lib/minikube/certs/ca.crt\nauthorization:\n  mode: Webhook\n  webhook:\n    cacheAuthorizedTTL: 0s\n    cacheUnauthorizedTTL: 0s"
-               }
-            },
-            "kind": "KubeletInfo",
-            "metadata": {
-               "name": ""
-            }
-         }
-      },
-      "alertScore": 7,
-      "reviewPaths": [
-         "authentication.anonymous.enabled"
-     ],
-      "failedPaths": [
-          "authentication.anonymous.enabled"
-      ],
-      "fixPaths": [],
-      "packagename": "armo_builtins"
-   }
-]
+[]

rules/anonymous-requests-to-kubelet-updated/test/no-cli-params/expected.json

@@ -1,22 +1 @@
-[
-   {
-      "alertMessage": "Anonymous requests is enabled.",
-      "alertObject": {
-         "externalObjects": {
-            "apiVersion": "hostdata.kubescape.cloud/v1beta0",
-            "data": {
-               "cmdLine": "/var/lib/minikube/binaries/v1.23.1/kubelet  --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf"
-            },
-            "kind": "KubeletInfo",
-            "metadata": {
-               "name": ""
-            }
-         }
-      },
-      "alertScore": 7,
-      "failedPaths": [],
-      "fixPaths": [],
-      "ruleStatus": "",
-      "packagename": "armo_builtins"
-   }
-]
+[]

rules/anonymous-requests-to-kubelet-updated/test/valid-cli/input/kubelet-info.json

@@ -2,7 +2,7 @@
     "apiVersion": "hostdata.kubescape.cloud/v1beta0",
     "kind": "KubeletInfo",
     "data": {
-        "cmdLine": "/var/lib/minikube/binaries/v1.23.1/kubelet  --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --anonymous-auth=false --config=ss",
+        "cmdLine": "/var/lib/minikube/binaries/v1.23.1/kubelet  --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --config=ss",
         "configFile": {
             "content": "YXBpVmVyc2lvbjoga3ViZWxldC5jb25maWcuazhzLmlvL3YxYmV0YTEKc3RyZWFtaW5nQ29ubmVjdGlvbklkbGVUaW1lb3V0OiAwCmV2ZW50UmVjb3JkUVBTOiAwCnByb3RlY3RLZXJuZWxEZWZhdWx0czogZmFsc2UKYXV0aGVudGljYXRpb246CiAgYW5vbnltb3VzOgogICAgZW5hYmxlZDogZmFsc2UKICB3ZWJob29rOgogICAgY2FjaGVUVEw6IDBzCiAgICBlbmFibGVkOiB0cnVlCiAgeDUwOToKICAgIGNsaWVudENBRmlsZTogL3Zhci9saWIvbWluaWt1YmUvY2VydHMvY2EuY3J0CmF1dGhvcml6YXRpb246CiAgbW9kZTogV2ViaG9vawogIHdlYmhvb2s6CiAgICBjYWNoZUF1dGhvcml6ZWRUVEw6IDBzCiAgICBjYWNoZVVuYXV0aG9yaXplZFRUTDogMHM="
         }