changes following review

Signed-off-by: YiscahLevySilas1 <[email protected]>

rules/exposure-to-internet/raw.rego

@@ -4,10 +4,10 @@ package armo_builtins
 deny[msga] {
     service := input[_]
     service.kind == "Service"
-    is_unsafe_service(service)
+    is_exposed_service(service)
 
     wl := input[_]
-    spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Pod", "Job"}
+    spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Pod", "Job", "CronJob"}
     spec_template_spec_patterns[wl.kind]
     wl_connected_to_service(wl, service)
     failPath := ["spec.type"]
@@ -34,10 +34,10 @@ deny[msga] {
 
     svc := input[_]
     svc.kind == "Service"
-    not is_unsafe_service(svc)
+    not is_exposed_service(svc)
 
     wl := input[_]
-    spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Pod", "Job"}
+    spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Pod", "Job", "CronJob"}
     spec_template_spec_patterns[wl.kind]
     wl_connected_to_service(wl, svc)
 
@@ -61,11 +61,11 @@ deny[msga] {
 
 # ====================================================================================
 
-is_unsafe_service(svc) {
+is_exposed_service(svc) {
     svc.spec.type == "NodePort"
 }
 
-is_unsafe_service(svc) {
+is_exposed_service(svc) {
     svc.spec.type == "LoadBalancer"
 }
 
@@ -81,7 +81,7 @@ wl_connected_to_service(wl, svc) {
 svc_connected_to_ingress(svc, ingress) = result {
     rule := ingress.spec.rules[i]
     paths := rule.http.paths[j]
-    svc.metadata.name == paths.backend.serviceName
-    result := [sprintf("ingress.spec.rules[%d].http.paths[%d].backend.serviceName", [i,j])]
+    svc.metadata.name == paths.backend.service.name
+    result := [sprintf("ingress.spec.rules[%d].http.paths[%d].backend.service.name", [i,j])]
 }
 

rules/exposure-to-internet/test/failed_with_ingress/expected.json

@@ -34,7 +34,9 @@
                                     "paths": [
                                         {
                                             "backend": {
-                                                "serviceName": "my-service"
+                                                "service": {
+                                                    "name": "my-service"
+                                                }
                                             },
                                             "path": "/"
                                         }
@@ -45,7 +47,7 @@
                     }
                 },
                 "failedPaths": [
-                    "ingress.spec.rules[0].http.paths[0].backend.serviceName"
+                    "ingress.spec.rules[0].http.paths[0].backend.service.name"
                 ],
                 "fixPaths": null
             }

rules/exposure-to-internet/test/failed_with_ingress/input/ingress.yaml

@@ -1,4 +1,4 @@
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: my-ingress
@@ -9,5 +9,9 @@ spec:
     http:
       paths:
       - path: /
+        pathType: ImplementationSpecific
         backend:
-          serviceName: my-service
+          service:
+            name: my-service
+            port:
+              number: 80

rules/exposure-to-internet/test/success_with_ingress/input/ingress.yaml

@@ -1,4 +1,4 @@
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: my-ingress
@@ -9,5 +9,9 @@ spec:
     http:
       paths:
       - path: /
+        pathType: ImplementationSpecific
         backend:
-          serviceName: my-service-b
+          service:
+            name: my-service-b
+            port:
+              number: 80