Merge pull request #484 from kubescape/split-default-namespace-rules

Split default namespace rules
kubescape · Aug 1, 2023 · 693cb02 · 693cb02
2 parents d3e4c90 + 999051d
commit 693cb02
Show file tree

Hide file tree

Showing 88 changed files with 1,586 additions and 169 deletions.
diff --git a/controls/C-0212-thedefaultnamespaceshouldnotbeused.json b/controls/C-0212-thedefaultnamespaceshouldnotbeused.json
@@ -14,13 +14,28 @@
     },
     "rulesNames": [
         "pods-in-default-namespace",
-        "resources-rbac-in-default-namespace",
-        "resources-core1-in-default-namespace",
-        "resources-core2-in-default-namespace",
-        "resources-other1-in-default-namespace",
-        "resources-other2-in-default-namespace",
+        "rolebinding-in-default-namespace",
+        "role-in-default-namespace",
+        "configmap-in-default-namespace",
+        "endpoints-in-default-namespace",
+        "limitrange-in-default-namespace",
+        "persistentvolumeclaim-in-default-namespace",
+        "podtemplate-in-default-namespace",
+        "replicationcontroller-in-default-namespace",
+        "resourcequota-in-default-namespace",
+        "service-in-default-namespace",
+        "serviceaccount-in-default-namespace",
+        "controllerrevision-in-default-namespace",
+        "endpointslice-in-default-namespace",
+        "horizontalpodautoscaler-in-default-namespace",
+        "lease-in-default-namespace",
+        "csistoragecapacity-in-default-namespace",
+        "ingress-in-default-namespace",
+        "networkpolicy-in-default-namespace",
+        "poddisruptionbudget-in-default-namespace",
         "resources-secret-in-default-namespace",
-        "resources-event-in-default-namespace"
+        "resources-event-1-in-default-namespace",
+        "resources-event-2-in-default-namespace"
     ],
     "baseScore": 4,
     "impact_statement": "None",

diff --git a/...urces-core1-in-default-namespace/raw.rego → ...s/configmap-in-default-namespace/raw.rego b/...urces-core1-in-default-namespace/raw.rego → ...s/configmap-in-default-namespace/raw.rego
diff --git a/rules/configmap-in-default-namespace/rule.metadata.json b/rules/configmap-in-default-namespace/rule.metadata.json
@@ -0,0 +1,25 @@
+{
+    "name": "configmap-in-default-namespace",
+    "attributes": {
+      "armoBuiltin": true
+    },
+    "ruleLanguage": "Rego",
+    "match": [
+      {
+        "apiGroups": [
+          ""
+        ],
+        "apiVersions": [
+          "v1"
+        ],
+        "resources": [
+          "ConfigMap"
+        ]
+      }
+    ],
+    "ruleDependencies": [
+    ],
+    "description": "",
+    "remediation": "",
+    "ruleQuery": "armo_builtins"
+}
diff --git a/...lt-namespace/test/configmap/expected.json → ...lt-namespace/test/configmap/expected.json b/...lt-namespace/test/configmap/expected.json → ...lt-namespace/test/configmap/expected.json
diff --git a/...space/test/configmap/input/configmap.yaml → ...space/test/configmap/input/configmap.yaml b/...space/test/configmap/input/configmap.yaml → ...space/test/configmap/input/configmap.yaml
diff --git a/...urces-core2-in-default-namespace/raw.rego → ...lerrevision-in-default-namespace/raw.rego b/...urces-core2-in-default-namespace/raw.rego → ...lerrevision-in-default-namespace/raw.rego
diff --git a/rules/controllerrevision-in-default-namespace/rule.metadata.json b/rules/controllerrevision-in-default-namespace/rule.metadata.json
@@ -0,0 +1,25 @@
+{
+    "name": "controllerrevision-in-default-namespace",
+    "attributes": {
+      "armoBuiltin": true
+    },
+    "ruleLanguage": "Rego",
+    "match": [
+      {
+        "apiGroups": [
+          "apps"
+        ],
+        "apiVersions": [
+          "v1"
+        ],
+        "resources": [
+            "ControllerRevision"
+        ]
+      }
+    ],
+    "ruleDependencies": [
+    ],
+    "description": "",
+    "remediation": "",
+    "ruleQuery": "armo_builtins"
+}
diff --git a/rules/controllerrevision-in-default-namespace/test/controllerrevision/expected.json b/rules/controllerrevision-in-default-namespace/test/controllerrevision/expected.json
@@ -0,0 +1,23 @@
+[
+    {
+        "alertMessage": "ControllerRevision: kubescape is in the 'default' namespace",
+        "failedPaths": [
+            "metadata.namespace"
+        ],
+        "fixPaths": [],
+        "ruleStatus": "",
+        "packagename": "armo_builtins",
+        "alertScore": 3,
+        "alertObject": {
+            "k8sApiObjects": [
+                {
+                    "apiVersion": "apps/v1",
+                    "kind": "ControllerRevision",
+                    "metadata": {
+                        "name": "kubescape"
+                    }
+                }
+            ]
+        }
+    }
+]
diff --git a/...rollerrevision-in-default-namespace/test/controllerrevision/input/controllerrevision.yaml b/...rollerrevision-in-default-namespace/test/controllerrevision/input/controllerrevision.yaml
@@ -0,0 +1,8 @@
+apiVersion: apps/v1
+kind: ControllerRevision
+metadata:
+  name: kubescape
+  namespace: default
+revision: 1
+data:
+  raw: Serialized-Object
diff --git a/...urces-event-in-default-namespace/raw.rego → ...agecapacity-in-default-namespace/raw.rego b/...urces-event-in-default-namespace/raw.rego → ...agecapacity-in-default-namespace/raw.rego
diff --git a/rules/csistoragecapacity-in-default-namespace/rule.metadata.json b/rules/csistoragecapacity-in-default-namespace/rule.metadata.json
@@ -0,0 +1,25 @@
+{
+    "name": "csistoragecapacity-in-default-namespace",
+    "attributes": {
+      "armoBuiltin": true
+    },
+    "ruleLanguage": "Rego",
+    "match": [
+      {
+        "apiGroups": [
+          "storage.k8s.io"
+        ],
+        "apiVersions": [
+          "v1beta1"
+        ],
+        "resources": [
+            "CSIStorageCapacity"
+        ]
+      }
+    ],
+    "ruleDependencies": [
+    ],
+    "description": "",
+    "remediation": "",
+    "ruleQuery": "armo_builtins"
+}
diff --git a/rules/csistoragecapacity-in-default-namespace/test/csistoragecapacity/expected.json b/rules/csistoragecapacity-in-default-namespace/test/csistoragecapacity/expected.json
@@ -0,0 +1,23 @@
+[
+    {
+        "alertMessage": "CSIStorageCapacity: kubescape is in the 'default' namespace",
+        "failedPaths": [
+            "metadata.namespace"
+        ],
+        "fixPaths": [],
+        "ruleStatus": "",
+        "packagename": "armo_builtins",
+        "alertScore": 3,
+        "alertObject": {
+            "k8sApiObjects": [
+                {
+                    "apiVersion": "storage.k8s.io/v1beta1",
+                    "kind": "CSIStorageCapacity",
+                    "metadata": {
+                        "name": "kubescape"
+                    }
+                }
+            ]
+        }
+    }
+]
diff --git a/...toragecapacity-in-default-namespace/test/csistoragecapacity/input/csistoragecapacity.yaml b/...toragecapacity-in-default-namespace/test/csistoragecapacity/input/csistoragecapacity.yaml
@@ -0,0 +1,9 @@
+apiVersion: storage.k8s.io/v1beta1
+kind: CSIStorageCapacity
+metadata:
+  name: kubescape
+  namespace: default
+topology:
+  segments:
+    topology.storage.k8s.io/zone: us-east-1a
+storageClassName: example-storageclass
diff --git a/...rces-other1-in-default-namespace/raw.rego → ...s/endpoints-in-default-namespace/raw.rego b/...rces-other1-in-default-namespace/raw.rego → ...s/endpoints-in-default-namespace/raw.rego
diff --git a/rules/endpoints-in-default-namespace/rule.metadata.json b/rules/endpoints-in-default-namespace/rule.metadata.json
@@ -0,0 +1,25 @@
+{
+    "name": "endpoints-in-default-namespace",
+    "attributes": {
+      "armoBuiltin": true
+    },
+    "ruleLanguage": "Rego",
+    "match": [
+      {
+        "apiGroups": [
+          ""
+        ],
+        "apiVersions": [
+          "v1"
+        ],
+        "resources": [
+          "Endpoints"
+        ]
+      }
+    ],
+    "ruleDependencies": [
+    ],
+    "description": "",
+    "remediation": "",
+    "ruleQuery": "armo_builtins"
+}
diff --git a/...lt-namespace/test/configmap/expected.json → ...lt-namespace/test/endpoints/expected.json b/...lt-namespace/test/configmap/expected.json → ...lt-namespace/test/endpoints/expected.json
@@ -1,6 +1,6 @@
 [
     {
-        "alertMessage": "ConfigMap: kubescape is in the 'default' namespace",
+        "alertMessage": "Endpoints: kubescape is in the 'default' namespace",
         "failedPaths": [
             "metadata.namespace"
         ],
@@ -12,7 +12,7 @@
             "k8sApiObjects": [
                 {
                     "apiVersion": "v1",
-                    "kind": "ConfigMap",
+                    "kind": "Endpoints",
                     "metadata": {
                         "name": "kubescape"
                     }

diff --git a/rules/endpoints-in-default-namespace/test/endpoints/input/endpoints.yaml b/rules/endpoints-in-default-namespace/test/endpoints/input/endpoints.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: kubescape
+  namespace: default
+subsets:
+  - addresses:
+      - ip: 192.0.2.42
+    ports:
+      - port: 9376
diff --git a/...rces-other2-in-default-namespace/raw.rego → ...dpointslice-in-default-namespace/raw.rego b/...rces-other2-in-default-namespace/raw.rego → ...dpointslice-in-default-namespace/raw.rego
diff --git a/rules/endpointslice-in-default-namespace/rule.metadata.json b/rules/endpointslice-in-default-namespace/rule.metadata.json
@@ -0,0 +1,25 @@
+{
+    "name": "endpointslice-in-default-namespace",
+    "attributes": {
+      "armoBuiltin": true
+    },
+    "ruleLanguage": "Rego",
+    "match": [
+      {
+        "apiGroups": [
+          "discovery.k8s.io"
+        ],
+        "apiVersions": [
+          "v1"
+        ],
+        "resources": [
+            "EndpointSlice"
+        ]
+      }
+    ],
+    "ruleDependencies": [
+    ],
+    "description": "",
+    "remediation": "",
+    "ruleQuery": "armo_builtins"
+}
diff --git a/rules/endpointslice-in-default-namespace/test/endpointslice/expected.json b/rules/endpointslice-in-default-namespace/test/endpointslice/expected.json
@@ -0,0 +1,23 @@
+[
+    {
+        "alertMessage": "EndpointSlice: kubescape is in the 'default' namespace",
+        "failedPaths": [
+            "metadata.namespace"
+        ],
+        "fixPaths": [],
+        "ruleStatus": "",
+        "packagename": "armo_builtins",
+        "alertScore": 3,
+        "alertObject": {
+            "k8sApiObjects": [
+                {
+                    "apiVersion": "discovery.k8s.io/v1",
+                    "kind": "EndpointSlice",
+                    "metadata": {
+                        "name": "kubescape"
+                    }
+                }
+            ]
+        }
+    }
+]
diff --git a/rules/endpointslice-in-default-namespace/test/endpointslice/input/endpointslice.yaml b/rules/endpointslice-in-default-namespace/test/endpointslice/input/endpointslice.yaml
@@ -0,0 +1,14 @@
+apiVersion: discovery.k8s.io/v1
+kind: EndpointSlice
+metadata:
+  name: kubescape
+  namespace: default
+addressType: IPv4
+ports:
+  - name: http
+    protocol: TCP
+    port: 80
+endpoints:
+  - addresses: ["10.1.2.3"]
+    conditions:
+      ready: true
diff --git a/...ources-rbac-in-default-namespace/raw.rego → ...dautoscaler-in-default-namespace/raw.rego b/...ources-rbac-in-default-namespace/raw.rego → ...dautoscaler-in-default-namespace/raw.rego
diff --git a/rules/horizontalpodautoscaler-in-default-namespace/rule.metadata.json b/rules/horizontalpodautoscaler-in-default-namespace/rule.metadata.json
@@ -0,0 +1,25 @@
+{
+    "name": "horizontalpodautoscaler-in-default-namespace",
+    "attributes": {
+      "armoBuiltin": true
+    },
+    "ruleLanguage": "Rego",
+    "match": [
+      {
+        "apiGroups": [
+          "autoscaling"
+        ],
+        "apiVersions": [
+          "v2"
+        ],
+        "resources": [
+            "HorizontalPodAutoscaler"
+        ]
+      }
+    ],
+    "ruleDependencies": [
+    ],
+    "description": "",
+    "remediation": "",
+    "ruleQuery": "armo_builtins"
+}
diff --git a/...s/horizontalpodautoscaler-in-default-namespace/test/horizontalpodautoscaler/expected.json b/...s/horizontalpodautoscaler-in-default-namespace/test/horizontalpodautoscaler/expected.json
@@ -0,0 +1,23 @@
+[
+    {
+        "alertMessage": "HorizontalPodAutoscaler: kubescape is in the 'default' namespace",
+        "failedPaths": [
+            "metadata.namespace"
+        ],
+        "fixPaths": [],
+        "ruleStatus": "",
+        "packagename": "armo_builtins",
+        "alertScore": 3,
+        "alertObject": {
+            "k8sApiObjects": [
+                {
+                    "apiVersion": "autoscaling/v2",
+                    "kind": "HorizontalPodAutoscaler",
+                    "metadata": {
+                        "name": "kubescape"
+                    }
+                }
+            ]
+        }
+    }
+]
diff --git a/...aler-in-default-namespace/test/horizontalpodautoscaler/input/horizontalpodautoscaler.yaml b/...aler-in-default-namespace/test/horizontalpodautoscaler/input/horizontalpodautoscaler.yaml
@@ -0,0 +1,13 @@
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: kubescape
+  namespace: default
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: my-application
+  minReplicas: 1
+  maxReplicas: 10
+  targetCPUUtilizationPercentage: 50