Merge pull request #616 from kubescape/fix-0048

C-0048 - fix to valid remediation
kubescape · Apr 3, 2024 · ab73dad · ab73dad
2 parents 20fef05 + d956002
commit ab73dad
Show file tree

Hide file tree

Showing 4 changed files with 62 additions and 39 deletions.
diff --git a/rules/alert-any-hostpath/raw.rego b/rules/alert-any-hostpath/raw.rego
@@ -9,14 +9,17 @@ deny[msga] {
 	start_of_path := "spec."
 	result  := is_dangerous_volume(volume, start_of_path, i)
     podname := pod.metadata.name
+	volumeMounts := pod.spec.containers[j].volumeMounts
+	pathMounts = volume_mounts(volume.name, volumeMounts, sprintf("spec.containers[%v]", [j]))
+	finalPath := array.concat([result], pathMounts)
 
 
 	msga := {
 		"alertMessage": sprintf("pod: %v has: %v as hostPath volume", [podname, volume.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
-		"deletePaths": [result],
-		"failedPaths": [result],
+		"deletePaths": finalPath,
+		"failedPaths": finalPath,
 		"fixPaths":[],
 		"alertObject": {
 			"k8sApiObjects": [pod]
@@ -33,14 +36,17 @@ deny[msga] {
     volume := volumes[i]
 	start_of_path := "spec.template.spec."
     result  := is_dangerous_volume(volume, start_of_path, i)
+	volumeMounts := wl.spec.template.spec.containers[j].volumeMounts
+	pathMounts = volume_mounts(volume.name,volumeMounts, sprintf("spec.template.spec.containers[%v]", [j]))
+	finalPath := array.concat([result], pathMounts)
 
 
 	msga := {
 		"alertMessage": sprintf("%v: %v has: %v as hostPath volume", [wl.kind, wl.metadata.name, volume.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
-		"deletePaths": [result],
-		"failedPaths": [result],
+		"deletePaths": finalPath,
+		"failedPaths": finalPath,
 		"fixPaths":[],
 		"alertObject": {
 			"k8sApiObjects": [wl]
@@ -56,12 +62,16 @@ deny[msga] {
     volume := volumes[i]
 	start_of_path := "spec.jobTemplate.spec.template.spec."
     result  := is_dangerous_volume(volume, start_of_path, i)
+	volumeMounts := wl.spec.jobTemplate.spec.template.spec.containers[j].volumeMounts
+	pathMounts = volume_mounts(volume.name,volumeMounts, sprintf("spec.jobTemplate.spec.template.spec.containers[%v]", [j]))
+	finalPath := array.concat([result], pathMounts)
+
 	msga := {
 		"alertMessage": sprintf("%v: %v has: %v as hostPath volume", [wl.kind, wl.metadata.name, volume.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
-		"deletePaths": [result],
-		"failedPaths": [result],
+		"deletePaths": finalPath,
+		"failedPaths": finalPath,
 		"fixPaths":[],
 		"alertObject": {
 			"k8sApiObjects": [wl]
@@ -71,5 +81,10 @@ deny[msga] {
 
 is_dangerous_volume(volume, start_of_path, i) = path {
     volume.hostPath.path
-    path = sprintf("%vvolumes[%v].hostPath.path", [start_of_path, format_int(i, 10)])
-}
+    path = sprintf("%vvolumes[%v]", [start_of_path, format_int(i, 10)])
+}
+
+volume_mounts(name, volume_mounts, str) = [path] {
+	name == volume_mounts[j].name
+	path := sprintf("%s.volumeMounts[%v]", [str, j])
+} else = []
diff --git a/rules/alert-any-hostpath/test/deployment/expected.json b/rules/alert-any-hostpath/test/deployment/expected.json
@@ -1,11 +1,13 @@
 [
     {
         "alertMessage": "Deployment: my-deployment has: test-volume as hostPath volume",
-        "deletePaths": [
-            "spec.template.spec.volumes[0].hostPath.path"
-        ],
         "failedPaths": [
-            "spec.template.spec.volumes[0].hostPath.path"
+            "spec.template.spec.volumes[0]",
+            "spec.template.spec.containers[0].volumeMounts[0]"
+        ],
+        "deletePaths": [
+            "spec.template.spec.volumes[0]",
+            "spec.template.spec.containers[0].volumeMounts[0]"
         ],
         "fixPaths": [],
         "ruleStatus": "",
@@ -28,11 +30,13 @@
     },
     {
         "alertMessage": "Deployment: my-deployment has: test-volume2 as hostPath volume",
-        "deletePaths": [
-            "spec.template.spec.volumes[1].hostPath.path"
-        ],
         "failedPaths": [
-            "spec.template.spec.volumes[1].hostPath.path"
+            "spec.template.spec.volumes[1]",
+            "spec.template.spec.containers[0].volumeMounts[1]"
+        ],
+        "deletePaths": [
+            "spec.template.spec.volumes[1]",
+            "spec.template.spec.containers[0].volumeMounts[1]"
         ],
         "fixPaths": [],
         "ruleStatus": "",

diff --git a/rules/alert-any-hostpath/test/deployment/input/deployment.yaml b/rules/alert-any-hostpath/test/deployment/input/deployment.yaml
@@ -23,7 +23,7 @@ spec:
               name : test-volume
 
             - mountPath : /test-pd2
-              name : test-volume
+              name : test-volume2
       volumes :
         - name : test-volume
           hostPath :

diff --git a/rules/alert-any-hostpath/test/pod/expected.json b/rules/alert-any-hostpath/test/pod/expected.json
@@ -1,24 +1,28 @@
-{
-	"alertMessage": "pod: test-pd has: test-volume as hostPath volume",
-	"deletePaths": [
-		"spec.volumes[0].hostPath.path"
-	],
-	"failedPaths": [
-		"spec.volumes[0].hostPath.path"
-	],
-	"fixPaths": [],
-	"ruleStatus": "",
-	"packagename": "armo_builtins",
-	"alertScore": 7,
-	"alertObject": {
-		"k8sApiObjects": [
-			{
-				"apiVersion": "v1",
-				"kind": "Pod",
-				"metadata": {
-					"name": "test-pd"
+[
+	{
+		"alertMessage": "pod: test-pd has: test-volume as hostPath volume",
+		"failedPaths": [
+			"spec.volumes[0]",
+			"spec.containers[0].volumeMounts[0]"
+		],
+		"deletePaths": [
+			"spec.volumes[0]",
+			"spec.containers[0].volumeMounts[0]"
+		],
+		"fixPaths": [],
+		"ruleStatus": "",
+		"packagename": "armo_builtins",
+		"alertScore": 7,
+		"alertObject": {
+			"k8sApiObjects": [
+				{
+					"apiVersion": "v1",
+					"kind": "Pod",
+					"metadata": {
+						"name": "test-pd"
+					}
 				}
-			}
-        ]
+			]
+		}
 	}
-}
+]