diff --git a/rules/alert-any-hostpath/raw.rego b/rules/alert-any-hostpath/raw.rego
index 581e43660..2bc5e3b19 100644
--- a/rules/alert-any-hostpath/raw.rego
+++ b/rules/alert-any-hostpath/raw.rego
@@ -9,14 +9,17 @@ deny[msga] {
 start_of_path := "spec."
 result := is_dangerous_volume(volume, start_of_path, i)
 podname := pod.metadata.name
+ volumeMounts := pod.spec.containers[j].volumeMounts
+ pathMounts = volume_mounts(volume.name, volumeMounts, sprintf("spec.containers[%v]", [j]))
+ finalPath := array.concat([result], pathMounts)
 msga := {
 "alertMessage": sprintf("pod: %v has: %v as hostPath volume", [podname, volume.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
- "deletePaths": [result],
- "failedPaths": [result],
+ "deletePaths": finalPath,
+ "failedPaths": finalPath,
 "fixPaths":[],
 "alertObject": {
 "k8sApiObjects": [pod]
@@ -33,14 +36,17 @@ deny[msga] {
 volume := volumes[i]
 start_of_path := "spec.template.spec."
 result := is_dangerous_volume(volume, start_of_path, i)
+ volumeMounts := wl.spec.template.spec.containers[j].volumeMounts
+ pathMounts = volume_mounts(volume.name,volumeMounts, sprintf("spec.template.spec.containers[%v]", [j]))
+ finalPath := array.concat([result], pathMounts)
 msga := {
 "alertMessage": sprintf("%v: %v has: %v as hostPath volume", [wl.kind, wl.metadata.name, volume.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
- "deletePaths": [result],
- "failedPaths": [result],
+ "deletePaths": finalPath,
+ "failedPaths": finalPath,
 "fixPaths":[],
 "alertObject": {
 "k8sApiObjects": [wl]
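Review bot: `volumeMounts := pod.spec.containers[j].volumeMounts` leaves `j` unbound, so the deny body is evaluated once per container and emits a separate `msga` for each. A container that does not mount the volume still yields `finalPath == [result]`, a second alert for the same hostPath volume that differs only in `failedPaths`/`deletePaths`, and if no container carries a `volumeMounts` key the reference is undefined and the pod is not reported at all, where the pre-change rule still flagged the declared hostPath volume. The Deployment hunk below (`wl.spec.template.spec.containers[j]`) and the CronJob hunk have the same shape, and none of the three looks at `initContainers`. Collecting the mounts in a comprehension keeps one finding per volume and yields `[]` when nothing mounts it, e.g. `pathMounts := [p | m := pod.spec.containers[k].volumeMounts[l]; m.name == volume.name; p := sprintf("spec.containers[%v].volumeMounts[%v]", [k, l])]` in place of the two added lines. `pathMounts = volume_mounts(...)` also uses `=` where every neighbouring assignment uses `:=` (and the CronJob variant drops the space after the first comma); the deny rule these lines belong to starts before the hunk.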
@@ -56,12 +62,16 @@ deny[msga] {
 volume := volumes[i]
 start_of_path := "spec.jobTemplate.spec.template.spec."
 result := is_dangerous_volume(volume, start_of_path, i)
+ volumeMounts := wl.spec.jobTemplate.spec.template.spec.containers[j].volumeMounts
+ pathMounts = volume_mounts(volume.name,volumeMounts, sprintf("spec.jobTemplate.spec.template.spec.containers[%v]", [j]))
+ finalPath := array.concat([result], pathMounts)
+
 msga := {
 "alertMessage": sprintf("%v: %v has: %v as hostPath volume", [wl.kind, wl.metadata.name, volume.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
- "deletePaths": [result],
- "failedPaths": [result],
+ "deletePaths": finalPath,
+ "failedPaths": finalPath,
 "fixPaths":[],
 "alertObject": {
 "k8sApiObjects": [wl]
@@ -71,5 +81,10 @@ deny[msga] {
 is_dangerous_volume(volume, start_of_path, i) = path {
 volume.hostPath.path
- path = sprintf("%vvolumes[%v].hostPath.path", [start_of_path, format_int(i, 10)])
-}
\ No newline at end of file
+ path = sprintf("%vvolumes[%v]", [start_of_path, format_int(i, 10)])
+}
+
+volume_mounts(name, volume_mounts, str) = [path] {
+ name == volume_mounts[j].name
+ path := sprintf("%s.volumeMounts[%v]", [str, j])
+} else = []
\ No newline at end of file
diff --git a/rules/alert-any-hostpath/test/deployment/expected.json b/rules/alert-any-hostpath/test/deployment/expected.json
index 7c9507a2d..4825bb3f9 100644
--- a/rules/alert-any-hostpath/test/deployment/expected.json
+++ b/rules/alert-any-hostpath/test/deployment/expected.json
@@ -1,11 +1,13 @@
 [
 {
 "alertMessage": "Deployment: my-deployment has: test-volume as hostPath volume",
- "deletePaths": [
- "spec.template.spec.volumes[0].hostPath.path"
- ],
 "failedPaths": [
- "spec.template.spec.volumes[0].hostPath.path"
+ "spec.template.spec.volumes[0]",
+ "spec.template.spec.containers[0].volumeMounts[0]"
+ ],
+ "deletePaths": [
+ "spec.template.spec.volumes[0]",
+ "spec.template.spec.containers[0].volumeMounts[0]"
 ],
 "fixPaths": [],
 "ruleStatus": "",
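Review bot: `volume_mounts` leaves `j` unbound inside a function body, so a container that mounts the same volume name at two mount paths makes the function produce two distinct `[path]` values for one set of inputs, which OPA reports as a conflict instead of returning both; the `else = []` only covers the no-match case. A comprehension returns every match and is empty when there is none, so the `else` can be dropped: `volume_mounts(name, volume_mounts, str) = paths {` / `paths := [path | name == volume_mounts[j].name; path := sprintf("%s.volumeMounts[%v]", [str, j])]` / `}`. `is_dangerous_volume` now returns the path of the whole `volumes[i]` entry, which fits its use as a `deletePaths` target, but nothing records that change of meaning; a comment such as `# path of the volume entry itself (not hostPath.path), so deletePaths removes the whole volume and its mounts` above the head would spare the next reader the diff archaeology.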
@@ -28,11 +30,13 @@
 },
 {
 "alertMessage": "Deployment: my-deployment has: test-volume2 as hostPath volume",
- "deletePaths": [
- "spec.template.spec.volumes[1].hostPath.path"
- ],
 "failedPaths": [
- "spec.template.spec.volumes[1].hostPath.path"
+ "spec.template.spec.volumes[1]",
+ "spec.template.spec.containers[0].volumeMounts[1]"
+ ],
+ "deletePaths": [
+ "spec.template.spec.volumes[1]",
+ "spec.template.spec.containers[0].volumeMounts[1]"
 ],
 "fixPaths": [],
 "ruleStatus": "",
diff --git a/rules/alert-any-hostpath/test/deployment/input/deployment.yaml b/rules/alert-any-hostpath/test/deployment/input/deployment.yaml
index c25ccfec4..5585f9402 100644
--- a/rules/alert-any-hostpath/test/deployment/input/deployment.yaml
+++ b/rules/alert-any-hostpath/test/deployment/input/deployment.yaml
@@ -23,7 +23,7 @@ spec:
 name : test-volume
 - mountPath : /test-pd2
- name : test-volume
+ name : test-volume2
 volumes :
 - name : test-volume
 hostPath :
diff --git a/rules/alert-any-hostpath/test/pod/expected.json b/rules/alert-any-hostpath/test/pod/expected.json
index d93123451..d4c433aeb 100644
--- a/rules/alert-any-hostpath/test/pod/expected.json
+++ b/rules/alert-any-hostpath/test/pod/expected.json
@@ -1,24 +1,28 @@
-{
- "alertMessage": "pod: test-pd has: test-volume as hostPath volume",
- "deletePaths": [
- "spec.volumes[0].hostPath.path"
- ],
- "failedPaths": [
- "spec.volumes[0].hostPath.path"
- ],
- "fixPaths": [],
- "ruleStatus": "",
- "packagename": "armo_builtins",
- "alertScore": 7,
- "alertObject": {
- "k8sApiObjects": [
- {
- "apiVersion": "v1",
- "kind": "Pod",
- "metadata": {
- "name": "test-pd"
+[
+ {
+ "alertMessage": "pod: test-pd has: test-volume as hostPath volume",
+ "failedPaths": [
+ "spec.volumes[0]",
+ "spec.containers[0].volumeMounts[0]"
+ ],
+ "deletePaths": [
+ "spec.volumes[0]",
+ "spec.containers[0].volumeMounts[0]"
+ ],
+ "fixPaths": [],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 7,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "test-pd"
+ }
 }
- }
- ]
+ ]
+ }
 }
-}
\ No newline at end of file
+]
\ No newline at end of file