k8s policy changes

tenable · May 19, 2021 · 31fd3f3 · 31fd3f3
1 parent 0fa06ff
commit 31fd3f3
Show file tree

Hide file tree

Showing 91 changed files with 534 additions and 352 deletions.
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_ingress/AC-K8-NS-IN-H-0020.json b/pkg/policies/opa/rego/k8s/kubernetes_ingress/AC-K8-NS-IN-H-0020.json
@@ -1,14 +1,16 @@
 {
-  "name": "noHttps",
-  "file": "noHttps.rego",
-  "template_args": {
     "name": "noHttps",
-    "prefix": "",
-    "suffix": ""
-  },
-  "severity": "HIGH",
-  "description": "TLS disabled can affect the confidentiality of the data in transit",
-  "reference_id": "AC-K8-NS-IN-H-0020",
-  "category": "Infrastructure Security",
-  "version": 1
-}
+    "file": "noHttps.rego",
+    "policy_type": "k8s",
+    "resource_type": "kubernetes_ingress",
+    "template_args": {
+        "name": "noHttps",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "HIGH",
+    "description": "TLS disabled can affect the confidentiality of the data in transit",
+    "reference_id": "AC-K8-NS-IN-H-0020",
+    "category": "Infrastructure Security",
+    "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_namespace/AC-K8-OE-NS-L-0128.json b/pkg/policies/opa/rego/k8s/kubernetes_namespace/AC-K8-OE-NS-L-0128.json
@@ -1,14 +1,16 @@
 {
-  "name": "noOwnerLabel",
-  "file": "noOwnerLabel.rego",
-  "template_args": {
     "name": "noOwnerLabel",
-    "prefix": "",
-    "suffix": ""
-  },
-  "severity": "LOW",
-  "description": "No owner for namespace affects the operations",
-  "reference_id": "AC-K8-OE-NS-L-0128",
-  "category": "Security Best Practices",
-  "version": 1
-}
+    "file": "noOwnerLabel.rego",
+    "policy_type": "k8s",
+    "resource_type": "kubernetes_namespace",
+    "template_args": {
+        "name": "noOwnerLabel",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "LOW",
+    "description": "No owner for namespace affects the operations",
+    "reference_id": "AC-K8-OE-NS-L-0128",
+    "category": "Security Best Practices",
+    "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_namespace/accurics.kubernetes.OPS.460.json b/pkg/policies/opa/rego/k8s/kubernetes_namespace/accurics.kubernetes.OPS.460.json
@@ -1,6 +1,8 @@
 {
     "name": "defaultNamespaceUsed",
     "file": "defaultNamespaceUsed.rego",
+    "policy_type": "k8s",
+    "resource_type": "kubernetes_namespace",
     "template_args": {
         "generate_name": "generate_name",
         "name": "defaultNamespaceUsed",

diff --git a/pkg/policies/opa/rego/k8s/kubernetes_namespace/accurics.kubernetes.OPS.461.json b/pkg/policies/opa/rego/k8s/kubernetes_namespace/accurics.kubernetes.OPS.461.json
@@ -1,6 +1,8 @@
 {
     "name": "defaultNamespaceUsed2",
     "file": "defaultNamespaceUsed.rego",
+    "policy_type": "k8s",
+    "resource_type": "kubernetes_namespace",
     "template_args": {
         "generate_name": "generate_name",
         "name": "defaultNamespaceUsed2",

diff --git a/pkg/policies/opa/rego/k8s/kubernetes_namespace/accurics.kubernetes.OPS.462.json b/pkg/policies/opa/rego/k8s/kubernetes_namespace/accurics.kubernetes.OPS.462.json
@@ -1,6 +1,8 @@
 {
     "name": "defaultNamespaceUsed4",
     "file": "defaultNamespaceUsed.rego",
+    "policy_type": "k8s",
+    "resource_type": "kubernetes_namespace",
     "template_args": {
         "generate_name": "generate_name",
         "name": "defaultNamespaceUsed4",

diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-CA-PO-H-0165.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-CA-PO-H-0165.json
@@ -1,21 +1,23 @@
 {
-  "name": "privilegeEscalationCheck",
-  "file": "securityContextCheck.rego",
-  "template_args": {
-    "allowed": "false",
-    "arg1": "cpu",
-    "arg2": "limits",
     "name": "privilegeEscalationCheck",
-    "not_allowed": "true",
-    "param": "allowPrivilegeEscalation",
-    "param1": "securityContext",
-    "prefix": "",
-    "suffix": "",
-    "value": "true"
-  },
-  "severity": "HIGH",
-  "description": "Containers Should Not Run with AllowPrivilegeEscalation",
-  "reference_id": "AC-K8-CA-PO-H-0165",
-  "category": "Compliance Validation",
-  "version": 1
-}
+    "file": "securityContextCheck.rego",
+    "policy_type": "k8s",
+    "resource_type": "kubernetes_pod",
+    "template_args": {
+        "allowed": "false",
+        "arg1": "cpu",
+        "arg2": "limits",
+        "name": "privilegeEscalationCheck",
+        "not_allowed": "true",
+        "param": "allowPrivilegeEscalation",
+        "param1": "securityContext",
+        "prefix": "",
+        "suffix": "",
+        "value": "true"
+    },
+    "severity": "HIGH",
+    "description": "Containers Should Not Run with AllowPrivilegeEscalation",
+    "reference_id": "AC-K8-CA-PO-H-0165",
+    "category": "Compliance Validation",
+    "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0176.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0176.json
@@ -1,14 +1,16 @@
 {
-  "name": "kubeDashboardEnabled",
-  "file": "kubeDashboardEnabled.rego",
-  "template_args": {
     "name": "kubeDashboardEnabled",
-    "prefix": "",
-    "suffix": ""
-  },
-  "severity": "MEDIUM",
-  "description": "Ensure Kubernetes Dashboard Is Not Deployed",
-  "reference_id": "AC-K8-DS-PO-M-0176",
-  "category": "Data Protection",
-  "version": 1
-}
+    "file": "kubeDashboardEnabled.rego",
+    "policy_type": "k8s",
+    "resource_type": "kubernetes_pod",
+    "template_args": {
+        "name": "kubeDashboardEnabled",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure Kubernetes Dashboard Is Not Deployed",
+    "reference_id": "AC-K8-DS-PO-M-0176",
+    "category": "Data Protection",
+    "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0177.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0177.json
@@ -1,14 +1,16 @@
 {
-  "name": "tillerDeployed",
-  "file": "tillerDeployed.rego",
-  "template_args": {
     "name": "tillerDeployed",
-    "prefix": "",
-    "suffix": ""
-  },
-  "severity": "MEDIUM",
-  "description": "Ensure That Tiller (Helm V2) Is Not Deployed",
-  "reference_id": "AC-K8-DS-PO-M-0177",
-  "category": "Data Protection",
-  "version": 1
-}
+    "file": "tillerDeployed.rego",
+    "policy_type": "k8s",
+    "resource_type": "kubernetes_pod",
+    "template_args": {
+        "name": "tillerDeployed",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure That Tiller (Helm V2) Is Not Deployed",
+    "reference_id": "AC-K8-DS-PO-M-0177",
+    "category": "Data Protection",
+    "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0106.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0106.json
@@ -1,6 +1,8 @@
 {
     "name": "priviledgedContainersEnabled",
     "file": "priviledgedContainersEnabled.rego",
+    "policy_type": "k8s",
+    "resource_type": "kubernetes_pod",
     "template_args": {
         "name": "priviledgedContainersEnabled",
         "prefix": "",

diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0137.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0137.json
@@ -1,6 +1,8 @@
 {
     "name": "disallowedSysCalls",
     "file": "disallowedSysCalls.rego",
+    "policy_type": "k8s",
+    "resource_type": "kubernetes_pod",
     "template_args": {
         "name": "disallowedSysCalls",
         "prefix": "",

diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0138.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0138.json
@@ -1,6 +1,8 @@
 {
     "name": "allowedHostPath",
     "file": "allowedHostPath.rego",
+    "policy_type": "k8s",
+    "resource_type": "kubernetes_pod",
     "template_args": {
         "name": "allowedHostPath",
         "prefix": "",

diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0168.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0168.json
@@ -1,6 +1,8 @@
 {
     "name": "runAsNonRootCheck",
     "file": "securityContextCheck.rego",
+    "policy_type": "k8s",
+    "resource_type": "kubernetes_pod",
     "template_args": {
         "allowed": "false",
         "arg1": "cpu",

diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0105.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0105.json
@@ -1,6 +1,8 @@
 {
     "name": "autoMountTokenEnabled",
     "file": "autoMountTokenEnabled.rego",
+    "policy_type": "k8s",
+    "resource_type": "kubernetes_pod",
     "template_args": {
         "name": "autoMountTokenEnabled",
         "prefix": "",

diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0135.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0135.json
@@ -1,6 +1,8 @@
 {
     "name": "appArmorProfile",
     "file": "appArmorProfile.rego",
+    "policy_type": "k8s",
+    "resource_type": "kubernetes_pod",
     "template_args": {
         "name": "appArmorProfile",
         "prefix": "",

diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0139.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0139.json
@@ -1,6 +1,8 @@
 {
     "name": "allowedProcMount",
     "file": "allowedProcMount.rego",
+    "policy_type": "k8s",
+    "resource_type": "kubernetes_pod",
     "template_args": {
         "name": "allowedProcMount",
         "prefix": "",

diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0140.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0140.json
@@ -1,6 +1,8 @@
 {
     "name": "readOnlyFileSystem",
     "file": "securityContextCheck.rego",
+    "policy_type": "k8s",
+    "resource_type": "kubernetes_pod",
     "template_args": {
         "allowed": "false",
         "arg1": "limits",

diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0141.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0141.json
@@ -1,6 +1,8 @@
 {
     "name": "secCompProfile",
     "file": "secCompProfile.rego",
+    "policy_type": "k8s",
+    "resource_type": "kubernetes_pod",
     "template_args": {
         "name": "secCompProfile",
         "prefix": "",

diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0143.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0143.json
@@ -1,6 +1,8 @@
 {
     "name": "allowedVolumes",
     "file": "allowedVolumes.rego",
+    "policy_type": "k8s",
+    "resource_type": "kubernetes_pod",
     "template_args": {
         "name": "allowedVolumes",
         "prefix": "",

diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0162.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0162.json
@@ -1,6 +1,8 @@
 {
     "name": "falseHostPID",
     "file": "specBoolCheck.rego",
+    "policy_type": "k8s",
+    "resource_type": "kubernetes_pod",
     "template_args": {
         "name": "falseHostPID",
         "param": "hostPID",

diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PS-M-0112.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PS-M-0112.json
@@ -1,6 +1,8 @@
 {
     "name": "netRawCapabilityUsed",
     "file": "capabilityUsed.rego",
+    "policy_type": "k8s",
+    "resource_type": "kubernetes_pod",
     "template_args": {
         "attribute": "requiredDropCapabilities",
         "name": "netRawCapabilityUsed",

diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0117.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0117.json
@@ -1,14 +1,16 @@
 {
-  "name": "secretsAsEnvVariables",
-  "file": "secretsAsEnvVariables.rego",
-  "template_args": {
     "name": "secretsAsEnvVariables",
-    "prefix": "",
-    "suffix": ""
-  },
-  "severity": "HIGH",
-  "description": "Prefer using secrets as files over secrets as environment variables",
-  "reference_id": "AC-K8-NS-PO-H-0117",
-  "category": "Infrastructure Security",
-  "version": 1
-}
+    "file": "secretsAsEnvVariables.rego",
+    "policy_type": "k8s",
+    "resource_type": "kubernetes_pod",
+    "template_args": {
+        "name": "secretsAsEnvVariables",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "HIGH",
+    "description": "Prefer using secrets as files over secrets as environment variables",
+    "reference_id": "AC-K8-NS-PO-H-0117",
+    "category": "Infrastructure Security",
+    "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0170.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0170.json
@@ -1,14 +1,16 @@
 {
-  "name": "capSysAdminUsed",
-  "file": "capSysAdminUsed.rego",
-  "template_args": {
     "name": "capSysAdminUsed",
-    "prefix": "",
-    "suffix": ""
-  },
-  "severity": "HIGH",
-  "description": "Do Not Use CAP_SYS_ADMIN Linux Capability",
-  "reference_id": "AC-K8-NS-PO-H-0170",
-  "category": "Infrastructure Security",
-  "version": 1
-}
+    "file": "capSysAdminUsed.rego",
+    "policy_type": "k8s",
+    "resource_type": "kubernetes_pod",
+    "template_args": {
+        "name": "capSysAdminUsed",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "HIGH",
+    "description": "Do Not Use CAP_SYS_ADMIN Linux Capability",
+    "reference_id": "AC-K8-NS-PO-H-0170",
+    "category": "Infrastructure Security",
+    "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0122.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0122.json
@@ -1,14 +1,16 @@
 {
-  "name": "securityContextUsed",
-  "file": "securityContextUsed.rego",
-  "template_args": {
     "name": "securityContextUsed",
-    "prefix": "",
-    "suffix": ""
-  },
-  "severity": "MEDIUM",
-  "description": "Apply Security Context to Your Pods and Containers",
-  "reference_id": "AC-K8-NS-PO-M-0122",
-  "category": "Infrastructure Security",
-  "version": 1
-}
+    "file": "securityContextUsed.rego",
+    "policy_type": "k8s",
+    "resource_type": "kubernetes_pod",
+    "template_args": {
+        "name": "securityContextUsed",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Apply Security Context to Your Pods and Containers",
+    "reference_id": "AC-K8-NS-PO-M-0122",
+    "category": "Infrastructure Security",
+    "version": 1
+}