-
Notifications
You must be signed in to change notification settings - Fork 119
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
we introduced three new rego checks to the oss. These checks are curr…
…ently part of the commercial but not included in the oss. Additionally, there are certain checks in the oss where two checks are combined into a single check. However, in the commercial, these checks are treated as two separate checks. Therefore, we will be splitting the combined checks from the oss into two distinct checks to align with the commercial implementation.
- Loading branch information
1 parent
9af96f6
commit 2c6c5a8
Showing
21 changed files
with
958 additions
and
23 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
|
||
Full control of the resources within a namespace. In some cluster configurations, this is excessive. In others, this is normal (a gitops deployment operator like flux) | ||
|
||
### Impact | ||
<!-- Add Impact here --> | ||
|
||
<!-- DO NOT CHANGE --> | ||
{{ remediationActions }} | ||
|
||
### Links | ||
- https://kubernetes.io/docs/concepts/security/rbac-good-practices/ | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
|
||
Viewing secrets at the namespace scope can lead to escalation if another service account in that namespace has a higher privileged rolebinding or clusterrolebinding bound. | ||
|
||
### Impact | ||
<!-- Add Impact here --> | ||
|
||
<!-- DO NOT CHANGE --> | ||
{{ remediationActions }} | ||
|
||
### Links | ||
- https://kubernetes.io/docs/concepts/security/rbac-good-practices/ | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
|
||
Webhooks can silently intercept or actively mutate/block resources as they are being created or updated. This includes secrets and pod specs. | ||
|
||
### Impact | ||
<!-- Add Impact here --> | ||
|
||
<!-- DO NOT CHANGE --> | ||
{{ remediationActions }} | ||
|
||
### Links | ||
- https://kubernetes.io/docs/concepts/security/rbac-good-practices/ | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
|
||
Ability to add AWS IAM to RBAC bindings via special EKS configmap. | ||
|
||
### Impact | ||
<!-- Add Impact here --> | ||
|
||
<!-- DO NOT CHANGE --> | ||
{{ remediationActions }} | ||
|
||
### Links | ||
- https://kubernetes.io/docs/concepts/security/rbac-good-practices/ | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
|
||
According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID. | ||
|
||
### Impact | ||
<!-- Add Impact here --> | ||
|
||
<!-- DO NOT CHANGE --> | ||
{{ remediationActions }} | ||
|
||
### Links | ||
- https://kubesec.io/basics/containers-securitycontext-runasuser/ | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
38 changes: 38 additions & 0 deletions
38
rules/kubernetes/policies/general/manage_all_resources_at_namespace.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
# METADATA | ||
# title: "Manage all resources at the namespace" | ||
# description: "Full control of the resources within a namespace. In some cluster configurations, this is excessive. In others, this is normal (a gitops deployment operator like flux)" | ||
# scope: package | ||
# schemas: | ||
# - input: schema["kubernetes"] | ||
# related_resources: | ||
# - https://kubernetes.io/docs/concepts/security/rbac-good-practices/ | ||
# custom: | ||
# id: KSV112 | ||
# avd_id: AVD-KSV-0112 | ||
# severity: CRITICAL | ||
# short_code: no-wildcard-resource-role | ||
# recommended_actions: "Remove '*' from 'rules.resources'. Provide specific list of resources to be managed by role in namespace" | ||
# input: | ||
# selector: | ||
# - type: kubernetes | ||
package builtin.kubernetes.KSV112 | ||
|
||
import data.lib.kubernetes | ||
import data.lib.utils | ||
|
||
readVerbs := ["create", "update", "delete", "deletecollection", "impersonate", "*", "list", "get"] | ||
|
||
readKinds := ["Role"] | ||
|
||
managingAllResourcesAtNamespace[input.rules[ru]] { | ||
some ru, r, v | ||
input.kind == readKinds[_] | ||
input.rules[ru].resources[r] == "*" | ||
input.rules[ru].verbs[v] == readVerbs[_] | ||
} | ||
|
||
deny[res] { | ||
badRule := managingAllResourcesAtNamespace[_] | ||
msg := kubernetes.format(sprintf("%s '%s' shouldn't manage all resources at the namespace '%s'", [kubernetes.kind, kubernetes.name, kubernetes.namespace])) | ||
res := result.new(msg, badRule) | ||
} |
2 changes: 1 addition & 1 deletion
2
...s/policies/general/any_resource_test.rego → ..._all_resources_at_the_namespace_test.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
145 changes: 145 additions & 0 deletions
145
rules/kubernetes/policies/general/manage_all_resources_test.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,145 @@ | ||
package builtin.kubernetes.KSV046 | ||
|
||
test_resource_verb_role_secrets { | ||
r := deny with input as { | ||
"apiVersion": "rbac.authorization.k8s.io/v1", | ||
"kind": "ClusterRole", | ||
"metadata": { | ||
"namespace": "default", | ||
"name": "pod-reader", | ||
}, | ||
"rules": [{ | ||
"apiGroups": ["*"], | ||
"resources": ["*"], | ||
"verbs": ["delete"], | ||
}], | ||
} | ||
|
||
count(r) > 0 | ||
} | ||
|
||
test_resource_verb_role_pods { | ||
r := deny with input as { | ||
"apiVersion": "rbac.authorization.k8s.io/v1", | ||
"kind": "ClusterRole", | ||
"metadata": { | ||
"namespace": "default", | ||
"name": "pod-reader", | ||
}, | ||
"rules": [{ | ||
"apiGroups": ["*"], | ||
"resources": ["*"], | ||
"verbs": ["deletecollection"], | ||
}], | ||
} | ||
|
||
count(r) > 0 | ||
} | ||
|
||
test_resource_verb_role_deployments { | ||
r := deny with input as { | ||
"apiVersion": "rbac.authorization.k8s.io/v1", | ||
"kind": "ClusterRole", | ||
"metadata": { | ||
"namespace": "default", | ||
"name": "pod-reader", | ||
}, | ||
"rules": [{ | ||
"apiGroups": ["*"], | ||
"resources": ["*"], | ||
"verbs": ["create"], | ||
}], | ||
} | ||
|
||
count(r) > 0 | ||
} | ||
|
||
test_resource_verb_role_daemonsets { | ||
r := deny with input as { | ||
"apiVersion": "rbac.authorization.k8s.io/v1", | ||
"kind": "ClusterRole", | ||
"metadata": { | ||
"namespace": "default", | ||
"name": "pod-reader", | ||
}, | ||
"rules": [{ | ||
"apiGroups": ["*"], | ||
"resources": ["*"], | ||
"verbs": ["list"], | ||
}], | ||
} | ||
|
||
count(r) > 0 | ||
} | ||
|
||
test_resource_verb_role_statefulsets { | ||
r := deny with input as { | ||
"apiVersion": "rbac.authorization.k8s.io/v1", | ||
"kind": "ClusterRole", | ||
"metadata": { | ||
"namespace": "default", | ||
"name": "pod-reader", | ||
}, | ||
"rules": [{ | ||
"apiGroups": ["*"], | ||
"resources": ["*"], | ||
"verbs": ["get"], | ||
}], | ||
} | ||
|
||
count(r) > 0 | ||
} | ||
|
||
test_resource_verb_role_replicationcontrollers { | ||
r := deny with input as { | ||
"apiVersion": "rbac.authorization.k8s.io/v1", | ||
"kind": "ClusterRole", | ||
"metadata": { | ||
"namespace": "default", | ||
"name": "pod-reader", | ||
}, | ||
"rules": [{ | ||
"apiGroups": ["*"], | ||
"resources": ["*"], | ||
"verbs": ["impersonate"], | ||
}], | ||
} | ||
|
||
count(r) > 0 | ||
} | ||
|
||
test_resource_resource_role_no_specific_verb { | ||
r := deny with input as { | ||
"apiVersion": "rbac.authorization.k8s.io/v1", | ||
"kind": "ClusterRole", | ||
"metadata": { | ||
"namespace": "default", | ||
"name": "pod-reader", | ||
}, | ||
"rules": [{ | ||
"apiGroups": ["*"], | ||
"resources": ["impersonate"], | ||
"verbs": ["aaa"], | ||
}], | ||
} | ||
|
||
count(r) == 0 | ||
} | ||
|
||
test_resource_verb_role_no_any_verb { | ||
r := deny with input as { | ||
"apiVersion": "rbac.authorization.k8s.io/v1", | ||
"kind": "ClusterRole", | ||
"metadata": { | ||
"namespace": "default", | ||
"name": "pod-reader", | ||
}, | ||
"rules": [{ | ||
"apiGroups": ["*"], | ||
"resources": ["*"], | ||
"verbs": ["*"], | ||
}], | ||
} | ||
|
||
count(r) > 0 | ||
} |
43 changes: 43 additions & 0 deletions
43
rules/kubernetes/policies/general/manage_eks_iam_auth_configmap.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
# METADATA | ||
# title: "Manage EKS IAM Auth ConfigMap" | ||
# description: "Ability to add AWS IAM to RBAC bindings via special EKS configmap." | ||
# scope: package | ||
# schemas: | ||
# - input: schema["kubernetes"] | ||
# related_resources: | ||
# - https://kubernetes.io/docs/concepts/security/rbac-good-practices/ | ||
# custom: | ||
# id: KSV115 | ||
# avd_id: AVD-KSV-0115 | ||
# severity: CRITICAL | ||
# short_code: eks-iam-configmap | ||
# recommended_actions: "Remove write permission verbs for resource 'configmaps' named 'aws-auth'" | ||
# input: | ||
# selector: | ||
# - type: kubernetes | ||
package builtin.kubernetes.KSV115 | ||
|
||
import data.lib.kubernetes | ||
import data.lib.utils | ||
|
||
readVerbs := ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"] | ||
|
||
readKinds := ["Role", "ClusterRole"] | ||
|
||
readResource = "configmaps" | ||
|
||
resourceName := "aws-auth" | ||
|
||
manageEKSIAMAuthConfigmap[input.rules[ru]] { | ||
some ru, r, v | ||
input.kind == readKinds[_] | ||
input.rules[ru].resources[r] == readResource | ||
input.rules[ru].verbs[v] == readVerbs[_] | ||
input.rules[ru].resourceNames[rn] == resourceName | ||
} | ||
|
||
deny[res] { | ||
badRule := manageEKSIAMAuthConfigmap[_] | ||
msg := kubernetes.format(sprintf("%s '%s' should not have access to resource '%s' named '%s' for verbs %s", [kubernetes.kind, kubernetes.name, readResource, resourceName, readVerbs])) | ||
res := result.new(msg, badRule) | ||
} |
Oops, something went wrong.