refactor(checks): migrate Kubernetes network to Rego

Signed-off-by: Nikita Pivkin <[email protected]>
aquasecurity · Nov 27, 2024 · 11152df · 11152df
1 parent 08abf3c
commit 11152df
Show file tree

Hide file tree

Showing 15 changed files with 585 additions and 281 deletions.
diff --git a/avd_docs/kubernetes/network/AVD-KUBE-0001/Terraform.md b/avd_docs/kubernetes/network/AVD-KUBE-0001/Terraform.md
@@ -2,67 +2,66 @@
 Remove public access except where explicitly required
 
 ```hcl
- resource "kubernetes_network_policy" "good_example" {
-   metadata {
-     name      = "terraform-example-network-policy"
-     namespace = "default"
-   }
- 
-   spec {
-     pod_selector {
-       match_expressions {
-         key      = "name"
-         operator = "In"
-         values   = ["webfront", "api"]
-       }
-     }
- 
-     ingress {
-       ports {
-         port     = "http"
-         protocol = "TCP"
-       }
-       ports {
-         port     = "8125"
-         protocol = "UDP"
-       }
- 
-       from {
-         ip_block {
-           cidr = "10.0.0.0/16"
-           except = [
-             "10.0.0.0/24",
-             "10.0.1.0/24",
-           ]
-         }
-       }
-     }
- 
-     egress {
-       ports {
-         port     = "http"
-         protocol = "TCP"
-       }
-       ports {
-         port     = "8125"
-         protocol = "UDP"
-       }
- 
-       to {
-         ip_block {
-           cidr = "0.0.0.0/0"
-           except = [
-             "10.0.0.0/24",
-             "10.0.1.0/24",
-           ]
-         }
-       }
-     }
- 
-     policy_types = ["Ingress", "Egress"]
-   }
- }
- 
+resource "kubernetes_network_policy" "good_example" {
+  metadata {
+    name      = "terraform-example-network-policy"
+    namespace = "default"
+  }
+
+  spec {
+    pod_selector {
+      match_expressions {
+        key      = "name"
+        operator = "In"
+        values   = ["webfront", "api"]
+      }
+    }
+
+    ingress {
+      ports {
+        port     = "http"
+        protocol = "TCP"
+      }
+      ports {
+        port     = "8125"
+        protocol = "UDP"
+      }
+
+      from {
+        ip_block {
+          cidr = "10.0.0.0/16"
+          except = [
+            "10.0.0.0/24",
+            "10.0.1.0/24",
+          ]
+        }
+      }
+    }
+
+    egress {
+      ports {
+        port     = "http"
+        protocol = "TCP"
+      }
+      ports {
+        port     = "8125"
+        protocol = "UDP"
+      }
+
+      to {
+        ip_block {
+          cidr = "0.0.0.0/0"
+          except = [
+            "10.0.0.0/24",
+            "10.0.1.0/24",
+          ]
+        }
+      }
+    }
+
+    policy_types = ["Ingress", "Egress"]
+  }
+}
 ```
 
 #### Remediation Links

diff --git a/avd_docs/kubernetes/network/AVD-KUBE-0001/docs.md b/avd_docs/kubernetes/network/AVD-KUBE-0001/docs.md
@@ -2,7 +2,7 @@
 You should not expose infrastructure to the public internet except where explicitly required
 
 ### Impact
-Exposure of infrastructure to the public internet
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/kubernetes/network/AVD-KUBE-0002/Terraform.md b/avd_docs/kubernetes/network/AVD-KUBE-0002/Terraform.md
@@ -2,69 +2,68 @@
 Remove public access except where explicitly required
 
 ```hcl
- resource "kubernetes_network_policy" "good_example" {
-   metadata {
-     name      = "terraform-example-network-policy"
-     namespace = "default"
-   }
- 
-   spec {
-     pod_selector {
-       match_expressions {
-         key      = "name"
-         operator = "In"
-         values   = ["webfront", "api"]
-       }
-     }
- 
-     egress {
-       ports {
-         port     = "http"
-         protocol = "TCP"
-       }
-       ports {
-         port     = "8125"
-         protocol = "UDP"
-       }
- 
-       to {
-         ip_block {
-           cidr = "10.0.0.0/16"
-           except = [
-             "10.0.0.0/24",
-             "10.0.1.0/24",
-           ]
-         }
-       }
-     }
- 
-     ingress {
-       ports {
-         port     = "http"
-         protocol = "TCP"
-       }
-       ports {
-         port     = "8125"
-         protocol = "UDP"
-       }
- 
-       from {
-         ip_block {
-           cidr = "10.0.0.0/16"
-           except = [
-             "10.0.0.0/24",
-             "10.0.1.0/24",
-           ]
-         }
-       }
-     }
- 
-     policy_types = ["Ingress", "Egress"]
-   }
- }
- 
+resource "kubernetes_network_policy" "good_example" {
+  metadata {
+    name      = "terraform-example-network-policy"
+    namespace = "default"
+  }
+
+  spec {
+    pod_selector {
+      match_expressions {
+        key      = "name"
+        operator = "In"
+        values   = ["webfront", "api"]
+      }
+    }
+
+    egress {
+      ports {
+        port     = "http"
+        protocol = "TCP"
+      }
+      ports {
+        port     = "8125"
+        protocol = "UDP"
+      }
+
+      to {
+        ip_block {
+          cidr = "10.0.0.0/16"
+          except = [
+            "10.0.0.0/24",
+            "10.0.1.0/24",
+          ]
+        }
+      }
+    }
+
+    ingress {
+      ports {
+        port     = "http"
+        protocol = "TCP"
+      }
+      ports {
+        port     = "8125"
+        protocol = "UDP"
+      }
+
+      from {
+        ip_block {
+          cidr = "10.0.0.0/16"
+          except = [
+            "10.0.0.0/24",
+            "10.0.1.0/24",
+          ]
+        }
+      }
+    }
+
+    policy_types = ["Ingress", "Egress"]
+  }
+}
 ```
 
 #### Remediation Links
- - https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#spec.ingress.from.ip_block.cidr
+ - https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#spec.egress.to.ip_block.cidr
 
diff --git a/avd_docs/kubernetes/network/AVD-KUBE-0002/docs.md b/avd_docs/kubernetes/network/AVD-KUBE-0002/docs.md
@@ -2,7 +2,7 @@
 You should not expose infrastructure to the public internet except where explicitly required
 
 ### Impact
-Exfiltration of data to the public internet
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/checks/kubernetes/network/no_public_egress.go b/checks/kubernetes/network/no_public_egress.go
@@ -26,7 +26,8 @@ var CheckNoPublicEgress = rules.Register(
 			Links:               terraformNoPublicEgressLinks,
 			RemediationMarkdown: terraformNoPublicEgressRemediationMarkdown,
 		},
-		Severity: severity.High,
+		Severity:   severity.High,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, policy := range s.Kubernetes.NetworkPolicies {

diff --git a/checks/kubernetes/network/no_public_egress.rego b/checks/kubernetes/network/no_public_egress.rego
@@ -0,0 +1,38 @@
+# METADATA
+# title: Public egress should not be allowed via network policies
+# description: You should not expose infrastructure to the public internet except where explicitly required
+# scope: package
+# schemas:
+# - input: schema["cloud"]
+# custom:
+#   id: AVD-KUBE-0002
+#   avd_id: AVD-KUBE-0002
+#   provider: kubernetes
+#   service: network
+#   severity: HIGH
+#   short_code: no-public-egress
+#   recommended_action: Remove public access except where explicitly required
+#   input:
+#     selector:
+#     - type: cloud
+#       subtypes:
+#           - provider: kubernetes
+#             service: networkpolicies
+#   terraform:
+#     good_examples: checks/kubernetes/network/no_public_egress.yaml
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#spec.egress.to.ip_block.cidr
+package builtin.kube.network.kube0002
+
+import rego.v1
+
+deny contains res if {
+	some policy in input.kubernetes.networkpolicies
+	isManaged(policy)
+	some dest in policy.spec.egress.destinationcidrs
+	cidr.is_public(dest.value)
+	res := result.new(
+		"Network policy allows egress to the public internet.",
+		dest,
+	)
+}