From 5b2e1c0c416e8fc9e2113a332ec76c6fc28973f8 Mon Sep 17 00:00:00 2001 From: Nikita Pivkin Date: Tue, 26 Nov 2024 14:29:48 +0600 Subject: [PATCH] refactor(checks): migrate Kubernetes network to Rego Signed-off-by: Nikita Pivkin --- .../network/AVD-KUBE-0001/Terraform.md | 121 +++++++++-------- .../kubernetes/network/AVD-KUBE-0001/docs.md | 2 +- .../network/AVD-KUBE-0002/Terraform.md | 123 +++++++++-------- .../kubernetes/network/AVD-KUBE-0002/docs.md | 2 +- checks/kubernetes/network/no_public_egress.go | 3 +- .../kubernetes/network/no_public_egress.rego | 38 ++++++ .../kubernetes/network/no_public_egress.yaml | 126 ++++++++++++++++++ .../network/no_public_egress_test.go | 77 ----------- .../network/no_public_egress_test.rego | 16 +++ .../kubernetes/network/no_public_ingress.go | 3 +- .../kubernetes/network/no_public_ingress.rego | 38 ++++++ .../kubernetes/network/no_public_ingress.yaml | 126 ++++++++++++++++++ .../network/no_public_ingress_test.go | 77 ----------- .../network/no_public_ingress_test.rego | 16 +++ test/rego/kubernetes_test.go | 98 ++++++++++++++ 15 files changed, 585 insertions(+), 281 deletions(-) create mode 100644 checks/kubernetes/network/no_public_egress.rego create mode 100644 checks/kubernetes/network/no_public_egress.yaml delete mode 100644 checks/kubernetes/network/no_public_egress_test.go create mode 100644 checks/kubernetes/network/no_public_egress_test.rego create mode 100644 checks/kubernetes/network/no_public_ingress.rego create mode 100644 checks/kubernetes/network/no_public_ingress.yaml delete mode 100644 checks/kubernetes/network/no_public_ingress_test.go create mode 100644 checks/kubernetes/network/no_public_ingress_test.rego create mode 100644 test/rego/kubernetes_test.go diff --git a/avd_docs/kubernetes/network/AVD-KUBE-0001/Terraform.md b/avd_docs/kubernetes/network/AVD-KUBE-0001/Terraform.md index 475ca5aa..f4156bbd 100644 --- a/avd_docs/kubernetes/network/AVD-KUBE-0001/Terraform.md 
+++ b/avd_docs/kubernetes/network/AVD-KUBE-0001/Terraform.md @@ -2,67 +2,66 @@ Remove public access except where explicitly required ```hcl - resource "kubernetes_network_policy" "good_example" { - metadata { - name = "terraform-example-network-policy" - namespace = "default" - } - - spec { - pod_selector { - match_expressions { - key = "name" - operator = "In" - values = ["webfront", "api"] - } - } - - ingress { - ports { - port = "http" - protocol = "TCP" - } - ports { - port = "8125" - protocol = "UDP" - } - - from { - ip_block { - cidr = "10.0.0.0/16" - except = [ - "10.0.0.0/24", - "10.0.1.0/24", - ] - } - } - } - - egress { - ports { - port = "http" - protocol = "TCP" - } - ports { - port = "8125" - protocol = "UDP" - } - - to { - ip_block { - cidr = "0.0.0.0/0" - except = [ - "10.0.0.0/24", - "10.0.1.0/24", - ] - } - } - } - - policy_types = ["Ingress", "Egress"] - } - } - +resource "kubernetes_network_policy" "good_example" { + metadata { + name = "terraform-example-network-policy" + namespace = "default" + } + + spec { + pod_selector { + match_expressions { + key = "name" + operator = "In" + values = ["webfront", "api"] + } + } + + ingress { + ports { + port = "http" + protocol = "TCP" + } + ports { + port = "8125" + protocol = "UDP" + } + + from { + ip_block { + cidr = "10.0.0.0/16" + except = [ + "10.0.0.0/24", + "10.0.1.0/24", + ] + } + } + } + + egress { + ports { + port = "http" + protocol = "TCP" + } + ports { + port = "8125" + protocol = "UDP" + } + + to { + ip_block { + cidr = "0.0.0.0/0" + except = [ + "10.0.0.0/24", + "10.0.1.0/24", + ] + } + } + } + + policy_types = ["Ingress", "Egress"] + } +} ``` #### Remediation Links diff --git a/avd_docs/kubernetes/network/AVD-KUBE-0001/docs.md b/avd_docs/kubernetes/network/AVD-KUBE-0001/docs.md index d99ebb93..eb36c092 100644 --- a/avd_docs/kubernetes/network/AVD-KUBE-0001/docs.md +++ b/avd_docs/kubernetes/network/AVD-KUBE-0001/docs.md 
@@ -2,7 +2,7 @@ You should not expose infrastructure to the public internet except where explicitly required ### Impact -Exposure of infrastructure to the public internet + {{ remediationActions }} diff --git a/avd_docs/kubernetes/network/AVD-KUBE-0002/Terraform.md b/avd_docs/kubernetes/network/AVD-KUBE-0002/Terraform.md index 5d4db9e6..f7571839 100644 --- a/avd_docs/kubernetes/network/AVD-KUBE-0002/Terraform.md +++ b/avd_docs/kubernetes/network/AVD-KUBE-0002/Terraform.md 
@@ -2,69 +2,68 @@ Remove public access except where explicitly required ```hcl - resource "kubernetes_network_policy" "good_example" { - metadata { - name = "terraform-example-network-policy" - namespace = "default" - } - - spec { - pod_selector { - match_expressions { - key = "name" - operator = "In" - values = ["webfront", "api"] - } - } - - egress { - ports { - port = "http" - protocol = "TCP" - } - ports { - port = "8125" - protocol = "UDP" - } - - to { - ip_block { - cidr = "10.0.0.0/16" - except = [ - "10.0.0.0/24", - "10.0.1.0/24", - ] - } - } - } - - ingress { - ports { - port = "http" - protocol = "TCP" - } - ports { - port = "8125" - protocol = "UDP" - } - - from { - ip_block { - cidr = "10.0.0.0/16" - except = [ - "10.0.0.0/24", - "10.0.1.0/24", - ] - } - } - } - - policy_types = ["Ingress", "Egress"] - } - } - +resource "kubernetes_network_policy" "good_example" { + metadata { + name = "terraform-example-network-policy" + namespace = "default" + } + + spec { + pod_selector { + match_expressions { + key = "name" + operator = "In" + values = ["webfront", "api"] + } + } + + egress { + ports { + port = "http" + protocol = "TCP" + } + ports { + port = "8125" + protocol = "UDP" + } + + to { + ip_block { + cidr = "10.0.0.0/16" + except = [ + "10.0.0.0/24", + "10.0.1.0/24", + ] + } + } + } + + ingress { + ports { + port = "http" + protocol = "TCP" + } + ports { + port = "8125" + protocol = "UDP" + } + + from { + ip_block { + cidr = "10.0.0.0/16" + except = [ + "10.0.0.0/24", + "10.0.1.0/24", + ] + } + } + } + + policy_types = ["Ingress", "Egress"] + } +} ``` #### Remediation Links - - https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#spec.ingress.from.ip_block.cidr + - https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#spec.egress.to.ip_block.cidr 
diff --git a/avd_docs/kubernetes/network/AVD-KUBE-0002/docs.md b/avd_docs/kubernetes/network/AVD-KUBE-0002/docs.md index 53664db8..eb36c092 100644 --- a/avd_docs/kubernetes/network/AVD-KUBE-0002/docs.md +++ b/avd_docs/kubernetes/network/AVD-KUBE-0002/docs.md @@ -2,7 +2,7 @@ You should not expose infrastructure to the public internet except where explicitly required ### Impact -Exfiltration of data to the public internet + {{ remediationActions }} diff --git a/checks/kubernetes/network/no_public_egress.go b/checks/kubernetes/network/no_public_egress.go index 689307e9..1dc735a8 100755 --- a/checks/kubernetes/network/no_public_egress.go +++ b/checks/kubernetes/network/no_public_egress.go @@ -26,7 +26,8 @@ var CheckNoPublicEgress = rules.Register( Links: terraformNoPublicEgressLinks, RemediationMarkdown: terraformNoPublicEgressRemediationMarkdown, }, - Severity: severity.High, + Severity: severity.High, + Deprecated: true, }, func(s *state.State) (results scan.Results) { for _, policy := range s.Kubernetes.NetworkPolicies { diff --git a/checks/kubernetes/network/no_public_egress.rego b/checks/kubernetes/network/no_public_egress.rego new file mode 100644 index 00000000..0f1185a1 --- /dev/null +++ b/checks/kubernetes/network/no_public_egress.rego 
@@ -0,0 +1,38 @@
+# METADATA
+# title: Public egress should not be allowed via network policies
+# description: You should not expose infrastructure to the public internet except where explicitly required
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# custom:
+#   id: AVD-KUBE-0002
+#   avd_id: AVD-KUBE-0002
+#   provider: kubernetes
+#   service: network
+#   severity: HIGH
+#   short_code: no-public-egress
+#   recommended_action: Remove public access except where explicitly required
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - provider: kubernetes
+#             service: networkpolicies
+#   terraform:
+#     good_examples: checks/kubernetes/network/no_public_egress.yaml
+#   links:
+#     - https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#spec.egress.to.ip_block.cidr
+package builtin.kube.network.kube0002
+
+import rego.v1
+
+deny contains res if {
+	some policy in input.kubernetes.networkpolicies
+	isManaged(policy)
+	some dest in policy.spec.egress.destinationcidrs
+	cidr.is_public(dest.value)
+	res := result.new(
+		"Network policy allows egress to the public internet.",
+		dest,
+	)
+}
diff --git a/checks/kubernetes/network/no_public_egress.yaml b/checks/kubernetes/network/no_public_egress.yaml
new file mode 100644
index 00000000..af3a1373
--- /dev/null
+++ b/checks/kubernetes/network/no_public_egress.yaml
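Review bot: The rule only iterates `policy.spec.egress.destinationcidrs`, so a policy whose egress `to` block carries no `ip_block` (in Kubernetes semantics an unrestricted destination) has nothing to iterate and passes silently, assuming the adapter fills destinationcidrs solely from `ip_block.cidr` as the removed Go test and the Terraform examples suggest; the same applies to `sourcecidrs` in the no_public_ingress.rego hunk. If that scope is intentional it deserves a comment above the `some dest in` line, e.g. `# Only explicit ip_block CIDRs are evaluated; a rule with no ip_block (unrestricted) is out of scope here.`, so a reader does not assume unrestricted egress is reported. Separately, the regenerated docs.md hunks for both IDs now render an empty `### Impact` section, which suggests the former impact text has no home in the new METADATA block; worth confirming whether the metadata schema carries a field for it before the docs are published.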
@@ -0,0 +1,126 @@ +terraform: + good: + - |- + resource "kubernetes_network_policy" "good_example" { + metadata { + name = "terraform-example-network-policy" + namespace = "default" + } + + spec { + pod_selector { + match_expressions { + key = "name" + operator = "In" + values = ["webfront", "api"] + } + } + + egress { + ports { + port = "http" + protocol = "TCP" + } + ports { + port = "8125" + protocol = "UDP" + } + + to { + ip_block { + cidr = "10.0.0.0/16" + except = [ + "10.0.0.0/24", + "10.0.1.0/24", + ] + } + } + } + + ingress { + ports { + port = "http" + protocol = "TCP" + } + ports { + port = "8125" + protocol = "UDP" + } + + from { + ip_block { + cidr = "10.0.0.0/16" + except = [ + "10.0.0.0/24", + "10.0.1.0/24", + ] + } + } + } + + policy_types = ["Ingress", "Egress"] + } + } + bad: + - |- + resource "kubernetes_network_policy" "bad_example" { + metadata { + name = "terraform-example-network-policy" + namespace = "default" + } + + spec { + pod_selector { + match_expressions { + key = "name" + operator = "In" + values = ["webfront", "api"] + } + } + + egress { + ports { + port = "http" + protocol = "TCP" + } + ports { + port = "8125" + protocol = "UDP" + } + + to { + ip_block { + cidr = "0.0.0.0/0" + except = [ + "10.0.0.0/24", + "10.0.1.0/24", + ] + } + } + } + + ingress { + ports { + port = "http" + protocol = "TCP" + } + ports { + port = "8125" + protocol = "UDP" + } + + from { + ip_block { + cidr = "10.0.0.0/16" + except = [ + "10.0.0.0/24", + "10.0.1.0/24", + ] + } + } + } + + policy_types = ["Ingress", "Egress"] + } + } + diff --git a/checks/kubernetes/network/no_public_egress_test.go b/checks/kubernetes/network/no_public_egress_test.go deleted file mode 100644 index c0ee6be0..00000000 --- a/checks/kubernetes/network/no_public_egress_test.go +++ /dev/null 
@@ -1,77 +0,0 @@
-package network
-
-import (
-	"testing"
-
-	trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
-
-	"github.com/aquasecurity/trivy/pkg/iac/state"
-
-	"github.com/aquasecurity/trivy/pkg/iac/providers/kubernetes"
-	"github.com/aquasecurity/trivy/pkg/iac/scan"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestCheckNoPublicEgress(t *testing.T) {
-	tests := []struct {
-		name     string
-		input    []kubernetes.NetworkPolicy
-		expected bool
-	}{
-		{
-			name: "Public destination CIDR",
-			input: []kubernetes.NetworkPolicy{
-				{
-					Metadata: trivyTypes.NewTestMetadata(),
-					Spec: kubernetes.NetworkPolicySpec{
-						Metadata: trivyTypes.NewTestMetadata(),
-						Egress: kubernetes.Egress{
-							Metadata: trivyTypes.NewTestMetadata(),
-							DestinationCIDRs: []trivyTypes.StringValue{
-								trivyTypes.String("0.0.0.0/0", trivyTypes.NewTestMetadata()),
-							},
-						},
-					},
-				},
-			},
-			expected: true,
-		},
-		{
-			name: "Private destination CIDR",
-			input: []kubernetes.NetworkPolicy{
-				{
-					Metadata: trivyTypes.NewTestMetadata(),
-					Spec: kubernetes.NetworkPolicySpec{
-						Metadata: trivyTypes.NewTestMetadata(),
-						Egress: kubernetes.Egress{
-							Metadata: trivyTypes.NewTestMetadata(),
-							DestinationCIDRs: []trivyTypes.StringValue{
-								trivyTypes.String("10.0.0.0/16", trivyTypes.NewTestMetadata()),
-							},
-						},
-					},
-				},
-			},
-			expected: false,
-		},
-	}
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			var testState state.State
-			testState.Kubernetes.NetworkPolicies = test.input
-			results := CheckNoPublicEgress.Evaluate(&testState)
-			var found bool
-			for _, result := range results {
-				if result.Status() == scan.StatusFailed && result.Rule().LongID() == CheckNoPublicEgress.LongID() {
-					found = true
-				}
-			}
-			if test.expected {
-				assert.True(t, found, "Rule should have been found")
-			} else {
-				assert.False(t, found, "Rule should not have been found")
-			}
-		})
-	}
-}
diff --git a/checks/kubernetes/network/no_public_egress_test.rego b/checks/kubernetes/network/no_public_egress_test.rego
new file mode 100644
index 00000000..b3919692
--- /dev/null
+++ b/checks/kubernetes/network/no_public_egress_test.rego
@@ -0,0 +1,16 @@
+package builtin.kube.network.kube0002_test
+
+import rego.v1
+
+import data.builtin.kube.network.kube0002 as check
+import data.lib.test
+
+test_allow_private_source if {
+	inp := {"kubernetes": {"networkpolicies": [{"spec": {"egress": {"destinationcidrs": [{"value": "10.0.0.0/16"}]}}}]}}
+	test.assert_empty(check.deny) with input as inp
+}
+
+test_deny_public_source if {
+	inp := {"kubernetes": {"networkpolicies": [{"spec": {"egress": {"destinationcidrs": [{"value": "0.0.0.0/0"}]}}}]}}
+	test.assert_count(check.deny, 1) with input as inp
+}
diff --git a/checks/kubernetes/network/no_public_ingress.go b/checks/kubernetes/network/no_public_ingress.go
index 33178789..41d435b6 100755
--- a/checks/kubernetes/network/no_public_ingress.go
+++ b/checks/kubernetes/network/no_public_ingress.go
@@ -26,7 +26,8 @@ var CheckNoPublicIngress = rules.Register(
 			Links:               terraformNoPublicIngressLinks,
 			RemediationMarkdown: terraformNoPublicIngressRemediationMarkdown,
 		},
-		Severity: severity.High,
+		Severity:   severity.High,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, policy := range s.Kubernetes.NetworkPolicies {
diff --git a/checks/kubernetes/network/no_public_ingress.rego b/checks/kubernetes/network/no_public_ingress.rego
new file mode 100644
index 00000000..29f3c51b
--- /dev/null
+++ b/checks/kubernetes/network/no_public_ingress.rego
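Review bot: The test names `test_allow_private_source` and `test_deny_public_source` in this egress test file are copied from the ingress twin, but the rule under test inspects `destinationcidrs`, so the names misdescribe the scenario; rename them to `test_allow_private_destination if {` and `test_deny_public_destination if {`. Both rego test files also exercise only one CIDR per policy, so a case mixing a private and a public entry in one `destinationcidrs` list would confirm that the `some dest in` iteration reports the public one rather than only the first entry.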
@@ -0,0 +1,38 @@
+# METADATA
+# title: Public ingress should not be allowed via network policies
+# description: You should not expose infrastructure to the public internet except where explicitly required
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# custom:
+#   id: AVD-KUBE-0001
+#   avd_id: AVD-KUBE-0001
+#   provider: kubernetes
+#   service: network
+#   severity: HIGH
+#   short_code: no-public-ingress
+#   recommended_action: Remove public access except where explicitly required
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - provider: kubernetes
+#             service: networkpolicies
+#   terraform:
+#     good_examples: checks/kubernetes/network/no_public_ingress.yaml
+#   links:
+#     - https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#spec.ingress.from.ip_block.cidr
+package builtin.kube.network.kube0001
+
+import rego.v1
+
+deny contains res if {
+	some policy in input.kubernetes.networkpolicies
+	isManaged(policy)
+	some source in policy.spec.ingress.sourcecidrs
+	cidr.is_public(source.value)
+	res := result.new(
+		"Network policy allows ingress from the public internet.",
+		source,
+	)
+}
diff --git a/checks/kubernetes/network/no_public_ingress.yaml b/checks/kubernetes/network/no_public_ingress.yaml
new file mode 100644
index 00000000..607ad63a
--- /dev/null
+++ b/checks/kubernetes/network/no_public_ingress.yaml
@@ -0,0 +1,126 @@ +terraform: + good: + - |- + resource "kubernetes_network_policy" "good_example" { + metadata { + name = "terraform-example-network-policy" + namespace = "default" + } + + spec { + pod_selector { + match_expressions { + key = "name" + operator = "In" + values = ["webfront", "api"] + } + } + + ingress { + ports { + port = "http" + protocol = "TCP" + } + ports { + port = "8125" + protocol = "UDP" + } + + from { + ip_block { + cidr = "10.0.0.0/16" + except = [ + "10.0.0.0/24", + "10.0.1.0/24", + ] + } + } + } + + egress { + ports { + port = "http" + protocol = "TCP" + } + ports { + port = "8125" + protocol = "UDP" + } + + to { + ip_block { + cidr = "0.0.0.0/0" + except = [ + "10.0.0.0/24", + "10.0.1.0/24", + ] + } + } + } + + policy_types = ["Ingress", "Egress"] + } + } + + bad: + - |- + resource "kubernetes_network_policy" "bad_example" { + metadata { + name = "terraform-example-network-policy" + namespace = "default" + } + + spec { + pod_selector { + match_expressions { + key = "name" + operator = "In" + values = ["webfront", "api"] + } + } + + ingress { + ports { + port = "http" + protocol = "TCP" + } + ports { + port = "8125" + protocol = "UDP" + } + + from { + ip_block { + cidr = "0.0.0.0/0" + except = [ + "10.0.0.0/24", + "10.0.1.0/24", + ] + } + } + } + + egress { + ports { + port = "http" + protocol = "TCP" + } + ports { + port = "8125" + protocol = "UDP" + } + + to { + ip_block { + cidr = "0.0.0.0/0" + except = [ + "10.0.0.0/24", + "10.0.1.0/24", + ] + } + } + } + + policy_types = ["Ingress", "Egress"] + } + } diff --git a/checks/kubernetes/network/no_public_ingress_test.go b/checks/kubernetes/network/no_public_ingress_test.go deleted file mode 100644 index c5c1ee4c..00000000 --- a/checks/kubernetes/network/no_public_ingress_test.go +++ /dev/null 
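Review bot: The `good` example for the ingress check still carries `cidr = "0.0.0.0/0"` in its `egress { to { ip_block` block, which is exactly what the sibling AVD-KUBE-0002 check reports, so a user who copies the "good" policy from the generated Terraform.md gets a finding from the other check. Since this fixture is rendered into the docs through `good_examples`, changing that one line to `cidr = "10.0.0.0/16"` (as no_public_egress.yaml already does for its good example) keeps the example clean under both rules. The `bad` example is fine as written, since the public CIDR it needs is in the ingress `from` block.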
@@ -1,77 +0,0 @@
-package network
-
-import (
-	"testing"
-
-	trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
-
-	"github.com/aquasecurity/trivy/pkg/iac/state"
-
-	"github.com/aquasecurity/trivy/pkg/iac/providers/kubernetes"
-	"github.com/aquasecurity/trivy/pkg/iac/scan"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestCheckNoPublicIngress(t *testing.T) {
-	tests := []struct {
-		name     string
-		input    []kubernetes.NetworkPolicy
-		expected bool
-	}{
-		{
-			name: "Public source CIDR",
-			input: []kubernetes.NetworkPolicy{
-				{
-					Metadata: trivyTypes.NewTestMetadata(),
-					Spec: kubernetes.NetworkPolicySpec{
-						Metadata: trivyTypes.NewTestMetadata(),
-						Ingress: kubernetes.Ingress{
-							Metadata: trivyTypes.NewTestMetadata(),
-							SourceCIDRs: []trivyTypes.StringValue{
-								trivyTypes.String("0.0.0.0/0", trivyTypes.NewTestMetadata()),
-							},
-						},
-					},
-				},
-			},
-			expected: true,
-		},
-		{
-			name: "Private source CIDR",
-			input: []kubernetes.NetworkPolicy{
-				{
-					Metadata: trivyTypes.NewTestMetadata(),
-					Spec: kubernetes.NetworkPolicySpec{
-						Metadata: trivyTypes.NewTestMetadata(),
-						Ingress: kubernetes.Ingress{
-							Metadata: trivyTypes.NewTestMetadata(),
-							SourceCIDRs: []trivyTypes.StringValue{
-								trivyTypes.String("10.0.0.0/16", trivyTypes.NewTestMetadata()),
-							},
-						},
-					},
-				},
-			},
-			expected: false,
-		},
-	}
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			var testState state.State
-			testState.Kubernetes.NetworkPolicies = test.input
-			results := CheckNoPublicIngress.Evaluate(&testState)
-			var found bool
-			for _, result := range results {
-				if result.Status() == scan.StatusFailed && result.Rule().LongID() == CheckNoPublicIngress.LongID() {
-					found = true
-				}
-			}
-			if test.expected {
-				assert.True(t, found, "Rule should have been found")
-			} else {
-				assert.False(t, found, "Rule should not have been found")
-			}
-		})
-	}
-}
diff --git a/checks/kubernetes/network/no_public_ingress_test.rego b/checks/kubernetes/network/no_public_ingress_test.rego
new file mode 100644
index 00000000..be3cc948
--- /dev/null
+++ b/checks/kubernetes/network/no_public_ingress_test.rego
@@ -0,0 +1,16 @@
+package builtin.kube.network.kube0001_test
+
+import rego.v1
+
+import data.builtin.kube.network.kube0001 as check
+import data.lib.test
+
+test_allow_private_source if {
+	inp := {"kubernetes": {"networkpolicies": [{"spec": {"ingress": {"sourcecidrs": [{"value": "10.0.0.0/16"}]}}}]}}
+	test.assert_empty(check.deny) with input as inp
+}
+
+test_deny_public_source if {
+	inp := {"kubernetes": {"networkpolicies": [{"spec": {"ingress": {"sourcecidrs": [{"value": "0.0.0.0/0"}]}}}]}}
+	test.assert_count(check.deny, 1) with input as inp
+}
diff --git a/test/rego/kubernetes_test.go b/test/rego/kubernetes_test.go
new file mode 100644
index 00000000..587639e2
--- /dev/null
+++ b/test/rego/kubernetes_test.go
@@ -0,0 +1,98 @@
+package test
+
+import (
+	"github.com/aquasecurity/trivy/pkg/iac/providers/kubernetes"
+	"github.com/aquasecurity/trivy/pkg/iac/state"
+	trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
+)
+
+func init() {
+	addTests(kubernetesTestCases)
+}
+
+var kubernetesTestCases = testCases{
+	"AVD-KUBE-0001": []testCase{
+		{
+			name: "Public source CIDR",
+			input: state.State{Kubernetes: kubernetes.Kubernetes{
+				NetworkPolicies: []kubernetes.NetworkPolicy{
+					{
+						Metadata: trivyTypes.NewTestMetadata(),
+						Spec: kubernetes.NetworkPolicySpec{
+							Metadata: trivyTypes.NewTestMetadata(),
+							Ingress: kubernetes.Ingress{
+								Metadata: trivyTypes.NewTestMetadata(),
+								SourceCIDRs: []trivyTypes.StringValue{
+									trivyTypes.String("0.0.0.0/0", trivyTypes.NewTestMetadata()),
+								},
+							},
+						},
+					},
+				},
+			}},
+			expected: true,
+		},
+		{
+			name: "Private source CIDR",
+			input: state.State{Kubernetes: kubernetes.Kubernetes{
+				NetworkPolicies: []kubernetes.NetworkPolicy{
+					{
+						Metadata: trivyTypes.NewTestMetadata(),
+						Spec: kubernetes.NetworkPolicySpec{
+							Metadata: trivyTypes.NewTestMetadata(),
+							Ingress: kubernetes.Ingress{
+								Metadata: trivyTypes.NewTestMetadata(),
+								SourceCIDRs: []trivyTypes.StringValue{
+									trivyTypes.String("10.0.0.0/16", trivyTypes.NewTestMetadata()),
+								},
+							},
+						},
+					},
+				},
+			}},
+			expected: false,
+		},
+	},
+	"AVD-KUBE-0002": []testCase{
+		{
+			name: "Public destination CIDR",
+			input: state.State{Kubernetes: kubernetes.Kubernetes{
+				NetworkPolicies: []kubernetes.NetworkPolicy{
+					{
+						Metadata: trivyTypes.NewTestMetadata(),
+						Spec: kubernetes.NetworkPolicySpec{
+							Metadata: trivyTypes.NewTestMetadata(),
+							Egress: kubernetes.Egress{
+								Metadata: trivyTypes.NewTestMetadata(),
+								DestinationCIDRs: []trivyTypes.StringValue{
+									trivyTypes.String("0.0.0.0/0", trivyTypes.NewTestMetadata()),
+								},
+							},
+						},
+					},
+				},
+			}},
+			expected: true,
+		},
+		{
+			name: "Private destination CIDR",
+			input: state.State{Kubernetes: kubernetes.Kubernetes{
+				NetworkPolicies: []kubernetes.NetworkPolicy{
+					{
+						Metadata: trivyTypes.NewTestMetadata(),
+						Spec: kubernetes.NetworkPolicySpec{
+							Metadata: trivyTypes.NewTestMetadata(),
+							Egress: kubernetes.Egress{
+								Metadata: trivyTypes.NewTestMetadata(),
+								DestinationCIDRs: []trivyTypes.StringValue{
+									trivyTypes.String("10.0.0.0/16", trivyTypes.NewTestMetadata()),
+								},
+							},
+						},
+					},
+				},
+			}},
+			expected: false,
+		},
+	},
+}
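Review bot: Each ID in `kubernetesTestCases` has only a single-CIDR positive and negative case, so nothing checks that a policy listing both a private and a public CIDR is still reported, nor that a policy with only the opposite direction populated (for example public egress under AVD-KUBE-0001) stays clean; the Go tests deleted in this commit had the same gap. A third case per ID with `SourceCIDRs: []trivyTypes.StringValue{trivyTypes.String("10.0.0.0/16", trivyTypes.NewTestMetadata()), trivyTypes.String("0.0.0.0/0", trivyTypes.NewTestMetadata())}` and `expected: true` would pin the iteration, and a cross-direction case with `expected: false` would pin the scoping. The `kubernetesTestCases` literal closes at the end of this hunk, so nothing continues outside it.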