
Add versioned kubernetes resources to terraform kubernetes checks (Pa…
…rt 2/5)
ugrave committed Oct 13, 2022
1 parent 85143e3 commit 02ee939
Showing 19 changed files with 2,420 additions and 116 deletions.
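--- a/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py
+++ b/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py
@@ -7,11 +7,19 @@ def __init__(self):
 # CIS-1.5 5.7.4
 name = "The default namespace should not be used"
 id = "CKV_K8S_21"
-supported_resources = ["kubernetes_pod", "kubernetes_deployment", "kubernetes_daemonset",
-"kubernetes_stateful_set", "kubernetes_replication_controller", "kubernetes_job",
-"kubernetes_cron_job", "kubernetes_service", "kubernetes_secret",
-"kubernetes_service_account", "kubernetes_role_binding", "kubernetes_config_map",
-"kubernetes_ingress"]
+supported_resources = ["kubernetes_pod", "kubernetes_pod_v1"
+"kubernetes_deployment", "kubernetes_deployment_v1",
+"kubernetes_daemonset", "kubernetes_daemon_set_v1"
+"kubernetes_stateful_set", "kubernetes_stateful_set_v1",
+"kubernetes_replication_controller", "kubernetes_replication_controller_v1",
+"kubernetes_job", "kubernetes_job_v1"
+"kubernetes_cron_job", "kubernetes_cron_job_v1",
+"kubernetes_service", "kubernetes_api_service_v1",
+"kubernetes_secret", "kubernetes_secret_v1"
+"kubernetes_service_account", "kubernetes_service_account_v1",
+"kubernetes_role_binding", "kubernetes_role_binding_v1",
+"kubernetes_config_map", "kubernetes_config_map_v1"
+"kubernetes_ingress", "kubernetes_ingress_v1"]
 
 categories = [CheckCategories.GENERAL_SECURITY]
 super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)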
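Review bot: Five entries of the new `supported_resources` list — the lines ending in `"kubernetes_pod_v1"`, `"kubernetes_daemon_set_v1"`, `"kubernetes_job_v1"`, `"kubernetes_secret_v1"` and `"kubernetes_config_map_v1"` — have no trailing comma, so implicit string concatenation fuses each with the literal on the next line (e.g. `"kubernetes_pod_v1kubernetes_deployment"`) and ten resource types silently fall out of the check, among them `kubernetes_deployment`, `kubernetes_stateful_set`, `kubernetes_cron_job`, `kubernetes_service_account` and `kubernetes_ingress`, which the removed list did cover. CKV_K8S_21 would no longer evaluate those resources at all, and nothing in the commit would fail on it because the list still parses. Separately, `"kubernetes_service"` is paired with `"kubernetes_api_service_v1"`, which is the APIService resource rather than the versioned Service; the intended counterpart is presumably `kubernetes_service_v1`. A unit test asserting the list has 26 entries and contains no name with two `kubernetes_` prefixes would catch both; `__init__` continues outside the hunk.
```python
        supported_resources = ["kubernetes_pod", "kubernetes_pod_v1",
                               "kubernetes_deployment", "kubernetes_deployment_v1",
                               "kubernetes_daemonset", "kubernetes_daemon_set_v1",
                               "kubernetes_stateful_set", "kubernetes_stateful_set_v1",
                               "kubernetes_replication_controller", "kubernetes_replication_controller_v1",
                               "kubernetes_job", "kubernetes_job_v1",
                               "kubernetes_cron_job", "kubernetes_cron_job_v1",
                               "kubernetes_service", "kubernetes_service_v1",
                               "kubernetes_secret", "kubernetes_secret_v1",
                               "kubernetes_service_account", "kubernetes_service_account_v1",
                               "kubernetes_role_binding", "kubernetes_role_binding_v1",
                               "kubernetes_config_map", "kubernetes_config_map_v1",
                               "kubernetes_ingress", "kubernetes_ingress_v1"]
```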
Expand Up @@ -12,7 +12,7 @@ def __init__(self) -> None:
name = "Ensure that default service accounts are not actively used"
# Check automountServiceAccountToken in default service account in runtime
id = "CKV_K8S_41"
supported_resources = ["kubernetes_service_account"]
supported_resources = ["kubernetes_service_account", "kubernetes_service_account_v1"]
categories = [CheckCategories.GENERAL_SECURITY]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

Expand Up @@ -8,7 +8,8 @@ def __init__(self):
name = "Ensure that default service accounts are not actively used"
# Check no role/clusterrole is bound to a default service account (to ensure not actively used)
id = "CKV_K8S_42"
supported_resources = ["kubernetes_role_binding", "kubernetes_cluster_role_binding"]
supported_resources = ["kubernetes_role_binding", "kubernetes_role_binding_v1",
"kubernetes_cluster_role_binding", "kubernetes_cluster_role_binding_v1"]
categories = [CheckCategories.GENERAL_SECURITY]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

Expand Up @@ -15,7 +15,9 @@ def __init__(self) -> None:
# Location: *.spec.template.spec.volumes[].hostPath.path
id = "CKV_K8S_27"
name = "Do not expose the docker daemon socket to containers"
supported_resources = ("kubernetes_pod", "kubernetes_deployment", "kubernetes_daemonset")
supported_resources = ("kubernetes_pod", "kubernetes_pod_v1",
"kubernetes_deployment", "kubernetes_deployment_v1",
"kubernetes_daemonset", "kubernetes_daemon_set_v1")
categories = (CheckCategories.NETWORKING,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

Expand Up @@ -11,7 +11,7 @@ def __init__(self):
name = "Minimize the admission of containers with the NET_RAW capability"
id = "CKV_K8S_28"

supported_resources = ('kubernetes_pod',)
supported_resources = ('kubernetes_pod', 'kubernetes_pod_v1')
categories = (CheckCategories.GENERAL_SECURITY,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

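--- a/checkov/terraform/checks/resource/kubernetes/HostPort.py
+++ b/checkov/terraform/checks/resource/kubernetes/HostPort.py
@@ -16,7 +16,7 @@ def __init__(self):
 """
 name = "Do not specify hostPort unless absolutely necessary"
 id = "CKV_K8S_26"
-supported_resources = ["kubernetes_pod"]
+supported_resources = ["kubernetes_pod", "kubernetes_pod_v1"]
 categories = [CheckCategories.GENERAL_SECURITY]
 super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 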
