Add versioned kubernetes resources to terraform kubernetes checks (Pa…

…rt 5/5)

checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py

@@ -11,7 +11,7 @@ def __init__(self):
         # CIS-1.5 5.2.3
         name = "Do not admit containers wishing to share the host IPC namespace"
         id = "CKV_K8S_18"
-        supported_resources = ["kubernetes_pod"]
+        supported_resources = ["kubernetes_pod", "kubernetes_pod_v1"]
         categories = [CheckCategories.GENERAL_SECURITY]
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 

checkov/terraform/checks/resource/kubernetes/ShareHostPID.py

@@ -11,7 +11,7 @@ def __init__(self):
         # CIS-1.5 5.2.2
         name = "Do not admit containers wishing to share the host process ID namespace"
         id = "CKV_K8S_17"
-        supported_resources = ["kubernetes_pod"]
+        supported_resources = ["kubernetes_pod", "kubernetes_pod_v1"]
         categories = [CheckCategories.GENERAL_SECURITY]
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
                          missing_block_result=CheckResult.PASSED)

checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py

@@ -11,7 +11,7 @@ def __init__(self):
         # CIS-1.5 5.2.4
         name = "Do not admit containers wishing to share the host network namespace"
         id = "CKV_K8S_19"
-        supported_resources = ["kubernetes_pod"]
+        supported_resources = ["kubernetes_pod", "kubernetes_pod_v1"]
         categories = [CheckCategories.NETWORKING]
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
                          missing_block_result=CheckResult.PASSED)

checkov/terraform/checks/resource/kubernetes/Tiller.py

@@ -10,7 +10,7 @@ class Tiller(BaseResourceCheck):
     def __init__(self) -> None:
         name = "Ensure that Tiller (Helm v2) is not deployed"
         id = "CKV_K8S_34"
-        supported_resources = ["kubernetes_pod"]
+        supported_resources = ["kubernetes_pod", "kubernetes_pod_v1"]
         categories = [CheckCategories.GENERAL_SECURITY]
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 

checkov/terraform/checks/resource/kubernetes/TillerService.py

@@ -10,7 +10,7 @@ class TillerService(BaseResourceCheck):
     def __init__(self) -> None:
         name = "Ensure that the Tiller Service (Helm v2) is deleted"
         id = "CKV_K8S_44"
-        supported_resources = ["kubernetes_service"]
+        supported_resources = ["kubernetes_service", "kubernetes_service_v1"]
         categories = [CheckCategories.GENERAL_SECURITY]
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 

checkov/terraform/checks/resource/kubernetes/WildcardRoles.py

@@ -8,7 +8,8 @@ class WildcardRoles(BaseResourceCheck):
     def __init__(self):
         name = "Minimize wildcard use in Roles and ClusterRoles"
         id = "CKV_K8S_49"
-        supported_resources = ["kubernetes_role", "kubernetes_cluster_role"]
+        supported_resources = ["kubernetes_role", "kubernetes_role_v1",
+                               "kubernetes_cluster_role", "kubernetes_cluster_role_v1"]
 
         categories = [CheckCategories.IAM]
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

tests/terraform/checks/resource/kubernetes/example_ShareHostIPC/main.tf

@@ -56,6 +56,63 @@ resource "kubernetes_pod" "fail" {
   }
 }
 
+resource "kubernetes_pod_v1" "fail" {
+  metadata {
+    name = "terraform-example"
+  }
+
+  spec {
+    host_ipc = true
+    host_pid = true
+
+    container {
+      image = "nginx:1.7.9"
+      name  = "example"
+
+
+      env {
+        name  = "environment"
+        value = "test"
+      }
+
+      port {
+        container_port = 8080
+      }
+
+      liveness_probe {
+        http_get {
+          path = "/nginx_status"
+          port = 80
+
+          http_header {
+            name  = "X-Custom-Header"
+            value = "Awesome"
+          }
+        }
+
+        initial_delay_seconds = 3
+        period_seconds        = 3
+      }
+    }
+
+    dns_config {
+      nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+      searches    = ["example.com"]
+
+      option {
+        name  = "ndots"
+        value = 1
+      }
+
+      option {
+        name = "use-vc"
+      }
+    }
+
+    dns_policy = "None"
+  }
+}
+
 resource "kubernetes_pod" "pass" {
   metadata {
     name = "terraform-example"
@@ -114,6 +171,64 @@ resource "kubernetes_pod" "pass" {
   }
 }
 
+resource "kubernetes_pod_v1" "pass" {
+  metadata {
+    name = "terraform-example"
+  }
+
+  spec {
+
+    host_pid = false
+    host_ipc = false
+
+    container {
+      image = "nginx:1.7.9"
+      name  = "example"
+
+
+      env {
+        name  = "environment"
+        value = "test"
+      }
+
+      port {
+        container_port = 8080
+      }
+
+      liveness_probe {
+        http_get {
+          path = "/nginx_status"
+          port = 80
+
+          http_header {
+            name  = "X-Custom-Header"
+            value = "Awesome"
+          }
+        }
+
+        initial_delay_seconds = 3
+        period_seconds        = 3
+      }
+    }
+
+    dns_config {
+      nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+      searches    = ["example.com"]
+
+      option {
+        name  = "ndots"
+        value = 1
+      }
+
+      option {
+        name = "use-vc"
+      }
+    }
+
+    dns_policy = "None"
+  }
+}
+
 resource "kubernetes_pod" "pass2" {
   metadata {
     name = "terraform-example"
@@ -168,3 +283,58 @@ resource "kubernetes_pod" "pass2" {
     dns_policy = "None"
   }
 }
+
+resource "kubernetes_pod_v1" "pass2" {
+  metadata {
+    name = "terraform-example"
+  }
+
+  spec {
+
+    container {
+      image = "nginx:1.7.9"
+      name  = "example"
+
+
+      env {
+        name  = "environment"
+        value = "test"
+      }
+
+      port {
+        container_port = 8080
+      }
+
+      liveness_probe {
+        http_get {
+          path = "/nginx_status"
+          port = 80
+
+          http_header {
+            name  = "X-Custom-Header"
+            value = "Awesome"
+          }
+        }
+
+        initial_delay_seconds = 3
+        period_seconds        = 3
+      }
+    }
+
+    dns_config {
+      nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+      searches    = ["example.com"]
+
+      option {
+        name  = "ndots"
+        value = 1
+      }
+
+      option {
+        name = "use-vc"
+      }
+    }
+
+    dns_policy = "None"
+  }
+}