Include pods of kubernetes_deployment in kubernetes_pod checks (1/4)

checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py

@@ -14,7 +14,8 @@ def __init__(self):
 
         name = "Containers should not run with allowPrivilegeEscalation"
         id = "CKV_K8S_20"
-        supported_resources = ['kubernetes_pod', 'kubernetes_pod_v1']
+        supported_resources = ['kubernetes_pod', 'kubernetes_pod_v1',
+                               'kubernetes_deployment', 'kubernetes_deployment_v1']
         categories = [CheckCategories.GENERAL_SECURITY]
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
@@ -24,6 +25,14 @@ def scan_resource_conf(self, conf) -> CheckResult:
             return CheckResult.UNKNOWN
         spec = spec_list[0]
         if spec:
+            evaluated_keys_path = "spec"
+
+            if spec.get("template") and isinstance(spec.get("template"), list):
+                template = spec.get("template")[0]
+                if template.get("spec") and isinstance(template.get("spec"), list):
+                    spec = template.get("spec")[0]
+                evaluated_keys_path = f'{evaluated_keys_path}/[0]/template/[0]/spec'
+
             containers = spec.get("container")
             if not containers:
                 return CheckResult.UNKNOWN
@@ -34,7 +43,7 @@ def scan_resource_conf(self, conf) -> CheckResult:
                     context = container.get("security_context")[0]
                     if context.get("allow_privilege_escalation"):
                         if context.get("allow_privilege_escalation") == [True]:
-                            self.evaluated_keys = [f'spec/[0]/container/[{idx}]/security_context/[0]/'
+                            self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]/security_context/[0]/'
                                                    f'allow_privilege_escalation']
                             return CheckResult.FAILED
             return CheckResult.PASSED

checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py

@@ -12,12 +12,21 @@ def __init__(self):
 
         id = "CKV_K8S_25"
 
-        supported_resources = ['kubernetes_pod', 'kubernetes_pod_v1']
+        supported_resources = ['kubernetes_pod', 'kubernetes_pod_v1',
+                               'kubernetes_deployment', 'kubernetes_deployment_v1']
         categories = [CheckCategories.GENERAL_SECURITY]
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
     def scan_resource_conf(self, conf) -> CheckResult:
         spec = conf.get('spec', [None])[0]
+        evaluated_keys_path = "spec"
+
+        if spec.get("template") and isinstance(spec.get("template"), list):
+            template = spec.get("template")[0]
+            if template.get("spec") and isinstance(template.get("spec"), list):
+                spec = template.get("spec")[0]
+                evaluated_keys_path = f'{evaluated_keys_path}/[0]/template/[0]/spec'
+
         if isinstance(spec, dict) and spec.get("container"):
             containers = spec.get("container")
 
@@ -31,8 +40,9 @@ def scan_resource_conf(self, conf) -> CheckResult:
                         if capabilities.get("add"):
                             add = capabilities.get("add")[0]
                             if add:
-                                self.evaluated_keys = [f'spec/[0]/container/[{idx}]/'
+                                self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]/'
                                                        f'security_context/[0]/capabilities/add']
+
                                 return CheckResult.FAILED
         return CheckResult.PASSED
 

checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py

@@ -10,12 +10,21 @@ def __init__(self):
         # https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
         id = "CKV_K8S_39"
 
-        supported_resources = ['kubernetes_pod', 'kubernetes_pod_v1']
+        supported_resources = ['kubernetes_pod', 'kubernetes_pod_v1',
+                               'kubernetes_deployment', 'kubernetes_deployment_v1']
         categories = [CheckCategories.GENERAL_SECURITY]
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
     def scan_resource_conf(self, conf) -> CheckResult:
         spec = conf.get('spec', [None])[0]
+        evaluated_keys_path = "spec"
+
+        if spec.get("template") and isinstance(spec.get("template"), list):
+            template = spec.get("template")[0]
+            if template.get("spec") and isinstance(template.get("spec"), list):
+                spec = template.get("spec")[0]
+                evaluated_keys_path = f'{evaluated_keys_path}/[0]/template/[0]/spec'
+
         if isinstance(spec, dict) and spec.get("container"):
             containers = spec.get("container")
 
@@ -29,7 +38,7 @@ def scan_resource_conf(self, conf) -> CheckResult:
                         if capabilities.get("add") and isinstance(capabilities.get("add"), list):
                             add = capabilities.get("add")[0]
                             if "SYS_ADMIN" in add:
-                                self.evaluated_keys = [f'spec/[0]/container/[{idx}]/'
+                                self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]/'
                                                        f'security_context/[0]/capabilities/add']
                                 return CheckResult.FAILED
         return CheckResult.PASSED

checkov/terraform/checks/resource/kubernetes/CPULimits.py

@@ -10,7 +10,8 @@ class CPULimits(BaseResourceCheck):
     def __init__(self) -> None:
         name = "CPU Limits should be set"
         id = "CKV_K8S_11"
-        supported_resources = ["kubernetes_pod", "kubernetes_pod_v1"]
+        supported_resources = ['kubernetes_pod', 'kubernetes_pod_v1',
+                               'kubernetes_deployment', 'kubernetes_deployment_v1']
         categories = [CheckCategories.GENERAL_SECURITY]
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
@@ -19,6 +20,13 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
             self.evaluated_keys = [""]
             return CheckResult.FAILED
         spec = conf['spec'][0]
+        evaluated_keys_path = "spec"
+
+        if spec.get("template") and isinstance(spec.get("template"), list):
+            template = spec.get("template")[0]
+            if template.get("spec") and isinstance(template.get("spec"), list):
+                spec = template.get("spec")[0]
+                evaluated_keys_path = f'{evaluated_keys_path}/[0]/template/[0]/spec'
 
         containers = spec.get("container")
         if not containers:
@@ -32,11 +40,11 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
                     limits = resources.get('limits')[0]
                     if isinstance(limits, dict) and limits.get('cpu'):
                         return CheckResult.PASSED
-                    self.evaluated_keys = [f'spec/[0]/container/[{idx}]/resources/[0]/limits']
+                    self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]/resources/[0]/limits']
                     return CheckResult.FAILED
-                self.evaluated_keys = [f'spec/[0]/container/[{idx}]/resources']
+                self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]/resources']
                 return CheckResult.FAILED
-            self.evaluated_keys = [f'spec/[0]/container/[{idx}]']
+            self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]']
             return CheckResult.FAILED
         return CheckResult.PASSED
 

checkov/terraform/checks/resource/kubernetes/CPURequests.py

@@ -6,7 +6,8 @@ class CPURequests(BaseResourceCheck):
     def __init__(self):
         name = "CPU requests should be set"
         id = "CKV_K8S_10"
-        supported_resources = ["kubernetes_pod", "kubernetes_pod_v1"]
+        supported_resources = ['kubernetes_pod', 'kubernetes_pod_v1',
+                               'kubernetes_deployment', 'kubernetes_deployment_v1']
         categories = [CheckCategories.GENERAL_SECURITY]
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
@@ -15,6 +16,13 @@ def scan_resource_conf(self, conf) -> CheckResult:
             self.evaluated_keys = [""]
             return CheckResult.FAILED
         spec = conf['spec'][0]
+        evaluated_keys_path = "spec"
+
+        if spec.get("template") and isinstance(spec.get("template"), list):
+            template = spec.get("template")[0]
+            if template.get("spec") and isinstance(template.get("spec"), list):
+                spec = template.get("spec")[0]
+                evaluated_keys_path = f'{evaluated_keys_path}/[0]/template/[0]/spec'
 
         containers = spec.get("container")
         if containers is None:
@@ -28,11 +36,11 @@ def scan_resource_conf(self, conf) -> CheckResult:
                     limits = resources.get('requests')[0]
                     if isinstance(limits, dict) and limits.get('cpu'):
                         return CheckResult.PASSED
-                    self.evaluated_keys = [f'spec/[0]/container/[{idx}]/resources/[0]/requests']
+                    self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]/resources/[0]/requests']
                     return CheckResult.FAILED
-                self.evaluated_keys = [f'spec/[0]/container/[{idx}]/resources']
+                self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]/resources']
                 return CheckResult.FAILED
-            self.evaluated_keys = [f'spec/[0]/container/[{idx}]']
+            self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]']
             return CheckResult.FAILED
         return CheckResult.PASSED
 

checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py

@@ -11,20 +11,29 @@ def __init__(self):
         # Location: container .securityContext
         id = "CKV_K8S_30"
 
-        supported_resources = ['kubernetes_pod', 'kubernetes_pod_v1']
+        supported_resources = ['kubernetes_pod', 'kubernetes_pod_v1',
+                               'kubernetes_deployment', 'kubernetes_deployment_v1']
         categories = [CheckCategories.GENERAL_SECURITY]
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
     def scan_resource_conf(self, conf) -> CheckResult:
         spec = conf.get('spec', [None])[0]
+        evaluated_keys_path = "spec"
+
+        if spec.get("template") and isinstance(spec.get("template"), list):
+            template = spec.get("template")[0]
+            if template.get("spec") and isinstance(template.get("spec"), list):
+                spec = template.get("spec")[0]
+                evaluated_keys_path = f'{evaluated_keys_path}/[0]/template/[0]/spec'
+
         if isinstance(spec, dict) and spec.get("container"):
             containers = spec.get("container")
 
             for idx, container in enumerate(containers):
                 if type(container) != dict:
                     return CheckResult.UNKNOWN
                 if not container.get("security_context"):
-                    self.evaluated_keys = [f'spec/[0]/container/[{idx}]/security_context']
+                    self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]/security_context']
                     return CheckResult.FAILED
         return CheckResult.PASSED