From 33224f8da8b577481c0c94fdfdd1874593b1653e Mon Sep 17 00:00:00 2001
From: Ulrich Grave
Date: Thu, 13 Oct 2022 09:32:05 +0200
Subject: [PATCH] Add versioned kubernetes resources to terraform kubernetes checks (Part 2/5)
---
 .../resource/kubernetes/DefaultNamespace.py | 18 +-
 .../kubernetes/DefaultServiceAccount.py | 2 +-
 .../DefaultServiceAccountBinding.py | 3 +-
 .../resource/kubernetes/DockerSocketVolume.py | 4 +-
 .../resource/kubernetes/DropCapabilities.py | 2 +-
 .../checks/resource/kubernetes/HostPort.py | 2 +-
 .../example_DefaultNamespace/main.tf | 1409 +++++++++++++++--
 .../example_DefaultServiceAccount/main.tf | 27 +
 .../main.tf | 98 +-
 .../example_DockerSocketVolume/main.tf | 399 ++++-
 .../example_DropCapabilities/main.tf | 376 +++++
 .../kubernetes/example_HostPort/main.tf | 101 ++
 .../kubernetes/example_HostPort/main3.tf | 21 +
 .../kubernetes/test_DefaultNamespace.py | 31 +-
 .../kubernetes/test_DefaultServiceAccount.py | 8 +-
 .../test_DefaultServiceAccountBinding.py | 8 +-
 .../kubernetes/test_DockerSocketVolume.py | 10 +-
 .../kubernetes/test_DropCapabilities.py | 10 +-
 .../resource/kubernetes/test_HostPort.py | 7 +-
 19 files changed, 2420 insertions(+), 116 deletions(-)
diff --git a/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py b/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py
index 89942e563b0..d2ef67b99e0 100644
--- a/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py
+++ b/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py
@@ -7,11 +7,19 @@ def __init__(self):
 # CIS-1.5 5.7.4
 name = "The default namespace should not be used"
 id = "CKV_K8S_21"
- supported_resources = ["kubernetes_pod", "kubernetes_deployment", "kubernetes_daemonset",
- "kubernetes_stateful_set", "kubernetes_replication_controller", "kubernetes_job",
- "kubernetes_cron_job", "kubernetes_service", "kubernetes_secret",
- "kubernetes_service_account", "kubernetes_role_binding", "kubernetes_config_map",
- "kubernetes_ingress"]
+ supported_resources = ["kubernetes_pod", "kubernetes_pod_v1"
+ "kubernetes_deployment", "kubernetes_deployment_v1",
+ "kubernetes_daemonset", "kubernetes_daemon_set_v1"
+ "kubernetes_stateful_set", "kubernetes_stateful_set_v1",
+ "kubernetes_replication_controller", "kubernetes_replication_controller_v1",
+ "kubernetes_job", "kubernetes_job_v1"
+ "kubernetes_cron_job", "kubernetes_cron_job_v1",
+ "kubernetes_service", "kubernetes_api_service_v1",
+ "kubernetes_secret", "kubernetes_secret_v1"
+ "kubernetes_service_account", "kubernetes_service_account_v1",
+ "kubernetes_role_binding", "kubernetes_role_binding_v1",
+ "kubernetes_config_map", "kubernetes_config_map_v1"
+ "kubernetes_ingress", "kubernetes_ingress_v1"]
 categories = [CheckCategories.GENERAL_SECURITY]
 super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
diff --git a/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py b/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py
index e81989771e3..979ea70692e 100644
--- a/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py
+++ b/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py
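Review bot: Five of the new `supported_resources` lines end without a trailing comma — the ones ending in `"kubernetes_pod_v1"`, `"kubernetes_daemon_set_v1"`, `"kubernetes_job_v1"`, `"kubernetes_secret_v1"` and `"kubernetes_config_map_v1"` — so implicit string concatenation fuses each with the literal on the following line (e.g. `"kubernetes_pod_v1kubernetes_deployment"`), the list ends up with 21 entries instead of 26, and CKV_K8S_21 silently stops matching ten resource types, including the previously covered `kubernetes_deployment`, `kubernetes_stateful_set`, `kubernetes_cron_job`, `kubernetes_service_account` and `kubernetes_ingress`. The versioned counterpart of `kubernetes_service` is also wrong: `kubernetes_api_service_v1` is the APIService resource, whereas the fail/pass fixtures this commit adds to example_DefaultNamespace/main.tf use `kubernetes_service_v1`, which this list never matches, so those two resources are never evaluated. Add the missing commas and change that line to `"kubernetes_service", "kubernetes_service_v1",`. A regression test asserting that `supported_resources` has 26 entries and that no entry contains `kubernetes_` twice would have caught both. The `def __init__` line itself sits above the hunk, in the header context.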
@@ -12,7 +12,7 @@ def __init__(self) -> None:
 name = "Ensure that default service accounts are not actively used"
 # Check automountServiceAccountToken in default service account in runtime
 id = "CKV_K8S_41"
- supported_resources = ["kubernetes_service_account"]
+ supported_resources = ["kubernetes_service_account", "kubernetes_service_account_v1"]
 categories = [CheckCategories.GENERAL_SECURITY]
 super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
diff --git a/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py b/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py
index c22e4ab71fd..8cae2e62bf8 100644
--- a/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py
+++ b/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py
@@ -8,7 +8,8 @@ def __init__(self):
 name = "Ensure that default service accounts are not actively used"
 # Check no role/clusterrole is bound to a default service account (to ensure not actively used)
 id = "CKV_K8S_42"
- supported_resources = ["kubernetes_role_binding", "kubernetes_cluster_role_binding"]
+ supported_resources = ["kubernetes_role_binding", "kubernetes_role_binding_v1",
+ "kubernetes_cluster_role_binding", "kubernetes_cluster_role_binding_v1"]
 categories = [CheckCategories.GENERAL_SECURITY]
 super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
diff --git a/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py b/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py
index 35aa405d8e2..e0d019bfb7c 100644
--- a/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py
+++ b/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py
@@ -15,7 +15,9 @@ def __init__(self) -> None:
 # Location: *.spec.template.spec.volumes[].hostPath.path
 id = "CKV_K8S_27"
 name = "Do not expose the docker daemon socket to containers"
- supported_resources = ("kubernetes_pod", "kubernetes_deployment", "kubernetes_daemonset")
+ supported_resources = ("kubernetes_pod", "kubernetes_pod_v1",
+ "kubernetes_deployment", "kubernetes_deployment_v1",
+ "kubernetes_daemonset", "kubernetes_daemon_set_v1")
 categories = (CheckCategories.NETWORKING,)
 super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
diff --git a/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py b/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py
index 634ce1f8997..648b62026ec 100644
--- a/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py
+++ b/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py
@@ -11,7 +11,7 @@ def __init__(self):
 name = "Minimize the admission of containers with the NET_RAW capability"
 id = "CKV_K8S_28"
- supported_resources = ('kubernetes_pod',)
+ supported_resources = ('kubernetes_pod', 'kubernetes_pod_v1')
 categories = (CheckCategories.GENERAL_SECURITY,)
 super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
diff --git a/checkov/terraform/checks/resource/kubernetes/HostPort.py b/checkov/terraform/checks/resource/kubernetes/HostPort.py
index 1ae9b9a254a..6ef184f7db7 100644
--- a/checkov/terraform/checks/resource/kubernetes/HostPort.py
+++ b/checkov/terraform/checks/resource/kubernetes/HostPort.py
@@ -16,7 +16,7 @@ def __init__(self):
 """
 name = "Do not specify hostPort unless absolutely necessary"
 id = "CKV_K8S_26"
- supported_resources = ["kubernetes_pod"]
+ supported_resources = ["kubernetes_pod", "kubernetes_pod_v1"]
 categories = [CheckCategories.GENERAL_SECURITY]
 super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
diff --git a/tests/terraform/checks/resource/kubernetes/example_DefaultNamespace/main.tf b/tests/terraform/checks/resource/kubernetes/example_DefaultNamespace/main.tf index 154ba2170c9..5448ec08feb 100644 --- a/tests/terraform/checks/resource/kubernetes/example_DefaultNamespace/main.tf +++ b/tests/terraform/checks/resource/kubernetes/example_DefaultNamespace/main.tf @@ -48,6 +48,54 @@ resource "kubernetes_pod" "fail" { } } +resource "kubernetes_pod_v1" "fail" { + metadata { + name = "terraform-example" + } + + spec { + host_ipc = true + host_pid = true + + + container { + image = "nginx" + image_pull_policy = "Never" + name = "example" + + security_context { + privileged = true + allow_privilege_escalation = true + } + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + #set default resource "kubernetes_pod" "fail2" { metadata { @@ -98,6 +146,55 @@ resource "kubernetes_pod" "fail2" { } } +resource "kubernetes_pod_v1" "fail2" { + metadata { + name = "terraform-example" + namespace = "default" + } + + spec { + host_ipc = true + host_pid = true + + + container { + image = "nginx" + image_pull_policy = "Never" + name = "example" + + security_context { + privileged = true + allow_privilege_escalation = true + } + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + resource "kubernetes_pod" "pass" { metadata { name = "terraform-example" 
@@ -147,6 +244,55 @@ resource "kubernetes_pod" "pass" { } } +resource "kubernetes_pod_v1" "pass" { + metadata { + name = "terraform-example" + namespace = "brian" + } + + spec { + host_ipc = true + host_pid = true + + + container { + image = "nginx" + image_pull_policy = "Never" + name = "example" + + security_context { + privileged = true + allow_privilege_escalation = true + } + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + resource "kubernetes_deployment" "fail" { metadata { name = "terraform-example" @@ -207,10 +353,9 @@ resource "kubernetes_deployment" "fail" { } } -resource "kubernetes_deployment" "pass" { +resource "kubernetes_deployment_v1" "fail" { metadata { name = "terraform-example" - namespace = "brian" labels = { k8s-app = "prometheus" } @@ -268,26 +413,28 @@ resource "kubernetes_deployment" "pass" { } } -resource "kubernetes_daemonset" "pass" { +resource "kubernetes_deployment" "pass" { metadata { - name = "terraform-example" - namespace = "something" + name = "terraform-example" + namespace = "brian" labels = { - test = "MyExampleApp" + k8s-app = "prometheus" } } spec { + replicas = 3 + selector { match_labels = { - test = "MyExampleApp" + k8s-app = "prometheus" } } template { metadata { labels = { - test = "MyExampleApp" + k8s-app = "prometheus" } } 
@@ -321,32 +468,34 @@ resource "kubernetes_daemonset" "pass" { initial_delay_seconds = 3 period_seconds = 3 } - } } } } } -resource "kubernetes_daemonset" "fail" { +resource "kubernetes_deployment_v1" "pass" { metadata { - name = "terraform-example" + name = "terraform-example" + namespace = "brian" labels = { - test = "MyExampleApp" + k8s-app = "prometheus" } } spec { + replicas = 3 + selector { match_labels = { - test = "MyExampleApp" + k8s-app = "prometheus" } } template { metadata { labels = { - test = "MyExampleApp" + k8s-app = "prometheus" } } 
@@ -380,108 +529,714 @@ resource "kubernetes_daemonset" "fail" { initial_delay_seconds = 3 period_seconds = 3 } - } } } } } -resource "kubernetes_stateful_set" "fail" { +resource "kubernetes_daemonset" "pass" { metadata { - annotations = { - SomeAnnotation = "foobar" - } - + name = "terraform-example" + namespace = "something" labels = { - k8s-app = "prometheus" - "kubernetes.io/cluster-service" = "true" - "addonmanager.kubernetes.io/mode" = "Reconcile" - version = "v2.2.1" + test = "MyExampleApp" } - - name = "prometheus" } spec { - pod_management_policy = "Parallel" - replicas = 1 - revision_history_limit = 5 - selector { match_labels = { - k8s-app = "prometheus" + test = "MyExampleApp" } } - service_name = "prometheus" - template { metadata { labels = { - k8s-app = "prometheus" + test = "MyExampleApp" } - - annotations = {} } spec { - service_account_name = "prometheus" - - init_container { - name = "init-chown-data" - image = "busybox:latest" - image_pull_policy = "IfNotPresent" - command = ["chown", "-R", "65534:65534", "/data"] - - volume_mount { - name = "prometheus-data" - mount_path = "/data" - sub_path = "" - } - } - container { - name = "prometheus-server-configmap-reload" - image = "jimmidyson/configmap-reload:v0.1" - image_pull_policy = "IfNotPresent" - - args = [ - "--volume-dir=/etc/config", - "--webhook-url=http://localhost:9090/-/reload", - ] - - volume_mount { - name = "config-volume" - mount_path = "/etc/config" - read_only = true - } + image = "nginx:1.7.8" + name = "example" resources { limits = { - cpu = "10m" - memory = "10Mi" + cpu = "0.5" + memory = "512Mi" } - requests = { - cpu = "10m" - memory = "10Mi" + cpu = "250m" + memory = "50Mi" } } - } - container { - name = "prometheus-server" - image = "prom/prometheus:v2.2.1" - image_pull_policy = "IfNotPresent" + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 - args = [ - "--config.file=/etc/config/prometheus.yml", - "--storage.tsdb.path=/data", - 
"--web.console.libraries=/etc/prometheus/console_libraries", - "--web.console.templates=/etc/prometheus/consoles", - "--web.enable-lifecycle", - ] + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + + } + } + } + } +} + +resource "kubernetes_daemon_set_v1" "pass" { + metadata { + name = "terraform-example" + namespace = "something" + labels = { + test = "MyExampleApp" + } + } + + spec { + selector { + match_labels = { + test = "MyExampleApp" + } + } + + template { + metadata { + labels = { + test = "MyExampleApp" + } + } + + spec { + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + + } + } + } + } +} + +resource "kubernetes_daemonset" "fail" { + metadata { + name = "terraform-example" + labels = { + test = "MyExampleApp" + } + } + + spec { + selector { + match_labels = { + test = "MyExampleApp" + } + } + + template { + metadata { + labels = { + test = "MyExampleApp" + } + } + + spec { + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + + } + } + } + } +} + +resource "kubernetes_daemon_set_v1" "fail" { + metadata { + name = "terraform-example" + labels = { + test = "MyExampleApp" + } + } + + spec { + selector { + match_labels = { + test = "MyExampleApp" + } + } + + template { + metadata { + labels = { + test = "MyExampleApp" + } + } + + spec { + 
container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + + } + } + } + } +} + +resource "kubernetes_stateful_set" "fail" { + metadata { + annotations = { + SomeAnnotation = "foobar" + } + + labels = { + k8s-app = "prometheus" + "kubernetes.io/cluster-service" = "true" + "addonmanager.kubernetes.io/mode" = "Reconcile" + version = "v2.2.1" + } + + name = "prometheus" + } + + spec { + pod_management_policy = "Parallel" + replicas = 1 + revision_history_limit = 5 + + selector { + match_labels = { + k8s-app = "prometheus" + } + } + + service_name = "prometheus" + + template { + metadata { + labels = { + k8s-app = "prometheus" + } + + annotations = {} + } + + spec { + service_account_name = "prometheus" + + init_container { + name = "init-chown-data" + image = "busybox:latest" + image_pull_policy = "IfNotPresent" + command = ["chown", "-R", "65534:65534", "/data"] + + volume_mount { + name = "prometheus-data" + mount_path = "/data" + sub_path = "" + } + } + + container { + name = "prometheus-server-configmap-reload" + image = "jimmidyson/configmap-reload:v0.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--volume-dir=/etc/config", + "--webhook-url=http://localhost:9090/-/reload", + ] + + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + read_only = true + } + + resources { + limits = { + cpu = "10m" + memory = "10Mi" + } + + requests = { + cpu = "10m" + memory = "10Mi" + } + } + } + + container { + name = "prometheus-server" + image = "prom/prometheus:v2.2.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--config.file=/etc/config/prometheus.yml", + "--storage.tsdb.path=/data", + 
"--web.console.libraries=/etc/prometheus/console_libraries", + "--web.console.templates=/etc/prometheus/consoles", + "--web.enable-lifecycle", + ] + + port { + container_port = 9090 + } + + resources { + limits = { + cpu = "200m" + memory = "1000Mi" + } + + requests = { + cpu = "200m" + memory = "1000Mi" + } + } + + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + } + + volume_mount { + name = "prometheus-data" + mount_path = "/data" + sub_path = "" + } + + readiness_probe { + http_get { + path = "/-/ready" + port = 9090 + } + + initial_delay_seconds = 30 + timeout_seconds = 30 + } + + liveness_probe { + http_get { + path = "/-/healthy" + port = 9090 + scheme = "HTTPS" + } + + initial_delay_seconds = 30 + timeout_seconds = 30 + } + } + + termination_grace_period_seconds = 300 + + volume { + name = "config-volume" + + config_map { + name = "prometheus-config" + } + } + } + } + + update_strategy { + type = "RollingUpdate" + + rolling_update { + partition = 1 + } + } + + volume_claim_template { + metadata { + name = "prometheus-data" + } + + spec { + access_modes = ["ReadWriteOnce"] + storage_class_name = "standard" + + resources { + requests = { + storage = "16Gi" + } + } + } + } + } +} + +resource "kubernetes_stateful_set_v1" "fail" { + metadata { + annotations = { + SomeAnnotation = "foobar" + } + + labels = { + k8s-app = "prometheus" + "kubernetes.io/cluster-service" = "true" + "addonmanager.kubernetes.io/mode" = "Reconcile" + version = "v2.2.1" + } + + name = "prometheus" + } + + spec { + pod_management_policy = "Parallel" + replicas = 1 + revision_history_limit = 5 + + selector { + match_labels = { + k8s-app = "prometheus" + } + } + + service_name = "prometheus" + + template { + metadata { + labels = { + k8s-app = "prometheus" + } + + annotations = {} + } + + spec { + service_account_name = "prometheus" + + init_container { + name = "init-chown-data" + image = "busybox:latest" + image_pull_policy = "IfNotPresent" + command = ["chown", "-R", 
"65534:65534", "/data"] + + volume_mount { + name = "prometheus-data" + mount_path = "/data" + sub_path = "" + } + } + + container { + name = "prometheus-server-configmap-reload" + image = "jimmidyson/configmap-reload:v0.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--volume-dir=/etc/config", + "--webhook-url=http://localhost:9090/-/reload", + ] + + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + read_only = true + } + + resources { + limits = { + cpu = "10m" + memory = "10Mi" + } + + requests = { + cpu = "10m" + memory = "10Mi" + } + } + } + + container { + name = "prometheus-server" + image = "prom/prometheus:v2.2.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--config.file=/etc/config/prometheus.yml", + "--storage.tsdb.path=/data", + "--web.console.libraries=/etc/prometheus/console_libraries", + "--web.console.templates=/etc/prometheus/consoles", + "--web.enable-lifecycle", + ] + + port { + container_port = 9090 + } + + resources { + limits = { + cpu = "200m" + memory = "1000Mi" + } + + requests = { + cpu = "200m" + memory = "1000Mi" + } + } + + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + } + + volume_mount { + name = "prometheus-data" + mount_path = "/data" + sub_path = "" + } + + readiness_probe { + http_get { + path = "/-/ready" + port = 9090 + } + + initial_delay_seconds = 30 + timeout_seconds = 30 + } + + liveness_probe { + http_get { + path = "/-/healthy" + port = 9090 + scheme = "HTTPS" + } + + initial_delay_seconds = 30 + timeout_seconds = 30 + } + } + + termination_grace_period_seconds = 300 + + volume { + name = "config-volume" + + config_map { + name = "prometheus-config" + } + } + } + } + + update_strategy { + type = "RollingUpdate" + + rolling_update { + partition = 1 + } + } + + volume_claim_template { + metadata { + name = "prometheus-data" + } + + spec { + access_modes = ["ReadWriteOnce"] + storage_class_name = "standard" + + resources { + requests = { + storage = "16Gi" + } + } 
+ } + } + } +} + +resource "kubernetes_stateful_set" "pass" { + metadata { + namespace = "brian" + annotations = { + SomeAnnotation = "foobar" + } + + labels = { + k8s-app = "prometheus" + "kubernetes.io/cluster-service" = "true" + "addonmanager.kubernetes.io/mode" = "Reconcile" + version = "v2.2.1" + } + + name = "prometheus" + } + + spec { + pod_management_policy = "Parallel" + replicas = 1 + revision_history_limit = 5 + + selector { + match_labels = { + k8s-app = "prometheus" + } + } + + service_name = "prometheus" + + template { + metadata { + labels = { + k8s-app = "prometheus" + } + + annotations = {} + } + + spec { + service_account_name = "prometheus" + + init_container { + name = "init-chown-data" + image = "busybox:latest" + image_pull_policy = "IfNotPresent" + command = ["chown", "-R", "65534:65534", "/data"] + + volume_mount { + name = "prometheus-data" + mount_path = "/data" + sub_path = "" + } + } + + container { + name = "prometheus-server-configmap-reload" + image = "jimmidyson/configmap-reload:v0.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--volume-dir=/etc/config", + "--webhook-url=http://localhost:9090/-/reload", + ] + + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + read_only = true + } + + resources { + limits = { + cpu = "10m" + memory = "10Mi" + } + + requests = { + cpu = "10m" + memory = "10Mi" + } + } + } + + container { + name = "prometheus-server" + image = "prom/prometheus:v2.2.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--config.file=/etc/config/prometheus.yml", + "--storage.tsdb.path=/data", + "--web.console.libraries=/etc/prometheus/console_libraries", + "--web.console.templates=/etc/prometheus/consoles", + "--web.enable-lifecycle", + ] port { container_port = 9090 @@ -571,7 +1326,7 @@ resource "kubernetes_stateful_set" "fail" { } } -resource "kubernetes_stateful_set" "pass" { +resource "kubernetes_stateful_set_v1" "pass" { metadata { namespace = "brian" annotations = { 
@@ -814,6 +1569,64 @@ resource "kubernetes_replication_controller" "fail" { } } +resource "kubernetes_replication_controller_v1" "fail" { + metadata { + name = "terraform-example" + labels = { + test = "MyExampleApp" + } + } + + spec { + selector = { + test = "MyExampleApp" + } + template { + metadata { + labels = { + test = "MyExampleApp" + } + annotations = { + "key1" = "value1" + } + } + + spec { + container { + image = "nginx:1.7.8" + name = "example" + + liveness_probe { + http_get { + path = "/nginx_status" + port = 8080 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + } + } + } + } +} + resource "kubernetes_replication_controller" "pass" { metadata { name = "terraform-example" @@ -873,6 +1686,65 @@ resource "kubernetes_replication_controller" "pass" { } } +resource "kubernetes_replication_controller_v1" "pass" { + metadata { + name = "terraform-example" + labels = { + test = "MyExampleApp" + } + namespace = "brian" + } + + spec { + selector = { + test = "MyExampleApp" + } + template { + metadata { + labels = { + test = "MyExampleApp" + } + annotations = { + "key1" = "value1" + } + } + + spec { + container { + image = "nginx:1.7.8" + name = "example" + + liveness_probe { + http_get { + path = "/nginx_status" + port = 8080 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + } + } + } + } +} + resource "kubernetes_job" "fail" { metadata { name = "demo" 
@@ -894,6 +1766,27 @@ resource "kubernetes_job" "fail" { wait_for_completion = false } +resource "kubernetes_job_v1" "fail" { + metadata { + name = "demo" + } + spec { + template { + metadata {} + spec { + container { + name = "pi" + image = "perl" + command = ["perl", "-Mbignum=bpi", "-wle", "print bpi(2000)"] + } + restart_policy = "Never" + } + } + backoff_limit = 4 + } + wait_for_completion = false +} + resource "kubernetes_job" "pass" { metadata { name = "demo" 
@@ -903,22 +1796,105 @@ resource "kubernetes_job" "pass" { template { metadata {} spec { - container { - name = "pi" - image = "perl" - command = ["perl", "-Mbignum=bpi", "-wle", "print bpi(2000)"] + container { + name = "pi" + image = "perl" + command = ["perl", "-Mbignum=bpi", "-wle", "print bpi(2000)"] + } + restart_policy = "Never" + } + } + backoff_limit = 4 + } + wait_for_completion = false +} + +resource "kubernetes_job_v1" "pass" { + metadata { + name = "demo" + namespace = "brian" + } + spec { + template { + metadata {} + spec { + container { + name = "pi" + image = "perl" + command = ["perl", "-Mbignum=bpi", "-wle", "print bpi(2000)"] + } + restart_policy = "Never" + } + } + backoff_limit = 4 + } + wait_for_completion = false +} + +resource "kubernetes_cron_job" "fail" { + metadata { + name = "demo" + } + spec { + concurrency_policy = "Replace" + failed_jobs_history_limit = 5 + schedule = "1 0 * * *" + starting_deadline_seconds = 10 + successful_jobs_history_limit = 10 + job_template { + metadata {} + spec { + backoff_limit = 2 + ttl_seconds_after_finished = 10 + template { + metadata {} + spec { + container { + name = "hello" + image = "busybox" + command = ["/bin/sh", "-c", "date; echo Hello from the Kubernetes cluster"] + } + } + } + } + } + } +} + +resource "kubernetes_cron_job_v1" "fail" { + metadata { + name = "demo" + } + spec { + concurrency_policy = "Replace" + failed_jobs_history_limit = 5 + schedule = "1 0 * * *" + starting_deadline_seconds = 10 + successful_jobs_history_limit = 10 + job_template { + metadata {} + spec { + backoff_limit = 2 + ttl_seconds_after_finished = 10 + template { + metadata {} + spec { + container { + name = "hello" + image = "busybox" + command = ["/bin/sh", "-c", "date; echo Hello from the Kubernetes cluster"] + } + } } - restart_policy = "Never" } } - backoff_limit = 4 } - wait_for_completion = false } -resource "kubernetes_cron_job" "fail" { +resource "kubernetes_cron_job" "pass" { metadata { name = "demo" + 
namespace = "brian" } spec { concurrency_policy = "Replace" @@ -946,7 +1922,7 @@ resource "kubernetes_cron_job" "fail" { } } -resource "kubernetes_cron_job" "pass" { +resource "kubernetes_cron_job_v1" "pass" { metadata { name = "demo" namespace = "brian" @@ -1016,6 +1992,45 @@ resource "kubernetes_ingress" "fail" { } } +resource "kubernetes_ingress_v1" "fail" { + metadata { + name = "example-ingress" + } + + spec { + backend { + service_name = "MyApp1" + service_port = 8080 + } + + rule { + http { + path { + backend { + service_name = "MyApp1" + service_port = 8080 + } + + path = "/app1/*" + } + + path { + backend { + service_name = "MyApp2" + service_port = 8080 + } + + path = "/app2/*" + } + } + } + + tls { + secret_name = "tls-secret" + } + } +} + resource "kubernetes_ingress" "pass" { metadata { name = "example-ingress" @@ -1056,6 +2071,46 @@ resource "kubernetes_ingress" "pass" { } } +resource "kubernetes_ingress_v1" "pass" { + metadata { + name = "example-ingress" + namespace = "brian" + } + + spec { + backend { + service_name = "MyApp1" + service_port = 8080 + } + + rule { + http { + path { + backend { + service_name = "MyApp1" + service_port = 8080 + } + + path = "/app1/*" + } + + path { + backend { + service_name = "MyApp2" + service_port = 8080 + } + + path = "/app2/*" + } + } + } + + tls { + secret_name = "tls-secret" + } + } +} + resource "kubernetes_config_map" "fail" { metadata { name = "my-config" @@ -1072,6 +2127,22 @@ resource "kubernetes_config_map" "fail" { } } +resource "kubernetes_config_map_v1" "fail" { + metadata { + name = "my-config" + } + + data = { + api_host = "myhost:443" + db_host = "dbhost:5432" + "my_config_file.yml" = "${file("${path.module}/my_config_file.yml")}" + } + + binary_data = { + "my_payload.bin" = "${filebase64("${path.module}/my_payload.bin")}" + } +} + resource "kubernetes_config_map" "pass" { metadata { namespace = "brian" 
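Review bot: The `kubernetes_ingress_v1` fail and pass fixtures in this line's two ingress hunks reuse the `kubernetes_ingress` body (`backend { service_name … service_port … }`), which, as far as I recall the provider schema, is not accepted by the v1 resource — there the default backend is `default_backend { service { name = … port { number = … } } }` and each `rule.http.path.backend` likewise nests a `service` block. CKV_K8S_21 only reads `metadata.namespace`, so the fail/pass outcome is unaffected, but a fixture that the provider would reject is a weak reference for any future check that inspects the ingress spec. Consider rewriting the two resources in the v1 shape, or adding a comment above them noting that only the metadata block is exercised.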
@@ -1089,6 +2160,23 @@ resource "kubernetes_config_map" "pass" { } } +resource "kubernetes_config_map_v1" "pass" { + metadata { + namespace = "brian" + name = "my-config" + } + + data = { + api_host = "myhost:443" + db_host = "dbhost:5432" + "my_config_file.yml" = "${file("${path.module}/my_config_file.yml")}" + } + + binary_data = { + "my_payload.bin" = "${filebase64("${path.module}/my_payload.bin")}" + } +} + resource "kubernetes_role_binding" "fail" { metadata { name = "terraform-example" @@ -1116,6 +2204,33 @@ resource "kubernetes_role_binding" "fail" { } } +resource "kubernetes_role_binding_v1" "fail" { + metadata { + name = "terraform-example" + namespace = "default" + } + role_ref { + api_group = "rbac.authorization.k8s.io" + kind = "Role" + name = "admin" + } + subject { + kind = "User" + name = "admin" + api_group = "rbac.authorization.k8s.io" + } + subject { + kind = "ServiceAccount" + name = "default" + namespace = "kube-system" + } + subject { + kind = "Group" + name = "system:masters" + api_group = "rbac.authorization.k8s.io" + } +} + resource "kubernetes_role_binding" "pass" { metadata { name = "terraform-example" @@ -1143,6 +2258,33 @@ resource "kubernetes_role_binding" "pass" { } } +resource "kubernetes_role_binding_v1" "pass" { + metadata { + name = "terraform-example" + namespace = "brian" + } + role_ref { + api_group = "rbac.authorization.k8s.io" + kind = "Role" + name = "admin" + } + subject { + kind = "User" + name = "admin" + api_group = "rbac.authorization.k8s.io" + } + subject { + kind = "ServiceAccount" + name = "default" + namespace = "kube-system" + } + subject { + kind = "Group" + name = "system:masters" + api_group = "rbac.authorization.k8s.io" + } +} + resource "kubernetes_service_account" "fail" { metadata { name = "terraform-example" 
@@ -1152,6 +2294,15 @@ resource "kubernetes_service_account" "fail" { } } +resource "kubernetes_service_account_v1" "fail" { + metadata { + name = "terraform-example" + } + secret { + name = "${kubernetes_secret_v1.example.metadata.0.name}" + } +} + resource "kubernetes_service_account" "pass" { metadata { name = "terraform-example" @@ -1162,6 +2313,16 @@ resource "kubernetes_service_account" "pass" { } } +resource "kubernetes_service_account_v1" "pass" { + metadata { + name = "terraform-example" + namespace="brian" + } + secret { + name = "${kubernetes_secret_v1.example.metadata.0.name}" + } +} + resource "kubernetes_secret" "fail" { metadata { name = "basic-auth" @@ -1175,6 +2336,19 @@ resource "kubernetes_secret" "fail" { type = "kubernetes.io/basic-auth" } +resource "kubernetes_secret_v1" "fail" { + metadata { + name = "basic-auth" + } + + data = { + username = "admin" + password = "P4ssw0rd" + } + + type = "kubernetes.io/basic-auth" +} + resource "kubernetes_secret" "pass" { metadata { name = "basic-auth" @@ -1189,6 +2363,20 @@ resource "kubernetes_secret" "pass" { type = "kubernetes.io/basic-auth" } +resource "kubernetes_secret_v1" "pass" { + metadata { + name = "basic-auth" + namespace = "brian" + } + + data = { + username = "admin" + password = "P4ssw0rd" + } + + type = "kubernetes.io/basic-auth" +} + resource "kubernetes_service" "fail" { metadata { name = "terraform-example" @@ -1207,6 +2395,24 @@ resource "kubernetes_service" "fail" { } } +resource "kubernetes_service_v1" "fail" { + metadata { + name = "terraform-example" + } + spec { + selector = { + app = kubernetes_pod_v1.example.metadata.0.labels.app + } + session_affinity = "ClientIP" + port { + port = 8080 + target_port = 80 + } + + type = "LoadBalancer" + } +} + resource "kubernetes_service" "pass" { metadata { name = "terraform-example" 
@@ -1222,6 +2428,25 @@ resource "kubernetes_service" "pass" { target_port = 80 } + type = "LoadBalancer" + } +} + +resource "kubernetes_service_v1" "pass" { + metadata { + name = "terraform-example" + namespace = "brian" + } + spec { + selector = { + app = kubernetes_pod_v1.example.metadata.0.labels.app + } + session_affinity = "ClientIP" + port { + port = 8080 + target_port = 80 + } + type = "LoadBalancer" } } \ No newline at end of file diff --git a/tests/terraform/checks/resource/kubernetes/example_DefaultServiceAccount/main.tf b/tests/terraform/checks/resource/kubernetes/example_DefaultServiceAccount/main.tf index 961d4a47929..8d4f77bab33 100644 --- a/tests/terraform/checks/resource/kubernetes/example_DefaultServiceAccount/main.tf +++ b/tests/terraform/checks/resource/kubernetes/example_DefaultServiceAccount/main.tf @@ -4,6 +4,12 @@ resource "kubernetes_service_account" "fail" { } } +resource "kubernetes_service_account_v1" "fail" { + metadata { + name = "default" + } +} + resource "kubernetes_service_account" "fail2" { metadata { name = "default" @@ -11,6 +17,13 @@ resource "kubernetes_service_account" "fail2" { automount_service_account_token=true } +resource "kubernetes_service_account_v1" "fail2" { + metadata { + name = "default" + } + automount_service_account_token=true +} + resource "kubernetes_service_account" "pass" { metadata { name = "default" @@ -18,8 +31,22 @@ resource "kubernetes_service_account" "pass" { automount_service_account_token=false } +resource "kubernetes_service_account_v1" "pass" { + metadata { + name = "default" + } + automount_service_account_token=false +} + + resource "kubernetes_service_account" "pass2" { metadata { name = "terraform-example" } } + +resource "kubernetes_service_account_v1" "pass2" { + metadata { + name = "terraform-example" + } +} 
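Review bot: The new `kubernetes_service_account_v1.fail` fixture has no `automount_service_account_token` argument and nothing records why that is expected to fail, so a reader has to already know the API default. Kubernetes defaults `automountServiceAccountToken` to true, which is why an unset value on the `default` account is equivalent to `fail2`; a one-line comment above the resource, `# fails: automount unset, API default is true`, would pin that intent. `pass2` documents the other half of the rule, that a non-default account name passes regardless of automount, and deserves a matching comment. How the check itself treats an unset attribute is inferred from the expected outcome here, not visible in this diff.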
diff --git a/tests/terraform/checks/resource/kubernetes/example_DefaultServiceAccountBinding/main.tf b/tests/terraform/checks/resource/kubernetes/example_DefaultServiceAccountBinding/main.tf index 780717dda88..18962eca127 100644 --- a/tests/terraform/checks/resource/kubernetes/example_DefaultServiceAccountBinding/main.tf +++ b/tests/terraform/checks/resource/kubernetes/example_DefaultServiceAccountBinding/main.tf @@ -25,6 +25,33 @@ resource "kubernetes_role_binding" "fail" { } } +resource "kubernetes_role_binding_v1" "fail" { + metadata { + name = "terraform-example" + namespace = "default" + } + role_ref { + api_group = "rbac.authorization.k8s.io" + kind = "Role" + name = "admin" + } + subject { + kind = "User" + name = "admin" + api_group = "rbac.authorization.k8s.io" + } + subject { + kind = "ServiceAccount" + name = "default" + namespace = "kube-system" + } + subject { + kind = "Group" + name = "system:masters" + api_group = "rbac.authorization.k8s.io" + } +} + resource "kubernetes_role_binding" "pass" { metadata { name = "terraform-example" @@ -47,6 +74,28 @@ resource "kubernetes_role_binding" "pass" { } } +resource "kubernetes_role_binding_v1" "pass" { + metadata { + name = "terraform-example" + namespace = "default" + } + role_ref { + api_group = "rbac.authorization.k8s.io" + kind = "Role" + name = "admin" + } + subject { + kind = "User" + name = "admin" + api_group = "rbac.authorization.k8s.io" + } + subject { + kind = "Group" + name = "system:masters" + api_group = "rbac.authorization.k8s.io" + } +} + resource "kubernetes_cluster_role_binding" "fail" { metadata { name = "terraform-example" 
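Review bot: The `kubernetes_role_binding_v1.pass` fixture has no `ServiceAccount` subject at all, so the pair only shows that removing the subject passes, never that a non-default service account is accepted. A check that regressed to failing on every `kind = "ServiceAccount"` subject would still satisfy this test. Adding `subject { kind = "ServiceAccount" name = "app-sa" namespace = "brian" }` to the pass fixture exercises the positive case the check is meant to allow. The cluster-role-binding pair that follows has the same gap.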
@@ -73,6 +122,32 @@ resource "kubernetes_cluster_role_binding" "fail" { } } +resource "kubernetes_cluster_role_binding_v1" "fail" { + metadata { + name = "terraform-example" + } + role_ref { + api_group = "rbac.authorization.k8s.io" + kind = "ClusterRole" + name = "cluster-admin" + } + subject { + kind = "User" + name = "admin" + api_group = "rbac.authorization.k8s.io" + } + subject { + kind = "ServiceAccount" + name = "default" + namespace = "kube-system" + } + subject { + kind = "Group" + name = "system:masters" + api_group = "rbac.authorization.k8s.io" + } +} + resource "kubernetes_cluster_role_binding" "pass" { metadata { name = "terraform-example" @@ -92,4 +167,25 @@ resource "kubernetes_cluster_role_binding" "pass" { name = "system:masters" api_group = "rbac.authorization.k8s.io" } -} \ No newline at end of file +} + +resource "kubernetes_cluster_role_binding_v1" "pass" { + metadata { + name = "terraform-example" + } + role_ref { + api_group = "rbac.authorization.k8s.io" + kind = "ClusterRole" + name = "cluster-admin" + } + subject { + kind = "User" + name = "admin" + api_group = "rbac.authorization.k8s.io" + } + subject { + kind = "Group" + name = "system:masters" + api_group = "rbac.authorization.k8s.io" + } +} diff --git a/tests/terraform/checks/resource/kubernetes/example_DockerSocketVolume/main.tf b/tests/terraform/checks/resource/kubernetes/example_DockerSocketVolume/main.tf index 3f48e9a87e4..e4df8d4bdee 100644 --- a/tests/terraform/checks/resource/kubernetes/example_DockerSocketVolume/main.tf +++ b/tests/terraform/checks/resource/kubernetes/example_DockerSocketVolume/main.tf 
@@ -68,6 +68,75 @@ resource "kubernetes_pod" "fail" { } +resource "kubernetes_pod_v1" "fail" { + metadata { + name = "terraform-example" + } + + spec { + + volume { + host_path { + path = "/var/run/docker.sock" + type = "Directory" + } + } + + volume { + host_path { + path = "/var/run/docker.sock" + type = "Directory" + } + } + + + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + resource "kubernetes_pod" "pass" { metadata { name = "terraform-example" @@ -129,6 +198,67 @@ resource "kubernetes_pod" "pass" { } +resource "kubernetes_pod_v1" "pass" { + metadata { + name = "terraform-example" + } + + spec { + + volume { + host_path { + path = "/var/log" + } + } + + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + resource "kubernetes_deployment" "pass" { metadata { name = "terraform-example" 
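Review bot: `kubernetes_pod_v1.fail` declares the same `/var/run/docker.sock` host_path volume twice, which only repeats the first case and, with both volumes unnamed, would not be admitted by the API as a real pod. That slot would be more useful covering an equivalent mount the check should also catch, such as `path = "/run/docker.sock"` (on most distributions `/var/run` is a symlink to `/run`) or a parent directory like `path = "/var/run"` with `type = "Directory"`, which exposes the socket just the same. Whether the check matches anything beyond the literal `/var/run/docker.sock` is not visible in this diff, so a fixture for those variants would settle it either way. The containerd socket `/run/containerd/containerd.sock` is the same class of node-takeover risk on non-Docker nodes and is worth a third fixture.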
@@ -195,6 +325,72 @@ resource "kubernetes_deployment" "pass" { } } +resource "kubernetes_deployment_v1" "pass" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "prometheus" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "prometheus" + } + } + + template { + metadata { + labels = { + k8s-app = "prometheus" + } + } + + spec { + + volume { + host_path { + path = "/var/log" + } + } + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + } + } + } +} + resource "kubernetes_deployment" "fail" { metadata { name = "terraform-example" @@ -261,6 +457,72 @@ resource "kubernetes_deployment" "fail" { } } +resource "kubernetes_deployment_v1" "fail" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "prometheus" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "prometheus" + } + } + + template { + metadata { + labels = { + k8s-app = "prometheus" + } + } + + spec { + volume { + host_path { + path = "/var/run/docker.sock" + type = "Directory" + } + } + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + } + } + } +} + resource "kubernetes_daemonset" "fail" { metadata { name = "terraform-example" 
@@ -329,6 +591,74 @@ resource "kubernetes_daemonset" "fail" { } } +resource "kubernetes_daemon_set_v1" "fail" { + metadata { + name = "terraform-example" + namespace = "something" + labels = { + test = "MyExampleApp" + } + } + + spec { + selector { + match_labels = { + test = "MyExampleApp" + } + } + + template { + metadata { + labels = { + test = "MyExampleApp" + } + } + + spec { + + volume { + host_path { + path = "/var/run/docker.sock" + type = "Directory" + } + } + + container { + image = "nginx:1.21.6" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + + } + } + } + } +} + resource "kubernetes_daemonset" "pass" { metadata { name = "terraform-example" @@ -394,4 +724,71 @@ resource "kubernetes_daemonset" "pass" { } } } -} \ No newline at end of file +} + +resource "kubernetes_daemon_set_v1" "pass" { + metadata { + name = "terraform-example" + namespace = "something" + labels = { + test = "MyExampleApp" + } + } + + spec { + selector { + match_labels = { + test = "MyExampleApp" + } + } + + template { + metadata { + labels = { + test = "MyExampleApp" + } + } + + spec { + volume { + host_path { + path = "/var/log" + type = "Directory" + } + } + + container { + image = "nginx:1.21.6" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + + } + } + } + } +} 
diff --git a/tests/terraform/checks/resource/kubernetes/example_DropCapabilities/main.tf b/tests/terraform/checks/resource/kubernetes/example_DropCapabilities/main.tf index 3a72340cc25..220ac52affe 100644 --- a/tests/terraform/checks/resource/kubernetes/example_DropCapabilities/main.tf +++ b/tests/terraform/checks/resource/kubernetes/example_DropCapabilities/main.tf @@ -5,6 +5,13 @@ resource "kubernetes_pod" "fail" { } } +# fails no spec +resource "kubernetes_pod_v1" "fail" { + metadata { + name = "terraform-example" + } +} + #no capabilities resource "kubernetes_pod" "fail4" { metadata { @@ -65,6 +72,66 @@ resource "kubernetes_pod" "fail4" { } } +#no capabilities +resource "kubernetes_pod_v1" "fail4" { + metadata { + name = "terraform-example" + } + + spec { + + container { + image = "nginx:1.7.9" + name = "example" + + security_context { + + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + #no context resource "kubernetes_pod" "fail5" { metadata { 
@@ -120,6 +187,61 @@ resource "kubernetes_pod" "fail5" { } } +#no context +resource "kubernetes_pod_v1" "fail5" { + metadata { + name = "terraform-example" + } + + spec { + + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + #doesnt drop any or net_raw resource "kubernetes_pod" "fail2" { metadata { 
@@ -216,6 +338,102 @@ resource "kubernetes_pod" "fail2" { } } +#doesnt drop any or net_raw +resource "kubernetes_pod_v1" "fail2" { + metadata { + name = "terraform-example" + } + + spec { + + container { + image = "nginx:1.7.9" + name = "example" + + security_context { + capabilities { + add = ["NET_BIND_SERVICE"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + container { + image = "nginx:1.7.9" + name = "example2" + + security_context { + capabilities { + drop = ["ALL"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + #wrong drop resource "kubernetes_pod" "fail3" { metadata { 
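Review bot: `kubernetes_pod_v1.fail2` shows that one container without a `drop` fails the whole pod, but no fixture in this file has an `init_container`, so the check's behaviour for init containers is unasserted. Init containers run with the same Linux capabilities as regular containers and are the usual place where `ALL` is not dropped because they are treated as throwaway. A fixture whose `container` drops `ALL` while an `init_container` has no `security_context` would pin the expected result; if the check only iterates `container` blocks, that fixture exposes it. The check's iteration logic is outside this hunk, so this is a coverage question rather than a confirmed miss.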
@@ -278,6 +496,68 @@ resource "kubernetes_pod" "fail3" { } +#wrong drop +resource "kubernetes_pod_v1" "fail3" { + metadata { + name = "terraform-example" + } + + spec { + + container { + image = "nginx:1.7.9" + name = "example" + + security_context { + capabilities { + drop = ["NET_BIND_SERVICE"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + resource "kubernetes_pod" "pass" { metadata { name = "terraform-example" 
@@ -355,6 +635,102 @@ resource "kubernetes_pod" "pass" { } + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + +resource "kubernetes_pod_v1" "pass" { + metadata { + name = "terraform-example" + } + + spec { + + container { + image = "nginx:1.7.9" + name = "example" + + security_context { + capabilities { + drop = ["NET_BIND_SERVICE", "ALL"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + container { + image = "nginx:1.7.9" + name = "example2" + + security_context { + capabilities { + drop = ["ALL"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] searches = ["example.com"] diff --git a/tests/terraform/checks/resource/kubernetes/example_HostPort/main.tf b/tests/terraform/checks/resource/kubernetes/example_HostPort/main.tf index bbe8e194286..68fbf3b5668 100644 --- a/tests/terraform/checks/resource/kubernetes/example_HostPort/main.tf +++ b/tests/terraform/checks/resource/kubernetes/example_HostPort/main.tf @@ -5,6 +5,13 @@ resource "kubernetes_pod" "fail2" { } } +# fails no spec +resource "kubernetes_pod_v1" "fail2" { + metadata { + name = "terraform-example" + } +} + # fails no resource resource "kubernetes_pod" "fail" { metadata { 
@@ -49,6 +56,50 @@ resource "kubernetes_pod" "fail" { } } +# fails no resource +resource "kubernetes_pod_v1" "fail" { + metadata { + name = "terraform-example" + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + host_port = 8080 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + resource "kubernetes_pod" "pass" { metadata { name = "terraform-example" @@ -98,3 +149,53 @@ resource "kubernetes_pod" "pass" { dns_policy = "None" } } + +resource "kubernetes_pod_v1" "pass" { + metadata { + name = "terraform-example" + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + resources { + limits = { + cpu = "500m" + } + + } + + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} diff --git a/tests/terraform/checks/resource/kubernetes/example_HostPort/main3.tf b/tests/terraform/checks/resource/kubernetes/example_HostPort/main3.tf index b2a4a60240b..204f11b98d4 100644 --- a/tests/terraform/checks/resource/kubernetes/example_HostPort/main3.tf +++ b/tests/terraform/checks/resource/kubernetes/example_HostPort/main3.tf 
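Review bot: The comment `# fails no resource` on `kubernetes_pod_v1.fail` is carried over from a resources fixture and misstates why it fails: the only attribute the HostPort check should key on is `host_port = 8080` in the port block. The `pass` twin then differs in two ways, no `host_port` and an added `resources { limits }`, so a regression that graded on resource limits would still be green. Dropping the `resources` block from `pass` (or adding it to `fail`) leaves `host_port` as the single difference, and `# fails: host_port set on the container port` makes the intent explicit. Both fixtures also set `host_ipc = true` and `host_pid = true`, which is fine for this check but could be mistaken for the thing under test.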
@@ -18,3 +18,24 @@ resource "kubernetes_pod" "examplePod" { } } } + +resource "kubernetes_pod_v1" "examplePod" { + metadata { + name = "terraform-example" + namespace = "default" + labels = { + test = "MyExampleApp" + } + } + + spec { + automount_service_account_token = true + security_context{ + } + selector { + match_labels = { + test = "MyExampleApp" + } + } + } +} diff --git a/tests/terraform/checks/resource/kubernetes/test_DefaultNamespace.py b/tests/terraform/checks/resource/kubernetes/test_DefaultNamespace.py index f6020d62bbd..a04c96859cb 100644 --- a/tests/terraform/checks/resource/kubernetes/test_DefaultNamespace.py +++ b/tests/terraform/checks/resource/kubernetes/test_DefaultNamespace.py @@ -31,6 +31,19 @@ def test(self): "kubernetes_role_binding.pass", "kubernetes_config_map.pass", "kubernetes_ingress.pass", + "kubernetes_pod_v1.pass", + "kubernetes_deployment_v1.pass", + "kubernetes_daemon_set_v1.pass", + "kubernetes_stateful_set_v1.pass", + "kubernetes_replication_controller_v1.pass", + "kubernetes_job_v1.pass", + "kubernetes_cron_job_v1.pass", + "kubernetes_service_v1.pass", + "kubernetes_secret_v1.pass", + "kubernetes_service_account_v1.pass", + "kubernetes_role_binding_v1.pass", + "kubernetes_config_map_v1.pass", + "kubernetes_ingress_v1.pass", } failing_resources = { 
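Review bot: `kubernetes_pod_v1.examplePod` in main3.tf appears in neither the passing nor the failing set of the test, so nothing asserts what the check does with a pod that has a spec but no `container` block. Its spec also contains `selector { match_labels }`, which is a workload-controller argument rather than a pod argument, so the fixture would not apply with the provider; if it is deliberately a malformed edge-case input for the parser path, a comment such as `# edge case: spec without containers, must not crash or be counted` would stop the next maintainer from "fixing" it. If the intent is to assert a specific non-PASS/FAIL outcome, that expectation belongs in the test file.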
@@ -48,13 +61,27 @@ def test(self): "kubernetes_role_binding.fail", "kubernetes_config_map.fail", "kubernetes_ingress.fail" + "kubernetes_pod_v1.fail", + "kubernetes_pod_v1.fail2", + "kubernetes_deployment_v1.fail", + "kubernetes_daemon_set_v1.fail", + "kubernetes_stateful_set_v1.fail", + "kubernetes_replication_controller_v1.fail", + "kubernetes_job_v1.fail", + "kubernetes_cron_job_v1.fail", + "kubernetes_service_v1.fail", + "kubernetes_secret_v1.fail", + "kubernetes_service_account_v1.fail", + "kubernetes_role_binding_v1.fail", + "kubernetes_config_map_v1.fail", + "kubernetes_ingress_v1.fail" } passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} - self.assertEqual(summary["passed"], 13) - self.assertEqual(summary["failed"], 14) + self.assertEqual(summary["passed"], 13 * 2) + self.assertEqual(summary["failed"], 14 * 2) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) diff --git a/tests/terraform/checks/resource/kubernetes/test_DefaultServiceAccount.py b/tests/terraform/checks/resource/kubernetes/test_DefaultServiceAccount.py index 4b108fdb0ea..db35db1bd8b 100644 --- a/tests/terraform/checks/resource/kubernetes/test_DefaultServiceAccount.py +++ b/tests/terraform/checks/resource/kubernetes/test_DefaultServiceAccount.py 
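Review bot: The added `"kubernetes_pod_v1.fail",` directly follows the unchanged `"kubernetes_ingress.fail"`, which has no trailing comma, so Python joins them into the single literal `"kubernetes_ingress.failkubernetes_pod_v1.fail"` and the failing set silently loses both real entries. Add the comma: `"kubernetes_ingress.fail",`. The hand-computed `13 * 2` / `14 * 2` cannot catch this; asserting `summary["failed"] == len(failing_resources)` would have flagged the 27-vs-28 mismatch, and the same implicit-concatenation pitfall is worth a grep across every multi-line list of string literals in this commit, since in a list of supported resource types it would silently drop resources from the scan. Whether the set-equality assertion further down the test catches it depends on code outside this hunk.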
@@ -20,18 +20,22 @@ def test(self): passing_resources = { "kubernetes_service_account.pass", "kubernetes_service_account.pass2", + "kubernetes_service_account_v1.pass", + "kubernetes_service_account_v1.pass2", } failing_resources = { "kubernetes_service_account.fail", "kubernetes_service_account.fail2", + "kubernetes_service_account_v1.fail", + "kubernetes_service_account_v1.fail2", } passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} - self.assertEqual(summary["passed"], 2) - self.assertEqual(summary["failed"], 2) + self.assertEqual(summary["passed"], 2 * 2) + self.assertEqual(summary["failed"], 2 * 2) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) diff --git a/tests/terraform/checks/resource/kubernetes/test_DefaultServiceAccountBinding.py b/tests/terraform/checks/resource/kubernetes/test_DefaultServiceAccountBinding.py index 89cc7cd8948..ed4f316a958 100644 --- a/tests/terraform/checks/resource/kubernetes/test_DefaultServiceAccountBinding.py +++ b/tests/terraform/checks/resource/kubernetes/test_DefaultServiceAccountBinding.py @@ -20,18 +20,22 @@ def test(self): passing_resources = { "kubernetes_cluster_role_binding.pass", "kubernetes_role_binding.pass", + "kubernetes_cluster_role_binding_v1.pass", + "kubernetes_role_binding_v1.pass", } failing_resources = { "kubernetes_cluster_role_binding.fail", "kubernetes_role_binding.fail", + "kubernetes_cluster_role_binding_v1.fail", + "kubernetes_role_binding_v1.fail", } passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} - self.assertEqual(summary["passed"], 2) - self.assertEqual(summary["failed"], 2) + self.assertEqual(summary["passed"], 2 * 2) + self.assertEqual(summary["failed"], 2 * 2) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) 
diff --git a/tests/terraform/checks/resource/kubernetes/test_DockerSocketVolume.py b/tests/terraform/checks/resource/kubernetes/test_DockerSocketVolume.py index 5334516f117..6e4068185e8 100644 --- a/tests/terraform/checks/resource/kubernetes/test_DockerSocketVolume.py +++ b/tests/terraform/checks/resource/kubernetes/test_DockerSocketVolume.py @@ -21,19 +21,25 @@ def test(self): "kubernetes_pod.pass", "kubernetes_deployment.pass", "kubernetes_daemonset.pass", + "kubernetes_pod_v1.pass", + "kubernetes_deployment_v1.pass", + "kubernetes_daemon_set_v1.pass", } failing_resources = { "kubernetes_pod.fail", "kubernetes_deployment.fail", "kubernetes_daemonset.fail", + "kubernetes_pod_v1.fail", + "kubernetes_deployment_v1.fail", + "kubernetes_daemon_set_v1.fail", } passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} - self.assertEqual(summary["passed"], 3) - self.assertEqual(summary["failed"], 3) + self.assertEqual(summary["passed"], 3 * 2) + self.assertEqual(summary["failed"], 3 * 2) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) diff --git a/tests/terraform/checks/resource/kubernetes/test_DropCapabilities.py b/tests/terraform/checks/resource/kubernetes/test_DropCapabilities.py index 71b069cec10..ec596ef32ba 100644 --- a/tests/terraform/checks/resource/kubernetes/test_DropCapabilities.py +++ b/tests/terraform/checks/resource/kubernetes/test_DropCapabilities.py @@ -19,6 +19,7 @@ def test(self): passing_resources = { "kubernetes_pod.pass", + "kubernetes_pod_v1.pass", } failing_resources = { 
@@ -27,13 +28,18 @@ def test(self): "kubernetes_pod.fail3", "kubernetes_pod.fail4", "kubernetes_pod.fail5", + "kubernetes_pod_v1.fail", + "kubernetes_pod_v1.fail2", + "kubernetes_pod_v1.fail3", + "kubernetes_pod_v1.fail4", + "kubernetes_pod_v1.fail5", } passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} - self.assertEqual(summary["passed"], 1) - self.assertEqual(summary["failed"], 5) + self.assertEqual(summary["passed"], 1 * 2) + self.assertEqual(summary["failed"], 5 * 2) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) diff --git a/tests/terraform/checks/resource/kubernetes/test_HostPort.py b/tests/terraform/checks/resource/kubernetes/test_HostPort.py index 9d38dca0764..6dfe28fb054 100644 --- a/tests/terraform/checks/resource/kubernetes/test_HostPort.py +++ b/tests/terraform/checks/resource/kubernetes/test_HostPort.py @@ -19,18 +19,21 @@ def test(self): passing_resources = { "kubernetes_pod.pass", + "kubernetes_pod_v1.pass", } failing_resources = { "kubernetes_pod.fail", "kubernetes_pod.fail2", + "kubernetes_pod_v1.fail", + "kubernetes_pod_v1.fail2", } passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} - self.assertEqual(summary["passed"], 1) - self.assertEqual(summary["failed"], 2) + self.assertEqual(summary["passed"], 1 * 2) + self.assertEqual(summary["failed"], 2 * 2) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0)