From 70b8df15f0947a30a71cf22a9d087a6039fb4fc4 Mon Sep 17 00:00:00 2001 From: Ulrich Grave Date: Tue, 18 Oct 2022 18:07:48 +0200 Subject: [PATCH] Include pods of kubernetes_deployment in kubernetes_pod checks (1/4) --- .../kubernetes/AllowPrivilegeEscalation.py | 15 +- .../kubernetes/AllowedCapabilities.py | 16 +- .../kubernetes/AllowedCapabilitiesSysAdmin.py | 15 +- .../checks/resource/kubernetes/CPULimits.py | 18 +- .../checks/resource/kubernetes/CPURequests.py | 18 +- .../kubernetes/ContainerSecurityContext.py | 15 +- .../example_AllowPrivilegeEscalation/main.tf | 953 +++++++++++++++++- .../example_AllowedCapabilities/main.tf | 777 ++++++++++++++ .../main.tf | 787 ++++++++++++++- .../kubernetes/example_CPULimits/main.tf | 669 +++++++++++- .../kubernetes/example_CPURequests/main.tf | 569 +++++++++++ .../kubernetes/example_CPURequests/main2.tf | 564 +++++++++++ .../kubernetes/example_CPURequests/main3.tf | 77 ++ .../example_ContainerSecurityContext/main.tf | 359 +++++++ .../test_AllowPrivilegeEscalation.py | 10 +- .../kubernetes/test_AllowedCapabilities.py | 10 +- .../test_AllowedCapabilitiesSysAdmin.py | 10 +- .../resource/kubernetes/test_CPULimits.py | 14 +- .../resource/kubernetes/test_CPURequests.py | 16 +- .../test_ContainerSecurityContext.py | 8 +- 20 files changed, 4855 insertions(+), 65 deletions(-) diff --git a/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py b/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py index d63f3ab2aff..7703c739fc6 100644 --- a/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py +++ b/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py 
@@ -14,7 +14,8 @@ def __init__(self): name = "Containers should not run with allowPrivilegeEscalation" id = "CKV_K8S_20" - supported_resources = ['kubernetes_pod', 'kubernetes_pod_v1'] + supported_resources = ['kubernetes_pod', 'kubernetes_pod_v1', + 'kubernetes_deployment', 'kubernetes_deployment_v1'] categories = [CheckCategories.GENERAL_SECURITY] super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) @@ -24,6 +25,16 @@ def scan_resource_conf(self, conf) -> CheckResult: return CheckResult.UNKNOWN spec = spec_list[0] if spec: + evaluated_keys_path = "spec" + + template = spec.get("template") + if template and isinstance(template, list): + template = template[0] + template_spec = template.get("spec") + if template_spec and isinstance(template_spec, list): + spec = template_spec[0] + evaluated_keys_path = f'{evaluated_keys_path}/[0]/template/[0]/spec' + containers = spec.get("container") if not containers: return CheckResult.UNKNOWN @@ -34,7 +45,7 @@ def scan_resource_conf(self, conf) -> CheckResult: context = container.get("security_context")[0] if context.get("allow_privilege_escalation"): if context.get("allow_privilege_escalation") == [True]: - self.evaluated_keys = [f'spec/[0]/container/[{idx}]/security_context/[0]/' + self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]/security_context/[0]/' f'allow_privilege_escalation'] return CheckResult.FAILED return CheckResult.PASSED diff --git a/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py b/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py index e1aaf71b7ba..0e0011f4ac2 100644 --- a/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py +++ b/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py 
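Review bot: The template unwrapping in the second hunk verifies that `template` and `template_spec` are lists but not that their first element is a dict, so `template[0].get("spec")` — and the later `spec.get("container")` once `spec` has been rebound to `template_spec[0]` — raises AttributeError if the parsed value is something other than a list of block dicts (an expression reference, presumably); the neighbouring checks guard with `isinstance(spec, dict)` and `type(container) != dict`, and the same belongs here: `if template and isinstance(template, list) and isinstance(template[0], dict):` and `if template_spec and isinstance(template_spec, list) and isinstance(template_spec[0], dict):`. The identical ten-line block is pasted into AllowedCapabilities.py, AllowedCapabilitiesSysAdmin.py, CPULimits.py, CPURequests.py and ContainerSecurityContext.py in this commit, and the subject announces three more commits of the series; a single shared helper returning the pod spec together with its evaluated-keys prefix (`spec` or `spec/[0]/template/[0]/spec`) would keep the guard and the path in one place. scan_resource_conf starts before the second hunk and is cut between the hunks shown.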
@@ -12,12 +12,23 @@ def __init__(self): id = "CKV_K8S_25" - supported_resources = ['kubernetes_pod', 'kubernetes_pod_v1'] + supported_resources = ['kubernetes_pod', 'kubernetes_pod_v1', + 'kubernetes_deployment', 'kubernetes_deployment_v1'] categories = [CheckCategories.GENERAL_SECURITY] super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) def scan_resource_conf(self, conf) -> CheckResult: spec = conf.get('spec', [None])[0] + evaluated_keys_path = "spec" + + template = spec.get("template") + if template and isinstance(template, list): + template = template[0] + template_spec = template.get("spec") + if template_spec and isinstance(template_spec, list): + spec = template_spec[0] + evaluated_keys_path = f'{evaluated_keys_path}/[0]/template/[0]/spec' + if isinstance(spec, dict) and spec.get("container"): containers = spec.get("container") @@ -31,8 +42,9 @@ def scan_resource_conf(self, conf) -> CheckResult: if capabilities.get("add"): add = capabilities.get("add")[0] if add: - self.evaluated_keys = [f'spec/[0]/container/[{idx}]/' + self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]/' f'security_context/[0]/capabilities/add'] + return CheckResult.FAILED return CheckResult.PASSED diff --git a/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py b/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py index 9663b10da7d..56c28c0f914 100644 --- a/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py +++ b/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py 
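Review bot: `spec.get("template")` now runs before the `isinstance(spec, dict)` guard that follows it, so a resource without a `spec` block — where `conf.get('spec', [None])[0]` yields None — raises AttributeError instead of falling through to the final `return CheckResult.PASSED` as it did before; the AllowedCapabilitiesSysAdmin.py and ContainerSecurityContext.py hunks have the same ordering. Either write `template = spec.get("template") if isinstance(spec, dict) else None` or move the unwrapping inside the existing `if isinstance(spec, dict)` branch. The `unknown_2` deployments added to the AllowPrivilegeEscalation fixture (no `spec` block at all) are exactly this input, and the AllowedCapabilities fixture hunks in this commit add no equivalent resource, so the regression is not exercised by the tests here; whether the check runner converts such an exception into a result or aborts the scan is not visible in this excerpt. scan_resource_conf continues past the hunk.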
@@ -10,12 +10,23 @@ def __init__(self): # https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ id = "CKV_K8S_39" - supported_resources = ['kubernetes_pod', 'kubernetes_pod_v1'] + supported_resources = ['kubernetes_pod', 'kubernetes_pod_v1', + 'kubernetes_deployment', 'kubernetes_deployment_v1'] categories = [CheckCategories.GENERAL_SECURITY] super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) def scan_resource_conf(self, conf) -> CheckResult: spec = conf.get('spec', [None])[0] + evaluated_keys_path = "spec" + + template = spec.get("template") + if template and isinstance(template, list): + template = template[0] + template_spec = template.get("spec") + if template_spec and isinstance(template_spec, list): + spec = template_spec[0] + evaluated_keys_path = f'{evaluated_keys_path}/[0]/template/[0]/spec' + if isinstance(spec, dict) and spec.get("container"): containers = spec.get("container") @@ -29,7 +40,7 @@ def scan_resource_conf(self, conf) -> CheckResult: if capabilities.get("add") and isinstance(capabilities.get("add"), list): add = capabilities.get("add")[0] if "SYS_ADMIN" in add: - self.evaluated_keys = [f'spec/[0]/container/[{idx}]/' + self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]/' f'security_context/[0]/capabilities/add'] return CheckResult.FAILED return CheckResult.PASSED diff --git a/checkov/terraform/checks/resource/kubernetes/CPULimits.py b/checkov/terraform/checks/resource/kubernetes/CPULimits.py index a0d5db8b851..597d61662f3 100644 --- a/checkov/terraform/checks/resource/kubernetes/CPULimits.py +++ b/checkov/terraform/checks/resource/kubernetes/CPULimits.py 
@@ -10,7 +10,8 @@ class CPULimits(BaseResourceCheck): def __init__(self) -> None: name = "CPU Limits should be set" id = "CKV_K8S_11" - supported_resources = ["kubernetes_pod", "kubernetes_pod_v1"] + supported_resources = ['kubernetes_pod', 'kubernetes_pod_v1', + 'kubernetes_deployment', 'kubernetes_deployment_v1'] categories = [CheckCategories.GENERAL_SECURITY] super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) @@ -19,6 +20,15 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: self.evaluated_keys = [""] return CheckResult.FAILED spec = conf['spec'][0] + evaluated_keys_path = "spec" + + template = spec.get("template") + if template and isinstance(template, list): + template = template[0] + template_spec = template.get("spec") + if template_spec and isinstance(template_spec, list): + spec = template_spec[0] + evaluated_keys_path = f'{evaluated_keys_path}/[0]/template/[0]/spec' containers = spec.get("container") if not containers: @@ -32,11 +42,11 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: limits = resources.get('limits')[0] if isinstance(limits, dict) and limits.get('cpu'): return CheckResult.PASSED - self.evaluated_keys = [f'spec/[0]/container/[{idx}]/resources/[0]/limits'] + self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]/resources/[0]/limits'] return CheckResult.FAILED - self.evaluated_keys = [f'spec/[0]/container/[{idx}]/resources'] + self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]/resources'] return CheckResult.FAILED - self.evaluated_keys = [f'spec/[0]/container/[{idx}]'] + self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]'] return CheckResult.FAILED return CheckResult.PASSED diff --git a/checkov/terraform/checks/resource/kubernetes/CPURequests.py b/checkov/terraform/checks/resource/kubernetes/CPURequests.py index e032dac30b8..8e07780ae68 100644 
--- a/checkov/terraform/checks/resource/kubernetes/CPURequests.py +++ b/checkov/terraform/checks/resource/kubernetes/CPURequests.py @@ -6,7 +6,8 @@ class CPURequests(BaseResourceCheck): def __init__(self): name = "CPU requests should be set" id = "CKV_K8S_10" - supported_resources = ["kubernetes_pod", "kubernetes_pod_v1"] + supported_resources = ['kubernetes_pod', 'kubernetes_pod_v1', + 'kubernetes_deployment', 'kubernetes_deployment_v1'] categories = [CheckCategories.GENERAL_SECURITY] super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) @@ -15,6 +16,15 @@ def scan_resource_conf(self, conf) -> CheckResult: self.evaluated_keys = [""] return CheckResult.FAILED spec = conf['spec'][0] + evaluated_keys_path = "spec" + + template = spec.get("template") + if template and isinstance(template, list): + template = template[0] + template_spec = template.get("spec") + if template_spec and isinstance(template_spec, list): + spec = template_spec[0] + evaluated_keys_path = f'{evaluated_keys_path}/[0]/template/[0]/spec' containers = spec.get("container") if containers is None: @@ -28,11 +38,11 @@ def scan_resource_conf(self, conf) -> CheckResult: limits = resources.get('requests')[0] if isinstance(limits, dict) and limits.get('cpu'): return CheckResult.PASSED - self.evaluated_keys = [f'spec/[0]/container/[{idx}]/resources/[0]/requests'] + self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]/resources/[0]/requests'] return CheckResult.FAILED - self.evaluated_keys = [f'spec/[0]/container/[{idx}]/resources'] + self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]/resources'] return CheckResult.FAILED - self.evaluated_keys = [f'spec/[0]/container/[{idx}]'] + self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]'] return CheckResult.FAILED return CheckResult.PASSED 
diff --git a/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py b/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py index b280d368240..15d5c2c0836 100644 --- a/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py +++ b/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py @@ -11,12 +11,23 @@ def __init__(self): # Location: container .securityContext id = "CKV_K8S_30" - supported_resources = ['kubernetes_pod', 'kubernetes_pod_v1'] + supported_resources = ['kubernetes_pod', 'kubernetes_pod_v1', + 'kubernetes_deployment', 'kubernetes_deployment_v1'] categories = [CheckCategories.GENERAL_SECURITY] super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) def scan_resource_conf(self, conf) -> CheckResult: spec = conf.get('spec', [None])[0] + evaluated_keys_path = "spec" + + template = spec.get("template") + if template and isinstance(template, list): + template = template[0] + template_spec = template.get("spec") + if template_spec and isinstance(template_spec, list): + spec = template_spec[0] + evaluated_keys_path = f'{evaluated_keys_path}/[0]/template/[0]/spec' + if isinstance(spec, dict) and spec.get("container"): containers = spec.get("container") @@ -24,7 +35,7 @@ def scan_resource_conf(self, conf) -> CheckResult: if type(container) != dict: return CheckResult.UNKNOWN if not container.get("security_context"): - self.evaluated_keys = [f'spec/[0]/container/[{idx}]/security_context'] + self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]/security_context'] return CheckResult.FAILED return CheckResult.PASSED diff --git a/tests/terraform/checks/resource/kubernetes/example_AllowPrivilegeEscalation/main.tf b/tests/terraform/checks/resource/kubernetes/example_AllowPrivilegeEscalation/main.tf index d890910e93f..55c80987f29 100644 --- a/tests/terraform/checks/resource/kubernetes/example_AllowPrivilegeEscalation/main.tf 
+++ b/tests/terraform/checks/resource/kubernetes/example_AllowPrivilegeEscalation/main.tf @@ -92,7 +92,6 @@ resource "kubernetes_pod" "unknown" { } } - #ignore as old tf resource "kubernetes_pod_v1" "unknown" { metadata { 
@@ -187,6 +186,233 @@ resource "kubernetes_pod_v1" "unknown" { } } +#ignore as old tf +resource "kubernetes_deployment" "unknown" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container = [ + { + image = "nginx:1.7.9" + name = "example22" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + }, + { + image = "nginx:1.7.9" + name = "example22222" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +#ignore as old tf +resource "kubernetes_deployment_v1" "unknown" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container = [ + { + image = "nginx:1.7.9" + name = "example22" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + 
http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + }, + { + image = "nginx:1.7.9" + name = "example22222" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} resource "kubernetes_pod" "fail" { metadata { 
@@ -371,6 +597,230 @@ resource "kubernetes_pod_v1" "fail" { } } +resource "kubernetes_deployment" "fail" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example22" + + security_context { + privileged = true + allow_privilege_escalation = true + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + container { + image = "nginx:1.7.9" + name = "example22222" + + security_context { + privileged = true + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +resource "kubernetes_deployment_v1" "fail" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example22" + + security_context { + privileged = true + allow_privilege_escalation = true + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = 
"/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + container { + image = "nginx:1.7.9" + name = "example22222" + + security_context { + privileged = true + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + #not set resource "kubernetes_pod" "pass" { 
@@ -554,6 +1004,228 @@ resource "kubernetes_pod_v1" "pass" { } } +resource "kubernetes_deployment" "pass" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example22" + + security_context { + privileged = false + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + container { + image = "nginx:1.7.9" + name = "example22222" + + security_context { + privileged = false + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +resource "kubernetes_deployment_v1" "pass" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example22" + + security_context { + privileged = false + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = 
"X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + container { + image = "nginx:1.7.9" + name = "example22222" + + security_context { + privileged = false + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + #set to false resource "kubernetes_pod" "pass2" { metadata { 
@@ -676,6 +1348,167 @@ resource "kubernetes_pod_v1" "pass2" { } } +resource "kubernetes_deployment" "pass2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example22" + + security_context { + privileged = false + allow_privilege_escalation = false + } + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +resource "kubernetes_deployment_v1" "pass2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example22" + + security_context { + privileged = false + allow_privilege_escalation = false + } + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} resource 
"kubernetes_pod" "unknown_2" { metadata { @@ -689,3 +1522,121 @@ resource "kubernetes_pod_v1" "unknown_2" { name = "terraform-example" } } + +resource "kubernetes_deployment" "unknown_2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + +} + +resource "kubernetes_deployment_v1" "unknown_2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + +} + +resource "kubernetes_deployment" "unknown_3" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + } + +} + +resource "kubernetes_deployment_v1" "unknown_3" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + } + +} + +resource "kubernetes_deployment" "unknown_4" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + } + } + +} + +resource "kubernetes_deployment_v1" "unknown_4" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + } + } + +} diff --git a/tests/terraform/checks/resource/kubernetes/example_AllowedCapabilities/main.tf b/tests/terraform/checks/resource/kubernetes/example_AllowedCapabilities/main.tf index 99a1d58d306..03f2e4cedcf 100644 --- a/tests/terraform/checks/resource/kubernetes/example_AllowedCapabilities/main.tf +++ b/tests/terraform/checks/resource/kubernetes/example_AllowedCapabilities/main.tf 
@@ -184,6 +184,232 @@ resource "kubernetes_pod_v1" "ignore" { } } +resource "kubernetes_deployment" "ignore" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container = [ + { + image = "nginx:1.7.9" + name = "example22" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + }, + { + image = "nginx:1.7.9" + name = "example22222" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +resource "kubernetes_deployment_v1" "ignore" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container = [ + { + image = "nginx:1.7.9" + name = "example22" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 
80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + }, + { + image = "nginx:1.7.9" + name = "example22222" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + resource "kubernetes_pod" "fail" { metadata { name = "terraform-example" 
@@ -376,6 +602,239 @@ resource "kubernetes_pod_v1" "fail" { } } +resource "kubernetes_deployment" "fail" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example22" + + security_context { + capabilities { + add = ["NET_BIND_SERVICE"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + container { + image = "nginx:1.7.9" + name = "example22222" + + security_context { + capabilities { + add = ["NET_BIND_SERVICE"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +resource "kubernetes_deployment_v1" "fail" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example22" + + security_context { + capabilities { + add = ["NET_BIND_SERVICE"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { 
+ http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + container { + image = "nginx:1.7.9" + name = "example22222" + + security_context { + capabilities { + add = ["NET_BIND_SERVICE"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} resource "kubernetes_pod" "pass2" { metadata { 
@@ -495,6 +954,166 @@ resource "kubernetes_pod_v1" "pass2" { } } +resource "kubernetes_deployment" "pass2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example22" + + security_context { + capabilities { + add = [] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +resource "kubernetes_deployment_v1" "pass2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example22" + + security_context { + capabilities { + add = [] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + resource "kubernetes_pod" "pass" { metadata { name = 
"terraform-example" @@ -610,3 +1229,161 @@ resource "kubernetes_pod_v1" "pass" { dns_policy = "None" } } + +resource "kubernetes_deployment" "pass" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example22" + + security_context { + capabilities { + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +resource "kubernetes_deployment_v1" "pass" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example22" + + security_context { + capabilities { + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} 
diff --git a/tests/terraform/checks/resource/kubernetes/example_AllowedCapabilitiesSysAdmin/main.tf b/tests/terraform/checks/resource/kubernetes/example_AllowedCapabilitiesSysAdmin/main.tf index 5989dca1b7f..f883478d63c 100644 --- a/tests/terraform/checks/resource/kubernetes/example_AllowedCapabilitiesSysAdmin/main.tf +++ b/tests/terraform/checks/resource/kubernetes/example_AllowedCapabilitiesSysAdmin/main.tf 
@@ -185,6 +185,234 @@ resource "kubernetes_pod_v1" "ignore" { } } +resource "kubernetes_deployment" "ignore" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container = [ + { + image = "nginx:1.7.9" + name = "example22" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + , + { + image = "nginx:1.7.9" + name = "example22222" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +resource "kubernetes_deployment_v1" "ignore" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container = [ + { + image = "nginx:1.7.9" + name = "example22" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + 
port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + , + { + image = "nginx:1.7.9" + name = "example22222" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + resource "kubernetes_pod" "fail" { metadata { 
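Review bot: The new `kubernetes_deployment` / `kubernetes_deployment_v1` "ignore" fixtures write the containers as an attribute list (`container = [ { … } ]`) with `security_context = { privileged = true }`, and nothing in the fixture says why these resources are expected to be ignored rather than failed. If the intent is that the check does not evaluate attribute-form containers, that is a detection gap (a privileged container written this way would not be reported) and deserves an explicit marker, e.g. `# ignore: attribute-style container list is not evaluated by the check (known gap)` above each resource. The pod "ignore" fixtures these mirror are outside the hunk, so I cannot tell whether they already carry such a note; if not, it belongs there as well.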
@@ -379,63 +607,235 @@ resource "kubernetes_pod_v1" "fail" { } } - -resource "kubernetes_pod" "pass2" { +resource "kubernetes_deployment" "fail" { metadata { name = "terraform-example" + labels = { + k8s-app = "nginx" + } } spec { - container { - image = "nginx:1.7.9" - name = "example22" + replicas = 3 - security_context { - capabilities { - add = [] - } + selector { + match_labels = { + k8s-app = "nginx" } + } - env { - name = "environment" - value = "test" + template { + metadata { + labels = { + k8s-app = "nginx" + } } - port { - container_port = 8080 - } + spec { + container { + image = "nginx:1.7.9" + name = "example22" - liveness_probe { - http_get { - path = "/nginx_status" - port = 80 + security_context { + capabilities { + add = ["SYS_ADMIN"] + } + } - http_header { - name = "X-Custom-Header" - value = "Awesome" + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 } } - initial_delay_seconds = 3 - period_seconds = 3 + container { + image = "nginx:1.7.9" + name = "example22222" + + security_context { + capabilities { + add = ["NET_BIND_SERVICE"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" } } + } +} - dns_config { - nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] - searches = ["example.com"] +resource "kubernetes_deployment_v1" "fail" { + metadata { + name = 
"terraform-example" + labels = { + k8s-app = "nginx" + } + } - option { - name = "ndots" - value = 1 - } + spec { + replicas = 3 - option { - name = "use-vc" + selector { + match_labels = { + k8s-app = "nginx" } } - dns_policy = "None" + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example22" + + security_context { + capabilities { + add = ["SYS_ADMIN"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + container { + image = "nginx:1.7.9" + name = "example22222" + + security_context { + capabilities { + add = ["NET_BIND_SERVICE"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } } } @@ -499,6 +899,7 @@ resource "kubernetes_pod" "pass2" { } } + resource "kubernetes_pod_v1" "pass2" { metadata { name = "terraform-example" 
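Review bot: This hunk appears to remove `resource "kubernetes_pod" "pass2"` from the file: its header and body show up only as `-` lines while the `+` lines add the two deployment "fail" resources, and no `+resource "kubernetes_pod" "pass2"` reappears anywhere in view (the following `@@ -499,6 +899,7 @@` header still names it only because hunk headers are taken from the old file). If the pod pass2 fixture is meant to stay, it needs to be re-added; if it is deliberately dropped, the expected pass/fail resource lists in the matching test file must change with it. Please confirm by checking the new file for the pod pass2 resource.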
@@ -558,6 +959,166 @@ resource "kubernetes_pod_v1" "pass2" { } } +resource "kubernetes_deployment" "pass2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example22" + + security_context { + capabilities { + add = [] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +resource "kubernetes_deployment_v1" "pass2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example22" + + security_context { + capabilities { + add = [] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + resource "kubernetes_pod" "pass" { metadata { name = 
"terraform-example" @@ -673,3 +1234,161 @@ resource "kubernetes_pod_v1" "pass" { dns_policy = "None" } } + +resource "kubernetes_deployment" "pass" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example22" + + security_context { + capabilities { + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +resource "kubernetes_deployment_v1" "pass" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example22" + + security_context { + capabilities { + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} 
diff --git a/tests/terraform/checks/resource/kubernetes/example_CPULimits/main.tf b/tests/terraform/checks/resource/kubernetes/example_CPULimits/main.tf index b4af077a766..a50fc7cb470 100644 --- a/tests/terraform/checks/resource/kubernetes/example_CPULimits/main.tf +++ b/tests/terraform/checks/resource/kubernetes/example_CPULimits/main.tf @@ -5,7 +5,6 @@ resource "kubernetes_pod" "fail2" { } } - # fails no spec resource "kubernetes_pod_v1" "fail2" { metadata { @@ -13,6 +12,27 @@ resource "kubernetes_pod_v1" "fail2" { } } +# fails no spec +resource "kubernetes_deployment" "fail2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } +} + +# fails no spec +resource "kubernetes_deployment_v1" "fail2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } +} + + # fails no resource resource "kubernetes_pod" "fail3" { metadata { 
@@ -99,6 +119,135 @@ resource "kubernetes_pod_v1" "fail3" { } } +# fails no resource +resource "kubernetes_deployment" "fail3" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +# fails no resource +resource "kubernetes_deployment_v1" "fail3" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + + # fails no limits resource "kubernetes_pod" "fail" { metadata { 
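Review bot: The new CPULimits `fail3` deployment fixtures set `host_ipc = true` and `host_pid = true` in the pod template, which has nothing to do with the CPU limits being tested; the same two lines recur in every deployment fixture added to the CPULimits and CPURequests example files in this patch (fail, fail4, pass, unknown, and the main2.tf hunks). They presumably mirror the existing pod fixtures, but in a `pass` fixture they make a host-namespace-sharing pod read like an acceptable example and would trip unrelated checks if the directory were ever scanned more broadly. Suggest dropping both lines from the deployment fixtures, or marking them `# host_ipc/host_pid are irrelevant to this check; kept to mirror the pod fixtures`.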
@@ -193,6 +342,143 @@ resource "kubernetes_pod_v1" "fail" { } } +# fails no limits +resource "kubernetes_deployment" "fail" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + resources { + + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +# fails no limits +resource "kubernetes_deployment_v1" "fail" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + resources { + + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + + # fails no cpu limit resource "kubernetes_pod" "fail4" { metadata { @@ -242,7 +528,6 @@ resource "kubernetes_pod" "fail4" { } } - # fails no cpu limit resource "kubernetes_pod_v1" "fail4" { metadata { 
@@ -292,6 +577,147 @@ resource "kubernetes_pod_v1" "fail4" { } } +# fails no cpu limit +resource "kubernetes_deployment" "fail4" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + resources { + limits = { + memory = "1Gi" + } + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +# fails no cpu limit +resource "kubernetes_deployment_v1" "fail4" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + resources { + limits = { + memory = "1Gi" + } + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + + resource "kubernetes_pod" "pass" { metadata { name = "terraform-example" 
@@ -392,6 +818,149 @@ resource "kubernetes_pod_v1" "pass" { } } +resource "kubernetes_deployment" "pass" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + resources { + limits = { + cpu = "500m" + } + + } + + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +resource "kubernetes_deployment_v1" "pass" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + resources { + limits = { + cpu = "500m" + } + + } + + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + + resource "kubernetes_pod" "unknown" { metadata { name = "terraform-example" 
@@ -445,3 +1014,99 @@ resource "kubernetes_pod_v1" "unknown" { dns_policy = "None" } } + +resource "kubernetes_deployment" "unknown" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +resource "kubernetes_deployment_v1" "unknown" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} diff --git a/tests/terraform/checks/resource/kubernetes/example_CPURequests/main.tf b/tests/terraform/checks/resource/kubernetes/example_CPURequests/main.tf index ead03ba4bdb..f5258b2f1fe 100644 --- a/tests/terraform/checks/resource/kubernetes/example_CPURequests/main.tf +++ b/tests/terraform/checks/resource/kubernetes/example_CPURequests/main.tf @@ -12,6 +12,27 @@ resource "kubernetes_pod_v1" "fail2" { } } +# fails no spec +resource "kubernetes_deployment" "fail2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } +} + +# fails no spec +resource "kubernetes_deployment_v1" "fail2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } +} + + # fails no resource resource "kubernetes_pod" "fail3" { metadata { 
@@ -98,6 +119,134 @@ resource "kubernetes_pod_v1" "fail3" { } } +# fails no resource +resource "kubernetes_deployment" "fail3" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +# fails no resource +resource "kubernetes_deployment_v1" "fail3" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + # fails no requests resource "kubernetes_pod" "fail" { 
@@ -193,6 +342,143 @@ resource "kubernetes_pod_v1" "fail" { } } +# fails no requests +resource "kubernetes_deployment" "fail" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + resources { + + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +# fails no requests +resource "kubernetes_deployment_v1" "fail" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + resources { + + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + + # fails no cpu limit resource "kubernetes_pod" "fail4" { metadata { 
@@ -291,6 +577,147 @@ resource "kubernetes_pod_v1" "fail4" { } } +# fails no cpu limit +resource "kubernetes_deployment" "fail4" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + resources { + requests = { + memory = "1Gi" + } + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +# fails no cpu limit +resource "kubernetes_deployment_v1" "fail4" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + resources { + requests = { + memory = "1Gi" + } + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + + resource "kubernetes_pod" "pass" { metadata { name = "terraform-example" 
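Review bot: The comment above the new `kubernetes_deployment` and `kubernetes_deployment_v1` `fail4` resources reads `# fails no cpu limit`, but this is the CPURequests fixture and the container sets `requests = { memory = "1Gi" }`, so the resource fails because there is no CPU request, not a limit. Suggest `# fails no cpu request` for both new comments. The same wording is added in the fail4 hunk of example_CPURequests/main2.tf, and the existing pod fail4 comments visible as context carry the same copy-paste wording.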
@@ -390,3 +817,145 @@ resource "kubernetes_pod_v1" "pass" { dns_policy = "None" } } + +resource "kubernetes_deployment" "pass" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + resources { + requests = { + cpu = "500m" + } + + } + + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +resource "kubernetes_deployment_v1" "pass" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + resources { + requests = { + cpu = "500m" + } + + } + + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} diff --git a/tests/terraform/checks/resource/kubernetes/example_CPURequests/main2.tf b/tests/terraform/checks/resource/kubernetes/example_CPURequests/main2.tf index 23513ace83d..6769479b99f 100644 --- a/tests/terraform/checks/resource/kubernetes/example_CPURequests/main2.tf +++ b/tests/terraform/checks/resource/kubernetes/example_CPURequests/main2.tf 
@@ -12,6 +12,27 @@ resource "kubernetes_pod_v1" "fail2" { } } +# fails no spec +resource "kubernetes_deployment" "fail2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } +} + +# fails no spec +resource "kubernetes_deployment_v1" "fail2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } +} + + # fails no resource resource "kubernetes_pod" "fail3" { metadata { 
@@ -98,6 +119,135 @@ resource "kubernetes_pod_v1" "fail3" { } } +# fails no resource +resource "kubernetes_deployment" "fail3" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +# fails no resource +resource "kubernetes_deployment_v1" "fail3" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + + # fails no requests resource "kubernetes_pod" "fail" { metadata { 
@@ -192,6 +342,142 @@ resource "kubernetes_pod_v1" "fail" { } } +# fails no requests +resource "kubernetes_deployment" "fail" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + resources { + + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +# fails no requests +resource "kubernetes_deployment_v1" "fail" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + resources { + + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + # fails no cpu limit resource "kubernetes_pod" "fail4" { 
@@ -291,6 +577,146 @@ resource "kubernetes_pod_v1" "fail4" { } } +# fails no cpu limit +resource "kubernetes_deployment" "fail4" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + resources { + requests = { + memory = "1Gi" + } + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +# fails no cpu limit +resource "kubernetes_deployment_v1" "fail4" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + resources { + requests = { + memory = "1Gi" + } + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + resource "kubernetes_pod" "fail5" { metadata { 
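Review bot: The header comment `# fails no cpu limit` on both new `fail4` deployments does not describe what the fixture exercises: the only resource attribute is `requests = { memory = "1Gi" }`, so it is a CPU request that is missing, and this fixture set appears to belong to example_CPURequests (the next file header in the patch is example_CPURequests/main3.tf and the hunk sizes add up to that file's 564 insertions). The wording looks copied from the pod fixture above, so the same mismatch is probably present there as well. Suggest `# fails no cpu request` for the two new resources so the fixture documents the condition the check actually reports.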
@@ -387,3 +813,141 @@ resource "kubernetes_pod_v1" "fail5" { dns_policy = "None" } } + +resource "kubernetes_deployment" "fail5" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + resources { + requests = "x" + + } + + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +resource "kubernetes_deployment_v1" "fail5" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + resources { + requests = "x" + + } + + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} \ No newline at end of file diff --git a/tests/terraform/checks/resource/kubernetes/example_CPURequests/main3.tf b/tests/terraform/checks/resource/kubernetes/example_CPURequests/main3.tf index 204f11b98d4..5ab50b7f5f3 100644 --- a/tests/terraform/checks/resource/kubernetes/example_CPURequests/main3.tf +++ b/tests/terraform/checks/resource/kubernetes/example_CPURequests/main3.tf 
@@ -39,3 +39,80 @@ resource "kubernetes_pod_v1" "examplePod" { } } } + +resource "kubernetes_deployment" "examplePod" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + automount_service_account_token = true + security_context { + } + selector { + match_labels = { + test = "MyExampleApp" + } + } + } + } + } +} + +resource "kubernetes_deployment_v1" "examplePod" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + automount_service_account_token = true + security_context { + } + selector { + match_labels = { + test = "MyExampleApp" + } + } + } + } + } +} + diff --git a/tests/terraform/checks/resource/kubernetes/example_ContainerSecurityContext/main.tf b/tests/terraform/checks/resource/kubernetes/example_ContainerSecurityContext/main.tf index 5a95502b411..a76ad2d88cb 100644 --- a/tests/terraform/checks/resource/kubernetes/example_ContainerSecurityContext/main.tf +++ b/tests/terraform/checks/resource/kubernetes/example_ContainerSecurityContext/main.tf 
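Review bot: Both `examplePod` deployments place a `selector { match_labels = ... }` block inside the pod template `spec`, where the kubernetes provider has no such attribute — the selector belongs to the deployment `spec`, which already carries one. Checkov's HCL parser will not object, but the fixture would not pass `terraform validate`, so it no longer documents a realistic configuration; dropping the inner block keeps the intent (a template spec with an empty `security_context` and no container). Because there is no `container` block, a check that looks up containers the way the pod checks do would presumably return UNKNOWN for these two resources, which the passed/failed summary assertions never observe; if that is the intended coverage, a comment such as `# no container -> not counted in passed/failed` above each resource would make it explicit.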
@@ -167,6 +167,217 @@ resource "kubernetes_pod_v1" "fail" { } } + +resource "kubernetes_deployment" "fail" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example22" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + container { + image = "nginx:1.7.9" + name = "example22222" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + + +resource "kubernetes_deployment_v1" "fail" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example22" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + container { + image = "nginx:1.7.9" + name 
= "example22222" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + + resource "kubernetes_pod" "pass" { metadata { name = "terraform-example" 
@@ -271,3 +482,151 @@ resource "kubernetes_pod_v1" "pass" { dns_policy = "None" } } + + +resource "kubernetes_deployment" "pass" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + + container { + image = "nginx" + image_pull_policy = "Never" + name = "example" + + security_context { + privileged = true + allow_privilege_escalation = true + capabilities { + add = ["NET_RAW"] + drop = ["NET_BIND_SERVICE"] + } + } + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + host_port = 8080 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + + +resource "kubernetes_deployment_v1" "pass" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + + container { + image = "nginx" + image_pull_policy = "Never" + name = "example" + + security_context { + privileged = true + allow_privilege_escalation = true + capabilities { + add = ["NET_RAW"] + drop = ["NET_BIND_SERVICE"] + } + } + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + host_port = 8080 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} 
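Review bot: The two new `pass` deployments satisfy this check only because a `security_context` block is present, yet the block's content (`privileged = true`, `allow_privilege_escalation = true`, `add = ["NET_RAW"]`) together with `host_ipc = true`, `host_pid = true` and `host_port = 8080` is the opposite of a hardened pod. Nothing in the fixture says so, and a reader browsing example_ContainerSecurityContext is likely to take a resource labelled `pass` as an acceptable configuration. Either a comment above each resource, `# passes this check only because security_context is defined; the settings inside it are deliberately insecure`, or a benign context (`privileged = false`, `allow_privilege_escalation = false`, a `drop` list instead of `add`) would avoid that, and the latter would also let the fixture double as a positive example for the other kubernetes checks this patch touches.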
diff --git a/tests/terraform/checks/resource/kubernetes/test_AllowPrivilegeEscalation.py b/tests/terraform/checks/resource/kubernetes/test_AllowPrivilegeEscalation.py index 77a3332f101..77f9e2d7d0a 100644 --- a/tests/terraform/checks/resource/kubernetes/test_AllowPrivilegeEscalation.py +++ b/tests/terraform/checks/resource/kubernetes/test_AllowPrivilegeEscalation.py @@ -22,18 +22,24 @@ def test(self): "kubernetes_pod.pass2", "kubernetes_pod_v1.pass", "kubernetes_pod_v1.pass2", + "kubernetes_deployment.pass", + "kubernetes_deployment.pass2", + "kubernetes_deployment_v1.pass", + "kubernetes_deployment_v1.pass2", } failing_resources = { "kubernetes_pod.fail", "kubernetes_pod_v1.fail", + "kubernetes_deployment.fail", + "kubernetes_deployment_v1.fail", } passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} - self.assertEqual(summary["passed"], 2 * 2) - self.assertEqual(summary["failed"], 1 * 2) + self.assertEqual(summary["passed"], 4 * 2) + self.assertEqual(summary["failed"], 2 * 2) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) diff --git a/tests/terraform/checks/resource/kubernetes/test_AllowedCapabilities.py b/tests/terraform/checks/resource/kubernetes/test_AllowedCapabilities.py index 5cf3e279e7a..03b00e4765f 100644 --- a/tests/terraform/checks/resource/kubernetes/test_AllowedCapabilities.py +++ b/tests/terraform/checks/resource/kubernetes/test_AllowedCapabilities.py 
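Review bot: The expected totals `4 * 2` and `2 * 2` restate the size of `passing_resources` and `failing_resources` as unexplained multipliers, and the same pattern recurs in the test_AllowedCapabilities, test_AllowedCapabilitiesSysAdmin, test_CPULimits and test_ContainerSecurityContext hunks. Where the named sets are the complete expectation, `self.assertEqual(summary["passed"], len(passing_resources))` and `self.assertEqual(summary["failed"], len(failing_resources))` keep the two from drifting apart the next time a resource kind is added; the test_CPURequests hunk is the one exception, since its `18 * 2` counts resources that share a name across several fixture files and would need a comment saying so. Separately, none of the new deployment fixtures covers a deployment whose `template` has no inner `spec`; if the check code handles that by falling back to the deployment-level spec, as it appears to, the result is presumably UNKNOWN rather than a failure, and a fixture pinning that outcome would be worth adding.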
@@ -22,18 +22,24 @@ def test(self): "kubernetes_pod.pass2", "kubernetes_pod_v1.pass", "kubernetes_pod_v1.pass2", + "kubernetes_deployment.pass", + "kubernetes_deployment.pass2", + "kubernetes_deployment_v1.pass", + "kubernetes_deployment_v1.pass2", } failing_resources = { "kubernetes_pod.fail", "kubernetes_pod_v1.fail", + "kubernetes_deployment.fail", + "kubernetes_deployment_v1.fail", } passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} - self.assertEqual(summary["passed"], 2 * 2) - self.assertEqual(summary["failed"], 1 * 2) + self.assertEqual(summary["passed"], 4 * 2) + self.assertEqual(summary["failed"], 2 * 2) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) diff --git a/tests/terraform/checks/resource/kubernetes/test_AllowedCapabilitiesSysAdmin.py b/tests/terraform/checks/resource/kubernetes/test_AllowedCapabilitiesSysAdmin.py index b8470985948..c2d3fc314cb 100644 --- a/tests/terraform/checks/resource/kubernetes/test_AllowedCapabilitiesSysAdmin.py +++ b/tests/terraform/checks/resource/kubernetes/test_AllowedCapabilitiesSysAdmin.py @@ -22,18 +22,24 @@ def test(self): "kubernetes_pod.pass2", "kubernetes_pod_v1.pass", "kubernetes_pod_v1.pass2", + "kubernetes_deployment.pass", + "kubernetes_deployment.pass2", + "kubernetes_deployment_v1.pass", + "kubernetes_deployment_v1.pass2", } failing_resources = { "kubernetes_pod.fail", "kubernetes_pod_v1.fail", + "kubernetes_deployment.fail", + "kubernetes_deployment_v1.fail", } passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} - self.assertEqual(summary["passed"], 2 * 2) - self.assertEqual(summary["failed"], 1 * 2) + self.assertEqual(summary["passed"], 4 * 2) + self.assertEqual(summary["failed"], 2 * 2) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) 
diff --git a/tests/terraform/checks/resource/kubernetes/test_CPULimits.py b/tests/terraform/checks/resource/kubernetes/test_CPULimits.py index 903a91f14e5..ce4a824a5ee 100644 --- a/tests/terraform/checks/resource/kubernetes/test_CPULimits.py +++ b/tests/terraform/checks/resource/kubernetes/test_CPULimits.py @@ -20,6 +20,8 @@ def test(self): passing_resources = { "kubernetes_pod.pass", "kubernetes_pod_v1.pass", + "kubernetes_deployment.pass", + "kubernetes_deployment_v1.pass", } failing_resources = { @@ -31,13 +33,21 @@ def test(self): "kubernetes_pod_v1.fail2", "kubernetes_pod_v1.fail3", "kubernetes_pod_v1.fail4", + "kubernetes_deployment.fail", + "kubernetes_deployment.fail2", + "kubernetes_deployment.fail3", + "kubernetes_deployment.fail4", + "kubernetes_deployment_v1.fail", + "kubernetes_deployment_v1.fail2", + "kubernetes_deployment_v1.fail3", + "kubernetes_deployment_v1.fail4", } passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} - self.assertEqual(summary["passed"], 1 * 2) - self.assertEqual(summary["failed"], 4 * 2) + self.assertEqual(summary["passed"], 2 * 2) + self.assertEqual(summary["failed"], 8 * 2) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) diff --git a/tests/terraform/checks/resource/kubernetes/test_CPURequests.py b/tests/terraform/checks/resource/kubernetes/test_CPURequests.py index 1aa4b866fc9..4806401bb39 100644 --- a/tests/terraform/checks/resource/kubernetes/test_CPURequests.py +++ b/tests/terraform/checks/resource/kubernetes/test_CPURequests.py @@ -20,6 +20,8 @@ def test(self): passing_resources = { "kubernetes_pod.pass", "kubernetes_pod_v1.pass", + "kubernetes_deployment.pass", + "kubernetes_deployment_v1.pass", } failing_resources = { 
@@ -33,13 +35,23 @@ def test(self): "kubernetes_pod_v1.fail3", "kubernetes_pod_v1.fail4", "kubernetes_pod_v1.fail5", + "kubernetes_deployment.fail", + "kubernetes_deployment.fail2", + "kubernetes_deployment.fail3", + "kubernetes_deployment.fail4", + "kubernetes_deployment.fail5", + "kubernetes_deployment_v1.fail", + "kubernetes_deployment_v1.fail2", + "kubernetes_deployment_v1.fail3", + "kubernetes_deployment_v1.fail4", + "kubernetes_deployment_v1.fail5", } passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} - self.assertEqual(summary["passed"], 1 * 2) - self.assertEqual(summary["failed"], 9 * 2) + self.assertEqual(summary["passed"], 2 * 2) + self.assertEqual(summary["failed"], 18 * 2) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) diff --git a/tests/terraform/checks/resource/kubernetes/test_ContainerSecurityContext.py b/tests/terraform/checks/resource/kubernetes/test_ContainerSecurityContext.py index 3ff7b191e2a..55a5ab19e92 100644 --- a/tests/terraform/checks/resource/kubernetes/test_ContainerSecurityContext.py +++ b/tests/terraform/checks/resource/kubernetes/test_ContainerSecurityContext.py @@ -20,18 +20,22 @@ def test(self): passing_resources = { "kubernetes_pod.pass", "kubernetes_pod_v1.pass", + "kubernetes_deployment.pass", + "kubernetes_deployment_v1.pass", } failing_resources = { "kubernetes_pod.fail", "kubernetes_pod_v1.fail", + "kubernetes_deployment.fail", + "kubernetes_deployment_v1.fail", } passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} - self.assertEqual(summary["passed"], 1 * 2) - self.assertEqual(summary["failed"], 1 * 2) + self.assertEqual(summary["passed"], 2 * 2) + self.assertEqual(summary["failed"], 2 * 2) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0)