

feat(terraform): include pods of kubernetes_deployment in kubernetes_…
…pod checks (4/4) (#3738)

Include pods of kubernetes_deployment in kubernetes_pod checks (4/4)
ugrave authored Nov 7, 2022
1 parent 834f12b commit 7494e1a
Showing 15 changed files with 4,226 additions and 217 deletions.
17 changes: 14 additions & 3 deletions checkov/terraform/checks/resource/kubernetes/Secrets.py
Expand Up @@ -9,7 +9,8 @@ def __init__(self):
name = "Prefer using secrets as files over secrets as environment variables"
id = "CKV_K8S_35"

supported_resources = ['kubernetes_pod', 'kubernetes_pod_v1']
supported_resources = ['kubernetes_pod', "kubernetes_pod_v1",
'kubernetes_deployment', 'kubernetes_deployment_v1']
categories = [CheckCategories.GENERAL_SECURITY]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

Expand All @@ -18,6 +19,16 @@ def scan_resource_conf(self, conf) -> CheckResult:
self.evaluated_keys = [""]
return CheckResult.FAILED
spec = conf['spec'][0]
evaluated_keys_path = "spec"

template = spec.get("template")
if template and isinstance(template, list):
template = template[0]
template_spec = template.get("spec")
if template_spec and isinstance(template_spec, list):
spec = template_spec[0]
evaluated_keys_path = f'{evaluated_keys_path}/[0]/template/[0]/spec'

containers = spec.get("container")
if containers:

Expand All @@ -33,14 +44,14 @@ def scan_resource_conf(self, conf) -> CheckResult:
value_from = env.get("value_from")[0]
if value_from.get("secret_key_ref"):
self.evaluated_keys = \
[f"spec/[0]/container/[{idx}]/env/[{idy}]/value_from/secret_key_ref"]
[f"{evaluated_keys_path}/[0]/container/[{idx}]/env/[{idy}]/value_from/secret_key_ref"]
return CheckResult.FAILED
if container.get("env_from") and isinstance(container.get("env_from"), list):
env_from = container.get("env_from")[0]
for idy, ef in enumerate(env_from):
if "secret_ref" in ef:
self.evaluated_keys = \
[f"spec/[0]/container/[{idx}]/env_from/[{idy}]/secret_ref"]
[f"{evaluated_keys_path}/[0]/container/[{idx}]/env_from/[{idy}]/secret_ref"]
return CheckResult.FAILED
return CheckResult.PASSED

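Review bot: The deployment descent at the top of the second hunk indexes `template[0]` and `template_spec[0]` and then calls `.get` on them without confirming they are dicts, so a malformed `template` block in the parsed HCL would surface as an AttributeError from the check (unless a caller catches it) rather than as a result; the labels guard added to Tiller.py in this same commit already applies the `isinstance(...[0], dict)` pattern. Suggest `if template and isinstance(template, list) and isinstance(template[0], dict):` and `if template_spec and isinstance(template_spec, list) and isinstance(template_spec[0], dict):`. The same unguarded descent appears in Tiller.py's second hunk, and since the template→spec walk is now copied verbatim into both checks, a small shared helper would keep the deployment path from drifting between them. A short comment such as `# kubernetes_deployment: the pod spec is nested under spec/[0]/template/[0]/spec; fall back to the pod-level spec otherwise` would also explain why the path prefix is rebuilt here. scan_resource_conf begins before this hunk and continues past it.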
5 changes: 4 additions & 1 deletion checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py
Expand Up @@ -11,11 +11,14 @@ def __init__(self):
# CIS-1.5 5.2.3
name = "Do not admit containers wishing to share the host IPC namespace"
id = "CKV_K8S_18"
supported_resources = ["kubernetes_pod", "kubernetes_pod_v1"]
supported_resources = ["kubernetes_pod", "kubernetes_pod_v1",
"kubernetes_deployment", "kubernetes_deployment_v1"]
categories = [CheckCategories.GENERAL_SECURITY]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

def get_inspected_key(self):
if "kubernetes_deployment" == self.entity_type or "kubernetes_deployment_v1" == self.entity_type:
return "spec/[0]/template/[0]/spec/[0]/host_ipc"
return "spec/[0]/host_ipc"

def get_forbidden_values(self) -> List[Any]:
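Review bot: The new `get_inspected_key` branch tests the entity type with two Yoda-style equality comparisons joined by `or`; a membership test reads more naturally and is easier to extend when further workload types are added: `if self.entity_type in ("kubernetes_deployment", "kubernetes_deployment_v1"):`. The identical construction appears in ShareHostPID.py and in the host_network check section that follows it (its file header is missing from this page). The deployment prefix `spec/[0]/template/[0]/spec/[0]/` is now also repeated literally across those three checks, so a module-level constant would keep the path in one place. `get_inspected_key` is shown in full here; `get_forbidden_values` continues outside the hunk.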
5 changes: 4 additions & 1 deletion checkov/terraform/checks/resource/kubernetes/ShareHostPID.py
Expand Up @@ -11,12 +11,15 @@ def __init__(self):
# CIS-1.5 5.2.2
name = "Do not admit containers wishing to share the host process ID namespace"
id = "CKV_K8S_17"
supported_resources = ["kubernetes_pod", "kubernetes_pod_v1"]
supported_resources = ["kubernetes_pod", "kubernetes_pod_v1",
"kubernetes_deployment", "kubernetes_deployment_v1"]
categories = [CheckCategories.GENERAL_SECURITY]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
missing_block_result=CheckResult.PASSED)

def get_inspected_key(self) -> str:
if "kubernetes_deployment" == self.entity_type or "kubernetes_deployment_v1" == self.entity_type:
return "spec/[0]/template/[0]/spec/[0]/host_pid"
return "spec/[0]/host_pid"

def get_expected_value(self) -> Any:
Expand Up @@ -11,12 +11,15 @@ def __init__(self):
# CIS-1.5 5.2.4
name = "Do not admit containers wishing to share the host network namespace"
id = "CKV_K8S_19"
supported_resources = ["kubernetes_pod", "kubernetes_pod_v1"]
supported_resources = ["kubernetes_pod", "kubernetes_pod_v1",
"kubernetes_deployment", "kubernetes_deployment_v1"]
categories = [CheckCategories.NETWORKING]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
missing_block_result=CheckResult.PASSED)

def get_inspected_key(self) -> str:
if "kubernetes_deployment" == self.entity_type or "kubernetes_deployment_v1" == self.entity_type:
return "spec/[0]/template/[0]/spec/[0]/host_network"
return "spec/[0]/host_network"

def get_expected_value(self) -> Any:
28 changes: 26 additions & 2 deletions checkov/terraform/checks/resource/kubernetes/Tiller.py
Expand Up @@ -10,7 +10,8 @@ class Tiller(BaseResourceCheck):
def __init__(self) -> None:
name = "Ensure that Tiller (Helm v2) is not deployed"
id = "CKV_K8S_34"
supported_resources = ["kubernetes_pod", "kubernetes_pod_v1"]
supported_resources = ["kubernetes_pod", "kubernetes_pod_v1",
"kubernetes_deployment", "kubernetes_deployment_v1"]
categories = [CheckCategories.GENERAL_SECURITY]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

Expand All @@ -32,6 +33,29 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
self.evaluated_keys = [""]
return CheckResult.FAILED
spec = conf['spec'][0]
evaluated_keys_path = "spec"

template = spec.get("template")
if template and isinstance(template, list):
template = template[0]
metadata = template.get("metadata")
if metadata and isinstance(metadata, list):
metadata = metadata[0]

if metadata.get("labels") and isinstance(metadata.get("labels"), list) and isinstance(metadata.get("labels")[0], dict):
labels = metadata.get("labels")[0]
self.evaluated_keys = [f"{evaluated_keys_path}/[0]/template/[0]/metadata/[0]/labels"]
if labels.get("app") == "helm":
self.evaluated_keys = [f"{evaluated_keys_path}/[0]/template/[0]/metadata/[0]/labels/[0]/app"]
return CheckResult.FAILED
elif labels.get("name") == "tiller":
self.evaluated_keys = [f"{evaluated_keys_path}/[0]/template/[0]/metadata/[0]/labels/[0]/name"]
return CheckResult.FAILED

template_spec = template.get("spec")
if template_spec and isinstance(template_spec, list):
spec = template_spec[0]
evaluated_keys_path = f'{evaluated_keys_path}/[0]/template/[0]/spec'

containers = spec.get("container")
if not containers:
Expand All @@ -42,7 +66,7 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
if container.get("image") and isinstance(container.get("image"), list):
image = container.get("image")[0]
if "tiller" in image:
self.evaluated_keys = [f'spec/[0]/container/[{idx}]/image']
self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]/image']
return CheckResult.FAILED

return CheckResult.PASSED
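Review bot: In the second hunk the labels branch calls `metadata.get("labels")` three times on one line and indexes `template[0]` and `metadata[0]` before confirming they are dicts, while that same line does apply the dict guard to `labels[0]`; binding the lookup once makes the guard uniform at every level and the branch easier to read. The rewrite below keeps the evaluated-keys assignments and the FAILED returns exactly as they are and only names the label list once (the `elif` after a `return` is a plain `if`). The template→spec descent that follows it is a verbatim copy of the one added to Secrets.py in this commit, so the dict guards should be applied there too. scan_resource_conf starts before this hunk and its container loop continues in the third hunk.
```python
template = spec.get("template")
if template and isinstance(template, list) and isinstance(template[0], dict):
    template = template[0]
    metadata = template.get("metadata")
    if metadata and isinstance(metadata, list) and isinstance(metadata[0], dict):
        labels = metadata[0].get("labels")
        if labels and isinstance(labels, list) and isinstance(labels[0], dict):
            labels_path = f"{evaluated_keys_path}/[0]/template/[0]/metadata/[0]/labels"
            self.evaluated_keys = [labels_path]
            if labels[0].get("app") == "helm":
                self.evaluated_keys = [f"{labels_path}/[0]/app"]
                return CheckResult.FAILED
            if labels[0].get("name") == "tiller":
                self.evaluated_keys = [f"{labels_path}/[0]/name"]
                return CheckResult.FAILED
    # … unchanged: descend into template spec and update evaluated_keys_path …
```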
