diff --git a/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py b/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py index 648b62026ec..71024e6536a 100644 --- a/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py +++ b/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py @@ -11,7 +11,8 @@ def __init__(self): name = "Minimize the admission of containers with the NET_RAW capability" id = "CKV_K8S_28" - supported_resources = ('kubernetes_pod', 'kubernetes_pod_v1') + supported_resources = ('kubernetes_pod', 'kubernetes_pod_v1', + 'kubernetes_deployment', 'kubernetes_deployment_v1', ) categories = (CheckCategories.GENERAL_SECURITY,) super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) @@ -20,6 +21,14 @@ def scan_resource_conf(self, conf) -> CheckResult: self.evaluated_keys = [""] return CheckResult.FAILED spec = conf['spec'][0] + evaluated_keys_path = "spec" + + if spec.get("template") and isinstance(spec.get("template"), list): + template = spec.get("template")[0] + if template.get("spec") and isinstance(template.get("spec"), list): + spec = template.get("spec")[0] + evaluated_keys_path = f'{evaluated_keys_path}/[0]/template/[0]/spec' + if spec.get("container"): containers = spec.get("container") 
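Review bot: In the block added to scan_resource_conf, `template = spec.get("template")[0]` is dereferenced with `template.get("spec")` before anything confirms it is a dict, and the inner `spec` taken from `template.get("spec")[0]` is likewise unchecked before the later `spec.get("container")`. A non-dict element at either position would raise AttributeError instead of returning a CheckResult; how the runner treats an exception from a check is not visible here. A guard such as `if isinstance(template, dict) and template.get("spec") and isinstance(template["spec"], list):`, plus an `isinstance(..., dict)` test on the inner spec, would keep the fallback to the outer `spec`. The same five added lines recur in HostPort.py, ImageDigest.py, ImagePullPolicyAlways.py, ImageTagFixed.py and LivenessProbe.py in this change, so a shared helper returning the pod spec and its key path would keep the guard in one place. The function body starts and continues outside the hunk.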
@@ -39,13 +48,13 @@ def scan_resource_conf(self, conf) -> CheckResult: if not dropped: return CheckResult.FAILED else: - self.evaluated_keys = [f"spec/[0]/container/{idx}/security_context/[0]/capabilities"] + self.evaluated_keys = [f"{evaluated_keys_path}/[0]/container/{idx}/security_context/[0]/capabilities"] return CheckResult.FAILED else: - self.evaluated_keys = [f"spec/[0]/container/{idx}/security_context"] + self.evaluated_keys = [f"{evaluated_keys_path}/[0]/container/{idx}/security_context"] return CheckResult.FAILED else: - self.evaluated_keys = [f"spec/[0]/container/{idx}"] + self.evaluated_keys = [f"{evaluated_keys_path}/[0]/container/{idx}"] return CheckResult.FAILED return CheckResult.PASSED return CheckResult.FAILED diff --git a/checkov/terraform/checks/resource/kubernetes/HostPort.py b/checkov/terraform/checks/resource/kubernetes/HostPort.py index 6ef184f7db7..76eb5adb737 100644 --- a/checkov/terraform/checks/resource/kubernetes/HostPort.py +++ b/checkov/terraform/checks/resource/kubernetes/HostPort.py @@ -16,7 +16,8 @@ def __init__(self): """ name = "Do not specify hostPort unless absolutely necessary" id = "CKV_K8S_26" - supported_resources = ["kubernetes_pod", "kubernetes_pod_v1"] + supported_resources = ["kubernetes_pod", "kubernetes_pod_v1", + "kubernetes_deployment", "kubernetes_deployment_v1"] categories = [CheckCategories.GENERAL_SECURITY] super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) 
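Review bot: The three rewritten `evaluated_keys` paths in the DropCapabilities hunk still write the container index as `container/{idx}`, while HostPort.py, ImageDigest.py, ImagePullPolicyAlways.py, ImageTagFixed.py and LivenessProbe.py in this same change write `container/[{idx}]`. If consumers of `evaluated_keys` resolve these paths against the parsed configuration, the bracket-less form may fail to point at the offending container; that consumer is not visible here. Since the lines are being touched anyway, consider `self.evaluated_keys = [f"{evaluated_keys_path}/[0]/container/[{idx}]/security_context/[0]/capabilities"]` and the same bracketed index on the other two. The enclosing loop starts outside the hunk.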
@@ -26,7 +27,16 @@ def scan_resource_conf(self, conf) -> CheckResult: return CheckResult.FAILED spec = conf.get('spec')[0] + evaluated_keys_path = "spec" + if spec: + + if spec.get("template") and isinstance(spec.get("template"), list): + template = spec.get("template")[0] + if template.get("spec") and isinstance(template.get("spec"), list): + spec = template.get("spec")[0] + evaluated_keys_path = f'{evaluated_keys_path}/[0]/template/[0]/spec' + containers = spec.get("container") if containers is None: return CheckResult.UNKNOWN @@ -36,7 +46,7 @@ def scan_resource_conf(self, conf) -> CheckResult: if container.get("port"): for idy, port in enumerate(container["port"]): if "host_port" in port: - self.evaluated_keys = [f"spec/[0]/container/[{idx}]/port/[{idy}]/host_port"] + self.evaluated_keys = [f"{evaluated_keys_path}/[0]/container/[{idx}]/port/[{idy}]/host_port"] return CheckResult.FAILED return CheckResult.PASSED diff --git a/checkov/terraform/checks/resource/kubernetes/ImageDigest.py b/checkov/terraform/checks/resource/kubernetes/ImageDigest.py index b1b59f217ec..34cd64b39c1 100644 --- a/checkov/terraform/checks/resource/kubernetes/ImageDigest.py +++ b/checkov/terraform/checks/resource/kubernetes/ImageDigest.py 
@@ -15,13 +15,22 @@ def __init__(self): """ name = "Image should use digest" id = "CKV_K8S_43" - supported_resources = ["kubernetes_pod", "kubernetes_pod_v1"] + supported_resources = ["kubernetes_pod", "kubernetes_pod_v1", + "kubernetes_deployment", "kubernetes_deployment_v1"] categories = [CheckCategories.GENERAL_SECURITY] super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) def scan_resource_conf(self, conf) -> CheckResult: spec = conf.get('spec')[0] if spec: + evaluated_keys_path = "spec" + + if spec.get("template") and isinstance(spec.get("template"), list): + template = spec.get("template")[0] + if template.get("spec") and isinstance(template.get("spec"), list): + spec = template.get("spec")[0] + evaluated_keys_path = f'{evaluated_keys_path}/[0]/template/[0]/spec' + containers = spec.get("container") if containers is None: return CheckResult.UNKNOWN @@ -31,7 +40,7 @@ def scan_resource_conf(self, conf) -> CheckResult: if container.get("image") and isinstance(container.get("image"), list): name = container.get("image")[0] if "@" not in name: - self.evaluated_keys = [f'spec/[0]/container/[{idx}]/image'] + self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]/image'] return CheckResult.FAILED return CheckResult.PASSED return CheckResult.FAILED diff --git a/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py b/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py index 5e32906d5fa..8e2ab8af4a5 100644 --- a/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py +++ b/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py 
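Review bot: `spec = conf.get('spec')[0]` at the top of ImageDigest's scan_resource_conf has no default, so a resource without a `spec` block raises TypeError on the subscript before any result is returned, and this hunk widens the check to `kubernetes_deployment` and `kubernetes_deployment_v1`. ImagePullPolicyAlways.py and ImageTagFixed.py in this change use `spec = conf.get('spec', [None])[0]`; with that form the existing `if spec:` test would fall through to the final `return CheckResult.FAILED`. No spec-less fixture for this check is visible in the part of example_ImageDigest shown, so adding one for each new resource type would pin the behaviour.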
@@ -14,13 +14,22 @@ def __init__(self): """ name = "Image Pull Policy should be Always" id = "CKV_K8S_15" - supported_resources = ["kubernetes_pod", "kubernetes_pod_v1"] + supported_resources = ["kubernetes_pod", "kubernetes_pod_v1", + "kubernetes_deployment", "kubernetes_deployment_v1"] categories = [CheckCategories.GENERAL_SECURITY] super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) def scan_resource_conf(self, conf) -> CheckResult: spec = conf.get('spec', [None])[0] if isinstance(spec, dict) and spec: + evaluated_keys_path = "spec" + + if spec.get("template") and isinstance(spec.get("template"), list): + template = spec.get("template")[0] + if template.get("spec") and isinstance(template.get("spec"), list): + spec = template.get("spec")[0] + evaluated_keys_path = f'{evaluated_keys_path}/[0]/template/[0]/spec' + containers = spec.get("container") if containers is None: return CheckResult.UNKNOWN @@ -36,7 +45,7 @@ def scan_resource_conf(self, conf) -> CheckResult: name = container.get("image")[0] if "latest" in name: break - self.evaluated_keys = [f'spec/[0]/container/[{idx}]'] + self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]'] return CheckResult.FAILED return CheckResult.PASSED return CheckResult.FAILED diff --git a/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py b/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py index 97df050af5a..26a67d0609f 100644 --- a/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py +++ b/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py 
@@ -12,32 +12,42 @@ def __init__(self): """ name = "Image Tag should be fixed - not latest or blank" id = "CKV_K8S_14" - supported_resources = ["kubernetes_pod", "kubernetes_pod_v1"] + supported_resources = ["kubernetes_pod", "kubernetes_pod_v1", + "kubernetes_deployment", "kubernetes_deployment_v1"] categories = [CheckCategories.GENERAL_SECURITY] super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) def scan_resource_conf(self, conf) -> CheckResult: spec = conf.get('spec', [None])[0] - if isinstance(spec, dict) and spec.get("container"): - containers = spec.get("container") - for idx, container in enumerate(containers): - if not isinstance(container, dict): - return CheckResult.UNKNOWN - if container.get("image"): - name = container.get("image")[0] - if ":" in name: - if name.split(":")[1] in ("latest", ""): - self.evaluated_keys = [f'spec/[0]/container/[{idx}]/image'] - return CheckResult.FAILED - continue - if "@" in name: - continue - self.evaluated_keys = [f'spec/[0]/container/[{idx}]/image'] + if isinstance(spec, dict) and spec: + evaluated_keys_path = "spec" + + if spec.get("template") and isinstance(spec.get("template"), list): + template = spec.get("template")[0] + if template.get("spec") and isinstance(template.get("spec"), list): + spec = template.get("spec")[0] + evaluated_keys_path = f'{evaluated_keys_path}/[0]/template/[0]/spec' + + if spec.get("container"): + containers = spec.get("container") + for idx, container in enumerate(containers): + if not isinstance(container, dict): + return CheckResult.UNKNOWN + if container.get("image"): + name = container.get("image")[0] + if ":" in name: + if name.split(":")[1] in ("latest", ""): + self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]/image'] + return CheckResult.FAILED + continue + if "@" in name: + continue + self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]/image'] + return CheckResult.FAILED + self.evaluated_keys = 
[f'{evaluated_keys_path}/[0]/container/[{idx}]'] return CheckResult.FAILED - self.evaluated_keys = [f'spec/[0]/container/[{idx}]'] - return CheckResult.FAILED - return CheckResult.PASSED - return CheckResult.FAILED + return CheckResult.PASSED + return CheckResult.FAILED check = ImageTagFixed() diff --git a/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py b/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py index ea31a3b2d7e..3fa815e1078 100644 --- a/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py +++ b/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py @@ -9,7 +9,8 @@ class LivenessProbe(BaseResourceValueCheck): def __init__(self): name = "Liveness Probe Should be Configured" id = "CKV_K8S_8" - supported_resources = ["kubernetes_pod", "kubernetes_pod_v1"] + supported_resources = ["kubernetes_pod", "kubernetes_pod_v1", + "kubernetes_deployment", "kubernetes_deployment_v1"] categories = [CheckCategories.GENERAL_SECURITY] super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, missing_block_result=CheckResult.FAILED) @@ -19,7 +20,16 @@ def get_inspected_key(self) -> str: def scan_resource_conf(self, conf) -> CheckResult: spec = conf.get('spec', [None])[0] - if spec and isinstance(spec, dict): + + if isinstance(spec, dict) and spec: + evaluated_keys_path = "spec" + + if spec.get("template") and isinstance(spec.get("template"), list): + template = spec.get("template")[0] + if template.get("spec") and isinstance(template.get("spec"), list): + spec = template.get("spec")[0] + evaluated_keys_path = f'{evaluated_keys_path}/[0]/template/[0]/spec' + containers = spec.get("container") if containers is None: return CheckResult.UNKNOWN 
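Review bot: The re-indented tag test in ImageTagFixed, `name.split(":")[1] in ("latest", "")`, looks at the text after the first colon, so an image reference that includes a registry port (constructed example: `registry.example:5000/nginx:latest`) yields `5000/nginx`, is not treated as `latest`, and reaches `continue`; the same reference with no tag at all is accepted the same way. With the check now applied to deployments, that false negative covers more workloads. Consider handling the digest first with `if "@" in name: continue`, then deriving the tag from the last path segment, `tag = name.rsplit("/", 1)[-1].partition(":")[2]`, and failing when `tag in ("latest", "")`. Fixtures with a registry port for both the tagged and untagged case would guard the change.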
@@ -28,7 +38,7 @@ def scan_resource_conf(self, conf) -> CheckResult: return CheckResult.UNKNOWN if container.get("liveness_probe"): return CheckResult.PASSED - self.evaluated_keys = [f'spec/[0]/container/[{idx}]'] + self.evaluated_keys = [f'{evaluated_keys_path}/[0]/container/[{idx}]'] return CheckResult.FAILED return CheckResult.FAILED diff --git a/tests/terraform/checks/resource/kubernetes/example_DropCapabilities/main.tf b/tests/terraform/checks/resource/kubernetes/example_DropCapabilities/main.tf index 220ac52affe..117e2490639 100644 --- a/tests/terraform/checks/resource/kubernetes/example_DropCapabilities/main.tf +++ b/tests/terraform/checks/resource/kubernetes/example_DropCapabilities/main.tf @@ -12,6 +12,26 @@ resource "kubernetes_pod_v1" "fail" { } } +# fails no spec +resource "kubernetes_deployment" "fail" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } +} + +# fails no spec +resource "kubernetes_deployment_v1" "fail" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } +} + #no capabilities resource "kubernetes_pod" "fail4" { metadata { 
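Review bot: As far as the LivenessProbe hunk shows, the container loop returns on its first iteration: `return CheckResult.PASSED` when that container has a `liveness_probe`, otherwise the `evaluated_keys` assignment followed by `return CheckResult.FAILED`. Containers after the first in a pod or deployment template are therefore never examined, so a template whose first container has a probe passes regardless of the rest; indentation is lost in this view, so confirm against the file. Inverting the test to `if not container.get("liveness_probe"):` around the `evaluated_keys` line and `return CheckResult.FAILED`, with `return CheckResult.PASSED` placed after the loop, would evaluate every container. The loop header is outside the hunk.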
@@ -132,6 +152,169 @@ resource "kubernetes_pod_v1" "fail4" { } } +#no capabilities +resource "kubernetes_deployment" "fail4" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + + container { + image = "nginx:1.7.9" + name = "example" + + security_context { + + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +#no capabilities +resource "kubernetes_deployment_v1" "fail4" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + + container { + image = "nginx:1.7.9" + name = "example" + + security_context { + + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + + #no context resource "kubernetes_pod" "fail5" { metadata { 
@@ -242,6 +425,159 @@ resource "kubernetes_pod_v1" "fail5" { } } +#no context +resource "kubernetes_deployment" "fail5" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +#no context +resource "kubernetes_deployment_v1" "fail5" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + + #doesnt drop any or net_raw resource "kubernetes_pod" "fail2" { metadata { 
@@ -434,6 +770,239 @@ resource "kubernetes_pod_v1" "fail2" { } } +#doesnt drop any or net_raw +resource "kubernetes_deployment" "fail2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + + container { + image = "nginx:1.7.9" + name = "example" + + security_context { + capabilities { + add = ["NET_BIND_SERVICE"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + container { + image = "nginx:1.7.9" + name = "example2" + + security_context { + capabilities { + drop = ["ALL"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +resource "kubernetes_deployment_v1" "fail2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + + container { + image = "nginx:1.7.9" + name = "example" + + security_context { + capabilities { + add = ["NET_BIND_SERVICE"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + 
liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + container { + image = "nginx:1.7.9" + name = "example2" + + security_context { + capabilities { + drop = ["ALL"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + #wrong drop resource "kubernetes_pod" "fail3" { metadata { 
@@ -557,6 +1126,239 @@ resource "kubernetes_pod_v1" "fail3" { } } +#wrong drop +resource "kubernetes_deployment" "fail3" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + + container { + image = "nginx:1.7.9" + name = "example" + + security_context { + capabilities { + add = ["NET_BIND_SERVICE"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + container { + image = "nginx:1.7.9" + name = "example2" + + security_context { + capabilities { + drop = ["ALL"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +#wrong drop +resource "kubernetes_deployment_v1" "fail3" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + + container { + image = "nginx:1.7.9" + name = "example" + + security_context { + capabilities { + add = ["NET_BIND_SERVICE"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + 
liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + container { + image = "nginx:1.7.9" + name = "example2" + + security_context { + capabilities { + drop = ["ALL"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} resource "kubernetes_pod" "pass" { metadata { @@ -653,7 +1455,6 @@ resource "kubernetes_pod" "pass" { } } - resource "kubernetes_pod_v1" "pass" { metadata { name = "terraform-example" 
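Review bot: The two deployment fixtures labelled `#wrong drop` (`kubernetes_deployment.fail3` and `kubernetes_deployment_v1.fail3`) are identical to the `fail2` fixtures: the first container only has `add = ["NET_BIND_SERVICE"]` and the second has `drop = ["ALL"]`. The case the label describes, a `drop` list that is present but omits the required capability, is therefore not exercised for deployments through the new `template` path. The pod `fail3` fixture is not visible in this diff, but assuming it carries a wrong `drop` list, mirror it here, for example `drop = ["NET_BIND_SERVICE"]` in the first container's `capabilities` block. The `kubernetes_deployment_v1.fail2` fixture in the earlier hunk also lacks the `#doesnt drop any or net_raw` comment its sibling has.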
@@ -748,3 +1549,235 @@ resource "kubernetes_pod_v1" "pass" { dns_policy = "None" } } + +resource "kubernetes_deployment" "pass" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + + container { + image = "nginx:1.7.9" + name = "example" + + security_context { + capabilities { + drop = ["NET_BIND_SERVICE", "ALL"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + container { + image = "nginx:1.7.9" + name = "example2" + + security_context { + capabilities { + drop = ["ALL"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +resource "kubernetes_deployment_v1" "pass" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + + container { + image = "nginx:1.7.9" + name = "example" + + security_context { + capabilities { + drop = ["NET_BIND_SERVICE", "ALL"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + 
+ liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + container { + image = "nginx:1.7.9" + name = "example2" + + security_context { + capabilities { + drop = ["ALL"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} diff --git a/tests/terraform/checks/resource/kubernetes/example_HostPort/main.tf b/tests/terraform/checks/resource/kubernetes/example_HostPort/main.tf index 68fbf3b5668..00cf8417774 100644 --- a/tests/terraform/checks/resource/kubernetes/example_HostPort/main.tf +++ b/tests/terraform/checks/resource/kubernetes/example_HostPort/main.tf @@ -12,6 +12,26 @@ resource "kubernetes_pod_v1" "fail2" { } } +# fails no spec +resource "kubernetes_deployment" "fail2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } +} + +# fails no spec +resource "kubernetes_deployment_v1" "fail2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } +} + # fails no resource resource "kubernetes_pod" "fail" { metadata { 
@@ -100,6 +120,135 @@ resource "kubernetes_pod_v1" "fail" { } } +# fails no resource +resource "kubernetes_deployment" "fail" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + host_port = 8080 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +resource "kubernetes_deployment_v1" "fail" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + host_port = 8080 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + resource "kubernetes_pod" "pass" { metadata { name = "terraform-example" 
@@ -199,3 +348,145 @@ resource "kubernetes_pod_v1" "pass" { dns_policy = "None" } } + +resource "kubernetes_deployment" "pass" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + resources { + limits = { + cpu = "500m" + } + + } + + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +resource "kubernetes_deployment_v1" "pass" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + host_ipc = true + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + resources { + limits = { + cpu = "500m" + } + + } + + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} diff --git a/tests/terraform/checks/resource/kubernetes/example_ImageDigest/main.tf b/tests/terraform/checks/resource/kubernetes/example_ImageDigest/main.tf index c6b522d8082..2a1c3ea5c9a 100644 --- a/tests/terraform/checks/resource/kubernetes/example_ImageDigest/main.tf +++ b/tests/terraform/checks/resource/kubernetes/example_ImageDigest/main.tf 
@@ -186,6 +186,234 @@ resource "kubernetes_pod_v1" "unknown" { } } +#not set +resource "kubernetes_deployment" "unknown" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container = [ + { + image = "nginx" + name = "example22" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + }, + { + image = "nginx:1.7.9" + name = "example22222" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +#not set +resource "kubernetes_deployment_v1" "unknown" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container = [ + { + image = "nginx" + name = "example22" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = 
"/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + }, + { + image = "nginx:1.7.9" + name = "example22222" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + #not set modern resource "kubernetes_pod" "fail" { metadata { 
@@ -277,6 +505,230 @@ resource "kubernetes_pod" "fail" { } } +#not set modern +resource "kubernetes_deployment" "fail" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx" + name = "example22" + + security_context { + privileged = true + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + container { + image = "nginx:1.7.9" + name = "example22222" + + security_context { + privileged = true + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +#not set modern +resource "kubernetes_deployment_v1" "fail" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx" + name = "example22" + + security_context { + privileged = true + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name 
= "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + container { + image = "nginx:1.7.9" + name = "example22222" + + security_context { + privileged = true + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + #not set modern resource "kubernetes_pod_v1" "fail" { metadata { 
@@ -477,4 +929,152 @@ resource "kubernetes_pod_v1" "pass" { } } +#digest +resource "kubernetes_deployment" "pass" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx@sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108" + name = "example22" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +#digest +resource "kubernetes_deployment_v1" "pass" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx@sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108" + name = "example22" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} 
diff --git a/tests/terraform/checks/resource/kubernetes/example_ImagePullPolicyAlways/main.tf b/tests/terraform/checks/resource/kubernetes/example_ImagePullPolicyAlways/main.tf
index 8cf7a702033..f7b65fa6780 100644
--- a/tests/terraform/checks/resource/kubernetes/example_ImagePullPolicyAlways/main.tf
+++ b/tests/terraform/checks/resource/kubernetes/example_ImagePullPolicyAlways/main.tf
@@ -186,6 +186,238 @@ resource "kubernetes_pod_v1" "unknown" { } } +#not set +resource "kubernetes_deployment" "unknown" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container = [ + { + image = "nginx" + name = "example22" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + , + { + image = "nginx:1.7.9" + name = "example22222" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + + } + } +} + +#not set +resource "kubernetes_deployment_v1" "unknown" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container = [ + { + image = "nginx" + name = "example22" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = 
"/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + , + { + image = "nginx:1.7.9" + name = "example22222" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + + } + } +} + #not set modern resource "kubernetes_pod" "fail" { metadata { 
@@ -244,6 +476,164 @@ resource "kubernetes_pod" "fail" { } } +#not set modern +resource "kubernetes_deployment" "fail" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx" + name = "example22" + + security_context { + privileged = true + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +#not set modern +resource "kubernetes_deployment_v1" "fail" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx" + name = "example22" + + security_context { + privileged = true + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + #not set modern resource "kubernetes_pod_v1" "fail" { metadata { 
@@ -417,6 +807,163 @@ resource "kubernetes_pod_v1" "fail2" { dns_policy = "None" } } +#latest but specified wrong +resource "kubernetes_deployment" "fail2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:latest" + image_pull_policy = "Never" + name = "example22" + + security_context { + privileged = false + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +#latest but specified wrong +resource "kubernetes_deployment_v1" "fail2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:latest" + image_pull_policy = "Never" + name = "example22" + + security_context { + privileged = false + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } 
+ } + + dns_policy = "None" + } + } + } +} #latest so pass resource "kubernetes_pod" "pass" { 
@@ -475,6 +1022,162 @@ resource "kubernetes_pod" "pass" { } } +#latest so pass +resource "kubernetes_deployment" "pass" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:latest" + name = "example22" + + security_context { + privileged = false + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +#latest so pass +resource "kubernetes_deployment_v1" "pass" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:latest" + name = "example22" + + security_context { + privileged = false + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + #latest so pass resource "kubernetes_pod_v1" "pass" { metadata { 
@@ -649,3 +1352,163 @@ resource "kubernetes_pod_v1" "pass2" { dns_policy = "None" } } + +#happy path +resource "kubernetes_deployment" "pass2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + image_pull_policy = "Always" + name = "example22" + + security_context { + privileged = false + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +#happy path +resource "kubernetes_deployment_v1" "pass2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + image_pull_policy = "Always" + name = "example22" + + security_context { + privileged = false + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = 
"None" + } + } + } +} diff --git a/tests/terraform/checks/resource/kubernetes/example_ImageTagFixed/main.tf b/tests/terraform/checks/resource/kubernetes/example_ImageTagFixed/main.tf index cbeecd31872..a943e7635f2 100644 --- a/tests/terraform/checks/resource/kubernetes/example_ImageTagFixed/main.tf +++ b/tests/terraform/checks/resource/kubernetes/example_ImageTagFixed/main.tf 
@@ -186,6 +186,234 @@ resource "kubernetes_pod_v1" "unknown" { } } +#not set +resource "kubernetes_deployment" "unknown" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container = [ + { + image = "nginx" + name = "example22" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + }, + { + image = "nginx:1.7.9" + name = "example22222" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +#not set +resource "kubernetes_deployment_v1" "unknown" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container = [ + { + image = "nginx" + name = "example22" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = 
"/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + }, + { + image = "nginx:1.7.9" + name = "example22222" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + #not set modern resource "kubernetes_pod" "fail" { metadata { 
@@ -368,6 +596,230 @@ resource "kubernetes_pod_v1" "fail" { } } +#not set modern +resource "kubernetes_deployment" "fail" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx" + name = "example22" + + security_context { + privileged = true + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + container { + image = "nginx:1.7.9" + name = "example22222" + + security_context { + privileged = true + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +#not set modern +resource "kubernetes_deployment_v1" "fail" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx" + name = "example22" + + security_context { + privileged = true + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + 
name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + container { + image = "nginx:1.7.9" + name = "example22222" + + security_context { + privileged = true + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + #latest resource "kubernetes_pod" "fail2" { metadata { 
@@ -548,6 +1000,228 @@ resource "kubernetes_pod_v1" "fail2" { } } +#latest +resource "kubernetes_deployment" "fail2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:latest" + name = "example22" + + security_context { + privileged = false + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + container { + image = "nginx:1.7.9" + name = "example22222" + + security_context { + privileged = true + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +#latest +resource "kubernetes_deployment_v1" "fail2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:latest" + name = "example22" + + security_context { + privileged = false + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + 
name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + container { + image = "nginx:1.7.9" + name = "example22222" + + security_context { + privileged = true + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + #regular resource "kubernetes_pod" "pass" { metadata { 
@@ -730,6 +1404,231 @@ resource "kubernetes_pod_v1" "pass" { } } +#regular +resource "kubernetes_deployment" "pass" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example22" + + security_context { + privileged = false + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + container { + image = "nginx:1.7.9" + name = "example22222" + + security_context { + privileged = false + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +#regular +resource "kubernetes_deployment_v1" "pass" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example22" + + security_context { + privileged = false + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + 
name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + container { + image = "nginx:1.7.9" + name = "example22222" + + security_context { + privileged = false + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + + #digest resource "kubernetes_pod" "pass2" { metadata { 
@@ -903,3 +1802,219 @@ resource "kubernetes_pod_v1" "pass2" { dns_policy = "None" } } + +#digest +resource "kubernetes_deployment" "pass2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx@sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108" + name = "example22" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + container { + image = "nginx:1.7.9" + name = "example22222" + + security_context { + privileged = false + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +#digest +resource "kubernetes_deployment_v1" "pass2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx@sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108" + name = "example22" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get 
{ + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + container { + image = "nginx:1.7.9" + name = "example22222" + + security_context { + privileged = false + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} diff --git a/tests/terraform/checks/resource/kubernetes/example_LivenessProbe/main.tf b/tests/terraform/checks/resource/kubernetes/example_LivenessProbe/main.tf index 3f333b3efa0..30bce2bcdd7 100644 --- a/tests/terraform/checks/resource/kubernetes/example_LivenessProbe/main.tf +++ b/tests/terraform/checks/resource/kubernetes/example_LivenessProbe/main.tf 
@@ -104,6 +104,154 @@ resource "kubernetes_pod_v1" "pass" { } } +resource "kubernetes_deployment" "pass" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +resource "kubernetes_deployment_v1" "pass" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + resource "kubernetes_pod" "fail" { metadata { name = "terraform-example" 
@@ -181,3 +329,124 @@ resource "kubernetes_pod_v1" "fail" { dns_policy = "None" } } + + +resource "kubernetes_deployment" "fail" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} + +resource "kubernetes_deployment_v1" "fail" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } + } + } +} diff --git a/tests/terraform/checks/resource/kubernetes/example_LivenessProbe/main3.tf b/tests/terraform/checks/resource/kubernetes/example_LivenessProbe/main3.tf index 9a341b5b59f..ecc48507e11 100644 --- a/tests/terraform/checks/resource/kubernetes/example_LivenessProbe/main3.tf +++ b/tests/terraform/checks/resource/kubernetes/example_LivenessProbe/main3.tf 
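Review bot: Both fail fixtures added in this hunk, `kubernetes_deployment.fail` and `kubernetes_deployment_v1.fail`, hold a single container with no `liveness_probe`, so nothing pins the mixed case where one container under `template` / `spec` defines a probe and a sibling does not. A further fail resource with two `container` blocks, only one of them carrying `liveness_probe`, would show that the check evaluates every container of the pod template rather than only the first. The check's implementation is not part of this hunk, so whether it already does so cannot be confirmed from here.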
@@ -40,3 +40,42 @@ resource "kubernetes_pod_v1" "examplePod" { } } + +resource "kubernetes_deployment" "examplePod" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "nginx" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "nginx" + } + } + + template { + metadata { + labels = { + k8s-app = "nginx" + } + } + + spec { + automount_service_account_token = true + security_context { + } + selector { + match_labels = { + test = "MyExampleApp" + } + } + } + } + } +} + diff --git a/tests/terraform/checks/resource/kubernetes/test_DropCapabilities.py b/tests/terraform/checks/resource/kubernetes/test_DropCapabilities.py index ec596ef32ba..4d5bac62148 100644 --- a/tests/terraform/checks/resource/kubernetes/test_DropCapabilities.py +++ b/tests/terraform/checks/resource/kubernetes/test_DropCapabilities.py @@ -20,6 +20,8 @@ def test(self): passing_resources = { "kubernetes_pod.pass", "kubernetes_pod_v1.pass", + "kubernetes_deployment.pass", + "kubernetes_deployment_v1.pass", } failing_resources = { @@ -33,13 +35,23 @@ def test(self): "kubernetes_pod_v1.fail3", "kubernetes_pod_v1.fail4", "kubernetes_pod_v1.fail5", + "kubernetes_deployment.fail", + "kubernetes_deployment.fail2", + "kubernetes_deployment.fail3", + "kubernetes_deployment.fail4", + "kubernetes_deployment.fail5", + "kubernetes_deployment_v1.fail", + "kubernetes_deployment_v1.fail2", + "kubernetes_deployment_v1.fail3", + "kubernetes_deployment_v1.fail4", + "kubernetes_deployment_v1.fail5", } passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} - self.assertEqual(summary["passed"], 1 * 2) - self.assertEqual(summary["failed"], 5 * 2) + self.assertEqual(summary["passed"], 2 * 2) + self.assertEqual(summary["failed"], 10 * 2) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) 
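Review bot: The container-less fixture in main3.tf is added only for `kubernetes_deployment`; there is no `kubernetes_deployment_v1` counterpart, although the hunk header shows the pod case has a `kubernetes_pod_v1` variant. test_LivenessProbe.py expects results for both deployment resource types, so a matching `resource "kubernetes_deployment_v1" "examplePod"` block would cover the no-container path for each of them. The name `examplePod` and the `selector` block inside the pod template `spec` look carried over from the pod fixture. A leading comment such as `# deployment whose pod template has no container block` would record why the resource is there.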
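Review bot: The summary assertions in the `@@ -33,13 +35,23 @@` hunk of test_DropCapabilities.py keep the `N * 2` form (`2 * 2`, `10 * 2`), which presumably stood for fixtures per resource type times two types. With four resource types now listed in the sets, the factor no longer corresponds to anything and the totals have to be recounted by hand on every fixture change. Deriving them from the sets, `self.assertEqual(summary["passed"], len(passing_resources))` and `self.assertEqual(summary["failed"], len(failing_resources))`, ties the counts to the resources the test names. The same pattern appears in the test_HostPort.py, test_ImageDigest.py, test_ImagePullPolicyAlways.py, test_ImageTagFixed.py and test_LivenessProbe.py hunks. `test` continues outside the hunk, so the set comparisons that presumably follow are not visible here.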
diff --git a/tests/terraform/checks/resource/kubernetes/test_HostPort.py b/tests/terraform/checks/resource/kubernetes/test_HostPort.py index 6dfe28fb054..ecd7beb594f 100644 --- a/tests/terraform/checks/resource/kubernetes/test_HostPort.py +++ b/tests/terraform/checks/resource/kubernetes/test_HostPort.py @@ -20,6 +20,8 @@ def test(self): passing_resources = { "kubernetes_pod.pass", "kubernetes_pod_v1.pass", + "kubernetes_deployment.pass", + "kubernetes_deployment_v1.pass", } failing_resources = { @@ -27,13 +29,17 @@ def test(self): "kubernetes_pod.fail2", "kubernetes_pod_v1.fail", "kubernetes_pod_v1.fail2", + "kubernetes_deployment.fail", + "kubernetes_deployment.fail2", + "kubernetes_deployment_v1.fail", + "kubernetes_deployment_v1.fail2", } passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} - self.assertEqual(summary["passed"], 1 * 2) - self.assertEqual(summary["failed"], 2 * 2) + self.assertEqual(summary["passed"], 2 * 2) + self.assertEqual(summary["failed"], 4 * 2) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) diff --git a/tests/terraform/checks/resource/kubernetes/test_ImageDigest.py b/tests/terraform/checks/resource/kubernetes/test_ImageDigest.py index ebbc3eff5dd..c5802384cf8 100644 --- a/tests/terraform/checks/resource/kubernetes/test_ImageDigest.py +++ b/tests/terraform/checks/resource/kubernetes/test_ImageDigest.py 
@@ -20,18 +20,22 @@ def test(self): passing_resources = { "kubernetes_pod.pass", "kubernetes_pod_v1.pass", + "kubernetes_deployment.pass", + "kubernetes_deployment_v1.pass", } failing_resources = { "kubernetes_pod.fail", "kubernetes_pod_v1.fail", + "kubernetes_deployment.fail", + "kubernetes_deployment_v1.fail", } passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} - self.assertEqual(summary["passed"], 1 * 2) - self.assertEqual(summary["failed"], 1 * 2) + self.assertEqual(summary["passed"], 2 * 2) + self.assertEqual(summary["failed"], 2 * 2) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) diff --git a/tests/terraform/checks/resource/kubernetes/test_ImagePullPolicyAlways.py b/tests/terraform/checks/resource/kubernetes/test_ImagePullPolicyAlways.py index 6aa69da377d..5065e5ce80e 100644 --- a/tests/terraform/checks/resource/kubernetes/test_ImagePullPolicyAlways.py +++ b/tests/terraform/checks/resource/kubernetes/test_ImagePullPolicyAlways.py @@ -22,6 +22,10 @@ def test(self): "kubernetes_pod.pass2", "kubernetes_pod_v1.pass", "kubernetes_pod_v1.pass2", + "kubernetes_deployment.pass", + "kubernetes_deployment.pass2", + "kubernetes_deployment_v1.pass", + "kubernetes_deployment_v1.pass2", } failing_resources = { 
@@ -29,13 +33,17 @@ def test(self): "kubernetes_pod.fail2", "kubernetes_pod_v1.fail", "kubernetes_pod_v1.fail2", + "kubernetes_deployment.fail", + "kubernetes_deployment.fail2", + "kubernetes_deployment_v1.fail", + "kubernetes_deployment_v1.fail2", } passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} - self.assertEqual(summary["passed"], 2 * 2) - self.assertEqual(summary["failed"], 2 * 2) + self.assertEqual(summary["passed"], 4 * 2) + self.assertEqual(summary["failed"], 4 * 2) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) diff --git a/tests/terraform/checks/resource/kubernetes/test_ImageTagFixed.py b/tests/terraform/checks/resource/kubernetes/test_ImageTagFixed.py index a633f8e46bd..549aee045e8 100644 --- a/tests/terraform/checks/resource/kubernetes/test_ImageTagFixed.py +++ b/tests/terraform/checks/resource/kubernetes/test_ImageTagFixed.py @@ -22,6 +22,10 @@ def test(self): "kubernetes_pod.pass2", "kubernetes_pod_v1.pass", "kubernetes_pod_v1.pass2", + "kubernetes_deployment.pass", + "kubernetes_deployment.pass2", + "kubernetes_deployment_v1.pass", + "kubernetes_deployment_v1.pass2", } failing_resources = { @@ -29,13 +33,17 @@ def test(self): "kubernetes_pod.fail2", "kubernetes_pod_v1.fail", "kubernetes_pod_v1.fail2", + "kubernetes_deployment.fail", + "kubernetes_deployment.fail2", + "kubernetes_deployment_v1.fail", + "kubernetes_deployment_v1.fail2", } passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} - self.assertEqual(summary["passed"], 2 * 2) - self.assertEqual(summary["failed"], 2 * 2) + self.assertEqual(summary["passed"], 4 * 2) + self.assertEqual(summary["failed"], 4 * 2) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) 
diff --git a/tests/terraform/checks/resource/kubernetes/test_LivenessProbe.py b/tests/terraform/checks/resource/kubernetes/test_LivenessProbe.py index 6c592cd922f..69730621605 100644 --- a/tests/terraform/checks/resource/kubernetes/test_LivenessProbe.py +++ b/tests/terraform/checks/resource/kubernetes/test_LivenessProbe.py @@ -20,18 +20,22 @@ def test(self): passing_resources = { "kubernetes_pod.pass", "kubernetes_pod_v1.pass", + "kubernetes_deployment.pass", + "kubernetes_deployment_v1.pass", } failing_resources = { "kubernetes_pod.fail", "kubernetes_pod_v1.fail", + "kubernetes_deployment.fail", + "kubernetes_deployment_v1.fail", } passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} - self.assertEqual(summary["passed"], 1 * 2) - self.assertEqual(summary["failed"], 1 * 2) + self.assertEqual(summary["passed"], 2 * 2) + self.assertEqual(summary["failed"], 2 * 2) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0)