From eb86e1aa1142c7ed3b639f3f011fd2603ebd6ff1 Mon Sep 17 00:00:00 2001
From: yaaraverner
Date: Mon, 24 Oct 2022 14:44:19 +0300
Subject: [PATCH 1/3] handle edge-case of res not a dict
---
 .../checks/resource/k8s/CPURequests.py | 2 ++
 .../pod-requests-limits-UNKNOWN.yaml | 20 +++++++++++++++++++
 tests/kubernetes/checks/test_CPURequests.py | 2 +-
 3 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 tests/kubernetes/checks/example_Requests_Limits/pod-requests-limits-UNKNOWN.yaml
diff --git a/checkov/kubernetes/checks/resource/k8s/CPURequests.py b/checkov/kubernetes/checks/resource/k8s/CPURequests.py
index 2e94b1c8c08..c934bb2188c 100644
--- a/checkov/kubernetes/checks/resource/k8s/CPURequests.py
+++ b/checkov/kubernetes/checks/resource/k8s/CPURequests.py
@@ -15,6 +15,8 @@ def scan_container_conf(self, metadata: Dict[str, Any], conf: Dict[str, Any]) ->
 self.evaluated_container_keys = ["resources/requests/cpu"]
 res = conf.get("resources")
 if res:
+ if not isinstance(res, dict):
+ return CheckResult.UNKNOWN
 requests = res.get("requests")
 if requests and requests.get("cpu"):
 return CheckResult.PASSED
diff --git a/tests/kubernetes/checks/example_Requests_Limits/pod-requests-limits-UNKNOWN.yaml b/tests/kubernetes/checks/example_Requests_Limits/pod-requests-limits-UNKNOWN.yaml
new file mode 100644
index 00000000000..e6bf227ce27
--- /dev/null
+++ b/tests/kubernetes/checks/example_Requests_Limits/pod-requests-limits-UNKNOWN.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: frontend
+spec:
+ containers:
+ - name: db
+ image: mysql
+ env:
+ - name: MYSQL_ROOT_PASSWORD
+ value: "password"
+ resources:
+ - requests:
+ memory: "64Mi"
+ cpu: "250m"
+ ephemeral-storage: "2Gi"
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
+ ephemeral-storage: "4Gi"
diff --git a/tests/kubernetes/checks/test_CPURequests.py b/tests/kubernetes/checks/test_CPURequests.py
index d473dcfa2de..023f9987f85 100644
--- a/tests/kubernetes/checks/test_CPURequests.py
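Review bot: The new isinstance guard stops one level short — `requests = res.get("requests")` on the next line can still yield a list or a scalar from a malformed manifest, and `requests.get("cpu")` then raises AttributeError instead of producing a result (how that exception surfaces is outside the hunk, presumably as a check crash rather than a verdict). A symmetric guard keeps the check total: `if isinstance(requests, dict) and requests.get("cpu"):`. The same gap remains at `limits.get("memory")` in the MemoryLimits.py hunk, `requests.get("memory")` in the MemoryRequests.py hunk and `limits.get("cpu")` in the CPULimits.py hunk. scan_container_conf's final return lies outside the hunk.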
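Review bot: The fixture's whole purpose is the deliberately malformed `resources` list, but nothing in the file says so, and a later editor could "fix" the dash into a mapping and silently lose the UNKNOWN coverage. A one-line comment above the `resources:` key, `# resources is intentionally a list, not a mapping: drives the non-dict branch (CheckResult.UNKNOWN)`, would pin the intent.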
+++ b/tests/kubernetes/checks/test_CPURequests.py
@@ -13,7 +13,7 @@ def test_summary(self):
 current_dir = os.path.dirname(os.path.realpath(__file__))
 test_files_dir = current_dir + "/example_Requests_Limits"
- report = runner.run(root_folder=test_files_dir,runner_filter=RunnerFilter(checks=[check.id]))
+ report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
 summary = report.get_summary()
 self.assertEqual(summary['passed'], 1)
From a4d8484c9292da2033e955ad3c4c31544a7c05e0 Mon Sep 17 00:00:00 2001
From: yaaraverner
Date: Mon, 24 Oct 2022 15:09:32 +0300
Subject: [PATCH 2/3] fixes
---
 checkov/kubernetes/checks/resource/k8s/MemoryLimits.py | 2 ++
 checkov/kubernetes/checks/resource/k8s/MemoryRequests.py | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py b/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py
index cb62f8d4e50..5fddc2d0a7b 100644
--- a/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py
+++ b/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py
@@ -15,6 +15,8 @@ def scan_container_conf(self, metadata: Dict[str, Any], conf: Dict[str, Any]) ->
 self.evaluated_container_keys = ["resources/limits/memory"]
 res = conf.get("resources")
 if res:
+ if not isinstance(res, dict):
+ return CheckResult.UNKNOWN
 limits = res.get("limits")
 if limits and limits.get("memory"):
 return CheckResult.PASSED
diff --git a/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py b/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py
index 32d9124b4b5..efa5919b3fd 100644
--- a/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py
+++ b/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py
@@ -15,6 +15,8 @@ def scan_container_conf(self, metadata: Dict[str, Any], conf: Dict[str, Any]) ->
 self.evaluated_container_keys = ["resources/requests/memory"]
 res = conf.get("resources")
 if res:
+ if not isinstance(res, dict):
+ return CheckResult.UNKNOWN
 requests = res.get("requests")
 if requests and requests.get("memory"):
 return CheckResult.PASSED
From bc12e8157b960522b32870226be4f87bc895f9cf Mon Sep 17 00:00:00 2001
From: yaaraverner
Date: Mon, 24 Oct 2022 16:01:15 +0300
Subject: [PATCH 3/3] fixes
---
 checkov/kubernetes/checks/resource/k8s/CPULimits.py | 4 +++-
 tests/kubernetes/checks/test_CPULimits.py | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/checkov/kubernetes/checks/resource/k8s/CPULimits.py b/checkov/kubernetes/checks/resource/k8s/CPULimits.py
index ef25ffcbb8e..10e440171de 100644
--- a/checkov/kubernetes/checks/resource/k8s/CPULimits.py
+++ b/checkov/kubernetes/checks/resource/k8s/CPULimits.py
@@ -14,7 +14,9 @@ def __init__(self) -> None:
 def scan_container_conf(self, metadata: Dict[str, Any], conf: Dict[str, Any]) -> CheckResult:
 self.evaluated_container_keys = ["resources/limits/cpu"]
 res = conf.get("resources")
- if res and isinstance(res, dict):
+ if res:
+ if not isinstance(res, dict):
+ return CheckResult.UNKNOWN
 limits = res.get("limits")
 if limits and limits.get("cpu"):
 return CheckResult.PASSED
diff --git a/tests/kubernetes/checks/test_CPULimits.py b/tests/kubernetes/checks/test_CPULimits.py
index fab1433628a..558dec1a736 100644
--- a/tests/kubernetes/checks/test_CPULimits.py
+++ b/tests/kubernetes/checks/test_CPULimits.py
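Review bot: Replacing `if res and isinstance(res, dict):` with an explicit `return CheckResult.UNKNOWN` changes this check's verdict for a non-mapping `resources` from whatever the fall-through returned (the final return is outside the hunk, presumably FAILED) to UNKNOWN, and the commit subject "fixes" does not record that change. A short comment at the new return would make the choice reviewable, e.g. `# resources is not a mapping: malformed manifest, the limit cannot be evaluated`. The enclosing scan_container_conf ends outside the hunk.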
@@ -13,7 +13,7 @@ def test_summary(self):
 current_dir = os.path.dirname(os.path.realpath(__file__))
 test_files_dir = current_dir + "/example_Requests_Limits"
- report = runner.run(root_folder=test_files_dir,runner_filter=RunnerFilter(checks=[check.id]))
+ report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
 summary = report.get_summary()
 self.assertEqual(summary['passed'], 1)