-
Notifications
You must be signed in to change notification settings - Fork 48
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: YiscahLevySilas1 <[email protected]>
- Loading branch information
1 parent
34f4a02
commit 0c72268
Showing
2 changed files
with
60 additions
and
113 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,74 +1,47 @@ | ||
| package armo_builtins | ||
|
|
||
| import future.keywords.if | ||
|
|
||
| untrusted_image_repo[msga] { | ||
| pod := input[_] | ||
| pod.kind == "Pod" | ||
| container := pod.spec.containers[i] | ||
| image := container.image | ||
| not image_in_allowed_list(image) | ||
| path := sprintf("spec.containers[%v].image", [format_int(i, 10)]) | ||
|
|
||
| msga := { | ||
| "alertMessage": sprintf("image '%v' in container '%s' comes from untrusted registry", [image, container.name]), | ||
| "alertScore": 2, | ||
| "packagename": "armo_builtins", | ||
| "failedPaths": [path], | ||
| "fixPaths":[], | ||
| "alertObject": { | ||
| "k8sApiObjects": [pod] | ||
| } | ||
| } | ||
| } | ||
|
|
||
| untrusted_image_repo[msga] { | ||
| wl := input[_] | ||
| spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} | ||
| spec_template_spec_patterns[wl.kind] | ||
| container := wl.spec.template.spec.containers[i] | ||
| image := container.image | ||
| not image_in_allowed_list(image) | ||
|
|
||
| path := sprintf("spec.template.spec.containers[%v].image", [format_int(i, 10)]) | ||
| msga := { | ||
| "alertMessage": sprintf("image '%v' in container '%s' comes from untrusted registry", [image, container.name]), | ||
| "alertScore": 2, | ||
| "packagename": "armo_builtins", | ||
| "failedPaths": [path], | ||
| "fixPaths":[], | ||
| "alertObject": { | ||
| "k8sApiObjects": [wl] | ||
| } | ||
| } | ||
| } | ||
|
|
||
| untrusted_image_repo[msga] { | ||
| untrustedImageRepo[msga] { | ||
| wl := input[_] | ||
| wl.kind == "CronJob" | ||
| container := wl.spec.jobTemplate.spec.template.spec.containers[i] | ||
| image := container.image | ||
| not image_in_allowed_list(image) | ||
| containers_path := get_containers_path(wl) | ||
| containers := object.get(wl, containers_path, []) | ||
| container := containers[i] | ||
| name := image.parse_normalized_name(container.image) | ||
| not image_in_allowed_list(name) | ||
| path := sprintf("%s[%d].image", [concat(".", containers_path), i]) | ||
|
|
||
| path := sprintf("spec.jobTemplate.spec.template.spec.containers[%v].image", [format_int(i, 10)]) | ||
| msga := { | ||
| "alertMessage": sprintf("image '%v' in container '%s' comes from untrusted registry", [image, container.name]), | ||
| "alertMessage": sprintf("image '%v' in container '%s' comes from untrusted registry", [name, container.name]), | ||
| "packagename": "armo_builtins", | ||
| "alertScore": 2, | ||
| "packagename": "armo_builtins", | ||
| "fixPaths": [], | ||
| "failedPaths": [path], | ||
| "fixPaths":[], | ||
| "alertObject": { | ||
| "k8sApiObjects": [wl] | ||
| } | ||
| "alertObject": {"k8sApiObjects": [wl]}, | ||
| } | ||
| } | ||
|
|
||
| # image_in_allowed_list - rule to check if an image complies with imageRepositoryAllowList. | ||
| image_in_allowed_list(image){ | ||
|
|
||
| # see default-config-inputs.json for list values | ||
| allowedlist := data.postureControlInputs.imageRepositoryAllowList | ||
| registry := allowedlist[_] | ||
| startswith(image, registry) | ||
| } | ||
|
|
||
| # get_containers_path - get resource containers paths for {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} | ||
| get_containers_path(resource) := result { | ||
| resource_kinds := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Job"} | ||
| resource_kinds[resource.kind] | ||
| result = ["spec", "template", "spec", "containers"] | ||
| } | ||
|
|
||
| # get_containers_path - get resource containers paths for "Pod" | ||
| get_containers_path(resource) := result { | ||
| resource.kind == "Pod" | ||
| result = ["spec", "containers"] | ||
| } | ||
|
|
||
| startswith(image.parse_normalized_name(image), registry) | ||
| # get_containers_path - get resource containers paths for "CronJob" | ||
| get_containers_path(resource) := result { | ||
| resource.kind == "CronJob" | ||
| result = ["spec", "jobTemplate", "spec", "template", "spec", "containers"] | ||
| } |
86 changes: 30 additions & 56 deletions
86
rules/rule-identify-blocklisted-image-registries-v1/raw.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,80 +1,54 @@ | ||
| package armo_builtins | ||
|
|
||
| # Check for images from blocklisted repos | ||
|
|
||
| untrustedImageRepo[msga] { | ||
| pod := input[_] | ||
| k := pod.kind | ||
| k == "Pod" | ||
| container := pod.spec.containers[i] | ||
| path := sprintf("spec.containers[%v].image", [format_int(i, 10)]) | ||
| image := container.image | ||
| untrusted_or_public_registries(image) | ||
|
|
||
| msga := { | ||
| "alertMessage": sprintf("image '%v' in container '%s' comes from untrusted registry", [image, container.name]), | ||
| "packagename": "armo_builtins", | ||
| "alertScore": 2, | ||
| "fixPaths": [], | ||
| "failedPaths": [path], | ||
| "alertObject": { | ||
| "k8sApiObjects": [pod] | ||
| } | ||
| } | ||
| } | ||
|
|
||
| untrustedImageRepo[msga] { | ||
| wl := input[_] | ||
| spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} | ||
| spec_template_spec_patterns[wl.kind] | ||
| container := wl.spec.template.spec.containers[i] | ||
| path := sprintf("spec.template.spec.containers[%v].image", [format_int(i, 10)]) | ||
| image := container.image | ||
| untrusted_or_public_registries(image) | ||
| containers_path := get_containers_path(wl) | ||
| containers := object.get(wl, containers_path, []) | ||
| container := containers[i] | ||
| name := image.parse_normalized_name(container.image) | ||
| untrusted_or_public_registries(name) | ||
| path := sprintf("%s[%d].image", [concat(".", containers_path), i]) | ||
|
|
||
| msga := { | ||
| "alertMessage": sprintf("image '%v' in container '%s' comes from untrusted registry", [image, container.name]), | ||
| "alertMessage": sprintf("image '%v' in container '%s' comes from untrusted registry", [name, container.name]), | ||
| "packagename": "armo_builtins", | ||
| "alertScore": 2, | ||
| "fixPaths": [], | ||
| "failedPaths": [path], | ||
| "alertObject": { | ||
| "k8sApiObjects": [wl] | ||
| } | ||
| } | ||
| } | ||
|
|
||
| untrustedImageRepo[msga] { | ||
| wl := input[_] | ||
| wl.kind == "CronJob" | ||
| container := wl.spec.jobTemplate.spec.template.spec.containers[i] | ||
| path := sprintf("spec.jobTemplate.spec.template.spec.containers[%v].image", [format_int(i, 10)]) | ||
| image := container.image | ||
| untrusted_or_public_registries(image) | ||
|
|
||
| msga := { | ||
| "alertMessage": sprintf("image '%v' in container '%s' comes from untrusted registry", [image, container.name]), | ||
| "packagename": "armo_builtins", | ||
| "alertScore": 2, | ||
| "fixPaths": [], | ||
| "failedPaths": [path], | ||
| "alertObject": { | ||
| "k8sApiObjects": [wl] | ||
| } | ||
| } | ||
| "alertObject": {"k8sApiObjects": [wl]}, | ||
| } | ||
| } | ||
|
|
||
| untrusted_or_public_registries(image){ | ||
| # see default-config-inputs.json for list values | ||
| untrusted_registries := data.postureControlInputs.untrustedRegistries | ||
| registry := untrusted_registries[_] | ||
| startswith(image.parse_normalized_name(image), registry) | ||
| startswith(image, registry) | ||
|
|
||
| } | ||
|
|
||
| untrusted_or_public_registries(image){ | ||
| # see default-config-inputs.json for list values | ||
| public_registries := data.postureControlInputs.publicRegistries | ||
| registry := public_registries[_] | ||
| startswith(image.parse_normalized_name(image), registry) | ||
| startswith(image, registry) | ||
| } | ||
|
|
||
| # get_containers_path - get resource containers paths for {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} | ||
| get_containers_path(resource) := result { | ||
| resource_kinds := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Job"} | ||
| resource_kinds[resource.kind] | ||
| result = ["spec", "template", "spec", "containers"] | ||
| } | ||
|
|
||
| # get_containers_path - get resource containers paths for "Pod" | ||
| get_containers_path(resource) := result { | ||
| resource.kind == "Pod" | ||
| result = ["spec", "containers"] | ||
| } | ||
|
|
||
| # get_containers_path - get resource containers paths for "CronJob" | ||
| get_containers_path(resource) := result { | ||
| resource.kind == "CronJob" | ||
| result = ["spec", "jobTemplate", "spec", "template", "spec", "containers"] | ||
| } |