Merge pull request #580 from kubescape/C-0211-fix
fix C-0211 sysctls fixpath
YiscahLevySilas1 authored Feb 18, 2024
2 parents 84627a0 + 65343a8 commit 76b5600
Showing 4 changed files with 92 additions and 60 deletions.
12 changes: 9 additions & 3 deletions rules/set-sysctls-params/raw.rego
Expand Up @@ -12,12 +12,14 @@ deny[msga] {
not pod.spec.securityContext.sysctls

path := "spec.securityContext.sysctls"
fixPaths := [{"path": sprintf("%s.name", [path]), "value": "YOUR_VALUE"},
{"path": sprintf("%s.value", [path]), "value": "YOUR_VALUE"}]
msga := {
"alertMessage": sprintf("Pod: %v does not set 'securityContext.sysctls'", [pod.metadata.name]),
"packagename": "armo_builtins",
"alertScore": 7,
"failedPaths": [],
"fixPaths": [{"path": path, "name": "net.ipv4.tcp_syncookie", "value": "1"}],
"fixPaths": fixPaths,
"alertObject": {
"k8sApiObjects": [pod]
}
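Review bot: The generated fix path on the `fixPaths :=` line drops the list index: `securityContext.sysctls` is a list of `{name, value}` entries in the Pod spec, so `spec.securityContext.sysctls.name` addresses a map key rather than a list element, and a fixer that applies the dotted path literally would produce `sysctls: {name: …, value: …}`, which is not a valid shape for that field. The same construction is repeated in the workload and CronJob hunks below, so the note applies to all three. If the library's convention for list fields is an explicit index, the two lines become `fixPaths := [{"path": sprintf("%s[0].name", [path]), "value": "YOUR_VALUE"},` / `{"path": sprintf("%s[0].value", [path]), "value": "YOUR_VALUE"}]`, and the three expected.json fixtures in this commit need the matching paths. The enclosing `deny[msga]` rule starts before this hunk and ends after it.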
Expand All @@ -37,12 +39,14 @@ deny[msga] {
not wl.spec.template.spec.securityContext.sysctls

path := "spec.template.spec.securityContext.sysctls"
fixPaths := [{"path": sprintf("%s.name", [path]), "value": "YOUR_VALUE"},
{"path": sprintf("%s.value", [path]), "value": "YOUR_VALUE"}]
msga := {
"alertMessage": sprintf("Workload: %v does not set 'securityContext.sysctls'", [wl.metadata.name]),
"packagename": "armo_builtins",
"alertScore": 7,
"failedPaths": [],
"fixPaths": [{"path": path, "name": "net.ipv4.tcp_syncookie", "value": "1"}],
"fixPaths": fixPaths,
"alertObject": {
"k8sApiObjects": [wl]
}
Expand All @@ -61,12 +65,14 @@ deny[msga] {
not cj.spec.jobTemplate.spec.template.spec.securityContext.sysctls

path := "spec.jobTemplate.spec.template.spec.securityContext.sysctls"
fixPaths := [{"path": sprintf("%s.name", [path]), "value": "YOUR_VALUE"},
{"path": sprintf("%s.value", [path]), "value": "YOUR_VALUE"}]
msga := {
"alertMessage": sprintf("CronJob: %v does not set 'securityContext.sysctls'", [cj.metadata.name]),
"packagename": "armo_builtins",
"alertScore": 7,
"failedPaths": [],
"fixPaths": [{"path": path, "name": "net.ipv4.tcp_syncookie", "value": "1"}],
"fixPaths": fixPaths,
"alertObject": {
"k8sApiObjects": [cj]
}
45 changes: 27 additions & 18 deletions rules/set-sysctls-params/test/cronjob/expected.json
@@ -1,21 +1,30 @@
[
{
"alertMessage": "CronJob: hello does not set 'securityContext.sysctls'",
"packagename": "armo_builtins",
"alertScore": 7,
"failedPaths": [],
"fixPaths": [{"path": "spec.jobTemplate.spec.template.spec.securityContext.sysctls", "name": "net.ipv4.tcp_syncookie", "value": "1"}],
"ruleStatus": "",
"alertObject": {
"k8sApiObjects": [
{
"apiVersion": "batch/v1beta1",
"kind": "CronJob",
"metadata": {
"name": "hello"
}
}
]
{
"alertMessage": "CronJob: hello does not set 'securityContext.sysctls'",
"packagename": "armo_builtins",
"alertScore": 7,
"failedPaths": [],
"fixPaths": [
{
"path": "spec.jobTemplate.spec.template.spec.securityContext.sysctls.name",
"value": "YOUR_VALUE"
},
{
"path": "spec.jobTemplate.spec.template.spec.securityContext.sysctls.value",
"value": "YOUR_VALUE"
}
],
"ruleStatus": "",
"alertObject": {
"k8sApiObjects": [
{
"apiVersion": "batch/v1beta1",
"kind": "CronJob",
"metadata": {
"name": "hello"
}
}
]
}
]
}
]
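Review bot: The section header counts 18 deletions and 27 additions although the only substantive difference between the old and new fixture is the `fixPaths` array, which suggests the whole file was re-indented in the same change (the +/- column is not preserved in this view, so this is inferred); the workload fixture below shows the same pattern. A whitespace-only reformat mixed into a behavioural fix hides the one line a reviewer needs to check and makes `git blame` on the fixture point at this commit for every line. Keeping the old indentation here, or landing the reformat as a separate commit, would leave a diff that shows only the `fixPaths` change.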
44 changes: 26 additions & 18 deletions rules/set-sysctls-params/test/pod/expected.json
@@ -1,21 +1,29 @@
[
{
"alertMessage": "Pod: nginx does not set 'securityContext.sysctls'",
"packagename": "armo_builtins",
"alertScore": 7,
"failedPaths": [],
"fixPaths": [{"path": "spec.securityContext.sysctls", "name": "net.ipv4.tcp_syncookie", "value": "1"}],
"ruleStatus": "",
"alertObject": {
"k8sApiObjects": [
{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "nginx"
}
}
]
{
"alertMessage": "Pod: nginx does not set 'securityContext.sysctls'",
"packagename": "armo_builtins",
"alertScore": 7,
"failedPaths": [],
"fixPaths": [
{
"path": "spec.securityContext.sysctls.name",
"value": "YOUR_VALUE"
},
{
"path": "spec.securityContext.sysctls.value",
"value": "YOUR_VALUE"}
],
"ruleStatus": "",
"alertObject": {
"k8sApiObjects": [
{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "nginx"
}
}
]
}
]
}
]
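Review bot: The second `fixPaths` entry in the new pod fixture closes its object on the value line (`"value": "YOUR_VALUE"}`), unlike the first entry in the same array and both entries in the cronjob and workload fixtures, which put `}` on its own line. Presumably the fixture is compared as parsed JSON so the test still passes, but the three files are meant to be read side by side and the inconsistent layout makes that harder. Split it into `"value": "YOUR_VALUE"` followed by `}` on its own line, matching the other two fixtures.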
51 changes: 30 additions & 21 deletions rules/set-sysctls-params/test/workload/expected.json
@@ -1,24 +1,33 @@
[
{
"alertMessage": "Workload: my-deployment does not set 'securityContext.sysctls'",
"packagename": "armo_builtins",
"alertScore": 7,
"failedPaths": [],
"fixPaths": [{"path": "spec.template.spec.securityContext.sysctls", "name": "net.ipv4.tcp_syncookie", "value": "1"}],
"ruleStatus": "",
"alertObject": {
"k8sApiObjects": [
{
"apiVersion": "apps/v1",
"kind": "Deployment",
"metadata": {
"name": "my-deployment",
"labels": {
"app": "goproxy"
}
}
}
]
{
"alertMessage": "Workload: my-deployment does not set 'securityContext.sysctls'",
"packagename": "armo_builtins",
"alertScore": 7,
"failedPaths": [],
"fixPaths": [
{
"path": "spec.template.spec.securityContext.sysctls.name",
"value": "YOUR_VALUE"
},
{
"path": "spec.template.spec.securityContext.sysctls.value",
"value": "YOUR_VALUE"
}
],
"ruleStatus": "",
"alertObject": {
"k8sApiObjects": [
{
"apiVersion": "apps/v1",
"kind": "Deployment",
"metadata": {
"name": "my-deployment",
"labels": {
"app": "goproxy"
}
}
}
]
}
]
}
]

0 comments on commit 76b5600
