From 28f6129873c7142e8bcc8316655c5bb9a80a9154 Mon Sep 17 00:00:00 2001 From: Ben Hirschberg <59160382+slashben@users.noreply.github.com> Date: Mon, 16 Oct 2023 15:22:46 +0300 Subject: [PATCH 1/4] Fix in exposure to internet rule: making sure that service and ingress are in the same namespace Signed-off-by: Ben Hirschberg <59160382+slashben@users.noreply.github.com> --- rules/exposure-to-internet/raw.rego | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rules/exposure-to-internet/raw.rego b/rules/exposure-to-internet/raw.rego index e31379b8b..f059c6811 100644 --- a/rules/exposure-to-internet/raw.rego +++ b/rules/exposure-to-internet/raw.rego @@ -35,6 +35,10 @@ deny[msga] { svc := input[_] svc.kind == "Service" + + # Make sure that they belong to the same namespace + svc.metadata.namespace == ingress.metadata.namespace + # avoid duplicate alerts # if service is already exposed through NodePort or LoadBalancer workload will fail on that not is_exposed_service(svc) From f9fa144f5c7de8d7f1dcc82d62e6d2487dead343 Mon Sep 17 00:00:00 2001 From: Ben Hirschberg <59160382+slashben@users.noreply.github.com> Date: Mon, 16 Oct 2023 15:29:09 +0300 Subject: [PATCH 2/4] adding service to related objects Signed-off-by: Ben Hirschberg <59160382+slashben@users.noreply.github.com> --- rules/exposure-to-internet/raw.rego | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/rules/exposure-to-internet/raw.rego b/rules/exposure-to-internet/raw.rego index f059c6811..942e7e4e6 100644 --- a/rules/exposure-to-internet/raw.rego +++ b/rules/exposure-to-internet/raw.rego @@ -59,11 +59,16 @@ deny[msga] { "alertObject": { "k8sApiObjects": [wl] }, - "relatedObjects": [{ - "object": ingress, + "relatedObjects": [ + { + "object": ingress, "reviewPaths": result, - "failedPaths": result, - }] + "failedPaths": result, + }, + { + "object": svc, + } + ] } } From 9e388645fe3021c79cb591122ce6d693927b252c Mon Sep 17 00:00:00 2001 
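Review bot: The added line `svc.metadata.namespace == ingress.metadata.namespace` is undefined in Rego whenever either object lacks `metadata.namespace`, and an undefined expression makes the whole `deny` body undefined, so a Service or Ingress manifest that omits the field is silently never reported instead of being treated as living in `default`. The test fixtures in PATCH 3/4 had to gain `namespace: default` for the expected finding to survive, which is consistent with that. Consider `object.get(svc.metadata, "namespace", "default") == object.get(ingress.metadata, "namespace", "default")`, which keeps the same-namespace check while following the usual reading of an omitted namespace. The `deny[msga]` rule begins and ends outside this hunk.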
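Review bot: In the rebuilt `relatedObjects` array, `"reviewPaths": result,` is carried as an unchanged context line while `"object": ingress,` and `"failedPaths": result,` on either side of it are re-added, which suggests it kept its old indentation and now sits one level shallower than its siblings inside the new object literal; re-indenting it would keep the literal readable. The new `{ "object": svc, }` entry has no `reviewPaths`/`failedPaths`, so elements of `relatedObjects` no longer share one shape; a short comment such as `# the Service is informational only; the failing paths are reported on the Ingress` would make that intent explicit for consumers. The enclosing `deny[msga]` rule begins outside this hunk.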
From: YiscahLevySilas1 Date: Mon, 16 Oct 2023 17:00:14 +0300 Subject: [PATCH 3/4] fix test Signed-off-by: YiscahLevySilas1 --- .../test/failed_with_ingress/expected.json | 25 ++++++++++++++++++- .../failed_with_ingress/input/ingress.yaml | 1 + .../failed_with_ingress/input/service.yaml | 1 + 3 files changed, 26 insertions(+), 1 deletion(-) diff --git a/rules/exposure-to-internet/test/failed_with_ingress/expected.json b/rules/exposure-to-internet/test/failed_with_ingress/expected.json index 958f9eaf0..5ce02f86b 100644 --- a/rules/exposure-to-internet/test/failed_with_ingress/expected.json +++ b/rules/exposure-to-internet/test/failed_with_ingress/expected.json @@ -23,7 +23,8 @@ "apiVersion": "networking.k8s.io/v1", "kind": "Ingress", "metadata": { - "name": "my-ingress" + "name": "my-ingress", + "namespace": "default" }, "spec": { "ingressClassName": "nginx", @@ -54,6 +55,28 @@ "spec.rules[0].http.paths[0].backend.service.name" ], "fixPaths": null + }, + { + "object": { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "name": "my-service", + "namespace": "default" + }, + "spec": { + "ports": [ + { + "port": 80, + "targetPort": 80 + } + ], + "selector": { + "app": "my-app" + }, + "type": "ClusterIP" + } + } } ] } diff --git a/rules/exposure-to-internet/test/failed_with_ingress/input/ingress.yaml b/rules/exposure-to-internet/test/failed_with_ingress/input/ingress.yaml index 096c24a22..4cc9b174d 100644 --- a/rules/exposure-to-internet/test/failed_with_ingress/input/ingress.yaml +++ b/rules/exposure-to-internet/test/failed_with_ingress/input/ingress.yaml @@ -2,6 +2,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: my-ingress + namespace: default spec: ingressClassName: nginx rules: diff --git a/rules/exposure-to-internet/test/failed_with_ingress/input/service.yaml b/rules/exposure-to-internet/test/failed_with_ingress/input/service.yaml index 7ba441575..9ad14d173 100644 
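Review bot: Adding `namespace: default` to `input/ingress.yaml` (and to `input/service.yaml` in the next file) makes the fixture pass by removing the one input shape on which the new same-namespace check behaves differently from before: a manifest with no `metadata.namespace`. That shape is now untested, so a change in how the rule treats namespace-less objects would go unnoticed. Keep one fixture pair without a namespace, or add a sibling test directory for it, and record the intended result in its `expected.json` so the behaviour is pinned rather than implied.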
--- a/rules/exposure-to-internet/test/failed_with_ingress/input/service.yaml +++ b/rules/exposure-to-internet/test/failed_with_ingress/input/service.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: name: my-service + namespace: default spec: selector: app: my-app From 303565815f80c6b896c35f2457439355305e6d63 Mon Sep 17 00:00:00 2001 From: YiscahLevySilas1 Date: Mon, 16 Oct 2023 17:00:52 +0300 Subject: [PATCH 4/4] change control scope Signed-off-by: YiscahLevySilas1 --- controls/C-0256-exposuretointernet.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/controls/C-0256-exposuretointernet.json b/controls/C-0256-exposuretointernet.json index cc35d4e7b..a65f5b3f5 100644 --- a/controls/C-0256-exposuretointernet.json +++ b/controls/C-0256-exposuretointernet.json @@ -28,8 +28,7 @@ "baseScore": 7.0, "scanningScope": { "matches": [ - "cluster", - "file" + "cluster" ] } }
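Review bot: Dropping `"file"` from `scanningScope.matches` removes control C-0256 from manifest/file scans, yet neither the subject `change control scope` nor the hunk says why; presumably it is that file inputs often lack `metadata.namespace`, which the rule change in PATCH 1/4 now depends on. If so, say that in the commit message, and weigh it against the alternative of letting the rule tolerate a missing namespace, since losing internet-exposure detection in pre-deploy file scanning is a coverage regression for users of that mode.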