test.rego
package compliance.cis_eks.rules.cis_4_2_2
import data.kubernetes_common.test_data
import data.lib.test
# A pod spec that shares the host PID namespace must produce a failing finding.
test_violation {
	host_pid_pod := rule_input(violating_psp)
	test.assert_fail(finding) with input as host_pid_pod
}
# Both shapes of a compliant pod must yield a passing finding: a spec with no
# hostPID field at all, and a spec that sets hostPID to false explicitly.
test_pass {
	absent_host_pid := rule_input(non_violating_psp)
	explicit_false := rule_input(non_violating_psp2)
	test.assert_pass(finding) with input as absent_host_pid
	test.assert_pass(finding) with input as explicit_false
}
# For input that is not a kube-api resource the rule must not be defined at all
# (neither a pass nor a fail finding), so unrelated inputs are never scored.
test_not_evaluated {
	unrelated_input := {"type": "no-kube-api"}
	not finding with input as unrelated_input
}
# Wraps a bare resource in the kube-api input envelope provided by the shared
# kubernetes_common test helper, so every fixture is fed to the rule the same way.
rule_input(resource) = wrapped {
	wrapped := test_data.kube_api_input(resource)
}
# Fixture expected to FAIL: the pod requests the host PID namespace.
# The uid is a fixed placeholder shared by all fixtures; the three fixtures in
# this file differ only in spec.hostPID.
violating_psp = {
	"spec": {"hostPID": true},
	"metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
	"kind": "Pod",
}
# Fixture expected to PASS: the spec omits hostPID entirely, which exercises
# the "field absent" path rather than an explicit false.
non_violating_psp = {
	"spec": {},
	"metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
	"kind": "Pod",
}
# Fixture expected to PASS: hostPID is present but explicitly false, the
# counterpart to non_violating_psp's missing field.
non_violating_psp2 = {
	"spec": {"hostPID": false},
	"metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
	"kind": "Pod",
}