From 3fb0f441b2670c3e1f8027075d3950bc8a42174c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20R=C3=BCger?= Date: Wed, 12 Feb 2025 09:48:20 +0100 Subject: [PATCH] Update rego --- .github/workflows/pull_request.yaml | 2 +- examples/any-warn-deprecated-api-versions/src.rego | 5 +++-- .../any-warn-deprecated-api-versions/src_test.rego | 8 +++++--- examples/container-deny-added-caps/src.rego | 5 +++-- examples/container-deny-added-caps/src_test.rego | 6 ++++-- examples/container-deny-escalation/src.rego | 9 +++++---- examples/container-deny-escalation/src_test.rego | 6 ++++-- examples/container-deny-latest-tag/src.rego | 7 ++++--- examples/container-deny-latest-tag/src_test.rego | 8 +++++--- .../container-deny-privileged-if-tenant/src.rego | 7 ++++--- .../src_test.rego | 8 +++++--- examples/container-deny-privileged/src.rego | 7 ++++--- examples/container-deny-privileged/src_test.rego | 8 +++++--- .../src.rego | 5 +++-- .../src_test.rego | 10 ++++++---- examples/container-warn-no-ro-fs/src.rego | 7 ++++--- examples/container-warn-no-ro-fs/src_test.rego | 6 ++++-- examples/pod-deny-host-alias/src.rego | 5 +++-- examples/pod-deny-host-alias/src_test.rego | 6 ++++-- examples/pod-deny-host-ipc/src.rego | 5 +++-- examples/pod-deny-host-ipc/src_test.rego | 6 ++++-- examples/pod-deny-host-network/src.rego | 5 +++-- examples/pod-deny-host-network/src_test.rego | 6 ++++-- examples/pod-deny-host-pid/src.rego | 5 +++-- examples/pod-deny-host-pid/src_test.rego | 6 ++++-- examples/pod-deny-without-runasnonroot/src.rego | 5 +++-- .../pod-deny-without-runasnonroot/src_test.rego | 8 +++++--- examples/psp-deny-added-caps/src.rego | 5 +++-- examples/psp-deny-added-caps/src_test.rego | 10 ++++++---- examples/psp-deny-escalation/src.rego | 7 ++++--- examples/psp-deny-escalation/src_test.rego | 8 +++++--- examples/psp-deny-host-alias/src.rego | 5 +++-- examples/psp-deny-host-alias/src_test.rego | 6 ++++-- examples/psp-deny-host-ipc/src.rego | 5 +++-- examples/psp-deny-host-ipc/src_test.rego | 6 ++++-- examples/psp-deny-host-network/src.rego | 5 +++-- 
examples/psp-deny-host-network/src_test.rego | 6 ++++-- examples/psp-deny-host-pid/src.rego | 5 +++-- examples/psp-deny-host-pid/src_test.rego | 6 ++++-- examples/psp-deny-privileged/src.rego | 5 +++-- examples/psp-deny-privileged/src_test.rego | 6 ++++-- examples/psp-warn-no-ro-fs/src.rego | 7 ++++--- examples/psp-warn-no-ro-fs/src_test.rego | 8 +++++--- examples/required-labels/src.rego | 5 +++-- examples/required-labels/src_test.rego | 14 ++++++++------ examples/role-deny-use-privileged-psp/src.rego | 11 ++++++----- .../role-deny-use-privileged-psp/src_test.rego | 14 ++++++++------ 47 files changed, 192 insertions(+), 123 deletions(-) diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml index c07a1dbc..dd85df65 100644 --- a/.github/workflows/pull_request.yaml +++ b/.github/workflows/pull_request.yaml @@ -106,7 +106,7 @@ jobs: - name: setup regal uses: styrainc/setup-regal@v1.0.0 - with: + with version: 0.31.0 - name: regal lint diff --git a/examples/any-warn-deprecated-api-versions/src.rego b/examples/any-warn-deprecated-api-versions/src.rego index f0573808..4d1f8130 100644 --- a/examples/any-warn-deprecated-api-versions/src.rego +++ b/examples/any-warn-deprecated-api-versions/src.rego @@ -15,12 +15,13 @@ package any_warn_deprecated_api_versions import data.lib.core +import rego.v1 policyID := "P0001" -warn[msg] { - resources := ["DaemonSet", "Deployment"] +warn[msg] if { core.apiVersion == "extensions/v1beta1" + resources := ["DaemonSet", "Deployment"] core.kind == resources[_] msg := core.format_with_id( diff --git a/examples/any-warn-deprecated-api-versions/src_test.rego b/examples/any-warn-deprecated-api-versions/src_test.rego index c91c5a5f..a0cad9c2 100644 --- a/examples/any-warn-deprecated-api-versions/src_test.rego +++ b/examples/any-warn-deprecated-api-versions/src_test.rego 
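Review bot: The added line `with` in `.github/workflows/pull_request.yaml` drops the colon that the removed `with:` had, which leaves `version: 0.31.0` hanging under a bare scalar and makes the workflow file invalid YAML, so the regal lint job will not run at all rather than run with the pinned version. Keep the mapping key: `with:`. Since that lint step is the gate for the rego.v1 conversion the rest of this patch performs, a broken workflow would hide any mistakes elsewhere in the patch instead of surfacing them; the exact parser message will depend on the YAML implementation, but no common one accepts a key without a colon.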
@@ -1,6 +1,8 @@ package any_warn_deprecated_api_versions -test_matching { +import rego.v1 + +test_matching if { warns := warn with input as { "kind": "Deployment", "metadata": {"name": "test"}, @@ -9,7 +11,7 @@ test_matching { count(warns) == 1 } -test_different_kind { +test_different_kind if { warns := warn with input as { "kind": "test", "metadata": {"name": "test"}, @@ -18,7 +20,7 @@ test_different_kind { count(warns) == 0 } -test_different_apiversion { +test_different_apiversion if { warns := warn with input as { "kind": "Deployment", "metadata": {"name": "test"}, diff --git a/examples/container-deny-added-caps/src.rego b/examples/container-deny-added-caps/src.rego index 4e04f02d..128fcc9e 100644 --- a/examples/container-deny-added-caps/src.rego +++ b/examples/container-deny-added-caps/src.rego @@ -24,10 +24,11 @@ package container_deny_added_caps import data.lib.core import data.lib.pods import data.lib.security +import rego.v1 policyID := "P1001" -violation[msg] { +violation[msg] if { some container pods.containers[container] not container_dropped_all_capabilities(container) @@ -38,6 +39,6 @@ violation[msg] { ) } -container_dropped_all_capabilities(container) { +container_dropped_all_capabilities(container) if { security.dropped_capability(container, "all") } diff --git a/examples/container-deny-added-caps/src_test.rego b/examples/container-deny-added-caps/src_test.rego index cdcc8e14..fa9eb241 100644 --- a/examples/container-deny-added-caps/src_test.rego +++ b/examples/container-deny-added-caps/src_test.rego @@ -1,9 +1,11 @@ package container_deny_added_caps -test_dropped_all { +import rego.v1 + +test_dropped_all if { container_dropped_all_capabilities({"securityContext": {"capabilities": {"drop": ["all"]}}}) } -test_dropped_none { +test_dropped_none if { not container_dropped_all_capabilities({"securityContext": {"capabilities": {"drop": ["none"]}}}) } 
diff --git a/examples/container-deny-escalation/src.rego b/examples/container-deny-escalation/src.rego index 564ede2d..8cc5b5ea 100644 --- a/examples/container-deny-escalation/src.rego +++ b/examples/container-deny-escalation/src.rego @@ -20,10 +20,11 @@ package container_deny_escalation import data.lib.core import data.lib.pods +import rego.v1 policyID := "P1002" -violation[msg] { +violation[msg] if { some container pods.containers[container] container_allows_escalation(container) @@ -31,14 +32,14 @@ violation[msg] { msg := core.format_with_id(sprintf("%s/%s: Allows privilege escalation", [core.kind, core.name]), policyID) } -container_allows_escalation(c) { +container_allows_escalation(c) if { c.securityContext.allowPrivilegeEscalation == true } -container_allows_escalation(c) { +container_allows_escalation(c) if { core.missing_field(c, "securityContext") } -container_allows_escalation(c) { +container_allows_escalation(c) if { core.missing_field(c.securityContext, "allowPrivilegeEscalation") } diff --git a/examples/container-deny-escalation/src_test.rego b/examples/container-deny-escalation/src_test.rego index a64da4f2..0fd2025c 100644 --- a/examples/container-deny-escalation/src_test.rego +++ b/examples/container-deny-escalation/src_test.rego @@ -1,9 +1,11 @@ package container_deny_escalation -test_allowescalation_false { +import rego.v1 + +test_allowescalation_false if { not container_allows_escalation({"securityContext": {"allowPrivilegeEscalation": false}}) } -test_allowescalation_true { +test_allowescalation_true if { container_allows_escalation({"securityContext": {"allowPrivilegeEscalation": true}}) } diff --git a/examples/container-deny-latest-tag/src.rego b/examples/container-deny-latest-tag/src.rego index 4a8591d2..d74d8628 100644 --- a/examples/container-deny-latest-tag/src.rego +++ b/examples/container-deny-latest-tag/src.rego 
@@ -35,10 +35,11 @@ package container_deny_latest_tag import data.lib.core import data.lib.pods +import rego.v1 policyID := "P2001" -violation[msg] { +violation[msg] if { some container pods.containers[container] has_latest_tag(container) @@ -49,10 +50,10 @@ violation[msg] { ) } -has_latest_tag(c) { +has_latest_tag(c) if { endswith(c.image, ":latest") } -has_latest_tag(c) { +has_latest_tag(c) if { contains(c.image, ":") == false } diff --git a/examples/container-deny-latest-tag/src_test.rego b/examples/container-deny-latest-tag/src_test.rego index 3ed6563f..67b89ff8 100644 --- a/examples/container-deny-latest-tag/src_test.rego +++ b/examples/container-deny-latest-tag/src_test.rego @@ -1,13 +1,15 @@ package container_deny_latest_tag -test_input_as_image_without_latest_tag { +import rego.v1 + +test_input_as_image_without_latest_tag if { not has_latest_tag({"name": "test", "image": "image:1.0.0"}) } -test_input_as_image_with_latest_tag { +test_input_as_image_with_latest_tag if { has_latest_tag({"name": "test", "image": "image:latest"}) } -test_input_as_image_with_no_tag { +test_input_as_image_with_no_tag if { has_latest_tag({"name": "test", "image": "image"}) } diff --git a/examples/container-deny-privileged-if-tenant/src.rego b/examples/container-deny-privileged-if-tenant/src.rego index acc12c8c..448066f7 100644 --- a/examples/container-deny-privileged-if-tenant/src.rego +++ b/examples/container-deny-privileged-if-tenant/src.rego @@ -27,10 +27,11 @@ package container_deny_privileged_if_tenant import data.lib.core import data.lib.pods import data.lib.security +import rego.v1 policyID := "P2006" -violation[msg] { +violation[msg] if { some container pods.containers[container] container_is_privileged(container) 
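Review bot: The second `has_latest_tag` rule, rewritten here as `has_latest_tag(c) if { contains(c.image, ":") == false }`, compares a boolean to `false` where the idiomatic form is `not contains(c.image, ":")`, and regal's style checks are likely to flag the comparison form. A limitation worth recording on that rule while it is being touched: an image reference with a registry port but no tag (a constructed example would be `registry.example:5000/app`) contains a colon and is therefore not treated as untagged, and a digest reference is not considered either; both are pre-existing, so a comment such as `# a registry port also contains ":" so an untagged image from such a registry is not caught here` is the minimum until the check is tightened.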
@@ -41,10 +42,10 @@ violation[msg] { ) } -container_is_privileged(container) { +container_is_privileged(container) if { container.securityContext.privileged } -container_is_privileged(container) { +container_is_privileged(container) if { security.added_capability(container, "CAP_SYS_ADMIN") } diff --git a/examples/container-deny-privileged-if-tenant/src_test.rego b/examples/container-deny-privileged-if-tenant/src_test.rego index 51347e93..e8f4e4b5 100644 --- a/examples/container-deny-privileged-if-tenant/src_test.rego +++ b/examples/container-deny-privileged-if-tenant/src_test.rego @@ -1,13 +1,15 @@ package container_deny_privileged -test_privileged_true { +import rego.v1 + +test_privileged_true if { container_is_privileged({"securityContext": {"privileged": true}}) } -test_privileged_false { +test_privileged_false if { not container_is_privileged({"securityContext": {"privileged": false}}) } -test_added_capability { +test_added_capability if { container_is_privileged({"securityContext": {"capabilities": {"add": ["CAP_SYS_ADMIN"]}}}) } diff --git a/examples/container-deny-privileged/src.rego b/examples/container-deny-privileged/src.rego index d9ea6a12..4255d3b2 100644 --- a/examples/container-deny-privileged/src.rego +++ b/examples/container-deny-privileged/src.rego @@ -22,10 +22,11 @@ package container_deny_privileged import data.lib.core import data.lib.pods import data.lib.security +import rego.v1 policyID := "P1003" -violation[msg] { +violation[msg] if { some container pods.containers[container] container_is_privileged(container) @@ -36,10 +37,10 @@ violation[msg] { ) } -container_is_privileged(container) { +container_is_privileged(container) if { container.securityContext.privileged } -container_is_privileged(container) { +container_is_privileged(container) if { security.added_capability(container, "CAP_SYS_ADMIN") } diff --git a/examples/container-deny-privileged/src_test.rego b/examples/container-deny-privileged/src_test.rego index 51347e93..e8f4e4b5 100644 
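Review bot: The context line `package container_deny_privileged` at the top of `examples/container-deny-privileged-if-tenant/src_test.rego` does not match the policy's own package `container_deny_privileged_if_tenant` shown in the src.rego hunk above, so these tests exercise the sibling `container-deny-privileged` policy rather than the if-tenant one. The identical blob ids `51347e93..e8f4e4b5` on this file and on `examples/container-deny-privileged/src_test.rego` suggest it is a verbatim copy. Since the commit rewrites every rule head in the file, it is the natural place to fix the package: `package container_deny_privileged_if_tenant`; until then the if-tenant `container_is_privileged` rules have no test coverage of their own.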
--- a/examples/container-deny-privileged/src_test.rego +++ b/examples/container-deny-privileged/src_test.rego @@ -1,13 +1,15 @@ package container_deny_privileged -test_privileged_true { +import rego.v1 + +test_privileged_true if { container_is_privileged({"securityContext": {"privileged": true}}) } -test_privileged_false { +test_privileged_false if { not container_is_privileged({"securityContext": {"privileged": false}}) } -test_added_capability { +test_added_capability if { container_is_privileged({"securityContext": {"capabilities": {"add": ["CAP_SYS_ADMIN"]}}}) } diff --git a/examples/container-deny-without-resource-constraints/src.rego b/examples/container-deny-without-resource-constraints/src.rego index 9cbf0ebd..fd86a335 100644 --- a/examples/container-deny-without-resource-constraints/src.rego +++ b/examples/container-deny-without-resource-constraints/src.rego @@ -20,10 +20,11 @@ package container_deny_without_resource_constraints import data.lib.core import data.lib.pods +import rego.v1 policyID := "P2002" -violation[msg] { +violation[msg] if { some container pods.containers[container] not container_resources_provided(container) @@ -34,7 +35,7 @@ violation[msg] { ) } -container_resources_provided(container) { +container_resources_provided(container) if { container.resources.requests.cpu container.resources.requests.memory container.resources.limits.cpu diff --git a/examples/container-deny-without-resource-constraints/src_test.rego b/examples/container-deny-without-resource-constraints/src_test.rego index da5f5d5d..7a0a5019 100644 --- a/examples/container-deny-without-resource-constraints/src_test.rego +++ b/examples/container-deny-without-resource-constraints/src_test.rego 
@@ -1,24 +1,26 @@ package container_deny_without_resource_constraints -test_input_as_container_missing_resources { +import rego.v1 + +test_input_as_container_missing_resources if { container := {} not container_resources_provided(container) } -test_input_as_container_with_missing_memory_requests { +test_input_as_container_with_missing_memory_requests if { container := {"resources": {"requests": {"cpu": "1"}}} not container_resources_provided(container) } -test_input_as_container_with_missing_limits_constraint { +test_input_as_container_with_missing_limits_constraint if { container := {"resources": {"requests": {"cpu": "1", "memory": "1"}}} not container_resources_provided(container) } -test_input_as_container_with_all_constraints { +test_input_as_container_with_all_constraints if { container := {"resources": {"requests": {"cpu": "1", "memory": "1"}, "limits": {"cpu": "1", "memory": "1"}}} container_resources_provided(container) diff --git a/examples/container-warn-no-ro-fs/src.rego b/examples/container-warn-no-ro-fs/src.rego index 3f02077a..9b4bad54 100644 --- a/examples/container-warn-no-ro-fs/src.rego +++ b/examples/container-warn-no-ro-fs/src.rego @@ -20,10 +20,11 @@ package container_warn_no_ro_fs import data.lib.core import data.lib.pods +import rego.v1 policyID := "P2003" -warn[msg] { +warn[msg] if { some container pods.containers[container] no_read_only_filesystem(container) @@ -34,11 +35,11 @@ warn[msg] { ) } -no_read_only_filesystem(container) { +no_read_only_filesystem(container) if { core.has_field(container.securityContext, "readOnlyRootFilesystem") not container.securityContext.readOnlyRootFilesystem } -no_read_only_filesystem(container) { +no_read_only_filesystem(container) if { core.missing_field(container.securityContext, "readOnlyRootFilesystem") } diff --git a/examples/container-warn-no-ro-fs/src_test.rego b/examples/container-warn-no-ro-fs/src_test.rego index 779a1228..4fe042f3 100644 --- a/examples/container-warn-no-ro-fs/src_test.rego 
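Review bot: Neither `no_read_only_filesystem` rule in `examples/container-warn-no-ro-fs/src.rego` fires for a container that has no `securityContext` at all: both rewritten heads pass `container.securityContext` to `core.has_field`/`core.missing_field`, and in Rego an undefined reference makes the whole call expression undefined, so the body fails and no warning is produced for exactly the container shape most likely to lack the setting. The sibling policy `container-deny-escalation` in this same patch covers that shape with an additional rule on the container itself; the equivalent here is `no_read_only_filesystem(container) if { core.missing_field(container, "securityContext") }`. This assumes `core.missing_field` has no special handling for an undefined first argument, which is not visible from the hunk.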
+++ b/examples/container-warn-no-ro-fs/src_test.rego @@ -1,9 +1,11 @@ package container_warn_no_ro_fs -test_rofs_true { +import rego.v1 + +test_rofs_true if { not no_read_only_filesystem({"securityContext": {"readOnlyRootFilesystem": true}}) } -test_rofs_false { +test_rofs_false if { no_read_only_filesystem({"securityContext": {"readOnlyRootFilesystem": false}}) } diff --git a/examples/pod-deny-host-alias/src.rego b/examples/pod-deny-host-alias/src.rego index a9a7f6b4..4969b045 100644 --- a/examples/pod-deny-host-alias/src.rego +++ b/examples/pod-deny-host-alias/src.rego @@ -22,15 +22,16 @@ import data.lib.core.format_with_id import data.lib.core.kind import data.lib.core.name import data.lib.pods +import rego.v1 policyID := "P1004" -violation[msg] { +violation[msg] if { pod_host_alias msg := format_with_id(sprintf("%s/%s: Pod has hostAliases defined", [kind, name]), policyID) } -pod_host_alias { +pod_host_alias if { pods.pod.spec.hostAliases } diff --git a/examples/pod-deny-host-alias/src_test.rego b/examples/pod-deny-host-alias/src_test.rego index 86e3ac98..56ac8cb2 100644 --- a/examples/pod-deny-host-alias/src_test.rego +++ b/examples/pod-deny-host-alias/src_test.rego @@ -1,10 +1,12 @@ package pod_deny_host_alias -test_input_with_alias_missing { +import rego.v1 + +test_input_with_alias_missing if { not pod_host_alias with input as {"kind": "Pod"} } -test_input_with_alias { +test_input_with_alias if { pod_host_alias with input as { "kind": "Pod", "spec": {"hostAliases": [{"ip": "127.0.0.1", "hostnames": ["foo.local"]}]}, diff --git a/examples/pod-deny-host-ipc/src.rego b/examples/pod-deny-host-ipc/src.rego index d5ec740a..bc7a0c28 100644 --- a/examples/pod-deny-host-ipc/src.rego +++ b/examples/pod-deny-host-ipc/src.rego 
@@ -20,15 +20,16 @@ package pod_deny_host_ipc import data.lib.core import data.lib.pods +import rego.v1 policyID := "P1005" -violation[msg] { +violation[msg] if { pod_has_hostipc msg := core.format_with_id(sprintf("%s/%s: Pod allows for accessing the host IPC", [core.kind, core.name]), policyID) } -pod_has_hostipc { +pod_has_hostipc if { pods.pod.spec.hostIPC } diff --git a/examples/pod-deny-host-ipc/src_test.rego b/examples/pod-deny-host-ipc/src_test.rego index f7a3b4ae..5870ccd5 100644 --- a/examples/pod-deny-host-ipc/src_test.rego +++ b/examples/pod-deny-host-ipc/src_test.rego @@ -1,6 +1,8 @@ package pod_deny_host_ipc -test_hostipc_false { +import rego.v1 + +test_hostipc_false if { not pod_has_hostipc with input as { "kind": "Pod", "metadata": {"name": "test-pod"}, @@ -8,7 +10,7 @@ test_hostipc_false { } } -test_hostipc_true { +test_hostipc_true if { pod_has_hostipc with input as { "kind": "Pod", "metadata": {"name": "test-pod"}, diff --git a/examples/pod-deny-host-network/src.rego b/examples/pod-deny-host-network/src.rego index fb234c74..c002c3d2 100644 --- a/examples/pod-deny-host-network/src.rego +++ b/examples/pod-deny-host-network/src.rego @@ -20,10 +20,11 @@ package pod_deny_host_network import data.lib.core import data.lib.pods +import rego.v1 policyID := "P1006" -violation[msg] { +violation[msg] if { pod_has_hostnetwork msg := core.format_with_id( @@ -32,6 +33,6 @@ violation[msg] { ) } -pod_has_hostnetwork { +pod_has_hostnetwork if { pods.pod.spec.hostNetwork } diff --git a/examples/pod-deny-host-network/src_test.rego b/examples/pod-deny-host-network/src_test.rego index 3686bfd8..d5d990a4 100644 --- a/examples/pod-deny-host-network/src_test.rego +++ b/examples/pod-deny-host-network/src_test.rego @@ -1,6 +1,8 @@ package pod_deny_host_network -test_hostnetwork_false { +import rego.v1 + +test_hostnetwork_false if { not pod_has_hostnetwork with input as { "kind": "Pod", "metadata": {"name": "test-pod"}, 
@@ -8,7 +10,7 @@ test_hostnetwork_false { } } -test_hostnetwork_true { +test_hostnetwork_true if { pod_has_hostnetwork with input as { "kind": "Pod", "metadata": {"name": "test-pod"}, diff --git a/examples/pod-deny-host-pid/src.rego b/examples/pod-deny-host-pid/src.rego index 1865eefc..f78ce547 100644 --- a/examples/pod-deny-host-pid/src.rego +++ b/examples/pod-deny-host-pid/src.rego @@ -21,10 +21,11 @@ package pod_deny_host_pid import data.lib.core import data.lib.pods +import rego.v1 policyID := "P1007" -violation[msg] { +violation[msg] if { pod_has_hostpid msg := core.format_with_id( @@ -33,6 +34,6 @@ violation[msg] { ) } -pod_has_hostpid { +pod_has_hostpid if { pods.pod.spec.hostPID } diff --git a/examples/pod-deny-host-pid/src_test.rego b/examples/pod-deny-host-pid/src_test.rego index da80983b..17e87af2 100644 --- a/examples/pod-deny-host-pid/src_test.rego +++ b/examples/pod-deny-host-pid/src_test.rego @@ -1,6 +1,8 @@ package pod_deny_host_pid -test_hostpid_false { +import rego.v1 + +test_hostpid_false if { not pod_has_hostpid with input as { "kind": "Pod", "metadata": {"name": "test-pod"}, @@ -8,7 +10,7 @@ test_hostpid_false { } } -test_hostpid_true { +test_hostpid_true if { pod_has_hostpid with input as { "kind": "Pod", "metadata": {"name": "test-pod"}, diff --git a/examples/pod-deny-without-runasnonroot/src.rego b/examples/pod-deny-without-runasnonroot/src.rego index 66d1f9a9..8ea95833 100644 --- a/examples/pod-deny-without-runasnonroot/src.rego +++ b/examples/pod-deny-without-runasnonroot/src.rego @@ -20,16 +20,17 @@ package pod_deny_without_runasnonroot import data.lib.core import data.lib.pods +import rego.v1 policyID := "P1008" -violation[msg] { +violation[msg] if { pods.pod not pod_runasnonroot msg := core.format_with_id(sprintf("%s/%s: Pod allows running as root", [core.kind, core.name]), policyID) } -pod_runasnonroot { +pod_runasnonroot if { pods.pod.spec.securityContext.runAsNonRoot } 
diff --git a/examples/pod-deny-without-runasnonroot/src_test.rego b/examples/pod-deny-without-runasnonroot/src_test.rego index 041c33d6..89d561fc 100644 --- a/examples/pod-deny-without-runasnonroot/src_test.rego +++ b/examples/pod-deny-without-runasnonroot/src_test.rego @@ -1,6 +1,8 @@ package pod_deny_without_runasnonroot -test_runasnonroot_true { +import rego.v1 + +test_runasnonroot_true if { pod_runasnonroot with input as { "kind": "Pod", "metadata": {"name": "test-pod"}, @@ -8,14 +10,14 @@ test_runasnonroot_true { } } -test_runasnonroot_null { +test_runasnonroot_null if { not pod_runasnonroot with input as { "kind": "Pod", "metadata": {"name": "test-pod"}, } } -test_runasnonroot_false { +test_runasnonroot_false if { not pod_runasnonroot with input as { "kind": "Pod", "metadata": {"name": "test-pod"}, diff --git a/examples/psp-deny-added-caps/src.rego b/examples/psp-deny-added-caps/src.rego index 4b217034..6fa35e59 100644 --- a/examples/psp-deny-added-caps/src.rego +++ b/examples/psp-deny-added-caps/src.rego @@ -16,10 +16,11 @@ package psp_deny_added_caps import data.lib.core import data.lib.psps import data.lib.security +import rego.v1 policyID := "P1009" -violation[msg] { +violation[msg] if { not psp_dropped_all_capabilities msg := core.format_with_id( @@ -28,7 +29,7 @@ violation[msg] { ) } -psp_dropped_all_capabilities { +psp_dropped_all_capabilities if { some psp psps.psps[psp] security.dropped_capability(psp, "all") diff --git a/examples/psp-deny-added-caps/src_test.rego b/examples/psp-deny-added-caps/src_test.rego index 79dac57a..c6ef560c 100644 --- a/examples/psp-deny-added-caps/src_test.rego +++ b/examples/psp-deny-added-caps/src_test.rego @@ -1,6 +1,8 @@ package psp_deny_added_caps -test_dropped_all { +import rego.v1 + +test_dropped_all if { psp_dropped_all_capabilities with input as { "kind": "PodSecurityPolicy", "metadata": {"name": "test-psp"}, 
@@ -8,7 +10,7 @@ test_dropped_all { } } -test_case_insensitivty { +test_case_insensitivty if { psp_dropped_all_capabilities with input as { "kind": "PodSecurityPolicy", "metadata": {"name": "test-psp"}, @@ -16,7 +18,7 @@ test_case_insensitivty { } } -test_null { +test_null if { not psp_dropped_all_capabilities with input as { "kind": "PodSecurityPolicy", "metadata": {"name": "test-psp"}, @@ -24,7 +26,7 @@ test_null { } } -test_dropped_none { +test_dropped_none if { not psp_dropped_all_capabilities with input as { "kind": "PodSecurityPolicy", "metadata": {"name": "test-psp"}, diff --git a/examples/psp-deny-escalation/src.rego b/examples/psp-deny-escalation/src.rego index 754f2c57..a1ac6260 100644 --- a/examples/psp-deny-escalation/src.rego +++ b/examples/psp-deny-escalation/src.rego @@ -14,10 +14,11 @@ package psp_deny_escalation import data.lib.core import data.lib.psps +import rego.v1 policyID := "P1010" -violation[msg] { +violation[msg] if { some psp psps.psps[psp] allows_escalation(psp) @@ -25,10 +26,10 @@ violation[msg] { msg := core.format_with_id(sprintf("%s/%s: Allows privilege escalation", [core.kind, core.name]), policyID) } -allows_escalation(p) { +allows_escalation(p) if { p.spec.allowPrivilegeEscalation == true } -allows_escalation(p) { +allows_escalation(p) if { core.missing_field(p.spec, "allowPrivilegeEscalation") } diff --git a/examples/psp-deny-escalation/src_test.rego b/examples/psp-deny-escalation/src_test.rego index 8b506b6c..473f7018 100644 --- a/examples/psp-deny-escalation/src_test.rego +++ b/examples/psp-deny-escalation/src_test.rego @@ -1,6 +1,8 @@ package psp_deny_escalation -test_allowescalation_false { +import rego.v1 + +test_allowescalation_false if { not allows_escalation({ "kind": "PodSecurityPolicy", "metadata": {"name": "test-psp"}, @@ -8,7 +10,7 @@ test_allowescalation_false { }) } -test_null { +test_null if { allows_escalation({ "kind": "PodSecurityPolicy", "metadata": {"name": "test-psp"}, 
@@ -16,7 +18,7 @@ test_null { }) } -test_allowescalation_true { +test_allowescalation_true if { allows_escalation({ "kind": "PodSecurityPolicy", "metadata": {"name": "test-psp"}, diff --git a/examples/psp-deny-host-alias/src.rego b/examples/psp-deny-host-alias/src.rego index 64db925f..2ae5416c 100644 --- a/examples/psp-deny-host-alias/src.rego +++ b/examples/psp-deny-host-alias/src.rego @@ -14,15 +14,16 @@ package psp_deny_host_alias import data.lib.core import data.lib.psps +import rego.v1 policyID := "P1011" -violation[msg] { +violation[msg] if { psp_allows_hostaliases msg := core.format_with_id(sprintf("%s/%s: Allows for managing host aliases", [core.kind, core.name]), policyID) } -psp_allows_hostaliases { +psp_allows_hostaliases if { psps.psps[_].spec.hostAliases } diff --git a/examples/psp-deny-host-alias/src_test.rego b/examples/psp-deny-host-alias/src_test.rego index 1f375fe8..d8ad10a7 100644 --- a/examples/psp-deny-host-alias/src_test.rego +++ b/examples/psp-deny-host-alias/src_test.rego @@ -1,6 +1,8 @@ package psp_deny_host_alias -test_hostaliases_false { +import rego.v1 + +test_hostaliases_false if { not psp_allows_hostaliases with input as { "kind": "PodSecurityPolicy", "metadata": {"name": "test-psp"}, @@ -8,7 +10,7 @@ test_hostaliases_false { } } -test_hostaliases_true { +test_hostaliases_true if { psp_allows_hostaliases with input as { "kind": "PodSecurityPolicy", "metadata": {"name": "test-psp"}, diff --git a/examples/psp-deny-host-ipc/src.rego b/examples/psp-deny-host-ipc/src.rego index 5d793837..d75dead9 100644 --- a/examples/psp-deny-host-ipc/src.rego +++ b/examples/psp-deny-host-ipc/src.rego @@ -14,10 +14,11 @@ package psp_deny_host_ipc import data.lib.core import data.lib.psps +import rego.v1 policyID := "P1012" -violation[msg] { +violation[msg] if { psp_allows_hostipc msg := core.format_with_id( @@ -26,6 +27,6 @@ violation[msg] { ) } -psp_allows_hostipc { +psp_allows_hostipc if { psps.psps[_].spec.hostIPC } 
diff --git a/examples/psp-deny-host-ipc/src_test.rego b/examples/psp-deny-host-ipc/src_test.rego index bdfb9599..09642ed8 100644 --- a/examples/psp-deny-host-ipc/src_test.rego +++ b/examples/psp-deny-host-ipc/src_test.rego @@ -1,6 +1,8 @@ package psp_deny_host_ipc -test_hostipc_false { +import rego.v1 + +test_hostipc_false if { not psp_allows_hostipc with input as { "kind": "PodSecurityPolicy", "metadata": {"name": "test-psp"}, @@ -8,7 +10,7 @@ test_hostipc_false { } } -test_hostipc_true { +test_hostipc_true if { psp_allows_hostipc with input as { "kind": "PodSecurityPolicy", "metadata": {"name": "test-psp"}, diff --git a/examples/psp-deny-host-network/src.rego b/examples/psp-deny-host-network/src.rego index ab5df1d5..fe09135a 100644 --- a/examples/psp-deny-host-network/src.rego +++ b/examples/psp-deny-host-network/src.rego @@ -15,15 +15,16 @@ package psp_deny_host_network import data.lib.core import data.lib.psps +import rego.v1 policyID := "P1013" -violation[msg] { +violation[msg] if { psp_allows_hostnetwork msg := core.format_with_id(sprintf("%s/%s: Allows for accessing the host network", [core.kind, core.name]), policyID) } -psp_allows_hostnetwork { +psp_allows_hostnetwork if { psps.psps[_].spec.hostNetwork } diff --git a/examples/psp-deny-host-network/src_test.rego b/examples/psp-deny-host-network/src_test.rego index 9cb0da0c..b59c523a 100644 --- a/examples/psp-deny-host-network/src_test.rego +++ b/examples/psp-deny-host-network/src_test.rego @@ -1,6 +1,8 @@ package psp_deny_host_network -test_hostnetwork_false { +import rego.v1 + +test_hostnetwork_false if { not psp_allows_hostnetwork with input as { "kind": "PodSecurityPolicy", "metadata": {"name": "test-psp"}, @@ -8,7 +10,7 @@ test_hostnetwork_false { } } -test_hostnetwork_true { +test_hostnetwork_true if { psp_allows_hostnetwork with input as { "kind": "PodSecurityPolicy", "metadata": {"name": "test-psp"}, 
diff --git a/examples/psp-deny-host-pid/src.rego b/examples/psp-deny-host-pid/src.rego index 5a6af04d..1b37cbef 100644 --- a/examples/psp-deny-host-pid/src.rego +++ b/examples/psp-deny-host-pid/src.rego @@ -15,10 +15,11 @@ package psp_deny_host_pid import data.lib.core import data.lib.psps +import rego.v1 policyID := "P1014" -violation[msg] { +violation[msg] if { psp_allows_hostpid msg = core.format_with_id( @@ -27,6 +28,6 @@ violation[msg] { ) } -psp_allows_hostpid { +psp_allows_hostpid if { psps.psps[_].spec.hostPID } diff --git a/examples/psp-deny-host-pid/src_test.rego b/examples/psp-deny-host-pid/src_test.rego index 1b07e2a0..ec328b48 100644 --- a/examples/psp-deny-host-pid/src_test.rego +++ b/examples/psp-deny-host-pid/src_test.rego @@ -1,6 +1,8 @@ package psp_deny_host_pid -test_hostpid_false { +import rego.v1 + +test_hostpid_false if { not psp_allows_hostpid with input as { "kind": "PodSecurityPolicy", "metadata": {"name": "test-psp"}, @@ -8,7 +10,7 @@ test_hostpid_false { } } -test_hostpid_true { +test_hostpid_true if { psp_allows_hostpid with input as { "kind": "PodSecurityPolicy", "metadata": {"name": "test-psp"}, diff --git a/examples/psp-deny-privileged/src.rego b/examples/psp-deny-privileged/src.rego index dec6fc15..9ec8f8e8 100644 --- a/examples/psp-deny-privileged/src.rego +++ b/examples/psp-deny-privileged/src.rego @@ -14,15 +14,16 @@ package psp_deny_privileged import data.lib.core import data.lib.psps +import rego.v1 policyID := "P1015" -violation[msg] { +violation[msg] if { psp_allows_privileged msg := core.format_with_id(sprintf("%s/%s: Allows for privileged workloads", [core.kind, core.name]), policyID) } -psp_allows_privileged { +psp_allows_privileged if { psps.psps[_].spec.privileged } diff --git a/examples/psp-deny-privileged/src_test.rego b/examples/psp-deny-privileged/src_test.rego index a855f359..0d75fb82 100644 --- a/examples/psp-deny-privileged/src_test.rego +++ b/examples/psp-deny-privileged/src_test.rego 
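Review bot: The context line `msg = core.format_with_id(` in the `violation[msg]` rule of `examples/psp-deny-host-pid/src.rego` uses unification where every other policy in this patch assigns with `:=`, and with `import rego.v1` now added the regal lint the workflow runs is likely to flag it; it should read `msg := core.format_with_id(`. The body of `violation[msg]` continues outside the hunk, so the closing of that call is not visible here.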
@@ -1,6 +1,8 @@
 package psp_deny_privileged
 
-test_privileged_false {
+import rego.v1
+
+test_privileged_false if {
 not psp_allows_privileged with input as {
 "kind": "PodSecurityPolicy",
 "metadata": {"name": "test-psp"},
@@ -8,7 +10,7 @@ test_privileged_false {
 }
 }
 
-test_privileged_true {
+test_privileged_true if {
 psp_allows_privileged with input as {
 "kind": "PodSecurityPolicy",
 "metadata": {"name": "test-psp"},
diff --git a/examples/psp-warn-no-ro-fs/src.rego b/examples/psp-warn-no-ro-fs/src.rego
index 172990e4..33340740 100644
--- a/examples/psp-warn-no-ro-fs/src.rego
+++ b/examples/psp-warn-no-ro-fs/src.rego
@@ -14,10 +14,11 @@ package psp_warn_no_ro_fs
 
 import data.lib.core
 import data.lib.psps
+import rego.v1
 
 policyID := "P2004"
 
-warn[msg] {
+warn[msg] if {
 some psp
 psps.psps[psp]
 no_read_only_filesystem(psp)
@@ -25,10 +26,10 @@ warn[msg] {
 msg := core.format_with_id(sprintf("%s/%s: Allows for a writeable root filesystem", [core.kind, core.name]), policyID)
 }
 
-no_read_only_filesystem(psp) {
+no_read_only_filesystem(psp) if {
 core.missing_field(psp.spec, "readOnlyRootFilesystem")
 }
 
-no_read_only_filesystem(psp) {
+no_read_only_filesystem(psp) if {
 not psp.spec.readOnlyRootFilesystem
 }
diff --git a/examples/psp-warn-no-ro-fs/src_test.rego b/examples/psp-warn-no-ro-fs/src_test.rego
index 7027d0eb..941526fb 100644
--- a/examples/psp-warn-no-ro-fs/src_test.rego
+++ b/examples/psp-warn-no-ro-fs/src_test.rego
@@ -1,6 +1,8 @@
 package psp_warn_no_ro_fs
 
-test_rofs_true {
+import rego.v1
+
+test_rofs_true if {
 not no_read_only_filesystem({
 "kind": "PodSecurityPolicy",
 "metadata": {"name": "test-psp"},
@@ -8,7 +10,7 @@ test_rofs_true {
 })
 }
 
-test_null {
+test_null if {
 no_read_only_filesystem({
 "kind": "PodSecurityPolicy",
 "metadata": {"name": "test-psp"},
@@ -16,7 +18,7 @@ test_null {
 })
 }
 
-test_rofs_false {
+test_rofs_false if {
 no_read_only_filesystem({
 "kind": "PodSecurityPolicy",
 "metadata": {"name": "test-psp"},
diff --git a/examples/required-labels/src.rego b/examples/required-labels/src.rego
index ca994252..b00f3197 100644
--- a/examples/required-labels/src.rego
+++ b/examples/required-labels/src.rego
@@ -13,17 +13,18 @@ package required_labels
 
 
 import data.lib.core
+import rego.v1
 
 policyID := "P0002"
 
-violation[msg] {
+violation[msg] if {
 missing := missing_labels
 count(missing) > 0
 
 msg := core.format_with_id(sprintf("%s/%s: Missing required labels: %v", [core.kind, core.name, missing]), policyID)
 }
 
-missing_labels := missing {
+missing_labels := missing if {
 provided := {label | core.labels[label]}
 required := {label | label := input.parameters.labels[_]}
 missing := required - provided
diff --git a/examples/required-labels/src_test.rego b/examples/required-labels/src_test.rego
index 6868b119..02e31e5c 100644
--- a/examples/required-labels/src_test.rego
+++ b/examples/required-labels/src_test.rego
@@ -1,18 +1,20 @@
 package required_labels
 
-test_not_missing {
- in := {"metadata": {"labels": {"test": "test"}}}
+import rego.v1
 
- missing := missing_labels with input as in
+test_not_missing if {
+ inp := {"metadata": {"labels": {"test": "test"}}}
+
+ missing := missing_labels with input as inp
 count(missing) == 0
 }
 
-test_missing_gk {
- in := {
+test_missing_gk if {
+ inp := {
 "review": {"object": {"metadata": {"labels": {"test": "test"}}}},
 "parameters": {"labels": ["one", "two"]},
 }
 
- missing := missing_labels with input as in
+ missing := missing_labels with input as inp
 count(missing) == 2
 }
diff --git a/examples/role-deny-use-privileged-psp/src.rego b/examples/role-deny-use-privileged-psp/src.rego
index 05e52301..d9da45fc 100644
--- a/examples/role-deny-use-privileged-psp/src.rego
+++ b/examples/role-deny-use-privileged-psp/src.rego
@@ -14,10 +14,11 @@ package role_deny_use_privileged_psps
 import data.lib.core
 import data.lib.rbac
 import data.lib.security
+import rego.v1
 
 policyID := "P2005"
 
-violation[msg] {
+violation[msg] if {
 role_uses_privileged_psp
 
 msg := core.format_with_id(
@@ -26,22 +27,22 @@ violation[msg] {
 )
 }
 
-role_uses_privileged_psp {
+role_uses_privileged_psp if {
 rule := core.resource.rules[_]
 rbac.rule_has_resource_type(rule, "podsecuritypolicies")
 rbac.rule_has_verb(rule, "use")
 rbac.rule_has_resource_name(rule, privileged_psps[_].metadata.name)
 }
 
-privileged_psps[psp] {
+privileged_psps[psp] if {
 psp := data.inventory.cluster["policy/v1beta1"].PodSecurityPolicy[_]
 psp_is_privileged(psp)
 }
 
-psp_is_privileged(psp) {
+psp_is_privileged(psp) if {
 psp.spec.privileged
 }
 
-psp_is_privileged(psp) {
+psp_is_privileged(psp) if {
 security.added_capability(psp, "SYS_ADMIN")
 }
diff --git a/examples/role-deny-use-privileged-psp/src_test.rego b/examples/role-deny-use-privileged-psp/src_test.rego
index f8a921a2..b1fbb5bf 100644
--- a/examples/role-deny-use-privileged-psp/src_test.rego
+++ b/examples/role-deny-use-privileged-psp/src_test.rego
@@ -1,6 +1,8 @@
 package role_deny_use_privileged_psps
 
-test_role_uses_privileged_psp_match {
+import rego.v1
+
+test_role_uses_privileged_psp_match if {
 role_uses_privileged_psp with input as {"rules": [{
 "resourceNames": ["test"],
 "resources": ["podsecuritypolicies"],
@@ -8,7 +10,7 @@ test_role_uses_privileged_psp_match {
 }]}
 }
 
-test_role_uses_privileged_psp_wildcard_verb {
+test_role_uses_privileged_psp_wildcard_verb if {
 role_uses_privileged_psp with input as {"rules": [{
 "resourceNames": ["test"],
 "resources": ["podsecuritypolicies"],
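Review bot: `privileged_psps[psp] if {` is consumed a few lines above by `rbac.rule_has_resource_name(rule, privileged_psps[_].metadata.name)`, which iterates `privileged_psps` as a set of PSP objects; if, as I understand rego.v1 to parse it, an `if` head without `contains` now defines an object keyed by `psp` with value `true`, then `privileged_psps[_]` yields `true`, `.metadata.name` is undefined, and `role_uses_privileged_psp` can never hold, so the policy silently stops reporting. `privileged_psps contains psp if {` keeps the set semantics the rest of the rule relies on. The tests in the next hunk drive `role_uses_privileged_psp` only through `input`, so unless an inventory fixture is supplied elsewhere they would not expose this.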
@@ -16,14 +18,14 @@ test_role_uses_privileged_psp_wildcard_verb {
 }]}
 }
 
-test_role_uses_privileged_psp_no_resource_names {
+test_role_uses_privileged_psp_no_resource_names if {
 role_uses_privileged_psp with input as {"rules": [{
 "resources": ["podsecuritypolicies"],
 "verbs": ["use"],
 }]}
 }
 
-test_role_uses_privileged_psp_wrong_name {
+test_role_uses_privileged_psp_wrong_name if {
 not role_uses_privileged_psp with input as {"rules": [{
 "resourceNames": ["wrong"],
 "resources": ["podsecuritypolicies"],
@@ -31,7 +33,7 @@ test_role_uses_privileged_psp_wrong_name {
 }]}
 }
 
-test_role_uses_privileged_psp_wrong_resource_type {
+test_role_uses_privileged_psp_wrong_resource_type if {
 not role_uses_privileged_psp with input as {"rules": [{
 "resourceNames": ["test"],
 "resources": ["wrong"],
@@ -39,7 +41,7 @@ test_role_uses_privileged_psp_wrong_resource_type {
 }]}
 }
 
-test_role_uses_privileged_psp_wrong_verb {
+test_role_uses_privileged_psp_wrong_verb if {
 not role_uses_privileged_psp with input as {"rules": [{
 "resourceNames": ["test"],
 "resources": ["podsecuritypolicies"],