fix: cis checks validate api-server args
Signed-off-by: chenk <[email protected]>
chen-keinan committed Apr 14, 2024
1 parent bbb1941 commit 16c0a9a
Showing 85 changed files with 1,385 additions and 284 deletions.
20 changes: 13 additions & 7 deletions checks/kubernetes/cisbenchmarks/apiserver/always_admit_plugin.rego
Expand Up @@ -19,16 +19,22 @@ package builtin.kubernetes.KCV0011

import data.lib.kubernetes

check_flag[container] {
container := kubernetes.containers[_]
kubernetes.is_apiserver(container)
some i
output := regex.find_all_string_submatch_n(`--enable-admission-plugins=([^\s]+)`, container.command[i], -1)
check_flag(container) {
cmd := kubernetes.containers[_].command[_]
output := regex.find_all_string_submatch_n(`--enable-admission-plugins=([^\s]+)`, cmd, -1)
regex.match("AlwaysAdmit", output[0][1])
}

check_flag(container) {
arg := kubernetes.containers[_].args[_]
output := regex.find_all_string_submatch_n(`--enable-admission-plugins=([^\s]+)`, arg, -1)
regex.match("AlwaysAdmit", output[0][1])
}

deny[res] {
output := check_flag[_]
container := kubernetes.containers[_]
kubernetes.is_apiserver(container)
check_flag(container)
msg := "Ensure that the admission control plugin AlwaysAdmit is not set"
res := result.new(msg, output)
res := result.new(msg, container)
}
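Review bot: Both new `check_flag(container)` bodies (the `cmd` one and the `args` one) never use their `container` argument and instead range over `kubernetes.containers[_]`, so a match in any container of the pod is attributed to the apiserver container that `deny` is evaluating; a sidecar launched with `--enable-admission-plugins=AlwaysAdmit` would flag the apiserver, and the `is_apiserver` filter in `deny` does not prevent that. The bodies should read `cmd := container.command[_]` and `arg := container.args[_]`. The same unused-argument pattern is in anonymous_auth.rego, where the effect is inverted: any container in the pod carrying `--anonymous-auth=false` satisfies the check on behalf of the apiserver container. The audit_log_* checks in this commit already index `container.command`/`container.args` and are the pattern to follow.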
Expand Up @@ -64,6 +64,28 @@ test_always_admit_plugin_is_not_enabled {
count(r) == 0
}

test_always_admit_plugin_is_not_enabled_args {
r := deny with input as {
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "apiserver",
"labels": {
"component": "kube-apiserver",
"tier": "control-plane",
},
},
"spec": {"containers": [{
"command": ["kube-apiserver"],
"args": ["--enable-admission-plugins=NamespaceLifecycle,ServiceAccount"],
"image": "busybox",
"name": "hello",
}]},
}

count(r) == 0
}

test_always_admit_plugin_is_enabled_with_others {
r := deny with input as {
"apiVersion": "v1",
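Review bot: The new args test only covers the passing case (`NamespaceLifecycle,ServiceAccount`, count 0); there is no test asserting that `deny` fires when `AlwaysAdmit` is supplied through `args`, which is the behaviour the commit adds, and a passing-only test cannot distinguish "args are inspected" from "args are ignored". anonymous_auth_test.rego has the same gap: its args cases both expect count 0. A test along the lines below (values mirror the existing fixtures; constructed) would pin the new path.
```rego
test_always_admit_plugin_is_enabled_args {
	r := deny with input as {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {
			"name": "apiserver",
			"labels": {
				"component": "kube-apiserver",
				"tier": "control-plane",
			},
		},
		"spec": {"containers": [{
			"command": ["kube-apiserver"],
			"args": ["--enable-admission-plugins=AlwaysAdmit,NamespaceLifecycle"],
			"image": "busybox",
			"name": "hello",
		}]},
	}

	count(r) == 1
	r[_].msg == "Ensure that the admission control plugin AlwaysAdmit is not set"
}
```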
20 changes: 12 additions & 8 deletions checks/kubernetes/cisbenchmarks/apiserver/anonymous_auth.rego
Expand Up @@ -19,16 +19,20 @@ package builtin.kubernetes.KCV0001

import data.lib.kubernetes

check_flag[container] {
container := kubernetes.containers[_]
kubernetes.is_apiserver(container)
some i
flag := container.command[i]
not kubernetes.command_has_flag(container.command, "--anonymous-auth=false")
check_flag(container) {
arg := kubernetes.containers[_].args[_]
contains(arg, "--anonymous-auth=false")
}

check_flag(container) {
cmd := kubernetes.containers[_].command[_]
contains(cmd, "--anonymous-auth=false")
}

deny[res] {
output := check_flag[_]
container := kubernetes.containers[_]
kubernetes.is_apiserver(container)
not check_flag(container)
msg := "Ensure that the --anonymous-auth argument is set to false"
res := result.new(msg, output)
res := result.new(msg, container)
}
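Review bot: The new bodies test the flag with the plain substring builtin `contains(arg, "--anonymous-auth=false")`, whereas the line this replaces and every sibling apiserver check in this commit go through `kubernetes.command_has_flag`; keeping the helper here (`kubernetes.command_has_flag(container.args, "--anonymous-auth=false")` and the same for `container.command`) keeps the notion of "has flag" in one place. As written, `contains` also accepts the value embedded in a longer, unrelated token; whether the helper behaves differently cannot be seen from this diff, since its definition is not included.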
44 changes: 44 additions & 0 deletions checks/kubernetes/cisbenchmarks/apiserver/anonymous_auth_test.rego
Expand Up @@ -64,3 +64,47 @@ test_anonymous_requests_false {

count(r) == 0
}

test_anonymous_requests_args_false {
r := deny with input as {
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "apiserver",
"labels": {
"component": "kube-apiserver",
"tier": "control-plane",
},
},
"spec": {"containers": [{
"command": ["kube-apiserver", "--advertise-address=192.168.49.2"],
"args": ["--anonymous-auth=false"],
"image": "busybox",
"name": "hello",
}]},
}

count(r) == 0
}

test_anonymous_requests_args_no_apiserver {
r := deny with input as {
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "test",
"labels": {
"component": "kube-apiserver",
"tier": "control-plane",
},
},
"spec": {"containers": [{
"command": ["test", "--advertise-address=192.168.49.2"],
"args": ["--anonymous-auth=true"],
"image": "busybox",
"name": "hello",
}]},
}

count(r) == 0
}
16 changes: 10 additions & 6 deletions checks/kubernetes/cisbenchmarks/apiserver/audit_log_maxage.rego
Expand Up @@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0020

import data.lib.kubernetes

check_flag[container] {
container := kubernetes.containers[_]
kubernetes.is_apiserver(container)
not kubernetes.command_has_flag(container.command, "--audit-log-maxage")
check_flag(container) {
kubernetes.command_has_flag(container.command, "--audit-log-maxage")
}

check_flag(container) {
kubernetes.command_has_flag(container.args, "--audit-log-maxage")
}

deny[res] {
output := check_flag[_]
container := kubernetes.containers[_]
kubernetes.is_apiserver(container)
not check_flag(container)
msg := "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate"
res := result.new(msg, output)
res := result.new(msg, container)
}
Expand Up @@ -63,3 +63,25 @@ test_audit_log_maxage_is_not_set {
count(r) == 1
r[_].msg == "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate"
}

test_audit_log_maxage_is_set_10_args {
r := deny with input as {
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "apiserver",
"labels": {
"component": "kube-apiserver",
"tier": "control-plane",
},
},
"spec": {"containers": [{
"command": ["kube-apiserver"],
"args": ["--advertise-address=192.168.49.2", "--audit-log-maxage=30", "--secure-port=10"],
"image": "busybox",
"name": "hello",
}]},
}

count(r) == 0
}
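Review bot: `test_audit_log_maxage_is_set_10_args` passes `--audit-log-maxage=30`, so the `_10_` in the name does not describe the fixture; audit_log_maxbackup_test.rego has the same mismatch (`test_audit_log_maxbackup_is_set_10_args` with `--audit-log-maxbackup=30`). Either rename to `test_audit_log_maxage_is_set_30_args` or use `=10` in the args. As far as the policy in this diff shows, `check_flag` only tests for the presence of the flag via `command_has_flag`, not its value, so the test passes with either number.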
16 changes: 10 additions & 6 deletions checks/kubernetes/cisbenchmarks/apiserver/audit_log_maxbackup.rego
Expand Up @@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0021

import data.lib.kubernetes

check_flag[container] {
container := kubernetes.containers[_]
kubernetes.is_apiserver(container)
not kubernetes.command_has_flag(container.command, "--audit-log-maxbackup")
check_flag(container) {
kubernetes.command_has_flag(container.command, "--audit-log-maxbackup")
}

check_flag(container) {
kubernetes.command_has_flag(container.args, "--audit-log-maxbackup")
}

deny[res] {
output := check_flag[_]
container := kubernetes.containers[_]
kubernetes.is_apiserver(container)
not check_flag(container)
msg := "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate"
res := result.new(msg, output)
res := result.new(msg, container)
}
Expand Up @@ -63,3 +63,25 @@ test_audit_log_maxbackup_is_not_set {
count(r) == 1
r[_].msg == "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate"
}

test_audit_log_maxbackup_is_set_10_args {
r := deny with input as {
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "apiserver",
"labels": {
"component": "kube-apiserver",
"tier": "control-plane",
},
},
"spec": {"containers": [{
"command": ["kube-apiserver"],
"args": ["--advertise-address=192.168.49.2", "--audit-log-maxbackup=30", "--secure-port=10"],
"image": "busybox",
"name": "hello",
}]},
}

count(r) == 0
}
16 changes: 10 additions & 6 deletions checks/kubernetes/cisbenchmarks/apiserver/audit_log_maxsize.rego
Expand Up @@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0022

import data.lib.kubernetes

check_flag[container] {
container := kubernetes.containers[_]
kubernetes.is_apiserver(container)
not kubernetes.command_has_flag(container.command, "--audit-log-maxsize")
check_flag(container) {
kubernetes.command_has_flag(container.command, "--audit-log-maxsize")
}

check_flag(container) {
kubernetes.command_has_flag(container.args, "--audit-log-maxsize")
}

deny[res] {
output := check_flag[_]
container := kubernetes.containers[_]
kubernetes.is_apiserver(container)
not check_flag(container)
msg := "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate"
res := result.new(msg, output)
res := result.new(msg, container)
}
Expand Up @@ -42,6 +42,28 @@ test_audit_log_maxsize_is_set_10 {
count(r) == 0
}

test_audit_log_maxsize_is_set_10_args {
r := deny with input as {
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "apiserver",
"labels": {
"component": "kube-apiserver",
"tier": "control-plane",
},
},
"spec": {"containers": [{
"command": ["kube-apiserver"],
"args": ["--advertise-address=192.168.49.2", "--audit-log-maxsize=10", "--secure-port=10"],
"image": "busybox",
"name": "hello",
}]},
}

count(r) == 0
}

test_audit_log_maxsize_is_not_set {
r := deny with input as {
"apiVersion": "v1",
16 changes: 10 additions & 6 deletions checks/kubernetes/cisbenchmarks/apiserver/audit_log_path.rego
Expand Up @@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0019

import data.lib.kubernetes

check_flag[container] {
container := kubernetes.containers[_]
kubernetes.is_apiserver(container)
not kubernetes.command_has_flag(container.command, "--audit-log-path")
check_flag(container) {
kubernetes.command_has_flag(container.command, "--audit-log-path")
}

check_flag(container) {
kubernetes.command_has_flag(container.args, "--audit-log-path")
}

deny[res] {
output := check_flag[_]
container := kubernetes.containers[_]
kubernetes.is_apiserver(container)
not check_flag(container)
msg := "Ensure that the --audit-log-path argument is set"
res := result.new(msg, output)
res := result.new(msg, container)
}
22 changes: 22 additions & 0 deletions checks/kubernetes/cisbenchmarks/apiserver/audit_log_path_test.rego
Expand Up @@ -42,3 +42,25 @@ test_audit_log_path_is_not_set {
count(r) == 1
r[_].msg == "Ensure that the --audit-log-path argument is set"
}

test_audit_log_path_is_set_args {
r := deny with input as {
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "apiserver",
"labels": {
"component": "kube-apiserver",
"tier": "control-plane",
},
},
"spec": {"containers": [{
"command": ["kube-apiserver"],
"args": ["--advertise-address=192.168.49.2", "--audit-log-path=<path>", "--secure-port=0"],
"image": "busybox",
"name": "hello",
}]},
}

count(r) == 0
}
Expand Up @@ -19,16 +19,16 @@ package builtin.kubernetes.KCV0007

import data.lib.kubernetes

check_flag[container] {
container := kubernetes.containers[_]
kubernetes.is_apiserver(container)
check_flag(container) {
some i
output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, container.command[i], -1)
regex.match("AlwaysAllow", output[0][1])
}

deny[res] {
output := check_flag[_]
container := kubernetes.containers[_]
kubernetes.is_apiserver(container)
check_flag(container)
msg := "Ensure that the --authorization-mode argument is not set to AlwaysAllow"
res := result.new(msg, output)
res := result.new(msg, container)
}
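Review bot: The rewritten `check_flag(container)` in this file still inspects only `container.command[i]`; unlike every other apiserver check in this commit it gained no second body over `container.args`, so `--authorization-mode=AlwaysAllow` supplied through the container's `args` is not reported even though the commit's purpose is to validate args. Adding the args variant below brings it in line with the other files (the regex and match are the ones already used on the command side).
```rego
check_flag(container) {
	some i
	output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, container.args[i], -1)
	regex.match("AlwaysAllow", output[0][1])
}
```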
Expand Up @@ -19,21 +19,24 @@ package builtin.kubernetes.KCV0008

import data.lib.kubernetes

check_flag[container] {
container := kubernetes.containers[_]
kubernetes.is_apiserver(container)
not kubernetes.command_has_flag(container.command, "--authorization-mode")
check_flag(container) {
kubernetes.command_has_flag(container.command, "--authorization-mode")
some i
output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, container.command[i], -1)
regex.match("Node", output[0][1])
}

check_flag[container] {
container := kubernetes.containers[_]
check_flag(container) {
kubernetes.command_has_flag(container.args, "--authorization-mode")
some i
output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, container.command[i], -1)
not regex.match("Node", output[0][1])
output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, container.args[i], -1)
regex.match("Node", output[0][1])
}

deny[res] {
output := check_flag[_]
container := kubernetes.containers[_]
kubernetes.is_apiserver(container)
not check_flag(container)
msg := "Ensure that the --authorization-mode argument includes Node"
res := result.new(msg, output)
res := result.new(msg, container)
}
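Review bot: The `kubernetes.command_has_flag(container.command, "--authorization-mode")` line, and its `container.args` twin in the second body, are redundant: when no element carries the flag, `regex.find_all_string_submatch_n` returns an empty array and `output[0][1]` is undefined, so the body already fails. Dropping those two lines leaves the regex as the single test and makes both bodies match the shape used in authorization_mode_allow_all.rego in the same commit.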