fix: cis checks validate api-server args

Signed-off-by: chenk <[email protected]>
aquasecurity · Apr 14, 2024 · 68e8a4c · 68e8a4c
1 parent c454041
commit 68e8a4c
Show file tree

Hide file tree

Showing 13 changed files with 202 additions and 42 deletions.
diff --git a/checks/kubernetes/cisbenchmarks/controllermamager/bind_address.rego b/checks/kubernetes/cisbenchmarks/controllermamager/bind_address.rego
@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0039
 
 import data.lib.kubernetes
 
-checkFlag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_controllermanager(container)
-	not kubernetes.command_has_flag(container.command, "--bind-address=127.0.0.1")
+checkFlag(container) {
+	kubernetes.command_has_flag(container.command, "--bind-address=127.0.0.1")
+}
+
+checkFlag(container) {
+	kubernetes.command_has_flag(container.args, "--bind-address=127.0.0.1")
 }
 
 deny[res] {
-	output := checkFlag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_controllermanager(container)
+	not checkFlag(container)
 	msg := "Ensure that the --bind-address argument is set to 127.0.0.1"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }
diff --git a/checks/kubernetes/cisbenchmarks/controllermamager/bind_address_test.rego b/checks/kubernetes/cisbenchmarks/controllermamager/bind_address_test.rego
@@ -21,6 +21,28 @@ test_bind_address_is_set_to_localhost_ip {
 	count(r) == 0
 }
 
+test_bind_address_is_set_to_localhost_ip_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "controller-manager",
+			"labels": {
+				"component": "kube-controller-manager",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-controller-manager"],
+			"args": ["--bind-address=127.0.0.1"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
+
 test_bind_address_is_set_to_different_ip {
 	r := deny with input as {
 		"apiVersion": "v1",

diff --git a/checks/kubernetes/cisbenchmarks/controllermamager/profiling.rego b/checks/kubernetes/cisbenchmarks/controllermamager/profiling.rego
@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0034
 
 import data.lib.kubernetes
 
-checkFlag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_controllermanager(container)
-	not kubernetes.command_has_flag(container.command, "--profiling=false")
+checkFlag(container) {
+	kubernetes.command_has_flag(container.command, "--profiling=false")
+}
+
+checkFlag(container) {
+	kubernetes.command_has_flag(container.args, "--profiling=false")
 }
 
 deny[res] {
-	output := checkFlag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_controllermanager(container)
+	not checkFlag(container)
 	msg := "Ensure that the --profiling argument is set to false"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }
diff --git a/checks/kubernetes/cisbenchmarks/controllermamager/profiling_test.rego b/checks/kubernetes/cisbenchmarks/controllermamager/profiling_test.rego
@@ -21,6 +21,28 @@ test_profiling_is_set_to_false {
 	count(r) == 0
 }
 
+test_profiling_is_set_to_false_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "controller-manager",
+			"labels": {
+				"component": "kube-controller-manager",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-controller-manager"],
+			"args": ["--allocate-node-cidrs=true", "--profiling=false"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
+
 test_profiling_is_set_to_true {
 	r := deny with input as {
 		"apiVersion": "v1",

diff --git a/checks/kubernetes/cisbenchmarks/controllermamager/root_ca_file.rego b/checks/kubernetes/cisbenchmarks/controllermamager/root_ca_file.rego
@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0037
 
 import data.lib.kubernetes
 
-checkFlag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_controllermanager(container)
-	not kubernetes.command_has_flag(container.command, "--root-ca-file")
+checkFlag(container) {
+	kubernetes.command_has_flag(container.command, "--root-ca-file")
+}
+
+checkFlag(container) {
+	kubernetes.command_has_flag(container.args, "--root-ca-file")
 }
 
 deny[res] {
-	output := checkFlag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_controllermanager(container)
+	not checkFlag(container)
 	msg := "Ensure that the --root-ca-file argument is set as appropriate"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }
diff --git a/checks/kubernetes/cisbenchmarks/controllermamager/root_ca_file_test.rego b/checks/kubernetes/cisbenchmarks/controllermamager/root_ca_file_test.rego
@@ -42,3 +42,25 @@ test_root_ca_file_is_set {
 
 	count(r) == 0
 }
+
+test_root_ca_file_is_set_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "apiserver",
+			"labels": {
+				"component": "kube-controller-manager",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-controller-manager"],
+			"args": ["--allocate-node-cidrs=true", "--root-ca-file=<filename>"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
diff --git a/checks/kubernetes/cisbenchmarks/controllermamager/rotate_kubelet_server_certificate.rego b/checks/kubernetes/cisbenchmarks/controllermamager/rotate_kubelet_server_certificate.rego
@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0038
 
 import data.lib.kubernetes
 
-checkFlag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_controllermanager(container)
-	not kubernetes.command_has_flag(container.command, "RotateKubeletServerCertificate=true")
+checkFlag(container) {
+	kubernetes.command_has_flag(container.command, "RotateKubeletServerCertificate=true")
+}
+
+checkFlag(container) {
+	kubernetes.command_has_flag(container.args, "RotateKubeletServerCertificate=true")
 }
 
 deny[res] {
-	output := checkFlag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_controllermanager(container)
+	not checkFlag(container)
 	msg := "Ensure that the RotateKubeletServerCertificate argument is set to true"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }
diff --git a/...ks/kubernetes/cisbenchmarks/controllermamager/rotate_kubelet_server_certificate_test.rego b/...ks/kubernetes/cisbenchmarks/controllermamager/rotate_kubelet_server_certificate_test.rego
@@ -21,6 +21,28 @@ test_use_rotate_kubelet_server_certificate_is_set_to_true {
 	count(r) == 0
 }
 
+test_use_rotate_kubelet_server_certificate_is_set_to_true_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "controller-manager",
+			"labels": {
+				"component": "kube-controller-manager",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-controller-manager"],
+			"args": ["--feature-gates=RotateKubeletServerCertificate=true"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
+
 test_use_rotate_kubelet_server_certificate_is_set_to_false {
 	r := deny with input as {
 		"apiVersion": "v1",

diff --git a/checks/kubernetes/cisbenchmarks/controllermamager/service_account_private_key_file.rego b/checks/kubernetes/cisbenchmarks/controllermamager/service_account_private_key_file.rego
@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0036
 
 import data.lib.kubernetes
 
-checkFlag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_controllermanager(container)
-	not kubernetes.command_has_flag(container.command, "--service-account-private-key-file")
+checkFlag(container) {
+	kubernetes.command_has_flag(container.command, "--service-account-private-key-file")
+}
+
+checkFlag(container) {
+	kubernetes.command_has_flag(container.args, "--service-account-private-key-file")
 }
 
 deny[res] {
-	output := checkFlag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_controllermanager(container)
+	not checkFlag(container)
 	msg := "Ensure that the --service-account-private-key-file argument is set as appropriate"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }
diff --git a/checks/kubernetes/cisbenchmarks/controllermamager/terminated_pod_gc_threshold.rego b/checks/kubernetes/cisbenchmarks/controllermamager/terminated_pod_gc_threshold.rego
@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0033
 
 import data.lib.kubernetes
 
-checkFlag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_controllermanager(container)
-	not kubernetes.command_has_flag(container.command, "--terminated-pod-gc-threshold")
+checkFlag(container) {
+	kubernetes.command_has_flag(container.command, "--terminated-pod-gc-threshold")
+}
+
+checkFlag(container) {
+	kubernetes.command_has_flag(container.args, "--terminated-pod-gc-threshold")
 }
 
 deny[res] {
-	output := checkFlag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_controllermanager(container)
+	not checkFlag(container)
 	msg := "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }
diff --git a/checks/kubernetes/cisbenchmarks/controllermamager/terminated_pod_gc_threshold_test.rego b/checks/kubernetes/cisbenchmarks/controllermamager/terminated_pod_gc_threshold_test.rego
@@ -42,3 +42,25 @@ test_terminated_pod_gc_threshold_is_not_set {
 
 	count(r) == 0
 }
+
+test_terminated_pod_gc_threshold_is_not_set_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "apiserver",
+			"labels": {
+				"component": "kube-conrtoller-manager",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-controller-manager"],
+			"args": ["--allocate-node-cidrs=true", "--terminated-pod-gc-threshold=10"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
diff --git a/checks/kubernetes/cisbenchmarks/controllermamager/use_service_account_credentials.rego b/checks/kubernetes/cisbenchmarks/controllermamager/use_service_account_credentials.rego
@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0035
 
 import data.lib.kubernetes
 
-checkFlag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_controllermanager(container)
-	not kubernetes.command_has_flag(container.command, "--use-service-account-credentials=true")
+checkFlag(container) {
+	kubernetes.command_has_flag(container.command, "--use-service-account-credentials=true")
+}
+
+checkFlag(container) {
+	kubernetes.command_has_flag(container.args, "--use-service-account-credentials=true")
 }
 
 deny[res] {
-	output := checkFlag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_controllermanager(container)
+	not checkFlag(container)
 	msg := "Ensure that the --use-service-account-credentials argument is set to true"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }
diff --git a/checks/kubernetes/cisbenchmarks/controllermamager/use_service_account_credentials_test.rego b/checks/kubernetes/cisbenchmarks/controllermamager/use_service_account_credentials_test.rego
@@ -21,6 +21,28 @@ test_use_service_account_credentials_is_set_to_true {
 	count(r) == 0
 }
 
+test_use_service_account_credentials_is_set_to_true_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "controller-manager",
+			"labels": {
+				"component": "kube-controller-manager",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-controller-manager"],
+			"args": ["--allocate-node-cidrs=true", "--use-service-account-credentials=true"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
+
 test_use_service_account_credentials_is_set_to_false {
 	r := deny with input as {
 		"apiVersion": "v1",