fix: cis checks validate api-server args

Signed-off-by: chenk <[email protected]>

checks/kubernetes/cisbenchmarks/etcd/auto_tls.rego

@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0044
 
 import data.lib.kubernetes
 
-checkFlag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_etcd(container)
+checkFlag(container) {
 	kubernetes.command_has_flag(container.command, "--auto-tls=true")
 }
 
+checkFlag(container) {
+	kubernetes.command_has_flag(container.args, "--auto-tls=true")
+}
+
 deny[res] {
-	output := checkFlag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_etcd(container)
+	checkFlag(container)
 	msg := "Ensure that the --auto-tls argument is not set to true"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/etcd/auto_tls_test.rego

@@ -21,6 +21,28 @@ test_auto_tls_is_set_to_false {
 	count(r) == 0
 }
 
+test_auto_tls_is_set_to_false_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "etcd",
+			"labels": {
+				"component": "etcd",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["etcd"],
+			"args": ["--advertise-client-urls=https://192.168.49.2:2379", "--auto-tls=false"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
+
 test_auto_tls_is_set_to_true {
 	r := deny with input as {
 		"apiVersion": "v1",

checks/kubernetes/cisbenchmarks/etcd/cert_file_and_key_file.rego

@@ -19,20 +19,20 @@ package builtin.kubernetes.KCV0042
 
 import data.lib.kubernetes
 
-checkFlag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_etcd(container)
-	not kubernetes.command_has_flag(container.command, "--cert-file")
+checkFlag(container) {
+	kubernetes.command_has_flag(container.command, "--cert-file")
+	kubernetes.command_has_flag(container.command, "--key-file")
 }
 
-checkFlag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_etcd(container)
-	not kubernetes.command_has_flag(container.command, "--key-file")
+checkFlag(container) {
+	kubernetes.command_has_flag(container.args, "--cert-file")
+	kubernetes.command_has_flag(container.args, "--key-file")
 }
 
 deny[res] {
-	output := checkFlag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_etcd(container)
+	not checkFlag(container)
 	msg := "Ensure that the --cert-file and --key-file arguments are set as appropriate"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/etcd/cert_file_and_key_file_test.rego

@@ -65,6 +65,28 @@ test_etcd_cert_file_and_key_file_are_set {
 	count(r) == 0
 }
 
+test_etcd_cert_file_and_key_file_are_set_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "etcd",
+			"labels": {
+				"component": "etcd",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["etcd"],
+			"args": ["--advertise-client-urls=https://192.168.49.2:2379", "--cert-file=<filename>", "--key-file=<filename>"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
+
 test_etcd_cert_file_and_key_file_are_not_set {
 	r := deny with input as {
 		"apiVersion": "v1",

checks/kubernetes/cisbenchmarks/etcd/client_cert_auth.rego

@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0043
 
 import data.lib.kubernetes
 
-checkFlag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_etcd(container)
-	not kubernetes.command_has_flag(container.command, "--client-cert-auth=true")
+checkFlag(container) {
+	kubernetes.command_has_flag(container.command, "--client-cert-auth=true")
+}
+
+checkFlag(container) {
+	kubernetes.command_has_flag(container.args, "--client-cert-auth=true")
 }
 
 deny[res] {
-	output := checkFlag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_etcd(container)
+	not checkFlag(container)
 	msg := "Ensure that the --client-cert-auth argument is set to true"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/etcd/client_cert_auth_test.rego

@@ -21,6 +21,28 @@ test_client_cert_auth_is_set_to_true {
 	count(r) == 0
 }
 
+test_client_cert_auth_is_set_to_true_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "etcd",
+			"labels": {
+				"component": "etcd",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["etcd"],
+			"args": ["--advertise-client-urls=https://192.168.49.2:2379", "--client-cert-auth=true"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
+
 test_client_cert_auth_is_set_to_false {
 	r := deny with input as {
 		"apiVersion": "v1",

checks/kubernetes/cisbenchmarks/etcd/peer_auto_tls.rego

@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0047
 
 import data.lib.kubernetes
 
-checkFlag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_etcd(container)
+checkFlag(container) {
 	kubernetes.command_has_flag(container.command, "--peer-auto-tls=true")
 }
 
+checkFlag(container) {
+	kubernetes.command_has_flag(container.args, "--peer-auto-tls=true")
+}
+
 deny[res] {
-	output := checkFlag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_etcd(container)
+	checkFlag(container)
 	msg := "Ensure that the --peer-auto-tls argument is not set to true"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/etcd/peer_auto_tls_test.rego

@@ -21,6 +21,28 @@ test_peer_auto_tls_is_set_to_false {
 	count(r) == 0
 }
 
+test_peer_auto_tls_is_set_to_false_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "etcd",
+			"labels": {
+				"component": "etcd",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["etcd"],
+			"args": ["--advertise-client-urls=https://192.168.49.2:2379", "--peer-auto-tls=false"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
+
 test_peer_auto_tls_is_set_to_true {
 	r := deny with input as {
 		"apiVersion": "v1",

checks/kubernetes/cisbenchmarks/etcd/peer_cert_file_and_key_file.rego

@@ -19,20 +19,20 @@ package builtin.kubernetes.KCV0045
 
 import data.lib.kubernetes
 
-checkFlag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_etcd(container)
-	not kubernetes.command_has_flag(container.command, "--peer-cert-file")
+checkFlag(container) {
+	kubernetes.command_has_flag(container.command, "--peer-cert-file")
+	kubernetes.command_has_flag(container.command, "--peer-key-file")
 }
 
-checkFlag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_etcd(container)
-	not kubernetes.command_has_flag(container.command, "--peer-key-file")
+checkFlag(container) {
+	kubernetes.command_has_flag(container.args, "--peer-cert-file")
+	kubernetes.command_has_flag(container.args, "--peer-key-file")
 }
 
 deny[res] {
-	output := checkFlag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_etcd(container)
+	not checkFlag(container)
 	msg := "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/etcd/peer_cert_file_and_key_file_test.rego

@@ -65,6 +65,28 @@ test_etcd_peer_cert_file_and_peer_key_file_are_set {
 	count(r) == 0
 }
 
+test_etcd_peer_cert_file_and_peer_key_file_are_set_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "etcd",
+			"labels": {
+				"component": "etcd",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["etcd"],
+			"args": ["--peer-cert-file=<filename>", "--peer-key-file=<filename>"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
+
 test_etcd_peer_cert_file_and_peer_key_file_are_not_set {
 	r := deny with input as {
 		"apiVersion": "v1",

checks/kubernetes/cisbenchmarks/etcd/peer_client_cert_auth.rego

@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0046
 
 import data.lib.kubernetes
 
-checkFlag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_etcd(container)
-	not kubernetes.command_has_flag(container.command, "--peer-client-cert-auth=true")
+checkFlag(container) {
+	kubernetes.command_has_flag(container.command, "--peer-client-cert-auth=true")
+}
+
+checkFlag(container) {
+	kubernetes.command_has_flag(container.command, "--peer-client-cert-auth=true")
 }
 
 deny[res] {
-	output := checkFlag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_etcd(container)
+	not checkFlag(container)
 	msg := "Ensure that the --peer-client-cert-auth argument is set to true"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/etcd/peer_client_cert_auth_test.rego

@@ -21,6 +21,27 @@ test_peer_client_cert_auth_is_set_to_true {
 	count(r) == 0
 }
 
+test_peer_client_cert_auth_is_set_to_true_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "etcd",
+			"labels": {
+				"component": "etcd",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["--advertise-client-urls=https://192.168.49.2:2379", "--peer-client-cert-auth=true"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
+
 test_peer_client_cert_auth_is_set_to_false {
 	r := deny with input as {
 		"apiVersion": "v1",

checks/kubernetes/cisbenchmarks/scheduler/bind_address.rego

@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0041
 
 import data.lib.kubernetes
 
-checkFlag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_scheduler(container)
-	not kubernetes.command_has_flag(container.command, "--bind-address=127.0.0.1")
+checkFlag(container) {
+	kubernetes.command_has_flag(container.command, "--bind-address=127.0.0.1")
+}
+
+checkFlag(container) {
+	kubernetes.command_has_flag(container.args, "--bind-address=127.0.0.1")
 }
 
 deny[res] {
-	output := checkFlag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_scheduler(container)
+	not checkFlag(container)
 	msg := "Ensure that the --bind-address argument is set to 127.0.0.1"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/scheduler/bind_address_test.rego

@@ -21,6 +21,28 @@ test_bind_address_is_set_to_localhost_ip {
 	count(r) == 0
 }
 
+test_bind_address_is_set_to_localhost_ip_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "scheduler",
+			"labels": {
+				"component": "kube-scheduler",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-scheduler"],
+			"args": ["--authentication-kubeconfig=<path/to/file>", "--bind-address=127.0.0.1"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
+
 test_bind_address_is_set_to_different_ip {
 	r := deny with input as {
 		"apiVersion": "v1",