diff --git a/checks/kubernetes/cisbenchmarks/etcd/auto_tls.rego b/checks/kubernetes/cisbenchmarks/etcd/auto_tls.rego
index 42d4a974..ac6c8867 100644
--- a/checks/kubernetes/cisbenchmarks/etcd/auto_tls.rego
+++ b/checks/kubernetes/cisbenchmarks/etcd/auto_tls.rego
@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0044
 import data.lib.kubernetes
-checkFlag[container] {
- container := kubernetes.containers[_]
- kubernetes.is_etcd(container)
+checkFlag(container) {
 kubernetes.command_has_flag(container.command, "--auto-tls=true")
 }
+checkFlag(container) {
+ kubernetes.command_has_flag(container.args, "--auto-tls=true")
+}
+
 deny[res] {
- output := checkFlag[_]
+ container := kubernetes.containers[_]
+ kubernetes.is_etcd(container)
+ checkFlag(container)
 msg := "Ensure that the --auto-tls argument is not set to true"
- res := result.new(msg, output)
+ res := result.new(msg, container)
 }
diff --git a/checks/kubernetes/cisbenchmarks/etcd/auto_tls_test.rego b/checks/kubernetes/cisbenchmarks/etcd/auto_tls_test.rego
index 07c2c8a3..63db14df 100644
--- a/checks/kubernetes/cisbenchmarks/etcd/auto_tls_test.rego
+++ b/checks/kubernetes/cisbenchmarks/etcd/auto_tls_test.rego
@@ -21,6 +21,28 @@ test_auto_tls_is_set_to_false {
 count(r) == 0
 }
+test_auto_tls_is_set_to_false_args {
+ r := deny with input as {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "etcd",
+ "labels": {
+ "component": "etcd",
+ "tier": "control-plane",
+ },
+ },
+ "spec": {"containers": [{
+ "command": ["etcd"],
+ "args": ["--advertise-client-urls=https://192.168.49.2:2379", "--auto-tls=false"],
+ "image": "busybox",
+ "name": "hello",
+ }]},
+ }
+
+ count(r) == 0
+}
+
 test_auto_tls_is_set_to_true {
 r := deny with input as {
 "apiVersion": "v1",
diff --git a/checks/kubernetes/cisbenchmarks/etcd/cert_file_and_key_file.rego b/checks/kubernetes/cisbenchmarks/etcd/cert_file_and_key_file.rego
index 19e19981..752a8a2c 100644
--- a/checks/kubernetes/cisbenchmarks/etcd/cert_file_and_key_file.rego
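Review bot: test_auto_tls_is_set_to_false_args in auto_tls_test.rego does not exercise the new `container.args` rule: with `--auto-tls=false` in `args`, `checkFlag` is false whether or not the args rule exists, so `count(r) == 0` would still hold if that rule were deleted. For a "must not be true" check the case that pins the new behaviour is the positive one, e.g. a test that puts `"--auto-tls=true"` in `args` and asserts that `deny` is non-empty, mirroring the existing test_auto_tls_is_set_to_true. The same gap applies to test_peer_auto_tls_is_set_to_false_args in peer_auto_tls_test.rego; the tests for the "must be set" checks (client_cert_auth, bind_address, profiling) do not have this problem because their args case only passes when the args rule fires.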
+++ b/checks/kubernetes/cisbenchmarks/etcd/cert_file_and_key_file.rego
@@ -19,20 +19,20 @@ package builtin.kubernetes.KCV0042
 import data.lib.kubernetes
-checkFlag[container] {
- container := kubernetes.containers[_]
- kubernetes.is_etcd(container)
- not kubernetes.command_has_flag(container.command, "--cert-file")
+checkFlag(container) {
+ kubernetes.command_has_flag(container.command, "--cert-file")
+ kubernetes.command_has_flag(container.command, "--key-file")
 }
-checkFlag[container] {
- container := kubernetes.containers[_]
- kubernetes.is_etcd(container)
- not kubernetes.command_has_flag(container.command, "--key-file")
+checkFlag(container) {
+ kubernetes.command_has_flag(container.args, "--cert-file")
+ kubernetes.command_has_flag(container.args, "--key-file")
 }
 deny[res] {
- output := checkFlag[_]
+ container := kubernetes.containers[_]
+ kubernetes.is_etcd(container)
+ not checkFlag(container)
 msg := "Ensure that the --cert-file and --key-file arguments are set as appropriate"
- res := result.new(msg, output)
+ res := result.new(msg, container)
 }
diff --git a/checks/kubernetes/cisbenchmarks/etcd/cert_file_and_key_file_test.rego b/checks/kubernetes/cisbenchmarks/etcd/cert_file_and_key_file_test.rego
index fde6461f..1114eaa3 100644
--- a/checks/kubernetes/cisbenchmarks/etcd/cert_file_and_key_file_test.rego
+++ b/checks/kubernetes/cisbenchmarks/etcd/cert_file_and_key_file_test.rego
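Review bot: The two new `checkFlag(container)` rules in cert_file_and_key_file.rego only succeed when both flags live in the same field, so a container that passes `--cert-file` in `command` and `--key-file` in `args` (or the reverse) is denied even though both are set; the previous per-flag rules did not couple the two flags this way. Splitting the lookup per flag, with a command rule and an args rule each, keeps the intent of the commit and accepts the mixed layout; peer_cert_file_and_key_file.rego has the same shape and would take the same change. Note also that the new args test passes `"--cert-file="` with an empty value and still expects no deny, which is consistent with the check being presence-only; whether `command_has_flag` (not shown here) tolerates an empty value is worth confirming, since an empty path does not satisfy "set as appropriate".
```rego
certFileSet(container) {
	kubernetes.command_has_flag(container.command, "--cert-file")
}

certFileSet(container) {
	kubernetes.command_has_flag(container.args, "--cert-file")
}

keyFileSet(container) {
	kubernetes.command_has_flag(container.command, "--key-file")
}

keyFileSet(container) {
	kubernetes.command_has_flag(container.args, "--key-file")
}

checkFlag(container) {
	certFileSet(container)
	keyFileSet(container)
}

# … unchanged: deny rule …
```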
@@ -65,6 +65,28 @@ test_etcd_cert_file_and_key_file_are_set {
 count(r) == 0
 }
+test_etcd_cert_file_and_key_file_are_set_args {
+ r := deny with input as {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "etcd",
+ "labels": {
+ "component": "etcd",
+ "tier": "control-plane",
+ },
+ },
+ "spec": {"containers": [{
+ "command": ["etcd"],
+ "args": ["--advertise-client-urls=https://192.168.49.2:2379", "--cert-file=", "--key-file="],
+ "image": "busybox",
+ "name": "hello",
+ }]},
+ }
+
+ count(r) == 0
+}
+
 test_etcd_cert_file_and_key_file_are_not_set {
 r := deny with input as {
 "apiVersion": "v1",
diff --git a/checks/kubernetes/cisbenchmarks/etcd/client_cert_auth.rego b/checks/kubernetes/cisbenchmarks/etcd/client_cert_auth.rego
index 3355dacf..01269638 100644
--- a/checks/kubernetes/cisbenchmarks/etcd/client_cert_auth.rego
+++ b/checks/kubernetes/cisbenchmarks/etcd/client_cert_auth.rego
@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0043
 import data.lib.kubernetes
-checkFlag[container] {
- container := kubernetes.containers[_]
- kubernetes.is_etcd(container)
- not kubernetes.command_has_flag(container.command, "--client-cert-auth=true")
+checkFlag(container) {
+ kubernetes.command_has_flag(container.command, "--client-cert-auth=true")
+}
+
+checkFlag(container) {
+ kubernetes.command_has_flag(container.args, "--client-cert-auth=true")
 }
 deny[res] {
- output := checkFlag[_]
+ container := kubernetes.containers[_]
+ kubernetes.is_etcd(container)
+ not checkFlag(container)
 msg := "Ensure that the --client-cert-auth argument is set to true"
- res := result.new(msg, output)
+ res := result.new(msg, container)
 }
diff --git a/checks/kubernetes/cisbenchmarks/etcd/client_cert_auth_test.rego b/checks/kubernetes/cisbenchmarks/etcd/client_cert_auth_test.rego
index 8de95073..f2f7a697 100644
--- a/checks/kubernetes/cisbenchmarks/etcd/client_cert_auth_test.rego
+++ b/checks/kubernetes/cisbenchmarks/etcd/client_cert_auth_test.rego
@@ -21,6 +21,28 @@ test_client_cert_auth_is_set_to_true {
 count(r) == 0
 }
+test_client_cert_auth_is_set_to_true_args {
+ r := deny with input as {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "etcd",
+ "labels": {
+ "component": "etcd",
+ "tier": "control-plane",
+ },
+ },
+ "spec": {"containers": [{
+ "command": ["etcd"],
+ "args": ["--advertise-client-urls=https://192.168.49.2:2379", "--client-cert-auth=true"],
+ "image": "busybox",
+ "name": "hello",
+ }]},
+ }
+
+ count(r) == 0
+}
+
 test_client_cert_auth_is_set_to_false {
 r := deny with input as {
 "apiVersion": "v1",
diff --git a/checks/kubernetes/cisbenchmarks/etcd/peer_auto_tls.rego b/checks/kubernetes/cisbenchmarks/etcd/peer_auto_tls.rego
index 22b2cb79..093ba751 100644
--- a/checks/kubernetes/cisbenchmarks/etcd/peer_auto_tls.rego
+++ b/checks/kubernetes/cisbenchmarks/etcd/peer_auto_tls.rego
@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0047
 import data.lib.kubernetes
-checkFlag[container] {
- container := kubernetes.containers[_]
- kubernetes.is_etcd(container)
+checkFlag(container) {
 kubernetes.command_has_flag(container.command, "--peer-auto-tls=true")
 }
+checkFlag(container) {
+ kubernetes.command_has_flag(container.args, "--peer-auto-tls=true")
+}
+
 deny[res] {
- output := checkFlag[_]
+ container := kubernetes.containers[_]
+ kubernetes.is_etcd(container)
+ checkFlag(container)
 msg := "Ensure that the --peer-auto-tls argument is not set to true"
- res := result.new(msg, output)
+ res := result.new(msg, container)
 }
diff --git a/checks/kubernetes/cisbenchmarks/etcd/peer_auto_tls_test.rego b/checks/kubernetes/cisbenchmarks/etcd/peer_auto_tls_test.rego
index 36647069..86817a90 100644
--- a/checks/kubernetes/cisbenchmarks/etcd/peer_auto_tls_test.rego
+++ b/checks/kubernetes/cisbenchmarks/etcd/peer_auto_tls_test.rego
@@ -21,6 +21,28 @@ test_peer_auto_tls_is_set_to_false {
 count(r) == 0
 }
+test_peer_auto_tls_is_set_to_false_args {
+ r := deny with input as {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "etcd",
+ "labels": {
+ "component": "etcd",
+ "tier": "control-plane",
+ },
+ },
+ "spec": {"containers": [{
+ "command": ["etcd"],
+ "args": ["--advertise-client-urls=https://192.168.49.2:2379", "--peer-auto-tls=false"],
+ "image": "busybox",
+ "name": "hello",
+ }]},
+ }
+
+ count(r) == 0
+}
+
 test_peer_auto_tls_is_set_to_true {
 r := deny with input as {
 "apiVersion": "v1",
diff --git a/checks/kubernetes/cisbenchmarks/etcd/peer_cert_file_and_key_file.rego b/checks/kubernetes/cisbenchmarks/etcd/peer_cert_file_and_key_file.rego
index 11396947..2a260c94 100644
--- a/checks/kubernetes/cisbenchmarks/etcd/peer_cert_file_and_key_file.rego
+++ b/checks/kubernetes/cisbenchmarks/etcd/peer_cert_file_and_key_file.rego
@@ -19,20 +19,20 @@ package builtin.kubernetes.KCV0045
 import data.lib.kubernetes
-checkFlag[container] {
- container := kubernetes.containers[_]
- kubernetes.is_etcd(container)
- not kubernetes.command_has_flag(container.command, "--peer-cert-file")
+checkFlag(container) {
+ kubernetes.command_has_flag(container.command, "--peer-cert-file")
+ kubernetes.command_has_flag(container.command, "--peer-key-file")
 }
-checkFlag[container] {
- container := kubernetes.containers[_]
- kubernetes.is_etcd(container)
- not kubernetes.command_has_flag(container.command, "--peer-key-file")
+checkFlag(container) {
+ kubernetes.command_has_flag(container.args, "--peer-cert-file")
+ kubernetes.command_has_flag(container.args, "--peer-key-file")
 }
 deny[res] {
- output := checkFlag[_]
+ container := kubernetes.containers[_]
+ kubernetes.is_etcd(container)
+ not checkFlag(container)
 msg := "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate"
- res := result.new(msg, output)
+ res := result.new(msg, container)
 }
diff --git a/checks/kubernetes/cisbenchmarks/etcd/peer_cert_file_and_key_file_test.rego b/checks/kubernetes/cisbenchmarks/etcd/peer_cert_file_and_key_file_test.rego
index 6012b899..1257404b 100644
--- a/checks/kubernetes/cisbenchmarks/etcd/peer_cert_file_and_key_file_test.rego
+++ b/checks/kubernetes/cisbenchmarks/etcd/peer_cert_file_and_key_file_test.rego
@@ -65,6 +65,28 @@ test_etcd_peer_cert_file_and_peer_key_file_are_set {
 count(r) == 0
 }
+test_etcd_peer_cert_file_and_peer_key_file_are_set_args {
+ r := deny with input as {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "etcd",
+ "labels": {
+ "component": "etcd",
+ "tier": "control-plane",
+ },
+ },
+ "spec": {"containers": [{
+ "command": ["etcd"],
+ "args": ["--peer-cert-file=", "--peer-key-file="],
+ "image": "busybox",
+ "name": "hello",
+ }]},
+ }
+
+ count(r) == 0
+}
+
 test_etcd_peer_cert_file_and_peer_key_file_are_not_set {
 r := deny with input as {
 "apiVersion": "v1",
diff --git a/checks/kubernetes/cisbenchmarks/etcd/peer_client_cert_auth.rego b/checks/kubernetes/cisbenchmarks/etcd/peer_client_cert_auth.rego
index 90a8cf80..a879a078 100644
--- a/checks/kubernetes/cisbenchmarks/etcd/peer_client_cert_auth.rego
+++ b/checks/kubernetes/cisbenchmarks/etcd/peer_client_cert_auth.rego
@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0046
 import data.lib.kubernetes
-checkFlag[container] {
- container := kubernetes.containers[_]
- kubernetes.is_etcd(container)
- not kubernetes.command_has_flag(container.command, "--peer-client-cert-auth=true")
+checkFlag(container) {
+ kubernetes.command_has_flag(container.command, "--peer-client-cert-auth=true")
+}
+
+checkFlag(container) {
+ kubernetes.command_has_flag(container.command, "--peer-client-cert-auth=true")
 }
 deny[res] {
- output := checkFlag[_]
+ container := kubernetes.containers[_]
+ kubernetes.is_etcd(container)
+ not checkFlag(container)
 msg := "Ensure that the --peer-client-cert-auth argument is set to true"
- res := result.new(msg, output)
+ res := result.new(msg, container)
 }
diff --git a/checks/kubernetes/cisbenchmarks/etcd/peer_client_cert_auth_test.rego b/checks/kubernetes/cisbenchmarks/etcd/peer_client_cert_auth_test.rego
index 60a1cb1b..aafecf32 100644
--- a/checks/kubernetes/cisbenchmarks/etcd/peer_client_cert_auth_test.rego
+++ b/checks/kubernetes/cisbenchmarks/etcd/peer_client_cert_auth_test.rego
@@ -21,6 +21,27 @@ test_peer_client_cert_auth_is_set_to_true {
 count(r) == 0
 }
+test_peer_client_cert_auth_is_set_to_true_args {
+ r := deny with input as {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "etcd",
+ "labels": {
+ "component": "etcd",
+ "tier": "control-plane",
+ },
+ },
+ "spec": {"containers": [{
+ "command": ["--advertise-client-urls=https://192.168.49.2:2379", "--peer-client-cert-auth=true"],
+ "image": "busybox",
+ "name": "hello",
+ }]},
+ }
+
+ count(r) == 0
+}
+
 test_peer_client_cert_auth_is_set_to_false {
 r := deny with input as {
 "apiVersion": "v1",
diff --git a/checks/kubernetes/cisbenchmarks/scheduler/bind_address.rego b/checks/kubernetes/cisbenchmarks/scheduler/bind_address.rego
index c6f2d035..60164422 100644
--- a/checks/kubernetes/cisbenchmarks/scheduler/bind_address.rego
+++ b/checks/kubernetes/cisbenchmarks/scheduler/bind_address.rego
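Review bot: The second `checkFlag(container)` rule in peer_client_cert_auth.rego checks `container.command` again instead of `container.args`, so it is an exact duplicate of the first rule and the args form of the flag is never recognised; every other check in this commit reads `container.args` in its second rule. The effect is that an etcd container passing `--peer-client-cert-auth=true` via `args` is still denied by KCV0046, a false positive that defeats the purpose of the change. The line should read `kubernetes.command_has_flag(container.args, "--peer-client-cert-auth=true")`.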
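Review bot: test_peer_client_cert_auth_is_set_to_true_args in peer_client_cert_auth_test.rego puts both flags in `command` rather than in `args`, so it does not exercise the new args rule at all and passes purely through the command rule; this is also why the duplicated `container.command` lookup in the policy goes unnoticed. The fixture should follow the shape used by the sibling tests, `"command": ["etcd"],` followed by `"args": ["--advertise-client-urls=https://192.168.49.2:2379", "--peer-client-cert-auth=true"],`, which with the current policy would correctly fail until the args rule is corrected.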
@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0041
 import data.lib.kubernetes
-checkFlag[container] {
- container := kubernetes.containers[_]
- kubernetes.is_scheduler(container)
- not kubernetes.command_has_flag(container.command, "--bind-address=127.0.0.1")
+checkFlag(container) {
+ kubernetes.command_has_flag(container.command, "--bind-address=127.0.0.1")
+}
+
+checkFlag(container) {
+ kubernetes.command_has_flag(container.args, "--bind-address=127.0.0.1")
 }
 deny[res] {
- output := checkFlag[_]
+ container := kubernetes.containers[_]
+ kubernetes.is_scheduler(container)
+ not checkFlag(container)
 msg := "Ensure that the --bind-address argument is set to 127.0.0.1"
- res := result.new(msg, output)
+ res := result.new(msg, container)
 }
diff --git a/checks/kubernetes/cisbenchmarks/scheduler/bind_address_test.rego b/checks/kubernetes/cisbenchmarks/scheduler/bind_address_test.rego
index 188dfbe5..4db63b36 100644
--- a/checks/kubernetes/cisbenchmarks/scheduler/bind_address_test.rego
+++ b/checks/kubernetes/cisbenchmarks/scheduler/bind_address_test.rego
@@ -21,6 +21,28 @@ test_bind_address_is_set_to_localhost_ip {
 count(r) == 0
 }
+test_bind_address_is_set_to_localhost_ip_args {
+ r := deny with input as {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "scheduler",
+ "labels": {
+ "component": "kube-scheduler",
+ "tier": "control-plane",
+ },
+ },
+ "spec": {"containers": [{
+ "command": ["kube-scheduler"],
+ "args": ["--authentication-kubeconfig=", "--bind-address=127.0.0.1"],
+ "image": "busybox",
+ "name": "hello",
+ }]},
+ }
+
+ count(r) == 0
+}
+
 test_bind_address_is_set_to_different_ip {
 r := deny with input as {
 "apiVersion": "v1",
diff --git a/checks/kubernetes/cisbenchmarks/scheduler/profiling.rego b/checks/kubernetes/cisbenchmarks/scheduler/profiling.rego
index 84a7ffbf..080a30aa 100644
--- a/checks/kubernetes/cisbenchmarks/scheduler/profiling.rego
+++ b/checks/kubernetes/cisbenchmarks/scheduler/profiling.rego
@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0040
 import data.lib.kubernetes
-checkFlag[container] {
- container := kubernetes.containers[_]
- kubernetes.is_scheduler(container)
- not kubernetes.command_has_flag(container.command, "--profiling=false")
+checkFlag(container) {
+ kubernetes.command_has_flag(container.command, "--profiling=false")
+}
+
+checkFlag(container) {
+ kubernetes.command_has_flag(container.args, "--profiling=false")
 }
 deny[res] {
- output := checkFlag[_]
+ container := kubernetes.containers[_]
+ kubernetes.is_scheduler(container)
+ not checkFlag(container)
 msg := "Ensure that the --profiling argument is set to false"
- res := result.new(msg, output)
+ res := result.new(msg, container)
 }
diff --git a/checks/kubernetes/cisbenchmarks/scheduler/profiling_test.rego b/checks/kubernetes/cisbenchmarks/scheduler/profiling_test.rego
index 9eb00b2c..98a83d31 100644
--- a/checks/kubernetes/cisbenchmarks/scheduler/profiling_test.rego
+++ b/checks/kubernetes/cisbenchmarks/scheduler/profiling_test.rego
@@ -21,6 +21,28 @@ test_profiling_is_set_to_false {
 count(r) == 0
 }
+test_profiling_is_set_to_false_args {
+ r := deny with input as {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "scheduler",
+ "labels": {
+ "component": "kube-scheduler",
+ "tier": "control-plane",
+ },
+ },
+ "spec": {"containers": [{
+ "command": ["kube-scheduler"],
+ "args": ["--authentication-kubeconfig=", "--profiling=false"],
+ "image": "busybox",
+ "name": "hello",
+ }]},
+ }
+
+ count(r) == 0
+}
+
 test_profiling_is_set_to_true {
 r := deny with input as {
 "apiVersion": "v1",