fix: cis checks validate (api-server, controller-manager, scheduler and etcd) args

checks/kubernetes/cisbenchmarks/apiserver/always_admit_plugin.rego

@@ -19,16 +19,22 @@ package builtin.kubernetes.KCV0011
 
 import data.lib.kubernetes
 
-check_flag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_apiserver(container)
-	some i
-	output := regex.find_all_string_submatch_n(`--enable-admission-plugins=([^\s]+)`, container.command[i], -1)
+check_flag(container) {
+	cmd := kubernetes.containers[_].command[_]
+	output := regex.find_all_string_submatch_n(`--enable-admission-plugins=([^\s]+)`, cmd, -1)
+	regex.match("AlwaysAdmit", output[0][1])
+}
+
+check_flag(container) {
+	arg := kubernetes.containers[_].args[_]
+	output := regex.find_all_string_submatch_n(`--enable-admission-plugins=([^\s]+)`, arg, -1)
 	regex.match("AlwaysAdmit", output[0][1])
 }
 
 deny[res] {
-	output := check_flag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_apiserver(container)
+	check_flag(container)
 	msg := "Ensure that the admission control plugin AlwaysAdmit is not set"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/apiserver/always_admit_plugin_test.rego

@@ -64,6 +64,28 @@ test_always_admit_plugin_is_not_enabled {
 	count(r) == 0
 }
 
+test_always_admit_plugin_is_not_enabled_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "apiserver",
+			"labels": {
+				"component": "kube-apiserver",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-apiserver"],
+			"args": ["--enable-admission-plugins=NamespaceLifecycle,ServiceAccount"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
+
 test_always_admit_plugin_is_enabled_with_others {
 	r := deny with input as {
 		"apiVersion": "v1",

checks/kubernetes/cisbenchmarks/apiserver/anonymous_auth.rego

@@ -19,16 +19,20 @@ package builtin.kubernetes.KCV0001
 
 import data.lib.kubernetes
 
-check_flag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_apiserver(container)
-	some i
-	flag := container.command[i]
-	not kubernetes.command_has_flag(container.command, "--anonymous-auth=false")
+check_flag(container) {
+	arg := kubernetes.containers[_].args[_]
+	contains(arg, "--anonymous-auth=false")
+}
+
+check_flag(container) {
+	cmd := kubernetes.containers[_].command[_]
+	contains(cmd, "--anonymous-auth=false")
 }
 
 deny[res] {
-	output := check_flag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_apiserver(container)
+	not check_flag(container)
 	msg := "Ensure that the --anonymous-auth argument is set to false"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/apiserver/anonymous_auth_test.rego

@@ -64,3 +64,47 @@ test_anonymous_requests_false {
 
 	count(r) == 0
 }
+
+test_anonymous_requests_args_false {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "apiserver",
+			"labels": {
+				"component": "kube-apiserver",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-apiserver", "--advertise-address=192.168.49.2"],
+			"args": ["--anonymous-auth=false"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
+
+test_anonymous_requests_args_no_apiserver {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "test",
+			"labels": {
+				"component": "kube-apiserver",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["test", "--advertise-address=192.168.49.2"],
+			"args": ["--anonymous-auth=true"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}

checks/kubernetes/cisbenchmarks/apiserver/audit_log_maxage.rego

@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0020
 
 import data.lib.kubernetes
 
-check_flag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_apiserver(container)
-	not kubernetes.command_has_flag(container.command, "--audit-log-maxage")
+check_flag(container) {
+	kubernetes.command_has_flag(container.command, "--audit-log-maxage")
+}
+
+check_flag(container) {
+	kubernetes.command_has_flag(container.args, "--audit-log-maxage")
 }
 
 deny[res] {
-	output := check_flag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_apiserver(container)
+	not check_flag(container)
 	msg := "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/apiserver/audit_log_maxage_test.rego

@@ -63,3 +63,25 @@ test_audit_log_maxage_is_not_set {
 	count(r) == 1
 	r[_].msg == "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate"
 }
+
+test_audit_log_maxage_is_set_10_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "apiserver",
+			"labels": {
+				"component": "kube-apiserver",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-apiserver"],
+			"args": ["--advertise-address=192.168.49.2", "--audit-log-maxage=30", "--secure-port=10"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}

checks/kubernetes/cisbenchmarks/apiserver/audit_log_maxbackup.rego

@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0021
 
 import data.lib.kubernetes
 
-check_flag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_apiserver(container)
-	not kubernetes.command_has_flag(container.command, "--audit-log-maxbackup")
+check_flag(container) {
+	kubernetes.command_has_flag(container.command, "--audit-log-maxbackup")
+}
+
+check_flag(container) {
+	kubernetes.command_has_flag(container.args, "--audit-log-maxbackup")
 }
 
 deny[res] {
-	output := check_flag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_apiserver(container)
+	not check_flag(container)
 	msg := "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/apiserver/audit_log_maxbackup_test.rego

@@ -63,3 +63,25 @@ test_audit_log_maxbackup_is_not_set {
 	count(r) == 1
 	r[_].msg == "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate"
 }
+
+test_audit_log_maxbackup_is_set_10_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "apiserver",
+			"labels": {
+				"component": "kube-apiserver",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-apiserver"],
+			"args": ["--advertise-address=192.168.49.2", "--audit-log-maxbackup=30", "--secure-port=10"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}

checks/kubernetes/cisbenchmarks/apiserver/audit_log_maxsize.rego

@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0022
 
 import data.lib.kubernetes
 
-check_flag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_apiserver(container)
-	not kubernetes.command_has_flag(container.command, "--audit-log-maxsize")
+check_flag(container) {
+	kubernetes.command_has_flag(container.command, "--audit-log-maxsize")
+}
+
+check_flag(container) {
+	kubernetes.command_has_flag(container.args, "--audit-log-maxsize")
 }
 
 deny[res] {
-	output := check_flag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_apiserver(container)
+	not check_flag(container)
 	msg := "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/apiserver/audit_log_maxsize_test.rego

@@ -42,6 +42,28 @@ test_audit_log_maxsize_is_set_10 {
 	count(r) == 0
 }
 
+test_audit_log_maxsize_is_set_10_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "apiserver",
+			"labels": {
+				"component": "kube-apiserver",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-apiserver"],
+			"args": ["--advertise-address=192.168.49.2", "--audit-log-maxsize=10", "--secure-port=10"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
+
 test_audit_log_maxsize_is_not_set {
 	r := deny with input as {
 		"apiVersion": "v1",

checks/kubernetes/cisbenchmarks/apiserver/audit_log_path.rego

@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0019
 
 import data.lib.kubernetes
 
-check_flag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_apiserver(container)
-	not kubernetes.command_has_flag(container.command, "--audit-log-path")
+check_flag(container) {
+	kubernetes.command_has_flag(container.command, "--audit-log-path")
+}
+
+check_flag(container) {
+	kubernetes.command_has_flag(container.args, "--audit-log-path")
 }
 
 deny[res] {
-	output := check_flag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_apiserver(container)
+	not check_flag(container)
 	msg := "Ensure that the --audit-log-path argument is set"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/apiserver/audit_log_path_test.rego

@@ -42,3 +42,25 @@ test_audit_log_path_is_not_set {
 	count(r) == 1
 	r[_].msg == "Ensure that the --audit-log-path argument is set"
 }
+
+test_audit_log_path_is_set_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "apiserver",
+			"labels": {
+				"component": "kube-apiserver",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-apiserver"],
+			"args": ["--advertise-address=192.168.49.2", "--audit-log-path=<path>", "--secure-port=0"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}

checks/kubernetes/cisbenchmarks/apiserver/authorization_mode.rego

@@ -19,16 +19,16 @@ package builtin.kubernetes.KCV0007
 
 import data.lib.kubernetes
 
-check_flag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_apiserver(container)
+check_flag(container) {
 	some i
 	output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, container.command[i], -1)
 	regex.match("AlwaysAllow", output[0][1])
 }
 
 deny[res] {
-	output := check_flag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_apiserver(container)
+	check_flag(container)
 	msg := "Ensure that the --authorization-mode argument is not set to AlwaysAllow"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_includes_node.rego

@@ -19,21 +19,24 @@ package builtin.kubernetes.KCV0008
 
 import data.lib.kubernetes
 
-check_flag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_apiserver(container)
-	not kubernetes.command_has_flag(container.command, "--authorization-mode")
+check_flag(container) {
+	kubernetes.command_has_flag(container.command, "--authorization-mode")
+	some i
+	output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, container.command[i], -1)
+	regex.match("Node", output[0][1])
 }
 
-check_flag[container] {
-	container := kubernetes.containers[_]
+check_flag(container) {
+	kubernetes.command_has_flag(container.args, "--authorization-mode")
 	some i
-	output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, container.command[i], -1)
-	not regex.match("Node", output[0][1])
+	output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, container.args[i], -1)
+	regex.match("Node", output[0][1])
 }
 
 deny[res] {
-	output := check_flag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_apiserver(container)
+	not check_flag(container)
 	msg := "Ensure that the --authorization-mode argument includes Node"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }