Merge branch 'master' into delete-review-path

kubescape · Oct 9, 2023 · 300ad59 · 300ad59
2 parents 0be7a5b + f1cf9c1
commit 300ad59
Show file tree

Hide file tree

Showing 22 changed files with 77 additions and 16 deletions.
diff --git a/ControlID_RuleName.csv b/ControlID_RuleName.csv
@@ -69,7 +69,7 @@ C-0073,naked-pods
 C-0074,containers-mounting-docker-socket
 C-0075,image-pull-policy-is-not-set-to-always
 C-0076,label-usage-for-resources
-C-0077,K8s common labels usage
+C-0077,k8s-common-labels-usage
 C-0078,container-image-repository
 C-0079,CVE-2022-0185
 C-0081,CVE-2022-24348

diff --git a/controls/C-0077-k8scommonlabelsusage.json b/controls/C-0077-k8scommonlabelsusage.json
@@ -10,7 +10,7 @@
     "description": "Kubernetes common labels help manage and monitor Kubernetes cluster using different tools such as kubectl, dashboard and others in an interoperable way. Refer to https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/ for more information. This control helps you find objects that don't have any of these labels defined.",
     "remediation": "Define applicable labels or use the exception mechanism to prevent further notifications.",
     "rulesNames": [
-        "K8s common labels usage"
+        "k8s-common-labels-usage"
     ],
     "long_description": "Kubernetes common labels help manage and monitor Kubernetes cluster using different tools such as kubectl, dashboard and others in an interoperable way. Refer to https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/ for more information. This control helps you find objects that don't have any of these labels defined.",
     "test": "Test will check if the list of label that start with app.kubernetes.io/ are defined.",

diff --git a/rules/K8s common labels usage/raw.rego → rules/k8s-common-labels-usage/raw.rego b/rules/K8s common labels usage/raw.rego → rules/k8s-common-labels-usage/raw.rego
@@ -86,23 +86,33 @@ no_K8s_label_usage(wl, podSpec, beggining_of_pod_path) = path{
 
 no_K8s_label_or_no_K8s_label_usage(wl, start_of_path) = path{
 	not wl.metadata.labels
-	path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}]
+	label_key := get_label_key("")
+	path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}]
 }
 
 no_K8s_label_or_no_K8s_label_usage(wl, start_of_path) = path{
 	metadata := wl.metadata
 	not metadata.labels
-	path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}]
+	label_key := get_label_key("")
+	path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}]
 }
 
 no_K8s_label_or_no_K8s_label_usage(wl, start_of_path) = path{
 	labels := wl.metadata.labels
 	not all_kubernetes_labels(labels)
-	path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}]
+	label_key := get_label_key("")
+	path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}]
 }
 
 all_kubernetes_labels(labels){
 	recommended_labels := data.postureControlInputs.k8sRecommendedLabels
 	recommended_label := recommended_labels[_]
 	labels[recommended_label]
 }
+
+# get_label_key accepts a parameter so it's not considered a rule
+get_label_key(unused_param) = key {
+	recommended_labels := data.postureControlInputs.k8sRecommendedLabels
+    count(recommended_labels) > 0
+    key := recommended_labels[0]
+} else = "YOUR_LABEL"
diff --git a/...8s common labels usage/rule.metadata.json → ...8s-common-labels-usage/rule.metadata.json b/...8s common labels usage/rule.metadata.json → ...8s-common-labels-usage/rule.metadata.json
@@ -1,5 +1,5 @@
 {
-    "name": "K8s common labels usage",
+    "name": "k8s-common-labels-usage",
     "attributes": {
       "armoBuiltin": true
     },

diff --git a/rules/k8s-common-labels-usage/test/cronjob/data.json b/rules/k8s-common-labels-usage/test/cronjob/data.json
@@ -0,0 +1,8 @@
+{
+    "postureControlInputs": {
+        "k8sRecommendedLabels": [
+            "app.kubernetes.io/name",
+            "app.kubernetes.io/instance"
+        ]
+    }
+}
diff --git a/...n labels usage/test/cronjob/expected.json → ...n-labels-usage/test/cronjob/expected.json b/...n labels usage/test/cronjob/expected.json → ...n-labels-usage/test/cronjob/expected.json
@@ -2,7 +2,7 @@
     "alertMessage": "the following cronjobs the kubernetes common labels are not defined: hello",
     "failedPaths": [],
     "fixPaths": [{
-        "path": "spec.jobTemplate.spec.template.metadata.labels",
+        "path": "spec.jobTemplate.spec.template.metadata.labels.app.kubernetes.io/name",
         "value": "YOUR_VALUE"
     }],
     "ruleStatus": "",

diff --git a/...els usage/test/cronjob/input/cronjob.yaml → ...els-usage/test/cronjob/input/cronjob.yaml b/...els usage/test/cronjob/input/cronjob.yaml → ...els-usage/test/cronjob/input/cronjob.yaml
diff --git a/rules/k8s-common-labels-usage/test/pod/data.json b/rules/k8s-common-labels-usage/test/pod/data.json
@@ -0,0 +1,5 @@
+{
+    "postureControlInputs": {
+        "k8sRecommendedLabels": []
+    }
+}
diff --git a/...ommon labels usage/test/pod/expected.json → ...ommon-labels-usage/test/pod/expected.json b/...ommon labels usage/test/pod/expected.json → ...ommon-labels-usage/test/pod/expected.json
@@ -2,7 +2,7 @@
     "alertMessage": "in the following pod the kubernetes common labels are not defined: command-demo",
     "failedPaths": [],
     "fixPaths": [{
-        "path": "metadata.labels",
+        "path": "metadata.labels.YOUR_LABEL",
         "value": "YOUR_VALUE"
     }],
     "ruleStatus": "",

diff --git a/...mmon labels usage/test/pod/input/pod.yaml → ...mmon-labels-usage/test/pod/input/pod.yaml b/...mmon labels usage/test/pod/input/pod.yaml → ...mmon-labels-usage/test/pod/input/pod.yaml
diff --git a/rules/k8s-common-labels-usage/test/workload-fail/data.json b/rules/k8s-common-labels-usage/test/workload-fail/data.json
@@ -0,0 +1,8 @@
+{
+    "postureControlInputs": {
+        "k8sRecommendedLabels": [
+            "app.kubernetes.io/name",
+            "app.kubernetes.io/instance"
+        ]
+    }
+}
diff --git a/...ls usage/test/workload-fail/expected.json → ...ls-usage/test/workload-fail/expected.json b/...ls usage/test/workload-fail/expected.json → ...ls-usage/test/workload-fail/expected.json
@@ -2,7 +2,7 @@
     "alertMessage": "Deployment: kubernetes-dashboard the kubernetes common labels are is not defined:",
     "failedPaths": [],
     "fixPaths": [{
-        "path": "spec.template.metadata.labels",
+        "path": "spec.template.metadata.labels.app.kubernetes.io/name",
         "value": "YOUR_VALUE"
     }],
     "ruleStatus": "",

diff --git a/.../test/workload-fail/input/deployment.yaml → .../test/workload-fail/input/deployment.yaml b/.../test/workload-fail/input/deployment.yaml → .../test/workload-fail/input/deployment.yaml
diff --git a/... labels usage/test/workload/expected.json → ...-labels-usage/test/workload/expected.json b/... labels usage/test/workload/expected.json → ...-labels-usage/test/workload/expected.json
diff --git a/...usage/test/workload/input/deployment.yaml → ...usage/test/workload/input/deployment.yaml b/...usage/test/workload/input/deployment.yaml → ...usage/test/workload/input/deployment.yaml
diff --git a/rules/label-usage-for-resources/raw.rego b/rules/label-usage-for-resources/raw.rego
@@ -84,19 +84,22 @@ no_label_usage(wl, podSpec, beggining_of_pod_path) = path{
 
 no_label_or_no_label_usage(wl, start_of_path) = path{
 	not wl.metadata
-	path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}]
+	label_key := get_label_key("")
+	path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}]
 }
 
 no_label_or_no_label_usage(wl, start_of_path) = path{
 	metadata := wl.metadata
 	not metadata.labels
-	path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}]
+	label_key := get_label_key("")
+	path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}]
 }
 
 no_label_or_no_label_usage(wl, start_of_path) = path{
 	labels := wl.metadata.labels
 	not is_desired_label(labels)
-	path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}]
+	label_key := get_label_key("")
+	path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}]
 }
 
 is_desired_label(labels) {
@@ -105,3 +108,9 @@ is_desired_label(labels) {
 	labels[recommended_label]
 }
 
+# get_label_key accepts a parameter so it's not considered a rule
+get_label_key(unused_param) = key {
+	recommended_labels := data.postureControlInputs.recommendedLabels
+    count(recommended_labels) > 0
+    key := recommended_labels[0]
+} else = "YOUR_LABEL"
diff --git a/rules/label-usage-for-resources/test/cronjob/data.json b/rules/label-usage-for-resources/test/cronjob/data.json
@@ -0,0 +1,5 @@
+{
+    "postureControlInputs": {
+        "recommendedLabels": []
+    }
+}
diff --git a/rules/label-usage-for-resources/test/cronjob/expected.json b/rules/label-usage-for-resources/test/cronjob/expected.json
@@ -2,10 +2,10 @@
     "alertMessage": "the following cronjobs a certain set of labels is not defined: hello",
     "failedPaths": [],
     "fixPaths": [{
-        "path": "metadata.labels",
+        "path": "metadata.labels.YOUR_LABEL",
         "value": "YOUR_VALUE"
     }, {
-        "path": "spec.jobTemplate.spec.template.metadata.labels",
+        "path": "spec.jobTemplate.spec.template.metadata.labels.YOUR_LABEL",
         "value": "YOUR_VALUE"
     }],
     "ruleStatus": "",

diff --git a/rules/label-usage-for-resources/test/pod/data.json b/rules/label-usage-for-resources/test/pod/data.json
@@ -0,0 +1,8 @@
+{
+    "postureControlInputs": {
+        "recommendedLabels": [
+            "app",
+            "tier"
+        ]
+    }
+}
diff --git a/rules/label-usage-for-resources/test/pod/expected.json b/rules/label-usage-for-resources/test/pod/expected.json
@@ -2,7 +2,7 @@
     "alertMessage": "in the following pods a certain set of labels is not defined: command-demo",
     "failedPaths": [],
     "fixPaths": [{
-        "path": "metadata.labels",
+        "path": "metadata.labels.app",
         "value": "YOUR_VALUE"
     }],
     "ruleStatus": "",

diff --git a/rules/label-usage-for-resources/test/workload-fail/data.json b/rules/label-usage-for-resources/test/workload-fail/data.json
@@ -0,0 +1,8 @@
+{
+    "postureControlInputs": {
+        "recommendedLabels": [
+            "app",
+            "tier"
+        ]
+    }
+}
diff --git a/rules/label-usage-for-resources/test/workload-fail/expected.json b/rules/label-usage-for-resources/test/workload-fail/expected.json
@@ -2,7 +2,7 @@
     "alertMessage": "Deployment: kubernetes-dashboard a certain set of labels is not defined:",
     "failedPaths": [],
     "fixPaths": [{
-        "path": "spec.template.metadata.labels",
+        "path": "spec.template.metadata.labels.app",
         "value": "YOUR_VALUE"
     }],
     "ruleStatus": "",