From f1cf9c1cb69e3fbc8d4e8f71357419096ae19ee5 Mon Sep 17 00:00:00 2001
From: Meital Rudnitsky <66885688+itsmeital@users.noreply.github.com>
Date: Mon, 9 Oct 2023 14:39:16 +0300
Subject: [PATCH] Add .YOUR_KEY to C-0077 & C-0076 (#514)

* add .YOUR_KEY to C-0077 & C-0076

Signed-off-by: Meital Rudnitsky

* fix tests

Signed-off-by: Meital Rudnitsky

* fix rule naming convention

Signed-off-by: Meital Rudnitsky

* use 1st value of recommended labels for label key

Signed-off-by: Meital Rudnitsky

* fix test

Signed-off-by: Meital Rudnitsky

* fix rules

Signed-off-by: Meital Rudnitsky

* fix

Signed-off-by: Meital Rudnitsky

---------

Signed-off-by: Meital Rudnitsky
---
 ControlID_RuleName.csv | 2 +-
 controls/C-0077-k8scommonlabelsusage.json | 2 +-
 .../raw.rego | 16 +++++++++++++---
 .../rule.metadata.json | 2 +-
 .../test/cronjob/data.json | 8 ++++++++
 .../test/cronjob/expected.json | 2 +-
 .../test/cronjob/input/cronjob.yaml | 0
 rules/k8s-common-labels-usage/test/pod/data.json | 5 +++++
 .../test/pod/expected.json | 2 +-
 .../test/pod/input/pod.yaml | 0
 .../test/workload-fail/data.json | 8 ++++++++
 .../test/workload-fail/expected.json | 2 +-
 .../test/workload-fail/input/deployment.yaml | 0
 .../test/workload/expected.json | 0
 .../test/workload/input/deployment.yaml | 0
 rules/label-usage-for-resources/raw.rego | 15 ++++++++++++---
 .../test/cronjob/data.json | 5 +++++
 .../test/cronjob/expected.json | 4 ++--
 .../label-usage-for-resources/test/pod/data.json | 8 ++++++++
 .../test/pod/expected.json | 2 +-
 .../test/workload-fail/data.json | 8 ++++++++
 .../test/workload-fail/expected.json | 2 +-
 22 files changed, 77 insertions(+), 16 deletions(-)
 rename rules/{K8s common labels usage => k8s-common-labels-usage}/raw.rego (81%)
 rename rules/{K8s common labels usage => k8s-common-labels-usage}/rule.metadata.json (97%)
 create mode 100644 rules/k8s-common-labels-usage/test/cronjob/data.json
 rename rules/{K8s common labels usage => k8s-common-labels-usage}/test/cronjob/expected.json (86%)
 rename rules/{K8s common labels usage => k8s-common-labels-usage}/test/cronjob/input/cronjob.yaml (100%)
 create mode 100644 rules/k8s-common-labels-usage/test/pod/data.json
 rename rules/{K8s common labels usage => k8s-common-labels-usage}/test/pod/expected.json (91%)
 rename rules/{K8s common labels usage => k8s-common-labels-usage}/test/pod/input/pod.yaml (100%)
 create mode 100644 rules/k8s-common-labels-usage/test/workload-fail/data.json
 rename rules/{K8s common labels usage => k8s-common-labels-usage}/test/workload-fail/expected.json (89%)
 rename rules/{K8s common labels usage =>
k8s-common-labels-usage}/test/workload-fail/input/deployment.yaml (100%)
 rename rules/{K8s common labels usage => k8s-common-labels-usage}/test/workload/expected.json (100%)
 rename rules/{K8s common labels usage => k8s-common-labels-usage}/test/workload/input/deployment.yaml (100%)
 create mode 100644 rules/label-usage-for-resources/test/cronjob/data.json
 create mode 100644 rules/label-usage-for-resources/test/pod/data.json
 create mode 100644 rules/label-usage-for-resources/test/workload-fail/data.json

diff --git a/ControlID_RuleName.csv b/ControlID_RuleName.csv
index dee396dae..51235bb80 100644
--- a/ControlID_RuleName.csv
+++ b/ControlID_RuleName.csv
@@ -69,7 +69,7 @@ C-0073,naked-pods
 C-0074,containers-mounting-docker-socket
 C-0075,image-pull-policy-is-not-set-to-always
 C-0076,label-usage-for-resources
-C-0077,K8s common labels usage
+C-0077,k8s-common-labels-usage
 C-0078,container-image-repository
 C-0079,CVE-2022-0185
 C-0081,CVE-2022-24348
diff --git a/controls/C-0077-k8scommonlabelsusage.json b/controls/C-0077-k8scommonlabelsusage.json
index a4ed375d9..d3645ac56 100644
--- a/controls/C-0077-k8scommonlabelsusage.json
+++ b/controls/C-0077-k8scommonlabelsusage.json
@@ -10,7 +10,7 @@
 "description": "Kubernetes common labels help manage and monitor Kubernetes cluster using different tools such as kubectl, dashboard and others in an interoperable way. Refer to https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/ for more information. This control helps you find objects that don't have any of these labels defined.",
 "remediation": "Define applicable labels or use the exception mechanism to prevent further notifications.",
 "rulesNames": [
- "K8s common labels usage"
+ "k8s-common-labels-usage"
 ],
 "long_description": "Kubernetes common labels help manage and monitor Kubernetes cluster using different tools such as kubectl, dashboard and others in an interoperable way. Refer to https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/ for more information. This control helps you find objects that don't have any of these labels defined.",
 "test": "Test will check if the list of label that start with app.kubernetes.io/ are defined.",
diff --git a/rules/K8s common labels usage/raw.rego b/rules/k8s-common-labels-usage/raw.rego
similarity index 81%
rename from rules/K8s common labels usage/raw.rego
rename to rules/k8s-common-labels-usage/raw.rego
index d9adb28e4..238b41216 100644
--- a/rules/K8s common labels usage/raw.rego
+++ b/rules/k8s-common-labels-usage/raw.rego
@@ -86,19 +86,22 @@ no_K8s_label_usage(wl, podSpec, beggining_of_pod_path) = path{ no_K8s_label_or_no_K8s_label_usage(wl, start_of_path) = path{ not wl.metadata.labels - path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}] + label_key := get_label_key("") + path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}] } no_K8s_label_or_no_K8s_label_usage(wl, start_of_path) = path{ metadata := wl.metadata not metadata.labels - path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}] + label_key := get_label_key("") + path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}] } no_K8s_label_or_no_K8s_label_usage(wl, start_of_path) = path{ labels := wl.metadata.labels not all_kubernetes_labels(labels) - path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}] + label_key := get_label_key("") + path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}] } all_kubernetes_labels(labels){ @@ -106,3 +109,10 @@ all_kubernetes_labels(labels){ recommended_label := recommended_labels[_] labels[recommended_label] } + +# get_label_key accepts a parameter so it's not considered a rule +get_label_key(unused_param) = key { + recommended_labels := data.postureControlInputs.k8sRecommendedLabels + count(recommended_labels) > 0 + key := recommended_labels[0] +} else = "YOUR_LABEL" diff --git a/rules/K8s common labels usage/rule.metadata.json b/rules/k8s-common-labels-usage/rule.metadata.json similarity index 97% rename from rules/K8s common labels usage/rule.metadata.json rename to rules/k8s-common-labels-usage/rule.metadata.json index 8cfc734bc..fdf0b6bc4 100644 --- a/rules/K8s common labels usage/rule.metadata.json +++ b/rules/k8s-common-labels-usage/rule.metadata.json 
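Review bot: The three new `path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), ...}]` lines splice the label key into a dot-delimited fix path verbatim, and the keys this control is configured with contain dots (`app.kubernetes.io/name` in test/cronjob/data.json, which yields `spec.jobTemplate.spec.template.metadata.labels.app.kubernetes.io/name` in the expected output), so any consumer that splits fixPaths on `.` would turn the one label into nested `app` / `kubernetes` / `io/name` keys. I cannot tell from this diff whether the fix-path grammar has an escape or bracket form for dotted keys; if it does, the key should be encoded with it here, and if it does not, the rule should say the path is informational only. The same three lines are added to rules/label-usage-for-resources/raw.rego, whose configured keys in the fixtures (`app`, `tier`) happen not to exercise this case. The `no_K8s_label_usage` body named in the hunk header lies outside the hunk.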
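Review bot: The `else = "YOUR_LABEL"` arm of the new `get_label_key` silently covers two different situations that its comment does not mention: `data.postureControlInputs.k8sRecommendedLabels` being absent (the body is then undefined) and the list being empty, and the `count(recommended_labels) > 0` guard is redundant with `key := recommended_labels[0]`, which is already undefined on an empty array. Suggest replacing the comment with `# get_label_key takes a dummy argument so OPA treats it as a function, not a rule; it returns the first configured label key, or the placeholder when the input is missing or empty` and optionally dropping the count line. Note that the chosen key is whichever entry the operator listed first, so the fix suggestion depends on the configured order. The same helper is duplicated in rules/label-usage-for-resources/raw.rego reading `recommendedLabels`.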
@@ -1,5 +1,5 @@
 {
- "name": "K8s common labels usage",
+ "name": "k8s-common-labels-usage",
 "attributes": {
 "armoBuiltin": true
 },
diff --git a/rules/k8s-common-labels-usage/test/cronjob/data.json b/rules/k8s-common-labels-usage/test/cronjob/data.json
new file mode 100644
index 000000000..3ef3b49d3
--- /dev/null
+++ b/rules/k8s-common-labels-usage/test/cronjob/data.json
@@ -0,0 +1,8 @@
+{
+ "postureControlInputs": {
+ "k8sRecommendedLabels": [
+ "app.kubernetes.io/name",
+ "app.kubernetes.io/instance"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/rules/K8s common labels usage/test/cronjob/expected.json b/rules/k8s-common-labels-usage/test/cronjob/expected.json
similarity index 86%
rename from rules/K8s common labels usage/test/cronjob/expected.json
rename to rules/k8s-common-labels-usage/test/cronjob/expected.json
index 54bbecca0..2f9d26829 100644
--- a/rules/K8s common labels usage/test/cronjob/expected.json
+++ b/rules/k8s-common-labels-usage/test/cronjob/expected.json
@@ -2,7 +2,7 @@
 "alertMessage": "the following cronjobs the kubernetes common labels are not defined: hello",
 "failedPaths": [],
 "fixPaths": [{
- "path": "spec.jobTemplate.spec.template.metadata.labels",
+ "path": "spec.jobTemplate.spec.template.metadata.labels.app.kubernetes.io/name",
 "value": "YOUR_VALUE"
 }],
 "ruleStatus": "",
diff --git a/rules/K8s common labels usage/test/cronjob/input/cronjob.yaml b/rules/k8s-common-labels-usage/test/cronjob/input/cronjob.yaml
similarity index 100%
rename from rules/K8s common labels usage/test/cronjob/input/cronjob.yaml
rename to rules/k8s-common-labels-usage/test/cronjob/input/cronjob.yaml
diff --git a/rules/k8s-common-labels-usage/test/pod/data.json b/rules/k8s-common-labels-usage/test/pod/data.json
new file mode 100644
index 000000000..8125fe53b
--- /dev/null
+++ b/rules/k8s-common-labels-usage/test/pod/data.json
@@ -0,0 +1,5 @@
+{
+ "postureControlInputs": {
+ "k8sRecommendedLabels": []
+ }
+}
\ No newline at end of file
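Review bot: The new fixture rules/k8s-common-labels-usage/test/cronjob/data.json is committed without a final newline (`\ No newline at end of file`), and the same marker appears on the other five new data.json files in this patch (test/pod and test/workload-fail under k8s-common-labels-usage, and test/cronjob, test/pod and test/workload-fail under label-usage-for-resources). Ending each file with a newline keeps later diffs of these fixtures to the lines that actually change. Purely cosmetic; fine to fold into a follow-up.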
diff --git a/rules/K8s common labels usage/test/pod/expected.json b/rules/k8s-common-labels-usage/test/pod/expected.json
similarity index 91%
rename from rules/K8s common labels usage/test/pod/expected.json
rename to rules/k8s-common-labels-usage/test/pod/expected.json
index fa82c5e58..2a4cac865 100644
--- a/rules/K8s common labels usage/test/pod/expected.json
+++ b/rules/k8s-common-labels-usage/test/pod/expected.json
@@ -2,7 +2,7 @@
 "alertMessage": "in the following pod the kubernetes common labels are not defined: command-demo",
 "failedPaths": [],
 "fixPaths": [{
- "path": "metadata.labels",
+ "path": "metadata.labels.YOUR_LABEL",
 "value": "YOUR_VALUE"
 }],
 "ruleStatus": "",
diff --git a/rules/K8s common labels usage/test/pod/input/pod.yaml b/rules/k8s-common-labels-usage/test/pod/input/pod.yaml
similarity index 100%
rename from rules/K8s common labels usage/test/pod/input/pod.yaml
rename to rules/k8s-common-labels-usage/test/pod/input/pod.yaml
diff --git a/rules/k8s-common-labels-usage/test/workload-fail/data.json b/rules/k8s-common-labels-usage/test/workload-fail/data.json
new file mode 100644
index 000000000..3ef3b49d3
--- /dev/null
+++ b/rules/k8s-common-labels-usage/test/workload-fail/data.json
@@ -0,0 +1,8 @@
+{
+ "postureControlInputs": {
+ "k8sRecommendedLabels": [
+ "app.kubernetes.io/name",
+ "app.kubernetes.io/instance"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/rules/K8s common labels usage/test/workload-fail/expected.json b/rules/k8s-common-labels-usage/test/workload-fail/expected.json
similarity index 89%
rename from rules/K8s common labels usage/test/workload-fail/expected.json
rename to rules/k8s-common-labels-usage/test/workload-fail/expected.json
index aa02dcc2f..3a98cdfa0 100644
--- a/rules/K8s common labels usage/test/workload-fail/expected.json
+++ b/rules/k8s-common-labels-usage/test/workload-fail/expected.json
@@ -2,7 +2,7 @@
 "alertMessage": "Deployment: kubernetes-dashboard the kubernetes common labels are is not defined:",
 "failedPaths": [],
 "fixPaths": [{
- "path": "spec.template.metadata.labels",
+ "path": "spec.template.metadata.labels.app.kubernetes.io/name",
 "value": "YOUR_VALUE"
 }],
 "ruleStatus": "",
diff --git a/rules/K8s common labels usage/test/workload-fail/input/deployment.yaml b/rules/k8s-common-labels-usage/test/workload-fail/input/deployment.yaml
similarity index 100%
rename from rules/K8s common labels usage/test/workload-fail/input/deployment.yaml
rename to rules/k8s-common-labels-usage/test/workload-fail/input/deployment.yaml
diff --git a/rules/K8s common labels usage/test/workload/expected.json b/rules/k8s-common-labels-usage/test/workload/expected.json
similarity index 100%
rename from rules/K8s common labels usage/test/workload/expected.json
rename to rules/k8s-common-labels-usage/test/workload/expected.json
diff --git a/rules/K8s common labels usage/test/workload/input/deployment.yaml b/rules/k8s-common-labels-usage/test/workload/input/deployment.yaml
similarity index 100%
rename from rules/K8s common labels usage/test/workload/input/deployment.yaml
rename to rules/k8s-common-labels-usage/test/workload/input/deployment.yaml
diff --git a/rules/label-usage-for-resources/raw.rego b/rules/label-usage-for-resources/raw.rego
index e059dc7e1..a8f8e82e8 100644
--- a/rules/label-usage-for-resources/raw.rego
+++ b/rules/label-usage-for-resources/raw.rego
@@ -84,19 +84,22 @@ no_label_usage(wl, podSpec, beggining_of_pod_path) = path{ no_label_or_no_label_usage(wl, start_of_path) = path{ not wl.metadata - path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}] + label_key := get_label_key("") + path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}] } no_label_or_no_label_usage(wl, start_of_path) = path{ metadata := wl.metadata not metadata.labels - path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}] + label_key := get_label_key("") + path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}] } no_label_or_no_label_usage(wl, start_of_path) = path{ labels := wl.metadata.labels not is_desired_label(labels) - path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}] + label_key := get_label_key("") + path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}] } is_desired_label(labels) { @@ -105,3 +108,9 @@ is_desired_label(labels) { labels[recommended_label] } +# get_label_key accepts a parameter so it's not considered a rule +get_label_key(unused_param) = key { + recommended_labels := data.postureControlInputs.recommendedLabels + count(recommended_labels) > 0 + key := recommended_labels[0] +} else = "YOUR_LABEL" diff --git a/rules/label-usage-for-resources/test/cronjob/data.json b/rules/label-usage-for-resources/test/cronjob/data.json new file mode 100644 index 000000000..8e17f0794 --- /dev/null +++ b/rules/label-usage-for-resources/test/cronjob/data.json @@ -0,0 +1,5 @@ +{ + "postureControlInputs": { + "recommendedLabels": [] + } +} \ No newline at end of file diff --git a/rules/label-usage-for-resources/test/cronjob/expected.json b/rules/label-usage-for-resources/test/cronjob/expected.json index 35aca7d3c..595a928d3 100644 --- a/rules/label-usage-for-resources/test/cronjob/expected.json 
+++ b/rules/label-usage-for-resources/test/cronjob/expected.json
@@ -2,10 +2,10 @@
 "alertMessage": "the following cronjobs a certain set of labels is not defined: hello",
 "failedPaths": [],
 "fixPaths": [{
- "path": "metadata.labels",
+ "path": "metadata.labels.YOUR_LABEL",
 "value": "YOUR_VALUE"
 }, {
- "path": "spec.jobTemplate.spec.template.metadata.labels",
+ "path": "spec.jobTemplate.spec.template.metadata.labels.YOUR_LABEL",
 "value": "YOUR_VALUE"
 }],
 "ruleStatus": "",
diff --git a/rules/label-usage-for-resources/test/pod/data.json b/rules/label-usage-for-resources/test/pod/data.json
new file mode 100644
index 000000000..a391fd373
--- /dev/null
+++ b/rules/label-usage-for-resources/test/pod/data.json
@@ -0,0 +1,8 @@
+{
+ "postureControlInputs": {
+ "recommendedLabels": [
+ "app",
+ "tier"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/rules/label-usage-for-resources/test/pod/expected.json b/rules/label-usage-for-resources/test/pod/expected.json
index 18eb1ba9c..ffcc45464 100644
--- a/rules/label-usage-for-resources/test/pod/expected.json
+++ b/rules/label-usage-for-resources/test/pod/expected.json
@@ -2,7 +2,7 @@
 "alertMessage": "in the following pods a certain set of labels is not defined: command-demo",
 "failedPaths": [],
 "fixPaths": [{
- "path": "metadata.labels",
+ "path": "metadata.labels.app",
 "value": "YOUR_VALUE"
 }],
 "ruleStatus": "",
diff --git a/rules/label-usage-for-resources/test/workload-fail/data.json b/rules/label-usage-for-resources/test/workload-fail/data.json
new file mode 100644
index 000000000..a391fd373
--- /dev/null
+++ b/rules/label-usage-for-resources/test/workload-fail/data.json
@@ -0,0 +1,8 @@
+{
+ "postureControlInputs": {
+ "recommendedLabels": [
+ "app",
+ "tier"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/rules/label-usage-for-resources/test/workload-fail/expected.json b/rules/label-usage-for-resources/test/workload-fail/expected.json
index 6adc8d7c7..dcf7acfeb 100644
--- a/rules/label-usage-for-resources/test/workload-fail/expected.json
+++ b/rules/label-usage-for-resources/test/workload-fail/expected.json
@@ -2,7 +2,7 @@
 "alertMessage": "Deployment: kubernetes-dashboard a certain set of labels is not defined:",
 "failedPaths": [],
 "fixPaths": [{
- "path": "spec.template.metadata.labels",
+ "path": "spec.template.metadata.labels.app",
 "value": "YOUR_VALUE"
 }],
 "ruleStatus": "",