From 2da1cfb5bcac25652874877306b518633116fa3b Mon Sep 17 00:00:00 2001 From: Meital Rudnitsky Date: Tue, 3 Oct 2023 11:06:04 +0300 Subject: [PATCH 1/7] add .YOUR_KEY to C-0077 & C-0076 Signed-off-by: Meital Rudnitsky --- rules/K8s common labels usage/raw.rego | 6 +++--- rules/label-usage-for-resources/raw.rego | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/K8s common labels usage/raw.rego b/rules/K8s common labels usage/raw.rego index f5d103bd7..97bbeb496 100644 --- a/rules/K8s common labels usage/raw.rego +++ b/rules/K8s common labels usage/raw.rego @@ -86,19 +86,19 @@ no_K8s_label_usage(wl, podSpec, beggining_of_pod_path) = path{ no_K8s_label_or_no_K8s_label_usage(wl, beggining_of_path) = path{ not wl.metadata.labels - path = [{"path": sprintf("%vmetadata.labels", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels.YOUR_KEY", [beggining_of_path]), "value": "YOUR_VALUE"}] } no_K8s_label_or_no_K8s_label_usage(wl, beggining_of_path) = path{ metadata := wl.metadata not metadata.labels - path = [{"path": sprintf("%vmetadata.labels", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels.YOUR_KEY", [beggining_of_path]), "value": "YOUR_VALUE"}] } no_K8s_label_or_no_K8s_label_usage(wl, beggining_of_path) = path{ labels := wl.metadata.labels not all_kubernetes_labels(labels) - path = [{"path": sprintf("%vmetadata.labels", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels.YOUR_KEY", [beggining_of_path]), "value": "YOUR_VALUE"}] } all_kubernetes_labels(labels){ diff --git a/rules/label-usage-for-resources/raw.rego b/rules/label-usage-for-resources/raw.rego index 464c704cd..92ec1f896 100644 --- a/rules/label-usage-for-resources/raw.rego +++ b/rules/label-usage-for-resources/raw.rego @@ -84,19 +84,19 @@ no_label_usage(wl, podSpec, beggining_of_pod_path) = path{ no_label_or_no_label_usage(wl, beggining_of_path) = path{ not wl.metadata - path = [{"path": sprintf("%vmetadata.labels", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels.YOUR_KEY", [beggining_of_path]), "value": "YOUR_VALUE"}] } no_label_or_no_label_usage(wl, beggining_of_path) = path{ metadata := wl.metadata not metadata.labels - path = [{"path": sprintf("%vmetadata.labels", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels.YOUR_KEY", [beggining_of_path]), "value": "YOUR_VALUE"}] } no_label_or_no_label_usage(wl, beggining_of_path) = path{ labels := wl.metadata.labels not is_desired_label(labels) - path = [{"path": sprintf("%vmetadata.labels", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels.YOUR_KEY", [beggining_of_path]), "value": "YOUR_VALUE"}] } is_desired_label(labels) { From e9320a32a78d94060cde34c87c20a150011966e3 Mon Sep 17 00:00:00 2001 From: Meital Rudnitsky Date: Tue, 3 Oct 2023 11:42:30 +0300 Subject: [PATCH 2/7] fix tests Signed-off-by: Meital Rudnitsky --- rules/K8s common labels usage/test/cronjob/expected.json | 2 +- rules/K8s common labels usage/test/pod/expected.json | 2 +- .../K8s common labels usage/test/workload-fail/expected.json | 2 +- rules/label-usage-for-resources/test/cronjob/expected.json | 4 ++-- rules/label-usage-for-resources/test/pod/expected.json | 2 +- .../test/workload-fail/expected.json | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/K8s common labels usage/test/cronjob/expected.json b/rules/K8s common labels usage/test/cronjob/expected.json index 54bbecca0..b392487fb 100644 --- a/rules/K8s common labels usage/test/cronjob/expected.json +++ b/rules/K8s common labels usage/test/cronjob/expected.json @@ -2,7 +2,7 @@ "alertMessage": "the following cronjobs the kubernetes common labels are not defined: hello", "failedPaths": [], "fixPaths": [{ - "path": "spec.jobTemplate.spec.template.metadata.labels", + "path": "spec.jobTemplate.spec.template.metadata.labels.YOUR_KEY", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/K8s common labels usage/test/pod/expected.json b/rules/K8s common labels usage/test/pod/expected.json index fa82c5e58..06c6b8361 100644 --- a/rules/K8s common labels usage/test/pod/expected.json +++ b/rules/K8s common labels usage/test/pod/expected.json @@ -2,7 +2,7 @@ "alertMessage": "in the following pod the kubernetes common labels are not defined: command-demo", "failedPaths": [], "fixPaths": [{ - "path": "metadata.labels", + "path": "metadata.labels.YOUR_KEY", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/K8s common labels usage/test/workload-fail/expected.json b/rules/K8s common labels usage/test/workload-fail/expected.json index aa02dcc2f..b5035f7d9 100644 --- a/rules/K8s common labels usage/test/workload-fail/expected.json +++ b/rules/K8s common labels usage/test/workload-fail/expected.json @@ -2,7 +2,7 @@ "alertMessage": "Deployment: kubernetes-dashboard the kubernetes common labels are is not defined:", "failedPaths": [], "fixPaths": [{ - "path": "spec.template.metadata.labels", + "path": "spec.template.metadata.labels.YOUR_KEY", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/label-usage-for-resources/test/cronjob/expected.json b/rules/label-usage-for-resources/test/cronjob/expected.json index 35aca7d3c..c6f1f9a05 100644 --- a/rules/label-usage-for-resources/test/cronjob/expected.json +++ b/rules/label-usage-for-resources/test/cronjob/expected.json @@ -2,10 +2,10 @@ "alertMessage": "the following cronjobs a certain set of labels is not defined: hello", "failedPaths": [], "fixPaths": [{ - "path": "metadata.labels", + "path": "metadata.labels.YOUR_KEY", "value": "YOUR_VALUE" }, { - "path": "spec.jobTemplate.spec.template.metadata.labels", + "path": "spec.jobTemplate.spec.template.metadata.labels.YOUR_KEY", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/label-usage-for-resources/test/pod/expected.json b/rules/label-usage-for-resources/test/pod/expected.json index 18eb1ba9c..703e96eee 100644 --- a/rules/label-usage-for-resources/test/pod/expected.json +++ b/rules/label-usage-for-resources/test/pod/expected.json @@ -2,7 +2,7 @@ "alertMessage": "in the following pods a certain set of labels is not defined: command-demo", "failedPaths": [], "fixPaths": [{ - "path": "metadata.labels", + "path": "metadata.labels.YOUR_KEY", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/label-usage-for-resources/test/workload-fail/expected.json b/rules/label-usage-for-resources/test/workload-fail/expected.json index 6adc8d7c7..59bf2fc95 100644 --- a/rules/label-usage-for-resources/test/workload-fail/expected.json +++ b/rules/label-usage-for-resources/test/workload-fail/expected.json @@ -2,7 +2,7 @@ "alertMessage": "Deployment: kubernetes-dashboard a certain set of labels is not defined:", "failedPaths": [], "fixPaths": [{ - "path": "spec.template.metadata.labels", + "path": "spec.template.metadata.labels.YOUR_KEY", "value": "YOUR_VALUE" }], "ruleStatus": "", From 8b28919a879a150706fd1898608291ccec14f250 Mon Sep 17 00:00:00 2001 From: Meital Rudnitsky Date: Tue, 3 Oct 2023 12:08:49 +0300 Subject: [PATCH 3/7] fix rule naming convention Signed-off-by: Meital Rudnitsky --- ControlID_RuleName.csv | 2 +- controls/C-0077-k8scommonlabelsusage.json | 2 +- .../raw.rego | 0 .../rule.metadata.json | 2 +- .../test/cronjob/expected.json | 0 .../test/cronjob/input/cronjob.yaml | 0 .../test/pod/expected.json | 0 .../test/pod/input/pod.yaml | 0 .../test/workload-fail/expected.json | 0 .../test/workload-fail/input/deployment.yaml | 0 .../test/workload/expected.json | 0 .../test/workload/input/deployment.yaml | 0 12 files changed, 3 insertions(+), 3 deletions(-) rename rules/{K8s common labels usage => k8s-common-labels-usage}/raw.rego (100%) rename rules/{K8s common labels usage => k8s-common-labels-usage}/rule.metadata.json (97%) rename rules/{K8s common labels usage => k8s-common-labels-usage}/test/cronjob/expected.json (100%) rename rules/{K8s common labels usage => k8s-common-labels-usage}/test/cronjob/input/cronjob.yaml (100%) rename rules/{K8s common labels usage => k8s-common-labels-usage}/test/pod/expected.json (100%) rename rules/{K8s common labels usage => k8s-common-labels-usage}/test/pod/input/pod.yaml (100%) rename rules/{K8s common labels usage => k8s-common-labels-usage}/test/workload-fail/expected.json (100%) rename rules/{K8s common labels usage => k8s-common-labels-usage}/test/workload-fail/input/deployment.yaml (100%) rename rules/{K8s common labels usage => k8s-common-labels-usage}/test/workload/expected.json (100%) rename rules/{K8s common labels usage => k8s-common-labels-usage}/test/workload/input/deployment.yaml (100%) diff --git a/ControlID_RuleName.csv b/ControlID_RuleName.csv index dee396dae..51235bb80 100644 --- a/ControlID_RuleName.csv +++ b/ControlID_RuleName.csv @@ -69,7 +69,7 @@ C-0073,naked-pods C-0074,containers-mounting-docker-socket C-0075,image-pull-policy-is-not-set-to-always C-0076,label-usage-for-resources -C-0077,K8s common labels usage +C-0077,k8s-common-labels-usage C-0078,container-image-repository C-0079,CVE-2022-0185 C-0081,CVE-2022-24348 diff --git a/controls/C-0077-k8scommonlabelsusage.json b/controls/C-0077-k8scommonlabelsusage.json index a4ed375d9..d3645ac56 100644 --- a/controls/C-0077-k8scommonlabelsusage.json +++ b/controls/C-0077-k8scommonlabelsusage.json @@ -10,7 +10,7 @@ "description": "Kubernetes common labels help manage and monitor Kubernetes cluster using different tools such as kubectl, dashboard and others in an interoperable way. Refer to https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/ for more information. This control helps you find objects that don't have any of these labels defined.", "remediation": "Define applicable labels or use the exception mechanism to prevent further notifications.", "rulesNames": [ - "K8s common labels usage" + "k8s-common-labels-usage" ], "long_description": "Kubernetes common labels help manage and monitor Kubernetes cluster using different tools such as kubectl, dashboard and others in an interoperable way. Refer to https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/ for more information. This control helps you find objects that don't have any of these labels defined.", "test": "Test will check if the list of label that start with app.kubernetes.io/ are defined.", diff --git a/rules/K8s common labels usage/raw.rego b/rules/k8s-common-labels-usage/raw.rego similarity index 100% rename from rules/K8s common labels usage/raw.rego rename to rules/k8s-common-labels-usage/raw.rego diff --git a/rules/K8s common labels usage/rule.metadata.json b/rules/k8s-common-labels-usage/rule.metadata.json similarity index 97% rename from rules/K8s common labels usage/rule.metadata.json rename to rules/k8s-common-labels-usage/rule.metadata.json index 609c361c7..4dbfbd4a4 100644 --- a/rules/K8s common labels usage/rule.metadata.json +++ b/rules/k8s-common-labels-usage/rule.metadata.json @@ -1,5 +1,5 @@ { - "name": "K8s common labels usage", + "name": "k8s-common-labels-usage", "attributes": { "armoBuiltin": true }, diff --git a/rules/K8s common labels usage/test/cronjob/expected.json b/rules/k8s-common-labels-usage/test/cronjob/expected.json similarity index 100% rename from rules/K8s common labels usage/test/cronjob/expected.json rename to rules/k8s-common-labels-usage/test/cronjob/expected.json diff --git a/rules/K8s common labels usage/test/cronjob/input/cronjob.yaml b/rules/k8s-common-labels-usage/test/cronjob/input/cronjob.yaml similarity index 100% rename from rules/K8s common labels usage/test/cronjob/input/cronjob.yaml rename to rules/k8s-common-labels-usage/test/cronjob/input/cronjob.yaml diff --git a/rules/K8s common labels usage/test/pod/expected.json b/rules/k8s-common-labels-usage/test/pod/expected.json similarity index 100% rename from rules/K8s common labels usage/test/pod/expected.json rename to rules/k8s-common-labels-usage/test/pod/expected.json diff --git a/rules/K8s common labels usage/test/pod/input/pod.yaml b/rules/k8s-common-labels-usage/test/pod/input/pod.yaml similarity index 100% rename from rules/K8s common labels usage/test/pod/input/pod.yaml rename to rules/k8s-common-labels-usage/test/pod/input/pod.yaml diff --git a/rules/K8s common labels usage/test/workload-fail/expected.json b/rules/k8s-common-labels-usage/test/workload-fail/expected.json similarity index 100% rename from rules/K8s common labels usage/test/workload-fail/expected.json rename to rules/k8s-common-labels-usage/test/workload-fail/expected.json diff --git a/rules/K8s common labels usage/test/workload-fail/input/deployment.yaml b/rules/k8s-common-labels-usage/test/workload-fail/input/deployment.yaml similarity index 100% rename from rules/K8s common labels usage/test/workload-fail/input/deployment.yaml rename to rules/k8s-common-labels-usage/test/workload-fail/input/deployment.yaml diff --git a/rules/K8s common labels usage/test/workload/expected.json b/rules/k8s-common-labels-usage/test/workload/expected.json similarity index 100% rename from rules/K8s common labels usage/test/workload/expected.json rename to rules/k8s-common-labels-usage/test/workload/expected.json diff --git a/rules/K8s common labels usage/test/workload/input/deployment.yaml b/rules/k8s-common-labels-usage/test/workload/input/deployment.yaml similarity index 100% rename from rules/K8s common labels usage/test/workload/input/deployment.yaml rename to rules/k8s-common-labels-usage/test/workload/input/deployment.yaml From 662926e68528d708940b2739c9d72126aa2f0cd5 Mon Sep 17 00:00:00 2001 From: Meital Rudnitsky Date: Sun, 8 Oct 2023 17:07:58 +0300 Subject: [PATCH 4/7] use 1st value of recommended labels for label key Signed-off-by: Meital Rudnitsky --- rules/k8s-common-labels-usage/raw.rego | 12 +++++++++--- rules/k8s-common-labels-usage/test/cronjob/data.json | 8 ++++++++ .../test/cronjob/expected.json | 2 +- rules/k8s-common-labels-usage/test/pod/expected.json | 2 +- .../test/workload-fail/data.json | 8 ++++++++ .../test/workload-fail/expected.json | 2 +- rules/label-usage-for-resources/raw.rego | 11 ++++++++--- .../test/cronjob/expected.json | 4 ++-- rules/label-usage-for-resources/test/pod/data.json | 8 ++++++++ .../label-usage-for-resources/test/pod/expected.json | 2 +- .../test/workload-fail/data.json | 8 ++++++++ .../test/workload-fail/expected.json | 2 +- 12 files changed, 56 insertions(+), 13 deletions(-) create mode 100644 rules/k8s-common-labels-usage/test/cronjob/data.json create mode 100644 rules/k8s-common-labels-usage/test/workload-fail/data.json create mode 100644 rules/label-usage-for-resources/test/pod/data.json create mode 100644 rules/label-usage-for-resources/test/workload-fail/data.json diff --git a/rules/k8s-common-labels-usage/raw.rego b/rules/k8s-common-labels-usage/raw.rego index 7ae3bac8f..24eea2d7c 100644 --- a/rules/k8s-common-labels-usage/raw.rego +++ b/rules/k8s-common-labels-usage/raw.rego @@ -86,19 +86,19 @@ no_K8s_label_usage(wl, podSpec, beggining_of_pod_path) = path{ no_K8s_label_or_no_K8s_label_usage(wl, beggining_of_path) = path{ not wl.metadata.labels - path = [{"path": sprintf("%vmetadata.labels.YOUR_KEY", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, get_label_key()]), "value": "YOUR_VALUE"}] } no_K8s_label_or_no_K8s_label_usage(wl, beggining_of_path) = path{ metadata := wl.metadata not metadata.labels - path = [{"path": sprintf("%vmetadata.labels.YOUR_KEY", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, get_label_key()]), "value": "YOUR_VALUE"}] } no_K8s_label_or_no_K8s_label_usage(wl, beggining_of_path) = path{ labels := wl.metadata.labels not all_kubernetes_labels(labels) - path = [{"path": sprintf("%vmetadata.labels.YOUR_KEY", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, get_label_key()]), "value": "YOUR_VALUE"}] } all_kubernetes_labels(labels){ @@ -106,3 +106,9 @@ all_kubernetes_labels(labels){ recommended_label := recommended_labels[_] labels[recommended_label] } + +get_label_key() = key { + recommended_labels := data.postureControlInputs.k8sRecommendedLabels + count(recommended_labels) > 0 + key := recommended_labels[0] +} else = "YOUR_LABEL" diff --git a/rules/k8s-common-labels-usage/test/cronjob/data.json b/rules/k8s-common-labels-usage/test/cronjob/data.json new file mode 100644 index 000000000..3ef3b49d3 --- /dev/null +++ b/rules/k8s-common-labels-usage/test/cronjob/data.json @@ -0,0 +1,8 @@ +{ + "postureControlInputs": { + "k8sRecommendedLabels": [ + "app.kubernetes.io/name", + "app.kubernetes.io/instance" + ] + } +} \ No newline at end of file diff --git a/rules/k8s-common-labels-usage/test/cronjob/expected.json b/rules/k8s-common-labels-usage/test/cronjob/expected.json index b392487fb..2f9d26829 100644 --- a/rules/k8s-common-labels-usage/test/cronjob/expected.json +++ b/rules/k8s-common-labels-usage/test/cronjob/expected.json @@ -2,7 +2,7 @@ "alertMessage": "the following cronjobs the kubernetes common labels are not defined: hello", "failedPaths": [], "fixPaths": [{ - "path": "spec.jobTemplate.spec.template.metadata.labels.YOUR_KEY", + "path": "spec.jobTemplate.spec.template.metadata.labels.app.kubernetes.io/name", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/k8s-common-labels-usage/test/pod/expected.json b/rules/k8s-common-labels-usage/test/pod/expected.json index 06c6b8361..2a4cac865 100644 --- a/rules/k8s-common-labels-usage/test/pod/expected.json +++ b/rules/k8s-common-labels-usage/test/pod/expected.json @@ -2,7 +2,7 @@ "alertMessage": "in the following pod the kubernetes common labels are not defined: command-demo", "failedPaths": [], "fixPaths": [{ - "path": "metadata.labels.YOUR_KEY", + "path": "metadata.labels.YOUR_LABEL", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/k8s-common-labels-usage/test/workload-fail/data.json b/rules/k8s-common-labels-usage/test/workload-fail/data.json new file mode 100644 index 000000000..3ef3b49d3 --- /dev/null +++ b/rules/k8s-common-labels-usage/test/workload-fail/data.json @@ -0,0 +1,8 @@ +{ + "postureControlInputs": { + "k8sRecommendedLabels": [ + "app.kubernetes.io/name", + "app.kubernetes.io/instance" + ] + } +} \ No newline at end of file diff --git a/rules/k8s-common-labels-usage/test/workload-fail/expected.json b/rules/k8s-common-labels-usage/test/workload-fail/expected.json index b5035f7d9..3a98cdfa0 100644 --- a/rules/k8s-common-labels-usage/test/workload-fail/expected.json +++ b/rules/k8s-common-labels-usage/test/workload-fail/expected.json @@ -2,7 +2,7 @@ "alertMessage": "Deployment: kubernetes-dashboard the kubernetes common labels are is not defined:", "failedPaths": [], "fixPaths": [{ - "path": "spec.template.metadata.labels.YOUR_KEY", + "path": "spec.template.metadata.labels.app.kubernetes.io/name", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/label-usage-for-resources/raw.rego b/rules/label-usage-for-resources/raw.rego index 197422fde..85cb2c3c0 100644 --- a/rules/label-usage-for-resources/raw.rego +++ b/rules/label-usage-for-resources/raw.rego @@ -84,19 +84,19 @@ no_label_usage(wl, podSpec, beggining_of_pod_path) = path{ no_label_or_no_label_usage(wl, beggining_of_path) = path{ not wl.metadata - path = [{"path": sprintf("%vmetadata.labels.YOUR_KEY", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, get_label_key()]), "value": "YOUR_VALUE"}] } no_label_or_no_label_usage(wl, beggining_of_path) = path{ metadata := wl.metadata not metadata.labels - path = [{"path": sprintf("%vmetadata.labels.YOUR_KEY", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, get_label_key()]), "value": "YOUR_VALUE"}] } no_label_or_no_label_usage(wl, beggining_of_path) = path{ labels := wl.metadata.labels not is_desired_label(labels) - path = [{"path": sprintf("%vmetadata.labels.YOUR_KEY", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, get_label_key()]), "value": "YOUR_VALUE"}] } is_desired_label(labels) { @@ -105,3 +105,8 @@ is_desired_label(labels) { labels[recommended_label] } +get_label_key() = key { + recommended_labels := data.postureControlInputs.recommendedLabels + count(recommended_labels) > 0 + key := recommended_labels[0] +} else = "YOUR_LABEL" diff --git a/rules/label-usage-for-resources/test/cronjob/expected.json b/rules/label-usage-for-resources/test/cronjob/expected.json index c6f1f9a05..595a928d3 100644 --- a/rules/label-usage-for-resources/test/cronjob/expected.json +++ b/rules/label-usage-for-resources/test/cronjob/expected.json @@ -2,10 +2,10 @@ "alertMessage": "the following cronjobs a certain set of labels is not defined: hello", "failedPaths": [], "fixPaths": [{ - "path": "metadata.labels.YOUR_KEY", + "path": "metadata.labels.YOUR_LABEL", "value": "YOUR_VALUE" }, { - "path": "spec.jobTemplate.spec.template.metadata.labels.YOUR_KEY", + "path": "spec.jobTemplate.spec.template.metadata.labels.YOUR_LABEL", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/label-usage-for-resources/test/pod/data.json b/rules/label-usage-for-resources/test/pod/data.json new file mode 100644 index 000000000..a391fd373 --- /dev/null +++ b/rules/label-usage-for-resources/test/pod/data.json @@ -0,0 +1,8 @@ +{ + "postureControlInputs": { + "recommendedLabels": [ + "app", + "tier" + ] + } +} \ No newline at end of file diff --git a/rules/label-usage-for-resources/test/pod/expected.json b/rules/label-usage-for-resources/test/pod/expected.json index 703e96eee..ffcc45464 100644 --- a/rules/label-usage-for-resources/test/pod/expected.json +++ b/rules/label-usage-for-resources/test/pod/expected.json @@ -2,7 +2,7 @@ "alertMessage": "in the following pods a certain set of labels is not defined: command-demo", "failedPaths": [], "fixPaths": [{ - "path": "metadata.labels.YOUR_KEY", + "path": "metadata.labels.app", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/label-usage-for-resources/test/workload-fail/data.json b/rules/label-usage-for-resources/test/workload-fail/data.json new file mode 100644 index 000000000..a391fd373 --- /dev/null +++ b/rules/label-usage-for-resources/test/workload-fail/data.json @@ -0,0 +1,8 @@ +{ + "postureControlInputs": { + "recommendedLabels": [ + "app", + "tier" + ] + } +} \ No newline at end of file diff --git a/rules/label-usage-for-resources/test/workload-fail/expected.json b/rules/label-usage-for-resources/test/workload-fail/expected.json index 59bf2fc95..dcf7acfeb 100644 --- a/rules/label-usage-for-resources/test/workload-fail/expected.json +++ b/rules/label-usage-for-resources/test/workload-fail/expected.json @@ -2,7 +2,7 @@ "alertMessage": "Deployment: kubernetes-dashboard a certain set of labels is not defined:", "failedPaths": [], "fixPaths": [{ - "path": "spec.template.metadata.labels.YOUR_KEY", + "path": "spec.template.metadata.labels.app", "value": "YOUR_VALUE" }], "ruleStatus": "", From 82c8a3efe1e9556aa32ca23f880e1549640527f0 Mon Sep 17 00:00:00 2001 From: Meital Rudnitsky Date: Sun, 8 Oct 2023 19:43:36 +0300 Subject: [PATCH 5/7] fix test Signed-off-by: Meital Rudnitsky --- rules/k8s-common-labels-usage/raw.rego | 9 ++++++--- rules/label-usage-for-resources/raw.rego | 9 ++++++--- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/rules/k8s-common-labels-usage/raw.rego b/rules/k8s-common-labels-usage/raw.rego index 24eea2d7c..a31d4bd70 100644 --- a/rules/k8s-common-labels-usage/raw.rego +++ b/rules/k8s-common-labels-usage/raw.rego @@ -86,19 +86,22 @@ no_K8s_label_usage(wl, podSpec, beggining_of_pod_path) = path{ no_K8s_label_or_no_K8s_label_usage(wl, beggining_of_path) = path{ not wl.metadata.labels - path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, get_label_key()]), "value": "YOUR_VALUE"}] + label_key := get_label_key() + path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, label_key]), "value": "YOUR_VALUE"}] } no_K8s_label_or_no_K8s_label_usage(wl, beggining_of_path) = path{ metadata := wl.metadata not metadata.labels - path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, get_label_key()]), "value": "YOUR_VALUE"}] + label_key := get_label_key() + path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, label_key]), "value": "YOUR_VALUE"}] } no_K8s_label_or_no_K8s_label_usage(wl, beggining_of_path) = path{ labels := wl.metadata.labels not all_kubernetes_labels(labels) - path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, get_label_key()]), "value": "YOUR_VALUE"}] + label_key := get_label_key() + path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, label_key]), "value": "YOUR_VALUE"}] } all_kubernetes_labels(labels){ diff --git a/rules/label-usage-for-resources/raw.rego b/rules/label-usage-for-resources/raw.rego index 85cb2c3c0..4195f63de 100644 --- a/rules/label-usage-for-resources/raw.rego +++ b/rules/label-usage-for-resources/raw.rego @@ -84,19 +84,22 @@ no_label_usage(wl, podSpec, beggining_of_pod_path) = path{ no_label_or_no_label_usage(wl, beggining_of_path) = path{ not wl.metadata - path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, get_label_key()]), "value": "YOUR_VALUE"}] + label_key := get_label_key() + path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, label_key]), "value": "YOUR_VALUE"}] } no_label_or_no_label_usage(wl, beggining_of_path) = path{ metadata := wl.metadata not metadata.labels - path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, get_label_key()]), "value": "YOUR_VALUE"}] + label_key := get_label_key() + path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, label_key]), "value": "YOUR_VALUE"}] } no_label_or_no_label_usage(wl, beggining_of_path) = path{ labels := wl.metadata.labels not is_desired_label(labels) - path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, get_label_key()]), "value": "YOUR_VALUE"}] + label_key := get_label_key() + path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, label_key]), "value": "YOUR_VALUE"}] } is_desired_label(labels) { From 45ce278b1313fa6dbdee2b0f6e4d659c25bbf3b9 Mon Sep 17 00:00:00 2001 From: YiscahLevySilas1 Date: Mon, 9 Oct 2023 13:01:06 +0300 Subject: [PATCH 6/7] fix rules Signed-off-by: YiscahLevySilas1 --- rules/k8s-common-labels-usage/raw.rego | 14 ++++---------- rules/k8s-common-labels-usage/test/pod/data.json | 5 +++++ rules/label-usage-for-resources/raw.rego | 14 ++++---------- .../test/cronjob/data.json | 5 +++++ 4 files changed, 18 insertions(+), 20 deletions(-) create mode 100644 rules/k8s-common-labels-usage/test/pod/data.json create mode 100644 rules/label-usage-for-resources/test/cronjob/data.json diff --git a/rules/k8s-common-labels-usage/raw.rego b/rules/k8s-common-labels-usage/raw.rego index a31d4bd70..1c293215f 100644 --- a/rules/k8s-common-labels-usage/raw.rego +++ b/rules/k8s-common-labels-usage/raw.rego @@ -86,21 +86,14 @@ no_K8s_label_usage(wl, podSpec, beggining_of_pod_path) = path{ no_K8s_label_or_no_K8s_label_usage(wl, beggining_of_path) = path{ not wl.metadata.labels - label_key := get_label_key() - path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, label_key]), "value": "YOUR_VALUE"}] -} - -no_K8s_label_or_no_K8s_label_usage(wl, beggining_of_path) = path{ - metadata := wl.metadata - not metadata.labels - label_key := get_label_key() + label_key := get_label_key("") path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, label_key]), "value": "YOUR_VALUE"}] } no_K8s_label_or_no_K8s_label_usage(wl, beggining_of_path) = path{ labels := wl.metadata.labels not all_kubernetes_labels(labels) - label_key := get_label_key() + label_key := get_label_key("") path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, label_key]), "value": "YOUR_VALUE"}] } @@ -110,7 +103,8 @@ all_kubernetes_labels(labels){ labels[recommended_label] } -get_label_key() = key { +# get_label_key accepts a parameter so it's not considered a rule +get_label_key(unused_param) = key { recommended_labels := data.postureControlInputs.k8sRecommendedLabels count(recommended_labels) > 0 key := recommended_labels[0] diff --git a/rules/k8s-common-labels-usage/test/pod/data.json b/rules/k8s-common-labels-usage/test/pod/data.json new file mode 100644 index 000000000..8125fe53b --- /dev/null +++ b/rules/k8s-common-labels-usage/test/pod/data.json @@ -0,0 +1,5 @@ +{ + "postureControlInputs": { + "k8sRecommendedLabels": [] + } +} \ No newline at end of file diff --git a/rules/label-usage-for-resources/raw.rego b/rules/label-usage-for-resources/raw.rego index 4195f63de..3cfc17966 100644 --- a/rules/label-usage-for-resources/raw.rego +++ b/rules/label-usage-for-resources/raw.rego @@ -84,21 +84,14 @@ no_label_usage(wl, podSpec, beggining_of_pod_path) = path{ no_label_or_no_label_usage(wl, beggining_of_path) = path{ not wl.metadata - label_key := get_label_key() - path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, label_key]), "value": "YOUR_VALUE"}] -} - -no_label_or_no_label_usage(wl, beggining_of_path) = path{ - metadata := wl.metadata - not metadata.labels - label_key := get_label_key() + label_key := get_label_key("") path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, label_key]), "value": "YOUR_VALUE"}] } no_label_or_no_label_usage(wl, beggining_of_path) = path{ labels := wl.metadata.labels not is_desired_label(labels) - label_key := get_label_key() + label_key := get_label_key("") path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, label_key]), "value": "YOUR_VALUE"}] } @@ -108,7 +101,8 @@ is_desired_label(labels) { labels[recommended_label] } -get_label_key() = key { +# get_label_key accepts a parameter so it's not considered a rule +get_label_key(unused_param) = key { recommended_labels := data.postureControlInputs.recommendedLabels count(recommended_labels) > 0 key := recommended_labels[0] diff --git a/rules/label-usage-for-resources/test/cronjob/data.json b/rules/label-usage-for-resources/test/cronjob/data.json new file mode 100644 index 000000000..8e17f0794 --- /dev/null +++ b/rules/label-usage-for-resources/test/cronjob/data.json @@ -0,0 +1,5 @@ +{ + "postureControlInputs": { + "recommendedLabels": [] + } +} \ No newline at end of file From 859957022f0dba08a9a3c784b719daae5e2e7fdf Mon Sep 17 00:00:00 2001 From: YiscahLevySilas1 Date: Mon, 9 Oct 2023 13:35:14 +0300 Subject: [PATCH 7/7] fix rule Signed-off-by: YiscahLevySilas1 --- rules/label-usage-for-resources/raw.rego | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/rules/label-usage-for-resources/raw.rego b/rules/label-usage-for-resources/raw.rego index 3cfc17966..59555329f 100644 --- a/rules/label-usage-for-resources/raw.rego +++ b/rules/label-usage-for-resources/raw.rego @@ -88,6 +88,13 @@ no_label_or_no_label_usage(wl, beggining_of_path) = path{ path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, label_key]), "value": "YOUR_VALUE"}] } +no_label_or_no_label_usage(wl, beggining_of_path) = path{ + metadata := wl.metadata + not metadata.labels + label_key := get_label_key("") + path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, label_key]), "value": "YOUR_VALUE"}] +} + no_label_or_no_label_usage(wl, beggining_of_path) = path{ labels := wl.metadata.labels not is_desired_label(labels)