Updated "Service Does Not Target Pod" for K8s

assets/queries/k8s/service_does_not_target_pod/query.rego

@@ -1,13 +1,17 @@
 package Cx
 
+import data.generic.k8s as k8sLib
+
 CxPolicy[result] {
 	service := input.document[i]
 	service.kind == "Service"
 	metadata := service.metadata
 	ports := service.spec.ports
 	servicePorts := ports[j]
-	contains(service.spec.selector[_])
-	confirmPorts(servicePorts) == false
+	pod := match_label(service.spec.selector[_])
+	pod != null
+
+	not confirmPorts(servicePorts, pod)
 
 	result := {
 		"documentId": input.document[i].id,
@@ -22,7 +26,8 @@ CxPolicy[result] {
 	service := input.document[i]
 	service.kind == "Service"
 	metadata := service.metadata
-	contains(service.spec.selector[_]) == false
+	pod := match_label(service.spec.selector[_])
+	pod == null
 
 	result := {
 		"documentId": input.document[i].id,
@@ -33,30 +38,19 @@ CxPolicy[result] {
 	}
 }
 
-confirmPorts(servicePorts) {
-	pod := input.document[i]
-	pod.kind == "Pod"
+confirmPorts(servicePorts, pod) {
+	specInfo := k8sLib.getSpecInfo(pod)
 	types := {"initContainers", "containers"}
-	containers := pod.spec[types[x]][j]
-	containers.ports[k].containerPort == servicePorts.targetPort
-} else {
-	stateful_set := input.document[i]
-	stateful_set.kind == "StatefulSet"
-	types := {"initContainers", "containers"}
-	containers := stateful_set.spec.template.spec[types[x]][j]
-	containers.ports[k].containerPort == servicePorts.targetPort
-} else = false {
-	true
+	containers := specInfo.spec[types[x]]
+	containers[_].ports[_].containerPort == servicePorts.targetPort
 }
 
-contains(string) {
-	pod := input.document[i]
-	pod.kind == "Pod"
+match_label(string) = output {
+	pod := input.document[_]
+	listKinds := ["Pod", "Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "ReplicationController", "Job", "CronJob"]
+	pod.kind == listKinds[x]
 	pod.metadata.labels[_] == string
-} else {
-	stateful_set := input.document[i]
-	stateful_set.kind == "StatefulSet"
-	stateful_set.metadata.labels[_] == string
-} else = false {
+	output = pod
+} else = null {
 	true
 }

assets/queries/k8s/service_does_not_target_pod/test/positive1.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: helloworld2
+spec:
+  type: NodePort
+  selector:
+    app: helloworld2
+  ports:
+    - name: http
+      nodePort: 30475
+      port: 9377
+      protocol: TCP
+      targetPort: 9377
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx2
+  labels:
+    app: hellowwwworld
+spec:
+  containers:
+    - name: nginx
+      image: nginx
+      ports:
+        - containerPort: 9377

assets/queries/k8s/service_does_not_target_pod/test/positive2.yaml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: helloworld3
+spec:
+  type: NodePort
+  selector:
+    app: helloworld3
+  ports:
+    - name: http
+      nodePort: 30475
+      port: 9377
+      protocol: TCP
+      targetPort: 9377
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: helloworld3
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: helloworld3
+  template:
+    metadata:
+      labels:
+        app: helloworld3
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:1.14.2
+          ports:
+            - containerPort: 80

assets/queries/k8s/service_does_not_target_pod/test/positive_expected_result.json

@@ -2,11 +2,13 @@
   {
     "queryName": "Service Does Not Target Pod",
     "severity": "LOW",
-    "line": 14
+    "line": 7,
+    "fileName": "positive1.yaml"
   },
   {
     "queryName": "Service Does Not Target Pod",
     "severity": "LOW",
-    "line": 24
+    "line": 14,
+    "fileName": "positive2.yaml"
   }
 ]