Updated query Service Does Not Target Pod #2793 (#2881)

Signed-off-by: João Reigota <[email protected]>
Co-authored-by: rafaela-soares <[email protected]>

assets/queries/k8s/service_does_not_target_pod/query.rego

@@ -1,13 +1,16 @@
 package Cx
 
+import data.generic.k8s as k8sLib
+
 CxPolicy[result] {
 	service := input.document[i]
 	service.kind == "Service"
 	metadata := service.metadata
 	ports := service.spec.ports
 	servicePorts := ports[j]
-	contains(service.spec.selector[_])
-	confirmPorts(servicePorts) == false
+	label := service.spec.selector[_]
+	match_label(label)
+	not confirmPorts(label, servicePorts)
 
 	result := {
 		"documentId": input.document[i].id,
@@ -22,7 +25,8 @@ CxPolicy[result] {
 	service := input.document[i]
 	service.kind == "Service"
 	metadata := service.metadata
-	contains(service.spec.selector[_]) == false
+	label := service.spec.selector[_]
+	not match_label(label)
 
 	result := {
 		"documentId": input.document[i].id,
@@ -33,20 +37,20 @@ CxPolicy[result] {
 	}
 }
 
-confirmPorts(servicePorts) {
-	pod := input.document[i]
-	pod.kind == "Pod"
+listKinds := ["Pod", "Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "ReplicationController", "Job", "CronJob"]
+
+confirmPorts(label, servicePorts) {
+	resource := input.document[_]
+	resource.kind == listKinds[x]
+	resource.metadata.labels[_] == label
+	specInfo := k8sLib.getSpecInfo(resource)
 	types := {"initContainers", "containers"}
-	containers := pod.spec[types[x]][j]
-	containers.ports[k].containerPort == servicePorts.targetPort
-} else = false {
-	true
+	containers := specInfo.spec[types[j]]
+	containers[_].ports[_].containerPort == servicePorts.targetPort
 }
 
-contains(string) {
-	pod := input.document[i]
-	pod.kind == "Pod"
-	pod.metadata.labels[_] == string
-} else = false {
-	true
+match_label(string) {
+	resource := input.document[_]
+	resource.kind == listKinds[x]
+	resource.metadata.labels[_] == string
 }

assets/queries/k8s/service_does_not_target_pod/test/positive1.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: helloworld2
+spec:
+  type: NodePort
+  selector:
+    app: helloworld2
+  ports:
+    - name: http
+      nodePort: 30475
+      port: 9377
+      protocol: TCP
+      targetPort: 9377
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx2
+  labels:
+    app: hellowwwworld
+spec:
+  containers:
+    - name: nginx
+      image: nginx
+      ports:
+        - containerPort: 9377

assets/queries/k8s/service_does_not_target_pod/test/positive2.yaml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: helloworld3
+spec:
+  type: NodePort
+  selector:
+    app: helloworld3
+  ports:
+    - name: http
+      nodePort: 30475
+      port: 9377
+      protocol: TCP
+      targetPort: 9377
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: helloworld3
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: helloworld3
+  template:
+    metadata:
+      labels:
+        app: helloworld3
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:1.14.2
+          ports:
+            - containerPort: 80

assets/queries/k8s/service_does_not_target_pod/test/positive_expected_result.json

@@ -2,11 +2,13 @@
   {
     "queryName": "Service Does Not Target Pod",
     "severity": "LOW",
-    "line": 14
+    "line": 7,
+    "fileName": "positive1.yaml"
   },
   {
     "queryName": "Service Does Not Target Pod",
     "severity": "LOW",
-    "line": 24
+    "line": 14,
+    "fileName": "positive2.yaml"
   }
 ]