From a789338afc07d604ee4b309db5d8516b1a958167 Mon Sep 17 00:00:00 2001 From: joaorufi Date: Fri, 18 Mar 2022 10:44:10 -0300 Subject: [PATCH 1/5] ... Signed-off-by: joaorufi --- .../query.rego | 30 +++++++++++++++++++ .../test/negative5.yaml | 11 +++++++ .../test/positive5.yaml | 9 ++++++ .../test/positive6.yaml | 11 +++++++ .../test/positive_expected_result.json | 12 ++++++++ 5 files changed, 73 insertions(+) create mode 100644 assets/queries/k8s/authorization_mode_set_to_always_allow/test/negative5.yaml create mode 100644 assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive5.yaml create mode 100644 assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive6.yaml diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/query.rego b/assets/queries/k8s/authorization_mode_set_to_always_allow/query.rego index 08091a608cc..f7604f5e435 100644 --- a/assets/queries/k8s/authorization_mode_set_to_always_allow/query.rego +++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/query.rego 
@@ -23,6 +23,36 @@ CxPolicy[result] { } } +CxPolicy[result] { + resource := input.document[i] + resource.kind == "KubeletConfiguration" + + not common_lib.valid_key(resource, "authorization") + + result := { + "documentId": input.document[i].id, + "searchKey": "kind", + "issueType": "MissingAttribute", + "keyExpectedValue": "authorization attribute to be different from null", + "keyActualValue": "authorization attribute does not exist", + } +} + +CxPolicy[result] { + resource := input.document[i] + resource.kind == "KubeletConfiguration" + + resource.authorization.mode == "AlwaysAllow" + + result := { + "documentId": input.document[i].id, + "searchKey": "authentication.mode", + "issueType": "IncorrectValue", + "keyExpectedValue": "authorization.mode attribute should not be 'AlwaysAllow'", + "keyActualValue": "authorization.mode attribute is equal to 'AlwaysAllow'", + } +} + hasFlagWithValue(container, flag, value) { command := container.command startswith(command[a], flag) diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/negative5.yaml b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/negative5.yaml new file mode 100644 index 00000000000..a5f906b848c --- /dev/null +++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/negative5.yaml @@ -0,0 +1,11 @@ +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +serializeImagePulls: false +readOnlyPort: 0 +authentication: + anonymous: + enabled: false +authorization: + mode: webhook diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive5.yaml b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive5.yaml new file mode 100644 index 00000000000..697e916beab --- /dev/null +++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive5.yaml 
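Review bot: The MissingAttribute rule added at the top of this hunk records no rationale for why an absent `authorization` key is a finding, which makes it look redundant next to the explicit `AlwaysAllow` rule below it. Per the KubeletConfiguration reference, `authorization.mode` defaults to `AlwaysAllow` when the block is omitted, so the missing-key case is exactly as permissive as the explicit one, and that is worth stating in the query itself. I would put `# kubelet defaults authorization.mode to AlwaysAllow when the key is omitted, so a missing block is as permissive as an explicit AlwaysAllow` above the rule. For the same reason the check should also fire when `authorization` is present but has no `mode`, e.g. a second body with `not common_lib.valid_key(resource.authorization, "mode")`.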
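Review bot: The new negative fixture `negative5.yaml` sets `mode: webhook` in lowercase, but as far as I can tell from the kubelet's authorizer setup the accepted values are `AlwaysAllow` and `Webhook` (case-sensitive) and an unknown mode is rejected at startup, so this sample describes a configuration the kubelet would not run rather than a valid secure one. The query still treats it as compliant because it only compares against the literal `AlwaysAllow`, so the test passes for the wrong reason. Change the line to `mode: Webhook`; the JSON negative sample introduced later in this series carries the same value and should be adjusted alongside. The kubeval step in CI will not catch this because KubeletConfiguration is not an API-server resource type.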
@@ -0,0 +1,9 @@ +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +serializeImagePulls: false +readOnlyPort: 0 +authentication: + anonymous: + enabled: false diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive6.yaml b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive6.yaml new file mode 100644 index 00000000000..2c6e2c7036c --- /dev/null +++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive6.yaml @@ -0,0 +1,11 @@ +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +serializeImagePulls: false +readOnlyPort: 0 +authentication: + anonymous: + enabled: false +authorization: + mode: AlwaysAllow diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json index 250462c39d2..5e4ca60e049 100644 --- a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json +++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json @@ -22,5 +22,17 @@ "severity": "MEDIUM", "line": 11, "filename": "positive4.yaml" + }, + { + "queryName": "Authorization Mode Set To Always Allow", + "severity": "MEDIUM", + "line": 2, + "filename": "positive5.yaml" + }, + { + "queryName": "Authorization Mode Set To Always Allow", + "severity": "MEDIUM", + "line": 11, + "filename": "positive6.yaml" } ] \ No newline at end of file From 1b8fa87e0a3593c626a016ec59669858c92234dc Mon Sep 17 00:00:00 2001 From: joaorufi Date: Fri, 18 Mar 2022 10:55:56 -0300 Subject: [PATCH 2/5] kubelet config file 
Signed-off-by: joaorufi --- .../query.rego | 17 +---------------- .../test/negative6.json | 8 ++++++++ .../test/positive5.yaml | 2 ++ .../test/positive6.json | 8 ++++++++ .../test/positive6.yaml | 11 ----------- .../test/positive_expected_result.json | 4 ++-- 6 files changed, 21 insertions(+), 29 deletions(-) create mode 100644 assets/queries/k8s/authorization_mode_set_to_always_allow/test/negative6.json create mode 100644 assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive6.json delete mode 100644 assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive6.yaml diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/query.rego b/assets/queries/k8s/authorization_mode_set_to_always_allow/query.rego index f7604f5e435..81148ffb49f 100644 --- a/assets/queries/k8s/authorization_mode_set_to_always_allow/query.rego +++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/query.rego @@ -23,21 +23,6 @@ CxPolicy[result] { } } -CxPolicy[result] { - resource := input.document[i] - resource.kind == "KubeletConfiguration" - - not common_lib.valid_key(resource, "authorization") - - result := { - "documentId": input.document[i].id, - "searchKey": "kind", - "issueType": "MissingAttribute", - "keyExpectedValue": "authorization attribute to be different from null", - "keyActualValue": "authorization attribute does not exist", - } -} - CxPolicy[result] { resource := input.document[i] resource.kind == "KubeletConfiguration" @@ -46,7 +31,7 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, - "searchKey": "authentication.mode", + "searchKey": "kind={{KubeletConfiguration}}.authorization.mode", "issueType": "IncorrectValue", "keyExpectedValue": "authorization.mode attribute should not be 'AlwaysAllow'", "keyActualValue": "authorization.mode attribute is equal to 'AlwaysAllow'", 
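Review bot: Dropping the MissingAttribute rule in the first hunk leaves a gap: the kubelet's documented default for `authorization.mode` is `AlwaysAllow` when the `authorization` block is omitted, so a KubeletConfiguration with no `authorization` key is as permissive as one that spells it out, and after this commit the query no longer reports it (the only fixture covering that case, `positive5.yaml`, also gains an explicit `authorization: mode: AlwaysAllow` in this series). If the rule was removed because of its `searchKey`/expected-line mismatch, that can be corrected without losing the check. I would restore it with a comment stating the default and extend it so an `authorization` block without `mode` is caught as well, roughly as below; the `kind={{KubeletConfiguration}}` search key keeps it consistent with the rule this hunk retains.

```rego
# The kubelet defaults authorization.mode to AlwaysAllow when the key is
# omitted, so a missing `authorization` block (or one without `mode`) is as
# permissive as an explicit AlwaysAllow and must be reported too.
CxPolicy[result] {
	resource := input.document[i]
	resource.kind == "KubeletConfiguration"

	authorization_mode_missing(resource)

	result := {
		"documentId": input.document[i].id,
		"searchKey": "kind={{KubeletConfiguration}}",
		"issueType": "MissingAttribute",
		"keyExpectedValue": "authorization.mode should be set to a value other than 'AlwaysAllow'",
		"keyActualValue": "authorization.mode is not set, so the kubelet defaults to 'AlwaysAllow'",
	}
}

authorization_mode_missing(resource) {
	not common_lib.valid_key(resource, "authorization")
}

authorization_mode_missing(resource) {
	not common_lib.valid_key(resource.authorization, "mode")
}

# … unchanged: explicit AlwaysAllow rule and hasFlagWithValue …
```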
diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/negative6.json b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/negative6.json new file mode 100644 index 00000000000..253fea6a05e --- /dev/null +++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/negative6.json @@ -0,0 +1,8 @@ +{ + "kind": "KubeletConfiguration", + "apiVersion": "kubelet.config.k8s.io/v1beta1", + "address": "0.0.0.0", + "authorization": { + "mode": "webhook" + } +} \ No newline at end of file diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive5.yaml b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive5.yaml index 697e916beab..2c6e2c7036c 100644 --- a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive5.yaml +++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive5.yaml @@ -7,3 +7,5 @@ readOnlyPort: 0 authentication: anonymous: enabled: false +authorization: + mode: AlwaysAllow diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive6.json b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive6.json new file mode 100644 index 00000000000..dc3e9e5ee45 --- /dev/null +++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive6.json @@ -0,0 +1,8 @@ +{ + "kind": "KubeletConfiguration", + "apiVersion": "kubelet.config.k8s.io/v1beta1", + "address": "0.0.0.0", + "authorization": { + "mode": "AlwaysAllow" + } +} \ No newline at end of file diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive6.yaml b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive6.yaml deleted file mode 100644 index 2c6e2c7036c..00000000000 --- a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive6.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -apiVersion: kubelet.config.k8s.io/v1beta1 -kind: KubeletConfiguration -address: "192.168.0.8" -port: 20250 -serializeImagePulls: false -readOnlyPort: 0 -authentication: - anonymous: - enabled: false -authorization: - mode: AlwaysAllow diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json index 5e4ca60e049..cf9e605e35b 100644 --- a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json +++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json @@ -26,13 +26,13 @@ { "queryName": "Authorization Mode Set To Always Allow", "severity": "MEDIUM", - "line": 2, + "line": 11, "filename": "positive5.yaml" }, { "queryName": "Authorization Mode Set To Always Allow", "severity": "MEDIUM", - "line": 11, + "line": 6, "filename": "positive6.yaml" } ] \ No newline at end of file From 60dfae05c0d26aaf2d87d0691c9a6da42eb1d509 Mon Sep 17 00:00:00 2001 From: joaorufi Date: Fri, 18 Mar 2022 10:59:25 -0300 Subject: [PATCH 3/5] fix tests Signed-off-by: joaorufi --- .../test/positive_expected_result.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json index cf9e605e35b..0896aa5a201 100644 --- a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json +++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json @@ -33,6 +33,6 @@ "queryName": "Authorization Mode Set To Always Allow", "severity": "MEDIUM", "line": 6, - "filename": "positive6.yaml" + "filename": "positive6.json" } ] \ No newline at end of file From a74b214e2a38a25528629858b77ff0d518236cc2 Mon Sep 17 00:00:00 2001 
From: joaorufi Date: Fri, 18 Mar 2022 11:20:12 -0300 Subject: [PATCH 4/5] added model json to tests Signed-off-by: joaorufi --- test/main_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/main_test.go b/test/main_test.go index b6898972871..1ee2ffac443 100644 --- a/test/main_test.go +++ b/test/main_test.go @@ -35,7 +35,7 @@ var ( "../assets/queries/terraform/kubernetes": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"}, "../assets/queries/terraform/general": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"}, "../assets/queries/terraform/alicloud": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"}, - "../assets/queries/k8s": {FileKind: []model.FileKind{model.KindYAML}, Platform: "k8s"}, + "../assets/queries/k8s": {FileKind: []model.FileKind{model.KindYAML, model.KindJSON}, Platform: "k8s"}, "../assets/queries/cloudFormation/aws": {FileKind: []model.FileKind{model.KindYAML, model.KindJSON}, Platform: "cloudFormation"}, "../assets/queries/cloudFormation/aws_sam": {FileKind: []model.FileKind{model.KindYAML}, Platform: "cloudFormation"}, "../assets/queries/ansible/aws": {FileKind: []model.FileKind{model.KindYAML}, Platform: "ansible"}, From 79e2f8e661cdfd32cff8e38ce2f7ace29bff4784 Mon Sep 17 00:00:00 2001 From: joaorufi Date: Mon, 21 Mar 2022 10:39:01 -0300 Subject: [PATCH 5/5] kubelet validation Signed-off-by: joaorufi --- .github/workflows/validate-k8s-samples.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/validate-k8s-samples.yml b/.github/workflows/validate-k8s-samples.yml index b5c2bd5d0d0..54d5b5611f0 100644 --- a/.github/workflows/validate-k8s-samples.yml +++ b/.github/workflows/validate-k8s-samples.yml 
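Review bot: Enabling `model.KindJSON` for `../assets/queries/k8s` now feeds every `.json` file under every k8s query's `test/` directory to the harness, including the pre-existing `positive_expected_result.json` files, not just the two kubelet samples this series adds. The `cloudFormation/aws` entry directly below already uses the same YAML+JSON combination with the same directory layout, so the harness presumably filters those out by name, but that is inferred rather than visible here and is worth confirming with a full run of the k8s query tests rather than this query's alone. The enclosing `var (` block starts and ends outside the hunk.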
@@ -3,8 +3,8 @@ name: validate-k8s-samples on: pull_request: paths: - - "assets/queries/k8s/**/test/*.yaml" - - "assets/queries/k8s/**/test/*.yml" + - "assets/queries/k8s/**/test/*.yaml" + - "assets/queries/k8s/**/test/*.yml" jobs: validate-k8s-manifests: @@ -28,6 +28,6 @@ jobs: run: | python3 -u .github/scripts/samples-linters/validate-syntax.py \ "assets/queries/k8s/**/test/*.yaml" \ - --extra ' --skip-kinds CustomResourceDefinition' \ + --extra ' --skip-kinds CustomResourceDefinition,KubeletConfiguration' \ --linter .bin/kubeval \ --skip '.github/scripts/samples-linters/ignore-list/k8s' -v
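Review bot: Adding `KubeletConfiguration` to `--skip-kinds` in the second hunk means the new kubelet samples are no longer schema-checked at all, so a fixture with a value the kubelet would reject (for example `mode: webhook`, where the accepted spellings are `AlwaysAllow` and `Webhook`) passes CI unnoticed; the skip is understandable because kubeval ships API-server schemas only, but that trade-off should be written down rather than left implicit. I would add `# KubeletConfiguration is kubelet component config (kubelet.config.k8s.io), not an API-server resource; kubeval has no schema for it, so these samples are covered by the query tests only` above the `--extra` line. The first hunk removes and re-adds the two `paths` entries with identical text, so it reads as a whitespace-only change; a word in the commit message would help, and note the filter still ignores the `*.json` samples added earlier in the series, which is consistent with the YAML-only kubeval glob. I have not verified that `validate-syntax.py` forwards the comma-separated `--skip-kinds` list unchanged.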