From d5bd98af47707481664c1fa63910dbdfc1c21050 Mon Sep 17 00:00:00 2001
From: cxMiguelSilva
Date: Tue, 17 May 2022 15:38:02 +0100
Subject: [PATCH] add support to .crt file
---
 .../metadata.json | 2 +-
 .../query.rego | 8 +++++---
 .../test/negative6.yaml | 13 +++++++++++++
 .../test/negative7.yaml | 16 ++++++++++++++++
 .../test/positive_expected_result.json | 12 ++++++------
 5 files changed, 41 insertions(+), 10 deletions(-)
 create mode 100644 assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/negative6.yaml
 create mode 100644 assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/negative7.yaml
diff --git a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/metadata.json b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/metadata.json
index 7518cf95338..b34a071900e 100644
--- a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/metadata.json
+++ b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Client Certificate Authentication Not Setup Properly",
 "severity": "HIGH",
 "category": "Access Control",
- "descriptionText": "Client Certificate Authentication should be Setup with a .pem file",
+ "descriptionText": "Client Certificate Authentication should be Setup with a .pem or .crt file",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/",
 "platform": "Kubernetes",
 "descriptionID": "78c11e53"
diff --git a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/query.rego b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/query.rego
index 7b87d5fe358..04beee7652a 100644
--- a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/query.rego
+++ b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/query.rego
@@ -33,13 +33,14 @@ CxPolicy[result] {
 cmd := command[_]
 common_lib.inArray(container.command, cmd)
 k8sLib.startWithFlag(container,"--client-ca-file")
- not k8sLib.startAndEndWithFlag(container,"--client-ca-file", ".pem")
+ not k8sLib.startAndEndWithFlag(container,"--client-ca-file", ".crt")
+ not k8sLib.startAndEndWithFlag(container,"--client-ca-file", ".pem")
 result := {
 "documentId": input.document[i].id,
 "searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.command", [metadata.name, specInfo.path, types[x], container.name]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": "Client Certification should have a .pem file",
+ "keyExpectedValue": "Client Certification should have a .pem or .crt file",
 "keyActualValue": "Client Certification is not properly set",
 "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"])
 }
@@ -71,12 +72,13 @@ CxPolicy[result] {
 doc :=input.document[i]
 doc.kind == "KubeletConfiguration"
 not endswith(doc.authentication.x509.clientCAFile, ".pem")
+ not endswith(doc.authentication.x509.clientCAFile, ".crt")
 result := {
 "documentId": doc.id,
 "searchKey": "kind={{KubeletConfiguration}}",
 "issueType": "IncorrectValue",
- "keyExpectedValue": "Client Certification should have a .pem file",
+ "keyExpectedValue": "Client Certification should have a .pem or .crt file",
 "keyActualValue": "Client Certification is not properly set",
 }
 }
diff --git a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/negative6.yaml b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/negative6.yaml
new file mode 100644
index 00000000000..006b76d57ad
--- /dev/null
+++ b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/negative6.yaml
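Review bot: The accepted-extension check is duplicated in both query.rego hunks (two `not k8sLib.startAndEndWithFlag(...)` lines in the first rule, two `not endswith(...)` lines in the second), so each further extension has to be added in four places and the two rules can drift apart; one package-level set of accepted suffixes plus a small helper per rule, as sketched below, keeps them in step. The check is a file-name heuristic — kube-apiserver and kubelet read a PEM-encoded file whatever its name, and Rego's `endswith` is case-sensitive, so a path ending in `.CRT` is still reported — and a comment on the set saying so would make that explicit. In the second rule the negated `endswith` calls also hold when `clientCAFile` is absent (negation of an undefined expression), so a KubeletConfiguration with no x509 block is reported with the same ".pem or .crt" message; that looks intended but deserves a comment. Both CxPolicy rules begin outside their hunks.
```rego
# Accepted suffixes for the client CA bundle. This is only a naming heuristic,
# matched case-sensitively: kube-apiserver and kubelet read a PEM-encoded file
# regardless of its extension.
accepted_ca_file_extensions := {".pem", ".crt"}

client_ca_flag_has_accepted_extension(container) {
	k8sLib.startAndEndWithFlag(container, "--client-ca-file", accepted_ca_file_extensions[_])
}

client_ca_file_has_accepted_extension(path) {
	endswith(path, accepted_ca_file_extensions[_])
}

# … unchanged: first CxPolicy rule up to k8sLib.startWithFlag(container,"--client-ca-file") …
	not client_ca_flag_has_accepted_extension(container)
# … unchanged: result := { … } …

# … unchanged: second CxPolicy rule up to doc.kind == "KubeletConfiguration" …
	not client_ca_file_has_accepted_extension(doc.authentication.x509.clientCAFile)
# … unchanged: result := { … } …
```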
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: command-demo
+ labels:
+ purpose: demonstrate-command
+spec:
+ containers:
+ - name: command-demo-container
+ image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+ command: ["kube-apiserver"]
+ args: ["--client-ca-file=/var/lib/ca.crt"]
+ restartPolicy: OnFailure
diff --git a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/negative7.yaml b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/negative7.yaml
new file mode 100644
index 00000000000..3b1292c74a5
--- /dev/null
+++ b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/negative7.yaml
@@ -0,0 +1,16 @@
+apiVersion: kubelet.config.k8s.io/v1beta1
+kind: KubeletConfiguration
+address: "192.168.0.8"
+port: 20250
+protectKernelDefaults: false
+serializeImagePulls: false
+authentication:
+ anonymous:
+ enabled: false
+ webhook:
+ enabled: true
+ x509:
+ clientCAFile: "/var/lib/kubernetes/ca.crt"
+authorization:
+evictionHard:
+ memory.available: "200Mi"
diff --git a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive_expected_result.json b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive_expected_result.json
index f24ae44b89c..9fe04be75e3 100644
--- a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive_expected_result.json
+++ b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive_expected_result.json
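Review bot: In negative7.yaml the `authorization:` key carries no value, so it parses as null rather than as the mapping a KubeletConfiguration would hold; the rule under test reads only `kind` and `authentication.x509.clientCAFile`, so the query is unaffected, but a fixture presented as a valid configuration should not rest on a null section — give the key a value or drop it. In negative6.yaml the flag is passed through `args` while the first rule matches `kube-apiserver` in `command` and delegates the flag lookup to `k8sLib.startWithFlag`, so this fixture presumably also pins that args are inspected; a line such as `# flag supplied via args, not command` above `args:` would record that intent. Both new fixtures exercise only the lowercase `.crt` suffix, which is all the new rego lines accept.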
@@ -3,36 +3,36 @@
 "queryName": "Client Certificate Authentication Not Setup Properly",
 "severity": "HIGH",
 "line": 11,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml"
 },
 {
 "queryName": "Client Certificate Authentication Not Setup Properly",
 "severity": "HIGH",
 "line": 11,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml"
 },
 {
 "queryName": "Client Certificate Authentication Not Setup Properly",
 "severity": "HIGH",
 "line": 11,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml"
 },
 {
 "queryName": "Client Certificate Authentication Not Setup Properly",
 "severity": "HIGH",
 "line": 2,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml"
 },
 {
 "queryName": "Client Certificate Authentication Not Setup Properly",
 "severity": "HIGH",
 "line": 2,
- "filename": "positive5.yaml"
+ "fileName": "positive5.yaml"
 },
 {
 "queryName": "Client Certificate Authentication Not Setup Properly",
 "severity": "HIGH",
 "line": 2,
- "filename": "positive6.yaml"
+ "fileName": "positive6.yaml"
 }
 ]