From 894a685e4833d6eadbcdba6ea7f262d533af8eba Mon Sep 17 00:00:00 2001
From: David Wertenteil
Date: Sun, 6 Aug 2023 14:22:42 +0300
Subject: [PATCH] removed tested resources

Signed-off-by: David Wertenteil
---
...12-thedefaultnamespaceshouldnotbeused.json | 7 +---
.../limitrange-in-default-namespace/raw.rego | 40 -------------------
.../rule.metadata.json | 25 ------------
.../test/limitrange/expected.json | 23 -----------
.../test/limitrange/input/limitrange.yaml | 21 ----------
.../raw.rego | 40 -------------------
.../rule.metadata.json | 25 ------------
.../test/networkpolicy/expected.json | 23 -----------
.../networkpolicy/input/networkpolicy.yaml | 28 -------------
.../raw.rego | 40 -------------------
.../rule.metadata.json | 25 ------------
.../test/resourcequota/expected.json | 23 -----------
.../resourcequota/input/resourcequota.yaml | 12 ------
.../raw.rego | 40 -------------------
.../rule.metadata.json | 25 ------------
.../test/poddisruptionbudget/expected.json | 26 ------------
.../input/poddisruptionbudget.yaml | 9 -----
.../raw.rego | 40 -------------------
.../rule.metadata.json | 25 ------------
.../test/poddisruptionbudget/expected.json | 26 ------------
.../input/poddisruptionbudget.yaml | 9 -----
21 files changed, 1 insertion(+), 531 deletions(-)
delete mode 100644 rules/limitrange-in-default-namespace/raw.rego
delete mode 100644 rules/limitrange-in-default-namespace/rule.metadata.json
delete mode 100644 rules/limitrange-in-default-namespace/test/limitrange/expected.json
delete mode 100644 rules/limitrange-in-default-namespace/test/limitrange/input/limitrange.yaml
delete mode 100644 rules/networkpolicy-in-default-namespace/raw.rego
delete mode 100644 rules/networkpolicy-in-default-namespace/rule.metadata.json
delete mode 100644 rules/networkpolicy-in-default-namespace/test/networkpolicy/expected.json
delete mode 100644 rules/networkpolicy-in-default-namespace/test/networkpolicy/input/networkpolicy.yaml
delete mode 100644 rules/resourcequota-in-default-namespace/raw.rego
delete mode 100644 rules/resourcequota-in-default-namespace/rule.metadata.json
delete mode 100644 rules/resourcequota-in-default-namespace/test/resourcequota/expected.json
delete mode 100644 rules/resourcequota-in-default-namespace/test/resourcequota/input/resourcequota.yaml
delete mode 100644 rules/resources-event-1-in-default-namespace/raw.rego
delete mode 100644 rules/resources-event-1-in-default-namespace/rule.metadata.json
delete mode 100644 rules/resources-event-1-in-default-namespace/test/poddisruptionbudget/expected.json
delete mode 100644 rules/resources-event-1-in-default-namespace/test/poddisruptionbudget/input/poddisruptionbudget.yaml
delete mode 100644 rules/resources-event-2-in-default-namespace/raw.rego
delete mode 100644 rules/resources-event-2-in-default-namespace/rule.metadata.json
delete mode 100644 rules/resources-event-2-in-default-namespace/test/poddisruptionbudget/expected.json
delete mode 100644 rules/resources-event-2-in-default-namespace/test/poddisruptionbudget/input/poddisruptionbudget.yaml

diff --git a/controls/C-0212-thedefaultnamespaceshouldnotbeused.json b/controls/C-0212-thedefaultnamespaceshouldnotbeused.json
index a94082137..d5882df6d 100644
--- a/controls/C-0212-thedefaultnamespaceshouldnotbeused.json
+++ b/controls/C-0212-thedefaultnamespaceshouldnotbeused.json
@@ -18,11 +18,9 @@
 "role-in-default-namespace",
 "configmap-in-default-namespace",
 "endpoints-in-default-namespace",
- "limitrange-in-default-namespace",
 "persistentvolumeclaim-in-default-namespace",
 "podtemplate-in-default-namespace",
 "replicationcontroller-in-default-namespace",
- "resourcequota-in-default-namespace",
 "service-in-default-namespace",
 "serviceaccount-in-default-namespace",
 "endpointslice-in-default-namespace",
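Review bot: Removing `limitrange-in-default-namespace` and `resourcequota-in-default-namespace` from the rule list here (and `networkpolicy-in-default-namespace`, `resources-event-1-in-default-namespace` and `resources-event-2-in-default-namespace` in the next hunk, `@@ -30,11 +28,8 @@`) narrows what control C-0212 reports: LimitRange, ResourceQuota, NetworkPolicy and Event objects placed in the default namespace will no longer be flagged, and the commit record does not say whether that coverage moved to another rule or was dropped deliberately. The title "removed tested resources" gives no rationale, so I would add a sentence to the commit description stating why these kinds are excluded from the control, which lets consumers of C-0212 account for the reduced coverage when they compare scan results across versions. The control's description and remediation fields sit outside both hunks; if they enumerate the covered resource kinds they should be brought in line in the same commit. The enclosing JSON object starts and ends outside the hunk.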
@@ -30,11 +28,8 @@
 "lease-in-default-namespace",
 "csistoragecapacity-in-default-namespace",
 "ingress-in-default-namespace",
- "networkpolicy-in-default-namespace",
 "poddisruptionbudget-in-default-namespace",
- "resources-secret-in-default-namespace",
- "resources-event-1-in-default-namespace",
- "resources-event-2-in-default-namespace"
+ "resources-secret-in-default-namespace"
 ],
 "baseScore": 4,
 "impact_statement": "None",
diff --git a/rules/limitrange-in-default-namespace/raw.rego b/rules/limitrange-in-default-namespace/raw.rego
deleted file mode 100644
index 716352f01..000000000
--- a/rules/limitrange-in-default-namespace/raw.rego
+++ /dev/null
@@ -1,40 +0,0 @@
-package armo_builtins
-
-deny[msga] {
- resource := input[_]
- result := is_default_namespace(resource.metadata)
- failed_path := get_failed_path(result)
- fixed_path := get_fixed_path(result)
- msga := {
- "alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
- "packagename": "armo_builtins",
- "alertScore": 3,
- "failedPaths": failed_path,
- "fixPaths": fixed_path,
- "alertObject": {
- "k8sApiObjects": [resource]
- }
- }
-}
-
-is_default_namespace(metadata) = [failed_path, fixPath] {
- metadata.namespace == "default"
- failed_path = "metadata.namespace"
- fixPath = ""
-}
-
-is_default_namespace(metadata) = [failed_path, fixPath] {
- not metadata.namespace
- failed_path = ""
- fixPath = {"path": "metadata.namespace", "value": "YOUR_NAMESPACE"}
-}
-
-get_failed_path(paths) = [paths[0]] {
- paths[0] != ""
-} else = []
-
-get_fixed_path(paths) = [paths[1]] {
- paths[1] != ""
-} else = []
-
-
diff --git a/rules/limitrange-in-default-namespace/rule.metadata.json b/rules/limitrange-in-default-namespace/rule.metadata.json
deleted file mode 100644
index 495ef330e..000000000
--- a/rules/limitrange-in-default-namespace/rule.metadata.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "name": "limitrange-in-default-namespace",
- "attributes": {
- "armoBuiltin": true
- },
- "ruleLanguage": "Rego",
- "match": [
- {
- "apiGroups": [
- ""
- ],
- "apiVersions": [
- "v1"
- ],
- "resources": [
- "LimitRange"
- ]
- }
- ],
- "ruleDependencies": [
- ],
- "description": "",
- "remediation": "",
- "ruleQuery": "armo_builtins"
-}
\ No newline at end of file
diff --git a/rules/limitrange-in-default-namespace/test/limitrange/expected.json b/rules/limitrange-in-default-namespace/test/limitrange/expected.json
deleted file mode 100644
index 5986875c8..000000000
--- a/rules/limitrange-in-default-namespace/test/limitrange/expected.json
+++ /dev/null
@@ -1,23 +0,0 @@
-[
- {
- "alertMessage": "LimitRange: kubescape is in the 'default' namespace",
- "failedPaths": [
- "metadata.namespace"
- ],
- "fixPaths": [],
- "ruleStatus": "",
- "packagename": "armo_builtins",
- "alertScore": 3,
- "alertObject": {
- "k8sApiObjects": [
- {
- "apiVersion": "v1",
- "kind": "LimitRange",
- "metadata": {
- "name": "kubescape"
- }
- }
- ]
- }
- }
-]
\ No newline at end of file
diff --git a/rules/limitrange-in-default-namespace/test/limitrange/input/limitrange.yaml b/rules/limitrange-in-default-namespace/test/limitrange/input/limitrange.yaml
deleted file mode 100644
index e02a52e6c..000000000
--- a/rules/limitrange-in-default-namespace/test/limitrange/input/limitrange.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v1
-kind: LimitRange
-metadata:
- name: kubescape
- namespace: default
-spec:
- limits:
- - default:
- memory: 512Mi
- cpu: 500m
- defaultRequest:
- memory: 256Mi
- cpu: 250m
- type: Container
- - min:
- memory: 256Mi
- cpu: 200m
- max:
- memory: 1Gi
- cpu: 1
- type: Pod
diff --git a/rules/networkpolicy-in-default-namespace/raw.rego b/rules/networkpolicy-in-default-namespace/raw.rego
deleted file mode 100644
index 716352f01..000000000
--- a/rules/networkpolicy-in-default-namespace/raw.rego
+++ /dev/null
@@ -1,40 +0,0 @@
-package armo_builtins
-
-deny[msga] {
- resource := input[_]
- result := is_default_namespace(resource.metadata)
- failed_path := get_failed_path(result)
- fixed_path := get_fixed_path(result)
- msga := {
- "alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
- "packagename": "armo_builtins",
- "alertScore": 3,
- "failedPaths": failed_path,
- "fixPaths": fixed_path,
- "alertObject": {
- "k8sApiObjects": [resource]
- }
- }
-}
-
-is_default_namespace(metadata) = [failed_path, fixPath] {
- metadata.namespace == "default"
- failed_path = "metadata.namespace"
- fixPath = ""
-}
-
-is_default_namespace(metadata) = [failed_path, fixPath] {
- not metadata.namespace
- failed_path = ""
- fixPath = {"path": "metadata.namespace", "value": "YOUR_NAMESPACE"}
-}
-
-get_failed_path(paths) = [paths[0]] {
- paths[0] != ""
-} else = []
-
-get_fixed_path(paths) = [paths[1]] {
- paths[1] != ""
-} else = []
-
-
diff --git a/rules/networkpolicy-in-default-namespace/rule.metadata.json b/rules/networkpolicy-in-default-namespace/rule.metadata.json
deleted file mode 100644
index 385a405fc..000000000
--- a/rules/networkpolicy-in-default-namespace/rule.metadata.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "name": "networkpolicy-in-default-namespace",
- "attributes": {
- "armoBuiltin": true
- },
- "ruleLanguage": "Rego",
- "match": [
- {
- "apiGroups": [
- "networking.k8s.io"
- ],
- "apiVersions": [
- "v1"
- ],
- "resources": [
- "NetworkPolicy"
- ]
- }
- ],
- "ruleDependencies": [
- ],
- "description": "",
- "remediation": "",
- "ruleQuery": "armo_builtins"
-}
\ No newline at end of file
diff --git a/rules/networkpolicy-in-default-namespace/test/networkpolicy/expected.json b/rules/networkpolicy-in-default-namespace/test/networkpolicy/expected.json
deleted file mode 100644
index 366069ce6..000000000
--- a/rules/networkpolicy-in-default-namespace/test/networkpolicy/expected.json
+++ /dev/null
@@ -1,23 +0,0 @@
-[
- {
- "alertMessage": "NetworkPolicy: kubescape is in the 'default' namespace",
- "failedPaths": [
- "metadata.namespace"
- ],
- "fixPaths": [],
- "ruleStatus": "",
- "packagename": "armo_builtins",
- "alertScore": 3,
- "alertObject": {
- "k8sApiObjects": [
- {
- "apiVersion": "networking.k8s.io/v1",
- "kind": "NetworkPolicy",
- "metadata": {
- "name": "kubescape"
- }
- }
- ]
- }
- }
-]
\ No newline at end of file
diff --git a/rules/networkpolicy-in-default-namespace/test/networkpolicy/input/networkpolicy.yaml b/rules/networkpolicy-in-default-namespace/test/networkpolicy/input/networkpolicy.yaml
deleted file mode 100644
index a5469c4fb..000000000
--- a/rules/networkpolicy-in-default-namespace/test/networkpolicy/input/networkpolicy.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: kubescape
- namespace: default
-spec:
- podSelector:
- matchLabels:
- role: db
- policyTypes:
- - Ingress
- - Egress
- ingress:
- - from:
- - ipBlock:
- cidr: 172.17.0.0/16
- except:
- - 172.17.1.0/24
- ports:
- - protocol: TCP
- port: 6379
- egress:
- - to:
- - ipBlock:
- cidr: 10.0.0.0/24
- ports:
- - protocol: TCP
- port: 6379
diff --git a/rules/resourcequota-in-default-namespace/raw.rego b/rules/resourcequota-in-default-namespace/raw.rego
deleted file mode 100644
index 716352f01..000000000
--- a/rules/resourcequota-in-default-namespace/raw.rego
+++ /dev/null
@@ -1,40 +0,0 @@
-package armo_builtins
-
-deny[msga] {
- resource := input[_]
- result := is_default_namespace(resource.metadata)
- failed_path := get_failed_path(result)
- fixed_path := get_fixed_path(result)
- msga := {
- "alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
- "packagename": "armo_builtins",
- "alertScore": 3,
- "failedPaths": failed_path,
- "fixPaths": fixed_path,
- "alertObject": {
- "k8sApiObjects": [resource]
- }
- }
-}
-
-is_default_namespace(metadata) = [failed_path, fixPath] {
- metadata.namespace == "default"
- failed_path = "metadata.namespace"
- fixPath = ""
-}
-
-is_default_namespace(metadata) = [failed_path, fixPath] {
- not metadata.namespace
- failed_path = ""
- fixPath = {"path": "metadata.namespace", "value": "YOUR_NAMESPACE"}
-}
-
-get_failed_path(paths) = [paths[0]] {
- paths[0] != ""
-} else = []
-
-get_fixed_path(paths) = [paths[1]] {
- paths[1] != ""
-} else = []
-
-
diff --git a/rules/resourcequota-in-default-namespace/rule.metadata.json b/rules/resourcequota-in-default-namespace/rule.metadata.json
deleted file mode 100644
index 479b4ddfb..000000000
--- a/rules/resourcequota-in-default-namespace/rule.metadata.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "name": "resourcequota-in-default-namespace",
- "attributes": {
- "armoBuiltin": true
- },
- "ruleLanguage": "Rego",
- "match": [
- {
- "apiGroups": [
- ""
- ],
- "apiVersions": [
- "v1"
- ],
- "resources": [
- "ResourceQuota"
- ]
- }
- ],
- "ruleDependencies": [
- ],
- "description": "",
- "remediation": "",
- "ruleQuery": "armo_builtins"
-}
\ No newline at end of file
diff --git a/rules/resourcequota-in-default-namespace/test/resourcequota/expected.json b/rules/resourcequota-in-default-namespace/test/resourcequota/expected.json
deleted file mode 100644
index 79398a4ec..000000000
--- a/rules/resourcequota-in-default-namespace/test/resourcequota/expected.json
+++ /dev/null
@@ -1,23 +0,0 @@
-[
- {
- "alertMessage": "ResourceQuota: kubescape is in the 'default' namespace",
- "failedPaths": [
- "metadata.namespace"
- ],
- "fixPaths": [],
- "ruleStatus": "",
- "packagename": "armo_builtins",
- "alertScore": 3,
- "alertObject": {
- "k8sApiObjects": [
- {
- "apiVersion": "v1",
- "kind": "ResourceQuota",
- "metadata": {
- "name": "kubescape"
- }
- }
- ]
- }
- }
-]
\ No newline at end of file
diff --git a/rules/resourcequota-in-default-namespace/test/resourcequota/input/resourcequota.yaml b/rules/resourcequota-in-default-namespace/test/resourcequota/input/resourcequota.yaml
deleted file mode 100644
index 56e1a9b3f..000000000
--- a/rules/resourcequota-in-default-namespace/test/resourcequota/input/resourcequota.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: ResourceQuota
-metadata:
- name: kubescape
- namespace: default
-spec:
- hard:
- pods: "10"
- requests.cpu: "4"
- requests.memory: 5Gi
- limits.cpu: "10"
- limits.memory: 10Gi
\ No newline at end of file
diff --git a/rules/resources-event-1-in-default-namespace/raw.rego b/rules/resources-event-1-in-default-namespace/raw.rego
deleted file mode 100644
index 716352f01..000000000
--- a/rules/resources-event-1-in-default-namespace/raw.rego
+++ /dev/null
@@ -1,40 +0,0 @@
-package armo_builtins
-
-deny[msga] {
- resource := input[_]
- result := is_default_namespace(resource.metadata)
- failed_path := get_failed_path(result)
- fixed_path := get_fixed_path(result)
- msga := {
- "alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
- "packagename": "armo_builtins",
- "alertScore": 3,
- "failedPaths": failed_path,
- "fixPaths": fixed_path,
- "alertObject": {
- "k8sApiObjects": [resource]
- }
- }
-}
-
-is_default_namespace(metadata) = [failed_path, fixPath] {
- metadata.namespace == "default"
- failed_path = "metadata.namespace"
- fixPath = ""
-}
-
-is_default_namespace(metadata) = [failed_path, fixPath] {
- not metadata.namespace
- failed_path = ""
- fixPath = {"path": "metadata.namespace", "value": "YOUR_NAMESPACE"}
-}
-
-get_failed_path(paths) = [paths[0]] {
- paths[0] != ""
-} else = []
-
-get_fixed_path(paths) = [paths[1]] {
- paths[1] != ""
-} else = []
-
-
diff --git a/rules/resources-event-1-in-default-namespace/rule.metadata.json b/rules/resources-event-1-in-default-namespace/rule.metadata.json
deleted file mode 100644
index 60f932d89..000000000
--- a/rules/resources-event-1-in-default-namespace/rule.metadata.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "name": "resources-event-1-in-default-namespace",
- "attributes": {
- "armoBuiltin": true
- },
- "ruleLanguage": "Rego",
- "match": [
- {
- "apiGroups": [
- ""
- ],
- "apiVersions": [
- "v1"
- ],
- "resources": [
- "Event"
- ]
- }
- ],
- "ruleDependencies": [
- ],
- "description": "",
- "remediation": "",
- "ruleQuery": "armo_builtins"
-}
\ No newline at end of file
diff --git a/rules/resources-event-1-in-default-namespace/test/poddisruptionbudget/expected.json b/rules/resources-event-1-in-default-namespace/test/poddisruptionbudget/expected.json
deleted file mode 100644
index a5ab9f768..000000000
--- a/rules/resources-event-1-in-default-namespace/test/poddisruptionbudget/expected.json
+++ /dev/null
@@ -1,26 +0,0 @@
-[
- {
- "alertMessage": "PodDisruptionBudget: zk-pdb is in the 'default' namespace",
- "failedPaths": [],
- "fixPaths": [
- {
- "path": "metadata.namespace",
- "value": "YOUR_NAMESPACE"
- }
- ],
- "ruleStatus": "",
- "packagename": "armo_builtins",
- "alertScore": 3,
- "alertObject": {
- "k8sApiObjects": [
- {
- "apiVersion": "policy/v1",
- "kind": "PodDisruptionBudget",
- "metadata": {
- "name": "zk-pdb"
- }
- }
- ]
- }
- }
-]
\ No newline at end of file
diff --git a/rules/resources-event-1-in-default-namespace/test/poddisruptionbudget/input/poddisruptionbudget.yaml b/rules/resources-event-1-in-default-namespace/test/poddisruptionbudget/input/poddisruptionbudget.yaml
deleted file mode 100644
index 5d7c59877..000000000
--- a/rules/resources-event-1-in-default-namespace/test/poddisruptionbudget/input/poddisruptionbudget.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- name: zk-pdb
-spec:
- minAvailable: 2
- selector:
- matchLabels:
- app: zookeeper
\ No newline at end of file
diff --git a/rules/resources-event-2-in-default-namespace/raw.rego b/rules/resources-event-2-in-default-namespace/raw.rego
deleted file mode 100644
index 716352f01..000000000
--- a/rules/resources-event-2-in-default-namespace/raw.rego
+++ /dev/null
@@ -1,40 +0,0 @@
-package armo_builtins
-
-deny[msga] {
- resource := input[_]
- result := is_default_namespace(resource.metadata)
- failed_path := get_failed_path(result)
- fixed_path := get_fixed_path(result)
- msga := {
- "alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
- "packagename": "armo_builtins",
- "alertScore": 3,
- "failedPaths": failed_path,
- "fixPaths": fixed_path,
- "alertObject": {
- "k8sApiObjects": [resource]
- }
- }
-}
-
-is_default_namespace(metadata) = [failed_path, fixPath] {
- metadata.namespace == "default"
- failed_path = "metadata.namespace"
- fixPath = ""
-}
-
-is_default_namespace(metadata) = [failed_path, fixPath] {
- not metadata.namespace
- failed_path = ""
- fixPath = {"path": "metadata.namespace", "value": "YOUR_NAMESPACE"}
-}
-
-get_failed_path(paths) = [paths[0]] {
- paths[0] != ""
-} else = []
-
-get_fixed_path(paths) = [paths[1]] {
- paths[1] != ""
-} else = []
-
-
diff --git a/rules/resources-event-2-in-default-namespace/rule.metadata.json b/rules/resources-event-2-in-default-namespace/rule.metadata.json
deleted file mode 100644
index 6ce6a4a06..000000000
--- a/rules/resources-event-2-in-default-namespace/rule.metadata.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "name": "resources-event-2-in-default-namespace",
- "attributes": {
- "armoBuiltin": true
- },
- "ruleLanguage": "Rego",
- "match": [
- {
- "apiGroups": [
- "events.k8s.io"
- ],
- "apiVersions": [
- "v1"
- ],
- "resources": [
- "Event"
- ]
- }
- ],
- "ruleDependencies": [
- ],
- "description": "",
- "remediation": "",
- "ruleQuery": "armo_builtins"
-}
\ No newline at end of file
diff --git a/rules/resources-event-2-in-default-namespace/test/poddisruptionbudget/expected.json b/rules/resources-event-2-in-default-namespace/test/poddisruptionbudget/expected.json
deleted file mode 100644
index a5ab9f768..000000000
--- a/rules/resources-event-2-in-default-namespace/test/poddisruptionbudget/expected.json
+++ /dev/null
@@ -1,26 +0,0 @@
-[
- {
- "alertMessage": "PodDisruptionBudget: zk-pdb is in the 'default' namespace",
- "failedPaths": [],
- "fixPaths": [
- {
- "path": "metadata.namespace",
- "value": "YOUR_NAMESPACE"
- }
- ],
- "ruleStatus": "",
- "packagename": "armo_builtins",
- "alertScore": 3,
- "alertObject": {
- "k8sApiObjects": [
- {
- "apiVersion": "policy/v1",
- "kind": "PodDisruptionBudget",
- "metadata": {
- "name": "zk-pdb"
- }
- }
- ]
- }
- }
-]
\ No newline at end of file
diff --git a/rules/resources-event-2-in-default-namespace/test/poddisruptionbudget/input/poddisruptionbudget.yaml b/rules/resources-event-2-in-default-namespace/test/poddisruptionbudget/input/poddisruptionbudget.yaml
deleted file mode 100644
index 5d7c59877..000000000
--- a/rules/resources-event-2-in-default-namespace/test/poddisruptionbudget/input/poddisruptionbudget.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- name: zk-pdb
-spec:
- minAvailable: 2
- selector:
- matchLabels:
- app: zookeeper
\ No newline at end of file