CIS Benchmark policy 5.1.3 (#39)

Signed-off-by: Saurabh Pandit <[email protected]> Co-authored-by: Saurabh Pandit <[email protected]>
xunholy · Jul 7, 2020 · f137c21 · f137c21
1 parent 541924b
commit f137c21
Show file tree

Hide file tree

Showing 3 changed files with 102 additions and 0 deletions.
diff --git a/policies/CIS.5.1.3.rego b/policies/CIS.5.1.3.rego
@@ -0,0 +1,27 @@
+package cis_5_1_3
+
+import data.lib.kubernetes
+
+violation[msg] {
+    kubernetes.clusterroles[clusterrole]
+    is_using_wildcard(clusterrole.rules[_])
+    msg = kubernetes.format(sprintf("ClusterRole %v - use of wildcard is not allowed", [clusterrole.metadata.name]))
+}
+
+violation[msg] {
+    kubernetes.roles[role]
+    is_using_wildcard(role.rules[_])
+    msg = kubernetes.format(sprintf("Role %v - use of wildcard is not allowed", [role.metadata.name]))
+}
+
+is_using_wildcard(rule) {
+    rule.apiGroups[_] == "*"
+}
+
+is_using_wildcard(rule) {
+    rule.resources[_] == "*"
+}
+
+is_using_wildcard(rule) {
+    rule.verbs[_] == "*"
+}
diff --git a/policies/CIS.5.1.3_test.rego b/policies/CIS.5.1.3_test.rego
@@ -0,0 +1,62 @@
+package cis_5_1_3
+
+import data.lib.test
+
+test_violation {
+    test.violations(violation) with input as policy_input("ClusterRole", "authorization.k8s.io", "tokenviews", "*")
+}
+
+test_violation {
+    test.violations(violation) with input as policy_input("ClusterRole", "authorization.k8s.io", "*", "create")
+}
+
+test_violation {
+    test.violations(violation) with input as policy_input("ClusterRole", "*", "tokenviews", "create")
+}
+
+test_violation {
+    test.violations(violation) with input as policy_input("Role", "authorization.k8s.io", "tokenviews", "*")
+}
+
+test_violation {
+    test.violations(violation) with input as policy_input("Role", "authorization.k8s.io", "*", "create")
+}
+
+test_violation {
+    test.violations(violation) with input as policy_input("Role", "*", "tokenviews", "create")
+}
+
+test_no_violation {
+    test.no_violations(violation) with input as policy_input("ClusterRole", "authorization.k8s.io", "tokenviews", "create")
+}
+
+test_no_violation_2 {
+    test.no_violations(violation) with input as policy_input("Role", "authorization.k8s.io", "tokenviews", "create")
+}
+
+policy_input(rolekind, apiGroup, resource, verb) = {
+    "apiVersion": "rbac.authorization.k8s.io/v1",
+    "kind": rolekind,
+    "metadata": {
+        "annotations": {
+            "rbac.authorization.kubernetes.io/autoupdate": "true"
+        },
+        "labels": {
+            "kubernetes.io/bootstrapping": "rbac-defaults"
+        },
+        "name": "system:node"
+    },
+    "rules": [
+        {
+            "apiGroups": [
+                apiGroup
+            ],
+            "resources": [
+                resource
+            ],
+            "verbs": [
+                verb
+            ]
+        }
+    ]
+}
diff --git a/policies/lib/kubernetes.rego b/policies/lib/kubernetes.rego
@@ -153,6 +153,19 @@ clusterroles[clusterrole] {
     clusterrole = object
 }
 
+is_role {
+  kind = "Role"
+}
+
+is_role {
+  kind = "Roles"
+}
+
+roles[role] {
+    is_role
+    role = object
+}
+
 is_clusterrole_binding {
     kind = "ClusterRoleBinding"
 }