Adding CVE-2023-3676 check

Signed-off-by: Amit Schendel <[email protected]>

rules/CVE-2023-3676/raw.rego

@@ -0,0 +1,15 @@
+package armo_builtins
+
+deny[msg] {                                                                 
+    input.request.kind.kind == "Pod"
+    path := input.request.object.spec.containers.volumeMounts.subPath                 
+    not startswith(path, "$(")                                     
+    msga := {
+			"alertMessage": "You may be vulnerable to CVE-2023-3676",
+			"failedPaths": [path],
+			"fixPaths":[],
+			"alertObject": { 
+                "k8SApiObjects": [input[_]],
+            },
+		}     
+}

rules/CVE-2023-3676/rule.metadata.json

@@ -0,0 +1,25 @@
+{
+    "name": "CVE-2023-3676",
+    "attributes": {
+      "armoBuiltin": true
+    },
+    "ruleLanguage": "Rego",
+    "match": [
+      {
+        "apiGroups": [
+          "apps"
+        ],
+        "apiVersions": [
+          "v1"
+        ],
+        "resources": [
+          "Pod"
+        ]
+      }
+    ],
+    "ruleDependencies": [
+    ],
+    "description": "Check for CVE-2023-3676",
+    "remediation": "Update kubelet version",
+    "ruleQuery": "armo_builtins"
+}

rules/CVE-2023-3676/test/pod/input/pod.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: wintest
+spec:
+  containers:
+  - name: test
+    image: raesene/windows-powertools
+    command:
+    - powershell.exe
+    - -command
+    - "start-sleep -seconds 600"
+    volumeMounts:
+    - name: test
+      mountPath: c:\var
+      subPath: $(Start-process cmd)
+  volumes:
+  - name: test
+    hostPath:
+      path: c:\var
+  hostNetwork: true
+  nodeSelector:
+    kubernetes.io/os: windows