Merge pull request #525 from kubescape/slashben-patch-1

Making sure that service and ingress are in the same namespace
kubescape · Oct 16, 2023 · 22de0e1 · 22de0e1
2 parents aa94277 + 3035658
commit 22de0e1
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 7 deletions.
diff --git a/controls/C-0256-exposuretointernet.json b/controls/C-0256-exposuretointernet.json
@@ -28,8 +28,7 @@
     "baseScore": 7.0,
     "scanningScope": {
         "matches": [
-            "cluster",
-            "file"
+            "cluster"
         ]
     }
 }
diff --git a/rules/exposure-to-internet/raw.rego b/rules/exposure-to-internet/raw.rego
@@ -35,6 +35,10 @@ deny[msga] {
 
     svc := input[_]
     svc.kind == "Service"
+
+    # Make sure that they belong to the same namespace
+    svc.metadata.namespace == ingress.metadata.namespace
+
     # avoid duplicate alerts
     # if service is already exposed through NodePort or LoadBalancer workload will fail on that
     not is_exposed_service(svc)
@@ -55,11 +59,16 @@ deny[msga] {
         "alertObject": {
             "k8sApiObjects": [wl]
         },
-        "relatedObjects": [{
-            "object": ingress,
+        "relatedObjects": [
+		{
+	            "object": ingress,
 		    "reviewPaths": result,
-            "failedPaths": result,
-        }]
+	            "failedPaths": result,
+	        },
+		{
+	            "object": svc,
+		}
+        ]
     }
 } 
 

diff --git a/rules/exposure-to-internet/test/failed_with_ingress/expected.json b/rules/exposure-to-internet/test/failed_with_ingress/expected.json
@@ -23,7 +23,8 @@
                     "apiVersion": "networking.k8s.io/v1",
                     "kind": "Ingress",
                     "metadata": {
-                        "name": "my-ingress"
+                        "name": "my-ingress",
+                        "namespace": "default"
                     },
                     "spec": {
                         "ingressClassName": "nginx",
@@ -54,6 +55,28 @@
                     "spec.rules[0].http.paths[0].backend.service.name"
                 ],
                 "fixPaths": null
+            },
+            {
+                "object": {
+                    "apiVersion": "v1",
+                    "kind": "Service",
+                    "metadata": {
+                        "name": "my-service",
+                        "namespace": "default"
+                    },
+                    "spec": {
+                        "ports": [
+                            {
+                                "port": 80,
+                                "targetPort": 80
+                            }
+                        ],
+                        "selector": {
+                            "app": "my-app"
+                        },
+                        "type": "ClusterIP"
+                    }
+                }
             }
         ]
     }

diff --git a/rules/exposure-to-internet/test/failed_with_ingress/input/ingress.yaml b/rules/exposure-to-internet/test/failed_with_ingress/input/ingress.yaml
@@ -2,6 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: my-ingress
+  namespace: default
 spec:
   ingressClassName: nginx
   rules:

diff --git a/rules/exposure-to-internet/test/failed_with_ingress/input/service.yaml b/rules/exposure-to-internet/test/failed_with_ingress/input/service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: my-service
+  namespace: default
 spec:
   selector:
     app: my-app