-
Notifications
You must be signed in to change notification settings - Fork 49
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
10 changed files
with
461 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,144 @@ | ||
package armo_builtins | ||
import future.keywords.in | ||
|
||
|
||
deny[msga] { | ||
virtualservice := input[_] | ||
virtualservice.kind == "VirtualService" | ||
|
||
# Check if the VirtualService is connected to a Gateway | ||
gateway := input[_] | ||
gateway.kind == "Gateway" | ||
|
||
is_same_namespace(gateway, virtualservice) | ||
virtualservice.spec.gateways[_] == gateway.metadata.name | ||
|
||
# Find the connected Istio Ingress Gateway that should be a LoadBalancer if it is exposed to the internet | ||
istioingressgateway := input[_] | ||
istioingressgateway.kind == "Service" | ||
istioingressgateway.metadata.namespace == "istio-system" | ||
gateway.spec.selector[_] == istioingressgateway.metadata.labels[_] | ||
|
||
|
||
# Check if the Istio Ingress Gateway is exposed to the internet | ||
is_exposed_service(istioingressgateway) | ||
|
||
# Check if the VirtualService is connected to an workload | ||
# First, find the service that the VirtualService is connected to | ||
connected_service := input[_] | ||
connected_service.kind == "Service" | ||
fqsn := get_fqsn(get_namespace(virtualservice), virtualservice.spec.http[_].route[_].destination.host) | ||
target_ns := split(fqsn,".")[1] | ||
target_name := split(fqsn,".")[0] | ||
# Check if the service is in the same namespace as the VirtualService | ||
get_namespace(connected_service) == target_ns | ||
# Check if the service is the target of the VirtualService | ||
connected_service.metadata.name == target_name | ||
|
||
# Check if the service is connected to a workload | ||
wl := input[_] | ||
is_same_namespace(connected_service, wl) | ||
spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Pod", "Job", "CronJob"} | ||
spec_template_spec_patterns[wl.kind] | ||
wl_connected_to_service(wl, connected_service) | ||
|
||
result := svc_connected_to_virtualservice(connected_service, virtualservice) | ||
|
||
msga := { | ||
"alertMessage": sprintf("workload '%v' is exposed through virtualservice '%v'", [wl.metadata.name, virtualservice.metadata.name]), | ||
"packagename": "armo_builtins", | ||
"failedPaths": [], | ||
"fixPaths": [], | ||
"alertScore": 7, | ||
"alertObject": { | ||
"k8sApiObjects": [wl] | ||
}, | ||
"relatedObjects": [ | ||
{ | ||
"object": virtualservice, | ||
"reviewPaths": result, | ||
"failedPaths": result, | ||
}, | ||
{ | ||
"object": connected_service, | ||
} | ||
] | ||
} | ||
} | ||
|
||
# ==================================================================================== | ||
|
||
get_namespace(obj) = namespace { | ||
obj.metadata | ||
obj.metadata.namespace | ||
namespace := obj.metadata.namespace | ||
} | ||
|
||
get_namespace(obj) = namespace { | ||
not obj.metadata.namespace | ||
namespace := "default" | ||
} | ||
|
||
is_same_namespace(obj1, obj2) { | ||
obj1.metadata.namespace == obj2.metadata.namespace | ||
} | ||
|
||
is_same_namespace(obj1, obj2) { | ||
not obj1.metadata.namespace | ||
obj2.metadata.namespace == "default" | ||
} | ||
|
||
is_same_namespace(obj1, obj2) { | ||
not obj2.metadata.namespace | ||
obj1.metadata.namespace == "default" | ||
} | ||
|
||
is_same_namespace(obj1, obj2) { | ||
not obj1.metadata.namespace | ||
not obj2.metadata.namespace | ||
} | ||
|
||
is_exposed_service(svc) { | ||
svc.spec.type == "NodePort" | ||
} | ||
|
||
is_exposed_service(svc) { | ||
svc.spec.type == "LoadBalancer" | ||
} | ||
|
||
wl_connected_to_service(wl, svc) { | ||
count({x | svc.spec.selector[x] == wl.metadata.labels[x]}) == count(svc.spec.selector) | ||
} | ||
|
||
wl_connected_to_service(wl, svc) { | ||
wl.spec.selector.matchLabels == svc.spec.selector | ||
} | ||
|
||
wl_connected_to_service(wl, svc) { | ||
count({x | svc.spec.selector[x] == wl.spec.template.metadata.labels[x]}) == count(svc.spec.selector) | ||
} | ||
|
||
svc_connected_to_virtualservice(svc, virtualservice) = result { | ||
host := virtualservice.spec.http[i].route[j].destination.host | ||
svc.metadata.name == host | ||
result := [sprintf("spec.http[%d].routes[%d].destination.host", [i,j])] | ||
} | ||
|
||
get_fqsn(ns, dest_host) = fqsn { | ||
# verify that this name is without the namespace | ||
count(split(".", dest_host)) == 1 | ||
fqsn := sprintf("%v.%v.svc.cluster.local", [dest_host, ns]) | ||
} | ||
|
||
get_fqsn(ns, dest_host) = fqsn { | ||
count(split(".", dest_host)) == 2 | ||
fqsn := sprintf("%v.svc.cluster.local", [dest_host]) | ||
} | ||
|
||
get_fqsn(ns, dest_host) = fqsn { | ||
count(split(".", dest_host)) == 4 | ||
fqsn := dest_host | ||
} | ||
|
||
|
||
|
62 changes: 62 additions & 0 deletions
62
rules/exposure-to-internet-via-istio-ingress/rule.metadata.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
{ | ||
"name": "exposure-to-internet-via-istio-ingress", | ||
"attributes": { | ||
"useFromKubescapeVersion": "v3.0.9" | ||
}, | ||
"ruleLanguage": "Rego", | ||
"match": [ | ||
{ | ||
"apiGroups": [ | ||
"" | ||
], | ||
"apiVersions": [ | ||
"v1" | ||
], | ||
"resources": [ | ||
"Pod", | ||
"Service" | ||
] | ||
}, | ||
{ | ||
"apiGroups": [ | ||
"apps" | ||
], | ||
"apiVersions": [ | ||
"v1" | ||
], | ||
"resources": [ | ||
"Deployment", | ||
"ReplicaSet", | ||
"DaemonSet", | ||
"StatefulSet" | ||
] | ||
}, | ||
{ | ||
"apiGroups": [ | ||
"batch" | ||
], | ||
"apiVersions": [ | ||
"*" | ||
], | ||
"resources": [ | ||
"Job", | ||
"CronJob" | ||
] | ||
}, | ||
{ | ||
"apiGroups": [ | ||
"networking.istio.io" | ||
], | ||
"apiVersions": [ | ||
"v1" | ||
], | ||
"resources": [ | ||
"VirtualService", | ||
"Gateways" | ||
] | ||
} | ||
], | ||
"description": "fails if the running workload is bound to a Service that is exposed to the Internet through Istio Gateway.", | ||
"remediation": "", | ||
"ruleQuery": "armo_builtins" | ||
} |
92 changes: 92 additions & 0 deletions
92
rules/exposure-to-internet-via-istio-ingress/test/failed_with_istiogw/expected.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,92 @@ | ||
[ | ||
{ | ||
"alertMessage": "workload 'nginx' is exposed through virtualservice 'nginx'", | ||
"failedPaths": [], | ||
"reviewPaths": null, | ||
"deletePaths": null, | ||
"fixPaths": [], | ||
"ruleStatus": "", | ||
"packagename": "armo_builtins", | ||
"alertScore": 7, | ||
"alertObject": { | ||
"k8sApiObjects": [ | ||
{ | ||
"apiVersion": "apps/v1", | ||
"kind": "Deployment", | ||
"metadata": { | ||
"labels": { | ||
"app": "nginx" | ||
}, | ||
"name": "nginx" | ||
} | ||
} | ||
] | ||
}, | ||
"relatedObjects": [ | ||
{ | ||
"object": { | ||
"apiVersion": "networking.istio.io/v1alpha3", | ||
"kind": "VirtualService", | ||
"metadata": { | ||
"name": "nginx" | ||
}, | ||
"spec": { | ||
"gateways": [ | ||
"nginx-gateway" | ||
], | ||
"hosts": [ | ||
"*" | ||
], | ||
"http": [ | ||
{ | ||
"route": [ | ||
{ | ||
"destination": { | ||
"host": "nginx", | ||
"port": { | ||
"number": 80 | ||
} | ||
} | ||
} | ||
] | ||
} | ||
] | ||
} | ||
}, | ||
"failedPaths": [ | ||
"spec.http[0].routes[0].destination.host" | ||
], | ||
"reviewPaths": [ | ||
"spec.http[0].routes[0].destination.host" | ||
], | ||
"deletePaths": null, | ||
"fixPaths": null | ||
}, | ||
{ | ||
"object": { | ||
"apiVersion": "v1", | ||
"kind": "Service", | ||
"metadata": { | ||
"name": "nginx" | ||
}, | ||
"spec": { | ||
"ports": [ | ||
{ | ||
"port": 80, | ||
"protocol": "TCP", | ||
"targetPort": 80 | ||
} | ||
], | ||
"selector": { | ||
"app": "nginx" | ||
} | ||
} | ||
}, | ||
"failedPaths": null, | ||
"reviewPaths": null, | ||
"deletePaths": null, | ||
"fixPaths": null | ||
} | ||
] | ||
} | ||
] |
61 changes: 61 additions & 0 deletions
61
rules/exposure-to-internet-via-istio-ingress/test/failed_with_istiogw/input/deployment.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,61 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
annotations: | ||
deployment.kubernetes.io/revision: "1" | ||
creationTimestamp: "2024-11-19T19:33:37Z" | ||
generation: 1 | ||
labels: | ||
app: nginx | ||
name: nginx | ||
namespace: default | ||
resourceVersion: "826" | ||
uid: 84c22298-82c1-4ca1-bc23-aeb210beffd7 | ||
spec: | ||
progressDeadlineSeconds: 600 | ||
replicas: 1 | ||
revisionHistoryLimit: 10 | ||
selector: | ||
matchLabels: | ||
app: nginx | ||
strategy: | ||
rollingUpdate: | ||
maxSurge: 25% | ||
maxUnavailable: 25% | ||
type: RollingUpdate | ||
template: | ||
metadata: | ||
labels: | ||
app: nginx | ||
spec: | ||
containers: | ||
- image: nginx | ||
imagePullPolicy: Always | ||
name: nginx | ||
resources: {} | ||
terminationMessagePath: /dev/termination-log | ||
terminationMessagePolicy: File | ||
dnsPolicy: ClusterFirst | ||
restartPolicy: Always | ||
schedulerName: default-scheduler | ||
securityContext: {} | ||
terminationGracePeriodSeconds: 30 | ||
status: | ||
availableReplicas: 1 | ||
conditions: | ||
- lastTransitionTime: "2024-11-19T19:33:45Z" | ||
lastUpdateTime: "2024-11-19T19:33:45Z" | ||
message: Deployment has minimum availability. | ||
reason: MinimumReplicasAvailable | ||
status: "True" | ||
type: Available | ||
- lastTransitionTime: "2024-11-19T19:33:37Z" | ||
lastUpdateTime: "2024-11-19T19:33:45Z" | ||
message: ReplicaSet "nginx-7854ff8877" has successfully progressed. | ||
reason: NewReplicaSetAvailable | ||
status: "True" | ||
type: Progressing | ||
observedGeneration: 1 | ||
readyReplicas: 1 | ||
replicas: 1 | ||
updatedReplicas: 1 |
Oops, something went wrong.