diff --git a/.github/sync.yml b/.github/sync.yml new file mode 100644 index 000000000..a50434370 --- /dev/null +++ b/.github/sync.yml @@ -0,0 +1,7 @@ +# This is a config file used by the `sync.yml` action under workflows folder +# To determine which files are to be synced and where. +# You can configure it to sync files across multiples repositories or branches too. + +kubescape/kubescape.io: # Target repository + - source: docs/controls + dest: docs/docs/controls/ diff --git a/.github/workflows/create-release.yaml b/.github/workflows/create-release-v2.yaml similarity index 61% rename from .github/workflows/create-release.yaml rename to .github/workflows/create-release-v2.yaml index 0230173a5..9333f00ea 100644 --- a/.github/workflows/create-release.yaml +++ b/.github/workflows/create-release-v2.yaml @@ -1,4 +1,5 @@ -name: create release +name: 'Create and Publish Tags with Testing and Artifact Handling' + on: workflow_dispatch: inputs: 
@@ -9,88 +10,67 @@ on: push: tags: - - 'v*.*.*-rc.*' + - 'v*.*.*-rc.*' + env: REGO_ARTIFACT_KEY_NAME: rego_artifact REGO_ARTIFACT_PATH: release jobs: - # testing link checks - markdown-link-check: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c - - name: Check links - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 - with: - use-verbose-mode: 'yes' - - # main job of testing and building the env. test_pr_checks: - needs: [markdown-link-check] permissions: pull-requests: write uses: kubescape/workflows/.github/workflows/go-basic-tests.yaml@main with: - GO_VERSION: 1.19 + GO_VERSION: '1.21' BUILD_PATH: github.com/kubescape/regolibrary/gitregostore/... secrets: inherit - # build regolibrary artifacts / test rego dependencies / test rego unit-tests build-and-rego-test: needs: [test_pr_checks] - name: Build and test rego artifacts runs-on: ubuntu-latest outputs: - NEW_TAG: ${{ steps.tag-calculator.outputs.NEW_TAG }} REGO_ARTIFACT_KEY_NAME: ${{ steps.set_outputs.outputs.REGO_ARTIFACT_KEY_NAME }} REGO_ARTIFACT_PATH: ${{ steps.set_outputs.outputs.REGO_ARTIFACT_PATH }} steps: - - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f - name: checkout repo content - with: - token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} - - - id: tag-calculator - uses: kubescape/workflows/.github/actions/tag-action@main - with: - ORIGINAL_TAG: ${{ inputs.TAG }} - SUB_STRING: "-rc" + - uses: actions/checkout@v2 + name: Checkout repo content - # Test using Golang OPA hot rule compilation - - name: Set up Go - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 + - name: Set up Go 1.21 + uses: actions/setup-go@v2 with: - go-version: 1.19 + go-version: 1.21 - - name: Test Regoes + - name: Test Regos (Golang OPA hot rule compilation) working-directory: testrunner run: | - apt update && apt install -y cmake + sudo apt update && sudo apt install -y cmake GOPATH=$(go env GOPATH) 
make - - name: setup python - uses: actions/setup-python@75f3110429a8c05be0e1bf360334e4cced2b63fa + - name: Setup Python 3.10.6 + uses: actions/setup-python@v2 with: python-version: 3.10.6 - # generating subsections ids - - name: Update frameworks subsections - run: bash ./scripts/generate_subsections_ids.sh + - name: Install Python dependencies + run: | + python -m pip install --upgrade pip + pip install requests + + - name: Update frameworks subsections (generating subsections ids) + run: python ./scripts/generate_subsections_ids.py - # validate control-ID duplications - - run: python ./scripts/validations.py + - name: Validate control-ID duplications + run: python ./scripts/validations.py - # run export script to generate regolibrary artifacts - - run: python ./scripts/export.py + - name: Generate RegoLibrary artifacts (run export script) + run: python ./scripts/export.py - # removing release artifacts file extensions - name: Strip Metadata Files Extensions run: | cd release - find -type f -name '*.json' | while read f; do mv "$f" "${f%.json}"; done - find -type f -name '*.csv' | while read f; do mv "$f" "${f%.csv}"; done + find . -type f \( -name '*.json' -o -name '*.csv' \) | while read f; do mv "$f" "${f%.*}"; done - run: ls -laR @@ -100,8 +80,8 @@ jobs: echo "REGO_ARTIFACT_KEY_NAME=${{ env.REGO_ARTIFACT_KEY_NAME }}" >> $GITHUB_OUTPUT echo "REGO_ARTIFACT_PATH=${{ env.REGO_ARTIFACT_PATH }}" >> $GITHUB_OUTPUT - - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3.1.1 - name: Upload artifact + - name: Upload artifact + uses: actions/upload-artifact@v2 with: name: ${{ env.REGO_ARTIFACT_KEY_NAME }} path: ${{ env.REGO_ARTIFACT_PATH }}/ 
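Review bot: The `uses:` references in this hunk replace commit-SHA pins with mutable major tags (`actions/checkout@v2`, `actions/setup-go@v2`, `actions/setup-python@v2`, and `actions/upload-artifact@v2` in the `@@ -100,8` hunk), giving up the supply-chain protection the removed `ratchet:`-annotated SHAs provided and regressing to older majors than the `@v4` refs this same change uses in pr-tests.yaml; the same loss of pinning recurs in pr-tests.yaml (`@@ -61,27`, `@@ -96,13`, `@@ -159,9`), push-releasedev-updates.yaml and the new sync.yml. Pin each action to a full commit SHA with a version comment, e.g. `uses: actions/checkout@<sha> # ratchet:actions/checkout@v4`. `go-version: 1.21` is an unquoted YAML float here while the reusable-workflow input above was quoted `'1.21'`; use `go-version: '1.21'` so a future `1.30`-style value does not collapse to `1.3`. `pip install requests` (also added in pr-tests.yaml `@@ -96,13`) installs an unpinned dependency; pin it, `pip install 'requests==<version>'`, or add a requirements file so builds are reproducible.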
@@ -132,34 +112,66 @@ jobs: secrets: inherit # start release process - release: + create-new-tag-and-release: needs: [ks-and-rego-test] if: ${{ (always() && (contains(needs.*.result, 'success')) && !(contains(needs.*.result, 'skipped')) && !(contains(needs.*.result, 'failure')) && !(contains(needs.*.result, 'cancelled'))) }} name: create release and upload assets runs-on: ubuntu-latest steps: + - uses: actions/checkout@v2 + name: Checkout repository + + - name: 'Generate Release Tag' + id: generate_tag + uses: kubescape/workflows/.github/actions/tag-action@main + with: + ORIGINAL_TAG: ${{ github.ref_name }} + SUB_STRING: "-rc." + + # Create and push the full version tag (e.g., v2.0.1) + - name: Create and Push Full Tag + uses: rickstaa/action-create-tag@v1 + with: + tag: ${{ steps.generate_tag.outputs.NEW_TAG }} + force_push_tag: false + github_token: ${{ secrets.GITHUB_TOKEN }} + + - name: Generate Short Tag + id: short_tag + run: | + SHORT_TAG=$(echo "${{ steps.generate_tag.outputs.NEW_TAG }}" | grep -oP '^v\d+') + echo "Short tag: $SHORT_TAG" + echo "SHORT_TAG=$SHORT_TAG" >> $GITHUB_ENV + + - name: Force Push Short Tag + uses: rickstaa/action-create-tag@v1 + with: + tag: ${{ env.SHORT_TAG }} + force_push_tag: true + github_token: ${{ secrets.GITHUB_TOKEN }} + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # ratchet:actions/download-artifact@v3.0.2 id: download-artifact with: name: ${{ env.REGO_ARTIFACT_KEY_NAME }} path: ${{ env.REGO_ARTIFACT_PATH }} - - name: Create Release and upload assets - id: create_release_upload_assets - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 + - name: Create or Update Release and Upload Assets + uses: softprops/action-gh-release@v2 with: - token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} - name: Release ${{ needs.build-and-rego-test.outputs.NEW_TAG }} - tag_name: ${{ needs.build-and-rego-test.outputs.NEW_TAG }} - body: ${{ github.event.pull_request.body }} + token: ${{ 
secrets.GITHUB_TOKEN }} + tag_name: ${{ env.SHORT_TAG }} + name: ${{ env.SHORT_TAG }} + body: "Automated release for ${{ env.SHORT_TAG}}" + files: ${{ env.REGO_ARTIFACT_PATH }}/* draft: false fail_on_unmatched_files: true prerelease: false - files: '${{ env.REGO_ARTIFACT_PATH }}/*' + make_latest: "false" # Update regolibrary documentation with latest controls and rules. update-documentation: - needs: [release] + needs: [create-new-tag-and-release] runs-on: ubuntu-latest steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # ratchet:actions/checkout@v3.5.2 @@ -176,4 +188,6 @@ jobs: env: README_API_KEY: ${{ secrets.README_API_KEY }} run: |- - python ./scripts/upload-readme.py \ No newline at end of file + python ./scripts/upload-readme.py + - name: execute docs generator script + run: python ./scripts/mk-generator.py # Script to generate controls library documentation diff --git a/.github/workflows/pr-comments.yaml b/.github/workflows/pr-comments.yaml index 6a1c10390..a394fecb6 100644 --- a/.github/workflows/pr-comments.yaml +++ b/.github/workflows/pr-comments.yaml @@ -1,8 +1,9 @@ name: PR Comment Trigger on: - issue_comment: - types: [created] + workflow_call: + # issue_comment: + # types: [created] jobs: job01: if: ${{ github.event.issue.pull_request }} diff --git a/.github/workflows/pr-tests.yaml b/.github/workflows/pr-tests.yaml index 9ad180434..c517620bb 100644 --- a/.github/workflows/pr-tests.yaml +++ b/.github/workflows/pr-tests.yaml @@ -3,10 +3,7 @@ on: push: branches: [ master, main ] pull_request: - # run for every chnage in the PR types: [ opened, synchronize, reopened, ready_for_review ] - # Do not run the pipeline if only Markdown files changed - paths-ignore: ['**.md'] concurrency: group: ${{ github.workflow }}-${{ github.ref }} 
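Review bot: In the `Generate Short Tag` step a value derived from `github.ref_name` is interpolated straight into the shell via `${{ steps.generate_tag.outputs.NEW_TAG }}`, so the tag text becomes script rather than data; pass it through an environment variable, `env: { NEW_TAG: "${{ steps.generate_tag.outputs.NEW_TAG }}" }` and `SHORT_TAG=$(echo "$NEW_TAG" | grep -oP '^v\d+')`. The release is then created with `tag_name: ${{ env.SHORT_TAG }}` against the force-pushed major tag, so every RC run rewrites the same `vN` release and its assets instead of publishing one per full tag, which looks unintended next to the `Create and Push Full Tag` step; if the full tag should carry the release use `tag_name: ${{ steps.generate_tag.outputs.NEW_TAG }}`. Tags pushed with `secrets.GITHUB_TOKEN` do not trigger other workflows, unlike the removed `GH_PERSONAL_ACCESS_TOKEN`, so confirm nothing downstream listens on the full tag. `softprops/action-gh-release@v2` and `rickstaa/action-create-tag@v1` are unpinned while `download-artifact` in the same hunk keeps its SHA pin; pin them the same way. The job's `permissions:` block, if it has one, sits outside the hunk, and creating tags and releases with `GITHUB_TOKEN` needs `contents: write`.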
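Review bot: With the trigger changed to `workflow_call:`, the `job01` condition `if: ${{ github.event.issue.pull_request }}` (the job body continues outside the hunk) is evaluated against the calling workflow's event; unless every caller itself runs on `issue_comment`, `github.event.issue` is empty and the job silently never runs. Either keep `issue_comment` alongside `workflow_call` or document the contract, e.g. `# Called from a workflow running on issue_comment; github.event is inherited from the caller`. The commented-out trigger lines are dead configuration; delete them or state why they are kept.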
@@ -15,43 +12,19 @@ concurrency: env: REGO_ARTIFACT_KEY_NAME: rego_artifact REGO_ARTIFACT_PATH: releaseDev + GH_ACCESS_TOKEN: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} jobs: - # testing link checks - markdown-link-check: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c - - name: Check links - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 - with: - use-verbose-mode: 'yes' - # main job of testing and building the env. test_pr_checks: - # needs: [markdown-link-check] permissions: pull-requests: write uses: kubescape/workflows/.github/workflows/go-basic-tests.yaml@main with: - GO_VERSION: 1.19 + GO_VERSION: '1.21' BUILD_PATH: github.com/kubescape/regolibrary/gitregostore/... secrets: inherit -# test-coverage: -# needs: [test_pr_checks] -# uses: kubescape/workflows/.github/workflows/coverage-check.yaml@main -# if: | -# ${{ (always() && -# (contains(needs.*.result, 'success')) && -# !(contains(needs.*.result, 'skipped')) && -# !(contains(needs.*.result, 'failure')) && -# !(contains(needs.*.result, 'cancelled'))) }} -# with: -# COVERAGELIMIT: "58" -# SHA: ${{ github.sha }} - - build-and-rego-test: name: Build and test rego artifacts runs-on: ubuntu-latest 
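Review bot: Moving the PAT into a workflow-level `env:` (`GH_ACCESS_TOKEN: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}`) puts the token in the process environment of every step of every job in this workflow, including third-party actions that never needed it, whereas the removed form exposed it only as the `with: token:` input of one checkout step. Keep `token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}` on the checkout steps that use it (the `@@ -61,27` and `@@ -159,9` hunks) and drop the workflow-level variable, or at least scope the `env:` to those jobs. Also consider whether a PAT checkout is needed on `pull_request` at all, since secrets are not populated for pull requests from forks and the step would then run with an empty token.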
@@ -61,27 +34,32 @@ jobs: !(contains(needs.*.result, 'skipped')) && !(contains(needs.*.result, 'failure')) && !(contains(needs.*.result, 'cancelled'))) }} - # needs: [test_pr_checks] outputs: REGO_ARTIFACT_KEY_NAME: ${{ steps.set_outputs.outputs.REGO_ARTIFACT_KEY_NAME }} REGO_ARTIFACT_PATH: ${{ steps.set_outputs.outputs.REGO_ARTIFACT_PATH }} steps: - - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f + - uses: actions/checkout@v4 name: checkout repo content with: - token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} + token: ${{ env.GH_ACCESS_TOKEN }} # Test using Golang OPA hot rule compilation - name: Set up Go - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 + uses: actions/setup-go@v4 with: - go-version: 1.19 + go-version: '1.21' # testing rego library - name: Test Regoes working-directory: testrunner run: | - apt update && apt install -y cmake + for i in {1..5}; do + sudo apt update && break || sleep 15; + done + for i in {1..5}; do + sudo apt install -y cmake && break || sleep 15; + done + echo "Using Go path: $(which go)" GOPATH=$(go env GOPATH) make - name: Set up Regal @@ -96,13 +74,18 @@ jobs: uses: actions/setup-python@v4 with: python-version: 3.10.6 + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install requests + # validate control-ID duplications - run: python ./scripts/validations.py # generating subsections ids - name: Update frameworks subsections - run: bash ./scripts/generate_subsections_ids.sh + run: python ./scripts/generate_subsections_ids.py # run export script to generate regolibrary artifacts # releaseDev clean up is for old compatability. should be removed at end of 2023. 
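Review bot: The apt retry loops in `Test Regoes` cannot fail: after the fifth unsuccessful attempt the `for` loop's exit status is that of the final `sleep 15`, which is 0, so the step continues to `make` without cmake and the real error surfaces later in an unrelated place. Add an explicit check after the install loop, `command -v cmake >/dev/null || { echo "cmake install failed" >&2; exit 1; }`, so the step fails where the problem is. The `token: ${{ env.GH_ACCESS_TOKEN }}` on the checkout reads the PAT from the workflow-level environment; referencing `secrets.GH_PERSONAL_ACCESS_TOKEN` directly at this step keeps the token out of every other step's environment.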
@@ -159,9 +142,9 @@ jobs: runs-on: ubuntu-latest needs: [ks-and-rego-test] steps: - - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f + - uses: actions/checkout@v4 name: checkout repo content with: - token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} + token: ${{ env.GH_ACCESS_TOKEN }} - name: Remove pre-release folder run: rm -r -f pre-release diff --git a/.github/workflows/push-releasedev-updates.yaml b/.github/workflows/push-releasedev-updates.yaml index 94bcd7dcd..633ed838a 100644 --- a/.github/workflows/push-releasedev-updates.yaml +++ b/.github/workflows/push-releasedev-updates.yaml @@ -2,17 +2,23 @@ name: Push to regolibrary-dev on: push: - branches: [master, main] + branches: [master] + +env: + GH_ACCESS_TOKEN: ${{ secrets.ARMOSEC_ACCESS_KEY }} jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: ref: ${{ github.head_ref }} fetch-depth: 0 - token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} + token: ${{ env.GH_ACCESS_TOKEN }} + + - run: git config --global url.https://${{ env.GH_ACCESS_TOKEN }}@github.com/armosec/.insteadOf https://github.com/armosec/ + - run: git config --global url.https://${{ env.GH_ACCESS_TOKEN }}@github.com/kubescape/.insteadOf https://github.com/kubescape/ - name: Run export script run: | @@ -30,6 +36,6 @@ jobs: - name: Push changes uses: ad-m/github-push-action@master with: - github_token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} + github_token: ${{ env.GH_ACCESS_TOKEN }} repository: kubescape/regolibrary-dev - force: true \ No newline at end of file + force: true diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml new file mode 100644 index 000000000..88148b1d4 --- /dev/null +++ b/.github/workflows/sync.yml 
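Review bot: The two `git config --global url.https://${{ env.GH_ACCESS_TOKEN }}@github.com/...insteadOf` steps expand the secret at template time, so the token is written verbatim into the generated step script and then persisted in plain text in the runner's `~/.gitconfig` for the rest of the job, neither of which is covered by log masking. Read it from the shell environment instead, `run: git config --global url."https://${GH_ACCESS_TOKEN}@github.com/armosec/".insteadOf "https://github.com/armosec/"`, which keeps it out of the script text, and the workflow-level `env:` again makes `secrets.ARMOSEC_ACCESS_KEY` visible to every step rather than only the checkout and push steps that need it. Narrowing the trigger from `[master, main]` to `[master]` and swapping `GH_PERSONAL_ACCESS_TOKEN` for `ARMOSEC_ACCESS_KEY` are silent behaviour changes that deserve a sentence in the commit message, e.g. `# Pushes to regolibrary-dev now use the org key; 'main' is no longer a release branch`.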
@@ -0,0 +1,28 @@ +# The action is used to sync documentation of controls library with `kubescape.io` website +# The action checks for any files that are out of sync +# And opens a pull request in the target repository with the changes(if any) + +name: Sync Files + +on: + push: + branches: + - master + paths: + - 'docs/controls/**' # The action is triggered everytime there is a push to the defined path + workflow_dispatch: + +jobs: + sync: + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@master + - name: Run GitHub File Sync + uses: BetaHuhn/repo-file-sync-action@v1 + with: + GH_PAT: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} + COMMIT_BODY: "Sync documentation of controls library from `regolibrary` repository" + PR_BODY: Syncing the Control Library docs from `regolibrary` repository to update the `controls` documentation + PR_LABELS: automerge + COMMIT_PREFIX: "" diff --git a/ControlID_RuleName.csv b/ControlID_RuleName.csv index 51235bb80..2cfb21a35 100644 --- a/ControlID_RuleName.csv +++ b/ControlID_RuleName.csv @@ -77,7 +77,6 @@ C-0082,read-only-port-enabled C-0083,exposed-critical-pods C-0084,exposed-rce-pods C-0085,excessive_amount_of_vulnerabilities_pods -C-0086,CVE-2022-0492 C-0087,CVE-2022-23648 C-0088,rbac-enabled-cloud C-0088,rbac-enabled-native diff --git a/FWName_CID_CName.csv b/FWName_CID_CName.csv index 44a74aa54..c9e84ed77 100644 --- a/FWName_CID_CName.csv +++ b/FWName_CID_CName.csv @@ -55,7 +55,6 @@ AllControls,C-0077,K8s common labels usage AllControls,C-0078,Images from allowed registry AllControls,C-0079,CVE-2022-0185-linux-kernel-container-escape AllControls,C-0081,CVE-2022-24348-argocddirtraversal -AllControls,C-0086,CVE-2022-0492-cgroups-container-escape AllControls,C-0087,CVE-2022-23648-containerd-fs-escape AllControls,C-0088,RBAC enabled AllControls,C-0090,CVE-2022-39328-grafana-auth-bypass 
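Review bot: `uses: actions/checkout@master` follows a moving branch and `BetaHuhn/repo-file-sync-action@v1` a moving tag, yet the latter is handed `GH_PAT: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}`, a token able to write to other repositories; pin both to a commit SHA with a version comment, e.g. `uses: actions/checkout@<sha> # ratchet:actions/checkout@v4`. `PR_LABELS: automerge` together with that token means any change under `docs/controls/**` on master lands in `kubescape/kubescape.io` without human review, so the PAT used here should be a fine-grained token limited to that repository and to contents and pull-request write, and the header comment should say so, e.g. `# Requires a PAT scoped to kubescape/kubescape.io (contents + pull requests); PRs it opens are auto-merged`.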
@@ -93,7 +92,6 @@ ArmoBest,C-0070,Enforce Kubelet client TLS authentication ArmoBest,C-0078,Images from allowed registry ArmoBest,C-0079,CVE-2022-0185-linux-kernel-container-escape ArmoBest,C-0081,CVE-2022-24348-argocddirtraversal -ArmoBest,C-0086,CVE-2022-0492-cgroups-container-escape ArmoBest,C-0087,CVE-2022-23648-containerd-fs-escape ArmoBest,C-0089,CVE-2022-3172-aggregated-API-server-redirect ArmoBest,C-0091,CVE-2022-47633-kyverno-signature-bypass diff --git a/MAINTAINERS.md b/MAINTAINERS.md new file mode 100644 index 000000000..cbcacdb74 --- /dev/null +++ b/MAINTAINERS.md @@ -0,0 +1,12 @@ +# Maintainers + +The following table lists the project core maintainers: + +| Name | GitHub | Organization | Added/Renewed On | +| --- | --- | --- |------------------| +| [Yiscah Levy Silas](https://www.linkedin.com/in/yiscah-levy-silas/) | [@YiscahLevySilas1](https://github.com/YiscahLevySilas1) | [ARMO](https://www.armosec.io/) | 2021-09-01 | +| [Daniel Grunberger](https://www.linkedin.com/in/daniel-grunberger-719685188/) | [@Daniel-GrunbergerCA](https://github.com/Daniel-GrunbergerCA) | [ARMO](https://www.armosec.io/) | 2021-09-01 | +| [Yuval Leibovich](https://www.linkedin.com/in/yuval-leibovich-42ab9661/) | [@yuleib](https://github.com/yuleib) | [ARMO](https://www.armosec.io/) | 2022-11-01 | +| [Alessio Greggi](https://www.linkedin.com/in/alegrey91/) | [@alegrey91](https://github.com/alegrey91) | [ARMO](https://www.armosec.io/) | 2023-02-01 | +| [Ben Hirschberg](https://www.linkedin.com/in/benyamin-ben-hirschberg-66141890) | [@slashben](https://github.com/slashben) | [ARMO](https://www.armosec.io/) | 2021-09-01 | +| [David Wertenteil](https://www.linkedin.com/in/david-wertenteil-0ba277b9) | [@dwertent](https://github.com/dwertent) | [ARMO](https://www.armosec.io/) | 2021-09-01 | diff --git a/README.md b/README.md index 572788774..ab8297944 100644 --- a/README.md +++ b/README.md 
@@ -31,7 +31,6 @@ Example of a framework: "name": "DevOpsBest", "description": "This framework is recommended for use by devops.", "attributes": { - "armoBuiltin": true }, "scanningScope": { "matches": [ @@ -54,7 +53,6 @@ Example of a framework: ] } ``` -* Attribute `"armoBuiltin": true` - mandatory for armo rules. Only ARMO team members are authorized to create builtin objects. * controlNames - List of controls to run, must be exact name. Use copy-paste to be sure. * `scanningScope` - this framework will run just if kubescape scan process match to the scope in the list.(for example the framework above will run if the running kubescape scan is for scanning cluster or file) - list of allowed scanning scope ``` [["cluster", "file"], ["cluster"], ["cloud"], ["GKE"], ["EKS"], ["AKS"]] ```. `cloud` meaning - will run just on managed cluster @@ -68,7 +66,6 @@ Example of a control: { "name": "Pods in default namespace", "attributes": { - "armoBuiltin": true }, "description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This control identifies all the pods running in the default namespace.", "remediation": "Create necessary namespaces and move all the pods from default namespace there.", 
@@ -94,7 +91,6 @@ Example of a control: } } ``` -* Attribute `"armoBuiltin": true` - mandatory for armo rules. Only ARMO team members are authorized to create builtin objects. * `rulesNames` - List of rules to run, must be exact name. Use copy-paste to be sure. * `scanningScope` - this control will run just if kubescape scan process match to the scope in the list.(for example the control above will run if the running kubescape scan is for scanning cluster or file) - list of allowed scanning scope ``` [["cluster", "file"], ["cluster"], ["cloud"], ["GKE"], ["EKS"], ["AKS"]] ```. `cloud` meaning - will run just on managed cluster * `category` - The category the control belongs to. Some controls may also define a `subCategory`. The available categories/sub categories are listed under the `mapCategoryNameToID.json` file, mapped to their respective IDs @@ -116,7 +112,6 @@ Example of rule.metadata.json: { "name": "resources-cpu-limit-and-request", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ @@ -146,7 +141,6 @@ Example of rule.metadata.json: "ruleQuery": "armo_builtins" } ``` -* Attribute `"armoBuiltin": true` - mandatory for armo rules. Only ARMO team members are authorized to create builtin objects. * See [rule go struct](https://github.com/kubescape/opa-utils/blob/master/reporthandling/datastructures.go#L37) for further explanations of rule fields diff --git a/attack-tracks/external-wl-unauthenticated.json b/attack-tracks/external-wl-unauthenticated.json new file mode 100644 index 000000000..a09fc9ac6 --- /dev/null +++ b/attack-tracks/external-wl-unauthenticated.json 
@@ -0,0 +1,20 @@
+{
+ "apiVersion": "regolibrary.kubescape/v1alpha1",
+ "kind": "AttackTrack",
+ "metadata": {
+ "name": "external-database-without-authentication"
+ },
+ "spec": {
+ "version": "1.0",
+ "data": {
+ "name": "Initial Access",
+ "description": "An attacker can access the Kubernetes environment.",
+ "subSteps": [
+ {
+ "name": "Unauthenticated Access",
+ "description": "An unauthenticated attacker can access resources."
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/attack-tracks/external-workload-with-cluster-takeover-roles.json b/attack-tracks/external-workload-with-cluster-takeover-roles.json
new file mode 100644
index 000000000..d12d0a139
--- /dev/null
+++ b/attack-tracks/external-workload-with-cluster-takeover-roles.json
@@ -0,0 +1,20 @@
+{
+ "apiVersion": "regolibrary.kubescape/v1alpha1",
+ "kind": "AttackTrack",
+ "metadata": {
+ "name": "external-workload-with-cluster-takeover-roles"
+ },
+ "spec": {
+ "version": "1.0",
+ "data": {
+ "name": "Initial Access",
+ "description": "An attacker can access the Kubernetes environment.",
+ "subSteps": [
+ {
+ "name": "Cluster Access",
+ "description": "An attacker has access to sensitive information and can leverage them by creating pods in the cluster."
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/attack-tracks/workload-unauthenticated-service.json b/attack-tracks/workload-unauthenticated-service.json
new file mode 100644
index 000000000..d3eb6b961
--- /dev/null
+++ b/attack-tracks/workload-unauthenticated-service.json
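Review bot: The new file `attack-tracks/external-wl-unauthenticated.json` sets `metadata.name` to `external-database-without-authentication`, which does not match its filename, whereas the two sibling files added here use names that mirror their filenames; whichever is the intended identifier, align the other, e.g. `"name": "external-wl-unauthenticated"`. Controls presumably reference a track through `attackTrack` by this `metadata.name` (as the removed `"attackTrack": "service-destruction"` entry in C-0009 does), so a mismatch is easy to miss; none of the controls in this diff reference the new tracks, so I cannot confirm a broken link. All three new files also lack a trailing newline.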
@@ -0,0 +1,20 @@
+{
+ "apiVersion": "regolibrary.kubescape/v1alpha1",
+ "kind": "AttackTrack",
+ "metadata": {
+ "name": "workload-unauthenticated-service"
+ },
+ "spec": {
+ "version": "1.0",
+ "data": {
+ "name": "Initial Access",
+ "description": "The service is exposed outside the Kubernetes network.",
+ "subSteps": [
+ {
+ "name": "Execution",
+ "description": "Database access is missing authentication and it can be accessed by anyone"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/controls/C-0001-forbiddencontainerregistries.json b/controls/C-0001-forbiddencontainerregistries.json
index 4b55ecdd0..de918c769 100644
--- a/controls/C-0001-forbiddencontainerregistries.json
+++ b/controls/C-0001-forbiddencontainerregistries.json
@@ -1,7 +1,6 @@
 {
 "name": "Forbidden Container Registries",
 "attributes": {
- "armoBuiltin": true,
 "microsoftMitreColumns": [
 "Initial Access"
 ],
diff --git a/controls/C-0002-execintocontainer.json b/controls/C-0002-execintocontainer.json
index 139380ac1..c77af143e 100644
--- a/controls/C-0002-execintocontainer.json
+++ b/controls/C-0002-execintocontainer.json
@@ -1,7 +1,6 @@
 {
- "name": "Exec into container",
+ "name": "Prevent containers from allowing command execution",
 "attributes": {
- "armoBuiltin": true,
 "microsoftMitreColumns": [
 "Execution"
 ],
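Review bot: The control is renamed to `Prevent containers from allowing command execution`, but its unchanged `description` (visible in the `@@ -14,7` hunk) still says it determines which subjects have permission to run `kubectl exec`, and the remaining rule is `exec-into-container-v1`; the control evaluates RBAC subjects, not container settings, so the new name misdescribes what is checked. Either pick a name that matches the description, e.g. `"name": "Subjects with exec into container permissions"`, or update the description alongside the rename. The same name/description drift appears in C-0007 (`Roles with delete capabilities`, description still about subjects that can delete resources).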
@@ -14,7 +13,6 @@ "description": "Attackers with relevant permissions can run malicious commands in the context of legitimate containers in the cluster using \u201ckubectl exec\u201d command. This control determines which subjects have permissions to use this command.", "remediation": "It is recommended to prohibit \u201ckubectl exec\u201d command in production environments. It is also recommended not to use subjects with this permission for daily cluster operations.", "rulesNames": [ - "exec-into-container", "exec-into-container-v1" ], "long_description": "Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (\u201ckubectl exec\u201d). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using \u201ckubectl exec\u201d.", diff --git a/controls/C-0004-resourcesmemorylimitandrequest.json b/controls/C-0004-resourcesmemorylimitandrequest.json index afa91763f..5d1df7987 100644 --- a/controls/C-0004-resourcesmemorylimitandrequest.json +++ b/controls/C-0004-resourcesmemorylimitandrequest.json @@ -1,7 +1,6 @@ { "name": "Resources memory limit and request", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "compliance", "devops" diff --git a/controls/C-0005-apiserverinsecureportisenabled.json b/controls/C-0005-apiserverinsecureportisenabled.json index 8d4882f74..5fb3aad30 100644 --- a/controls/C-0005-apiserverinsecureportisenabled.json +++ b/controls/C-0005-apiserverinsecureportisenabled.json @@ -1,7 +1,6 @@ { "name": "API server insecure port is enabled", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "security", "compliance" diff --git a/controls/C-0007-datadestruction.json b/controls/C-0007-datadestruction.json index 5cd33f53c..3b6ad93d8 100644 --- a/controls/C-0007-datadestruction.json +++ b/controls/C-0007-datadestruction.json 
@@ -1,7 +1,6 @@ { - "name": "Data Destruction", + "name": "Roles with delete capabilities", "attributes": { - "armoBuiltin": true, "microsoftMitreColumns": [ "Impact" ], @@ -13,7 +12,6 @@ "description": "Attackers may attempt to destroy data and resources in the cluster. This includes deleting deployments, configurations, storage, and compute resources. This control identifies all subjects that can delete resources.", "remediation": "You should follow the least privilege principle and minimize the number of subjects that can delete resources.", "rulesNames": [ - "rule-excessive-delete-rights", "rule-excessive-delete-rights-v1" ], "long_description": "Attackers may attempt to destroy data and resources in the cluster. This includes deleting deployments, configurations, storage, and compute resources.", diff --git a/controls/C-0009-resourcelimits.json b/controls/C-0009-resourcelimits.json index cf38bf979..16f4c79dd 100644 --- a/controls/C-0009-resourcelimits.json +++ b/controls/C-0009-resourcelimits.json @@ -1,17 +1,8 @@ { "name": "Resource limits", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "security" - ], - "attackTracks": [ - { - "attackTrack": "service-destruction", - "categories": [ - "Denial of service" - ] - } ] }, "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", diff --git a/controls/C-0012-applicationscredentialsinconfigurationfiles.json b/controls/C-0012-applicationscredentialsinconfigurationfiles.json index a093a3e06..8ca05f709 100644 --- a/controls/C-0012-applicationscredentialsinconfigurationfiles.json 
+++ b/controls/C-0012-applicationscredentialsinconfigurationfiles.json @@ -2,7 +2,6 @@ "name": "Applications credentials in configuration files", "attributes": { "actionRequired": "configuration", - "armoBuiltin": true, "microsoftMitreColumns": [ "Credential access", "Lateral Movement" diff --git a/controls/C-0013-nonrootcontainers.json b/controls/C-0013-nonrootcontainers.json index a60e15ea8..e62fd8a29 100644 --- a/controls/C-0013-nonrootcontainers.json +++ b/controls/C-0013-nonrootcontainers.json 
@@ -1,19 +1,18 @@ { "name": "Non-root containers", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "security", "compliance" ] }, "description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the pods running as root or can escalate to root.", - "remediation": "If your application does not need root privileges, make sure to define the runAsUser or runAsGroup under the PodSecurityContext and use user ID 1000 or higher. Do not turn on allowPrivlegeEscalation bit and make sure runAsNonRoot is true.", + "remediation": "If your application does not need root privileges, make sure to define runAsNonRoot as true or explicitly set the runAsUser using ID 1000 or higher under the PodSecurityContext or container securityContext. In addition, set an explicit value for runAsGroup using ID 1000 or higher.", "rulesNames": [ "non-root-containers" ], - "long_description": "Container engines allow containers to run applications as a non-root user with non-root group membership. Typically, this non-default setting is configured when the container image is built. . Alternatively, Kubernetes can load containers into a Pod with SecurityContext:runAsUser specifying a non-zero user. While the runAsUser directive effectively forces non-root execution at deployment, NSA and CISA encourage developers to build container applications to execute as a non-root user. Having non-root execution integrated at build time provides better assurance that applications will function correctly without root privileges.", - "test": "Verify if runAsUser and runAsGroup are set to a user id greater than 999. Check that the allowPrivilegeEscalation field is set to false. 
Check all the combinations with PodSecurityContext and SecurityContext (for containers).", + "long_description": "Container engines allow containers to run applications as a non-root user with non-root group membership. Typically, this non-default setting is configured when the container image is built. Alternatively, Kubernetes can load containers into a Pod with SecurityContext:runAsUser specifying a non-zero user. While the runAsUser directive effectively forces non-root execution at deployment, NSA and CISA encourage developers to build container applications to execute as a non-root user. Having non-root execution integrated at build time provides better assurance that applications will function correctly without root privileges.", + "test": "Verify that runAsUser is set to a user id greater than 0 or that runAsNonRoot is set to true, and that runAsGroup is set to an id greater than 0. Check all the combinations with PodSecurityContext and SecurityContext (for containers).", "controlID": "C-0013", "baseScore": 6.0, "example": "@controls/examples/c013.yaml", diff --git a/controls/C-0014-accesskubernetesdashboard.json b/controls/C-0014-accesskubernetesdashboard.json index a73388f62..84b01cfa3 100644 --- a/controls/C-0014-accesskubernetesdashboard.json +++ b/controls/C-0014-accesskubernetesdashboard.json @@ -1,7 +1,6 @@ { "name": "Access Kubernetes dashboard", "attributes": { - "armoBuiltin": true, "microsoftMitreColumns": [ "Discovery", "Lateral Movement" 
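Review bot: The rewritten `remediation` tells users to set `runAsUser` to `ID 1000 or higher`, while the rewritten `test` text says the check accepts any id `greater than 0`; one of the two should change so the documented threshold and the documented check agree, e.g. `"test": "Verify that runAsUser is set to a user id of 1000 or higher or that runAsNonRoot is set to true, ..."` if the rule really enforces 1000. The previous text also required `allowPrivilegeEscalation` to be false and the new text drops that silently; confirm the `non-root-containers` rule (not in this diff) was changed to match, otherwise the control's documentation no longer describes its findings.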
@@ -14,7 +13,6 @@ "description": "Attackers who gain access to the dashboard service account or have its RBAC permissions can use its network access to retrieve information about resources in the cluster or change them. This control checks if a subject that is not dashboard service account is bound to dashboard role/clusterrole, or - if anyone that is not the dashboard pod is associated with dashboard service account.", "remediation": "Make sure that the \u201cKubernetes Dashboard\u201d service account is only bound to the Kubernetes dashboard following the least privilege principle.", "rulesNames": [ - "rule-access-dashboard", "rule-access-dashboard-subject-v1", "rule-access-dashboard-wl-v1" ], diff --git a/controls/C-0015-listkubernetessecrets.json b/controls/C-0015-listkubernetessecrets.json index f990a4b71..6474e7b85 100644 --- a/controls/C-0015-listkubernetessecrets.json +++ b/controls/C-0015-listkubernetessecrets.json @@ -1,7 +1,6 @@ { "name": "List Kubernetes secrets", "attributes": { - "armoBuiltin": true, "microsoftMitreColumns": [ "Credential access" ], 
@@ -14,7 +13,6 @@ "description": "Attackers who have permissions to access secrets can access sensitive information that might include credentials to various services. This control determines which user, group or service account can list/get secrets.", "remediation": "Monitor and approve list of users, groups and service accounts that can access secrets. Use exception mechanism to prevent repetitive the notifications.", "rulesNames": [ - "rule-can-list-get-secrets", "rule-can-list-get-secrets-v1" ], "long_description": "A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services.", diff --git a/controls/C-0016-allowprivilegeescalation.json b/controls/C-0016-allowprivilegeescalation.json index 75c50947f..383059b1c 100644 --- a/controls/C-0016-allowprivilegeescalation.json +++ b/controls/C-0016-allowprivilegeescalation.json @@ -1,10 +1,10 @@ { "name": "Allow privilege escalation", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "security", - "compliance" + "compliance", + "smartRemediation" ] }, "description": "Attackers may gain access to a container and uplift its privilege to enable excessive capabilities.", diff --git a/controls/C-0017-immutablecontainerfilesystem.json b/controls/C-0017-immutablecontainerfilesystem.json index 63f47a664..657d9dad7 100644 --- a/controls/C-0017-immutablecontainerfilesystem.json +++ b/controls/C-0017-immutablecontainerfilesystem.json @@ -1,10 +1,10 @@ { "name": "Immutable container filesystem", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "security", - "compliance" + "compliance", + "smartRemediation" ], "attackTracks": [ { 
diff --git a/controls/C-0018-configuredreadinessprobe.json b/controls/C-0018-configuredreadinessprobe.json index 160e7e2dd..1be332d3a 100644 --- a/controls/C-0018-configuredreadinessprobe.json +++ b/controls/C-0018-configuredreadinessprobe.json @@ -1,7 +1,6 @@ { "name": "Configured readiness probe", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "devops" ] diff --git a/controls/C-0020-mountserviceprincipal.json b/controls/C-0020-mountserviceprincipal.json index 4f0c8cbf1..91b58039f 100644 --- a/controls/C-0020-mountserviceprincipal.json +++ b/controls/C-0020-mountserviceprincipal.json @@ -1,7 +1,6 @@ { "name": "Mount service principal", "attributes": { - "armoBuiltin": true, "microsoftMitreColumns": [ "Credential Access" ], diff --git a/controls/C-0021-exposedsensitiveinterfaces.json b/controls/C-0021-exposedsensitiveinterfaces.json index 13b202a97..8d51908b0 100644 --- a/controls/C-0021-exposedsensitiveinterfaces.json +++ b/controls/C-0021-exposedsensitiveinterfaces.json @@ -2,7 +2,6 @@ "name": "Exposed sensitive interfaces", "attributes": { "actionRequired": "configuration", - "armoBuiltin": true, "microsoftMitreColumns": [ "Initial access" ], 
@@ -13,7 +12,6 @@ "description": "Exposing a sensitive interface to the internet poses a security risk. It might enable attackers to run malicious code or deploy containers in the cluster. This control checks if known components (e.g. Kubeflow, Argo Workflows, etc.) are deployed and exposed services externally.", "remediation": "Consider blocking external interfaces or protect them with appropriate security tools.", "rulesNames": [ - "exposed-sensitive-interfaces", "exposed-sensitive-interfaces-v1" ], "long_description": "Exposing a sensitive interface to the internet poses a security risk. Some popular frameworks were not intended to be exposed to the internet, and therefore don\u2019t require authentication by default. Thus, exposing them to the internet allows unauthenticated access to a sensitive interface which might enable running code or deploying containers in the cluster by a malicious actor. Examples of such interfaces that were seen exploited include Apache NiFi, Kubeflow, Argo Workflows, Weave Scope, and the Kubernetes dashboard.", diff --git a/controls/C-0026-kubernetescronjob.json b/controls/C-0026-kubernetescronjob.json index 3f8ebbc7a..fdff6848d 100644 --- a/controls/C-0026-kubernetescronjob.json +++ b/controls/C-0026-kubernetescronjob.json @@ -1,7 +1,6 @@ { "name": "Kubernetes CronJob", "attributes": { - "armoBuiltin": true, "microsoftMitreColumns": [ "Persistence" ], diff --git a/controls/C-0030-ingressandegressblocked.json b/controls/C-0030-ingressandegressblocked.json index 98afdec86..56196673d 100644 --- a/controls/C-0030-ingressandegressblocked.json +++ b/controls/C-0030-ingressandegressblocked.json @@ -1,7 +1,6 @@ { "name": "Ingress and Egress blocked", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "compliance" ] diff --git a/controls/C-0031-deletekubernetesevents.json b/controls/C-0031-deletekubernetesevents.json index 149ec2beb..7f76c856e 100644 --- a/controls/C-0031-deletekubernetesevents.json 
+++ b/controls/C-0031-deletekubernetesevents.json @@ -1,7 +1,6 @@ { "name": "Delete Kubernetes events", "attributes": { - "armoBuiltin": true, "microsoftMitreColumns": [ "Defense evasion" ], @@ -14,7 +13,6 @@ "description": "Attackers may delete Kubernetes events to avoid detection of their activity in the cluster. This control identifies all the subjects that can delete Kubernetes events.", "remediation": "You should follow the least privilege principle. Minimize the number of subjects who can delete Kubernetes events. Avoid using these subjects in the daily operations.", "rulesNames": [ - "rule-can-delete-k8s-events", "rule-can-delete-k8s-events-v1" ], "long_description": "A Kubernetes event is a Kubernetes object that logs state changes and failures of the resources in the cluster. Example events are a container creation, an image pull, or a pod scheduling on a node. Kubernetes events can be very useful for identifying changes that occur in the cluster. Therefore, attackers may want to delete these events (e.g., by using: \u201ckubectl delete events\u2013all\u201d) in an attempt to avoid detection of their activity in the cluster.", diff --git a/controls/C-0034-automaticmappingofserviceaccount.json b/controls/C-0034-automaticmappingofserviceaccount.json index a6a37ad32..01a0b146f 100644 --- a/controls/C-0034-automaticmappingofserviceaccount.json +++ b/controls/C-0034-automaticmappingofserviceaccount.json @@ -1,10 +1,10 @@ { "name": "Automatic mapping of service account", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "security", - "compliance" + "compliance", + "smartRemediation" ] }, "description": "Potential attacker may gain access to a pod and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for pods that need to use them.", 
diff --git a/controls/C-0035-clusteradminbinding.json b/controls/C-0035-clusteradminbinding.json index 74eb05741..e2f1e987e 100644 --- a/controls/C-0035-clusteradminbinding.json +++ b/controls/C-0035-clusteradminbinding.json @@ -1,7 +1,6 @@ { - "name": "Cluster-admin binding", + "name": "Administrative Roles", "attributes": { - "armoBuiltin": true, "microsoftMitreColumns": [ "Privilege escalation" ], @@ -14,7 +13,6 @@ "description": "Attackers who have cluster admin permissions (can perform any action on any resource), can take advantage of their privileges for malicious activities. This control determines which subjects have cluster admin permissions.", "remediation": "You should apply least privilege principle. Make sure cluster admin permissions are granted only when it is absolutely necessary. Don't use subjects with such high permissions for daily operations.", "rulesNames": [ - "rule-list-all-cluster-admins", "rule-list-all-cluster-admins-v1" ], "long_description": "Role-based access control (RBAC) is a key security feature in Kubernetes. RBAC can restrict the allowed actions of the various identities in the cluster. Cluster-admin is a built-in high privileged role in Kubernetes. Attackers who have permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.", diff --git a/controls/C-0036-maliciousadmissioncontrollervalidating.json b/controls/C-0036-maliciousadmissioncontrollervalidating.json index 61a4660a8..2ed288707 100644 --- a/controls/C-0036-maliciousadmissioncontrollervalidating.json +++ b/controls/C-0036-maliciousadmissioncontrollervalidating.json @@ -1,7 +1,6 @@ { "name": "Validate admission controller (validating)", "attributes": { - "armoBuiltin": true, "microsoftMitreColumns": [ "Credential access" ], diff --git a/controls/C-0037-corednspoisoning.json b/controls/C-0037-corednspoisoning.json index bd0bbf9b5..2ff4a9ce1 100644 
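Review bot: The first hunk renames the control from "Cluster-admin binding" to "Administrative Roles", but the `description` and `remediation` kept as context in the second hunk still speak only of "cluster admin permissions", so the new name promises broader coverage than the text says the control detects (only the `long_description` mentions "other high privileges roles"). If the rename reflects the remaining rule `rule-list-all-cluster-admins-v1` also flagging other administrative bindings, the description should say so, e.g. `"description": "Attackers who have cluster-admin or other administrative permissions (can perform any action on any resource) can take advantage of their privileges for malicious activities. This control determines which subjects hold such permissions."`; otherwise keeping the old name is the clearer option. The file name `C-0035-clusteradminbinding.json` still carries the old name, which is presumably fine if nothing derives the control name from the path, but worth confirming.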
--- a/controls/C-0037-corednspoisoning.json +++ b/controls/C-0037-corednspoisoning.json @@ -1,7 +1,6 @@ { "name": "CoreDNS poisoning", "attributes": { - "armoBuiltin": true, "microsoftMitreColumns": [ "Lateral Movement" ], @@ -12,7 +11,6 @@ "description": "If attackers have permissions to modify the coredns ConfigMap they can change the behavior of the cluster\u2019s DNS, poison it, and override the network identity of other services. This control identifies all subjects allowed to update the 'coredns' configmap.", "remediation": "You should follow the least privilege principle. Monitor and approve all the subjects allowed to modify the 'coredns' configmap. It is also recommended to remove this permission from the users/service accounts used in the daily operations.", "rulesNames": [ - "rule-can-update-configmap", "rule-can-update-configmap-v1" ], "long_description": "CoreDNS is a modular Domain Name System (DNS) server written in Go, hosted by Cloud Native Computing Foundation (CNCF). CoreDNS is the main DNS service that is being used in Kubernetes. The configuration of CoreDNS can be modified by a file named corefile. In Kubernetes, this file is stored in a ConfigMap object, located at the kube-system namespace. If attackers have permissions to modify the ConfigMap, for example by using the container\u2019s service account, they can change the behavior of the cluster\u2019s DNS, poison it, and take the network identity of other services.", diff --git a/controls/C-0038-hostpidipcprivileges.json b/controls/C-0038-hostpidipcprivileges.json index 880f1b975..80a86f0b5 100644 --- a/controls/C-0038-hostpidipcprivileges.json +++ b/controls/C-0038-hostpidipcprivileges.json @@ -1,7 +1,6 @@ { "name": "Host PID/IPC privileges", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "security", "compliance" diff --git a/controls/C-0039-maliciousadmissioncontrollermutating.json b/controls/C-0039-maliciousadmissioncontrollermutating.json index cc3cdfba2..3fb7e2290 100644 
--- a/controls/C-0039-maliciousadmissioncontrollermutating.json +++ b/controls/C-0039-maliciousadmissioncontrollermutating.json @@ -1,7 +1,6 @@ { "name": "Validate admission controller (mutating)", "attributes": { - "armoBuiltin": true, "microsoftMitreColumns": [ "Persistence" ], diff --git a/controls/C-0041-hostnetworkaccess.json b/controls/C-0041-hostnetworkaccess.json index 739aaf032..580e32f69 100644 --- a/controls/C-0041-hostnetworkaccess.json +++ b/controls/C-0041-hostnetworkaccess.json @@ -1,7 +1,6 @@ { "name": "HostNetwork access", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "security", "compliance" diff --git a/controls/C-0042-sshserverrunninginsidecontainer.json b/controls/C-0042-sshserverrunninginsidecontainer.json index 702157a64..44d723272 100644 --- a/controls/C-0042-sshserverrunninginsidecontainer.json +++ b/controls/C-0042-sshserverrunninginsidecontainer.json @@ -1,7 +1,6 @@ { "name": "SSH server running inside container", "attributes": { - "armoBuiltin": true, "microsoftMitreColumns": [ "Execution" ], @@ -12,7 +11,6 @@ "description": "An SSH server that is running inside a container may be used by attackers to get remote access to the container. This control checks if pods have an open SSH port (22/2222).", "remediation": "Remove SSH from the container image or limit the access to the SSH server using network policies.", "rulesNames": [ - "rule-can-ssh-to-pod", "rule-can-ssh-to-pod-v1" ], "long_description": "SSH server that is running inside a container may be used by attackers. If attackers gain valid credentials to a container, whether by brute force attempts or by other methods (such as phishing), they can use it to get remote access to the container by SSH.", diff --git a/controls/C-0044-containerhostport.json b/controls/C-0044-containerhostport.json index 89b18b9c7..1ad44feec 100644 --- a/controls/C-0044-containerhostport.json +++ b/controls/C-0044-containerhostport.json 
@@ -1,7 +1,6 @@ { "name": "Container hostPort", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "security", "compliance", diff --git a/controls/C-0045-writablehostpathmount.json b/controls/C-0045-writablehostpathmount.json index 44199b0cb..bed14f51a 100644 --- a/controls/C-0045-writablehostpathmount.json +++ b/controls/C-0045-writablehostpathmount.json @@ -1,7 +1,6 @@ { "name": "Writable hostPath mount", "attributes": { - "armoBuiltin": true, "microsoftMitreColumns": [ "Persistence", "Lateral Movement" @@ -10,7 +9,8 @@ "security", "compliance", "devops", - "security-impact" + "security-impact", + "smartRemediation" ], "attackTracks": [ { diff --git a/controls/C-0046-insecurecapabilities.json b/controls/C-0046-insecurecapabilities.json index 2ca8ee8d0..a4cb3ab46 100644 --- a/controls/C-0046-insecurecapabilities.json +++ b/controls/C-0046-insecurecapabilities.json @@ -2,10 +2,10 @@ "name": "Insecure capabilities", "attributes": { "actionRequired": "configuration", - "armoBuiltin": true, "controlTypeTags": [ "security", - "compliance" + "compliance", + "smartRemediation" ], "attackTracks": [ { diff --git a/controls/C-0048-hostpathmount.json b/controls/C-0048-hostpathmount.json index 9c84c0e44..6e687b6d3 100644 --- a/controls/C-0048-hostpathmount.json +++ b/controls/C-0048-hostpathmount.json @@ -1,13 +1,13 @@ { "name": "HostPath mount", "attributes": { - "armoBuiltin": true, "microsoftMitreColumns": [ "Privilege escalation" ], "controlTypeTags": [ "security", - "compliance" + "compliance", + "smartRemediation" ], "attackTracks": [ { diff --git a/controls/C-0049-networkmapping.json b/controls/C-0049-networkmapping.json index 4ed7e4c2a..8a0e662e7 100644 --- a/controls/C-0049-networkmapping.json +++ b/controls/C-0049-networkmapping.json @@ -1,7 +1,6 @@ { "name": "Network mapping", "attributes": { - "armoBuiltin": true, "microsoftMitreColumns": [ "Discovery" ], 
diff --git a/controls/C-0050-resourcescpulimitandrequest.json b/controls/C-0050-resourcescpulimitandrequest.json index 5084d6866..984d06d34 100644 --- a/controls/C-0050-resourcescpulimitandrequest.json +++ b/controls/C-0050-resourcescpulimitandrequest.json @@ -2,7 +2,6 @@ "name": "Resources CPU limit and request", "attributes": { "actionRequired": "configuration", - "armoBuiltin": true, "controlTypeTags": [ "compliance", "devops" diff --git a/controls/C-0052-instancemetadataapi.json b/controls/C-0052-instancemetadataapi.json index 0c8718562..9db8f8d5c 100644 --- a/controls/C-0052-instancemetadataapi.json +++ b/controls/C-0052-instancemetadataapi.json @@ -1,7 +1,6 @@ { "name": "Instance Metadata API", "attributes": { - "armoBuiltin": true, "microsoftMitreColumns": [ "Discovery" ], diff --git a/controls/C-0053-accesscontainerserviceaccount.json b/controls/C-0053-accesscontainerserviceaccount.json index a99e952ee..a3a503532 100644 --- a/controls/C-0053-accesscontainerserviceaccount.json +++ b/controls/C-0053-accesscontainerserviceaccount.json @@ -1,7 +1,6 @@ { "name": "Access container service account", "attributes": { - "armoBuiltin": true, "microsoftMitreColumns": [ "Credential access" ], 
@@ -14,7 +13,6 @@ "description": "Attackers who obtain access to a pod can use its SA token to communicate with KubeAPI server. All pods with SA token mounted (if such token has a Role or a ClusterRole binding) are considerred potentially dangerous.", "remediation": "Verify that RBAC is enabled. Follow the least privilege principle and ensure that only necessary pods have SA token mounted into them.", "rulesNames": [ - "access-container-service-account", "access-container-service-account-v1" ], "long_description": "Service account (SA) represents an application identity in Kubernetes. By default, an SA is mounted to every created pod in the cluster. Using the SA, containers in the pod can send requests to the Kubernetes API server. Attackers who get access to a pod can access the SA token (located in /var/run/secrets/kubernetes.io/serviceaccount/token) and perform actions in the cluster, according to the SA permissions. If RBAC is not enabled, the SA has unlimited permissions in the cluster. If RBAC is enabled, its permissions are determined by the RoleBindings\\\\ClusterRoleBindings that are associated with it.", diff --git a/controls/C-0054-clusterinternalnetworking.json b/controls/C-0054-clusterinternalnetworking.json index f2ac99d2e..d4ab27bf8 100644 --- a/controls/C-0054-clusterinternalnetworking.json +++ b/controls/C-0054-clusterinternalnetworking.json @@ -1,7 +1,6 @@ { "name": "Cluster internal networking", "attributes": { - "armoBuiltin": true, "microsoftMitreColumns": [ "Lateral movement" ], diff --git a/controls/C-0055-linuxhardening.json b/controls/C-0055-linuxhardening.json index 996b5fe57..75e374a56 100644 --- a/controls/C-0055-linuxhardening.json +++ b/controls/C-0055-linuxhardening.json @@ -1,7 +1,6 @@ { "name": "Linux hardening", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "security", "compliance" diff --git a/controls/C-0056-configuredlivenessprobe.json b/controls/C-0056-configuredlivenessprobe.json index 88fef2132..f2191926b 100644 
--- a/controls/C-0056-configuredlivenessprobe.json +++ b/controls/C-0056-configuredlivenessprobe.json @@ -1,7 +1,6 @@ { "name": "Configured liveness probe", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "devops" ] diff --git a/controls/C-0057-privilegedcontainer.json b/controls/C-0057-privilegedcontainer.json index 4189c7554..c4565b51a 100644 --- a/controls/C-0057-privilegedcontainer.json +++ b/controls/C-0057-privilegedcontainer.json @@ -1,12 +1,12 @@ { "name": "Privileged container", "attributes": { - "armoBuiltin": true, "microsoftMitreColumns": [ "Privilege escalation" ], "controlTypeTags": [ - "security" + "security", + "smartRemediation" ] }, "description": "Potential attackers may gain access to privileged containers and inherit access to the host resources. Therefore, it is not recommended to deploy privileged containers unless it is absolutely necessary. This control identifies all the privileged Pods.", diff --git a/controls/C-0058-cve202125741usingsymlinkforarbitraryhostfilesystemaccess.json b/controls/C-0058-cve202125741usingsymlinkforarbitraryhostfilesystemaccess.json index e57b4fd03..1c2c27134 100644 --- a/controls/C-0058-cve202125741usingsymlinkforarbitraryhostfilesystemaccess.json +++ b/controls/C-0058-cve202125741usingsymlinkforarbitraryhostfilesystemaccess.json @@ -1,7 +1,6 @@ { "name": "CVE-2021-25741 - Using symlink for arbitrary host file system access.", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "security", "compliance" diff --git a/controls/C-0059-cve202125742nginxingresssnippetannotationvulnerability.json b/controls/C-0059-cve202125742nginxingresssnippetannotationvulnerability.json index 5cc664567..95ec4dbee 100644 --- a/controls/C-0059-cve202125742nginxingresssnippetannotationvulnerability.json +++ b/controls/C-0059-cve202125742nginxingresssnippetannotationvulnerability.json 
@@ -1,7 +1,6 @@ { "name": "CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "security", "compliance" diff --git a/controls/C-0061-podsindefaultnamespace.json b/controls/C-0061-podsindefaultnamespace.json index e2301b080..e2abdff72 100644 --- a/controls/C-0061-podsindefaultnamespace.json +++ b/controls/C-0061-podsindefaultnamespace.json @@ -1,7 +1,6 @@ { "name": "Pods in default namespace", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "compliance", "devops" diff --git a/controls/C-0062-sudoincontainerentrypoint.json b/controls/C-0062-sudoincontainerentrypoint.json index 2a8b27c5e..43c2fe44f 100644 --- a/controls/C-0062-sudoincontainerentrypoint.json +++ b/controls/C-0062-sudoincontainerentrypoint.json @@ -1,7 +1,6 @@ { "name": "Sudo in container entrypoint", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "security" ] diff --git a/controls/C-0063-portforwardingprivileges.json b/controls/C-0063-portforwardingprivileges.json index 5d24a32e1..dc93dc1aa 100644 --- a/controls/C-0063-portforwardingprivileges.json +++ b/controls/C-0063-portforwardingprivileges.json @@ -1,7 +1,6 @@ { "name": "Portforwarding privileges", "attributes": { - "armoBuiltin": true, "rbacQuery": "Port Forwarding", "controlTypeTags": [ "security-impact", 
@@ -11,7 +10,6 @@ "description": "Attackers with relevant RBAC permission can use \u201ckubectl portforward\u201d command to establish direct communication with pods from within the cluster or even remotely. Such communication will most likely bypass existing security measures in the cluster. This control determines which subjects have permissions to use this command.", "remediation": "It is recommended to prohibit \u201ckubectl portforward\u201d command in production environments. It is also recommended not to use subjects with this permission for daily cluster operations.", "rulesNames": [ - "rule-can-portforward", "rule-can-portforward-v1" ], "long_description": "Attackers who have relevant RBAC permissions, can run open a backdoor communication channel directly to the sockets inside target container using exec command \u201ckubectl portforward\u201d command. Using this method, attackers can bypass network security restrictions and communicate directly with software in the containers.", diff --git a/controls/C-0065-noimpersonation.json b/controls/C-0065-noimpersonation.json index 4d677e49f..efa09b17c 100644 --- a/controls/C-0065-noimpersonation.json +++ b/controls/C-0065-noimpersonation.json @@ -1,7 +1,6 @@ { "name": "No impersonation", "attributes": { - "armoBuiltin": true, "rbacQuery": "Impersonation", "controlTypeTags": [ "security", @@ -13,7 +12,6 @@ "long_description": "Impersonation is an explicit RBAC permission to use other roles rather than the one assigned to a user, group or service account. This is sometimes needed for testing purposes. However, it is highly recommended not to use this capability in the production environments for daily operations. This control identifies all subjects whose roles include impersonate verb.", "test": "Check for RBACs giving 'impersonate' verb to users/groups/uids/serviceaccounts", "rulesNames": [ - "rule-can-impersonate-users-groups", "rule-can-impersonate-users-groups-v1" ], "controlID": "C-0065", 
diff --git a/controls/C-0066-secretetcdencryptionenabled.json b/controls/C-0066-secretetcdencryptionenabled.json index 24880d5ec..cf6a902cf 100644 --- a/controls/C-0066-secretetcdencryptionenabled.json +++ b/controls/C-0066-secretetcdencryptionenabled.json @@ -1,7 +1,6 @@ { "name": "Secret/etcd encryption enabled", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "security", "compliance" diff --git a/controls/C-0067-auditlogsenabled.json b/controls/C-0067-auditlogsenabled.json index e90541c9d..8632d19b4 100644 --- a/controls/C-0067-auditlogsenabled.json +++ b/controls/C-0067-auditlogsenabled.json @@ -1,7 +1,6 @@ { "name": "Audit logs enabled", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "security", "compliance" diff --git a/controls/C-0068-pspenabled.json b/controls/C-0068-pspenabled.json index b18ede310..4ac34744c 100644 --- a/controls/C-0068-pspenabled.json +++ b/controls/C-0068-pspenabled.json @@ -1,7 +1,6 @@ { "name": "PSP enabled", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "security", "compliance" diff --git a/controls/C-0069-disableanonymousaccesstokubeletservice.json b/controls/C-0069-disableanonymousaccesstokubeletservice.json index 19759145b..02ade8374 100644 --- a/controls/C-0069-disableanonymousaccesstokubeletservice.json +++ b/controls/C-0069-disableanonymousaccesstokubeletservice.json @@ -1,7 +1,6 @@ { "name": "Disable anonymous access to Kubelet service", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "security", "compliance" diff --git a/controls/C-0070-enforcekubeletclienttlsauthentication.json b/controls/C-0070-enforcekubeletclienttlsauthentication.json index fc57cbc58..a9f272927 100644 --- a/controls/C-0070-enforcekubeletclienttlsauthentication.json +++ b/controls/C-0070-enforcekubeletclienttlsauthentication.json @@ -1,7 +1,6 @@ { "name": "Enforce Kubelet client TLS authentication", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "security", "compliance" 
diff --git a/controls/C-0073-nakedpods.json b/controls/C-0073-nakedpods.json index 6782d3900..fae18d3b0 100644 --- a/controls/C-0073-nakedpods.json +++ b/controls/C-0073-nakedpods.json @@ -1,7 +1,6 @@ { "name": "Naked pods", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "devops" ] diff --git a/controls/C-0074-containersmountingdockersocket.json b/controls/C-0074-containersmountingdockersocket.json index 9c952d1e6..7126ff12c 100644 --- a/controls/C-0074-containersmountingdockersocket.json +++ b/controls/C-0074-containersmountingdockersocket.json @@ -1,9 +1,9 @@ { "name": "Container runtime socket mounted", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ - "devops" + "devops", + "smartRemediation" ] }, "description": "Mounting Container runtime socket (Unix socket) enables container to access Container runtime, retrieve sensitive information and execute commands, if Container runtime is available. This control identifies pods that attempt to mount Container runtime socket for accessing Container runtime.", diff --git a/controls/C-0075-imagepullpolicyonlatesttag.json b/controls/C-0075-imagepullpolicyonlatesttag.json index 0ecca02c2..b02d5df6f 100644 --- a/controls/C-0075-imagepullpolicyonlatesttag.json +++ b/controls/C-0075-imagepullpolicyonlatesttag.json @@ -1,7 +1,6 @@ { "name": "Image pull policy on latest tag", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "devops" ] diff --git a/controls/C-0076-labelusageforresources.json b/controls/C-0076-labelusageforresources.json index 105baa26a..e885a9080 100644 --- a/controls/C-0076-labelusageforresources.json +++ b/controls/C-0076-labelusageforresources.json @@ -2,7 +2,6 @@ "name": "Label usage for resources", "attributes": { "actionRequired": "configuration", - "armoBuiltin": true, "controlTypeTags": [ "devops" ] diff --git a/controls/C-0077-k8scommonlabelsusage.json b/controls/C-0077-k8scommonlabelsusage.json index d3645ac56..3e2a61d3e 100644 
--- a/controls/C-0077-k8scommonlabelsusage.json +++ b/controls/C-0077-k8scommonlabelsusage.json @@ -2,7 +2,6 @@ "name": "K8s common labels usage", "attributes": { "actionRequired": "configuration", - "armoBuiltin": true, "controlTypeTags": [ "devops" ] diff --git a/controls/C-0078-imagesfromallowedregistry.json b/controls/C-0078-imagesfromallowedregistry.json index dce18ebe3..4011590c7 100644 --- a/controls/C-0078-imagesfromallowedregistry.json +++ b/controls/C-0078-imagesfromallowedregistry.json @@ -2,7 +2,6 @@ "name": "Images from allowed registry", "attributes": { "actionRequired": "configuration", - "armoBuiltin": true, "microsoftMitreColumns": [ "Collection" ], diff --git a/controls/C-0079-cve20220185linuxkernelcontainerescape.json b/controls/C-0079-cve20220185linuxkernelcontainerescape.json index b135f9d07..cd0d53126 100644 --- a/controls/C-0079-cve20220185linuxkernelcontainerescape.json +++ b/controls/C-0079-cve20220185linuxkernelcontainerescape.json @@ -1,7 +1,6 @@ { "name": "CVE-2022-0185-linux-kernel-container-escape", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "security", "compliance" diff --git a/controls/C-0081-cve202224348argocddirtraversal.json b/controls/C-0081-cve202224348argocddirtraversal.json index 9a3fe859d..8dd9fa520 100644 --- a/controls/C-0081-cve202224348argocddirtraversal.json +++ b/controls/C-0081-cve202224348argocddirtraversal.json @@ -1,7 +1,6 @@ { "name": "CVE-2022-24348-argocddirtraversal", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "security" ] diff --git a/controls/C-0083-workloadswithcriticalvulnerabilitiesexposedtoexternaltraffic.json b/controls/C-0083-workloadswithcriticalvulnerabilitiesexposedtoexternaltraffic.json index 72199d3d7..2479eff06 100644 --- a/controls/C-0083-workloadswithcriticalvulnerabilitiesexposedtoexternaltraffic.json +++ b/controls/C-0083-workloadswithcriticalvulnerabilitiesexposedtoexternaltraffic.json 
@@ -1,7 +1,6 @@ { "name": "Workloads with Critical vulnerabilities exposed to external traffic", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "security" ] diff --git a/controls/C-0084-workloadswithrcevulnerabilitiesexposedtoexternaltraffic.json b/controls/C-0084-workloadswithrcevulnerabilitiesexposedtoexternaltraffic.json index f67d95544..7dbc746e9 100644 --- a/controls/C-0084-workloadswithrcevulnerabilitiesexposedtoexternaltraffic.json +++ b/controls/C-0084-workloadswithrcevulnerabilitiesexposedtoexternaltraffic.json @@ -1,7 +1,6 @@ { "name": "Workloads with RCE vulnerabilities exposed to external traffic", "attributes": { - "armoBuiltin": true, "controlTypeTags": [ "security", "compliance" diff --git a/controls/C-0085-workloadswithexcessiveamountofvulnerabilities.json b/controls/C-0085-workloadswithexcessiveamountofvulnerabilities.json index cea0bfb7e..e0a3c3f55 100644 --- a/controls/C-0085-workloadswithexcessiveamountofvulnerabilities.json +++ b/controls/C-0085-workloadswithexcessiveamountofvulnerabilities.json @@ -2,7 +2,6 @@ "name": "Workloads with excessive amount of vulnerabilities", "attributes": { "actionRequired": "configuration", - "armoBuiltin": true, "controlTypeTags": [ "security", "compliance" diff --git a/controls/C-0086-cve20220492cgroupscontainerescape.json b/controls/C-0086-cve20220492cgroupscontainerescape.json deleted file mode 100644 index 65b5688f1..000000000 --- a/controls/C-0086-cve20220492cgroupscontainerescape.json +++ /dev/null 
@@ -1,28 +0,0 @@
-{
- "name": "CVE-2022-0492-cgroups-container-escape",
- "attributes": {
- "armoBuiltin": true,
- "controlTypeTags": [
- "security",
- "compliance"
- ]
- },
- "description": "Linux Kernel vulnerability CVE-2022-0492 may allow malicious code running inside container to escape container isolation and gain root privileges on the entire node. When fixed Kernel version numbers will become available, this control will be modified to verify them and avoid false positive detections. This control identifies all the resources that don't deploy neither AppArmor nor SELinux, run as root or allow privileged escalation or have corresponding dangerous capabilities.",
- "remediation": "Activate AppArmor or SELinux. Follow the least privilege principle and remove root privileges or privilege escalation option and CAP_DAC_OVERRIDE capability. Make sure you don't allow container images from potentially dangerous sources and that containers that must have high privileges are taken from protected repositories.",
- "rulesNames": [
- "CVE-2022-0492"
- ],
- "long_description": "Linux Kernel vulnerability CVE-2022-0492 may allow malicious code running inside container to escape container isolation and gain root privileges on the entire node. In order to exploit this vulnerability, malicious code should run as root in the container or have CAP_DAC_OVERRIDE capability. If SELinux or AppArmor is deployed, this CVE becomes not exploitable. Also, the exploit is possible when container runtime uses cgroup version 1 implementation (which we assume is on by default, since it is not visible from the Kubernetes level). When fixed Kernel version numbers will become available, this control will be modified to verify them and avoid false positive detections. Note, it is enough to have a single node in the cluster with vulnerable Kernel in order to damage the system.
This control identifies all the resources that don't deploy niether AppArmor nor SELinux, run as root or allow privileged escalation or have corresponding dangerous capabilities.",
- "test": "This control checks whether the container is running with high privileges (root or CAP_DAC_OVERRIDE capability) and doesn't have SELinux or AppArmor enabled. In case where the container is running with CAP_DAC_OVERRIDE capability, we also check for Seccomp, as it's enough to prevent the exploitation in this case.",
- "controlID": "C-0086",
- "baseScore": 4.0,
- "example": "",
- "category": {
- "name" : "Workload"
- },
- "scanningScope": {
- "matches": [
- "cluster"
- ]
- }
-}
\ No newline at end of file
diff --git a/controls/C-0087-cve202223648containerdfsescape.json b/controls/C-0087-cve202223648containerdfsescape.json
index d850d7f1a..30a5cf28a 100644
--- a/controls/C-0087-cve202223648containerdfsescape.json
+++ b/controls/C-0087-cve202223648containerdfsescape.json
@@ -1,7 +1,6 @@
 {
 "name": "CVE-2022-23648-containerd-fs-escape",
 "attributes": {
- "armoBuiltin": true,
 "controlTypeTags": [
 "security"
 ]
diff --git a/controls/C-0088-rbacenabled.json b/controls/C-0088-rbacenabled.json
index 5a85b4db0..44c895b1b 100644
--- a/controls/C-0088-rbacenabled.json
+++ b/controls/C-0088-rbacenabled.json
@@ -1,7 +1,6 @@
 {
 "name": "RBAC enabled",
 "attributes": {
- "armoBuiltin": true,
 "controlTypeTags": [
 "security",
 "compliance"
diff --git a/controls/C-0089-cve20223172aggregatedapiserverredirect.json b/controls/C-0089-cve20223172aggregatedapiserverredirect.json
index 5509df70c..a65e59bea 100644
--- a/controls/C-0089-cve20223172aggregatedapiserverredirect.json
+++ b/controls/C-0089-cve20223172aggregatedapiserverredirect.json
@@ -1,7 +1,6 @@
 {
 "name": "CVE-2022-3172-aggregated-API-server-redirect",
 "attributes": {
- "armoBuiltin": true,
 "controlTypeTags": [
 "security"
 ],
diff --git a/controls/C-0090-cve202239328grafanaauthbypass.json b/controls/C-0090-cve202239328grafanaauthbypass.json
index 1191ce466..fcbde74a6 100644
--- a/controls/C-0090-cve202239328grafanaauthbypass.json
+++ b/controls/C-0090-cve202239328grafanaauthbypass.json
@@ -1,7 +1,6 @@
 {
 "name": "CVE-2022-39328-grafana-auth-bypass",
 "attributes": {
- "armoBuiltin": true,
 "controlTypeTags": [
 "security"
 ]
diff --git a/controls/C-0091-cve202247633kyvernosignaturebypass.json b/controls/C-0091-cve202247633kyvernosignaturebypass.json
index ac49c011c..26d40f3be 100644
--- a/controls/C-0091-cve202247633kyvernosignaturebypass.json
+++ b/controls/C-0091-cve202247633kyvernosignaturebypass.json
@@ -1,7 +1,6 @@
 {
 "name": "CVE-2022-47633-kyverno-signature-bypass",
 "attributes": {
- "armoBuiltin": true,
 "controlTypeTags": [
 "security"
 ]
diff --git a/controls/C-0092-ensurethattheapiserverpodspecificationfilepermissionsaresetto600ormorerestrictive.json b/controls/C-0092-ensurethattheapiserverpodspecificationfilepermissionsaresetto600ormorerestrictive.json
index de61a4dd3..70561ce3f 100644
--- a/controls/C-0092-ensurethattheapiserverpodspecificationfilepermissionsaresetto600ormorerestrictive.json
+++ b/controls/C-0092-ensurethattheapiserverpodspecificationfilepermissionsaresetto600ormorerestrictive.json
@@ -12,7 +12,6 @@
 "ensure-that-the-API-server-pod-specification-file-permissions-are-set-to-600-or-more-restrictive"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 6,
 "impact_statement": "None",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0093-ensurethattheapiserverpodspecificationfileownershipissettorootroot.json b/controls/C-0093-ensurethattheapiserverpodspecificationfileownershipissettorootroot.json
index c45ecef4c..3385a032c 100644
--- a/controls/C-0093-ensurethattheapiserverpodspecificationfileownershipissettorootroot.json
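Review bot: The first hunk of C-0092 leaves `attributes` as an empty object (`"attributes": { },`) now that `armoBuiltin` was its only member, and the same shape results in C-0093 through C-0136 in this change. Either drop the now-empty key or keep it deliberately, but as written the CIS controls carry an empty `attributes` while the non-CIS controls in the same commit (C-0090 and C-0091 just above) keep populated ones, which reads as a leftover rather than a decision. The `\ No newline at end of file` marker shows these files still end without a trailing newline; since every one of them is being rewritten anyway, this is the cheap moment to add it.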
+++ b/controls/C-0093-ensurethattheapiserverpodspecificationfileownershipissettorootroot.json
@@ -12,7 +12,6 @@
 "ensure-that-the-API-server-pod-specification-file-ownership-is-set-to-root-root"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 6,
 "impact_statement": "None",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0094-ensurethatthecontrollermanagerpodspecificationfilepermissionsaresetto600ormorerestrictive.json b/controls/C-0094-ensurethatthecontrollermanagerpodspecificationfilepermissionsaresetto600ormorerestrictive.json
index fea592b35..12fe8ca25 100644
--- a/controls/C-0094-ensurethatthecontrollermanagerpodspecificationfilepermissionsaresetto600ormorerestrictive.json
+++ b/controls/C-0094-ensurethatthecontrollermanagerpodspecificationfilepermissionsaresetto600ormorerestrictive.json
@@ -12,7 +12,6 @@
 "ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 6,
 "impact_statement": "None",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0095-ensurethatthecontrollermanagerpodspecificationfileownershipissettorootroot.json b/controls/C-0095-ensurethatthecontrollermanagerpodspecificationfileownershipissettorootroot.json
index eda16e975..7b3bc3aa9 100644
--- a/controls/C-0095-ensurethatthecontrollermanagerpodspecificationfileownershipissettorootroot.json
+++ b/controls/C-0095-ensurethatthecontrollermanagerpodspecificationfileownershipissettorootroot.json
@@ -12,7 +12,6 @@
 "ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-root"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 6,
 "impact_statement": "None",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0096-ensurethattheschedulerpodspecificationfilepermissionsaresetto600ormorerestrictive.json b/controls/C-0096-ensurethattheschedulerpodspecificationfilepermissionsaresetto600ormorerestrictive.json
index 85eaab575..e4d57ae1b 100644
--- a/controls/C-0096-ensurethattheschedulerpodspecificationfilepermissionsaresetto600ormorerestrictive.json
+++ b/controls/C-0096-ensurethattheschedulerpodspecificationfilepermissionsaresetto600ormorerestrictive.json
@@ -12,7 +12,6 @@
 "ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 6,
 "impact_statement": "None",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0097-ensurethattheschedulerpodspecificationfileownershipissettorootroot.json b/controls/C-0097-ensurethattheschedulerpodspecificationfileownershipissettorootroot.json
index 0b1b17149..a7a99ff82 100644
--- a/controls/C-0097-ensurethattheschedulerpodspecificationfileownershipissettorootroot.json
+++ b/controls/C-0097-ensurethattheschedulerpodspecificationfileownershipissettorootroot.json
@@ -12,7 +12,6 @@
 "ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-root"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 6,
 "impact_statement": "None",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0098-ensurethattheetcdpodspecificationfilepermissionsaresetto600ormorerestrictive.json b/controls/C-0098-ensurethattheetcdpodspecificationfilepermissionsaresetto600ormorerestrictive.json
index 424fe3f15..878fa443f 100644
--- a/controls/C-0098-ensurethattheetcdpodspecificationfilepermissionsaresetto600ormorerestrictive.json
+++ b/controls/C-0098-ensurethattheetcdpodspecificationfilepermissionsaresetto600ormorerestrictive.json
@@ -12,7 +12,6 @@
 "ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 6,
 "impact_statement": "None",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0099-ensurethattheetcdpodspecificationfileownershipissettorootroot.json b/controls/C-0099-ensurethattheetcdpodspecificationfileownershipissettorootroot.json
index 1e0271620..65c070d50 100644
--- a/controls/C-0099-ensurethattheetcdpodspecificationfileownershipissettorootroot.json
+++ b/controls/C-0099-ensurethattheetcdpodspecificationfileownershipissettorootroot.json
@@ -12,7 +12,6 @@
 "ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-root"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 6,
 "impact_statement": "None",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0100-ensurethatthecontainernetworkinterfacefilepermissionsaresetto600ormorerestrictive.json b/controls/C-0100-ensurethatthecontainernetworkinterfacefilepermissionsaresetto600ormorerestrictive.json
index 8201304fb..a667f6ec1 100644
--- a/controls/C-0100-ensurethatthecontainernetworkinterfacefilepermissionsaresetto600ormorerestrictive.json
+++ b/controls/C-0100-ensurethatthecontainernetworkinterfacefilepermissionsaresetto600ormorerestrictive.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126653/recommendations/1838574"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-Container-Network-Interface-file-permissions-are-set-to-600-or-more-restrictive"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0101-ensurethatthecontainernetworkinterfacefileownershipissettorootroot.json b/controls/C-0101-ensurethatthecontainernetworkinterfacefileownershipissettorootroot.json
index 5bf97b155..30161b04e 100644
--- a/controls/C-0101-ensurethatthecontainernetworkinterfacefileownershipissettorootroot.json
+++ b/controls/C-0101-ensurethatthecontainernetworkinterfacefileownershipissettorootroot.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126653/recommendations/1838576"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-Container-Network-Interface-file-ownership-is-set-to-root-root"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0102-ensurethattheetcddatadirectorypermissionsaresetto700ormorerestrictive.json b/controls/C-0102-ensurethattheetcddatadirectorypermissionsaresetto700ormorerestrictive.json
index 5e86b3f87..464089744 100644
--- a/controls/C-0102-ensurethattheetcddatadirectorypermissionsaresetto700ormorerestrictive.json
+++ b/controls/C-0102-ensurethattheetcddatadirectorypermissionsaresetto700ormorerestrictive.json
@@ -12,7 +12,6 @@
 "ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 7,
 "impact_statement": "None",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0103-ensurethattheetcddatadirectoryownershipissettoetcdetcd.json b/controls/C-0103-ensurethattheetcddatadirectoryownershipissettoetcdetcd.json
index 2b6c363b1..c31dcaa0a 100644
--- a/controls/C-0103-ensurethattheetcddatadirectoryownershipissettoetcdetcd.json
+++ b/controls/C-0103-ensurethattheetcddatadirectoryownershipissettoetcdetcd.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126653/recommendations/1838579"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-etcd"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0104-ensurethattheadminconffilepermissionsaresetto600.json b/controls/C-0104-ensurethattheadminconffilepermissionsaresetto600.json
index d3354f989..b934be74e 100644
--- a/controls/C-0104-ensurethattheadminconffilepermissionsaresetto600.json
+++ b/controls/C-0104-ensurethattheadminconffilepermissionsaresetto600.json
@@ -12,7 +12,6 @@
 "ensure-that-the-admin.conf-file-permissions-are-set-to-600"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 7,
 "impact_statement": "None.",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0105-ensurethattheadminconffileownershipissettorootroot.json b/controls/C-0105-ensurethattheadminconffileownershipissettorootroot.json
index 85a025e80..f445a1432 100644
--- a/controls/C-0105-ensurethattheadminconffileownershipissettorootroot.json
+++ b/controls/C-0105-ensurethattheadminconffileownershipissettorootroot.json
@@ -12,7 +12,6 @@
 "ensure-that-the-admin.conf-file-ownership-is-set-to-root-root"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 7,
 "impact_statement": "None.",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0106-ensurethattheschedulerconffilepermissionsaresetto600ormorerestrictive.json b/controls/C-0106-ensurethattheschedulerconffilepermissionsaresetto600ormorerestrictive.json
index 019a12916..2655c7c12 100644
--- a/controls/C-0106-ensurethattheschedulerconffilepermissionsaresetto600ormorerestrictive.json
+++ b/controls/C-0106-ensurethattheschedulerconffilepermissionsaresetto600ormorerestrictive.json
@@ -12,7 +12,6 @@
 "ensure-that-the-scheduler.conf-file-permissions-are-set-to-600-or-more-restrictive"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 6,
 "impact_statement": "None",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0107-ensurethattheschedulerconffileownershipissettorootroot.json b/controls/C-0107-ensurethattheschedulerconffileownershipissettorootroot.json
index bedbaa4cf..9552e189e 100644
--- a/controls/C-0107-ensurethattheschedulerconffileownershipissettorootroot.json
+++ b/controls/C-0107-ensurethattheschedulerconffileownershipissettorootroot.json
@@ -12,7 +12,6 @@
 "ensure-that-the-scheduler.conf-file-ownership-is-set-to-root-root"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 6,
 "impact_statement": "None",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0108-ensurethatthecontrollermanagerconffilepermissionsaresetto600ormorerestrictive.json b/controls/C-0108-ensurethatthecontrollermanagerconffilepermissionsaresetto600ormorerestrictive.json
index d10e9dc58..700526c95 100644
--- a/controls/C-0108-ensurethatthecontrollermanagerconffilepermissionsaresetto600ormorerestrictive.json
+++ b/controls/C-0108-ensurethatthecontrollermanagerconffilepermissionsaresetto600ormorerestrictive.json
@@ -12,7 +12,6 @@
 "ensure-that-the-controller-manager.conf-file-permissions-are-set-to-600-or-more-restrictive"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 6,
 "impact_statement": "None",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0109-ensurethatthecontrollermanagerconffileownershipissettorootroot.json b/controls/C-0109-ensurethatthecontrollermanagerconffileownershipissettorootroot.json
index 1f955425f..44c4233e7 100644
--- a/controls/C-0109-ensurethatthecontrollermanagerconffileownershipissettorootroot.json
+++ b/controls/C-0109-ensurethatthecontrollermanagerconffileownershipissettorootroot.json
@@ -12,7 +12,6 @@
 "ensure-that-the-controller-manager.conf-file-ownership-is-set-to-root-root"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 6,
 "impact_statement": "None",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0110-ensurethatthekubernetespkidirectoryandfileownershipissettorootroot.json b/controls/C-0110-ensurethatthekubernetespkidirectoryandfileownershipissettorootroot.json
index 0b5d14501..7199fa0f9 100644
--- a/controls/C-0110-ensurethatthekubernetespkidirectoryandfileownershipissettorootroot.json
+++ b/controls/C-0110-ensurethatthekubernetespkidirectoryandfileownershipissettorootroot.json
@@ -12,7 +12,6 @@
 "ensure-that-the-Kubernetes-PKI-directory-and-file-ownership-is-set-to-root-root"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 8,
 "impact_statement": "None",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0111-ensurethatthekubernetespkicertificatefilepermissionsaresetto600ormorerestrictive.json b/controls/C-0111-ensurethatthekubernetespkicertificatefilepermissionsaresetto600ormorerestrictive.json
index f8ef841a2..39ed1b914 100644
--- a/controls/C-0111-ensurethatthekubernetespkicertificatefilepermissionsaresetto600ormorerestrictive.json
+++ b/controls/C-0111-ensurethatthekubernetespkicertificatefilepermissionsaresetto600ormorerestrictive.json
@@ -12,7 +12,6 @@
 "ensure-that-the-Kubernetes-PKI-certificate-file-permissions-are-set-to-600-or-more-restrictive"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 8,
 "impact_statement": "None",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0112-ensurethatthekubernetespkikeyfilepermissionsaresetto600.json b/controls/C-0112-ensurethatthekubernetespkikeyfilepermissionsaresetto600.json
index e70d4f9cb..c70fa9379 100644
--- a/controls/C-0112-ensurethatthekubernetespkikeyfilepermissionsaresetto600.json
+++ b/controls/C-0112-ensurethatthekubernetespkikeyfilepermissionsaresetto600.json
@@ -12,7 +12,6 @@
 "ensure-that-the-Kubernetes-PKI-key-file-permissions-are-set-to-600"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 8,
 "impact_statement": "None",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0113-ensurethattheapiserveranonymousauthargumentissettofalse.json b/controls/C-0113-ensurethattheapiserveranonymousauthargumentissettofalse.json
index 0f3b394de..c021bfbac 100644
--- a/controls/C-0113-ensurethattheapiserveranonymousauthargumentissettofalse.json
+++ b/controls/C-0113-ensurethattheapiserveranonymousauthargumentissettofalse.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838609"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-api-server-anonymous-auth-argument-is-set-to-false"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0114-ensurethattheapiservertokenauthfileparameterisnotset.json b/controls/C-0114-ensurethattheapiservertokenauthfileparameterisnotset.json
index 80e827ab5..7dc3e89da 100644
--- a/controls/C-0114-ensurethattheapiservertokenauthfileparameterisnotset.json
+++ b/controls/C-0114-ensurethattheapiservertokenauthfileparameterisnotset.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838611"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-api-server-token-auth-file-parameter-is-not-set"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0115-ensurethattheapiserverdenyserviceexternalipsisnotset.json b/controls/C-0115-ensurethattheapiserverdenyserviceexternalipsisnotset.json
index 8a052258b..9ed3be63c 100644
--- a/controls/C-0115-ensurethattheapiserverdenyserviceexternalipsisnotset.json
+++ b/controls/C-0115-ensurethattheapiserverdenyserviceexternalipsisnotset.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838614"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-api-server-DenyServiceExternalIPs-is-not-set"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0116-ensurethattheapiserverkubeletclientcertificateandkubeletclientkeyargumentsaresetasappropriate.json b/controls/C-0116-ensurethattheapiserverkubeletclientcertificateandkubeletclientkeyargumentsaresetasappropriate.json
index 903f4b6a2..d9d3a8312 100644
--- a/controls/C-0116-ensurethattheapiserverkubeletclientcertificateandkubeletclientkeyargumentsaresetasappropriate.json
+++ b/controls/C-0116-ensurethattheapiserverkubeletclientcertificateandkubeletclientkeyargumentsaresetasappropriate.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838624"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-api-server-kubelet-client-certificate-and-kubelet-client-key-arguments-are-set-as-appropriate"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0117-ensurethattheapiserverkubeletcertificateauthorityargumentissetasappropriate.json b/controls/C-0117-ensurethattheapiserverkubeletcertificateauthorityargumentissetasappropriate.json
index a8d7beb37..1e5007181 100644
--- a/controls/C-0117-ensurethattheapiserverkubeletcertificateauthorityargumentissetasappropriate.json
+++ b/controls/C-0117-ensurethattheapiserverkubeletcertificateauthorityargumentissetasappropriate.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838634"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-api-server-kubelet-certificate-authority-argument-is-set-as-appropriate"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0118-ensurethattheapiserverauthorizationmodeargumentisnotsettoalwaysallow.json b/controls/C-0118-ensurethattheapiserverauthorizationmodeargumentisnotsettoalwaysallow.json
index d1e466ede..3fe1bd12c 100644
--- a/controls/C-0118-ensurethattheapiserverauthorizationmodeargumentisnotsettoalwaysallow.json
+++ b/controls/C-0118-ensurethattheapiserverauthorizationmodeargumentisnotsettoalwaysallow.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838639"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-api-server-authorization-mode-argument-is-not-set-to-AlwaysAllow"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0119-ensurethattheapiserverauthorizationmodeargumentincludesnode.json b/controls/C-0119-ensurethattheapiserverauthorizationmodeargumentincludesnode.json
index b4d59d6f4..403c86f61 100644
--- a/controls/C-0119-ensurethattheapiserverauthorizationmodeargumentincludesnode.json
+++ b/controls/C-0119-ensurethattheapiserverauthorizationmodeargumentincludesnode.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838641"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-api-server-authorization-mode-argument-includes-Node"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0120-ensurethattheapiserverauthorizationmodeargumentincludesrbac.json b/controls/C-0120-ensurethattheapiserverauthorizationmodeargumentincludesrbac.json
index 794a47b24..3a9309c13 100644
--- a/controls/C-0120-ensurethattheapiserverauthorizationmodeargumentincludesrbac.json
+++ b/controls/C-0120-ensurethattheapiserverauthorizationmodeargumentincludesrbac.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838642"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-api-server-authorization-mode-argument-includes-RBAC"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0121-ensurethattheadmissioncontrolplugineventratelimitisset.json b/controls/C-0121-ensurethattheadmissioncontrolplugineventratelimitisset.json
index 8ece62802..c2016a57b 100644
--- a/controls/C-0121-ensurethattheadmissioncontrolplugineventratelimitisset.json
+++ b/controls/C-0121-ensurethattheadmissioncontrolplugineventratelimitisset.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838644"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-admission-control-plugin-EventRateLimit-is-set"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0122-ensurethattheadmissioncontrolpluginalwaysadmitisnotset.json b/controls/C-0122-ensurethattheadmissioncontrolpluginalwaysadmitisnotset.json
index 8a01ffe7f..94d13db31 100644
--- a/controls/C-0122-ensurethattheadmissioncontrolpluginalwaysadmitisnotset.json
+++ b/controls/C-0122-ensurethattheadmissioncontrolpluginalwaysadmitisnotset.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838647"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-admission-control-plugin-AlwaysAdmit-is-not-set"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0123-ensurethattheadmissioncontrolpluginalwayspullimagesisset.json b/controls/C-0123-ensurethattheadmissioncontrolpluginalwayspullimagesisset.json
index 939546258..a1b28828a 100644
--- a/controls/C-0123-ensurethattheadmissioncontrolpluginalwayspullimagesisset.json
+++ b/controls/C-0123-ensurethattheadmissioncontrolpluginalwayspullimagesisset.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838649"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-admission-control-plugin-AlwaysPullImages-is-set"
@@ -22,7 +21,7 @@
 "default_value": "By default, `AlwaysPullImages` is not set.",
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0124-ensurethattheadmissioncontrolpluginsecuritycontextdenyissetifpodsecuritypolicyisnotused.json b/controls/C-0124-ensurethattheadmissioncontrolpluginsecuritycontextdenyissetifpodsecuritypolicyisnotused.json
index b7dd643e0..0f8ad054e 100644
--- a/controls/C-0124-ensurethattheadmissioncontrolpluginsecuritycontextdenyissetifpodsecuritypolicyisnotused.json
+++ b/controls/C-0124-ensurethattheadmissioncontrolpluginsecuritycontextdenyissetifpodsecuritypolicyisnotused.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838650"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-admission-control-plugin-SecurityContextDeny-is-set-if-PodSecurityPolicy-is-not-used"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0125-ensurethattheadmissioncontrolpluginserviceaccountisset.json b/controls/C-0125-ensurethattheadmissioncontrolpluginserviceaccountisset.json
index f323a790e..e6ccd01b2 100644
--- a/controls/C-0125-ensurethattheadmissioncontrolpluginserviceaccountisset.json
+++ b/controls/C-0125-ensurethattheadmissioncontrolpluginserviceaccountisset.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838652"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-admission-control-plugin-ServiceAccount-is-set"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0126-ensurethattheadmissioncontrolpluginnamespacelifecycleisset.json b/controls/C-0126-ensurethattheadmissioncontrolpluginnamespacelifecycleisset.json
index 1f0035541..89a6f89cf 100644
--- a/controls/C-0126-ensurethattheadmissioncontrolpluginnamespacelifecycleisset.json
+++ b/controls/C-0126-ensurethattheadmissioncontrolpluginnamespacelifecycleisset.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838653"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-admission-control-plugin-NamespaceLifecycle-is-set"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0127-ensurethattheadmissioncontrolpluginnoderestrictionisset.json b/controls/C-0127-ensurethattheadmissioncontrolpluginnoderestrictionisset.json
index bf4d32232..732fc7934 100644
--- a/controls/C-0127-ensurethattheadmissioncontrolpluginnoderestrictionisset.json
+++ b/controls/C-0127-ensurethattheadmissioncontrolpluginnoderestrictionisset.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838655"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-admission-control-plugin-NodeRestriction-is-set"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0128-ensurethattheapiserversecureportargumentisnotsetto0.json b/controls/C-0128-ensurethattheapiserversecureportargumentisnotsetto0.json
index 975b4b4ec..084e651c8 100644
--- a/controls/C-0128-ensurethattheapiserversecureportargumentisnotsetto0.json
+++ b/controls/C-0128-ensurethattheapiserversecureportargumentisnotsetto0.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838659"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-api-server-secure-port-argument-is-not-set-to-0"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0129-ensurethattheapiserverprofilingargumentissettofalse.json b/controls/C-0129-ensurethattheapiserverprofilingargumentissettofalse.json
index 5481d1360..4717aab65 100644
--- a/controls/C-0129-ensurethattheapiserverprofilingargumentissettofalse.json
+++ b/controls/C-0129-ensurethattheapiserverprofilingargumentissettofalse.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838660"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-api-server-profiling-argument-is-set-to-false"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0130-ensurethattheapiserverauditlogpathargumentisset.json b/controls/C-0130-ensurethattheapiserverauditlogpathargumentisset.json
index a7e8a10c0..3bce2ca73 100644
--- a/controls/C-0130-ensurethattheapiserverauditlogpathargumentisset.json
+++ b/controls/C-0130-ensurethattheapiserverauditlogpathargumentisset.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838662"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-api-server-audit-log-path-argument-is-set"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0131-ensurethattheapiserverauditlogmaxageargumentissetto30orasappropriate.json b/controls/C-0131-ensurethattheapiserverauditlogmaxageargumentissetto30orasappropriate.json
index 64b60bdb5..5d754c477 100644
--- a/controls/C-0131-ensurethattheapiserverauditlogmaxageargumentissetto30orasappropriate.json
+++ b/controls/C-0131-ensurethattheapiserverauditlogmaxageargumentissetto30orasappropriate.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838664"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-api-server-audit-log-maxage-argument-is-set-to-30-or-as-appropriate"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0132-ensurethattheapiserverauditlogmaxbackupargumentissetto10orasappropriate.json b/controls/C-0132-ensurethattheapiserverauditlogmaxbackupargumentissetto10orasappropriate.json
index 38f0c5b2c..9da6c5b5d 100644
--- a/controls/C-0132-ensurethattheapiserverauditlogmaxbackupargumentissetto10orasappropriate.json
+++ b/controls/C-0132-ensurethattheapiserverauditlogmaxbackupargumentissetto10orasappropriate.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838665"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-api-server-audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0133-ensurethattheapiserverauditlogmaxsizeargumentissetto100orasappropriate.json b/controls/C-0133-ensurethattheapiserverauditlogmaxsizeargumentissetto100orasappropriate.json
index b2686ff52..3b8c20b7d 100644
--- a/controls/C-0133-ensurethattheapiserverauditlogmaxsizeargumentissetto100orasappropriate.json
+++ b/controls/C-0133-ensurethattheapiserverauditlogmaxsizeargumentissetto100orasappropriate.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838666"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-api-server-audit-log-maxsize-argument-is-set-to-100-or-as-appropriate"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0134-ensurethattheapiserverrequesttimeoutargumentissetasappropriate.json b/controls/C-0134-ensurethattheapiserverrequesttimeoutargumentissetasappropriate.json
index 20d462c2d..47a2fd30b 100644
--- a/controls/C-0134-ensurethattheapiserverrequesttimeoutargumentissetasappropriate.json
+++ b/controls/C-0134-ensurethattheapiserverrequesttimeoutargumentissetasappropriate.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838667"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-api-server-request-timeout-argument-is-set-as-appropriate"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0135-ensurethattheapiserverserviceaccountlookupargumentissettotrue.json b/controls/C-0135-ensurethattheapiserverserviceaccountlookupargumentissettotrue.json
index 1f041716d..7e1ef2c91 100644
--- a/controls/C-0135-ensurethattheapiserverserviceaccountlookupargumentissettotrue.json
+++ b/controls/C-0135-ensurethattheapiserverserviceaccountlookupargumentissettotrue.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838668"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-api-server-service-account-lookup-argument-is-set-to-true"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0136-ensurethattheapiserverserviceaccountkeyfileargumentissetasappropriate.json b/controls/C-0136-ensurethattheapiserverserviceaccountkeyfileargumentissetasappropriate.json
index fb00096f2..3db936f6b 100644
--- a/controls/C-0136-ensurethattheapiserverserviceaccountkeyfileargumentissetasappropriate.json
+++ b/controls/C-0136-ensurethattheapiserverserviceaccountkeyfileargumentissetasappropriate.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838669"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-api-server-service-account-key-file-argument-is-set-as-appropriate"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0137-ensurethattheapiserveretcdcertfileandetcdkeyfileargumentsaresetasappropriate.json b/controls/C-0137-ensurethattheapiserveretcdcertfileandetcdkeyfileargumentsaresetasappropriate.json
index 1a3c586c6..b036696cf 100644
--- a/controls/C-0137-ensurethattheapiserveretcdcertfileandetcdkeyfileargumentsaresetasappropriate.json
+++ b/controls/C-0137-ensurethattheapiserveretcdcertfileandetcdkeyfileargumentsaresetasappropriate.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838670"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-api-server-etcd-certfile-and-etcd-keyfile-arguments-are-set-as-appropriate"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0138-ensurethattheapiservertlscertfileandtlsprivatekeyfileargumentsaresetasappropriate.json b/controls/C-0138-ensurethattheapiservertlscertfileandtlsprivatekeyfileargumentsaresetasappropriate.json
index a367ccfc2..5109ef0a6 100644
--- a/controls/C-0138-ensurethattheapiservertlscertfileandtlsprivatekeyfileargumentsaresetasappropriate.json
+++ b/controls/C-0138-ensurethattheapiservertlscertfileandtlsprivatekeyfileargumentsaresetasappropriate.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838671"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-api-server-tls-cert-file-and-tls-private-key-file-arguments-are-set-as-appropriate"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0139-ensurethattheapiserverclientcafileargumentissetasappropriate.json b/controls/C-0139-ensurethattheapiserverclientcafileargumentissetasappropriate.json
index a9ae1a17d..16d54997d 100644
--- a/controls/C-0139-ensurethattheapiserverclientcafileargumentissetasappropriate.json
+++ b/controls/C-0139-ensurethattheapiserverclientcafileargumentissetasappropriate.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838672"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-api-server-client-ca-file-argument-is-set-as-appropriate"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0140-ensurethattheapiserveretcdcafileargumentissetasappropriate.json b/controls/C-0140-ensurethattheapiserveretcdcafileargumentissetasappropriate.json
index e48543946..4a598bb5f 100644
--- a/controls/C-0140-ensurethattheapiserveretcdcafileargumentissetasappropriate.json
+++ b/controls/C-0140-ensurethattheapiserveretcdcafileargumentissetasappropriate.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838673"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-api-server-etcd-cafile-argument-is-set-as-appropriate"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0141-ensurethattheapiserverencryptionproviderconfigargumentissetasappropriate.json b/controls/C-0141-ensurethattheapiserverencryptionproviderconfigargumentissetasappropriate.json
index d8cd51e3d..75260ca96 100644
--- a/controls/C-0141-ensurethattheapiserverencryptionproviderconfigargumentissetasappropriate.json
+++ b/controls/C-0141-ensurethattheapiserverencryptionproviderconfigargumentissetasappropriate.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838674"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-api-server-encryption-provider-config-argument-is-set-as-appropriate"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0142-ensurethatencryptionprovidersareappropriatelyconfigured.json b/controls/C-0142-ensurethatencryptionprovidersareappropriatelyconfigured.json
index 5a16fcf5a..88ecde7da 100644
--- a/controls/C-0142-ensurethatencryptionprovidersareappropriatelyconfigured.json
+++ b/controls/C-0142-ensurethatencryptionprovidersareappropriatelyconfigured.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838675"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-api-server-encryption-providers-are-appropriately-configured"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0143-ensurethattheapiserveronlymakesuseofstrongcryptographicciphers.json b/controls/C-0143-ensurethattheapiserveronlymakesuseofstrongcryptographicciphers.json
index 640fc5bea..6fd581ab3 100644
--- a/controls/C-0143-ensurethattheapiserveronlymakesuseofstrongcryptographicciphers.json
+++ b/controls/C-0143-ensurethattheapiserveronlymakesuseofstrongcryptographicciphers.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126663/recommendations/1838676"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-API-Server-only-makes-use-of-Strong-Cryptographic-Ciphers"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0144-ensurethatthecontrollermanagerterminatedpodgcthresholdargumentissetasappropriate.json b/controls/C-0144-ensurethatthecontrollermanagerterminatedpodgcthresholdargumentissetasappropriate.json
index 91a3285e9..e43c72438 100644
--- a/controls/C-0144-ensurethatthecontrollermanagerterminatedpodgcthresholdargumentissetasappropriate.json
+++ b/controls/C-0144-ensurethatthecontrollermanagerterminatedpodgcthresholdargumentissetasappropriate.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126669/recommendations/1838677"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-controller-manager-terminated-pod-gc-threshold-argument-is-set-as-appropriate"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0145-ensurethatthecontrollermanagerprofilingargumentissettofalse.json b/controls/C-0145-ensurethatthecontrollermanagerprofilingargumentissettofalse.json
index d9ac69d3e..4b045fe06 100644
--- a/controls/C-0145-ensurethatthecontrollermanagerprofilingargumentissettofalse.json
+++ b/controls/C-0145-ensurethatthecontrollermanagerprofilingargumentissettofalse.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126669/recommendations/1838678"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-controller-manager-profiling-argument-is-set-to-false"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0146-ensurethatthecontrollermanageruseserviceaccountcredentialsargumentissettotrue.json b/controls/C-0146-ensurethatthecontrollermanageruseserviceaccountcredentialsargumentissettotrue.json
index 7a38fc012..722356eb6 100644
--- a/controls/C-0146-ensurethatthecontrollermanageruseserviceaccountcredentialsargumentissettotrue.json
+++ b/controls/C-0146-ensurethatthecontrollermanageruseserviceaccountcredentialsargumentissettotrue.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126669/recommendations/1838679"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-controller-manager-use-service-account-credentials-argument-is-set-to-true"
@@ -22,7 +21,7 @@
 "default_value": "By default, `--use-service-account-credentials` is set to false.",
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0147-ensurethatthecontrollermanagerserviceaccountprivatekeyfileargumentissetasappropriate.json b/controls/C-0147-ensurethatthecontrollermanagerserviceaccountprivatekeyfileargumentissetasappropriate.json
index 7c1ef253c..3d22abaaf 100644
--- a/controls/C-0147-ensurethatthecontrollermanagerserviceaccountprivatekeyfileargumentissetasappropriate.json
+++ b/controls/C-0147-ensurethatthecontrollermanagerserviceaccountprivatekeyfileargumentissetasappropriate.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126669/recommendations/1838680"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-controller-manager-service-account-private-key-file-argument-is-set-as-appropriate"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0148-ensurethatthecontrollermanagerrootcafileargumentissetasappropriate.json b/controls/C-0148-ensurethatthecontrollermanagerrootcafileargumentissetasappropriate.json
index 39af5c01d..71adea6b4 100644
--- a/controls/C-0148-ensurethatthecontrollermanagerrootcafileargumentissetasappropriate.json
+++ b/controls/C-0148-ensurethatthecontrollermanagerrootcafileargumentissetasappropriate.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126669/recommendations/1838681"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-controller-manager-root-ca-file-argument-is-set-as-appropriate"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0149-ensurethatthecontrollermanagerrotatekubeletservercertificateargumentissettotrue.json b/controls/C-0149-ensurethatthecontrollermanagerrotatekubeletservercertificateargumentissettotrue.json
index 8d0ba98ff..beb379523 100644
--- a/controls/C-0149-ensurethatthecontrollermanagerrotatekubeletservercertificateargumentissettotrue.json
+++ b/controls/C-0149-ensurethatthecontrollermanagerrotatekubeletservercertificateargumentissettotrue.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126669/recommendations/1838682"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-controller-manager-RotateKubeletServerCertificate-argument-is-set-to-true"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0150-ensurethatthecontrollermanagerbindaddressargumentissetto127001.json b/controls/C-0150-ensurethatthecontrollermanagerbindaddressargumentissetto127001.json
index f0b3593a1..10b242b04 100644
--- a/controls/C-0150-ensurethatthecontrollermanagerbindaddressargumentissetto127001.json
+++ b/controls/C-0150-ensurethatthecontrollermanagerbindaddressargumentissetto127001.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126669/recommendations/1838683"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-controller-manager-bind-address-argument-is-set-to-127.0.0.1"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0151-ensurethattheschedulerprofilingargumentissettofalse.json b/controls/C-0151-ensurethattheschedulerprofilingargumentissettofalse.json
index 6b5492f05..466486b94 100644
--- a/controls/C-0151-ensurethattheschedulerprofilingargumentissettofalse.json
+++ b/controls/C-0151-ensurethattheschedulerprofilingargumentissettofalse.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126670/recommendations/1838684"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-scheduler-profiling-argument-is-set-to-false"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0152-ensurethattheschedulerbindaddressargumentissetto127001.json b/controls/C-0152-ensurethattheschedulerbindaddressargumentissetto127001.json
index bcb0a2a07..8740f53ab 100644
--- a/controls/C-0152-ensurethattheschedulerbindaddressargumentissetto127001.json
+++ b/controls/C-0152-ensurethattheschedulerbindaddressargumentissetto127001.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126670/recommendations/1838685"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-scheduler-bind-address-argument-is-set-to-127.0.0.1"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0153-ensurethatthecertfileandkeyfileargumentsaresetasappropriate.json b/controls/C-0153-ensurethatthecertfileandkeyfileargumentsaresetasappropriate.json
index aea7b7b7a..6d1a62835 100644
--- a/controls/C-0153-ensurethatthecertfileandkeyfileargumentsaresetasappropriate.json
+++ b/controls/C-0153-ensurethatthecertfileandkeyfileargumentsaresetasappropriate.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126654/recommendations/1838562"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "etcd-tls-enabled"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0154-ensurethattheclientcertauthargumentissettotrue.json b/controls/C-0154-ensurethattheclientcertauthargumentissettotrue.json
index bd2c0c71f..68da5f5e2 100644
--- a/controls/C-0154-ensurethattheclientcertauthargumentissettotrue.json
+++ b/controls/C-0154-ensurethattheclientcertauthargumentissettotrue.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126654/recommendations/1838565"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "etcd-client-auth-cert"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0155-ensurethattheautotlsargumentisnotsettotrue.json b/controls/C-0155-ensurethattheautotlsargumentisnotsettotrue.json
index ba2bfb209..e06cade47 100644
--- a/controls/C-0155-ensurethattheautotlsargumentisnotsettotrue.json
+++ b/controls/C-0155-ensurethattheautotlsargumentisnotsettotrue.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126654/recommendations/1838567"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "etcd-auto-tls-disabled"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0156-ensurethatthepeercertfileandpeerkeyfileargumentsaresetasappropriate.json b/controls/C-0156-ensurethatthepeercertfileandpeerkeyfileargumentsaresetasappropriate.json
index 28dd920dc..740d3d44e 100644
--- a/controls/C-0156-ensurethatthepeercertfileandpeerkeyfileargumentsaresetasappropriate.json
+++ b/controls/C-0156-ensurethatthepeercertfileandpeerkeyfileargumentsaresetasappropriate.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126654/recommendations/1838569"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "etcd-peer-tls-enabled"
@@ -22,7 +21,7 @@
 "default_value": "**Note:** This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, peer communication over TLS is not configured.",
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0157-ensurethatthepeerclientcertauthargumentissettotrue.json b/controls/C-0157-ensurethatthepeerclientcertauthargumentissettotrue.json
index a3cc8d04c..582114816 100644
--- a/controls/C-0157-ensurethatthepeerclientcertauthargumentissettotrue.json
+++ b/controls/C-0157-ensurethatthepeerclientcertauthargumentissettotrue.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126654/recommendations/1838572"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "etcd-peer-client-auth-cert"
@@ -22,7 +21,7 @@
 "default_value": "**Note:** This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, `--peer-client-cert-auth` argument is set to `false`.",
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0158-ensurethatthepeerautotlsargumentisnotsettotrue.json b/controls/C-0158-ensurethatthepeerautotlsargumentisnotsettotrue.json
index 816dfd2a8..f74eb0fef 100644
--- a/controls/C-0158-ensurethatthepeerautotlsargumentisnotsettotrue.json
+++ b/controls/C-0158-ensurethatthepeerautotlsargumentisnotsettotrue.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126654/recommendations/1838575"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "etcd-peer-auto-tls-disabled"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0159-ensurethatauniquecertificateauthorityisusedforetcd.json b/controls/C-0159-ensurethatauniquecertificateauthorityisusedforetcd.json
index d9067e17e..47588b6af 100644
--- a/controls/C-0159-ensurethatauniquecertificateauthorityisusedforetcd.json
+++ b/controls/C-0159-ensurethatauniquecertificateauthorityisusedforetcd.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126654/recommendations/1838578"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "etcd-unique-ca"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0160-ensurethataminimalauditpolicyiscreated.json b/controls/C-0160-ensurethataminimalauditpolicyiscreated.json
index 302d80645..50afb0b3d 100644
--- a/controls/C-0160-ensurethataminimalauditpolicyiscreated.json
+++ b/controls/C-0160-ensurethataminimalauditpolicyiscreated.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126657/recommendations/1838582"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "k8s-audit-logs-enabled-native-cis"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0161-ensurethattheauditpolicycoverskeysecurityconcerns.json b/controls/C-0161-ensurethattheauditpolicycoverskeysecurityconcerns.json
index 507ecf299..9958dd636 100644
--- a/controls/C-0161-ensurethattheauditpolicycoverskeysecurityconcerns.json
+++ b/controls/C-0161-ensurethattheauditpolicycoverskeysecurityconcerns.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126657/recommendations/1838583"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "audit-policy-content"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0162-ensurethatthekubeletservicefilepermissionsaresetto600ormorerestrictive.json b/controls/C-0162-ensurethatthekubeletservicefilepermissionsaresetto600ormorerestrictive.json
index 2f3de829d..3a2c382d2 100644
--- a/controls/C-0162-ensurethatthekubeletservicefilepermissionsaresetto600ormorerestrictive.json
+++ b/controls/C-0162-ensurethatthekubeletservicefilepermissionsaresetto600ormorerestrictive.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126659/recommendations/1838585"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0163-ensurethatthekubeletservicefileownershipissettorootroot.json b/controls/C-0163-ensurethatthekubeletservicefileownershipissettorootroot.json
index a4002c340..de874ec6e 100644
--- a/controls/C-0163-ensurethatthekubeletservicefileownershipissettorootroot.json
+++ b/controls/C-0163-ensurethatthekubeletservicefileownershipissettorootroot.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126659/recommendations/1838589"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-kubelet-service-file-ownership-is-set-to-root-root"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0164-ifproxykubeconfigfileexistsensurepermissionsaresetto600ormorerestrictive.json b/controls/C-0164-ifproxykubeconfigfileexistsensurepermissionsaresetto600ormorerestrictive.json
index 242f4e5e4..77ebe3f66 100644
--- a/controls/C-0164-ifproxykubeconfigfileexistsensurepermissionsaresetto600ormorerestrictive.json
+++ b/controls/C-0164-ifproxykubeconfigfileexistsensurepermissionsaresetto600ormorerestrictive.json
@@ -12,7 +12,6 @@
 "if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 6,
 "impact_statement": "None",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0165-ifproxykubeconfigfileexistsensureownershipissettorootroot.json b/controls/C-0165-ifproxykubeconfigfileexistsensureownershipissettorootroot.json
index 2ba57e278..e8982e7cc 100644
--- a/controls/C-0165-ifproxykubeconfigfileexistsensureownershipissettorootroot.json
+++ b/controls/C-0165-ifproxykubeconfigfileexistsensureownershipissettorootroot.json
@@ -12,7 +12,6 @@
 "if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-root"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 6,
 "impact_statement": "None",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0166-ensurethatthekubeconfigkubeletconffilepermissionsaresetto600ormorerestrictive.json b/controls/C-0166-ensurethatthekubeconfigkubeletconffilepermissionsaresetto600ormorerestrictive.json
index 13d89aea8..7660486c5 100644
--- a/controls/C-0166-ensurethatthekubeconfigkubeletconffilepermissionsaresetto600ormorerestrictive.json
+++ b/controls/C-0166-ensurethatthekubeconfigkubeletconffilepermissionsaresetto600ormorerestrictive.json
@@ -12,7 +12,6 @@
 "ensure-that-the-kubeconfig-kubelet.conf-file-permissions-are-set-to-600-or-more-restrictive"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 6,
 "impact_statement": "None",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0167-ensurethatthekubeconfigkubeletconffileownershipissettorootroot.json b/controls/C-0167-ensurethatthekubeconfigkubeletconffileownershipissettorootroot.json
index 08888e347..ed13229bf 100644
--- a/controls/C-0167-ensurethatthekubeconfigkubeletconffileownershipissettorootroot.json
+++ b/controls/C-0167-ensurethatthekubeconfigkubeletconffileownershipissettorootroot.json
@@ -12,7 +12,6 @@
 "ensure-that-the-kubeconfig-kubelet.conf-file-ownership-is-set-to-root-root"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 6,
 "impact_statement": "None",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0168-ensurethatthecertificateauthoritiesfilepermissionsaresetto600ormorerestrictive.json b/controls/C-0168-ensurethatthecertificateauthoritiesfilepermissionsaresetto600ormorerestrictive.json
index ea9ff5a30..242eca8d6 100644
--- a/controls/C-0168-ensurethatthecertificateauthoritiesfilepermissionsaresetto600ormorerestrictive.json
+++ b/controls/C-0168-ensurethatthecertificateauthoritiesfilepermissionsaresetto600ormorerestrictive.json
@@ -12,7 +12,6 @@
 "ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 7,
 "impact_statement": "None",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0169-ensurethattheclientcertificateauthoritiesfileownershipissettorootroot.json b/controls/C-0169-ensurethattheclientcertificateauthoritiesfileownershipissettorootroot.json
index 0262db91d..7b9b3a42a 100644
--- a/controls/C-0169-ensurethattheclientcertificateauthoritiesfileownershipissettorootroot.json
+++ b/controls/C-0169-ensurethattheclientcertificateauthoritiesfileownershipissettorootroot.json
@@ -12,7 +12,6 @@
 "ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-root"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 7,
 "impact_statement": "None",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0170-ifthekubeletconfigyamlconfigurationfileisbeingusedvalidatepermissionssetto600ormorerestrictive.json b/controls/C-0170-ifthekubeletconfigyamlconfigurationfileisbeingusedvalidatepermissionssetto600ormorerestrictive.json
index b5440909a..635d11361 100644
--- a/controls/C-0170-ifthekubeletconfigyamlconfigurationfileisbeingusedvalidatepermissionssetto600ormorerestrictive.json
+++ b/controls/C-0170-ifthekubeletconfigyamlconfigurationfileisbeingusedvalidatepermissionssetto600ormorerestrictive.json
@@ -12,7 +12,6 @@
 "if-the-kubelet-config.yaml-configuration-file-is-being-used-validate-permissions-set-to-600-or-more-restrictive"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 7,
 "impact_statement": "None",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0171-ifthekubeletconfigyamlconfigurationfileisbeingusedvalidatefileownershipissettorootroot.json b/controls/C-0171-ifthekubeletconfigyamlconfigurationfileisbeingusedvalidatefileownershipissettorootroot.json
index 72b032332..f25327e54 100644
--- a/controls/C-0171-ifthekubeletconfigyamlconfigurationfileisbeingusedvalidatefileownershipissettorootroot.json
+++ b/controls/C-0171-ifthekubeletconfigyamlconfigurationfileisbeingusedvalidatefileownershipissettorootroot.json
@@ -12,7 +12,6 @@
 "ensure-that-the-kubelet-configuration-file-ownership-is-set-to-root-root"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "baseScore": 7,
 "impact_statement": "None",
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0172-ensurethattheanonymousauthargumentissettofalse.json b/controls/C-0172-ensurethattheanonymousauthargumentissettofalse.json
index 1eacc7167..90b330298 100644
--- a/controls/C-0172-ensurethattheanonymousauthargumentissettofalse.json
+++ b/controls/C-0172-ensurethattheanonymousauthargumentissettofalse.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126668/recommendations/1838638"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "anonymous-requests-to-kubelet-service-updated"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0173-ensurethattheauthorizationmodeargumentisnotsettoalwaysallow.json b/controls/C-0173-ensurethattheauthorizationmodeargumentisnotsettoalwaysallow.json
index 510cc12cb..9726af5d9 100644
--- a/controls/C-0173-ensurethattheauthorizationmodeargumentisnotsettoalwaysallow.json
+++ b/controls/C-0173-ensurethattheauthorizationmodeargumentisnotsettoalwaysallow.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126668/recommendations/1838640"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "kubelet-authorization-mode-alwaysAllow"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0174-ensurethattheclientcafileargumentissetasappropriate.json b/controls/C-0174-ensurethattheclientcafileargumentissetasappropriate.json
index 099b906a3..008e5ae76 100644
--- a/controls/C-0174-ensurethattheclientcafileargumentissetasappropriate.json
+++ b/controls/C-0174-ensurethattheclientcafileargumentissetasappropriate.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126668/recommendations/1838643"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "enforce-kubelet-client-tls-authentication-updated"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0175-verifythatthereadonlyportargumentissetto0.json b/controls/C-0175-verifythatthereadonlyportargumentissetto0.json
index 651169e18..6821ef5ae 100644
--- a/controls/C-0175-verifythatthereadonlyportargumentissetto0.json
+++ b/controls/C-0175-verifythatthereadonlyportargumentissetto0.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126668/recommendations/1838645"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "read-only-port-enabled-updated"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0176-ensurethatthestreamingconnectionidletimeoutargumentisnotsetto0.json b/controls/C-0176-ensurethatthestreamingconnectionidletimeoutargumentisnotsetto0.json
index 6073fdfde..cac14e689 100644
--- a/controls/C-0176-ensurethatthestreamingconnectionidletimeoutargumentisnotsetto0.json
+++ b/controls/C-0176-ensurethatthestreamingconnectionidletimeoutargumentisnotsetto0.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126668/recommendations/1838646"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "kubelet-streaming-connection-idle-timeout"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0177-ensurethattheprotectkerneldefaultsargumentissettotrue.json b/controls/C-0177-ensurethattheprotectkerneldefaultsargumentissettotrue.json
index 28313cffd..58c18fbd5 100644
--- a/controls/C-0177-ensurethattheprotectkerneldefaultsargumentissettotrue.json
+++ b/controls/C-0177-ensurethattheprotectkerneldefaultsargumentissettotrue.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126668/recommendations/1838648"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "kubelet-protect-kernel-defaults"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0178-ensurethatthemakeiptablesutilchainsargumentissettotrue.json b/controls/C-0178-ensurethatthemakeiptablesutilchainsargumentissettotrue.json
index 507ab2c14..625358396 100644
--- a/controls/C-0178-ensurethatthemakeiptablesutilchainsargumentissettotrue.json
+++ b/controls/C-0178-ensurethatthemakeiptablesutilchainsargumentissettotrue.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126668/recommendations/1838651"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "kubelet-ip-tables"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0179-ensurethatthehostnameoverrideargumentisnotset.json b/controls/C-0179-ensurethatthehostnameoverrideargumentisnotset.json
index c7db62e8a..d08adebc6 100644
--- a/controls/C-0179-ensurethatthehostnameoverrideargumentisnotset.json
+++ b/controls/C-0179-ensurethatthehostnameoverrideargumentisnotset.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126668/recommendations/1838654"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "kubelet-hostname-override"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0180-ensurethattheeventqpsargumentissetto0oralevelwhichensuresappropriateeventcapture.json b/controls/C-0180-ensurethattheeventqpsargumentissetto0oralevelwhichensuresappropriateeventcapture.json
index 6875418e8..34020fe44 100644
--- a/controls/C-0180-ensurethattheeventqpsargumentissetto0oralevelwhichensuresappropriateeventcapture.json
+++ b/controls/C-0180-ensurethattheeventqpsargumentissetto0oralevelwhichensuresappropriateeventcapture.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126668/recommendations/1838656"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "kubelet-event-qps"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0181-ensurethatthetlscertfileandtlsprivatekeyfileargumentsaresetasappropriate.json b/controls/C-0181-ensurethatthetlscertfileandtlsprivatekeyfileargumentsaresetasappropriate.json
index e6585c203..330f8632d 100644
--- a/controls/C-0181-ensurethatthetlscertfileandtlsprivatekeyfileargumentsaresetasappropriate.json
+++ b/controls/C-0181-ensurethatthetlscertfileandtlsprivatekeyfileargumentsaresetasappropriate.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126668/recommendations/1838657"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "validate-kubelet-tls-configuration-updated"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0182-ensurethattherotatecertificatesargumentisnotsettofalse.json b/controls/C-0182-ensurethattherotatecertificatesargumentisnotsettofalse.json
index f2f4e10a3..1836bf526 100644
--- a/controls/C-0182-ensurethattherotatecertificatesargumentisnotsettofalse.json
+++ b/controls/C-0182-ensurethattherotatecertificatesargumentisnotsettofalse.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126668/recommendations/1838658"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "kubelet-rotate-certificates"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0183-verifythattherotatekubeletservercertificateargumentissettotrue.json b/controls/C-0183-verifythattherotatekubeletservercertificateargumentissettotrue.json
index c9c33f4a1..3de6f9ad2 100644
--- a/controls/C-0183-verifythattherotatekubeletservercertificateargumentissettotrue.json
+++ b/controls/C-0183-verifythattherotatekubeletservercertificateargumentissettotrue.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126668/recommendations/1838661"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "kubelet-rotate-kubelet-server-certificate"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0184-ensurethatthekubeletonlymakesuseofstrongcryptographicciphers.json b/controls/C-0184-ensurethatthekubeletonlymakesuseofstrongcryptographicciphers.json
index 867aa5ff4..5df7efaee 100644
--- a/controls/C-0184-ensurethatthekubeletonlymakesuseofstrongcryptographicciphers.json
+++ b/controls/C-0184-ensurethatthekubeletonlymakesuseofstrongcryptographicciphers.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126668/recommendations/1838663"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "kubelet-strong-cryptographics-ciphers"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0185-ensurethattheclusteradminroleisonlyusedwhererequired.json b/controls/C-0185-ensurethattheclusteradminroleisonlyusedwhererequired.json
index 27dc6fd3c..5a0ab6578 100644
--- a/controls/C-0185-ensurethattheclusteradminroleisonlyusedwhererequired.json
+++ b/controls/C-0185-ensurethattheclusteradminroleisonlyusedwhererequired.json
@@ -10,7 +10,6 @@
 "https://workbench.cisecurity.org/sections/1126661/recommendations/1838588"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "cluster-admin-role"
@@ -23,7 +22,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0186-minimizeaccesstosecrets.json b/controls/C-0186-minimizeaccesstosecrets.json
index 2717be8c0..6848b5268 100644
--- a/controls/C-0186-minimizeaccesstosecrets.json
+++ b/controls/C-0186-minimizeaccesstosecrets.json
@@ -10,7 +10,6 @@
 "https://workbench.cisecurity.org/sections/1126661/recommendations/1838590"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "rule-can-list-get-secrets-v1"
@@ -23,7 +22,8 @@
 "default_value": "By default in a kubeadm cluster the following list of principals have `get` privileges on `secret` objects ```CLUSTERROLEBINDING SUBJECT TYPE SA-NAMESPACEcluster-admin system:masters Group system:controller:clusterrole-aggregation-controller clusterrole-aggregation-controller ServiceAccount kube-systemsystem:controller:expand-controller expand-controller ServiceAccount kube-systemsystem:controller:generic-garbage-collector generic-garbage-collector ServiceAccount kube-systemsystem:controller:namespace-controller namespace-controller ServiceAccount kube-systemsystem:controller:persistent-volume-binder persistent-volume-binder ServiceAccount kube-systemsystem:kube-controller-manager system:kube-controller-manager User ```",
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster",
+ "file"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0187-minimizewildcarduseinrolesandclusterroles.json b/controls/C-0187-minimizewildcarduseinrolesandclusterroles.json
index 1a09b3e9c..19e97ef8f 100644
--- a/controls/C-0187-minimizewildcarduseinrolesandclusterroles.json
+++ b/controls/C-0187-minimizewildcarduseinrolesandclusterroles.json
@@ -10,7 +10,6 @@
 "https://workbench.cisecurity.org/sections/1126661/recommendations/1838591"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "rule-list-all-cluster-admins-v1"
diff --git a/controls/C-0188-minimizeaccesstocreatepods.json b/controls/C-0188-minimizeaccesstocreatepods.json
index 9894f0f6f..c1cd2293a 100644
--- a/controls/C-0188-minimizeaccesstocreatepods.json
+++ b/controls/C-0188-minimizeaccesstocreatepods.json
@@ -10,7 +10,6 @@
 "https://workbench.cisecurity.org/sections/1126661/recommendations/1838592"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "rule-can-create-pod"
@@ -23,7 +22,8 @@
 "default_value": "By default in a kubeadm cluster the following list of principals have `create` privileges on `pod` objects ```CLUSTERROLEBINDING SUBJECT TYPE SA-NAMESPACEcluster-admin system:masters Group system:controller:clusterrole-aggregation-controller clusterrole-aggregation-controller ServiceAccount kube-systemsystem:controller:daemon-set-controller daemon-set-controller ServiceAccount kube-systemsystem:controller:job-controller job-controller ServiceAccount kube-systemsystem:controller:persistent-volume-binder persistent-volume-binder ServiceAccount kube-systemsystem:controller:replicaset-controller replicaset-controller ServiceAccount kube-systemsystem:controller:replication-controller replication-controller ServiceAccount kube-systemsystem:controller:statefulset-controller statefulset-controller ServiceAccount kube-system```",
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster",
+ "file"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0189-ensurethatdefaultserviceaccountsarenotactivelyused.json b/controls/C-0189-ensurethatdefaultserviceaccountsarenotactivelyused.json
index 18d01d325..6aba37cd6 100644
--- a/controls/C-0189-ensurethatdefaultserviceaccountsarenotactivelyused.json
+++ b/controls/C-0189-ensurethatdefaultserviceaccountsarenotactivelyused.json
@@ -10,7 +10,6 @@
 "https://workbench.cisecurity.org/sections/1126661/recommendations/1838594"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "automount-default-service-account",
@@ -24,7 +23,8 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster",
+ "file"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0190-ensurethatserviceaccounttokensareonlymountedwherenecessary.json b/controls/C-0190-ensurethatserviceaccounttokensareonlymountedwherenecessary.json
index e442061f7..3d03705f1 100644
--- a/controls/C-0190-ensurethatserviceaccounttokensareonlymountedwherenecessary.json
+++ b/controls/C-0190-ensurethatserviceaccounttokensareonlymountedwherenecessary.json
@@ -10,7 +10,6 @@
 "https://workbench.cisecurity.org/sections/1126661/recommendations/1838595"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "automount-service-account"
@@ -23,7 +22,8 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster",
+ "file"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0191-limituseofthebindimpersonateandescalatepermissionsinthekubernetescluster.json b/controls/C-0191-limituseofthebindimpersonateandescalatepermissionsinthekubernetescluster.json
index f63300f60..80af64a7e 100644
--- a/controls/C-0191-limituseofthebindimpersonateandescalatepermissionsinthekubernetescluster.json
+++ b/controls/C-0191-limituseofthebindimpersonateandescalatepermissionsinthekubernetescluster.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126661/recommendations/1838597"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "rule-can-bind-escalate",
@@ -23,7 +22,8 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster",
+ "file"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0192-ensurethattheclusterhasatleastoneactivepolicycontrolmechanisminplace.json b/controls/C-0192-ensurethattheclusterhasatleastoneactivepolicycontrolmechanisminplace.json
index 751567761..8fd428237 100644
--- a/controls/C-0192-ensurethattheclusterhasatleastoneactivepolicycontrolmechanisminplace.json
+++ b/controls/C-0192-ensurethattheclusterhasatleastoneactivepolicycontrolmechanisminplace.json
@@ -10,7 +10,6 @@
 "https://workbench.cisecurity.org/sections/1126662/recommendations/1838600"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "pod-security-admission-applied-1",
@@ -24,7 +23,8 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster",
+ "file"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0193-minimizetheadmissionofprivilegedcontainers.json b/controls/C-0193-minimizetheadmissionofprivilegedcontainers.json
index f26d41490..66bbe4015 100644
--- a/controls/C-0193-minimizetheadmissionofprivilegedcontainers.json
+++ b/controls/C-0193-minimizetheadmissionofprivilegedcontainers.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126662/recommendations/1838601"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "pod-security-admission-baseline-applied-1",
@@ -23,7 +22,8 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster",
+ "file"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0194-minimizetheadmissionofcontainerswishingtosharethehostprocessidnamespace.json b/controls/C-0194-minimizetheadmissionofcontainerswishingtosharethehostprocessidnamespace.json
index 2a0bd2cae..a8215e14e 100644
--- a/controls/C-0194-minimizetheadmissionofcontainerswishingtosharethehostprocessidnamespace.json
+++ b/controls/C-0194-minimizetheadmissionofcontainerswishingtosharethehostprocessidnamespace.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126662/recommendations/1838602"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "pod-security-admission-baseline-applied-1",
@@ -23,7 +22,8 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster",
+ "file"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0195-minimizetheadmissionofcontainerswishingtosharethehostipcnamespace.json b/controls/C-0195-minimizetheadmissionofcontainerswishingtosharethehostipcnamespace.json
index 6f39f2806..ce44b97c2 100644
--- a/controls/C-0195-minimizetheadmissionofcontainerswishingtosharethehostipcnamespace.json
+++ b/controls/C-0195-minimizetheadmissionofcontainerswishingtosharethehostipcnamespace.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126662/recommendations/1838605"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "pod-security-admission-baseline-applied-1",
@@ -23,7 +22,8 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster",
+ "file"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0196-minimizetheadmissionofcontainerswishingtosharethehostnetworknamespace.json b/controls/C-0196-minimizetheadmissionofcontainerswishingtosharethehostnetworknamespace.json
index 8113cb719..1ba67e9ac 100644
--- a/controls/C-0196-minimizetheadmissionofcontainerswishingtosharethehostnetworknamespace.json
+++ b/controls/C-0196-minimizetheadmissionofcontainerswishingtosharethehostnetworknamespace.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126662/recommendations/1838610"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "pod-security-admission-baseline-applied-1",
@@ -23,7 +22,8 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster",
+ "file"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0197-minimizetheadmissionofcontainerswithallowprivilegeescalation.json b/controls/C-0197-minimizetheadmissionofcontainerswithallowprivilegeescalation.json
index 1e632ee04..c409c8c9b 100644
--- a/controls/C-0197-minimizetheadmissionofcontainerswithallowprivilegeescalation.json
+++ b/controls/C-0197-minimizetheadmissionofcontainerswithallowprivilegeescalation.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126662/recommendations/1838612"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "pod-security-admission-restricted-applied-1",
@@ -23,7 +22,8 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster",
+ "file"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0198-minimizetheadmissionofrootcontainers.json b/controls/C-0198-minimizetheadmissionofrootcontainers.json
index b014fe9c6..c7c4831bb 100644
--- a/controls/C-0198-minimizetheadmissionofrootcontainers.json
+++ b/controls/C-0198-minimizetheadmissionofrootcontainers.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126662/recommendations/1838615"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "pod-security-admission-restricted-applied-1",
@@ -23,7 +22,8 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster",
+ "file"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0199-minimizetheadmissionofcontainerswiththenet_rawcapability.json b/controls/C-0199-minimizetheadmissionofcontainerswiththenet_rawcapability.json
index b7cd4a991..fe20c7827 100644
--- a/controls/C-0199-minimizetheadmissionofcontainerswiththenet_rawcapability.json
+++ b/controls/C-0199-minimizetheadmissionofcontainerswiththenet_rawcapability.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126662/recommendations/1838617"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "pod-security-admission-baseline-applied-1",
@@ -23,7 +22,8 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster",
+ "file"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0200-minimizetheadmissionofcontainerswithaddedcapabilities.json b/controls/C-0200-minimizetheadmissionofcontainerswithaddedcapabilities.json
index eb0ec059d..4baddf253 100644
--- a/controls/C-0200-minimizetheadmissionofcontainerswithaddedcapabilities.json
+++ b/controls/C-0200-minimizetheadmissionofcontainerswithaddedcapabilities.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126662/recommendations/1838621"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "pod-security-admission-restricted-applied-1",
@@ -23,7 +22,8 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster",
+ "file"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0201-minimizetheadmissionofcontainerswithcapabilitiesassigned.json b/controls/C-0201-minimizetheadmissionofcontainerswithcapabilitiesassigned.json
index 5837b34cc..9562269c8 100644
--- a/controls/C-0201-minimizetheadmissionofcontainerswithcapabilitiesassigned.json
+++ b/controls/C-0201-minimizetheadmissionofcontainerswithcapabilitiesassigned.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126662/recommendations/1838622"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "pod-security-admission-restricted-applied-1",
@@ -23,7 +22,8 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster",
+ "file"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0202-minimizetheadmissionofwindowshostprocesscontainers.json b/controls/C-0202-minimizetheadmissionofwindowshostprocesscontainers.json
index a405a144e..e5485e4da 100644
--- a/controls/C-0202-minimizetheadmissionofwindowshostprocesscontainers.json
+++ b/controls/C-0202-minimizetheadmissionofwindowshostprocesscontainers.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126662/recommendations/1838623"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "pod-security-admission-baseline-applied-1",
@@ -23,7 +22,8 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster",
+ "file"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0203-minimizetheadmissionofhostpathvolumes.json b/controls/C-0203-minimizetheadmissionofhostpathvolumes.json
index 08d155323..ea7586c8c 100644
--- a/controls/C-0203-minimizetheadmissionofhostpathvolumes.json
+++ b/controls/C-0203-minimizetheadmissionofhostpathvolumes.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126662/recommendations/1838625"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "pod-security-admission-baseline-applied-1",
@@ -23,7 +22,8 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster",
+ "file"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0204-minimizetheadmissionofcontainerswhichusehostports.json b/controls/C-0204-minimizetheadmissionofcontainerswhichusehostports.json
index 15962e85a..aa9879848 100644
--- a/controls/C-0204-minimizetheadmissionofcontainerswhichusehostports.json
+++ b/controls/C-0204-minimizetheadmissionofcontainerswhichusehostports.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126662/recommendations/1838626"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "pod-security-admission-baseline-applied-1",
@@ -23,7 +22,8 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster",
+ "file"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0205-ensurethatthecniinusesupportsnetworkpolicies.json b/controls/C-0205-ensurethatthecniinusesupportsnetworkpolicies.json
index 807f396d8..f3d3dbee9 100644
--- a/controls/C-0205-ensurethatthecniinusesupportsnetworkpolicies.json
+++ b/controls/C-0205-ensurethatthecniinusesupportsnetworkpolicies.json
@@ -9,7 +9,6 @@
 "https://workbench.cisecurity.org/sections/1126664/recommendations/1838627"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-cni-in-use-supports-network-policies"
@@ -22,7 +21,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0206-ensurethatallnamespaceshavenetworkpoliciesdefined.json b/controls/C-0206-ensurethatallnamespaceshavenetworkpoliciesdefined.json
index 153d5c606..41b11369d 100644
--- a/controls/C-0206-ensurethatallnamespaceshavenetworkpoliciesdefined.json
+++ b/controls/C-0206-ensurethatallnamespaceshavenetworkpoliciesdefined.json
@@ -10,7 +10,6 @@
 "https://workbench.cisecurity.org/sections/1126664/recommendations/1838628"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "internal-networking"
@@ -23,7 +22,8 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster",
+ "file"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0207-preferusingsecretsasfilesoversecretsasenvironmentvariables.json b/controls/C-0207-preferusingsecretsasfilesoversecretsasenvironmentvariables.json
index 083ee8d02..80efc67d4 100644
--- a/controls/C-0207-preferusingsecretsasfilesoversecretsasenvironmentvariables.json
+++ b/controls/C-0207-preferusingsecretsasfilesoversecretsasenvironmentvariables.json
@@ -10,7 +10,6 @@
 "https://workbench.cisecurity.org/sections/1126665/recommendations/1838630"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "rule-secrets-in-env-var"
@@ -26,7 +25,8 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster",
+ "file"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0208-considerexternalsecretstorage.json b/controls/C-0208-considerexternalsecretstorage.json
index c97d5293c..aa09a2ba1 100644
--- a/controls/C-0208-considerexternalsecretstorage.json
+++ b/controls/C-0208-considerexternalsecretstorage.json
@@ -12,7 +12,6 @@
 "https://workbench.cisecurity.org/sections/1126665/recommendations/1838631"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "external-secret-storage"
@@ -23,7 +22,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0209-createadministrativeboundariesbetweenresourcesusingnamespaces.json b/controls/C-0209-createadministrativeboundariesbetweenresourcesusingnamespaces.json
index 9b16df013..4a43be133 100644
--- a/controls/C-0209-createadministrativeboundariesbetweenresourcesusingnamespaces.json
+++ b/controls/C-0209-createadministrativeboundariesbetweenresourcesusingnamespaces.json
@@ -10,7 +10,6 @@
 "https://workbench.cisecurity.org/sections/1126667/recommendations/1838633"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "list-all-namespaces"
@@ -23,7 +22,7 @@
 "default_value": "By default, Kubernetes starts with two initial namespaces: 1. `default` - The default namespace for objects with no other namespace2. `kube-system` - The namespace for objects created by the Kubernetes system3. `kube-node-lease` - Namespace used for node heartbeats4. `kube-public` - Namespace used for public information in a cluster",
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0210-ensurethattheseccompprofileissettodockerdefaultinyourpoddefinitions.json b/controls/C-0210-ensurethattheseccompprofileissettodockerdefaultinyourpoddefinitions.json
index d854fc293..017e8a472 100644
--- a/controls/C-0210-ensurethattheseccompprofileissettodockerdefaultinyourpoddefinitions.json
+++ b/controls/C-0210-ensurethattheseccompprofileissettodockerdefaultinyourpoddefinitions.json
@@ -10,7 +10,6 @@
 "https://workbench.cisecurity.org/sections/1126667/recommendations/1838635"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "set-seccomp-profile-RuntimeDefault"
@@ -23,7 +22,8 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster",
+ "file"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0211-applysecuritycontexttoyourpodsandcontainers.json b/controls/C-0211-applysecuritycontexttoyourpodsandcontainers.json
index 700f9c67f..bd6c6f6fe 100644
--- a/controls/C-0211-applysecuritycontexttoyourpodsandcontainers.json
+++ b/controls/C-0211-applysecuritycontexttoyourpodsandcontainers.json
@@ -10,7 +10,6 @@
 "https://workbench.cisecurity.org/sections/1126667/recommendations/1838636"
 ],
 "attributes": {
- "armoBuiltin": true,
 "controlTypeTags": [
 "security",
 "compliance"
@@ -35,7 +34,8 @@
 "set-fsgroup-value",
 "set-fsgroupchangepolicy-value",
 "set-sysctls-params",
- "set-supplementalgroups-values"
+ "set-supplementalgroups-values",
+ "rule-allow-privilege-escalation"
 ],
 "baseScore": 8,
 "impact_statement": "If you incorrectly apply security contexts, you may have trouble running the pods.",
@@ -45,7 +45,8 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster",
+ "file"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0212-thedefaultnamespaceshouldnotbeused.json b/controls/C-0212-thedefaultnamespaceshouldnotbeused.json
index d5882df6d..2840520ed 100644
--- a/controls/C-0212-thedefaultnamespaceshouldnotbeused.json
+++ b/controls/C-0212-thedefaultnamespaceshouldnotbeused.json
@@ -10,7 +10,6 @@
 "https://workbench.cisecurity.org/sections/1126667/recommendations/1838637"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "pods-in-default-namespace",
@@ -39,7 +38,7 @@
 },
 "scanningScope": {
 "matches": [
- "cloud"
+ "cluster"
 ]
 }
 }
\ No newline at end of file
diff --git a/controls/C-0213-minimizetheadmissionofprivilegedcontainers.json b/controls/C-0213-minimizetheadmissionofprivilegedcontainers.json
index 73ecf84f5..8644eb71c 100644
--- a/controls/C-0213-minimizetheadmissionofprivilegedcontainers.json
+++ b/controls/C-0213-minimizetheadmissionofprivilegedcontainers.json
@@ -10,7 +10,6 @@
 "https://aws.github.io/aws-eks-best-practices/pods/#restrict-the-containers-that-can-run-as-privileged"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "psp-deny-privileged-container"
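Review bot: The `rulesNames` hunk of C-0211 appends `"rule-allow-privilege-escalation"`, but no rule of that name is added or renamed anywhere in this diff, so the control now depends on a rule whose existence and exact spelling cannot be verified from the change; a control that references a missing rule is the kind of thing that only surfaces when the framework is loaded, so it is worth confirming the rule exists in the rules tree under exactly that name and that its scope matches the `"cluster"` plus `"file"` scanningScope this hunk sets. The same concern, allowPrivilegeEscalation, is covered in C-0197 through `"pod-security-admission-restricted-applied-1"` rather than a dedicated rule, so a one-line note on why C-0211 takes a different route would avoid the two controls drifting apart. Separately, C-0212 (`pods-in-default-namespace`) ends up with `"cluster"` only, while the other workload-manifest controls in this change get `"cluster"` and `"file"`; if `"file"` means manifest scanning, a resource with no explicit namespace is equally detectable there, so please confirm the omission is intentional or add `"file"` for consistency.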
diff --git a/controls/C-0214-minimizetheadmissionofcontainerswishingtosharethehostprocessidnamespace.json b/controls/C-0214-minimizetheadmissionofcontainerswishingtosharethehostprocessidnamespace.json
index ce11828ec..c6afbec98 100644
--- a/controls/C-0214-minimizetheadmissionofcontainerswishingtosharethehostprocessidnamespace.json
+++ b/controls/C-0214-minimizetheadmissionofcontainerswishingtosharethehostprocessidnamespace.json
@@ -9,7 +9,6 @@
 "https://kubernetes.io/docs/concepts/policy/pod-security-policy"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "psp-deny-hostpid"
diff --git a/controls/C-0215-minimizetheadmissionofcontainerswishingtosharethehostipcnamespace.json b/controls/C-0215-minimizetheadmissionofcontainerswishingtosharethehostipcnamespace.json
index d4e00efb6..1de0d7356 100644
--- a/controls/C-0215-minimizetheadmissionofcontainerswishingtosharethehostipcnamespace.json
+++ b/controls/C-0215-minimizetheadmissionofcontainerswishingtosharethehostipcnamespace.json
@@ -9,7 +9,6 @@
 "https://kubernetes.io/docs/concepts/policy/pod-security-policy"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "psp-deny-hostipc"
diff --git a/controls/C-0216-minimizetheadmissionofcontainerswishingtosharethehostnetworknamespace.json b/controls/C-0216-minimizetheadmissionofcontainerswishingtosharethehostnetworknamespace.json
index 05a610d69..c2e922b2b 100644
--- a/controls/C-0216-minimizetheadmissionofcontainerswishingtosharethehostnetworknamespace.json
+++ b/controls/C-0216-minimizetheadmissionofcontainerswishingtosharethehostnetworknamespace.json
@@ -9,7 +9,6 @@
 "https://kubernetes.io/docs/concepts/policy/pod-security-policy"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "psp-deny-hostnetwork"
diff --git a/controls/C-0217-minimizetheadmissionofcontainerswithallowprivilegeescalation.json b/controls/C-0217-minimizetheadmissionofcontainerswithallowprivilegeescalation.json
index ebb9620ad..c534a5425 100644
--- a/controls/C-0217-minimizetheadmissionofcontainerswithallowprivilegeescalation.json
+++ b/controls/C-0217-minimizetheadmissionofcontainerswithallowprivilegeescalation.json
@@ -9,7 +9,6 @@
 "https://kubernetes.io/docs/concepts/policy/pod-security-policy"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "psp-deny-allowprivilegeescalation"
diff --git a/controls/C-0218-minimizetheadmissionofrootcontainers.json b/controls/C-0218-minimizetheadmissionofrootcontainers.json
index 09bdb7782..0b63280a9 100644
--- a/controls/C-0218-minimizetheadmissionofrootcontainers.json
+++ b/controls/C-0218-minimizetheadmissionofrootcontainers.json
@@ -9,7 +9,6 @@
 "https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "psp-deny-root-container"
diff --git a/controls/C-0219-minimizetheadmissionofcontainerswithaddedcapabilities.json b/controls/C-0219-minimizetheadmissionofcontainerswithaddedcapabilities.json
index dd3beb276..71537bf19 100644
--- a/controls/C-0219-minimizetheadmissionofcontainerswithaddedcapabilities.json
+++ b/controls/C-0219-minimizetheadmissionofcontainerswithaddedcapabilities.json
@@ -10,7 +10,6 @@
 "https://www.nccgroup.trust/uk/our-research/abusing-privileged-and-unprivileged-linux-containers/"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "psp-deny-allowed-capabilities"
diff --git a/controls/C-0220-minimizetheadmissionofcontainerswithcapabilitiesassigned.json b/controls/C-0220-minimizetheadmissionofcontainerswithcapabilitiesassigned.json
index adbedb4fa..027031de9 100644
--- a/controls/C-0220-minimizetheadmissionofcontainerswithcapabilitiesassigned.json
+++ b/controls/C-0220-minimizetheadmissionofcontainerswithcapabilitiesassigned.json
@@ -10,7 +10,6 @@
 "https://www.nccgroup.trust/uk/our-research/abusing-privileged-and-unprivileged-linux-containers/"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "psp-required-drop-capabilities"
diff --git a/controls/C-0221-ensureimagevulnerabilityscanningusingamazonecrimagescanningorathirdpartyprovider.json b/controls/C-0221-ensureimagevulnerabilityscanningusingamazonecrimagescanningorathirdpartyprovider.json
index 965ca6348..c0ac2db13 100644
--- a/controls/C-0221-ensureimagevulnerabilityscanningusingamazonecrimagescanningorathirdpartyprovider.json
+++ b/controls/C-0221-ensureimagevulnerabilityscanningusingamazonecrimagescanningorathirdpartyprovider.json
@@ -9,7 +9,6 @@
 "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-image-scanning-enabled-cloud"
diff --git a/controls/C-0222-minimizeuseraccesstoamazonecr.json b/controls/C-0222-minimizeuseraccesstoamazonecr.json
index 9b07514fc..062f8c322 100644
--- a/controls/C-0222-minimizeuseraccesstoamazonecr.json
+++ b/controls/C-0222-minimizeuseraccesstoamazonecr.json
@@ -9,7 +9,6 @@
 "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html#scanning-repository"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-aws-policies-are-present"
diff --git a/controls/C-0223-minimizeclusteraccesstoreadonlyforamazonecr.json b/controls/C-0223-minimizeclusteraccesstoreadonlyforamazonecr.json
index 48038f40d..d77cc23b7 100644
--- a/controls/C-0223-minimizeclusteraccesstoreadonlyforamazonecr.json
+++ b/controls/C-0223-minimizeclusteraccesstoreadonlyforamazonecr.json
@@ -9,7 +9,6 @@
 "https://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_on_EKS.html"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure_nodeinstancerole_has_right_permissions_for_ecr"
diff --git a/controls/C-0225-preferusingdedicatedeksserviceaccounts.json b/controls/C-0225-preferusingdedicatedeksserviceaccounts.json
index 937fe41f0..a45cb1332 100644
--- a/controls/C-0225-preferusingdedicatedeksserviceaccounts.json
+++ b/controls/C-0225-preferusingdedicatedeksserviceaccounts.json
@@ -11,7 +11,6 @@
 "https://aws.github.io/aws-eks-best-practices/security/docs/iam/#scope-the-iam-role-trust-policy-for-irsa-to-the-service-account-name"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-default-service-accounts-has-only-default-roles",
diff --git a/controls/C-0226-preferusingacontaineroptimizedoswhenpossible.json b/controls/C-0226-preferusingacontaineroptimizedoswhenpossible.json
index 7090d5651..207e0fb65 100644
--- a/controls/C-0226-preferusingacontaineroptimizedoswhenpossible.json
+++ b/controls/C-0226-preferusingacontaineroptimizedoswhenpossible.json
@@ -10,7 +10,6 @@
 "https://aws.amazon.com/bottlerocket/"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "alert-container-optimized-os-not-in-use"
diff --git a/controls/C-0227-restrictaccesstothecontrolplaneendpoint.json b/controls/C-0227-restrictaccesstothecontrolplaneendpoint.json
index d3f811ee0..1334d4e81 100644
--- a/controls/C-0227-restrictaccesstothecontrolplaneendpoint.json
+++ b/controls/C-0227-restrictaccesstothecontrolplaneendpoint.json
@@ -9,7 +9,6 @@
 "https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": ["ensure-endpointprivateaccess-is-enabled"],
 "baseScore": 8.0,
diff --git a/controls/C-0228-ensureclustersarecreatedwithprivateendpointenabledandpublicaccessdisabled.json b/controls/C-0228-ensureclustersarecreatedwithprivateendpointenabledandpublicaccessdisabled.json
index a761077d7..d5b56ad8f 100644
--- a/controls/C-0228-ensureclustersarecreatedwithprivateendpointenabledandpublicaccessdisabled.json
+++ b/controls/C-0228-ensureclustersarecreatedwithprivateendpointenabledandpublicaccessdisabled.json
@@ -9,7 +9,6 @@
 "https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": ["ensure-endpointprivateaccess-is-enabled-and-endpointpublicaccess-is-disabled-eks"],
 "baseScore": 8.0,
diff --git a/controls/C-0229-ensureclustersarecreatedwithprivatenodes.json b/controls/C-0229-ensureclustersarecreatedwithprivatenodes.json
index 2385ad0a2..cc4a8ceb5 100644
--- a/controls/C-0229-ensureclustersarecreatedwithprivatenodes.json
+++ b/controls/C-0229-ensureclustersarecreatedwithprivatenodes.json
@@ -7,7 +7,6 @@
 "manual_test": "",
 "references": [],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": ["ensure-endpointpublicaccess-is-disabled-on-private-nodes-eks"],
 "baseScore": 8.0,
diff --git a/controls/C-0230-ensurenetworkpolicyisenabledandsetasappropriate.json b/controls/C-0230-ensurenetworkpolicyisenabledandsetasappropriate.json
index 14d578d16..08a99d846 100644
--- a/controls/C-0230-ensurenetworkpolicyisenabledandsetasappropriate.json
+++ b/controls/C-0230-ensurenetworkpolicyisenabledandsetasappropriate.json
@@ -7,7 +7,6 @@
 "manual_test": "",
 "references": [],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": ["ensure-network-policy-is-enabled-eks"],
 "baseScore": 6.0,
diff --git a/controls/C-0231-encrypttraffictohttpsloadbalancerswithtlscertificates.json b/controls/C-0231-encrypttraffictohttpsloadbalancerswithtlscertificates.json
index d38d84530..b7ad51993 100644
--- a/controls/C-0231-encrypttraffictohttpsloadbalancerswithtlscertificates.json
+++ b/controls/C-0231-encrypttraffictohttpsloadbalancerswithtlscertificates.json
@@ -9,7 +9,6 @@
 "https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/data-protection.html"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": ["ensure-https-loadbalancers-encrypted-with-tls-aws"],
 "baseScore": 5.0,
diff --git a/controls/C-0232-managekubernetesrbacuserswithawsiamauthenticatorforkubernetesorupgradetoawscliv116156.json b/controls/C-0232-managekubernetesrbacuserswithawsiamauthenticatorforkubernetesorupgradetoawscliv116156.json
index d09998ff6..c670f317f 100644
--- a/controls/C-0232-managekubernetesrbacuserswithawsiamauthenticatorforkubernetesorupgradetoawscliv116156.json
+++ b/controls/C-0232-managekubernetesrbacuserswithawsiamauthenticatorforkubernetesorupgradetoawscliv116156.json
@@ -10,7 +10,6 @@
 "https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "review-roles-with-aws-iam-authenticator"
diff --git a/controls/C-0233-considerfargateforrunninguntrustedworkloads.json b/controls/C-0233-considerfargateforrunninguntrustedworkloads.json
index 61e0d1910..12d6c2746 100644
--- a/controls/C-0233-considerfargateforrunninguntrustedworkloads.json
+++ b/controls/C-0233-considerfargateforrunninguntrustedworkloads.json
@@ -9,7 +9,6 @@
 "https://docs.aws.amazon.com/eks/latest/userguide/fargate.html"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "alert-fargate-not-in-use"
diff --git a/controls/C-0234-considerexternalsecretstorage.json b/controls/C-0234-considerexternalsecretstorage.json
index 93551b69a..1f67bb928 100644
--- a/controls/C-0234-considerexternalsecretstorage.json
+++ b/controls/C-0234-considerexternalsecretstorage.json
@@ -7,7 +7,6 @@
 "manual_test": "Review your secrets management implementation.",
 "references": [],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": ["ensure-external-secrets-storage-is-in-use"],
 "baseScore": 6.0,
diff --git a/controls/C-0235-ensurethatthekubeletconfigurationfilehaspermissionssetto644ormorerestrictive.json b/controls/C-0235-ensurethatthekubeletconfigurationfilehaspermissionssetto644ormorerestrictive.json
index c651e3ff7..a4b5deeb5 100644
--- a/controls/C-0235-ensurethatthekubeletconfigurationfilehaspermissionssetto644ormorerestrictive.json
+++ b/controls/C-0235-ensurethatthekubeletconfigurationfilehaspermissionssetto644ormorerestrictive.json
@@ -9,7 +9,6 @@
 "https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-that-the-kubelet-configuration-file-has-permissions-set-to-644-or-more-restrictive"
diff --git a/controls/C-0236-verifyimagesignature.json b/controls/C-0236-verifyimagesignature.json
index c44ffa3eb..869329595 100644
--- a/controls/C-0236-verifyimagesignature.json
+++ b/controls/C-0236-verifyimagesignature.json
@@ -7,8 +7,7 @@
 "manual_test": "",
 "references": [],
 "attributes": {
- "actionRequired": "configuration",
- "armoBuiltin": true
+ "actionRequired": "configuration"
 },
 "rulesNames": [
 "verify-image-signature"
diff --git a/controls/C-0237-hasimagesignature.json b/controls/C-0237-hasimagesignature.json
index fde0b9557..7ebf3a0b9 100644
--- a/controls/C-0237-hasimagesignature.json
+++ b/controls/C-0237-hasimagesignature.json
@@ -7,7 +7,6 @@
 "manual_test": "",
 "references": [],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "has-image-signature"
diff --git a/controls/C-0238-ensurethatthekubeconfigfilepermissionsaresetto644ormorerestrictive.json b/controls/C-0238-ensurethatthekubeconfigfilepermissionsaresetto644ormorerestrictive.json
index 9852350e2..579deb1fe 100644
--- a/controls/C-0238-ensurethatthekubeconfigfilepermissionsaresetto644ormorerestrictive.json
+++ b/controls/C-0238-ensurethatthekubeconfigfilepermissionsaresetto644ormorerestrictive.json
@@ -9,7 +9,6 @@
 "https://kubernetes.io/docs/admin/kube-proxy/"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "Ensure-that-the-kubeconfig-file-permissions-are-set-to-644-or-more-restrictive"
diff --git a/controls/C-0239-preferusingdedicatedaksserviceaccounts.json b/controls/C-0239-preferusingdedicatedaksserviceaccounts.json
index a2159db1f..ecdb5c39c 100644
--- a/controls/C-0239-preferusingdedicatedaksserviceaccounts.json
+++ b/controls/C-0239-preferusingdedicatedaksserviceaccounts.json
@@ -9,7 +9,6 @@
 ""
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-default-service-accounts-has-only-default-roles"
diff --git a/controls/C-0240-ensurenetworkpolicyisenabledandsetasappropriate.json b/controls/C-0240-ensurenetworkpolicyisenabledandsetasappropriate.json
index 5faee94ea..820ae79e6 100644
--- a/controls/C-0240-ensurenetworkpolicyisenabledandsetasappropriate.json
+++ b/controls/C-0240-ensurenetworkpolicyisenabledandsetasappropriate.json
@@ -9,7 +9,6 @@
 "\n\n "
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "rule-cni-enabled-aks"
diff --git a/controls/C-0241-useazurerbacforkubernetesauthorization.json b/controls/C-0241-useazurerbacforkubernetesauthorization.json
index c49ccdac6..cb266de34 100644
--- a/controls/C-0241-useazurerbacforkubernetesauthorization.json
+++ b/controls/C-0241-useazurerbacforkubernetesauthorization.json
@@ -9,7 +9,6 @@
 ""
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": ["ensure-azure-rbac-is-set"],
 "baseScore": 7,
diff --git a/controls/C-0242-hostilemultitenantworkloads.json b/controls/C-0242-hostilemultitenantworkloads.json
index 62e98a3bb..a43c8afcb 100644
--- a/controls/C-0242-hostilemultitenantworkloads.json
+++ b/controls/C-0242-hostilemultitenantworkloads.json
@@ -9,7 +9,6 @@
 ""
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "rule-hostile-multitenant-workloads"
diff --git a/controls/C-0243-ensureimagevulnerabilityscanningusingazuredefenderimagescanningorathirdpartyprovider.json b/controls/C-0243-ensureimagevulnerabilityscanningusingazuredefenderimagescanningorathirdpartyprovider.json
index daa7c6d2e..e58ca3937 100644
--- a/controls/C-0243-ensureimagevulnerabilityscanningusingazuredefenderimagescanningorathirdpartyprovider.json
+++ b/controls/C-0243-ensureimagevulnerabilityscanningusingazuredefenderimagescanningorathirdpartyprovider.json
@@ -9,7 +9,6 @@
 "\n\n \n\n "
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-image-vulnerability-scanning-using-azure-defender-image-scanning-or-a-third-party-provider"
diff --git a/controls/C-0244-ensurekubernetessecretsareencrypted.json b/controls/C-0244-ensurekubernetessecretsareencrypted.json
index 3bb263573..d164330f9 100644
--- a/controls/C-0244-ensurekubernetessecretsareencrypted.json
+++ b/controls/C-0244-ensurekubernetessecretsareencrypted.json
@@ -9,7 +9,6 @@
 ""
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "secret-etcd-encryption-cloud"
diff --git a/controls/C-0245-encrypttraffictohttpsloadbalancerswithtlscertificates.json b/controls/C-0245-encrypttraffictohttpsloadbalancerswithtlscertificates.json
index d2c800b01..00739a944 100644
--- a/controls/C-0245-encrypttraffictohttpsloadbalancerswithtlscertificates.json
+++ b/controls/C-0245-encrypttraffictohttpsloadbalancerswithtlscertificates.json
@@ -9,7 +9,6 @@
 ""
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "encrypt-traffic-to-https-load-balancers-with-tls-certificates"
diff --git a/controls/C-0246-avoiduseofsystemmastersgroup.json b/controls/C-0246-avoiduseofsystemmastersgroup.json
index da7412a5a..396738b3a 100644
--- a/controls/C-0246-avoiduseofsystemmastersgroup.json
+++ b/controls/C-0246-avoiduseofsystemmastersgroup.json
@@ -9,7 +9,6 @@
 "https://github.com/kubernetes/kubernetes/blob/master/pkg/registry/rbac/escalation_check.go#L38"
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "rule-manual"
diff --git a/controls/C-0247-restrictaccesstothecontrolplaneendpoint.json b/controls/C-0247-restrictaccesstothecontrolplaneendpoint.json
index b9d730671..9dd307d28 100644
--- a/controls/C-0247-restrictaccesstothecontrolplaneendpoint.json
+++ b/controls/C-0247-restrictaccesstothecontrolplaneendpoint.json
@@ -9,7 +9,6 @@
 ""
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "restrict-access-to-the-control-plane-endpoint"
diff --git a/controls/C-0248-ensureclustersarecreatedwithprivatenodes.json b/controls/C-0248-ensureclustersarecreatedwithprivatenodes.json
index aca15749d..cd7d2bf39 100644
--- a/controls/C-0248-ensureclustersarecreatedwithprivatenodes.json
+++ b/controls/C-0248-ensureclustersarecreatedwithprivatenodes.json
@@ -9,7 +9,6 @@
 ""
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-clusters-are-created-with-private-nodes"
diff --git a/controls/C-0249-restrictuntrustedworkloads.json b/controls/C-0249-restrictuntrustedworkloads.json
index e2c5d3123..eb4c80d06 100644
--- a/controls/C-0249-restrictuntrustedworkloads.json
+++ b/controls/C-0249-restrictuntrustedworkloads.json
@@ -9,7 +9,6 @@
 "\n\n \n\n "
 ],
 "attributes": {
- "armoBuiltin": true,
 "actionRequired": "manual review"
 },
 "rulesNames": [
diff --git a/controls/C-0250-minimizeclusteraccesstoreadonlyforazurecontainerregistryacr.json b/controls/C-0250-minimizeclusteraccesstoreadonlyforazurecontainerregistryacr.json
index 674e4c2b6..e3c0779a1 100644
--- a/controls/C-0250-minimizeclusteraccesstoreadonlyforazurecontainerregistryacr.json
+++ b/controls/C-0250-minimizeclusteraccesstoreadonlyforazurecontainerregistryacr.json
@@ -9,7 +9,6 @@
 ""
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-service-principle-has-read-only-permissions"
diff --git a/controls/C-0251-minimizeuseraccesstoazurecontainerregistryacr.json b/controls/C-0251-minimizeuseraccesstoazurecontainerregistryacr.json
index a8d5af221..9029e5289 100644
--- a/controls/C-0251-minimizeuseraccesstoazurecontainerregistryacr.json
+++ b/controls/C-0251-minimizeuseraccesstoazurecontainerregistryacr.json
@@ -9,7 +9,6 @@
 ""
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "list-role-definitions-in-acr"
diff --git a/controls/C-0252-ensureclustersarecreatedwithprivateendpointenabledandpublicaccessdisabled.json b/controls/C-0252-ensureclustersarecreatedwithprivateendpointenabledandpublicaccessdisabled.json
index 15d9a5c14..fc0e3e193 100644
--- a/controls/C-0252-ensureclustersarecreatedwithprivateendpointenabledandpublicaccessdisabled.json
+++ b/controls/C-0252-ensureclustersarecreatedwithprivateendpointenabledandpublicaccessdisabled.json
@@ -9,7 +9,6 @@
 "\n\n "
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "ensure-clusters-are-created-with-private-endpoint-enabled-and-public-access-disabled"
diff --git a/controls/C-0253-deprecated-k8s-registry.json b/controls/C-0253-deprecated-k8s-registry.json
index 35fa98c76..d112dbf87 100644
--- a/controls/C-0253-deprecated-k8s-registry.json
+++ b/controls/C-0253-deprecated-k8s-registry.json
@@ -1,7 +1,6 @@
 {
 "name": "Deprecated Kubernetes image registry",
 "attributes": {
- "armoBuiltin": true
 },
 "description": "Kubernetes team has deprecated GCR (k8s.gcr.io) registry and recommends pulling Kubernetes components from the new registry (registry.k8s.io). This is mandatory from 1.27",
 "remediation": "Change the images to be pulled from the new registry (registry.k8s.io).",
diff --git a/controls/C-0254-enableauditlogs.json b/controls/C-0254-enableauditlogs.json
index eb9ef642f..a35ec5daf 100644
--- a/controls/C-0254-enableauditlogs.json
+++ b/controls/C-0254-enableauditlogs.json
@@ -9,7 +9,6 @@
 "\n\n \n\n "
 ],
 "attributes": {
- "armoBuiltin": true
 },
 "rulesNames": [
 "rule-manual"
diff --git a/controls/C-0255-workloadwithsecretaccess.json b/controls/C-0255-workloadwithsecretaccess.json
index 686a72577..69a3b1264 100644
--- a/controls/C-0255-workloadwithsecretaccess.json
+++ b/controls/C-0255-workloadwithsecretaccess.json
@@ -1,7 +1,6 @@
 {
 "name": "Workload with secret access",
 "attributes": {
- "armoBuiltin": true,
 "controlTypeTags": [
 "security"
 ],
diff --git a/controls/C-0256-exposuretointernet.json b/controls/C-0256-exposuretointernet.json
index cc35d4e7b..4e6247e51 100644
--- a/controls/C-0256-exposuretointernet.json
+++ b/controls/C-0256-exposuretointernet.json
@@ -1,7 +1,6 @@
 {
- "name": "Exposure to internet",
+ "name": "External facing",
 "attributes": {
- "armoBuiltin": true,
 "controlTypeTags": [
 "security"
 ],
@@ -17,6 +16,24 @@
 "categories": [
 "Initial Access"
 ]
+ },
+ {
+ "attackTrack": "external-workload-with-cluster-takeover-roles",
+ "categories": [
+ "Initial Access"
+ ]
+ },
+ {
+ "attackTrack": "external-database-without-authentication",
+ "categories": [
+ "Initial Access"
+ ]
+ },
+ {
+ "attackTrack": "workload-unauthenticated-service",
+ "categories": [
+ "Initial Access"
+ ]
 }
 ]
 },
@@ -28,8 +45,7 @@
 "baseScore": 7.0,
 "scanningScope": {
 "matches": [
- "cluster",
- "file"
+ "cluster"
 ]
 }
 }
diff --git a/controls/C-0257-pvcaccess.json b/controls/C-0257-pvcaccess.json
index 19a1b77f7..2040ebd41 100644
--- a/controls/C-0257-pvcaccess.json
+++ b/controls/C-0257-pvcaccess.json
@@ -1,7 +1,6 @@
 {
 "name": "Workload with PVC access",
 "attributes": {
- "armoBuiltin": true,
 "controlTypeTags": [
 "security"
 ],
diff --git a/controls/C-0258-configmapaccess.json b/controls/C-0258-configmapaccess.json
index 2b15ba4d7..492a85209 100644
--- a/controls/C-0258-configmapaccess.json
+++ b/controls/C-0258-configmapaccess.json
@@ -1,7 +1,6 @@
 {
 "name": "Workload with ConfigMap access",
 "attributes": {
- "armoBuiltin": true,
 "controlTypeTags": [
 "security"
 ],
diff --git a/controls/C-0259-workloadwithcredentialaccess.json b/controls/C-0259-workloadwithcredentialaccess.json
index 9153afd41..99de6b5c8 100644
--- a/controls/C-0259-workloadwithcredentialaccess.json
+++ b/controls/C-0259-workloadwithcredentialaccess.json
@@ -1,7 +1,6 @@
 {
 "name": "Workload with credential access",
 "attributes": {
- "armoBuiltin": true,
 "controlTypeTags": [
 "security"
 ],
diff --git a/controls/C-0260-missingnetworkpolicy.json b/controls/C-0260-missingnetworkpolicy.json
index f51ad8c42..6f1157c7f 100644
--- a/controls/C-0260-missingnetworkpolicy.json
+++ b/controls/C-0260-missingnetworkpolicy.json
@@ -1,7 +1,6 @@
 {
 "name": "Missing network policy",
 "attributes": {
- "armoBuiltin": true,
 "controlTypeTags": [
 "security"
 ],
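Review bot: The attack track `external-database-without-authentication` added to C-0256 is referenced nowhere else in this diff, whereas the other two tracks added alongside it (`external-workload-with-cluster-takeover-roles`, `workload-unauthenticated-service`) are also used by the new C-0266, C-0267 and C-0274 controls; unless an attack-track definition with exactly that name already exists in the repository, this entry will dangle and the control's attack-track view will be incomplete. Worth confirming against the attack-tracks definitions before merging. The rename to `"name": "External facing"` in the first hunk of this file is a user-visible change, so anything that keys on the control's name rather than its controlID (framework JSON, docs synced by the new `.github/sync.yml`) would need the same update.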
@@ -12,7 +11,8 @@
 "Lateral Movement (Network)"
 ]
 }
- ]
+ ],
+ "isFixedByNetworkPolicy": true
 },
 "description": "This control detects workloads that has no NetworkPolicy configured in labels. If a network policy is not configured, it means that your applications might not have necessary control over the traffic to and from the pods, possibly leading to a security vulnerability.",
 "remediation": "Review the workloads identified by this control and assess whether it's necessary to configure a network policy for them.",
diff --git a/controls/C-0261-satokenmounted.json b/controls/C-0261-satokenmounted.json
index 5e438e4af..aa15abcfb 100644
--- a/controls/C-0261-satokenmounted.json
+++ b/controls/C-0261-satokenmounted.json
@@ -1,7 +1,6 @@
 {
 "name": "ServiceAccount token mounted",
 "attributes": {
- "armoBuiltin": true,
 "controlTypeTags": [
 "security"
 ],
diff --git a/controls/C-0262-anonymousaccessisenabled.json b/controls/C-0262-anonymousaccessisenabled.json
index acc295a63..1479170b2 100644
--- a/controls/C-0262-anonymousaccessisenabled.json
+++ b/controls/C-0262-anonymousaccessisenabled.json
@@ -5,7 +5,10 @@
 "remediation": "Review and modify your cluster's RBAC configuration to ensure that only authenticated and authorized users have appropriate permissions based on their roles and responsibilities within your system.",
 "test": "Checks if ClusterRoleBinding/RoleBinding resources give permissions to anonymous user. Also checks in the apiserver if the --anonymous-auth flag is set to false",
 "attributes": {
- "armoBuiltin": true
+ "controlTypeTags": [
+ "security",
+ "compliance"
+ ]
 },
 "rulesNames": [
 "anonymous-access-enabled"
diff --git a/controls/C-0263-ingress-tls.json b/controls/C-0263-ingress-tls.json
new file mode 100644
index 000000000..ce6b724f5
--- /dev/null
+++ b/controls/C-0263-ingress-tls.json
@@ -0,0 +1,20 @@
+{
+ "name": "Ingress uses TLS",
+ "attributes": {
+ "controlTypeTags": [
+ "security",
+ "compliance"
+ ]
+ },
+ "description": "This control detect Ingress resources that do not use TLS",
+ "remediation": "The user needs to implement TLS for the Ingress resource in order to encrypt the incoming traffic",
+ "rulesNames": ["ingress-no-tls"],
+ "test": "Check if the Ingress resource has TLS configured",
+ "controlID": "C-0263",
+ "baseScore": 7.0,
+ "scanningScope": {
+ "matches": [
+ "cluster","file"
+ ]
+ }
+}
diff --git a/controls/C-0264-pv-encrypted.json b/controls/C-0264-pv-encrypted.json
new file mode 100644
index 000000000..e13131027
--- /dev/null
+++ b/controls/C-0264-pv-encrypted.json
@@ -0,0 +1,20 @@
+{
+ "name": "PersistentVolume without encyption",
+ "attributes": {
+ "controlTypeTags": [
+ "security",
+ "compliance"
+ ]
+ },
+ "description": "This control detects PersistentVolumes without encyption",
+ "remediation": "Enable encryption on the PersistentVolume using the configuration in StorageClass",
+ "rulesNames": ["pv-without-encryption"],
+ "test": "Checking all PersistentVolumes via their StorageClass for encryption",
+ "controlID": "C-0264",
+ "baseScore": 5.0,
+ "scanningScope": {
+ "matches": [
+ "cluster"
+ ]
+ }
+}
diff --git a/controls/C-0265-authenticateduserhasrbac.json b/controls/C-0265-authenticateduserhasrbac.json
new file mode 100644
index 000000000..1d023639e
--- /dev/null
+++ b/controls/C-0265-authenticateduserhasrbac.json
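Review bot: The `description` of the new C-0263 control is ungrammatical in a user-facing string ("This control detect Ingress resources"); it should read `"description": "This control detects Ingress resources that do not use TLS",`. The `matches` array also writes `"cluster","file"` on one line, unlike every other control in this diff, which lists one scope per line; keeping the layout uniform makes the scope diffs reviewable. The description could additionally say that the check is against the Ingress `tls` section so users know what "use TLS" means here, but that depends on what the `ingress-no-tls` rule actually inspects, which is not visible in this diff.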
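Review bot: Both the `name` and the `description` of the new C-0264 control misspell "encryption" ("encyption"), and these strings are what users see in scan output; they should be `"name": "PersistentVolume without encryption",` and `"description": "This control detects PersistentVolumes without encryption",`. The `test` text says the check goes via the StorageClass, so the description would be clearer if it said the same, since a PersistentVolume with no StorageClass (static provisioning) is presumably not evaluated; that detail depends on the `pv-without-encryption` rule, which is outside this diff.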
@@ -0,0 +1,24 @@
+{
+ "controlID": "C-0265",
+ "name": "system:authenticated user has elevated roles",
+ "description": "Granting permissions to the system:authenticated group is generally not recommended and can introduce security risks. This control ensures that system:authenticated users do not have cluster risking permissions.",
+ "remediation": "Review and modify your cluster's RBAC configuration to ensure that system:authenticated will have minimal permissions.",
+ "test": "Checks if ClusterRoleBinding/RoleBinding resources give permissions to system:authenticated group.",
+ "attributes": {
+ },
+ "rulesNames": [
+ "system-authenticated-allowed-to-take-over-cluster"
+ ],
+ "baseScore": 7,
+ "category": {
+ "name": "Control plane",
+ "subCategory": {
+ "name": "Supply chain"
+ }
+ },
+ "scanningScope": {
+ "matches": [
+ "cluster"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/controls/C-0266-exposuretointernet-gateway.json b/controls/C-0266-exposuretointernet-gateway.json
new file mode 100644
index 000000000..c349b0314
--- /dev/null
+++ b/controls/C-0266-exposuretointernet-gateway.json
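Review bot: The new C-0265 control ships with an empty `"attributes": { }`, so it carries no `controlTypeTags`, while the closely related C-0262 (anonymous access) is tagged `["security", "compliance"]` in this same diff; a control that is not tagged presumably falls out of any framework or UI view that filters by tag, so the omission looks accidental rather than deliberate. The category `"Control plane"` with `"subCategory": { "name": "Supply chain" }` also reads as misplaced for an RBAC check on the `system:authenticated` group; unless the category taxonomy defines "Supply chain" more broadly than its name suggests, an RBAC-related subcategory would match the control better. The phrase "cluster risking permissions" in `description` is awkward; `"...do not have permissions that put the cluster at risk."` says the same thing clearly.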
@@ -0,0 +1,45 @@
+{
+ "name": "Exposure to internet via Gateway API",
+ "attributes": {
+ "controlTypeTags": [
+ "security"
+ ],
+ "attackTracks": [
+ {
+ "attackTrack": "workload-external-track",
+ "categories": [
+ "Initial Access"
+ ]
+ },
+ {
+ "attackTrack": "service-destruction",
+ "categories": [
+ "Initial Access"
+ ]
+ },
+ {
+ "attackTrack": "external-workload-with-cluster-takeover-roles",
+ "categories": [
+ "Initial Access"
+ ]
+ },
+ {
+ "attackTrack": "workload-unauthenticated-service",
+ "categories": [
+ "Initial Access"
+ ]
+ }
+ ]
+ },
+ "description": "This control detect workloads that are exposed on Internet through a Gateway API (HTTPRoute,TCPRoute, UDPRoute). It fails in case it find workloads connected with these resources.",
+ "remediation": "The user can evaluate its exposed resources and apply relevant changes wherever needed.",
+ "rulesNames": ["exposure-to-internet-via-gateway-api"],
+ "test": "Checks if workloads are exposed through the use of Gateway API (HTTPRoute,TCPRoute, UDPRoute).",
+ "controlID": "C-0266",
+ "baseScore": 7.0,
+ "scanningScope": {
+ "matches": [
+ "cluster"
+ ]
+ }
+}
diff --git a/controls/C-0267-workloadwithclustertakeoverroles.json b/controls/C-0267-workloadwithclustertakeoverroles.json
new file mode 100644
index 000000000..8ab37b83d
--- /dev/null
+++ b/controls/C-0267-workloadwithclustertakeoverroles.json
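Review bot: The `description` of the new C-0266 control has several grammar slips in a user-facing string ("This control detect", "in case it find", "connected with"); it should read `"description": "This control detects workloads that are exposed to the Internet through the Gateway API (HTTPRoute, TCPRoute, UDPRoute). It fails if it finds workloads connected to these resources.",`. The description also does not say what makes a Gateway "Internet-facing" — a Gateway can be bound to an internal listener — so a sentence stating the condition the `exposure-to-internet-via-gateway-api` rule applies would spare users guessing; that rule is not in this diff, so the exact wording has to come from it. The `test` string has the same comma spacing issue (`HTTPRoute,TCPRoute, UDPRoute`).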
@@ -0,0 +1,36 @@
+{
+ "name": "Workload with cluster takeover roles",
+ "attributes": {
+ "controlTypeTags": [
+ "security"
+ ],
+ "attackTracks": [
+ {
+ "attackTrack": "external-workload-with-cluster-takeover-roles",
+ "categories": [
+ "Cluster Access"
+ ],
+ "displayRelatedResources": true,
+ "clickableResourceKind": "ServiceAccount"
+ }
+ ]
+ },
+ "description": "Cluster takeover roles include workload creation or update and secret access. They can easily lead to super privileges in the cluster. If an attacker can exploit this workload then the attacker can take over the cluster using the RBAC privileges this workload is assigned to.",
+ "remediation": "You should apply least privilege principle. Make sure each service account has only the permissions that are absolutely necessary.",
+ "rulesNames": [
+ "workload-with-cluster-takeover-roles"
+ ],
+ "long_description": "In Kubernetes, workloads with overly permissive roles pose a significant security risk. When a workload is granted roles that exceed the necessities of its operation, it creates an attack surface for privilege escalation within the cluster. This is especially critical if the roles include permissions for creating, updating, or accessing sensitive resources or secrets. An attacker exploiting such a workload can leverage these excessive privileges to perform unauthorized actions, potentially leading to a full cluster takeover. Ensuring that each service account associated with a workload is limited to permissions that are strictly necessary for its function is crucial in mitigating the risk of cluster takeovers.",
+ "test": "Check if the service account used by a workload has cluster takeover roles.",
+ "controlID": "C-0267",
+ "baseScore": 6.0,
+ "category": {
+ "name": "Workload"
+ },
+ "scanningScope": {
+ "matches": [
+ "cluster",
+ "file"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/controls/C-0268-ensurecpurequestsareset.json b/controls/C-0268-ensurecpurequestsareset.json
new file mode 100644
index 000000000..a5e309df0
--- /dev/null
+++ b/controls/C-0268-ensurecpurequestsareset.json
@@ -0,0 +1,28 @@
+{
+ "name": "Ensure CPU requests are set",
+ "attributes": {
+ "controlTypeTags": [
+ "compliance",
+ "devops"
+ ]
+ },
+ "description": "This control identifies all Pods for which the CPU requests are not set.",
+ "remediation": "Set the CPU requests or use exception mechanism to avoid unnecessary notifications.",
+ "rulesNames": [
+ "resources-cpu-requests"
+ ],
+ "controlID": "C-0268",
+ "baseScore": 3.0,
+ "category": {
+ "name": "Workload",
+ "subCategory": {
+ "name": "Resource management"
+ }
+ },
+ "scanningScope": {
+ "matches": [
+ "cluster",
+ "file"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/controls/C-0269-ensurememoryrequestsareset.json b/controls/C-0269-ensurememoryrequestsareset.json
new file mode 100644
index 000000000..290db0b59
--- /dev/null
+++ b/controls/C-0269-ensurememoryrequestsareset.json
@@ -0,0 +1,28 @@
+{
+ "name": "Ensure memory requests are set",
+ "attributes": {
+ "controlTypeTags": [
+ "compliance",
+ "devops"
+ ]
+ },
+ "description": "This control identifies all Pods for which the memory requests are not set.",
+ "remediation": "Set the memory requests or use exception mechanism to avoid unnecessary notifications.",
+ "rulesNames": [
+ "resources-memory-requests"
+ ],
+ "controlID": "C-0269",
+ "baseScore": 3.0,
+ "category": {
+ "name": "Workload",
+ "subCategory": {
+ "name": "Resource management"
+ }
+ },
+ "scanningScope": {
+ "matches": [
+ "cluster",
+ "file"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/controls/C-0270-ensurecpulimitsareset.json b/controls/C-0270-ensurecpulimitsareset.json
new file mode 100644
index 000000000..edc09d4c1
--- /dev/null
+++ b/controls/C-0270-ensurecpulimitsareset.json
@@ -0,0 +1,37 @@
+{
+ "name": "Ensure CPU limits are set",
+ "attributes": {
+ "controlTypeTags": [
+ "compliance",
+ "devops",
+ "security"
+ ],
+ "attackTracks": [
+ {
+ "attackTrack": "service-destruction",
+ "categories": [
+ "Denial of service"
+ ]
+ }
+ ]
+ },
+ "description": "This control identifies all Pods for which the CPU limits are not set.",
+ "remediation": "Set the CPU limits or use exception mechanism to avoid unnecessary notifications.",
+ "rulesNames": [
+ "resources-cpu-limits"
+ ],
+ "controlID": "C-0270",
+ "baseScore": 8.0,
+ "category": {
+ "name": "Workload",
+ "subCategory": {
+ "name": "Resource management"
+ }
+ },
+ "scanningScope": {
+ "matches": [
+ "cluster",
+ "file"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/controls/C-0271-ensurememorylimitsareset.json b/controls/C-0271-ensurememorylimitsareset.json
new file mode 100644
index 000000000..ce56063d2
--- /dev/null
+++ b/controls/C-0271-ensurememorylimitsareset.json
@@ -0,0 +1,37 @@
+{
+ "name": "Ensure memory limits are set",
+ "attributes": {
+ "controlTypeTags": [
+ "compliance",
+ "devops",
+ "security"
+ ],
+ "attackTracks": [
+ {
+ "attackTrack": "service-destruction",
+ "categories": [
+ "Denial of service"
+ ]
+ }
+ ]
+ },
+ "description": "This control identifies all Pods for which the memory limits are not set.",
+ "remediation": "Set the memory limits or use exception mechanism to avoid unnecessary notifications.",
+ "rulesNames": [
+ "resources-memory-limits"
+ ],
+ "controlID": "C-0271",
+ "baseScore": 8.0,
+ "category": {
+ "name": "Workload",
+ "subCategory": {
+ "name": "Resource management"
+ }
+ },
+ "scanningScope": {
+ "matches": [
+ "cluster",
+ "file"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/controls/C-0272-workloadwithadministrativeroles.json b/controls/C-0272-workloadwithadministrativeroles.json
new file mode 100644
index 000000000..3d59e4f04
--- /dev/null
+++ b/controls/C-0272-workloadwithadministrativeroles.json
@@ -0,0 +1,22 @@
+{
+ "name": "Workload with administrative roles",
+ "attributes": {},
+ "description": "This control identifies workloads where the associated service accounts have roles that grant administrative-level access across the cluster. Granting a workload such expansive permissions equates to providing it cluster admin roles. This level of access can pose a significant security risk, as it allows the workload to perform any action on any resource, potentially leading to unauthorized data access or cluster modifications.",
+ "remediation": "You should apply least privilege principle. Make sure cluster admin permissions are granted only when it is absolutely necessary. Don't use service accounts with such high permissions for daily operations.",
+ "rulesNames": [
+ "workload-with-administrative-roles"
+ ],
+ "long_description": "In Kubernetes environments, workloads granted administrative-level privileges without restrictions represent a critical security vulnerability. When a service account associated with a workload is configured with permissions to perform any action on any resource, it essentially holds unrestricted access within the cluster, akin to cluster admin privileges. This configuration dramatically increases the risk of security breaches, including data theft, unauthorized modifications, and potentially full cluster takeovers. Such privileges allow attackers to exploit the workload for wide-ranging malicious activities, bypassing the principle of least privilege. 
Therefore, it's essential to follow the least privilege principle and make sure cluster admin permissions are granted only when it is absolutely necessary.",
+ "test": "Check if the service account used by a workload has cluster admin roles, either by being bound to the cluster-admin clusterrole, or by having equivalent high privileges.",
+ "controlID": "C-0272",
+ "baseScore": 6.0,
+ "category": {
+ "name" : "Workload"
+ },
+ "scanningScope": {
+ "matches": [
+ "cluster",
+ "file"
+ ]
+ }
+}
diff --git a/controls/C-0273-outdatedk8sversion.json b/controls/C-0273-outdatedk8sversion.json
new file mode 100644
index 000000000..2e933cfab
--- /dev/null
+++ b/controls/C-0273-outdatedk8sversion.json
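Review bot: The `long_description` of the new C-0272 control appears to break across a raw line in the middle of the string (after "bypassing the principle of least privilege. "); if that line break is literal in the file rather than an artifact of how this diff was rendered, it is an unescaped control character inside a JSON string, which strict parsers reject, and the file would fail to load. Either join the two sentences on one line or encode the break as `\n`. Separately, `"attributes": {}` leaves this control without `controlTypeTags`, while the sibling C-0267 (cluster takeover roles, same `Workload` category) in this diff is tagged `"security"`, and `"name" : "Workload"` has a stray space before the colon that no other control in the diff uses.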
@@ -0,0 +1,22 @@
+{
+ "name": "Outdated Kubernetes version",
+ "attributes": {},
+ "description": "Identifies Kubernetes clusters running on outdated versions. Using old versions can expose clusters to known vulnerabilities, compatibility issues, and miss out on improved features and security patches. Keeping Kubernetes up-to-date is crucial for maintaining security and operational efficiency.",
+ "remediation": "Regularly update Kubernetes clusters to the latest stable version to mitigate known vulnerabilities and enhance functionality. Plan and execute upgrades considering workload compatibility, testing in a staging environment before applying changes to production. Follow Kubernetes' best practices for version management and upgrades to ensure a smooth transition and minimal downtime.",
+ "rulesNames": [
+ "outdated-k8s-version"
+ ],
+ "long_description": "Running an outdated version of Kubernetes poses significant security risks and operational challenges. Older versions may contain unpatched vulnerabilities, leading to potential security breaches and unauthorized access. Additionally, outdated clusters might not support newer, more secure, and efficient features, impacting both performance and security. Regularly updating Kubernetes ensures compliance with the latest security standards and access to enhanced functionalities.",
+ "test": "Verifies the current Kubernetes version against the latest stable releases.",
+ "controlID": "C-0273",
+ "baseScore": 2.0,
+ "category": {
+ "name": "Control plane"
+ },
+ "scanningScope": {
+ "matches": [
+ "cluster",
+ "file"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/controls/C-0274-unauthenticatedservice.json b/controls/C-0274-unauthenticatedservice.json
new file mode 100644
index 000000000..0b208afe8
--- /dev/null
+++ b/controls/C-0274-unauthenticatedservice.json
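Review bot: The new C-0273 control lists `"file"` in `scanningScope.matches`, but a check that "verifies the current Kubernetes version against the latest stable releases" needs a live cluster to read the version from; a repository or manifest scan has no cluster version to compare, so in file scope the control would either never evaluate or report a misleading result. Unless the `outdated-k8s-version` rule (not in this diff) derives the version from some file input, this should be `"cluster"` only, as the other cluster-state controls in this diff (C-0264, C-0265, C-0274) are scoped. The `description` could also state how "outdated" is decided (latest stable, or a supported-minor-versions window), since the remediation and `baseScore` of 2.0 read very differently depending on which it is.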
@@ -0,0 +1,35 @@ +{ + "name": "Verify Authenticated Service", + "controlID": "C-0274", + "description": "Verifies if the service is authenticated", + "long_description": "Verifies that in order to access the service, the user must be authenticated.", + "remediation": "Configure the service to require authentication.", + "manual_test": "", + "attributes": { + "controlTypeTags": [ + "security" + ], + "attackTracks": [ + { + "attackTrack": "workload-unauthenticated-service", + "categories": [ + "Execution" + ] + } + ] + }, + "rulesNames": [ + "unauthenticated-service" + ], + "baseScore": 7, + "impact_statement": "", + "default_value": "", + "category": { + "name": "Network" + }, + "scanningScope": { + "matches": [ + "cluster" + ] + } +} \ No newline at end of file diff --git a/controls/examples/c013.yaml b/controls/examples/c013.yaml index 6b3ecf544..ce997a920 100644 --- a/controls/examples/c013.yaml +++ b/controls/examples/c013.yaml @@ -12,4 +12,4 @@ spec: image: busybox command: [ "sh", "-c", "sleep 1h" ] securityContext: - allowPrivilegeEscalation: false #lastly, we check this is set to false \ No newline at end of file + runAsNonRoot: false # alternatively, this can be runAsNonRoot: true \ No newline at end of file diff --git a/default-config-inputs.json b/default-config-inputs.json index c985e96bf..a0bd9ee1f 100644 --- a/default-config-inputs.json +++ b/default-config-inputs.json @@ -1,7 +1,6 @@ { "name": "default", "attributes": { - "armoBuiltin": true }, "scope": { "designatorType": "attributes", @@ -50,13 +49,9 @@ ], "max_critical_vulnerabilities": ["5"], "max_high_vulnerabilities": ["10"], - "sensitiveValuesAllowed": ["AllowedValue"], "sensitiveKeyNames": [ - "aws_access_key_id", "aws_secret_access_key", - "azure_batchai_storage_account", "azure_batchai_storage_key", - "azure_batch_account", "azure_batch_key", "secret", "key", 
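Review bot: The control text never says what "authenticated" means for a `Service`, so a reader of a C-0274 finding cannot tell what the `unauthenticated-service` rule actually inspects or how to satisfy it beyond `Configure the service to require authentication.`; `description` and `long_description` should name the condition being checked. `manual_test`, `impact_statement` and `default_value` are all empty strings, and `baseScore` is the integer `7` while the sibling controls added in this commit use floats (`6.0`, `2.0`); filling `manual_test` with the concrete verification step and aligning the score type keeps the file consistent with C-0272 and C-0273.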
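Review bot: The replaced line `runAsNonRoot: false # alternatively, this can be runAsNonRoot: true` reads as contradictory: this is the example for C-0013 (named "Non-root containers" elsewhere in the commit), and the line now shows the value that presumably fails the control while the comment says the passing value is "alternatively" possible, so it is unclear whether the example is meant to pass or fail. State which it is, e.g. `runAsNonRoot: false  # non-compliant example; the control passes with runAsNonRoot: true`. The file is also still written without a trailing newline.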
@@ -76,6 +71,8 @@ "_key_", "_secret_" ], + "sensitiveKeyNamesAllowed": [], + "sensitiveValuesAllowed": [], "servicesNames": [ "nifi-service", "argo-server", diff --git a/exceptions/gke.json b/exceptions/gke.json index 4423491c3..39889b9ca 100644 --- a/exceptions/gke.json +++ b/exceptions/gke.json @@ -1006,6 +1006,20 @@ "name": "validation-webhook.snapshot.storage.gke.io" } }, + { + "designatorType": "Attributes", + "attributes": { + "kind": "ValidatingWebhookConfiguration", + "name": "gmp-operator.gmp-system.monitoring.googleapis.com" + } + }, + { + "designatorType": "Attributes", + "attributes": { + "kind": "ValidatingWebhookConfiguration", + "name": "warden-validating.config.common-webhooks.networking.gke.io" + } + }, { "designatorType": "Attributes", "attributes": { @@ -1103,6 +1117,20 @@ "kind": "Namespace", "name": "kube-system" } + }, + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "gmp-public" + } + }, + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "gmp-system" + } } ], "posturePolicies": [ 
@@ -1142,11 +1170,107 @@ "name": "route-controller", "namespace": "kube-system" } + }, + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "superadmin", + "namespace": "kube-system" + } + + }, + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "pkgextract-service", + "namespace": "kube-system" + } + }, + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "pkgextract-service", + "namespace": "kube-system" + } + }, + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "default", + "namespace": "gmp-system" + } + }, + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "collector", + "namespace": "gmp-system" + } + }, + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "operator", + "namespace": "gmp-system" + } + }, + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "collector", + "namespace": "gmp-public" + } + }, + { + "designatorType": "Attributes", + "attributes": { + "kind": "StatefulSet", + "name": "alertmanager", + "namespace": "gmp-system" + } + }, + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "collector", + "namespace": "gmp-system" + } + }, + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "rule-evaluator", + "namespace": "gmp-system" + } + }, + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "gmp-operator", + "namespace": "gmp-system" + } + }, + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "gke-metrics-agent-conf", + "namespace": "kube-system" + } } ], "posturePolicies": [ { - "controlID": "c-0053" } ] } 
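Review bot: Removing `"controlID": "c-0053"` leaves `"posturePolicies": [ { } ]`, an empty policy object, which elsewhere in this same commit (the `exclude-ns` exception in `exceptions/kubescape.json`) is used to match every control; if that is the semantics here, this exception is no longer limited to c-0053 and silences all findings for every resource in its list, including the new `superadmin` ServiceAccount in `kube-system` and all the `gmp-system`/`gmp-public` workloads. Either keep an explicit control list or move the entries that are meant to be blanket-exempted into a separate exception so the widening is deliberate and visible in review. The `pkgextract-service` ServiceAccount is also added twice, and the `superadmin` object carries a stray blank line before its closing `},`.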
diff --git a/exceptions/kube-apiserver.json b/exceptions/kube-apiserver.json index 1061e861a..df6985fd1 100644 --- a/exceptions/kube-apiserver.json +++ b/exceptions/kube-apiserver.json @@ -29,7 +29,7 @@ "controlID": "c-0017" }, { - "controlID": "c-0013 " + "controlID": "c-0013" }, { "controlID": "c-0020" @@ -44,13 +44,10 @@ "controlID": "c-0016" }, { - "controlID": "c-0004" - }, - { - "controlID": "c-0050" + "controlID": "C-0270" }, { - "controlID": "c-0009" + "controlID": "C-0271" }, { "controlID": "c-0048" diff --git a/exceptions/kubescape-prometheus.json b/exceptions/kubescape-prometheus.json index fe83aff47..ae712885a 100644 --- a/exceptions/kubescape-prometheus.json +++ b/exceptions/kubescape-prometheus.json @@ -53,9 +53,6 @@ } ], "posturePolicies": [ - { - "controlID": "c-0001" - }, { "controlID": "c-0078" } @@ -140,9 +137,6 @@ } ], "posturePolicies": [ - { - "controlID": "c-0001" - }, { "controlID": "c-0078" } diff --git a/exceptions/kubescape.json b/exceptions/kubescape.json index 403314000..34b2187ed 100644 --- a/exceptions/kubescape.json +++ b/exceptions/kubescape.json @@ -33,6 +33,14 @@ "namespace": "kubescape" } }, + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "synchronizer", + "namespace": "kubescape" + } + }, { "designatorType": "Attributes", "attributes": { @@ -75,20 +83,47 @@ } ], "posturePolicies": [ + { + "controlID": "c-0076" + }, + { + "controlID": "c-0237" + }, { "controlID": "c-0055" }, + { + "controlID": "c-0056" + }, { "controlID": "c-0017" }, + { + "controlID": "c-0018" + }, + { + "controlID": "c-0013" + }, + { + "controlID": "c-0030" + }, { "controlID": "c-0210" }, + { + "controlID": "c-0260" + }, + { + "controlID": "c-0207" + }, { "controlID": "c-0211" }, { "controlID": "c-0058" + }, + { + "controlID": "c-0038" } ] }, @@ -144,9 +179,6 @@ } ], "posturePolicies": [ - { - "controlID": "c-0001" - }, { "controlID": "c-0078" } 
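Review bot: The two new entries use `"controlID": "C-0270"` and `"controlID": "C-0271"` in upper case while every other ID in the same list (`c-0013`, `c-0016`, `c-0048`) is lower case; if the exception matcher compares control IDs case-sensitively, the entries that replace `c-0004`, `c-0050` and `c-0009` will never apply, and even if it is case-insensitive the list should stay uniform. Write them as `c-0270` and `c-0271`.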
@@ -206,6 +238,9 @@ "posturePolicies": [ { "controlID": "c-0030" + }, + { + "controlID": "c-0013" } ] }, @@ -376,6 +411,14 @@ "namespace": "kubescape" } }, + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "storage", + "namespace": "kubescape" + } + }, { "designatorType": "Attributes", "attributes": { @@ -384,6 +427,22 @@ "namespace": "kubescape" } }, + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "node-agent", + "namespace": "kubescape" + } + }, + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "kubevuln", + "namespace": "kubescape" + } + }, { "designatorType": "Attributes", "attributes": { @@ -392,6 +451,14 @@ "namespace": "kubescape" } }, + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "synchronizer", + "namespace": "kubescape" + } + }, { "designatorType": "Attributes", "attributes": { @@ -405,8 +472,20 @@ { "controlID": "c-0034" }, + { + "controlID": "c-0207" + }, + { + "controlID": "c-0013" + }, + { + "controlID": "c-0015" + }, { "controlID": "c-0053" + }, + { + "controlID": "c-0186" } ] }, @@ -529,6 +608,12 @@ { "controlID": "c-0055" }, + { + "controlID": "c-0260" + }, + { + "controlID": "c-0013" + }, { "controlID": "c-0056" }, @@ -578,6 +663,9 @@ { "controlID": "c-0034" }, + { + "controlID": "c-0260" + }, { "controlID": "c-0055" }, @@ -594,5 +682,27 @@ "controlID": "c-0076" } ] + }, + { + "name": "exclude-ns", + "policyType": "postureExceptionPolicy", + "actions": [ + "alertOnly" + ], + "attributes": { + "systemException": true + }, + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + {} + ] } ] diff --git a/exceptions/minikube.json b/exceptions/minikube.json index d9ef5fbf2..b8654d538 100644 --- a/exceptions/minikube.json +++ b/exceptions/minikube.json 
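Review bot: The new `exclude-ns` exception combines `"systemException": true`, a selector for the whole `kubescape` Namespace and `"posturePolicies": [ {} ]`, so every control — including ones added in the future — becomes alert-only for that namespace. If the namespace selector also covers the namespaced workloads, the per-control entries added earlier in this file (`c-0076`, `c-0237`, `c-0207`, ...) become redundant, and regressions in the project's own components will no longer surface. If the intent is only to exempt the `Namespace` object itself from namespace-level controls, list those controls instead of `{}`; if a blanket exemption is intended, the commit description should say so.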
@@ -41,6 +41,38 @@ "name": "coredns" } }, + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "namespace": "kube-system", + "name": "sealed-secrets-controller" + } + }, + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "namespace": "kube-system", + "name": "tpu-device-plugin" + } + }, + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "namespace": "kube-system", + "name": "runsc-metric-server" + } + }, + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "namespace": "kube-system", + "name": "nvidia-gpu-.*" + } + }, { "designatorType": "Attributes", "attributes": { diff --git a/frameworks/__YAMLscan.json b/frameworks/__YAMLscan.json index 8c42e60b7..353b3ae30 100644 --- a/frameworks/__YAMLscan.json +++ b/frameworks/__YAMLscan.json @@ -2,7 +2,7 @@ "name": "YAML-scanning", "description": "Controls relevant to yamls", "attributes": { - "armoBuiltin": true + "builtin": true }, "scanningScope": { "matches": [ @@ -29,7 +29,7 @@ "Delete Kubernetes events", "Access tiller endpoint", "Automatic mapping of service account", - "Cluster-admin binding", + "Administrative Roles", "Validate admission controller (validating)", "CoreDNS poisoning", "Host PID/IPC privileges", @@ -57,7 +57,6 @@ "Label usage for resources", "K8s common labels usage", "Images from allowed registry", - "CVE-2022-24348-argocddirtraversal", - "CVE-2022-0492-cgroups-container-escape" + "CVE-2022-24348-argocddirtraversal" ] -} \ No newline at end of file +} diff --git a/frameworks/allcontrols.json b/frameworks/allcontrols.json index 890e01015..d0a25500d 100644 --- a/frameworks/allcontrols.json +++ b/frameworks/allcontrols.json @@ -2,7 +2,7 @@ "name": "AllControls", "description": "Contains all the controls from all the frameworks", "attributes": { - "armoBuiltin": true + "builtin": true }, "scanningScope": { "matches": [ 
@@ -12,22 +12,10 @@ }, "typeTags": ["compliance"], "activeControls": [ - { - "controlID": "C-0001", - "patch": { - "name": "Forbidden Container Registries" - } - }, { "controlID": "C-0002", "patch": { - "name": "Exec into container" - } - }, - { - "controlID": "C-0004", - "patch": { - "name": "Resources memory limit and request" + "name": "Prevent containers from allowing command execution" } }, { @@ -39,13 +27,7 @@ { "controlID": "C-0007", "patch": { - "name": "Data Destruction" - } - }, - { - "controlID": "C-0009", - "patch": { - "name": "Resource limits" + "name": "Roles with delete capabilities" } }, { @@ -129,7 +111,7 @@ { "controlID": "C-0035", "patch": { - "name": "Cluster-admin binding" + "name": "Administrative Roles" } }, { @@ -192,12 +174,6 @@ "name": "Network mapping" } }, - { - "controlID": "C-0050", - "patch": { - "name": "Resources CPU limit and request" - } - }, { "controlID": "C-0052", "patch": { @@ -348,12 +324,6 @@ "name": "CVE-2022-24348-argocddirtraversal" } }, - { - "controlID": "C-0086", - "patch": { - "name": "CVE-2022-0492-cgroups-container-escape" - } - }, { "controlID": "C-0087", "patch": { @@ -378,11 +348,29 @@ "name": "CVE-2022-47633-kyverno-signature-bypass" } }, - { + { "controlID": "C-0262", "patch": { "name": "Anonymous access enabled" } + }, + { + "controlID": "C-0265", + "patch": { + "name": "Authenticated user has sensitive permissions" + } + }, + { + "controlID": "C-0270", + "patch": { + "name": "Ensure CPU limits are set" + } + }, + { + "controlID": "C-0271", + "patch": { + "name": "Ensure memory limits are set" + } } ] -} \ No newline at end of file +} diff --git a/frameworks/armobest.json b/frameworks/armobest.json index 04c639036..abda35185 100644 --- a/frameworks/armobest.json +++ b/frameworks/armobest.json @@ -2,7 +2,7 @@ "name": "ArmoBest", "description": "", "attributes": { - "armoBuiltin": true + "builtin": true }, "scanningScope": { "matches": [ 
@@ -10,18 +10,14 @@ "file" ] }, - "typeTags": ["compliance"], + "typeTags": [ + "compliance" + ], "activeControls": [ - { - "controlID": "C-0001", - "patch": { - "name": "Forbidden Container Registries" - } - }, { "controlID": "C-0002", "patch": { - "name": "Exec into container" + "name": "Prevent containers from allowing command execution" } }, { @@ -30,12 +26,6 @@ "name": "API server insecure port is enabled" } }, - { - "controlID": "C-0009", - "patch": { - "name": "Resource limits" - } - }, { "controlID": "C-0012", "patch": { @@ -75,7 +65,7 @@ { "controlID": "C-0035", "patch": { - "name": "Cluster-admin binding" + "name": "Administrative Roles" } }, { @@ -210,12 +200,6 @@ "name": "CVE-2022-24348-argocddirtraversal" } }, - { - "controlID": "C-0086", - "patch": { - "name": "CVE-2022-0492-cgroups-container-escape" - } - }, { "controlID": "C-0087", "patch": { @@ -245,6 +229,18 @@ "patch": { "name": "Check if signature exists" } + }, + { + "controlID": "C-0270", + "patch": { + "name": "Ensure CPU limits are set" + } + }, + { + "controlID": "C-0271", + "patch": { + "name": "Ensure memory limits are set" + } } ] } \ No newline at end of file diff --git a/frameworks/cis-aks-t1.2.0.json b/frameworks/cis-aks-t1.2.0.json index 7eac30cec..2bf60aa45 100644 --- a/frameworks/cis-aks-t1.2.0.json +++ b/frameworks/cis-aks-t1.2.0.json @@ -3,14 +3,16 @@ "description": "Testing CIS for Azure Kubernetes Service (AKS) as suggested by CIS benchmark: https://workbench.cisecurity.org/benchmarks/9058", "attributes": { "version": "v1.2.0", - "armoBuiltin": true + "builtin": true }, "scanningScope": { "matches": [ "AKS" ] }, - "typeTags": ["compliance"], + "typeTags": [ + "compliance" + ], "activeControls": [ { "controlID": "C-0078", @@ -549,15 +551,15 @@ "id": "3.2", "controlsIDs": [ "C-0172", - "C-0175", - "C-0179", - "C-0182", "C-0173", "C-0174", + "C-0175", "C-0176", "C-0177", "C-0178", + "C-0179", "C-0180", + "C-0182", "C-0183" ] } 
@@ -602,8 +604,8 @@ "name": "CNI Plugin", "id": "4.4", "controlsIDs": [ - "C-0206", - "C-0205" + "C-0205", + "C-0206" ] }, "5": { diff --git a/frameworks/cis-eks-t1.2.0.json b/frameworks/cis-eks-t1.2.0.json index 4dc1ffda5..eb9ddbf8b 100644 --- a/frameworks/cis-eks-t1.2.0.json +++ b/frameworks/cis-eks-t1.2.0.json @@ -3,14 +3,16 @@ "description": "Testing CIS for Amazon Elastic Kubernetes Service (EKS) as suggested by CIS benchmark: https://workbench.cisecurity.org/benchmarks/9681", "attributes": { "version": "v1.2.0", - "armoBuiltin": true + "builtin": true }, "scanningScope": { "matches": [ "EKS" ] }, - "typeTags": ["compliance"], + "typeTags": [ + "compliance" + ], "activeControls": [ { "controlID": "C-0066", @@ -499,7 +501,7 @@ "name": "CIS-3.1.1 Ensure that the kubeconfig file permissions are set to 644 or more restrictive" } }, - { + { "controlID": "C-0242", "patch": { "name": "CIS-5.6.2 Hostile multi-tenant workloads" @@ -509,8 +511,8 @@ "controlID": "C-0246", "patch": { "name": "CIS-4.1.7 Avoid use of system:masters group" - } - } + } + } ], "subSections": { "2": { @@ -580,7 +582,8 @@ "C-0188", "C-0189", "C-0190", - "C-0191" + "C-0191", + "C-0246" ] }, "2": { @@ -618,7 +621,7 @@ "id": "4.6", "controlsIDs": [ "C-0209", - "C-0211", + "C-0211", "C-0212" ] } @@ -632,9 +635,10 @@ "name": "Image Registry and Image Scanning", "id": "5.1", "controlsIDs": [ + "C-0078", "C-0221", - "C-0223", - "C-0078" + "C-0222", + "C-0223" ] }, "2": { @@ -673,10 +677,11 @@ "name": "Other Cluster Configurations", "id": "5.6", "controlsIDs": [ - "C-0233" + "C-0233", + "C-0242" ] } } } } -} +} \ No newline at end of file diff --git a/frameworks/cis-v1.23-t1.0.1.json b/frameworks/cis-v1.23-t1.0.1.json index cfd884b5d..d9c28f10d 100644 --- a/frameworks/cis-v1.23-t1.0.1.json +++ b/frameworks/cis-v1.23-t1.0.1.json 
@@ -3,7 +3,7 @@ "description": "Testing CIS for Kubernetes as suggested by CIS in https://workbench.cisecurity.org/benchmarks/8973", "attributes": { "version": "v1.0.1", - "armoBuiltin": true + "builtin": true }, "scanningScope": { "matches": [ @@ -11,7 +11,9 @@ "file" ] }, - "typeTags": ["compliance"], + "typeTags": [ + "compliance" + ], "subSections": { "1": { "id": "1", @@ -79,7 +81,6 @@ "C-0141", "C-0142", "C-0143" - ] }, "3": { @@ -92,7 +93,7 @@ "C-0147", "C-0148", "C-0149", - "C-0150" + "C-0150" ] }, "4": { @@ -115,7 +116,7 @@ "C-0156", "C-0157", "C-0158", - "C-0159" + "C-0159" ] }, "3": { @@ -150,7 +151,6 @@ "C-0169", "C-0170", "C-0171" - ] }, "2": { @@ -169,7 +169,7 @@ "C-0181", "C-0182", "C-0183", - "C-0184" + "C-0184" ] } } @@ -188,7 +188,7 @@ "C-0188", "C-0189", "C-0190", - "C-0191" + "C-0191" ] }, "2": { @@ -207,38 +207,38 @@ "C-0201", "C-0202", "C-0203", - "C-0204" + "C-0204" ] }, "3": { "name": "Network Policies and CNI", "id": "5.3", "controlsIDs": [ - "C-0205", - "C-0206" + "C-0205", + "C-0206" ] }, "4": { "name": "Secrets Management", "id": "5.4", "controlsIDs": [ - "C-0207", - "C-0208" + "C-0207", + "C-0208" ] }, "7": { "name": "General Policies", "id": "5.7", "controlsIDs": [ - "C-0209", + "C-0209", "C-0210", - "C-0211", - "C-0212" + "C-0211", + "C-0212" ] } } } - }, + }, "activeControls": [ { "controlID": "C-0092", diff --git a/frameworks/clusterscan.json b/frameworks/clusterscan.json index a97ab72ec..9dd5f73ef 100644 --- a/frameworks/clusterscan.json +++ b/frameworks/clusterscan.json @@ -2,7 +2,7 @@ "name": "ClusterScan", "description": "Framework for scanning a cluster", "attributes": { - "armoBuiltin": true + "builtin": true }, "typeTags": [ "security" @@ -38,6 +38,12 @@ "name": "Anonymous access enabled" } }, + { + "controlID": "C-0265", + "patch": { + "name": "Authenticated user has sensitive permissions" + } + }, { "controlID": "C-0015", "patch": { 
@@ -47,13 +53,13 @@ { "controlID": "C-0002", "patch": { - "name": "Exec into container" + "name": "Prevent containers from allowing command execution" } }, { "controlID": "C-0007", "patch": { - "name": "Data Destruction" + "name": "Roles with delete capabilities" } }, { @@ -77,7 +83,7 @@ { "controlID": "C-0035", "patch": { - "name": "Cluster-admin binding" + "name": "Administrative Roles" } }, { @@ -107,7 +113,7 @@ { "controlID": "C-0256", "patch": { - "name": "Exposure to internet" + "name": "External facing" } }, { @@ -141,4 +147,4 @@ } } ] -} \ No newline at end of file +} diff --git a/frameworks/devopsbest.json b/frameworks/devopsbest.json index 55906992b..cb1ba3f0f 100644 --- a/frameworks/devopsbest.json +++ b/frameworks/devopsbest.json @@ -2,7 +2,7 @@ "name": "DevOpsBest", "description": "", "attributes": { - "armoBuiltin": true + "builtin": true }, "scanningScope": { "matches": [ @@ -12,12 +12,6 @@ }, "typeTags": ["compliance"], "activeControls": [ - { - "controlID": "C-0004", - "patch": { - "name": "Resources memory limit and request" - } - }, { "controlID": "C-0018", "patch": { @@ -30,12 +24,6 @@ "name": "Container hostPort" } }, - { - "controlID": "C-0050", - "patch": { - "name": "Resources CPU limit and request" - } - }, { "controlID": "C-0056", "patch": { @@ -83,6 +71,30 @@ "patch": { "name": "Deprecated Kubernetes image registry" } + }, + { + "controlID": "C-0268", + "patch": { + "name": "Ensure CPU requests are set" + } + }, + { + "controlID": "C-0269", + "patch": { + "name": "Ensure memory requests are set" + } + }, + { + "controlID": "C-0270", + "patch": { + "name": "Ensure CPU limits are set" + } + }, + { + "controlID": "C-0271", + "patch": { + "name": "Ensure memory limits are set" + } } ] -} \ No newline at end of file +} diff --git a/frameworks/mitre.json b/frameworks/mitre.json index 460d794b3..c8e5e2194 100644 --- a/frameworks/mitre.json +++ b/frameworks/mitre.json 
@@ -2,7 +2,7 @@ "name": "MITRE", "description": "Testing MITRE for Kubernetes as suggested by microsoft in https://www.microsoft.com/security/blog/wp-content/uploads/2020/04/k8s-matrix.png", "attributes": { - "armoBuiltin": true + "builtin": true }, "scanningScope": { "matches": [ @@ -15,13 +15,13 @@ { "controlID": "C-0002", "patch": { - "name": "Exec into container" + "name": "Prevent containers from allowing command execution" } }, { "controlID": "C-0007", "patch": { - "name": "Data Destruction" + "name": "Roles with delete capabilities" } }, { @@ -69,7 +69,7 @@ { "controlID": "C-0035", "patch": { - "name": "Cluster-admin binding" + "name": "Administrative Roles" } }, { @@ -175,4 +175,4 @@ } } ] -} \ No newline at end of file +} diff --git a/frameworks/nsaframework.json b/frameworks/nsaframework.json index 3955df176..62f30f273 100644 --- a/frameworks/nsaframework.json +++ b/frameworks/nsaframework.json @@ -2,7 +2,7 @@ "name": "NSA", "description": "Implement NSA security advices for K8s ", "attributes": { - "armoBuiltin": true + "builtin": true }, "scanningScope": { "matches": [ @@ -15,7 +15,7 @@ { "controlID": "C-0002", "patch": { - "name": "Exec into container" + "name": "Prevent containers from allowing command execution" } }, { @@ -24,12 +24,6 @@ "name": "API server insecure port is enabled" } }, - { - "controlID": "C-0009", - "patch": { - "name": "Resource limits" - } - }, { "controlID": "C-0012", "patch": { @@ -69,7 +63,7 @@ { "controlID": "C-0035", "patch": { - "name": "Cluster-admin binding" + "name": "Administrative Roles" } }, { @@ -155,6 +149,18 @@ "patch": { "name": "Enforce Kubelet client TLS authentication" } + }, + { + "controlID": "C-0270", + "patch": { + "name": "Ensure CPU limits are set" + } + }, + { + "controlID": "C-0271", + "patch": { + "name": "Ensure memory limits are set" + } } ] -} \ No newline at end of file +} diff --git a/frameworks/security.json b/frameworks/security.json index 6f9e23805..2bdf84494 100644 
--- a/frameworks/security.json +++ b/frameworks/security.json @@ -2,7 +2,7 @@ "name": "security", "description": "Controls that are used to assess security threats.", "attributes": { - "armoBuiltin": true + "builtin": true }, "typeTags": [ "security" @@ -15,57 +15,51 @@ }, "activeControls": [ { - "controlID": "C-0009", + "controlID": "C-0005", "patch": { - "name": "Resource limits" + "name": "API server insecure port is enabled" } }, { - "controlID": "C-0017", + "controlID": "C-0012", "patch": { - "name": "Immutable container filesystem" + "name": "Applications credentials in configuration files" } }, - { - "controlID": "C-0256", + { + "controlID": "C-0013", "patch": { - "name": "Exposure to Internet" - } - }, - { - "controlID": "C-0259", - "patch": { - "name": "Workload with credential access" + "name": "Non-root containers" } }, { - "controlID": "C-0258", + "controlID": "C-0016", "patch": { - "name": "Workload with configMap access" + "name": "Allow privilege escalation" } }, { - "controlID": "C-0257", + "controlID": "C-0017", "patch": { - "name": "Workload with PVC access" + "name": "Immutable container filesystem" } }, { - "controlID": "C-0260", + "controlID": "C-0034", "patch": { - "name": "Missing network policy" + "name": "Automatic mapping of service account" } }, { - "controlID": "C-0261", + "controlID": "C-0035", "patch": { - "name": "ServiceAccount token mounted" + "name": "Administrative Roles" } }, - { - "controlID": "C-0255", + { + "controlID": "C-0038", "patch": { - "name": "Workload with secret access" + "name": "Host PID/IPC privileges" } }, { 
@@ -98,17 +92,143 @@ "name": "HostPath mount" } }, + { + "controlID": "C-0057", + "patch": { + "name": "Privileged container" + } + }, + { + "controlID": "C-0066", + "patch": { + "name": "Secret/etcd encryption enabled" + } + }, + { + "controlID": "C-0069", + "patch": { + "name": "Disable anonymous access to Kubelet service" + } + }, + { + "controlID": "C-0070", + "patch": { + "name": "Enforce Kubelet client TLS authentication" + } + }, + { + "controlID": "C-0074", + "patch": { + "name": "Container runtime socket mounted" + } + }, { "controlID": "C-0211", "patch": { "name": "Apply Security Context to Your Pods and Containers" } }, - { + { + "controlID": "C-0255", + "patch": { + "name": "Workload with secret access" + } + }, + { + "controlID": "C-0256", + "patch": { + "name": "External facing" + } + }, + { + "controlID": "C-0257", + "patch": { + "name": "Workload with PVC access" + } + }, + { + "controlID": "C-0258", + "patch": { + "name": "Workload with configMap access" + } + }, + { + "controlID": "C-0259", + "patch": { + "name": "Workload with credential access" + } + }, + { + "controlID": "C-0260", + "patch": { + "name": "Missing network policy" + } + }, + { + "controlID": "C-0261", + "patch": { + "name": "ServiceAccount token mounted" + } + }, + { "controlID": "C-0262", "patch": { "name": "Anonymous access enabled" } + }, + { + "controlID": "C-0264", + "patch": { + "name": "PersistentVolume without encyption" + } + }, + { + "controlID": "C-0265", + "patch": { + "name": "Authenticated user has sensitive permissions" + } + }, + { + "controlID": "C-0267", + "patch": { + "name": "Workload with cluster takeover roles" + } + }, + { + "controlID": "C-0270", + "patch": { + "name": "Ensure CPU limits are set" + } + }, + { + "controlID": "C-0271", + "patch": { + "name": "Ensure memory limits are set" + } + }, + { + "controlID": "C-0272", + "patch": { + "name": "Workload with administrative roles" + } + }, + { + "controlID": "C-0273", + "patch": { + "name": "Outdated 
Kubernetes version" + } + }, + { + "controlID": "C-0266", + "patch": { + "name": "Exposure to internet via Gateway API" + } + }, + { + "controlID": "C-0274", + "patch": { + "name": "Verify Authenticated Service" + } } ] -} +} \ No newline at end of file diff --git a/frameworks/soc2.json b/frameworks/soc2.json new file mode 100644 index 000000000..98d27e4db --- /dev/null +++ b/frameworks/soc2.json 
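Review bot: The patch name for `C-0264` is misspelled: `"name": "PersistentVolume without encyption"` should read `"PersistentVolume without encryption"`, and this string is what users see in reports for this framework. The list is otherwise ordered by control ID, but `C-0266` is inserted between `C-0273` and `C-0274`; moving it after `C-0265` keeps the convention the rest of the file follows.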
@@ -0,0 +1,75 @@ +{ + "name": "SOC2", + "description": "SOC2 compliance related controls", + "attributes": { + "builtin": true + }, + "scanningScope": { + "matches": [ + "cluster", + "file" + ] + }, + "typeTags": ["compliance"], + "activeControls": [ + { + "controlID": "C-0260", + "patch": { + "name": "Firewall (CC6.1,CC6.6,CC7.2)", + "description": "Network is monitored and protected by the following. System firewalls are configured to limit unnecessary ports, protocols and services. Firewall rules are reviewed at least annually by IT management.", + "long_description": "Network is monitored and protected by the following. System firewalls are configured to limit unnecessary ports, protocols and services. Firewall rules are reviewed at least annually by IT management.", + "remediation": "Define network policies for all workloads to protect unwanted access" + } + }, + { + "controlID": "C-0012", + "patch": { + "name": "Cryptographic key management - misplaced secrets (CC6.1,CC6.6,CC6.7)", + "description": "Encryption keys used to protect data at rest and in transit are stored and managed in accordance with the organization's cryptography policy. Access to encryption keys are restricted to authorized personnel.", + "long_description": "Encryption keys used to protect data at rest and in transit are stored and managed in accordance with the organization's cryptography policy. Access to encryption keys are restricted to authorized personnel." + } + }, + { + "controlID": "C-0186", + "patch": { + "name": "Cryptographic key management - minimize access to secrets (CC6.1,CC6.6,CC6.7)", + "description": "Encryption keys used to protect data at rest and in transit are stored and managed in accordance with the organization's cryptography policy. Access to encryption keys are restricted to authorized personnel.", + "long_description": "Encryption keys used to protect data at rest and in transit are stored and managed in accordance with the organization's cryptography policy. 
Access to encryption keys are restricted to authorized personnel." + } + }, + { + "controlID": "C-0035", + "patch": { + "name": "Access restriction to infrastructure - admin access (CC6.1 ,CC6.2, CC6.7, CC6.8)", + "description": "Administrative access on the in-scope production infrastructure (cloud platform, servers, database) are restricted to authorized users based on job responsibilities.", + "long_description": "Administrative access on the in-scope production infrastructure (cloud platform, servers, database) are restricted to authorized users based on job responsibilities." + } + }, + { + "controlID": "C-0067", + "patch": { + "name": "Event logging (CC6.8,CC7.1,CC7.2)", + "description": "Logging is enabled to monitor the following events at the application and/or infrastructure layers.", + "long_description": "Logging is enabled to monitor the following events at the application and/or infrastructure layers: - Logon attempts - Data deletions - Application and system errors - Changes to software and configuration settings - Changes to system files, configuration files or content files The logs are monitored by IT Operations staff and significant issues are investigated and resolved within a timely manner." + } + }, + { + "controlID": "C-0263", + "patch": { + "name": "Data in motion encryption - Ingress is TLS encrypted (CC6.1,CC6.6,CC6.7)", + "description": "Transport Layer Security (TLS) is used to protect the transmission of data sent over the internet to and from the organization's application server.", + "long_description": "Transport Layer Security (TLS) is used to protect the transmission of data sent over the internet to and from the organization's application server." 
+ } + }, + { + "controlID": "C-0264", + "patch": { + "name": "Data in rest encryption - Persistent Volumes are encrypted (CC1.1,CC6.7)", + "description": "Transport Layer Security (TLS) is used to protect the transmission of data sent over the internet to and from the organization's application server.", + "long_description": "Transport Layer Security (TLS) is used to protect the transmission of data sent over the internet to and from the organization's application server." + } + } + + + ] +} diff --git a/frameworks/workloadscan.json b/frameworks/workloadscan.json index c92f72ea3..c3f1a0ec3 100644 --- a/frameworks/workloadscan.json +++ b/frameworks/workloadscan.json @@ -2,7 +2,7 @@ "name": "WorkloadScan", "description": "Framework for scanning a workload", "attributes": { - "armoBuiltin": true + "builtin": true }, "typeTags": [ "security" @@ -14,30 +14,6 @@ "name": "Images from allowed registry" } }, - { - "controlID": "C-0236", - "patch": { - "name": "Verify image signature" - } - }, - { - "controlID": "C-0237", - "patch": { - "name": "Check if signature exists" - } - }, - { - "controlID": "C-0004", - "patch": { - "name": "Resources memory limit and request" - } - }, - { - "controlID": "C-0050", - "patch": { - "name": "Resources CPU limit and request" - } - }, { "controlID": "C-0045", "patch": { @@ -134,6 +110,18 @@ "patch": { "name": "Privileged container" } + }, + { + "controlID": "C-0270", + "patch": { + "name": "Ensure CPU limits are set" + } + }, + { + "controlID": "C-0271", + "patch": { + "name": "Ensure memory limits are set" + } } ] -} \ No newline at end of file +} diff --git a/gitregostore/datastructures.go b/gitregostore/datastructures.go index 49b21983c..47441fe52 100644 --- a/gitregostore/datastructures.go +++ b/gitregostore/datastructures.go 
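Review bot: The `C-0264` entry (`Data in rest encryption - Persistent Volumes are encrypted`) carries the `description` and `long_description` of the `C-0263` TLS entry — `Transport Layer Security (TLS) is used to protect the transmission of data ...` — which describes data in transit, not encryption at rest, so the SOC2 report text for encrypted volumes will be wrong. Replace both fields with an at-rest statement (that persistent volumes holding in-scope data are encrypted), and fix `Data in rest` to `Data at rest`. There are also two stray blank lines before the closing `]` of `activeControls`.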
@@ -56,7 +56,7 @@ func newGitRegoStore(baseUrl string, owner string, repository string, path strin watch = true } - if strings.Contains(tag, "latest") || strings.Contains(tag, "download") { + if strings.Contains(tag, "latest") || strings.Contains(tag, "download") || strings.Contains(path, "releases") { // TODO - This condition was added to avoid dependency on updating productions configs on deployment. // Once production configs are updated (branch set to ""), this condition can be removed. if strings.ToLower(branch) == "master" { @@ -98,6 +98,13 @@ func (gs *GitRegoStore) SetRegoObjects() error { return err } +// NewGitRegoStoreV2 - generates git store object for production v2 regolibrary release files. +// Release files source: "https://github.com/kubescape/regolibrary/releases/tag/v2" +func NewGitRegoStoreV2(frequency int) *GitRegoStore { + gs := NewGitRegoStore("https://github.com", "kubescape", "regolibrary", "releases", "download/v2", "", frequency) + return gs +} + // NewDefaultGitRegoStore - generates git store object for production regolibrary release files. // Release files source: "https://github.com/kubescape/regolibrary/releases/latest/download" func NewDefaultGitRegoStore(frequency int) *GitRegoStore { diff --git a/gitregostore/gitstoremethods.go b/gitregostore/gitstoremethods.go index e6a83bde3..eb44a6971 100644 --- a/gitregostore/gitstoremethods.go +++ b/gitregostore/gitstoremethods.go @@ -7,6 +7,7 @@ import ( "github.com/armosec/armoapi-go/armotypes" "github.com/go-gota/gota/dataframe" "github.com/go-gota/gota/series" + "github.com/kubescape/opa-utils/reporthandling" opapolicy "github.com/kubescape/opa-utils/reporthandling" "github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1" "k8s.io/utils/strings/slices" 
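Review bot: The import block now brings `github.com/kubescape/opa-utils/reporthandling` into scope twice, once unaliased and once as `opapolicy`, and the only user of the new unaliased import appears to be the `*reporthandling.FrameworkSubSection` parameter added later in `gitstoremethods.go`; Go accepts this, but two names for one package are confusing to read and some linters flag it. Drop the added import line and write the parameter as `*opapolicy.FrameworkSubSection`, matching the rest of the file.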
@@ -225,6 +226,20 @@ func (gs *GitRegoStore) GetOPAAttackTrackControls() ([]opapolicy.Control, error)
 return attackTrackControlsList, nil
 }
+func (gs *GitRegoStore) GetAttackTrackCategoriesByControlIDAndAttackTrackName(controlID string, attackTrackName string) (opapolicy.AttackTrackCategories, error) {
+ control, err := gs.GetOPAControlByID(controlID)
+ if err != nil {
+ return opapolicy.AttackTrackCategories{}, fmt.Errorf("in GetAttackTrackCategoriesByControlIDAndAttackTrackName: error getting control: %s. error: %w", controlID, err)
+ }
+ categories := control.GetAllAttackTrackCategories()
+ for _, category := range categories {
+ if category.AttackTrack == attackTrackName {
+ return category, nil
+ }
+ }
+ return opapolicy.AttackTrackCategories{}, fmt.Errorf("attack track category '%s' not found in control '%s'", attackTrackName, controlID)
+}
+
 func (gs *GitRegoStore) GetOPAControlsNamesList() ([]string, error) {
 gs.controlsLock.RLock()
 defer gs.controlsLock.RUnlock()
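Review bot: `GetAttackTrackCategoriesByControlIDAndAttackTrackName` is exported but has no doc comment, unlike the neighbouring store methods; suggested: `// GetAttackTrackCategoriesByControlIDAndAttackTrackName returns the attack-track categories entry of control controlID whose AttackTrack equals attackTrackName; it fails when the control cannot be loaded or has no entry for that track.` The loop returns the first matching entry, so if `GetAllAttackTrackCategories` can yield several entries for the same track name (not visible from here) the rest are silently ignored — worth a line in the comment if that is possible. The two error strings use different shapes (`in <func>: ... error: %w` versus a bare message); picking one form keeps log grepping consistent.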
@@ -287,6 +302,55 @@ func (gs *GitRegoStore) GetOpaFrameworkListByControlID(controlID string) []strin
 return frameworksNameList
 }
+// GetControlFrameworkSubsections returns all subsections of a control in a framework
+func (gs *GitRegoStore) GetControlFrameworkSubsections(controlID string, frameworkName string) ([]string, error) {
+ gs.frameworksLock.RLock()
+ defer gs.frameworksLock.RUnlock()
+ gs.controlsLock.RLock()
+ defer gs.controlsLock.RUnlock()
+
+ fw, err := gs.getOPAFrameworkByName(frameworkName) // doesn't lock framework
+ if err != nil {
+ return nil, err
+ }
+
+ control, err := gs.getOPAControlByID(controlID) // doesn't lock control
+ if err != nil {
+ return nil, err
+ }
+
+ fwSubsectionIDs := make([]string, 0)
+ subsections := fw.SubSections
+
+ for i := range subsections {
+ fwSubsectionIDs = gs.getControlFrameworkSubSections(fwSubsectionIDs, control.ControlID, subsections[i])
+ }
+
+ return fwSubsectionIDs, nil
+}
+
+func (gs *GitRegoStore) getControlFrameworkSubSections(fwSubsectionIDs []string, controlID string, section *reporthandling.FrameworkSubSection) []string {
+ // Return the current list if the section is nil
+ if section == nil {
+ return fwSubsectionIDs
+ }
+
+ // Recursively gather IDs from subsections
+ if section.SubSections != nil {
+ for _, subSection := range section.SubSections {
+ // Update fwSubsectionIDs with the result of the recursive call
+ fwSubsectionIDs = gs.getControlFrameworkSubSections(fwSubsectionIDs, controlID, subSection)
+ }
+ }
+
+ // Append the current section ID if it contains the controlID
+ if section.ControlIDs != nil && slices.Contains(section.ControlIDs, controlID) {
+ fwSubsectionIDs = append(fwSubsectionIDs, section.ID)
+ }
+
+ return fwSubsectionIDs
+}
+
 // ===============================================================
 // =========================== Frameworks ========================
 // ===============================================================
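Review bot: `getControlFrameworkSubSections` types its parameter as `reporthandling.FrameworkSubSection` while the rest of this file refers to the same import path through the `opapolicy` alias, which is why the import block now lists `github.com/kubescape/opa-utils/reporthandling` twice under two names; use `section *opapolicy.FrameworkSubSection` and drop the new un-aliased import. The helper never uses its `gs` receiver, so it can be a plain function, and the `section.SubSections != nil` / `section.ControlIDs != nil` guards are redundant because ranging over and `slices.Contains` on a nil slice are already no-ops. `GetControlFrameworkSubsections` takes `frameworksLock` before `controlsLock`; if any other method in the store acquires them in the opposite order (not visible here) the two can deadlock, so a one-line comment fixing the lock order — `// lock order: frameworksLock, then controlsLock — keep consistent across the store` — is worth adding. The doc comment could also state that only the innermost sections listing the control are returned (a parent whose child contains the control is not added), which is what the recursion and the `"2.1"` expectation in the test rely on.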
diff --git a/gitregostore/gitstoremethods_test.go b/gitregostore/gitstoremethods_test.go
index 400f96bdf..f22dc774c 100644
--- a/gitregostore/gitstoremethods_test.go
+++ b/gitregostore/gitstoremethods_test.go
@@ -220,6 +220,40 @@ func gs_tests(t *testing.T, gs *GitRegoStore) {
 "wrong control for framework name 'NSA' and control name 'Allow privilege escalation' expected: 'C-0016', found %s", control.ControlID,
 )
 })
+
+ t.Run("should retrieve list of fw subsections IDs", func(t *testing.T) {
+ t.Parallel()
+
+ subsectionsIDs, err := gs.GetControlFrameworkSubsections("C-0067", "cis-eks-t1.2.0")
+ require.NoError(t, err)
+ require.NotEmptyf(t, subsectionsIDs,
+ "failed to get subsections ids list for control 'C-0067' in framework name 'cis-eks-t1.2.0' %v", err,
+ )
+ assert.ElementsMatch(t, []string{"2.1"}, subsectionsIDs)
+
+ t.Run("should retrieve fw subsection by ID", func(t *testing.T) {
+ t.Parallel()
+
+ subsectionsIDs, err := gs.GetControlFrameworkSubsections("C-0167", "cis-aks-t1.2.0")
+ assert.NoError(t, err)
+ require.NotEmptyf(t, subsectionsIDs,
+ "failed to get subsections ids list for control 'C-0167' in framework name 'cis-aks-t1.2.0' %v", err,
+ )
+ assert.ElementsMatch(t, []string{"3.1"}, subsectionsIDs)
+ })
+ })
+}
+
+func TestGetPoliciesMethodsNewV2(t *testing.T) {
+ t.Parallel()
+
+ gs := NewGitRegoStoreV2(-1)
+ t.Run("shoud set objects in rego store", func(t *testing.T) {
+ require.NoError(t, gs.SetRegoObjects())
+ })
+
+ gs_tests(t, gs)
+
 }
 func TestGetPoliciesMethodsNew(t *testing.T) {
diff --git a/gitregostore/gitstoreutils_test.go b/gitregostore/gitstoreutils_test.go
index e88772faf..be8f73c7a 100644
--- a/gitregostore/gitstoreutils_test.go
+++ b/gitregostore/gitstoreutils_test.go
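Review bot: The second subtest ("should retrieve fw subsection by ID") is declared inside the closure of the first one, so it only runs as a child of that subtest and its name does not describe what it checks (the subsection IDs of C-0167 in cis-aks-t1.2.0, not a lookup by ID); the `})` that closes the first `t.Run` most likely belongs before the second `t.Run`, and the inner name should match the outer, e.g. `should retrieve list of fw subsections IDs (aks)`. Both subtests pass `err` into the `require.NotEmptyf` message after `require.NoError`/`assert.NoError` has already checked it, so the `%v` can only ever print `<nil>`, and the inner one mixes `assert.NoError` with `require` where the outer uses `require` throughout. `TestGetPoliciesMethodsNewV2` resolves the real `v2` release over the network (`NewGitRegoStoreV2(-1)` then `SetRegoObjects`), which ties the suite to GitHub availability and to whatever the `v2` tag currently points at — presumably the same as the existing `TestGetPoliciesMethodsNew`, but a short comment or `testing.Short()` skip would make that explicit; also `"shoud set objects in rego store"` has a typo.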
@@ -345,7 +345,7 @@ func TestSetControls(t *testing.T) {
 }
 //
- respStr = `[{"name":"TEST","attributes":{"armoBuiltin":true,"controlTypeTags":["security","compliance"],"attackTracks":[{"attackTrack": "container","categories": ["Execution","Initial access"]},{"attackTrack": "network","categories": ["Eavesdropping","Spoofing"]}]},"description":"","remediation":"","rulesNames":["CVE-2022-0185"],"id":"C-0079","long_description":"","test":"","controlID":"C-0079","baseScore":4,"example":""}]`
+ respStr = `[{"name":"TEST","attributes":{"controlTypeTags":["security","compliance"],"attackTracks":[{"attackTrack": "container","categories": ["Execution","Initial access"]},{"attackTrack": "network","categories": ["Eavesdropping","Spoofing"]}]},"description":"","remediation":"","rulesNames":["CVE-2022-0185"],"id":"C-0079","long_description":"","test":"","controlID":"C-0079","baseScore":4,"example":""}]`
 err = store.setControls(respStr)
 if err != nil {
 t.Errorf("Error setting controls: %v", err)
diff --git a/go.mod b/go.mod
index 242866559..cecf821c0 100644
--- a/go.mod
+++ b/go.mod
@@ -1,20 +1,20 @@ -module github.com/kubescape/regolibrary +module github.com/kubescape/regolibrary/v2 -go 1.19 +go 1.21 require ( - github.com/armosec/armoapi-go v0.0.211 + github.com/armosec/armoapi-go v0.0.330 github.com/go-gota/gota v0.12.0 - github.com/kubescape/opa-utils v0.0.263 + github.com/kubescape/opa-utils v0.0.279 github.com/stretchr/testify v1.8.4 - go.uber.org/zap v1.24.0 + go.uber.org/zap v1.27.0 k8s.io/utils v0.0.0-20230726121419-3b25d923346b ) require ( - cloud.google.com/go/compute v1.20.1 // indirect + cloud.google.com/go/compute v1.23.3 // indirect cloud.google.com/go/compute/metadata v0.2.3 // indirect - cloud.google.com/go/container v1.24.0 // indirect + cloud.google.com/go/container v1.27.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect @@ -25,8 +25,8 @@ require ( github.com/OneOfOne/xxhash v1.2.8 // indirect github.com/agnivade/levenshtein v1.1.1 // indirect github.com/armosec/gojay v1.2.15 // indirect - github.com/armosec/utils-go v0.0.20 // indirect - github.com/armosec/utils-k8s-go v0.0.16 // indirect + github.com/armosec/utils-go v0.0.57 // indirect + github.com/armosec/utils-k8s-go v0.0.26 // indirect github.com/aws/aws-sdk-go-v2 v1.19.1 // indirect github.com/aws/aws-sdk-go-v2/config v1.18.30 // indirect github.com/aws/aws-sdk-go-v2/credentials v1.13.29 // indirect 
@@ -43,118 +43,126 @@ require ( github.com/aws/aws-sdk-go-v2/service/sts v1.20.1 // indirect github.com/aws/smithy-go v1.13.5 // indirect github.com/beorn7/perks v1.0.1 // indirect + github.com/briandowns/spinner v1.23.0 // indirect + github.com/cenkalti/backoff v2.2.1+incompatible // indirect github.com/cenkalti/backoff/v4 v4.2.1 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect github.com/coreos/go-oidc v2.2.1+incompatible // indirect - github.com/davecgh/go-spew v1.1.1 // indirect - github.com/docker/docker v24.0.5+incompatible // indirect - github.com/docker/go-connections v0.4.0 // indirect - github.com/docker/go-units v0.5.0 // indirect - github.com/emicklei/go-restful/v3 v3.9.0 // indirect + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect + github.com/docker/docker v25.0.1+incompatible // indirect + github.com/emicklei/go-restful/v3 v3.11.0 // indirect github.com/fatih/color v1.15.0 // indirect github.com/francoispqt/gojay v1.2.13 // indirect - github.com/ghodss/yaml v1.0.0 // indirect + github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/go-ini/ini v1.67.0 // indirect - github.com/go-logr/logr v1.2.4 // indirect + github.com/go-logr/logr v1.4.1 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-openapi/jsonpointer v0.19.6 // indirect - github.com/go-openapi/jsonreference v0.20.1 // indirect + github.com/go-openapi/jsonreference v0.20.2 // indirect github.com/go-openapi/swag v0.22.3 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt/v4 v4.5.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.3 // indirect - github.com/google/gnostic v0.5.7-v3refs // indirect - github.com/google/go-cmp v0.5.9 // indirect + github.com/google/gnostic-models v0.6.8 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/s2a-go v0.1.4 // indirect - 
github.com/google/uuid v1.3.0 // indirect - github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect - github.com/googleapis/gax-go/v2 v2.11.0 // indirect - github.com/gorilla/mux v1.8.0 // indirect - github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.2 // indirect + github.com/google/s2a-go v0.1.7 // indirect + github.com/google/uuid v1.6.0 // indirect + github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect + github.com/googleapis/gax-go/v2 v2.12.0 // indirect + github.com/gorilla/mux v1.8.1 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.0 // indirect + github.com/hashicorp/hcl v1.0.0 // indirect github.com/imdario/mergo v0.3.12 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/kubescape/go-logger v0.0.14-0.20230730134225-e59751254525 // indirect - github.com/kubescape/k8s-interface v0.0.135-0.20230730135750-e6e709507847 // indirect + github.com/kubescape/go-logger v0.0.22 // indirect + github.com/kubescape/k8s-interface v0.0.161 // indirect github.com/kubescape/rbac-utils v0.0.20 // indirect github.com/kylelemons/godebug v1.1.0 // indirect + github.com/magiconair/properties v1.8.1 // indirect github.com/mailru/easyjson v0.7.7 // indirect github.com/mattn/go-colorable v0.1.13 // indirect - github.com/mattn/go-isatty v0.0.17 // indirect - github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect + github.com/mattn/go-isatty v0.0.19 // indirect + github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect - github.com/open-policy-agent/opa v0.55.0 // indirect + github.com/olvrng/ujson v1.1.0 // indirect + 
github.com/open-policy-agent/opa v0.61.0 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/opencontainers/image-spec v1.1.0-rc4 // indirect + github.com/opencontainers/image-spec v1.1.0-rc5 // indirect + github.com/pelletier/go-toml v1.2.0 // indirect github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect github.com/pkg/errors v0.9.1 // indirect - github.com/pmezard/go-difflib v1.0.0 // indirect + github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/pquerna/cachecontrol v0.2.0 // indirect - github.com/prometheus/client_golang v1.16.0 // indirect - github.com/prometheus/client_model v0.4.0 // indirect - github.com/prometheus/common v0.42.0 // indirect - github.com/prometheus/procfs v0.10.1 // indirect + github.com/prometheus/client_golang v1.18.0 // indirect + github.com/prometheus/client_model v0.5.0 // indirect + github.com/prometheus/common v0.45.0 // indirect + github.com/prometheus/procfs v0.12.0 // indirect github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect github.com/sirupsen/logrus v1.9.3 // indirect + github.com/spf13/afero v1.6.0 // indirect + github.com/spf13/cast v1.3.0 // indirect + github.com/spf13/jwalterweatherman v1.0.0 // indirect github.com/spf13/pflag v1.0.5 // indirect + github.com/spf13/viper v1.7.0 // indirect github.com/stripe/stripe-go/v74 v74.28.0 // indirect + github.com/subosito/gotenv v1.2.0 // indirect github.com/tchap/go-patricia/v2 v2.3.1 // indirect github.com/uptrace/opentelemetry-go-extra/otelutil v0.2.2 // indirect github.com/uptrace/opentelemetry-go-extra/otelzap v0.2.2 // indirect - github.com/uptrace/uptrace-go v1.16.0 // indirect + github.com/uptrace/uptrace-go v1.18.0 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/yashtewari/glob-intersection v0.2.0 // indirect go.opencensus.io 
v0.24.0 // indirect - go.opentelemetry.io/contrib/instrumentation/runtime v0.42.0 // indirect - go.opentelemetry.io/otel v1.16.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.16.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.39.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.39.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.16.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.16.0 // indirect - go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.16.0 // indirect - go.opentelemetry.io/otel/metric v1.16.0 // indirect - go.opentelemetry.io/otel/sdk v1.16.0 // indirect - go.opentelemetry.io/otel/sdk/metric v0.39.0 // indirect - go.opentelemetry.io/otel/trace v1.16.0 // indirect - go.opentelemetry.io/proto/otlp v0.19.0 // indirect - go.uber.org/atomic v1.11.0 // indirect + go.opentelemetry.io/contrib/instrumentation/runtime v0.44.0 // indirect + go.opentelemetry.io/otel v1.21.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.41.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.41.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0 // indirect + go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.18.0 // indirect + go.opentelemetry.io/otel/metric v1.21.0 // indirect + go.opentelemetry.io/otel/sdk v1.21.0 // indirect + go.opentelemetry.io/otel/sdk/metric v0.41.0 // indirect + go.opentelemetry.io/otel/trace v1.21.0 // indirect + go.opentelemetry.io/proto/otlp v1.0.0 // indirect go.uber.org/multierr v1.11.0 // indirect - golang.org/x/crypto v0.11.0 // indirect - golang.org/x/exp v0.0.0-20230728194245-b0cb94b80691 // indirect - golang.org/x/net v0.12.0 // indirect - golang.org/x/oauth2 v0.10.0 // indirect - golang.org/x/sys v0.10.0 // indirect - golang.org/x/term 
v0.10.0 // indirect - golang.org/x/text v0.11.0 // indirect - golang.org/x/time v0.3.0 // indirect + golang.org/x/crypto v0.19.0 // indirect + golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 // indirect + golang.org/x/net v0.19.0 // indirect + golang.org/x/oauth2 v0.14.0 // indirect + golang.org/x/sync v0.5.0 // indirect + golang.org/x/sys v0.17.0 // indirect + golang.org/x/term v0.17.0 // indirect + golang.org/x/text v0.14.0 // indirect + golang.org/x/time v0.5.0 // indirect gonum.org/v1/gonum v0.9.1 // indirect - google.golang.org/api v0.126.0 // indirect - google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc // indirect - google.golang.org/grpc v1.56.2 // indirect + google.golang.org/api v0.149.0 // indirect + google.golang.org/appengine v1.6.8 // indirect + google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20231106174013-bbf56f31fb17 // indirect + google.golang.org/grpc v1.61.0 // indirect google.golang.org/protobuf v1.31.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/ini.v1 v1.51.0 // indirect gopkg.in/square/go-jose.v2 v2.6.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/api v0.27.4 // indirect - k8s.io/apimachinery v0.27.4 // indirect - k8s.io/client-go v0.27.4 // indirect - k8s.io/klog/v2 v2.100.1 // indirect - k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect + k8s.io/api v0.29.2 // indirect + k8s.io/apimachinery v0.29.2 // indirect + k8s.io/client-go v0.29.2 // indirect + k8s.io/klog/v2 v2.110.1 // indirect + k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect 
sigs.k8s.io/controller-runtime v0.15.0 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect - sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect - sigs.k8s.io/yaml v1.3.0 // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect + sigs.k8s.io/yaml v1.4.0 // indirect ) diff --git a/go.sum b/go.sum index 2bd4a5642..492724314 100644 --- a/go.sum +++ b/go.sum 
@@ -7,38 +7,19 @@ cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6A cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= -cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= -cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= -cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= -cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= -cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= -cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= -cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= -cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= -cloud.google.com/go v0.110.2 h1:sdFPBr6xG9/wkBbfhmUz/JmZC7X6LavQgcrVINrKiVA= +cloud.google.com/go v0.110.10 h1:LXy9GEO+timppncPIAZoOj3l58LIU9k+kn48AN7IO3Y= +cloud.google.com/go v0.110.10/go.mod h1:v1OoFqYxiBkUrruItNM3eT4lLByNjxmJSV/xDKJNnic= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= -cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= -cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= -cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= -cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= -cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= -cloud.google.com/go/compute v1.20.1 h1:6aKEtlUiwEpJzM001l0yFkpXmUVXaN8W+fbkb2AZNbg= -cloud.google.com/go/compute v1.20.1/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM= 
+cloud.google.com/go/compute v1.23.3 h1:6sVlXXBmbd7jNX0Ipq0trII3e4n1/MsADLK6a+aiVlk= +cloud.google.com/go/compute v1.23.3/go.mod h1:VCgBUoMnIVIR0CscqQiPJLAG25E3ZRZMzcFZeQ+h8CI= cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= -cloud.google.com/go/container v1.24.0 h1:N51t/cgQJFqDD/W7Mb+IvmAPHrf8AbPx7Bb7aF4lROE= -cloud.google.com/go/container v1.24.0/go.mod h1:lTNExE2R7f+DLbAN+rJiKTisauFCaoDq6NURZ83eVH4= +cloud.google.com/go/container v1.27.1 h1:ZfLRiFM9ddFE92SlA28rknI6YJMz5Z5huAQK+FKWxIQ= +cloud.google.com/go/container v1.27.1/go.mod h1:b1A1gJeTBXVLQ6GGw9/9M4FG94BEGsqJ5+t4d/3N7O4= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= -cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= +cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= -cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= -cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= -cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= -cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= -cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= -cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= -cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= dmitri.shuralyov.com/app/changes v0.0.0-20180602232624-0a106ad413e3/go.mod h1:Yl+fi1br7+Rr3LqpNJf1/uxUdtRUV+Tnj0o93V2B9MU= dmitri.shuralyov.com/gpu/mtl 
v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= dmitri.shuralyov.com/html/belt v0.0.0-20180602232347-f7d459c86be0/go.mod h1:JLBrvjyP0v+ecvNYvCpyZgu5/xkfAUhi6wJj28eUfSU= @@ -59,9 +40,12 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthoriza github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v2 v2.4.0 h1:1u/K2BFv0MwkG6he8RYuUcbbeK22rkoZbg4lKa/msZU= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v2 v2.4.0/go.mod h1:U5gpsREQZE6SLk1t/cFfc1eMhYAlYpEzvaYXuDfefy8= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal v1.1.2 h1:mLY+pNLjCUeKhgnAJWAKhEUQM+RJQo2H1fuGSw1Ky1E= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal v1.1.2/go.mod h1:FbdwsQ2EzwvXxOPcMFYO8ogEc9uMMIj3YkmCdXdAFmk= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0 h1:ECsQtyERDVz3NP3kvDOTLvbQhqWp/x9EsGKtb4ogUr8= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0/go.mod h1:s1tW/At+xHqjNFvWU4G0c0Qv33KOhvbGNj0RCTQDV8s= github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 h1:OBhqkivkhkMqLPymWEppkm7vgPQY2XsHoEkaMQ0AdZY= github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0/go.mod h1:kgDmCTgBzIEPFElEF+FK0SdjAor06dRq2Go927dnQ6o= +github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= 
@@ -70,18 +54,22 @@ github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdII github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8= github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo= github.com/ajstarks/svgo v0.0.0-20180226025133-644b8db467af/go.mod h1:K08gAheRH3/J6wwsYMMT4xOr94bZjxIelGM0+d/wbFw= +github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c= -github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= -github.com/armosec/armoapi-go v0.0.211 h1:OS4D56sfoaU7T6FOCyrufE2Ttdzv9tP7MZkFxh82ll0= -github.com/armosec/armoapi-go v0.0.211/go.mod h1:4AEdwBrbS1YCAn/lZzV+cOOR9BPa0MTHYHiJDlR1uRQ= +github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= +github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= +github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= +github.com/armosec/armoapi-go v0.0.330 h1:kvyLshJ3VBqWxDO/hvlpVU1DNsrmkb5M0oStw+Uwxb8= +github.com/armosec/armoapi-go v0.0.330/go.mod h1:6VYIw1hoNU3dTXKckMHNHhzhhPTMXDHtv5AFxvG4Q+U= github.com/armosec/gojay v1.2.15 h1:sSB2vnAvacUNkw9nzUYZKcPzhJOyk6/5LK2JCNdmoZY= github.com/armosec/gojay v1.2.15/go.mod h1:vzVAaay2TWJAngOpxu8aqLbye9jMgoKleuAOK+xsOts= -github.com/armosec/utils-go 
v0.0.20 h1:bvr+TMumEYdMsGFGSsaQysST7K02nNROFvuajNuKPlw= -github.com/armosec/utils-go v0.0.20/go.mod h1:ZEFiSv8KpTFNT19jHis1IengiF/BGDvg7tHmXo+cwxs= -github.com/armosec/utils-k8s-go v0.0.16 h1:h46PoxAb4OHA2p719PzcAS03lADw4lH4TyRMaZ3ix/g= -github.com/armosec/utils-k8s-go v0.0.16/go.mod h1:QX0QAGlH7KCZq810eO9QjTYqkhjw8cvrr96TZfaUGrk= +github.com/armosec/utils-go v0.0.57 h1:0RaqexK+t7HeKWfldBv2C1JiLLGuUx9FP0DGWDNRJpg= +github.com/armosec/utils-go v0.0.57/go.mod h1:4wfINE8JTQ6EHvSL2jki0Q3/D1j6oDi6sxxrtAEug74= +github.com/armosec/utils-k8s-go v0.0.26 h1:gVSV1mrALyphaesc+JXbx9SfbxLqfgg1KvvC1/0Hfkk= +github.com/armosec/utils-k8s-go v0.0.26/go.mod h1:WL2brx3tszxeSl1yHac0oAVJUg3o22HYh1dPjaSfjXU= github.com/aws/aws-sdk-go-v2 v1.17.3/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= github.com/aws/aws-sdk-go-v2 v1.19.1 h1:STs0lbbpXu3byTPcnRLghs2DH0yk9qKDo27TyyJSKsM= github.com/aws/aws-sdk-go-v2 v1.19.1/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= 
@@ -115,76 +103,82 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.20.1 h1:U7h9CPoyMfVoN5jUglB0LglCMP10 github.com/aws/aws-sdk-go-v2/service/sts v1.20.1/go.mod h1:BUHusg4cOA1TFGegj7x8/eoWrbdHzJfoMrXcbMQAG0k= github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8= github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= -github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84= github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g= +github.com/briandowns/spinner v1.23.0 h1:alDF2guRWqa/FOZZYWjlMIx2L6H0wyewPxo/CH4Pt2A= +github.com/briandowns/spinner v1.23.0/go.mod h1:rPG4gmXeN3wQV/TsAY4w8lPdIM6RX3yqeBQJSrbXjuE= github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s= github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA= +github.com/bytecodealliance/wasmtime-go/v3 v3.0.2/go.mod h1:RnUjnIXxEJcL6BgCvNyzCCRzZcxCgsZCi+RNlvYor5Q= +github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4= +github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM= github.com/cenkalti/backoff/v4 v4.2.1 
h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM= github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= -github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= -github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= -github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= -github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= -github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= 
+github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk= github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= +github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-systemd v0.0.0-20181012123002-c6f51f82210d/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dgraph-io/badger/v3 v3.2103.5 h1:ylPa6qzbjYRQMU6jokoj4wzcaweHylt//CH0AKt0akg= +github.com/dgraph-io/badger/v3 v3.2103.5/go.mod h1:4MPiseMeDQ3FNCYwRbbcBOGJLf5jsE0PPFzRiKjtcdw= github.com/dgraph-io/ristretto v0.1.1 h1:6CWw5tJNgpegArSHpNHJKldNeq03FQCwYvfMVWajOK8= +github.com/dgraph-io/ristretto v0.1.1/go.mod h1:S1GPSBCYCIhmVNfcth17y2zZtQT6wzkzgwUve0VDWWA= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 
h1:fRzb/w+pyskVMQ+UbP35JkH8yB7MYb4q/qhBarqZE6g= github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA= github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= -github.com/docker/docker v24.0.5+incompatible h1:WmgcE4fxyI6EEXxBRxsHnZXrO1pQ3smi0k/jho4HLeY= -github.com/docker/docker v24.0.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= -github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= -github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= -github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= -github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= +github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= +github.com/docker/docker v25.0.1+incompatible h1:k5TYd5rIVQRSqcTwCID+cyVA0yRg86+Pcrz1ls0/frA= +github.com/docker/docker v25.0.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= -github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= -github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= +github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 
github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= -github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= -github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= -github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= +github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs= github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw= -github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk= +github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= +github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc= github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k= github.com/fogleman/gg v1.3.0/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k= github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= +github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI= +github.com/foxcpp/go-mockdns v1.0.0/go.mod h1:lgRN6+KxQBawyIghpnl5CezHFGS9VLzvtVlwxvzXTQ4= 
github.com/francoispqt/gojay v1.2.13 h1:d2m3sFjloqoIUQU3TsHBgj6qg/BVGlTBeHDUmyJnXKk= github.com/francoispqt/gojay v1.2.13/go.mod h1:ehT5mTG4ua4581f1++1WLG0vPdaA9HaiDsoyrBGkyDY= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= -github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= +github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= +github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/gliderlabs/ssh v0.1.1/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0= github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= 
@@ -193,40 +187,44 @@ github.com/go-fonts/latin-modern v0.2.0/go.mod h1:rQVLdDMK+mK1xscDwsqM5J8U2jrRa3 github.com/go-fonts/liberation v0.1.1/go.mod h1:K6qoJYypsmfVjWg8KOVDQhLc8UDgIK2HYqyqAO9z7GY= github.com/go-fonts/stix v0.1.0/go.mod h1:w/c1f0ldAUlJmLBvlbkvVXLAD+tAMqobIIQpmnUIzUY= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= -github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gota/gota v0.12.0 h1:T5BDg1hTf5fZ/CO+T/N0E+DDqUhvoKBl+UVckgcAAQg= github.com/go-gota/gota v0.12.0/go.mod h1:UT+NsWpZC/FhaOyWb9Hui0jXg0Iq8e/YugZHTbyW/34= github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A= github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= +github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-latex/latex v0.0.0-20210118124228-b3d85cf34e07/go.mod h1:CO1AlKB2CSIqUrmQPqA0gdRIlnLEY0gK5JGjh37zN5U= -github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= -github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= +github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 
h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo= +github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= -github.com/go-openapi/jsonreference v0.20.1 h1:FBLnyygC4/IZZr893oiomc9XaghoveYTrLC1F86HID8= -github.com/go-openapi/jsonreference v0.20.1/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= +github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= github.com/golang-jwt/jwt/v4 
v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= -github.com/golang/glog v1.1.1 h1:jxpi2eWoU84wbX9iIEyAeeoac3FLuifZpY9tcNUD9kw= -github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/glog v1.1.2 h1:DVjP2PbBOzHyzA+dn3WhHIq4NdVu3Q+pvivFICf/7fo= +github.com/golang/glog v1.1.2/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ= +github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 
@@ -234,88 +232,96 @@ github.com/golang/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:tluoj9z5200j github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= -github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= -github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= -github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= -github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.4.3/go.mod 
h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= +github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/flatbuffers v1.12.1 h1:MVlul7pQNoDzWRLTw5imwYsl+usrS1TXG2H4jg6ImGw= -github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54= -github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= +github.com/google/flatbuffers v1.12.1/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= +github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.3/go.mod 
h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ= github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= -github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= -github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 
-github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= -github.com/google/s2a-go v0.1.4 h1:1kZ/sQM3srePvKs3tXAvQzo66XfcReoqFpIpIccE7Oc= -github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= +github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o= +github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= -github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/enterprise-certificate-proxy v0.2.3 h1:yk9/cqRKtT9wXZSsRH9aurXEpJX+U6FLtpYTdC3R06k= -github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs= +github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0= github.com/googleapis/gax-go v2.0.0+incompatible/go.mod h1:SFVmujtThgffbyetf+mdk2eWhX2bMyUtNHzFKcPA9HY= github.com/googleapis/gax-go/v2 v2.0.3/go.mod h1:LLvjysVCY1JZeum8Z6l8qUty8fiNwE08qbEPm1M08qg= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod 
h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= -github.com/googleapis/gax-go/v2 v2.11.0 h1:9V9PWXEsWnPpQhu/PeQIkS4eGzMlTLGgt80cUUI8Ki4= -github.com/googleapis/gax-go/v2 v2.11.0/go.mod h1:DxmR61SGKkGLa2xigwuZIQpkCI2S5iydzRfb3peWZJI= +github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas= +github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU= +github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= -github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI= -github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= +github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= +github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= +github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= github.com/grpc-ecosystem/grpc-gateway v1.5.0/go.mod h1:RSKVYQBd5MCa4OVpNdGskqpgL2+G+NZTnrVHpWWfpdw= -github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.2 h1:gDLXvp5S9izjldquuoAhDzccbskOL6tDC5jMSyx3zxE= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.2/go.mod h1:7pdNwVWBBHGiCxa9lAszqCJMbfTISJ7oMftp8+UGV08= +github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod 
h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.0 h1:RtRsiaGvWxcwd8y3BiRZxsylPT8hLWZ5SPcfI+3IDNk= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.0/go.mod h1:TzP6duP4Py2pHLVPPQp42aoYI92+PCrVotyR5e8Vqlk= +github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= +github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= +github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= +github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= +github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= +github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= +github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= +github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= 
+github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= +github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= +github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= +github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU= github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1/go.mod h1:E0B/fFc00Y+Rasa88328GlI/XbtyysCtTHZS8h7IrBU= 
@@ -323,51 +329,72 @@ github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9Y github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= +github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= -github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo= +github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/jung-kurt/gofpdf v1.0.0/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes= github.com/jung-kurt/gofpdf v1.0.3-0.20190309125859-24315acbbda5/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.16.0 
h1:iULayQNOReoYUe+1qtKOqw9CwJv3aNQu8ivo7lw1HU4= +github.com/klauspost/compress v1.16.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= -github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/pty v1.1.3/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/kubescape/go-logger v0.0.14-0.20230730134225-e59751254525 h1:9wzR38LebiA58cGxRBnsF78k4eJGnk7UetoTPKkyz2A= -github.com/kubescape/go-logger v0.0.14-0.20230730134225-e59751254525/go.mod h1:Al+yTE+vemECb/Myn2G9+2o2uFmMtphbkQmxf4OEHxE= -github.com/kubescape/k8s-interface v0.0.135-0.20230730135750-e6e709507847 h1:GGuS6pE6KGa5q7j9fkRN3p1eQw16/jLUMnPR8FT3O6M= -github.com/kubescape/k8s-interface v0.0.135-0.20230730135750-e6e709507847/go.mod h1:eBd6few7RYplnNNlHoe6d7jMmoE6Kx1emapJ91euBbY= -github.com/kubescape/opa-utils v0.0.263 h1:ZK9ubreFqjvwB0C3iCRWTmLvtvZmQ4ivcxsqJ4URbW8= -github.com/kubescape/opa-utils v0.0.263/go.mod h1:0Be6E+vHqjavl/JneqgyC+oXOdfs6s+V6YnFvBkIAsA= +github.com/kubescape/go-logger v0.0.22 
h1:gle7wH6emOiGv9ljdpVi82pWLQ3jGucrUucvil6JXHE= +github.com/kubescape/go-logger v0.0.22/go.mod h1:x3HBpZo3cMT/WIdy18BxvVVd5D0e/PWFVk/HiwBNu3g= +github.com/kubescape/k8s-interface v0.0.161 h1:v6b3/kmA4o/2niNrejrbXj5X9MLfH0UrpI3s+e/fdwc= +github.com/kubescape/k8s-interface v0.0.161/go.mod h1:oF+Yxug3Kpfu9Yr2j63wy7gwswrKXpiqI0mLk/7gF/s= +github.com/kubescape/opa-utils v0.0.279 h1:a+w9rAPVkNEKONVtswsVdRpw4LxwEdfkKsXvgzLAHhg= +github.com/kubescape/opa-utils v0.0.279/go.mod h1:N/UnbZHpoiHQH7O50yadhIXZvVl0IVtTGBmePPrSQSg= github.com/kubescape/rbac-utils v0.0.20 h1:1MMxsCsCZ3ntDi8f9ZYYcY+K7bv50bDW5ZvnGnhMhJw= github.com/kubescape/rbac-utils v0.0.20/go.mod h1:t57AhSrjuNGQ+mpZWQM/hBzrCOeKBDHegFoVo4tbikQ= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/lunixbochs/vtclean v1.0.0/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI= +github.com/magiconair/properties v1.8.1 h1:ZC2Vc7/ZFkGmsVC9KvOjumD+G5lXy2RtTKyzRKO2BQ4= +github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= +github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= -github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng= 
-github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= +github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA= +github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= -github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= -github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= +github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg= +github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k= github.com/microcosm-cc/bluemonday v1.0.1/go.mod h1:hsXNsILzKxV+sX77C5b8FSuKF00vh2OMYv+xgHpAMF4= +github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg= +github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4= +github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= +github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= +github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= +github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= +github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod 
h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 
@@ -378,48 +405,72 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/neelance/astrewrite v0.0.0-20160511093645-99348263ae86/go.mod h1:kHJEU3ofeGjhHklVoIGuVj85JJwZ6kWPaJwCIxgnFmo= github.com/neelance/sourcemap v0.0.0-20151028013722-8c68805598ab/go.mod h1:Qr6/a/Q4r9LP1IltGz7tA7iOK1WonHEYhu1HRBA7ZiM= -github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q= -github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU= -github.com/open-policy-agent/opa v0.55.0 h1:s7Vm4ph6zDqqP/KzvUSw9fsKVsm9lhbTZhYGxxTK7mo= -github.com/open-policy-agent/opa v0.55.0/go.mod h1:2Vh8fj/bXCqSwGMbBiHGrw+O8yrho6T/fdaHt5ROmaQ= +github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= +github.com/olvrng/ujson v1.1.0 h1:8xVUzVlqwdMVWh5d1UHBtLQ1D50nxoPuPEq9Wozs8oA= +github.com/olvrng/ujson v1.1.0/go.mod h1:Mz4G3RODTUfbkKyvi0lgmPx/7vd3Saksk+1jgk8s9xo= +github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4= +github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= +github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg= +github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= +github.com/open-policy-agent/opa v0.61.0 h1:nhncQ2CAYtQTV/SMBhDDPsCpCQsUW+zO/1j+T5V7oZg= +github.com/open-policy-agent/opa v0.61.0/go.mod h1:7OUuzJnsS9yHf8lw0ApfcbrnaRG1EkN3J2fuuqi4G/E= github.com/opencontainers/go-digest v1.0.0 
h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.1.0-rc4 h1:oOxKUJWnFC4YGHCCMNql1x4YaDfYBTS5Y4x/Cgeo1E0= -github.com/opencontainers/image-spec v1.1.0-rc4/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8= +github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI= +github.com/opencontainers/image-spec v1.1.0-rc5/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8= github.com/openzipkin/zipkin-go v0.1.1/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTmOf0Erfk+hxe8= +github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= +github.com/pelletier/go-toml v1.2.0 h1:T5zMGML61Wp+FlcbWjRDT7yAxhJNAiPPLOFECq181zc= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/phpdave11/gofpdf v1.4.2/go.mod h1:zpO6xFn9yxo3YLyMvW8HcKWVdbNqgIfOOp2dXMnm1mY= github.com/phpdave11/gofpdi v1.0.12/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI= github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU= github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 
h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= github.com/pquerna/cachecontrol v0.2.0 h1:vBXSNuE5MYP9IJ5kjsdo8uq+w41jSPgvba2DEnkRx9k= github.com/pquerna/cachecontrol v0.2.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI= github.com/prometheus/client_golang v0.8.0/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= -github.com/prometheus/client_golang v1.16.0 h1:yk/hx9hDbrGHovbci4BY+pRMfSuuat626eFsHb7tmT8= -github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc= +github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= +github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk= +github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY= -github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU= +github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= +github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= 
-github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM= -github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc= +github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= +github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM= +github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY= github.com/prometheus/procfs v0.0.0-20180725123919-05ee40e3a273/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= -github.com/prometheus/procfs v0.10.1 h1:kYK1Va/YMlutzCGazswoHKo//tZVlFpKYh+PymziUAg= -github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= +github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= +github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 h1:MkV+77GLUNo5oJ0jf870itWm3D0Sjh7+Za9gazKc5LQ= github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= -github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= +github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.11.0 
h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= +github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= github.com/ruudk/golang-pdf417 v0.0.0-20181029194003-1af4ab5afa58/go.mod h1:6lfFZQK844Gfx8o5WFuvpxWRwnSoipWe/p622j1v06w= +github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= +github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= github.com/shurcooL/component v0.0.0-20170202220835-f88ec8f54cc4/go.mod h1:XhFIlyj5a1fBNx5aJTbKoIq0mNaPvOagO+HjB3EtxrY= github.com/shurcooL/events v0.0.0-20181021180414-410e4ca65f48/go.mod h1:5u70Mqkb5O5cxEA8nxTsgrgLehJeAw6Oc4Ab1c/P1HM= 
@@ -443,21 +494,36 @@ github.com/shurcooL/reactions v0.0.0-20181006231557-f2e0b4ca5b82/go.mod h1:TCR1l github.com/shurcooL/sanitized_anchor_name v0.0.0-20170918181015-86672fcb3f95/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= github.com/shurcooL/users v0.0.0-20180125191416-49c67e49c537/go.mod h1:QJTqeLYEDaXHZDBsXlPCDqdhQuJkuw4NOtaxYe3xii4= github.com/shurcooL/webdavfs v0.0.0-20170829043945-18c3829fa133/go.mod h1:hKmq5kWdCj2z2KEozexVbfEZIWiTjhE0+UjmZgPqehw= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM= +github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= +github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s= +github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= github.com/sourcegraph/annotate v0.0.0-20160123013949-f4cad6c6324d/go.mod h1:UdhH50NIW0fCiwBSr0co2m7BnFLdv4fQTgdqdJTHFeE= github.com/sourcegraph/syntaxhighlight v0.0.0-20170531221838-bd320f5d308e/go.mod h1:HuIsMU8RRBOtsCgI77wP899iHVBQpCmg4ErYMZB+2IA= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/afero v1.6.0 h1:xoax2sJ2DT8S8xA2paPFjDCScCNeWsg75VG0DLRreiY= +github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= +github.com/spf13/cast v1.3.0 h1:oget//CVOEoFewqQxwr0Ej5yjygnqGkvggSE/gB35Q8= +github.com/spf13/cast v1.3.0/go.mod 
h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/jwalterweatherman v1.0.0 h1:XHEdyB+EcvlqZamSM4ZOMGlc93t6AcsBEu9Gc1vn7yk= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= +github.com/spf13/viper v1.7.0 h1:xVKxvI7ouOI5I+U9s2eeiUfMaWBVoXA3AWskkrqK0VM= +github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= -github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 
@@ -467,84 +533,86 @@ github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcU github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/stripe/stripe-go/v74 v74.28.0 h1:ItzPPy+cjMKbR3Oihknt/8dv6PANp3hTThUGZjhF9lc= github.com/stripe/stripe-go/v74 v74.28.0/go.mod h1:f9L6LvaXa35ja7eyvP6GQswoaIPaBRvGAimAO+udbBw= +github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s= +github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= github.com/tarm/serial v0.0.0-20180830185346-98f6abe2eb07/go.mod h1:kDXzergiv9cbyO7IOYJZWg1U88JhDg3PB6klq9Hg2pA= github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes= github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= +github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/uptrace/opentelemetry-go-extra/otelutil v0.2.2 h1:CNznWHkrbA6o1q2H/BsH4tIHf4zbKNtndeoV+AH8z0U= github.com/uptrace/opentelemetry-go-extra/otelutil v0.2.2/go.mod h1:7YSrHCmYPHIXjTWnKSU7EGT0TFEcm3WwSeQquwCGg38= github.com/uptrace/opentelemetry-go-extra/otelzap v0.2.2 h1:uyrW06oJi4iWvhjPLVfk4qrSP2Zm0AMozKKDmp6i4pE= github.com/uptrace/opentelemetry-go-extra/otelzap v0.2.2/go.mod h1:PMAs2dNxP55lgt6xu0if+Jasm6s+Xpmqn6ev1NyDfnI= -github.com/uptrace/uptrace-go v1.16.0 h1:yB9vt1hBYYoXWExNx0okubLOjd339d7lH+/5o+Lp+MY= -github.com/uptrace/uptrace-go v1.16.0/go.mod h1:Ssc5wLpoL+9V0qkT5FtrIiru9SY4xb7q1UVLjSpxpCg= +github.com/uptrace/uptrace-go v1.18.0 h1:RY15qy19C0irbe2UCxQbjenk8WyUdvUV756R9ZpqCGI= +github.com/uptrace/uptrace-go v1.18.0/go.mod h1:BUW3sFgEyRmZIxts4cv6TGaJnWAW95uW78GIiSdChOQ= github.com/viant/assertly v0.4.8/go.mod h1:aGifi++jvCrUaklKEKT0BU95igDNaqkvz+49uaYMPRU= github.com/viant/toolbox v0.24.0/go.mod h1:OxMCG57V0PXuIP2HNQrtJf2CjqdmbrOx5EkMILuUhzM= github.com/xeipuuv/gojsonpointer 
v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/yashtewari/glob-intersection v0.2.0 h1:8iuHdN88yYuCzCdjt0gDe+6bAhUwBeEWqThExu54RFg= github.com/yashtewari/glob-intersection v0.2.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok= -github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.opencensus.io v0.18.0/go.mod h1:vKdFvxhtzZ9onBp9VKHK8z/sRpBMnKAsufL7wlDrCOA= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= -go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.42.0 
h1:pginetY7+onl4qN1vl0xW/V/v6OBZ0vVdH+esuJgvmM= -go.opentelemetry.io/contrib/instrumentation/runtime v0.42.0 h1:EbmAUG9hEAMXyfWEasIt2kmh/WmXUznUksChApTgBGc= -go.opentelemetry.io/contrib/instrumentation/runtime v0.42.0/go.mod h1:rD9feqRYP24P14t5kmhNMqsqm1jvKmpx2H2rKVw52V8= -go.opentelemetry.io/otel v1.16.0 h1:Z7GVAX/UkAXPKsy94IU+i6thsQS4nb7LviLpnaNeW8s= -go.opentelemetry.io/otel v1.16.0/go.mod h1:vl0h9NUa1D5s1nv3A5vZOYWn8av4K8Ml6JDeHrT/bx4= -go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.16.0 h1:t4ZwRPU+emrcvM2e9DHd0Fsf0JTPVcbfa/BhTDF03d0= -go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.16.0/go.mod h1:vLarbg68dH2Wa77g71zmKQqlQ8+8Rq3GRG31uc0WcWI= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.39.0 h1:f6BwB2OACc3FCbYVznctQ9V6KK7Vq6CjmYXJ7DeSs4E= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.39.0/go.mod h1:UqL5mZ3qs6XYhDnZaW1Ps4upD+PX6LipH40AoeuIlwU= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.39.0 h1:rm+Fizi7lTM2UefJ1TO347fSRcwmIsUAaZmYmIGBRAo= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.39.0/go.mod h1:sWFbI3jJ+6JdjOVepA5blpv/TJ20Hw+26561iMbWcwU= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.16.0 h1:cbsD4cUcviQGXdw8+bo5x2wazq10SKz8hEbtCRPcU78= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.16.0/go.mod h1:JgXSGah17croqhJfhByOLVY719k1emAXC8MVhCIJlRs= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.16.0 h1:TVQp/bboR4mhZSav+MdgXB8FaRho1RC8UwVn3T0vjVc= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.16.0/go.mod h1:I33vtIe0sR96wfrUcilIzLoA3mLHhRmz9S9Te0S3gDo= -go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.16.0 h1:+XWJd3jf75RXJq29mxbuXhCXFDG3S3R4vBUeSI2P7tE= -go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.16.0/go.mod h1:hqgzBPTf4yONMFgdZvL/bK42R/iinTyVQtiWihs3SZc= -go.opentelemetry.io/otel/metric v1.16.0 h1:RbrpwVG1Hfv85LgnZ7+txXioPDoh6EdbZHo26Q3hqOo= -go.opentelemetry.io/otel/metric v1.16.0/go.mod 
h1:QE47cpOmkwipPiefDwo2wDzwJrlfxxNYodqc4xnGCo4= -go.opentelemetry.io/otel/sdk v1.16.0 h1:Z1Ok1YsijYL0CSJpHt4cS3wDDh7p572grzNrBMiMWgE= -go.opentelemetry.io/otel/sdk v1.16.0/go.mod h1:tMsIuKXuuIWPBAOrH+eHtvhTL+SntFtXF9QD68aP6p4= -go.opentelemetry.io/otel/sdk/metric v0.39.0 h1:Kun8i1eYf48kHH83RucG93ffz0zGV1sh46FAScOTuDI= -go.opentelemetry.io/otel/sdk/metric v0.39.0/go.mod h1:piDIRgjcK7u0HCL5pCA4e74qpK/jk3NiUoAHATVAmiI= -go.opentelemetry.io/otel/trace v1.16.0 h1:8JRpaObFoW0pxuVPapkgH8UhHQj+bJW8jJsCZEu5MQs= -go.opentelemetry.io/otel/trace v1.16.0/go.mod h1:Yt9vYq1SdNz3xdjZZK7wcXv1qv2pwLkqr2QVwea0ef0= -go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= -go.opentelemetry.io/proto/otlp v0.19.0 h1:IVN6GR+mhC4s5yfcTbmzHYODqvWAp3ZedA2SJPI1Nnw= -go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= -go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= -go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= -go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 h1:aFJWCqJMNjENlcleuuOkGAPH82y0yULBScfXcIEdS24= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1/go.mod h1:sEGXWArGqc3tVa+ekntsN65DmVbVeW+7lTKTjZF3/Fo= +go.opentelemetry.io/contrib/instrumentation/runtime v0.44.0 h1:TXu20nL4yYfJlQeqG/D3Ia6b0p2HZmLfJto9hqJTQ/c= +go.opentelemetry.io/contrib/instrumentation/runtime v0.44.0/go.mod h1:tQ5gBnfjndV1su3+DiLuu6rnd9hBBzg4rkRILnjSNFg= +go.opentelemetry.io/otel v1.21.0 h1:hzLeKBZEL7Okw2mGzZ0cc4k/A7Fta0uoPgaJCr8fsFc= +go.opentelemetry.io/otel v1.21.0/go.mod h1:QZzNPQPm1zLX4gZK4cMi+71eaorMSGT3A4znnUvNNEo= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.41.0 h1:k0k7hFNDd8K4iOMJXj7s8sHaC4mhTlAeppRmZXLgZ6k= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.41.0/go.mod h1:hG4Fj/y8TR/tlEDREo8tWstl9fO9gcFkn4xrx0Io8xU= 
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.41.0 h1:HgbDTD8pioFdY3NRc/YCvsWjqQPtweGyXxa32LgnTOw= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.41.0/go.mod h1:tmvt/yK5Es5d6lHYWerLSOna8lCEfrBVX/a9M0ggqss= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 h1:cl5P5/GIfFh4t6xyruOgJP5QiA1pw4fYYdv6nc6CBWw= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0/go.mod h1:zgBdWWAu7oEEMC06MMKc5NLbA/1YDXV1sMpSqEeLQLg= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0 h1:tIqheXEFWAZ7O8A7m+J0aPTmpJN3YQ7qetUAdkkkKpk= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0/go.mod h1:nUeKExfxAQVbiVFn32YXpXZZHZ61Cc3s3Rn1pDBGAb0= +go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.18.0 h1:hSWWvDjXHVLq9DkmB+77fl8v7+t+yYiS+eNkiplDK54= +go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.18.0/go.mod h1:zG7KQql1WjZCaUJd+L/ReSYx4bjbYJxg5ws9ws+mYes= +go.opentelemetry.io/otel/metric v1.21.0 h1:tlYWfeo+Bocx5kLEloTjbcDwBuELRrIFxwdQ36PlJu4= +go.opentelemetry.io/otel/metric v1.21.0/go.mod h1:o1p3CA8nNHW8j5yuQLdc1eeqEaPfzug24uvsyIEJRWM= +go.opentelemetry.io/otel/sdk v1.21.0 h1:FTt8qirL1EysG6sTQRZ5TokkU8d0ugCj8htOgThZXQ8= +go.opentelemetry.io/otel/sdk v1.21.0/go.mod h1:Nna6Yv7PWTdgJHVRD9hIYywQBRx7pbox6nwBnZIxl/E= +go.opentelemetry.io/otel/sdk/metric v0.41.0 h1:c3sAt9/pQ5fSIUfl0gPtClV3HhE18DCVzByD33R/zsk= +go.opentelemetry.io/otel/sdk/metric v0.41.0/go.mod h1:PmOmSt+iOklKtIg5O4Vz9H/ttcRFSNTgii+E1KGyn1w= +go.opentelemetry.io/otel/trace v1.21.0 h1:WD9i5gzvoUPuXIXH24ZNBudiarZDKuekPqi/E8fpfLc= +go.opentelemetry.io/otel/trace v1.21.0/go.mod h1:LGbsEB0f9LGjN+OZaQQ26sohbOmiMR+BaslueVtS/qQ= +go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= +go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= +go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/goleak v1.3.0 
h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= -go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= -go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= +go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= go4.org v0.0.0-20180809161055-417644f6feb5/go.mod h1:MkTOUMDaeVYJUOUsaDXIhWPZYa1yOyC1qaOBpL57BhE= golang.org/x/build v0.0.0-20190111050920-041ab4dc3f9d/go.mod h1:OWs+y06UdEOHN4y+MfF/py+xQ/tYqIWW03b70/CG9Rw= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181030102418-4d3f4d9ffa16/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190313024323-a1f597ede03a/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto 
v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA= -golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= +golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo= +golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 
@@ -554,13 +622,8 @@ golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxT golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= golang.org/x/exp v0.0.0-20191002040644-a1355ae1e2c3/go.mod h1:NOZ3BPKG0ec/BKJQgnvsSFpcKLM5xXVWnvZS97DWHgE= golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= -golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= -golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/exp v0.0.0-20230728194245-b0cb94b80691 h1:/yRP+0AN7mf5DkD3BAI6TOFnd51gEoDEb8o35jIFtgw= -golang.org/x/exp v0.0.0-20230728194245-b0cb94b80691/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc= +golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 h1:LfspQV/FYTatPTr/3HzIcmiUFH7PGP+OQ6mgDYo3yuQ= +golang.org/x/exp v0.0.0-20240222234643-814bf88cf225/go.mod h1:CxmFvTBINI24O/j8iY7H1xHzx2i4OsyguNBmN/uPtqc= golang.org/x/image v0.0.0-20180708004352-c73c2afc3b81/go.mod h1:ux5Hcp/YLpHSI86hEcLt0YII63i6oz57MZXIpbrjZUs= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= 
@@ -578,23 +641,22 @@ golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHl golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= -golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= -golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= -golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net 
v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181029044818-c44066c5c816/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181106065722-10aee1819953/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 
@@ -604,42 +666,22 @@ golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod 
h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210423184538-5f58ad60dda6/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50= -golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= +golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c= +golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
-golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8= -golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI= +golang.org/x/oauth2 v0.14.0 h1:P0Vrf/2538nmC0H+pEQ3MNFRRnVR7RlqyVw+bvm26z0= +golang.org/x/oauth2 v0.14.0/go.mod h1:lAtNWgaWfL4cm7j2OV8TxGi9Qb7ECORx8DktCY74OwM= golang.org/x/perf v0.0.0-20180704124530-6e6d33e29852/go.mod h1:JLpeXjPJfIyPr5TlbXLkXWLhP8nz10XfvxElABhCtcw= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -647,14 +689,18 @@ golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E= +golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE= +golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181029174526-d69651ed3497/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys 
v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190316082340-a2f829d7f35f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -663,42 +709,23 @@ golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210304124612-50617c2ba197/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= -golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y= +golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod 
h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c= -golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o= -golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U= +golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= 
@@ -707,14 +734,14 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= -golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4= -golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= -golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= +golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -725,6 +752,7 @@ golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= 
@@ -735,35 +763,13 @@ golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20190927191325-030b2cf1153e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools 
v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= -golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= -golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= -golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo= +golang.org/x/tools v0.18.0 h1:k8NLag8AGHnn+PHbl7g43CtqZAwG60vZkLqgyZgIHgQ= +golang.org/x/tools v0.18.0/go.mod h1:GL7B4CwcLLeo59yx/9UWWuNOW1n3VZ4f5axWfML7Lcg= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors 
v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -784,29 +790,16 @@ google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= -google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= -google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= -google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= -google.golang.org/api v0.126.0 h1:q4GJq+cAdMAC7XP7njvQ4tvohGLiSlytuL4BQxbIZ+o= -google.golang.org/api v0.126.0/go.mod h1:mBwVAtz+87bEN6CbA1GtZPDOqY2R5ONPqJeIlvyo4Aw= +google.golang.org/api v0.149.0 h1:b2CqT6kG+zqJIVKRQ3ELJVLN1PwHZ6DJ3dW8yl82rgY= +google.golang.org/api v0.149.0/go.mod h1:Mwn1B7JTXrzXtnvmzQE2BD6bYZQ8DShKZDZbeN9I7qI= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.3.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= -google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= -google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= +google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20180831171423-11092d34479b/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20181029155118-b69ba1387ce2/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= 
@@ -820,35 +813,13 @@ google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= -google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 
-google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= -google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc h1:8DyZCyvI8mE1IdLy/60bS+52xfymkE72wv1asokgtao= -google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:xZnkP7mREFX5MORlOPEzLMr+90PPZQ2QWzrVTWfAq64= -google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc h1:kVKPf/IiYSBWEWtkIn6wZXwWGCnLKcC8oWfZvXjsGnM= -google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc h1:XSJ8Vk1SWuNr8S18z1NZSziL0CPIXLCCMDOEFtHBOFc= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= +google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 
h1:wpZ8pe2x1Q3f2KyT5f8oP/fa9rHAKgFPr/HZdNuS+PQ= +google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:J7XzRzVy1+IPwWHZUzoD0IccYZIrXILAQpc+Qy9CMhY= +google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17 h1:JpwMPBpFN3uKhdaekDpiNlImDdkUAyiJ6ez/uxGaUSo= +google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:0xJLfVdJqpAPl8tDg1ujOCGzx6LFLttXT5NhllGOXY4= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231106174013-bbf56f31fb17 h1:Jyp0Hsi0bmHXG6k9eATXoYtjd6e2UzZ1SCn/wIupY14= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:oQ5rr10WTTMvP4A36n8JpR1OrO1BEiV4f78CneXZxkA= google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.16.0/go.mod h1:0JHn/cJsOMiMfNA9+DeHDlAU7KAAB5GDlYFpa9MZMio= google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= 
@@ -857,21 +828,10 @@ google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiq google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= -google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= -google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= -google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= -google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= -google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ= -google.golang.org/grpc v1.56.2 h1:fVRFRnXvU+x6C4IlHZewvJOVHoOv1TUuQyoRsYnB4bI= -google.golang.org/grpc v1.56.2/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= +google.golang.org/grpc v1.61.0 h1:TOvOcuXn30kRao+gfcvsebNEa5iZIiLkisYEkf7R7o0= +google.golang.org/grpc v1.61.0/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf 
v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 
@@ -880,35 +840,37 @@ google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzi google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/ini.v1 v1.51.0 h1:AQvPpx3LzTDM0AjnIRlVFwFFGC+npRopjZxLJj6gdno= +gopkg.in/ini.v1 v1.51.0/go.mod 
h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI= gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools/v3 v3.5.0 h1:Ljk6PdHdOhAb5aDMWXjDLMMhph+BpztA4v1QdqEW2eY= +gotest.tools/v3 v3.5.0/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= grpc.go4.org v0.0.0-20170609214715-11d0a25b4919/go.mod h1:77eQGdRu53HpSqPFJFmuJdjuHRquDANNeA4x7B8WQ9o= honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 
@@ -916,31 +878,27 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= -honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.27.4 h1:0pCo/AN9hONazBKlNUdhQymmnfLRbSZjd5H5H3f0bSs= -k8s.io/api v0.27.4/go.mod h1:O3smaaX15NfxjzILfiln1D8Z3+gEYpjEpiNA/1EVK1Y= -k8s.io/apimachinery v0.27.4 h1:CdxflD4AF61yewuid0fLl6bM4a3q04jWel0IlP+aYjs= -k8s.io/apimachinery v0.27.4/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E= -k8s.io/client-go v0.27.4 h1:vj2YTtSJ6J4KxaC88P4pMPEQECWMY8gqPqsTgUKzvjk= -k8s.io/client-go v0.27.4/go.mod h1:ragcly7lUlN0SRPk5/ZkGnDjPknzb37TICq07WhI6Xc= -k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= -k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg= -k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg= +k8s.io/api v0.29.2 h1:hBC7B9+MU+ptchxEqTNW2DkUosJpp1P+Wn6YncZ474A= +k8s.io/api v0.29.2/go.mod h1:sdIaaKuU7P44aoyyLlikSLayT6Vb7bvJNCX105xZXY0= +k8s.io/apimachinery v0.29.2 h1:EWGpfJ856oj11C52NRCHuU7rFDwxev48z+6DSlGNsV8= +k8s.io/apimachinery v0.29.2/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU= +k8s.io/client-go v0.29.2 h1:FEg85el1TeZp+/vYJM7hkDlSTFZ+c5nnK44DJ4FyoRg= +k8s.io/client-go v0.29.2/go.mod h1:knlvFZE58VpqbQpJNbCbctTVXcd35mMyAAwBdpt4jrA= +k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0= +k8s.io/klog/v2 v2.110.1/go.mod 
h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4= -rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= -rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/controller-runtime v0.15.0 h1:ML+5Adt3qZnMSYxZ7gAverBLNPSMQEibtzAgp0UPojU= sigs.k8s.io/controller-runtime v0.15.0/go.mod h1:7ngYvp1MLT+9GeZ+6lH3LOlcHkp/+tzA/fmHa4iq9kk= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/structured-merge-diff/v4 v4.3.0 h1:UZbZAZfX0wV2zr7YZorDz6GXROfDFj6LvqCRm4VUVKk= -sigs.k8s.io/structured-merge-diff/v4 v4.3.0/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= -sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= -sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= +sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= +sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= sourcegraph.com/sourcegraph/go-diff v0.5.0/go.mod h1:kuch7UrkMzY0X+p9CRK03kfuPQ2zzQcaEFbx8wA8rck= sourcegraph.com/sqs/pbtypes 
v0.0.0-20180604144634-d3ebe8f20ae4/go.mod h1:ketZ/q3QxT9HOBeFhu6RdvsftgpsbFHBF5Cas6cDKZ0= diff --git a/go.work b/go.work deleted file mode 100644 index 1d56219a0..000000000 --- a/go.work +++ /dev/null @@ -1,5 +0,0 @@ -go 1.19 - -use ./testrunner -use . - diff --git a/rules/CVE-2021-25741/rule.metadata.json b/rules/CVE-2021-25741/rule.metadata.json index 7ea036588..be106a659 100644 --- a/rules/CVE-2021-25741/rule.metadata.json +++ b/rules/CVE-2021-25741/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "Symlink-Exchange-Can-Allow-Host-Filesystem-Access", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/CVE-2021-25741/test/cronjob/expected.json b/rules/CVE-2021-25741/test/cronjob/expected.json index f90fd9157..5c26dbed8 100644 --- a/rules/CVE-2021-25741/test/cronjob/expected.json +++ b/rules/CVE-2021-25741/test/cronjob/expected.json @@ -1,5 +1,6 @@ [{ "alertMessage": "You may be vulnerable to CVE-2021-25741. You have a Node with a vulnerable version and the following container : mysql in CronJob : hello with subPath/subPathExpr", + "deletePaths": ["spec.jobTemplate.spec.template.spec.containers[0].volumeMounts[0].subPath"], "failedPaths": ["spec.jobTemplate.spec.template.spec.containers[0].volumeMounts[0].subPath"], "fixPaths": [], "ruleStatus": "", @@ -16,6 +17,7 @@ } }, { "alertMessage": "You may be vulnerable to CVE-2021-25741. You have a Node with a vulnerable version and the following container : php in CronJob : hello with subPath/subPathExpr", + "deletePaths": ["spec.jobTemplate.spec.template.spec.containers[1].volumeMounts[0].subPath"], "failedPaths": ["spec.jobTemplate.spec.template.spec.containers[1].volumeMounts[0].subPath"], "fixPaths": [], "ruleStatus": "", diff --git a/rules/CVE-2021-25741/test/pod/expected.json b/rules/CVE-2021-25741/test/pod/expected.json index f8e5a0f59..127f35d27 100644 --- a/rules/CVE-2021-25741/test/pod/expected.json +++ b/rules/CVE-2021-25741/test/pod/expected.json 
@@ -1,5 +1,6 @@ [{ "alertMessage": "You may be vulnerable to CVE-2021-25741. You have a Node with a vulnerable version and the following container : mysql in pod : my-lamp-site with subPath/subPathExpr", + "deletePaths": ["spec.containers[0].volumeMounts[0].subPath"], "failedPaths": ["spec.containers[0].volumeMounts[0].subPath"], "fixPaths": [], "ruleStatus": "", @@ -16,6 +17,7 @@ } }, { "alertMessage": "You may be vulnerable to CVE-2021-25741. You have a Node with a vulnerable version and the following container : php in pod : my-lamp-site with subPath/subPathExpr", + "deletePaths": ["spec.containers[1].volumeMounts[0].subPath"], "failedPaths": ["spec.containers[1].volumeMounts[0].subPath"], "fixPaths": [], "ruleStatus": "", diff --git a/rules/CVE-2021-25741/test/workloads/expected.json b/rules/CVE-2021-25741/test/workloads/expected.json index d684a63a6..53f9b9162 100644 --- a/rules/CVE-2021-25741/test/workloads/expected.json +++ b/rules/CVE-2021-25741/test/workloads/expected.json @@ -1,5 +1,6 @@ [{ "alertMessage": "You may be vulnerable to CVE-2021-25741. You have a Node with a vulnerable version and the following container : php in Deployment : my-deployment with subPath/subPathExpr", + "deletePaths": ["spec.template.spec.containers[1].volumeMounts[0].subPath"], "failedPaths": ["spec.template.spec.containers[1].volumeMounts[0].subPath"], "fixPaths": [], "ruleStatus": "", diff --git a/rules/CVE-2021-25742/rule.metadata.json b/rules/CVE-2021-25742/rule.metadata.json index 6ea23d990..567147708 100644 --- a/rules/CVE-2021-25742/rule.metadata.json +++ b/rules/CVE-2021-25742/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "nginx-ingress-snippet-annotation-vulnerability", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/CVE-2021-25742/test/deployment-bad-image-name/expected.json b/rules/CVE-2021-25742/test/deployment-bad-image-name/expected.json index 8c276546a..2dd44131f 100644 
--- a/rules/CVE-2021-25742/test/deployment-bad-image-name/expected.json +++ b/rules/CVE-2021-25742/test/deployment-bad-image-name/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "You may be vulnerable to CVE-2021-25742. Deployment test", + "reviewPaths": [ + "spec.template.spec.containers[0].image" + ], "failedPaths": [ "spec.template.spec.containers[0].image" ], diff --git a/rules/CVE-2021-25742/test/deployment-config-map/expected.json b/rules/CVE-2021-25742/test/deployment-config-map/expected.json index 8aafe02a9..fd3720c42 100644 --- a/rules/CVE-2021-25742/test/deployment-config-map/expected.json +++ b/rules/CVE-2021-25742/test/deployment-config-map/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "You may be vulnerable to CVE-2021-25742. Deployment test", + "reviewPaths": [ + "spec.template.spec.containers[0].image" + ], "failedPaths": [ "spec.template.spec.containers[0].image" ], diff --git a/rules/CVE-2022-0185/raw.rego b/rules/CVE-2022-0185/raw.rego index 912ed4a0b..3dc72ea19 100644 --- a/rules/CVE-2022-0185/raw.rego +++ b/rules/CVE-2022-0185/raw.rego @@ -3,14 +3,11 @@ package armo_builtins deny[msga] { node := input[_] node.kind == "Node" - kernel_version_match := regex.find_all_string_submatch_n(`[0-9]+\.[0-9]+\.[0-9]+`, node.status.nodeInfo.kernelVersion, -1) - kernelVersion := kernel_version_match[0][0] - kernel_version_arr := split(kernelVersion, ".") - to_number(kernel_version_arr[0]) == 5 - to_number(kernel_version_arr[1]) >= 1 - to_number(kernel_version_arr[1]) <= 16 - to_number(kernel_version_arr[2]) < 2 + parsed_kernel_version_arr := parse_kernel_version_to_array(node.status.nodeInfo.kernelVersion) + is_azure := parsed_kernel_version_arr[4] == "azure" + + is_vulnerable_kernel_version(parsed_kernel_version_arr, is_azure) node.status.nodeInfo.operatingSystem == "linux" path := "status.nodeInfo.kernelVersion" 
@@ -40,7 +37,36 @@ deny[msga] { } } +# General Kernel versions are between 5.1.1 and 5.16.2 +is_vulnerable_kernel_version(parsed_kernel_version_arr, is_azure) { + is_azure == false + parsed_kernel_version_arr[0] == 5 + parsed_kernel_version_arr[1] >= 1 + parsed_kernel_version_arr[1] <= 16 + parsed_kernel_version_arr[2] < 2 +} + +# Azure kernel version with is 5.4.0-1067-azure +is_vulnerable_kernel_version(parsed_kernel_version_arr, is_azure) { + is_azure == true + parsed_kernel_version_arr[0] == 5 + parsed_kernel_version_arr[1] >= 1 + parsed_kernel_version_arr[1] <= 4 + parsed_kernel_version_arr[2] == 0 + parsed_kernel_version_arr[3] < 1067 +} + is_unprivileged_userns_clone_enabled(linux_kernel_var) { linux_kernel_var.key == "unprivileged_userns_clone" linux_kernel_var.value == "1\n" +} + +parse_kernel_version_to_array(kernel_version_str) = output { + version_triplet := regex.find_n(`(\d+\.\d+\.\d+)`, kernel_version_str,-1) + version_triplet_array := split(version_triplet[0],".") + + build_vendor := regex.find_n(`-(\d+)-(\w+)`, kernel_version_str,-1) + build_vendor_array := split(build_vendor[0],"-") + + output := [to_number(version_triplet_array[0]),to_number(version_triplet_array[1]),to_number(version_triplet_array[2]),to_number(build_vendor_array[1]),build_vendor_array[2]] } \ No newline at end of file diff --git a/rules/CVE-2022-0185/rule.metadata.json b/rules/CVE-2022-0185/rule.metadata.json index a50004be9..8649f2f19 100644 --- a/rules/CVE-2022-0185/rule.metadata.json +++ b/rules/CVE-2022-0185/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "CVE-2022-0185", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/CVE-2022-0185/test/test_azure_fail/expected.json b/rules/CVE-2022-0185/test/test_azure_fail/expected.json new file mode 100644 index 000000000..58e753420 --- /dev/null +++ b/rules/CVE-2022-0185/test/test_azure_fail/expected.json 
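Review bot: `parse_kernel_version_to_array` is undefined for any kernelVersion without a `-<build>-<vendor>` suffix, because `build_vendor[0]` is indexed without checking that the second `regex.find_n` matched; when it is undefined, `parsed_kernel_version_arr` in the `deny` rule of the previous hunk (`@@ -3,14 +3,11 @@`) is undefined too and the rule silently yields no finding for that node, whereas the replaced code only needed the `major.minor.patch` triplet. A string like `5.13.0`, or a vendor suffix that does not fit `-\d+-\w+`, is therefore reported as not vulnerable even when the generic 5.1–5.16.2 range applies — a false negative in a detection rule. Splitting the build/vendor parsing into its own function with a no-match fallback (build `0`, empty vendor) keeps the generic branch reachable; see the fence. Separately, the Azure branch of `is_vulnerable_kernel_version` only accepts the 5.4 series, so an `-azure` kernel in another 5.x series falls through both branches; if that is intentional, the comment above it should say so, e.g. `# Azure kernels: only the 5.4 series is checked; builds before 5.4.0-1067-azure are flagged`.
```rego
# … unchanged: is_vulnerable_kernel_version rules, is_unprivileged_userns_clone_enabled …

parse_kernel_version_to_array(kernel_version_str) = output {
	version_triplet := regex.find_n(`(\d+\.\d+\.\d+)`, kernel_version_str, -1)
	version_triplet_array := split(version_triplet[0], ".")
	build_vendor := parse_build_vendor(kernel_version_str)
	output := [to_number(version_triplet_array[0]), to_number(version_triplet_array[1]), to_number(version_triplet_array[2]), build_vendor[0], build_vendor[1]]
}

# "-1067-azure" -> [1067, "azure"]
parse_build_vendor(kernel_version_str) = [to_number(parts[1]), parts[2]] {
	matches := regex.find_n(`-(\d+)-(\w+)`, kernel_version_str, -1)
	count(matches) > 0
	parts := split(matches[0], "-")
}

# no "-<build>-<vendor>" suffix: generic kernel, build 0, no vendor,
# so the generic branch of is_vulnerable_kernel_version still applies
parse_build_vendor(kernel_version_str) = [0, ""] {
	count(regex.find_n(`-(\d+)-(\w+)`, kernel_version_str, -1)) == 0
}
```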
@@ -0,0 +1,553 @@ +[{ + "alertMessage": "You are vulnerable to CVE-2022-0185", + "reviewPaths": ["kernelVersion"], + "failedPaths": ["kernelVersion"], + "fixPaths": [], + "ruleStatus": "", + "packagename": "", + "alertScore": 0, + "alertObject": { + "externalObjects": { + "kernelVersion": "5.4.0-1059-azure", + "kind": "Node", + "name": "minikube", + "namespace": "", + "relatedObjects": [{ + "apiVersion": "hostdata.kubescape.cloud/v1beta0", + "data": [{ + "key": "acct", + "source": "/proc/sys/kernel/acct", + "value": "4\t2\t30\n" + }, { + "key": "acpi_video_flags", + "source": "/proc/sys/kernel/acpi_video_flags", + "value": "0\n" + }, { + "key": "apparmor_display_secid_mode", + "source": "/proc/sys/kernel/apparmor_display_secid_mode", + "value": "0\n" + }, { + "key": "auto_msgmni", + "source": "/proc/sys/kernel/auto_msgmni", + "value": "0\n" + }, { + "key": "bootloader_type", + "source": "/proc/sys/kernel/bootloader_type", + "value": "114\n" + }, { + "key": "bootloader_version", + "source": "/proc/sys/kernel/bootloader_version", + "value": "2\n" + }, { + "key": "bpf_stats_enabled", + "source": "/proc/sys/kernel/bpf_stats_enabled", + "value": "0\n" + }, { + "key": "cad_pid", + "source": "/proc/sys/kernel/cad_pid", + "value": "0\n" + }, { + "key": "cap_last_cap", + "source": "/proc/sys/kernel/cap_last_cap", + "value": "40\n" + }, { + "key": "core_pattern", + "source": "/proc/sys/kernel/core_pattern", + "value": "|/usr/share/apport/apport %p %s %c %d %P %E\n" + }, { + "key": "core_pipe_limit", + "source": "/proc/sys/kernel/core_pipe_limit", + "value": "0\n" + }, { + "key": "core_uses_pid", + "source": "/proc/sys/kernel/core_uses_pid", + "value": "0\n" + }, { + "key": "ctrl-alt-del", + "source": "/proc/sys/kernel/ctrl-alt-del", + "value": "0\n" + }, { + "key": "dmesg_restrict", + "source": "/proc/sys/kernel/dmesg_restrict", + "value": "0\n" + }, { + "key": "domainname", + "source": "/proc/sys/kernel/domainname", + "value": "(none)\n" + }, { + "key": 
"force_sysfs_fallback", + "source": "/proc/sys/kernel/firmware_config/force_sysfs_fallback", + "value": "0\n" + }, { + "key": "ignore_sysfs_fallback", + "source": "/proc/sys/kernel/firmware_config/ignore_sysfs_fallback", + "value": "0\n" + }, { + "key": "ftrace_dump_on_oops", + "source": "/proc/sys/kernel/ftrace_dump_on_oops", + "value": "0\n" + }, { + "key": "ftrace_enabled", + "source": "/proc/sys/kernel/ftrace_enabled", + "value": "1\n" + }, { + "key": "hardlockup_all_cpu_backtrace", + "source": "/proc/sys/kernel/hardlockup_all_cpu_backtrace", + "value": "0\n" + }, { + "key": "hardlockup_panic", + "source": "/proc/sys/kernel/hardlockup_panic", + "value": "0\n" + }, { + "key": "hostname", + "source": "/proc/sys/kernel/hostname", + "value": "minikube\n" + }, { + "key": "hotplug", + "source": "/proc/sys/kernel/hotplug", + "value": "\n" + }, { + "key": "hung_task_all_cpu_backtrace", + "source": "/proc/sys/kernel/hung_task_all_cpu_backtrace", + "value": "0\n" + }, { + "key": "hung_task_check_count", + "source": "/proc/sys/kernel/hung_task_check_count", + "value": "4194304\n" + }, { + "key": "hung_task_check_interval_secs", + "source": "/proc/sys/kernel/hung_task_check_interval_secs", + "value": "0\n" + }, { + "key": "hung_task_panic", + "source": "/proc/sys/kernel/hung_task_panic", + "value": "0\n" + }, { + "key": "hung_task_timeout_secs", + "source": "/proc/sys/kernel/hung_task_timeout_secs", + "value": "120\n" + }, { + "key": "hung_task_warnings", + "source": "/proc/sys/kernel/hung_task_warnings", + "value": "10\n" + }, { + "key": "io_delay_type", + "source": "/proc/sys/kernel/io_delay_type", + "value": "1\n" + }, { + "key": "kexec_load_disabled", + "source": "/proc/sys/kernel/kexec_load_disabled", + "value": "0\n" + }, { + "key": "gc_delay", + "source": "/proc/sys/kernel/keys/gc_delay", + "value": "300\n" + }, { + "key": "maxbytes", + "source": "/proc/sys/kernel/keys/maxbytes", + "value": "20000\n" + }, { + "key": "maxkeys", + "source": 
"/proc/sys/kernel/keys/maxkeys", + "value": "200\n" + }, { + "key": "persistent_keyring_expiry", + "source": "/proc/sys/kernel/keys/persistent_keyring_expiry", + "value": "259200\n" + }, { + "key": "root_maxbytes", + "source": "/proc/sys/kernel/keys/root_maxbytes", + "value": "25000000\n" + }, { + "key": "root_maxkeys", + "source": "/proc/sys/kernel/keys/root_maxkeys", + "value": "1000000\n" + }, { + "key": "kptr_restrict", + "source": "/proc/sys/kernel/kptr_restrict", + "value": "1\n" + }, { + "key": "max_lock_depth", + "source": "/proc/sys/kernel/max_lock_depth", + "value": "1024\n" + }, { + "key": "max_rcu_stall_to_panic", + "source": "/proc/sys/kernel/max_rcu_stall_to_panic", + "value": "0\n" + }, { + "key": "modprobe", + "source": "/proc/sys/kernel/modprobe", + "value": "/sbin/modprobe\n" + }, { + "key": "modules_disabled", + "source": "/proc/sys/kernel/modules_disabled", + "value": "0\n" + }, { + "key": "msg_next_id", + "source": "/proc/sys/kernel/msg_next_id", + "value": "-1\n" + }, { + "key": "msgmax", + "source": "/proc/sys/kernel/msgmax", + "value": "8192\n" + }, { + "key": "msgmnb", + "source": "/proc/sys/kernel/msgmnb", + "value": "16384\n" + }, { + "key": "msgmni", + "source": "/proc/sys/kernel/msgmni", + "value": "32000\n" + }, { + "key": "ngroups_max", + "source": "/proc/sys/kernel/ngroups_max", + "value": "65536\n" + }, { + "key": "nmi_watchdog", + "source": "/proc/sys/kernel/nmi_watchdog", + "value": "0\n" + }, { + "key": "ns_last_pid", + "source": "/proc/sys/kernel/ns_last_pid", + "value": "17618\n" + }, { + "key": "numa_balancing", + "source": "/proc/sys/kernel/numa_balancing", + "value": "0\n" + }, { + "key": "oops_all_cpu_backtrace", + "source": "/proc/sys/kernel/oops_all_cpu_backtrace", + "value": "0\n" + }, { + "key": "osrelease", + "source": "/proc/sys/kernel/osrelease", + "value": "5.13.0-39-generic\n" + }, { + "key": "ostype", + "source": "/proc/sys/kernel/ostype", + "value": "Linux\n" + }, { + "key": "overflowgid", + "source": 
"/proc/sys/kernel/overflowgid", + "value": "65534\n" + }, { + "key": "overflowuid", + "source": "/proc/sys/kernel/overflowuid", + "value": "65534\n" + }, { + "key": "panic", + "source": "/proc/sys/kernel/panic", + "value": "10\n" + }, { + "key": "panic_on_io_nmi", + "source": "/proc/sys/kernel/panic_on_io_nmi", + "value": "0\n" + }, { + "key": "panic_on_oops", + "source": "/proc/sys/kernel/panic_on_oops", + "value": "1\n" + }, { + "key": "panic_on_rcu_stall", + "source": "/proc/sys/kernel/panic_on_rcu_stall", + "value": "0\n" + }, { + "key": "panic_on_unrecovered_nmi", + "source": "/proc/sys/kernel/panic_on_unrecovered_nmi", + "value": "0\n" + }, { + "key": "panic_on_warn", + "source": "/proc/sys/kernel/panic_on_warn", + "value": "0\n" + }, { + "key": "panic_print", + "source": "/proc/sys/kernel/panic_print", + "value": "0\n" + }, { + "key": "perf_cpu_time_max_percent", + "source": "/proc/sys/kernel/perf_cpu_time_max_percent", + "value": "25\n" + }, { + "key": "perf_event_max_contexts_per_stack", + "source": "/proc/sys/kernel/perf_event_max_contexts_per_stack", + "value": "8\n" + }, { + "key": "perf_event_max_sample_rate", + "source": "/proc/sys/kernel/perf_event_max_sample_rate", + "value": "100000\n" + }, { + "key": "perf_event_max_stack", + "source": "/proc/sys/kernel/perf_event_max_stack", + "value": "127\n" + }, { + "key": "perf_event_mlock_kb", + "source": "/proc/sys/kernel/perf_event_mlock_kb", + "value": "516\n" + }, { + "key": "perf_event_paranoid", + "source": "/proc/sys/kernel/perf_event_paranoid", + "value": "4\n" + }, { + "key": "pid_max", + "source": "/proc/sys/kernel/pid_max", + "value": "4194304\n" + }, { + "key": "poweroff_cmd", + "source": "/proc/sys/kernel/poweroff_cmd", + "value": "/sbin/poweroff\n" + }, { + "key": "print-fatal-signals", + "source": "/proc/sys/kernel/print-fatal-signals", + "value": "0\n" + }, { + "key": "printk", + "source": "/proc/sys/kernel/printk", + "value": "4\t4\t1\t7\n" + }, { + "key": "printk_delay", + "source": 
"/proc/sys/kernel/printk_delay", + "value": "0\n" + }, { + "key": "printk_devkmsg", + "source": "/proc/sys/kernel/printk_devkmsg", + "value": "on\n" + }, { + "key": "printk_ratelimit", + "source": "/proc/sys/kernel/printk_ratelimit", + "value": "5\n" + }, { + "key": "printk_ratelimit_burst", + "source": "/proc/sys/kernel/printk_ratelimit_burst", + "value": "10\n" + }, { + "key": "max", + "source": "/proc/sys/kernel/pty/max", + "value": "4096\n" + }, { + "key": "nr", + "source": "/proc/sys/kernel/pty/nr", + "value": "4\n" + }, { + "key": "reserve", + "source": "/proc/sys/kernel/pty/reserve", + "value": "1024\n" + }, { + "key": "boot_id", + "source": "/proc/sys/kernel/random/boot_id", + "value": "a025a04b-23a2-44b6-aa3a-2b3d3650bcbb\n" + }, { + "key": "entropy_avail", + "source": "/proc/sys/kernel/random/entropy_avail", + "value": "3806\n" + }, { + "key": "poolsize", + "source": "/proc/sys/kernel/random/poolsize", + "value": "4096\n" + }, { + "key": "urandom_min_reseed_secs", + "source": "/proc/sys/kernel/random/urandom_min_reseed_secs", + "value": "60\n" + }, { + "key": "uuid", + "source": "/proc/sys/kernel/random/uuid", + "value": "7b6b5bf9-9af4-49db-aba6-f0be1c57e2b8\n" + }, { + "key": "write_wakeup_threshold", + "source": "/proc/sys/kernel/random/write_wakeup_threshold", + "value": "896\n" + }, { + "key": "randomize_va_space", + "source": "/proc/sys/kernel/randomize_va_space", + "value": "2\n" + }, { + "key": "real-root-dev", + "source": "/proc/sys/kernel/real-root-dev", + "value": "0\n" + }, { + "key": "sched_autogroup_enabled", + "source": "/proc/sys/kernel/sched_autogroup_enabled", + "value": "1\n" + }, { + "key": "sched_cfs_bandwidth_slice_us", + "source": "/proc/sys/kernel/sched_cfs_bandwidth_slice_us", + "value": "5000\n" + }, { + "key": "sched_child_runs_first", + "source": "/proc/sys/kernel/sched_child_runs_first", + "value": "0\n" + }, { + "key": "sched_deadline_period_max_us", + "source": "/proc/sys/kernel/sched_deadline_period_max_us", + "value": 
"4194304\n" + }, { + "key": "sched_deadline_period_min_us", + "source": "/proc/sys/kernel/sched_deadline_period_min_us", + "value": "100\n" + }, { + "key": "sched_energy_aware", + "source": "/proc/sys/kernel/sched_energy_aware", + "value": "1\n" + }, { + "key": "sched_rr_timeslice_ms", + "source": "/proc/sys/kernel/sched_rr_timeslice_ms", + "value": "100\n" + }, { + "key": "sched_rt_period_us", + "source": "/proc/sys/kernel/sched_rt_period_us", + "value": "1000000\n" + }, { + "key": "sched_rt_runtime_us", + "source": "/proc/sys/kernel/sched_rt_runtime_us", + "value": "950000\n" + }, { + "key": "sched_schedstats", + "source": "/proc/sys/kernel/sched_schedstats", + "value": "0\n" + }, { + "key": "sched_util_clamp_max", + "source": "/proc/sys/kernel/sched_util_clamp_max", + "value": "1024\n" + }, { + "key": "sched_util_clamp_min", + "source": "/proc/sys/kernel/sched_util_clamp_min", + "value": "1024\n" + }, { + "key": "sched_util_clamp_min_rt_default", + "source": "/proc/sys/kernel/sched_util_clamp_min_rt_default", + "value": "1024\n" + }, { + "key": "actions_avail", + "source": "/proc/sys/kernel/seccomp/actions_avail", + "value": "kill_process kill_thread trap errno user_notif trace log allow\n" + }, { + "key": "actions_logged", + "source": "/proc/sys/kernel/seccomp/actions_logged", + "value": "kill_process kill_thread trap errno user_notif trace log\n" + }, { + "key": "sem", + "source": "/proc/sys/kernel/sem", + "value": "32000\t1024000000\t500\t32000\n" + }, { + "key": "sem_next_id", + "source": "/proc/sys/kernel/sem_next_id", + "value": "-1\n" + }, { + "key": "sg-big-buff", + "source": "/proc/sys/kernel/sg-big-buff", + "value": "32768\n" + }, { + "key": "shm_next_id", + "source": "/proc/sys/kernel/shm_next_id", + "value": "-1\n" + }, { + "key": "shm_rmid_forced", + "source": "/proc/sys/kernel/shm_rmid_forced", + "value": "0\n" + }, { + "key": "shmall", + "source": "/proc/sys/kernel/shmall", + "value": "18446744073692774399\n" + }, { + "key": "shmmax", + "source": 
"/proc/sys/kernel/shmmax", + "value": "18446744073692774399\n" + }, { + "key": "shmmni", + "source": "/proc/sys/kernel/shmmni", + "value": "4096\n" + }, { + "key": "soft_watchdog", + "source": "/proc/sys/kernel/soft_watchdog", + "value": "1\n" + }, { + "key": "softlockup_all_cpu_backtrace", + "source": "/proc/sys/kernel/softlockup_all_cpu_backtrace", + "value": "0\n" + }, { + "key": "softlockup_panic", + "source": "/proc/sys/kernel/softlockup_panic", + "value": "0\n" + }, { + "key": "stack_tracer_enabled", + "source": "/proc/sys/kernel/stack_tracer_enabled", + "value": "0\n" + }, { + "key": "sysctl_writes_strict", + "source": "/proc/sys/kernel/sysctl_writes_strict", + "value": "1\n" + }, { + "key": "sysrq", + "source": "/proc/sys/kernel/sysrq", + "value": "176\n" + }, { + "key": "tainted", + "source": "/proc/sys/kernel/tainted", + "value": "12288\n" + }, { + "key": "threads-max", + "source": "/proc/sys/kernel/threads-max", + "value": "80984\n" + }, { + "key": "timer_migration", + "source": "/proc/sys/kernel/timer_migration", + "value": "1\n" + }, { + "key": "traceoff_on_warning", + "source": "/proc/sys/kernel/traceoff_on_warning", + "value": "0\n" + }, { + "key": "tracepoint_printk", + "source": "/proc/sys/kernel/tracepoint_printk", + "value": "0\n" + }, { + "key": "unknown_nmi_panic", + "source": "/proc/sys/kernel/unknown_nmi_panic", + "value": "0\n" + }, { + "key": "unprivileged_bpf_disabled", + "source": "/proc/sys/kernel/unprivileged_bpf_disabled", + "value": "2\n" + }, { + "key": "unprivileged_userns_apparmor_policy", + "source": "/proc/sys/kernel/unprivileged_userns_apparmor_policy", + "value": "1\n" + }, { + "key": "unprivileged_userns_clone", + "source": "/proc/sys/kernel/unprivileged_userns_clone", + "value": "1\n" + }, { + "key": "bset", + "source": "/proc/sys/kernel/usermodehelper/bset", + "value": "4294967295\t511\n" + }, { + "key": "inheritable", + "source": "/proc/sys/kernel/usermodehelper/inheritable", + "value": "4294967295\t511\n" + }, { + "key": 
"version", + "source": "/proc/sys/kernel/version", + "value": "#44~20.04.1-Ubuntu SMP Thu Mar 24 16:43:35 UTC 2022\n" + }, { + "key": "watchdog", + "source": "/proc/sys/kernel/watchdog", + "value": "1\n" + }, { + "key": "watchdog_cpumask", + "source": "/proc/sys/kernel/watchdog_cpumask", + "value": "0-3\n" + }, { + "key": "watchdog_thresh", + "source": "/proc/sys/kernel/watchdog_thresh", + "value": "10\n" + }, { + "key": "ptrace_scope", + "source": "/proc/sys/kernel/yama/ptrace_scope", + "value": "1\n" + }], + "kind": "LinuxKernelVariables", + "metadata": { + "name": "minikube" + } + }] + } + } +}] \ No newline at end of file diff --git a/rules/CVE-2022-0185/test/test/input/kernelvars.json b/rules/CVE-2022-0185/test/test_azure_fail/input/kernelvars.json similarity index 100% rename from rules/CVE-2022-0185/test/test/input/kernelvars.json rename to rules/CVE-2022-0185/test/test_azure_fail/input/kernelvars.json diff --git a/rules/CVE-2022-0185/test/test_azure_fail/input/node.json b/rules/CVE-2022-0185/test/test_azure_fail/input/node.json new file mode 100644 index 000000000..f24295023 --- /dev/null +++ b/rules/CVE-2022-0185/test/test_azure_fail/input/node.json 
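Review bot: The new `test_azure_fail/expected.json` fixture is internally inconsistent: the alert's `externalObjects.kernelVersion` is `5.4.0-1059-azure`, but the embedded `LinuxKernelVariables` object reports `osrelease` as `5.13.0-39-generic` and `hostname` as `minikube`, which looks like the generic minikube capture reused unchanged. The rule only reads `node.status.nodeInfo.kernelVersion` and `unprivileged_userns_clone`, so the test still passes, but a reader comparing the two values cannot tell which kernel the case is meant to model; aligning `osrelease` with the node's kernelVersion, or noting the reuse in the test's README, would make the intent clear. The accompanying rename moves `test/test/input/kernelvars.json` into `test_azure_fail/input/`, so unless an earlier part of this diff re-adds it, the original `test/test` case loses its kernel-variables input. The `node.json` fixture that follows starts in this chunk but runs past its end, so it was not reviewed.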
@@ -0,0 +1,264 @@ +{ + "apiVersion": "v1", + "kind": "Node", + "metadata": { + "annotations": { + "kubeadm.alpha.kubernetes.io/cri-socket": "/var/run/dockershim.sock", + "node.alpha.kubernetes.io/ttl": "0", + "volumes.kubernetes.io/controller-managed-attach-detach": "true" + }, + "creationTimestamp": "2022-04-26T05:54:17Z", + "labels": { + "beta.kubernetes.io/arch": "amd64", + "beta.kubernetes.io/os": "linux", + "kubernetes.io/arch": "amd64", + "kubernetes.io/hostname": "minikube", + "kubernetes.io/os": "linux", + "minikube.k8s.io/commit": "3e64b11ed75e56e4898ea85f96b2e4af0301f43d", + "minikube.k8s.io/name": "minikube", + "minikube.k8s.io/updated_at": "2022_04_26T08_54_20_0700", + "minikube.k8s.io/version": "v1.25.1", + "node-role.kubernetes.io/control-plane": "", + "node-role.kubernetes.io/master": "", + "node.kubernetes.io/exclude-from-external-load-balancers": "" + }, + "managedFields": [{ + "apiVersion": "v1", + "fieldsType": "FieldsV1", + "fieldsV1": { + "f:metadata": { + "f:annotations": { + ".": {}, + "f:kubeadm.alpha.kubernetes.io/cri-socket": {}, + "f:volumes.kubernetes.io/controller-managed-attach-detach": {} + }, + "f:labels": { + ".": {}, + "f:beta.kubernetes.io/arch": {}, + "f:beta.kubernetes.io/os": {}, + "f:kubernetes.io/arch": {}, + "f:kubernetes.io/hostname": {}, + "f:kubernetes.io/os": {}, + "f:node-role.kubernetes.io/control-plane": {}, + "f:node-role.kubernetes.io/master": {}, + "f:node.kubernetes.io/exclude-from-external-load-balancers": {} + } + } + }, + "manager": "Go-http-client", + "operation": "Update", + "time": "2022-04-26T05:54:20Z" + }, { + "apiVersion": "v1", + "fieldsType": "FieldsV1", + "fieldsV1": { + "f:metadata": { + "f:labels": { + "f:minikube.k8s.io/commit": {}, + "f:minikube.k8s.io/name": {}, + "f:minikube.k8s.io/updated_at": {}, + "f:minikube.k8s.io/version": {} + } + } + }, + "manager": "kubectl-label", + "operation": "Update", + "time": "2022-04-26T05:54:21Z" + }, { + "apiVersion": "v1", + "fieldsType": "FieldsV1", + 
"fieldsV1": { + "f:status": { + "f:conditions": { + "k:{\"type\":\"DiskPressure\"}": { + "f:lastHeartbeatTime": {} + }, + "k:{\"type\":\"MemoryPressure\"}": { + "f:lastHeartbeatTime": {} + }, + "k:{\"type\":\"PIDPressure\"}": { + "f:lastHeartbeatTime": {} + }, + "k:{\"type\":\"Ready\"}": { + "f:lastHeartbeatTime": {}, + "f:lastTransitionTime": {}, + "f:message": {}, + "f:reason": {}, + "f:status": {} + } + } + } + }, + "manager": "Go-http-client", + "operation": "Update", + "subresource": "status", + "time": "2022-04-26T05:54:31Z" + }, { + "apiVersion": "v1", + "fieldsType": "FieldsV1", + "fieldsV1": { + "f:metadata": { + "f:annotations": { + "f:node.alpha.kubernetes.io/ttl": {} + } + }, + "f:spec": { + "f:podCIDR": {}, + "f:podCIDRs": { + ".": {}, + "v:\"10.244.0.0/24\"": {} + } + } + }, + "manager": "kube-controller-manager", + "operation": "Update", + "time": "2022-04-26T05:54:33Z" + }], + "name": "minikube", + "resourceVersion": "4245", + "uid": "5a3a25d4-b1e5-42d3-a533-4d36f084314e" + }, + "spec": { + "podCIDR": "10.244.0.0/24", + "podCIDRs": ["10.244.0.0/24"] + }, + "status": { + "addresses": [{ + "address": "192.168.49.2", + "type": "InternalIP" + }, { + "address": "minikube", + "type": "Hostname" + }], + "allocatable": { + "cpu": "4", + "ephemeral-storage": "94850516Ki", + "hugepages-2Mi": "0", + "memory": "10432976Ki", + "pods": "110" + }, + "capacity": { + "cpu": "4", + "ephemeral-storage": "94850516Ki", + "hugepages-2Mi": "0", + "memory": "10432976Ki", + "pods": "110" + }, + "conditions": [{ + "lastHeartbeatTime": "2022-04-26T07:21:25Z", + "lastTransitionTime": "2022-04-26T05:54:14Z", + "message": "kubelet has sufficient memory available", + "reason": "KubeletHasSufficientMemory", + "status": "False", + "type": "MemoryPressure" + }, { + "lastHeartbeatTime": "2022-04-26T07:21:25Z", + "lastTransitionTime": "2022-04-26T05:54:14Z", + "message": "kubelet has no disk pressure", + "reason": "KubeletHasNoDiskPressure", + "status": "False", + "type": 
"DiskPressure" + }, { + "lastHeartbeatTime": "2022-04-26T07:21:25Z", + "lastTransitionTime": "2022-04-26T05:54:14Z", + "message": "kubelet has sufficient PID available", + "reason": "KubeletHasSufficientPID", + "status": "False", + "type": "PIDPressure" + }, { + "lastHeartbeatTime": "2022-04-26T07:21:25Z", + "lastTransitionTime": "2022-04-26T05:54:31Z", + "message": "kubelet is posting ready status", + "reason": "KubeletReady", + "status": "True", + "type": "Ready" + }], + "daemonEndpoints": { + "kubeletEndpoint": { + "Port": 10250 + } + }, + "images": [{ + "names": ["quay.io/armosec/k8s-ca-vuln-scan-ubi@sha256:275fa8a7a1e58cbd3c94bbf6c6a423970d6b44c5355021f2a7ca937563c26593", "quay.io/armosec/k8s-ca-vuln-scan-ubi:127"], + "sizeBytes": 1018599142 + }, { + "names": ["gcr.io/google-samples/node-hello@sha256:d238d0ab54efb76ec0f7b1da666cefa9b40be59ef34346a761b8adc2dd45459b", "gcr.io/google-samples/node-hello:1.0"], + "sizeBytes": 643762709 + }, { + "names": ["requarks/wiki@sha256:dd83fff15e77843ff934b25c28c865ac000edf7653e5d11adad1dd51df87439d"], + "sizeBytes": 441083858 + }, { + "names": ["mariadb@sha256:821d0411208eaa88f9e1f0daccd1d534f88d19baf724eb9a2777cbedb10b6c66"], + "sizeBytes": 400782682 + }, { + "names": ["k8s.gcr.io/etcd@sha256:64b9ea357325d5db9f8a723dcf503b5a449177b17ac87d69481e126bb724c263", "k8s.gcr.io/etcd:3.5.1-0"], + "sizeBytes": 292558922 + }, { + "names": ["kubernetesui/dashboard@sha256:ec27f462cf1946220f5a9ace416a84a57c18f98c777876a8054405d1428cc92e", "kubernetesui/dashboard:v2.3.1"], + "sizeBytes": 220033604 + }, { + "names": ["httpd@sha256:94cd479f4875e3e0fba620baf7a0e9353e15783368f4f74b9ea5bdc729b3f366", "httpd:2.4"], + "sizeBytes": 143610390 + }, { + "names": ["quay.io/armosec/k8s-ca-dashboard-aggregator-ubi@sha256:5dd4c701070c0168dda6bf4932f2752212a6b8f9d70c0fa15f10f29d82ed460a", "quay.io/armosec/k8s-ca-dashboard-aggregator-ubi:185"], + "sizeBytes": 138395979 + }, { + "names": 
["k8s.gcr.io/kube-apiserver@sha256:f54681a71cce62cbc1b13ebb3dbf1d880f849112789811f98b6aebd2caa2f255", "k8s.gcr.io/kube-apiserver:v1.23.1"], + "sizeBytes": 135162256 + }, { + "names": ["k8s.gcr.io/kube-controller-manager@sha256:a7ed87380108a2d811f0d392a3fe87546c85bc366e0d1e024dfa74eb14468604", "k8s.gcr.io/kube-controller-manager:v1.23.1"], + "sizeBytes": 124971684 + }, { + "names": ["k8s.gcr.io/kube-proxy@sha256:e40f3a28721588affcf187f3f246d1e078157dabe274003eaa2957a83f7170c8", "k8s.gcr.io/kube-proxy:v1.23.1"], + "sizeBytes": 112327826 + }, { + "names": ["quay.io/armosec/notification-server-ubi@sha256:4fc284ba63683e00468b92db20f51c1209ae475a6d0bd53c1b025964876d0eea", "quay.io/armosec/notification-server-ubi:89"], + "sizeBytes": 109413165 + }, { + "names": ["nginx@sha256:f7988fb6c02e0ce69257d9bd9cf37ae20a60f1df7563c3a2a6abe24160306b8d"], + "sizeBytes": 109129446 + }, { + "names": ["quay.io/armosec/kubescape@sha256:b76503638466be6a9b988890202fa00de0e8806819a4a4438328e50abdac270c", "quay.io/armosec/kubescape:v2.0.149"], + "sizeBytes": 55122796 + }, { + "names": ["k8s.gcr.io/kube-scheduler@sha256:8be4eb1593cf9ff2d91b44596633b7815a3753696031a1eb4273d1b39427fa8c", "k8s.gcr.io/kube-scheduler:v1.23.1"], + "sizeBytes": 53488305 + }, { + "names": ["k8s.gcr.io/coredns/coredns@sha256:5b6ec0d6de9baaf3e92d0f66cd96a25b9edbce8716f5f15dcd1a616b3abd590e", "k8s.gcr.io/coredns/coredns:v1.8.6"], + "sizeBytes": 46829283 + }, { + "names": ["quay.io/armosec/k8s-ca-websocket-ubi@sha256:a5eba54aeada7d995f83356dcabb6c505e3922016d29246fa0e8a3c179533861", "quay.io/armosec/k8s-ca-websocket-ubi:458"], + "sizeBytes": 45050289 + }, { + "names": ["kubernetesui/metrics-scraper@sha256:36d5b3f60e1a144cc5ada820910535074bdf5cf73fb70d1ff1681537eef4e172", "kubernetesui/metrics-scraper:v1.0.7"], + "sizeBytes": 34446077 + }, { + "names": ["gcr.io/k8s-minikube/storage-provisioner@sha256:18eb69d1418e854ad5a19e399310e52808a8321e4c441c1dddad8977a0d7a944", "gcr.io/k8s-minikube/storage-provisioner:v5"], + 
"sizeBytes": 31465472
+ }, {
+ "names": ["quay.io/armosec/kube-host-sensor@sha256:b592a099c72c5f7ccc9da011b9c9f3297e7a60f5910a20f994c9dfa6142d9204"],
+ "sizeBytes": 11807596
+ }, {
+ "names": ["quay.io/armosec/kube-host-sensor@sha256:82139d2561039726be060df2878ef023c59df7c536fbd7f6d766af5a99569fee", "quay.io/armosec/kube-host-sensor:latest"],
+ "sizeBytes": 11796788
+ }, {
+ "names": ["busybox@sha256:caa382c432891547782ce7140fb3b7304613d3b0438834dce1cad68896ab110a", "busybox:latest"],
+ "sizeBytes": 1239748
+ }, {
+ "names": ["k8s.gcr.io/pause@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db", "k8s.gcr.io/pause:3.6"],
+ "sizeBytes": 682696
+ }],
+ "nodeInfo": {
+ "architecture": "amd64",
+ "bootID": "a025a04b-23a2-44b6-aa3a-2b3d3650bcbb",
+ "containerRuntimeVersion": "docker://20.10.12",
+ "kernelVersion": "5.4.0-1059-azure",
+ "kubeProxyVersion": "v1.23.1",
+ "kubeletVersion": "v1.23.1",
+ "machineID": "8de776e053e140d6a14c2d2def3d6bb8",
+ "operatingSystem": "linux",
+ "osImage": "Ubuntu 20.04.2 LTS",
+ "systemUUID": "8d013ac0-0dbc-4c34-b2bd-0365fd0fd31c"
+ }
+ }
+}
\ No newline at end of file
diff --git a/rules/CVE-2022-0492/test/ca_dac_override_pass/expected.json b/rules/CVE-2022-0185/test/test_azure_pass/expected.json
similarity index 100%
rename from rules/CVE-2022-0492/test/ca_dac_override_pass/expected.json
rename to rules/CVE-2022-0185/test/test_azure_pass/expected.json
diff --git a/rules/CVE-2022-0185/test/test_azure_pass/input/kernelvars.json b/rules/CVE-2022-0185/test/test_azure_pass/input/kernelvars.json
new file mode 100644
index 000000000..4f45ec75e
--- /dev/null
+++ b/rules/CVE-2022-0185/test/test_azure_pass/input/kernelvars.json
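Review bot: The field this fixture exists to exercise, `"kernelVersion": "5.4.0-1059-azure"`, is buried in a 264-line capture of a minikube Node whose only difference from the test_azure_pass node.json further down is that one string (`"5.4.0-1067-azure"` there); the rest — managedFields, the 23-entry image list, `machineID`, `systemUUID`, `bootID` — is presumably never read by the CVE-2022-0185 rule. If the rule only consults `status.nodeInfo.kernelVersion`, trimming both fixtures to `metadata.name` plus `status.nodeInfo` would make the tested input obvious and keep the captured host identifiers out of the repository. The two copies also drift silently if one is later edited, which is another reason to keep them minimal.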
@@ -0,0 +1,536 @@ +{ + "apiVersion": "hostdata.kubescape.cloud/v1beta0", + "data": [{ + "key": "acct", + "source": "/proc/sys/kernel/acct", + "value": "4\t2\t30\n" + }, { + "key": "acpi_video_flags", + "source": "/proc/sys/kernel/acpi_video_flags", + "value": "0\n" + }, { + "key": "apparmor_display_secid_mode", + "source": "/proc/sys/kernel/apparmor_display_secid_mode", + "value": "0\n" + }, { + "key": "auto_msgmni", + "source": "/proc/sys/kernel/auto_msgmni", + "value": "0\n" + }, { + "key": "bootloader_type", + "source": "/proc/sys/kernel/bootloader_type", + "value": "114\n" + }, { + "key": "bootloader_version", + "source": "/proc/sys/kernel/bootloader_version", + "value": "2\n" + }, { + "key": "bpf_stats_enabled", + "source": "/proc/sys/kernel/bpf_stats_enabled", + "value": "0\n" + }, { + "key": "cad_pid", + "source": "/proc/sys/kernel/cad_pid", + "value": "0\n" + }, { + "key": "cap_last_cap", + "source": "/proc/sys/kernel/cap_last_cap", + "value": "40\n" + }, { + "key": "core_pattern", + "source": "/proc/sys/kernel/core_pattern", + "value": "|/usr/share/apport/apport %p %s %c %d %P %E\n" + }, { + "key": "core_pipe_limit", + "source": "/proc/sys/kernel/core_pipe_limit", + "value": "0\n" + }, { + "key": "core_uses_pid", + "source": "/proc/sys/kernel/core_uses_pid", + "value": "0\n" + }, { + "key": "ctrl-alt-del", + "source": "/proc/sys/kernel/ctrl-alt-del", + "value": "0\n" + }, { + "key": "dmesg_restrict", + "source": "/proc/sys/kernel/dmesg_restrict", + "value": "0\n" + }, { + "key": "domainname", + "source": "/proc/sys/kernel/domainname", + "value": "(none)\n" + }, { + "key": "force_sysfs_fallback", + "source": "/proc/sys/kernel/firmware_config/force_sysfs_fallback", + "value": "0\n" + }, { + "key": "ignore_sysfs_fallback", + "source": "/proc/sys/kernel/firmware_config/ignore_sysfs_fallback", + "value": "0\n" + }, { + "key": "ftrace_dump_on_oops", + "source": "/proc/sys/kernel/ftrace_dump_on_oops", + "value": "0\n" + }, { + "key": "ftrace_enabled", + "source": 
"/proc/sys/kernel/ftrace_enabled", + "value": "1\n" + }, { + "key": "hardlockup_all_cpu_backtrace", + "source": "/proc/sys/kernel/hardlockup_all_cpu_backtrace", + "value": "0\n" + }, { + "key": "hardlockup_panic", + "source": "/proc/sys/kernel/hardlockup_panic", + "value": "0\n" + }, { + "key": "hostname", + "source": "/proc/sys/kernel/hostname", + "value": "minikube\n" + }, { + "key": "hotplug", + "source": "/proc/sys/kernel/hotplug", + "value": "\n" + }, { + "key": "hung_task_all_cpu_backtrace", + "source": "/proc/sys/kernel/hung_task_all_cpu_backtrace", + "value": "0\n" + }, { + "key": "hung_task_check_count", + "source": "/proc/sys/kernel/hung_task_check_count", + "value": "4194304\n" + }, { + "key": "hung_task_check_interval_secs", + "source": "/proc/sys/kernel/hung_task_check_interval_secs", + "value": "0\n" + }, { + "key": "hung_task_panic", + "source": "/proc/sys/kernel/hung_task_panic", + "value": "0\n" + }, { + "key": "hung_task_timeout_secs", + "source": "/proc/sys/kernel/hung_task_timeout_secs", + "value": "120\n" + }, { + "key": "hung_task_warnings", + "source": "/proc/sys/kernel/hung_task_warnings", + "value": "10\n" + }, { + "key": "io_delay_type", + "source": "/proc/sys/kernel/io_delay_type", + "value": "1\n" + }, { + "key": "kexec_load_disabled", + "source": "/proc/sys/kernel/kexec_load_disabled", + "value": "0\n" + }, { + "key": "gc_delay", + "source": "/proc/sys/kernel/keys/gc_delay", + "value": "300\n" + }, { + "key": "maxbytes", + "source": "/proc/sys/kernel/keys/maxbytes", + "value": "20000\n" + }, { + "key": "maxkeys", + "source": "/proc/sys/kernel/keys/maxkeys", + "value": "200\n" + }, { + "key": "persistent_keyring_expiry", + "source": "/proc/sys/kernel/keys/persistent_keyring_expiry", + "value": "259200\n" + }, { + "key": "root_maxbytes", + "source": "/proc/sys/kernel/keys/root_maxbytes", + "value": "25000000\n" + }, { + "key": "root_maxkeys", + "source": "/proc/sys/kernel/keys/root_maxkeys", + "value": "1000000\n" + }, { + "key": 
"kptr_restrict", + "source": "/proc/sys/kernel/kptr_restrict", + "value": "1\n" + }, { + "key": "max_lock_depth", + "source": "/proc/sys/kernel/max_lock_depth", + "value": "1024\n" + }, { + "key": "max_rcu_stall_to_panic", + "source": "/proc/sys/kernel/max_rcu_stall_to_panic", + "value": "0\n" + }, { + "key": "modprobe", + "source": "/proc/sys/kernel/modprobe", + "value": "/sbin/modprobe\n" + }, { + "key": "modules_disabled", + "source": "/proc/sys/kernel/modules_disabled", + "value": "0\n" + }, { + "key": "msg_next_id", + "source": "/proc/sys/kernel/msg_next_id", + "value": "-1\n" + }, { + "key": "msgmax", + "source": "/proc/sys/kernel/msgmax", + "value": "8192\n" + }, { + "key": "msgmnb", + "source": "/proc/sys/kernel/msgmnb", + "value": "16384\n" + }, { + "key": "msgmni", + "source": "/proc/sys/kernel/msgmni", + "value": "32000\n" + }, { + "key": "ngroups_max", + "source": "/proc/sys/kernel/ngroups_max", + "value": "65536\n" + }, { + "key": "nmi_watchdog", + "source": "/proc/sys/kernel/nmi_watchdog", + "value": "0\n" + }, { + "key": "ns_last_pid", + "source": "/proc/sys/kernel/ns_last_pid", + "value": "17618\n" + }, { + "key": "numa_balancing", + "source": "/proc/sys/kernel/numa_balancing", + "value": "0\n" + }, { + "key": "oops_all_cpu_backtrace", + "source": "/proc/sys/kernel/oops_all_cpu_backtrace", + "value": "0\n" + }, { + "key": "osrelease", + "source": "/proc/sys/kernel/osrelease", + "value": "5.13.0-39-generic\n" + }, { + "key": "ostype", + "source": "/proc/sys/kernel/ostype", + "value": "Linux\n" + }, { + "key": "overflowgid", + "source": "/proc/sys/kernel/overflowgid", + "value": "65534\n" + }, { + "key": "overflowuid", + "source": "/proc/sys/kernel/overflowuid", + "value": "65534\n" + }, { + "key": "panic", + "source": "/proc/sys/kernel/panic", + "value": "10\n" + }, { + "key": "panic_on_io_nmi", + "source": "/proc/sys/kernel/panic_on_io_nmi", + "value": "0\n" + }, { + "key": "panic_on_oops", + "source": "/proc/sys/kernel/panic_on_oops", + "value": 
"1\n" + }, { + "key": "panic_on_rcu_stall", + "source": "/proc/sys/kernel/panic_on_rcu_stall", + "value": "0\n" + }, { + "key": "panic_on_unrecovered_nmi", + "source": "/proc/sys/kernel/panic_on_unrecovered_nmi", + "value": "0\n" + }, { + "key": "panic_on_warn", + "source": "/proc/sys/kernel/panic_on_warn", + "value": "0\n" + }, { + "key": "panic_print", + "source": "/proc/sys/kernel/panic_print", + "value": "0\n" + }, { + "key": "perf_cpu_time_max_percent", + "source": "/proc/sys/kernel/perf_cpu_time_max_percent", + "value": "25\n" + }, { + "key": "perf_event_max_contexts_per_stack", + "source": "/proc/sys/kernel/perf_event_max_contexts_per_stack", + "value": "8\n" + }, { + "key": "perf_event_max_sample_rate", + "source": "/proc/sys/kernel/perf_event_max_sample_rate", + "value": "100000\n" + }, { + "key": "perf_event_max_stack", + "source": "/proc/sys/kernel/perf_event_max_stack", + "value": "127\n" + }, { + "key": "perf_event_mlock_kb", + "source": "/proc/sys/kernel/perf_event_mlock_kb", + "value": "516\n" + }, { + "key": "perf_event_paranoid", + "source": "/proc/sys/kernel/perf_event_paranoid", + "value": "4\n" + }, { + "key": "pid_max", + "source": "/proc/sys/kernel/pid_max", + "value": "4194304\n" + }, { + "key": "poweroff_cmd", + "source": "/proc/sys/kernel/poweroff_cmd", + "value": "/sbin/poweroff\n" + }, { + "key": "print-fatal-signals", + "source": "/proc/sys/kernel/print-fatal-signals", + "value": "0\n" + }, { + "key": "printk", + "source": "/proc/sys/kernel/printk", + "value": "4\t4\t1\t7\n" + }, { + "key": "printk_delay", + "source": "/proc/sys/kernel/printk_delay", + "value": "0\n" + }, { + "key": "printk_devkmsg", + "source": "/proc/sys/kernel/printk_devkmsg", + "value": "on\n" + }, { + "key": "printk_ratelimit", + "source": "/proc/sys/kernel/printk_ratelimit", + "value": "5\n" + }, { + "key": "printk_ratelimit_burst", + "source": "/proc/sys/kernel/printk_ratelimit_burst", + "value": "10\n" + }, { + "key": "max", + "source": 
"/proc/sys/kernel/pty/max", + "value": "4096\n" + }, { + "key": "nr", + "source": "/proc/sys/kernel/pty/nr", + "value": "4\n" + }, { + "key": "reserve", + "source": "/proc/sys/kernel/pty/reserve", + "value": "1024\n" + }, { + "key": "boot_id", + "source": "/proc/sys/kernel/random/boot_id", + "value": "a025a04b-23a2-44b6-aa3a-2b3d3650bcbb\n" + }, { + "key": "entropy_avail", + "source": "/proc/sys/kernel/random/entropy_avail", + "value": "3806\n" + }, { + "key": "poolsize", + "source": "/proc/sys/kernel/random/poolsize", + "value": "4096\n" + }, { + "key": "urandom_min_reseed_secs", + "source": "/proc/sys/kernel/random/urandom_min_reseed_secs", + "value": "60\n" + }, { + "key": "uuid", + "source": "/proc/sys/kernel/random/uuid", + "value": "7b6b5bf9-9af4-49db-aba6-f0be1c57e2b8\n" + }, { + "key": "write_wakeup_threshold", + "source": "/proc/sys/kernel/random/write_wakeup_threshold", + "value": "896\n" + }, { + "key": "randomize_va_space", + "source": "/proc/sys/kernel/randomize_va_space", + "value": "2\n" + }, { + "key": "real-root-dev", + "source": "/proc/sys/kernel/real-root-dev", + "value": "0\n" + }, { + "key": "sched_autogroup_enabled", + "source": "/proc/sys/kernel/sched_autogroup_enabled", + "value": "1\n" + }, { + "key": "sched_cfs_bandwidth_slice_us", + "source": "/proc/sys/kernel/sched_cfs_bandwidth_slice_us", + "value": "5000\n" + }, { + "key": "sched_child_runs_first", + "source": "/proc/sys/kernel/sched_child_runs_first", + "value": "0\n" + }, { + "key": "sched_deadline_period_max_us", + "source": "/proc/sys/kernel/sched_deadline_period_max_us", + "value": "4194304\n" + }, { + "key": "sched_deadline_period_min_us", + "source": "/proc/sys/kernel/sched_deadline_period_min_us", + "value": "100\n" + }, { + "key": "sched_energy_aware", + "source": "/proc/sys/kernel/sched_energy_aware", + "value": "1\n" + }, { + "key": "sched_rr_timeslice_ms", + "source": "/proc/sys/kernel/sched_rr_timeslice_ms", + "value": "100\n" + }, { + "key": "sched_rt_period_us", + 
"source": "/proc/sys/kernel/sched_rt_period_us", + "value": "1000000\n" + }, { + "key": "sched_rt_runtime_us", + "source": "/proc/sys/kernel/sched_rt_runtime_us", + "value": "950000\n" + }, { + "key": "sched_schedstats", + "source": "/proc/sys/kernel/sched_schedstats", + "value": "0\n" + }, { + "key": "sched_util_clamp_max", + "source": "/proc/sys/kernel/sched_util_clamp_max", + "value": "1024\n" + }, { + "key": "sched_util_clamp_min", + "source": "/proc/sys/kernel/sched_util_clamp_min", + "value": "1024\n" + }, { + "key": "sched_util_clamp_min_rt_default", + "source": "/proc/sys/kernel/sched_util_clamp_min_rt_default", + "value": "1024\n" + }, { + "key": "actions_avail", + "source": "/proc/sys/kernel/seccomp/actions_avail", + "value": "kill_process kill_thread trap errno user_notif trace log allow\n" + }, { + "key": "actions_logged", + "source": "/proc/sys/kernel/seccomp/actions_logged", + "value": "kill_process kill_thread trap errno user_notif trace log\n" + }, { + "key": "sem", + "source": "/proc/sys/kernel/sem", + "value": "32000\t1024000000\t500\t32000\n" + }, { + "key": "sem_next_id", + "source": "/proc/sys/kernel/sem_next_id", + "value": "-1\n" + }, { + "key": "sg-big-buff", + "source": "/proc/sys/kernel/sg-big-buff", + "value": "32768\n" + }, { + "key": "shm_next_id", + "source": "/proc/sys/kernel/shm_next_id", + "value": "-1\n" + }, { + "key": "shm_rmid_forced", + "source": "/proc/sys/kernel/shm_rmid_forced", + "value": "0\n" + }, { + "key": "shmall", + "source": "/proc/sys/kernel/shmall", + "value": "18446744073692774399\n" + }, { + "key": "shmmax", + "source": "/proc/sys/kernel/shmmax", + "value": "18446744073692774399\n" + }, { + "key": "shmmni", + "source": "/proc/sys/kernel/shmmni", + "value": "4096\n" + }, { + "key": "soft_watchdog", + "source": "/proc/sys/kernel/soft_watchdog", + "value": "1\n" + }, { + "key": "softlockup_all_cpu_backtrace", + "source": "/proc/sys/kernel/softlockup_all_cpu_backtrace", + "value": "0\n" + }, { + "key": 
"softlockup_panic", + "source": "/proc/sys/kernel/softlockup_panic", + "value": "0\n" + }, { + "key": "stack_tracer_enabled", + "source": "/proc/sys/kernel/stack_tracer_enabled", + "value": "0\n" + }, { + "key": "sysctl_writes_strict", + "source": "/proc/sys/kernel/sysctl_writes_strict", + "value": "1\n" + }, { + "key": "sysrq", + "source": "/proc/sys/kernel/sysrq", + "value": "176\n" + }, { + "key": "tainted", + "source": "/proc/sys/kernel/tainted", + "value": "12288\n" + }, { + "key": "threads-max", + "source": "/proc/sys/kernel/threads-max", + "value": "80984\n" + }, { + "key": "timer_migration", + "source": "/proc/sys/kernel/timer_migration", + "value": "1\n" + }, { + "key": "traceoff_on_warning", + "source": "/proc/sys/kernel/traceoff_on_warning", + "value": "0\n" + }, { + "key": "tracepoint_printk", + "source": "/proc/sys/kernel/tracepoint_printk", + "value": "0\n" + }, { + "key": "unknown_nmi_panic", + "source": "/proc/sys/kernel/unknown_nmi_panic", + "value": "0\n" + }, { + "key": "unprivileged_bpf_disabled", + "source": "/proc/sys/kernel/unprivileged_bpf_disabled", + "value": "2\n" + }, { + "key": "unprivileged_userns_apparmor_policy", + "source": "/proc/sys/kernel/unprivileged_userns_apparmor_policy", + "value": "1\n" + }, { + "key": "unprivileged_userns_clone", + "source": "/proc/sys/kernel/unprivileged_userns_clone", + "value": "1\n" + }, { + "key": "bset", + "source": "/proc/sys/kernel/usermodehelper/bset", + "value": "4294967295\t511\n" + }, { + "key": "inheritable", + "source": "/proc/sys/kernel/usermodehelper/inheritable", + "value": "4294967295\t511\n" + }, { + "key": "version", + "source": "/proc/sys/kernel/version", + "value": "#44~20.04.1-Ubuntu SMP Thu Mar 24 16:43:35 UTC 2022\n" + }, { + "key": "watchdog", + "source": "/proc/sys/kernel/watchdog", + "value": "1\n" + }, { + "key": "watchdog_cpumask", + "source": "/proc/sys/kernel/watchdog_cpumask", + "value": "0-3\n" + }, { + "key": "watchdog_thresh", + "source": 
"/proc/sys/kernel/watchdog_thresh",
+ "value": "10\n"
+ }, {
+ "key": "ptrace_scope",
+ "source": "/proc/sys/kernel/yama/ptrace_scope",
+ "value": "1\n"
+ }],
+ "kind": "LinuxKernelVariables",
+ "metadata": {
+ "name": "minikube"
+ }
+}
\ No newline at end of file
diff --git a/rules/CVE-2022-0185/test/test_azure_pass/input/node.json b/rules/CVE-2022-0185/test/test_azure_pass/input/node.json
new file mode 100644
index 000000000..024b35095
--- /dev/null
+++ b/rules/CVE-2022-0185/test/test_azure_pass/input/node.json
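Review bot: This kernelvars.json contradicts the node.json it is paired with: `"osrelease"` reports `5.13.0-39-generic` and `"version"` reports `#44~20.04.1-Ubuntu ...`, while the test_azure_pass node.json below sets `"kernelVersion": "5.4.0-1067-azure"`. The blob index `4f45ec75e` is the same one the commit adds for test_generic_fail, so the azure case reuses a generic-host capture rather than an azure one. If the rule decides on the node's kernelVersion alone the test still passes, but the fixture describes a host that cannot exist; aligning `osrelease` with the azure kernel string, or omitting kernelvars.json where it is not consulted, would avoid that. Note also that `unprivileged_userns_clone` is `1` here: if the rule consults that variable as well (the key is present in the fixture), this pass case only exercises the version check, and a second pass fixture with it set to `0` would cover the other branch.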
@@ -0,0 +1,264 @@ +{ + "apiVersion": "v1", + "kind": "Node", + "metadata": { + "annotations": { + "kubeadm.alpha.kubernetes.io/cri-socket": "/var/run/dockershim.sock", + "node.alpha.kubernetes.io/ttl": "0", + "volumes.kubernetes.io/controller-managed-attach-detach": "true" + }, + "creationTimestamp": "2022-04-26T05:54:17Z", + "labels": { + "beta.kubernetes.io/arch": "amd64", + "beta.kubernetes.io/os": "linux", + "kubernetes.io/arch": "amd64", + "kubernetes.io/hostname": "minikube", + "kubernetes.io/os": "linux", + "minikube.k8s.io/commit": "3e64b11ed75e56e4898ea85f96b2e4af0301f43d", + "minikube.k8s.io/name": "minikube", + "minikube.k8s.io/updated_at": "2022_04_26T08_54_20_0700", + "minikube.k8s.io/version": "v1.25.1", + "node-role.kubernetes.io/control-plane": "", + "node-role.kubernetes.io/master": "", + "node.kubernetes.io/exclude-from-external-load-balancers": "" + }, + "managedFields": [{ + "apiVersion": "v1", + "fieldsType": "FieldsV1", + "fieldsV1": { + "f:metadata": { + "f:annotations": { + ".": {}, + "f:kubeadm.alpha.kubernetes.io/cri-socket": {}, + "f:volumes.kubernetes.io/controller-managed-attach-detach": {} + }, + "f:labels": { + ".": {}, + "f:beta.kubernetes.io/arch": {}, + "f:beta.kubernetes.io/os": {}, + "f:kubernetes.io/arch": {}, + "f:kubernetes.io/hostname": {}, + "f:kubernetes.io/os": {}, + "f:node-role.kubernetes.io/control-plane": {}, + "f:node-role.kubernetes.io/master": {}, + "f:node.kubernetes.io/exclude-from-external-load-balancers": {} + } + } + }, + "manager": "Go-http-client", + "operation": "Update", + "time": "2022-04-26T05:54:20Z" + }, { + "apiVersion": "v1", + "fieldsType": "FieldsV1", + "fieldsV1": { + "f:metadata": { + "f:labels": { + "f:minikube.k8s.io/commit": {}, + "f:minikube.k8s.io/name": {}, + "f:minikube.k8s.io/updated_at": {}, + "f:minikube.k8s.io/version": {} + } + } + }, + "manager": "kubectl-label", + "operation": "Update", + "time": "2022-04-26T05:54:21Z" + }, { + "apiVersion": "v1", + "fieldsType": "FieldsV1", + 
"fieldsV1": { + "f:status": { + "f:conditions": { + "k:{\"type\":\"DiskPressure\"}": { + "f:lastHeartbeatTime": {} + }, + "k:{\"type\":\"MemoryPressure\"}": { + "f:lastHeartbeatTime": {} + }, + "k:{\"type\":\"PIDPressure\"}": { + "f:lastHeartbeatTime": {} + }, + "k:{\"type\":\"Ready\"}": { + "f:lastHeartbeatTime": {}, + "f:lastTransitionTime": {}, + "f:message": {}, + "f:reason": {}, + "f:status": {} + } + } + } + }, + "manager": "Go-http-client", + "operation": "Update", + "subresource": "status", + "time": "2022-04-26T05:54:31Z" + }, { + "apiVersion": "v1", + "fieldsType": "FieldsV1", + "fieldsV1": { + "f:metadata": { + "f:annotations": { + "f:node.alpha.kubernetes.io/ttl": {} + } + }, + "f:spec": { + "f:podCIDR": {}, + "f:podCIDRs": { + ".": {}, + "v:\"10.244.0.0/24\"": {} + } + } + }, + "manager": "kube-controller-manager", + "operation": "Update", + "time": "2022-04-26T05:54:33Z" + }], + "name": "minikube", + "resourceVersion": "4245", + "uid": "5a3a25d4-b1e5-42d3-a533-4d36f084314e" + }, + "spec": { + "podCIDR": "10.244.0.0/24", + "podCIDRs": ["10.244.0.0/24"] + }, + "status": { + "addresses": [{ + "address": "192.168.49.2", + "type": "InternalIP" + }, { + "address": "minikube", + "type": "Hostname" + }], + "allocatable": { + "cpu": "4", + "ephemeral-storage": "94850516Ki", + "hugepages-2Mi": "0", + "memory": "10432976Ki", + "pods": "110" + }, + "capacity": { + "cpu": "4", + "ephemeral-storage": "94850516Ki", + "hugepages-2Mi": "0", + "memory": "10432976Ki", + "pods": "110" + }, + "conditions": [{ + "lastHeartbeatTime": "2022-04-26T07:21:25Z", + "lastTransitionTime": "2022-04-26T05:54:14Z", + "message": "kubelet has sufficient memory available", + "reason": "KubeletHasSufficientMemory", + "status": "False", + "type": "MemoryPressure" + }, { + "lastHeartbeatTime": "2022-04-26T07:21:25Z", + "lastTransitionTime": "2022-04-26T05:54:14Z", + "message": "kubelet has no disk pressure", + "reason": "KubeletHasNoDiskPressure", + "status": "False", + "type": 
"DiskPressure" + }, { + "lastHeartbeatTime": "2022-04-26T07:21:25Z", + "lastTransitionTime": "2022-04-26T05:54:14Z", + "message": "kubelet has sufficient PID available", + "reason": "KubeletHasSufficientPID", + "status": "False", + "type": "PIDPressure" + }, { + "lastHeartbeatTime": "2022-04-26T07:21:25Z", + "lastTransitionTime": "2022-04-26T05:54:31Z", + "message": "kubelet is posting ready status", + "reason": "KubeletReady", + "status": "True", + "type": "Ready" + }], + "daemonEndpoints": { + "kubeletEndpoint": { + "Port": 10250 + } + }, + "images": [{ + "names": ["quay.io/armosec/k8s-ca-vuln-scan-ubi@sha256:275fa8a7a1e58cbd3c94bbf6c6a423970d6b44c5355021f2a7ca937563c26593", "quay.io/armosec/k8s-ca-vuln-scan-ubi:127"], + "sizeBytes": 1018599142 + }, { + "names": ["gcr.io/google-samples/node-hello@sha256:d238d0ab54efb76ec0f7b1da666cefa9b40be59ef34346a761b8adc2dd45459b", "gcr.io/google-samples/node-hello:1.0"], + "sizeBytes": 643762709 + }, { + "names": ["requarks/wiki@sha256:dd83fff15e77843ff934b25c28c865ac000edf7653e5d11adad1dd51df87439d"], + "sizeBytes": 441083858 + }, { + "names": ["mariadb@sha256:821d0411208eaa88f9e1f0daccd1d534f88d19baf724eb9a2777cbedb10b6c66"], + "sizeBytes": 400782682 + }, { + "names": ["k8s.gcr.io/etcd@sha256:64b9ea357325d5db9f8a723dcf503b5a449177b17ac87d69481e126bb724c263", "k8s.gcr.io/etcd:3.5.1-0"], + "sizeBytes": 292558922 + }, { + "names": ["kubernetesui/dashboard@sha256:ec27f462cf1946220f5a9ace416a84a57c18f98c777876a8054405d1428cc92e", "kubernetesui/dashboard:v2.3.1"], + "sizeBytes": 220033604 + }, { + "names": ["httpd@sha256:94cd479f4875e3e0fba620baf7a0e9353e15783368f4f74b9ea5bdc729b3f366", "httpd:2.4"], + "sizeBytes": 143610390 + }, { + "names": ["quay.io/armosec/k8s-ca-dashboard-aggregator-ubi@sha256:5dd4c701070c0168dda6bf4932f2752212a6b8f9d70c0fa15f10f29d82ed460a", "quay.io/armosec/k8s-ca-dashboard-aggregator-ubi:185"], + "sizeBytes": 138395979 + }, { + "names": 
["k8s.gcr.io/kube-apiserver@sha256:f54681a71cce62cbc1b13ebb3dbf1d880f849112789811f98b6aebd2caa2f255", "k8s.gcr.io/kube-apiserver:v1.23.1"], + "sizeBytes": 135162256 + }, { + "names": ["k8s.gcr.io/kube-controller-manager@sha256:a7ed87380108a2d811f0d392a3fe87546c85bc366e0d1e024dfa74eb14468604", "k8s.gcr.io/kube-controller-manager:v1.23.1"], + "sizeBytes": 124971684 + }, { + "names": ["k8s.gcr.io/kube-proxy@sha256:e40f3a28721588affcf187f3f246d1e078157dabe274003eaa2957a83f7170c8", "k8s.gcr.io/kube-proxy:v1.23.1"], + "sizeBytes": 112327826 + }, { + "names": ["quay.io/armosec/notification-server-ubi@sha256:4fc284ba63683e00468b92db20f51c1209ae475a6d0bd53c1b025964876d0eea", "quay.io/armosec/notification-server-ubi:89"], + "sizeBytes": 109413165 + }, { + "names": ["nginx@sha256:f7988fb6c02e0ce69257d9bd9cf37ae20a60f1df7563c3a2a6abe24160306b8d"], + "sizeBytes": 109129446 + }, { + "names": ["quay.io/armosec/kubescape@sha256:b76503638466be6a9b988890202fa00de0e8806819a4a4438328e50abdac270c", "quay.io/armosec/kubescape:v2.0.149"], + "sizeBytes": 55122796 + }, { + "names": ["k8s.gcr.io/kube-scheduler@sha256:8be4eb1593cf9ff2d91b44596633b7815a3753696031a1eb4273d1b39427fa8c", "k8s.gcr.io/kube-scheduler:v1.23.1"], + "sizeBytes": 53488305 + }, { + "names": ["k8s.gcr.io/coredns/coredns@sha256:5b6ec0d6de9baaf3e92d0f66cd96a25b9edbce8716f5f15dcd1a616b3abd590e", "k8s.gcr.io/coredns/coredns:v1.8.6"], + "sizeBytes": 46829283 + }, { + "names": ["quay.io/armosec/k8s-ca-websocket-ubi@sha256:a5eba54aeada7d995f83356dcabb6c505e3922016d29246fa0e8a3c179533861", "quay.io/armosec/k8s-ca-websocket-ubi:458"], + "sizeBytes": 45050289 + }, { + "names": ["kubernetesui/metrics-scraper@sha256:36d5b3f60e1a144cc5ada820910535074bdf5cf73fb70d1ff1681537eef4e172", "kubernetesui/metrics-scraper:v1.0.7"], + "sizeBytes": 34446077 + }, { + "names": ["gcr.io/k8s-minikube/storage-provisioner@sha256:18eb69d1418e854ad5a19e399310e52808a8321e4c441c1dddad8977a0d7a944", "gcr.io/k8s-minikube/storage-provisioner:v5"], + 
"sizeBytes": 31465472
+ }, {
+ "names": ["quay.io/armosec/kube-host-sensor@sha256:b592a099c72c5f7ccc9da011b9c9f3297e7a60f5910a20f994c9dfa6142d9204"],
+ "sizeBytes": 11807596
+ }, {
+ "names": ["quay.io/armosec/kube-host-sensor@sha256:82139d2561039726be060df2878ef023c59df7c536fbd7f6d766af5a99569fee", "quay.io/armosec/kube-host-sensor:latest"],
+ "sizeBytes": 11796788
+ }, {
+ "names": ["busybox@sha256:caa382c432891547782ce7140fb3b7304613d3b0438834dce1cad68896ab110a", "busybox:latest"],
+ "sizeBytes": 1239748
+ }, {
+ "names": ["k8s.gcr.io/pause@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db", "k8s.gcr.io/pause:3.6"],
+ "sizeBytes": 682696
+ }],
+ "nodeInfo": {
+ "architecture": "amd64",
+ "bootID": "a025a04b-23a2-44b6-aa3a-2b3d3650bcbb",
+ "containerRuntimeVersion": "docker://20.10.12",
+ "kernelVersion": "5.4.0-1067-azure",
+ "kubeProxyVersion": "v1.23.1",
+ "kubeletVersion": "v1.23.1",
+ "machineID": "8de776e053e140d6a14c2d2def3d6bb8",
+ "operatingSystem": "linux",
+ "osImage": "Ubuntu 20.04.2 LTS",
+ "systemUUID": "8d013ac0-0dbc-4c34-b2bd-0365fd0fd31c"
+ }
+ }
+}
\ No newline at end of file
diff --git a/rules/CVE-2022-0185/test/test/expected.json b/rules/CVE-2022-0185/test/test_generic_fail/expected.json
similarity index 99%
rename from rules/CVE-2022-0185/test/test/expected.json
rename to rules/CVE-2022-0185/test/test_generic_fail/expected.json
index 9ee16a18a..3429acd00 100644
--- a/rules/CVE-2022-0185/test/test/expected.json
+++ b/rules/CVE-2022-0185/test/test_generic_fail/expected.json
@@ -1,5 +1,6 @@
 [{
 "alertMessage": "You are vulnerable to CVE-2022-0185",
+ "reviewPaths": ["kernelVersion"],
 "failedPaths": ["kernelVersion"],
 "fixPaths": [],
 "ruleStatus": "",
diff --git a/rules/CVE-2022-0185/test/test_generic_fail/input/kernelvars.json b/rules/CVE-2022-0185/test/test_generic_fail/input/kernelvars.json
new file mode 100644
index 000000000..4f45ec75e
--- /dev/null
+++ b/rules/CVE-2022-0185/test/test_generic_fail/input/kernelvars.json
@@ -0,0 +1,536 @@ +{ + "apiVersion": "hostdata.kubescape.cloud/v1beta0", + "data": [{ + "key": "acct", + "source": "/proc/sys/kernel/acct", + "value": "4\t2\t30\n" + }, { + "key": "acpi_video_flags", + "source": "/proc/sys/kernel/acpi_video_flags", + "value": "0\n" + }, { + "key": "apparmor_display_secid_mode", + "source": "/proc/sys/kernel/apparmor_display_secid_mode", + "value": "0\n" + }, { + "key": "auto_msgmni", + "source": "/proc/sys/kernel/auto_msgmni", + "value": "0\n" + }, { + "key": "bootloader_type", + "source": "/proc/sys/kernel/bootloader_type", + "value": "114\n" + }, { + "key": "bootloader_version", + "source": "/proc/sys/kernel/bootloader_version", + "value": "2\n" + }, { + "key": "bpf_stats_enabled", + "source": "/proc/sys/kernel/bpf_stats_enabled", + "value": "0\n" + }, { + "key": "cad_pid", + "source": "/proc/sys/kernel/cad_pid", + "value": "0\n" + }, { + "key": "cap_last_cap", + "source": "/proc/sys/kernel/cap_last_cap", + "value": "40\n" + }, { + "key": "core_pattern", + "source": "/proc/sys/kernel/core_pattern", + "value": "|/usr/share/apport/apport %p %s %c %d %P %E\n" + }, { + "key": "core_pipe_limit", + "source": "/proc/sys/kernel/core_pipe_limit", + "value": "0\n" + }, { + "key": "core_uses_pid", + "source": "/proc/sys/kernel/core_uses_pid", + "value": "0\n" + }, { + "key": "ctrl-alt-del", + "source": "/proc/sys/kernel/ctrl-alt-del", + "value": "0\n" + }, { + "key": "dmesg_restrict", + "source": "/proc/sys/kernel/dmesg_restrict", + "value": "0\n" + }, { + "key": "domainname", + "source": "/proc/sys/kernel/domainname", + "value": "(none)\n" + }, { + "key": "force_sysfs_fallback", + "source": "/proc/sys/kernel/firmware_config/force_sysfs_fallback", + "value": "0\n" + }, { + "key": "ignore_sysfs_fallback", + "source": "/proc/sys/kernel/firmware_config/ignore_sysfs_fallback", + "value": "0\n" + }, { + "key": "ftrace_dump_on_oops", + "source": "/proc/sys/kernel/ftrace_dump_on_oops", + "value": "0\n" + }, { + "key": "ftrace_enabled", + "source": 
"/proc/sys/kernel/ftrace_enabled", + "value": "1\n" + }, { + "key": "hardlockup_all_cpu_backtrace", + "source": "/proc/sys/kernel/hardlockup_all_cpu_backtrace", + "value": "0\n" + }, { + "key": "hardlockup_panic", + "source": "/proc/sys/kernel/hardlockup_panic", + "value": "0\n" + }, { + "key": "hostname", + "source": "/proc/sys/kernel/hostname", + "value": "minikube\n" + }, { + "key": "hotplug", + "source": "/proc/sys/kernel/hotplug", + "value": "\n" + }, { + "key": "hung_task_all_cpu_backtrace", + "source": "/proc/sys/kernel/hung_task_all_cpu_backtrace", + "value": "0\n" + }, { + "key": "hung_task_check_count", + "source": "/proc/sys/kernel/hung_task_check_count", + "value": "4194304\n" + }, { + "key": "hung_task_check_interval_secs", + "source": "/proc/sys/kernel/hung_task_check_interval_secs", + "value": "0\n" + }, { + "key": "hung_task_panic", + "source": "/proc/sys/kernel/hung_task_panic", + "value": "0\n" + }, { + "key": "hung_task_timeout_secs", + "source": "/proc/sys/kernel/hung_task_timeout_secs", + "value": "120\n" + }, { + "key": "hung_task_warnings", + "source": "/proc/sys/kernel/hung_task_warnings", + "value": "10\n" + }, { + "key": "io_delay_type", + "source": "/proc/sys/kernel/io_delay_type", + "value": "1\n" + }, { + "key": "kexec_load_disabled", + "source": "/proc/sys/kernel/kexec_load_disabled", + "value": "0\n" + }, { + "key": "gc_delay", + "source": "/proc/sys/kernel/keys/gc_delay", + "value": "300\n" + }, { + "key": "maxbytes", + "source": "/proc/sys/kernel/keys/maxbytes", + "value": "20000\n" + }, { + "key": "maxkeys", + "source": "/proc/sys/kernel/keys/maxkeys", + "value": "200\n" + }, { + "key": "persistent_keyring_expiry", + "source": "/proc/sys/kernel/keys/persistent_keyring_expiry", + "value": "259200\n" + }, { + "key": "root_maxbytes", + "source": "/proc/sys/kernel/keys/root_maxbytes", + "value": "25000000\n" + }, { + "key": "root_maxkeys", + "source": "/proc/sys/kernel/keys/root_maxkeys", + "value": "1000000\n" + }, { + "key": 
"kptr_restrict", + "source": "/proc/sys/kernel/kptr_restrict", + "value": "1\n" + }, { + "key": "max_lock_depth", + "source": "/proc/sys/kernel/max_lock_depth", + "value": "1024\n" + }, { + "key": "max_rcu_stall_to_panic", + "source": "/proc/sys/kernel/max_rcu_stall_to_panic", + "value": "0\n" + }, { + "key": "modprobe", + "source": "/proc/sys/kernel/modprobe", + "value": "/sbin/modprobe\n" + }, { + "key": "modules_disabled", + "source": "/proc/sys/kernel/modules_disabled", + "value": "0\n" + }, { + "key": "msg_next_id", + "source": "/proc/sys/kernel/msg_next_id", + "value": "-1\n" + }, { + "key": "msgmax", + "source": "/proc/sys/kernel/msgmax", + "value": "8192\n" + }, { + "key": "msgmnb", + "source": "/proc/sys/kernel/msgmnb", + "value": "16384\n" + }, { + "key": "msgmni", + "source": "/proc/sys/kernel/msgmni", + "value": "32000\n" + }, { + "key": "ngroups_max", + "source": "/proc/sys/kernel/ngroups_max", + "value": "65536\n" + }, { + "key": "nmi_watchdog", + "source": "/proc/sys/kernel/nmi_watchdog", + "value": "0\n" + }, { + "key": "ns_last_pid", + "source": "/proc/sys/kernel/ns_last_pid", + "value": "17618\n" + }, { + "key": "numa_balancing", + "source": "/proc/sys/kernel/numa_balancing", + "value": "0\n" + }, { + "key": "oops_all_cpu_backtrace", + "source": "/proc/sys/kernel/oops_all_cpu_backtrace", + "value": "0\n" + }, { + "key": "osrelease", + "source": "/proc/sys/kernel/osrelease", + "value": "5.13.0-39-generic\n" + }, { + "key": "ostype", + "source": "/proc/sys/kernel/ostype", + "value": "Linux\n" + }, { + "key": "overflowgid", + "source": "/proc/sys/kernel/overflowgid", + "value": "65534\n" + }, { + "key": "overflowuid", + "source": "/proc/sys/kernel/overflowuid", + "value": "65534\n" + }, { + "key": "panic", + "source": "/proc/sys/kernel/panic", + "value": "10\n" + }, { + "key": "panic_on_io_nmi", + "source": "/proc/sys/kernel/panic_on_io_nmi", + "value": "0\n" + }, { + "key": "panic_on_oops", + "source": "/proc/sys/kernel/panic_on_oops", + "value": 
"1\n" + }, { + "key": "panic_on_rcu_stall", + "source": "/proc/sys/kernel/panic_on_rcu_stall", + "value": "0\n" + }, { + "key": "panic_on_unrecovered_nmi", + "source": "/proc/sys/kernel/panic_on_unrecovered_nmi", + "value": "0\n" + }, { + "key": "panic_on_warn", + "source": "/proc/sys/kernel/panic_on_warn", + "value": "0\n" + }, { + "key": "panic_print", + "source": "/proc/sys/kernel/panic_print", + "value": "0\n" + }, { + "key": "perf_cpu_time_max_percent", + "source": "/proc/sys/kernel/perf_cpu_time_max_percent", + "value": "25\n" + }, { + "key": "perf_event_max_contexts_per_stack", + "source": "/proc/sys/kernel/perf_event_max_contexts_per_stack", + "value": "8\n" + }, { + "key": "perf_event_max_sample_rate", + "source": "/proc/sys/kernel/perf_event_max_sample_rate", + "value": "100000\n" + }, { + "key": "perf_event_max_stack", + "source": "/proc/sys/kernel/perf_event_max_stack", + "value": "127\n" + }, { + "key": "perf_event_mlock_kb", + "source": "/proc/sys/kernel/perf_event_mlock_kb", + "value": "516\n" + }, { + "key": "perf_event_paranoid", + "source": "/proc/sys/kernel/perf_event_paranoid", + "value": "4\n" + }, { + "key": "pid_max", + "source": "/proc/sys/kernel/pid_max", + "value": "4194304\n" + }, { + "key": "poweroff_cmd", + "source": "/proc/sys/kernel/poweroff_cmd", + "value": "/sbin/poweroff\n" + }, { + "key": "print-fatal-signals", + "source": "/proc/sys/kernel/print-fatal-signals", + "value": "0\n" + }, { + "key": "printk", + "source": "/proc/sys/kernel/printk", + "value": "4\t4\t1\t7\n" + }, { + "key": "printk_delay", + "source": "/proc/sys/kernel/printk_delay", + "value": "0\n" + }, { + "key": "printk_devkmsg", + "source": "/proc/sys/kernel/printk_devkmsg", + "value": "on\n" + }, { + "key": "printk_ratelimit", + "source": "/proc/sys/kernel/printk_ratelimit", + "value": "5\n" + }, { + "key": "printk_ratelimit_burst", + "source": "/proc/sys/kernel/printk_ratelimit_burst", + "value": "10\n" + }, { + "key": "max", + "source": 
"/proc/sys/kernel/pty/max", + "value": "4096\n" + }, { + "key": "nr", + "source": "/proc/sys/kernel/pty/nr", + "value": "4\n" + }, { + "key": "reserve", + "source": "/proc/sys/kernel/pty/reserve", + "value": "1024\n" + }, { + "key": "boot_id", + "source": "/proc/sys/kernel/random/boot_id", + "value": "a025a04b-23a2-44b6-aa3a-2b3d3650bcbb\n" + }, { + "key": "entropy_avail", + "source": "/proc/sys/kernel/random/entropy_avail", + "value": "3806\n" + }, { + "key": "poolsize", + "source": "/proc/sys/kernel/random/poolsize", + "value": "4096\n" + }, { + "key": "urandom_min_reseed_secs", + "source": "/proc/sys/kernel/random/urandom_min_reseed_secs", + "value": "60\n" + }, { + "key": "uuid", + "source": "/proc/sys/kernel/random/uuid", + "value": "7b6b5bf9-9af4-49db-aba6-f0be1c57e2b8\n" + }, { + "key": "write_wakeup_threshold", + "source": "/proc/sys/kernel/random/write_wakeup_threshold", + "value": "896\n" + }, { + "key": "randomize_va_space", + "source": "/proc/sys/kernel/randomize_va_space", + "value": "2\n" + }, { + "key": "real-root-dev", + "source": "/proc/sys/kernel/real-root-dev", + "value": "0\n" + }, { + "key": "sched_autogroup_enabled", + "source": "/proc/sys/kernel/sched_autogroup_enabled", + "value": "1\n" + }, { + "key": "sched_cfs_bandwidth_slice_us", + "source": "/proc/sys/kernel/sched_cfs_bandwidth_slice_us", + "value": "5000\n" + }, { + "key": "sched_child_runs_first", + "source": "/proc/sys/kernel/sched_child_runs_first", + "value": "0\n" + }, { + "key": "sched_deadline_period_max_us", + "source": "/proc/sys/kernel/sched_deadline_period_max_us", + "value": "4194304\n" + }, { + "key": "sched_deadline_period_min_us", + "source": "/proc/sys/kernel/sched_deadline_period_min_us", + "value": "100\n" + }, { + "key": "sched_energy_aware", + "source": "/proc/sys/kernel/sched_energy_aware", + "value": "1\n" + }, { + "key": "sched_rr_timeslice_ms", + "source": "/proc/sys/kernel/sched_rr_timeslice_ms", + "value": "100\n" + }, { + "key": "sched_rt_period_us", + 
"source": "/proc/sys/kernel/sched_rt_period_us", + "value": "1000000\n" + }, { + "key": "sched_rt_runtime_us", + "source": "/proc/sys/kernel/sched_rt_runtime_us", + "value": "950000\n" + }, { + "key": "sched_schedstats", + "source": "/proc/sys/kernel/sched_schedstats", + "value": "0\n" + }, { + "key": "sched_util_clamp_max", + "source": "/proc/sys/kernel/sched_util_clamp_max", + "value": "1024\n" + }, { + "key": "sched_util_clamp_min", + "source": "/proc/sys/kernel/sched_util_clamp_min", + "value": "1024\n" + }, { + "key": "sched_util_clamp_min_rt_default", + "source": "/proc/sys/kernel/sched_util_clamp_min_rt_default", + "value": "1024\n" + }, { + "key": "actions_avail", + "source": "/proc/sys/kernel/seccomp/actions_avail", + "value": "kill_process kill_thread trap errno user_notif trace log allow\n" + }, { + "key": "actions_logged", + "source": "/proc/sys/kernel/seccomp/actions_logged", + "value": "kill_process kill_thread trap errno user_notif trace log\n" + }, { + "key": "sem", + "source": "/proc/sys/kernel/sem", + "value": "32000\t1024000000\t500\t32000\n" + }, { + "key": "sem_next_id", + "source": "/proc/sys/kernel/sem_next_id", + "value": "-1\n" + }, { + "key": "sg-big-buff", + "source": "/proc/sys/kernel/sg-big-buff", + "value": "32768\n" + }, { + "key": "shm_next_id", + "source": "/proc/sys/kernel/shm_next_id", + "value": "-1\n" + }, { + "key": "shm_rmid_forced", + "source": "/proc/sys/kernel/shm_rmid_forced", + "value": "0\n" + }, { + "key": "shmall", + "source": "/proc/sys/kernel/shmall", + "value": "18446744073692774399\n" + }, { + "key": "shmmax", + "source": "/proc/sys/kernel/shmmax", + "value": "18446744073692774399\n" + }, { + "key": "shmmni", + "source": "/proc/sys/kernel/shmmni", + "value": "4096\n" + }, { + "key": "soft_watchdog", + "source": "/proc/sys/kernel/soft_watchdog", + "value": "1\n" + }, { + "key": "softlockup_all_cpu_backtrace", + "source": "/proc/sys/kernel/softlockup_all_cpu_backtrace", + "value": "0\n" + }, { + "key": 
"softlockup_panic", + "source": "/proc/sys/kernel/softlockup_panic", + "value": "0\n" + }, { + "key": "stack_tracer_enabled", + "source": "/proc/sys/kernel/stack_tracer_enabled", + "value": "0\n" + }, { + "key": "sysctl_writes_strict", + "source": "/proc/sys/kernel/sysctl_writes_strict", + "value": "1\n" + }, { + "key": "sysrq", + "source": "/proc/sys/kernel/sysrq", + "value": "176\n" + }, { + "key": "tainted", + "source": "/proc/sys/kernel/tainted", + "value": "12288\n" + }, { + "key": "threads-max", + "source": "/proc/sys/kernel/threads-max", + "value": "80984\n" + }, { + "key": "timer_migration", + "source": "/proc/sys/kernel/timer_migration", + "value": "1\n" + }, { + "key": "traceoff_on_warning", + "source": "/proc/sys/kernel/traceoff_on_warning", + "value": "0\n" + }, { + "key": "tracepoint_printk", + "source": "/proc/sys/kernel/tracepoint_printk", + "value": "0\n" + }, { + "key": "unknown_nmi_panic", + "source": "/proc/sys/kernel/unknown_nmi_panic", + "value": "0\n" + }, { + "key": "unprivileged_bpf_disabled", + "source": "/proc/sys/kernel/unprivileged_bpf_disabled", + "value": "2\n" + }, { + "key": "unprivileged_userns_apparmor_policy", + "source": "/proc/sys/kernel/unprivileged_userns_apparmor_policy", + "value": "1\n" + }, { + "key": "unprivileged_userns_clone", + "source": "/proc/sys/kernel/unprivileged_userns_clone", + "value": "1\n" + }, { + "key": "bset", + "source": "/proc/sys/kernel/usermodehelper/bset", + "value": "4294967295\t511\n" + }, { + "key": "inheritable", + "source": "/proc/sys/kernel/usermodehelper/inheritable", + "value": "4294967295\t511\n" + }, { + "key": "version", + "source": "/proc/sys/kernel/version", + "value": "#44~20.04.1-Ubuntu SMP Thu Mar 24 16:43:35 UTC 2022\n" + }, { + "key": "watchdog", + "source": "/proc/sys/kernel/watchdog", + "value": "1\n" + }, { + "key": "watchdog_cpumask", + "source": "/proc/sys/kernel/watchdog_cpumask", + "value": "0-3\n" + }, { + "key": "watchdog_thresh", + "source": 
"/proc/sys/kernel/watchdog_thresh", + "value": "10\n" + }, { + "key": "ptrace_scope", + "source": "/proc/sys/kernel/yama/ptrace_scope", + "value": "1\n" + }], + "kind": "LinuxKernelVariables", + "metadata": { + "name": "minikube" + } +} \ No newline at end of file diff --git a/rules/CVE-2022-0185/test/test/input/node.json b/rules/CVE-2022-0185/test/test_generic_fail/input/node.json similarity index 100% rename from rules/CVE-2022-0185/test/test/input/node.json rename to rules/CVE-2022-0185/test/test_generic_fail/input/node.json diff --git a/rules/CVE-2022-0492/test/no_new_privs_pass/expected.json b/rules/CVE-2022-0185/test/test_generic_pass/expected.json similarity index 100% rename from rules/CVE-2022-0492/test/no_new_privs_pass/expected.json rename to rules/CVE-2022-0185/test/test_generic_pass/expected.json diff --git a/rules/CVE-2022-0185/test/test_generic_pass/input/kernelvars.json b/rules/CVE-2022-0185/test/test_generic_pass/input/kernelvars.json new file mode 100644 index 000000000..bc5569e94 --- /dev/null +++ b/rules/CVE-2022-0185/test/test_generic_pass/input/kernelvars.json 
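Review bot: This fail fixture and the test_generic_pass/input/kernelvars.json hunk that follows are copies of the same 536-line host dump that differ only in the `unprivileged_userns_clone` entry (`"value": "1\n"` here, `"value": "0\n"` in the pass fixture), with `osrelease` left at `5.13.0-39-generic` in both; so, as far as these two files show, the pass case exercises only the user-namespace mitigation, and whether the pass node.json also carries a patched `kernelVersion` is not visible in this hunk. A one-line note in each test directory (or a trimmed fixture holding just the keys the rule reads, `osrelease` and `unprivileged_userns_clone`) would make it clear which condition each case is meant to cover and keep the two fixtures from silently drifting apart on the other 130-odd entries. Both files end with `\ No newline at end of file`; adding the final newline avoids noisy diffs the next time either fixture is regenerated.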
@@ -0,0 +1,536 @@ +{ + "apiVersion": "hostdata.kubescape.cloud/v1beta0", + "data": [{ + "key": "acct", + "source": "/proc/sys/kernel/acct", + "value": "4\t2\t30\n" + }, { + "key": "acpi_video_flags", + "source": "/proc/sys/kernel/acpi_video_flags", + "value": "0\n" + }, { + "key": "apparmor_display_secid_mode", + "source": "/proc/sys/kernel/apparmor_display_secid_mode", + "value": "0\n" + }, { + "key": "auto_msgmni", + "source": "/proc/sys/kernel/auto_msgmni", + "value": "0\n" + }, { + "key": "bootloader_type", + "source": "/proc/sys/kernel/bootloader_type", + "value": "114\n" + }, { + "key": "bootloader_version", + "source": "/proc/sys/kernel/bootloader_version", + "value": "2\n" + }, { + "key": "bpf_stats_enabled", + "source": "/proc/sys/kernel/bpf_stats_enabled", + "value": "0\n" + }, { + "key": "cad_pid", + "source": "/proc/sys/kernel/cad_pid", + "value": "0\n" + }, { + "key": "cap_last_cap", + "source": "/proc/sys/kernel/cap_last_cap", + "value": "40\n" + }, { + "key": "core_pattern", + "source": "/proc/sys/kernel/core_pattern", + "value": "|/usr/share/apport/apport %p %s %c %d %P %E\n" + }, { + "key": "core_pipe_limit", + "source": "/proc/sys/kernel/core_pipe_limit", + "value": "0\n" + }, { + "key": "core_uses_pid", + "source": "/proc/sys/kernel/core_uses_pid", + "value": "0\n" + }, { + "key": "ctrl-alt-del", + "source": "/proc/sys/kernel/ctrl-alt-del", + "value": "0\n" + }, { + "key": "dmesg_restrict", + "source": "/proc/sys/kernel/dmesg_restrict", + "value": "0\n" + }, { + "key": "domainname", + "source": "/proc/sys/kernel/domainname", + "value": "(none)\n" + }, { + "key": "force_sysfs_fallback", + "source": "/proc/sys/kernel/firmware_config/force_sysfs_fallback", + "value": "0\n" + }, { + "key": "ignore_sysfs_fallback", + "source": "/proc/sys/kernel/firmware_config/ignore_sysfs_fallback", + "value": "0\n" + }, { + "key": "ftrace_dump_on_oops", + "source": "/proc/sys/kernel/ftrace_dump_on_oops", + "value": "0\n" + }, { + "key": "ftrace_enabled", + "source": 
"/proc/sys/kernel/ftrace_enabled", + "value": "1\n" + }, { + "key": "hardlockup_all_cpu_backtrace", + "source": "/proc/sys/kernel/hardlockup_all_cpu_backtrace", + "value": "0\n" + }, { + "key": "hardlockup_panic", + "source": "/proc/sys/kernel/hardlockup_panic", + "value": "0\n" + }, { + "key": "hostname", + "source": "/proc/sys/kernel/hostname", + "value": "minikube\n" + }, { + "key": "hotplug", + "source": "/proc/sys/kernel/hotplug", + "value": "\n" + }, { + "key": "hung_task_all_cpu_backtrace", + "source": "/proc/sys/kernel/hung_task_all_cpu_backtrace", + "value": "0\n" + }, { + "key": "hung_task_check_count", + "source": "/proc/sys/kernel/hung_task_check_count", + "value": "4194304\n" + }, { + "key": "hung_task_check_interval_secs", + "source": "/proc/sys/kernel/hung_task_check_interval_secs", + "value": "0\n" + }, { + "key": "hung_task_panic", + "source": "/proc/sys/kernel/hung_task_panic", + "value": "0\n" + }, { + "key": "hung_task_timeout_secs", + "source": "/proc/sys/kernel/hung_task_timeout_secs", + "value": "120\n" + }, { + "key": "hung_task_warnings", + "source": "/proc/sys/kernel/hung_task_warnings", + "value": "10\n" + }, { + "key": "io_delay_type", + "source": "/proc/sys/kernel/io_delay_type", + "value": "1\n" + }, { + "key": "kexec_load_disabled", + "source": "/proc/sys/kernel/kexec_load_disabled", + "value": "0\n" + }, { + "key": "gc_delay", + "source": "/proc/sys/kernel/keys/gc_delay", + "value": "300\n" + }, { + "key": "maxbytes", + "source": "/proc/sys/kernel/keys/maxbytes", + "value": "20000\n" + }, { + "key": "maxkeys", + "source": "/proc/sys/kernel/keys/maxkeys", + "value": "200\n" + }, { + "key": "persistent_keyring_expiry", + "source": "/proc/sys/kernel/keys/persistent_keyring_expiry", + "value": "259200\n" + }, { + "key": "root_maxbytes", + "source": "/proc/sys/kernel/keys/root_maxbytes", + "value": "25000000\n" + }, { + "key": "root_maxkeys", + "source": "/proc/sys/kernel/keys/root_maxkeys", + "value": "1000000\n" + }, { + "key": 
"kptr_restrict", + "source": "/proc/sys/kernel/kptr_restrict", + "value": "1\n" + }, { + "key": "max_lock_depth", + "source": "/proc/sys/kernel/max_lock_depth", + "value": "1024\n" + }, { + "key": "max_rcu_stall_to_panic", + "source": "/proc/sys/kernel/max_rcu_stall_to_panic", + "value": "0\n" + }, { + "key": "modprobe", + "source": "/proc/sys/kernel/modprobe", + "value": "/sbin/modprobe\n" + }, { + "key": "modules_disabled", + "source": "/proc/sys/kernel/modules_disabled", + "value": "0\n" + }, { + "key": "msg_next_id", + "source": "/proc/sys/kernel/msg_next_id", + "value": "-1\n" + }, { + "key": "msgmax", + "source": "/proc/sys/kernel/msgmax", + "value": "8192\n" + }, { + "key": "msgmnb", + "source": "/proc/sys/kernel/msgmnb", + "value": "16384\n" + }, { + "key": "msgmni", + "source": "/proc/sys/kernel/msgmni", + "value": "32000\n" + }, { + "key": "ngroups_max", + "source": "/proc/sys/kernel/ngroups_max", + "value": "65536\n" + }, { + "key": "nmi_watchdog", + "source": "/proc/sys/kernel/nmi_watchdog", + "value": "0\n" + }, { + "key": "ns_last_pid", + "source": "/proc/sys/kernel/ns_last_pid", + "value": "17618\n" + }, { + "key": "numa_balancing", + "source": "/proc/sys/kernel/numa_balancing", + "value": "0\n" + }, { + "key": "oops_all_cpu_backtrace", + "source": "/proc/sys/kernel/oops_all_cpu_backtrace", + "value": "0\n" + }, { + "key": "osrelease", + "source": "/proc/sys/kernel/osrelease", + "value": "5.13.0-39-generic\n" + }, { + "key": "ostype", + "source": "/proc/sys/kernel/ostype", + "value": "Linux\n" + }, { + "key": "overflowgid", + "source": "/proc/sys/kernel/overflowgid", + "value": "65534\n" + }, { + "key": "overflowuid", + "source": "/proc/sys/kernel/overflowuid", + "value": "65534\n" + }, { + "key": "panic", + "source": "/proc/sys/kernel/panic", + "value": "10\n" + }, { + "key": "panic_on_io_nmi", + "source": "/proc/sys/kernel/panic_on_io_nmi", + "value": "0\n" + }, { + "key": "panic_on_oops", + "source": "/proc/sys/kernel/panic_on_oops", + "value": 
"1\n" + }, { + "key": "panic_on_rcu_stall", + "source": "/proc/sys/kernel/panic_on_rcu_stall", + "value": "0\n" + }, { + "key": "panic_on_unrecovered_nmi", + "source": "/proc/sys/kernel/panic_on_unrecovered_nmi", + "value": "0\n" + }, { + "key": "panic_on_warn", + "source": "/proc/sys/kernel/panic_on_warn", + "value": "0\n" + }, { + "key": "panic_print", + "source": "/proc/sys/kernel/panic_print", + "value": "0\n" + }, { + "key": "perf_cpu_time_max_percent", + "source": "/proc/sys/kernel/perf_cpu_time_max_percent", + "value": "25\n" + }, { + "key": "perf_event_max_contexts_per_stack", + "source": "/proc/sys/kernel/perf_event_max_contexts_per_stack", + "value": "8\n" + }, { + "key": "perf_event_max_sample_rate", + "source": "/proc/sys/kernel/perf_event_max_sample_rate", + "value": "100000\n" + }, { + "key": "perf_event_max_stack", + "source": "/proc/sys/kernel/perf_event_max_stack", + "value": "127\n" + }, { + "key": "perf_event_mlock_kb", + "source": "/proc/sys/kernel/perf_event_mlock_kb", + "value": "516\n" + }, { + "key": "perf_event_paranoid", + "source": "/proc/sys/kernel/perf_event_paranoid", + "value": "4\n" + }, { + "key": "pid_max", + "source": "/proc/sys/kernel/pid_max", + "value": "4194304\n" + }, { + "key": "poweroff_cmd", + "source": "/proc/sys/kernel/poweroff_cmd", + "value": "/sbin/poweroff\n" + }, { + "key": "print-fatal-signals", + "source": "/proc/sys/kernel/print-fatal-signals", + "value": "0\n" + }, { + "key": "printk", + "source": "/proc/sys/kernel/printk", + "value": "4\t4\t1\t7\n" + }, { + "key": "printk_delay", + "source": "/proc/sys/kernel/printk_delay", + "value": "0\n" + }, { + "key": "printk_devkmsg", + "source": "/proc/sys/kernel/printk_devkmsg", + "value": "on\n" + }, { + "key": "printk_ratelimit", + "source": "/proc/sys/kernel/printk_ratelimit", + "value": "5\n" + }, { + "key": "printk_ratelimit_burst", + "source": "/proc/sys/kernel/printk_ratelimit_burst", + "value": "10\n" + }, { + "key": "max", + "source": 
"/proc/sys/kernel/pty/max", + "value": "4096\n" + }, { + "key": "nr", + "source": "/proc/sys/kernel/pty/nr", + "value": "4\n" + }, { + "key": "reserve", + "source": "/proc/sys/kernel/pty/reserve", + "value": "1024\n" + }, { + "key": "boot_id", + "source": "/proc/sys/kernel/random/boot_id", + "value": "a025a04b-23a2-44b6-aa3a-2b3d3650bcbb\n" + }, { + "key": "entropy_avail", + "source": "/proc/sys/kernel/random/entropy_avail", + "value": "3806\n" + }, { + "key": "poolsize", + "source": "/proc/sys/kernel/random/poolsize", + "value": "4096\n" + }, { + "key": "urandom_min_reseed_secs", + "source": "/proc/sys/kernel/random/urandom_min_reseed_secs", + "value": "60\n" + }, { + "key": "uuid", + "source": "/proc/sys/kernel/random/uuid", + "value": "7b6b5bf9-9af4-49db-aba6-f0be1c57e2b8\n" + }, { + "key": "write_wakeup_threshold", + "source": "/proc/sys/kernel/random/write_wakeup_threshold", + "value": "896\n" + }, { + "key": "randomize_va_space", + "source": "/proc/sys/kernel/randomize_va_space", + "value": "2\n" + }, { + "key": "real-root-dev", + "source": "/proc/sys/kernel/real-root-dev", + "value": "0\n" + }, { + "key": "sched_autogroup_enabled", + "source": "/proc/sys/kernel/sched_autogroup_enabled", + "value": "1\n" + }, { + "key": "sched_cfs_bandwidth_slice_us", + "source": "/proc/sys/kernel/sched_cfs_bandwidth_slice_us", + "value": "5000\n" + }, { + "key": "sched_child_runs_first", + "source": "/proc/sys/kernel/sched_child_runs_first", + "value": "0\n" + }, { + "key": "sched_deadline_period_max_us", + "source": "/proc/sys/kernel/sched_deadline_period_max_us", + "value": "4194304\n" + }, { + "key": "sched_deadline_period_min_us", + "source": "/proc/sys/kernel/sched_deadline_period_min_us", + "value": "100\n" + }, { + "key": "sched_energy_aware", + "source": "/proc/sys/kernel/sched_energy_aware", + "value": "1\n" + }, { + "key": "sched_rr_timeslice_ms", + "source": "/proc/sys/kernel/sched_rr_timeslice_ms", + "value": "100\n" + }, { + "key": "sched_rt_period_us", + 
"source": "/proc/sys/kernel/sched_rt_period_us", + "value": "1000000\n" + }, { + "key": "sched_rt_runtime_us", + "source": "/proc/sys/kernel/sched_rt_runtime_us", + "value": "950000\n" + }, { + "key": "sched_schedstats", + "source": "/proc/sys/kernel/sched_schedstats", + "value": "0\n" + }, { + "key": "sched_util_clamp_max", + "source": "/proc/sys/kernel/sched_util_clamp_max", + "value": "1024\n" + }, { + "key": "sched_util_clamp_min", + "source": "/proc/sys/kernel/sched_util_clamp_min", + "value": "1024\n" + }, { + "key": "sched_util_clamp_min_rt_default", + "source": "/proc/sys/kernel/sched_util_clamp_min_rt_default", + "value": "1024\n" + }, { + "key": "actions_avail", + "source": "/proc/sys/kernel/seccomp/actions_avail", + "value": "kill_process kill_thread trap errno user_notif trace log allow\n" + }, { + "key": "actions_logged", + "source": "/proc/sys/kernel/seccomp/actions_logged", + "value": "kill_process kill_thread trap errno user_notif trace log\n" + }, { + "key": "sem", + "source": "/proc/sys/kernel/sem", + "value": "32000\t1024000000\t500\t32000\n" + }, { + "key": "sem_next_id", + "source": "/proc/sys/kernel/sem_next_id", + "value": "-1\n" + }, { + "key": "sg-big-buff", + "source": "/proc/sys/kernel/sg-big-buff", + "value": "32768\n" + }, { + "key": "shm_next_id", + "source": "/proc/sys/kernel/shm_next_id", + "value": "-1\n" + }, { + "key": "shm_rmid_forced", + "source": "/proc/sys/kernel/shm_rmid_forced", + "value": "0\n" + }, { + "key": "shmall", + "source": "/proc/sys/kernel/shmall", + "value": "18446744073692774399\n" + }, { + "key": "shmmax", + "source": "/proc/sys/kernel/shmmax", + "value": "18446744073692774399\n" + }, { + "key": "shmmni", + "source": "/proc/sys/kernel/shmmni", + "value": "4096\n" + }, { + "key": "soft_watchdog", + "source": "/proc/sys/kernel/soft_watchdog", + "value": "1\n" + }, { + "key": "softlockup_all_cpu_backtrace", + "source": "/proc/sys/kernel/softlockup_all_cpu_backtrace", + "value": "0\n" + }, { + "key": 
"softlockup_panic", + "source": "/proc/sys/kernel/softlockup_panic", + "value": "0\n" + }, { + "key": "stack_tracer_enabled", + "source": "/proc/sys/kernel/stack_tracer_enabled", + "value": "0\n" + }, { + "key": "sysctl_writes_strict", + "source": "/proc/sys/kernel/sysctl_writes_strict", + "value": "1\n" + }, { + "key": "sysrq", + "source": "/proc/sys/kernel/sysrq", + "value": "176\n" + }, { + "key": "tainted", + "source": "/proc/sys/kernel/tainted", + "value": "12288\n" + }, { + "key": "threads-max", + "source": "/proc/sys/kernel/threads-max", + "value": "80984\n" + }, { + "key": "timer_migration", + "source": "/proc/sys/kernel/timer_migration", + "value": "1\n" + }, { + "key": "traceoff_on_warning", + "source": "/proc/sys/kernel/traceoff_on_warning", + "value": "0\n" + }, { + "key": "tracepoint_printk", + "source": "/proc/sys/kernel/tracepoint_printk", + "value": "0\n" + }, { + "key": "unknown_nmi_panic", + "source": "/proc/sys/kernel/unknown_nmi_panic", + "value": "0\n" + }, { + "key": "unprivileged_bpf_disabled", + "source": "/proc/sys/kernel/unprivileged_bpf_disabled", + "value": "2\n" + }, { + "key": "unprivileged_userns_apparmor_policy", + "source": "/proc/sys/kernel/unprivileged_userns_apparmor_policy", + "value": "1\n" + }, { + "key": "unprivileged_userns_clone", + "source": "/proc/sys/kernel/unprivileged_userns_clone", + "value": "0\n" + }, { + "key": "bset", + "source": "/proc/sys/kernel/usermodehelper/bset", + "value": "4294967295\t511\n" + }, { + "key": "inheritable", + "source": "/proc/sys/kernel/usermodehelper/inheritable", + "value": "4294967295\t511\n" + }, { + "key": "version", + "source": "/proc/sys/kernel/version", + "value": "#44~20.04.1-Ubuntu SMP Thu Mar 24 16:43:35 UTC 2022\n" + }, { + "key": "watchdog", + "source": "/proc/sys/kernel/watchdog", + "value": "1\n" + }, { + "key": "watchdog_cpumask", + "source": "/proc/sys/kernel/watchdog_cpumask", + "value": "0-3\n" + }, { + "key": "watchdog_thresh", + "source": 
"/proc/sys/kernel/watchdog_thresh", + "value": "10\n" + }, { + "key": "ptrace_scope", + "source": "/proc/sys/kernel/yama/ptrace_scope", + "value": "1\n" + }], + "kind": "LinuxKernelVariables", + "metadata": { + "name": "minikube" + } +} \ No newline at end of file diff --git a/rules/CVE-2022-0185/test/test_generic_pass/input/node.json b/rules/CVE-2022-0185/test/test_generic_pass/input/node.json new file mode 100644 index 000000000..b483df64f --- /dev/null +++ b/rules/CVE-2022-0185/test/test_generic_pass/input/node.json 
@@ -0,0 +1,264 @@
+{
+ "apiVersion": "v1",
+ "kind": "Node",
+ "metadata": {
+ "annotations": {
+ "kubeadm.alpha.kubernetes.io/cri-socket": "/var/run/dockershim.sock",
+ "node.alpha.kubernetes.io/ttl": "0",
+ "volumes.kubernetes.io/controller-managed-attach-detach": "true"
+ },
+ "creationTimestamp": "2022-04-26T05:54:17Z",
+ "labels": {
+ "beta.kubernetes.io/arch": "amd64",
+ "beta.kubernetes.io/os": "linux",
+ "kubernetes.io/arch": "amd64",
+ "kubernetes.io/hostname": "minikube",
+ "kubernetes.io/os": "linux",
+ "minikube.k8s.io/commit": "3e64b11ed75e56e4898ea85f96b2e4af0301f43d",
+ "minikube.k8s.io/name": "minikube",
+ "minikube.k8s.io/updated_at": "2022_04_26T08_54_20_0700",
+ "minikube.k8s.io/version": "v1.25.1",
+ "node-role.kubernetes.io/control-plane": "",
+ "node-role.kubernetes.io/master": "",
+ "node.kubernetes.io/exclude-from-external-load-balancers": ""
+ },
+ "managedFields": [{
+ "apiVersion": "v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:metadata": {
+ "f:annotations": {
+ ".": {},
+ "f:kubeadm.alpha.kubernetes.io/cri-socket": {},
+ "f:volumes.kubernetes.io/controller-managed-attach-detach": {}
+ },
+ "f:labels": {
+ ".": {},
+ "f:beta.kubernetes.io/arch": {},
+ "f:beta.kubernetes.io/os": {},
+ "f:kubernetes.io/arch": {},
+ "f:kubernetes.io/hostname": {},
+ "f:kubernetes.io/os": {},
+ "f:node-role.kubernetes.io/control-plane": {},
+ "f:node-role.kubernetes.io/master": {},
+ "f:node.kubernetes.io/exclude-from-external-load-balancers": {}
+ }
+ }
+ },
+ "manager": "Go-http-client",
+ "operation": "Update",
+ "time": "2022-04-26T05:54:20Z"
+ }, {
+ "apiVersion": "v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:metadata": {
+ "f:labels": {
+ "f:minikube.k8s.io/commit": {},
+ "f:minikube.k8s.io/name": {},
+ "f:minikube.k8s.io/updated_at": {},
+ "f:minikube.k8s.io/version": {}
+ }
+ }
+ },
+ "manager": "kubectl-label",
+ "operation": "Update",
+ "time": "2022-04-26T05:54:21Z"
+ }, {
+ "apiVersion": "v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:status": {
+ "f:conditions": {
+ "k:{\"type\":\"DiskPressure\"}": {
+ "f:lastHeartbeatTime": {}
+ },
+ "k:{\"type\":\"MemoryPressure\"}": {
+ "f:lastHeartbeatTime": {}
+ },
+ "k:{\"type\":\"PIDPressure\"}": {
+ "f:lastHeartbeatTime": {}
+ },
+ "k:{\"type\":\"Ready\"}": {
+ "f:lastHeartbeatTime": {},
+ "f:lastTransitionTime": {},
+ "f:message": {},
+ "f:reason": {},
+ "f:status": {}
+ }
+ }
+ }
+ },
+ "manager": "Go-http-client",
+ "operation": "Update",
+ "subresource": "status",
+ "time": "2022-04-26T05:54:31Z"
+ }, {
+ "apiVersion": "v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:metadata": {
+ "f:annotations": {
+ "f:node.alpha.kubernetes.io/ttl": {}
+ }
+ },
+ "f:spec": {
+ "f:podCIDR": {},
+ "f:podCIDRs": {
+ ".": {},
+ "v:\"10.244.0.0/24\"": {}
+ }
+ }
+ },
+ "manager": "kube-controller-manager",
+ "operation": "Update",
+ "time": "2022-04-26T05:54:33Z"
+ }],
+ "name": "minikube",
+ "resourceVersion": "4245",
+ "uid": "5a3a25d4-b1e5-42d3-a533-4d36f084314e"
+ },
+ "spec": {
+ "podCIDR": "10.244.0.0/24",
+ "podCIDRs": ["10.244.0.0/24"]
+ },
+ "status": {
+ "addresses": [{
+ "address": "192.168.49.2",
+ "type": "InternalIP"
+ }, {
+ "address": "minikube",
+ "type": "Hostname"
+ }],
+ "allocatable": {
+ "cpu": "4",
+ "ephemeral-storage": "94850516Ki",
+ "hugepages-2Mi": "0",
+ "memory": "10432976Ki",
+ "pods": "110"
+ },
+ "capacity": {
+ "cpu": "4",
+ "ephemeral-storage": "94850516Ki",
+ "hugepages-2Mi": "0",
+ "memory": "10432976Ki",
+ "pods": "110"
+ },
+ "conditions": [{
+ "lastHeartbeatTime": "2022-04-26T07:21:25Z",
+ "lastTransitionTime": "2022-04-26T05:54:14Z",
+ "message": "kubelet has sufficient memory available",
+ "reason": "KubeletHasSufficientMemory",
+ "status": "False",
+ "type": "MemoryPressure"
+ }, {
+ "lastHeartbeatTime": "2022-04-26T07:21:25Z",
+ "lastTransitionTime": "2022-04-26T05:54:14Z",
+ "message": "kubelet has no disk pressure",
+ "reason": "KubeletHasNoDiskPressure",
+ "status": "False",
+ "type": "DiskPressure"
+ }, {
+ "lastHeartbeatTime": "2022-04-26T07:21:25Z",
+ "lastTransitionTime": "2022-04-26T05:54:14Z",
+ "message": "kubelet has sufficient PID available",
+ "reason": "KubeletHasSufficientPID",
+ "status": "False",
+ "type": "PIDPressure"
+ }, {
+ "lastHeartbeatTime": "2022-04-26T07:21:25Z",
+ "lastTransitionTime": "2022-04-26T05:54:31Z",
+ "message": "kubelet is posting ready status",
+ "reason": "KubeletReady",
+ "status": "True",
+ "type": "Ready"
+ }],
+ "daemonEndpoints": {
+ "kubeletEndpoint": {
+ "Port": 10250
+ }
+ },
+ "images": [{
+ "names": ["quay.io/armosec/k8s-ca-vuln-scan-ubi@sha256:275fa8a7a1e58cbd3c94bbf6c6a423970d6b44c5355021f2a7ca937563c26593", "quay.io/armosec/k8s-ca-vuln-scan-ubi:127"],
+ "sizeBytes": 1018599142
+ }, {
+ "names": ["gcr.io/google-samples/node-hello@sha256:d238d0ab54efb76ec0f7b1da666cefa9b40be59ef34346a761b8adc2dd45459b", "gcr.io/google-samples/node-hello:1.0"],
+ "sizeBytes": 643762709
+ }, {
+ "names": ["requarks/wiki@sha256:dd83fff15e77843ff934b25c28c865ac000edf7653e5d11adad1dd51df87439d"],
+ "sizeBytes": 441083858
+ }, {
+ "names": ["mariadb@sha256:821d0411208eaa88f9e1f0daccd1d534f88d19baf724eb9a2777cbedb10b6c66"],
+ "sizeBytes": 400782682
+ }, {
+ "names": ["k8s.gcr.io/etcd@sha256:64b9ea357325d5db9f8a723dcf503b5a449177b17ac87d69481e126bb724c263", "k8s.gcr.io/etcd:3.5.1-0"],
+ "sizeBytes": 292558922
+ }, {
+ "names": ["kubernetesui/dashboard@sha256:ec27f462cf1946220f5a9ace416a84a57c18f98c777876a8054405d1428cc92e", "kubernetesui/dashboard:v2.3.1"],
+ "sizeBytes": 220033604
+ }, {
+ "names": ["httpd@sha256:94cd479f4875e3e0fba620baf7a0e9353e15783368f4f74b9ea5bdc729b3f366", "httpd:2.4"],
+ "sizeBytes": 143610390
+ }, {
+ "names": ["quay.io/armosec/k8s-ca-dashboard-aggregator-ubi@sha256:5dd4c701070c0168dda6bf4932f2752212a6b8f9d70c0fa15f10f29d82ed460a", "quay.io/armosec/k8s-ca-dashboard-aggregator-ubi:185"],
+ "sizeBytes": 138395979
+ }, {
+ "names": ["k8s.gcr.io/kube-apiserver@sha256:f54681a71cce62cbc1b13ebb3dbf1d880f849112789811f98b6aebd2caa2f255", "k8s.gcr.io/kube-apiserver:v1.23.1"],
+ "sizeBytes": 135162256
+ }, {
+ "names": ["k8s.gcr.io/kube-controller-manager@sha256:a7ed87380108a2d811f0d392a3fe87546c85bc366e0d1e024dfa74eb14468604", "k8s.gcr.io/kube-controller-manager:v1.23.1"],
+ "sizeBytes": 124971684
+ }, {
+ "names": ["k8s.gcr.io/kube-proxy@sha256:e40f3a28721588affcf187f3f246d1e078157dabe274003eaa2957a83f7170c8", "k8s.gcr.io/kube-proxy:v1.23.1"],
+ "sizeBytes": 112327826
+ }, {
+ "names": ["quay.io/armosec/notification-server-ubi@sha256:4fc284ba63683e00468b92db20f51c1209ae475a6d0bd53c1b025964876d0eea", "quay.io/armosec/notification-server-ubi:89"],
+ "sizeBytes": 109413165
+ }, {
+ "names": ["nginx@sha256:f7988fb6c02e0ce69257d9bd9cf37ae20a60f1df7563c3a2a6abe24160306b8d"],
+ "sizeBytes": 109129446
+ }, {
+ "names": ["quay.io/armosec/kubescape@sha256:b76503638466be6a9b988890202fa00de0e8806819a4a4438328e50abdac270c", "quay.io/armosec/kubescape:v2.0.149"],
+ "sizeBytes": 55122796
+ }, {
+ "names": ["k8s.gcr.io/kube-scheduler@sha256:8be4eb1593cf9ff2d91b44596633b7815a3753696031a1eb4273d1b39427fa8c", "k8s.gcr.io/kube-scheduler:v1.23.1"],
+ "sizeBytes": 53488305
+ }, {
+ "names": ["k8s.gcr.io/coredns/coredns@sha256:5b6ec0d6de9baaf3e92d0f66cd96a25b9edbce8716f5f15dcd1a616b3abd590e", "k8s.gcr.io/coredns/coredns:v1.8.6"],
+ "sizeBytes": 46829283
+ }, {
+ "names": ["quay.io/armosec/k8s-ca-websocket-ubi@sha256:a5eba54aeada7d995f83356dcabb6c505e3922016d29246fa0e8a3c179533861", "quay.io/armosec/k8s-ca-websocket-ubi:458"],
+ "sizeBytes": 45050289
+ }, {
+ "names": ["kubernetesui/metrics-scraper@sha256:36d5b3f60e1a144cc5ada820910535074bdf5cf73fb70d1ff1681537eef4e172", "kubernetesui/metrics-scraper:v1.0.7"],
+ "sizeBytes": 34446077
+ }, {
+ "names": ["gcr.io/k8s-minikube/storage-provisioner@sha256:18eb69d1418e854ad5a19e399310e52808a8321e4c441c1dddad8977a0d7a944", "gcr.io/k8s-minikube/storage-provisioner:v5"],
+ "sizeBytes": 31465472
+ }, {
+ "names": ["quay.io/armosec/kube-host-sensor@sha256:b592a099c72c5f7ccc9da011b9c9f3297e7a60f5910a20f994c9dfa6142d9204"],
+ "sizeBytes": 11807596
+ }, {
+ "names": ["quay.io/armosec/kube-host-sensor@sha256:82139d2561039726be060df2878ef023c59df7c536fbd7f6d766af5a99569fee", "quay.io/armosec/kube-host-sensor:latest"],
+ "sizeBytes": 11796788
+ }, {
+ "names": ["busybox@sha256:caa382c432891547782ce7140fb3b7304613d3b0438834dce1cad68896ab110a", "busybox:latest"],
+ "sizeBytes": 1239748
+ }, {
+ "names": ["k8s.gcr.io/pause@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db", "k8s.gcr.io/pause:3.6"],
+ "sizeBytes": 682696
+ }],
+ "nodeInfo": {
+ "architecture": "amd64",
+ "bootID": "a025a04b-23a2-44b6-aa3a-2b3d3650bcbb",
+ "containerRuntimeVersion": "docker://20.10.12",
+ "kernelVersion": "5.13.0-39-generic",
+ "kubeProxyVersion": "v1.23.1",
+ "kubeletVersion": "v1.23.1",
+ "machineID": "8de776e053e140d6a14c2d2def3d6bb8",
+ "operatingSystem": "linux",
+ "osImage": "Ubuntu 20.04.2 LTS",
+ "systemUUID": "8d013ac0-0dbc-4c34-b2bd-0365fd0fd31c"
+ }
+ }
+}
\ No newline at end of file
diff --git a/rules/CVE-2022-0492/raw.rego b/rules/CVE-2022-0492/raw.rego
deleted file mode 100644
index 64c2a42bb..000000000
--- a/rules/CVE-2022-0492/raw.rego
+++ /dev/null
@@ -1,377 +0,0 @@
-package armo_builtins
-
-
-# Case 1:
-# - Container runs as root OR allows privilege escalation (allowPrivilegeEscalation = true or not present), AND
-# - No AppArmor , AND
-# - No SELinux, AND
-# - No Seccomp
-# If container is privileged or has CAP_SYS_ADMIN, don't fail
-
-deny[msga] {
- pod := input[_]
- pod.kind == "Pod"
- container := pod.spec.containers[i]
-
- # Path to send
- start_of_path := "spec"
-
- # If container is privileged or has CAP_SYS_ADMIN, pass
- not container.securityContext.privileged == true
- not is_cap_sys_admin(container, start_of_path)
-
-
- is_no_SELinux_No_AppArmor_Pod(pod)
- is_no_seccomp_pod(pod)
-
- is_no_SELinux_container(container)
- is_no_Seccomp_Container(container)
-
- # Check if is running as root
- alertInfo := evaluate_workload_non_root_container(container, pod, start_of_path)
-
- # CAP_DAC_OVERRIDE will fail on second check
- not isCAP_DAC_OVERRIDE(container, start_of_path, i)
-
- # Get paths
- fixPath := get_fixed_path(alertInfo, i)
- failed_path := get_failed_path(alertInfo, i)
-
-
- msga := {
- "alertMessage": "You may be vulnerable to CVE-2022-0492",
- "packagename": "armo_builtins",
- "alertScore": 4,
- "reviewPaths": failed_path,
- "failedPaths": failed_path,
- "fixPaths": fixPath,
- "alertObject": {
- "k8sApiObjects": [pod]
- }
- }
-}
-
-deny[msga] {
- wl := input[_]
- spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
- spec_template_spec_patterns[wl.kind]
- start_of_path := "spec.template.spec"
-
- pod := wl.spec.template
- container := pod.spec.containers[i]
-
- # If container is privileged or has CAP_SYS_ADMIN, pass
- not container.securityContext.privileged == true
- not is_cap_sys_admin(container, start_of_path)
-
-
- is_no_SELinux_No_AppArmor_Pod(pod)
- is_no_seccomp_pod(pod)
-
- is_no_SELinux_container(container)
- is_no_Seccomp_Container(container)
-
- # Check if is running as root
- alertInfo := evaluate_workload_non_root_container(container, pod, start_of_path)
-
- # CAP_DAC_OVERRIDE will fail on second check
- not isCAP_DAC_OVERRIDE(container, start_of_path, i)
-
- # Get paths
- fixPath := get_fixed_path(alertInfo, i)
- failed_path := get_failed_path(alertInfo, i)
-
-
- msga := {
- "alertMessage": "You may be vulnerable to CVE-2022-0492",
- "packagename": "armo_builtins",
- "alertScore": 4,
- "reviewPaths": failed_path,
- "failedPaths": failed_path,
- "fixPaths": fixPath,
- "alertObject": {
- "k8sApiObjects": [wl]
- }
- }
-}
-
-deny[msga] {
- wl := input[_]
- wl.kind == "CronJob"
- start_of_path := "spec.jobTemplate.spec.template.spec"
-
- pod := wl.spec.jobTemplate.spec.template
- container = pod.spec.containers[i]
-
- # If container is privileged or has CAP_SYS_ADMIN, pass
- not container.securityContext.privileged == true
- not is_cap_sys_admin(container, start_of_path)
-
-
- is_no_SELinux_No_AppArmor_Pod(pod)
- is_no_seccomp_pod(pod)
-
- is_no_SELinux_container(container)
- is_no_Seccomp_Container(container)
-
- # Check if is running as root
- alertInfo := evaluate_workload_non_root_container(container, pod, start_of_path)
-
- # CAP_DAC_OVERRIDE will fail on second check
- not isCAP_DAC_OVERRIDE(container, start_of_path, i)
-
- # Get paths
- fixPath := get_fixed_path(alertInfo, i)
- failed_path := get_failed_path(alertInfo, i)
-
- msga := {
- "alertMessage": "You may be vulnerable to CVE-2022-0492",
- "packagename": "armo_builtins",
- "alertScore": 4,
- "reviewPaths": failed_path,
- "failedPaths": failed_path,
- "fixPaths": fixPath,
- "alertObject": {
- "k8sApiObjects": [wl]
- }
- }
-}
-
-
-#################################################################################
-# Case 2:
-# - Container has CAP_DAC_OVERRIDE capability, AND
-# - No AppArmor, AND
-# - No SELinux
-# If container is privileged or has CAP_SYS_ADMIN, don't fail
-
-deny[msga] {
- pod := input[_]
- pod.kind == "Pod"
- container := pod.spec.containers[i]
-
- start_of_path := "spec."
-
- result := isCAP_DAC_OVERRIDE(container, start_of_path, i)
-
- # If container is privileged or has CAP_SYS_ADMIN, pass
- not container.securityContext.privileged == true
- not is_cap_sys_admin(container, start_of_path)
-
- is_no_SELinux_No_AppArmor_Pod(pod)
- is_no_SELinux_container(container)
-
- msga := {
- "alertMessage": "You may be vulnerable to CVE-2022-0492",
- "packagename": "armo_builtins",
- "alertScore": 4,
- "deletePaths": [result],
- "failedPaths": [result],
- "fixPaths": [],
- "alertObject": {
- "k8sApiObjects": [pod]
- }
- }
-}
-
-deny[msga] {
- wl := input[_]
- spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
- spec_template_spec_patterns[wl.kind]
-
- pod := wl.spec.template
- container := pod.spec.containers[i]
-
- start_of_path := "spec.template.spec."
-
- result := isCAP_DAC_OVERRIDE(container, start_of_path, i)
-
- # If container is privileged or has CAP_SYS_ADMIN, pass
- not container.securityContext.privileged == true
- not is_cap_sys_admin(container, start_of_path)
-
- is_no_SELinux_No_AppArmor_Pod(pod)
- is_no_SELinux_container(container)
-
- msga := {
- "alertMessage": "You may be vulnerable to CVE-2022-0492",
- "packagename": "armo_builtins",
- "alertScore": 4,
- "deletePaths": [result],
- "failedPaths": [result],
- "fixPaths": [],
- "alertObject": {
- "k8sApiObjects": [wl]
- }
- }
-}
-
-deny[msga] {
- wl := input[_]
- wl.kind == "CronJob"
-
- pod := wl.spec.jobTemplate.spec.template
- container = pod.spec.containers[i]
-
- start_of_path := "spec.jobTemplate.spec.template.spec."
-
- result := isCAP_DAC_OVERRIDE(container, start_of_path, i)
-
- # If container is privileged or has CAP_SYS_ADMIN, pass
- not container.securityContext.privileged == true
- not is_cap_sys_admin(container, start_of_path)
-
- is_no_SELinux_No_AppArmor_Pod(pod)
- is_no_SELinux_container(container)
-
- msga := {
- "alertMessage": "You may be vulnerable to CVE-2022-0492",
- "packagename": "armo_builtins",
- "alertScore": 4,
- "deletePaths": [result],
- "failedPaths": [result],
- "fixPaths": [],
- "alertObject": {
- "k8sApiObjects": [wl]
- }
- }
-}
-
-
-
-
-is_cap_sys_admin(container, start_of_path) {
- capability = container.securityContext.capabilities.add[k]
- capability == "SYS_ADMIN"
-}
-
-isCAP_DAC_OVERRIDE(container, start_of_path, i) = path {
- capability = container.securityContext.capabilities.add[k]
- capability == "DAC_OVERRIDE"
- path = sprintf("%vcontainers[%v].securityContext.capabilities.add[%v]", [start_of_path, format_int(i, 10), format_int(k, 10)])
-}
-
-
-
-#################################################################################
-
-get_failed_path(alertInfo, i) = [replace(alertInfo.failed_path,"container_ndx",format_int(i,10))] {
- alertInfo.failed_path != ""
-} else = []
-
-
-get_fixed_path(alertInfo, i) = [{"path":replace(alertInfo.fixPath[0].path,"container_ndx",format_int(i,10)), "value":alertInfo.fixPath[0].value}, {"path":replace(alertInfo.fixPath[1].path,"container_ndx",format_int(i,10)), "value":alertInfo.fixPath[1].value}]{
- count(alertInfo.fixPath) == 2
-} else = [{"path":replace(alertInfo.fixPath[0].path,"container_ndx",format_int(i,10)), "value":alertInfo.fixPath[0].value}] {
- count(alertInfo.fixPath) == 1
-} else = []
-
-
-
-
-
-#################################################################################
-
-# Check if appArmor or SELinux or seccompProfile is used
-# Fails if none of them is used
-is_no_SELinux_No_AppArmor_Pod(pod){
- not pod.spec.securityContext.seLinuxOptions
- annotations := [pod.metadata.annotations[i] | annotaion = i; startswith(i, "container.apparmor.security.beta.kubernetes.io")]
- not count(annotations) > 0
-}
-
-is_no_SELinux_container(container){
- not container.securityContext.seLinuxOptions
-}
-
-is_no_seccomp_pod(pod) {
- not pod.spec.securityContext.seccompProfile
-}
-
-is_no_Seccomp_Container(container) {
- not container.securityContext.seccompProfile
-}
-
-
-
-
-
-
-#################################################################################
-# Workload evaluation
-
-evaluate_workload_non_root_container(container, pod, start_of_path) = alertInfo {
- runAsNonRootValue := get_run_as_non_root_value(container, pod, start_of_path)
- runAsNonRootValue.value == false
-
- runAsUserValue := get_run_as_user_value(container, pod, start_of_path)
- runAsUserValue.value == 0
-
- alertInfo := choose_first_if_defined(runAsUserValue, runAsNonRootValue)
-} else = alertInfo {
- allowPrivilegeEscalationValue := get_allow_privilege_escalation(container, pod, start_of_path)
- allowPrivilegeEscalationValue.value == true
-
- alertInfo := allowPrivilegeEscalationValue
-}
-
-
-#################################################################################
-
-# Checking for non-root and allowPrivilegeEscalation enabled
-get_run_as_non_root_value(container, pod, start_of_path) = runAsNonRoot {
- failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path])
- runAsNonRoot := {"value" : container.securityContext.runAsNonRoot, "failed_path" : failed_path, "fixPath": [] ,"defined" : true}
-} else = runAsNonRoot {
- failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path])
- runAsNonRoot := {"value" : pod.spec.securityContext.runAsNonRoot, "failed_path" : failed_path, "fixPath": [], "defined" : true}
-} else = {"value" : false, "failed_path" : "", "fixPath": [{"path": "spec.securityContext.runAsNonRoot", "value":"true"}], "defined" : false} {
- is_allow_privilege_escalation_field(container, pod)
-} else = {"value" : false, "failed_path" : "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]) , "value":"true"}, {"path":sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], "defined" : false}
-
-get_run_as_user_value(container, pod, start_of_path) = runAsUser {
- failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [start_of_path])
- runAsUser := {"value" : container.securityContext.runAsUser, "failed_path" : failed_path, "fixPath": [], "defined" : true}
-} else = runAsUser {
- failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [start_of_path])
- runAsUser := {"value" : pod.spec.securityContext.runAsUser, "failed_path" : failed_path, "fixPath": [],"defined" : true}
-} else = {"value" : 0, "failed_path": "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}],"defined" : false}{
- is_allow_privilege_escalation_field(container, pod)
-} else = {"value" : 0, "failed_path": "",
- "fixPath": [{"path": sprintf("%v.securityContext.containers[container_ndx].runAsNonRoot", [start_of_path]), "value":"true"},{"path": sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}],
- "defined" : false}
-
-get_run_as_group_value(container, pod, start_of_path) = runAsGroup {
- failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [start_of_path])
- runAsGroup := {"value" : container.securityContext.runAsGroup, "failed_path" : failed_path, "fixPath": [],"defined" : true}
-} else = runAsGroup {
- failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [start_of_path])
- runAsGroup := {"value" : pod.spec.securityContext.runAsGroup, "failed_path" : failed_path, "fixPath":[], "defined" : true}
-} else = {"value" : 0, "failed_path": "", "fixPath": [{"path": "spec.securityContext.runAsNonRoot", "value":"true"}], "defined" : false}{
- is_allow_privilege_escalation_field(container, pod)
-} else = {"value" : 0, "failed_path": "",
- "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"},{"path": sprintf("%v.securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}],
- "defined" : false
-}
-
-get_allow_privilege_escalation(container, pod, start_of_path) = allowPrivilegeEscalation {
- failed_path := sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path])
- allowPrivilegeEscalation := {"value" : container.securityContext.allowPrivilegeEscalation, "failed_path" : failed_path, "fixPath": [],"defined" : true}
-} else = allowPrivilegeEscalation {
- failed_path := sprintf("%v.securityContext.allowPrivilegeEscalation", [start_of_path])
- allowPrivilegeEscalation := {"value" : pod.spec.securityContext.allowPrivilegeEscalation, "failed_path" : failed_path, "fixPath": [],"defined" : true}
-} else = {"value" : true, "failed_path": "", "fixPath": [{"path": sprintf("%v.securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], "defined" : false}
-
-choose_first_if_defined(l1, l2) = c {
- l1.defined
- c := l1
-} else = l2
-
-
-is_allow_privilege_escalation_field(container, pod) {
- container.securityContext.allowPrivilegeEscalation == false
-}
-
-is_allow_privilege_escalation_field(container, pod) {
- pod.spec.securityContext.allowPrivilegeEscalation == false
-}
diff --git a/rules/CVE-2022-0492/test/ca_dac_override_pass/input/deploy.yaml b/rules/CVE-2022-0492/test/ca_dac_override_pass/input/deploy.yaml
deleted file mode 100644
index 181d1889d..000000000
--- a/rules/CVE-2022-0492/test/ca_dac_override_pass/input/deploy.yaml
+++ /dev/null
@@ -1,68 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- annotations:
- deployment.kubernetes.io/revision: "1"
- kubectl.kubernetes.io/last-applied-configuration: |
- {"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{},"labels":{"app":"nginx"},"name":"nginx-deployment","namespace":"default"},"spec":{"replicas":3,"selector":{"matchLabels":{"app":"nginx"}},"template":{"metadata":{"labels":{"app":"nginx"}},"spec":{"containers":[{"image":"nginx:1.14.2","name":"nginx","ports":[{"containerPort":80}]}],"securityContext":{"runAsNonRoot":false}}}}}
- creationTimestamp: "2022-03-07T15:57:36Z"
- generation: 1
- labels:
- app: nginx
- name: nginx-deployment
- namespace: default
- resourceVersion: "4416"
- uid: 608c546a-e4e9-4665-baeb-4a70c09b6c8b
-spec:
- progressDeadlineSeconds: 600
- replicas: 3
- revisionHistoryLimit: 10
- selector:
- matchLabels:
- app: nginx
- strategy:
- rollingUpdate:
- maxSurge: 25%
- maxUnavailable: 25%
- type: RollingUpdate
- template:
- metadata:
- labels:
- app: nginx
- spec:
- containers:
- - image: nginx:1.14.2
- securityContext:
- capabilities:
- add: ["DAC_OVERRIDE", "SYS_ADMIN"]
- imagePullPolicy: IfNotPresent
- name: nginx
- ports:
- - containerPort: 80
- protocol: TCP
- resources: {}
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- dnsPolicy: ClusterFirst
- restartPolicy: Always
- schedulerName: default-scheduler
- terminationGracePeriodSeconds: 30
-status:
- availableReplicas: 3
- conditions:
- - lastTransitionTime: "2022-03-07T15:57:38Z"
- lastUpdateTime: "2022-03-07T15:57:38Z"
- message: Deployment has minimum availability.
- reason: MinimumReplicasAvailable
- status: "True"
- type: Available
- - lastTransitionTime: "2022-03-07T15:57:36Z"
- lastUpdateTime: "2022-03-07T15:57:38Z"
- message: ReplicaSet "nginx-deployment-548f9774bc" has successfully progressed.
- reason: NewReplicaSetAvailable
- status: "True"
- type: Progressing
- observedGeneration: 1
- readyReplicas: 3
- replicas: 3
- updatedReplicas: 3
diff --git a/rules/CVE-2022-0492/test/cap_dac_override_fail/expected.json b/rules/CVE-2022-0492/test/cap_dac_override_fail/expected.json
deleted file mode 100644
index f595d6d0d..000000000
--- a/rules/CVE-2022-0492/test/cap_dac_override_fail/expected.json
+++ /dev/null
@@ -1,20 +0,0 @@
-[{
- "alertMessage": "You may be vulnerable to CVE-2022-0492",
- "failedPaths": ["spec.template.spec.containers[0].securityContext.capabilities.add[0]"],
- "fixPaths": [],
- "ruleStatus": "",
- "packagename": "armo_builtins",
- "alertScore": 4,
- "alertObject": {
- "k8sApiObjects": [{
- "apiVersion": "apps/v1",
- "kind": "Deployment",
- "metadata": {
- "labels": {
- "app": "nginx"
- },
- "name": "nginx-deployment"
- }
- }]
- }
-}]
\ No newline at end of file
diff --git a/rules/CVE-2022-0492/test/cap_dac_override_fail/input/deploy.yaml b/rules/CVE-2022-0492/test/cap_dac_override_fail/input/deploy.yaml
deleted file mode 100644
index f45d3a8da..000000000
--- a/rules/CVE-2022-0492/test/cap_dac_override_fail/input/deploy.yaml
+++ /dev/null
@@ -1,71 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- annotations:
- deployment.kubernetes.io/revision: "1"
- kubectl.kubernetes.io/last-applied-configuration: |
- {"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{},"labels":{"app":"nginx"},"name":"nginx-deployment","namespace":"default"},"spec":{"replicas":3,"selector":{"matchLabels":{"app":"nginx"}},"template":{"metadata":{"labels":{"app":"nginx"}},"spec":{"containers":[{"image":"nginx:1.14.2","name":"nginx","ports":[{"containerPort":80}]}],"securityContext":{"runAsNonRoot":false}}}}}
- creationTimestamp: "2022-03-07T15:57:36Z"
- generation: 1
- labels:
- app: nginx
- name: nginx-deployment
- namespace: default
- resourceVersion: "4416"
- uid: 608c546a-e4e9-4665-baeb-4a70c09b6c8b
-spec:
- progressDeadlineSeconds: 600
- replicas: 3
- revisionHistoryLimit: 10
- selector:
- matchLabels:
- app: nginx
- strategy:
- rollingUpdate:
- maxSurge: 25%
- maxUnavailable: 25%
- type: RollingUpdate
- template:
- metadata:
- labels:
- app: nginx
- spec:
- containers:
- - image: nginx:1.14.2
- securityContext:
- seccompProfile:
- type: Localhost
- localhostProfile: profiles/audit.json
- capabilities:
- add: ["DAC_OVERRIDE"]
- imagePullPolicy: IfNotPresent
- name: nginx
- ports:
- - containerPort: 80
- protocol: TCP
- resources: {}
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- dnsPolicy: ClusterFirst
- restartPolicy: Always
- schedulerName: default-scheduler
- terminationGracePeriodSeconds: 30
-status:
- availableReplicas: 3
- conditions:
- - lastTransitionTime: "2022-03-07T15:57:38Z"
- lastUpdateTime: "2022-03-07T15:57:38Z"
- message: Deployment has minimum availability.
- reason: MinimumReplicasAvailable
- status: "True"
- type: Available
- - lastTransitionTime: "2022-03-07T15:57:36Z"
- lastUpdateTime: "2022-03-07T15:57:38Z"
- message: ReplicaSet "nginx-deployment-548f9774bc" has successfully progressed.
- reason: NewReplicaSetAvailable
- status: "True"
- type: Progressing
- observedGeneration: 1
- readyReplicas: 3
- replicas: 3
- updatedReplicas: 3
diff --git a/rules/CVE-2022-0492/test/no_new_privs_fail/expected.json b/rules/CVE-2022-0492/test/no_new_privs_fail/expected.json
deleted file mode 100644
index 24529d2a7..000000000
--- a/rules/CVE-2022-0492/test/no_new_privs_fail/expected.json
+++ /dev/null
@@ -1,23 +0,0 @@
-[{
- "alertMessage": "You may be vulnerable to CVE-2022-0492",
- "failedPaths": [],
- "fixPaths": [{
- "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.runAsNonRoot",
- "value": "true"
- }, {
- "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation",
- "value": "false"
- }],
- "ruleStatus": "",
- "packagename": "armo_builtins",
- "alertScore": 4,
- "alertObject": {
- "k8sApiObjects": [{
- "apiVersion": "batch/v1",
- "kind": "CronJob",
- "metadata": {
- "name": "hello"
- }
- }]
- }
-}]
\ No newline at end of file
diff --git a/rules/CVE-2022-0492/test/root_user_fail/expected.json b/rules/CVE-2022-0492/test/root_user_fail/expected.json
deleted file mode 100644
index 15a4c2acb..000000000
--- a/rules/CVE-2022-0492/test/root_user_fail/expected.json
+++ /dev/null
@@ -1,17 +0,0 @@
-[{
- "alertMessage": "You may be vulnerable to CVE-2022-0492",
- "failedPaths": ["spec.containers[0].securityContext.runAsUser"],
- "fixPaths": [],
- "ruleStatus": "",
- "packagename": "armo_builtins",
- "alertScore": 4,
- "alertObject": {
- "k8sApiObjects": [{
- "apiVersion": "v1",
- "kind": "Pod",
- "metadata": {
- "name": "nginx"
- }
- }]
- }
-}]
\ No newline at end of file
diff --git a/rules/CVE-2022-0492/test/root_user_fail/input/pod.yaml b/rules/CVE-2022-0492/test/root_user_fail/input/pod.yaml
deleted file mode 100644
index 222e96e18..000000000
--- a/rules/CVE-2022-0492/test/root_user_fail/input/pod.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: nginx
-spec:
- containers:
- - name: nginx
- image: nginx:1.14.2
- securityContext:
- runAsUser: 0
- ports:
- - containerPort: 80
\ No newline at end of file
diff --git a/rules/CVE-2022-0492/test/root_user_pass/input/pod.yaml b/rules/CVE-2022-0492/test/root_user_pass/input/pod.yaml
deleted file mode 100644
index 4071cfc1f..000000000
--- a/rules/CVE-2022-0492/test/root_user_pass/input/pod.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: nginx
-spec:
- containers:
- - name: nginx
- image: nginx:1.14.2
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsUser: 0
- allowPrivilegeEscalation: false
- ports:
- - containerPort: 80
\ No newline at end of file
diff --git a/rules/CVE-2022-23648/rule.metadata.json b/rules/CVE-2022-23648/rule.metadata.json
index 0413a3cce..52262a4d2 100644
--- a/rules/CVE-2022-23648/rule.metadata.json
+++ b/rules/CVE-2022-23648/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "CVE-2022-23648",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/CVE-2022-24348/rule.metadata.json b/rules/CVE-2022-24348/rule.metadata.json
index 8597e6907..7024003a2 100644
--- a/rules/CVE-2022-24348/rule.metadata.json
+++ b/rules/CVE-2022-24348/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "CVE-2022-24348",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/CVE-2022-3172/rule.metadata.json b/rules/CVE-2022-3172/rule.metadata.json
index 277ea2706..dd0333f8f 100644
--- a/rules/CVE-2022-3172/rule.metadata.json
+++ b/rules/CVE-2022-3172/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "CVE-2022-3172",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/CVE-2022-39328/rule.metadata.json b/rules/CVE-2022-39328/rule.metadata.json
index a1c25f088..6db538630 100644
--- a/rules/CVE-2022-39328/rule.metadata.json
+++ b/rules/CVE-2022-39328/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "CVE-2022-39328",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/CVE-2022-47633/rule.metadata.json b/rules/CVE-2022-47633/rule.metadata.json
index b314635cc..87bb0f2b4 100644
--- a/rules/CVE-2022-47633/rule.metadata.json
+++ b/rules/CVE-2022-47633/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "CVE-2022-47633",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/Ensure-that-the-kubeconfig-file-permissions-are-set-to-644-or-more-restrictive/rule.metadata.json b/rules/Ensure-that-the-kubeconfig-file-permissions-are-set-to-644-or-more-restrictive/rule.metadata.json
index 869aad6c4..068a05601 100644
--- a/rules/Ensure-that-the-kubeconfig-file-permissions-are-set-to-644-or-more-restrictive/rule.metadata.json
+++ b/rules/Ensure-that-the-kubeconfig-file-permissions-are-set-to-644-or-more-restrictive/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "Ensure-that-the-kubeconfig-file-permissions-are-set-to-644-or-more-restrictive",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/access-container-service-account-v1/rule.metadata.json b/rules/access-container-service-account-v1/rule.metadata.json
index efe4e87c1..26f708f90 100644
--- a/rules/access-container-service-account-v1/rule.metadata.json
+++ b/rules/access-container-service-account-v1/rule.metadata.json
@@ -2,7 +2,6 @@
 "name": "access-container-service-account-v1",
 "attributes": {
 "m$K8sThreatMatrix": "Credential Access::Access container service account, Lateral Movement::Container service account",
- "armoBuiltin": true,
 "resourcesAggregator": "subject-role-rolebinding",
 "useFromKubescapeVersion": "v1.0.133"
 },
diff --git a/rules/access-container-service-account/raw.rego b/rules/access-container-service-account/raw.rego
deleted file mode 100644
index 37f5c0690..000000000
--- a/rules/access-container-service-account/raw.rego
+++ /dev/null
@@ -1,333 +0,0 @@
-package armo_builtins
-
-
-# Returns for each Pod, what are the permission of its service account
-
-deny[msga] {
- serviceAccounts := [serviceaccount | serviceaccount= input[_]; serviceaccount.kind == "ServiceAccount"]
- serviceaccount := serviceAccounts[_]
- serviceAccountName := serviceaccount.metadata.name
-
- pods := [pod | pod=input[_]; pod.kind =="Pod"]
- pod := pods[_]
- pod.spec.serviceAccountName == serviceAccountName
-
- not isNotAutoMount(serviceaccount, pod)
-
- rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"]
- rolebinding := rolebindings[_]
- rolesubject := rolebinding.subjects[_]
- rolesubject.name == serviceAccountName
-
- roles := [role | role = input[_]; role.kind == "Role"]
- role := roles[_]
- role.metadata.name == rolebinding.roleRef.name
-
- msga := {
- "alertMessage": sprintf("Pod: %v has the following permissions in the cluster: %v", [pod.metadata.name, rolebinding.roleRef.name]),
- "packagename": "armo_builtins",
- "failedPaths": [],
- "alertScore": 7,
- "alertObject": {
- "k8sApiObjects": [rolebinding, role, pod]
- }
- }
-}
-
-# Returns for each Pod, what are the permission of its service account
- deny[msga] {
- serviceAccounts := [serviceaccount | serviceaccount= input[_]; serviceaccount.kind == "ServiceAccount"]
- serviceaccount := serviceAccounts[_]
- serviceAccountName := serviceaccount.metadata.name
-
- pods := [pod | pod=input[_]; pod.kind =="Pod"]
- pod := pods[_]
- pod.spec.serviceAccountName == serviceAccountName
-
- not isNotAutoMount(serviceaccount, pod)
-
- rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"]
- rolebinding := rolebindings[_]
- rolesubject := rolebinding.subjects[_]
- rolesubject.name == serviceAccountName
-
- roles := [role | role = input[_]; role.kind == "ClusterRole"]
- role := roles[_]
- role.metadata.name == rolebinding.roleRef.name
-
- msga := {
- "alertMessage": sprintf("Pod: %v has the following permissions 
in the cluster: %v", [pod.metadata.name, rolebinding.roleRef.name]), - "packagename": "armo_builtins", - "alertScore": 7, - "failedPaths": [], - "alertObject": { - "k8sApiObjects": [rolebinding, role, pod] - } - } -} - -# Returns for each Pod, what are the permission of its service account - - deny[msga] { - serviceAccounts := [serviceaccount | serviceaccount= input[_]; serviceaccount.kind == "ServiceAccount"] - serviceaccount := serviceAccounts[_] - serviceAccountName := serviceaccount.metadata.name - - pods := [pod | pod=input[_]; pod.kind =="Pod"] - pod := pods[_] - pod.spec.serviceAccountName == serviceAccountName - - not isNotAutoMount(serviceaccount, pod) - - rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "ClusterRoleBinding"] - rolebinding := rolebindings[_] - rolesubject := rolebinding.subjects[_] - rolesubject.name == serviceAccountName - - roles := [role | role = input[_]; role.kind == "ClusterRole"] - role := roles[_] - role.metadata.name == rolebinding.roleRef.name - - msga := { - "alertMessage": sprintf("Pod: %v has the following permissions in the cluster: %v", [pod.metadata.name, rolebinding.roleRef.name]), - "packagename": "armo_builtins", - "alertScore": 7, - "failedPaths": [], - "alertObject": { - "k8sApiObjects": [rolebinding, role, pod] - } - } -} - - - - -### ---------------- ##### - - - -# Returns for each Workloads, what are the permission of its service account -deny[msga] { - serviceAccounts := [serviceaccount | serviceaccount= input[_]; serviceaccount.kind == "ServiceAccount"] - serviceaccount := serviceAccounts[_] - serviceAccountName := serviceaccount.metadata.name - - wl := input[_] - spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} - spec_template_spec_patterns[wl.kind] - - wl.spec.template.spec.serviceAccountName == serviceAccountName - - not isNotAutoMount(serviceaccount, wl.spec.template) - - rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind 
== "RoleBinding"] - rolebinding := rolebindings[_] - rolesubject := rolebinding.subjects[_] - rolesubject.name == serviceAccountName - - roles := [role | role = input[_]; role.kind == "Role"] - role := roles[_] - role.metadata.name == rolebinding.roleRef.name - - msga := { - "alertMessage": sprintf("%v: %v has the following permissions in the cluster: %v", [wl.kind, wl.metadata.name, rolebinding.roleRef.name]), - "packagename": "armo_builtins", - "alertScore": 7, - "failedPaths": [], - "alertObject": { - "k8sApiObjects": [rolebinding, role, wl] - } - } -} - - -# Returns for each Workloads, what are the permission of its service account -deny[msga] { - serviceAccounts := [serviceaccount | serviceaccount= input[_]; serviceaccount.kind == "ServiceAccount"] - serviceaccount := serviceAccounts[_] - serviceAccountName := serviceaccount.metadata.name - - wl := input[_] - spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} - spec_template_spec_patterns[wl.kind] - - wl.spec.template.spec.serviceAccountName == serviceAccountName - - not isNotAutoMount(serviceaccount, wl.spec.template) - - rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"] - rolebinding := rolebindings[_] - rolesubject := rolebinding.subjects[_] - rolesubject.name == serviceAccountName - - roles := [role | role = input[_]; role.kind == "ClusterRole"] - role := roles[_] - role.metadata.name == rolebinding.roleRef.name - - msga := { - "alertMessage": sprintf("%v: %v has the following permissions in the cluster: %v", [wl.kind, wl.metadata.name, rolebinding.roleRef.name]), - "packagename": "armo_builtins", - "alertScore": 7, - "failedPaths": [], - "alertObject": { - "k8sApiObjects": [rolebinding, role, wl] - } - } -} - - - -# Returns for each Workloads, what are the permission of its service account -deny[msga] { - serviceAccounts := [serviceaccount | serviceaccount= input[_]; serviceaccount.kind == "ServiceAccount"] - serviceaccount := 
serviceAccounts[_] - serviceAccountName := serviceaccount.metadata.name - - wl := input[_] - spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} - spec_template_spec_patterns[wl.kind] - - wl.spec.template.spec.serviceAccountName == serviceAccountName - - not isNotAutoMount(serviceaccount, wl.spec.template) - - rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "ClusterRoleBinding"] - rolebinding := rolebindings[_] - rolesubject := rolebinding.subjects[_] - rolesubject.name == serviceAccountName - - roles := [role | role = input[_]; role.kind == "ClusterRole"] - role := roles[_] - role.metadata.name == rolebinding.roleRef.name - - - msga := { - "alertMessage": sprintf("%v: %v has the following permissions in the cluster: %v", [wl.kind, wl.metadata.name, rolebinding.roleRef.name]), - "packagename": "armo_builtins", - "alertScore": 7, - "failedPaths": [], - "alertObject": { - "k8sApiObjects": [rolebinding, role, wl] - } - } -} - - - - -### ---------------- ##### - - -# Returns for each Cronjob, what are the permission of its service account - -deny[msga] { - serviceAccounts := [serviceaccount | serviceaccount= input[_]; serviceaccount.kind == "ServiceAccount"] - serviceaccount := serviceAccounts[_] - serviceAccountName := serviceaccount.metadata.name - - wl := input[_] - wl.kind == "CronJob" - wl.spec.jobTemplate.spec.template.spec.serviceAccountName == serviceAccountName - - not isNotAutoMount(serviceaccount, wl.spec.jobTemplate.spec.template) - - rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"] - rolebinding := rolebindings[_] - rolesubject := rolebinding.subjects[_] - rolesubject.name == serviceAccountName - - roles := [role | role = input[_]; role.kind == "Role"] - role := roles[_] - role.metadata.name == rolebinding.roleRef.name - - msga := { - "alertMessage": sprintf("Cronjob: %v has the following permissions in the cluster: %v", [wl.metadata.name, 
rolebinding.roleRef.name]), - "packagename": "armo_builtins", - "alertScore": 7, - "failedPaths": [], - "alertObject": { - "k8sApiObjects": [rolebinding, role, wl] - } - } -} - - - -# Returns for each Cronjob, what are the permission of its service account -deny[msga] { - serviceAccounts := [serviceaccount | serviceaccount= input[_]; serviceaccount.kind == "ServiceAccount"] - serviceaccount := serviceAccounts[_] - serviceAccountName := serviceaccount.metadata.name - - - wl := input[_] - wl.kind == "CronJob" - wl.spec.jobTemplate.spec.template.spec.serviceAccountName == serviceAccountName - - not isNotAutoMount(serviceaccount, wl.spec.jobTemplate.spec.template) - - rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"] - rolebinding := rolebindings[_] - rolesubject := rolebinding.subjects[_] - rolesubject.name == serviceAccountName - - roles := [role | role = input[_]; role.kind == "ClusterRole"] - role := roles[_] - role.metadata.name == rolebinding.roleRef.name - - msga := { - "alertMessage": sprintf("Cronjob: %v has the following permissions in the cluster: %v", [wl.metadata.name, rolebinding.roleRef.name]), - "packagename": "armo_builtins", - "alertScore": 7, - "failedPaths": [], - "alertObject": { - "k8sApiObjects": [rolebinding, role, wl] - } - } -} - - -# Returns for each Cronjob, what are the permission of its service account -deny[msga] { - serviceAccounts := [serviceaccount | serviceaccount= input[_]; serviceaccount.kind == "ServiceAccount"] - serviceaccount := serviceAccounts[_] - serviceAccountName := serviceaccount.metadata.name - - - wl := input[_] - wl.kind == "CronJob" - wl.spec.jobTemplate.spec.template.spec.serviceAccountName == serviceAccountName - - not isNotAutoMount(serviceaccount, wl.spec.jobTemplate.spec.template) - - rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "ClusterRoleBinding"] - rolebinding := rolebindings[_] - rolesubject := rolebinding.subjects[_] - rolesubject.name == 
serviceAccountName - - roles := [role | role = input[_]; role.kind == "ClusterRole"] - role := roles[_] - role.metadata.name == rolebinding.roleRef.name - - - msga := { - "alertMessage": sprintf("Cronjob: %v has the following permissions in the cluster: %v", [wl.metadata.name, rolebinding.roleRef.name]), - "packagename": "armo_builtins", - "alertScore": 7, - "failedPaths": [], - "alertObject": { - "k8sApiObjects": [rolebinding, role, wl] - } - } -} - -# =============================================================== - -isNotAutoMount(serviceaccount, pod) { - pod.spec.automountServiceAccountToken == false -} -isNotAutoMount(serviceaccount, pod) { - serviceaccount.automountServiceAccountToken == false - not pod.spec["automountServiceAccountToken"] -} - diff --git a/rules/access-container-service-account/rule.metadata.json b/rules/access-container-service-account/rule.metadata.json deleted file mode 100644 index d097827b9..000000000 --- a/rules/access-container-service-account/rule.metadata.json +++ /dev/null 
@@ -1,70 +0,0 @@ -{ - "name": "access-container-service-account", - "attributes": { - "m$K8sThreatMatrix": "Credential Access::Access container service account, Lateral Movement::Container service account", - "armoBuiltin": true, - "useUntilKubescapeVersion": "v1.0.133" - }, - "ruleLanguage": "Rego", - "match": [ - { - "apiGroups": [ - "" - ], - "apiVersions": [ - "v1" - ], - "resources": [ - "Pod", - "ServiceAccount" - ] - }, - { - "apiGroups": [ - "apps" - ], - "apiVersions": [ - "v1" - ], - "resources": [ - "Deployment", - "ReplicaSet", - "DaemonSet", - "StatefulSet" - ] - }, - { - "apiGroups": [ - "batch" - ], - "apiVersions": [ - "*" - ], - "resources": [ - "Job", - "CronJob" - ] - }, - { - "apiGroups": [ - "rbac.authorization.k8s.io" - ], - "apiVersions": [ - "v1" - ], - "resources": [ - "RoleBinding", - "ClusterRoleBinding", - "Role", - "ClusterRole" - ] - } - ], - "ruleDependencies": [ - - ], - "description": "determines which service accounts can be used to access other resources in the cluster", - "remediation": "", - "ruleQuery": "armo_builtins", - "resourceCount": "subjects" -} diff --git a/rules/alert-any-hostpath/raw.rego b/rules/alert-any-hostpath/raw.rego index 581e43660..2bc5e3b19 100644 --- a/rules/alert-any-hostpath/raw.rego +++ b/rules/alert-any-hostpath/raw.rego @@ -9,14 +9,17 @@ deny[msga] { start_of_path := "spec." result := is_dangerous_volume(volume, start_of_path, i) podname := pod.metadata.name + volumeMounts := pod.spec.containers[j].volumeMounts + pathMounts = volume_mounts(volume.name, volumeMounts, sprintf("spec.containers[%v]", [j])) + finalPath := array.concat([result], pathMounts) msga := { "alertMessage": sprintf("pod: %v has: %v as hostPath volume", [podname, volume.name]), "packagename": "armo_builtins", "alertScore": 7, - "deletePaths": [result], - "failedPaths": [result], + "deletePaths": finalPath, + "failedPaths": finalPath, "fixPaths":[], "alertObject": { "k8sApiObjects": [pod] 
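Review bot: The new `volumeMounts := pod.spec.containers[j].volumeMounts` in the Pod rule makes the whole deny body depend on some container declaring a `volumeMounts` field: with `j` unbound it iterates the containers, and when none of them has the field (for example when the hostPath volume is mounted only by an initContainer, or not mounted at all) the rule yields nothing, whereas before this change the presence of the hostPath volume alone produced an alert. It also produces one alert per matching container, each with a `deletePaths` naming the volume plus only that container's mounts, so applying one alert's deletions can leave another container's mount dangling. Collecting the mount paths across all containers in one comprehension keeps the detection unconditional and yields one complete alert per volume; the same pattern is repeated in the `@@ -33` and `@@ -56` hunks of this file and in `alert-mount-potential-credentials-paths/raw.rego` (`@@ -6`). `pathMounts = volume_mounts(...)` also uses `=` where the surrounding lines use `:=`. The deny body starts and ends outside this hunk.
```rego
    result := is_dangerous_volume(volume, start_of_path, i)
    podname := pod.metadata.name
    # every container mount of this hostPath volume; [] when none, never undefined
    pathMounts := [mountPath |
        pod.spec.containers[j].volumeMounts[k].name == volume.name
        mountPath := sprintf("%vcontainers[%v].volumeMounts[%v]", [start_of_path, j, k])
    ]
    finalPath := array.concat([result], pathMounts)
    # … unchanged: msga …
```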
@@ -33,14 +36,17 @@ deny[msga] { volume := volumes[i] start_of_path := "spec.template.spec." result := is_dangerous_volume(volume, start_of_path, i) + volumeMounts := wl.spec.template.spec.containers[j].volumeMounts + pathMounts = volume_mounts(volume.name,volumeMounts, sprintf("spec.template.spec.containers[%v]", [j])) + finalPath := array.concat([result], pathMounts) msga := { "alertMessage": sprintf("%v: %v has: %v as hostPath volume", [wl.kind, wl.metadata.name, volume.name]), "packagename": "armo_builtins", "alertScore": 7, - "deletePaths": [result], - "failedPaths": [result], + "deletePaths": finalPath, + "failedPaths": finalPath, "fixPaths":[], "alertObject": { "k8sApiObjects": [wl] @@ -56,12 +62,16 @@ deny[msga] { volume := volumes[i] start_of_path := "spec.jobTemplate.spec.template.spec." result := is_dangerous_volume(volume, start_of_path, i) + volumeMounts := wl.spec.jobTemplate.spec.template.spec.containers[j].volumeMounts + pathMounts = volume_mounts(volume.name,volumeMounts, sprintf("spec.jobTemplate.spec.template.spec.containers[%v]", [j])) + finalPath := array.concat([result], pathMounts) + msga := { "alertMessage": sprintf("%v: %v has: %v as hostPath volume", [wl.kind, wl.metadata.name, volume.name]), "packagename": "armo_builtins", "alertScore": 7, - "deletePaths": [result], - "failedPaths": [result], + "deletePaths": finalPath, + "failedPaths": finalPath, "fixPaths":[], "alertObject": { "k8sApiObjects": [wl] @@ -71,5 +81,10 @@ deny[msga] { is_dangerous_volume(volume, start_of_path, i) = path { volume.hostPath.path - path = sprintf("%vvolumes[%v].hostPath.path", [start_of_path, format_int(i, 10)]) -} \ No newline at end of file + path = sprintf("%vvolumes[%v]", [start_of_path, format_int(i, 10)]) +} + +volume_mounts(name, volume_mounts, str) = [path] { + name == volume_mounts[j].name + path := sprintf("%s.volumeMounts[%v]", [str, j]) +} else = [] \ No newline at end of file 
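Review bot: `volume_mounts(name, volume_mounts, str) = [path] { ... }` leaves `j` unbound in a function body, so when one container mounts the same volume under two `mountPath`s (which Kubernetes allows) the function produces two different `path` values for identical arguments, and OPA treats that as a function-output conflict and aborts evaluation of the rule instead of reporting the volume. Building the result as a comprehension returns every match and `[]` when there is none, so the `else` branch also becomes unnecessary: `volume_mounts(name, volume_mounts, str) = paths { paths := [path | name == volume_mounts[j].name; path := sprintf("%s.volumeMounts[%v]", [str, j])] }`. The identical helper added in `alert-mount-potential-credentials-paths/raw.rego` (`@@ -89`) needs the same change.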
diff --git a/rules/alert-any-hostpath/rule.metadata.json b/rules/alert-any-hostpath/rule.metadata.json index e5d329d31..224cf4713 100644 --- a/rules/alert-any-hostpath/rule.metadata.json +++ b/rules/alert-any-hostpath/rule.metadata.json @@ -1,8 +1,7 @@ { "name": "alert-any-hostpath", "attributes": { - "m$K8sThreatMatrix": "Privilege Escalation::hostPath mount", - "armoBuiltin": true + "m$K8sThreatMatrix": "Privilege Escalation::hostPath mount" }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/alert-any-hostpath/test/deployment/expected.json b/rules/alert-any-hostpath/test/deployment/expected.json index 2e28d5105..4825bb3f9 100644 --- a/rules/alert-any-hostpath/test/deployment/expected.json +++ b/rules/alert-any-hostpath/test/deployment/expected.json @@ -2,7 +2,12 @@ { "alertMessage": "Deployment: my-deployment has: test-volume as hostPath volume", "failedPaths": [ - "spec.template.spec.volumes[0].hostPath.path" + "spec.template.spec.volumes[0]", + "spec.template.spec.containers[0].volumeMounts[0]" + ], + "deletePaths": [ + "spec.template.spec.volumes[0]", + "spec.template.spec.containers[0].volumeMounts[0]" ], "fixPaths": [], "ruleStatus": "", @@ -26,7 +31,12 @@ { "alertMessage": "Deployment: my-deployment has: test-volume2 as hostPath volume", "failedPaths": [ - "spec.template.spec.volumes[1].hostPath.path" + "spec.template.spec.volumes[1]", + "spec.template.spec.containers[0].volumeMounts[1]" + ], + "deletePaths": [ + "spec.template.spec.volumes[1]", + "spec.template.spec.containers[0].volumeMounts[1]" ], "fixPaths": [], "ruleStatus": "", diff --git a/rules/alert-any-hostpath/test/deployment/input/deployment.yaml b/rules/alert-any-hostpath/test/deployment/input/deployment.yaml index c25ccfec4..5585f9402 100644 --- a/rules/alert-any-hostpath/test/deployment/input/deployment.yaml +++ b/rules/alert-any-hostpath/test/deployment/input/deployment.yaml 
@@ -23,7 +23,7 @@ spec: name : test-volume - mountPath : /test-pd2 - name : test-volume + name : test-volume2 volumes : - name : test-volume hostPath : diff --git a/rules/alert-any-hostpath/test/pod/expected.json b/rules/alert-any-hostpath/test/pod/expected.json index a88f4447b..d4c433aeb 100644 --- a/rules/alert-any-hostpath/test/pod/expected.json +++ b/rules/alert-any-hostpath/test/pod/expected.json @@ -1,21 +1,28 @@ -{ - "alertMessage": "pod: test-pd has: test-volume as hostPath volume", - "failedPaths": [ - "spec.volumes[0].hostPath.path" - ], - "fixPaths": [], - "ruleStatus": "", - "packagename": "armo_builtins", - "alertScore": 7, - "alertObject": { - "k8sApiObjects": [ - { - "apiVersion": "v1", - "kind": "Pod", - "metadata": { - "name": "test-pd" +[ + { + "alertMessage": "pod: test-pd has: test-volume as hostPath volume", + "failedPaths": [ + "spec.volumes[0]", + "spec.containers[0].volumeMounts[0]" + ], + "deletePaths": [ + "spec.volumes[0]", + "spec.containers[0].volumeMounts[0]" + ], + "fixPaths": [], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "test-pd" + } } - } - ] + ] + } } -} \ No newline at end of file +] \ No newline at end of file diff --git a/rules/alert-container-optimized-os-not-in-use/rule.metadata.json b/rules/alert-container-optimized-os-not-in-use/rule.metadata.json index 72fd5da1c..e20724003 100644 --- a/rules/alert-container-optimized-os-not-in-use/rule.metadata.json +++ b/rules/alert-container-optimized-os-not-in-use/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "alert-container-optimized-os-not-in-use", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/alert-container-optimized-os-not-in-use/test/failed/expected.json b/rules/alert-container-optimized-os-not-in-use/test/failed/expected.json index 225d80dfe..058b8af4a 100644 
--- a/rules/alert-container-optimized-os-not-in-use/test/failed/expected.json +++ b/rules/alert-container-optimized-os-not-in-use/test/failed/expected.json @@ -1,5 +1,6 @@ [{ "alertMessage": "Prefer using Container-Optimized OS when possible", + "ReviewPaths": ["status.nodeInfo.osImage"], "failedPaths": ["status.nodeInfo.osImage"], "fixPaths": [], "ruleStatus": "", diff --git a/rules/alert-fargate-not-in-use/rule.metadata.json b/rules/alert-fargate-not-in-use/rule.metadata.json index f45b9dd12..9931ad4b5 100644 --- a/rules/alert-fargate-not-in-use/rule.metadata.json +++ b/rules/alert-fargate-not-in-use/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "alert-fargate-not-in-use", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/alert-mount-potential-credentials-paths/raw.rego b/rules/alert-mount-potential-credentials-paths/raw.rego index f28c15776..68e476863 100644 --- a/rules/alert-mount-potential-credentials-paths/raw.rego +++ b/rules/alert-mount-potential-credentials-paths/raw.rego 
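Review bot: The added fixture key `"ReviewPaths"` is capitalised unlike every other path key in these expected files (`failedPaths`, `deletePaths`, `fixPaths`), and a JSON comparison of expected against actual output is case-sensitive. If the rule's `raw.rego` (not part of this diff) emits `reviewPaths`, this expected output will never match; confirm the exact key name against the rule and the test runner before merging.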
@@ -6,18 +6,22 @@ deny[msga] { provider := data.dataControlInputs.cloudProvider provider != "" resources := input[_] - volumes_data := get_volumes(resources) - volumes := volumes_data["volumes"] + spec_data := get_pod_spec(resources) + spec := spec_data["spec"] + volumes := spec.volumes volume := volumes[i] - start_of_path := volumes_data["start_of_path"] - result := is_unsafe_paths(volume, start_of_path, provider,i) + start_of_path := spec_data["start_of_path"] + result := is_unsafe_paths(volume, start_of_path, provider, i) + volumeMounts := spec.containers[j].volumeMounts + pathMounts = volume_mounts(volume.name, volumeMounts, sprintf("%vcontainers[%d]", [start_of_path, j])) + finalPath := array.concat([result], pathMounts) msga := { "alertMessage": sprintf("%v: %v has: %v as volume with potential credentials access.", [resources.kind, resources.metadata.name, volume.name]), "packagename": "armo_builtins", "alertScore": 7, - "deletePaths": [result], - "failedPaths": [result], + "deletePaths": finalPath, + "failedPaths": finalPath, "fixPaths":[], "alertObject": { "k8sApiObjects": [resources] 
@@ -25,24 +29,23 @@ deny[msga] { } } - -# get_volume - get resource volumes paths for {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} -get_volumes(resources) := result { +# get_volume - get resource spec paths for {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} +get_pod_spec(resources) := result { resources_kinds := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} resources_kinds[resources.kind] - result = {"volumes": resources.spec.template.spec.volumes, "start_of_path": "spec.template.spec."} + result = {"spec": resources.spec.template.spec, "start_of_path": "spec.template.spec."} } -# get_volume - get resource volumes paths for "Pod" -get_volumes(resources) := result { +# get_volume - get resource spec paths for "Pod" +get_pod_spec(resources) := result { resources.kind == "Pod" - result = {"volumes": resources.spec.volumes, "start_of_path": "spec."} + result = {"spec": resources.spec, "start_of_path": "spec."} } -# get_volume - get resource volumes paths for "CronJob" -get_volumes(resources) := result { +# get_volume - get resource spec paths for "CronJob" +get_pod_spec(resources) := result { resources.kind == "CronJob" - result = {"volumes": resources.spec.jobTemplate.spec.template.spec.volumes, "start_of_path": "spec.jobTemplate.spec.template.spec."} + result = {"spec": resources.spec.jobTemplate.spec.template.spec, "start_of_path": "spec.jobTemplate.spec.template.spec."} } @@ -50,7 +53,7 @@ get_volumes(resources) := result { is_unsafe_paths(volume, start_of_path, provider, i) = result { unsafe := unsafe_paths(provider) unsafe[_] == fix_path(volume.hostPath.path) - result= sprintf("%vvolumes[%d].hostPath.path", [start_of_path, i]) + result = sprintf("%vvolumes[%d]", [start_of_path, i]) } 
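Review bot: The three comments above the renamed helper still begin with `# get_volume - …` while the function is now `get_pod_spec`, so the rename is only half applied in the documentation. Rename them to match, e.g. `# get_pod_spec - returns the pod spec and its path prefix for {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}`, and say in the first one that the result carries the whole spec so the caller can read both `volumes` and `containers` from it rather than only the volumes as before.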
@@ -89,3 +92,7 @@ unsafe_paths(x) := ["/.config/gcloud/", "/.config/gcloud/application_default_credentials.json", "/gcloud/application_default_credentials.json"] if {x=="gke"} +volume_mounts(name, volume_mounts, str) = [path] { + name == volume_mounts[j].name + path := sprintf("%s.volumeMounts[%v]", [str, j]) +} else = [] \ No newline at end of file diff --git a/rules/alert-mount-potential-credentials-paths/rule.metadata.json b/rules/alert-mount-potential-credentials-paths/rule.metadata.json index 10ea952cc..58c0eb9dc 100644 --- a/rules/alert-mount-potential-credentials-paths/rule.metadata.json +++ b/rules/alert-mount-potential-credentials-paths/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "alert-mount-potential-credentials-paths", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/alert-mount-potential-credentials-paths/test/deployment_eks_failed/expected.json b/rules/alert-mount-potential-credentials-paths/test/deployment_eks_failed/expected.json index bf74987c4..4b25ada8c 100644 --- a/rules/alert-mount-potential-credentials-paths/test/deployment_eks_failed/expected.json +++ b/rules/alert-mount-potential-credentials-paths/test/deployment_eks_failed/expected.json @@ -2,7 +2,12 @@ { "alertMessage": "Deployment: my-deployment has: test-volume as volume with potential credentials access.", "failedPaths": [ - "spec.template.spec.volumes[0].hostPath.path" + "spec.template.spec.volumes[0]", + "spec.template.spec.containers[0].volumeMounts[0]" + ], + "deletePaths": [ + "spec.template.spec.volumes[0]", + "spec.template.spec.containers[0].volumeMounts[0]" ], "fixPaths": [], "ruleStatus": "", 
@@ -26,7 +31,12 @@ { "alertMessage": "Deployment: my-deployment has: test-volume2 as volume with potential credentials access.", "failedPaths": [ - "spec.template.spec.volumes[1].hostPath.path" + "spec.template.spec.volumes[1]", + "spec.template.spec.containers[0].volumeMounts[1]" + ], + "deletePaths": [ + "spec.template.spec.volumes[1]", + "spec.template.spec.containers[0].volumeMounts[1]" ], "fixPaths": [], "ruleStatus": "", diff --git a/rules/alert-mount-potential-credentials-paths/test/deployment_eks_failed/input/deployment.yaml b/rules/alert-mount-potential-credentials-paths/test/deployment_eks_failed/input/deployment.yaml index cf95f620b..aa07d6fa6 100644 --- a/rules/alert-mount-potential-credentials-paths/test/deployment_eks_failed/input/deployment.yaml +++ b/rules/alert-mount-potential-credentials-paths/test/deployment_eks_failed/input/deployment.yaml @@ -23,7 +23,7 @@ spec: name : test-volume - mountPath : /test-pd2 - name : test-volume + name : test-volume2 volumes : - name : test-volume hostPath : diff --git a/rules/alert-mount-potential-credentials-paths/test/pod_eks_failed/expected.json b/rules/alert-mount-potential-credentials-paths/test/pod_eks_failed/expected.json index 588e86d77..00f0f7995 100644 --- a/rules/alert-mount-potential-credentials-paths/test/pod_eks_failed/expected.json +++ b/rules/alert-mount-potential-credentials-paths/test/pod_eks_failed/expected.json 
@@ -1,21 +1,28 @@ -{ - "alertMessage": "Pod: test-pd has: test-volume as volume with potential credentials access.", - "failedPaths": [ - "spec.volumes[0].hostPath.path" - ], - "fixPaths": [], - "ruleStatus": "", - "packagename": "armo_builtins", - "alertScore": 7, - "alertObject": { - "k8sApiObjects": [ - { - "apiVersion": "v1", - "kind": "Pod", - "metadata": { - "name": "test-pd" +[ + { + "alertMessage": "Pod: test-pd has: test-volume as volume with potential credentials access.", + "failedPaths": [ + "spec.volumes[0]", + "spec.containers[0].volumeMounts[0]" + ], + "deletePaths": [ + "spec.volumes[0]", + "spec.containers[0].volumeMounts[0]" + ], + "fixPaths": [], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "test-pd" + } } - } - ] + ] + } } -} \ No newline at end of file +] \ No newline at end of file diff --git a/rules/alert-rw-hostpath/raw.rego b/rules/alert-rw-hostpath/raw.rego index 96195abb3..d3f989e09 100644 --- a/rules/alert-rw-hostpath/raw.rego +++ b/rules/alert-rw-hostpath/raw.rego @@ -12,9 +12,7 @@ deny[msga] { volume_mount := container.volumeMounts[k] volume_mount.name == volume.name start_of_path := "spec." - result := is_rw_mount(volume_mount, start_of_path, i, k) - failed_path := get_failed_path(result) - fixed_path := get_fixed_path(result) + fix_path := is_rw_mount(volume_mount, start_of_path, i, k) podname := pod.metadata.name @@ -22,9 +20,7 @@ deny[msga] { "alertMessage": sprintf("pod: %v has: %v as hostPath volume", [podname, volume.name]), "packagename": "armo_builtins", "alertScore": 7, - "fixPaths": fixed_path, - "deletePaths": failed_path, - "failedPaths": failed_path, + "fixPaths": [fix_path], "alertObject": { "k8sApiObjects": [pod] } 
@@ -43,17 +39,13 @@ deny[msga] { volume_mount := container.volumeMounts[k] volume_mount.name == volume.name start_of_path := "spec.template.spec." - result := is_rw_mount(volume_mount, start_of_path, i, k) - failed_path := get_failed_path(result) - fixed_path := get_fixed_path(result) + fix_path := is_rw_mount(volume_mount, start_of_path, i, k) msga := { "alertMessage": sprintf("%v: %v has: %v as hostPath volume", [wl.kind, wl.metadata.name, volume.name]), "packagename": "armo_builtins", "alertScore": 7, - "fixPaths": fixed_path, - "deletePaths": failed_path, - "failedPaths": failed_path, + "fixPaths": [fix_path], "alertObject": { "k8sApiObjects": [wl] } 
@@ -73,43 +65,22 @@ deny[msga] { volume_mount := container.volumeMounts[k] volume_mount.name == volume.name start_of_path := "spec.jobTemplate.spec.template.spec." - result := is_rw_mount(volume_mount, start_of_path, i, k) - failed_path := get_failed_path(result) - fixed_path := get_fixed_path(result) + fix_path := is_rw_mount(volume_mount, start_of_path, i, k) msga := { "alertMessage": sprintf("%v: %v has: %v as hostPath volume", [wl.kind, wl.metadata.name, volume.name]), "packagename": "armo_builtins", "alertScore": 7, - "fixPaths": fixed_path, - "deletePaths": failed_path, - "failedPaths": failed_path, + "fixPaths": [fix_path], "alertObject": { "k8sApiObjects": [wl] } } } -get_failed_path(paths) = [paths[0]] { - paths[0] != "" -} else = [] - -get_fixed_path(paths) = [paths[1]] { - paths[1] != "" -} else = [] - - -is_rw_mount(mount, start_of_path, i, k) = [failed_path, fix_path] { +is_rw_mount(mount, start_of_path, i, k) = fix_path { not mount.readOnly == true - not mount.readOnly == false - failed_path = "" - fix_path = {"path": sprintf("%vcontainers[%v].volumeMounts[%v].readOnly", [start_of_path, format_int(i, 10), format_int(k, 10)]), "value":"true"} + fix_path = {"path": sprintf("%vcontainers[%v].volumeMounts[%v].readOnly", [start_of_path, i, k]), "value":"true"} } - -is_rw_mount(mount, start_of_path, i, k) = [failed_path, fix_path] { - mount.readOnly == false - failed_path = sprintf("%vcontainers[%v].volumeMounts[%v].readOnly", [start_of_path, format_int(i, 10), format_int(k, 10)]) - fix_path = "" -} \ No newline at end of file diff --git a/rules/alert-rw-hostpath/rule.metadata.json b/rules/alert-rw-hostpath/rule.metadata.json index c41eddc35..f502cdb97 100644 --- a/rules/alert-rw-hostpath/rule.metadata.json +++ b/rules/alert-rw-hostpath/rule.metadata.json 
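Review bot: The rewritten `is_rw_mount` now carries the whole detection condition in a single `not mount.readOnly == true` with no comment, and it is no longer visible from the file that an absent `readOnly` and an explicit `readOnly: false` are both treated as writable (the deleted second definition used to spell that case out). Add `# A hostPath mount is writable unless readOnly is explicitly true; an absent field and readOnly: false both match. The finding is reported as a fix (set readOnly: true) rather than as a failed path.` above the definition. Whether dropping `failedPaths`/`deletePaths` from this rule's results, while the sibling hostPath rules in this commit still emit both alongside `fixPaths`, is intended depends on the result consumer, which is outside the diff; recording the reason in that comment would save the next reader the same question.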
@@ -1,8 +1,7 @@ { "name": "alert-rw-hostpath", "attributes": { - "m$K8sThreatMatrix": "Persistence::Writable hostPath mount, Lateral Movement::Writable volume mounts on the host", - "armoBuiltin": true + "m$K8sThreatMatrix": "Persistence::Writable hostPath mount, Lateral Movement::Writable volume mounts on the host" }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/alert-rw-hostpath/test/deployment/expected.json b/rules/alert-rw-hostpath/test/deployment/expected.json index 9781faf1d..f142fca21 100644 --- a/rules/alert-rw-hostpath/test/deployment/expected.json +++ b/rules/alert-rw-hostpath/test/deployment/expected.json 
@@ -1,42 +1,54 @@ -[{ - "alertMessage": "Deployment: my-deployment has: test-volume as hostPath volume", - "failedPaths": ["spec.template.spec.containers[0].volumeMounts[0].readOnly"], - "fixPaths": [], - "ruleStatus": "", - "packagename": "armo_builtins", - "alertScore": 7, - "alertObject": { - "k8sApiObjects": [{ - "apiVersion": "apps/v1", - "kind": "Deployment", - "metadata": { - "labels": { - "purpose": "demonstrate-command" - }, - "name": "my-deployment" +[ + { + "alertMessage": "Deployment: my-deployment has: test-volume as hostPath volume", + "fixPaths": [ + { + "path": "spec.template.spec.containers[0].volumeMounts[0].readOnly", + "value": "true" } - }] - } -}, { - "alertMessage": "Deployment: my-deployment has: test-volume as hostPath volume", - "failedPaths": [], - "fixPaths": [{ - "path": "spec.template.spec.containers[0].volumeMounts[1].readOnly", - "value": "true" - }], - "ruleStatus": "", - "packagename": "armo_builtins", - "alertScore": 7, - "alertObject": { - "k8sApiObjects": [{ - "apiVersion": "apps/v1", - "kind": "Deployment", - "metadata": { - "labels": { - "purpose": "demonstrate-command" - }, - "name": "my-deployment" + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "labels": { + "purpose": "demonstrate-command" + }, + "name": "my-deployment" + } + } + ] + } + }, + { + "alertMessage": "Deployment: my-deployment has: test-volume as hostPath volume", + "fixPaths": [ + { + "path": "spec.template.spec.containers[0].volumeMounts[1].readOnly", + "value": "true" } - }] + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "labels": { + "purpose": "demonstrate-command" + }, + "name": "my-deployment" + } + } + ] + } } -}] \ No newline at end of file +] \ No newline at end of file 
diff --git a/rules/anonymous-access-enabled/rule.metadata.json b/rules/anonymous-access-enabled/rule.metadata.json index ed0b38635..8419cd25d 100644 --- a/rules/anonymous-access-enabled/rule.metadata.json +++ b/rules/anonymous-access-enabled/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "anonymous-access-enabled", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/anonymous-access-enabled/test/fail/expected.json b/rules/anonymous-access-enabled/test/fail/expected.json index f3757ef2f..22406d5f3 100644 --- a/rules/anonymous-access-enabled/test/fail/expected.json +++ b/rules/anonymous-access-enabled/test/fail/expected.json @@ -1,6 +1,7 @@ [ { "alertMessage": "the following RoleBinding: system:public-info-viewer gives permissions to anonymous users", + "deletePaths": ["subjects[1]"], "failedPaths": ["subjects[1]"], "fixPaths": null, "ruleStatus": "", diff --git a/rules/anonymous-requests-to-kubelet-updated/raw.rego b/rules/anonymous-requests-to-kubelet-updated/raw.rego index 462306ce7..f09b64710 100644 --- a/rules/anonymous-requests-to-kubelet-updated/raw.rego +++ b/rules/anonymous-requests-to-kubelet-updated/raw.rego @@ -22,25 +22,6 @@ deny[msga] { } } -deny[msga] { - obj := input[_] - is_kubelet_info(obj) - command := obj.data.cmdLine - - not contains(command, "--anonymous-auth") - not contains(command, "--config") - - external_obj := json.filter(obj, ["apiVersion", "data/cmdLine", "kind", "metadata"]) - - msga := { - "alertMessage": "Anonymous requests is enabled.", - "alertScore": 7, - "failedPaths": [], - "fixPaths": [], - "packagename": "armo_builtins", - "alertObject": {"externalObjects": external_obj}, - } -} deny[msga] { obj := input[_] 
@@ -52,7 +33,7 @@ deny[msga] { decodedConfigContent := base64.decode(obj.data.configFile.content) yamlConfig := yaml.unmarshal(decodedConfigContent) - not yamlConfig.authentication.anonymous.enabled == false + yamlConfig.authentication.anonymous.enabled == true msga := { "alertMessage": "Anonymous requests is enabled.", diff --git a/rules/anonymous-requests-to-kubelet-updated/rule.metadata.json b/rules/anonymous-requests-to-kubelet-updated/rule.metadata.json index dc9d88007..bb5f93163 100644 --- a/rules/anonymous-requests-to-kubelet-updated/rule.metadata.json +++ b/rules/anonymous-requests-to-kubelet-updated/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "anonymous-requests-to-kubelet-service-updated", "attributes": { - "armoBuiltin": true, "hostSensorRule": "true" }, "ruleLanguage": "Rego", diff --git a/rules/anonymous-requests-to-kubelet-updated/test/invalid-config-no-value/expected.json b/rules/anonymous-requests-to-kubelet-updated/test/invalid-config-no-value/expected.json index e8f1d1429..0637a088a 100644 --- a/rules/anonymous-requests-to-kubelet-updated/test/invalid-config-no-value/expected.json +++ b/rules/anonymous-requests-to-kubelet-updated/test/invalid-config-no-value/expected.json 
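Review bot: The new condition `yamlConfig.authentication.anonymous.enabled == true` only fires on an explicit `true`, so a config file that omits the key is no longer reported; as far as I recall KubeletConfiguration defaults that field to false, so this is the right reading of the config file, but the code should say so: `# KubeletConfiguration defaults authentication.anonymous.enabled to false; only an explicit true is a finding`. Note the interaction with the clause deleted earlier in this file (the `-22,25` hunk on the previous line), which covered a kubelet started with neither `--config` nor `--anonymous-auth`: for that case the flag default is, as far as I recall, true, so after this change such a kubelet produces no finding at all (the `no-cli-params` fixture now expects `[]`). Keeping a cmdLine-only clause for the no-flag, no-config case would close that gap. The enclosing `deny` rule starts outside the hunk.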
@@ -1,25 +1 @@ -[ - { - "alertMessage": "Anonymous requests is enabled.", - "alertObject": { - "externalObjects": { - "apiVersion": "hostdata.kubescape.cloud/v1beta0", - "data": { - "configFile": { - "content": "apiVersion: kubelet.config.k8s.io/v1beta1\nstreamingConnectionIdleTimeout: 0\neventRecordQPS: 0\nprotectKernelDefaults: false\nauthentication:\n webhook:\n cacheTTL: 0s\n enabled: true\n x509:\n clientCAFile: /var/lib/minikube/certs/ca.crt\nauthorization:\n mode: Webhook\n webhook:\n cacheAuthorizedTTL: 0s\n cacheUnauthorizedTTL: 0s" - } - }, - "kind": "KubeletInfo", - "metadata": { - "name": "" - } - } - }, - "alertScore": 7, - "failedPaths": [ - "authentication.anonymous.enabled" - ], - "fixPaths": [], - "packagename": "armo_builtins" - } -] \ No newline at end of file +[] \ No newline at end of file diff --git a/rules/anonymous-requests-to-kubelet-updated/test/invalid-config-value/expected.json b/rules/anonymous-requests-to-kubelet-updated/test/invalid-config-value/expected.json index 28962d390..3e0dd71cd 100644 --- a/rules/anonymous-requests-to-kubelet-updated/test/invalid-config-value/expected.json +++ b/rules/anonymous-requests-to-kubelet-updated/test/invalid-config-value/expected.json @@ -16,6 +16,9 @@ } }, "alertScore": 7, + "reviewPaths": [ + "authentication.anonymous.enabled" + ], "failedPaths": [ "authentication.anonymous.enabled" ], diff --git a/rules/anonymous-requests-to-kubelet-updated/test/no-cli-params/expected.json b/rules/anonymous-requests-to-kubelet-updated/test/no-cli-params/expected.json index a1644b5b3..0637a088a 100644 --- a/rules/anonymous-requests-to-kubelet-updated/test/no-cli-params/expected.json +++ b/rules/anonymous-requests-to-kubelet-updated/test/no-cli-params/expected.json 
@@ -1,22 +1 @@ -[ - { - "alertMessage": "Anonymous requests is enabled.", - "alertObject": { - "externalObjects": { - "apiVersion": "hostdata.kubescape.cloud/v1beta0", - "data": { - "cmdLine": "/var/lib/minikube/binaries/v1.23.1/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf" - }, - "kind": "KubeletInfo", - "metadata": { - "name": "" - } - } - }, - "alertScore": 7, - "failedPaths": [], - "fixPaths": [], - "ruleStatus": "", - "packagename": "armo_builtins" - } -] \ No newline at end of file +[] \ No newline at end of file diff --git a/rules/anonymous-requests-to-kubelet-updated/test/valid-cli/input/kubelet-info.json b/rules/anonymous-requests-to-kubelet-updated/test/valid-cli/input/kubelet-info.json index 0dc5f80f7..760292ad6 100644 --- a/rules/anonymous-requests-to-kubelet-updated/test/valid-cli/input/kubelet-info.json +++ b/rules/anonymous-requests-to-kubelet-updated/test/valid-cli/input/kubelet-info.json @@ -2,7 +2,7 @@ "apiVersion": "hostdata.kubescape.cloud/v1beta0", "kind": "KubeletInfo", "data": { - "cmdLine": "/var/lib/minikube/binaries/v1.23.1/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --anonymous-auth=false --config=ss", + "cmdLine": "/var/lib/minikube/binaries/v1.23.1/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --config=ss", "configFile": { "content": "YXBpVmVyc2lvbjoga3ViZWxldC5jb25maWcuazhzLmlvL3YxYmV0YTEKc3RyZWFtaW5nQ29ubmVjdGlvbklkbGVUaW1lb3V0OiAwCmV2ZW50UmVjb3JkUVBTOiAwCnByb3RlY3RLZXJuZWxEZWZhdWx0czogZmFsc2UKYXV0aGVudGljYXRpb246CiAgYW5vbnltb3VzOgogICAgZW5hYmxlZDogZmFsc2UKICB3ZWJob29rOgogICAgY2FjaGVUVEw6IDBzCiAgICBlbmFibGVkOiB0cnVlCiAgeDUwOToKICAgIGNsaWVudENBRmlsZTogL3Zhci9saWIvbWluaWt1YmUvY2VydHMvY2EuY3J0CmF1dGhvcml6YXRpb246CiAgbW9kZTogV2ViaG9vawogIHdlYmhvb2s6CiAgICBjYWNoZUF1dGhvcml6ZWRUVEw6IDBzCiAgICBjYWNoZVVuYXV0aG9yaXplZFRUTDogMHM=" } diff --git a/rules/audit-policy-content/rule.metadata.json b/rules/audit-policy-content/rule.metadata.json index b68e74cf5..ebbc8faa1 100644 
--- a/rules/audit-policy-content/rule.metadata.json +++ b/rules/audit-policy-content/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "audit-policy-content", "attributes": { - "armoBuiltin": true, "hostSensorRule": "true" }, "ruleLanguage": "Rego", diff --git a/rules/automount-default-service-account/rule.metadata.json b/rules/automount-default-service-account/rule.metadata.json index 5c9ed5ebc..492e39d30 100644 --- a/rules/automount-default-service-account/rule.metadata.json +++ b/rules/automount-default-service-account/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "automount-default-service-account", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/automount-default-service-account/test/both-mount-default/expected.json b/rules/automount-default-service-account/test/both-mount-default/expected.json index 58f508865..f5d3e170e 100644 --- a/rules/automount-default-service-account/test/both-mount-default/expected.json +++ b/rules/automount-default-service-account/test/both-mount-default/expected.json @@ -1,5 +1,6 @@ [{ "alertMessage": "the following service account: default in the following namespace: default mounts service account tokens in pods by default", + "deletePaths": [], "failedPaths": [], "fixPaths": [{ "path": "automountServiceAccountToken", diff --git a/rules/automount-default-service-account/test/both-mount/expected.json b/rules/automount-default-service-account/test/both-mount/expected.json index 38d6f3e6c..a34721287 100644 --- a/rules/automount-default-service-account/test/both-mount/expected.json +++ b/rules/automount-default-service-account/test/both-mount/expected.json @@ -1,5 +1,6 @@ [{ "alertMessage": "the following service account: default in the following namespace: default mounts service account tokens in pods by default", + "deletePaths": ["automountServiceAccountToken"], "failedPaths": ["automountServiceAccountToken"], "fixPaths": [], "ruleStatus": "", 
diff --git a/rules/automount-default-service-account/test/sa-mount/expected.json b/rules/automount-default-service-account/test/sa-mount/expected.json index 38d6f3e6c..a34721287 100644 --- a/rules/automount-default-service-account/test/sa-mount/expected.json +++ b/rules/automount-default-service-account/test/sa-mount/expected.json @@ -1,5 +1,6 @@ [{ "alertMessage": "the following service account: default in the following namespace: default mounts service account tokens in pods by default", + "deletePaths": ["automountServiceAccountToken"], "failedPaths": ["automountServiceAccountToken"], "fixPaths": [], "ruleStatus": "", diff --git a/rules/automount-service-account/rule.metadata.json b/rules/automount-service-account/rule.metadata.json index f007931a9..39cbac449 100644 --- a/rules/automount-service-account/rule.metadata.json +++ b/rules/automount-service-account/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "automount-service-account", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/automount-service-account/test/both-mount-default/expected.json b/rules/automount-service-account/test/both-mount-default/expected.json index 58f508865..8e717a17a 100644 --- a/rules/automount-service-account/test/both-mount-default/expected.json +++ b/rules/automount-service-account/test/both-mount-default/expected.json @@ -1,6 +1,7 @@ [{ "alertMessage": "the following service account: default in the following namespace: default mounts service account tokens in pods by default", "failedPaths": [], + "deletePaths": [], "fixPaths": [{ "path": "automountServiceAccountToken", "value": "false" diff --git a/rules/automount-service-account/test/both-mount/expected.json b/rules/automount-service-account/test/both-mount/expected.json index 38d6f3e6c..a34721287 100644 --- a/rules/automount-service-account/test/both-mount/expected.json +++ b/rules/automount-service-account/test/both-mount/expected.json 
@@ -1,5 +1,6 @@ [{ "alertMessage": "the following service account: default in the following namespace: default mounts service account tokens in pods by default", + "deletePaths": ["automountServiceAccountToken"], "failedPaths": ["automountServiceAccountToken"], "fixPaths": [], "ruleStatus": "", diff --git a/rules/automount-service-account/test/sa-mount/expected.json b/rules/automount-service-account/test/sa-mount/expected.json index 38d6f3e6c..a34721287 100644 --- a/rules/automount-service-account/test/sa-mount/expected.json +++ b/rules/automount-service-account/test/sa-mount/expected.json @@ -1,5 +1,6 @@ [{ "alertMessage": "the following service account: default in the following namespace: default mounts service account tokens in pods by default", + "deletePaths": ["automountServiceAccountToken"], "failedPaths": ["automountServiceAccountToken"], "fixPaths": [], "ruleStatus": "", diff --git a/rules/cluster-admin-role/rule.metadata.json b/rules/cluster-admin-role/rule.metadata.json index aebce77d0..fccdec3f6 100644 --- a/rules/cluster-admin-role/rule.metadata.json +++ b/rules/cluster-admin-role/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "cluster-admin-role", "attributes": { - "armoBuiltin": true, "resourcesAggregator": "subject-role-rolebinding", "useFromKubescapeVersion": "v1.0.133" }, diff --git a/rules/cluster-admin-role/test/clusterrole-clusterrolebinding/expected.json b/rules/cluster-admin-role/test/clusterrole-clusterrolebinding/expected.json index 1ef9b1b2a..455a17e54 100644 --- a/rules/cluster-admin-role/test/clusterrole-clusterrolebinding/expected.json +++ b/rules/cluster-admin-role/test/clusterrole-clusterrolebinding/expected.json 
@@ -1,6 +1,13 @@ [ { "alertMessage": "Subject: Group-dev is bound to cluster-admin role", + "deletePaths": [ + "relatedObjects[1].rules[0].resources[0]", + "relatedObjects[1].rules[0].verbs[1]", + "relatedObjects[1].rules[0].apiGroups[0]", + "relatedObjects[0].subjects[1]", + "relatedObjects[0].roleRef.name" + ], "failedPaths": [ "relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].verbs[1]", @@ -71,6 +78,13 @@ }, { "alertMessage": "Subject: Group-manager is bound to cluster-admin role", + "deletePaths": [ + "relatedObjects[1].rules[0].resources[0]", + "relatedObjects[1].rules[0].verbs[1]", + "relatedObjects[1].rules[0].apiGroups[0]", + "relatedObjects[0].subjects[0]", + "relatedObjects[0].roleRef.name" + ], "failedPaths": [ "relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].verbs[1]", diff --git a/rules/configmap-in-default-namespace/rule.metadata.json b/rules/configmap-in-default-namespace/rule.metadata.json index 100d36e58..9b1bd6cce 100644 --- a/rules/configmap-in-default-namespace/rule.metadata.json +++ b/rules/configmap-in-default-namespace/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "configmap-in-default-namespace", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/configmap-in-default-namespace/test/configmap/expected.json b/rules/configmap-in-default-namespace/test/configmap/expected.json index 656beee22..e7cec61ce 100644 --- a/rules/configmap-in-default-namespace/test/configmap/expected.json +++ b/rules/configmap-in-default-namespace/test/configmap/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "ConfigMap: kubescape is in the 'default' namespace", + "reviewPaths": [ + "metadata.namespace" + ], "failedPaths": [ "metadata.namespace" ], diff --git a/rules/configured-liveness-probe/rule.metadata.json b/rules/configured-liveness-probe/rule.metadata.json index 6e2247163..fbc8c3449 100644 --- a/rules/configured-liveness-probe/rule.metadata.json 
+++ b/rules/configured-liveness-probe/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "configured-liveness-probe", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/configured-readiness-probe/rule.metadata.json b/rules/configured-readiness-probe/rule.metadata.json index ae6c96313..1b75c1ec4 100644 --- a/rules/configured-readiness-probe/rule.metadata.json +++ b/rules/configured-readiness-probe/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "configured-readiness-probe", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/container-hostPort/rule.metadata.json b/rules/container-hostPort/rule.metadata.json index 6f59ab962..3ee8ab535 100644 --- a/rules/container-hostPort/rule.metadata.json +++ b/rules/container-hostPort/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "container-hostPort", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/container-hostPort/test/cronjob/expected.json b/rules/container-hostPort/test/cronjob/expected.json index 9f52c82f7..30628ea84 100644 --- a/rules/container-hostPort/test/cronjob/expected.json +++ b/rules/container-hostPort/test/cronjob/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "Container: influxdb in CronJob: hello has Host-port", + "deletePaths": [ + "spec.jobTemplate.spec.template.spec.containers[0].ports[1].hostPort" + ], "failedPaths": [ "spec.jobTemplate.spec.template.spec.containers[0].ports[1].hostPort" ], diff --git a/rules/container-hostPort/test/pod/expected.json b/rules/container-hostPort/test/pod/expected.json index cc444736a..1ee69de26 100644 --- a/rules/container-hostPort/test/pod/expected.json +++ b/rules/container-hostPort/test/pod/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "Container: influxdb has Host-port", + "deletePaths": [ + "spec.containers[0].ports[0].hostPort" + ], "failedPaths": [ "spec.containers[0].ports[0].hostPort" ], 
diff --git a/rules/container-image-repository-v1/rule.metadata.json b/rules/container-image-repository-v1/rule.metadata.json index 292c8495d..22cba00f5 100644 --- a/rules/container-image-repository-v1/rule.metadata.json +++ b/rules/container-image-repository-v1/rule.metadata.json @@ -2,7 +2,6 @@ "name": "container-image-repository-v1", "attributes": { "m$K8sThreatMatrix": "Collection::Images from private registry", - "armoBuiltin": true, "useFromKubescapeVersion": "v2.9.0" }, "ruleLanguage": "Rego", diff --git a/rules/container-image-repository/rule.metadata.json b/rules/container-image-repository/rule.metadata.json index 989bceb09..7be7bbf89 100644 --- a/rules/container-image-repository/rule.metadata.json +++ b/rules/container-image-repository/rule.metadata.json @@ -2,7 +2,6 @@ "name": "container-image-repository", "attributes": { "m$K8sThreatMatrix": "Collection::Images from private registry", - "armoBuiltin": true, "useUntilKubescapeVersion": "v2.3.8" }, "ruleLanguage": "Rego", diff --git a/rules/container-image-repository/test/cronjob-failed/expected.json b/rules/container-image-repository/test/cronjob-failed/expected.json index 85752a127..71c7be5e6 100644 --- a/rules/container-image-repository/test/cronjob-failed/expected.json +++ b/rules/container-image-repository/test/cronjob-failed/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "image 'influxdb' in container 'influxdb' comes from untrusted registry", + "reviewPaths": [ + "spec.jobTemplate.spec.template.spec.containers[0].image" + ], "failedPaths": [ "spec.jobTemplate.spec.template.spec.containers[0].image" ], diff --git a/rules/container-image-repository/test/pod-failed/expected.json b/rules/container-image-repository/test/pod-failed/expected.json index 0aa9115a3..a58b50872 100644 --- a/rules/container-image-repository/test/pod-failed/expected.json +++ b/rules/container-image-repository/test/pod-failed/expected.json 
@@ -1,6 +1,9 @@ [ { "alertMessage": "image 'debian' in container 'command-demo-container' comes from untrusted registry", + "reviewPaths": [ + "spec.containers[0].image" + ], "failedPaths": [ "spec.containers[0].image" ], diff --git a/rules/container-image-repository/test/workload-failed/expected.json b/rules/container-image-repository/test/workload-failed/expected.json index 9f714e929..fef767bd4 100644 --- a/rules/container-image-repository/test/workload-failed/expected.json +++ b/rules/container-image-repository/test/workload-failed/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "image 'k8s.gcb.io/goproxy:0.1' in container 'goproxy' comes from untrusted registry", + "reviewPaths": [ + "spec.template.spec.containers[0].image" + ], "failedPaths": [ "spec.template.spec.containers[0].image" ], diff --git a/rules/containers-mounting-docker-socket/raw.rego b/rules/containers-mounting-docker-socket/raw.rego index 9c74778af..b52a6b453 100644 --- a/rules/containers-mounting-docker-socket/raw.rego +++ b/rules/containers-mounting-docker-socket/raw.rego @@ -7,12 +7,15 @@ deny[msga] { volume := pod.spec.volumes[i] host_path := volume.hostPath is_runtime_socket_mounting(host_path) - path := sprintf("spec.volumes[%v].hostPath.path", [format_int(i, 10)]) + path := sprintf("spec.volumes[%v]", [format_int(i, 10)]) + volumeMounts := pod.spec.containers[j].volumeMounts + pathMounts = volume_mounts(volume.name, volumeMounts, sprintf("spec.containers[%v]", [j])) + finalPath := array.concat([path], pathMounts) msga := { "alertMessage": sprintf("volume: %v in pod: %v has mounting to Docker internals.", [volume.name, pod.metadata.name]), "packagename": "armo_builtins", - "deletePaths": [path], - "failedPaths": [path], + "deletePaths":finalPath, + "failedPaths": finalPath, "fixPaths":[], "alertScore": 5, "alertObject": { 
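Review bot: `pod.spec.containers[j].volumeMounts` is undefined for a container that declares no `volumeMounts`, and `j` is a free variable, so a pod whose containers all lack `volumeMounts` now yields no finding at all even though the docker-socket `hostPath` volume is still declared; the replaced line reported the volume unconditionally. Conversely, when several containers carry `volumeMounts`, each binding of `j` produces its own `msga` (they differ in `finalPath`), so as far as I can tell one volume can surface as several findings. Collecting the mount paths in a single comprehension fixes both: it is `[]` when nothing mounts the volume and gives one finding per volume. The same pattern is in the two hunks on the next line (`spec.template.spec` and `spec.jobTemplate.spec.template.spec`), and `pathMounts = …` should use `:=` like its neighbours. The enclosing `deny` rule starts outside the hunk.
```rego
    path := sprintf("spec.volumes[%v]", [format_int(i, 10)])
    # One finding per volume: collect every container/mount that references it.
    # Containers without volumeMounts simply contribute nothing.
    pathMounts := [mountPath |
        some j, k
        mount := pod.spec.containers[j].volumeMounts[k]
        mount.name == volume.name
        mountPath := sprintf("spec.containers[%v].volumeMounts[%v]", [j, k])
    ]
    finalPath := array.concat([path], pathMounts)
    # … unchanged: msga construction …
```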
@@ -30,12 +33,15 @@ deny[msga] { volume := wl.spec.template.spec.volumes[i] host_path := volume.hostPath is_runtime_socket_mounting(host_path) - path := sprintf("spec.template.spec.volumes[%v].hostPath.path", [format_int(i, 10)]) + path := sprintf("spec.template.spec.volumes[%v]", [format_int(i, 10)]) + volumeMounts := wl.spec.template.spec.containers[j].volumeMounts + pathMounts = volume_mounts(volume.name,volumeMounts, sprintf("spec.template.spec.containers[%v]", [j])) + finalPath := array.concat([path], pathMounts) msga := { "alertMessage": sprintf("volume: %v in %v: %v has mounting to Docker internals.", [ volume.name, wl.kind, wl.metadata.name]), "packagename": "armo_builtins", - "deletePaths": [path], - "failedPaths": [path], + "deletePaths": finalPath, + "failedPaths": finalPath, "fixPaths":[], "alertScore": 5, "alertObject": { @@ -51,12 +57,15 @@ deny[msga] { volume = wl.spec.jobTemplate.spec.template.spec.volumes[i] host_path := volume.hostPath is_runtime_socket_mounting(host_path) - path := sprintf("spec.jobTemplate.spec.template.spec.volumes[%v].hostPath.path", [format_int(i, 10)]) + path := sprintf("spec.jobTemplate.spec.template.spec.volumes[%v]", [format_int(i, 10)]) + volumeMounts := wl.spec.jobTemplate.spec.template.spec.containers[j].volumeMounts + pathMounts = volume_mounts(volume.name,volumeMounts, sprintf("spec.jobTemplate.spec.template.spec.containers[%v]", [j])) + finalPath := array.concat([path], pathMounts) msga := { "alertMessage": sprintf("volume: %v in %v: %v has mounting to Docker internals.", [ volume.name, wl.kind, wl.metadata.name]), "packagename": "armo_builtins", - "deletePaths": [path], - "failedPaths": [path], + "deletePaths": finalPath, + "failedPaths": finalPath, "fixPaths":[], "alertScore": 5, "alertObject": { 
@@ -65,6 +74,10 @@ deny[msga] { } } +volume_mounts(name, volume_mounts, str) = [path] { + name == volume_mounts[j].name + path := sprintf("%s.volumeMounts[%v]", [str, j]) +} else = [] is_runtime_socket_mounting(host_path) { host_path.path == "/var/run/docker.sock" diff --git a/rules/containers-mounting-docker-socket/rule.metadata.json b/rules/containers-mounting-docker-socket/rule.metadata.json index 283bef733..5187c46a3 100644 --- a/rules/containers-mounting-docker-socket/rule.metadata.json +++ b/rules/containers-mounting-docker-socket/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "containers-mounting-docker-socket", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/containers-mounting-docker-socket/test/cronjob-containerd/expected.json b/rules/containers-mounting-docker-socket/test/cronjob-containerd/expected.json index e68280d60..f87bbe7f8 100644 --- a/rules/containers-mounting-docker-socket/test/cronjob-containerd/expected.json +++ b/rules/containers-mounting-docker-socket/test/cronjob-containerd/expected.json @@ -1,8 +1,14 @@ [ { "alertMessage": "volume: test-volume in CronJob: hello has mounting to Docker internals.", + "deletePaths": [ + "spec.jobTemplate.spec.template.spec.volumes[0]", + "spec.jobTemplate.spec.template.spec.containers[0].volumeMounts[0]" + + ], "failedPaths": [ - "spec.jobTemplate.spec.template.spec.volumes[0].hostPath.path" + "spec.jobTemplate.spec.template.spec.volumes[0]", + "spec.jobTemplate.spec.template.spec.containers[0].volumeMounts[0]" ], "fixPaths": [], "ruleStatus": "", diff --git a/rules/containers-mounting-docker-socket/test/cronjob-crio/expected.json b/rules/containers-mounting-docker-socket/test/cronjob-crio/expected.json index e68280d60..b14f08fb7 100644 --- a/rules/containers-mounting-docker-socket/test/cronjob-crio/expected.json +++ b/rules/containers-mounting-docker-socket/test/cronjob-crio/expected.json 
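Review bot: `volume_mounts` returns `[path]` from a single binding of `j`, so a container that mounts the same volume at two mountPaths (two `volumeMounts` entries sharing a `name`, which Kubernetes permits) makes the function produce two different outputs for the same inputs, and OPA reports that as an evaluation conflict instead of a finding. A comprehension returns every match and is naturally `[]` when there is none, so the `else` branch can go: `volume_mounts(name, volume_mounts, str) = [path | name == volume_mounts[j].name; path := sprintf("%s.volumeMounts[%v]", [str, j])] { true }`. A short comment above it, `# every volumeMounts index in one container that references volume `name`, as fix/delete paths`, would also help, since the helper's contract is otherwise only visible from the callers. `is_runtime_socket_mounting` continues outside the hunk.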
@@ -1,8 +1,13 @@ [ { "alertMessage": "volume: test-volume in CronJob: hello has mounting to Docker internals.", + "deletePaths": [ + "spec.jobTemplate.spec.template.spec.volumes[0]", + "spec.jobTemplate.spec.template.spec.containers[0].volumeMounts[0]" + ], "failedPaths": [ - "spec.jobTemplate.spec.template.spec.volumes[0].hostPath.path" + "spec.jobTemplate.spec.template.spec.volumes[0]", + "spec.jobTemplate.spec.template.spec.containers[0].volumeMounts[0]" ], "fixPaths": [], "ruleStatus": "", diff --git a/rules/containers-mounting-docker-socket/test/cronjob/expected.json b/rules/containers-mounting-docker-socket/test/cronjob/expected.json index e68280d60..f87bbe7f8 100644 --- a/rules/containers-mounting-docker-socket/test/cronjob/expected.json +++ b/rules/containers-mounting-docker-socket/test/cronjob/expected.json @@ -1,8 +1,14 @@ [ { "alertMessage": "volume: test-volume in CronJob: hello has mounting to Docker internals.", + "deletePaths": [ + "spec.jobTemplate.spec.template.spec.volumes[0]", + "spec.jobTemplate.spec.template.spec.containers[0].volumeMounts[0]" + + ], "failedPaths": [ - "spec.jobTemplate.spec.template.spec.volumes[0].hostPath.path" + "spec.jobTemplate.spec.template.spec.volumes[0]", + "spec.jobTemplate.spec.template.spec.containers[0].volumeMounts[0]" ], "fixPaths": [], "ruleStatus": "", diff --git a/rules/containers-mounting-docker-socket/test/pod-containerd/expected.json b/rules/containers-mounting-docker-socket/test/pod-containerd/expected.json index ee28e47f2..86e5dda70 100644 --- a/rules/containers-mounting-docker-socket/test/pod-containerd/expected.json +++ b/rules/containers-mounting-docker-socket/test/pod-containerd/expected.json 
@@ -1,8 +1,13 @@ [ { "alertMessage": "volume: test-volume in pod: test-pd has mounting to Docker internals.", + "deletePaths": [ + "spec.volumes[0]", + "spec.containers[0].volumeMounts[0]" + ], "failedPaths": [ - "spec.volumes[0].hostPath.path" + "spec.volumes[0]", + "spec.containers[0].volumeMounts[0]" ], "fixPaths": [], "ruleStatus": "", diff --git a/rules/containers-mounting-docker-socket/test/pod-crio/expected.json b/rules/containers-mounting-docker-socket/test/pod-crio/expected.json index ee28e47f2..86e5dda70 100644 --- a/rules/containers-mounting-docker-socket/test/pod-crio/expected.json +++ b/rules/containers-mounting-docker-socket/test/pod-crio/expected.json @@ -1,8 +1,13 @@ [ { "alertMessage": "volume: test-volume in pod: test-pd has mounting to Docker internals.", + "deletePaths": [ + "spec.volumes[0]", + "spec.containers[0].volumeMounts[0]" + ], "failedPaths": [ - "spec.volumes[0].hostPath.path" + "spec.volumes[0]", + "spec.containers[0].volumeMounts[0]" ], "fixPaths": [], "ruleStatus": "", diff --git a/rules/containers-mounting-docker-socket/test/pod/expected.json b/rules/containers-mounting-docker-socket/test/pod/expected.json index ee28e47f2..86e5dda70 100644 --- a/rules/containers-mounting-docker-socket/test/pod/expected.json +++ b/rules/containers-mounting-docker-socket/test/pod/expected.json @@ -1,8 +1,13 @@ [ { "alertMessage": "volume: test-volume in pod: test-pd has mounting to Docker internals.", + "deletePaths": [ + "spec.volumes[0]", + "spec.containers[0].volumeMounts[0]" + ], "failedPaths": [ - "spec.volumes[0].hostPath.path" + "spec.volumes[0]", + "spec.containers[0].volumeMounts[0]" ], "fixPaths": [], "ruleStatus": "", diff --git a/rules/containers-mounting-docker-socket/test/workloads-containerd/expected.json b/rules/containers-mounting-docker-socket/test/workloads-containerd/expected.json index ebbe78199..17d23ad59 100644 --- a/rules/containers-mounting-docker-socket/test/workloads-containerd/expected.json 
+++ b/rules/containers-mounting-docker-socket/test/workloads-containerd/expected.json @@ -1,8 +1,11 @@ [ { "alertMessage": "volume: test-volume2 in Deployment: my-deployment has mounting to Docker internals.", + "deletePaths": [ + "spec.template.spec.volumes[1]" + ], "failedPaths": [ - "spec.template.spec.volumes[1].hostPath.path" + "spec.template.spec.volumes[1]" ], "fixPaths": [], "ruleStatus": "", diff --git a/rules/containers-mounting-docker-socket/test/workloads-crio/expected.json b/rules/containers-mounting-docker-socket/test/workloads-crio/expected.json index ebbe78199..17d23ad59 100644 --- a/rules/containers-mounting-docker-socket/test/workloads-crio/expected.json +++ b/rules/containers-mounting-docker-socket/test/workloads-crio/expected.json @@ -1,8 +1,11 @@ [ { "alertMessage": "volume: test-volume2 in Deployment: my-deployment has mounting to Docker internals.", + "deletePaths": [ + "spec.template.spec.volumes[1]" + ], "failedPaths": [ - "spec.template.spec.volumes[1].hostPath.path" + "spec.template.spec.volumes[1]" ], "fixPaths": [], "ruleStatus": "", diff --git a/rules/containers-mounting-docker-socket/test/workloads/expected.json b/rules/containers-mounting-docker-socket/test/workloads/expected.json index ebbe78199..17d23ad59 100644 --- a/rules/containers-mounting-docker-socket/test/workloads/expected.json +++ b/rules/containers-mounting-docker-socket/test/workloads/expected.json @@ -1,8 +1,11 @@ [ { "alertMessage": "volume: test-volume2 in Deployment: my-deployment has mounting to Docker internals.", + "deletePaths": [ + "spec.template.spec.volumes[1]" + ], "failedPaths": [ - "spec.template.spec.volumes[1].hostPath.path" + "spec.template.spec.volumes[1]" ], "fixPaths": [], "ruleStatus": "", diff --git a/rules/csistoragecapacity-in-default-namespace/rule.metadata.json b/rules/csistoragecapacity-in-default-namespace/rule.metadata.json index a1d360607..a991ad8cb 100644 --- a/rules/csistoragecapacity-in-default-namespace/rule.metadata.json 
+++ b/rules/csistoragecapacity-in-default-namespace/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "csistoragecapacity-in-default-namespace", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ @@ -10,7 +9,7 @@ "storage.k8s.io" ], "apiVersions": [ - "v1beta1" + "*" ], "resources": [ "CSIStorageCapacity" diff --git a/rules/csistoragecapacity-in-default-namespace/test/csistoragecapacity/expected.json b/rules/csistoragecapacity-in-default-namespace/test/csistoragecapacity/expected.json index 0c9059593..286e75534 100644 --- a/rules/csistoragecapacity-in-default-namespace/test/csistoragecapacity/expected.json +++ b/rules/csistoragecapacity-in-default-namespace/test/csistoragecapacity/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "CSIStorageCapacity: kubescape is in the 'default' namespace", + "reviewPaths": [ + "metadata.namespace" + ], "failedPaths": [ "metadata.namespace" ], diff --git a/rules/drop-capability-netraw/rule.metadata.json b/rules/drop-capability-netraw/rule.metadata.json index d3eaba387..4f085e093 100644 --- a/rules/drop-capability-netraw/rule.metadata.json +++ b/rules/drop-capability-netraw/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "drop-capability-netraw", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/drop-capability-netraw/test/cronjob/expected.json b/rules/drop-capability-netraw/test/cronjob/expected.json index 9a0ee5d1a..b52f6557f 100644 --- a/rules/drop-capability-netraw/test/cronjob/expected.json +++ b/rules/drop-capability-netraw/test/cronjob/expected.json @@ -1,6 +1,7 @@ [ { "alertMessage": "Cronjob: hello does not drop the capability NET_RAW", + "deletePaths": [], "failedPaths": [], "fixPaths": [ { @@ -25,6 +26,7 @@ }, { "alertMessage": "Cronjob: hello does not drop the capability NET_RAW", + "deletePaths": [], "failedPaths": [], "fixPaths": [ { 
diff --git a/rules/drop-capability-netraw/test/pod/expected.json b/rules/drop-capability-netraw/test/pod/expected.json
index 5e9b32afd..5f76fb9a9 100644
--- a/rules/drop-capability-netraw/test/pod/expected.json
+++ b/rules/drop-capability-netraw/test/pod/expected.json
@@ -1,6 +1,7 @@
 [
 {
 "alertMessage": "Pod: audit-pod does not drop the capability NET_RAW",
+ "deletePaths": [],
 "failedPaths": [],
 "fixPaths": [
 {
@@ -28,6 +29,7 @@
 },
 {
 "alertMessage": "Pod: audit-pod does not drop the capability NET_RAW",
+ "deletePaths": ["spec.containers[2].securityContext.capabilities.add"],
 "failedPaths": ["spec.containers[2].securityContext.capabilities.add"],
 "fixPaths": [],
 "ruleStatus": "",
diff --git a/rules/drop-capability-netraw/test/workloads/expected.json b/rules/drop-capability-netraw/test/workloads/expected.json
index 0d6f3f776..969791ead 100644
--- a/rules/drop-capability-netraw/test/workloads/expected.json
+++ b/rules/drop-capability-netraw/test/workloads/expected.json
@@ -1,6 +1,7 @@
 [
 {
 "alertMessage": "Workload: my-deployment does not drop the capability NET_RAW",
+ "deletePaths": [],
 "failedPaths": [],
 "fixPaths": [
 {
@@ -28,6 +29,7 @@
 },
 {
 "alertMessage": "Workload: my-deployment does not drop the capability NET_RAW",
+ "deletePaths": [],
 "failedPaths": [],
 "fixPaths": [
 {
diff --git a/rules/encrypt-traffic-to-https-load-balancers-with-tls-certificates/rule.metadata.json b/rules/encrypt-traffic-to-https-load-balancers-with-tls-certificates/rule.metadata.json
index 342db3f52..e857b989d 100644
--- a/rules/encrypt-traffic-to-https-load-balancers-with-tls-certificates/rule.metadata.json
+++ b/rules/encrypt-traffic-to-https-load-balancers-with-tls-certificates/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "encrypt-traffic-to-https-load-balancers-with-tls-certificates",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "false",
 "imageScanRelated": false
 },
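Review bot: In the second hunk of the pod fixture, `deletePaths` points at the whole `spec.containers[2].securityContext.capabilities.add` list rather than at the `NET_RAW` element inside it, so applying the fix would also strip any other capabilities that container adds on purpose. If the rule can locate the offending entry, an indexed path such as `spec.containers[2].securityContext.capabilities.add[<index>]` (placeholder index) would be a more precise remediation; if the broad deletion is intended, the fixture or the rule should say so. The fixture presumably mirrors the rule's Rego output, which is not in this chunk.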
diff --git a/rules/encrypt-traffic-to-https-load-balancers-with-tls-certificates/test/failed_ingress_tls_not_set/expected.json b/rules/encrypt-traffic-to-https-load-balancers-with-tls-certificates/test/failed_ingress_tls_not_set/expected.json
index d494ee7d6..9cf59bbd9 100644
--- a/rules/encrypt-traffic-to-https-load-balancers-with-tls-certificates/test/failed_ingress_tls_not_set/expected.json
+++ b/rules/encrypt-traffic-to-https-load-balancers-with-tls-certificates/test/failed_ingress_tls_not_set/expected.json
@@ -4,6 +4,7 @@
 "alertMessage": "Ingress object has 'spec.tls' value not set.",
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": ["spec.tls"],
 "failedPaths": ["spec.tls"],
 "fixPaths":[],
 "alertObject": {
diff --git a/rules/endpoints-in-default-namespace/rule.metadata.json b/rules/endpoints-in-default-namespace/rule.metadata.json
index 16dd4da7b..974e90296 100644
--- a/rules/endpoints-in-default-namespace/rule.metadata.json
+++ b/rules/endpoints-in-default-namespace/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "endpoints-in-default-namespace",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/endpoints-in-default-namespace/test/endpoints/expected.json b/rules/endpoints-in-default-namespace/test/endpoints/expected.json
index e44bbe18f..8eedd1cb2 100644
--- a/rules/endpoints-in-default-namespace/test/endpoints/expected.json
+++ b/rules/endpoints-in-default-namespace/test/endpoints/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "Endpoints: kubescape is in the 'default' namespace",
+ "reviewPaths": [
+ "metadata.namespace"
+ ],
 "failedPaths": [
 "metadata.namespace"
 ],
diff --git a/rules/endpointslice-in-default-namespace/rule.metadata.json b/rules/endpointslice-in-default-namespace/rule.metadata.json
index 27d9b3ff7..a603c5dd2 100644
--- a/rules/endpointslice-in-default-namespace/rule.metadata.json
+++ b/rules/endpointslice-in-default-namespace/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "endpointslice-in-default-namespace",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/endpointslice-in-default-namespace/test/endpointslice/expected.json b/rules/endpointslice-in-default-namespace/test/endpointslice/expected.json
index 38fe3cd8d..cc5884a38 100644
--- a/rules/endpointslice-in-default-namespace/test/endpointslice/expected.json
+++ b/rules/endpointslice-in-default-namespace/test/endpointslice/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "EndpointSlice: kubescape is in the 'default' namespace",
+ "reviewPaths": [
+ "metadata.namespace"
+ ],
 "failedPaths": [
 "metadata.namespace"
 ],
diff --git a/rules/enforce-kubelet-client-tls-authentication-updated/raw.rego b/rules/enforce-kubelet-client-tls-authentication-updated/raw.rego
index 5df9eea58..329995c8c 100644
--- a/rules/enforce-kubelet-client-tls-authentication-updated/raw.rego
+++ b/rules/enforce-kubelet-client-tls-authentication-updated/raw.rego
@@ -43,6 +43,7 @@ deny[msga] {
 msga := {
 "alertMessage": "kubelet client TLS authentication is not enabled",
 "alertScore": 6,
+ "reviewPaths": [],
 "failedPaths": [],
 "fixPaths": [],
 "packagename": "armo_builtins",
@@ -69,6 +70,7 @@ deny[msga] {
 msga := {
 "alertMessage": "Failed to analyze config file",
 "alertScore": 6,
+ "reviewPaths": [],
 "failedPaths": [],
 "fixPaths": [],
 "packagename": "armo_builtins",
diff --git a/rules/enforce-kubelet-client-tls-authentication-updated/rule.metadata.json b/rules/enforce-kubelet-client-tls-authentication-updated/rule.metadata.json
index 27c330f5c..043e5e7b4 100644
--- a/rules/enforce-kubelet-client-tls-authentication-updated/rule.metadata.json
+++ b/rules/enforce-kubelet-client-tls-authentication-updated/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "enforce-kubelet-client-tls-authentication-updated",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
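Review bot: Both `deny` rules in `raw.rego` now emit `"reviewPaths": []` directly above an identical `"failedPaths": []`, and nothing in the file says why two keys carry the same value; a later cleanup could easily drop one of them. A one-line comment above the first added line, such as `# failedPaths is kept alongside reviewPaths for consumers that predate reviewPaths`, would record the intent, which I am inferring rather than reading from the hunk. The same pair is added in the second hunk at line 70. Both `deny[msga]` bodies start before their hunks, so the conditions that produce these messages are not visible here.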
diff --git a/rules/enforce-kubelet-client-tls-authentication-updated/test/fail-config-argument-not-set/expected.json b/rules/enforce-kubelet-client-tls-authentication-updated/test/fail-config-argument-not-set/expected.json
index 682d16051..8f2838217 100644
--- a/rules/enforce-kubelet-client-tls-authentication-updated/test/fail-config-argument-not-set/expected.json
+++ b/rules/enforce-kubelet-client-tls-authentication-updated/test/fail-config-argument-not-set/expected.json
@@ -11,6 +11,7 @@
 }
 },
 "alertScore": 6,
+ "reviewPaths": [],
 "failedPaths": [],
 "fixPaths": [],
 "packagename": "armo_builtins"
diff --git a/rules/enforce-kubelet-client-tls-authentication-updated/test/fail-config-only/expected.json b/rules/enforce-kubelet-client-tls-authentication-updated/test/fail-config-only/expected.json
index 5863c59b7..cd3800c6b 100644
--- a/rules/enforce-kubelet-client-tls-authentication-updated/test/fail-config-only/expected.json
+++ b/rules/enforce-kubelet-client-tls-authentication-updated/test/fail-config-only/expected.json
@@ -16,6 +16,10 @@
 }
 },
 "alertScore": 6,
+ "reviewPaths": [
+ "authentication.x509.clientCAFile"
+ ],
+
 "failedPaths": [
 "authentication.x509.clientCAFile"
 ],
diff --git a/rules/enforce-kubelet-client-tls-authentication-updated/test/fail-config-sensor-failed/expected.json b/rules/enforce-kubelet-client-tls-authentication-updated/test/fail-config-sensor-failed/expected.json
index c2ce5c960..223ea52b4 100644
--- a/rules/enforce-kubelet-client-tls-authentication-updated/test/fail-config-sensor-failed/expected.json
+++ b/rules/enforce-kubelet-client-tls-authentication-updated/test/fail-config-sensor-failed/expected.json
@@ -12,6 +12,7 @@
 }
 },
 "alertScore": 6,
+ "reviewPaths": [],
 "failedPaths": [],
 "fixPaths": [],
 "packagename": "armo_builtins"
diff --git a/rules/ensure-aws-policies-are-present/rule.metadata.json b/rules/ensure-aws-policies-are-present/rule.metadata.json
index 1b983e164..683738f18 100644
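Review bot: The `fail-config-only` hunk (`@@ -16,6 +16,10 @@`) adds four lines for a three-line `reviewPaths` block, which by the line counts means an empty line was inserted between the closing `],` and `"failedPaths"`; none of the sibling fixtures in this commit carry such a blank line. Dropping it keeps the fixtures uniform and avoids a spurious diff the next time they are regenerated. This reading is inferred from the hunk counts, since the collapsed layout does not show the blank line directly.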
--- a/rules/ensure-aws-policies-are-present/rule.metadata.json
+++ b/rules/ensure-aws-policies-are-present/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-aws-policies-are-present",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "dynamicMatch": [
diff --git a/rules/ensure-azure-rbac-is-set/rule.metadata.json b/rules/ensure-azure-rbac-is-set/rule.metadata.json
index 6f7d105d7..4d87f1aff 100644
--- a/rules/ensure-azure-rbac-is-set/rule.metadata.json
+++ b/rules/ensure-azure-rbac-is-set/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-azure-rbac-is-set",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "dynamicMatch": [
diff --git a/rules/ensure-clusters-are-created-with-private-endpoint-enabled-and-public-access-disabled/rule.metadata.json b/rules/ensure-clusters-are-created-with-private-endpoint-enabled-and-public-access-disabled/rule.metadata.json
index 2662aa233..ffcee362b 100644
--- a/rules/ensure-clusters-are-created-with-private-endpoint-enabled-and-public-access-disabled/rule.metadata.json
+++ b/rules/ensure-clusters-are-created-with-private-endpoint-enabled-and-public-access-disabled/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-clusters-are-created-with-private-endpoint-enabled-and-public-access-disabled",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "false",
 "imageScanRelated": false
 },
diff --git a/rules/ensure-clusters-are-created-with-private-nodes/rule.metadata.json b/rules/ensure-clusters-are-created-with-private-nodes/rule.metadata.json
index ba7b9f467..b1144fc1d 100644
--- a/rules/ensure-clusters-are-created-with-private-nodes/rule.metadata.json
+++ b/rules/ensure-clusters-are-created-with-private-nodes/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-clusters-are-created-with-private-nodes",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": false,
 "imageScanRelated": false
 },
diff --git a/rules/ensure-default-service-accounts-has-only-default-roles/rule.metadata.json b/rules/ensure-default-service-accounts-has-only-default-roles/rule.metadata.json
index 4549dbc8c..f1e2e4479 100644
--- a/rules/ensure-default-service-accounts-has-only-default-roles/rule.metadata.json
+++ b/rules/ensure-default-service-accounts-has-only-default-roles/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-default-service-accounts-has-only-default-roles",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-default-service-accounts-has-only-default-roles/test/failed_clusterrolebinding/expected.json b/rules/ensure-default-service-accounts-has-only-default-roles/test/failed_clusterrolebinding/expected.json
index d83d2a4c7..261928aa8 100644
--- a/rules/ensure-default-service-accounts-has-only-default-roles/test/failed_clusterrolebinding/expected.json
+++ b/rules/ensure-default-service-accounts-has-only-default-roles/test/failed_clusterrolebinding/expected.json
@@ -1,6 +1,7 @@
 [
 {
 "alertMessage": "ClusterRoleBinding: read-secrets-global has for ServiceAccount 'default' rules bound to it that are not defaults",
+ "deletePaths": ["subjects[0]"],
 "failedPaths": ["subjects[0]"],
 "fixPaths": [],
 "ruleStatus": "",
diff --git a/rules/ensure-default-service-accounts-has-only-default-roles/test/failed_clusterrolebinding_boots_none_default/expected.json b/rules/ensure-default-service-accounts-has-only-default-roles/test/failed_clusterrolebinding_boots_none_default/expected.json
index 88114f643..751e75ab5 100644
--- a/rules/ensure-default-service-accounts-has-only-default-roles/test/failed_clusterrolebinding_boots_none_default/expected.json
+++ b/rules/ensure-default-service-accounts-has-only-default-roles/test/failed_clusterrolebinding_boots_none_default/expected.json
@@ -1,6 +1,7 @@
 [
 {
 "alertMessage": "ClusterRoleBinding: read-secrets-global has for ServiceAccount 'default' rules bound to it that are not defaults",
+ "deletePaths": ["subjects[0]"],
 "failedPaths": ["subjects[0]"],
 "fixPaths": [],
 "ruleStatus": "",
diff --git a/rules/ensure-endpointprivateaccess-is-enabled-and-endpointpublicaccess-is-disabled-eks/rule.metadata.json b/rules/ensure-endpointprivateaccess-is-enabled-and-endpointpublicaccess-is-disabled-eks/rule.metadata.json
index ebd0191aa..94b922269 100644
--- a/rules/ensure-endpointprivateaccess-is-enabled-and-endpointpublicaccess-is-disabled-eks/rule.metadata.json
+++ b/rules/ensure-endpointprivateaccess-is-enabled-and-endpointpublicaccess-is-disabled-eks/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-endpointprivateaccess-is-enabled-and-endpointpublicaccess-is-disabled-eks",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-endpointprivateaccess-is-enabled/rule.metadata.json b/rules/ensure-endpointprivateaccess-is-enabled/rule.metadata.json
index d1d52c640..9567cd3d0 100644
--- a/rules/ensure-endpointprivateaccess-is-enabled/rule.metadata.json
+++ b/rules/ensure-endpointprivateaccess-is-enabled/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-endpointprivateaccess-is-enabled",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-endpointpublicaccess-is-disabled-on-private-nodes-eks/rule.metadata.json b/rules/ensure-endpointpublicaccess-is-disabled-on-private-nodes-eks/rule.metadata.json
index e622b7b89..d2763c36e 100644
--- a/rules/ensure-endpointpublicaccess-is-disabled-on-private-nodes-eks/rule.metadata.json
+++ b/rules/ensure-endpointpublicaccess-is-disabled-on-private-nodes-eks/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-endpointpublicaccess-is-disabled-on-private-nodes-eks",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-external-secrets-storage-is-in-use/rule.metadata.json b/rules/ensure-external-secrets-storage-is-in-use/rule.metadata.json
index 73782a4d3..a0bd55f38 100644
--- a/rules/ensure-external-secrets-storage-is-in-use/rule.metadata.json
+++ b/rules/ensure-external-secrets-storage-is-in-use/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-external-secrets-storage-is-in-use",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-https-loadbalancers-encrypted-with-tls-aws/rule.metadata.json b/rules/ensure-https-loadbalancers-encrypted-with-tls-aws/rule.metadata.json
index 4627b8fbb..7eb58db02 100644
--- a/rules/ensure-https-loadbalancers-encrypted-with-tls-aws/rule.metadata.json
+++ b/rules/ensure-https-loadbalancers-encrypted-with-tls-aws/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-https-loadbalancers-encrypted-with-tls-aws",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-image-scanning-enabled-cloud/rule.metadata.json b/rules/ensure-image-scanning-enabled-cloud/rule.metadata.json
index 2b9176412..7dd06667a 100644
--- a/rules/ensure-image-scanning-enabled-cloud/rule.metadata.json
+++ b/rules/ensure-image-scanning-enabled-cloud/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-image-scanning-enabled-cloud",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "dynamicMatch": [
diff --git a/rules/ensure-image-vulnerability-scanning-using-azure-defender-image-scanning-or-a-third-party-provider/rule.metadata.json b/rules/ensure-image-vulnerability-scanning-using-azure-defender-image-scanning-or-a-third-party-provider/rule.metadata.json
index 4b8e56923..0e03d0b57 100644
--- a/rules/ensure-image-vulnerability-scanning-using-azure-defender-image-scanning-or-a-third-party-provider/rule.metadata.json
+++ b/rules/ensure-image-vulnerability-scanning-using-azure-defender-image-scanning-or-a-third-party-provider/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-image-vulnerability-scanning-using-azure-defender-image-scanning-or-a-third-party-provider",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [],
diff --git a/rules/ensure-network-policy-is-enabled-eks/rule.metadata.json b/rules/ensure-network-policy-is-enabled-eks/rule.metadata.json
index c07665d3f..5d2b8b48e 100644
--- a/rules/ensure-network-policy-is-enabled-eks/rule.metadata.json
+++ b/rules/ensure-network-policy-is-enabled-eks/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-network-policy-is-enabled-eks",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure-service-principle-has-read-only-permissions/rule.metadata.json b/rules/ensure-service-principle-has-read-only-permissions/rule.metadata.json
index 5d5729a0d..ac6639802 100644
--- a/rules/ensure-service-principle-has-read-only-permissions/rule.metadata.json
+++ b/rules/ensure-service-principle-has-read-only-permissions/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-service-principle-has-read-only-permissions",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "dynamicMatch": [
diff --git a/rules/ensure-that-the-API-Server-only-makes-use-of-Strong-Cryptographic-Ciphers/rule.metadata.json b/rules/ensure-that-the-API-Server-only-makes-use-of-Strong-Cryptographic-Ciphers/rule.metadata.json
index caff35020..15b2d4375 100644
--- a/rules/ensure-that-the-API-Server-only-makes-use-of-Strong-Cryptographic-Ciphers/rule.metadata.json
+++ b/rules/ensure-that-the-API-Server-only-makes-use-of-Strong-Cryptographic-Ciphers/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-API-Server-only-makes-use-of-Strong-Cryptographic-Ciphers",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-that-the-API-Server-only-makes-use-of-Strong-Cryptographic-Ciphers/test/failed/expected.json b/rules/ensure-that-the-API-Server-only-makes-use-of-Strong-Cryptographic-Ciphers/test/failed/expected.json
index 46fd37e27..fe72ba3d7 100644
--- a/rules/ensure-that-the-API-Server-only-makes-use-of-Strong-Cryptographic-Ciphers/test/failed/expected.json
+++ b/rules/ensure-that-the-API-Server-only-makes-use-of-Strong-Cryptographic-Ciphers/test/failed/expected.json
@@ -1 +1,97 @@
-[{"alertMessage":"The API server is not configured to use strong cryptographic ciphers","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[26]","value":"--tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}},{"alertMessage":"The API server is not configured to use strong cryptographic ciphers","failedPaths":["spec.containers[0].command[1]"],"fixPaths":[{"path":"spec.containers[0].command[1]","value":"--tls-cipher-suites=Foo,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}},{"alertMessage":"The API server is not configured to use strong cryptographic ciphers","failedPaths":["spec.containers[0].command[1]"],"fixPaths":[{"path":"spec.containers[0].command[1]","value":"--tls-cipher-suites=TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}]
\ No newline at end of file
+[
+ {
+ "alertMessage": "The API server is not configured to use strong cryptographic ciphers",
+ "reviewPaths": [],
+ "failedPaths": [],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[26]",
+ "value": "--tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "alertMessage": "The API server is not configured to use strong cryptographic ciphers",
+ "reviewPaths": [
+ "spec.containers[0].command[1]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[1]"
+ ],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[1]",
+ "value": "--tls-cipher-suites=Foo,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "alertMessage": "The API server is not configured to use strong cryptographic ciphers",
+ "reviewPaths": [
+ "spec.containers[0].command[1]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[1]"
+ ],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[1]",
+ "value": "--tls-cipher-suites=TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/ensure-that-the-API-server-pod-specification-file-ownership-is-set-to-root-root/rule.metadata.json b/rules/ensure-that-the-API-server-pod-specification-file-ownership-is-set-to-root-root/rule.metadata.json
index 5d02130ec..cc2cce906 100644
--- a/rules/ensure-that-the-API-server-pod-specification-file-ownership-is-set-to-root-root/rule.metadata.json
+++ b/rules/ensure-that-the-API-server-pod-specification-file-ownership-is-set-to-root-root/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-API-server-pod-specification-file-ownership-is-set-to-root-root",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
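Review bot: The `--tls-cipher-suites` value that all three fixtures expect as the remediation still lists `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA` and `TLS_RSA_WITH_3DES_EDE_CBC_SHA`, plus several static-RSA and CBC suites, which is at odds with a rule named "only makes use of Strong Cryptographic Ciphers": 3DES has a 64-bit block and is widely deprecated, and static-RSA key exchange gives no forward secrecy. The value presumably comes from the rule's reference cipher list, which is not in this chunk, so the list in the Rego is the place to trim it, with these fixtures regenerated afterwards. The rewritten file also still ends without a trailing newline (`\ No newline at end of file`), which the pretty-printing pass was a natural moment to fix.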
diff --git a/rules/ensure-that-the-API-server-pod-specification-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json b/rules/ensure-that-the-API-server-pod-specification-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
index ed6c12993..1a53b0986 100644
--- a/rules/ensure-that-the-API-server-pod-specification-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
+++ b/rules/ensure-that-the-API-server-pod-specification-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-API-server-pod-specification-file-permissions-are-set-to-600-or-more-restrictive",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure-that-the-Container-Network-Interface-file-ownership-is-set-to-root-root/rule.metadata.json b/rules/ensure-that-the-Container-Network-Interface-file-ownership-is-set-to-root-root/rule.metadata.json
index de8a8c690..227fa639e 100644
--- a/rules/ensure-that-the-Container-Network-Interface-file-ownership-is-set-to-root-root/rule.metadata.json
+++ b/rules/ensure-that-the-Container-Network-Interface-file-ownership-is-set-to-root-root/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-Container-Network-Interface-file-ownership-is-set-to-root-root",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure-that-the-Container-Network-Interface-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json b/rules/ensure-that-the-Container-Network-Interface-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
index 5738f87b0..48b4fefb3 100644
--- a/rules/ensure-that-the-Container-Network-Interface-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
+++ b/rules/ensure-that-the-Container-Network-Interface-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-Container-Network-Interface-file-permissions-are-set-to-600-or-more-restrictive",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure-that-the-Kubernetes-PKI-certificate-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json b/rules/ensure-that-the-Kubernetes-PKI-certificate-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
index d9e48b420..a906903c3 100644
--- a/rules/ensure-that-the-Kubernetes-PKI-certificate-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
+++ b/rules/ensure-that-the-Kubernetes-PKI-certificate-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-Kubernetes-PKI-certificate-file-permissions-are-set-to-600-or-more-restrictive",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure-that-the-Kubernetes-PKI-directory-and-file-ownership-is-set-to-root-root/rule.metadata.json b/rules/ensure-that-the-Kubernetes-PKI-directory-and-file-ownership-is-set-to-root-root/rule.metadata.json
index 4baafa603..9a5501ad2 100644
--- a/rules/ensure-that-the-Kubernetes-PKI-directory-and-file-ownership-is-set-to-root-root/rule.metadata.json
+++ b/rules/ensure-that-the-Kubernetes-PKI-directory-and-file-ownership-is-set-to-root-root/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-Kubernetes-PKI-directory-and-file-ownership-is-set-to-root-root",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure-that-the-Kubernetes-PKI-key-file-permissions-are-set-to-600/rule.metadata.json b/rules/ensure-that-the-Kubernetes-PKI-key-file-permissions-are-set-to-600/rule.metadata.json
index 62a3c569d..38653ca77 100644
--- a/rules/ensure-that-the-Kubernetes-PKI-key-file-permissions-are-set-to-600/rule.metadata.json
+++ b/rules/ensure-that-the-Kubernetes-PKI-key-file-permissions-are-set-to-600/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-Kubernetes-PKI-key-file-permissions-are-set-to-600",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure-that-the-admin.conf-file-ownership-is-set-to-root-root/rule.metadata.json b/rules/ensure-that-the-admin.conf-file-ownership-is-set-to-root-root/rule.metadata.json
index f37b99149..31dd53c8b 100644
--- a/rules/ensure-that-the-admin.conf-file-ownership-is-set-to-root-root/rule.metadata.json
+++ b/rules/ensure-that-the-admin.conf-file-ownership-is-set-to-root-root/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-admin.conf-file-ownership-is-set-to-root-root",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure-that-the-admin.conf-file-permissions-are-set-to-600/rule.metadata.json b/rules/ensure-that-the-admin.conf-file-permissions-are-set-to-600/rule.metadata.json
index de0d53a70..02ec7853d 100644
--- a/rules/ensure-that-the-admin.conf-file-permissions-are-set-to-600/rule.metadata.json
+++ b/rules/ensure-that-the-admin.conf-file-permissions-are-set-to-600/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-admin.conf-file-permissions-are-set-to-600",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure-that-the-admission-control-plugin-AlwaysAdmit-is-not-set/rule.metadata.json b/rules/ensure-that-the-admission-control-plugin-AlwaysAdmit-is-not-set/rule.metadata.json
index 763b6f081..c9beafa54 100644
--- a/rules/ensure-that-the-admission-control-plugin-AlwaysAdmit-is-not-set/rule.metadata.json
+++ b/rules/ensure-that-the-admission-control-plugin-AlwaysAdmit-is-not-set/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-admission-control-plugin-AlwaysAdmit-is-not-set",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-that-the-admission-control-plugin-AlwaysAdmit-is-not-set/test/failed/expected.json b/rules/ensure-that-the-admission-control-plugin-AlwaysAdmit-is-not-set/test/failed/expected.json
index 8ccf0c9e5..222e29df0 100644
--- a/rules/ensure-that-the-admission-control-plugin-AlwaysAdmit-is-not-set/test/failed/expected.json
+++ b/rules/ensure-that-the-admission-control-plugin-AlwaysAdmit-is-not-set/test/failed/expected.json
@@ -1 +1,63 @@
-[{"alertMessage":"admission control plugin AlwaysAdmit is enabled. This is equal to turning off all admission controllers","failedPaths":["spec.containers[0].command[5]"],"fixPaths":[],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}},{"alertMessage":"admission control plugin AlwaysAdmit is enabled. This is equal to turning off all admission controllers","failedPaths":["spec.containers[0].command[5]"],"fixPaths":[{"path":"spec.containers[0].command[5]","value":"--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}]
\ No newline at end of file
+[
+ {
+ "alertMessage": "admission control plugin AlwaysAdmit is enabled. This is equal to turning off all admission controllers",
+ "reviewPaths": [
+ "spec.containers[0].command[5]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[5]"
+ ],
+ "fixPaths": [],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "alertMessage": "admission control plugin AlwaysAdmit is enabled. This is equal to turning off all admission controllers",
+ "reviewPaths": [
+ "spec.containers[0].command[5]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[5]"
+ ],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[5]",
+ "value": "--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/ensure-that-the-admission-control-plugin-AlwaysPullImages-is-set/rule.metadata.json b/rules/ensure-that-the-admission-control-plugin-AlwaysPullImages-is-set/rule.metadata.json
index fcd22b13a..1cd351f20 100644
--- a/rules/ensure-that-the-admission-control-plugin-AlwaysPullImages-is-set/rule.metadata.json
+++ b/rules/ensure-that-the-admission-control-plugin-AlwaysPullImages-is-set/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-admission-control-plugin-AlwaysPullImages-is-set",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-that-the-admission-control-plugin-AlwaysPullImages-is-set/test/failed/expected.json b/rules/ensure-that-the-admission-control-plugin-AlwaysPullImages-is-set/test/failed/expected.json
index b2430a68e..11a2442ac 100644
--- a/rules/ensure-that-the-admission-control-plugin-AlwaysPullImages-is-set/test/failed/expected.json
+++ b/rules/ensure-that-the-admission-control-plugin-AlwaysPullImages-is-set/test/failed/expected.json
@@ -1 +1,64 @@
-[{"alertMessage":"Admission control policy is not set to AlwaysPullImages","failedPaths":["spec.containers[0].command[5]"],"fixPaths":[{"path":"spec.containers[0].command[5]","value":"--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,AlwaysPullImages"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}},{"alertMessage":"Admission control policy is not set to AlwaysPullImages","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[26]","value":"--enable-admission-plugins=AlwaysPullImages"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}]
\ No newline at end of file
+[
+ {
+ "alertMessage": "Admission control policy is not set to AlwaysPullImages",
+ "reviewPaths": [
+ "spec.containers[0].command[5]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[5]"
+ ],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[5]",
+ "value": "--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,AlwaysPullImages"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "alertMessage": "Admission control policy is not set to AlwaysPullImages",
+ "reviewPaths": [],
+ "failedPaths": [],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[26]",
+ "value": "--enable-admission-plugins=AlwaysPullImages"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/ensure-that-the-admission-control-plugin-EventRateLimit-is-set/rule.metadata.json b/rules/ensure-that-the-admission-control-plugin-EventRateLimit-is-set/rule.metadata.json
index 849d0928c..03aa5b9e3 100644
--- a/rules/ensure-that-the-admission-control-plugin-EventRateLimit-is-set/rule.metadata.json
+++ b/rules/ensure-that-the-admission-control-plugin-EventRateLimit-is-set/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-admission-control-plugin-EventRateLimit-is-set",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-that-the-admission-control-plugin-EventRateLimit-is-set/test/failed/expected.json b/rules/ensure-that-the-admission-control-plugin-EventRateLimit-is-set/test/failed/expected.json
index 9fd39ec40..2589a4b02 100644
--- a/rules/ensure-that-the-admission-control-plugin-EventRateLimit-is-set/test/failed/expected.json
+++ b/rules/ensure-that-the-admission-control-plugin-EventRateLimit-is-set/test/failed/expected.json
@@ -1 +1,64 @@
-[{"alertMessage":"The API server is not configured to limit the rate at which it accepts requests. This could lead to a denial of service attack","failedPaths":["spec.containers[0].command[5]"],"fixPaths":[{"path":"spec.containers[0].command[5]","value":"--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,EventRateLimit"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}},{"alertMessage":"The API server is not configured to limit the rate at which it accepts requests. This could lead to a denial of service attack","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[26]","value":"--enable-admission-plugins=EventRateLimit"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}]
\ No newline at end of file
+[
+ {
+ "alertMessage": "The API server is not configured to limit the rate at which it accepts requests. This could lead to a denial of service attack",
+ "reviewPaths": [
+ "spec.containers[0].command[5]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[5]"
+ ],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[5]",
+ "value": "--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,EventRateLimit"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "alertMessage": "The API server is not configured to limit the rate at which it accepts requests. This could lead to a denial of service attack",
+ "reviewPaths": [],
+ "failedPaths": [],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[26]",
+ "value": "--enable-admission-plugins=EventRateLimit"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/ensure-that-the-admission-control-plugin-NamespaceLifecycle-is-set/rule.metadata.json b/rules/ensure-that-the-admission-control-plugin-NamespaceLifecycle-is-set/rule.metadata.json
index 70bcbe44e..c1cb33ca1 100644
--- a/rules/ensure-that-the-admission-control-plugin-NamespaceLifecycle-is-set/rule.metadata.json
+++ b/rules/ensure-that-the-admission-control-plugin-NamespaceLifecycle-is-set/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-admission-control-plugin-NamespaceLifecycle-is-set",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-that-the-admission-control-plugin-NamespaceLifecycle-is-set/test/failed/expected.json b/rules/ensure-that-the-admission-control-plugin-NamespaceLifecycle-is-set/test/failed/expected.json
index 4dd96783f..3f87526fa 100644
--- a/rules/ensure-that-the-admission-control-plugin-NamespaceLifecycle-is-set/test/failed/expected.json
+++ b/rules/ensure-that-the-admission-control-plugin-NamespaceLifecycle-is-set/test/failed/expected.json
@@ -1 +1,63 @@
-[{"alertMessage":"admission control plugin AlwaysAdmit is enabled. This is equal to turning off all admission controllers","failedPaths":["spec.containers[0].command[6]"],"fixPaths":[],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}},{"alertMessage":"admission control plugin AlwaysAdmit is enabled. This is equal to turning off all admission controllers","failedPaths":["spec.containers[0].command[6]"],"fixPaths":[{"path":"spec.containers[0].command[6]","value":"--disable-admission-plugins=ServiceAccount"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}]
\ No newline at end of file
+[
+ {
+ "alertMessage": "admission control plugin AlwaysAdmit is enabled. This is equal to turning off all admission controllers",
+ "reviewPaths": [
+ "spec.containers[0].command[6]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[6]"
+ ],
+ "fixPaths": [],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "alertMessage": "admission control plugin AlwaysAdmit is enabled. This is equal to turning off all admission controllers",
+ "reviewPaths": [
+ "spec.containers[0].command[6]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[6]"
+ ],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[6]",
+ "value": "--disable-admission-plugins=ServiceAccount"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/ensure-that-the-admission-control-plugin-NodeRestriction-is-set/rule.metadata.json b/rules/ensure-that-the-admission-control-plugin-NodeRestriction-is-set/rule.metadata.json
index 37d3cb478..81f2dbdc4 100644
--- a/rules/ensure-that-the-admission-control-plugin-NodeRestriction-is-set/rule.metadata.json
+++ b/rules/ensure-that-the-admission-control-plugin-NodeRestriction-is-set/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-admission-control-plugin-NodeRestriction-is-set",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-that-the-admission-control-plugin-NodeRestriction-is-set/test/failed/expected.json b/rules/ensure-that-the-admission-control-plugin-NodeRestriction-is-set/test/failed/expected.json
index 99f0bce5e..1464cab1c 100644
--- a/rules/ensure-that-the-admission-control-plugin-NodeRestriction-is-set/test/failed/expected.json
+++ b/rules/ensure-that-the-admission-control-plugin-NodeRestriction-is-set/test/failed/expected.json
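Review bot: Both expected alerts in this fixture carry the message `admission control plugin AlwaysAdmit is enabled. This is equal to turning off all admission controllers`, yet the rule under test is NamespaceLifecycle-is-set and the pinned fix (`--disable-admission-plugins=ServiceAccount`, i.e. dropping NamespaceLifecycle from the disable list) has nothing to do with AlwaysAdmit. The commit only pretty-prints the file and mirrors failedPaths into reviewPaths, so it now locks in a message that would send whoever triages the finding to the wrong flag. The Rego that produces the text is outside this diff; presumably it was copied from the AlwaysAdmit rule, and the message should say what was actually found, e.g. `admission control plugin NamespaceLifecycle is disabled`, with this fixture updated in the same change.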
@@ -1 +1,64 @@
-[{"alertMessage":"NodeRestriction is not enabled","failedPaths":["spec.containers[0].command[5]"],"fixPaths":[{"path":"spec.containers[0].command[5]","value":"--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}},{"alertMessage":"NodeRestriction is not enabled","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[26]","value":"--enable-admission-plugins=NodeRestriction"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}]
\ No newline at end of file
+[
+ {
+ "alertMessage": "NodeRestriction is not enabled",
+ "reviewPaths": [
+ "spec.containers[0].command[5]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[5]"
+ ],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[5]",
+ "value": "--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "alertMessage": "NodeRestriction is not enabled",
+ "reviewPaths": [],
+ "failedPaths": [],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[26]",
+ "value": "--enable-admission-plugins=NodeRestriction"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/ensure-that-the-admission-control-plugin-SecurityContextDeny-is-set-if-PodSecurityPolicy-is-not-used/rule.metadata.json b/rules/ensure-that-the-admission-control-plugin-SecurityContextDeny-is-set-if-PodSecurityPolicy-is-not-used/rule.metadata.json
index b518d505f..5bfb939d5 100644
--- a/rules/ensure-that-the-admission-control-plugin-SecurityContextDeny-is-set-if-PodSecurityPolicy-is-not-used/rule.metadata.json
+++ b/rules/ensure-that-the-admission-control-plugin-SecurityContextDeny-is-set-if-PodSecurityPolicy-is-not-used/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-admission-control-plugin-SecurityContextDeny-is-set-if-PodSecurityPolicy-is-not-used",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-that-the-admission-control-plugin-SecurityContextDeny-is-set-if-PodSecurityPolicy-is-not-used/test/failed/expected.json b/rules/ensure-that-the-admission-control-plugin-SecurityContextDeny-is-set-if-PodSecurityPolicy-is-not-used/test/failed/expected.json
index 2da08b9e4..3bc427d1a 100644
--- a/rules/ensure-that-the-admission-control-plugin-SecurityContextDeny-is-set-if-PodSecurityPolicy-is-not-used/test/failed/expected.json
+++ b/rules/ensure-that-the-admission-control-plugin-SecurityContextDeny-is-set-if-PodSecurityPolicy-is-not-used/test/failed/expected.json
@@ -1 +1,35 @@
-[{"alertMessage":"The SecurityContextDeny addmission controller is not enabled. This could allow for privilege escalation in the cluster","failedPaths":["spec.containers[0].command[5]"],"fixPaths":[{"path":"spec.containers[0].command[5]","value":"--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,SecurityContextDeny"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}]
\ No newline at end of file
+[
+ {
+ "alertMessage": "The SecurityContextDeny addmission controller is not enabled. This could allow for privilege escalation in the cluster",
+ "reviewPaths": [
+ "spec.containers[0].command[5]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[5]"
+ ],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[5]",
+ "value": "--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,SecurityContextDeny"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/ensure-that-the-admission-control-plugin-ServiceAccount-is-set/rule.metadata.json b/rules/ensure-that-the-admission-control-plugin-ServiceAccount-is-set/rule.metadata.json
index cb03d9867..ab50edd93 100644
--- a/rules/ensure-that-the-admission-control-plugin-ServiceAccount-is-set/rule.metadata.json
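Review bot: The rewritten fixture still pins the misspelling in `The SecurityContextDeny addmission controller is not enabled. This could allow for privilege escalation in the cluster`. Because this file is diffed against the rule's actual output, the typo in the Rego (not part of this hunk) cannot be corrected without this fixture changing in the same commit, so it is cheapest to fix both now: `"alertMessage": "The SecurityContextDeny admission controller is not enabled. This could allow for privilege escalation in the cluster",`. Since the file is being reformatted anyway, this is the moment to do it rather than leave another fixture-wide churn for later.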
+++ b/rules/ensure-that-the-admission-control-plugin-ServiceAccount-is-set/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-admission-control-plugin-ServiceAccount-is-set",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-that-the-admission-control-plugin-ServiceAccount-is-set/test/failed/expected.json b/rules/ensure-that-the-admission-control-plugin-ServiceAccount-is-set/test/failed/expected.json
index f1a159300..c6bd6c54b 100644
--- a/rules/ensure-that-the-admission-control-plugin-ServiceAccount-is-set/test/failed/expected.json
+++ b/rules/ensure-that-the-admission-control-plugin-ServiceAccount-is-set/test/failed/expected.json
@@ -1 +1,63 @@
-[{"alertMessage":"admission control plugin AlwaysAdmit is enabled. This is equal to turning off all admission controllers","failedPaths":["spec.containers[0].command[6]"],"fixPaths":[],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}},{"alertMessage":"admission control plugin AlwaysAdmit is enabled. This is equal to turning off all admission controllers","failedPaths":["spec.containers[0].command[6]"],"fixPaths":[{"path":"spec.containers[0].command[6]","value":"--disable-admission-plugins=NamespaceLifecycle"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}]
\ No newline at end of file
+[
+ {
+ "alertMessage": "admission control plugin AlwaysAdmit is enabled. This is equal to turning off all admission controllers",
+ "reviewPaths": [
+ "spec.containers[0].command[6]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[6]"
+ ],
+ "fixPaths": [],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "alertMessage": "admission control plugin AlwaysAdmit is enabled. This is equal to turning off all admission controllers",
+ "reviewPaths": [
+ "spec.containers[0].command[6]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[6]"
+ ],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[6]",
+ "value": "--disable-admission-plugins=NamespaceLifecycle"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-not-set/rule.metadata.json b/rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-not-set/rule.metadata.json
index e73637bf8..92db6916b 100644
--- a/rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-not-set/rule.metadata.json
+++ b/rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-not-set/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-api-server-DenyServiceExternalIPs-is-not-set",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-not-set/test/failed/expected.json b/rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-not-set/test/failed/expected.json
index 08805ee09..68a6bfa1a 100644
--- a/rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-not-set/test/failed/expected.json
+++ b/rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-not-set/test/failed/expected.json
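Review bot: The two expected alerts for the ServiceAccount-is-set rule report `admission control plugin AlwaysAdmit is enabled. This is equal to turning off all admission controllers`, while the pinned fix rewrites `--disable-admission-plugins` to `NamespaceLifecycle` only, i.e. it re-enables ServiceAccount and never touches AlwaysAdmit. A finding whose message names a different plugin than the one it remediates is easy to dismiss as a false positive during triage, and this reformat now freezes that text. The emitting Rego is not in this diff, so this is presumably a copy from the AlwaysAdmit rule; the message should be along the lines of `admission control plugin ServiceAccount is disabled`, and the fixture regenerated with it.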
@@ -1 +1,63 @@
-[{"alertMessage":"admission control plugin DenyServiceExternalIPs is enabled. This is equal to turning off all admission controllers","failedPaths":["spec.containers[0].command[5]"],"fixPaths":[],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}},{"alertMessage":"admission control plugin DenyServiceExternalIPs is enabled. This is equal to turning off all admission controllers","failedPaths":["spec.containers[0].command[5]"],"fixPaths":[{"path":"spec.containers[0].command[5]","value":"--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}]
\ No newline at end of file
+[
+ {
+ "alertMessage": "admission control plugin DenyServiceExternalIPs is enabled. This is equal to turning off all admission controllers",
+ "reviewPaths": [
+ "spec.containers[0].command[5]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[5]"
+ ],
+ "fixPaths": [],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "alertMessage": "admission control plugin DenyServiceExternalIPs is enabled. This is equal to turning off all admission controllers",
+ "reviewPaths": [
+ "spec.containers[0].command[5]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[5]"
+ ],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[5]",
+ "value": "--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/ensure-that-the-api-server-anonymous-auth-argument-is-set-to-false/rule.metadata.json b/rules/ensure-that-the-api-server-anonymous-auth-argument-is-set-to-false/rule.metadata.json
index f87800209..d49478d40 100644
--- a/rules/ensure-that-the-api-server-anonymous-auth-argument-is-set-to-false/rule.metadata.json
+++ b/rules/ensure-that-the-api-server-anonymous-auth-argument-is-set-to-false/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-api-server-anonymous-auth-argument-is-set-to-false",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-that-the-api-server-anonymous-auth-argument-is-set-to-false/test/failed/expected.json b/rules/ensure-that-the-api-server-anonymous-auth-argument-is-set-to-false/test/failed/expected.json
index 6c9bf3c06..9858e4961 100644
--- a/rules/ensure-that-the-api-server-anonymous-auth-argument-is-set-to-false/test/failed/expected.json
+++ b/rules/ensure-that-the-api-server-anonymous-auth-argument-is-set-to-false/test/failed/expected.json
@@ -1,6 +1,7 @@
 [
 {
 "alertMessage": "anonymous requests is enabled",
+ "reviewPaths": [],
 "failedPaths": [],
 "fixPaths": [
 {
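Review bot: The message this fixture now pins, `admission control plugin DenyServiceExternalIPs is enabled. This is equal to turning off all admission controllers`, is wrong in its second sentence: that consequence belongs to AlwaysAdmit, whereas DenyServiceExternalIPs only rejects Services that set externalIPs and leaves every other admission controller in force. Shipping a finding that overstates impact this much trains operators to distrust the control, and the reformat locks the wording in for the test. The Rego that emits it is outside this hunk, so presumably the text was cloned from the AlwaysAdmit rule; I would cut the second sentence, `admission control plugin DenyServiceExternalIPs is enabled`, or replace it with what the rule actually checks, and update this expected.json with it.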
@@ -29,6 +30,9 @@
 },
 {
 "alertMessage": "anonymous requests is enabled",
+ "reviewPaths": [
+ "spec.containers[0].command[26]"
+ ],
 "failedPaths": [
 "spec.containers[0].command[26]"
 ],
diff --git a/rules/ensure-that-the-api-server-audit-log-maxage-argument-is-set-to-30-or-as-appropriate/rule.metadata.json b/rules/ensure-that-the-api-server-audit-log-maxage-argument-is-set-to-30-or-as-appropriate/rule.metadata.json
index dfeaa3032..ec6a9b66a 100644
--- a/rules/ensure-that-the-api-server-audit-log-maxage-argument-is-set-to-30-or-as-appropriate/rule.metadata.json
+++ b/rules/ensure-that-the-api-server-audit-log-maxage-argument-is-set-to-30-or-as-appropriate/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-api-server-audit-log-maxage-argument-is-set-to-30-or-as-appropriate",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-that-the-api-server-audit-log-maxage-argument-is-set-to-30-or-as-appropriate/test/failed/expected.json b/rules/ensure-that-the-api-server-audit-log-maxage-argument-is-set-to-30-or-as-appropriate/test/failed/expected.json
index fe6fb2a79..8a82186d6 100644
--- a/rules/ensure-that-the-api-server-audit-log-maxage-argument-is-set-to-30-or-as-appropriate/test/failed/expected.json
+++ b/rules/ensure-that-the-api-server-audit-log-maxage-argument-is-set-to-30-or-as-appropriate/test/failed/expected.json
@@ -1 +1,64 @@
-[{"alertMessage":"Audit log retention period is 29 days, which is too small (should be at least 30 days)","failedPaths":["spec.containers[0].command[2]"],"fixPaths":[{"path":"spec.containers[0].command[2]","value":"--audit-log-maxage=30"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}},{"alertMessage":"Audit log retention period is not set","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[26]","value":"--audit-log-maxage=30"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}]
\ No newline at end of file
+[
+ {
+ "alertMessage": "Audit log retention period is 29 days, which is too small (should be at least 30 days)",
+ "reviewPaths": [
+ "spec.containers[0].command[2]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[2]"
+ ],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[2]",
+ "value": "--audit-log-maxage=30"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "alertMessage": "Audit log retention period is not set",
+ "reviewPaths": [],
+ "failedPaths": [],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[26]",
+ "value": "--audit-log-maxage=30"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/ensure-that-the-api-server-audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate/rule.metadata.json b/rules/ensure-that-the-api-server-audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate/rule.metadata.json
index 8b0774d09..c4f6839df 100644
--- a/rules/ensure-that-the-api-server-audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate/rule.metadata.json
+++ b/rules/ensure-that-the-api-server-audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-api-server-audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-that-the-api-server-audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate/test/failed/expected.json b/rules/ensure-that-the-api-server-audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate/test/failed/expected.json
index 4eae1f730..e63b2768d 100644
--- a/rules/ensure-that-the-api-server-audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate/test/failed/expected.json
+++ b/rules/ensure-that-the-api-server-audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate/test/failed/expected.json
@@ -1 +1,63 @@ -[{"alertMessage":"Audit log max backup is not set","failedPaths":["spec.containers[0].command[26]"],"fixPaths":[{"path":"spec.containers[0].command[26]","value":"--audit-log-maxbackup=YOUR_VALUE"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}},{"alertMessage":"Please validate that the audit log max backup is set to an appropriate value","failedPaths":["spec.containers[0].command[27]"],"fixPaths":[],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}] \ No newline at end of file +[ + { + "alertMessage": "Audit log max backup is not set", + "reviewPaths": [ + "spec.containers[0].command[26]" + ], + "failedPaths": [ + "spec.containers[0].command[26]" + ], + "fixPaths": [ + { + "path": "spec.containers[0].command[26]", + "value": "--audit-log-maxbackup=YOUR_VALUE" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 2, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "labels": { + "component": "kube-apiserver", + "tier": "control-plane" + }, + "name": "kube-apiserver-minikube" + } + } + ] + } + }, + { + "alertMessage": "Please validate that the audit log max backup is set to an appropriate value", + "reviewPaths": [ + "spec.containers[0].command[27]" + ], + "failedPaths": [ + "spec.containers[0].command[27]" + ], + "fixPaths": [], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 2, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "labels": { + "component": "kube-apiserver", + "tier": "control-plane" + }, + "name": 
"kube-apiserver-minikube" + } + } + ] + } + } +] \ No newline at end of file diff --git a/rules/ensure-that-the-api-server-audit-log-maxsize-argument-is-set-to-100-or-as-appropriate/rule.metadata.json b/rules/ensure-that-the-api-server-audit-log-maxsize-argument-is-set-to-100-or-as-appropriate/rule.metadata.json index f6b992b4f..76af08e90 100644 --- a/rules/ensure-that-the-api-server-audit-log-maxsize-argument-is-set-to-100-or-as-appropriate/rule.metadata.json +++ b/rules/ensure-that-the-api-server-audit-log-maxsize-argument-is-set-to-100-or-as-appropriate/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "ensure-that-the-api-server-audit-log-maxsize-argument-is-set-to-100-or-as-appropriate", "attributes": { - "armoBuiltin": true, "hostSensorRule": "true", "useFromKubescapeVersion": "v2.0.159" }, diff --git a/rules/ensure-that-the-api-server-audit-log-maxsize-argument-is-set-to-100-or-as-appropriate/test/failed/expected.json b/rules/ensure-that-the-api-server-audit-log-maxsize-argument-is-set-to-100-or-as-appropriate/test/failed/expected.json index adf8d606d..0e6b91b5a 100644 --- a/rules/ensure-that-the-api-server-audit-log-maxsize-argument-is-set-to-100-or-as-appropriate/test/failed/expected.json +++ b/rules/ensure-that-the-api-server-audit-log-maxsize-argument-is-set-to-100-or-as-appropriate/test/failed/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "Please validate that audit-log-maxsize has an appropriate value", + "reviewPaths": [ + "spec.containers[0].command[26]" + ], "failedPaths": [ "spec.containers[0].command[26]" ], @@ -26,6 +29,9 @@ }, { "alertMessage": "Audit log max size not set", + "reviewPaths": [ + "spec.containers[0].command[27]" + ], "failedPaths": [ "spec.containers[0].command[27]" ], diff --git a/rules/ensure-that-the-api-server-audit-log-path-argument-is-set/rule.metadata.json b/rules/ensure-that-the-api-server-audit-log-path-argument-is-set/rule.metadata.json index 0382e6620..13fcd826e 100644 
--- a/rules/ensure-that-the-api-server-audit-log-path-argument-is-set/rule.metadata.json +++ b/rules/ensure-that-the-api-server-audit-log-path-argument-is-set/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "ensure-that-the-api-server-audit-log-path-argument-is-set", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/ensure-that-the-api-server-audit-log-path-argument-is-set/test/failed/expected.json b/rules/ensure-that-the-api-server-audit-log-path-argument-is-set/test/failed/expected.json index 51ee20640..965d3f5f8 100644 --- a/rules/ensure-that-the-api-server-audit-log-path-argument-is-set/test/failed/expected.json +++ b/rules/ensure-that-the-api-server-audit-log-path-argument-is-set/test/failed/expected.json @@ -1 +1,31 @@ -[{"alertMessage":"kubernetes API Server is not audited","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[26]","value":"--audit-log-path=/var/log/apiserver/audit.log"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}] \ No newline at end of file +[ + { + "alertMessage": "kubernetes API Server is not audited", + "reviewPaths": [], + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.containers[0].command[26]", + "value": "--audit-log-path=/var/log/apiserver/audit.log" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 2, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "labels": { + "component": "kube-apiserver", + "tier": "control-plane" + }, + "name": "kube-apiserver-minikube" + } + } + ] + } + } +] \ No newline at end of file 
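Review bot: The pretty-printed fixture still ends with `\ No newline at end of file`, so the rewrite keeps the one formatting defect the minified version had; terminating the file with a newline after the closing `]` would keep future diffs of this fixture clean. The same applies to every other expected.json hunk in this set (audit-log-maxage, audit-log-maxbackup, authorization-mode Node/RBAC/AlwaysAllow, client-ca-file, etcd-cafile, etcd-certfile/keyfile, kubelet-certificate-authority, kubelet-client-certificate/key, profiling). Separately, the new `reviewPaths` entry mirrors `failedPaths` exactly here and in the other fixtures, and nothing visible in this diff records which of the two fields the test runner compares or whether `failedPaths` is being retired; a short line in the rule-authoring documentation stating that relationship would stop the two arrays drifting apart in hand-edited fixtures.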
diff --git a/rules/ensure-that-the-api-server-authorization-mode-argument-includes-Node/rule.metadata.json b/rules/ensure-that-the-api-server-authorization-mode-argument-includes-Node/rule.metadata.json index e44b2db81..82715dd37 100644 --- a/rules/ensure-that-the-api-server-authorization-mode-argument-includes-Node/rule.metadata.json +++ b/rules/ensure-that-the-api-server-authorization-mode-argument-includes-Node/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "ensure-that-the-api-server-authorization-mode-argument-includes-Node", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/ensure-that-the-api-server-authorization-mode-argument-includes-Node/test/failed/expected.json b/rules/ensure-that-the-api-server-authorization-mode-argument-includes-Node/test/failed/expected.json index 096c4d3d8..3c8ee3a85 100644 --- a/rules/ensure-that-the-api-server-authorization-mode-argument-includes-Node/test/failed/expected.json +++ b/rules/ensure-that-the-api-server-authorization-mode-argument-includes-Node/test/failed/expected.json 
@@ -1 +1,64 @@ -[{"alertMessage":"kubelet nodes can read objects that are not associated with them","failedPaths":["spec.containers[0].command[3]"],"fixPaths":[{"path":"spec.containers[0].command[3]","value":"--authorization-mode=RBAC,Node"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}},{"alertMessage":"kubelet nodes can read objects that are not associated with them","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[26]","value":"--authorization-mode=Node"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}] \ No newline at end of file +[ + { + "alertMessage": "kubelet nodes can read objects that are not associated with them", + "reviewPaths": [ + "spec.containers[0].command[3]" + ], + "failedPaths": [ + "spec.containers[0].command[3]" + ], + "fixPaths": [ + { + "path": "spec.containers[0].command[3]", + "value": "--authorization-mode=RBAC,Node" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 2, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "labels": { + "component": "kube-apiserver", + "tier": "control-plane" + }, + "name": "kube-apiserver-minikube" + } + } + ] + } + }, + { + "alertMessage": "kubelet nodes can read objects that are not associated with them", + "reviewPaths": [], + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.containers[0].command[26]", + "value": "--authorization-mode=Node" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 2, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "labels": 
{ + "component": "kube-apiserver", + "tier": "control-plane" + }, + "name": "kube-apiserver-minikube" + } + } + ] + } + } +] \ No newline at end of file diff --git a/rules/ensure-that-the-api-server-authorization-mode-argument-includes-RBAC/rule.metadata.json b/rules/ensure-that-the-api-server-authorization-mode-argument-includes-RBAC/rule.metadata.json index e5a1e7fe5..7992f4ee6 100644 --- a/rules/ensure-that-the-api-server-authorization-mode-argument-includes-RBAC/rule.metadata.json +++ b/rules/ensure-that-the-api-server-authorization-mode-argument-includes-RBAC/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "ensure-that-the-api-server-authorization-mode-argument-includes-RBAC", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/ensure-that-the-api-server-authorization-mode-argument-includes-RBAC/test/failed/expected.json b/rules/ensure-that-the-api-server-authorization-mode-argument-includes-RBAC/test/failed/expected.json index 0521132de..e0fdb3898 100644 --- a/rules/ensure-that-the-api-server-authorization-mode-argument-includes-RBAC/test/failed/expected.json +++ b/rules/ensure-that-the-api-server-authorization-mode-argument-includes-RBAC/test/failed/expected.json 
@@ -1 +1,64 @@ -[{"alertMessage":"RBAC is not enabled","failedPaths":["spec.containers[0].command[3]"],"fixPaths":[{"path":"spec.containers[0].command[3]","value":"--authorization-mode=Node,RBAC"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}},{"alertMessage":"RBAC is not enabled","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[26]","value":"--authorization-mode=RBAC"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}] \ No newline at end of file +[ + { + "alertMessage": "RBAC is not enabled", + "reviewPaths": [ + "spec.containers[0].command[3]" + ], + "failedPaths": [ + "spec.containers[0].command[3]" + ], + "fixPaths": [ + { + "path": "spec.containers[0].command[3]", + "value": "--authorization-mode=Node,RBAC" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 2, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "labels": { + "component": "kube-apiserver", + "tier": "control-plane" + }, + "name": "kube-apiserver-minikube" + } + } + ] + } + }, + { + "alertMessage": "RBAC is not enabled", + "reviewPaths": [], + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.containers[0].command[26]", + "value": "--authorization-mode=RBAC" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 2, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "labels": { + "component": "kube-apiserver", + "tier": "control-plane" + }, + "name": "kube-apiserver-minikube" + } + } + ] + } + } +] \ No newline at end of file 
diff --git a/rules/ensure-that-the-api-server-authorization-mode-argument-is-not-set-to-AlwaysAllow/rule.metadata.json b/rules/ensure-that-the-api-server-authorization-mode-argument-is-not-set-to-AlwaysAllow/rule.metadata.json index a01f79941..2ecf5bcf1 100644 --- a/rules/ensure-that-the-api-server-authorization-mode-argument-is-not-set-to-AlwaysAllow/rule.metadata.json +++ b/rules/ensure-that-the-api-server-authorization-mode-argument-is-not-set-to-AlwaysAllow/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "ensure-that-the-api-server-authorization-mode-argument-is-not-set-to-AlwaysAllow", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/ensure-that-the-api-server-authorization-mode-argument-is-not-set-to-AlwaysAllow/test/failed/expected.json b/rules/ensure-that-the-api-server-authorization-mode-argument-is-not-set-to-AlwaysAllow/test/failed/expected.json index fbf3223dc..627662511 100644 --- a/rules/ensure-that-the-api-server-authorization-mode-argument-is-not-set-to-AlwaysAllow/test/failed/expected.json +++ b/rules/ensure-that-the-api-server-authorization-mode-argument-is-not-set-to-AlwaysAllow/test/failed/expected.json 
@@ -1 +1,68 @@ -[{"alertMessage":"AlwaysAllow authorization mode is enabled","failedPaths":["spec.containers[0].command[3]"],"fixPaths":[{"path":"spec.containers[0].command[3]","value":"--authorization-mode=RBAC"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}},{"alertMessage":"AlwaysAllow authorization mode is enabled","failedPaths":["spec.containers[0].command[3]"],"fixPaths":[{"path":"spec.containers[0].command[3]","value":"--authorization-mode=Node"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}] \ No newline at end of file +[ + { + "alertMessage": "AlwaysAllow authorization mode is enabled", + "reviewPaths": [ + "spec.containers[0].command[3]" + ], + "failedPaths": [ + "spec.containers[0].command[3]" + ], + "fixPaths": [ + { + "path": "spec.containers[0].command[3]", + "value": "--authorization-mode=RBAC" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 2, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "labels": { + "component": "kube-apiserver", + "tier": "control-plane" + }, + "name": "kube-apiserver-minikube" + } + } + ] + } + }, + { + "alertMessage": "AlwaysAllow authorization mode is enabled", + "reviewPaths": [ + "spec.containers[0].command[3]" + ], + "failedPaths": [ + "spec.containers[0].command[3]" + ], + "fixPaths": [ + { + "path": "spec.containers[0].command[3]", + "value": "--authorization-mode=Node" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 2, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "labels": 
{ + "component": "kube-apiserver", + "tier": "control-plane" + }, + "name": "kube-apiserver-minikube" + } + } + ] + } + } +] \ No newline at end of file diff --git a/rules/ensure-that-the-api-server-client-ca-file-argument-is-set-as-appropriate/rule.metadata.json b/rules/ensure-that-the-api-server-client-ca-file-argument-is-set-as-appropriate/rule.metadata.json index 769f90734..1d18ce2c6 100644 --- a/rules/ensure-that-the-api-server-client-ca-file-argument-is-set-as-appropriate/rule.metadata.json +++ b/rules/ensure-that-the-api-server-client-ca-file-argument-is-set-as-appropriate/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "ensure-that-the-api-server-client-ca-file-argument-is-set-as-appropriate", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/ensure-that-the-api-server-client-ca-file-argument-is-set-as-appropriate/test/failed/expected.json b/rules/ensure-that-the-api-server-client-ca-file-argument-is-set-as-appropriate/test/failed/expected.json index 2429e7128..3e5bc2d61 100644 --- a/rules/ensure-that-the-api-server-client-ca-file-argument-is-set-as-appropriate/test/failed/expected.json +++ b/rules/ensure-that-the-api-server-client-ca-file-argument-is-set-as-appropriate/test/failed/expected.json 
@@ -1 +1,31 @@ -[{"alertMessage":"API server communication is not encrypted properly","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[25]","value":"--client-ca-file=\u003cpath/to/client-ca.crt\u003e"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}] \ No newline at end of file +[ + { + "alertMessage": "API server communication is not encrypted properly", + "reviewPaths": [], + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.containers[0].command[25]", + "value": "--client-ca-file=\u003cpath/to/client-ca.crt\u003e" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 2, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "labels": { + "component": "kube-apiserver", + "tier": "control-plane" + }, + "name": "kube-apiserver-minikube" + } + } + ] + } + } +] \ No newline at end of file diff --git a/rules/ensure-that-the-api-server-encryption-provider-config-argument-is-set-as-appropriate/rule.metadata.json b/rules/ensure-that-the-api-server-encryption-provider-config-argument-is-set-as-appropriate/rule.metadata.json index 3c6dd9599..4855e4658 100644 --- a/rules/ensure-that-the-api-server-encryption-provider-config-argument-is-set-as-appropriate/rule.metadata.json +++ b/rules/ensure-that-the-api-server-encryption-provider-config-argument-is-set-as-appropriate/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "ensure-that-the-api-server-encryption-provider-config-argument-is-set-as-appropriate", "attributes": { - "armoBuiltin": true, "hostSensorRule": "true" }, "ruleLanguage": "Rego", 
diff --git a/rules/ensure-that-the-api-server-encryption-providers-are-appropriately-configured/rule.metadata.json b/rules/ensure-that-the-api-server-encryption-providers-are-appropriately-configured/rule.metadata.json index f0fa0f1a9..e067d4432 100644 --- a/rules/ensure-that-the-api-server-encryption-providers-are-appropriately-configured/rule.metadata.json +++ b/rules/ensure-that-the-api-server-encryption-providers-are-appropriately-configured/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "ensure-that-the-api-server-encryption-providers-are-appropriately-configured", "attributes": { - "armoBuiltin": true, "hostSensorRule": "true" }, "ruleLanguage": "Rego", diff --git a/rules/ensure-that-the-api-server-etcd-cafile-argument-is-set-as-appropriate/rule.metadata.json b/rules/ensure-that-the-api-server-etcd-cafile-argument-is-set-as-appropriate/rule.metadata.json index 3523b2dd4..9acd3ae47 100644 --- a/rules/ensure-that-the-api-server-etcd-cafile-argument-is-set-as-appropriate/rule.metadata.json +++ b/rules/ensure-that-the-api-server-etcd-cafile-argument-is-set-as-appropriate/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "ensure-that-the-api-server-etcd-cafile-argument-is-set-as-appropriate", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/ensure-that-the-api-server-etcd-cafile-argument-is-set-as-appropriate/test/failed/expected.json b/rules/ensure-that-the-api-server-etcd-cafile-argument-is-set-as-appropriate/test/failed/expected.json index 5b1ff99de..0e43d8a50 100644 --- a/rules/ensure-that-the-api-server-etcd-cafile-argument-is-set-as-appropriate/test/failed/expected.json +++ b/rules/ensure-that-the-api-server-etcd-cafile-argument-is-set-as-appropriate/test/failed/expected.json 
@@ -1 +1,31 @@ -[{"alertMessage":"API server is not configured to use SSL Certificate Authority file for etcd","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[25]","value":"--etcd-cafile=\u003cpath/to/ca-file.crt\u003e"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}] \ No newline at end of file +[ + { + "alertMessage": "API server is not configured to use SSL Certificate Authority file for etcd", + "reviewPaths": [], + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.containers[0].command[25]", + "value": "--etcd-cafile=\u003cpath/to/ca-file.crt\u003e" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 2, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "labels": { + "component": "kube-apiserver", + "tier": "control-plane" + }, + "name": "kube-apiserver-minikube" + } + } + ] + } + } +] \ No newline at end of file diff --git a/rules/ensure-that-the-api-server-etcd-certfile-and-etcd-keyfile-arguments-are-set-as-appropriate/rule.metadata.json b/rules/ensure-that-the-api-server-etcd-certfile-and-etcd-keyfile-arguments-are-set-as-appropriate/rule.metadata.json index 01aa7a4f3..c366e6a1c 100644 --- a/rules/ensure-that-the-api-server-etcd-certfile-and-etcd-keyfile-arguments-are-set-as-appropriate/rule.metadata.json +++ b/rules/ensure-that-the-api-server-etcd-certfile-and-etcd-keyfile-arguments-are-set-as-appropriate/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "ensure-that-the-api-server-etcd-certfile-and-etcd-keyfile-arguments-are-set-as-appropriate", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ 
diff --git a/rules/ensure-that-the-api-server-etcd-certfile-and-etcd-keyfile-arguments-are-set-as-appropriate/test/failed/expected.json b/rules/ensure-that-the-api-server-etcd-certfile-and-etcd-keyfile-arguments-are-set-as-appropriate/test/failed/expected.json index aba7bb300..143e0323c 100644 --- a/rules/ensure-that-the-api-server-etcd-certfile-and-etcd-keyfile-arguments-are-set-as-appropriate/test/failed/expected.json +++ b/rules/ensure-that-the-api-server-etcd-certfile-and-etcd-keyfile-arguments-are-set-as-appropriate/test/failed/expected.json 
@@ -1 +1,93 @@ -[{"alertMessage":"etcd is not configured to use TLS properly","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[27]","value":"--etcd-keyfile=\u003cpath/to/client-key-file.key\u003e"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}},{"alertMessage":"etcd is not configured to use TLS properly","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[25]","value":"--etcd-certfile=\u003cpath/to/client-certificate-file.crt\u003e"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}},{"alertMessage":"etcd is not configured to use TLS properly","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[25]","value":"--etcd-certfile=\u003cpath/to/client-certificate-file.crt\u003e"},{"path":"spec.containers[0].command[26]","value":"--etcd-keyfile=\u003cpath/to/client-key-file.key\u003e"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}] \ No newline at end of file +[ + { + "alertMessage": "etcd is not configured to use TLS properly", + "reviewPaths": [], + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.containers[0].command[27]", + "value": "--etcd-keyfile=\u003cpath/to/client-key-file.key\u003e" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 2, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "labels": { + "component": "kube-apiserver", + "tier": "control-plane" + }, + "name": 
"kube-apiserver-minikube" + } + } + ] + } + }, + { + "alertMessage": "etcd is not configured to use TLS properly", + "reviewPaths": [], + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.containers[0].command[25]", + "value": "--etcd-certfile=\u003cpath/to/client-certificate-file.crt\u003e" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 2, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "labels": { + "component": "kube-apiserver", + "tier": "control-plane" + }, + "name": "kube-apiserver-minikube" + } + } + ] + } + }, + { + "alertMessage": "etcd is not configured to use TLS properly", + "reviewPaths": [], + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.containers[0].command[25]", + "value": "--etcd-certfile=\u003cpath/to/client-certificate-file.crt\u003e" + }, + { + "path": "spec.containers[0].command[26]", + "value": "--etcd-keyfile=\u003cpath/to/client-key-file.key\u003e" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 2, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "labels": { + "component": "kube-apiserver", + "tier": "control-plane" + }, + "name": "kube-apiserver-minikube" + } + } + ] + } + } +] \ No newline at end of file diff --git a/rules/ensure-that-the-api-server-kubelet-certificate-authority-argument-is-set-as-appropriate/rule.metadata.json b/rules/ensure-that-the-api-server-kubelet-certificate-authority-argument-is-set-as-appropriate/rule.metadata.json index ff43cd65f..ec9a8a90b 100644 --- a/rules/ensure-that-the-api-server-kubelet-certificate-authority-argument-is-set-as-appropriate/rule.metadata.json +++ b/rules/ensure-that-the-api-server-kubelet-certificate-authority-argument-is-set-as-appropriate/rule.metadata.json 
@@ -1,7 +1,6 @@ { "name": "ensure-that-the-api-server-kubelet-certificate-authority-argument-is-set-as-appropriate", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/ensure-that-the-api-server-kubelet-certificate-authority-argument-is-set-as-appropriate/test/failed/expected.json b/rules/ensure-that-the-api-server-kubelet-certificate-authority-argument-is-set-as-appropriate/test/failed/expected.json index 53a17a968..ecfa754ca 100644 --- a/rules/ensure-that-the-api-server-kubelet-certificate-authority-argument-is-set-as-appropriate/test/failed/expected.json +++ b/rules/ensure-that-the-api-server-kubelet-certificate-authority-argument-is-set-as-appropriate/test/failed/expected.json @@ -1 +1,31 @@ -[{"alertMessage":"TLS certificate authority file is not specified","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[26]","value":"--kubelet-certificate-authority=\u003cpath/to/ca.crt\u003e"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}] \ No newline at end of file +[ + { + "alertMessage": "TLS certificate authority file is not specified", + "reviewPaths": [], + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.containers[0].command[26]", + "value": "--kubelet-certificate-authority=\u003cpath/to/ca.crt\u003e" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 2, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "labels": { + "component": "kube-apiserver", + "tier": "control-plane" + }, + "name": "kube-apiserver-minikube" + } + } + ] + } + } +] \ No newline at end of file 
diff --git a/rules/ensure-that-the-api-server-kubelet-client-certificate-and-kubelet-client-key-arguments-are-set-as-appropriate/rule.metadata.json b/rules/ensure-that-the-api-server-kubelet-client-certificate-and-kubelet-client-key-arguments-are-set-as-appropriate/rule.metadata.json index b8d92ac73..4793b934c 100644 --- a/rules/ensure-that-the-api-server-kubelet-client-certificate-and-kubelet-client-key-arguments-are-set-as-appropriate/rule.metadata.json +++ b/rules/ensure-that-the-api-server-kubelet-client-certificate-and-kubelet-client-key-arguments-are-set-as-appropriate/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "ensure-that-the-api-server-kubelet-client-certificate-and-kubelet-client-key-arguments-are-set-as-appropriate", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/ensure-that-the-api-server-kubelet-client-certificate-and-kubelet-client-key-arguments-are-set-as-appropriate/test/failed/expected.json b/rules/ensure-that-the-api-server-kubelet-client-certificate-and-kubelet-client-key-arguments-are-set-as-appropriate/test/failed/expected.json index fe38e8941..89f5a0bec 100644 --- a/rules/ensure-that-the-api-server-kubelet-client-certificate-and-kubelet-client-key-arguments-are-set-as-appropriate/test/failed/expected.json +++ b/rules/ensure-that-the-api-server-kubelet-client-certificate-and-kubelet-client-key-arguments-are-set-as-appropriate/test/failed/expected.json 
@@ -1 +1,93 @@ -[{"alertMessage":"certificate based kubelet authentication is not enabled","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[29]","value":"--kubelet-client-key=\u003cpath/to/appropriate/file\u003e"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}},{"alertMessage":"certificate based kubelet authentication is not enabled","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[28]","value":"--kubelet-client-certificate=\u003cpath/to/appropriate/file\u003e"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}},{"alertMessage":"certificate based kubelet authentication is not enabled","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[26]","value":"--kubelet-client-certificate=\u003cpath/to/appropriate/file\u003e"},{"path":"spec.containers[0].command[27]","value":"--kubelet-client-key=\u003cpath/to/appropriate/file\u003e"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}] \ No newline at end of file +[ + { + "alertMessage": "certificate based kubelet authentication is not enabled", + "reviewPaths": [], + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.containers[0].command[29]", + "value": "--kubelet-client-key=\u003cpath/to/appropriate/file\u003e" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 2, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "labels": { + "component": 
"kube-apiserver", + "tier": "control-plane" + }, + "name": "kube-apiserver-minikube" + } + } + ] + } + }, + { + "alertMessage": "certificate based kubelet authentication is not enabled", + "reviewPaths": [], + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.containers[0].command[28]", + "value": "--kubelet-client-certificate=\u003cpath/to/appropriate/file\u003e" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 2, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "labels": { + "component": "kube-apiserver", + "tier": "control-plane" + }, + "name": "kube-apiserver-minikube" + } + } + ] + } + }, + { + "alertMessage": "certificate based kubelet authentication is not enabled", + "reviewPaths": [], + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.containers[0].command[26]", + "value": "--kubelet-client-certificate=\u003cpath/to/appropriate/file\u003e" + }, + { + "path": "spec.containers[0].command[27]", + "value": "--kubelet-client-key=\u003cpath/to/appropriate/file\u003e" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 2, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "labels": { + "component": "kube-apiserver", + "tier": "control-plane" + }, + "name": "kube-apiserver-minikube" + } + } + ] + } + } +] \ No newline at end of file diff --git a/rules/ensure-that-the-api-server-profiling-argument-is-set-to-false/rule.metadata.json b/rules/ensure-that-the-api-server-profiling-argument-is-set-to-false/rule.metadata.json index 20b014cf1..f3308351c 100644 --- a/rules/ensure-that-the-api-server-profiling-argument-is-set-to-false/rule.metadata.json +++ b/rules/ensure-that-the-api-server-profiling-argument-is-set-to-false/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "ensure-that-the-api-server-profiling-argument-is-set-to-false", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ 
diff --git a/rules/ensure-that-the-api-server-profiling-argument-is-set-to-false/test/failed/expected.json b/rules/ensure-that-the-api-server-profiling-argument-is-set-to-false/test/failed/expected.json index 1831fa39c..7f1ef7088 100644 --- a/rules/ensure-that-the-api-server-profiling-argument-is-set-to-false/test/failed/expected.json +++ b/rules/ensure-that-the-api-server-profiling-argument-is-set-to-false/test/failed/expected.json 
@@ -1 +1,64 @@
-[{"alertMessage":"profiling is enabled. This could potentially be exploited to uncover system and program details.","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[26]","value":"--profiling=false"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}},{"alertMessage":"profiling is enabled. This could potentially be exploited to uncover system and program details.","failedPaths":["spec.containers[0].command[3]"],"fixPaths":[{"path":"spec.containers[0].command[3]","value":"--profiling=false"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}]
\ No newline at end of file
+[
+ {
+ "alertMessage": "profiling is enabled. This could potentially be exploited to uncover system and program details.",
+ "reviewPaths": [],
+ "failedPaths": [],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[26]",
+ "value": "--profiling=false"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "alertMessage": "profiling is enabled. This could potentially be exploited to uncover system and program details.",
+ "reviewPaths": [
+ "spec.containers[0].command[3]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[3]"
+ ],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[3]",
+ "value": "--profiling=false"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/ensure-that-the-api-server-request-timeout-argument-is-set-as-appropriate/rule.metadata.json b/rules/ensure-that-the-api-server-request-timeout-argument-is-set-as-appropriate/rule.metadata.json
index f4602037e..1d276cd72 100644
--- a/rules/ensure-that-the-api-server-request-timeout-argument-is-set-as-appropriate/rule.metadata.json
+++ b/rules/ensure-that-the-api-server-request-timeout-argument-is-set-as-appropriate/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-api-server-request-timeout-argument-is-set-as-appropriate",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-that-the-api-server-request-timeout-argument-is-set-as-appropriate/test/failed/expected.json b/rules/ensure-that-the-api-server-request-timeout-argument-is-set-as-appropriate/test/failed/expected.json
index 760d4376e..b40aab351 100644
--- a/rules/ensure-that-the-api-server-request-timeout-argument-is-set-as-appropriate/test/failed/expected.json
+++ b/rules/ensure-that-the-api-server-request-timeout-argument-is-set-as-appropriate/test/failed/expected.json
@@ -1 +1,30 @@
-[{"alertMessage":"Please validate the request timeout flag is set to an appropriate value","failedPaths":["spec.containers[0].command[1]"],"fixPaths":[],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}]
\ No newline at end of file
+[
+ {
+ "alertMessage": "Please validate the request timeout flag is set to an appropriate value",
+ "reviewPaths": [
+ "spec.containers[0].command[1]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[1]"
+ ],
+ "fixPaths": [],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/ensure-that-the-api-server-secure-port-argument-is-not-set-to-0/rule.metadata.json b/rules/ensure-that-the-api-server-secure-port-argument-is-not-set-to-0/rule.metadata.json
index 8ef4c297e..dff71b9f1 100644
--- a/rules/ensure-that-the-api-server-secure-port-argument-is-not-set-to-0/rule.metadata.json
+++ b/rules/ensure-that-the-api-server-secure-port-argument-is-not-set-to-0/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-api-server-secure-port-argument-is-not-set-to-0",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-that-the-api-server-secure-port-argument-is-not-set-to-0/test/failed/expected.json b/rules/ensure-that-the-api-server-secure-port-argument-is-not-set-to-0/test/failed/expected.json
index d086fbdaf..ac540417c 100644
--- a/rules/ensure-that-the-api-server-secure-port-argument-is-not-set-to-0/test/failed/expected.json
+++ b/rules/ensure-that-the-api-server-secure-port-argument-is-not-set-to-0/test/failed/expected.json
@@ -1 +1,30 @@
-[{"alertMessage":"the secure port is disabled","failedPaths":["spec.containers[0].command[1]"],"fixPaths":[],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}]
\ No newline at end of file
+[
+ {
+ "alertMessage": "the secure port is disabled",
+ "reviewPaths": [
+ "spec.containers[0].command[1]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[1]"
+ ],
+ "fixPaths": [],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/ensure-that-the-api-server-service-account-key-file-argument-is-set-as-appropriate/rule.metadata.json b/rules/ensure-that-the-api-server-service-account-key-file-argument-is-set-as-appropriate/rule.metadata.json
index cf000a0dc..638501fd3 100644
--- a/rules/ensure-that-the-api-server-service-account-key-file-argument-is-set-as-appropriate/rule.metadata.json
+++ b/rules/ensure-that-the-api-server-service-account-key-file-argument-is-set-as-appropriate/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-api-server-service-account-key-file-argument-is-set-as-appropriate",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true",
 "useFromKubescapeVersion": "v2.0.159"
 },
diff --git a/rules/ensure-that-the-api-server-service-account-lookup-argument-is-set-to-true/rule.metadata.json b/rules/ensure-that-the-api-server-service-account-lookup-argument-is-set-to-true/rule.metadata.json
index 06f782fb6..6c82785cb 100644
--- a/rules/ensure-that-the-api-server-service-account-lookup-argument-is-set-to-true/rule.metadata.json
+++ b/rules/ensure-that-the-api-server-service-account-lookup-argument-is-set-to-true/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-api-server-service-account-lookup-argument-is-set-to-true",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-that-the-api-server-service-account-lookup-argument-is-set-to-true/test/failed/expected.json b/rules/ensure-that-the-api-server-service-account-lookup-argument-is-set-to-true/test/failed/expected.json
index 161dbf5fc..c337e46b7 100644
--- a/rules/ensure-that-the-api-server-service-account-lookup-argument-is-set-to-true/test/failed/expected.json
+++ b/rules/ensure-that-the-api-server-service-account-lookup-argument-is-set-to-true/test/failed/expected.json
@@ -1 +1,63 @@
-[{"alertMessage":"anonymous requests is enabled","failedPaths":["spec.containers[0].command[2]"],"fixPaths":[{"path":"spec.containers[0].command[2]","value":"--allow-privileged=true --service-account-lookup=true"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}},{"alertMessage":"anonymous requests is enabled","failedPaths":["spec.containers[0].command[2]"],"fixPaths":[],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}]
\ No newline at end of file
+[
+ {
+ "alertMessage": "anonymous requests is enabled",
+ "reviewPaths": [
+ "spec.containers[0].command[2]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[2]"
+ ],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[2]",
+ "value": "--allow-privileged=true --service-account-lookup=true"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "alertMessage": "anonymous requests is enabled",
+ "reviewPaths": [
+ "spec.containers[0].command[2]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[2]"
+ ],
+ "fixPaths": [],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
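Review bot: The alertMessage `anonymous requests is enabled` pinned in both entries of this fixture does not describe the service-account-lookup check; it reads as copied from the anonymous-auth rule, and the regenerated expected.json now freezes that mismatch for the control `ensure-that-the-api-server-service-account-lookup-argument-is-set-to-true`. The first entry's fixPaths value `--allow-privileged=true --service-account-lookup=true` also packs two flags into the single element `spec.containers[0].command[2]`, so a consumer applying the fix would hand kube-apiserver one argv entry containing a space rather than two separate flags. Both strings originate in the rule's Rego, which is outside this diff, so the fix is to correct the message and emit `--service-account-lookup=true` as its own element there and then regenerate this fixture; the `reviewPaths` duplication of `failedPaths` appears intentional and is not the concern here.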
diff --git a/rules/ensure-that-the-api-server-tls-cert-file-and-tls-private-key-file-arguments-are-set-as-appropriate/rule.metadata.json b/rules/ensure-that-the-api-server-tls-cert-file-and-tls-private-key-file-arguments-are-set-as-appropriate/rule.metadata.json
index a16c24707..434a42c45 100644
--- a/rules/ensure-that-the-api-server-tls-cert-file-and-tls-private-key-file-arguments-are-set-as-appropriate/rule.metadata.json
+++ b/rules/ensure-that-the-api-server-tls-cert-file-and-tls-private-key-file-arguments-are-set-as-appropriate/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-api-server-tls-cert-file-and-tls-private-key-file-arguments-are-set-as-appropriate",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-that-the-api-server-tls-cert-file-and-tls-private-key-file-arguments-are-set-as-appropriate/test/failed/expected.json b/rules/ensure-that-the-api-server-tls-cert-file-and-tls-private-key-file-arguments-are-set-as-appropriate/test/failed/expected.json
index 5db9be818..5d746c322 100644
--- a/rules/ensure-that-the-api-server-tls-cert-file-and-tls-private-key-file-arguments-are-set-as-appropriate/test/failed/expected.json
+++ b/rules/ensure-that-the-api-server-tls-cert-file-and-tls-private-key-file-arguments-are-set-as-appropriate/test/failed/expected.json
@@ -1 +1,93 @@
-[{"alertMessage":"API server is not configured to serve only HTTPS traffic","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[25]","value":"--tls-cert-file=\u003cpath/to/tls-certificate-file.crt\u003e"},{"path":"spec.containers[0].command[26]","value":"--tls-private-key-file=\u003cpath/to/tls-key-file.key\u003e"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}},{"alertMessage":"API server is not configured to serve only HTTPS traffic","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[27]","value":"--tls-private-key-file=\u003cpath/to/tls-key-file.key\u003e"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}},{"alertMessage":"API server is not configured to serve only HTTPS traffic","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[25]","value":"--tls-cert-file=\u003cpath/to/tls-certificate-file.crt\u003e"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}]
\ No newline at end of file
+[
+ {
+ "alertMessage": "API server is not configured to serve only HTTPS traffic",
+ "reviewPaths": [],
+ "failedPaths": [],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[25]",
+ "value": "--tls-cert-file=\u003cpath/to/tls-certificate-file.crt\u003e"
+ },
+ {
+ "path": "spec.containers[0].command[26]",
+ "value": "--tls-private-key-file=\u003cpath/to/tls-key-file.key\u003e"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "alertMessage": "API server is not configured to serve only HTTPS traffic",
+ "reviewPaths": [],
+ "failedPaths": [],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[27]",
+ "value": "--tls-private-key-file=\u003cpath/to/tls-key-file.key\u003e"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "alertMessage": "API server is not configured to serve only HTTPS traffic",
+ "reviewPaths": [],
+ "failedPaths": [],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[25]",
+ "value": "--tls-cert-file=\u003cpath/to/tls-certificate-file.crt\u003e"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/ensure-that-the-api-server-token-auth-file-parameter-is-not-set/rule.metadata.json b/rules/ensure-that-the-api-server-token-auth-file-parameter-is-not-set/rule.metadata.json
index 0e787d555..69f121fd8 100644
--- a/rules/ensure-that-the-api-server-token-auth-file-parameter-is-not-set/rule.metadata.json
+++ b/rules/ensure-that-the-api-server-token-auth-file-parameter-is-not-set/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-api-server-token-auth-file-parameter-is-not-set",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-that-the-api-server-token-auth-file-parameter-is-not-set/test/failed/expected.json b/rules/ensure-that-the-api-server-token-auth-file-parameter-is-not-set/test/failed/expected.json
index 0440e2eb2..445a23325 100644
--- a/rules/ensure-that-the-api-server-token-auth-file-parameter-is-not-set/test/failed/expected.json
+++ b/rules/ensure-that-the-api-server-token-auth-file-parameter-is-not-set/test/failed/expected.json
@@ -1 +1,63 @@
-[{"alertMessage":"API server TLS is not configured","failedPaths":["spec.containers[0].command[26]"],"fixPaths":[],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}},{"alertMessage":"API server TLS is not configured","failedPaths":["spec.containers[0].command[25]"],"fixPaths":[{"path":"spec.containers[0].command[25]","value":"--tls-private-key-file=/var/lib/minikube/certs/apiserver.key"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-apiserver","tier":"control-plane"},"name":"kube-apiserver-minikube"}}]}}]
\ No newline at end of file
+[
+ {
+ "alertMessage": "API server TLS is not configured",
+ "reviewPaths": [
+ "spec.containers[0].command[26]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[26]"
+ ],
+ "fixPaths": [],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "alertMessage": "API server TLS is not configured",
+ "reviewPaths": [
+ "spec.containers[0].command[25]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[25]"
+ ],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[25]",
+ "value": "--tls-private-key-file=/var/lib/minikube/certs/apiserver.key"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane"
+ },
+ "name": "kube-apiserver-minikube"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json b/rules/ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
index e8e8658d5..ea7d3eccb 100644
--- a/rules/ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
+++ b/rules/ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-root/rule.metadata.json b/rules/ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-root/rule.metadata.json
index 44a650774..a0c5c7503 100644
--- a/rules/ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-root/rule.metadata.json
+++ b/rules/ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-root/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-root",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure-that-the-cni-in-use-supports-network-policies/rule.metadata.json b/rules/ensure-that-the-cni-in-use-supports-network-policies/rule.metadata.json
index df6a74c4a..8c5e119e7 100644
--- a/rules/ensure-that-the-cni-in-use-supports-network-policies/rule.metadata.json
+++ b/rules/ensure-that-the-cni-in-use-supports-network-policies/rule.metadata.json
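Review bot: The alertMessage `API server TLS is not configured` and the fixPaths value `--tls-private-key-file=/var/lib/minikube/certs/apiserver.key` in this fixture for `ensure-that-the-api-server-token-auth-file-parameter-is-not-set` describe a TLS check, not the token-auth-file check, so the regenerated expected.json now pins a misleading message and remediation for this control. These strings are produced by the rule's Rego, which is outside this diff; the rule should report the `--token-auth-file` flag it actually matched and this fixture be regenerated afterwards. The failedPaths `spec.containers[0].command[26]` and `command[25]` cannot be cross-checked here because the input fixture is not part of the hunk.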
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-cni-in-use-supports-network-policies",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure-that-the-controller-manager-RotateKubeletServerCertificate-argument-is-set-to-true/rule.metadata.json b/rules/ensure-that-the-controller-manager-RotateKubeletServerCertificate-argument-is-set-to-true/rule.metadata.json
index 81fe89ea2..b863714b0 100644
--- a/rules/ensure-that-the-controller-manager-RotateKubeletServerCertificate-argument-is-set-to-true/rule.metadata.json
+++ b/rules/ensure-that-the-controller-manager-RotateKubeletServerCertificate-argument-is-set-to-true/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-controller-manager-RotateKubeletServerCertificate-argument-is-set-to-true",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-that-the-controller-manager-RotateKubeletServerCertificate-argument-is-set-to-true/test/failed/expected.json b/rules/ensure-that-the-controller-manager-RotateKubeletServerCertificate-argument-is-set-to-true/test/failed/expected.json
index 1b9330992..f691b0543 100644
--- a/rules/ensure-that-the-controller-manager-RotateKubeletServerCertificate-argument-is-set-to-true/test/failed/expected.json
+++ b/rules/ensure-that-the-controller-manager-RotateKubeletServerCertificate-argument-is-set-to-true/test/failed/expected.json
@@ -1 +1,35 @@
-[{"alertMessage":"`RotateKubeletServerCertificate` is set to false on the controller manager","failedPaths":["spec.containers[0].command[4]"],"fixPaths":[{"path":"spec.containers[0].command[4]","value":"--feature-gates=RotateKubeletServerCertificate=true"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-controller-manager","tier":"control-plane"},"name":"kube-controller-manager"}}]}}]
\ No newline at end of file
+[
+ {
+ "alertMessage": "`RotateKubeletServerCertificate` is set to false on the controller manager",
+ "reviewPaths": [
+ "spec.containers[0].command[4]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[4]"
+ ],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[4]",
+ "value": "--feature-gates=RotateKubeletServerCertificate=true"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-controller-manager",
+ "tier": "control-plane"
+ },
+ "name": "kube-controller-manager"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/ensure-that-the-controller-manager-bind-address-argument-is-set-to-127.0.0.1/rule.metadata.json b/rules/ensure-that-the-controller-manager-bind-address-argument-is-set-to-127.0.0.1/rule.metadata.json
index 323081f2f..cb50c6499 100644
--- a/rules/ensure-that-the-controller-manager-bind-address-argument-is-set-to-127.0.0.1/rule.metadata.json
+++ b/rules/ensure-that-the-controller-manager-bind-address-argument-is-set-to-127.0.0.1/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-controller-manager-bind-address-argument-is-set-to-127.0.0.1",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-that-the-controller-manager-bind-address-argument-is-set-to-127.0.0.1/test/failed/expected.json b/rules/ensure-that-the-controller-manager-bind-address-argument-is-set-to-127.0.0.1/test/failed/expected.json
index ab7654159..ad619bdf5 100644
--- a/rules/ensure-that-the-controller-manager-bind-address-argument-is-set-to-127.0.0.1/test/failed/expected.json
+++ b/rules/ensure-that-the-controller-manager-bind-address-argument-is-set-to-127.0.0.1/test/failed/expected.json
@@ -1 +1,64 @@
-[{"alertMessage":"the Controller Manager API service is not bound to a localhost interface only","failedPaths":["spec.containers[0].command[4]"],"fixPaths":[{"path":"spec.containers[0].command[4]","value":"--bind-address=127.0.0.1"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-controller-manager","tier":"control-plane"},"name":"kube-controller-manager"}}]}},{"alertMessage":"the Controller Manager API service is not bound to a localhost interface only","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[17]","value":"--bind-address=127.0.0.1"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-controller-manager","tier":"control-plane"},"name":"kube-controller-manager"}}]}}]
\ No newline at end of file
+[
+ {
+ "alertMessage": "the Controller Manager API service is not bound to a localhost interface only",
+ "reviewPaths": [
+ "spec.containers[0].command[4]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[4]"
+ ],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[4]",
+ "value": "--bind-address=127.0.0.1"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-controller-manager",
+ "tier": "control-plane"
+ },
+ "name": "kube-controller-manager"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "alertMessage": "the Controller Manager API service is not bound to a localhost interface only",
+ "reviewPaths": [],
+ "failedPaths": [],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[17]",
+ "value": "--bind-address=127.0.0.1"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-controller-manager",
+ "tier": "control-plane"
+ },
+ "name": "kube-controller-manager"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-root/rule.metadata.json b/rules/ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-root/rule.metadata.json
index 89bacd267..132390ac7 100644
--- a/rules/ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-root/rule.metadata.json
+++ b/rules/ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-root/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-root",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json b/rules/ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
index 6de688bf1..4681b2595 100644
--- a/rules/ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
+++ b/rules/ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure-that-the-controller-manager-profiling-argument-is-set-to-false/rule.metadata.json b/rules/ensure-that-the-controller-manager-profiling-argument-is-set-to-false/rule.metadata.json
index c069d0684..d76782926 100644
--- a/rules/ensure-that-the-controller-manager-profiling-argument-is-set-to-false/rule.metadata.json
+++ b/rules/ensure-that-the-controller-manager-profiling-argument-is-set-to-false/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-controller-manager-profiling-argument-is-set-to-false",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-that-the-controller-manager-profiling-argument-is-set-to-false/test/failed/expected.json b/rules/ensure-that-the-controller-manager-profiling-argument-is-set-to-false/test/failed/expected.json
index 1d4b8229a..034d65c3b 100644
--- a/rules/ensure-that-the-controller-manager-profiling-argument-is-set-to-false/test/failed/expected.json
+++ b/rules/ensure-that-the-controller-manager-profiling-argument-is-set-to-false/test/failed/expected.json
@@ -1 +1,64 @@
-[{"alertMessage":"profiling is enabled for the kube-controller-manager","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[17]","value":"--profiling=false"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-controller-manager","tier":"control-plane"},"name":"kube-controller-manager"}}]}},{"alertMessage":"profiling is enabled for the kube-controller-manager","failedPaths":["spec.containers[0].command[1]"],"fixPaths":[{"path":"spec.containers[0].command[1]","value":"--profiling=false"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-controller-manager","tier":"control-plane"},"name":"kube-controller-manager"}}]}}]
\ No newline at end of file
+[
+ {
+ "alertMessage": "profiling is enabled for the kube-controller-manager",
+ "reviewPaths": [],
+ "failedPaths": [],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[17]",
+ "value": "--profiling=false"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-controller-manager",
+ "tier": "control-plane"
+ },
+ "name": "kube-controller-manager"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "alertMessage": "profiling is enabled for the kube-controller-manager",
+ "reviewPaths": [
+ "spec.containers[0].command[1]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[1]"
+ ],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[1]",
+ "value": "--profiling=false"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-controller-manager",
+ "tier": "control-plane"
+ },
+ "name": "kube-controller-manager"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/ensure-that-the-controller-manager-root-ca-file-argument-is-set-as-appropriate/rule.metadata.json b/rules/ensure-that-the-controller-manager-root-ca-file-argument-is-set-as-appropriate/rule.metadata.json
index 6d6d7781f..ddbaff1b7 100644
--- a/rules/ensure-that-the-controller-manager-root-ca-file-argument-is-set-as-appropriate/rule.metadata.json
+++ b/rules/ensure-that-the-controller-manager-root-ca-file-argument-is-set-as-appropriate/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-controller-manager-root-ca-file-argument-is-set-as-appropriate",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-that-the-controller-manager-root-ca-file-argument-is-set-as-appropriate/test/failed/expected.json b/rules/ensure-that-the-controller-manager-root-ca-file-argument-is-set-as-appropriate/test/failed/expected.json
index 3ca1a46e2..aabf0c682 100644
--- a/rules/ensure-that-the-controller-manager-root-ca-file-argument-is-set-as-appropriate/test/failed/expected.json
+++ b/rules/ensure-that-the-controller-manager-root-ca-file-argument-is-set-as-appropriate/test/failed/expected.json
@@ -1 +1,31 @@
-[{"alertMessage":"the controller manager is not configured to inject the trusted ca.crt file into pods so that they can verify TLS connections to the API server","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[17]","value":"--root-ca-file=\u003cpath/to/key/ca.crt\u003e"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-controller-manager","tier":"control-plane"},"name":"kube-controller-manager"}}]}}]
\ No newline at end of file
+[
+ {
+ "alertMessage": "the controller manager is not configured to inject the trusted ca.crt file into pods so that they can verify TLS connections to the API server",
+ "reviewPaths": [],
+ "failedPaths": [],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[17]",
+ "value": "--root-ca-file=\u003cpath/to/key/ca.crt\u003e"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-controller-manager",
+ "tier": "control-plane"
+ },
+ "name": "kube-controller-manager"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/ensure-that-the-controller-manager-service-account-private-key-file-argument-is-set-as-appropriate/rule.metadata.json b/rules/ensure-that-the-controller-manager-service-account-private-key-file-argument-is-set-as-appropriate/rule.metadata.json
index 40979ff34..b2e0046cb 100644
--- a/rules/ensure-that-the-controller-manager-service-account-private-key-file-argument-is-set-as-appropriate/rule.metadata.json
+++ b/rules/ensure-that-the-controller-manager-service-account-private-key-file-argument-is-set-as-appropriate/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-controller-manager-service-account-private-key-file-argument-is-set-as-appropriate",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-that-the-controller-manager-service-account-private-key-file-argument-is-set-as-appropriate/test/failed/expected.json b/rules/ensure-that-the-controller-manager-service-account-private-key-file-argument-is-set-as-appropriate/test/failed/expected.json
index 883baa4b5..f2447981d 100644
--- a/rules/ensure-that-the-controller-manager-service-account-private-key-file-argument-is-set-as-appropriate/test/failed/expected.json
+++ b/rules/ensure-that-the-controller-manager-service-account-private-key-file-argument-is-set-as-appropriate/test/failed/expected.json
@@ -1 +1,31 @@
-[{"alertMessage":"service account token can not be rotated as needed","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[17]","value":"--service-account-private-key-file=\u003cpath/to/key/filename.key\u003e"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-controller-manager","tier":"control-plane"},"name":"kube-controller-manager"}}]}}]
\ No newline at end of file
+[
+ {
+ "alertMessage": "service account token can not be rotated as needed",
+ "reviewPaths": [],
+ "failedPaths": [],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[17]",
+ "value": "--service-account-private-key-file=\u003cpath/to/key/filename.key\u003e"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-controller-manager",
+ "tier": "control-plane"
+ },
+ "name": "kube-controller-manager"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/ensure-that-the-controller-manager-terminated-pod-gc-threshold-argument-is-set-as-appropriate/rule.metadata.json b/rules/ensure-that-the-controller-manager-terminated-pod-gc-threshold-argument-is-set-as-appropriate/rule.metadata.json
index ddd3ae8f6..e16d539fc 100644
--- a/rules/ensure-that-the-controller-manager-terminated-pod-gc-threshold-argument-is-set-as-appropriate/rule.metadata.json
+++ b/rules/ensure-that-the-controller-manager-terminated-pod-gc-threshold-argument-is-set-as-appropriate/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-controller-manager-terminated-pod-gc-threshold-argument-is-set-as-appropriate",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-that-the-controller-manager-terminated-pod-gc-threshold-argument-is-set-as-appropriate/test/failed/expected.json b/rules/ensure-that-the-controller-manager-terminated-pod-gc-threshold-argument-is-set-as-appropriate/test/failed/expected.json
index 968e35692..387f9bbb8 100644
--- a/rules/ensure-that-the-controller-manager-terminated-pod-gc-threshold-argument-is-set-as-appropriate/test/failed/expected.json
+++ b/rules/ensure-that-the-controller-manager-terminated-pod-gc-threshold-argument-is-set-as-appropriate/test/failed/expected.json
@@ -1 +1,63 @@
-[{"alertMessage":"--terminated-pod-gc-threshold flag not set to an appropriate value","failedPaths":["spec.containers[0].command[18]"],"fixPaths":[{"path":"spec.containers[0].command[18]","value":"--terminated-pod-gc-threshold=YOUR_VALUE"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-controller-manager","tier":"control-plane"},"name":"kube-controller-manager"}}]}},{"alertMessage":"Please validate that --terminated-pod-gc-threshold is set to an appropriate value","failedPaths":["spec.containers[0].command[18]"],"fixPaths":[],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-controller-manager","tier":"control-plane"},"name":"kube-controller-manager"}}]}}]
\ No newline at end of file
+[
+ {
+ "alertMessage": "--terminated-pod-gc-threshold flag not set to an appropriate value",
+ "reviewPaths": [
+ "spec.containers[0].command[18]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[18]"
+ ],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[18]",
+ "value": "--terminated-pod-gc-threshold=YOUR_VALUE"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-controller-manager",
+ "tier": "control-plane"
+ },
+ "name": "kube-controller-manager"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "alertMessage": "Please validate that --terminated-pod-gc-threshold is set to an appropriate value",
+ "reviewPaths": [
+ "spec.containers[0].command[18]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[18]"
+ ],
+ "fixPaths": [],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+
"metadata": { + "labels": { + "component": "kube-controller-manager", + "tier": "control-plane" + }, + "name": "kube-controller-manager" + } + } + ] + } + } +] \ No newline at end of file diff --git a/rules/ensure-that-the-controller-manager-use-service-account-credentials-argument-is-set-to-true/rule.metadata.json b/rules/ensure-that-the-controller-manager-use-service-account-credentials-argument-is-set-to-true/rule.metadata.json index e22505dc3..7c493cd83 100644 --- a/rules/ensure-that-the-controller-manager-use-service-account-credentials-argument-is-set-to-true/rule.metadata.json +++ b/rules/ensure-that-the-controller-manager-use-service-account-credentials-argument-is-set-to-true/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "ensure-that-the-controller-manager-use-service-account-credentials-argument-is-set-to-true", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/ensure-that-the-controller-manager-use-service-account-credentials-argument-is-set-to-true/test/failed/expected.json b/rules/ensure-that-the-controller-manager-use-service-account-credentials-argument-is-set-to-true/test/failed/expected.json index 005fd6b3d..784fd292e 100644 --- a/rules/ensure-that-the-controller-manager-use-service-account-credentials-argument-is-set-to-true/test/failed/expected.json +++ b/rules/ensure-that-the-controller-manager-use-service-account-credentials-argument-is-set-to-true/test/failed/expected.json 
@@ -1 +1,64 @@
-[{"alertMessage":"--use-service-account-credentials is set to false in the controller manager","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[17]","value":"--use-service-account-credentials=true"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-controller-manager","tier":"control-plane"},"name":"kube-controller-manager"}}]}},{"alertMessage":"--use-service-account-credentials is set to false in the controller manager","failedPaths":["spec.containers[0].command[17]"],"fixPaths":[{"path":"spec.containers[0].command[17]","value":"--use-service-account-credentials=true"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-controller-manager","tier":"control-plane"},"name":"kube-controller-manager"}}]}}]
\ No newline at end of file
+[
+ {
+ "alertMessage": "--use-service-account-credentials is set to false in the controller manager",
+ "reviewPaths": [],
+ "failedPaths": [],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[17]",
+ "value": "--use-service-account-credentials=true"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-controller-manager",
+ "tier": "control-plane"
+ },
+ "name": "kube-controller-manager"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "alertMessage": "--use-service-account-credentials is set to false in the controller manager",
+ "reviewPaths": [
+ "spec.containers[0].command[17]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[17]"
+ ],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[17]",
+ "value": "--use-service-account-credentials=true"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+
"alertScore": 2, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "labels": { + "component": "kube-controller-manager", + "tier": "control-plane" + }, + "name": "kube-controller-manager" + } + } + ] + } + } +] \ No newline at end of file diff --git a/rules/ensure-that-the-controller-manager.conf-file-ownership-is-set-to-root-root/rule.metadata.json b/rules/ensure-that-the-controller-manager.conf-file-ownership-is-set-to-root-root/rule.metadata.json index 30290ee67..abef3a875 100644 --- a/rules/ensure-that-the-controller-manager.conf-file-ownership-is-set-to-root-root/rule.metadata.json +++ b/rules/ensure-that-the-controller-manager.conf-file-ownership-is-set-to-root-root/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "ensure-that-the-controller-manager.conf-file-ownership-is-set-to-root-root", "attributes": { - "armoBuiltin": true, "hostSensorRule": "true" }, "ruleLanguage": "Rego", diff --git a/rules/ensure-that-the-controller-manager.conf-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json b/rules/ensure-that-the-controller-manager.conf-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json index 195383ef6..c94de82dd 100644 --- a/rules/ensure-that-the-controller-manager.conf-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json +++ b/rules/ensure-that-the-controller-manager.conf-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "ensure-that-the-controller-manager.conf-file-permissions-are-set-to-600-or-more-restrictive", "attributes": { - "armoBuiltin": true, "hostSensorRule": "true" }, "ruleLanguage": "Rego", diff --git a/rules/ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-etcd/rule.metadata.json b/rules/ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-etcd/rule.metadata.json index 95d9d480c..3178ffcd1 100644 
--- a/rules/ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-etcd/rule.metadata.json
+++ b/rules/ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-etcd/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-etcd",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive/rule.metadata.json b/rules/ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive/rule.metadata.json
index 8906bf5e3..9d91e7c67 100644
--- a/rules/ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive/rule.metadata.json
+++ b/rules/ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-root/rule.metadata.json b/rules/ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-root/rule.metadata.json
index ef08a93b0..8617cc394 100644
--- a/rules/ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-root/rule.metadata.json
+++ b/rules/ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-root/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-root",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json b/rules/ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
index 76d7599d5..83127510f 100644
--- a/rules/ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
+++ b/rules/ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure-that-the-kubeconfig-kubelet.conf-file-ownership-is-set-to-root-root/rule.metadata.json b/rules/ensure-that-the-kubeconfig-kubelet.conf-file-ownership-is-set-to-root-root/rule.metadata.json
index 3d22e8d5f..6374b36aa 100644
--- a/rules/ensure-that-the-kubeconfig-kubelet.conf-file-ownership-is-set-to-root-root/rule.metadata.json
+++ b/rules/ensure-that-the-kubeconfig-kubelet.conf-file-ownership-is-set-to-root-root/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-kubeconfig-kubelet.conf-file-ownership-is-set-to-root-root",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure-that-the-kubeconfig-kubelet.conf-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json b/rules/ensure-that-the-kubeconfig-kubelet.conf-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
index f00f4931f..0798c831c 100644
--- a/rules/ensure-that-the-kubeconfig-kubelet.conf-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
+++ b/rules/ensure-that-the-kubeconfig-kubelet.conf-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-kubeconfig-kubelet.conf-file-permissions-are-set-to-600-or-more-restrictive",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure-that-the-kubelet-configuration-file-has-permissions-set-to-644-or-more-restrictive/rule.metadata.json b/rules/ensure-that-the-kubelet-configuration-file-has-permissions-set-to-644-or-more-restrictive/rule.metadata.json
index 5af700e25..f0fe4e6f4 100644
--- a/rules/ensure-that-the-kubelet-configuration-file-has-permissions-set-to-644-or-more-restrictive/rule.metadata.json
+++ b/rules/ensure-that-the-kubelet-configuration-file-has-permissions-set-to-644-or-more-restrictive/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-kubelet-configuration-file-has-permissions-set-to-644-or-more-restrictive",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure-that-the-kubelet-configuration-file-ownership-is-set-to-root-root/rule.metadata.json b/rules/ensure-that-the-kubelet-configuration-file-ownership-is-set-to-root-root/rule.metadata.json
index 0859e732a..418799c90 100644
--- a/rules/ensure-that-the-kubelet-configuration-file-ownership-is-set-to-root-root/rule.metadata.json
+++ b/rules/ensure-that-the-kubelet-configuration-file-ownership-is-set-to-root-root/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-kubelet-configuration-file-ownership-is-set-to-root-root",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure-that-the-kubelet-service-file-ownership-is-set-to-root-root/rule.metadata.json b/rules/ensure-that-the-kubelet-service-file-ownership-is-set-to-root-root/rule.metadata.json
index fa87c6128..683695901 100644
--- a/rules/ensure-that-the-kubelet-service-file-ownership-is-set-to-root-root/rule.metadata.json
+++ b/rules/ensure-that-the-kubelet-service-file-ownership-is-set-to-root-root/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-kubelet-service-file-ownership-is-set-to-root-root",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json b/rules/ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
index fc627c5c8..0300b9474 100644
--- a/rules/ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
+++ b/rules/ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure-that-the-scheduler-bind-address-argument-is-set-to-127.0.0.1/rule.metadata.json b/rules/ensure-that-the-scheduler-bind-address-argument-is-set-to-127.0.0.1/rule.metadata.json
index 4a394e0ae..d0c7fe079 100644
--- a/rules/ensure-that-the-scheduler-bind-address-argument-is-set-to-127.0.0.1/rule.metadata.json
+++ b/rules/ensure-that-the-scheduler-bind-address-argument-is-set-to-127.0.0.1/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-scheduler-bind-address-argument-is-set-to-127.0.0.1",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-that-the-scheduler-bind-address-argument-is-set-to-127.0.0.1/test/failed/expected.json b/rules/ensure-that-the-scheduler-bind-address-argument-is-set-to-127.0.0.1/test/failed/expected.json
index f7b4aa588..9d63baf84 100644
--- a/rules/ensure-that-the-scheduler-bind-address-argument-is-set-to-127.0.0.1/test/failed/expected.json
+++ b/rules/ensure-that-the-scheduler-bind-address-argument-is-set-to-127.0.0.1/test/failed/expected.json 
@@ -1 +1,64 @@
-[{"alertMessage":"the kube scheduler is not bound to a localhost interface only","failedPaths":["spec.containers[0].command[3]"],"fixPaths":[{"path":"spec.containers[0].command[3]","value":"--bind-address=127.0.0.1"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-scheduler","tier":"control-plane"},"name":"kube-scheduler"}}]}},{"alertMessage":"the kube scheduler is not bound to a localhost interface only","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[5]","value":"--bind-address=127.0.0.1"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-scheduler","tier":"control-plane"},"name":"kube-scheduler"}}]}}]
\ No newline at end of file
+[
+ {
+ "alertMessage": "the kube scheduler is not bound to a localhost interface only",
+ "reviewPaths": [
+ "spec.containers[0].command[3]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[3]"
+ ],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[3]",
+ "value": "--bind-address=127.0.0.1"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-scheduler",
+ "tier": "control-plane"
+ },
+ "name": "kube-scheduler"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "alertMessage": "the kube scheduler is not bound to a localhost interface only",
+ "reviewPaths": [],
+ "failedPaths": [],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[5]",
+ "value": "--bind-address=127.0.0.1"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-scheduler",
+ "tier":
"control-plane" + }, + "name": "kube-scheduler" + } + } + ] + } + } +] \ No newline at end of file diff --git a/rules/ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-root/rule.metadata.json b/rules/ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-root/rule.metadata.json index 0fc19891e..b26511559 100644 --- a/rules/ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-root/rule.metadata.json +++ b/rules/ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-root/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-root", "attributes": { - "armoBuiltin": true, "hostSensorRule": "true" }, "ruleLanguage": "Rego", diff --git a/rules/ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json b/rules/ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json index ac94be6df..071d70234 100644 --- a/rules/ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json +++ b/rules/ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive", "attributes": { - "armoBuiltin": true, "hostSensorRule": "true" }, "ruleLanguage": "Rego", diff --git a/rules/ensure-that-the-scheduler-profiling-argument-is-set-to-false/rule.metadata.json b/rules/ensure-that-the-scheduler-profiling-argument-is-set-to-false/rule.metadata.json index 049b72786..474ca793e 100644 --- a/rules/ensure-that-the-scheduler-profiling-argument-is-set-to-false/rule.metadata.json +++ b/rules/ensure-that-the-scheduler-profiling-argument-is-set-to-false/rule.metadata.json 
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-scheduler-profiling-argument-is-set-to-false",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure-that-the-scheduler-profiling-argument-is-set-to-false/test/failed/expected.json b/rules/ensure-that-the-scheduler-profiling-argument-is-set-to-false/test/failed/expected.json
index 5e161b4e7..48d2b0964 100644
--- a/rules/ensure-that-the-scheduler-profiling-argument-is-set-to-false/test/failed/expected.json
+++ b/rules/ensure-that-the-scheduler-profiling-argument-is-set-to-false/test/failed/expected.json
@@ -1 +1,64 @@
-[{"alertMessage":"profiling is enabled for the kube-scheduler","failedPaths":[],"fixPaths":[{"path":"spec.containers[0].command[6]","value":"--profiling=false"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-scheduler","tier":"control-plane"},"name":"kube-scheduler"}}]}},{"alertMessage":"profiling is enabled for the kube-scheduler","failedPaths":["spec.containers[0].command[1]"],"fixPaths":[{"path":"spec.containers[0].command[1]","value":"--profiling=false"}],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"component":"kube-scheduler","tier":"control-plane"},"name":"kube-scheduler"}}]}}]
\ No newline at end of file
+[
+ {
+ "alertMessage": "profiling is enabled for the kube-scheduler",
+ "reviewPaths": [],
+ "failedPaths": [],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[6]",
+ "value": "--profiling=false"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-scheduler",
+ "tier": "control-plane"
+ },
+ "name": "kube-scheduler"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "alertMessage": "profiling is enabled for the kube-scheduler",
+ "reviewPaths": [
+ "spec.containers[0].command[1]"
+ ],
+ "failedPaths": [
+ "spec.containers[0].command[1]"
+ ],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].command[1]",
+ "value": "--profiling=false"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 2,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "component": "kube-scheduler",
+ "tier": "control-plane"
+ },
+ "name": "kube-scheduler"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/ensure-that-the-scheduler.conf-file-ownership-is-set-to-root-root/rule.metadata.json b/rules/ensure-that-the-scheduler.conf-file-ownership-is-set-to-root-root/rule.metadata.json
index c678b3afc..44e2e1188 100644
--- a/rules/ensure-that-the-scheduler.conf-file-ownership-is-set-to-root-root/rule.metadata.json
+++ b/rules/ensure-that-the-scheduler.conf-file-ownership-is-set-to-root-root/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-scheduler.conf-file-ownership-is-set-to-root-root",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure-that-the-scheduler.conf-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json b/rules/ensure-that-the-scheduler.conf-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
index 2cdb5e5fe..24d952319 100644
--- a/rules/ensure-that-the-scheduler.conf-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
+++ b/rules/ensure-that-the-scheduler.conf-file-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure-that-the-scheduler.conf-file-permissions-are-set-to-600-or-more-restrictive",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/ensure_network_policy_configured_in_labels/rule.metadata.json b/rules/ensure_network_policy_configured_in_labels/rule.metadata.json
index 64711b69e..3e72e46d7 100644
--- a/rules/ensure_network_policy_configured_in_labels/rule.metadata.json
+++ b/rules/ensure_network_policy_configured_in_labels/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure_network_policy_configured_in_labels",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/ensure_nodeinstancerole_has_right_permissions_for_ecr/rule.metadata.json b/rules/ensure_nodeinstancerole_has_right_permissions_for_ecr/rule.metadata.json
index ad8ff0292..e7f4b1f26 100644
--- a/rules/ensure_nodeinstancerole_has_right_permissions_for_ecr/rule.metadata.json
+++ b/rules/ensure_nodeinstancerole_has_right_permissions_for_ecr/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "ensure_nodeinstancerole_has_right_permissions_for_ecr",
 "attributes": {
- "armoBuiltin": true,
 "useFromKubescapeVersion": "v2.2.5"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/etcd-auto-tls-disabled/rule.metadata.json b/rules/etcd-auto-tls-disabled/rule.metadata.json
index be0dbf59e..e1c47da82 100644
--- a/rules/etcd-auto-tls-disabled/rule.metadata.json
+++ b/rules/etcd-auto-tls-disabled/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "etcd-auto-tls-disabled",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/etcd-auto-tls-disabled/test/fail-argument-set-to-true/expected.json b/rules/etcd-auto-tls-disabled/test/fail-argument-set-to-true/expected.json
index fe82b8f78..1fd9d4b44 100644
--- a/rules/etcd-auto-tls-disabled/test/fail-argument-set-to-true/expected.json
+++ b/rules/etcd-auto-tls-disabled/test/fail-argument-set-to-true/expected.json
@@ -1,7 +1,9 @@
 [
 {
 "alertMessage": "Auto tls is enabled. Clients are able to use self-signed certificates for TLS.",
- "failedPaths": [
+ "reviewPaths": [
+ "spec.containers[0].command[1]"
+ ],
 "failedPaths": [
 "spec.containers[0].command[1]"
 ],
 "fixPaths": [
diff --git a/rules/etcd-client-auth-cert/rule.metadata.json b/rules/etcd-client-auth-cert/rule.metadata.json
index b71384cd5..58664390c 100644
--- a/rules/etcd-client-auth-cert/rule.metadata.json
+++ b/rules/etcd-client-auth-cert/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "etcd-client-auth-cert",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/etcd-client-auth-cert/test/fail-argument-set-to-false/expected.json b/rules/etcd-client-auth-cert/test/fail-argument-set-to-false/expected.json
index e432e6468..e1fc5f631 100644
--- a/rules/etcd-client-auth-cert/test/fail-argument-set-to-false/expected.json
+++ b/rules/etcd-client-auth-cert/test/fail-argument-set-to-false/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "Etcd server is not requiring a valid client certificate",
+ "reviewPaths": [
+ "spec.containers[0].command[2]"
+ ],
 "failedPaths": [
 "spec.containers[0].command[2]"
 ],
diff --git a/rules/etcd-client-auth-cert/test/fail-missing-argument/expected.json b/rules/etcd-client-auth-cert/test/fail-missing-argument/expected.json
index ef179075b..31b38f3c1 100644
--- a/rules/etcd-client-auth-cert/test/fail-missing-argument/expected.json
+++ b/rules/etcd-client-auth-cert/test/fail-missing-argument/expected.json
@@ -1,6 +1,7 @@
 [
 {
 "alertMessage": "Etcd server is not requiring a valid client certificate",
+ "reviewPaths": [],
 "failedPaths": [],
 "fixPaths": [
 {
diff --git a/rules/etcd-encryption-native/rule.metadata.json b/rules/etcd-encryption-native/rule.metadata.json
index 7b18a6acd..abadf0ac7 100644
--- a/rules/etcd-encryption-native/rule.metadata.json
+++ b/rules/etcd-encryption-native/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "etcd-encryption-native",
 "attributes": {
- "armoBuiltin": true,
 "resourcesAggregator": "apiserver-pod",
 "useFromKubescapeVersion": "v1.0.133"
 },
diff --git a/rules/etcd-peer-auto-tls-disabled/rule.metadata.json b/rules/etcd-peer-auto-tls-disabled/rule.metadata.json
index c220accbd..a99ea9024 100644
--- a/rules/etcd-peer-auto-tls-disabled/rule.metadata.json
+++ b/rules/etcd-peer-auto-tls-disabled/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "etcd-peer-auto-tls-disabled",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/etcd-peer-auto-tls-disabled/test/fail-argument-set-to-true/expected.json b/rules/etcd-peer-auto-tls-disabled/test/fail-argument-set-to-true/expected.json
index 80b6737a8..14af8cab7 100644
--- a/rules/etcd-peer-auto-tls-disabled/test/fail-argument-set-to-true/expected.json
+++ b/rules/etcd-peer-auto-tls-disabled/test/fail-argument-set-to-true/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "Peer auto tls is enabled. Peer clients are able to use self-signed certificates for TLS.",
+ "reviewPaths": [
+ "spec.containers[0].command[1]"
+ ],
 "failedPaths": [
 "spec.containers[0].command[1]"
 ],
diff --git a/rules/etcd-peer-client-auth-cert/rule.metadata.json b/rules/etcd-peer-client-auth-cert/rule.metadata.json
index ed751e622..cc63ad8bc 100644
--- a/rules/etcd-peer-client-auth-cert/rule.metadata.json
+++ b/rules/etcd-peer-client-auth-cert/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "etcd-peer-client-auth-cert",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/etcd-peer-client-auth-cert/test/fail-argument-set-false/expected.json b/rules/etcd-peer-client-auth-cert/test/fail-argument-set-false/expected.json
index 4016b51a0..cda71b6e3 100644
--- a/rules/etcd-peer-client-auth-cert/test/fail-argument-set-false/expected.json
+++ b/rules/etcd-peer-client-auth-cert/test/fail-argument-set-false/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "Etcd server is not requiring a valid client certificate.",
+ "reviewPaths": [
+ "spec.containers[0].command[11]"
+ ],
 "failedPaths": [
 "spec.containers[0].command[11]"
 ],
diff --git a/rules/etcd-peer-client-auth-cert/test/fail-missing-argument/expected.json b/rules/etcd-peer-client-auth-cert/test/fail-missing-argument/expected.json
index 87fec1880..9abd7a316 100644
--- a/rules/etcd-peer-client-auth-cert/test/fail-missing-argument/expected.json
+++ b/rules/etcd-peer-client-auth-cert/test/fail-missing-argument/expected.json
@@ -1,6 +1,7 @@
 [
 {
 "alertMessage": "Etcd server is not requiring a valid client certificate.",
+ "reviewPaths": [],
 "failedPaths": [],
 "fixPaths": [
 {
diff --git a/rules/etcd-peer-tls-enabled/rule.metadata.json b/rules/etcd-peer-tls-enabled/rule.metadata.json
index bbfa1861d..eeb9c791c 100644
--- a/rules/etcd-peer-tls-enabled/rule.metadata.json +++ b/rules/etcd-peer-tls-enabled/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "etcd-peer-tls-enabled", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/etcd-peer-tls-enabled/test/fail-missing-cert-argument/expected.json b/rules/etcd-peer-tls-enabled/test/fail-missing-cert-argument/expected.json index b621b49b3..e5d60f27b 100644 --- a/rules/etcd-peer-tls-enabled/test/fail-missing-cert-argument/expected.json +++ b/rules/etcd-peer-tls-enabled/test/fail-missing-cert-argument/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "Etcd encryption for peer connection is not enabled.", + "reviewPaths": [ + "spec.containers[0].command" + ], "failedPaths": [ "spec.containers[0].command" ], diff --git a/rules/etcd-peer-tls-enabled/test/fail-missing-key-argument/expected.json b/rules/etcd-peer-tls-enabled/test/fail-missing-key-argument/expected.json index da45b3baa..1d9600fb2 100644 --- a/rules/etcd-peer-tls-enabled/test/fail-missing-key-argument/expected.json +++ b/rules/etcd-peer-tls-enabled/test/fail-missing-key-argument/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "Etcd encryption for peer connection is not enabled.", + "reviewPaths": [ + "spec.containers[0].command" + ], "failedPaths": [ "spec.containers[0].command" ], diff --git a/rules/etcd-tls-enabled/rule.metadata.json b/rules/etcd-tls-enabled/rule.metadata.json index f4b91589d..8a368da6d 100644 --- a/rules/etcd-tls-enabled/rule.metadata.json +++ b/rules/etcd-tls-enabled/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "etcd-tls-enabled", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/etcd-tls-enabled/test/fail-missing-cert-argument/expected.json b/rules/etcd-tls-enabled/test/fail-missing-cert-argument/expected.json index 26c0d378f..1fd4a7a5b 100644 --- a/rules/etcd-tls-enabled/test/fail-missing-cert-argument/expected.json 
+++ b/rules/etcd-tls-enabled/test/fail-missing-cert-argument/expected.json @@ -1,6 +1,7 @@ [ { "alertMessage": "etcd encryption is not enabled", + "reviewPaths": [], "failedPaths": [], "fixPaths": [ { diff --git a/rules/etcd-tls-enabled/test/fail-missing-key-argument/expected.json b/rules/etcd-tls-enabled/test/fail-missing-key-argument/expected.json index d29cb6eab..2381198cd 100644 --- a/rules/etcd-tls-enabled/test/fail-missing-key-argument/expected.json +++ b/rules/etcd-tls-enabled/test/fail-missing-key-argument/expected.json @@ -1,6 +1,7 @@ [ { "alertMessage": "etcd encryption is not enabled", + "reviewPaths": [], "failedPaths": [], "fixPaths": [ { diff --git a/rules/etcd-unique-ca/rule.metadata.json b/rules/etcd-unique-ca/rule.metadata.json index a830c6d99..7104327b8 100644 --- a/rules/etcd-unique-ca/rule.metadata.json +++ b/rules/etcd-unique-ca/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "etcd-unique-ca", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/etcd-unique-ca/test/fail-same-key-file/expected.json b/rules/etcd-unique-ca/test/fail-same-key-file/expected.json index af2042681..74bbd2202 100644 --- a/rules/etcd-unique-ca/test/fail-same-key-file/expected.json +++ b/rules/etcd-unique-ca/test/fail-same-key-file/expected.json @@ -29,6 +29,10 @@ ] }, "alertScore": 8, + "reviewPaths": [ + "spec.containers[0].command[15]", + "spec.containers[0].command[4]" + ], "failedPaths": [ "spec.containers[0].command[15]", "spec.containers[0].command[4]" diff --git a/rules/excessive_amount_of_vulnerabilities_pods/rule.metadata.json b/rules/excessive_amount_of_vulnerabilities_pods/rule.metadata.json index f72603726..c5482dc31 100644 --- a/rules/excessive_amount_of_vulnerabilities_pods/rule.metadata.json +++ b/rules/excessive_amount_of_vulnerabilities_pods/rule.metadata.json 
@@ -2,7 +2,6 @@ "name": "excessive_amount_of_vulnerabilities_pods", "attributes": { "microsoftK8sThreatMatrix": "Initial access::Exposed critical vulnerable pods", - "armoBuiltin": true, "useFromKubescapeVersion": "v1.0.133", "imageScanRelated": true }, diff --git a/rules/excessive_amount_of_vulnerabilities_pods/test/test-failed/expected.json b/rules/excessive_amount_of_vulnerabilities_pods/test/test-failed/expected.json index 8af711374..470a8c026 100644 --- a/rules/excessive_amount_of_vulnerabilities_pods/test/test-failed/expected.json +++ b/rules/excessive_amount_of_vulnerabilities_pods/test/test-failed/expected.json @@ -1,5 +1,6 @@ [{ "alertMessage": "pod 'nginx' exposed with critical vulnerabilities", + "reviewPaths": ["status.containerStatuses[0].imageID"], "failedPaths": ["status.containerStatuses[0].imageID"], "fixPaths": [], "ruleStatus": "", diff --git a/rules/exec-into-container-v1/rule.metadata.json b/rules/exec-into-container-v1/rule.metadata.json index 66f49c77b..b0da940e9 100644 --- a/rules/exec-into-container-v1/rule.metadata.json +++ b/rules/exec-into-container-v1/rule.metadata.json @@ -2,7 +2,6 @@ "name": "exec-into-container-v1", "attributes": { "m$K8sThreatMatrix": "Privilege Escalation::Exec into container", - "armoBuiltin": true, "resourcesAggregator": "subject-role-rolebinding", "useFromKubescapeVersion": "v1.0.133" }, diff --git a/rules/exec-into-container-v1/test/clusterrole/expected.json b/rules/exec-into-container-v1/test/clusterrole/expected.json index 52b641cb4..e7d964550 100644 --- a/rules/exec-into-container-v1/test/clusterrole/expected.json +++ b/rules/exec-into-container-v1/test/clusterrole/expected.json 
@@ -1,5 +1,6 @@ [{ "alertMessage": "Subject: User-dave can exec into containers", + "reviewPaths": ["relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].verbs[0]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "failedPaths": ["relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].verbs[0]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "fixPaths": [], "ruleStatus": "", diff --git a/rules/exec-into-container-v1/test/role/expected.json b/rules/exec-into-container-v1/test/role/expected.json index cdffa41ef..61d2e3c75 100644 --- a/rules/exec-into-container-v1/test/role/expected.json +++ b/rules/exec-into-container-v1/test/role/expected.json @@ -1,5 +1,6 @@ [{ "alertMessage": "Subject: User-jane can exec into containers", + "reviewPaths": ["relatedObjects[1].rules[0].resources[2]", "relatedObjects[1].rules[0].verbs[1]", "relatedObjects[1].rules[0].verbs[3]", "relatedObjects[1].rules[0].apiGroups[1]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "failedPaths": ["relatedObjects[1].rules[0].resources[2]", "relatedObjects[1].rules[0].verbs[1]", "relatedObjects[1].rules[0].verbs[3]", "relatedObjects[1].rules[0].apiGroups[1]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "fixPaths": [], "ruleStatus": "", diff --git a/rules/exec-into-container/raw.rego b/rules/exec-into-container/raw.rego deleted file mode 100644 index 2ddac11d1..000000000 --- a/rules/exec-into-container/raw.rego +++ /dev/null 
@@ -1,136 +0,0 @@ -package armo_builtins - -import data.cautils - -# input: clusterrolebindings + rolebindings -# apiversion: rbac.authorization.k8s.io/v1 -# returns subjects that can exec into container - -deny[msga] { - roles := [role | role= input[_]; role.kind == "Role"] - rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"] - role:= roles[_] - rolebinding := rolebindings[_] - - rule:= role.rules[_] - can_exec_to_pod_resource(rule) - can_exec_to_pod_verb(rule) - - rolebinding.roleRef.kind == "Role" - rolebinding.roleRef.name == role.metadata.name - - subject := rolebinding.subjects[i] - path := sprintf("subjects[%v]", [format_int(i, 10)]) - - msga := { - "alertMessage": sprintf("the following %v: %v, can exec into containers", [subject.kind, subject.name]), - "alertScore": 9, - "deletePaths": [path], - "failedPaths": [path], - "packagename": "armo_builtins", - "alertObject": { - "k8sApiObjects": [role, rolebinding], - "externalObjects": { - "subject" : [subject] - } - } - } -} - - -# input: clusterrolebindings + rolebindings -# apiversion: rbac.authorization.k8s.io/v1 -# returns subjects that can exec into container - -deny[msga] { - roles := [role | role= input[_]; role.kind == "ClusterRole"] - rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"] - role:= roles[_] - rolebinding := rolebindings[_] - - rule:= role.rules[_] - can_exec_to_pod_resource(rule) - can_exec_to_pod_verb(rule) - - rolebinding.roleRef.kind == "ClusterRole" - rolebinding.roleRef.name == role.metadata.name - - subject := rolebinding.subjects[i] - path := sprintf("subjects[%v]", [format_int(i, 10)]) - - msga := { - "alertMessage": sprintf("the following %v: %v, can exec into containers", [subject.kind, subject.name]), - "alertScore": 9, - "failedPaths": [path], - "packagename": "armo_builtins", - "alertObject": { - "k8sApiObjects": [role, rolebinding], - "externalObjects": { - "subject" : [subject] - } - } - } -} - -# 
input: clusterrolebindings + rolebindings -# apiversion: rbac.authorization.k8s.io/v1 -# returns subjects that can exec into container - -deny[msga] { - roles := [role | role= input[_]; role.kind == "ClusterRole"] - rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "ClusterRoleBinding"] - role:= roles[_] - rolebinding := rolebindings[_] - - rule:= role.rules[_] - can_exec_to_pod_resource(rule) - can_exec_to_pod_verb(rule) - - rolebinding.roleRef.kind == "ClusterRole" - rolebinding.roleRef.name == role.metadata.name - - subject := rolebinding.subjects[i] - path := sprintf("subjects[%v]", [format_int(i, 10)]) - - msga := { - "alertMessage": sprintf("the following %v: %v, can exec into containers", [subject.kind, subject.name]), - "alertScore": 9, - "failedPaths": [path], - "packagename": "armo_builtins", - "alertObject": { - "k8sApiObjects": [role, rolebinding], - "externalObjects": { - "subject" : [subject] - } - } - } -} - -can_exec_to_pod_verb(rule) { - cautils.list_contains(rule.verbs, "create") -} -can_exec_to_pod_verb(rule) { - cautils.list_contains(rule.verbs, "*") -} - -can_exec_to_pod_resource(rule) { - cautils.list_contains(rule.resources, "pods/exec") - -} -can_exec_to_pod_resource(rule) { - cautils.list_contains(rule.resources, "pods/*") -} -can_exec_to_pod_resource(rule) { - is_api_group(rule) - cautils.list_contains(rule.resources, "*") -} - -is_api_group(rule) { - apiGroup := rule.apiGroups[_] - apiGroup == "" -} - -is_api_group(rule) { - apiGroup := rule.apiGroups[_] - apiGroup == "*" -} \ No newline at end of file diff --git a/rules/exec-into-container/rule.metadata.json b/rules/exec-into-container/rule.metadata.json deleted file mode 100644 index 02b57ced7..000000000 --- a/rules/exec-into-container/rule.metadata.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "name": "exec-into-container", - "attributes": { - "m$K8sThreatMatrix": "Privilege Escalation::Exec into container", - "armoBuiltin": true, - "useUntilKubescapeVersion": "v1.0.133" - }, - "ruleLanguage": "Rego", - "match": [ - { - "apiGroups": [ - "rbac.authorization.k8s.io" - ], - "apiVersions": [ - "v1" - ], - "resources": [ - "RoleBinding", - "ClusterRoleBinding", - "Role", - "ClusterRole" - ] - } - ], - "ruleDependencies": [ - { - "packageName": "cautils" - } - ], - "description": "determines which users have permissions to exec into pods", - "remediation": "", - "ruleQuery": "armo_builtins", - "resourceCount": "subjects" -} \ No newline at end of file diff --git a/rules/exposed-critical-pods/rule.metadata.json b/rules/exposed-critical-pods/rule.metadata.json index 0015fbb1d..d163b1fb2 100644 --- a/rules/exposed-critical-pods/rule.metadata.json +++ b/rules/exposed-critical-pods/rule.metadata.json @@ -2,7 +2,6 @@ "name": "exposed-critical-pods", "attributes": { "m$K8sThreatMatrix": "exposed-critical-pods", - "armoBuiltin": true, "imageScanRelated": true }, "ruleLanguage": "Rego", diff --git a/rules/exposed-rce-pods/rule.metadata.json b/rules/exposed-rce-pods/rule.metadata.json index 98f9c922d..f19277015 100644 --- a/rules/exposed-rce-pods/rule.metadata.json +++ b/rules/exposed-rce-pods/rule.metadata.json @@ -2,7 +2,6 @@ "name": "exposed-rce-pods", "attributes": { "m$K8sThreatMatrix": "exposed-rce-pods", - "armoBuiltin": true, "useFromKubescapeVersion": "v2.0.150", "imageScanRelated": true diff --git a/rules/exposed-rce-pods/test/test-failed/expected.json b/rules/exposed-rce-pods/test/test-failed/expected.json index 5d7ee1112..d6b108076 100644 --- a/rules/exposed-rce-pods/test/test-failed/expected.json +++ b/rules/exposed-rce-pods/test/test-failed/expected.json 
@@ -1,5 +1,6 @@
 [{
 "alertMessage": "pod 'nginx' exposed with rce vulnerability",
+ "reviewPaths": ["status.containerStatuses[0].imageID"],
 "failedPaths": ["status.containerStatuses[0].imageID"],
 "fixPaths": [],
 "ruleStatus": "",
diff --git a/rules/exposed-sensitive-interfaces-v1/raw.rego b/rules/exposed-sensitive-interfaces-v1/raw.rego
index b606343bc..ea0d2b665 100644
--- a/rules/exposed-sensitive-interfaces-v1/raw.rego
+++ b/rules/exposed-sensitive-interfaces-v1/raw.rego
@@ -121,10 +121,10 @@ deny[msga] {
 wl_connectedto_service(wl, service) = paths{
 count({x | service.spec.selector[x] == wl.metadata.labels[x]}) == count(service.spec.selector)
- paths = ["spec.selector.matchLabels", "service.spec.selector"]
+ paths = ["spec.selector.matchLabels", "spec.selector"]
 }
 wl_connectedto_service(wl, service) = paths {
 wl.spec.selector.matchLabels == service.spec.selector
- paths = ["spec.selector.matchLabels", "service.spec.selector"]
+ paths = ["spec.selector.matchLabels", "spec.selector"]
 }
\ No newline at end of file
diff --git a/rules/exposed-sensitive-interfaces-v1/rule.metadata.json b/rules/exposed-sensitive-interfaces-v1/rule.metadata.json
index 17a5910c0..93f5503ae 100644
--- a/rules/exposed-sensitive-interfaces-v1/rule.metadata.json
+++ b/rules/exposed-sensitive-interfaces-v1/rule.metadata.json
@@ -2,7 +2,6 @@
 "name": "exposed-sensitive-interfaces-v1",
 "attributes": {
 "microsoftK8sThreatMatrix": "Initial access::Exposed sensitive interfaces",
- "armoBuiltin": true,
 "useFromKubescapeVersion": "v1.0.133"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/exposed-sensitive-interfaces-v1/test/pod/expected.json b/rules/exposed-sensitive-interfaces-v1/test/pod/expected.json
index 0a1bcdf1b..94e22a34c 100644
--- a/rules/exposed-sensitive-interfaces-v1/test/pod/expected.json
+++ b/rules/exposed-sensitive-interfaces-v1/test/pod/expected.json
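Review bot: Both bodies of `wl_connectedto_service` still return the same two-element list whichever clause matched, and that list mixes a workload path (`spec.selector.matchLabels`) with a Service path (`spec.selector`) even though the caller (outside this hunk) emits it as one flat `failedPaths`/`reviewPaths` list against two `k8sApiObjects`, so a consumer cannot tell which object each path belongs to. The first clause also matches on `wl.metadata.labels`, which for Deployment-style workloads are the workload's own labels rather than `spec.template.metadata.labels`, so the reported `spec.selector.matchLabels` path is not necessarily the field that matched; the new gateway rule in this same commit carries a third clause for template labels that this helper lacks. At minimum a comment above the first clause would help the next reader: `# paths[0] is relative to the workload, paths[1] to the Service; this clause matches on workload metadata.labels, not the pod template`.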
@@ -1,6 +1,7 @@ [{ "alertMessage": "service: my-service is exposed", - "failedPaths": ["spec.selector.matchLabels", "service.spec.selector"], + "reviewPaths": ["spec.selector.matchLabels", "spec.selector"], + "failedPaths": ["spec.selector.matchLabels", "spec.selector"], "fixPaths": [], "ruleStatus": "", "packagename": "armo_builtins", diff --git a/rules/exposed-sensitive-interfaces-v1/test/workloads/expected.json b/rules/exposed-sensitive-interfaces-v1/test/workloads/expected.json index ee046f52c..24da81f54 100644 --- a/rules/exposed-sensitive-interfaces-v1/test/workloads/expected.json +++ b/rules/exposed-sensitive-interfaces-v1/test/workloads/expected.json @@ -1,6 +1,7 @@ [{ "alertMessage": "service: my-service is exposed", - "failedPaths": ["spec.selector.matchLabels", "service.spec.selector"], + "reviewPaths": ["spec.selector.matchLabels", "spec.selector"], + "failedPaths": ["spec.selector.matchLabels", "spec.selector"], "fixPaths": [], "ruleStatus": "", "packagename": "armo_builtins", diff --git a/rules/exposed-sensitive-interfaces-v1/test/workloads2/expected.json b/rules/exposed-sensitive-interfaces-v1/test/workloads2/expected.json index ccaa9857f..feb2448e5 100644 --- a/rules/exposed-sensitive-interfaces-v1/test/workloads2/expected.json +++ b/rules/exposed-sensitive-interfaces-v1/test/workloads2/expected.json @@ -1,9 +1,13 @@ [ { "alertMessage": "service: jenkins-service is exposed", + "reviewPaths": [ + "spec.selector.matchLabels", + "spec.selector" + ], "failedPaths": [ "spec.selector.matchLabels", - "service.spec.selector" + "spec.selector" ], "fixPaths": [], "ruleStatus": "", diff --git a/rules/exposed-sensitive-interfaces/raw.rego b/rules/exposed-sensitive-interfaces/raw.rego deleted file mode 100644 index f33b9dcf8..000000000 --- a/rules/exposed-sensitive-interfaces/raw.rego +++ /dev/null 
@@ -1,113 +0,0 @@ -package armo_builtins - -import data.kubernetes.api.client - -# loadbalancer -deny[msga] { - service := input[_] - service.kind == "Service" - service.spec.type == "LoadBalancer" - - wl := input[_] - workload_types = {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Job", "Pod", "CronJob"} - workload_types[wl.kind] - result := wl_connectedto_service(wl, service) - - # see default-config-inputs.json for list values - services_names := data.postureControlInputs.servicesNames - services_names[service.metadata.name] - # externalIP := service.spec.externalIPs[_] - externalIP := service.status.loadBalancer.ingress[0].ip - - - msga := { - "alertMessage": sprintf("service: %v is exposed", [service.metadata.name]), - "packagename": "armo_builtins", - "alertScore": 7, - "reviewPaths": result, - "failedPaths": result, - "alertObject": { - "k8sApiObjects": [wl, service] - } - } -} - - -# nodePort -# get a pod connected to that service, get nodeIP (hostIP?) -# use ip + nodeport -deny[msga] { - service := input[_] - service.kind == "Service" - service.spec.type == "NodePort" - - # see default-config-inputs.json for list values - services_names := data.postureControlInputs.servicesNames - services_names[service.metadata.name] - - pod := input[_] - pod.kind == "Pod" - - result := wl_connectedto_service(pod, service) - - - - msga := { - "alertMessage": sprintf("service: %v is exposed", [service.metadata.name]), - "packagename": "armo_builtins", - "alertScore": 7, - "reviewPaths": result, - "failedPaths": result, - "alertObject": { - "k8sApiObjects": [pod, service] - } - } -} - -# nodePort -# get a workload connected to that service, get nodeIP (hostIP?) 
-# use ip + nodeport -deny[msga] { - service := input[_] - service.kind == "Service" - service.spec.type == "NodePort" - - # see default-config-inputs.json for list values - services_names := data.postureControlInputs.servicesNames - services_names[service.metadata.name] - - wl := input[_] - spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Job", "CronJob"} - spec_template_spec_patterns[wl.kind] - - result := wl_connectedto_service(wl, service) - - pods_resource := client.query_all("pods") - pod := pods_resource.body.items[_] - my_pods := [pod | startswith(pod.metadata.name, wl.metadata.name)] - - - - msga := { - "alertMessage": sprintf("service: %v is exposed", [service.metadata.name]), - "packagename": "armo_builtins", - "alertScore": 7, - "reviewPaths": result, - "failedPaths": result, - "alertObject": { - "k8sApiObjects": [wl, service] - } - } -} - -# ==================================================================================== - -wl_connectedto_service(wl, service) = paths{ - count({x | service.spec.selector[x] == wl.metadata.labels[x]}) == count(service.spec.selector) - paths = ["spec.selector.matchLabels", "service.spec.selector"] -} - -wl_connectedto_service(wl, service) = paths { - wl.spec.selector.matchLabels == service.spec.selector - paths = ["spec.selector.matchLabels", "service.spec.selector"] -} diff --git a/rules/exposed-sensitive-interfaces/rule.metadata.json b/rules/exposed-sensitive-interfaces/rule.metadata.json deleted file mode 100644 index 2f479e9f2..000000000 --- a/rules/exposed-sensitive-interfaces/rule.metadata.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "name": "exposed-sensitive-interfaces", - "attributes": { - "microsoftK8sThreatMatrix": "Initial access::Exposed sensitive interfaces", - "armoBuiltin": true, - "useUntilKubescapeVersion": "v1.0.133" - }, - "ruleLanguage": "Rego", - "match": [ - { - "apiGroups": [ - "" - ], - "apiVersions": [ - "v1" - ], - "resources": [ - "Pod", - "Service" - ] - }, - { - "apiGroups": [ - "apps" - ], - "apiVersions": [ - "v1" - ], - "resources": [ - "Deployment", - "ReplicaSet", - "DaemonSet", - "StatefulSet" - ] - }, - { - "apiGroups": [ - "batch" - ], - "apiVersions": [ - "*" - ], - "resources": [ - "Job", - "CronJob" - ] - } - ], - "ruleDependencies": [ - { - "packageName": "kubernetes.api.client" - } - ], - "configInputs": [ - "settings.postureControlInputs.servicesNames" - ], - "controlConfigInputs": [ - { - "path": "settings.postureControlInputs.servicesNames", - "name": "Service names", - "description": "List of services relating to known software interfaces that should not generally be exposed to the Internet." - } - ], - "description": "fails if known interfaces have exposed services", - "remediation": "", - "ruleQuery": "armo_builtins" -} \ No newline at end of file diff --git a/rules/exposure-to-internet-via-gateway-api/raw.rego b/rules/exposure-to-internet-via-gateway-api/raw.rego new file mode 100644 index 000000000..0fac5da2d --- /dev/null +++ b/rules/exposure-to-internet-via-gateway-api/raw.rego 
@@ -0,0 +1,78 @@
+package armo_builtins
+import future.keywords.in
+
+
+deny[msga] {
+ httproute := input[_]
+ httproute.kind in ["HTTPRoute", "TCPRoute", "UDPRoute"]
+
+ svc := input[_]
+ svc.kind == "Service"
+
+ # Make sure that they belong to the same namespace
+ svc.metadata.namespace == httproute.metadata.namespace
+
+ # avoid duplicate alerts
+ # if service is already exposed through NodePort or LoadBalancer workload will fail on that
+ not is_exposed_service(svc)
+
+ wl := input[_]
+ wl.metadata.namespace == svc.metadata.namespace
+ spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Pod", "Job", "CronJob"}
+ spec_template_spec_patterns[wl.kind]
+ wl_connected_to_service(wl, svc)
+
+ result := svc_connected_to_httproute(svc, httproute)
+
+ msga := {
+ "alertMessage": sprintf("workload '%v' is exposed through httproute '%v'", [wl.metadata.name, httproute.metadata.name]),
+ "packagename": "armo_builtins",
+ "failedPaths": [],
+ "fixPaths": [],
+ "alertScore": 7,
+ "alertObject": {
+ "k8sApiObjects": [wl]
+ },
+ "relatedObjects": [
+ {
+ "object": httproute,
+ "reviewPaths": result,
+ "failedPaths": result,
+ },
+ {
+ "object": svc,
+ }
+ ]
+ }
+}
+
+# ====================================================================================
+
+is_exposed_service(svc) {
+ svc.spec.type == "NodePort"
+}
+
+is_exposed_service(svc) {
+ svc.spec.type == "LoadBalancer"
+}
+
+wl_connected_to_service(wl, svc) {
+ count({x | svc.spec.selector[x] == wl.metadata.labels[x]}) == count(svc.spec.selector)
+}
+
+wl_connected_to_service(wl, svc) {
+ wl.spec.selector.matchLabels == svc.spec.selector
+}
+
+wl_connected_to_service(wl, svc) {
+ count({x | svc.spec.selector[x] == wl.spec.template.metadata.labels[x]}) == count(svc.spec.selector)
+}
+
+svc_connected_to_httproute(svc, httproute) = result {
+ rule := httproute.spec.rules[i]
+ ref := rule.backendRefs[j]
+ ref.kind == "Service"
+ svc.metadata.name == ref.name
+ result := [sprintf("spec.rules[%d].backendRefs[%d].name", [i,j])]
+}
+
diff --git a/rules/rule-can-ssh-to-pod/rule.metadata.json b/rules/exposure-to-internet-via-gateway-api/rule.metadata.json
similarity index 61%
rename from rules/rule-can-ssh-to-pod/rule.metadata.json
rename to rules/exposure-to-internet-via-gateway-api/rule.metadata.json
index af170a8f3..54b1aaad3 100644
--- a/rules/rule-can-ssh-to-pod/rule.metadata.json
+++ b/rules/exposure-to-internet-via-gateway-api/rule.metadata.json
@@ -1,9 +1,7 @@
 {
- "name": "rule-can-ssh-to-pod",
+ "name": "exposure-to-internet-via-gateway-api",
 "attributes": {
- "microsoftK8sThreatMatrix": "Execution::SSH server running inside container",
- "armoBuiltin": true,
- "useUntilKubescapeVersion": "v1.0.133"
+ "useFromKubescapeVersion": "v3.0.9"
 },
 "ruleLanguage": "Rego",
 "match": [
@@ -44,10 +42,22 @@
 "Job",
 "CronJob"
 ]
+ },
+ {
+ "apiGroups": [
+ "gateway.networking.k8s.io"
+ ],
+ "apiVersions": [
+ "*"
+ ],
+ "resources": [
+ "HTTPRoute",
+ "TCPRoute",
+ "UDPRoute"
+ ]
 }
 ],
- "ruleDependencies": [],
- "description": "denies pods with SSH ports opened(22/222)",
+ "description": "fails if the running workload is bound to a Service that is exposed to the Internet through a Gateway.",
 "remediation": "",
 "ruleQuery": "armo_builtins"
-}
\ No newline at end of file
+}
diff --git a/rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute-istio/expected.json b/rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute-istio/expected.json
new file mode 100644
index 000000000..defc283a5
--- /dev/null
+++ b/rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute-istio/expected.json
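Review bot: `svc_connected_to_httproute` requires `ref.kind == "Service"`, but a backendRef's `kind` is optional in the Gateway API and defaults to Service, and the manifest preserved in this commit's own test fixture (the `last-applied-configuration` annotation) has backendRefs carrying only `name` and `port`; a route scanned from a file rather than from a cluster-filled object therefore makes the rule silently undefined and the workload is never reported. The backendRef's optional `namespace` is likewise never consulted, so a same-named Service in the route's namespace is matched even when the ref points elsewhere. Suggested: replace the kind line with `object.get(ref, "kind", "Service") == "Service"` and add `object.get(ref, "namespace", httproute.metadata.namespace) == svc.metadata.namespace` before the name comparison. As a caveat rather than a defect in this hunk, nothing here inspects the parent Gateway or the route's `status.parents` acceptance, so a route bound to an internal-only or unaccepted Gateway is still reported as Internet exposure; worth a comment above `deny[msga]` stating that any HTTPRoute/TCPRoute/UDPRoute backend reference is treated as exposure.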
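Review bot: The new description promises detection of a Service "exposed to the Internet through a Gateway", but the `match` entry added for `gateway.networking.k8s.io` lists only HTTPRoute, TCPRoute and UDPRoute and no `Gateway` resource, so the rule has no view of the parent Gateway's class or listeners and cannot actually establish Internet exposure. The wording should match what is checked, e.g. `"description": "fails if the running workload is bound to a Service that is referenced as a backend by an HTTPRoute, TCPRoute or UDPRoute."`, or a `Gateway` match should be added and the Rego extended accordingly. The `useFromKubescapeVersion` bump to `"v3.0.9"` and the wildcard `apiVersions` look appropriate for a CRD that has moved through several versions.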
@@ -0,0 +1,185 @@ +[ + { + "alertMessage": "workload 'httpbin' is exposed through httproute 'http'", + "failedPaths": [], + "fixPaths": [], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "name": "httpbin" + } + } + ] + }, + "relatedObjects": [ + { + "object": { + "apiVersion": "gateway.networking.k8s.io/v1", + "kind": "HTTPRoute", + "metadata": { + "annotations": { + "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"gateway.networking.k8s.io/v1beta1\",\"kind\":\"HTTPRoute\",\"metadata\":{\"annotations\":{},\"name\":\"http\",\"namespace\":\"default\"},\"spec\":{\"hostnames\":[\"httpbin.example.com\"],\"parentRefs\":[{\"name\":\"gateway\",\"namespace\":\"istio-ingress\"}],\"rules\":[{\"backendRefs\":[{\"name\":\"httpbin\",\"port\":8000}],\"matches\":[{\"path\":{\"type\":\"PathPrefix\",\"value\":\"/get\"}}]}]}}\n" + }, + "creationTimestamp": "2024-04-14T07:41:31Z", + "generation": 1, + "name": "http", + "namespace": "default", + "resourceVersion": "2647", + "uid": "b7c1d09f-0cf8-4fc6-ada8-ec415b463038" + }, + "spec": { + "hostnames": [ + "httpbin.example.com" + ], + "parentRefs": [ + { + "group": "gateway.networking.k8s.io", + "kind": "Gateway", + "name": "gateway", + "namespace": "istio-ingress" + } + ], + "rules": [ + { + "backendRefs": [ + { + "group": "", + "kind": "Service", + "name": "httpbin", + "port": 8000, + "weight": 1 + } + ], + "matches": [ + { + "path": { + "type": "PathPrefix", + "value": "/get" + } + } + ] + } + ] + }, + "status": { + "parents": [ + { + "conditions": [ + { + "lastTransitionTime": "2024-04-14T07:41:38Z", + "message": "", + "observedGeneration": 1, + "reason": "Accepted", + "status": "True", + "type": "Accepted" + }, + { + "lastTransitionTime": "2024-04-14T07:41:38Z", + "message": "", + "observedGeneration": 1, + "reason": "ResolvedRefs", + "status": "True", + "type": 
"ResolvedRefs" + } + ], + "controllerName": "solo.io/gloo-gateway", + "parentRef": { + "group": "gateway.networking.k8s.io", + "kind": "Gateway", + "name": "gateway", + "namespace": "istio-ingress" + } + }, + { + "conditions": [ + { + "lastTransitionTime": "2024-04-14T07:41:38Z", + "message": "Route was valid", + "observedGeneration": 1, + "reason": "Accepted", + "status": "True", + "type": "Accepted" + }, + { + "lastTransitionTime": "2024-04-14T07:41:38Z", + "message": "All references resolved", + "observedGeneration": 1, + "reason": "ResolvedRefs", + "status": "True", + "type": "ResolvedRefs" + } + ], + "controllerName": "istio.io/gateway-controller", + "parentRef": { + "group": "gateway.networking.k8s.io", + "kind": "Gateway", + "name": "gateway", + "namespace": "istio-ingress" + } + } + ] + } + }, + "failedPaths": [ + "spec.rules[0].backendRefs[0].name" + ], + "reviewPaths": [ + "spec.rules[0].backendRefs[0].name" + ] + }, + { + "object": { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "annotations": { + "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Service\",\"metadata\":{\"annotations\":{},\"labels\":{\"app\":\"httpbin\",\"service\":\"httpbin\"},\"name\":\"httpbin\",\"namespace\":\"default\"},\"spec\":{\"ports\":[{\"name\":\"http\",\"port\":8000,\"targetPort\":8080}],\"selector\":{\"app\":\"httpbin\"}}}\n" + }, + "creationTimestamp": "2024-04-14T07:39:35Z", + "labels": { + "app": "httpbin", + "service": "httpbin" + }, + "name": "httpbin", + "namespace": "default", + "resourceVersion": "2328", + "uid": "5b675069-a387-4fa4-83b6-8fd25462f714" + }, + "spec": { + "clusterIP": "10.96.126.137", + "clusterIPs": [ + "10.96.126.137" + ], + "internalTrafficPolicy": "Cluster", + "ipFamilies": [ + "IPv4" + ], + "ipFamilyPolicy": "SingleStack", + "ports": [ + { + "name": "http", + "port": 8000, + "protocol": "TCP", + "targetPort": 8080 + } + ], + "selector": { + "app": "httpbin" + }, + "sessionAffinity": "None", + 
"type": "ClusterIP" + }, + "status": { + "loadBalancer": {} + } + } + } + ] + } +] \ No newline at end of file diff --git a/rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute-istio/input/deployment.yaml b/rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute-istio/input/deployment.yaml new file mode 100644 index 000000000..98b05fcf7 --- /dev/null +++ b/rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute-istio/input/deployment.yaml 
@@ -0,0 +1,79 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + deployment.kubernetes.io/revision: "1" + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{},"name":"httpbin","namespace":"default"},"spec":{"replicas":1,"selector":{"matchLabels":{"app":"httpbin","version":"v1"}},"template":{"metadata":{"labels":{"app":"httpbin","version":"v1"}},"spec":{"containers":[{"command":["gunicorn","-b","0.0.0.0:8080","httpbin:app","-k","gevent"],"env":[{"name":"WORKON_HOME","value":"/tmp"}],"image":"docker.io/kong/httpbin","imagePullPolicy":"IfNotPresent","name":"httpbin","ports":[{"containerPort":8080}]}],"serviceAccountName":"httpbin"}}}} + creationTimestamp: "2024-04-14T07:39:35Z" + generation: 1 + name: httpbin + namespace: default + resourceVersion: "2376" + uid: d5e57f81-0001-4454-9623-c3d8bb429c90 +spec: + progressDeadlineSeconds: 600 + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app: httpbin + version: v1 + strategy: + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + app: httpbin + version: v1 + spec: + containers: + - command: + - gunicorn + - -b + - 0.0.0.0:8080 + - httpbin:app + - -k + - gevent + env: + - name: WORKON_HOME + value: /tmp + image: docker.io/kong/httpbin + imagePullPolicy: IfNotPresent + name: httpbin + ports: + - containerPort: 8080 + protocol: TCP + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: httpbin + serviceAccountName: httpbin + terminationGracePeriodSeconds: 30 +status: + availableReplicas: 1 + conditions: + - lastTransitionTime: "2024-04-14T07:39:48Z" + lastUpdateTime: "2024-04-14T07:39:48Z" + message: Deployment has minimum availability. 
+ reason: MinimumReplicasAvailable + status: "True" + type: Available + - lastTransitionTime: "2024-04-14T07:39:35Z" + lastUpdateTime: "2024-04-14T07:39:48Z" + message: ReplicaSet "httpbin-54b5c865df" has successfully progressed. + reason: NewReplicaSetAvailable + status: "True" + type: Progressing + observedGeneration: 1 + readyReplicas: 1 + replicas: 1 + updatedReplicas: 1 \ No newline at end of file diff --git a/rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute-istio/input/httproute.yaml b/rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute-istio/input/httproute.yaml new file mode 100644 index 000000000..56ae5046c --- /dev/null +++ b/rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute-istio/input/httproute.yaml 
@@ -0,0 +1,71 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"gateway.networking.k8s.io/v1beta1","kind":"HTTPRoute","metadata":{"annotations":{},"name":"http","namespace":"default"},"spec":{"hostnames":["httpbin.example.com"],"parentRefs":[{"name":"gateway","namespace":"istio-ingress"}],"rules":[{"backendRefs":[{"name":"httpbin","port":8000}],"matches":[{"path":{"type":"PathPrefix","value":"/get"}}]}]}} + creationTimestamp: "2024-04-14T07:41:31Z" + generation: 1 + name: http + namespace: default + resourceVersion: "2647" + uid: b7c1d09f-0cf8-4fc6-ada8-ec415b463038 +spec: + hostnames: + - httpbin.example.com + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: gateway + namespace: istio-ingress + rules: + - backendRefs: + - group: "" + kind: Service + name: httpbin + port: 8000 + weight: 1 + matches: + - path: + type: PathPrefix + value: /get +status: + parents: + - conditions: + - lastTransitionTime: "2024-04-14T07:41:38Z" + message: "" + observedGeneration: 1 + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: "2024-04-14T07:41:38Z" + message: "" + observedGeneration: 1 + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: solo.io/gloo-gateway + parentRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway + namespace: istio-ingress + - conditions: + - lastTransitionTime: "2024-04-14T07:41:38Z" + message: Route was valid + observedGeneration: 1 + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: "2024-04-14T07:41:38Z" + message: All references resolved + observedGeneration: 1 + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: istio.io/gateway-controller + parentRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway + namespace: istio-ingress 
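Review bot: The `failed_with_httproute-istio` inputs are a Deployment, this HTTPRoute and a Service, but no `Gateway` object for the `gateway` parentRef in `istio-ingress`, so the test asserts internet exposure with nothing in the input showing that the parent Gateway is actually internet-facing (the rule's Rego is outside this view, so this is inferred from the fixture set alone). If the rule fires on every accepted HTTPRoute without looking at the Gateway's listeners or addresses, an HTTPRoute bound to an internal-only Gateway will be reported as internet-exposed; a `Gateway` fixture with an external address here, plus a sibling passing test with an internal-only Gateway, would pin the intended semantics. The cluster-dump fields (`status`, `resourceVersion`, `uid`, `last-applied-configuration`) are noise for what the rule evaluates and could be trimmed from the fixture.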
diff --git a/rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute-istio/input/service.yaml b/rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute-istio/input/service.yaml new file mode 100644 index 000000000..0177f6752 --- /dev/null +++ b/rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute-istio/input/service.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app":"httpbin","service":"httpbin"},"name":"httpbin","namespace":"default"},"spec":{"ports":[{"name":"http","port":8000,"targetPort":8080}],"selector":{"app":"httpbin"}}} + creationTimestamp: "2024-04-14T07:39:35Z" + labels: + app: httpbin + service: httpbin + name: httpbin + namespace: default + resourceVersion: "2328" + uid: 5b675069-a387-4fa4-83b6-8fd25462f714 +spec: + clusterIP: 10.96.126.137 + clusterIPs: + - 10.96.126.137 + internalTrafficPolicy: Cluster + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: http + port: 8000 + protocol: TCP + targetPort: 8080 + selector: + app: httpbin + sessionAffinity: None + type: ClusterIP +status: + loadBalancer: {} \ No newline at end of file diff --git a/rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute/expected.json b/rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute/expected.json new file mode 100644 index 000000000..1c52ffa5d --- /dev/null +++ b/rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute/expected.json 
@@ -0,0 +1,161 @@ +[ + { + "alertMessage": "workload 'httpbin' is exposed through httproute 'httpbin'", + "failedPaths": [], + "fixPaths": [], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "name": "httpbin" + } + } + ] + }, + "relatedObjects": [ + { + "object": { + "apiVersion": "gateway.networking.k8s.io/v1", + "kind": "HTTPRoute", + "metadata": { + "creationTimestamp": "2024-02-04T19:06:03Z", + "generation": 1, + "labels": { + "example": "httpbin-route" + }, + "name": "httpbin", + "namespace": "httpbin", + "resourceVersion": "914", + "uid": "fd820080-801d-4fa7-934a-e23abe8bf746" + }, + "spec": { + "hostnames": [ + "www.example.com" + ], + "parentRefs": [ + { + "group": "gateway.networking.k8s.io", + "kind": "Gateway", + "name": "http", + "namespace": "gloo-system" + } + ], + "rules": [ + { + "backendRefs": [ + { + "group": "", + "kind": "Service", + "name": "httpbin", + "port": 8000, + "weight": 1 + } + ], + "matches": [ + { + "path": { + "type": "PathPrefix", + "value": "/" + } + } + ] + } + ] + }, + "status": { + "parents": [ + { + "conditions": [ + { + "lastTransitionTime": "2024-02-04T19:06:03Z", + "message": "", + "observedGeneration": 1, + "reason": "Accepted", + "status": "True", + "type": "Accepted" + }, + { + "lastTransitionTime": "2024-02-04T19:06:03Z", + "message": "", + "observedGeneration": 1, + "reason": "ResolvedRefs", + "status": "True", + "type": "ResolvedRefs" + } + ], + "controllerName": "solo.io/gloo-gateway", + "parentRef": { + "group": "gateway.networking.k8s.io", + "kind": "Gateway", + "name": "http", + "namespace": "gloo-system" + } + } + ] + } + }, + "failedPaths": [ + "spec.rules[0].backendRefs[0].name" + ], + "reviewPaths": [ + "spec.rules[0].backendRefs[0].name" + ] + }, + { + "object": { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "creationTimestamp": "2024-02-04T19:05:12Z", + 
"labels": { + "app": "httpbin", + "service": "httpbin" + }, + "name": "httpbin", + "namespace": "httpbin", + "resourceVersion": "811", + "uid": "c391feb7-54e5-41b2-869b-33166869f1b7" + }, + "spec": { + "clusterIP": "10.96.162.234", + "clusterIPs": [ + "10.96.162.234" + ], + "internalTrafficPolicy": "Cluster", + "ipFamilies": [ + "IPv4" + ], + "ipFamilyPolicy": "SingleStack", + "ports": [ + { + "name": "http", + "port": 8000, + "protocol": "TCP", + "targetPort": 8080 + }, + { + "name": "tcp", + "port": 9000, + "protocol": "TCP", + "targetPort": 9000 + } + ], + "selector": { + "app": "httpbin" + }, + "sessionAffinity": "None", + "type": "ClusterIP" + }, + "status": { + "loadBalancer": {} + } + } + } + ] + } +] \ No newline at end of file diff --git a/rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute/input/deployment.yaml b/rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute/input/deployment.yaml new file mode 100644 index 000000000..2b40cae26 --- /dev/null +++ b/rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute/input/deployment.yaml 
@@ -0,0 +1,93 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + deployment.kubernetes.io/revision: "1" + creationTimestamp: "2024-02-04T19:05:12Z" + generation: 1 + name: httpbin + namespace: httpbin + resourceVersion: "870" + uid: 7462bb4c-b5a2-413e-80ee-c1baaf34aade +spec: + progressDeadlineSeconds: 600 + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app: httpbin + version: v1 + strategy: + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + type: RollingUpdate + template: + metadata: + labels: + app: httpbin + version: v1 + spec: + containers: + - args: + - -port + - "8080" + - -max-duration + - 600s + command: + - go-httpbin + image: docker.io/mccutchen/go-httpbin:v2.6.0 + imagePullPolicy: IfNotPresent + name: httpbin + ports: + - containerPort: 8080 + protocol: TCP + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + - command: + - tail + - -f + - /dev/null + image: curlimages/curl:7.83.1 + imagePullPolicy: IfNotPresent + name: curl + resources: + limits: + cpu: 200m + requests: + cpu: 100m + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + - image: gcr.io/solo-public/docs/hey:0.1.4 + imagePullPolicy: IfNotPresent + name: hey + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: httpbin + serviceAccountName: httpbin + terminationGracePeriodSeconds: 30 +status: + availableReplicas: 1 + conditions: + - lastTransitionTime: "2024-02-04T19:05:32Z" + lastUpdateTime: "2024-02-04T19:05:32Z" + message: Deployment has minimum availability. + reason: MinimumReplicasAvailable + status: "True" + type: Available + - lastTransitionTime: "2024-02-04T19:05:12Z" + lastUpdateTime: "2024-02-04T19:05:32Z" + message: ReplicaSet "httpbin-f46cc8b9b" has successfully progressed. 
+ reason: NewReplicaSetAvailable + status: "True" + type: Progressing + observedGeneration: 1 + readyReplicas: 1 + replicas: 1 + updatedReplicas: 1 diff --git a/rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute/input/httproute.yaml b/rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute/input/httproute.yaml new file mode 100644 index 000000000..44b941b78 --- /dev/null +++ b/rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute/input/httproute.yaml @@ -0,0 +1,51 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + creationTimestamp: "2024-02-04T19:06:03Z" + generation: 1 + labels: + example: httpbin-route + name: httpbin + namespace: httpbin + resourceVersion: "914" + uid: fd820080-801d-4fa7-934a-e23abe8bf746 +spec: + hostnames: + - www.example.com + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: http + namespace: gloo-system + rules: + - backendRefs: + - group: "" + kind: Service + name: httpbin + port: 8000 + weight: 1 + matches: + - path: + type: PathPrefix + value: / +status: + parents: + - conditions: + - lastTransitionTime: "2024-02-04T19:06:03Z" + message: "" + observedGeneration: 1 + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: "2024-02-04T19:06:03Z" + message: "" + observedGeneration: 1 + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: solo.io/gloo-gateway + parentRef: + group: gateway.networking.k8s.io + kind: Gateway + name: http + namespace: gloo-system diff --git a/rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute/input/service.yaml b/rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute/input/service.yaml new file mode 100644 index 000000000..40e721d26 --- /dev/null +++ b/rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute/input/service.yaml 
@@ -0,0 +1,34 @@ +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: "2024-02-04T19:05:12Z" + labels: + app: httpbin + service: httpbin + name: httpbin + namespace: httpbin + resourceVersion: "811" + uid: c391feb7-54e5-41b2-869b-33166869f1b7 +spec: + clusterIP: 10.96.162.234 + clusterIPs: + - 10.96.162.234 + internalTrafficPolicy: Cluster + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: http + port: 8000 + protocol: TCP + targetPort: 8080 + - name: tcp + port: 9000 + protocol: TCP + targetPort: 9000 + selector: + app: httpbin + sessionAffinity: None + type: ClusterIP +status: + loadBalancer: {} diff --git a/rules/exposure-to-internet/raw.rego b/rules/exposure-to-internet/raw.rego index e31379b8b..d4e849926 100644 --- a/rules/exposure-to-internet/raw.rego +++ b/rules/exposure-to-internet/raw.rego @@ -5,7 +5,7 @@ deny[msga] { service := input[_] service.kind == "Service" is_exposed_service(service) - + wl := input[_] spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Pod", "Job", "CronJob"} spec_template_spec_patterns[wl.kind] @@ -32,9 +32,13 @@ deny[msga] { deny[msga] { ingress := input[_] ingress.kind == "Ingress" - + svc := input[_] svc.kind == "Service" + + # Make sure that they belong to the same namespace + svc.metadata.namespace == ingress.metadata.namespace + # avoid duplicate alerts # if service is already exposed through NodePort or LoadBalancer workload will fail on that not is_exposed_service(svc) @@ -45,7 +49,7 @@ deny[msga] { wl_connected_to_service(wl, svc) result := svc_connected_to_ingress(svc, ingress) - + msga := { "alertMessage": sprintf("workload '%v' is exposed through ingress '%v'", [wl.metadata.name, ingress.metadata.name]), "packagename": "armo_builtins", 
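Review bot: The new `svc.metadata.namespace == ingress.metadata.namespace` comparison is undefined, and the whole ingress rule silently stops reporting, whenever either manifest omits `metadata.namespace` — which is why the `failed_with_ingress` fixtures in this commit had to gain `namespace: default`. Manifests scanned from files commonly rely on the implicit default namespace, so an Ingress and its backend Service written without a namespace would no longer be flagged as exposing the workload. Applying the same default the API server applies keeps the finding: `object.get(svc.metadata, "namespace", "default") == object.get(ingress.metadata, "namespace", "default")`. The same-namespace constraint itself is right, since an Ingress backend can only reference a Service in its own namespace. The deny rule this sits in starts and ends outside the hunk.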
@@ -55,13 +59,18 @@ deny[msga] { "alertObject": { "k8sApiObjects": [wl] }, - "relatedObjects": [{ - "object": ingress, + "relatedObjects": [ + { + "object": ingress, "reviewPaths": result, - "failedPaths": result, - }] + "failedPaths": result, + }, + { + "object": svc, + } + ] } -} +} # ==================================================================================== @@ -81,6 +90,10 @@ wl_connected_to_service(wl, svc) { wl.spec.selector.matchLabels == svc.spec.selector } +wl_connected_to_service(wl, svc) { + count({x | svc.spec.selector[x] == wl.spec.template.metadata.labels[x]}) == count(svc.spec.selector) +} + # check if service is connected to ingress svc_connected_to_ingress(svc, ingress) = result { rule := ingress.spec.rules[i] @@ -89,3 +102,4 @@ svc_connected_to_ingress(svc, ingress) = result { result := [sprintf("spec.rules[%d].http.paths[%d].backend.service.name", [i,j])] } + diff --git a/rules/exposure-to-internet/rule.metadata.json b/rules/exposure-to-internet/rule.metadata.json index 139c3018a..d1357ee94 100644 --- a/rules/exposure-to-internet/rule.metadata.json +++ b/rules/exposure-to-internet/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "exposure-to-internet", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/exposure-to-internet/test/failed_with_ingress/expected.json b/rules/exposure-to-internet/test/failed_with_ingress/expected.json index 958f9eaf0..8a79e4654 100644 --- a/rules/exposure-to-internet/test/failed_with_ingress/expected.json +++ b/rules/exposure-to-internet/test/failed_with_ingress/expected.json @@ -23,7 +23,8 @@ "apiVersion": "networking.k8s.io/v1", "kind": "Ingress", "metadata": { - "name": "my-ingress" + "name": "my-ingress", + "namespace": "default" }, "spec": { "ingressClassName": "nginx", 
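Review bot: The new `wl_connected_to_service` clause reads labels only from `wl.spec.template.metadata.labels`, so `Pod` and `CronJob` — both listed in `spec_template_spec_patterns` in the first deny rule — can never satisfy it (the comprehension is empty and `0 == count(svc.spec.selector)` fails), meaning an exposed bare Pod or CronJob is silently not reported; the pre-existing `matchLabels` clause has the same blind spot. It also never compares namespaces, although a Service selector only matches pods in the Service's own namespace, so a NodePort or LoadBalancer Service in one namespace is reported against a same-labelled workload in another; the ingress rule gained exactly this check in this commit, the helper did not. An explicit empty selector (`selector: {}`) additionally makes both counts 0 and matches every workload in the input. Resolving the pod-template labels per kind and requiring a non-empty selector in the same namespace addresses all three; the deny rules that call this helper lie outside the hunk.
```rego
# A Service selector only matches pods in the Service's own namespace, and an
# empty selector selects nothing — it must not be treated as "matches everything".
wl_connected_to_service(wl, svc) {
	wl.metadata.namespace == svc.metadata.namespace
	count(svc.spec.selector) > 0
	pod_labels := workload_pod_labels(wl)
	count({x | svc.spec.selector[x] == pod_labels[x]}) == count(svc.spec.selector)
}

# Labels of the pods a workload produces, per kind.
workload_pod_labels(wl) = wl.metadata.labels { wl.kind == "Pod" }
workload_pod_labels(wl) = wl.spec.jobTemplate.spec.template.metadata.labels { wl.kind == "CronJob" }
workload_pod_labels(wl) = wl.spec.template.metadata.labels {
	not wl.kind == "Pod"
	not wl.kind == "CronJob"
}
```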
@@ -50,10 +51,35 @@ ] } }, + "reviewPaths": [ + "spec.rules[0].http.paths[0].backend.service.name" + ], "failedPaths": [ "spec.rules[0].http.paths[0].backend.service.name" ], "fixPaths": null + }, + { + "object": { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "name": "my-service", + "namespace": "default" + }, + "spec": { + "ports": [ + { + "port": 80, + "targetPort": 80 + } + ], + "selector": { + "app": "my-app" + }, + "type": "ClusterIP" + } + } } ] } diff --git a/rules/exposure-to-internet/test/failed_with_ingress/input/ingress.yaml b/rules/exposure-to-internet/test/failed_with_ingress/input/ingress.yaml index 096c24a22..4cc9b174d 100644 --- a/rules/exposure-to-internet/test/failed_with_ingress/input/ingress.yaml +++ b/rules/exposure-to-internet/test/failed_with_ingress/input/ingress.yaml @@ -2,6 +2,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: my-ingress + namespace: default spec: ingressClassName: nginx rules: diff --git a/rules/exposure-to-internet/test/failed_with_ingress/input/service.yaml b/rules/exposure-to-internet/test/failed_with_ingress/input/service.yaml index 7ba441575..9ad14d173 100644 --- a/rules/exposure-to-internet/test/failed_with_ingress/input/service.yaml +++ b/rules/exposure-to-internet/test/failed_with_ingress/input/service.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: name: my-service + namespace: default spec: selector: app: my-app diff --git a/rules/exposure-to-internet/test/failed_with_service_loadbalancer/expected.json b/rules/exposure-to-internet/test/failed_with_service_loadbalancer/expected.json index 797e9c436..1a30f02bf 100644 --- a/rules/exposure-to-internet/test/failed_with_service_loadbalancer/expected.json +++ b/rules/exposure-to-internet/test/failed_with_service_loadbalancer/expected.json @@ -49,6 +49,9 @@ } } }, + "reviewPaths": [ + "spec.type" + ], "failedPaths": [ "spec.type" ], 
diff --git a/rules/exposure-to-internet/test/failed_with_service_nodeport/expected.json b/rules/exposure-to-internet/test/failed_with_service_nodeport/expected.json index 53167dd6c..f7b9f7d97 100644 --- a/rules/exposure-to-internet/test/failed_with_service_nodeport/expected.json +++ b/rules/exposure-to-internet/test/failed_with_service_nodeport/expected.json @@ -39,6 +39,9 @@ "type": "NodePort" } }, + "reviewPaths": [ + "spec.type" + ], "failedPaths": [ "spec.type" ], diff --git a/rules/external-secret-storage/rule.metadata.json b/rules/external-secret-storage/rule.metadata.json index 3285e7250..1701b3ebf 100644 --- a/rules/external-secret-storage/rule.metadata.json +++ b/rules/external-secret-storage/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "external-secret-storage", "attributes": { - "armoBuiltin": true, "hostSensorRule": "true" }, "ruleLanguage": "Rego", diff --git a/rules/has-image-signature/rule.metadata.json b/rules/has-image-signature/rule.metadata.json index 8dbde72cd..def0f70ab 100644 --- a/rules/has-image-signature/rule.metadata.json +++ b/rules/has-image-signature/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "has-image-signature", "attributes": { - "armoBuiltin": true, "useFromKubescapeVersion": "v2.1.3" }, "ruleLanguage": "Rego", diff --git a/rules/horizontalpodautoscaler-in-default-namespace/rule.metadata.json b/rules/horizontalpodautoscaler-in-default-namespace/rule.metadata.json index fbdcb2e65..c738ef369 100644 --- a/rules/horizontalpodautoscaler-in-default-namespace/rule.metadata.json +++ b/rules/horizontalpodautoscaler-in-default-namespace/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "horizontalpodautoscaler-in-default-namespace", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/horizontalpodautoscaler-in-default-namespace/test/horizontalpodautoscaler/expected.json b/rules/horizontalpodautoscaler-in-default-namespace/test/horizontalpodautoscaler/expected.json index 8292048c0..ebd69e1bb 100644 
--- a/rules/horizontalpodautoscaler-in-default-namespace/test/horizontalpodautoscaler/expected.json +++ b/rules/horizontalpodautoscaler-in-default-namespace/test/horizontalpodautoscaler/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "HorizontalPodAutoscaler: kubescape is in the 'default' namespace", + "reviewPaths": [ + "metadata.namespace" + ], "failedPaths": [ "metadata.namespace" ], diff --git a/rules/host-network-access/rule.metadata.json b/rules/host-network-access/rule.metadata.json index 8a2d0e9b0..bc1dbb921 100644 --- a/rules/host-network-access/rule.metadata.json +++ b/rules/host-network-access/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "host-network-access", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/host-network-access/test/cronjob/expected.json b/rules/host-network-access/test/cronjob/expected.json index d8d348a34..2f03d58c8 100644 --- a/rules/host-network-access/test/cronjob/expected.json +++ b/rules/host-network-access/test/cronjob/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "CronJob: hello has a pod connected to the host network", + "deletePaths": [ + "spec.jobTemplate.spec.template.spec.hostNetwork" + ], "failedPaths": [ "spec.jobTemplate.spec.template.spec.hostNetwork" ], diff --git a/rules/host-network-access/test/pod/expected.json b/rules/host-network-access/test/pod/expected.json index e533ea29a..75c2753f3 100644 --- a/rules/host-network-access/test/pod/expected.json +++ b/rules/host-network-access/test/pod/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "Pod: test is connected to the host network", + "deletePaths": [ + "spec.hostNetwork" + ], "failedPaths": [ "spec.hostNetwork" ], diff --git a/rules/host-network-access/test/workloads/expected.json b/rules/host-network-access/test/workloads/expected.json index 8c1efb482..4072332c4 100644 --- a/rules/host-network-access/test/workloads/expected.json +++ b/rules/host-network-access/test/workloads/expected.json 
@@ -1,6 +1,9 @@ [ { "alertMessage": "Deployment: my-deployment has a pod connected to the host network", + "deletePaths": [ + "spec.template.spec.hostNetwork" + ], "failedPaths": [ "spec.template.spec.hostNetwork" ], diff --git a/rules/host-pid-ipc-privileges/rule.metadata.json b/rules/host-pid-ipc-privileges/rule.metadata.json index f6522dbd6..5a695c371 100644 --- a/rules/host-pid-ipc-privileges/rule.metadata.json +++ b/rules/host-pid-ipc-privileges/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "host-pid-ipc-privileges", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/host-pid-ipc-privileges/test/cronjob/expected.json b/rules/host-pid-ipc-privileges/test/cronjob/expected.json index 5e9a05aee..fbe463618 100644 --- a/rules/host-pid-ipc-privileges/test/cronjob/expected.json +++ b/rules/host-pid-ipc-privileges/test/cronjob/expected.json @@ -1,5 +1,6 @@ [{ "alertMessage": "CronJob: hello has a pod with hostIPC enabled", + "deletePaths": ["spec.jobTemplate.spec.template.spec.hostIPC"], "failedPaths": ["spec.jobTemplate.spec.template.spec.hostIPC"], "fixPaths": [], "ruleStatus": "", diff --git a/rules/host-pid-ipc-privileges/test/pod/expected.json b/rules/host-pid-ipc-privileges/test/pod/expected.json index 1e697ed90..b66d1f612 100644 --- a/rules/host-pid-ipc-privileges/test/pod/expected.json +++ b/rules/host-pid-ipc-privileges/test/pod/expected.json @@ -1,5 +1,6 @@ [{ "alertMessage": "Pod: test has hostPID enabled", + "deletePaths": ["spec.hostPID"], "failedPaths": ["spec.hostPID"], "fixPaths": [], "ruleStatus": "", diff --git a/rules/host-pid-ipc-privileges/test/workload/expected.json b/rules/host-pid-ipc-privileges/test/workload/expected.json index 1aa6f25af..ca771da26 100644 --- a/rules/host-pid-ipc-privileges/test/workload/expected.json +++ b/rules/host-pid-ipc-privileges/test/workload/expected.json 
@@ -1,5 +1,6 @@ [{ "alertMessage": "Deployment: my-deployment has a pod with hostPID enabled", + "deletePaths": ["spec.template.spec.hostPID"], "failedPaths": ["spec.template.spec.hostPID"], "fixPaths": [], "ruleStatus": "", @@ -19,6 +20,7 @@ } }, { "alertMessage": "Deployment: my-deployment has a pod with hostIPC enabled", + "deletePaths": ["spec.template.spec.hostIPC"], "failedPaths": ["spec.template.spec.hostIPC"], "fixPaths": [], "ruleStatus": "", diff --git a/rules/if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-root/rule.metadata.json b/rules/if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-root/rule.metadata.json index b5d05588d..0b2fc6ae1 100644 --- a/rules/if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-root/rule.metadata.json +++ b/rules/if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-root/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-root", "attributes": { - "armoBuiltin": true, "hostSensorRule": "true" }, "ruleLanguage": "Rego", diff --git a/rules/if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json b/rules/if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json index 84c54aed3..7cd151707 100644 --- a/rules/if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json +++ b/rules/if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive", "attributes": { - "armoBuiltin": true, "hostSensorRule": "true" }, "ruleLanguage": "Rego", 
diff --git a/rules/if-the-kubelet-config.yaml-configuration-file-is-being-used-validate-permissions-set-to-600-or-more-restrictive/rule.metadata.json b/rules/if-the-kubelet-config.yaml-configuration-file-is-being-used-validate-permissions-set-to-600-or-more-restrictive/rule.metadata.json index 38eade5a4..f8847ea77 100644 --- a/rules/if-the-kubelet-config.yaml-configuration-file-is-being-used-validate-permissions-set-to-600-or-more-restrictive/rule.metadata.json +++ b/rules/if-the-kubelet-config.yaml-configuration-file-is-being-used-validate-permissions-set-to-600-or-more-restrictive/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "if-the-kubelet-config.yaml-configuration-file-is-being-used-validate-permissions-set-to-600-or-more-restrictive", "attributes": { - "armoBuiltin": true, "hostSensorRule": "true" }, "ruleLanguage": "Rego", diff --git a/rules/image-pull-policy-is-not-set-to-always/raw.rego b/rules/image-pull-policy-is-not-set-to-always/raw.rego index d6a4e1fce..a54988bb8 100644 --- a/rules/image-pull-policy-is-not-set-to-always/raw.rego +++ b/rules/image-pull-policy-is-not-set-to-always/raw.rego @@ -11,6 +11,7 @@ deny[msga] { "alertMessage": sprintf("container: %v in pod: %v has 'latest' tag on image but imagePullPolicy is not set to 'Always'", [container.name, pod.metadata.name]), "packagename": "armo_builtins", "alertScore": 2, + "reviewPaths": paths, "failedPaths": paths, "fixPaths":[], "alertObject": { @@ -30,6 +31,7 @@ deny[msga] { "alertMessage": sprintf("container: %v in %v: %v has 'latest' tag on image but imagePullPolicy is not set to 'Always'", [container.name, wl.kind, wl.metadata.name]), "packagename": "armo_builtins", "alertScore": 2, + "reviewPaths": paths, "failedPaths": paths, "fixPaths":[], "alertObject": { 
@@ -48,6 +50,7 @@ deny[msga] { "alertMessage": sprintf("container: %v in cronjob: %v has 'latest' tag on image but imagePullPolicy is not set to 'Always'", [container.name, wl.metadata.name]), "packagename": "armo_builtins", "alertScore": 2, + "reviewPaths": paths, "failedPaths": paths, "fixPaths":[], "alertObject": { diff --git a/rules/image-pull-policy-is-not-set-to-always/rule.metadata.json b/rules/image-pull-policy-is-not-set-to-always/rule.metadata.json index cbcb2a069..a67332d2c 100644 --- a/rules/image-pull-policy-is-not-set-to-always/rule.metadata.json +++ b/rules/image-pull-policy-is-not-set-to-always/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "image-pull-policy-is-not-set-to-always", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/image-pull-policy-is-not-set-to-always/test/cronjob/expected.json b/rules/image-pull-policy-is-not-set-to-always/test/cronjob/expected.json index 875472f19..4ac54d87d 100644 --- a/rules/image-pull-policy-is-not-set-to-always/test/cronjob/expected.json +++ b/rules/image-pull-policy-is-not-set-to-always/test/cronjob/expected.json @@ -1,6 +1,10 @@ [ { "alertMessage": "container: php in cronjob: hello has 'latest' tag on image but imagePullPolicy is not set to 'Always'", + "reviewPaths": [ + "spec.jobTemplate.spec.template.spec.containers[1].image", + "spec.jobTemplate.spec.template.spec.containers[1].imagePullPolicy" + ], "failedPaths": [ "spec.jobTemplate.spec.template.spec.containers[1].image", "spec.jobTemplate.spec.template.spec.containers[1].imagePullPolicy" diff --git a/rules/image-pull-policy-is-not-set-to-always/test/pod/expected.json b/rules/image-pull-policy-is-not-set-to-always/test/pod/expected.json index 8b670bdd3..e3d856341 100644 --- a/rules/image-pull-policy-is-not-set-to-always/test/pod/expected.json +++ b/rules/image-pull-policy-is-not-set-to-always/test/pod/expected.json 
@@ -1,6 +1,10 @@ [ { "alertMessage": "container: test in pod: test has 'latest' tag on image but imagePullPolicy is not set to 'Always'", + "reviewPaths": [ + "spec.containers[0].image", + "spec.containers[0].imagePullPolicy" + ], "failedPaths": [ "spec.containers[0].image", "spec.containers[0].imagePullPolicy" diff --git a/rules/image-pull-policy-is-not-set-to-always/test/workload/expected.json b/rules/image-pull-policy-is-not-set-to-always/test/workload/expected.json index 5c79a2929..be4c65876 100644 --- a/rules/image-pull-policy-is-not-set-to-always/test/workload/expected.json +++ b/rules/image-pull-policy-is-not-set-to-always/test/workload/expected.json @@ -1,6 +1,10 @@ [ { "alertMessage": "container: mysql in Deployment: my-deployment has 'latest' tag on image but imagePullPolicy is not set to 'Always'", + "reviewPaths": [ + "spec.template.spec.containers[0].image", + "spec.template.spec.containers[0].imagePullPolicy" + ], "failedPaths": [ "spec.template.spec.containers[0].image", "spec.template.spec.containers[0].imagePullPolicy" diff --git a/rules/immutable-container-filesystem/raw.rego b/rules/immutable-container-filesystem/raw.rego index 6f2d9aaff..f3438c6d3 100644 --- a/rules/immutable-container-filesystem/raw.rego +++ b/rules/immutable-container-filesystem/raw.rego 
@@ -7,15 +7,14 @@ deny[msga] { pod.kind == "Pod" container := pod.spec.containers[i] start_of_path := "spec." - result := is_mutable_filesystem(container, start_of_path, i) - failed_path := get_failed_path(result) - fixed_path := get_fixed_path(result) + is_mutable_filesystem(container) + fixPath = {"path": sprintf("%vcontainers[%d].securityContext.readOnlyRootFilesystem", [start_of_path, i]), "value": "true"} msga := { "alertMessage": sprintf("container: %v in pod: %v has mutable filesystem", [container.name, pod.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, - "failedPaths": failed_path, - "fixPaths": fixed_path, + "failedPaths": [], + "fixPaths": [fixPath], "alertObject": { "k8sApiObjects": [pod] } @@ -29,15 +28,14 @@ deny[msga] { spec_template_spec_patterns[wl.kind] container := wl.spec.template.spec.containers[i] start_of_path := "spec.template.spec." - result := is_mutable_filesystem(container, start_of_path, i) - failed_path := get_failed_path(result) - fixed_path := get_fixed_path(result) + is_mutable_filesystem(container) + fixPath = {"path": sprintf("%vcontainers[%d].securityContext.readOnlyRootFilesystem", [start_of_path, i]), "value": "true"} msga := { "alertMessage": sprintf("container :%v in %v: %v has mutable filesystem", [container.name, wl.kind, wl.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, - "failedPaths": failed_path, - "fixPaths": fixed_path, + "failedPaths": [], + "fixPaths": [fixPath], "alertObject": { "k8sApiObjects": [wl] } 
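Review bot: `fixPath = {"path": ..., "value": "true"}` uses `=` (unification) where every other binding in these rules uses `:=`; for a fresh variable the result is the same, but the Rego style guide recommends `:=` for assignment, so `fixPath := {...}` here and in the two other deny rules changed in this file would keep the file consistent. With `failedPaths` now always `[]`, a container that explicitly sets `readOnlyRootFilesystem: false` no longer carries a path a reviewer can jump to; keeping that path in `reviewPaths` for the explicit-false case, as the image-pull-policy rule in this commit does, would preserve it next to the auto-fix. Note also that the enclosing rules iterate only `pod.spec.containers[i]`, so init and ephemeral containers with a writable root filesystem are never reported; the deny rule bodies start and end outside the hunk.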
@@ -51,16 +49,15 @@ deny[msga] { wl.kind == "CronJob" container = wl.spec.jobTemplate.spec.template.spec.containers[i] start_of_path := "spec.jobTemplate.spec.template.spec." - result := is_mutable_filesystem(container, start_of_path, i) - failed_path := get_failed_path(result) - fixed_path := get_fixed_path(result) + is_mutable_filesystem(container) + fixPath = {"path": sprintf("%vcontainers[%d].securityContext.readOnlyRootFilesystem", [start_of_path, i]), "value": "true"} msga := { "alertMessage": sprintf("container :%v in %v: %v has mutable filesystem", [container.name, wl.kind, wl.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, - "failedPaths": failed_path, - "fixPaths": fixed_path, + "failedPaths": [], + "fixPaths": [fixPath], "alertObject": { "k8sApiObjects": [wl] } @@ -68,25 +65,11 @@ deny[msga] { } # Default of readOnlyRootFilesystem is false. This field is only in container spec and not pod spec -is_mutable_filesystem(container, start_of_path, i) = [failed_path, fixPath] { +is_mutable_filesystem(container) { container.securityContext.readOnlyRootFilesystem == false - failed_path = sprintf("%vcontainers[%v].securityContext.readOnlyRootFilesystem", [start_of_path, format_int(i, 10)]) - fixPath = "" - } +} - is_mutable_filesystem(container, start_of_path, i) = [failed_path, fixPath] { +is_mutable_filesystem(container) { not container.securityContext.readOnlyRootFilesystem == false not container.securityContext.readOnlyRootFilesystem == true - fixPath = {"path": sprintf("%vcontainers[%v].securityContext.readOnlyRootFilesystem", [start_of_path, format_int(i, 10)]), "value": "true"} - failed_path = "" - } - - - get_failed_path(paths) = [paths[0]] { - paths[0] != "" -} else = [] - - -get_fixed_path(paths) = [paths[1]] { - paths[1] != "" -} else = [] +} diff --git a/rules/immutable-container-filesystem/rule.metadata.json b/rules/immutable-container-filesystem/rule.metadata.json index a70b05ebe..e54bc2588 100644 
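Review bot: The two remaining bodies of `is_mutable_filesystem(container)` partition one condition and can be a single rule: `not container.securityContext.readOnlyRootFilesystem == true` holds both when the field is explicitly `false` and when it is absent (Rego's `not` succeeds on an undefined reference), which is exactly the union of the two bodies. With the `start_of_path`/`i` parameters gone, the three callers each rebuild the identical `fixPath` literal; a one-line helper next to this function, `mutable_fs_fix_path(start_of_path, i) = {"path": sprintf("%vcontainers[%d].securityContext.readOnlyRootFilesystem", [start_of_path, i]), "value": "true"}`, would keep the path format in one place. The comment above the function should also state that the rule no longer distinguishes explicit-false from unset — both now yield a fix path and an empty `failedPaths` — since that is the behavioural change this hunk introduces.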
--- a/rules/immutable-container-filesystem/rule.metadata.json +++ b/rules/immutable-container-filesystem/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "immutable-container-filesystem", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/immutable-container-filesystem/test/workloads/expected.json b/rules/immutable-container-filesystem/test/workloads/expected.json index d54293443..fb11fba4b 100644 --- a/rules/immutable-container-filesystem/test/workloads/expected.json +++ b/rules/immutable-container-filesystem/test/workloads/expected.json @@ -1,7 +1,10 @@ [{ "alertMessage": "container :mysql in Deployment: my-deployment has mutable filesystem", - "failedPaths": ["spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem"], - "fixPaths": [], + "failedPaths": [], + "fixPaths": [{ + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + }], "ruleStatus": "", "packagename": "armo_builtins", "alertScore": 7, diff --git a/rules/ingress-and-egress-blocked/rule.metadata.json b/rules/ingress-and-egress-blocked/rule.metadata.json index 9f046a281..f986a5af6 100644 --- a/rules/ingress-and-egress-blocked/rule.metadata.json +++ b/rules/ingress-and-egress-blocked/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "ingress-and-egress-blocked", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/ingress-in-default-namespace/rule.metadata.json b/rules/ingress-in-default-namespace/rule.metadata.json index 6fdce98a8..6980ce5ce 100644 --- a/rules/ingress-in-default-namespace/rule.metadata.json +++ b/rules/ingress-in-default-namespace/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "ingress-in-default-namespace", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ 
diff --git a/rules/ingress-in-default-namespace/test/ingress/expected.json b/rules/ingress-in-default-namespace/test/ingress/expected.json
index 4a040855b..383137cfe 100644
--- a/rules/ingress-in-default-namespace/test/ingress/expected.json
+++ b/rules/ingress-in-default-namespace/test/ingress/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "Ingress: kubescape is in the 'default' namespace",
+ "reviewPaths": [
+ "metadata.namespace"
+ ],
 "failedPaths": [
 "metadata.namespace"
 ],
diff --git a/rules/ingress-no-tls/raw.rego b/rules/ingress-no-tls/raw.rego
new file mode 100644
index 000000000..769e2cea9
--- /dev/null
+++ b/rules/ingress-no-tls/raw.rego
@@ -0,0 +1,22 @@
+package armo_builtins
+
+# Checks if Ingress is connected to a service and a workload to expose something
+deny[msga] {
+ ingress := input[_]
+ ingress.kind == "Ingress"
+
+ # Check if ingress has TLS enabled
+ not ingress.spec.tls
+
+ msga := {
+ "alertMessage": sprintf("Ingress '%v' has not TLS definition", [ingress.metadata.name]),
+ "packagename": "armo_builtins",
+ "failedPaths": [],
+ "fixPaths": [{
+ "path": "spec.tls",
+ "value": ""
+ }],
+ "alertScore": 7,
+ "alertObject": {"k8sApiObjects": [ingress]}
+ }
+}
diff --git a/rules/ingress-no-tls/rule.metadata.json b/rules/ingress-no-tls/rule.metadata.json
new file mode 100644
index 000000000..0afd57d8f
--- /dev/null
+++ b/rules/ingress-no-tls/rule.metadata.json
@@ -0,0 +1,22 @@
+{
+ "name": "ingress-no-tls",
+ "attributes": {
+ },
+ "ruleLanguage": "Rego",
+ "match": [
+ {
+ "apiGroups": [
+ "networking.k8s.io"
+ ],
+ "apiVersions": [
+ "v1"
+ ],
+ "resources": [
+ "Ingress"
+ ]
+ }
+ ],
+ "description": "Ingress should not be configured without TLS",
+ "remediation": "",
+ "ruleQuery": "armo_builtins"
+}
diff --git a/rules/ingress-no-tls/test/failed_with_ingress/expected.json b/rules/ingress-no-tls/test/failed_with_ingress/expected.json
new file mode 100644
index 000000000..18e7b81ff
--- /dev/null
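Review bot: `not ingress.spec.tls` in the new `deny` body is false for an Ingress that declares `tls: []`, so an empty TLS list — which still serves the hosts over plain HTTP — passes this rule; the absent and the empty case should both count as missing TLS, as in the helper below. The fix path's `"value": ""` also disagrees with the new `failed_with_ingress/expected.json`, which expects `<your-tls-definition>`; one of the two has to change, or the test cannot pass as written (unless the test runner ignores fix-path values, which I cannot tell from here). Two wording points: the header comment `# Checks if Ingress is connected to a service and a workload to expose something` describes a different rule and should read `# Flags Ingress objects whose spec carries no TLS entry, i.e. that expose their hosts over plain HTTP`, and the alert text should be `"Ingress '%v' has no TLS definition"`. Note that TLS terminated in front of the Ingress (by the controller or a cloud load balancer) is still flagged, since only `spec.tls` is inspected — worth saying in the comment.
```rego
deny[msga] {
	ingress := input[_]
	ingress.kind == "Ingress"

	ingress_without_tls(ingress)

	# … unchanged: msga …
}

# spec.tls is absent
ingress_without_tls(ingress) {
	not ingress.spec.tls
}

# spec.tls is present but empty
ingress_without_tls(ingress) {
	count(ingress.spec.tls) == 0
}
```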
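Review bot: `"remediation": ""` ships the rule with no guidance, and that string is what the scanner presents next to a failing Ingress. Something like `"remediation": "Add a spec.tls entry for each served host that references a Secret of type kubernetes.io/tls holding the certificate and key."` would do. The description could also state that the check inspects only `spec.tls`, so TLS terminated ahead of the Ingress is still reported; that caveat saves the next person a false-positive investigation. The empty `"attributes": {}` matches the other rules in this commit, which drop `armoBuiltin`, so that part is fine.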
+++ b/rules/ingress-no-tls/test/failed_with_ingress/expected.json @@ -0,0 +1,26 @@ +[ + { + "alertMessage": "Ingress 'my-ingress' has not TLS definition", + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.tls", + "value": "\u003cyour-tls-definition\u003e" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "networking.k8s.io/v1", + "kind": "Ingress", + "metadata": { + "name": "my-ingress" + } + } + ] + } + } +] \ No newline at end of file diff --git a/rules/ingress-no-tls/test/failed_with_ingress/input/ingress.yaml b/rules/ingress-no-tls/test/failed_with_ingress/input/ingress.yaml new file mode 100644 index 000000000..4cc9b174d --- /dev/null +++ b/rules/ingress-no-tls/test/failed_with_ingress/input/ingress.yaml @@ -0,0 +1,18 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: my-ingress + namespace: default +spec: + ingressClassName: nginx + rules: + - host: myservicea.foo.org + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: my-service + port: + number: 80 diff --git a/rules/ingress-no-tls/test/success_with_ingress/expected.json b/rules/ingress-no-tls/test/success_with_ingress/expected.json new file mode 100644 index 000000000..fe51488c7 --- /dev/null +++ b/rules/ingress-no-tls/test/success_with_ingress/expected.json @@ -0,0 +1 @@ +[] diff --git a/rules/ingress-no-tls/test/success_with_ingress/input/ingress.yaml b/rules/ingress-no-tls/test/success_with_ingress/input/ingress.yaml new file mode 100644 index 000000000..bc34f9984 --- /dev/null +++ b/rules/ingress-no-tls/test/success_with_ingress/input/ingress.yaml 
@@ -0,0 +1,23 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: example-ingress-tls + namespace: default + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / +spec: + tls: + - hosts: + - example.com + secretName: example-tls-secret + rules: + - host: example.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: example-service + port: + number: 80 diff --git a/rules/insecure-capabilities/rule.metadata.json b/rules/insecure-capabilities/rule.metadata.json index 7b1f0160b..e85783cef 100644 --- a/rules/insecure-capabilities/rule.metadata.json +++ b/rules/insecure-capabilities/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "insecure-capabilities", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/insecure-capabilities/test/cronjob/expected.json b/rules/insecure-capabilities/test/cronjob/expected.json index e03da180f..cde076ba4 100644 --- a/rules/insecure-capabilities/test/cronjob/expected.json +++ b/rules/insecure-capabilities/test/cronjob/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "container: mysql in cronjob: hello have dangerous capabilities", + "deletePaths": [ + "spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities.add[0]" + ], "failedPaths": [ "spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities.add[0]" ], diff --git a/rules/insecure-capabilities/test/pod/expected.json b/rules/insecure-capabilities/test/pod/expected.json index c46a19734..1631fcccc 100644 --- a/rules/insecure-capabilities/test/pod/expected.json +++ b/rules/insecure-capabilities/test/pod/expected.json 
@@ -1,6 +1,10 @@ [ { "alertMessage": "container: test2 in pod: test have dangerous capabilities", + "deletePaths": [ + "spec.containers[1].securityContext.capabilities.add[0]", + "spec.containers[1].securityContext.capabilities.add[1]" + ], "failedPaths": [ "spec.containers[1].securityContext.capabilities.add[0]", "spec.containers[1].securityContext.capabilities.add[1]" diff --git a/rules/insecure-capabilities/test/workloads/expected.json b/rules/insecure-capabilities/test/workloads/expected.json index f08d87f4c..cb02491dc 100644 --- a/rules/insecure-capabilities/test/workloads/expected.json +++ b/rules/insecure-capabilities/test/workloads/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "container: php in workload: my-deployment have dangerous capabilities", + "deletePaths": [ + "spec.template.spec.containers[1].securityContext.capabilities.add[0]" + ], "failedPaths": [ "spec.template.spec.containers[1].securityContext.capabilities.add[0]" ], diff --git a/rules/insecure-port-flag/rule.metadata.json b/rules/insecure-port-flag/rule.metadata.json index e3d78ea4c..d4ec397eb 100644 --- a/rules/insecure-port-flag/rule.metadata.json +++ b/rules/insecure-port-flag/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "insecure-port-flag", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/insecure-port-flag/test/test/expected.json b/rules/insecure-port-flag/test/test/expected.json index 0c3505845..2048d964b 100644 --- a/rules/insecure-port-flag/test/test/expected.json +++ b/rules/insecure-port-flag/test/test/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "The API server container: kube-apiserver has insecure-port flag enabled", + "reviewPaths": [ + "spec.containers[0].command[11]" + ], "failedPaths": [ "spec.containers[0].command[11]" ], diff --git a/rules/instance-metadata-api-access/rule.metadata.json b/rules/instance-metadata-api-access/rule.metadata.json index b07f44bf1..6792a26fd 100644 
--- a/rules/instance-metadata-api-access/rule.metadata.json +++ b/rules/instance-metadata-api-access/rule.metadata.json @@ -2,7 +2,6 @@ "name": "instance-metadata-api-access", "attributes": { "m$K8sThreatMatrix": "Credential Access::Instance Metadata API", - "armoBuiltin": true, "hostSensorRule": "true" }, "ruleLanguage": "Rego", diff --git a/rules/internal-networking/rule.metadata.json b/rules/internal-networking/rule.metadata.json index f5d845bd6..cff78c7fc 100644 --- a/rules/internal-networking/rule.metadata.json +++ b/rules/internal-networking/rule.metadata.json @@ -1,8 +1,7 @@ { "name": "internal-networking", "attributes": { - "m$K8sThreatMatrix": "Lateral Movement::Container internal networking, Discovery::Network mapping", - "armoBuiltin": true + "m$K8sThreatMatrix": "Lateral Movement::Container internal networking, Discovery::Network mapping" }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/k8s-audit-logs-enabled-cloud/rule.metadata.json b/rules/k8s-audit-logs-enabled-cloud/rule.metadata.json index 21e8d3709..53bc6c5fd 100644 --- a/rules/k8s-audit-logs-enabled-cloud/rule.metadata.json +++ b/rules/k8s-audit-logs-enabled-cloud/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "k8s-audit-logs-enabled-cloud", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/k8s-audit-logs-enabled-native-cis/rule.metadata.json b/rules/k8s-audit-logs-enabled-native-cis/rule.metadata.json index 460ac0966..3e16d2a36 100644 --- a/rules/k8s-audit-logs-enabled-native-cis/rule.metadata.json +++ b/rules/k8s-audit-logs-enabled-native-cis/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "k8s-audit-logs-enabled-native-cis", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/k8s-audit-logs-enabled-native-cis/test/test-failed/expected.json b/rules/k8s-audit-logs-enabled-native-cis/test/test-failed/expected.json index 52d645e25..20ae19816 100644 
--- a/rules/k8s-audit-logs-enabled-native-cis/test/test-failed/expected.json +++ b/rules/k8s-audit-logs-enabled-native-cis/test/test-failed/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "audit logs are not enabled", + "reviewPaths": [ + "spec.containers[0].command[11]" + ], "failedPaths": [ "spec.containers[0].command[11]" ], diff --git a/rules/k8s-audit-logs-enabled-native/rule.metadata.json b/rules/k8s-audit-logs-enabled-native/rule.metadata.json index c33ea2d02..9969a5a21 100644 --- a/rules/k8s-audit-logs-enabled-native/rule.metadata.json +++ b/rules/k8s-audit-logs-enabled-native/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "k8s-audit-logs-enabled-native", "attributes": { - "armoBuiltin": true, "resourcesAggregator": "apiserver-pod", "useFromKubescapeVersion": "v1.0.133" }, diff --git a/rules/k8s-audit-logs-enabled-native/test/test-failed/expected.json b/rules/k8s-audit-logs-enabled-native/test/test-failed/expected.json index 94e4a6581..10c154932 100644 --- a/rules/k8s-audit-logs-enabled-native/test/test-failed/expected.json +++ b/rules/k8s-audit-logs-enabled-native/test/test-failed/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "audit logs is not enabled", + "reviewPaths": [ + "spec.containers[0].command" + ], "failedPaths": [ "spec.containers[0].command" ], diff --git a/rules/k8s-common-labels-usage/raw.rego b/rules/k8s-common-labels-usage/raw.rego index 238b41216..7a6a29c7e 100644 --- a/rules/k8s-common-labels-usage/raw.rego +++ b/rules/k8s-common-labels-usage/raw.rego 
@@ -87,21 +87,21 @@ no_K8s_label_usage(wl, podSpec, beggining_of_pod_path) = path{ no_K8s_label_or_no_K8s_label_usage(wl, start_of_path) = path{ not wl.metadata.labels label_key := get_label_key("") - path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels[%v]", [start_of_path, label_key]), "value": "YOUR_VALUE"}] } no_K8s_label_or_no_K8s_label_usage(wl, start_of_path) = path{ metadata := wl.metadata not metadata.labels label_key := get_label_key("") - path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels[%v]", [start_of_path, label_key]), "value": "YOUR_VALUE"}] } no_K8s_label_or_no_K8s_label_usage(wl, start_of_path) = path{ labels := wl.metadata.labels not all_kubernetes_labels(labels) label_key := get_label_key("") - path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels[%v]", [start_of_path, label_key]), "value": "YOUR_VALUE"}] } all_kubernetes_labels(labels){ diff --git a/rules/k8s-common-labels-usage/rule.metadata.json b/rules/k8s-common-labels-usage/rule.metadata.json index fdf0b6bc4..e62f86480 100644 --- a/rules/k8s-common-labels-usage/rule.metadata.json +++ b/rules/k8s-common-labels-usage/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "k8s-common-labels-usage", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/k8s-common-labels-usage/test/cronjob/expected.json b/rules/k8s-common-labels-usage/test/cronjob/expected.json index 2f9d26829..39bd3724c 100644 --- a/rules/k8s-common-labels-usage/test/cronjob/expected.json +++ b/rules/k8s-common-labels-usage/test/cronjob/expected.json 
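Review bot: The first two bodies of `no_K8s_label_or_no_K8s_label_usage` are redundant after this change, since they now produce the identical path: `metadata := wl.metadata; not metadata.labels` can only succeed when `not wl.metadata.labels` already does, so the second body (from `metadata := wl.metadata` to its closing `}`) can be deleted without changing the result set. The switch to `metadata.labels[%v]` is the right fix for keys such as `app.kubernetes.io/name`, whose dots would otherwise read as nested path segments; whether the consumer of `fixPaths` expects the bracketed key unquoted, as written here, or quoted is not visible from this hunk and should be confirmed against the fix applier. The three near-identical bodies could also share one line, `label_fix_path(start_of_path) = sprintf("%vmetadata.labels[%v]", [start_of_path, get_label_key("")])`. The hunk header names `no_K8s_label_usage`, whose definition lies outside the hunk, and `all_kubernetes_labels` at the bottom continues past it.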
@@ -2,7 +2,7 @@ "alertMessage": "the following cronjobs the kubernetes common labels are not defined: hello", "failedPaths": [], "fixPaths": [{ - "path": "spec.jobTemplate.spec.template.metadata.labels.app.kubernetes.io/name", + "path": "spec.jobTemplate.spec.template.metadata.labels[app.kubernetes.io/name]", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/k8s-common-labels-usage/test/pod/expected.json b/rules/k8s-common-labels-usage/test/pod/expected.json index 2a4cac865..ee876ef1b 100644 --- a/rules/k8s-common-labels-usage/test/pod/expected.json +++ b/rules/k8s-common-labels-usage/test/pod/expected.json @@ -2,7 +2,7 @@ "alertMessage": "in the following pod the kubernetes common labels are not defined: command-demo", "failedPaths": [], "fixPaths": [{ - "path": "metadata.labels.YOUR_LABEL", + "path": "metadata.labels[YOUR_LABEL]", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/k8s-common-labels-usage/test/workload-fail/expected.json b/rules/k8s-common-labels-usage/test/workload-fail/expected.json index 3a98cdfa0..105929639 100644 --- a/rules/k8s-common-labels-usage/test/workload-fail/expected.json +++ b/rules/k8s-common-labels-usage/test/workload-fail/expected.json @@ -2,7 +2,7 @@ "alertMessage": "Deployment: kubernetes-dashboard the kubernetes common labels are is not defined:", "failedPaths": [], "fixPaths": [{ - "path": "spec.template.metadata.labels.app.kubernetes.io/name", + "path": "spec.template.metadata.labels[app.kubernetes.io/name]", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/kubelet-authorization-mode-alwaysAllow/raw.rego b/rules/kubelet-authorization-mode-alwaysAllow/raw.rego index 052efa4c2..b5387d85e 100644 --- a/rules/kubelet-authorization-mode-alwaysAllow/raw.rego +++ b/rules/kubelet-authorization-mode-alwaysAllow/raw.rego 
@@ -19,6 +19,7 @@ deny[msga] { msga := { "alertMessage": "Anonymous requests are enabled", "alertScore": 10, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "packagename": "armo_builtins", @@ -70,6 +71,7 @@ deny[msga] { msga := { "alertMessage": "Anonymous requests are enabled", "alertScore": 10, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "packagename": "armo_builtins", @@ -92,6 +94,7 @@ deny[msga] { msga := { "alertMessage": "Failed to analyze config file", "alertScore": 6, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "packagename": "armo_builtins", diff --git a/rules/kubelet-authorization-mode-alwaysAllow/rule.metadata.json b/rules/kubelet-authorization-mode-alwaysAllow/rule.metadata.json index 1d744f0cd..b7a8e20d2 100644 --- a/rules/kubelet-authorization-mode-alwaysAllow/rule.metadata.json +++ b/rules/kubelet-authorization-mode-alwaysAllow/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "kubelet-authorization-mode-alwaysAllow", "attributes": { - "armoBuiltin": true, "hostSensorRule": "true" }, "ruleLanguage": "Rego", diff --git a/rules/kubelet-authorization-mode-alwaysAllow/test/fail-no-cli-and-config/expected.json b/rules/kubelet-authorization-mode-alwaysAllow/test/fail-no-cli-and-config/expected.json index 62840632b..501aa0fee 100644 --- a/rules/kubelet-authorization-mode-alwaysAllow/test/fail-no-cli-and-config/expected.json +++ b/rules/kubelet-authorization-mode-alwaysAllow/test/fail-no-cli-and-config/expected.json @@ -14,6 +14,7 @@ } }, "alertScore": 10, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "ruleStatus": "", diff --git a/rules/kubelet-authorization-mode-alwaysAllow/test/fail-sensor-failed/expected.json b/rules/kubelet-authorization-mode-alwaysAllow/test/fail-sensor-failed/expected.json index b2eca50fe..3bb1d7be7 100644 --- a/rules/kubelet-authorization-mode-alwaysAllow/test/fail-sensor-failed/expected.json +++ b/rules/kubelet-authorization-mode-alwaysAllow/test/fail-sensor-failed/expected.json 
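Review bot: Both `deny` bodies this hunk touches (at `@@ -19` and `@@ -70`) still carry `"alertMessage": "Anonymous requests are enabled"`, which describes the anonymous-auth kubelet rule rather than this one; the file path, the metadata `name` and the `authorization.mode` path in `invalid-config-value/expected.json` all say the finding is about AlwaysAllow authorization. Assuming those bodies fire when the mode is AlwaysAllow (their conditions sit above the hunk), the text should be `"alertMessage": "Kubelet authorization mode is set to AlwaysAllow"`, with the fixtures that presumably carry the old text updated alongside. With `reviewPaths`, `failedPaths` and `fixPaths` all empty, the CLI-argument finding gives the reader nothing to locate; if the kubelet info object exposes the argument list, a `reviewPaths` entry pointing at it would help. The enclosing `deny[msga]` bodies start before the hunk and end after it.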
@@ -12,6 +12,7 @@ } }, "alertScore": 6, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "packagename": "armo_builtins" diff --git a/rules/kubelet-authorization-mode-alwaysAllow/test/invalid-cli-argument/expected.json b/rules/kubelet-authorization-mode-alwaysAllow/test/invalid-cli-argument/expected.json index ba0f96edc..db49befb9 100644 --- a/rules/kubelet-authorization-mode-alwaysAllow/test/invalid-cli-argument/expected.json +++ b/rules/kubelet-authorization-mode-alwaysAllow/test/invalid-cli-argument/expected.json @@ -14,6 +14,7 @@ } }, "alertScore": 10, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "ruleStatus": "", diff --git a/rules/kubelet-authorization-mode-alwaysAllow/test/invalid-config-value/expected.json b/rules/kubelet-authorization-mode-alwaysAllow/test/invalid-config-value/expected.json index d611bcc49..0a6a445d1 100644 --- a/rules/kubelet-authorization-mode-alwaysAllow/test/invalid-config-value/expected.json +++ b/rules/kubelet-authorization-mode-alwaysAllow/test/invalid-config-value/expected.json @@ -16,6 +16,9 @@ } }, "alertScore": 10, + "reviewPaths": [ + "authorization.mode" + ], "failedPaths": [ "authorization.mode" ], diff --git a/rules/kubelet-event-qps/raw.rego b/rules/kubelet-event-qps/raw.rego index ad0eed856..25eb0220a 100644 --- a/rules/kubelet-event-qps/raw.rego +++ b/rules/kubelet-event-qps/raw.rego @@ -51,6 +51,7 @@ deny[msga] { msga := { "alertMessage": "Failed to analyze config file", "alertScore": 2, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "packagename": "armo_builtins", diff --git a/rules/kubelet-event-qps/rule.metadata.json b/rules/kubelet-event-qps/rule.metadata.json index f4a351bd6..a28e99e20 100644 --- a/rules/kubelet-event-qps/rule.metadata.json +++ b/rules/kubelet-event-qps/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "kubelet-event-qps", "attributes": { - "armoBuiltin": true, "hostSensorRule": "true" }, "ruleLanguage": "Rego", 
diff --git a/rules/kubelet-event-qps/test/fail-eventRecordQPS=0-config/expected.json b/rules/kubelet-event-qps/test/fail-eventRecordQPS=0-config/expected.json index d179f9208..2caf95c77 100644 --- a/rules/kubelet-event-qps/test/fail-eventRecordQPS=0-config/expected.json +++ b/rules/kubelet-event-qps/test/fail-eventRecordQPS=0-config/expected.json @@ -16,6 +16,9 @@ } }, "alertScore": 2, + "reviewPaths": [ + "eventRecordQPS" + ], "failedPaths": [ "eventRecordQPS" ], diff --git a/rules/kubelet-event-qps/test/fail-sensor-failed/expected.json b/rules/kubelet-event-qps/test/fail-sensor-failed/expected.json index 141e00b00..49a7cc679 100644 --- a/rules/kubelet-event-qps/test/fail-sensor-failed/expected.json +++ b/rules/kubelet-event-qps/test/fail-sensor-failed/expected.json @@ -12,6 +12,7 @@ } }, "alertScore": 2, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "packagename": "armo_builtins" diff --git a/rules/kubelet-hostname-override/rule.metadata.json b/rules/kubelet-hostname-override/rule.metadata.json index cb0a7d528..ef39fcb34 100644 --- a/rules/kubelet-hostname-override/rule.metadata.json +++ b/rules/kubelet-hostname-override/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "kubelet-hostname-override", "attributes": { - "armoBuiltin": true, "hostSensorRule": "true" }, "ruleLanguage": "Rego", diff --git a/rules/kubelet-ip-tables/raw.rego b/rules/kubelet-ip-tables/raw.rego index 0373e1f6b..dc706b2d5 100644 --- a/rules/kubelet-ip-tables/raw.rego +++ b/rules/kubelet-ip-tables/raw.rego @@ -18,6 +18,7 @@ deny[msga] { msga := { "alertMessage": "Argument --make-iptables-util-chains is not set to true.", "alertScore": 3, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "packagename": "armo_builtins", @@ -69,6 +70,7 @@ deny[msga] { msga := { "alertMessage": "Failed to analyze config file", "alertScore": 6, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "packagename": "armo_builtins", 
diff --git a/rules/kubelet-ip-tables/rule.metadata.json b/rules/kubelet-ip-tables/rule.metadata.json index 7b097aa36..3d9582871 100644 --- a/rules/kubelet-ip-tables/rule.metadata.json +++ b/rules/kubelet-ip-tables/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "kubelet-ip-tables", "attributes": { - "armoBuiltin": true, "hostSensorRule": "true" }, "ruleLanguage": "Rego", diff --git a/rules/kubelet-ip-tables/test/fail-sensor-failed/expected.json b/rules/kubelet-ip-tables/test/fail-sensor-failed/expected.json index b2eca50fe..3bb1d7be7 100644 --- a/rules/kubelet-ip-tables/test/fail-sensor-failed/expected.json +++ b/rules/kubelet-ip-tables/test/fail-sensor-failed/expected.json @@ -12,6 +12,7 @@ } }, "alertScore": 6, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "packagename": "armo_builtins" diff --git a/rules/kubelet-ip-tables/test/fail-set-via-cli/expected.json b/rules/kubelet-ip-tables/test/fail-set-via-cli/expected.json index d7611546b..aada67a9a 100644 --- a/rules/kubelet-ip-tables/test/fail-set-via-cli/expected.json +++ b/rules/kubelet-ip-tables/test/fail-set-via-cli/expected.json @@ -14,6 +14,7 @@ } }, "alertScore": 3, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "ruleStatus": "", diff --git a/rules/kubelet-ip-tables/test/fail-set-via-config/expected.json b/rules/kubelet-ip-tables/test/fail-set-via-config/expected.json index 96d2dc983..3fb7f6895 100644 --- a/rules/kubelet-ip-tables/test/fail-set-via-config/expected.json +++ b/rules/kubelet-ip-tables/test/fail-set-via-config/expected.json @@ -16,6 +16,9 @@ } }, "alertScore": 3, + "reviewPaths": [ + "makeIPTablesUtilChains" + ], "failedPaths": [ "makeIPTablesUtilChains" ], diff --git a/rules/kubelet-protect-kernel-defaults/raw.rego b/rules/kubelet-protect-kernel-defaults/raw.rego index 963ccc6fc..35b25fc41 100644 --- a/rules/kubelet-protect-kernel-defaults/raw.rego +++ b/rules/kubelet-protect-kernel-defaults/raw.rego 
@@ -18,6 +18,7 @@ deny[msga] { msga := { "alertMessage": "Argument --protect-kernel-defaults is not set to true.", "alertScore": 2, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "packagename": "armo_builtins", @@ -68,6 +69,7 @@ deny[msga] { msga := { "alertMessage": "Argument --protect-kernel-defaults is not set to true.", "alertScore": 2, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "packagename": "armo_builtins", @@ -90,6 +92,7 @@ deny[msga] { msga := { "alertMessage": "Failed to analyze config file", "alertScore": 2, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "packagename": "armo_builtins", diff --git a/rules/kubelet-protect-kernel-defaults/rule.metadata.json b/rules/kubelet-protect-kernel-defaults/rule.metadata.json index 63d98e80d..885771946 100644 --- a/rules/kubelet-protect-kernel-defaults/rule.metadata.json +++ b/rules/kubelet-protect-kernel-defaults/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "kubelet-protect-kernel-defaults", "attributes": { - "armoBuiltin": true, "hostSensorRule": "true" }, "ruleLanguage": "Rego", diff --git a/rules/kubelet-protect-kernel-defaults/test/deny-config-file-false/expected.json b/rules/kubelet-protect-kernel-defaults/test/deny-config-file-false/expected.json index b8a32681c..d12c18516 100644 --- a/rules/kubelet-protect-kernel-defaults/test/deny-config-file-false/expected.json +++ b/rules/kubelet-protect-kernel-defaults/test/deny-config-file-false/expected.json @@ -16,6 +16,9 @@ } }, "alertScore": 2, + "reviewPaths": [ + "protectKernelDefaults" + ], "failedPaths": [ "protectKernelDefaults" ], diff --git a/rules/kubelet-protect-kernel-defaults/test/fail-no-config-and-cli/expected.json b/rules/kubelet-protect-kernel-defaults/test/fail-no-config-and-cli/expected.json index ca21f3c4f..df74ca04f 100644 --- a/rules/kubelet-protect-kernel-defaults/test/fail-no-config-and-cli/expected.json +++ b/rules/kubelet-protect-kernel-defaults/test/fail-no-config-and-cli/expected.json 
@@ -14,6 +14,7 @@ } }, "alertScore": 2, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "packagename": "armo_builtins" diff --git a/rules/kubelet-protect-kernel-defaults/test/fail-set-via-cli/expected.json b/rules/kubelet-protect-kernel-defaults/test/fail-set-via-cli/expected.json index f8f43865f..3ff0abe09 100644 --- a/rules/kubelet-protect-kernel-defaults/test/fail-set-via-cli/expected.json +++ b/rules/kubelet-protect-kernel-defaults/test/fail-set-via-cli/expected.json @@ -14,6 +14,7 @@ } }, "alertScore": 2, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "packagename": "armo_builtins" diff --git a/rules/kubelet-rotate-certificates/raw.rego b/rules/kubelet-rotate-certificates/raw.rego index bbe633709..c6c53e5ad 100644 --- a/rules/kubelet-rotate-certificates/raw.rego +++ b/rules/kubelet-rotate-certificates/raw.rego @@ -18,6 +18,7 @@ deny[msga] { msga := { "alertMessage": "Kubelet client certificates rotation is disabled", "alertScore": 6, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "packagename": "armo_builtins", @@ -69,6 +70,7 @@ deny[msga] { msga := { "alertMessage": "Failed to analyze config file", "alertScore": 6, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "packagename": "armo_builtins", diff --git a/rules/kubelet-rotate-certificates/rule.metadata.json b/rules/kubelet-rotate-certificates/rule.metadata.json index b09a0256b..3efe50cbf 100644 --- a/rules/kubelet-rotate-certificates/rule.metadata.json +++ b/rules/kubelet-rotate-certificates/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "kubelet-rotate-certificates", "attributes": { - "armoBuiltin": true, "hostSensorRule": "true" }, "ruleLanguage": "Rego", diff --git a/rules/kubelet-rotate-certificates/test/fail-cli-argument-set-false/expected.json b/rules/kubelet-rotate-certificates/test/fail-cli-argument-set-false/expected.json index cf48e1af8..b2ebc760d 100644 --- a/rules/kubelet-rotate-certificates/test/fail-cli-argument-set-false/expected.json 
+++ b/rules/kubelet-rotate-certificates/test/fail-cli-argument-set-false/expected.json @@ -14,6 +14,7 @@ } }, "alertScore": 6, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "ruleStatus": "", diff --git a/rules/kubelet-rotate-certificates/test/fail-sensor-failed/expected.json b/rules/kubelet-rotate-certificates/test/fail-sensor-failed/expected.json index b2eca50fe..3bb1d7be7 100644 --- a/rules/kubelet-rotate-certificates/test/fail-sensor-failed/expected.json +++ b/rules/kubelet-rotate-certificates/test/fail-sensor-failed/expected.json @@ -12,6 +12,7 @@ } }, "alertScore": 6, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "packagename": "armo_builtins" diff --git a/rules/kubelet-rotate-certificates/test/fail-set-false-via-config-file/expected.json b/rules/kubelet-rotate-certificates/test/fail-set-false-via-config-file/expected.json index b8ff51b1a..7b20fa052 100644 --- a/rules/kubelet-rotate-certificates/test/fail-set-false-via-config-file/expected.json +++ b/rules/kubelet-rotate-certificates/test/fail-set-false-via-config-file/expected.json @@ -16,6 +16,9 @@ } }, "alertScore": 6, + "reviewPaths": [ + "rotateCertificates" + ], "failedPaths": [ "rotateCertificates" ], diff --git a/rules/kubelet-rotate-kubelet-server-certificate/rule.metadata.json b/rules/kubelet-rotate-kubelet-server-certificate/rule.metadata.json index 1627f6966..912c3d558 100644 --- a/rules/kubelet-rotate-kubelet-server-certificate/rule.metadata.json +++ b/rules/kubelet-rotate-kubelet-server-certificate/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "kubelet-rotate-kubelet-server-certificate", "attributes": { - "armoBuiltin": true, "hostSensorRule": "true" }, "ruleLanguage": "Rego", diff --git a/rules/kubelet-streaming-connection-idle-timeout/raw.rego b/rules/kubelet-streaming-connection-idle-timeout/raw.rego index 86532b50c..37157385c 100644 --- a/rules/kubelet-streaming-connection-idle-timeout/raw.rego +++ b/rules/kubelet-streaming-connection-idle-timeout/raw.rego 
@@ -18,6 +18,7 @@ deny[msga] { msga := { "alertMessage": "Timeouts on streaming connections are enabled", "alertScore": 3, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "packagename": "armo_builtins", @@ -69,6 +70,7 @@ deny[msga] { msga := { "alertMessage": "Failed to analyze config file", "alertScore": 3, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "packagename": "armo_builtins", diff --git a/rules/kubelet-streaming-connection-idle-timeout/rule.metadata.json b/rules/kubelet-streaming-connection-idle-timeout/rule.metadata.json index d85135e69..49f631623 100644 --- a/rules/kubelet-streaming-connection-idle-timeout/rule.metadata.json +++ b/rules/kubelet-streaming-connection-idle-timeout/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "kubelet-streaming-connection-idle-timeout", "attributes": { - "armoBuiltin": true, "hostSensorRule": "true" }, "ruleLanguage": "Rego", diff --git a/rules/kubelet-streaming-connection-idle-timeout/test/fail-config-file/expected.json b/rules/kubelet-streaming-connection-idle-timeout/test/fail-config-file/expected.json index c59f4c362..03049ff53 100644 --- a/rules/kubelet-streaming-connection-idle-timeout/test/fail-config-file/expected.json +++ b/rules/kubelet-streaming-connection-idle-timeout/test/fail-config-file/expected.json @@ -16,6 +16,9 @@ } }, "alertScore": 3, + "reviewPaths": [ + "streamingConnectionIdleTimeout" + ], "failedPaths": [ "streamingConnectionIdleTimeout" ], diff --git a/rules/kubelet-streaming-connection-idle-timeout/test/fail-sensor-failed/expected.json b/rules/kubelet-streaming-connection-idle-timeout/test/fail-sensor-failed/expected.json index eca26bacd..4f6d2acb3 100644 --- a/rules/kubelet-streaming-connection-idle-timeout/test/fail-sensor-failed/expected.json +++ b/rules/kubelet-streaming-connection-idle-timeout/test/fail-sensor-failed/expected.json @@ -12,6 +12,7 @@ } }, "alertScore": 3, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "packagename": "armo_builtins" 
diff --git a/rules/kubelet-streaming-connection-idle-timeout/test/fail-set-via-cli/expected.json b/rules/kubelet-streaming-connection-idle-timeout/test/fail-set-via-cli/expected.json index 6c4d42f08..f0b8d262b 100644 --- a/rules/kubelet-streaming-connection-idle-timeout/test/fail-set-via-cli/expected.json +++ b/rules/kubelet-streaming-connection-idle-timeout/test/fail-set-via-cli/expected.json @@ -9,6 +9,7 @@ "kind": "KubeletInfo" }, "alertScore": 3, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "packagename": "armo_builtins" diff --git a/rules/kubelet-strong-cryptography-ciphers/raw.rego b/rules/kubelet-strong-cryptography-ciphers/raw.rego index 5871f6968..6f1e057c0 100644 --- a/rules/kubelet-strong-cryptography-ciphers/raw.rego +++ b/rules/kubelet-strong-cryptography-ciphers/raw.rego @@ -19,6 +19,7 @@ deny[msga] { msga := { "alertMessage": "Kubelet is not configured to only use strong cryptographic ciphers", "alertScore": 5, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "packagename": "armo_builtins", @@ -71,6 +72,7 @@ deny[msga] { msga := { "alertMessage": "Kubelet is not configured to only use strong cryptographic ciphers", "alertScore": 5, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "packagename": "armo_builtins", diff --git a/rules/kubelet-strong-cryptography-ciphers/rule.metadata.json b/rules/kubelet-strong-cryptography-ciphers/rule.metadata.json index b5572a5cf..cbf24c136 100644 --- a/rules/kubelet-strong-cryptography-ciphers/rule.metadata.json +++ b/rules/kubelet-strong-cryptography-ciphers/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "kubelet-strong-cryptographics-ciphers", "attributes": { - "armoBuiltin": true, "hostSensorRule": "true" }, "ruleLanguage": "Rego", diff --git a/rules/kubelet-strong-cryptography-ciphers/test/fail-cli-and-config-not-set/expected.json b/rules/kubelet-strong-cryptography-ciphers/test/fail-cli-and-config-not-set/expected.json index 546cf33e7..5bfe968bb 100644 
--- a/rules/kubelet-strong-cryptography-ciphers/test/fail-cli-and-config-not-set/expected.json +++ b/rules/kubelet-strong-cryptography-ciphers/test/fail-cli-and-config-not-set/expected.json @@ -14,6 +14,7 @@ } }, "alertScore": 5, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "ruleStatus": "", diff --git a/rules/kubelet-strong-cryptography-ciphers/test/fail-cli/expected.json b/rules/kubelet-strong-cryptography-ciphers/test/fail-cli/expected.json index 5179ac94a..8303f834f 100644 --- a/rules/kubelet-strong-cryptography-ciphers/test/fail-cli/expected.json +++ b/rules/kubelet-strong-cryptography-ciphers/test/fail-cli/expected.json @@ -14,6 +14,7 @@ } }, "alertScore": 5, + "reviewPaths": [], "failedPaths": [], "fixPaths": [], "ruleStatus": "", diff --git a/rules/kubelet-strong-cryptography-ciphers/test/fail-config-not-supported-value/expected.json b/rules/kubelet-strong-cryptography-ciphers/test/fail-config-not-supported-value/expected.json index a3acada9d..f5219c7e4 100644 --- a/rules/kubelet-strong-cryptography-ciphers/test/fail-config-not-supported-value/expected.json +++ b/rules/kubelet-strong-cryptography-ciphers/test/fail-config-not-supported-value/expected.json @@ -16,6 +16,9 @@ } }, "alertScore": 5, + "reviewPaths": [ + "TLSCipherSuites" + ], "failedPaths": [ "TLSCipherSuites" ], diff --git a/rules/label-usage-for-resources/raw.rego b/rules/label-usage-for-resources/raw.rego index a8f8e82e8..06047c3b5 100644 --- a/rules/label-usage-for-resources/raw.rego +++ b/rules/label-usage-for-resources/raw.rego 
@@ -85,21 +85,21 @@ no_label_usage(wl, podSpec, beggining_of_pod_path) = path{ no_label_or_no_label_usage(wl, start_of_path) = path{ not wl.metadata label_key := get_label_key("") - path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels[%v]", [start_of_path, label_key]), "value": "YOUR_VALUE"}] } no_label_or_no_label_usage(wl, start_of_path) = path{ metadata := wl.metadata not metadata.labels label_key := get_label_key("") - path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels[%v]", [start_of_path, label_key]), "value": "YOUR_VALUE"}] } no_label_or_no_label_usage(wl, start_of_path) = path{ labels := wl.metadata.labels not is_desired_label(labels) label_key := get_label_key("") - path = [{"path": sprintf("%vmetadata.labels.%v", [start_of_path, label_key]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels[%v]", [start_of_path, label_key]), "value": "YOUR_VALUE"}] } is_desired_label(labels) { diff --git a/rules/label-usage-for-resources/rule.metadata.json b/rules/label-usage-for-resources/rule.metadata.json index bbcc42e18..e8bd45b4e 100644 --- a/rules/label-usage-for-resources/rule.metadata.json +++ b/rules/label-usage-for-resources/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "label-usage-for-resources", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/label-usage-for-resources/test/cronjob/expected.json b/rules/label-usage-for-resources/test/cronjob/expected.json index 595a928d3..8e24502e9 100644 --- a/rules/label-usage-for-resources/test/cronjob/expected.json +++ b/rules/label-usage-for-resources/test/cronjob/expected.json 
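Review bot: The three `no_label_or_no_label_usage` heads now emit the label key in bracket form, which is the right fix for keys such as `app.kubernetes.io/name` that the old dotted form (`metadata.labels.%v`) would have been split on `.` and `/` by a path consumer, but nothing in the hunk says why; a comment above the first head would prevent the next person from "simplifying" it back, e.g. `# bracket form: label keys may contain '.' and '/', so they must not become path segments`. Whether the consumer of `fixPaths` expects the key quoted inside the brackets is not visible here — worth confirming against other rules that already emit `[...]` paths. All three heads build the identical path from `get_label_key("")`; a small helper such as `label_fix_path(start_of_path)` would remove the triplicated `sprintf`.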
@@ -2,10 +2,10 @@ "alertMessage": "the following cronjobs a certain set of labels is not defined: hello", "failedPaths": [], "fixPaths": [{ - "path": "metadata.labels.YOUR_LABEL", + "path": "metadata.labels[YOUR_LABEL]", "value": "YOUR_VALUE" }, { - "path": "spec.jobTemplate.spec.template.metadata.labels.YOUR_LABEL", + "path": "spec.jobTemplate.spec.template.metadata.labels[YOUR_LABEL]", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/label-usage-for-resources/test/pod/expected.json b/rules/label-usage-for-resources/test/pod/expected.json index ffcc45464..159053bb6 100644 --- a/rules/label-usage-for-resources/test/pod/expected.json +++ b/rules/label-usage-for-resources/test/pod/expected.json @@ -2,7 +2,7 @@ "alertMessage": "in the following pods a certain set of labels is not defined: command-demo", "failedPaths": [], "fixPaths": [{ - "path": "metadata.labels.app", + "path": "metadata.labels[app]", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/label-usage-for-resources/test/workload-fail/expected.json b/rules/label-usage-for-resources/test/workload-fail/expected.json index dcf7acfeb..ff103d96a 100644 --- a/rules/label-usage-for-resources/test/workload-fail/expected.json +++ b/rules/label-usage-for-resources/test/workload-fail/expected.json @@ -2,7 +2,7 @@ "alertMessage": "Deployment: kubernetes-dashboard a certain set of labels is not defined:", "failedPaths": [], "fixPaths": [{ - "path": "spec.template.metadata.labels.app", + "path": "spec.template.metadata.labels[app]", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/lease-in-default-namespace/rule.metadata.json b/rules/lease-in-default-namespace/rule.metadata.json index 6366b597e..4513d3645 100644 --- a/rules/lease-in-default-namespace/rule.metadata.json +++ b/rules/lease-in-default-namespace/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "lease-in-default-namespace", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ 
diff --git a/rules/lease-in-default-namespace/test/lease/expected.json b/rules/lease-in-default-namespace/test/lease/expected.json index fb727cdb2..79d9a2a35 100644 --- a/rules/lease-in-default-namespace/test/lease/expected.json +++ b/rules/lease-in-default-namespace/test/lease/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "Lease: kubescape is in the 'default' namespace", + "reviewPaths": [ + "metadata.namespace" + ], "failedPaths": [ "metadata.namespace" ], diff --git a/rules/linux-hardening/rule.metadata.json b/rules/linux-hardening/rule.metadata.json index e04eb97df..4de9f6920 100644 --- a/rules/linux-hardening/rule.metadata.json +++ b/rules/linux-hardening/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "linux-hardening", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/list-all-mutating-webhooks/rule.metadata.json b/rules/list-all-mutating-webhooks/rule.metadata.json index f2fed196a..ee3f697dc 100644 --- a/rules/list-all-mutating-webhooks/rule.metadata.json +++ b/rules/list-all-mutating-webhooks/rule.metadata.json @@ -1,8 +1,7 @@ { "name": "list-all-mutating-webhooks", "attributes": { - "m$K8sThreatMatrix": "Persistence::Validate admission controller", - "armoBuiltin": true + "m$K8sThreatMatrix": "Persistence::Validate admission controller" }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/list-all-namespaces/rule.metadata.json b/rules/list-all-namespaces/rule.metadata.json index 3a09df65e..be6f7dd3d 100644 --- a/rules/list-all-namespaces/rule.metadata.json +++ b/rules/list-all-namespaces/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "list-all-namespaces", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/list-all-validating-webhooks/rule.metadata.json b/rules/list-all-validating-webhooks/rule.metadata.json index d14d41057..f0973e277 100644 --- a/rules/list-all-validating-webhooks/rule.metadata.json +++ b/rules/list-all-validating-webhooks/rule.metadata.json 
@@ -1,8 +1,7 @@ { "name": "list-all-validating-webhooks", "attributes": { - "m$K8sThreatMatrix": "Credential Access::Validate admission controller", - "armoBuiltin": true + "m$K8sThreatMatrix": "Credential Access::Validate admission controller" }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/list-role-definitions-in-acr/rule.metadata.json b/rules/list-role-definitions-in-acr/rule.metadata.json index 618f868b8..bf558370a 100644 --- a/rules/list-role-definitions-in-acr/rule.metadata.json +++ b/rules/list-role-definitions-in-acr/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "list-role-definitions-in-acr", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "dynamicMatch": [ diff --git a/rules/naked-pods/rule.metadata.json b/rules/naked-pods/rule.metadata.json index 4049345bf..317152ca7 100644 --- a/rules/naked-pods/rule.metadata.json +++ b/rules/naked-pods/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "naked-pods", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/namespace-without-service-account/rule.metadata.json b/rules/namespace-without-service-account/rule.metadata.json index caebdf371..954acb5d0 100644 --- a/rules/namespace-without-service-account/rule.metadata.json +++ b/rules/namespace-without-service-account/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "namespace-without-service-account", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/non-root-containers/raw.rego b/rules/non-root-containers/raw.rego index 08c6e74ae..618d4b41f 100644 --- a/rules/non-root-containers/raw.rego +++ b/rules/non-root-containers/raw.rego 
@@ -9,17 +9,19 @@ deny[msga] { container := pod.spec.containers[i] start_of_path := "spec" - alertInfo := evaluate_workload_non_root_container(container, pod, start_of_path) - fixPath := get_fixed_path(alertInfo, i) - failed_path := get_failed_path(alertInfo, i) + run_as_user_fixpath := evaluate_workload_run_as_user(container, pod, start_of_path) + run_as_group_fixpath := evaluate_workload_run_as_group(container, pod, start_of_path) + all_fixpaths := array.concat(run_as_user_fixpath, run_as_group_fixpath) + count(all_fixpaths) > 0 + fixPaths := get_fixed_paths(all_fixpaths, i) msga := { "alertMessage": sprintf("container: %v in pod: %v may run as root", [container.name, pod.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, - "reviewPaths": failed_path, - "failedPaths": failed_path, - "fixPaths": fixPath, + "reviewPaths": [], + "failedPaths": [], + "fixPaths": fixPaths, "alertObject": { "k8sApiObjects": [pod] } 
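Review bot: `reviewPaths` and `failedPaths` are now hard-coded to `[]` in the pod `deny` rule even when the offending field is present in the manifest (an explicit `runAsUser: 0`), whereas the removed `get_failed_path` used to point at it; consumers that highlight failed paths lose that location and only see the replacement value in `fixPaths`. If that is intended, a one-line comment next to the two empty arrays would make it explicit, e.g. `# location is reported through fixPaths only; failedPaths is intentionally empty`. Otherwise, for the "defined" case the path already computed in `get_run_as_user_value` could be surfaced in `reviewPaths` without changing the fix itself. The same pattern is repeated in the Deployment and CronJob rules below.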
@@ -34,16 +36,19 @@ deny[msga] { container := wl.spec.template.spec.containers[i] start_of_path := "spec.template.spec" - alertInfo := evaluate_workload_non_root_container(container, wl.spec.template, start_of_path) - fixPath := get_fixed_path(alertInfo, i) - failed_path := get_failed_path(alertInfo, i) + run_as_user_fixpath := evaluate_workload_run_as_user(container, wl.spec.template, start_of_path) + run_as_group_fixpath := evaluate_workload_run_as_group(container, wl.spec.template, start_of_path) + all_fixpaths := array.concat(run_as_user_fixpath, run_as_group_fixpath) + count(all_fixpaths) > 0 + fixPaths := get_fixed_paths(all_fixpaths, i) + msga := { - "alertMessage": sprintf("container :%v in %v: %v may run as root", [container.name, wl.kind, wl.metadata.name]), + "alertMessage": sprintf("container: %v in %v: %v may run as root", [container.name, wl.kind, wl.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, - "reviewPaths": failed_path, - "failedPaths": failed_path, - "fixPaths": fixPath, + "reviewPaths": [], + "failedPaths": [], + "fixPaths": fixPaths, "alertObject": { "k8sApiObjects": [wl] } 
@@ -57,39 +62,38 @@ deny[msga] { container = wl.spec.jobTemplate.spec.template.spec.containers[i] start_of_path := "spec.jobTemplate.spec.template.spec" - alertInfo := evaluate_workload_non_root_container(container, wl.spec.jobTemplate.spec.template, start_of_path) - fixPath := get_fixed_path(alertInfo, i) - failed_path := get_failed_path(alertInfo, i) + run_as_user_fixpath := evaluate_workload_run_as_user(container, wl.spec.jobTemplate.spec.template, start_of_path) + run_as_group_fixpath := evaluate_workload_run_as_group(container, wl.spec.jobTemplate.spec.template, start_of_path) + all_fixpaths := array.concat(run_as_user_fixpath, run_as_group_fixpath) + count(all_fixpaths) > 0 + fixPaths := get_fixed_paths(all_fixpaths, i) msga := { - "alertMessage": sprintf("container :%v in %v: %v may run as root", [container.name, wl.kind, wl.metadata.name]), + "alertMessage": sprintf("container: %v in %v: %v may run as root", [container.name, wl.kind, wl.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, - "reviewPaths": failed_path, - "failedPaths": failed_path, - "fixPaths": fixPath, + "reviewPaths": [], + "failedPaths": [], + "fixPaths": fixPaths, "alertObject": { "k8sApiObjects": [wl] } } } -get_failed_path(alertInfo, i) = [replace(alertInfo.failed_path,"container_ndx",format_int(i,10))] { - alertInfo.failed_path != "" -} else = [] - -get_fixed_path(alertInfo, i) = [{"path":replace(alertInfo.fixPath[0].path,"container_ndx",format_int(i,10)), "value":alertInfo.fixPath[0].value}, {"path":replace(alertInfo.fixPath[1].path,"container_ndx",format_int(i,10)), "value":alertInfo.fixPath[1].value}]{ - count(alertInfo.fixPath) == 2 -} else = [{"path":replace(alertInfo.fixPath[0].path,"container_ndx",format_int(i,10)), "value":alertInfo.fixPath[0].value}] { - count(alertInfo.fixPath) == 1 -} else = [] +get_fixed_paths(all_fixpaths, i) = [{"path":replace(all_fixpaths[0].path,"container_ndx",format_int(i,10)), "value":all_fixpaths[0].value}, 
{"path":replace(all_fixpaths[1].path,"container_ndx",format_int(i,10)), "value":all_fixpaths[1].value}]{ + count(all_fixpaths) == 2 +} else = [{"path":replace(all_fixpaths[0].path,"container_ndx",format_int(i,10)), "value":all_fixpaths[0].value}] ################################################################################# # Workload evaluation -evaluate_workload_non_root_container(container, pod, start_of_path) = alertInfo { +# if runAsUser is set to 0 and runAsNonRoot is set to false/ not set - suggest to set runAsUser to 1000 +# if runAsUser is not set and runAsNonRoot is set to false/ not set - suggest to set runAsNonRoot to true +# all checks are both on the pod and the container level +evaluate_workload_run_as_user(container, pod, start_of_path) = fixPath { runAsNonRootValue := get_run_as_non_root_value(container, pod, start_of_path) runAsNonRootValue.value == false @@ -97,12 +101,18 @@ evaluate_workload_non_root_container(container, pod, start_of_path) = alertInfo runAsUserValue.value == 0 alertInfo := choose_first_if_defined(runAsUserValue, runAsNonRootValue) -} else = alertInfo { - allowPrivilegeEscalationValue := get_allow_privilege_escalation(container, pod, start_of_path) - allowPrivilegeEscalationValue.value == true + fixPath := alertInfo.fixPath +} else = [] - alertInfo := allowPrivilegeEscalationValue -} + +# if runAsGroup is set to 0/ not set - suggest to set runAsGroup to 1000 +# all checks are both on the pod and the container level +evaluate_workload_run_as_group(container, pod, start_of_path) = fixPath { + runAsGroupValue := get_run_as_group_value(container, pod, start_of_path) + runAsGroupValue.value == 0 + + fixPath := runAsGroupValue.fixPath +} else = [] ################################################################################# 
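Review bot: The `else` branch that flagged `allowPrivilegeEscalationValue.value == true` is deleted in the `@@ -97` hunk with nothing in this rule taking its place, so a container that runs as non-root but can still gain privileges through setuid binaries now passes `non-root-containers`; that is only fine if another rule in the library owns that check, which this diff does not show. If so, state it in the header comment, e.g. `# allowPrivilegeEscalation is intentionally not evaluated here; a dedicated rule covers it`. Note also that `evaluate_workload_run_as_user` is gated on `runAsNonRootValue.value == false`, so `runAsNonRoot: true` combined with an explicit `runAsUser: 0` is not reported at all (the kubelet normally refuses to start that combination, but a scanner could still flag the contradiction); a short comment recording that this is deliberate would save the next reader from re-deriving it.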
@@ -110,60 +120,32 @@ evaluate_workload_non_root_container(container, pod, start_of_path) = alertInfo get_run_as_non_root_value(container, pod, start_of_path) = runAsNonRoot { - failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]) - runAsNonRoot := {"value" : container.securityContext.runAsNonRoot, "failed_path" : failed_path, "fixPath": [] ,"defined" : true} + runAsNonRoot := {"value" : container.securityContext.runAsNonRoot, "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}], "defined" : true} } else = runAsNonRoot { - failed_path := sprintf("%v.securityContext.runAsNonRoot", [start_of_path]) - runAsNonRoot := {"value" : pod.spec.securityContext.runAsNonRoot, "failed_path" : failed_path, "fixPath": [], "defined" : true} -} else = {"value" : false, "failed_path" : "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}], "defined" : false} { - is_allow_privilege_escalation_field(container, pod) -} else = {"value" : false, "failed_path" : "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]) , "value":"true"}, {"path":sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], "defined" : false} + runAsNonRoot := {"value" : pod.spec.securityContext.runAsNonRoot, "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}], "defined" : true} +} else = {"value" : false, "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]) , "value":"true"}], "defined" : false} get_run_as_user_value(container, pod, start_of_path) = runAsUser { - failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [start_of_path]) - runAsUser := {"value" 
: container.securityContext.runAsUser, "failed_path" : failed_path, "fixPath": [], "defined" : true} + path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [start_of_path]) + runAsUser := {"value" : container.securityContext.runAsUser, "fixPath": [{"path": path, "value": "1000"}], "defined" : true} } else = runAsUser { - failed_path := sprintf("%v.securityContext.runAsUser", [start_of_path]) - runAsUser := {"value" : pod.spec.securityContext.runAsUser, "failed_path" : failed_path, "fixPath": [],"defined" : true} -} else = {"value" : 0, "failed_path": "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}],"defined" : false}{ - is_allow_privilege_escalation_field(container, pod) -} else = {"value" : 0, "failed_path": "", - "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"},{"path": sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], + path := sprintf("%v.securityContext.runAsUser", [start_of_path]) + runAsUser := {"value" : pod.spec.securityContext.runAsUser, "fixPath": [{"path": path, "value": "1000"}],"defined" : true} +} else = {"value" : 0, "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}], "defined" : false} get_run_as_group_value(container, pod, start_of_path) = runAsGroup { - failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [start_of_path]) - runAsGroup := {"value" : container.securityContext.runAsGroup, "failed_path" : failed_path, "fixPath": [],"defined" : true} + path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [start_of_path]) + runAsGroup := {"value" : container.securityContext.runAsGroup, "fixPath": [{"path": path, "value": "1000"}],"defined" : true} } else = runAsGroup { - failed_path := 
sprintf("%v.securityContext.runAsGroup", [start_of_path]) - runAsGroup := {"value" : pod.spec.securityContext.runAsGroup, "failed_path" : failed_path, "fixPath":[], "defined" : true} -} else = {"value" : 0, "failed_path": "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}], "defined" : false}{ - is_allow_privilege_escalation_field(container, pod) -} else = {"value" : 0, "failed_path": "", - "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"},{"path": sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], + path := sprintf("%v.securityContext.runAsGroup", [start_of_path]) + runAsGroup := {"value" : pod.spec.securityContext.runAsGroup, "fixPath":[{"path": path, "value": "1000"}], "defined" : true} +} else = {"value" : 0, "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [start_of_path]), "value":"1000"}], "defined" : false } -get_allow_privilege_escalation(container, pod, start_of_path) = allowPrivilegeEscalation { - failed_path := sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]) - allowPrivilegeEscalation := {"value" : container.securityContext.allowPrivilegeEscalation, "failed_path" : failed_path, "fixPath": [],"defined" : true} -} else = allowPrivilegeEscalation { - failed_path := sprintf("%v.securityContext.allowPrivilegeEscalation", [start_of_path]) - allowPrivilegeEscalation := {"value" : pod.spec.securityContext.allowPrivilegeEscalation, "failed_path" : failed_path, "fixPath": [],"defined" : true} -} else = {"value" : true, "failed_path": "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], "defined" : false} - choose_first_if_defined(l1, l2) = c { l1.defined c := l1 } else = l2 
- -is_allow_privilege_escalation_field(container, pod) { - container.securityContext.allowPrivilegeEscalation == false -} - -is_allow_privilege_escalation_field(container, pod) { - pod.spec.securityContext.allowPrivilegeEscalation == false -} - - diff --git a/rules/non-root-containers/rule.metadata.json b/rules/non-root-containers/rule.metadata.json index 7e3a644f9..315d4b6d0 100644 --- a/rules/non-root-containers/rule.metadata.json +++ b/rules/non-root-containers/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "non-root-containers", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ @@ -46,6 +45,6 @@ "ruleDependencies": [ ], "description": "fails if container can run as root", - "remediation": "Make sure that the user/group in the securityContext of pod/container is set to an id less than 1000, or the runAsNonRoot flag is set to true. Also make sure that the allowPrivilegeEscalation field is set to false", + "remediation": "Make sure that the user/group in the securityContext of pod/container is set to an id over 0, or the runAsNonRoot flag is set to true.", "ruleQuery": "armo_builtins" } \ No newline at end of file diff --git a/rules/non-root-containers/test/cronjob-fixed-path/expected.json b/rules/non-root-containers/test/cronjob-runasuser/expected.json similarity index 65% rename from rules/non-root-containers/test/cronjob-fixed-path/expected.json rename to rules/non-root-containers/test/cronjob-runasuser/expected.json index 55e04cef0..a1ff2e9dd 100644 --- a/rules/non-root-containers/test/cronjob-fixed-path/expected.json +++ b/rules/non-root-containers/test/cronjob-runasuser/expected.json 
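Review bot: The final `else` of `get_run_as_group_value` returns `{"value": 0, ...}` when `runAsGroup` is unset, so a container that sets `runAsNonRoot: true` or `runAsUser: 1000` but no `runAsGroup` is still reported as "may run as root" (the `hello2` case in the cronjob-runasuser fixture shows this); that is defensible, because `runAsNonRoot` only constrains the UID and an unset GID falls back to whatever the image defines, which is often 0, but the function gives no hint that the default is intentional. Suggest a comment on that branch: `# unset runAsGroup is treated as 0: runAsNonRoot only constrains the UID, and the image's default GID may still be root`. The fix values are emitted as the string `"1000"` for integer fields, matching the existing `"true"`/`"false"` convention, so that is consistent; the Kubernetes field type is not visible here, so confirm the fix-path applier coerces it.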
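Review bot: The new `remediation` sentence presents `runAsNonRoot: true` as a full alternative to a non-zero user/group id, but the rewritten rule still fails a container whose `runAsGroup` is unset regardless of `runAsNonRoot` or `runAsUser` (see `hello2` in the cronjob-runasuser expectation, which has `runAsUser: 1000` and is still reported), so the text under-describes what is needed to pass. Suggest: `"remediation": "Set runAsUser and runAsGroup in the pod or container securityContext to ids greater than 0 (runAsNonRoot: true may replace the runAsUser setting, but runAsGroup must still be set explicitly)."`. The `description` ("fails if container can run as root") no longer covers the privilege-escalation case this same commit removes from the rule, which is correct, but readers of the old version may expect it — worth a note in the PR description that the check moved.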
@@ -1,12 +1,14 @@ [{ - "alertMessage": "container :hello in CronJob: hello may run as root", + "alertMessage": "container: hello in CronJob: hello may run as root", + "reviewPaths": [], "failedPaths": [], "fixPaths": [{ - "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.runAsNonRoot", - "value": "true" - }, { - "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", - "value": "false" + "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.runAsUser", + "value": "1000" + }, + { + "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.runAsGroup", + "value": "1000" }], "ruleStatus": "", "packagename": "armo_builtins", @@ -21,14 +23,12 @@ }] } }, { - "alertMessage": "container :hello2 in CronJob: hello may run as root", + "alertMessage": "container: hello2 in CronJob: hello may run as root", + "reviewPaths": [], "failedPaths": [], "fixPaths": [{ - "path": "spec.jobTemplate.spec.template.spec.containers[1].securityContext.runAsNonRoot", - "value": "true" - }, { - "path": "spec.jobTemplate.spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation", - "value": "false" + "path": "spec.jobTemplate.spec.template.spec.containers[1].securityContext.runAsGroup", + "value": "1000" }], "ruleStatus": "", "packagename": "armo_builtins", diff --git a/rules/CVE-2022-0492/test/no_new_privs_pass/input/cronjob.yaml b/rules/non-root-containers/test/cronjob-runasuser/input/cronjob.yaml similarity index 79% rename from rules/CVE-2022-0492/test/no_new_privs_pass/input/cronjob.yaml rename to rules/non-root-containers/test/cronjob-runasuser/input/cronjob.yaml index eef252e89..4bcd36b47 100644 --- a/rules/CVE-2022-0492/test/no_new_privs_pass/input/cronjob.yaml +++ b/rules/non-root-containers/test/cronjob-runasuser/input/cronjob.yaml 
@@ -10,12 +10,15 @@ spec:
 spec:
 containers:
 - name: hello
- securityContext:
- privileged: true
 image: busybox
 imagePullPolicy: IfNotPresent
 command:
 - /bin/sh
 - -c
 - date; echo Hello from the Kubernetes cluster
+ securityContext:
+ runAsUser: 0
+ - name: hello2
+ securityContext:
+ runAsUser: 1000
 restartPolicy: OnFailure
\ No newline at end of file
diff --git a/rules/non-root-containers/test/cronjob/expected.json b/rules/non-root-containers/test/cronjob/expected.json
index 2fd82b7a9..5b499aed2 100644
--- a/rules/non-root-containers/test/cronjob/expected.json
+++ b/rules/non-root-containers/test/cronjob/expected.json
@@ -1,12 +1,14 @@
 [{
- "alertMessage": "container :hello in CronJob: hello may run as root",
+ "alertMessage": "container: hello in CronJob: hello may run as root",
+ "reviewPaths": [],
 "failedPaths": [],
 "fixPaths": [{
 "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.runAsNonRoot",
 "value": "true"
- }, {
- "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation",
- "value": "false"
+ },
+ {
+ "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.runAsGroup",
+ "value": "1000"
 }],
 "ruleStatus": "",
 "packagename": "armo_builtins",
@@ -21,9 +23,17 @@
 }]
 }
 }, {
- "alertMessage": "container :hello2 in CronJob: hello may run as root",
- "failedPaths": ["spec.jobTemplate.spec.template.spec.containers[1].securityContext.runAsNonRoot"],
- "fixPaths": [],
+ "alertMessage": "container: hello2 in CronJob: hello may run as root",
+ "reviewPaths": [],
+ "failedPaths": [],
+ "fixPaths": [{
+ "path": "spec.jobTemplate.spec.template.spec.containers[1].securityContext.runAsNonRoot",
+ "value": "true"
+ },
+ {
+ "path": "spec.jobTemplate.spec.template.spec.containers[1].securityContext.runAsGroup",
+ "value": "1000"
+ }],
 "ruleStatus": "",
 "packagename": "armo_builtins",
 "alertScore": 7,
diff --git a/rules/non-root-containers/test/cronjob/input/cronjob.yaml b/rules/non-root-containers/test/cronjob/input/cronjob.yaml
index de23a020b..c2befc84d 100644
--- a/rules/non-root-containers/test/cronjob/input/cronjob.yaml
+++ b/rules/non-root-containers/test/cronjob/input/cronjob.yaml
@@ -8,6 +8,8 @@ spec:
 spec:
 template:
 spec:
+ securityContext:
+ runAsNonRoot: false
 containers:
 - name: hello
 image: busybox
diff --git a/rules/non-root-containers/test/deployment-fail/expected.json b/rules/non-root-containers/test/deployment-fail/expected.json
new file mode 100644
index 000000000..1a41e40ba
--- /dev/null
+++ b/rules/non-root-containers/test/deployment-fail/expected.json
@@ -0,0 +1,48 @@
+[{
+ "alertMessage": "container: nginx in Deployment: nginx-deployment may run as root",
+ "reviewPaths": [],
+ "failedPaths": [],
+ "fixPaths": [{
+ "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot",
+ "value": "true"
+ }],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 7,
+ "alertObject": {
+ "k8sApiObjects": [{
+ "apiVersion": "apps/v1",
+ "kind": "Deployment",
+ "metadata": {
+ "labels": {
+ "app": "nginx"
+ },
+ "name": "nginx-deployment"
+ }
+ }]
+ }
+},
+{
+ "alertMessage": "container: nginx2 in Deployment: nginx-deployment may run as root",
+ "reviewPaths": [],
+ "failedPaths": [],
+ "fixPaths": [{
+ "path": "spec.template.spec.containers[1].securityContext.runAsGroup",
+ "value": "1000"
+ }],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 7,
+ "alertObject": {
+ "k8sApiObjects": [{
+ "apiVersion": "apps/v1",
+ "kind": "Deployment",
+ "metadata": {
+ "labels": {
+ "app": "nginx"
+ },
+ "name": "nginx-deployment"
+ }
+ }]
+ }
+}]
\ No newline at end of file
diff --git a/rules/non-root-containers/test/deployment-fail/input/deployment.yaml b/rules/non-root-containers/test/deployment-fail/input/deployment.yaml
new file mode 100644
index 000000000..286857f11
--- /dev/null
+++ b/rules/non-root-containers/test/deployment-fail/input/deployment.yaml
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx-deployment
+ labels:
+ app: nginx
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ containers:
+ - name: nginx
+ securityContext:
+ runAsNonRoot: false
+ runAsGroup: 2000
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80
+ - name: nginx2
+ securityContext:
+ runAsGroup: 0
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80
\ No newline at end of file
diff --git a/rules/non-root-containers/test/deployment-fixed-path/input/deploy.yaml b/rules/non-root-containers/test/deployment-fixed-path/input/deploy.yaml
deleted file mode 100644
index fef5c078f..000000000
--- a/rules/non-root-containers/test/deployment-fixed-path/input/deploy.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: static-web
- labels:
- role: myrole
-spec:
- securityContext:
- allowPrivilegeEscalation: false
- runAsGroup: 1
- containers:
- - name: web
- image: nginx
- ports:
- - name: web
- containerPort: 80
- protocol: TCP
\ No newline at end of file
diff --git a/rules/CVE-2022-0492/test/root_user_pass/expected.json b/rules/non-root-containers/test/deployment-pass/expected.json
similarity index 100%
rename from rules/CVE-2022-0492/test/root_user_pass/expected.json
rename to rules/non-root-containers/test/deployment-pass/expected.json
diff --git a/rules/non-root-containers/test/deployment/input/deployment.yaml b/rules/non-root-containers/test/deployment-pass/input/deployment.yaml
similarity index 86%
rename from rules/non-root-containers/test/deployment/input/deployment.yaml
rename to rules/non-root-containers/test/deployment-pass/input/deployment.yaml
index fc8442f6b..7268e27ac 100644
--- a/rules/non-root-containers/test/deployment/input/deployment.yaml
+++ b/rules/non-root-containers/test/deployment-pass/input/deployment.yaml
@@ -17,7 +17,8 @@ spec:
 containers:
 - name: nginx
 securityContext:
- runAsUser: 0
+ runAsNonRoot: true
+ runAsGroup: 2000
 image: nginx:1.14.2
 ports:
 - containerPort: 80
\ No newline at end of file
diff --git a/rules/non-root-containers/test/deployment/expected.json b/rules/non-root-containers/test/deployment/expected.json
deleted file mode 100644
index 3cee13298..000000000
--- a/rules/non-root-containers/test/deployment/expected.json
+++ /dev/null
@@ -1,20 +0,0 @@
-[{
- "alertMessage": "container :nginx in Deployment: nginx-deployment may run as root",
- "failedPaths": ["spec.template.spec.containers[0].securityContext.runAsUser"],
- "fixPaths": [],
- "ruleStatus": "",
- "packagename": "armo_builtins",
- "alertScore": 7,
- "alertObject": {
- "k8sApiObjects": [{
- "apiVersion": "apps/v1",
- "kind": "Deployment",
- "metadata": {
- "labels": {
- "app": "nginx"
- },
- "name": "nginx-deployment"
- }
- }]
- }
-}]
\ No newline at end of file
diff --git a/rules/non-root-containers/test/pod/expected.json b/rules/non-root-containers/test/pod/expected.json
index 5214ad4f2..c9c230d15 100644
--- a/rules/non-root-containers/test/pod/expected.json
+++ b/rules/non-root-containers/test/pod/expected.json
@@ -1,23 +1,30 @@
-[{
- "alertMessage": "container: web in pod: static-web may run as root",
- "failedPaths": [],
- "fixPaths": [{
- "path": "spec.containers[0].securityContext.runAsNonRoot",
- "value": "true"
- }],
- "ruleStatus": "",
- "packagename": "armo_builtins",
- "alertScore": 7,
- "alertObject": {
- "k8sApiObjects": [{
- "apiVersion": "v1",
- "kind": "Pod",
- "metadata": {
- "labels": {
- "role": "myrole"
- },
- "name": "static-web"
+[
+ {
+ "alertMessage": "container: web in pod: static-web may run as root",
+ "reviewPaths": [],
+ "failedPaths": [],
+ "fixPaths": [
+ {
+ "path": "spec.containers[0].securityContext.runAsNonRoot",
+ "value": "true"
 }
- }]
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 7,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "role": "myrole"
+ },
+ "name": "static-web"
+ }
+ }
+ ]
+ }
 }
-}]
\ No newline at end of file
+]
\ No newline at end of file
diff --git a/rules/non-root-containers/test/pod/input/pod.yaml b/rules/non-root-containers/test/pod/input/pod.yaml
index 8dc43eecc..cbf23e96b 100644
--- a/rules/non-root-containers/test/pod/input/pod.yaml
+++ b/rules/non-root-containers/test/pod/input/pod.yaml
@@ -6,11 +6,13 @@ metadata:
 role: myrole
 spec:
 securityContext:
- allowPrivilegeEscalation: false
+ runAsNonRoot: false
 containers:
 - name: web
 image: nginx
 ports:
 - name: web
 containerPort: 80
- protocol: TCP
\ No newline at end of file
+ protocol: TCP
+ securityContext:
+ runAsGroup: 1000
\ No newline at end of file
diff --git a/rules/outdated-k8s-version/raw.rego b/rules/outdated-k8s-version/raw.rego
new file mode 100644
index 000000000..810931a3b
--- /dev/null
+++ b/rules/outdated-k8s-version/raw.rego
@@ -0,0 +1,25 @@
+package armo_builtins
+
+import future.keywords.every
+
+deny[msga] {
+ node := input[_]
+ node.kind == "Node"
+ current_version := node.status.nodeInfo.kubeletVersion
+ has_outdated_version(current_version)
+ path := "status.nodeInfo.kubeletVersion"
+ msga := {
+ "alertMessage": sprintf("Your kubelet version: %s, in node: %s is outdated", [current_version, node.metadata.name]),
+ "reviewPaths": [path],
+ "alertObject": {"k8SApiObjects": [node]},
+ }
+}
+
+
+has_outdated_version(version) {
+ # the `supported_k8s_versions` is validated in the validations script against "https://api.github.com/repos/kubernetes/kubernetes/releases"
+ supported_k8s_versions := ["v1.31", "v1.30", "v1.29"]
+ every v in supported_k8s_versions{
+ not startswith(version, v)
+ }
+}
diff --git a/rules/outdated-k8s-version/rule.metadata.json b/rules/outdated-k8s-version/rule.metadata.json
new file mode 100644
index 000000000..4efa6cf6a
--- /dev/null
+++ b/rules/outdated-k8s-version/rule.metadata.json
@@ -0,0 +1,22 @@
+{
+ "name": "outdated-k8s-version",
+ "attributes": {},
+ "ruleLanguage": "Rego",
+ "match": [
+ {
+ "apiGroups": [
+ ""
+ ],
+ "apiVersions": [
+ "v1"
+ ],
+ "resources": [
+ "Node"
+ ]
+ }
+ ],
+ "ruleDependencies": [],
+ "description": "",
+ "remediation": "",
+ "ruleQuery": "armo_builtins"
+}
\ No newline at end of file
diff --git a/rules/outdated-k8s-version/test/fail/expected.json b/rules/outdated-k8s-version/test/fail/expected.json
new file mode 100644
index 000000000..4191e8669
--- /dev/null
+++ b/rules/outdated-k8s-version/test/fail/expected.json
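Review bot: `has_outdated_version` reports every kubelet version that is not in the hard-coded `supported_k8s_versions` list, so a node running a release newer than the list (a new minor shipped before this file is updated) is also flagged as "outdated", and a node whose `status.nodeInfo.kubeletVersion` is absent is silently skipped because the assignment in `deny` is undefined. Both behaviours may be intended, but neither is documented; a comment above the list such as `# any version not matched here, including versions newer than the list, is reported as outdated; nodes without a kubeletVersion are not evaluated` would make the maintenance expectation explicit. The `startswith` comparison also has no separator, so an entry like `"v1.3"` would match `"v1.31.x"`; the current two-digit entries avoid this, but `not startswith(version, sprintf("%s.", [v]))` would make the match minor-exact. The rule emits `"k8SApiObjects"` while the new expected fixtures use `"k8sApiObjects"`; if the test runner normalizes that key this is fine, otherwise it is worth checking.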
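Review bot: `description` and `remediation` are empty strings in the new `rules/outdated-k8s-version/rule.metadata.json`, so the rule ships with no user-facing statement of what is checked or how to fix a finding, unlike the sibling metadata files touched in this commit. Suggest `"description": "fails if the kubelet version of a node is not one of the supported Kubernetes minor versions",` and `"remediation": "Upgrade the node's kubelet to a supported Kubernetes version.",`.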
@@ -0,0 +1,38 @@
+[
+ {
+ "alertMessage": "Your kubelet version: v1.20.7, in node: minikube is outdated",
+ "failedPaths": null,
+ "reviewPaths": [
+ "status.nodeInfo.kubeletVersion"
+ ],
+ "deletePaths": null,
+ "fixPaths": null,
+ "ruleStatus": "",
+ "packagename": "",
+ "alertScore": 0,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Node",
+ "metadata": {
+ "labels": {
+ "beta.kubernetes.io/arch": "amd64",
+ "beta.kubernetes.io/os": "linux",
+ "kubernetes.io/arch": "amd64",
+ "kubernetes.io/hostname": "minikube",
+ "kubernetes.io/os": "linux",
+ "minikube.k8s.io/commit": "76d74191d82c47883dc7e1319ef7cebd3e00ee11",
+ "minikube.k8s.io/name": "minikube",
+ "minikube.k8s.io/updated_at": "2022_01_03T11_57_45_0700",
+ "minikube.k8s.io/version": "v1.21.0",
+ "node-role.kubernetes.io/control-plane": "",
+ "node-role.kubernetes.io/master": ""
+ },
+ "name": "minikube"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/outdated-k8s-version/test/fail/input/node.json b/rules/outdated-k8s-version/test/fail/input/node.json
new file mode 100644
index 000000000..15ef17826
--- /dev/null
+++ b/rules/outdated-k8s-version/test/fail/input/node.json
@@ -0,0 +1,211 @@ +{ + "apiVersion": "v1", + "kind": "Node", + "metadata": { + "annotations": { + "kubeadm.alpha.kubernetes.io/cri-socket": "/var/run/dockershim.sock", + "node.alpha.kubernetes.io/ttl": "0", + "volumes.kubernetes.io/controller-managed-attach-detach": "true" + }, + "creationTimestamp": "2022-01-03T09:57:41Z", + "labels": { + "beta.kubernetes.io/arch": "amd64", + "beta.kubernetes.io/os": "linux", + "kubernetes.io/arch": "amd64", + "kubernetes.io/hostname": "minikube", + "kubernetes.io/os": "linux", + "minikube.k8s.io/commit": "76d74191d82c47883dc7e1319ef7cebd3e00ee11", + "minikube.k8s.io/name": "minikube", + "minikube.k8s.io/updated_at": "2022_01_03T11_57_45_0700", + "minikube.k8s.io/version": "v1.21.0", + "node-role.kubernetes.io/control-plane": "", + "node-role.kubernetes.io/master": "" + }, + "name": "minikube", + "resourceVersion": "33341", + "uid": "6b3a6670-92aa-41b5-a8a7-a96372b4986b" + }, + "spec": { + "podCIDR": "10.244.0.0/24", + "podCIDRs": [ + "10.244.0.0/24" + ] + }, + "status": { + "addresses": [ + { + "address": "192.168.49.2", + "type": "InternalIP" + }, + { + "address": "minikube", + "type": "Hostname" + } + ], + "allocatable": { + "cpu": "4", + "ephemeral-storage": "92563096Ki", + "hugepages-2Mi": "0", + "memory": "10486240Ki", + "pods": "110" + }, + "capacity": { + "cpu": "4", + "ephemeral-storage": "92563096Ki", + "hugepages-2Mi": "0", + "memory": "10486240Ki", + "pods": "110" + }, + "conditions": [ + { + "lastHeartbeatTime": "2022-01-05T07:47:39Z", + "lastTransitionTime": "2022-01-03T09:57:39Z", + "message": "kubelet has sufficient memory available", + "reason": "KubeletHasSufficientMemory", + "status": "False", + "type": "MemoryPressure" + }, + { + "lastHeartbeatTime": "2022-01-05T07:47:39Z", + "lastTransitionTime": "2022-01-03T09:57:39Z", + "message": "kubelet has no disk pressure", + "reason": "KubeletHasNoDiskPressure", + "status": "False", + "type": "DiskPressure" + }, + { + "lastHeartbeatTime": "2022-01-05T07:47:39Z", + 
"lastTransitionTime": "2022-01-03T09:57:39Z", + "message": "kubelet has sufficient PID available", + "reason": "KubeletHasSufficientPID", + "status": "False", + "type": "PIDPressure" + }, + { + "lastHeartbeatTime": "2022-01-05T07:47:39Z", + "lastTransitionTime": "2022-01-03T09:58:00Z", + "message": "kubelet is posting ready status", + "reason": "KubeletReady", + "status": "True", + "type": "Ready" + } + ], + "daemonEndpoints": { + "kubeletEndpoint": { + "Port": 10250 + } + }, + "images": [ + { + "names": [ + "influxdb@sha256:1a48c5c4b957b795cdf381bcf91e0d7de9edea2d9be984afbd6e4922e2e24484", + "influxdb:latest" + ], + "sizeBytes": 345902306 + }, + { + "names": [ + "k8s.gcr.io/etcd@sha256:4ad90a11b55313b182afc186b9876c8e891531b8db4c9bf1541953021618d0e2", + "k8s.gcr.io/etcd:3.4.13-0" + ], + "sizeBytes": 253392289 + }, + { + "names": [ + "kubernetesui/dashboard@sha256:7f80b5ba141bead69c4fee8661464857af300d7d7ed0274cf7beecedc00322e6", + "kubernetesui/dashboard:v2.1.0" + ], + "sizeBytes": 225733746 + }, + { + "names": [ + "k8s.gcr.io/kube-apiserver@sha256:5ab3d676c426bfb272fb7605e6978b90d5676913636a6105688862849961386f", + "k8s.gcr.io/kube-apiserver:v1.20.7" + ], + "sizeBytes": 121762183 + }, + { + "names": [ + "k8s.gcr.io/kube-proxy@sha256:5d2be61150535ed37b7a5fa5a8239f89afee505ab2fae05247447851eed710a8", + "k8s.gcr.io/kube-proxy:v1.20.7" + ], + "sizeBytes": 118396107 + }, + { + "names": [ + "k8s.gcr.io/kube-controller-manager@sha256:eb9b121cbe40cf9016b95cefd34fb9e62c4caf1516188a98b64f091d871a2d46", + "k8s.gcr.io/kube-controller-manager:v1.20.7" + ], + "sizeBytes": 116298119 + }, + { + "names": [ + "nginx@sha256:f7988fb6c02e0ce69257d9bd9cf37ae20a60f1df7563c3a2a6abe24160306b8d", + "nginx:1.14.2" + ], + "sizeBytes": 109129446 + }, + { + "names": [ + "k8s.gcr.io/kube-scheduler@sha256:6fdb12580353b6cd59de486ca650e3ba9270bc8d52f1d3052cd9bb1d4f28e189", + "k8s.gcr.io/kube-scheduler:v1.20.7" + ], + "sizeBytes": 47268231 + }, + { + "names": [ + 
"k8s.gcr.io/coredns@sha256:73ca82b4ce829766d4f1f10947c3a338888f876fbed0540dc849c89ff256e90c", + "k8s.gcr.io/coredns:1.7.0" + ], + "sizeBytes": 45227747 + }, + { + "names": [ + "kubernetesui/metrics-scraper@sha256:555981a24f184420f3be0c79d4efb6c948a85cfce84034f85a563f4151a81cbf", + "kubernetesui/metrics-scraper:v1.0.4" + ], + "sizeBytes": 36937728 + }, + { + "names": [ + "gcr.io/k8s-minikube/storage-provisioner@sha256:18eb69d1418e854ad5a19e399310e52808a8321e4c441c1dddad8977a0d7a944", + "gcr.io/k8s-minikube/storage-provisioner:v5" + ], + "sizeBytes": 31465472 + }, + { + "names": [ + "k8s.gcr.io/goproxy@sha256:5334c7ad43048e3538775cb09aaf184f5e8acf4b0ea60e3bc8f1d93c209865a5", + "k8s.gcr.io/goproxy:0.1" + ], + "sizeBytes": 5489816 + }, + { + "names": [ + "k8s.gcr.io/test-webserver@sha256:f63e365c13646f231ec4a16791c6133ddd7b80fcd1947f41ab193968e02b0745", + "k8s.gcr.io/test-webserver:latest" + ], + "sizeBytes": 4534272 + }, + { + "names": [ + "k8s.gcr.io/pause@sha256:927d98197ec1141a368550822d18fa1c60bdae27b78b0c004f705f548c07814f", + "k8s.gcr.io/pause:3.2" + ], + "sizeBytes": 682696 + } + ], + "nodeInfo": { + "architecture": "amd64", + "bootID": "85cb3c8a-7d8e-4885-9a9c-e8a340332f21", + "containerRuntimeVersion": "docker://20.10.7", + "kernelVersion": "5.11.0-43-generic", + "kubeProxyVersion": "v1.20.7", + "kubeletVersion": "v1.20.7", + "machineID": "b77ec962e3734760b1e756ffc5e83152", + "operatingSystem": "linux", + "osImage": "Ubuntu 20.04.2 LTS", + "systemUUID": "5bc452e6-12eb-404d-a17e-7df23ff82f57" + } + } +} diff --git a/rules/outdated-k8s-version/test/fail2/expected.json b/rules/outdated-k8s-version/test/fail2/expected.json new file mode 100644 index 000000000..ba3ba0217 --- /dev/null +++ b/rules/outdated-k8s-version/test/fail2/expected.json 
@@ -0,0 +1,35 @@
+[
+ {
+ "alertMessage": "Your kubelet version: v1.25.3, in node: attack-chain-6-control-plane is outdated",
+ "failedPaths": null,
+ "reviewPaths": [
+ "status.nodeInfo.kubeletVersion"
+ ],
+ "deletePaths": null,
+ "fixPaths": null,
+ "ruleStatus": "",
+ "packagename": "",
+ "alertScore": 0,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Node",
+ "metadata": {
+ "labels": {
+ "beta.kubernetes.io/arch": "amd64",
+ "beta.kubernetes.io/os": "linux",
+ "ingress-ready": "true",
+ "kubernetes.io/arch": "amd64",
+ "kubernetes.io/hostname": "attack-chain-6-control-plane",
+ "kubernetes.io/os": "linux",
+ "node-role.kubernetes.io/control-plane": "",
+ "node.kubernetes.io/exclude-from-external-load-balancers": ""
+ },
+ "name": "attack-chain-6-control-plane"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/outdated-k8s-version/test/fail2/input/node.json b/rules/outdated-k8s-version/test/fail2/input/node.json
new file mode 100644
index 000000000..f4404ec98
--- /dev/null
+++ b/rules/outdated-k8s-version/test/fail2/input/node.json
@@ -0,0 +1,296 @@ +{ + "apiVersion": "v1", + "kind": "Node", + "metadata": { + "annotations": { + "kubeadm.alpha.kubernetes.io/cri-socket": "unix:///run/containerd/containerd.sock", + "node.alpha.kubernetes.io/ttl": "0", + "volumes.kubernetes.io/controller-managed-attach-detach": "true" + }, + "creationTimestamp": "2024-02-20T11:17:49Z", + "labels": { + "beta.kubernetes.io/arch": "amd64", + "beta.kubernetes.io/os": "linux", + "ingress-ready": "true", + "kubernetes.io/arch": "amd64", + "kubernetes.io/hostname": "attack-chain-6-control-plane", + "kubernetes.io/os": "linux", + "node-role.kubernetes.io/control-plane": "", + "node.kubernetes.io/exclude-from-external-load-balancers": "" + }, + "name": "attack-chain-6-control-plane", + "resourceVersion": "291629", + "uid": "7102f06c-ec50-4150-a962-83f5e35b7d9d" + }, + "spec": { + "podCIDR": "10.244.0.0/24", + "podCIDRs": [ + "10.244.0.0/24" + ], + "providerID": "kind://docker/attack-chain-6/attack-chain-6-control-plane" + }, + "status": { + "addresses": [ + { + "address": "172.18.0.2", + "type": "InternalIP" + }, + { + "address": "attack-chain-6-control-plane", + "type": "Hostname" + } + ], + "allocatable": { + "cpu": "8", + "ephemeral-storage": "486903968Ki", + "hugepages-1Gi": "0", + "hugepages-2Mi": "0", + "memory": "16081500Ki", + "pods": "110" + }, + "capacity": { + "cpu": "8", + "ephemeral-storage": "486903968Ki", + "hugepages-1Gi": "0", + "hugepages-2Mi": "0", + "memory": "16081500Ki", + "pods": "110" + }, + "conditions": [ + { + "lastHeartbeatTime": "2024-03-04T09:45:05Z", + "lastTransitionTime": "2024-02-20T11:17:46Z", + "message": "kubelet has sufficient memory available", + "reason": "KubeletHasSufficientMemory", + "status": "False", + "type": "MemoryPressure" + }, + { + "lastHeartbeatTime": "2024-03-04T09:45:05Z", + "lastTransitionTime": "2024-02-20T11:17:46Z", + "message": "kubelet has no disk pressure", + "reason": "KubeletHasNoDiskPressure", + "status": "False", + "type": "DiskPressure" + }, + { + 
"lastHeartbeatTime": "2024-03-04T09:45:05Z", + "lastTransitionTime": "2024-02-20T11:17:46Z", + "message": "kubelet has sufficient PID available", + "reason": "KubeletHasSufficientPID", + "status": "False", + "type": "PIDPressure" + }, + { + "lastHeartbeatTime": "2024-03-04T09:45:05Z", + "lastTransitionTime": "2024-02-20T11:18:12Z", + "message": "kubelet is posting ready status", + "reason": "KubeletReady", + "status": "True", + "type": "Ready" + } + ], + "daemonEndpoints": { + "kubeletEndpoint": { + "Port": 10250 + } + }, + "images": [ + { + "names": [ + "docker.io/library/wordpress@sha256:5f1873a461105cb1dc1a75731671125f1fb406b18e3fcf63210e8f7f84ce560b", + "docker.io/library/wordpress:6.0.1-php7.4" + ], + "sizeBytes": 214624632 + }, + { + "names": [ + "docker.io/library/mysql@sha256:ff5ab9cdce0b4c59704b4e2a09deed5ab8467be795e0ea20228b8528f53fcf82", + "docker.io/library/mysql:oracle" + ], + "sizeBytes": 183413119 + }, + { + "names": [ + "registry.k8s.io/etcd:3.5.4-0" + ], + "sizeBytes": 102157811 + }, + { + "names": [ + "docker.io/bitnami/kubectl@sha256:15f8664618ec2efea467067e86591b876eef0ef84f1ad09e15aab5ca5bc441fb", + "docker.io/bitnami/kubectl:1.27.6" + ], + "sizeBytes": 80620317 + }, + { + "names": [ + "docker.io/library/import-2022-11-02@sha256:975ab6838f71ba7f8ed71ea319124bc7adbdc41a639e329e76d0beda84d5c193", + "registry.k8s.io/kube-apiserver:v1.25.3" + ], + "sizeBytes": 76530158 + }, + { + "names": [ + "quay.io/kubescape/kubescape@sha256:9ccc948e83b22cd3fc6919b4e3e44536530cc9426a13b8d5e07bf3b2bd1b0f22", + "quay.io/kubescape/kubescape:v3.0.3" + ], + "sizeBytes": 71122909 + }, + { + "names": [ + "docker.io/library/import-2022-11-02@sha256:ea11577bfe5c64a2c95b291596042b878dcc627903e3d9e3734c51b0fc019af1", + "registry.k8s.io/kube-controller-manager:v1.25.3" + ], + "sizeBytes": 64499324 + }, + { + "names": [ + "docker.io/library/import-2022-11-02@sha256:a8333982f3c16667801faa12373e05cc7024e0182e4d034679b83e4911d1fdd1", + "registry.k8s.io/kube-proxy:v1.25.3" + ], 
+ "sizeBytes": 63273981 + }, + { + "names": [ + "docker.io/library/import-2022-11-02@sha256:2a436be2b9f9f6973775123308760aeb44edaeda099374efd3ddab5a91812121", + "registry.k8s.io/kube-scheduler:v1.25.3" + ], + "sizeBytes": 51920508 + }, + { + "names": [ + "quay.io/kubescape/kubevuln@sha256:94cbbb94f8d6bdf2529d5f9c5279ac4c7411182f4e8e5a3d0b5e8f10a465f73a", + "quay.io/kubescape/kubevuln:v0.3.2" + ], + "sizeBytes": 51702904 + }, + { + "names": [ + "quay.io/kubescape/storage@sha256:9b712b34dbc38cc40a212e7857cac5ce3880624bd7afdd34fb7ff89867cbfaaa", + "quay.io/kubescape/storage:v0.0.69" + ], + "sizeBytes": 43160553 + }, + { + "names": [ + "quay.io/kubescape/storage@sha256:b6ecc63dc4e16e1ae395c9bde571e39665166c5cc30d57f4f2dcb20cffac6fa7", + "quay.io/kubescape/storage:v0.0.67" + ], + "sizeBytes": 43122123 + }, + { + "names": [ + "quay.io/kubescape/synchronizer@sha256:205b3a3ea5f68ea537c820b353baa542ca126aa8223b76cbc8396e581698eaa4", + "quay.io/kubescape/synchronizer:v0.0.59" + ], + "sizeBytes": 39717995 + }, + { + "names": [ + "quay.io/kubescape/node-agent@sha256:c15f198440e20d404dcb1eed4efed1393b8871c09b31fb49c9a0eb335ad7097c", + "quay.io/kubescape/node-agent:v0.2.12" + ], + "sizeBytes": 38501567 + }, + { + "names": [ + "quay.io/kubescape/node-agent@sha256:77a965ea2abffdd6b4a6988db7c7e009912e8bea1cb2c05f31c0bd74daf50c10", + "quay.io/kubescape/node-agent:v0.2.10" + ], + "sizeBytes": 38455760 + }, + { + "names": [ + "quay.io/kubescape/operator@sha256:dd2adac214bae06915d9b2b5b383212f8dae463d7fe4e56cb26b20f88cb623ee", + "quay.io/kubescape/operator:v0.2.4" + ], + "sizeBytes": 37683286 + }, + { + "names": [ + "quay.io/kubescape/gateway@sha256:f3852c3deb8838d4891cfa63f6d266fbe0daed34152219f1f5e970bbb4e35b1e", + "quay.io/kubescape/gateway:v0.1.20" + ], + "sizeBytes": 29748754 + }, + { + "names": [ + "docker.io/otel/opentelemetry-collector@sha256:92f6e2efd014152bee26f8324e3a511980b512a36d8793d3fee708715caaa6c0", + "docker.io/otel/opentelemetry-collector:0.92.0" + ], + "sizeBytes": 
28355004 + }, + { + "names": [ + "docker.io/kindest/kindnetd:v20221004-44d545d1" + ], + "sizeBytes": 25830582 + }, + { + "names": [ + "docker.io/kindest/local-path-provisioner:v0.0.22-kind.0" + ], + "sizeBytes": 17375346 + }, + { + "names": [ + "quay.io/kubescape/kollector@sha256:da216606a706e97a3456a3c2f3eee380db9579de3140a5f26623febe4ca4e6c4", + "quay.io/kubescape/kollector:v0.1.33" + ], + "sizeBytes": 16993483 + }, + { + "names": [ + "registry.k8s.io/coredns/coredns:v1.9.3" + ], + "sizeBytes": 14837849 + }, + { + "names": [ + "quay.io/kubescape/http-request@sha256:42e1d32255ad77cf980e5edfafaa1ee2688c217b67ac50b218e909bc5bb39276", + "quay.io/kubescape/http-request:v0.2.2" + ], + "sizeBytes": 7339246 + }, + { + "names": [ + "quay.io/kubescape/http-request@sha256:4b5f47715f2daefd4eb6265d410588bcda90e97a0588383f7b0904cac9baea26", + "quay.io/kubescape/http-request:v0.0.14" + ], + "sizeBytes": 6489710 + }, + { + "names": [ + "quay.io/kubescape/host-scanner@sha256:89fe7df48898769110dc6fb96050c3a8f58dd8d8dbc795b21471bb68148516f2", + "quay.io/kubescape/host-scanner:v1.0.66" + ], + "sizeBytes": 6472151 + }, + { + "names": [ + "docker.io/kindest/local-path-helper:v20220607-9a4d8d2a" + ], + "sizeBytes": 2859509 + }, + { + "names": [ + "registry.k8s.io/pause:3.7" + ], + "sizeBytes": 311278 + } + ], + "nodeInfo": { + "architecture": "amd64", + "bootID": "a0a0427b-40ea-4cf5-9f24-53d6e200ef2d", + "containerRuntimeVersion": "containerd://1.6.9", + "kernelVersion": "6.5.0-21-generic", + "kubeProxyVersion": "v1.25.3", + "kubeletVersion": "v1.25.3", + "machineID": "9cbf8e2fbf5540cd8ff218ef016ba690", + "operatingSystem": "linux", + "osImage": "Ubuntu 22.04.1 LTS", + "systemUUID": "3f39a350-3cd4-400f-875d-c270379817b0" + } + } +} diff --git a/rules/outdated-k8s-version/test/pass/expected.json b/rules/outdated-k8s-version/test/pass/expected.json new file mode 100644 index 000000000..0637a088a --- /dev/null +++ b/rules/outdated-k8s-version/test/pass/expected.json 
@@ -0,0 +1 @@
+[]
\ No newline at end of file
diff --git a/rules/outdated-k8s-version/test/pass/input/node.json b/rules/outdated-k8s-version/test/pass/input/node.json
new file mode 100644
index 000000000..30e409c70
--- /dev/null
+++ b/rules/outdated-k8s-version/test/pass/input/node.json
@@ -0,0 +1,211 @@ +{ + "apiVersion": "v1", + "kind": "Node", + "metadata": { + "annotations": { + "kubeadm.alpha.kubernetes.io/cri-socket": "/var/run/dockershim.sock", + "node.alpha.kubernetes.io/ttl": "0", + "volumes.kubernetes.io/controller-managed-attach-detach": "true" + }, + "creationTimestamp": "2022-01-03T09:57:41Z", + "labels": { + "beta.kubernetes.io/arch": "amd64", + "beta.kubernetes.io/os": "linux", + "kubernetes.io/arch": "amd64", + "kubernetes.io/hostname": "minikube", + "kubernetes.io/os": "linux", + "minikube.k8s.io/commit": "76d74191d82c47883dc7e1319ef7cebd3e00ee11", + "minikube.k8s.io/name": "minikube", + "minikube.k8s.io/updated_at": "2022_01_03T11_57_45_0700", + "minikube.k8s.io/version": "v1.21.0", + "node-role.kubernetes.io/control-plane": "", + "node-role.kubernetes.io/master": "" + }, + "name": "minikube", + "resourceVersion": "33341", + "uid": "6b3a6670-92aa-41b5-a8a7-a96372b4986b" + }, + "spec": { + "podCIDR": "10.244.0.0/24", + "podCIDRs": [ + "10.244.0.0/24" + ] + }, + "status": { + "addresses": [ + { + "address": "192.168.49.2", + "type": "InternalIP" + }, + { + "address": "minikube", + "type": "Hostname" + } + ], + "allocatable": { + "cpu": "4", + "ephemeral-storage": "92563096Ki", + "hugepages-2Mi": "0", + "memory": "10486240Ki", + "pods": "110" + }, + "capacity": { + "cpu": "4", + "ephemeral-storage": "92563096Ki", + "hugepages-2Mi": "0", + "memory": "10486240Ki", + "pods": "110" + }, + "conditions": [ + { + "lastHeartbeatTime": "2022-01-05T07:47:39Z", + "lastTransitionTime": "2022-01-03T09:57:39Z", + "message": "kubelet has sufficient memory available", + "reason": "KubeletHasSufficientMemory", + "status": "False", + "type": "MemoryPressure" + }, + { + "lastHeartbeatTime": "2022-01-05T07:47:39Z", + "lastTransitionTime": "2022-01-03T09:57:39Z", + "message": "kubelet has no disk pressure", + "reason": "KubeletHasNoDiskPressure", + "status": "False", + "type": "DiskPressure" + }, + { + "lastHeartbeatTime": "2022-01-05T07:47:39Z", + 
"lastTransitionTime": "2022-01-03T09:57:39Z", + "message": "kubelet has sufficient PID available", + "reason": "KubeletHasSufficientPID", + "status": "False", + "type": "PIDPressure" + }, + { + "lastHeartbeatTime": "2022-01-05T07:47:39Z", + "lastTransitionTime": "2022-01-03T09:58:00Z", + "message": "kubelet is posting ready status", + "reason": "KubeletReady", + "status": "True", + "type": "Ready" + } + ], + "daemonEndpoints": { + "kubeletEndpoint": { + "Port": 10250 + } + }, + "images": [ + { + "names": [ + "influxdb@sha256:1a48c5c4b957b795cdf381bcf91e0d7de9edea2d9be984afbd6e4922e2e24484", + "influxdb:latest" + ], + "sizeBytes": 345902306 + }, + { + "names": [ + "k8s.gcr.io/etcd@sha256:4ad90a11b55313b182afc186b9876c8e891531b8db4c9bf1541953021618d0e2", + "k8s.gcr.io/etcd:3.4.13-0" + ], + "sizeBytes": 253392289 + }, + { + "names": [ + "kubernetesui/dashboard@sha256:7f80b5ba141bead69c4fee8661464857af300d7d7ed0274cf7beecedc00322e6", + "kubernetesui/dashboard:v2.1.0" + ], + "sizeBytes": 225733746 + }, + { + "names": [ + "k8s.gcr.io/kube-apiserver@sha256:5ab3d676c426bfb272fb7605e6978b90d5676913636a6105688862849961386f", + "k8s.gcr.io/kube-apiserver:v1.28.6" + ], + "sizeBytes": 121762183 + }, + { + "names": [ + "k8s.gcr.io/kube-proxy@sha256:5d2be61150535ed37b7a5fa5a8239f89afee505ab2fae05247447851eed710a8", + "k8s.gcr.io/kube-proxy:v1.28.6" + ], + "sizeBytes": 118396107 + }, + { + "names": [ + "k8s.gcr.io/kube-controller-manager@sha256:eb9b121cbe40cf9016b95cefd34fb9e62c4caf1516188a98b64f091d871a2d46", + "k8s.gcr.io/kube-controller-manager:v1.28.6" + ], + "sizeBytes": 116298119 + }, + { + "names": [ + "nginx@sha256:f7988fb6c02e0ce69257d9bd9cf37ae20a60f1df7563c3a2a6abe24160306b8d", + "nginx:1.14.2" + ], + "sizeBytes": 109129446 + }, + { + "names": [ + "k8s.gcr.io/kube-scheduler@sha256:6fdb12580353b6cd59de486ca650e3ba9270bc8d52f1d3052cd9bb1d4f28e189", + "k8s.gcr.io/kube-scheduler:v1.28.6" + ], + "sizeBytes": 47268231 + }, + { + "names": [ + 
"k8s.gcr.io/coredns@sha256:73ca82b4ce829766d4f1f10947c3a338888f876fbed0540dc849c89ff256e90c", + "k8s.gcr.io/coredns:1.7.0" + ], + "sizeBytes": 45227747 + }, + { + "names": [ + "kubernetesui/metrics-scraper@sha256:555981a24f184420f3be0c79d4efb6c948a85cfce84034f85a563f4151a81cbf", + "kubernetesui/metrics-scraper:v1.0.4" + ], + "sizeBytes": 36937728 + }, + { + "names": [ + "gcr.io/k8s-minikube/storage-provisioner@sha256:18eb69d1418e854ad5a19e399310e52808a8321e4c441c1dddad8977a0d7a944", + "gcr.io/k8s-minikube/storage-provisioner:v5" + ], + "sizeBytes": 31465472 + }, + { + "names": [ + "k8s.gcr.io/goproxy@sha256:5334c7ad43048e3538775cb09aaf184f5e8acf4b0ea60e3bc8f1d93c209865a5", + "k8s.gcr.io/goproxy:0.1" + ], + "sizeBytes": 5489816 + }, + { + "names": [ + "k8s.gcr.io/test-webserver@sha256:f63e365c13646f231ec4a16791c6133ddd7b80fcd1947f41ab193968e02b0745", + "k8s.gcr.io/test-webserver:latest" + ], + "sizeBytes": 4534272 + }, + { + "names": [ + "k8s.gcr.io/pause@sha256:927d98197ec1141a368550822d18fa1c60bdae27b78b0c004f705f548c07814f", + "k8s.gcr.io/pause:3.2" + ], + "sizeBytes": 682696 + } + ], + "nodeInfo": { + "architecture": "amd64", + "bootID": "85cb3c8a-7d8e-4885-9a9c-e8a340332f21", + "containerRuntimeVersion": "docker://20.10.7", + "kernelVersion": "5.11.0-43-generic", + "kubeProxyVersion": "v1.31.6", + "kubeletVersion": "v1.31.6", + "machineID": "b77ec962e3734760b1e756ffc5e83152", + "operatingSystem": "linux", + "osImage": "Ubuntu 20.04.2 LTS", + "systemUUID": "5bc452e6-12eb-404d-a17e-7df23ff82f57" + } + } +} diff --git a/rules/persistentvolumeclaim-in-default-namespace/rule.metadata.json b/rules/persistentvolumeclaim-in-default-namespace/rule.metadata.json index aa95aa8cb..8ac640583 100644 --- a/rules/persistentvolumeclaim-in-default-namespace/rule.metadata.json +++ b/rules/persistentvolumeclaim-in-default-namespace/rule.metadata.json 
@@ -1,7 +1,6 @@
 {
 "name": "persistentvolumeclaim-in-default-namespace",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/persistentvolumeclaim-in-default-namespace/test/persistentvolumeclaim/expected.json b/rules/persistentvolumeclaim-in-default-namespace/test/persistentvolumeclaim/expected.json
index 2879c2c7c..e03ee3612 100644
--- a/rules/persistentvolumeclaim-in-default-namespace/test/persistentvolumeclaim/expected.json
+++ b/rules/persistentvolumeclaim-in-default-namespace/test/persistentvolumeclaim/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "PersistentVolumeClaim: kubescape is in the 'default' namespace",
+ "reviewPaths": [
+ "metadata.namespace"
+ ],
 "failedPaths": [
 "metadata.namespace"
 ],
diff --git a/rules/pod-security-admission-applied-1/rule.metadata.json b/rules/pod-security-admission-applied-1/rule.metadata.json
index 73bfc5ac3..41f2762c3 100644
--- a/rules/pod-security-admission-applied-1/rule.metadata.json
+++ b/rules/pod-security-admission-applied-1/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "pod-security-admission-applied-1",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/pod-security-admission-applied-2/rule.metadata.json b/rules/pod-security-admission-applied-2/rule.metadata.json
index cd339c400..1361e9b1d 100644
--- a/rules/pod-security-admission-applied-2/rule.metadata.json
+++ b/rules/pod-security-admission-applied-2/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "pod-security-admission-applied-2",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/pod-security-admission-baseline-applied-1/rule.metadata.json b/rules/pod-security-admission-baseline-applied-1/rule.metadata.json
index 017d627d5..1227691ba 100644
--- a/rules/pod-security-admission-baseline-applied-1/rule.metadata.json
+++ b/rules/pod-security-admission-baseline-applied-1/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "pod-security-admission-baseline-applied-1",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/pod-security-admission-baseline-applied-2/rule.metadata.json b/rules/pod-security-admission-baseline-applied-2/rule.metadata.json
index c6585ec4b..e9ec115f9 100644
--- a/rules/pod-security-admission-baseline-applied-2/rule.metadata.json
+++ b/rules/pod-security-admission-baseline-applied-2/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "pod-security-admission-baseline-applied-2",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/pod-security-admission-restricted-applied-1/rule.metadata.json b/rules/pod-security-admission-restricted-applied-1/rule.metadata.json
index 1d7d13acb..8b1204ad3 100644
--- a/rules/pod-security-admission-restricted-applied-1/rule.metadata.json
+++ b/rules/pod-security-admission-restricted-applied-1/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "pod-security-admission-restricted-applied-1",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/pod-security-admission-restricted-applied-2/rule.metadata.json b/rules/pod-security-admission-restricted-applied-2/rule.metadata.json
index ae004d1e1..70c8aaaa8 100644
--- a/rules/pod-security-admission-restricted-applied-2/rule.metadata.json
+++ b/rules/pod-security-admission-restricted-applied-2/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "pod-security-admission-restricted-applied-2",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/poddisruptionbudget-in-default-namespace/rule.metadata.json b/rules/poddisruptionbudget-in-default-namespace/rule.metadata.json
index f1842b843..e8dd28ec9 100644
--- a/rules/poddisruptionbudget-in-default-namespace/rule.metadata.json
+++ b/rules/poddisruptionbudget-in-default-namespace/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "poddisruptionbudget-in-default-namespace",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/poddisruptionbudget-in-default-namespace/test/poddisruptionbudget/expected.json b/rules/poddisruptionbudget-in-default-namespace/test/poddisruptionbudget/expected.json
index 7ac71c1eb..865c4db6c 100644
--- a/rules/poddisruptionbudget-in-default-namespace/test/poddisruptionbudget/expected.json
+++ b/rules/poddisruptionbudget-in-default-namespace/test/poddisruptionbudget/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "PodDisruptionBudget: kubescape is in the 'default' namespace",
+ "reviewPaths": [
+ "metadata.namespace"
+ ],
 "failedPaths": [
 "metadata.namespace"
 ],
diff --git a/rules/pods-in-default-namespace/rule.metadata.json b/rules/pods-in-default-namespace/rule.metadata.json
index 0a4793b8a..d60f709f5 100644
--- a/rules/pods-in-default-namespace/rule.metadata.json
+++ b/rules/pods-in-default-namespace/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "pods-in-default-namespace",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/pods-in-default-namespace/test/cronjob/expected.json b/rules/pods-in-default-namespace/test/cronjob/expected.json
index e918da7bd..586b1c277 100644
--- a/rules/pods-in-default-namespace/test/cronjob/expected.json
+++ b/rules/pods-in-default-namespace/test/cronjob/expected.json
@@ -1,6 +1,7 @@
 [{
 "alertMessage": "CronJob: hello has pods running in the 'default' namespace",
 "fixPaths": [],
+ "reviewPaths": ["metadata.namespace"],
 "failedPaths": ["metadata.namespace"],
 "ruleStatus": "",
 "packagename": "armo_builtins",
diff --git a/rules/pods-in-default-namespace/test/pod/expected.json b/rules/pods-in-default-namespace/test/pod/expected.json
index 25d0a4afd..88d988ed9 100644
--- a/rules/pods-in-default-namespace/test/pod/expected.json
+++ b/rules/pods-in-default-namespace/test/pod/expected.json
@@ -1,6 +1,7 @@
 [
 {
 "alertMessage": "Pod: envar-demo has pods running in the 'default' namespace",
+ "reviewPaths": [],
 "failedPaths": [],
 "fixPaths": [
 {
diff --git a/rules/pods-in-default-namespace/test/workload/expected.json b/rules/pods-in-default-namespace/test/workload/expected.json
index 9c6cea39b..d77fdf0af 100644
--- a/rules/pods-in-default-namespace/test/workload/expected.json
+++ b/rules/pods-in-default-namespace/test/workload/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "Deployment: test has pods running in the 'default' namespace",
+ "reviewPaths": [
+ "metadata.namespace"
+ ],
 "failedPaths": [
 "metadata.namespace"
 ],
diff --git a/rules/podtemplate-in-default-namespace/rule.metadata.json b/rules/podtemplate-in-default-namespace/rule.metadata.json
index af0137234..95e52a409 100644
--- a/rules/podtemplate-in-default-namespace/rule.metadata.json
+++ b/rules/podtemplate-in-default-namespace/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "podtemplate-in-default-namespace",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/podtemplate-in-default-namespace/test/podtemplate/expected.json b/rules/podtemplate-in-default-namespace/test/podtemplate/expected.json
index 3d0b0addd..a622dfa80 100644
--- a/rules/podtemplate-in-default-namespace/test/podtemplate/expected.json
+++ b/rules/podtemplate-in-default-namespace/test/podtemplate/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "PodTemplate: kubescape is in the 'default' namespace",
+ "reviewPaths": [
+ "metadata.namespace"
+ ],
 "failedPaths": [
 "metadata.namespace"
 ],
diff --git a/rules/psp-deny-allowed-capabilities/rule.metadata.json b/rules/psp-deny-allowed-capabilities/rule.metadata.json
index 703a24c02..7512e8c08 100644
--- a/rules/psp-deny-allowed-capabilities/rule.metadata.json
+++ b/rules/psp-deny-allowed-capabilities/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "psp-deny-allowed-capabilities",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/psp-deny-allowed-capabilities/test/fail-many-true/expected.json b/rules/psp-deny-allowed-capabilities/test/fail-many-true/expected.json
index 4d6c7b068..2531fa8e0 100644
--- a/rules/psp-deny-allowed-capabilities/test/fail-many-true/expected.json
+++ b/rules/psp-deny-allowed-capabilities/test/fail-many-true/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "PodSecurityPolicy: 'eks.privileged' has allowedCapabilities.",
+ "deletePaths": [
+ "spec.allowedCapabilities"
+ ],
 "failedPaths": [
 "spec.allowedCapabilities"
 ],
@@ -26,6 +29,9 @@
 },
 {
 "alertMessage": "PodSecurityPolicy: 'eks.privileged1' has allowedCapabilities.",
+ "deletePaths": [
+ "spec.allowedCapabilities"
+ ],
 "failedPaths": [
 "spec.allowedCapabilities"
 ],
diff --git a/rules/psp-deny-allowed-capabilities/test/fail-only-one-true/expected.json b/rules/psp-deny-allowed-capabilities/test/fail-only-one-true/expected.json
index b633e668e..e6253fbe6 100644
--- a/rules/psp-deny-allowed-capabilities/test/fail-only-one-true/expected.json
+++ b/rules/psp-deny-allowed-capabilities/test/fail-only-one-true/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "PodSecurityPolicy: 'eks.privileged' has allowedCapabilities.",
+ "deletePaths": [
+ "spec.allowedCapabilities"
+ ],
 "failedPaths": [
 "spec.allowedCapabilities"
 ],
diff --git a/rules/psp-deny-allowprivilegeescalation/rule.metadata.json b/rules/psp-deny-allowprivilegeescalation/rule.metadata.json
index 0130c1cb7..4e558e338 100644
--- a/rules/psp-deny-allowprivilegeescalation/rule.metadata.json
+++ b/rules/psp-deny-allowprivilegeescalation/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "psp-deny-allowprivilegeescalation",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/psp-deny-allowprivilegeescalation/test/fail-many-true/expected.json b/rules/psp-deny-allowprivilegeescalation/test/fail-many-true/expected.json
index 78877ccb0..0d87c6515 100644
--- a/rules/psp-deny-allowprivilegeescalation/test/fail-many-true/expected.json
+++ b/rules/psp-deny-allowprivilegeescalation/test/fail-many-true/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "PodSecurityPolicy: 'eks.privileged' has allowPrivilegeEscalation set as true.",
+ "deletePaths": [
+ "spec.allowPrivilegeEscalation"
+ ],
 "failedPaths": [
 "spec.allowPrivilegeEscalation"
 ],
@@ -26,6 +29,9 @@
 },
 {
 "alertMessage": "PodSecurityPolicy: 'eks.privileged1' has allowPrivilegeEscalation set as true.",
+ "deletePaths": [
+ "spec.allowPrivilegeEscalation"
+ ],
 "failedPaths": [
 "spec.allowPrivilegeEscalation"
 ],
diff --git a/rules/psp-deny-allowprivilegeescalation/test/fail-only-one-true/expected.json b/rules/psp-deny-allowprivilegeescalation/test/fail-only-one-true/expected.json
index 6c69f9c40..c5b62a58e 100644
--- a/rules/psp-deny-allowprivilegeescalation/test/fail-only-one-true/expected.json
+++ b/rules/psp-deny-allowprivilegeescalation/test/fail-only-one-true/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "PodSecurityPolicy: 'eks.privileged' has allowPrivilegeEscalation set as true.",
+ "deletePaths": [
+ "spec.allowPrivilegeEscalation"
+ ],
 "failedPaths": [
 "spec.allowPrivilegeEscalation"
 ],
diff --git a/rules/psp-deny-hostipc/rule.metadata.json b/rules/psp-deny-hostipc/rule.metadata.json
index b40d771e1..08e649706 100644
--- a/rules/psp-deny-hostipc/rule.metadata.json
+++ b/rules/psp-deny-hostipc/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "psp-deny-hostipc",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/psp-deny-hostipc/test/fail-many-true/expected.json b/rules/psp-deny-hostipc/test/fail-many-true/expected.json
index af8375778..a3f050beb 100644
--- a/rules/psp-deny-hostipc/test/fail-many-true/expected.json
+++ b/rules/psp-deny-hostipc/test/fail-many-true/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "PodSecurityPolicy: 'eks.privileged' has hostIPC set as true.",
+ "deletePaths": [
+ "spec.hostIPC"
+ ],
 "failedPaths": [
 "spec.hostIPC"
 ],
@@ -26,6 +29,9 @@
 },
 {
 "alertMessage": "PodSecurityPolicy: 'eks.privileged1' has hostIPC set as true.",
+ "deletePaths": [
+ "spec.hostIPC"
+ ],
 "failedPaths": [
 "spec.hostIPC"
 ],
diff --git a/rules/psp-deny-hostipc/test/fail-only-one-true/expected.json b/rules/psp-deny-hostipc/test/fail-only-one-true/expected.json
index c13c18869..cec348136 100644
--- a/rules/psp-deny-hostipc/test/fail-only-one-true/expected.json
+++ b/rules/psp-deny-hostipc/test/fail-only-one-true/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "PodSecurityPolicy: 'eks.privileged' has hostIPC set as true.",
+ "deletePaths": [
+ "spec.hostIPC"
+ ],
 "failedPaths": [
 "spec.hostIPC"
 ],
diff --git a/rules/psp-deny-hostnetwork/rule.metadata.json b/rules/psp-deny-hostnetwork/rule.metadata.json
index c73ed47f2..3940d038f 100644
--- a/rules/psp-deny-hostnetwork/rule.metadata.json
+++ b/rules/psp-deny-hostnetwork/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "psp-deny-hostnetwork",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/psp-deny-hostnetwork/test/fail-many-true/expected.json b/rules/psp-deny-hostnetwork/test/fail-many-true/expected.json
index c3c022f42..fd31bead1 100644
--- a/rules/psp-deny-hostnetwork/test/fail-many-true/expected.json
+++ b/rules/psp-deny-hostnetwork/test/fail-many-true/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "PodSecurityPolicy: 'eks.privileged' has hostNetwork set as true.",
+ "deletePaths": [
+ "spec.hostNetwork"
+ ],
 "failedPaths": [
 "spec.hostNetwork"
 ],
@@ -26,6 +29,9 @@
 },
 {
 "alertMessage": "PodSecurityPolicy: 'eks.privileged1' has hostNetwork set as true.",
+ "deletePaths": [
+ "spec.hostNetwork"
+ ],
 "failedPaths": [
 "spec.hostNetwork"
 ],
diff --git a/rules/psp-deny-hostnetwork/test/fail-only-one-true/expected.json b/rules/psp-deny-hostnetwork/test/fail-only-one-true/expected.json
index 2d6598a06..257906445 100644
--- a/rules/psp-deny-hostnetwork/test/fail-only-one-true/expected.json
+++ b/rules/psp-deny-hostnetwork/test/fail-only-one-true/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "PodSecurityPolicy: 'eks.privileged' has hostNetwork set as true.",
+ "deletePaths": [
+ "spec.hostNetwork"
+ ],
 "failedPaths": [
 "spec.hostNetwork"
 ],
diff --git a/rules/psp-deny-hostpid/rule.metadata.json b/rules/psp-deny-hostpid/rule.metadata.json
index 09c49ce67..6913cc1dd 100644
--- a/rules/psp-deny-hostpid/rule.metadata.json
+++ b/rules/psp-deny-hostpid/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "psp-deny-hostpid",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/psp-deny-hostpid/test/fail-many-true/expected.json b/rules/psp-deny-hostpid/test/fail-many-true/expected.json
index c3ce6928a..cb1be0601 100644
--- a/rules/psp-deny-hostpid/test/fail-many-true/expected.json
+++ b/rules/psp-deny-hostpid/test/fail-many-true/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "PodSecurityPolicy: 'eks.privileged' has hostPID set as true.",
+ "deletePaths": [
+ "spec.hostPID"
+ ],
 "failedPaths": [
 "spec.hostPID"
 ],
@@ -26,6 +29,9 @@
 },
 {
 "alertMessage": "PodSecurityPolicy: 'eks.privileged1' has hostPID set as true.",
+ "deletePaths": [
+ "spec.hostPID"
+ ],
 "failedPaths": [
 "spec.hostPID"
 ],
diff --git a/rules/psp-deny-hostpid/test/fail-only-one-true/expected.json b/rules/psp-deny-hostpid/test/fail-only-one-true/expected.json
index 20b297e64..9c7340fc7 100644
--- a/rules/psp-deny-hostpid/test/fail-only-one-true/expected.json
+++ b/rules/psp-deny-hostpid/test/fail-only-one-true/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "PodSecurityPolicy: 'eks.privileged' has hostPID set as true.",
+ "deletePaths": [
+ "spec.hostPID"
+ ],
 "failedPaths": [
 "spec.hostPID"
 ],
diff --git a/rules/psp-deny-privileged-container/rule.metadata.json b/rules/psp-deny-privileged-container/rule.metadata.json
index 3a5bb8a6b..3da2bf6cb 100644
--- a/rules/psp-deny-privileged-container/rule.metadata.json
+++ b/rules/psp-deny-privileged-container/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "psp-deny-privileged-container",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/psp-deny-privileged-container/test/fail-many-true/expected.json b/rules/psp-deny-privileged-container/test/fail-many-true/expected.json
index fd5515975..fab7a4d0c 100644
--- a/rules/psp-deny-privileged-container/test/fail-many-true/expected.json
+++ b/rules/psp-deny-privileged-container/test/fail-many-true/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "PodSecurityPolicy: 'eks.privileged' has privileged set as true.",
+ "deletePaths": [
+ "spec.privileged"
+ ],
 "failedPaths": [
 "spec.privileged"
 ],
@@ -26,6 +29,9 @@
 },
 {
 "alertMessage": "PodSecurityPolicy: 'eks.privileged1' has privileged set as true.",
+ "deletePaths": [
+ "spec.privileged"
+ ],
 "failedPaths": [
 "spec.privileged"
 ],
diff --git a/rules/psp-deny-privileged-container/test/fail-only-one-true/expected.json b/rules/psp-deny-privileged-container/test/fail-only-one-true/expected.json
index 15c18b4cd..1a96548f7 100644
--- a/rules/psp-deny-privileged-container/test/fail-only-one-true/expected.json
+++ b/rules/psp-deny-privileged-container/test/fail-only-one-true/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "PodSecurityPolicy: 'eks.privileged' has privileged set as true.",
+ "deletePaths": [
+ "spec.privileged"
+ ],
 "failedPaths": [
 "spec.privileged"
 ],
diff --git a/rules/psp-deny-root-container/rule.metadata.json b/rules/psp-deny-root-container/rule.metadata.json
index e93b72109..d968bb14a 100644
--- a/rules/psp-deny-root-container/rule.metadata.json
+++ b/rules/psp-deny-root-container/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "psp-deny-root-container",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/psp-deny-root-container/test/fail-many-true/expected.json b/rules/psp-deny-root-container/test/fail-many-true/expected.json
index 01a89a6db..ec899eb5e 100644
--- a/rules/psp-deny-root-container/test/fail-many-true/expected.json
+++ b/rules/psp-deny-root-container/test/fail-many-true/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "PodSecurityPolicy: 'eks.privileged' permits containers to run as the root user.",
+ "deletePaths": [
+ "spec.runAsUser.rule"
+ ],
 "failedPaths": [
 "spec.runAsUser.rule"
 ],
@@ -26,6 +29,9 @@
 },
 {
 "alertMessage": "PodSecurityPolicy: 'eks.privileged1' permits containers to run as the root user.",
+ "deletePaths": [
+ "spec.runAsUser.rule"
+ ],
 "failedPaths": [
 "spec.runAsUser.rule"
 ],
diff --git a/rules/psp-deny-root-container/test/fail-only-one-true/expected.json b/rules/psp-deny-root-container/test/fail-only-one-true/expected.json
index 8618f025a..6246d7a6e 100644
--- a/rules/psp-deny-root-container/test/fail-only-one-true/expected.json
+++ b/rules/psp-deny-root-container/test/fail-only-one-true/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "PodSecurityPolicy: 'eks.privileged' permits containers to run as the root user.",
+ "deletePaths": [
+ "spec.runAsUser.rule"
+ ],
 "failedPaths": [
 "spec.runAsUser.rule"
 ],
diff --git a/rules/psp-enabled-cloud/rule.metadata.json b/rules/psp-enabled-cloud/rule.metadata.json
index 69bd842f8..fdd126f0f 100644
--- a/rules/psp-enabled-cloud/rule.metadata.json
+++ b/rules/psp-enabled-cloud/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "psp-enabled-cloud",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/psp-enabled-native/rule.metadata.json b/rules/psp-enabled-native/rule.metadata.json
index e4935133d..9b8c1fe5b 100644
--- a/rules/psp-enabled-native/rule.metadata.json
+++ b/rules/psp-enabled-native/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "psp-enabled-native",
 "attributes": {
- "armoBuiltin": true,
 "resourcesAggregator": "apiserver-pod",
 "useFromKubescapeVersion": "v1.0.133"
 },
diff --git a/rules/psp-enabled-native/test/test-failed/expected.json b/rules/psp-enabled-native/test/test-failed/expected.json
index 537c6d491..20f42ac92 100644
--- a/rules/psp-enabled-native/test/test-failed/expected.json
+++ b/rules/psp-enabled-native/test/test-failed/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "PodSecurityPolicy is not enabled",
+ "reviewPaths": [
+ "spec.containers[0].command[5]"
+ ],
 "failedPaths": [
 "spec.containers[0].command[5]"
 ],
diff --git a/rules/psp-required-drop-capabilities/rule.metadata.json b/rules/psp-required-drop-capabilities/rule.metadata.json
index c4dc3964f..42b92bdb9 100644
--- a/rules/psp-required-drop-capabilities/rule.metadata.json
+++ b/rules/psp-required-drop-capabilities/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "psp-required-drop-capabilities",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/pv-without-encryption/raw.rego b/rules/pv-without-encryption/raw.rego
new file mode 100644
index 000000000..cc9233d9f
--- /dev/null
+++ b/rules/pv-without-encryption/raw.rego
@@ -0,0 +1,46 @@
+package armo_builtins
+
+# Checks if Ingress is connected to a service and a workload to expose something
+deny[msga] {
+ pv := input[_]
+ pv.kind == "PersistentVolume"
+
+ # Find the related storage class
+ storageclass := input[_]
+ storageclass.kind == "StorageClass"
+ pv.spec.storageClassName == storageclass.metadata.name
+
+ # Check if storage class is encrypted
+ not is_storage_class_encrypted(storageclass)
+
+ msga := {
+ "alertMessage": sprintf("Volume '%v' has is using a storage class that does not use encryption", [pv.metadata.name]),
+ "packagename": "armo_builtins",
+ "failedPaths": [],
+ "fixPaths": [{
+ "path": "spec.storageClassName",
+ "value": ""
+ }],
+ "alertScore": 7,
+ "alertObject": {"k8sApiObjects": [pv]}
+ }
+}
+
+# Storage class is encrypted - AWS
+is_storage_class_encrypted(storageclass) {
+ storageclass.parameters.encrypted == "true"
+}
+
+# Storage class is encrypted - Azure
+is_storage_class_encrypted(storageclass) {
+ storageclass.provisioner
+ contains(storageclass.provisioner,"azure")
+}
+
+# Storage class is encrypted - GCP
+is_storage_class_encrypted(storageclass) {
+ # GKE encryption is enabled by default https://cloud.google.com/blog/products/containers-kubernetes/exploring-container-security-use-your-own-keys-to-protect-your-data-on-gke
+storageclass.provisioner
+ contains(storageclass.provisioner,"csi.storage.gke.io")
+}
+
diff --git a/rules/pv-without-encryption/rule.metadata.json b/rules/pv-without-encryption/rule.metadata.json
new file mode 100644
index 000000000..883df4e5c
--- /dev/null
+++ b/rules/pv-without-encryption/rule.metadata.json
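Review bot: The header comment `# Checks if Ingress is connected to a service and a workload to expose something` describes nothing in this file and reads as a paste from another rule; replace it with `# Fails if a PersistentVolume is bound to a StorageClass that does not enable encryption`, and fix the alert text from `has is using` to `is using`. The Azure and GCP branches of `is_storage_class_encrypted` accept any class whose provisioner merely contains `azure` or `csi.storage.gke.io` without reading its parameters, so a class with no `diskEncryptionSetID` (Azure) or no KMS key (GKE) passes exactly like the CMK fixtures in this change; if the intent is platform-default encryption that should be stated in the comment, and if the intent is customer-managed keys the parameters need to be checked. A PV whose `spec.storageClassName` is unset, or whose class is absent from the input, produces no finding at all because the join simply yields nothing, which deserves either a comment or its own deny rule. The bare `storageclass.provisioner` lines add nothing, since `contains` on an undefined value already makes the body undefined.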
@@ -0,0 +1,34 @@
+{
+ "name": "pv-without-encryption",
+ "attributes": {
+ "useFromKubescapeVersion": "v3.0.3"
+ },
+ "ruleLanguage": "Rego",
+ "match": [
+ {
+ "apiGroups": [
+ ""
+ ],
+ "apiVersions": [
+ "v1"
+ ],
+ "resources": [
+ "PersistentVolume"
+ ]
+ },
+ {
+ "apiGroups": [
+ "storage.k8s.io"
+ ],
+ "apiVersions": [
+ "v1"
+ ],
+ "resources": [
+ "StorageClass"
+ ]
+ }
+ ],
+ "description": "PersistentVolume without encryption",
+ "remediation": "",
+ "ruleQuery": "armo_builtins"
+}
diff --git a/rules/pv-without-encryption/test/aks/expected.json b/rules/pv-without-encryption/test/aks/expected.json
new file mode 100644
index 000000000..0637a088a
--- /dev/null
+++ b/rules/pv-without-encryption/test/aks/expected.json
@@ -0,0 +1 @@
+[]
\ No newline at end of file
diff --git a/rules/pv-without-encryption/test/aks/input/pv.yaml b/rules/pv-without-encryption/test/aks/input/pv.yaml
new file mode 100644
index 000000000..d1d8beb89
--- /dev/null
+++ b/rules/pv-without-encryption/test/aks/input/pv.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: pvc-0eeeeefe-5193-472c-a81e-104f3919130e
+spec:
+ accessModes:
+ - ReadWriteOnce
+ capacity:
+ storage: 40Gi
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: azure-disk-cmk
\ No newline at end of file
diff --git a/rules/pv-without-encryption/test/aks/input/sc.yaml b/rules/pv-without-encryption/test/aks/input/sc.yaml
new file mode 100644
index 000000000..3dfeb0ea0
--- /dev/null
+++ b/rules/pv-without-encryption/test/aks/input/sc.yaml
@@ -0,0 +1,9 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: azure-disk-cmk
+provisioner: kubernetes.io/azure-disk
+parameters:
+ skuname: Standard_LRS
+ kind: Managed
+ diskEncryptionSetID: /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Compute/diskEncryptionSets/{diskEncryptionSet-name}
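Review bot: `"remediation": ""` ships a finding with no guidance and `description` is a fragment, so the control page built from this metadata will tell users nothing about what to do; something like `"description": "Checks whether a PersistentVolume is backed by a StorageClass that does not enable encryption at rest"` and `"remediation": "Bind the volume to a StorageClass that enables encryption (for example `encrypted: \"true\"` on the EBS CSI driver) and re-provision it"` would match the level of detail the sibling rules carry. The `match` block only requests PersistentVolume and StorageClass, so PVCs and static PVs without a class are never considered; the description should say this so the scope of the control is not overstated.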
diff --git a/rules/pv-without-encryption/test/eks/expected.json b/rules/pv-without-encryption/test/eks/expected.json
new file mode 100644
index 000000000..cfd549621
--- /dev/null
+++ b/rules/pv-without-encryption/test/eks/expected.json
@@ -0,0 +1,26 @@
+[
+ {
+ "alertMessage": "Volume 'pvc-0eeeeefe-5193-472c-a81e-104f3919130e' has is using a storage class that does not use encryption",
+ "failedPaths": [],
+ "fixPaths": [
+ {
+ "path": "spec.storageClassName",
+ "value": "\u003cyour encrypted storage class\u003e"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 7,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "PersistentVolume",
+ "metadata": {
+ "name": "pvc-0eeeeefe-5193-472c-a81e-104f3919130e"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/pv-without-encryption/test/eks/input/pv.yaml b/rules/pv-without-encryption/test/eks/input/pv.yaml
new file mode 100644
index 000000000..42efa09f0
--- /dev/null
+++ b/rules/pv-without-encryption/test/eks/input/pv.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: pvc-0eeeeefe-5193-472c-a81e-104f3919130e
+spec:
+ accessModes:
+ - ReadWriteOnce
+ capacity:
+ storage: 40Gi
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: gp3retain
\ No newline at end of file
diff --git a/rules/pv-without-encryption/test/eks/input/sc.yaml b/rules/pv-without-encryption/test/eks/input/sc.yaml
new file mode 100644
index 000000000..f6fa35be8
--- /dev/null
+++ b/rules/pv-without-encryption/test/eks/input/sc.yaml
@@ -0,0 +1,10 @@
+allowVolumeExpansion: true
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: gp3retain
+parameters:
+ type: gp3
+provisioner: ebs.csi.aws.com
+reclaimPolicy: Retain
+volumeBindingMode: WaitForFirstConsumer
\ No newline at end of file
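Review bot: This expected output pins `fixPaths[0].value` to `<your encrypted storage class>` (written as `\u003c…\u003e`), but the rule's `raw.rego` in this same change emits `"value": ""`, so either this fixture does not match what the rule produces or the test runner ignores `value`; the two should agree, and the placeholder string is the more useful of the two for a user reading the fix. The fixture's `gp3retain` class omits `encrypted`, which is the intended negative case, but note that an AWS account with EBS encryption-by-default would still produce an encrypted volume from it, so the finding is really "encryption not enforced by the StorageClass" and the alert wording could say so.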
diff --git a/rules/pv-without-encryption/test/fail/expected.json b/rules/pv-without-encryption/test/fail/expected.json
new file mode 100644
index 000000000..0637a088a
--- /dev/null
+++ b/rules/pv-without-encryption/test/fail/expected.json
@@ -0,0 +1 @@
+[]
\ No newline at end of file
diff --git a/rules/pv-without-encryption/test/fail/input/pv.yaml b/rules/pv-without-encryption/test/fail/input/pv.yaml
new file mode 100644
index 000000000..42efa09f0
--- /dev/null
+++ b/rules/pv-without-encryption/test/fail/input/pv.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: pvc-0eeeeefe-5193-472c-a81e-104f3919130e
+spec:
+ accessModes:
+ - ReadWriteOnce
+ capacity:
+ storage: 40Gi
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: gp3retain
\ No newline at end of file
diff --git a/rules/pv-without-encryption/test/fail/input/sc.yaml b/rules/pv-without-encryption/test/fail/input/sc.yaml
new file mode 100644
index 000000000..d60feef9f
--- /dev/null
+++ b/rules/pv-without-encryption/test/fail/input/sc.yaml
@@ -0,0 +1,11 @@
+allowVolumeExpansion: true
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: gp3retain
+parameters:
+ encrypted: "true"
+ type: gp3
+provisioner: ebs.csi.aws.com
+reclaimPolicy: Retain
+volumeBindingMode: WaitForFirstConsumer
\ No newline at end of file
diff --git a/rules/pv-without-encryption/test/gke/expected.json b/rules/pv-without-encryption/test/gke/expected.json
new file mode 100644
index 000000000..0637a088a
--- /dev/null
+++ b/rules/pv-without-encryption/test/gke/expected.json
@@ -0,0 +1 @@
+[]
\ No newline at end of file
diff --git a/rules/pv-without-encryption/test/gke/input/pv.yaml b/rules/pv-without-encryption/test/gke/input/pv.yaml
new file mode 100644
index 000000000..ac9a1bc67
--- /dev/null
+++ b/rules/pv-without-encryption/test/gke/input/pv.yaml
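Review bot: The directory is named `fail` but its `expected.json` is `[]`, i.e. the rule is expected to produce no finding for this input (the class carries `encrypted: "true"`), so the name says the opposite of what the fixture asserts; rename it to something like `eks-encrypted` or `pass` so the one real negative case in `test/eks` is the only one that reads as a failure. There is also no fixture for a PV with no `storageClassName`, or with a class that is not present in the input, which is exactly where the rule's join silently yields nothing and where a regression would go unnoticed.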
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: pvc-0eeeeefe-5193-472c-a81e-104f3919130e
+spec:
+ accessModes:
+ - ReadWriteOnce
+ capacity:
+ storage: 40Gi
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: standard-cmek
\ No newline at end of file
diff --git a/rules/pv-without-encryption/test/gke/input/sc.yaml b/rules/pv-without-encryption/test/gke/input/sc.yaml
new file mode 100644
index 000000000..7242e5664
--- /dev/null
+++ b/rules/pv-without-encryption/test/gke/input/sc.yaml
@@ -0,0 +1,9 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: standard-cmek
+provisioner: pd.csi.storage.gke.io
+parameters:
+ type: pd-standard
+ csi.storage.k8s.io/fstype: ext4
+ pdName: projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key
diff --git a/rules/rbac-enabled-cloud/rule.metadata.json b/rules/rbac-enabled-cloud/rule.metadata.json
index a787f6d9c..ef10ac751 100644
--- a/rules/rbac-enabled-cloud/rule.metadata.json
+++ b/rules/rbac-enabled-cloud/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "rbac-enabled-cloud",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/rbac-enabled-cloud/test/failed/expected.json b/rules/rbac-enabled-cloud/test/failed/expected.json
index 0c6c87b67..7b49d0712 100644
--- a/rules/rbac-enabled-cloud/test/failed/expected.json
+++ b/rules/rbac-enabled-cloud/test/failed/expected.json
@@ -3,6 +3,7 @@
 "alertMessage": "rbac is not enabled",
 "alertScore": 3,
 "packagename": "armo_builtins",
+ "reviewPaths": ["data.properties.enableRBAC"],
 "failedPaths": ["data.properties.enableRBAC"],
 "fixCommand": "",
 "fixPaths": [],
diff --git a/rules/rbac-enabled-native/rule.metadata.json b/rules/rbac-enabled-native/rule.metadata.json
index 7c8b1e447..f90f3b852 100644
--- a/rules/rbac-enabled-native/rule.metadata.json
+++ b/rules/rbac-enabled-native/rule.metadata.json
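Review bot: The GKE fixture places the KMS key under `pdName`, which as far as I know is not a parameter the PD CSI driver reads for customer-managed keys (the documented StorageClass parameter is `disk-encryption-kms-key`); the test still passes only because the rule keys on the `pd.csi.storage.gke.io` provisioner and never looks at parameters. Either use the real parameter name so the fixture documents a genuine CMEK class, or drop the key so readers do not take this shape as something the rule validates.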
@@ -1,7 +1,6 @@
 {
 "name": "rbac-enabled-native",
 "attributes": {
- "armoBuiltin": true,
 "resourcesAggregator": "apiserver-pod",
 "useFromKubescapeVersion": "v1.0.133"
 },
diff --git a/rules/read-only-port-enabled-updated/rule.metadata.json b/rules/read-only-port-enabled-updated/rule.metadata.json
index 375539cca..62867daf6 100644
--- a/rules/read-only-port-enabled-updated/rule.metadata.json
+++ b/rules/read-only-port-enabled-updated/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "read-only-port-enabled-updated",
 "attributes": {
- "armoBuiltin": true,
 "hostSensorRule": "true"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/read-only-port-enabled-updated/test/config-fail/expected.json b/rules/read-only-port-enabled-updated/test/config-fail/expected.json
index 64864b2ce..d9b986492 100644
--- a/rules/read-only-port-enabled-updated/test/config-fail/expected.json
+++ b/rules/read-only-port-enabled-updated/test/config-fail/expected.json
@@ -16,6 +16,9 @@
 }
 },
 "alertScore": 4,
+ "reviewPaths": [
+ "readOnlyPort"
+ ],
 "failedPaths": [
 "readOnlyPort"
 ],
diff --git a/rules/replicationcontroller-in-default-namespace/rule.metadata.json b/rules/replicationcontroller-in-default-namespace/rule.metadata.json
index e4be5ff2e..1ccbb7fdb 100644
--- a/rules/replicationcontroller-in-default-namespace/rule.metadata.json
+++ b/rules/replicationcontroller-in-default-namespace/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "replicationcontroller-in-default-namespace",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/replicationcontroller-in-default-namespace/test/replicationcontroller/expected.json b/rules/replicationcontroller-in-default-namespace/test/replicationcontroller/expected.json
index eaae124e9..b20af5ca4 100644
--- a/rules/replicationcontroller-in-default-namespace/test/replicationcontroller/expected.json
+++ b/rules/replicationcontroller-in-default-namespace/test/replicationcontroller/expected.json
@@ -1,6 +1,9 @@
 [
 {
 "alertMessage": "ReplicationController: kubescape is in the 'default' namespace",
+ "reviewPaths": [
+ "metadata.namespace"
+ ],
 "failedPaths": [
 "metadata.namespace"
 ],
diff --git a/rules/resource-policies/rule.metadata.json b/rules/resource-policies/rule.metadata.json
index bd1d1e82d..fd045110e 100644
--- a/rules/resource-policies/rule.metadata.json
+++ b/rules/resource-policies/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "resource-policies",
 "attributes": {
- "armoBuiltin": true
 },
 "ruleLanguage": "Rego",
 "match": [
diff --git a/rules/resources-cpu-limit-and-request/raw.rego b/rules/resources-cpu-limit-and-request/raw.rego
index 317be212e..c3b9672cf 100644
--- a/rules/resources-cpu-limit-and-request/raw.rego
+++ b/rules/resources-cpu-limit-and-request/raw.rego
@@ -1,19 +1,20 @@
 package armo_builtins
-# Fails if pod does not have container with CPU-limit or request
+# ==================================== no CPU requests =============================================
+# Fails if pod does not have container with CPU request
 deny[msga] {
 pod := input[_]
 pod.kind == "Pod"
 container := pod.spec.containers[i]
- not request_or_limit_cpu(container)
+ not container.resources.requests.cpu
- fixPaths := [{"path": sprintf("spec.containers[%v].resources.limits.cpu", [format_int(i, 10)]), "value": "YOUR_VALUE"},
- {"path": sprintf("spec.containers[%v].resources.requests.cpu", [format_int(i, 10)]), "value": "YOUR_VALUE"}]
+ fixPaths := [{"path": sprintf("spec.containers[%v].resources.requests.cpu", [format_int(i, 10)]), "value": "YOUR_VALUE"}]
 msga := {
 "alertMessage": sprintf("Container: %v does not have CPU-limit or request", [ container.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": [],
 "failedPaths": [],
 "fixPaths": fixPaths,
 "alertObject": {
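Review bot: The condition is now `not container.resources.requests.cpu`, i.e. the rule fails only on a missing CPU request, but the unchanged `alertMessage` still says `does not have CPU-limit or request`, so a container that sets a limit and no request is reported as having neither; change it to `"alertMessage": sprintf("Container: %v does not have a CPU request", [ container.name]),` and apply the same to the workload and CronJob rules in the next two hunks, which carry the identical text. The new banner `# ==== no CPU requests ====` suggests a matching limits section follows; if it does not exist in this file the rule no longer matches its name `resources-cpu-limit-and-request` and its metadata description should be updated. The removed helper `request_or_limit_cpu` is not deleted in this hunk, so if its definition survives further down the file it is now dead code. The deny body continues past the end of the hunk.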
@@ -22,21 +23,21 @@ deny[msga] { } } -# Fails if workload does not have container with CPU-limit or request +# Fails if workload does not have container with CPU requests deny[msga] { wl := input[_] spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} spec_template_spec_patterns[wl.kind] container := wl.spec.template.spec.containers[i] - not request_or_limit_cpu(container) + not container.resources.requests.cpu - fixPaths := [{"path": sprintf("spec.template.spec.containers[%v].resources.limits.cpu", [format_int(i, 10)]), "value": "YOUR_VALUE"}, - {"path": sprintf("spec.template.spec.containers[%v].resources.requests.cpu", [format_int(i, 10)]), "value": "YOUR_VALUE"}] + fixPaths := [{"path": sprintf("spec.template.spec.containers[%v].resources.requests.cpu", [format_int(i, 10)]), "value": "YOUR_VALUE"}] msga := { "alertMessage": sprintf("Container: %v in %v: %v does not have CPU-limit or request", [ container.name, wl.kind, wl.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, + "reviewPaths": [], "failedPaths": [], "fixPaths": fixPaths, "alertObject": { 
@@ -45,20 +46,20 @@ deny[msga] { } } -# Fails if cronjob does not have container with CPU-limit or request +# Fails if cronjob does not have container with CPU requests deny[msga] { wl := input[_] wl.kind == "CronJob" container = wl.spec.jobTemplate.spec.template.spec.containers[i] - not request_or_limit_cpu(container) + not container.resources.requests.cpu - fixPaths := [{"path": sprintf("spec.jobTemplate.spec.template.spec.containers[%v].resources.limits.cpu", [format_int(i, 10)]), "value": "YOUR_VALUE"}, - {"path": sprintf("spec.jobTemplate.spec.template.spec.containers[%v].resources.requests.cpu", [format_int(i, 10)]), "value": "YOUR_VALUE"}] + fixPaths := [{"path": sprintf("spec.jobTemplate.spec.template.spec.containers[%v].resources.requests.cpu", [format_int(i, 10)]), "value": "YOUR_VALUE"}] msga := { "alertMessage": sprintf("Container: %v in %v: %v does not have CPU-limit or request", [ container.name, wl.kind, wl.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, + "reviewPaths": [], "failedPaths": [], "fixPaths": fixPaths, "alertObject": { 
@@ -67,21 +68,88 @@ deny[msga] { } } +# ==================================== no CPU limits ============================================= +# Fails if pod does not have container with CPU-limits +deny[msga] { + pod := input[_] + pod.kind == "Pod" + container := pod.spec.containers[i] + not container.resources.limits.cpu + fixPaths := [{"path": sprintf("spec.containers[%v].resources.limits.cpu", [format_int(i, 10)]), "value": "YOUR_VALUE"}] + msga := { + "alertMessage": sprintf("Container: %v does not have CPU-limit or request", [ container.name]), + "packagename": "armo_builtins", + "alertScore": 7, + "reviewPaths": [], + "failedPaths": [], + "fixPaths": fixPaths, + "alertObject": { + "k8sApiObjects": [pod] + } + } +} -################################################################################################################### +# Fails if workload does not have container with CPU-limits +deny[msga] { + wl := input[_] + spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} + spec_template_spec_patterns[wl.kind] + container := wl.spec.template.spec.containers[i] + not container.resources.limits.cpu + + fixPaths := [{"path": sprintf("spec.template.spec.containers[%v].resources.limits.cpu", [format_int(i, 10)]), "value": "YOUR_VALUE"}] + + msga := { + "alertMessage": sprintf("Container: %v in %v: %v does not have CPU-limit or request", [ container.name, wl.kind, wl.metadata.name]), + "packagename": "armo_builtins", + "alertScore": 7, + "reviewPaths": [], + "failedPaths": [], + "fixPaths": fixPaths, + "alertObject": { + "k8sApiObjects": [wl] + } + } +} + +# Fails if cronjob does not have container with CPU-limits +deny[msga] { + wl := input[_] + wl.kind == "CronJob" + container = wl.spec.jobTemplate.spec.template.spec.containers[i] + not container.resources.limits.cpu + + fixPaths := [{"path": sprintf("spec.jobTemplate.spec.template.spec.containers[%v].resources.limits.cpu", [format_int(i, 10)]), "value": "YOUR_VALUE"}] + + msga 
:= { + "alertMessage": sprintf("Container: %v in %v: %v does not have CPU-limit or request", [ container.name, wl.kind, wl.metadata.name]), + "packagename": "armo_builtins", + "alertScore": 7, + "reviewPaths": [], + "failedPaths": [], + "fixPaths": fixPaths, + "alertObject": { + "k8sApiObjects": [wl] + } + } +} + + + +# ============================================= cpu limits exceed min/max ============================================= # Fails if pod exceeds CPU-limit or request deny[msga] { pod := input[_] pod.kind == "Pod" container := pod.spec.containers[i] - request_or_limit_cpu(container) - resource := is_min_max_exceeded_cpu(container) - resource != "" + path := "resources.limits.cpu" + cpu_limit := container.resources.limits.cpu + is_limit_exceeded_cpu(cpu_limit) - failed_paths := sprintf("spec.containers[%v].%v", [format_int(i, 10), resource]) + failed_paths := sprintf("spec.containers[%v].%v", [format_int(i, 10), path]) msga := { "alertMessage": sprintf("Container: %v exceeds CPU-limit or request", [ container.name]), @@ -103,11 +171,11 @@ deny[msga] { spec_template_spec_patterns[wl.kind] container := wl.spec.template.spec.containers[i] - request_or_limit_cpu(container) - resource := is_min_max_exceeded_cpu(container) - resource != "" + path := "resources.limits.cpu" + cpu_limit := container.resources.limits.cpu + is_limit_exceeded_cpu(cpu_limit) - failed_paths := sprintf("spec.template.spec.containers[%v].%v", [format_int(i, 10), resource]) + failed_paths := sprintf("spec.template.spec.containers[%v].%v", [format_int(i, 10), path]) msga := { "alertMessage": sprintf("Container: %v in %v: %v exceeds CPU-limit or request", [ container.name, wl.kind, wl.metadata.name]), 
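Review bot: The three limits-only deny rules added in this hunk are byte-for-byte the same as the ones in the new rules/resources-cpu-limits/raw.rego, so the same logic is now maintained in two rule directories and any later correction (to the alert message, for instance) has to be applied twice. If the combined rule is meant to stay, consider whether the control can reference the two new rules instead of this file copying their bodies; if the new rules supersede it, this file should shrink rather than grow. Style-wise the cronjob rule binds with `container = ...` while the pod and workload rules use `:=`; pick one form. The last deny body of this hunk continues past the hunk end.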
@@ -128,11 +196,11 @@ deny[msga] { wl.kind == "CronJob" container = wl.spec.jobTemplate.spec.template.spec.containers[i] - request_or_limit_cpu(container) - resource := is_min_max_exceeded_cpu(container) - resource != "" + path := "resources.limits.cpu" + cpu_limit := container.resources.limits.cpu + is_limit_exceeded_cpu(cpu_limit) - failed_paths := sprintf("spec.jobTemplate.spec.template.spec.containers[%v].%v", [format_int(i, 10), resource]) + failed_paths := sprintf("spec.jobTemplate.spec.template.spec.containers[%v].%v", [format_int(i, 10), path]) msga := { "alertMessage": sprintf("Container: %v in %v: %v exceeds CPU-limit or request", [ container.name, wl.kind, wl.metadata.name]), 
@@ -147,17 +215,87 @@ deny[msga] { } } +# ============================================= cpu requests exceed min/max ============================================= + +# Fails if pod exceeds CPU-limit or request +deny[msga] { + pod := input[_] + pod.kind == "Pod" + container := pod.spec.containers[i] + path := "resources.requests.cpu" + cpu_req := container.resources.requests.cpu + is_req_exceeded_cpu(cpu_req) + + failed_paths := sprintf("spec.containers[%v].%v", [format_int(i, 10), path]) + + msga := { + "alertMessage": sprintf("Container: %v exceeds CPU-limit or request", [ container.name]), + "packagename": "armo_builtins", + "alertScore": 7, + "reviewPaths": [failed_paths], + "failedPaths": [failed_paths], + "fixPaths": [], + "alertObject": { + "k8sApiObjects": [pod] + } + } +} + +# Fails if workload exceeds CPU-limit or request +deny[msga] { + wl := input[_] + spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} + spec_template_spec_patterns[wl.kind] + container := wl.spec.template.spec.containers[i] + path := "resources.requests.cpu" + cpu_req := container.resources.requests.cpu + is_req_exceeded_cpu(cpu_req) + failed_paths := sprintf("spec.template.spec.containers[%v].%v", [format_int(i, 10), path]) -################################################################################################################# + msga := { + "alertMessage": sprintf("Container: %v in %v: %v exceeds CPU-limit or request", [ container.name, wl.kind, wl.metadata.name]), + "packagename": "armo_builtins", + "alertScore": 7, + "reviewPaths": [failed_paths], + "failedPaths": [failed_paths], + "fixPaths": [], + "alertObject": { + "k8sApiObjects": [wl] + } + } +} + +# Fails if cronjob doas exceeds CPU-limit or request +deny[msga] { + wl := input[_] + wl.kind == "CronJob" + container = wl.spec.jobTemplate.spec.template.spec.containers[i] + + path := "resources.requests.cpu" + cpu_req := container.resources.requests.cpu + is_req_exceeded_cpu(cpu_req) 
+ + failed_paths := sprintf("spec.jobTemplate.spec.template.spec.containers[%v].%v", [format_int(i, 10), path]) -request_or_limit_cpu(container) { - container.resources.limits.cpu - container.resources.requests.cpu + msga := { + "alertMessage": sprintf("Container: %v in %v: %v exceeds CPU-limit or request", [ container.name, wl.kind, wl.metadata.name]), + "packagename": "armo_builtins", + "alertScore": 7, + "reviewPaths": [failed_paths], + "failedPaths": [failed_paths], + "fixPaths": [], + "alertObject": { + "k8sApiObjects": [wl] + } + } } +################################################################################################################# + + is_min_max_exceeded_cpu(container) = "resources.limits.cpu" { cpu_limit := container.resources.limits.cpu is_limit_exceeded_cpu(cpu_limit) @@ -212,7 +350,7 @@ compare_max(max, given) { endswith(given, "Mi") split_max := split(max, "Mi")[0] split_given := split(given, "Mi")[0] - split_given > split_max + to_number(split_given) > to_number(split_max) } compare_max(max, given) { @@ -220,7 +358,7 @@ compare_max(max, given) { endswith(given, "M") split_max := split(max, "M")[0] split_given := split(given, "M")[0] - split_given > split_max + to_number(split_given) > to_number(split_max) } compare_max(max, given) { @@ -228,13 +366,13 @@ compare_max(max, given) { endswith(given, "m") split_max := split(max, "m")[0] split_given := split(given, "m")[0] - split_given > split_max + to_number(split_given) > to_number(split_max) } compare_max(max, given) { not is_special_measure(max) not is_special_measure(given) - given > max + to_number(given) > to_number(max) } @@ -246,7 +384,7 @@ compare_min(min, given) { endswith(given, "Mi") split_min := split(min, "Mi")[0] split_given := split(given, "Mi")[0] - split_given < split_min + to_number(split_given) < to_number(split_min) } compare_min(min, given) { 
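Review bot: The comment introducing the cronjob rule has a typo, `# Fails if cronjob doas exceeds CPU-limit or request`; it should read `# Fails if cronjob exceeds CPU-limit or request`. Separately, after the rewrites in this commit no deny rule calls `is_min_max_exceeded_cpu` any more (the exceed rules call `is_limit_exceeded_cpu` and `is_req_exceeded_cpu` directly), yet its definition is kept as context at the end of this hunk; if nothing outside this diff references it, delete it, otherwise it is dead code that will drift from the live checks. The helper's body continues outside the hunk.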
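Review bot: Wrapping the operands in `to_number` fixes the lexical comparison, but each `compare_max` clause still requires `max` and `given` to carry the same suffix (both `Mi`, both `M`, both `m`) or none at all; a threshold of `50m` compared with a container value of `1` (or `1.5`) matches no clause, the comparison is undefined and the rule silently produces no finding. The same applies to the `compare_min` clauses at the end of this line and in the two hunks on the next line. `Mi`/`M` are byte suffixes that do not occur in CPU quantities, so a single normalisation to millicores would replace the suffix matrix for this rule; a sketch follows (`is_special_measure` and its callers would change accordingly, and values that the YAML loader already turned into numbers rather than strings need a guard before `endswith`). Both compare_max clauses shown continue outside this hunk.
```rego
# Normalise a CPU quantity string to millicores so that "500m" and "1" are comparable.
cpu_millis(q) = n {
	endswith(q, "m")
	n := to_number(split(q, "m")[0])
}

cpu_millis(q) = n {
	not endswith(q, "m")
	n := to_number(q) * 1000
}

compare_max(max, given) {
	cpu_millis(given) > cpu_millis(max)
}

compare_min(min, given) {
	cpu_millis(given) < cpu_millis(min)
}
```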
@@ -254,7 +392,7 @@ compare_min(min, given) { endswith(given, "M") split_min := split(min, "M")[0] split_given := split(given, "M")[0] - split_given < split_min + to_number(split_given) < to_number(split_min) } compare_min(min, given) { @@ -262,13 +400,15 @@ compare_min(min, given) { endswith(given, "m") split_min := split(min, "m")[0] split_given := split(given, "m")[0] - split_given < split_min + to_number(split_given) < to_number(split_min) + } compare_min(min, given) { not is_special_measure(min) not is_special_measure(given) - given < min + to_number(given) < to_number(min) + } diff --git a/rules/resources-cpu-limit-and-request/rule.metadata.json b/rules/resources-cpu-limit-and-request/rule.metadata.json index 26fda2dfe..6ece8ff98 100644 --- a/rules/resources-cpu-limit-and-request/rule.metadata.json +++ b/rules/resources-cpu-limit-and-request/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "resources-cpu-limit-and-request", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/resources-cpu-limit-and-request/test/cronjob/expected.json b/rules/resources-cpu-limit-and-request/test/cronjob/expected.json index 28b1ab3ba..07f3941e9 100644 --- a/rules/resources-cpu-limit-and-request/test/cronjob/expected.json +++ b/rules/resources-cpu-limit-and-request/test/cronjob/expected.json 
@@ -1,9 +1,39 @@ [ { "alertMessage": "Container: hello in CronJob: hello does not have CPU-limit or request", + "reviewPaths": [], "failedPaths": [], - "fixPaths" : [{"path": "spec.jobTemplate.spec.template.spec.containers[0].resources.limits.cpu", "value": "YOUR_VALUE"}, - {"path": "spec.jobTemplate.spec.template.spec.containers[0].resources.requests.cpu", "value": "YOUR_VALUE"}], + "fixPaths": [ + { + "path": "spec.jobTemplate.spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "batch/v1beta1", + "kind": "CronJob", + "metadata": { + "name": "hello" + } + } + ] + } + }, + { + "alertMessage": "Container: hello in CronJob: hello does not have CPU-limit or request", + "reviewPaths": [], + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.jobTemplate.spec.template.spec.containers[0].resources.requests.cpu", + "value": "YOUR_VALUE" + } + ], "ruleStatus": "", "packagename": "armo_builtins", "alertScore": 7, diff --git a/rules/resources-cpu-limit-and-request/test/pod-only-limits/expected.json b/rules/resources-cpu-limit-and-request/test/pod-only-limits/expected.json new file mode 100644 index 000000000..0774d1458 --- /dev/null +++ b/rules/resources-cpu-limit-and-request/test/pod-only-limits/expected.json @@ -0,0 +1,23 @@ +[ + { + "alertMessage": "Container: log-aggregator does not have CPU-limit or request", + "reviewPaths": [], + "failedPaths": [], + "fixPaths" : [{"path":"spec.containers[1].resources.limits.cpu", "value": "YOUR_VALUE"}], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "frontend" + } + } + ] + } + } +] + 
diff --git a/rules/resources-cpu-limit-and-request/test/pod-only-limits/input/pod.yaml b/rules/resources-cpu-limit-and-request/test/pod-only-limits/input/pod.yaml new file mode 100644 index 000000000..d1207f1bb --- /dev/null +++ b/rules/resources-cpu-limit-and-request/test/pod-only-limits/input/pod.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: frontend +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" diff --git a/rules/resources-cpu-limit-and-request/test/pod-only-requests/expected.json b/rules/resources-cpu-limit-and-request/test/pod-only-requests/expected.json new file mode 100644 index 000000000..83beae079 --- /dev/null +++ b/rules/resources-cpu-limit-and-request/test/pod-only-requests/expected.json @@ -0,0 +1,22 @@ +[ + { + "alertMessage": "Container: log-aggregator does not have CPU-limit or request", + "reviewPaths": [], + "failedPaths": [], + "fixPaths" : [{"path": "spec.containers[1].resources.requests.cpu", "value": "YOUR_VALUE"}], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "frontend" + } + } + ] + } + } +] \ No newline at end of file diff --git a/rules/resources-cpu-limit-and-request/test/pod-only-requests/input/pod.yaml b/rules/resources-cpu-limit-and-request/test/pod-only-requests/input/pod.yaml new file mode 100644 index 000000000..0495de5d3 --- /dev/null +++ b/rules/resources-cpu-limit-and-request/test/pod-only-requests/input/pod.yaml 
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: frontend +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + resources: + requests: + memory: "64Mi" + limits: + memory: "128Mi" + cpu: "500m" diff --git a/rules/resources-cpu-limit-and-request/test/pod/expected.json b/rules/resources-cpu-limit-and-request/test/pod/expected.json index 24a8f72bb..08d1752e1 100644 --- a/rules/resources-cpu-limit-and-request/test/pod/expected.json +++ b/rules/resources-cpu-limit-and-request/test/pod/expected.json @@ -1,9 +1,39 @@ [ { "alertMessage": "Container: log-aggregator does not have CPU-limit or request", + "reviewPaths": [], "failedPaths": [], - "fixPaths" : [{"path":"spec.containers[1].resources.limits.cpu", "value": "YOUR_VALUE"}, - {"path": "spec.containers[1].resources.requests.cpu", "value": "YOUR_VALUE"}], + "fixPaths": [ + { + "path": "spec.containers[1].resources.limits.cpu", + "value": "YOUR_VALUE" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "frontend" + } + } + ] + } + }, + { + "alertMessage": "Container: log-aggregator does not have CPU-limit or request", + "reviewPaths": [], + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.containers[1].resources.requests.cpu", + "value": "YOUR_VALUE" + } + ], "ruleStatus": "", "packagename": "armo_builtins", "alertScore": 7, diff --git a/rules/resources-cpu-limit-and-request/test/workload-exceeded/data.json b/rules/resources-cpu-limit-and-request/test/workload-exceeded/data.json new file mode 100644 index 000000000..0ee80232d --- /dev/null +++ b/rules/resources-cpu-limit-and-request/test/workload-exceeded/data.json 
@@ -0,0 +1,8 @@ +{ + "postureControlInputs": { + "cpu_request_max": ["50m"], + "cpu_request_min": ["50m"], + "cpu_limit_max": ["50m"], + "cpu_limit_min": ["50m"] + } +} \ No newline at end of file diff --git a/rules/resources-cpu-limit-and-request/test/workload-exceeded/expected.json b/rules/resources-cpu-limit-and-request/test/workload-exceeded/expected.json new file mode 100644 index 000000000..a5a1d7bd5 --- /dev/null +++ b/rules/resources-cpu-limit-and-request/test/workload-exceeded/expected.json @@ -0,0 +1,52 @@ +[ + { + "alertMessage": "Container: health-check in Deployment: health-check-deployment does not have CPU-limit or request", + "reviewPaths": [], + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.template.spec.containers[0].resources.requests.cpu", + "value": "YOUR_VALUE" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "name": "health-check-deployment" + } + } + ] + } + }, + { + "alertMessage": "Container: health-check in Deployment: health-check-deployment exceeds CPU-limit or request", + "reviewPaths": [ + "spec.template.spec.containers[0].resources.limits.cpu" + ], + + "failedPaths": [ + "spec.template.spec.containers[0].resources.limits.cpu" + ], + "fixPaths": [], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "name": "health-check-deployment" + } + } + ] + } + } +] \ No newline at end of file diff --git a/rules/resources-cpu-limit-and-request/test/workload-exceeded/input/deployment.yaml b/rules/resources-cpu-limit-and-request/test/workload-exceeded/input/deployment.yaml new file mode 100644 index 000000000..4c09ee1d5 --- /dev/null +++ b/rules/resources-cpu-limit-and-request/test/workload-exceeded/input/deployment.yaml 
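Review bot: The new exceed test pins all four thresholds to `50m` and the deployment sets `limits.cpu: 80m`, so only the "limit above max" branch with matching `m` suffixes is exercised; the min side, the request thresholds and a whole-core value such as `cpu: "1"` (which the suffix-matched compare clauses cannot evaluate against a `50m` threshold) have no case. Consider a second input with `cpu: "1"` and `cpu_limit_max: ["500m"]` so the expected behaviour for mixed units is locked by a test rather than left implicit.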
@@ -0,0 +1,57 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + deployment.kubernetes.io/revision: '1' + creationTimestamp: '2023-10-17T12:50:59Z' + generation: 1 + name: health-check-deployment + namespace: default + resourceVersion: '1383' + uid: 405080f2-c98e-450e-8e74-9f7e73a9c421 +spec: + progressDeadlineSeconds: 600 + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app: health-check + strategy: + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + app: health-check + spec: + containers: + - image: madhuakula/k8s-goat-health-check + imagePullPolicy: Always + name: health-check + ports: + - containerPort: 80 + protocol: TCP + resources: + limits: + cpu: 80m + memory: 100Mi + securityContext: + privileged: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /custom/docker/docker.sock + name: docker-sock-volume + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + terminationGracePeriodSeconds: 30 + volumes: + - hostPath: + path: /var/run/docker.sock + type: Socket + name: docker-sock-volume diff --git a/rules/resources-cpu-limit-and-request/test/workload/expected.json b/rules/resources-cpu-limit-and-request/test/workload/expected.json index aa8d65acf..3cdc23f4e 100644 --- a/rules/resources-cpu-limit-and-request/test/workload/expected.json +++ b/rules/resources-cpu-limit-and-request/test/workload/expected.json 
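Review bot: This fixture carries far more than the rule under test needs: server-populated metadata (`uid`, `resourceVersion`, `creationTimestamp`, `generation`), a `privileged: true` security context and a hostPath mount of `/var/run/docker.sock`, none of which influence the CPU checks. A minimal Deployment whose container has only the `resources` block keeps the test readable and avoids this file doubling as a realistic example of a privileged, socket-mounting workload; suggest trimming it to the same shape as the other deployment fixtures in this commit. Quoting the quantities (`cpu: "80m"`, `memory: "100Mi"`) also matches the other fixtures.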
@@ -1,26 +1,58 @@ -[{ - "alertMessage": "Container: app in Deployment: test does not have CPU-limit or request", - "failedPaths": [], - "fixPaths": [{ - "path": "spec.template.spec.containers[0].resources.limits.cpu", - "value": "YOUR_VALUE" - }, { - "path": "spec.template.spec.containers[0].resources.requests.cpu", - "value": "YOUR_VALUE" - }], - "ruleStatus": "", - "packagename": "armo_builtins", - "alertScore": 7, - "alertObject": { - "k8sApiObjects": [{ - "apiVersion": "apps/v1", - "kind": "Deployment", - "metadata": { - "labels": { - "purpose": "demonstrate-command" - }, - "name": "test" +[ + { + "alertMessage": "Container: app in Deployment: test does not have CPU-limit or request", + "reviewPaths": [], + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" } - }] + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "labels": { + "purpose": "demonstrate-command" + }, + "name": "test" + } + } + ] + } + }, + { + "alertMessage": "Container: app in Deployment: test does not have CPU-limit or request", + "reviewPaths": [], + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.template.spec.containers[0].resources.requests.cpu", + "value": "YOUR_VALUE" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "labels": { + "purpose": "demonstrate-command" + }, + "name": "test" + } + } + ] + } } -}] \ No newline at end of file +] \ No newline at end of file diff --git a/rules/resources-cpu-limits/raw.rego b/rules/resources-cpu-limits/raw.rego new file mode 100644 index 000000000..0b0356470 --- /dev/null +++ b/rules/resources-cpu-limits/raw.rego 
@@ -0,0 +1,72 @@ +package armo_builtins + + +# ==================================== no CPU limits ============================================= +# Fails if pod does not have container with CPU-limits +deny[msga] { + pod := input[_] + pod.kind == "Pod" + container := pod.spec.containers[i] + not container.resources.limits.cpu + + fixPaths := [{"path": sprintf("spec.containers[%v].resources.limits.cpu", [format_int(i, 10)]), "value": "YOUR_VALUE"}] + + msga := { + "alertMessage": sprintf("Container: %v does not have CPU-limit or request", [ container.name]), + "packagename": "armo_builtins", + "alertScore": 7, + "reviewPaths": [], + "failedPaths": [], + "fixPaths": fixPaths, + "alertObject": { + "k8sApiObjects": [pod] + } + } +} + +# Fails if workload does not have container with CPU-limits +deny[msga] { + wl := input[_] + spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} + spec_template_spec_patterns[wl.kind] + container := wl.spec.template.spec.containers[i] + not container.resources.limits.cpu + + fixPaths := [{"path": sprintf("spec.template.spec.containers[%v].resources.limits.cpu", [format_int(i, 10)]), "value": "YOUR_VALUE"}] + + msga := { + "alertMessage": sprintf("Container: %v in %v: %v does not have CPU-limit or request", [ container.name, wl.kind, wl.metadata.name]), + "packagename": "armo_builtins", + "alertScore": 7, + "reviewPaths": [], + "failedPaths": [], + "fixPaths": fixPaths, + "alertObject": { + "k8sApiObjects": [wl] + } + } +} + +# Fails if cronjob does not have container with CPU-limits +deny[msga] { + wl := input[_] + wl.kind == "CronJob" + container = wl.spec.jobTemplate.spec.template.spec.containers[i] + not container.resources.limits.cpu + + fixPaths := [{"path": sprintf("spec.jobTemplate.spec.template.spec.containers[%v].resources.limits.cpu", [format_int(i, 10)]), "value": "YOUR_VALUE"}] + + msga := { + "alertMessage": sprintf("Container: %v in %v: %v does not have CPU-limit or request", [ 
container.name, wl.kind, wl.metadata.name]), + "packagename": "armo_builtins", + "alertScore": 7, + "reviewPaths": [], + "failedPaths": [], + "fixPaths": fixPaths, + "alertObject": { + "k8sApiObjects": [wl] + } + } +} + + diff --git a/rules/resources-cpu-limits/rule.metadata.json b/rules/resources-cpu-limits/rule.metadata.json new file mode 100644 index 000000000..f3cda4488 --- /dev/null +++ b/rules/resources-cpu-limits/rule.metadata.json @@ -0,0 +1,48 @@ +{ + "name": "resources-cpu-limits", + "attributes": {}, + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + "ruleDependencies": [], + "description": "CPU limits are not set.", + "remediation": "Ensure CPU limits are set.", + "ruleQuery": "armo_builtins" +} \ No newline at end of file diff --git a/rules/resources-cpu-limits/test/cronjob/expected.json b/rules/resources-cpu-limits/test/cronjob/expected.json new file mode 100644 index 000000000..bc2c0e2d5 --- /dev/null +++ b/rules/resources-cpu-limits/test/cronjob/expected.json @@ -0,0 +1,27 @@ +[ + { + "alertMessage": "Container: hello in CronJob: hello does not have CPU-limit or request", + "reviewPaths": [], + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.jobTemplate.spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "batch/v1beta1", + "kind": "CronJob", + "metadata": { + "name": "hello" + } + } + ] + } + } +] \ No newline at end of file 
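Review bot: Only `spec.containers` is inspected; `initContainers` (and `ephemeralContainers`) on the same pod spec carry their own `resources` block, and a missing CPU limit there is not reported — if those are in scope for this control, add a parallel clause over `pod.spec.initContainers[i]` with a matching fixPath, and likewise for the workload and cronjob rules. Minor: the cronjob rule binds with `container = ...` while the other two use `:=`; use `:=` throughout. Both points apply identically to the new rules/resources-cpu-requests/raw.rego further down.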
diff --git a/rules/CVE-2022-0492/test/no_new_privs_fail/input/cronjob.yaml b/rules/resources-cpu-limits/test/cronjob/input/cronjob.yaml similarity index 71% rename from rules/CVE-2022-0492/test/no_new_privs_fail/input/cronjob.yaml rename to rules/resources-cpu-limits/test/cronjob/input/cronjob.yaml index d3df84dc7..ea5e131c7 100644 --- a/rules/CVE-2022-0492/test/no_new_privs_fail/input/cronjob.yaml +++ b/rules/resources-cpu-limits/test/cronjob/input/cronjob.yaml @@ -1,19 +1,19 @@ -apiVersion: batch/v1 +apiVersion: batch/v1beta1 kind: CronJob metadata: name: hello spec: - schedule: "* * * * *" + schedule: "*/1 * * * *" jobTemplate: spec: template: spec: + restartPolicy: OnFailure containers: - name: hello - image: busybox + image: busybox:latest imagePullPolicy: IfNotPresent command: - /bin/sh - -c - date; echo Hello from the Kubernetes cluster - restartPolicy: OnFailure \ No newline at end of file diff --git a/rules/resources-cpu-limits/test/pod-only-limits/expected.json b/rules/resources-cpu-limits/test/pod-only-limits/expected.json new file mode 100644 index 000000000..0774d1458 --- /dev/null +++ b/rules/resources-cpu-limits/test/pod-only-limits/expected.json @@ -0,0 +1,23 @@ +[ + { + "alertMessage": "Container: log-aggregator does not have CPU-limit or request", + "reviewPaths": [], + "failedPaths": [], + "fixPaths" : [{"path":"spec.containers[1].resources.limits.cpu", "value": "YOUR_VALUE"}], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "frontend" + } + } + ] + } + } +] + diff --git a/rules/resources-cpu-limits/test/pod-only-limits/input/pod.yaml b/rules/resources-cpu-limits/test/pod-only-limits/input/pod.yaml new file mode 100644 index 000000000..d1207f1bb --- /dev/null +++ b/rules/resources-cpu-limits/test/pod-only-limits/input/pod.yaml 
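Review bot: Git reports this new fixture as a rename of `rules/CVE-2022-0492/test/no_new_privs_fail/input/cronjob.yaml`, which means that input is removed from the CVE-2022-0492 test in this commit; unless that test case was meant to lose its CronJob input, the file should be copied rather than moved so the existing coverage stays intact. The fixture also goes from `apiVersion: batch/v1` back to `batch/v1beta1`, an API version that no longer exists in current Kubernetes releases; keep `apiVersion: batch/v1` unless the test specifically targets the legacy group.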
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: frontend +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" diff --git a/rules/resources-cpu-limits/test/pod/expected.json b/rules/resources-cpu-limits/test/pod/expected.json new file mode 100644 index 000000000..aaedc1fbf --- /dev/null +++ b/rules/resources-cpu-limits/test/pod/expected.json @@ -0,0 +1,27 @@ +[ + { + "alertMessage": "Container: log-aggregator does not have CPU-limit or request", + "reviewPaths": [], + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.containers[1].resources.limits.cpu", + "value": "YOUR_VALUE" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "frontend" + } + } + ] + } + } +] \ No newline at end of file diff --git a/rules/resources-cpu-limits/test/pod/input/pod.yaml b/rules/resources-cpu-limits/test/pod/input/pod.yaml new file mode 100644 index 000000000..19a64f850 --- /dev/null +++ b/rules/resources-cpu-limits/test/pod/input/pod.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: frontend +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + resources: + requests: + memory: "64Mi" + limits: + memory: "128Mi" diff --git a/rules/resources-cpu-limits/test/workload/expected.json b/rules/resources-cpu-limits/test/workload/expected.json new file mode 100644 index 000000000..a139b8d79 --- /dev/null 
+++ b/rules/resources-cpu-limits/test/workload/expected.json @@ -0,0 +1,30 @@ +[ + { + "alertMessage": "Container: app in Deployment: test does not have CPU-limit or request", + "reviewPaths": [], + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "labels": { + "purpose": "demonstrate-command" + }, + "name": "test" + } + } + ] + } + } +] \ No newline at end of file diff --git a/rules/resources-cpu-limits/test/workload/input/deployment.yaml b/rules/resources-cpu-limits/test/workload/input/deployment.yaml new file mode 100644 index 000000000..28b3afed1 --- /dev/null +++ b/rules/resources-cpu-limits/test/workload/input/deployment.yaml @@ -0,0 +1,31 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: test + namespace: default + labels: + purpose: demonstrate-command +spec: + selector: + matchLabels: + purpose: demonstrate-command + template: + metadata: + labels: + purpose: demonstrate-command + spec : + containers : + - + name : app + image : images.my-company.example/app:v4 + - + name : log-aggregator + image : images.my-company.example/log-aggregator:v6 + resources : + requests : + memory : "64Mi" + cpu : "250m" + limits : + memory : "128Mi" + cpu : "500m" + \ No newline at end of file diff --git a/rules/resources-cpu-requests/raw.rego b/rules/resources-cpu-requests/raw.rego new file mode 100644 index 000000000..3a0c3d0c2 --- /dev/null +++ b/rules/resources-cpu-requests/raw.rego 
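Review bot: The pod template section uses `spec :`, `containers :`, `name : app` and a bare `-` on its own line followed by the item keys; this parses, but a space before the colon and the detached sequence dash are unidiomatic YAML that formatters will rewrite, and the file ends with a whitespace-only line and no final newline. Write it as `- name: app` / `  image: images.my-company.example/app:v4` with no space before `:`, matching the other fixtures in this commit.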
@@ -0,0 +1,69 @@ +package armo_builtins + +# ==================================== no CPU requests ============================================= +# Fails if pod does not have container with CPU request +deny[msga] { + pod := input[_] + pod.kind == "Pod" + container := pod.spec.containers[i] + not container.resources.requests.cpu + + fixPaths := [{"path": sprintf("spec.containers[%v].resources.requests.cpu", [format_int(i, 10)]), "value": "YOUR_VALUE"}] + + msga := { + "alertMessage": sprintf("Container: %v does not have CPU-limit or request", [ container.name]), + "packagename": "armo_builtins", + "alertScore": 7, + "reviewPaths": [], + "failedPaths": [], + "fixPaths": fixPaths, + "alertObject": { + "k8sApiObjects": [pod] + } + } +} + +# Fails if workload does not have container with CPU requests +deny[msga] { + wl := input[_] + spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} + spec_template_spec_patterns[wl.kind] + container := wl.spec.template.spec.containers[i] + not container.resources.requests.cpu + + fixPaths := [{"path": sprintf("spec.template.spec.containers[%v].resources.requests.cpu", [format_int(i, 10)]), "value": "YOUR_VALUE"}] + + msga := { + "alertMessage": sprintf("Container: %v in %v: %v does not have CPU-limit or request", [ container.name, wl.kind, wl.metadata.name]), + "packagename": "armo_builtins", + "alertScore": 7, + "reviewPaths": [], + "failedPaths": [], + "fixPaths": fixPaths, + "alertObject": { + "k8sApiObjects": [wl] + } + } +} + +# Fails if cronjob does not have container with CPU requests +deny[msga] { + wl := input[_] + wl.kind == "CronJob" + container = wl.spec.jobTemplate.spec.template.spec.containers[i] + not container.resources.requests.cpu + + fixPaths := [{"path": sprintf("spec.jobTemplate.spec.template.spec.containers[%v].resources.requests.cpu", [format_int(i, 10)]), "value": "YOUR_VALUE"}] + + msga := { + "alertMessage": sprintf("Container: %v in %v: %v does not have CPU-limit or 
request", [ container.name, wl.kind, wl.metadata.name]), + "packagename": "armo_builtins", + "alertScore": 7, + "reviewPaths": [], + "failedPaths": [], + "fixPaths": fixPaths, + "alertObject": { + "k8sApiObjects": [wl] + } + } +} diff --git a/rules/resources-cpu-requests/rule.metadata.json b/rules/resources-cpu-requests/rule.metadata.json new file mode 100644 index 000000000..6ca821706 --- /dev/null +++ b/rules/resources-cpu-requests/rule.metadata.json @@ -0,0 +1,48 @@ +{ + "name": "resources-cpu-requests", + "attributes": {}, + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + "ruleDependencies": [], + "description": "CPU requests are not set.", + "remediation": "Ensure CPU requests are set.", + "ruleQuery": "armo_builtins" +} \ No newline at end of file diff --git a/rules/resources-cpu-requests/test/cronjob/expected.json b/rules/resources-cpu-requests/test/cronjob/expected.json new file mode 100644 index 000000000..344180dd5 --- /dev/null +++ b/rules/resources-cpu-requests/test/cronjob/expected.json @@ -0,0 +1,27 @@ +[ + { + "alertMessage": "Container: hello in CronJob: hello does not have CPU-limit or request", + "reviewPaths": [], + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.jobTemplate.spec.template.spec.containers[0].resources.requests.cpu", + "value": "YOUR_VALUE" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "batch/v1beta1", + "kind": "CronJob", + "metadata": { + "name": "hello" + } + } + ] + } + } +] \ No newline at end of file 
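Review bot: Every alert in this new rule reads `does not have CPU-limit or request`, but all three `deny` bodies test only `not container.resources.requests.cpu`, so a container that has a CPU limit and no request is reported with a message claiming it may be missing a limit; suggest `"Container: %v does not have CPU request"` (and the `in %v: %v` variants) so the finding matches the check, with the expected.json fixtures updated to match. The bodies also walk only `spec.containers` / `spec.template.spec.containers` / `spec.jobTemplate.spec.template.spec.containers`, so init containers without a CPU request are never reported — if that is intended it deserves a comment, otherwise a parallel clause over `initContainers` is needed. Minor: the CronJob body binds `container = ...` where the other two use `:=`.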
diff --git a/rules/non-root-containers/test/cronjob-fixed-path/input/cronjob.yaml b/rules/resources-cpu-requests/test/cronjob/input/cronjob.yaml similarity index 70% rename from rules/non-root-containers/test/cronjob-fixed-path/input/cronjob.yaml rename to rules/resources-cpu-requests/test/cronjob/input/cronjob.yaml index d5c08bac8..ea5e131c7 100644 --- a/rules/non-root-containers/test/cronjob-fixed-path/input/cronjob.yaml +++ b/rules/resources-cpu-requests/test/cronjob/input/cronjob.yaml @@ -1,20 +1,19 @@ -apiVersion: batch/v1 +apiVersion: batch/v1beta1 kind: CronJob metadata: name: hello spec: - schedule: "* * * * *" + schedule: "*/1 * * * *" jobTemplate: spec: template: spec: + restartPolicy: OnFailure containers: - name: hello - image: busybox + image: busybox:latest imagePullPolicy: IfNotPresent command: - /bin/sh - -c - date; echo Hello from the Kubernetes cluster - - name: hello2 - restartPolicy: OnFailure \ No newline at end of file diff --git a/rules/resources-cpu-requests/test/pod-only-requests/expected.json b/rules/resources-cpu-requests/test/pod-only-requests/expected.json new file mode 100644 index 000000000..83beae079 --- /dev/null +++ b/rules/resources-cpu-requests/test/pod-only-requests/expected.json @@ -0,0 +1,22 @@ +[ + { + "alertMessage": "Container: log-aggregator does not have CPU-limit or request", + "reviewPaths": [], + "failedPaths": [], + "fixPaths" : [{"path": "spec.containers[1].resources.requests.cpu", "value": "YOUR_VALUE"}], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "frontend" + } + } + ] + } + } +] \ No newline at end of file diff --git a/rules/resources-cpu-requests/test/pod-only-requests/input/pod.yaml b/rules/resources-cpu-requests/test/pod-only-requests/input/pod.yaml new file mode 100644 index 000000000..0495de5d3 --- /dev/null 
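Review bot: This hunk is recorded as a rename of rules/non-root-containers/test/cronjob-fixed-path/input/cronjob.yaml, so the non-root-containers cronjob-fixed-path test loses its input file in this commit while nothing visible in this diff replaces it; if that test is still meant to run, the new fixture should be added as a new file and the old one left in place (git's rename detection pairing a deletion with a similar addition is the likely cause). Inside the new fixture, `apiVersion` moves from `batch/v1` back to `batch/v1beta1`, which was removed from Kubernetes in 1.25; the rule metadata matches batch with `"apiVersions": ["*"]` so the test still runs, but `batch/v1` is what a scanned cluster actually returns, so `apiVersion: batch/v1` is the better fixture value. `image: busybox:latest` is a mutable tag; a pinned tag keeps the fixture stable even though this rule does not inspect images.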
+++ b/rules/resources-cpu-requests/test/pod-only-requests/input/pod.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: frontend +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + resources: + requests: + memory: "64Mi" + limits: + memory: "128Mi" + cpu: "500m" diff --git a/rules/resources-cpu-requests/test/pod/expected.json b/rules/resources-cpu-requests/test/pod/expected.json new file mode 100644 index 000000000..f17c98b0a --- /dev/null +++ b/rules/resources-cpu-requests/test/pod/expected.json @@ -0,0 +1,27 @@ +[ + { + "alertMessage": "Container: log-aggregator does not have CPU-limit or request", + "reviewPaths": [], + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.containers[1].resources.requests.cpu", + "value": "YOUR_VALUE" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "frontend" + } + } + ] + } + } +] \ No newline at end of file diff --git a/rules/resources-cpu-requests/test/pod/input/pod.yaml b/rules/resources-cpu-requests/test/pod/input/pod.yaml new file mode 100644 index 000000000..19a64f850 --- /dev/null +++ b/rules/resources-cpu-requests/test/pod/input/pod.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: frontend +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + resources: + requests: + memory: "64Mi" + limits: + memory: "128Mi" 
diff --git a/rules/resources-cpu-requests/test/workload/expected.json b/rules/resources-cpu-requests/test/workload/expected.json new file mode 100644 index 000000000..c6e3a66c6 --- /dev/null +++ b/rules/resources-cpu-requests/test/workload/expected.json @@ -0,0 +1,30 @@ +[ + { + "alertMessage": "Container: app in Deployment: test does not have CPU-limit or request", + "reviewPaths": [], + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.template.spec.containers[0].resources.requests.cpu", + "value": "YOUR_VALUE" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "labels": { + "purpose": "demonstrate-command" + }, + "name": "test" + } + } + ] + } + } +] \ No newline at end of file diff --git a/rules/resources-cpu-requests/test/workload/input/deployment.yaml b/rules/resources-cpu-requests/test/workload/input/deployment.yaml new file mode 100644 index 000000000..28b3afed1 --- /dev/null +++ b/rules/resources-cpu-requests/test/workload/input/deployment.yaml @@ -0,0 +1,31 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: test + namespace: default + labels: + purpose: demonstrate-command +spec: + selector: + matchLabels: + purpose: demonstrate-command + template: + metadata: + labels: + purpose: demonstrate-command + spec : + containers : + - + name : app + image : images.my-company.example/app:v4 + - + name : log-aggregator + image : images.my-company.example/log-aggregator:v6 + resources : + requests : + memory : "64Mi" + cpu : "250m" + limits : + memory : "128Mi" + cpu : "500m" + \ No newline at end of file diff --git a/rules/resources-memory-limit-and-request/raw.rego b/rules/resources-memory-limit-and-request/raw.rego index cf1c9f289..c33c03c4e 100644 --- a/rules/resources-memory-limit-and-request/raw.rego +++ b/rules/resources-memory-limit-and-request/raw.rego 
@@ -1,15 +1,13 @@
 package armo_builtins
-# Fails if pod does not have container with memory-limit or request
+# ================================== no memory limits ==================================
+# Fails if pod does not have container with memory-limits
 deny[msga] {
 pod := input[_]
 pod.kind == "Pod"
 container := pod.spec.containers[i]
- not request_or_limit_memory(container)
- fixPaths := [
- {"path": sprintf("spec.containers[%v].resources.limits.memory", [format_int(i, 10)]), "value": "YOUR_VALUE"},
- {"path": sprintf("spec.containers[%v].resources.requests.memory", [format_int(i, 10)]), "value": "YOUR_VALUE"},
- ]
+ not container.resources.limits.memory
+ fixPaths := [{"path": sprintf("spec.containers[%v].resources.limits.memory", [format_int(i, 10)]), "value": "YOUR_VALUE"}]
 msga := {
 "alertMessage": sprintf("Container: %v does not have memory-limit or request", [container.name]),
@@ -21,17 +19,14 @@ deny[msga] {
 }
 }
-# Fails if workload does not have container with memory-limit or request
+# Fails if workload does not have container with memory-limits
 deny[msga] {
 wl := input[_]
 spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Job"}
 spec_template_spec_patterns[wl.kind]
 container := wl.spec.template.spec.containers[i]
- not request_or_limit_memory(container)
- fixPaths := [
- {"path": sprintf("spec.template.spec.containers[%v].resources.limits.memory", [format_int(i, 10)]), "value": "YOUR_VALUE"},
- {"path": sprintf("spec.template.spec.containers[%v].resources.requests.memory", [format_int(i, 10)]), "value": "YOUR_VALUE"},
- ]
+ not container.resources.limits.memory
+ fixPaths := [{"path": sprintf("spec.template.spec.containers[%v].resources.limits.memory", [format_int(i, 10)]), "value": "YOUR_VALUE"}]
 msga := {
 "alertMessage": sprintf("Container: %v in %v: %v does not have memory-limit or request", [container.name, wl.kind, wl.metadata.name]),
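Review bot: Now that each of these bodies checks only `not container.resources.limits.memory`, the unchanged context line `"alertMessage": sprintf("Container: %v does not have memory-limit or request", ...)` no longer describes the finding, and it is byte-identical to the message the new requests-only rules later in this file produce, so a container missing both yields two findings that cannot be told apart (the updated test/pod/expected.json shows exactly that pair). Suggest `"Container: %v does not have memory-limit"` here (and the `in %v: %v` variant in the workload body), with `does not have memory request` in the request rules, adjusting the expected.json fixtures. Both `deny` bodies continue past the end of their hunks.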
@@ -43,16 +38,13 @@ deny[msga] {
 }
 }
-# Fails if cronjob does not have container with memory-limit or request
+# Fails if cronjob does not have container with memory-limits
 deny[msga] {
 wl := input[_]
 wl.kind == "CronJob"
 container = wl.spec.jobTemplate.spec.template.spec.containers[i]
- not request_or_limit_memory(container)
- fixPaths := [
- {"path": sprintf("spec.jobTemplate.spec.template.spec.containers[%v].resources.limits.memory", [format_int(i, 10)]), "value": "YOUR_VALUE"},
- {"path": sprintf("spec.jobTemplate.spec.template.spec.containers[%v].resources.requests.memory", [format_int(i, 10)]), "value": "YOUR_VALUE"},
- ]
+ not container.resources.limits.memory
+ fixPaths := [{"path": sprintf("spec.jobTemplate.spec.template.spec.containers[%v].resources.limits.memory", [format_int(i, 10)]), "value": "YOUR_VALUE"}]
 msga := {
 "alertMessage": sprintf("Container: %v in %v: %v does not have memory-limit or request", [container.name, wl.kind, wl.metadata.name]),
@@ -64,26 +56,78 @@ deny[msga] { } } -request_or_limit_memory(container) { - container.resources.limits.memory - container.resources.requests.memory +# ================================== no memory requests ================================== +# Fails if pod does not have container with memory requests +deny[msga] { + pod := input[_] + pod.kind == "Pod" + container := pod.spec.containers[i] + not container.resources.requests.memory + fixPaths := [{"path": sprintf("spec.containers[%v].resources.requests.memory", [format_int(i, 10)]), "value": "YOUR_VALUE"}] + + msga := { + "alertMessage": sprintf("Container: %v does not have memory-limit or request", [container.name]), + "packagename": "armo_builtins", + "alertScore": 7, + "fixPaths": fixPaths, + "failedPaths": [], + "alertObject": {"k8sApiObjects": [pod]}, + } } -###################################################################################################### +# Fails if workload does not have container with memory requests +deny[msga] { + wl := input[_] + spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Job"} + spec_template_spec_patterns[wl.kind] + container := wl.spec.template.spec.containers[i] + not container.resources.requests.memory + fixPaths := [{"path": sprintf("spec.template.spec.containers[%v].resources.requests.memory", [format_int(i, 10)]), "value": "YOUR_VALUE"}] -# Fails if pod exceeds memory-limit or request + msga := { + "alertMessage": sprintf("Container: %v in %v: %v does not have memory-limit or request", [container.name, wl.kind, wl.metadata.name]), + "packagename": "armo_builtins", + "alertScore": 7, + "fixPaths": fixPaths, + "failedPaths": [], + "alertObject": {"k8sApiObjects": [wl]}, + } +} + +# Fails if cronjob does not have container with memory requests +deny[msga] { + wl := input[_] + wl.kind == "CronJob" + container = wl.spec.jobTemplate.spec.template.spec.containers[i] + not container.resources.requests.memory + fixPaths := [{"path": 
sprintf("spec.jobTemplate.spec.template.spec.containers[%v].resources.requests.memory", [format_int(i, 10)]), "value": "YOUR_VALUE"}] + + msga := { + "alertMessage": sprintf("Container: %v in %v: %v does not have memory-limit or request", [container.name, wl.kind, wl.metadata.name]), + "packagename": "armo_builtins", + "alertScore": 7, + "fixPaths": fixPaths, + "failedPaths": [], + "alertObject": {"k8sApiObjects": [wl]}, + } +} + + +# ============================================= memory requests exceed min/max ============================================= + +# Fails if pod exceeds memory request deny[msga] { pod := input[_] pod.kind == "Pod" container := pod.spec.containers[i] - request_or_limit_memory(container) - resource := is_min_max_exceeded_memory(container) - resource != "" + memory_req := container.resources.requests.memory + is_req_exceeded_memory(memory_req) + path := "resources.requests.memory" - failed_paths := sprintf("spec.containers[%v].%v", [format_int(i, 10), resource]) + failed_paths := sprintf("spec.containers[%v].%v", [format_int(i, 10), path]) msga := { - "alertMessage": sprintf("Container: %v exceeds memory-limit or request", [container.name]), + "alertMessage": sprintf("Container: %v exceeds memory request", [container.name]), "packagename": "armo_builtins", "alertScore": 7, "reviewPaths": [failed_paths], 
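Review bot: The three new `no memory requests` bodies emit `fixPaths`, `failedPaths` and `alertObject` but omit `"reviewPaths": []`, while the `exceeds` rule at the bottom of this same hunk and the sibling resources-cpu-requests rule include it; a consumer reading `reviewPaths` unconditionally sees a missing key on some findings from this file and an empty list on others. Add `"reviewPaths": [],` to each of the three new `msga` objects. The message `does not have memory-limit or request` is also shared with the limits-only rules above, so a container missing both produces two indistinguishable alerts; `does not have memory request` would be accurate here. The last `deny` body continues past the end of the hunk.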
@@ -93,21 +137,21 @@ deny[msga] {
 }
 }
-# Fails if workload exceeds memory-limit or request
+# Fails if workload exceeds memory request
 deny[msga] {
 wl := input[_]
 spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Job"}
 spec_template_spec_patterns[wl.kind]
 container := wl.spec.template.spec.containers[i]
- request_or_limit_memory(container)
- resource := is_min_max_exceeded_memory(container)
- resource != ""
+ memory_req := container.resources.requests.memory
+ is_req_exceeded_memory(memory_req)
+ path := "resources.requests.memory"
- failed_paths := sprintf("spec.template.spec.containers[%v].%v", [format_int(i, 10), resource])
+ failed_paths := sprintf("spec.template.spec.containers[%v].%v", [format_int(i, 10), path])
 msga := {
- "alertMessage": sprintf("Container: %v in %v: %v exceeds memory-limit or request", [container.name, wl.kind, wl.metadata.name]),
+ "alertMessage": sprintf("Container: %v in %v: %v exceeds memory request", [container.name, wl.kind, wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
 "reviewPaths": [failed_paths],
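Review bot: `is_req_exceeded_memory` fires for a request below `memory_request_min` as well as above `memory_request_max` (the helper chain further down this file keeps both `is_min_request_exceeded_memory` and `is_max_request_exceeded_memory`), so the new wording `exceeds memory request` is wrong in the minimum case — the workload-exceeded fixture added in this change reports a 64Mi request against a 300Mi minimum as "exceeds". A message such as `"Container: %v in %v: %v memory request is outside the allowed range"`, or two clauses with distinct below-minimum / above-maximum messages, would describe the finding correctly. The `deny` body continues past the end of the hunk.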
@@ -117,20 +161,20 @@ deny[msga] {
 }
 }
-# Fails if cronjob exceeds memory-limit or request
+# Fails if cronjob exceeds memory request
 deny[msga] {
 wl := input[_]
 wl.kind == "CronJob"
 container = wl.spec.jobTemplate.spec.template.spec.containers[i]
- request_or_limit_memory(container)
- resource := is_min_max_exceeded_memory(container)
- resource != ""
+ memory_req := container.resources.requests.memory
+ is_req_exceeded_memory(memory_req)
+ path := "resources.requests.memory"
- failed_paths := sprintf("spec.jobTemplate.spec.template.spec.containers[%v].%v", [format_int(i, 10), resource])
+ failed_paths := sprintf("spec.jobTemplate.spec.template.spec.containers[%v].%v", [format_int(i, 10), path])
 msga := {
- "alertMessage": sprintf("Container: %v in %v: %v exceeds memory-limit or request", [container.name, wl.kind, wl.metadata.name]),
+ "alertMessage": sprintf("Container: %v in %v: %v exceeds memory request", [container.name, wl.kind, wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
 "reviewPaths": [failed_paths],
@@ -140,18 +184,80 @@ deny[msga] { } } -###################################################################################################### +# ============================================= memory limits exceed min/max ============================================= -is_min_max_exceeded_memory(container) = "resources.limits.memory" { +# Fails if pod exceeds memory-limit +deny[msga] { + pod := input[_] + pod.kind == "Pod" + container := pod.spec.containers[i] memory_limit := container.resources.limits.memory is_limit_exceeded_memory(memory_limit) -} else = "resources.requests.memory" { - memory_req := container.resources.requests.memory - is_req_exceeded_memory(memory_req) -} else = "" { - true + path := "resources.limits.memory" + + failed_paths := sprintf("spec.containers[%v].%v", [format_int(i, 10), path]) + + msga := { + "alertMessage": sprintf("Container: %v exceeds memory-limit ", [container.name]), + "packagename": "armo_builtins", + "alertScore": 7, + "reviewPaths": [failed_paths], + "failedPaths": [failed_paths], + "fixPaths": [], + "alertObject": {"k8sApiObjects": [pod]}, + } +} + +# Fails if workload exceeds memory-limit +deny[msga] { + wl := input[_] + spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Job"} + spec_template_spec_patterns[wl.kind] + container := wl.spec.template.spec.containers[i] + + memory_limit := container.resources.limits.memory + is_limit_exceeded_memory(memory_limit) + path := "resources.limits.memory" + + failed_paths := sprintf("spec.template.spec.containers[%v].%v", [format_int(i, 10), path]) + + msga := { + "alertMessage": sprintf("Container: %v in %v: %v exceeds memory-limit", [container.name, wl.kind, wl.metadata.name]), + "packagename": "armo_builtins", + "alertScore": 7, + "reviewPaths": [failed_paths], + "failedPaths": [failed_paths], + "fixPaths": [], + "alertObject": {"k8sApiObjects": [wl]}, + } } +# Fails if cronjob exceeds memory-limit +deny[msga] { + wl := input[_] + wl.kind == 
"CronJob" + container = wl.spec.jobTemplate.spec.template.spec.containers[i] + + memory_limit := container.resources.limits.memory + is_limit_exceeded_memory(memory_limit) + path := "resources.limits.memory" + + failed_paths := sprintf("spec.jobTemplate.spec.template.spec.containers[%v].%v", [format_int(i, 10), path]) + + msga := { + "alertMessage": sprintf("Container: %v in %v: %v exceeds memory-limit", [container.name, wl.kind, wl.metadata.name]), + "packagename": "armo_builtins", + "alertScore": 7, + "reviewPaths": [failed_paths], + "failedPaths": [failed_paths], + "fixPaths": [], + "alertObject": {"k8sApiObjects": [wl]}, + } +} + +###################################################################################################### + + is_limit_exceeded_memory(memory_limit) { is_min_limit_exceeded_memory(memory_limit) } @@ -171,7 +277,7 @@ is_req_exceeded_memory(memory_req) { # helpers is_max_limit_exceeded_memory(memory_limit) { - memory_limit_max :=data.postureControlInputs.memory_limit_max[_] + memory_limit_max := data.postureControlInputs.memory_limit_max[_] compare_max(memory_limit_max, memory_limit) } @@ -190,6 +296,7 @@ is_min_request_exceeded_memory(memory_req) { compare_min(memory_req_min, memory_req) } + ############## # helpers 
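Review bot: The Pod variant of the new limit rule formats its message as `"Container: %v exceeds memory-limit "` with a trailing space, whereas the Deployment and CronJob variants in the same hunk use `exceeds memory-limit` with none; anything that matches, groups or de-duplicates on message text will treat them as different findings. Drop the space: `"alertMessage": sprintf("Container: %v exceeds memory-limit", [container.name]),`. As with the request rules, `is_limit_exceeded_memory` also covers the below-minimum case through `is_min_limit_exceeded_memory` (visible at the bottom of this hunk), so "exceeds" under-describes the finding when `memory_limit_min` is the bound that was violated.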
@@ -197,25 +304,25 @@ is_min_request_exceeded_memory(memory_req) {
 compare_max(max, given) {
 endswith(max, "Mi")
 endswith(given, "Mi")
- split_max := split(max, "Mi")[0]
- split_given := split(given, "Mi")[0]
- split_given > split_max
+ split_max := split(max, "Mi")[0]
+ split_given := split(given, "Mi")[0]
+ to_number(split_given) > to_number(split_max)
 }
 compare_max(max, given) {
 endswith(max, "M")
 endswith(given, "M")
- split_max := split(max, "M")[0]
- split_given := split(given, "M")[0]
- split_given > split_max
+ split_max := split(max, "M")[0]
+ split_given := split(given, "M")[0]
+ to_number(split_given) > to_number(split_max)
 }
 compare_max(max, given) {
 endswith(max, "m")
 endswith(given, "m")
- split_max := split(max, "m")[0]
- split_given := split(given, "m")[0]
- split_given > split_max
+ split_max := split(max, "m")[0]
+ split_given := split(given, "m")[0]
+ to_number(split_given) > to_number(split_max)
 }
 compare_max(max, given) {
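Review bot: Converting with `to_number` before comparing fixes the lexicographic string compare (previously `"9Mi"` was judged greater than `"128Mi"`), but each clause still requires `max` and `given` to carry the same suffix and only `Mi`, `M` and `m` are handled; a limit written as `1Gi` or `512Ki`, or a `Gi` value checked against a max configured in `Mi`, matches none of these three clauses and falls through to the last `compare_max`, whose `not is_special_measure(...)` guard appears to be meant for unit-less values, so such containers are silently never reported. Suggest normalizing both sides to bytes with one helper (strip the suffix with `trim_suffix`, multiply by the unit's factor for Ki/Mi/Gi/Ti and k/M/G/T, pass plain integers through) and comparing the two numbers once instead of one clause per suffix. `is_special_measure` is defined outside this hunk, so whether it already lists the unhandled suffixes cannot be confirmed from this diff.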
@@ -224,40 +331,40 @@ compare_max(max, given) { given > max } - - ################ # Compare according to unit - min compare_min(min, given) { endswith(min, "Mi") endswith(given, "Mi") - split_min := split(min, "Mi")[0] - split_given := split(given, "Mi")[0] - split_given < split_min + split_min := split(min, "Mi")[0] + split_given := split(given, "Mi")[0] + to_number(split_given) < to_number(split_min) } compare_min(min, given) { endswith(min, "M") endswith(given, "M") - split_min := split(min, "M")[0] - split_given := split(given, "M")[0] - split_given < split_min + split_min := split(min, "M")[0] + split_given := split(given, "M")[0] + to_number(split_given) < to_number(split_min) + } compare_min(min, given) { endswith(min, "m") endswith(given, "m") - split_min := split(min, "m")[0] - split_given := split(given, "m")[0] - split_given < split_min + split_min := split(min, "m")[0] + split_given := split(given, "m")[0] + to_number(split_given) < to_number(split_min) + } compare_min(min, given) { not is_special_measure(min) not is_special_measure(given) - given < min -} + to_number(given) < to_number(min) +} # Check that is same unit is_special_measure(unit) { diff --git a/rules/resources-memory-limit-and-request/rule.metadata.json b/rules/resources-memory-limit-and-request/rule.metadata.json index 8505c889b..4813e61b3 100644 --- a/rules/resources-memory-limit-and-request/rule.metadata.json +++ b/rules/resources-memory-limit-and-request/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "resources-memory-limit-and-request", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/resources-memory-limit-and-request/test/cronjob/expected.json b/rules/resources-memory-limit-and-request/test/cronjob/expected.json index 7ca8b207e..3444a7588 100644 --- a/rules/resources-memory-limit-and-request/test/cronjob/expected.json +++ b/rules/resources-memory-limit-and-request/test/cronjob/expected.json 
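Review bot: The last `compare_max` clause, visible as context at the top of this hunk, still compares `given > max` on the raw values, while its `compare_min` counterpart at the bottom of the hunk was changed to `to_number(given) < to_number(min)`; for quoted unit-less quantities that leaves a lexicographic string comparison in the max path only (`"9" > "128"` is true as strings), so the two helpers disagree on the same input. Change it to `to_number(given) > to_number(max)` to match. The `is_special_measure` definition begins on the last line of the hunk and continues outside it.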
@@ -6,7 +6,27 @@ { "path": "spec.jobTemplate.spec.template.spec.containers[0].resources.limits.memory", "value": "YOUR_VALUE" - }, + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "batch/v1beta1", + "kind": "CronJob", + "metadata": { + "name": "hello" + } + } + ] + } + }, + { + "alertMessage": "Container: hello in CronJob: hello does not have memory-limit or request", + "failedPaths": [], + "fixPaths": [ { "path": "spec.jobTemplate.spec.template.spec.containers[0].resources.requests.memory", "value": "YOUR_VALUE" diff --git a/rules/non-root-containers/test/deployment-fixed-path/expected.json b/rules/resources-memory-limit-and-request/test/pod-only-limits/expected.json similarity index 51% rename from rules/non-root-containers/test/deployment-fixed-path/expected.json rename to rules/resources-memory-limit-and-request/test/pod-only-limits/expected.json index 5214ad4f2..6b6a0addf 100644 --- a/rules/non-root-containers/test/deployment-fixed-path/expected.json +++ b/rules/resources-memory-limit-and-request/test/pod-only-limits/expected.json @@ -1,9 +1,9 @@ [{ - "alertMessage": "container: web in pod: static-web may run as root", + "alertMessage": "Container: log-aggregator does not have memory-limit or request", "failedPaths": [], "fixPaths": [{ - "path": "spec.containers[0].securityContext.runAsNonRoot", - "value": "true" + "path": "spec.containers[1].resources.limits.memory", + "value": "YOUR_VALUE" }], "ruleStatus": "", "packagename": "armo_builtins", @@ -13,10 +13,7 @@ "apiVersion": "v1", "kind": "Pod", "metadata": { - "labels": { - "role": "myrole" - }, - "name": "static-web" + "name": "frontend" } }] } diff --git a/rules/resources-memory-limit-and-request/test/pod-only-limits/input/pod.yaml b/rules/resources-memory-limit-and-request/test/pod-only-limits/input/pod.yaml new file mode 100644 index 000000000..7774dea5f --- /dev/null 
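Review bot: The pod-only-limits expected.json hunk is recorded as a 51%-similar rename of rules/non-root-containers/test/deployment-fixed-path/expected.json, so that non-root-containers test loses its expected output in this commit while nothing visible in this diff removes or replaces its input; unless the test runner tolerates a missing expected.json, that test will now fail or silently stop asserting. The new fixture should be added as a new file and the non-root-containers expected.json left untouched — git's rename detection pairing a deletion with an unrelated addition is the likely origin of this hunk, which is worth double-checking in the commit before merging.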
+++ b/rules/resources-memory-limit-and-request/test/pod-only-limits/input/pod.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: frontend +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + cpu: "500m" diff --git a/rules/resources-memory-limit-and-request/test/pod-only-requests/expected.json b/rules/resources-memory-limit-and-request/test/pod-only-requests/expected.json new file mode 100644 index 000000000..4648d72fc --- /dev/null +++ b/rules/resources-memory-limit-and-request/test/pod-only-requests/expected.json @@ -0,0 +1,20 @@ +[{ + "alertMessage": "Container: log-aggregator does not have memory-limit or request", + "failedPaths": [], + "fixPaths": [{ + "path": "spec.containers[1].resources.requests.memory", + "value": "YOUR_VALUE" + }], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [{ + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "frontend" + } + }] + } +}] \ No newline at end of file diff --git a/rules/resources-memory-limit-and-request/test/pod-only-requests/input/pod.yaml b/rules/resources-memory-limit-and-request/test/pod-only-requests/input/pod.yaml new file mode 100644 index 000000000..d146d134a --- /dev/null +++ b/rules/resources-memory-limit-and-request/test/pod-only-requests/input/pod.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: frontend +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + resources: + requests: + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" 
diff --git a/rules/resources-memory-limit-and-request/test/pod/expected.json b/rules/resources-memory-limit-and-request/test/pod/expected.json index 67802dc0e..7521c44a2 100644 --- a/rules/resources-memory-limit-and-request/test/pod/expected.json +++ b/rules/resources-memory-limit-and-request/test/pod/expected.json @@ -1,23 +1,50 @@ -[{ - "alertMessage": "Container: log-aggregator does not have memory-limit or request", - "failedPaths": [], - "fixPaths": [{ - "path": "spec.containers[1].resources.limits.memory", - "value": "YOUR_VALUE" - }, { - "path": "spec.containers[1].resources.requests.memory", - "value": "YOUR_VALUE" - }], - "ruleStatus": "", - "packagename": "armo_builtins", - "alertScore": 7, - "alertObject": { - "k8sApiObjects": [{ - "apiVersion": "v1", - "kind": "Pod", - "metadata": { - "name": "frontend" +[ + { + "alertMessage": "Container: log-aggregator does not have memory-limit or request", + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.containers[1].resources.limits.memory", + "value": "YOUR_VALUE" } - }] + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "frontend" + } + } + ] + } + }, + { + "alertMessage": "Container: log-aggregator does not have memory-limit or request", + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.containers[1].resources.requests.memory", + "value": "YOUR_VALUE" + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "frontend" + } + } + ] + } } -}] \ No newline at end of file +] \ No newline at end of file diff --git a/rules/resources-memory-limit-and-request/test/pod_pass/data.json b/rules/resources-memory-limit-and-request/test/pod_pass/data.json new file mode 100644 index 000000000..7fc81fd94 --- /dev/null 
+++ b/rules/resources-memory-limit-and-request/test/pod_pass/data.json @@ -0,0 +1,6 @@ +{ + "postureControlInputs": { + "memory_limit_max": ["256Mi"], + "memory_request_max": ["128Mi"] + } +} \ No newline at end of file diff --git a/rules/resources-memory-limit-and-request/test/pod_pass/expected.json b/rules/resources-memory-limit-and-request/test/pod_pass/expected.json new file mode 100644 index 000000000..0637a088a --- /dev/null +++ b/rules/resources-memory-limit-and-request/test/pod_pass/expected.json @@ -0,0 +1 @@ +[] \ No newline at end of file diff --git a/rules/resources-memory-limit-and-request/test/pod_pass/input/pod.yaml b/rules/resources-memory-limit-and-request/test/pod_pass/input/pod.yaml new file mode 100644 index 000000000..e84566463 --- /dev/null +++ b/rules/resources-memory-limit-and-request/test/pod_pass/input/pod.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: frontend +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" \ No newline at end of file diff --git a/rules/resources-memory-limit-and-request/test/workload-exceeded/data.json b/rules/resources-memory-limit-and-request/test/workload-exceeded/data.json new file mode 100644 index 000000000..276227e9e --- /dev/null +++ b/rules/resources-memory-limit-and-request/test/workload-exceeded/data.json @@ -0,0 +1,8 @@ +{ + "postureControlInputs": { + "memory_request_max": ["300Mi"], + "memory_request_min": ["300Mi"], + "memory_limit_max": ["300Mi"], + "memory_limit_min": ["300Mi"] + } +} \ No newline at end of file diff --git a/rules/resources-memory-limit-and-request/test/workload-exceeded/expected.json b/rules/resources-memory-limit-and-request/test/workload-exceeded/expected.json new file mode 100644 index 000000000..15a317325 --- /dev/null +++ b/rules/resources-memory-limit-and-request/test/workload-exceeded/expected.json 
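Review bot: pod_pass only exercises values well inside the bounds (a 64Mi request against a 128Mi `memory_request_max`, a 128Mi limit against a 256Mi `memory_limit_max`) and sets no `memory_*_min` inputs, so neither the equality boundary nor the lower bound is pinned; `compare_max` and `compare_min` use strict `>` / `<`, meaning a value equal to the configured max or min is meant to pass, and that is exactly the behaviour a later change to `>=` would break without any test noticing. Suggest a second passing fixture (or an extension of this one) with `"memory_limit_max": ["128Mi"]` and `"memory_request_min": ["64Mi"]` against the same pod, still expecting `[]`.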
@@ -0,0 +1,56 @@
+[
+ {
+ "alertMessage": "Container: log-aggregator in Deployment: test exceeds memory request",
+ "reviewPaths": [
+ "spec.template.spec.containers[0].resources.requests.memory"
+ ],
+ "failedPaths": [
+ "spec.template.spec.containers[0].resources.requests.memory"
+ ],
+ "fixPaths": [],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 7,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "apps/v1",
+ "kind": "Deployment",
+ "metadata": {
+ "labels": {
+ "purpose": "demonstrate-command"
+ },
+ "name": "test"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "alertMessage": "Container: log-aggregator in Deployment: test exceeds memory-limit",
+ "reviewPaths": [
+ "spec.template.spec.containers[0].resources.limits.memory"
+ ],
+ "failedPaths": [
+ "spec.template.spec.containers[0].resources.limits.memory"
+ ],
+ "fixPaths": [],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 7,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "apps/v1",
+ "kind": "Deployment",
+ "metadata": {
+ "labels": {
+ "purpose": "demonstrate-command"
+ },
+ "name": "test"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/resources-memory-limit-and-request/test/workload-exceeded/input/deployment.yaml b/rules/resources-memory-limit-and-request/test/workload-exceeded/input/deployment.yaml
new file mode 100644
index 000000000..208339fff
--- /dev/null
+++ b/rules/resources-memory-limit-and-request/test/workload-exceeded/input/deployment.yaml
@@ -0,0 +1,28 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: test + namespace: default + labels: + purpose: demonstrate-command +spec: + selector: + matchLabels: + purpose: demonstrate-command + template: + metadata: + labels: + purpose: demonstrate-command + spec : + containers : + - + name : log-aggregator + image : images.my-company.example/log-aggregator:v6 + resources : + requests : + memory : "64Mi" + cpu : "250m" + limits : + memory : "328Mi" + cpu : "500m" + \ No newline at end of file diff --git a/rules/resources-memory-limit-and-request/test/workload/expected.json b/rules/resources-memory-limit-and-request/test/workload/expected.json index 123dc187f..35d582692 100644 --- a/rules/resources-memory-limit-and-request/test/workload/expected.json +++ b/rules/resources-memory-limit-and-request/test/workload/expected.json @@ -6,7 +6,30 @@ { "path": "spec.template.spec.containers[0].resources.limits.memory", "value": "YOUR_VALUE" - }, + } + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "labels": { + "purpose": "demonstrate-command" + }, + "name": "test" + } + } + ] + } + }, + { + "alertMessage": "Container: app in Deployment: test does not have memory-limit or request", + "failedPaths": [], + "fixPaths": [ { "path": "spec.template.spec.containers[0].resources.requests.memory", "value": "YOUR_VALUE" diff --git a/rules/resources-memory-limits/raw.rego b/rules/resources-memory-limits/raw.rego new file mode 100644 index 000000000..1c307d57d --- /dev/null +++ b/rules/resources-memory-limits/raw.rego 
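Review bot: The new fixture `workload-exceeded/input/deployment.yaml` writes the container stanza with a space before each colon (`spec :`, `containers :`, `name : log-aggregator`, `memory : "328Mi"`), which is valid YAML but fails yamllint's default `colons` rule and reads differently from the rest of the file, where `metadata:` and `labels:` are written conventionally. Writing those keys as `spec:` / `containers:` / `name: log-aggregator` keeps the fixture lint-clean. The same layout is repeated in `rules/resources-memory-limits/test/workload/input/deployment.yaml` and `rules/resources-memory-requests/test/workload/input/deployment.yaml`.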
@@ -0,0 +1,57 @@
+package armo_builtins
+
+# ================================== no memory limits ==================================
+# Fails if pod does not have container with memory-limits
+deny[msga] {
+ pod := input[_]
+ pod.kind == "Pod"
+ container := pod.spec.containers[i]
+ not container.resources.limits.memory
+ fixPaths := [{"path": sprintf("spec.containers[%v].resources.limits.memory", [format_int(i, 10)]), "value": "YOUR_VALUE"}]
+
+ msga := {
+ "alertMessage": sprintf("Container: %v does not have memory-limit or request", [container.name]),
+ "packagename": "armo_builtins",
+ "alertScore": 7,
+ "fixPaths": fixPaths,
+ "failedPaths": [],
+ "alertObject": {"k8sApiObjects": [pod]},
+ }
+}
+
+# Fails if workload does not have container with memory-limits
+deny[msga] {
+ wl := input[_]
+ spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Job"}
+ spec_template_spec_patterns[wl.kind]
+ container := wl.spec.template.spec.containers[i]
+ not container.resources.limits.memory
+ fixPaths := [{"path": sprintf("spec.template.spec.containers[%v].resources.limits.memory", [format_int(i, 10)]), "value": "YOUR_VALUE"}]
+
+ msga := {
+ "alertMessage": sprintf("Container: %v in %v: %v does not have memory-limit or request", [container.name, wl.kind, wl.metadata.name]),
+ "packagename": "armo_builtins",
+ "alertScore": 7,
+ "fixPaths": fixPaths,
+ "failedPaths": [],
+ "alertObject": {"k8sApiObjects": [wl]},
+ }
+}
+
+# Fails if cronjob does not have container with memory-limits
+deny[msga] {
+ wl := input[_]
+ wl.kind == "CronJob"
+ container = wl.spec.jobTemplate.spec.template.spec.containers[i]
+ not container.resources.limits.memory
+ fixPaths := [{"path": sprintf("spec.jobTemplate.spec.template.spec.containers[%v].resources.limits.memory", [format_int(i, 10)]), "value": "YOUR_VALUE"}]
+
+ msga := {
+ "alertMessage": sprintf("Container: %v in %v: %v does not have memory-limit or request", [container.name, wl.kind, wl.metadata.name]),
+ "packagename": "armo_builtins",
+ "alertScore": 7,
+ "fixPaths": fixPaths,
+ "failedPaths": [],
+ "alertObject": {"k8sApiObjects": [wl]},
+ }
+}
diff --git a/rules/resources-memory-limits/rule.metadata.json b/rules/resources-memory-limits/rule.metadata.json
new file mode 100644
index 000000000..17d2d44e8
--- /dev/null
+++ b/rules/resources-memory-limits/rule.metadata.json
@@ -0,0 +1,48 @@
+{
+ "name": "resources-memory-limits",
+ "attributes": {},
+ "ruleLanguage": "Rego",
+ "match": [
+ {
+ "apiGroups": [
+ ""
+ ],
+ "apiVersions": [
+ "v1"
+ ],
+ "resources": [
+ "Pod"
+ ]
+ },
+ {
+ "apiGroups": [
+ "apps"
+ ],
+ "apiVersions": [
+ "v1"
+ ],
+ "resources": [
+ "Deployment",
+ "ReplicaSet",
+ "DaemonSet",
+ "StatefulSet"
+ ]
+ },
+ {
+ "apiGroups": [
+ "batch"
+ ],
+ "apiVersions": [
+ "*"
+ ],
+ "resources": [
+ "Job",
+ "CronJob"
+ ]
+ }
+ ],
+ "ruleDependencies": [],
+ "description": "memory limits are not set.",
+ "remediation": "Ensure memory limits are set.",
+ "ruleQuery": "armo_builtins"
+}
\ No newline at end of file
diff --git a/rules/resources-memory-limits/test/cronjob/expected.json b/rules/resources-memory-limits/test/cronjob/expected.json
new file mode 100644
index 000000000..151841bc4
--- /dev/null
+++ b/rules/resources-memory-limits/test/cronjob/expected.json
@@ -0,0 +1,26 @@
+[
+ {
+ "alertMessage": "Container: hello in CronJob: hello does not have memory-limit or request",
+ "failedPaths": [],
+ "fixPaths": [
+ {
+ "path": "spec.jobTemplate.spec.template.spec.containers[0].resources.limits.memory",
+ "value": "YOUR_VALUE"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 7,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "batch/v1beta1",
+ "kind": "CronJob",
+ "metadata": {
+ "name": "hello"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
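Review bot: All three `deny` rules in the new `rules/resources-memory-limits/raw.rego` report `does not have memory-limit or request`, but the only condition tested is `not container.resources.limits.memory`, so a finding from this rule reads as if a request might also be missing; `"alertMessage": sprintf("Container: %v does not have memory-limit", [container.name]),` (and the `in %v: %v` variants for workloads and cronjobs) would state what was actually checked, with the `expected.json` fixtures updated to match. The same message is copied into `rules/resources-memory-requests/raw.rego`, where only `requests.memory` is checked. Each rule iterates `spec.containers` (or `spec.template.spec.containers` / `spec.jobTemplate.spec.template.spec.containers`) only, so init containers under `initContainers` are never inspected and a pod whose only container without a memory limit is an init container passes silently; a parallel rule over `initContainers` with a matching fixPath would close that gap in both files. The cronjob rule also binds `container` with `=` where the pod and workload rules use `:=`.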
diff --git a/rules/resources-memory-limits/test/cronjob/input/cronjob.yaml b/rules/resources-memory-limits/test/cronjob/input/cronjob.yaml
new file mode 100644
index 000000000..ea5e131c7
--- /dev/null
+++ b/rules/resources-memory-limits/test/cronjob/input/cronjob.yaml
@@ -0,0 +1,19 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: hello
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ containers:
+ - name: hello
+ image: busybox:latest
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ - -c
+ - date; echo Hello from the Kubernetes cluster
diff --git a/rules/resources-memory-limits/test/pod-only-limits/expected.json b/rules/resources-memory-limits/test/pod-only-limits/expected.json
new file mode 100644
index 000000000..6b6a0addf
--- /dev/null
+++ b/rules/resources-memory-limits/test/pod-only-limits/expected.json
@@ -0,0 +1,20 @@
+[{
+ "alertMessage": "Container: log-aggregator does not have memory-limit or request",
+ "failedPaths": [],
+ "fixPaths": [{
+ "path": "spec.containers[1].resources.limits.memory",
+ "value": "YOUR_VALUE"
+ }],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 7,
+ "alertObject": {
+ "k8sApiObjects": [{
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "frontend"
+ }
+ }]
+ }
+}]
\ No newline at end of file
diff --git a/rules/resources-memory-limits/test/pod-only-limits/input/pod.yaml b/rules/resources-memory-limits/test/pod-only-limits/input/pod.yaml
new file mode 100644
index 000000000..7774dea5f
--- /dev/null
+++ b/rules/resources-memory-limits/test/pod-only-limits/input/pod.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: frontend
+spec:
+ containers:
+ - name: app
+ image: images.my-company.example/app:v4
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "250m"
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
+ - name: log-aggregator
+ image: images.my-company.example/log-aggregator:v6
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "250m"
+ limits:
+ cpu: "500m"
diff --git a/rules/resources-memory-limits/test/pod/expected.json b/rules/resources-memory-limits/test/pod/expected.json
new file mode 100644
index 000000000..c038718d6
--- /dev/null
+++ b/rules/resources-memory-limits/test/pod/expected.json
@@ -0,0 +1,26 @@
+[
+ {
+ "alertMessage": "Container: log-aggregator does not have memory-limit or request",
+ "failedPaths": [],
+ "fixPaths": [
+ {
+ "path": "spec.containers[1].resources.limits.memory",
+ "value": "YOUR_VALUE"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 7,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "frontend"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/resources-memory-limits/test/pod/input/pod.yaml b/rules/resources-memory-limits/test/pod/input/pod.yaml
new file mode 100644
index 000000000..c3e7d26a1
--- /dev/null
+++ b/rules/resources-memory-limits/test/pod/input/pod.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: frontend
+spec:
+ containers:
+ - name: app
+ image: images.my-company.example/app:v4
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "250m"
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
+ - name: log-aggregator
+ image: images.my-company.example/log-aggregator:v6
+ resources:
+ requests:
+ cpu: "250m"
+ limits:
+ cpu: "500m"
diff --git a/rules/resources-memory-limits/test/pod_pass/data.json b/rules/resources-memory-limits/test/pod_pass/data.json
new file mode 100644
index 000000000..7fc81fd94
--- /dev/null
+++ b/rules/resources-memory-limits/test/pod_pass/data.json
@@ -0,0 +1,6 @@
+{
+ "postureControlInputs": {
+ "memory_limit_max": ["256Mi"],
+ "memory_request_max": ["128Mi"]
+ }
+}
\ No newline at end of file
diff --git a/rules/resources-memory-limits/test/pod_pass/expected.json b/rules/resources-memory-limits/test/pod_pass/expected.json
new file mode 100644
index 000000000..0637a088a
--- /dev/null
+++ b/rules/resources-memory-limits/test/pod_pass/expected.json
@@ -0,0 +1 @@
+[]
\ No newline at end of file
diff --git a/rules/resources-memory-limits/test/pod_pass/input/pod.yaml b/rules/resources-memory-limits/test/pod_pass/input/pod.yaml
new file mode 100644
index 000000000..e84566463
--- /dev/null
+++ b/rules/resources-memory-limits/test/pod_pass/input/pod.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: frontend
+spec:
+ containers:
+ - name: app
+ image: images.my-company.example/app:v4
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "250m"
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
\ No newline at end of file
diff --git a/rules/resources-memory-limits/test/workload/expected.json b/rules/resources-memory-limits/test/workload/expected.json
new file mode 100644
index 000000000..2a1b71846
--- /dev/null
+++ b/rules/resources-memory-limits/test/workload/expected.json
@@ -0,0 +1,29 @@
+[
+ {
+ "alertMessage": "Container: app in Deployment: test does not have memory-limit or request",
+ "failedPaths": [],
+ "fixPaths": [
+ {
+ "path": "spec.template.spec.containers[0].resources.limits.memory",
+ "value": "YOUR_VALUE"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 7,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "apps/v1",
+ "kind": "Deployment",
+ "metadata": {
+ "labels": {
+ "purpose": "demonstrate-command"
+ },
+ "name": "test"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/resources-memory-limits/test/workload/input/deployment.yaml b/rules/resources-memory-limits/test/workload/input/deployment.yaml
new file mode 100644
index 000000000..28b3afed1
--- /dev/null
+++ b/rules/resources-memory-limits/test/workload/input/deployment.yaml
@@ -0,0 +1,31 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test
+ namespace: default
+ labels:
+ purpose: demonstrate-command
+spec:
+ selector:
+ matchLabels:
+ purpose: demonstrate-command
+ template:
+ metadata:
+ labels:
+ purpose: demonstrate-command
+ spec :
+ containers :
+ -
+ name : app
+ image : images.my-company.example/app:v4
+ -
+ name : log-aggregator
+ image : images.my-company.example/log-aggregator:v6
+ resources :
+ requests :
+ memory : "64Mi"
+ cpu : "250m"
+ limits :
+ memory : "128Mi"
+ cpu : "500m"
+
\ No newline at end of file
diff --git a/rules/resources-memory-limits/test/workload_passed/deployment1.yaml b/rules/resources-memory-limits/test/workload_passed/deployment1.yaml
new file mode 100644
index 000000000..a1adda28e
--- /dev/null
+++ b/rules/resources-memory-limits/test/workload_passed/deployment1.yaml
@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ generation: 19
+ labels:
+ app: dtr-customer-myapp
+ name: dtr-customer-myapp
+ namespace: dtr-customer
+spec:
+ progressDeadlineSeconds: 600
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app: dtr-customer-myapp
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ type: RollingUpdate
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app: dtr-customer-myapp
+ spec:
+ containers:
+ - envFrom:
+ - configMapRef:
+ name: dtr-customer-myapp-configmap
+ - secretRef:
+ name: dtr-customer-myapp-secrets
+ image: myrepo.domain.com/cre/dtr-customer-myapp:1.1.1
+ imagePullPolicy: IfNotPresent
+ name: dtr-customer-myapp
+ ports:
+ - containerPort: 343
+ protocol: TCP
+ resources:
+ limits:
+ cpu: 450m
+ memory: "512Mi"
+ requests:
+ cpu: 100m
+ memory: "200Mi"
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ dnsPolicy: ClusterFirst
+ imagePullSecrets:
+ - name: myimagesecret
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext: {}
+ terminationGracePeriodSeconds: 30
+ topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app: dtr-customer-myapp
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: ScheduleAnyway
\ No newline at end of file
diff --git a/rules/resources-memory-limits/test/workload_passed/expected.json b/rules/resources-memory-limits/test/workload_passed/expected.json
new file mode 100644
index 000000000..0637a088a
--- /dev/null
+++ b/rules/resources-memory-limits/test/workload_passed/expected.json
@@ -0,0 +1 @@
+[]
\ No newline at end of file
diff --git a/rules/resources-memory-requests/raw.rego b/rules/resources-memory-requests/raw.rego
new file mode 100644
index 000000000..2caf8b372
--- /dev/null
+++ b/rules/resources-memory-requests/raw.rego
@@ -0,0 +1,58 @@
+package armo_builtins
+
+# ================================== no memory requests ==================================
+# Fails if pod does not have container with memory requests
+deny[msga] {
+ pod := input[_]
+ pod.kind == "Pod"
+ container := pod.spec.containers[i]
+ not container.resources.requests.memory
+ fixPaths := [{"path": sprintf("spec.containers[%v].resources.requests.memory", [format_int(i, 10)]), "value": "YOUR_VALUE"}]
+
+ msga := {
+ "alertMessage": sprintf("Container: %v does not have memory-limit or request", [container.name]),
+ "packagename": "armo_builtins",
+ "alertScore": 7,
+ "fixPaths": fixPaths,
+ "failedPaths": [],
+ "alertObject": {"k8sApiObjects": [pod]},
+ }
+}
+
+# Fails if workload does not have container with memory requests
+deny[msga] {
+ wl := input[_]
+ spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Job"}
+ spec_template_spec_patterns[wl.kind]
+ container := wl.spec.template.spec.containers[i]
+ not container.resources.requests.memory
+ fixPaths := [{"path": sprintf("spec.template.spec.containers[%v].resources.requests.memory", [format_int(i, 10)]), "value": "YOUR_VALUE"}]
+
+ msga := {
+ "alertMessage": sprintf("Container: %v in %v: %v does not have memory-limit or request", [container.name, wl.kind, wl.metadata.name]),
+ "packagename": "armo_builtins",
+ "alertScore": 7,
+ "fixPaths": fixPaths,
+ "failedPaths": [],
+ "alertObject": {"k8sApiObjects": [wl]},
+ }
+}
+
+# Fails if cronjob does not have container with memory requests
+deny[msga] {
+ wl := input[_]
+ wl.kind == "CronJob"
+ container = wl.spec.jobTemplate.spec.template.spec.containers[i]
+ not container.resources.requests.memory
+ fixPaths := [{"path": sprintf("spec.jobTemplate.spec.template.spec.containers[%v].resources.requests.memory", [format_int(i, 10)]), "value": "YOUR_VALUE"}]
+
+ msga := {
+ "alertMessage": sprintf("Container: %v in %v: %v does not have memory-limit or request", [container.name, wl.kind, wl.metadata.name]),
+ "packagename": "armo_builtins",
+ "alertScore": 7,
+ "fixPaths": fixPaths,
+ "failedPaths": [],
+ "alertObject": {"k8sApiObjects": [wl]},
+ }
+}
+
diff --git a/rules/resources-memory-requests/rule.metadata.json b/rules/resources-memory-requests/rule.metadata.json
new file mode 100644
index 000000000..aef86df41
--- /dev/null
+++ b/rules/resources-memory-requests/rule.metadata.json
@@ -0,0 +1,48 @@
+{
+ "name": "resources-memory-requests",
+ "attributes": {},
+ "ruleLanguage": "Rego",
+ "match": [
+ {
+ "apiGroups": [
+ ""
+ ],
+ "apiVersions": [
+ "v1"
+ ],
+ "resources": [
+ "Pod"
+ ]
+ },
+ {
+ "apiGroups": [
+ "apps"
+ ],
+ "apiVersions": [
+ "v1"
+ ],
+ "resources": [
+ "Deployment",
+ "ReplicaSet",
+ "DaemonSet",
+ "StatefulSet"
+ ]
+ },
+ {
+ "apiGroups": [
+ "batch"
+ ],
+ "apiVersions": [
+ "*"
+ ],
+ "resources": [
+ "Job",
+ "CronJob"
+ ]
+ }
+ ],
+ "ruleDependencies": [],
+ "description": "memory requests are not set.",
+ "remediation": "Ensure memory requests are set.",
+ "ruleQuery": "armo_builtins"
+}
\ No newline at end of file
diff --git a/rules/resources-memory-requests/test/cronjob/expected.json b/rules/resources-memory-requests/test/cronjob/expected.json
new file mode 100644
index 000000000..7ae170d0b
--- /dev/null
+++ b/rules/resources-memory-requests/test/cronjob/expected.json
@@ -0,0 +1,26 @@
+[
+ {
+ "alertMessage": "Container: hello in CronJob: hello does not have memory-limit or request",
+ "failedPaths": [],
+ "fixPaths": [
+ {
+ "path": "spec.jobTemplate.spec.template.spec.containers[0].resources.requests.memory",
+ "value": "YOUR_VALUE"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 7,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "batch/v1beta1",
+ "kind": "CronJob",
+ "metadata": {
+ "name": "hello"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/resources-memory-requests/test/cronjob/input/cronjob.yaml b/rules/resources-memory-requests/test/cronjob/input/cronjob.yaml
new file mode 100644
index 000000000..ea5e131c7
--- /dev/null
+++ b/rules/resources-memory-requests/test/cronjob/input/cronjob.yaml
@@ -0,0 +1,19 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: hello
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ containers:
+ - name: hello
+ image: busybox:latest
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ - -c
+ - date; echo Hello from the Kubernetes cluster
diff --git a/rules/resources-memory-requests/test/pod-only-requests/expected.json b/rules/resources-memory-requests/test/pod-only-requests/expected.json
new file mode 100644
index 000000000..4648d72fc
--- /dev/null
+++ b/rules/resources-memory-requests/test/pod-only-requests/expected.json
@@ -0,0 +1,20 @@
+[{
+ "alertMessage": "Container: log-aggregator does not have memory-limit or request",
+ "failedPaths": [],
+ "fixPaths": [{
+ "path": "spec.containers[1].resources.requests.memory",
+ "value": "YOUR_VALUE"
+ }],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 7,
+ "alertObject": {
+ "k8sApiObjects": [{
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "frontend"
+ }
+ }]
+ }
+}]
\ No newline at end of file
diff --git a/rules/resources-memory-requests/test/pod-only-requests/input/pod.yaml b/rules/resources-memory-requests/test/pod-only-requests/input/pod.yaml
new file mode 100644
index 000000000..d146d134a
--- /dev/null
+++ b/rules/resources-memory-requests/test/pod-only-requests/input/pod.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: frontend
+spec:
+ containers:
+ - name: app
+ image: images.my-company.example/app:v4
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "250m"
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
+ - name: log-aggregator
+ image: images.my-company.example/log-aggregator:v6
+ resources:
+ requests:
+ cpu: "250m"
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
diff --git a/rules/resources-memory-requests/test/pod/expected.json b/rules/resources-memory-requests/test/pod/expected.json
new file mode 100644
index 000000000..d87f0e699
--- /dev/null
+++ b/rules/resources-memory-requests/test/pod/expected.json
@@ -0,0 +1,26 @@
+[
+ {
+ "alertMessage": "Container: log-aggregator does not have memory-limit or request",
+ "failedPaths": [],
+ "fixPaths": [
+ {
+ "path": "spec.containers[1].resources.requests.memory",
+ "value": "YOUR_VALUE"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 7,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "frontend"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/resources-memory-requests/test/pod/input/pod.yaml b/rules/resources-memory-requests/test/pod/input/pod.yaml
new file mode 100644
index 000000000..c3e7d26a1
--- /dev/null
+++ b/rules/resources-memory-requests/test/pod/input/pod.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: frontend
+spec:
+ containers:
+ - name: app
+ image: images.my-company.example/app:v4
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "250m"
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
+ - name: log-aggregator
+ image: images.my-company.example/log-aggregator:v6
+ resources:
+ requests:
+ cpu: "250m"
+ limits:
+ cpu: "500m"
diff --git a/rules/resources-memory-requests/test/pod_pass/data.json b/rules/resources-memory-requests/test/pod_pass/data.json
new file mode 100644
index 000000000..7fc81fd94
--- /dev/null
+++ b/rules/resources-memory-requests/test/pod_pass/data.json
@@ -0,0 +1,6 @@
+{
+ "postureControlInputs": {
+ "memory_limit_max": ["256Mi"],
+ "memory_request_max": ["128Mi"]
+ }
+}
\ No newline at end of file
diff --git a/rules/resources-memory-requests/test/pod_pass/expected.json b/rules/resources-memory-requests/test/pod_pass/expected.json
new file mode 100644
index 000000000..0637a088a
--- /dev/null
+++ b/rules/resources-memory-requests/test/pod_pass/expected.json
@@ -0,0 +1 @@
+[]
\ No newline at end of file
diff --git a/rules/resources-memory-requests/test/pod_pass/input/pod.yaml b/rules/resources-memory-requests/test/pod_pass/input/pod.yaml
new file mode 100644
index 000000000..e84566463
--- /dev/null
+++ b/rules/resources-memory-requests/test/pod_pass/input/pod.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: frontend
+spec:
+ containers:
+ - name: app
+ image: images.my-company.example/app:v4
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "250m"
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
\ No newline at end of file
diff --git a/rules/resources-memory-requests/test/workload/expected.json b/rules/resources-memory-requests/test/workload/expected.json
new file mode 100644
index 000000000..e2f67c7eb
--- /dev/null
+++ b/rules/resources-memory-requests/test/workload/expected.json
@@ -0,0 +1,29 @@
+[
+ {
+ "alertMessage": "Container: app in Deployment: test does not have memory-limit or request",
+ "failedPaths": [],
+ "fixPaths": [
+ {
+ "path": "spec.template.spec.containers[0].resources.requests.memory",
+ "value": "YOUR_VALUE"
+ }
+ ],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 7,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "apps/v1",
+ "kind": "Deployment",
+ "metadata": {
+ "labels": {
+ "purpose": "demonstrate-command"
+ },
+ "name": "test"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/resources-memory-requests/test/workload/input/deployment.yaml b/rules/resources-memory-requests/test/workload/input/deployment.yaml
new file mode 100644
index 000000000..28b3afed1
--- /dev/null
+++ b/rules/resources-memory-requests/test/workload/input/deployment.yaml
@@ -0,0 +1,31 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test
+ namespace: default
+ labels:
+ purpose: demonstrate-command
+spec:
+ selector:
+ matchLabels:
+ purpose: demonstrate-command
+ template:
+ metadata:
+ labels:
+ purpose: demonstrate-command
+ spec :
+ containers :
+ -
+ name : app
+ image : images.my-company.example/app:v4
+ -
+ name : log-aggregator
+ image : images.my-company.example/log-aggregator:v6
+ resources :
+ requests :
+ memory : "64Mi"
+ cpu : "250m"
+ limits :
+ memory : "128Mi"
+ cpu : "500m"
+
\ No newline at end of file
diff --git a/rules/resources-memory-requests/test/workload_passed/deployment1.yaml b/rules/resources-memory-requests/test/workload_passed/deployment1.yaml
new file mode 100644
index 000000000..a1adda28e
--- /dev/null
+++ b/rules/resources-memory-requests/test/workload_passed/deployment1.yaml
@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ generation: 19
+ labels:
+ app: dtr-customer-myapp
+ name: dtr-customer-myapp
+ namespace: dtr-customer
+spec:
+ progressDeadlineSeconds: 600
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app: dtr-customer-myapp
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ type: RollingUpdate
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app: dtr-customer-myapp
+ spec:
+ containers:
+ - envFrom:
+ - configMapRef:
+ name: dtr-customer-myapp-configmap
+ - secretRef:
+ name: dtr-customer-myapp-secrets
+ image: myrepo.domain.com/cre/dtr-customer-myapp:1.1.1
+ imagePullPolicy: IfNotPresent
+ name: dtr-customer-myapp
+ ports:
+ - containerPort: 343
+ protocol: TCP
+ resources:
+ limits:
+ cpu: 450m
+ memory: "512Mi"
+ requests:
+ cpu: 100m
+ memory: "200Mi"
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ dnsPolicy: ClusterFirst
+ imagePullSecrets:
+ - name: myimagesecret
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext: {}
+ terminationGracePeriodSeconds: 30
+ topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app: dtr-customer-myapp
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: ScheduleAnyway
\ No newline at end of file
diff --git a/rules/resources-memory-requests/test/workload_passed/expected.json b/rules/resources-memory-requests/test/workload_passed/expected.json
new file mode 100644
index 000000000..0637a088a
--- /dev/null
+++ b/rules/resources-memory-requests/test/workload_passed/expected.json
@@ -0,0 +1 @@
+[]
\ No newline at end of file
diff --git a/rules/resources-secret-in-default-namespace/rule.metadata.json b/rules/resources-secret-in-default-namespace/rule.metadata.json
index 1ee07168d..8f91c04d1 100644
--- a/rules/resources-secret-in-default-namespace/rule.metadata.json
+++ b/rules/resources-secret-in-default-namespace/rule.metadata.json
@@ -1,7 +1,6 @@ { "name": "resources-secret-in-default-namespace", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/resources-secret-in-default-namespace/test/configmap/expected.json b/rules/resources-secret-in-default-namespace/test/configmap/expected.json index 656beee22..e7cec61ce 100644 --- a/rules/resources-secret-in-default-namespace/test/configmap/expected.json +++ b/rules/resources-secret-in-default-namespace/test/configmap/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "ConfigMap: kubescape is in the 'default' namespace", + "reviewPaths": [ + "metadata.namespace" + ], "failedPaths": [ "metadata.namespace" ], diff --git a/rules/restrict-access-to-the-control-plane-endpoint/raw.rego b/rules/restrict-access-to-the-control-plane-endpoint/raw.rego index 14eae0211..eab684e2b 100644 --- a/rules/restrict-access-to-the-control-plane-endpoint/raw.rego +++ b/rules/restrict-access-to-the-control-plane-endpoint/raw.rego @@ -15,6 +15,7 @@ deny[msga] { "alertMessage": "Parameter 'authorizedIPRanges' was not set.", "packagename": "armo_builtins", "alertScore": 7, + "reviewPaths": [], "failedPaths": [], "fixPaths":[], "fixCommand": "az aks update -n '' -g '' --api-server-authorized-ip-ranges '0.0.0.0/32'", diff --git a/rules/restrict-access-to-the-control-plane-endpoint/rule.metadata.json b/rules/restrict-access-to-the-control-plane-endpoint/rule.metadata.json index 03184e004..876ad9532 100644 --- a/rules/restrict-access-to-the-control-plane-endpoint/rule.metadata.json +++ b/rules/restrict-access-to-the-control-plane-endpoint/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "restrict-access-to-the-control-plane-endpoint", "attributes": { - "armoBuiltin": true, "hostSensorRule": "false", "imageScanRelated": false }, diff --git a/rules/restrict-access-to-the-control-plane-endpoint/test/failed/expected.json b/rules/restrict-access-to-the-control-plane-endpoint/test/failed/expected.json index e1dbb550c..f24ffbbc6 100644 
--- a/rules/restrict-access-to-the-control-plane-endpoint/test/failed/expected.json +++ b/rules/restrict-access-to-the-control-plane-endpoint/test/failed/expected.json @@ -3,6 +3,7 @@ "alertMessage": "Parameter 'authorizedIPRanges' was not set.", "packagename": "armo_builtins", "alertScore": 7, + "reviewPaths": [], "failedPaths": [], "fixPaths":[], "fixCommand": "az aks update -n '' -g '' --api-server-authorized-ip-ranges '0.0.0.0/32'", diff --git a/rules/review-roles-with-aws-iam-authenticator/rule.metadata.json b/rules/review-roles-with-aws-iam-authenticator/rule.metadata.json index ebc0ee4d8..4a8f6ed9d 100644 --- a/rules/review-roles-with-aws-iam-authenticator/rule.metadata.json +++ b/rules/review-roles-with-aws-iam-authenticator/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "review-roles-with-aws-iam-authenticator", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/role-in-default-namespace/rule.metadata.json b/rules/role-in-default-namespace/rule.metadata.json index 68590ff63..64d738baf 100644 --- a/rules/role-in-default-namespace/rule.metadata.json +++ b/rules/role-in-default-namespace/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "role-in-default-namespace", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/role-in-default-namespace/test/role/expected.json b/rules/role-in-default-namespace/test/role/expected.json index 8f796889c..dfd319155 100644 --- a/rules/role-in-default-namespace/test/role/expected.json +++ b/rules/role-in-default-namespace/test/role/expected.json @@ -1,6 +1,7 @@ [ { "alertMessage": "Role: allow-port-forward is in the 'default' namespace", + "reviewPaths": [], "failedPaths": [], "fixPaths": [ { diff --git a/rules/rolebinding-in-default-namespace/rule.metadata.json b/rules/rolebinding-in-default-namespace/rule.metadata.json index 2e3ae4185..09fa0ad0c 100644 --- a/rules/rolebinding-in-default-namespace/rule.metadata.json 
+++ b/rules/rolebinding-in-default-namespace/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "rolebinding-in-default-namespace", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/rolebinding-in-default-namespace/test/rolebinding/expected.json b/rules/rolebinding-in-default-namespace/test/rolebinding/expected.json index ae41833c3..38d0687b1 100644 --- a/rules/rolebinding-in-default-namespace/test/rolebinding/expected.json +++ b/rules/rolebinding-in-default-namespace/test/rolebinding/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "RoleBinding: pod is in the 'default' namespace", + "reviewPaths": [ + "metadata.namespace" + ], "failedPaths": [ "metadata.namespace" ], diff --git a/rules/rule-access-dashboard-subject-v1/rule.metadata.json b/rules/rule-access-dashboard-subject-v1/rule.metadata.json index 9201de9a8..1008a5bb0 100644 --- a/rules/rule-access-dashboard-subject-v1/rule.metadata.json +++ b/rules/rule-access-dashboard-subject-v1/rule.metadata.json @@ -2,7 +2,6 @@ "name": "rule-access-dashboard-subject-v1", "attributes": { "m$K8sThreatMatrix": "Lateral Movement::Access Kubernetes dashboard, Discovery::Access Kubernetes dashboard", - "armoBuiltin": true, "resourcesAggregator": "subject-role-rolebinding", "useFromKubescapeVersion": "v1.0.133" }, diff --git a/rules/rule-access-dashboard-subject-v1/test/clusterrole-clusterrolebinding/expected.json b/rules/rule-access-dashboard-subject-v1/test/clusterrole-clusterrolebinding/expected.json index e935b1b80..c9f474816 100644 --- a/rules/rule-access-dashboard-subject-v1/test/clusterrole-clusterrolebinding/expected.json +++ b/rules/rule-access-dashboard-subject-v1/test/clusterrole-clusterrolebinding/expected.json 
@@ -1,5 +1,6 @@ [{ "alertMessage": "Subject: Group-manager is bound to dashboard role/clusterrole", + "reviewPaths": ["relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "failedPaths": ["relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "fixPaths": [], "ruleStatus": "", @@ -46,6 +47,7 @@ } }, { "alertMessage": "Subject: Group-manager is bound to dashboard role/clusterrole", + "reviewPaths": ["relatedObjects[0].subjects[1]", "relatedObjects[0].roleRef.name"], "failedPaths": ["relatedObjects[0].subjects[1]", "relatedObjects[0].roleRef.name"], "fixPaths": [], "ruleStatus": "", @@ -92,6 +94,7 @@ } }, { "alertMessage": "Subject: Group-dev is bound to dashboard role/clusterrole", + "reviewPaths": ["relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "failedPaths": ["relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "fixPaths": [], "ruleStatus": "", @@ -138,6 +141,7 @@ } }, { "alertMessage": "Subject: Group-dev is bound to dashboard role/clusterrole", + "reviewPaths": ["relatedObjects[0].subjects[1]", "relatedObjects[0].roleRef.name"], "failedPaths": ["relatedObjects[0].subjects[1]", "relatedObjects[0].roleRef.name"], "fixPaths": [], "ruleStatus": "", diff --git a/rules/rule-access-dashboard-subject-v1/test/clusterrole-rolebinding/expected.json b/rules/rule-access-dashboard-subject-v1/test/clusterrole-rolebinding/expected.json index 2e57893fe..97b9222f4 100644 --- a/rules/rule-access-dashboard-subject-v1/test/clusterrole-rolebinding/expected.json +++ b/rules/rule-access-dashboard-subject-v1/test/clusterrole-rolebinding/expected.json @@ -1,5 +1,6 @@ [{ "alertMessage": "Subject: User-jane is bound to dashboard role/clusterrole", + "reviewPaths": ["relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "failedPaths": ["relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "fixPaths": [], "ruleStatus": "", 
diff --git a/rules/rule-access-dashboard-subject-v1/test/role-rolebinding/expected.json b/rules/rule-access-dashboard-subject-v1/test/role-rolebinding/expected.json index 1fb43ff8e..4fe11acf5 100644 --- a/rules/rule-access-dashboard-subject-v1/test/role-rolebinding/expected.json +++ b/rules/rule-access-dashboard-subject-v1/test/role-rolebinding/expected.json @@ -1,5 +1,6 @@ [{ "alertMessage": "Subject: User-jane is bound to dashboard role/clusterrole", + "reviewPaths": ["relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "failedPaths": ["relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "fixPaths": [], "ruleStatus": "", diff --git a/rules/rule-access-dashboard-wl-v1/raw.rego b/rules/rule-access-dashboard-wl-v1/raw.rego index d3191a423..48dd06c76 100644 --- a/rules/rule-access-dashboard-wl-v1/raw.rego +++ b/rules/rule-access-dashboard-wl-v1/raw.rego @@ -14,8 +14,8 @@ deny[msga] { "packagename": "armo_builtins", "alertScore": 7, "fixPaths": [], - "deletePaths": ["spec.serviceaccountname"], - "failedPaths": ["spec.serviceaccountname"], + "deletePaths": ["spec.serviceAccountName"], + "failedPaths": ["spec.serviceAccountName"], "alertObject": { "k8sApiObjects": [pod] } @@ -36,8 +36,8 @@ deny[msga] { msga := { "alertMessage": sprintf("%v: %v is associated with dashboard service account", [wl.kind, wl.metadata.name]), "packagename": "armo_builtins", - "deletePaths": ["spec.template.spec.serviceaccountname"], - "failedPaths": ["spec.template.spec.serviceaccountname"], + "deletePaths": ["spec.template.spec.serviceAccountName"], + "failedPaths": ["spec.template.spec.serviceAccountName"], "alertScore": 7, "fixPaths": [], "alertObject": { 
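Review bot: The case fix in this hunk touches only the reported `deletePaths`/`failedPaths` strings, while the condition that selects the pod sits above the hunk; if it still reads the lowercase field the way the removed `rule-access-dashboard` rule in this same diff does (`pod.spec.serviceaccountname == "kubernetes-dashboard"`), the rule never fires on a real Pod, because the API field is `spec.serviceAccountName`, and the corrected paths are unreachable. Please confirm the selector is `pod.spec.serviceAccountName == "kubernetes-dashboard"` (and the matching `spec.template.spec.` and `spec.jobTemplate.spec.template.spec.` forms in the other two hunks of this file), and that the test fixtures use the camelCase key, otherwise the updated expected.json files only pass against input no live cluster would produce. The deny body starts outside the hunk.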
@@ -61,8 +61,8 @@ deny[msga] { "packagename": "armo_builtins", "alertScore": 7, "fixPaths": [], - "deletePaths": ["spec.jobTemplate.spec.template.spec.serviceaccountname"], - "failedPaths": ["spec.jobTemplate.spec.template.spec.serviceaccountname"], + "deletePaths": ["spec.jobTemplate.spec.template.spec.serviceAccountName"], + "failedPaths": ["spec.jobTemplate.spec.template.spec.serviceAccountName"], "alertObject": { "k8sApiObjects": [wl] } diff --git a/rules/rule-access-dashboard-wl-v1/rule.metadata.json b/rules/rule-access-dashboard-wl-v1/rule.metadata.json index 7f91b502a..f51c33a3f 100644 --- a/rules/rule-access-dashboard-wl-v1/rule.metadata.json +++ b/rules/rule-access-dashboard-wl-v1/rule.metadata.json @@ -2,7 +2,6 @@ "name": "rule-access-dashboard-wl-v1", "attributes": { "m$K8sThreatMatrix": "Lateral Movement::Access Kubernetes dashboard, Discovery::Access Kubernetes dashboard", - "armoBuiltin": true, "useFromKubescapeVersion": "v1.0.133" }, "ruleLanguage": "Rego", diff --git a/rules/rule-access-dashboard-wl-v1/test/cronjob/expected.json b/rules/rule-access-dashboard-wl-v1/test/cronjob/expected.json index 4e9b7fc03..9819413ae 100644 --- a/rules/rule-access-dashboard-wl-v1/test/cronjob/expected.json +++ b/rules/rule-access-dashboard-wl-v1/test/cronjob/expected.json @@ -1,6 +1,7 @@ [{ "alertMessage": "the following cronjob: hello is associated with dashboard service account", - "failedPaths": ["spec.jobTemplate.spec.template.spec.serviceaccountname"], + "failedPaths": ["spec.jobTemplate.spec.template.spec.serviceAccountName"], + "deletePaths": ["spec.jobTemplate.spec.template.spec.serviceAccountName"], "fixPaths": [], "ruleStatus": "", "packagename": "armo_builtins", diff --git a/rules/rule-access-dashboard-wl-v1/test/pod/expected.json b/rules/rule-access-dashboard-wl-v1/test/pod/expected.json index 54165477b..f3cea907d 100644 --- a/rules/rule-access-dashboard-wl-v1/test/pod/expected.json +++ b/rules/rule-access-dashboard-wl-v1/test/pod/expected.json 
@@ -1,6 +1,7 @@ [{ "alertMessage": "the following pods: frontend are associated with dashboard service account", - "failedPaths": ["spec.serviceaccountname"], + "failedPaths": ["spec.serviceAccountName"], + "deletePaths": ["spec.serviceAccountName"], "fixPaths": [], "ruleStatus": "", "packagename": "armo_builtins", diff --git a/rules/rule-access-dashboard-wl-v1/test/workload/expected.json b/rules/rule-access-dashboard-wl-v1/test/workload/expected.json index facb5b185..7c12fc3b8 100644 --- a/rules/rule-access-dashboard-wl-v1/test/workload/expected.json +++ b/rules/rule-access-dashboard-wl-v1/test/workload/expected.json @@ -1,6 +1,7 @@ [{ "alertMessage": "Deployment: test is associated with dashboard service account", - "failedPaths": ["spec.template.spec.serviceaccountname"], + "deletePaths": ["spec.template.spec.serviceAccountName"], + "failedPaths": ["spec.template.spec.serviceAccountName"], "fixPaths": [], "ruleStatus": "", "packagename": "armo_builtins", diff --git a/rules/rule-access-dashboard/raw.rego b/rules/rule-access-dashboard/raw.rego deleted file mode 100644 index 1b5b94867..000000000 --- a/rules/rule-access-dashboard/raw.rego +++ /dev/null 
@@ -1,119 +0,0 @@ -package armo_builtins - -# input: roleBinding -# apiversion: v1 -# fails if a subject that is not dashboard service account is bound to dashboard role - -deny[msga] { - roleBinding := input[_] - roleBinding.kind == "RoleBinding" - roleBinding.roleRef.name == "kubernetes-dashboard" - subject := roleBinding.subjects[_] - subject.name != "kubernetes-dashboard" - subject.kind != "ServiceAccount" - - msga := { - "alertMessage": sprintf("the following subjects: %s are bound to dashboard role/clusterrole", [subject.name]), - "alertScore": 9, - "failedPaths": [], - "packagename": "armo_builtins", - "alertObject": { - "k8sApiObjects": [roleBinding], - "externalObjects": { - "subject" : [subject] - } - } - } -} - -# input: clusterRoleBinding -# apiversion: v1 -# fails if a subject that is not dashboard service account is bound to dashboard role - -deny[msga] { - roleBinding := input[_] - roleBinding.kind == "ClusterRoleBinding" - roleBinding.roleRef.name == "kubernetes-dashboard" - subject := roleBinding.subjects[_] - subject.name != "kubernetes-dashboard" - subject.kind != "ServiceAccount" - - msga := { - "alertMessage": sprintf("the following subjects: %s are bound to dashboard role/clusterrole", [subject.name]), - "alertScore": 9, - "failedPaths": [], - "packagename": "armo_builtins", - "alertObject": { - "k8sApiObjects": [roleBinding], - "externalObjects": { - "subject" : [subject] - } - } - } -} - -# input: -# apiversion: -# fails if pod that is not dashboard is associated to dashboard service account - -deny[msga] { - pod := input[_] - pod.spec.serviceaccountname == "kubernetes-dashboard" - not startswith(pod.metadata.name, "kubernetes-dashboard") - path := "spec.serviceaccountname" - msga := { - "alertMessage": sprintf("the following pods: %s are associated with dashboard service account", [pod.metadata.name]), - "packagename": "armo_builtins", - "alertScore": 7, - "deletePaths": [path], - "failedPaths": [path], - "alertObject": { - "k8sApiObjects": 
[pod] - } - } -} - -# input: -# apiversion: -# fails if workload that is not dashboard is associated to dashboard service account - -deny[msga] { - wl := input[_] - spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} - spec_template_spec_patterns[wl.kind] - wl.spec.template.spec.serviceaccountname == "kubernetes-dashboard" - not startswith(wl.metadata.name, "kubernetes-dashboard") - path := "spec.template.spec.serviceaccountname" - msga := { - "alertMessage": sprintf("%v: %v is associated with dashboard service account", [wl.kind, wl.metadata.name]), - "packagename": "armo_builtins", - "alertScore": 7, - "deletePaths": [path], - "failedPaths": [path], - "alertObject": { - "k8sApiObjects": [wl] - } - } -} - -# input: -# apiversion: -# fails if CronJob that is not dashboard is associated to dashboard service account - -deny[msga] { - wl := input[_] - wl.kind == "CronJob" - wl.spec.jobTemplate.spec.template.spec.serviceaccountname == "kubernetes-dashboard" - not startswith(wl.metadata.name, "kubernetes-dashboard") - path := "spec.jobTemplate.spec.template.spec.serviceaccountname" - msga := { - "alertMessage": sprintf("the following cronjob: %s is associated with dashboard service account", [wl.metadata.name]), - "packagename": "armo_builtins", - "alertScore": 7, - "deletePaths": [path], - "failedPaths": [path], - "alertObject": { - "k8sApiObjects": [wl] - } - } -} \ No newline at end of file diff --git a/rules/rule-access-dashboard/rule.metadata.json b/rules/rule-access-dashboard/rule.metadata.json deleted file mode 100644 index 9c5b34a68..000000000 --- a/rules/rule-access-dashboard/rule.metadata.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "name": "rule-access-dashboard", - "attributes": { - "m$K8sThreatMatrix": "Lateral Movement::Access Kubernetes dashboard, Discovery::Access Kubernetes dashboard", - "armoBuiltin": true, - "useUntilKubescapeVersion": "v1.0.133" - }, - "ruleLanguage": "Rego", - "match": [ - { - "apiGroups": [ - "*" - ], - "apiVersions": [ - "*" - ], - "resources": [ - "RoleBinding", - "ClusterRoleBinding" - ] - } - ], - "ruleDependencies": [], - "description": "fails if subject that is not dashboard service account is bound to dashboard role/clusterrole, or- if anyone that is not dashboard pod is associated with its service account.", - "remediation": "", - "ruleQuery": "armo_builtins", - "resourceCount": "subjects" - } \ No newline at end of file diff --git a/rules/rule-allow-privilege-escalation/raw.rego b/rules/rule-allow-privilege-escalation/raw.rego index 41cf0a6f2..47eab807b 100644 --- a/rules/rule-allow-privilege-escalation/raw.rego +++ b/rules/rule-allow-privilege-escalation/raw.rego @@ -7,17 +7,14 @@ deny[msga] { pod.kind == "Pod" container := pod.spec.containers[i] start_of_path := "spec." - result := is_allow_privilege_escalation_container(container, i, start_of_path) - failed_path := get_failed_path(result) - fixed_path := get_fixed_path(result) + is_allow_privilege_escalation_container(container) + fixPath := get_fix_path(i, start_of_path) msga := { "alertMessage": sprintf("container: %v in pod: %v allow privilege escalation", [container.name, pod.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, - "reviewPaths": failed_path, - "failedPaths": failed_path, - "fixPaths": fixed_path, + "fixPaths": fixPath, "alertObject": { "k8sApiObjects": [pod] } 
@@ -32,17 +29,14 @@ deny[msga] { spec_template_spec_patterns[wl.kind] container := wl.spec.template.spec.containers[i] start_of_path := "spec.template.spec." - result := is_allow_privilege_escalation_container(container, i, start_of_path) - failed_path := get_failed_path(result) - fixed_path := get_fixed_path(result) + is_allow_privilege_escalation_container(container) + fixPath := get_fix_path(i, start_of_path) msga := { "alertMessage": sprintf("container :%v in %v: %v allow privilege escalation", [container.name, wl.kind, wl.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, - "reviewPaths": failed_path, - "failedPaths": failed_path, - "fixPaths": fixed_path, + "fixPaths": fixPath, "alertObject": { "k8sApiObjects": [wl] } @@ -56,17 +50,14 @@ deny[msga] { wl.kind == "CronJob" container = wl.spec.jobTemplate.spec.template.spec.containers[i] start_of_path := "spec.jobTemplate.spec.template.spec." - result := is_allow_privilege_escalation_container(container, i, start_of_path) - failed_path := get_failed_path(result) - fixed_path := get_fixed_path(result) + is_allow_privilege_escalation_container(container) + fixPath := get_fix_path(i, start_of_path) msga := { "alertMessage": sprintf("container :%v in %v: %v allow privilege escalation", [container.name, wl.kind, wl.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, - "reviewPaths": failed_path, - "failedPaths": failed_path, - "fixPaths": fixed_path, + "fixPaths": fixPath, "alertObject": { "k8sApiObjects": [wl] } 
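Review bot: The CronJob rule still binds its container with `container = wl.spec.jobTemplate.spec.template.spec.containers[i]` (unification), while the Pod and workload rules in the neighbouring hunks use `:=`; since the rewrite already touches the surrounding lines, `container := wl.spec.jobTemplate.spec.template.spec.containers[i]` keeps the three deny bodies uniform and avoids unification semantics where plain assignment is meant. More substantively, all three deny rules iterate only `containers[i]`, so an `initContainers` (or `ephemeralContainers`) entry that leaves `allowPrivilegeEscalation` unset — a state the rule itself treats as failing for regular containers — is never reported; that gap predates this commit, but the rewrite is the natural place to add the extra iteration over `spec.initContainers`. The deny body begins outside the hunk.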
@@ -75,51 +66,36 @@ deny[msga] {
-is_allow_privilege_escalation_container(container, i, start_of_path) = [failed_path, fixPath] {
+is_allow_privilege_escalation_container(container) {
     not container.securityContext.allowPrivilegeEscalation == false
     not container.securityContext.allowPrivilegeEscalation == true
     psps := [psp | psp= input[_]; psp.kind == "PodSecurityPolicy"]
     count(psps) == 0
-    failed_path = ""
-    fixPath = {"path": sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, format_int(i, 10)]), "value":"false"}
 }
-is_allow_privilege_escalation_container(container, i, start_of_path) = [failed_path, fixPath] {
+is_allow_privilege_escalation_container(container) {
     not container.securityContext.allowPrivilegeEscalation == false
     not container.securityContext.allowPrivilegeEscalation == true
     psps := [psp | psp= input[_]; psp.kind == "PodSecurityPolicy"]
     count(psps) > 0
     psp := psps[_]
     not psp.spec.allowPrivilegeEscalation == false
-    failed_path = ""
-    fixPath = {"path": sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, format_int(i, 10)]), "value":"false"}
 }
-is_allow_privilege_escalation_container(container, i, start_of_path) = [failed_path, fixPath] {
+is_allow_privilege_escalation_container(container) {
     container.securityContext.allowPrivilegeEscalation == true
     psps := [psp | psp= input[_]; psp.kind == "PodSecurityPolicy"]
     count(psps) == 0
-    fixPath = ""
-    failed_path = sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, format_int(i, 10)])
 }
-is_allow_privilege_escalation_container(container, i, start_of_path)= [failed_path, fixPath] {
+is_allow_privilege_escalation_container(container) {
     container.securityContext.allowPrivilegeEscalation == true
     psps := [psp | psp= input[_]; psp.kind == "PodSecurityPolicy"]
     count(psps) > 0
     psp := psps[_]
     not psp.spec.allowPrivilegeEscalation == false
-    fixPath = ""
-    failed_path = sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, format_int(i, 10)])
 }
- get_failed_path(paths) = [paths[0]] {
-    paths[0] != ""
-} else = []
-
-
-get_fixed_path(paths) = [paths[1]] {
-    paths[1] != ""
-} else = []
-
+get_fix_path(i, start_of_path) = [{"path": sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, i]), "value":"false"},
+    {"path": sprintf("%vcontainers[%v].securityContext.privileged", [start_of_path, i]), "value":"false"}]
diff --git a/rules/rule-allow-privilege-escalation/rule.metadata.json b/rules/rule-allow-privilege-escalation/rule.metadata.json
index 0d18f46af..93cebb4d3 100644
--- a/rules/rule-allow-privilege-escalation/rule.metadata.json
+++ b/rules/rule-allow-privilege-escalation/rule.metadata.json
@@ -1,7 +1,6 @@
 {
     "name": "rule-allow-privilege-escalation",
     "attributes": {
-        "armoBuiltin": true
     },
     "ruleLanguage": "Rego",
     "match": [
diff --git a/rules/rule-allow-privilege-escalation/test/cronjob/expected.json b/rules/rule-allow-privilege-escalation/test/cronjob/expected.json
index ffc99d19f..c9ff558a0 100644
--- a/rules/rule-allow-privilege-escalation/test/cronjob/expected.json
+++ b/rules/rule-allow-privilege-escalation/test/cronjob/expected.json
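Review bot: `get_fix_path` now emits `securityContext.privileged: false` for every finding although none of the four `is_allow_privilege_escalation_container` bodies inspects `privileged`; presumably this is because the API server rejects a container that sets `privileged: true` together with `allowPrivilegeEscalation: false`, so a fix that only flipped the first field would be unapplyable on privileged containers, but nothing in the hunk says so. Add a comment above the helper, e.g. `# privileged: true implies allowPrivilegeEscalation: true, so the fix must set both or the patched manifest is rejected by the API server`, so the second path is not later removed as noise. Style: the lookup `psps := [psp | psp= input[_]; psp.kind == "PodSecurityPolicy"]` is copied into all four bodies; a single helper such as `psp_permits_escalation` wrapping the `count(psps) == 0` / `count(psps) > 0; not psp.spec.allowPrivilegeEscalation == false` split would collapse the four bodies to two. Note also that PodSecurityPolicy no longer exists in current Kubernetes releases, so on supported clusters only the `count(psps) == 0` bodies can ever match.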
@@ -1,39 +1,56 @@ -[{ - "alertMessage": "container :mysql in CronJob: hello allow privilege escalation", - "failedPaths": [], - "fixPaths": [{ - "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", - "value": "false" - }], - "ruleStatus": "", - "packagename": "armo_builtins", - "alertScore": 7, - "alertObject": { - "k8sApiObjects": [{ - "apiVersion": "batch/v1beta1", - "kind": "CronJob", - "metadata": { - "name": "hello" +[ + { + "alertMessage": "container :mysql in CronJob: hello allow privilege escalation", + "fixPaths": [ + { + "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + }, + { + "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.privileged", + "value": "false" } - }] - } -}, { - "alertMessage": "container :php in CronJob: hello allow privilege escalation", - "failedPaths": [], - "fixPaths": [{ - "path": "spec.jobTemplate.spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation", - "value": "false" - }], - "ruleStatus": "", - "packagename": "armo_builtins", - "alertScore": 7, - "alertObject": { - "k8sApiObjects": [{ - "apiVersion": "batch/v1beta1", - "kind": "CronJob", - "metadata": { - "name": "hello" + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "batch/v1beta1", + "kind": "CronJob", + "metadata": { + "name": "hello" + } + } + ] + } + }, + { + "alertMessage": "container :php in CronJob: hello allow privilege escalation", + "fixPaths": [ + { + "path": "spec.jobTemplate.spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation", + "value": "false" + }, + { + "path": "spec.jobTemplate.spec.template.spec.containers[1].securityContext.privileged", + "value": "false" } - }] + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + 
"apiVersion": "batch/v1beta1", + "kind": "CronJob", + "metadata": { + "name": "hello" + } + } + ] + } } -}] \ No newline at end of file +] \ No newline at end of file diff --git a/rules/rule-allow-privilege-escalation/test/pod/expected.json b/rules/rule-allow-privilege-escalation/test/pod/expected.json index a14de9c55..98f507449 100644 --- a/rules/rule-allow-privilege-escalation/test/pod/expected.json +++ b/rules/rule-allow-privilege-escalation/test/pod/expected.json @@ -1,20 +1,32 @@ -[{ - "alertMessage": "container: test-container in pod: audit-pod allow privilege escalation", - "failedPaths": ["spec.containers[0].securityContext.allowPrivilegeEscalation"], - "fixPaths": [], - "ruleStatus": "", - "packagename": "armo_builtins", - "alertScore": 7, - "alertObject": { - "k8sApiObjects": [{ - "apiVersion": "v1", - "kind": "Pod", - "metadata": { - "labels": { - "app": "audit-pod" - }, - "name": "audit-pod" +[ + { + "alertMessage": "container: test-container in pod: audit-pod allow privilege escalation", + "fixPaths": [ + { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + }, + { + "path": "spec.containers[0].securityContext.privileged", + "value": "false" } - }] + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "labels": { + "app": "audit-pod" + }, + "name": "audit-pod" + } + } + ] + } } -}] \ No newline at end of file +] \ No newline at end of file diff --git a/rules/rule-allow-privilege-escalation/test/workloads/expected.json b/rules/rule-allow-privilege-escalation/test/workloads/expected.json index 286f502a6..065b97d20 100644 --- a/rules/rule-allow-privilege-escalation/test/workloads/expected.json +++ b/rules/rule-allow-privilege-escalation/test/workloads/expected.json 
@@ -1,42 +1,62 @@ -[{ - "alertMessage": "container :mysql in Deployment: my-deployment allow privilege escalation", - "failedPaths": ["spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation"], - "fixPaths": [], - "ruleStatus": "", - "packagename": "armo_builtins", - "alertScore": 7, - "alertObject": { - "k8sApiObjects": [{ - "apiVersion": "apps/v1", - "kind": "Deployment", - "metadata": { - "labels": { - "app": "goproxy" - }, - "name": "my-deployment" +[ + { + "alertMessage": "container :mysql in Deployment: my-deployment allow privilege escalation", + "fixPaths": [ + { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + }, + { + "path": "spec.template.spec.containers[0].securityContext.privileged", + "value": "false" } - }] - } -}, { - "alertMessage": "container :php in Deployment: my-deployment allow privilege escalation", - "failedPaths": [], - "fixPaths": [{ - "path": "spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation", - "value": "false" - }], - "ruleStatus": "", - "packagename": "armo_builtins", - "alertScore": 7, - "alertObject": { - "k8sApiObjects": [{ - "apiVersion": "apps/v1", - "kind": "Deployment", - "metadata": { - "labels": { - "app": "goproxy" - }, - "name": "my-deployment" + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "labels": { + "app": "goproxy" + }, + "name": "my-deployment" + } + } + ] + } + }, + { + "alertMessage": "container :php in Deployment: my-deployment allow privilege escalation", + "fixPaths": [ + { + "path": "spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation", + "value": "false" + }, + { + "path": "spec.template.spec.containers[1].securityContext.privileged", + "value": "false" } - }] + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + 
"alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "labels": { + "app": "goproxy" + }, + "name": "my-deployment" + } + } + ] + } } -}] \ No newline at end of file +] \ No newline at end of file diff --git a/rules/rule-can-bind-escalate/rule.metadata.json b/rules/rule-can-bind-escalate/rule.metadata.json index dcbc9e19f..a69cce772 100644 --- a/rules/rule-can-bind-escalate/rule.metadata.json +++ b/rules/rule-can-bind-escalate/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "rule-can-bind-escalate", "attributes": { - "armoBuiltin": true, "resourcesAggregator": "subject-role-rolebinding", "useFromKubescapeVersion": "v1.0.133" }, diff --git a/rules/rule-can-bind-escalate/test/clusterrole-clusterrolebinding/expected.json b/rules/rule-can-bind-escalate/test/clusterrole-clusterrolebinding/expected.json index e93d38d4f..c26cc3d6a 100644 --- a/rules/rule-can-bind-escalate/test/clusterrole-clusterrolebinding/expected.json +++ b/rules/rule-can-bind-escalate/test/clusterrole-clusterrolebinding/expected.json @@ -1,6 +1,13 @@ [ { "alertMessage": "Subject: Group-dev can bind roles/clusterroles", + "reviewPaths": [ + "relatedObjects[1].rules[0].resources[1]", + "relatedObjects[1].rules[0].verbs[0]", + "relatedObjects[1].rules[0].apiGroups[0]", + "relatedObjects[0].subjects[1]", + "relatedObjects[0].roleRef.name" + ], "failedPaths": [ "relatedObjects[1].rules[0].resources[1]", "relatedObjects[1].rules[0].verbs[0]", @@ -72,6 +79,13 @@ }, { "alertMessage": "Subject: Group-manager can bind roles/clusterroles", + "reviewPaths": [ + "relatedObjects[1].rules[0].resources[1]", + "relatedObjects[1].rules[0].verbs[0]", + "relatedObjects[1].rules[0].apiGroups[0]", + "relatedObjects[0].subjects[0]", + "relatedObjects[0].roleRef.name" + ], "failedPaths": [ "relatedObjects[1].rules[0].resources[1]", "relatedObjects[1].rules[0].verbs[0]", 
diff --git a/rules/rule-can-bind-escalate/test/role-rolebinding/expected.json b/rules/rule-can-bind-escalate/test/role-rolebinding/expected.json index f849b83f3..eec1da859 100644 --- a/rules/rule-can-bind-escalate/test/role-rolebinding/expected.json +++ b/rules/rule-can-bind-escalate/test/role-rolebinding/expected.json @@ -1,6 +1,13 @@ [ { "alertMessage": "Subject: User-jane can bind roles/clusterroles", + "reviewPaths": [ + "relatedObjects[1].rules[0].resources[0]", + "relatedObjects[1].rules[0].verbs[0]", + "relatedObjects[1].rules[0].apiGroups[0]", + "relatedObjects[0].subjects[0]", + "relatedObjects[0].roleRef.name" + ], "failedPaths": [ "relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].verbs[0]", @@ -68,6 +75,14 @@ }, { "alertMessage": "Subject: User-jane can escalate roles/clusterroles", + "reviewPaths": [ + "relatedObjects[1].rules[0].resources[0]", + "relatedObjects[1].rules[0].verbs[0]", + "relatedObjects[1].rules[0].verbs[1]", + "relatedObjects[1].rules[0].apiGroups[0]", + "relatedObjects[0].subjects[0]", + "relatedObjects[0].roleRef.name" + ], "failedPaths": [ "relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].verbs[0]", diff --git a/rules/rule-can-create-pod/rule.metadata.json b/rules/rule-can-create-pod/rule.metadata.json index 9527c346e..a8866e00c 100644 --- a/rules/rule-can-create-pod/rule.metadata.json +++ b/rules/rule-can-create-pod/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "rule-can-create-pod", "attributes": { - "armoBuiltin": true, "resourcesAggregator": "subject-role-rolebinding", "useFromKubescapeVersion": "v1.0.133" }, diff --git a/rules/rule-can-create-pod/test/clusterrole-rolebinding/expected.json b/rules/rule-can-create-pod/test/clusterrole-rolebinding/expected.json index 20d237a77..dbc102d71 100644 --- a/rules/rule-can-create-pod/test/clusterrole-rolebinding/expected.json +++ b/rules/rule-can-create-pod/test/clusterrole-rolebinding/expected.json 
@@ -1,6 +1,13 @@ [ { "alertMessage": "Subject: User-jane can create pods", + "reviewPaths": [ + "relatedObjects[1].rules[0].resources[0]", + "relatedObjects[1].rules[0].verbs[0]", + "relatedObjects[1].rules[0].apiGroups[0]", + "relatedObjects[0].subjects[0]", + "relatedObjects[0].roleRef.name" + ], "failedPaths": [ "relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].verbs[0]", diff --git a/rules/rule-can-create-pod/test/role-rolebinding/expected.json b/rules/rule-can-create-pod/test/role-rolebinding/expected.json index 3d717ffc0..752922657 100644 --- a/rules/rule-can-create-pod/test/role-rolebinding/expected.json +++ b/rules/rule-can-create-pod/test/role-rolebinding/expected.json @@ -1,5 +1,6 @@ [{ "alertMessage": "Subject: User-jane can create pods", + "reviewPaths": ["relatedObjects[1].rules[0].resources[2]", "relatedObjects[1].rules[0].verbs[0]", "relatedObjects[1].rules[0].verbs[2]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "failedPaths": ["relatedObjects[1].rules[0].resources[2]", "relatedObjects[1].rules[0].verbs[0]", "relatedObjects[1].rules[0].verbs[2]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "fixPaths": [], "ruleStatus": "", diff --git a/rules/rule-can-delete-k8s-events-v1/rule.metadata.json b/rules/rule-can-delete-k8s-events-v1/rule.metadata.json index 533373171..fc24a7372 100644 --- a/rules/rule-can-delete-k8s-events-v1/rule.metadata.json +++ b/rules/rule-can-delete-k8s-events-v1/rule.metadata.json @@ -2,7 +2,6 @@ "name": "rule-can-delete-k8s-events-v1", "attributes": { "microsoftK8sThreatMatrix": "Defense Evasion::Delete K8S events", - "armoBuiltin": true, "resourcesAggregator": "subject-role-rolebinding", "useFromKubescapeVersion": "v1.0.133" }, 
diff --git a/rules/rule-can-delete-k8s-events-v1/test/clusterrole-clusterrolebinding/expected.json b/rules/rule-can-delete-k8s-events-v1/test/clusterrole-clusterrolebinding/expected.json index c6cbaabf3..3085ed5cb 100644 --- a/rules/rule-can-delete-k8s-events-v1/test/clusterrole-clusterrolebinding/expected.json +++ b/rules/rule-can-delete-k8s-events-v1/test/clusterrole-clusterrolebinding/expected.json @@ -1,6 +1,13 @@ [ { "alertMessage": "Subject: Group-manager can delete events", + "reviewPaths": [ + "relatedObjects[1].rules[0].resources[1]", + "relatedObjects[1].rules[0].verbs[1]", + "relatedObjects[1].rules[0].apiGroups[0]", + "relatedObjects[0].subjects[0]", + "relatedObjects[0].roleRef.name" + ], "failedPaths": [ "relatedObjects[1].rules[0].resources[1]", "relatedObjects[1].rules[0].verbs[1]", @@ -71,6 +78,13 @@ }, { "alertMessage": "Subject: Group-dev can delete events", + "reviewPaths": [ + "relatedObjects[1].rules[0].resources[1]", + "relatedObjects[1].rules[0].verbs[1]", + "relatedObjects[1].rules[0].apiGroups[0]", + "relatedObjects[0].subjects[1]", + "relatedObjects[0].roleRef.name" + ], "failedPaths": [ "relatedObjects[1].rules[0].resources[1]", "relatedObjects[1].rules[0].verbs[1]", diff --git a/rules/rule-can-delete-k8s-events-v1/test/clusterrole-rolebinding/expected.json b/rules/rule-can-delete-k8s-events-v1/test/clusterrole-rolebinding/expected.json index c82e769c5..4ecfa4223 100644 --- a/rules/rule-can-delete-k8s-events-v1/test/clusterrole-rolebinding/expected.json +++ b/rules/rule-can-delete-k8s-events-v1/test/clusterrole-rolebinding/expected.json 
@@ -1,5 +1,6 @@ [{ "alertMessage": "Subject: User-jane can delete events", + "reviewPaths": ["relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].verbs[0]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "failedPaths": ["relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].verbs[0]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "fixPaths": [], "ruleStatus": "", diff --git a/rules/rule-can-delete-k8s-events-v1/test/role-rolebinding/expected.json b/rules/rule-can-delete-k8s-events-v1/test/role-rolebinding/expected.json index c16e85e7b..66c747e9d 100644 --- a/rules/rule-can-delete-k8s-events-v1/test/role-rolebinding/expected.json +++ b/rules/rule-can-delete-k8s-events-v1/test/role-rolebinding/expected.json @@ -1,5 +1,6 @@ [{ "alertMessage": "Subject: User-jane can delete events", + "reviewPaths": ["relatedObjects[1].rules[0].resources[4]", "relatedObjects[1].rules[0].verbs[0]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "failedPaths": ["relatedObjects[1].rules[0].resources[4]", "relatedObjects[1].rules[0].verbs[0]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "fixPaths": [], "ruleStatus": "", diff --git a/rules/rule-can-delete-k8s-events/raw.rego b/rules/rule-can-delete-k8s-events/raw.rego deleted file mode 100644 index a586984fc..000000000 --- a/rules/rule-can-delete-k8s-events/raw.rego +++ /dev/null 
@@ -1,137 +0,0 @@
-package armo_builtins
-
-import data.cautils
-
-# fails if user can delete events
-# RoleBinding to Role
-deny [msga] {
- roles := [role | role= input[_]; role.kind == "Role"]
- rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"]
- role:= roles[_]
- rolebinding := rolebindings[_]
-
- rule:= role.rules[_]
- canDeleteEventsResource(rule)
- canDeleteEventsVerb(rule)
-
- rolebinding.roleRef.kind == "Role"
- rolebinding.roleRef.name == role.metadata.name
-
- subject := rolebinding.subjects[i]
- path := sprintf("subjects[%v]", [format_int(i, 10)])
-
- msga := {
- "alertMessage": sprintf("The following %v: %v can delete events", [subject.kind, subject.name]),
- "alertScore": 6,
- "deletePaths": [path],
- "failedPaths": [path],
- "packagename": "armo_builtins",
- "alertObject": {
- "k8sApiObjects": [role,rolebinding],
- "externalObjects": {
- "subject" : [subject]
- }
- }
- }
-}
-
-
-# fails if user can delete events
-# RoleBinding to ClusterRole
-deny[msga] {
- roles := [role | role= input[_]; role.kind == "ClusterRole"]
- rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"]
- role:= roles[_]
- rolebinding := rolebindings[_]
-
- rule:= role.rules[_]
- canDeleteEventsResource(rule)
- canDeleteEventsVerb(rule)
-
- rolebinding.roleRef.kind == "ClusterRole"
- rolebinding.roleRef.name == role.metadata.name
-
-
- subject := rolebinding.subjects[i]
- path := sprintf("subjects[%v]", [format_int(i, 10)])
-
- msga := {
- "alertMessage": sprintf("The following %v: %v can delete events", [subject.kind, subject.name]),
- "alertScore": 6,
- "deletePaths": [path],
- "failedPaths": [path],
- "packagename": "armo_builtins",
- "alertObject": {
- "k8sApiObjects": [role,rolebinding],
- "externalObjects": {
- "subject" : [subject]
- }
- }
- }
-}
-
-
-# fails if user can delete events
-# ClusterRoleBinding to ClusterRole
-deny[msga] {
- roles := [role | role= input[_]; role.kind == "ClusterRole"]
- clusterrolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "ClusterRoleBinding"]
- role:= roles[_]
- clusterrolebinding := clusterrolebindings[_]
-
- rule:= role.rules[_]
- canDeleteEventsResource(rule)
- canDeleteEventsVerb(rule)
-
- clusterrolebinding.roleRef.kind == "ClusterRole"
- clusterrolebinding.roleRef.name == role.metadata.name
-
-
- subject := clusterrolebinding.subjects[i]
- path := sprintf("subjects[%v]", [format_int(i, 10)])
-
- msga := {
- "alertMessage": sprintf("The following %v: %v can delete events", [subject.kind, subject.name]),
- "alertScore": 6,
- "deletePaths": [path],
- "failedPaths": [path],
- "packagename": "armo_builtins",
- "alertObject": {
- "k8sApiObjects": [role,clusterrolebinding],
- "externalObjects": {
- "subject" : [subject]
- }
- }
- }
-}
-
-
-canDeleteEventsResource(rule) {
- cautils.list_contains(rule.resources,"events")
-}
-canDeleteEventsResource(rule) {
- is_api_group(rule)
- cautils.list_contains(rule.resources,"*")
-}
-
-is_api_group(rule) {
- apiGroup := rule.apiGroups[_]
- apiGroup == "*"
-}
-
-is_api_group(rule) {
- apiGroup := rule.apiGroups[_]
- apiGroup == ""
-}
-
-canDeleteEventsVerb(rule) {
- cautils.list_contains(rule.verbs,"delete")
-}
-
-canDeleteEventsVerb(rule) {
- cautils.list_contains(rule.verbs,"deletecollection")
-}
-
-canDeleteEventsVerb(rule) {
- cautils.list_contains(rule.verbs,"*")
-}
\ No newline at end of file
diff --git a/rules/rule-can-delete-k8s-events/rule.metadata.json b/rules/rule-can-delete-k8s-events/rule.metadata.json
deleted file mode 100644
index 4f3cf14b0..000000000
--- a/rules/rule-can-delete-k8s-events/rule.metadata.json
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- "name": "rule-can-delete-k8s-events",
- "attributes": {
- "microsoftK8sThreatMatrix": "Defense Evasion::Delete K8S events",
- "armoBuiltin": true,
- "useUntilKubescapeVersion": "v1.0.133"
- },
- "ruleLanguage": "Rego",
- "match": [
- {
- "apiGroups": [
- "rbac.authorization.k8s.io"
- ],
- "apiVersions": [
- "v1"
- ],
- "resources": [
- "Role",
- "ClusterRole",
- "ClusterRoleBinding",
- "RoleBinding"
- ]
- }
- ],
- "ruleDependencies": [
- {
- "packageName": "cautils"
- }
- ],
- "description": "determines which users can delete events",
- "remediation": "",
- "ruleQuery": "armo_builtins",
- "resourceCount": "subjects"
- }
\ No newline at end of file
diff --git a/rules/rule-can-impersonate-users-groups-v1/rule.metadata.json b/rules/rule-can-impersonate-users-groups-v1/rule.metadata.json
index 2e7483c5e..49d368545 100644
--- a/rules/rule-can-impersonate-users-groups-v1/rule.metadata.json
+++ b/rules/rule-can-impersonate-users-groups-v1/rule.metadata.json
@@ -2,7 +2,6 @@
 "name": "rule-can-impersonate-users-groups-v1",
 "attributes": {
 "microsoftK8sThreatMatrix": "Discovery::Access the K8s API server",
- "armoBuiltin": true,
 "resourcesAggregator": "subject-role-rolebinding",
 "useFromKubescapeVersion": "v1.0.133"
 },
diff --git a/rules/rule-can-impersonate-users-groups-v1/test/clusterrole-clusterrolebinding/expected.json b/rules/rule-can-impersonate-users-groups-v1/test/clusterrole-clusterrolebinding/expected.json
index cc826001a..1cc80c214 100644
--- a/rules/rule-can-impersonate-users-groups-v1/test/clusterrole-clusterrolebinding/expected.json
+++ b/rules/rule-can-impersonate-users-groups-v1/test/clusterrole-clusterrolebinding/expected.json
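Review bot: Dropping `"armoBuiltin": true` from rule-can-impersonate-users-groups-v1/rule.metadata.json removes the only attribute that marked this rule as vendor-supplied, and the legacy rule-can-impersonate-users-groups metadata deleted in the same commit still carried it. Nothing in the diff shows what consumes `armoBuiltin`, so if the Kubescape rule loader or any reporting path filters or counts on that attribute this is a silent behaviour change rather than a cleanup; confirm with the consumer before merging, or record the removal in the release notes for this tag. The same attribute is removed from every other `*-v1` rule.metadata.json in this diff, so the same check applies to each of those hunks.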
@@ -1,6 +1,13 @@
 [
 {
 "alertMessage": "Subject: Group-dev can impersonate users",
+ "reviewPaths": [
+ "relatedObjects[1].rules[0].resources[2]",
+ "relatedObjects[1].rules[0].verbs[1]",
+ "relatedObjects[1].rules[0].apiGroups[0]",
+ "relatedObjects[0].subjects[1]",
+ "relatedObjects[0].roleRef.name"
+ ],
 "failedPaths": [
 "relatedObjects[1].rules[0].resources[2]",
 "relatedObjects[1].rules[0].verbs[1]",
@@ -71,6 +78,13 @@
 },
 {
 "alertMessage": "Subject: Group-manager can impersonate users",
+ "reviewPaths": [
+ "relatedObjects[1].rules[0].resources[2]",
+ "relatedObjects[1].rules[0].verbs[1]",
+ "relatedObjects[1].rules[0].apiGroups[0]",
+ "relatedObjects[0].subjects[0]",
+ "relatedObjects[0].roleRef.name"
+ ],
 "failedPaths": [
 "relatedObjects[1].rules[0].resources[2]",
 "relatedObjects[1].rules[0].verbs[1]",
diff --git a/rules/rule-can-impersonate-users-groups-v1/test/clusterrole-rolebinding/expected.json b/rules/rule-can-impersonate-users-groups-v1/test/clusterrole-rolebinding/expected.json
index eb18bcea0..4a464eee5 100644
--- a/rules/rule-can-impersonate-users-groups-v1/test/clusterrole-rolebinding/expected.json
+++ b/rules/rule-can-impersonate-users-groups-v1/test/clusterrole-rolebinding/expected.json
@@ -1,5 +1,6 @@
 [{
 "alertMessage": "Subject: User-jane can impersonate users",
+ "reviewPaths": ["relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].verbs[0]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"],
 "failedPaths": ["relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].verbs[0]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"],
 "fixPaths": [],
 "ruleStatus": "",
diff --git a/rules/rule-can-impersonate-users-groups-v1/test/role-rolebinding/expected.json b/rules/rule-can-impersonate-users-groups-v1/test/role-rolebinding/expected.json
index 95ab976fd..7d0a3a772 100644
--- a/rules/rule-can-impersonate-users-groups-v1/test/role-rolebinding/expected.json
+++ b/rules/rule-can-impersonate-users-groups-v1/test/role-rolebinding/expected.json
@@ -1,5 +1,6 @@
 [{
 "alertMessage": "Subject: User-jane can impersonate users",
+ "reviewPaths": ["relatedObjects[1].rules[0].resources[2]", "relatedObjects[1].rules[0].resources[4]", "relatedObjects[1].rules[0].verbs[0]", "relatedObjects[1].rules[0].verbs[2]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"],
 "failedPaths": ["relatedObjects[1].rules[0].resources[2]", "relatedObjects[1].rules[0].resources[4]", "relatedObjects[1].rules[0].verbs[0]", "relatedObjects[1].rules[0].verbs[2]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"],
 "fixPaths": [],
 "ruleStatus": "",
diff --git a/rules/rule-can-impersonate-users-groups/raw.rego b/rules/rule-can-impersonate-users-groups/raw.rego
deleted file mode 100644
index 4d2fcceac..000000000
--- a/rules/rule-can-impersonate-users-groups/raw.rego
+++ /dev/null
@@ -1,137 +0,0 @@
-package armo_builtins
-
-import data.cautils
-
-deny[msga] {
- roles := [role | role= input[_]; role.kind == "Role"]
- rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"]
- role:= roles[_]
- rolebinding := rolebindings[_]
-
- rule:= role.rules[_]
- canImpersonateVerb(rule)
- canImpersonateResource(rule)
-
- rolebinding.roleRef.kind == "Role"
- rolebinding.roleRef.name == role.metadata.name
-
- subject := rolebinding.subjects[i]
- path := sprintf("subjects[%v]", [format_int(i, 10)])
-
- msga := {
- "alertMessage": sprintf("the following %v: %v, can impersonate users", [subject.kind, subject.name]),
- "alertScore": 9,
- "deletePaths": [path],
- "failedPaths": [path],
- "packagename": "armo_builtins",
- "alertObject": {
- "k8sApiObjects": [role, rolebinding],
- "externalObjects": {
- "subject" : [subject]
- }
- }
- }
-}
-
-
-deny[msga] {
- roles := [role | role= input[_]; role.kind == "ClusterRole"]
- rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"]
- role:= roles[_]
- rolebinding := rolebindings[_]
-
- rule:= role.rules[_]
- canImpersonateVerb(rule)
- canImpersonateResource(rule)
-
- rolebinding.roleRef.kind == "ClusterRole"
- rolebinding.roleRef.name == role.metadata.name
-
- subject := rolebinding.subjects[i]
- path := sprintf("subjects[%v]", [format_int(i, 10)])
-
- msga := {
- "alertMessage": sprintf("the following %v: %v, can impersonate users", [subject.kind, subject.name]),
- "alertScore": 9,
- "failedPaths": [path],
- "packagename": "armo_builtins",
- "alertObject": {
- "k8sApiObjects": [role, rolebinding],
- "externalObjects": {
- "subject" : [subject]
- }
- }
- }
-}
-
-
-
-deny[msga] {
- roles := [role | role= input[_]; role.kind == "ClusterRole"]
- rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "ClusterRoleBinding"]
- role:= roles[_]
- rolebinding := rolebindings[_]
-
- rule:= role.rules[_]
- canImpersonateVerb(rule)
- canImpersonateResource(rule)
-
- rolebinding.roleRef.kind == "ClusterRole"
- rolebinding.roleRef.name == role.metadata.name
-
- subject := rolebinding.subjects[i]
- path := sprintf("subjects[%v]", [format_int(i, 10)])
-
- msga := {
- "alertMessage": sprintf("the following %v: %v, can impersonate users", [subject.kind, subject.name]),
- "alertScore": 9,
- "failedPaths": [path],
- "packagename": "armo_builtins",
- "alertObject": {
- "k8sApiObjects": [role, rolebinding],
- "externalObjects": {
- "subject" : [subject]
- }
- }
- }
-}
-
-
-canImpersonateVerb(rule) {
- cautils.list_contains(rule.verbs, "impersonate")
-}
-canImpersonateVerb(rule) {
- cautils.list_contains(rule.verbs, "*")
-}
-
-
-canImpersonateResource(rule) {
- cautils.list_contains(rule.resources,"users")
-}
-
-canImpersonateResource(rule) {
- cautils.list_contains(rule.resources,"serviceaccounts")
-}
-
-canImpersonateResource(rule) {
- cautils.list_contains(rule.resources,"groups")
-}
-
-canImpersonateResource(rule) {
- cautils.list_contains(rule.resources,"uids")
-}
-
-canImpersonateResource(rule) {
- is_api_group(rule)
- cautils.list_contains(rule.resources,"*")
-}
-
-is_api_group(rule) {
- apiGroup := rule.apiGroups[_]
- apiGroup == "*"
-}
-
-is_api_group(rule) {
- apiGroup := rule.apiGroups[_]
- apiGroup == ""
-}
\ No newline at end of file
diff --git a/rules/rule-can-impersonate-users-groups/rule.metadata.json b/rules/rule-can-impersonate-users-groups/rule.metadata.json
deleted file mode 100644
index 67dfa8481..000000000
--- a/rules/rule-can-impersonate-users-groups/rule.metadata.json
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- "name": "rule-can-impersonate-users-groups",
- "attributes": {
- "microsoftK8sThreatMatrix": "Discovery::Access the K8s API server",
- "armoBuiltin": true,
- "useUntilKubescapeVersion": "v1.0.133"
- },
- "ruleLanguage": "Rego",
- "match": [
- {
- "apiGroups": [
- "rbac.authorization.k8s.io"
- ],
- "apiVersions": [
- "v1"
- ],
- "resources": [
- "Role",
- "ClusterRole",
- "ClusterRoleBinding",
- "RoleBinding"
- ]
- }
- ],
- "ruleDependencies": [
- {
- "packageName": "cautils"
- }
- ],
- "description": "determines which users can impersonate users/groups",
- "remediation": "",
- "ruleQuery": "armo_builtins",
- "resourceCount": "subjects"
- }
\ No newline at end of file
diff --git a/rules/rule-can-list-get-secrets-v1/rule.metadata.json b/rules/rule-can-list-get-secrets-v1/rule.metadata.json
index c0fd2011c..982613f2e 100644
--- a/rules/rule-can-list-get-secrets-v1/rule.metadata.json
+++ b/rules/rule-can-list-get-secrets-v1/rule.metadata.json
@@ -2,7 +2,6 @@
 "name": "rule-can-list-get-secrets-v1",
 "attributes": {
 "microsoftK8sThreatMatrix": "Discovery::Access the K8s API server",
- "armoBuiltin": true,
 "resourcesAggregator": "subject-role-rolebinding",
 "useFromKubescapeVersion": "v1.0.133"
 },
diff --git a/rules/rule-can-list-get-secrets-v1/test/clusterrole-clusterrolebinding/expected.json b/rules/rule-can-list-get-secrets-v1/test/clusterrole-clusterrolebinding/expected.json
index 0eb2c4dbf..86858e9b5 100644
--- a/rules/rule-can-list-get-secrets-v1/test/clusterrole-clusterrolebinding/expected.json
+++ b/rules/rule-can-list-get-secrets-v1/test/clusterrole-clusterrolebinding/expected.json
@@ -1,6 +1,13 @@
 [
 {
 "alertMessage": "Subject: Group-dev can read secrets",
+ "reviewPaths": [
+ "relatedObjects[1].rules[0].resources[1]",
+ "relatedObjects[1].rules[0].verbs[0]",
+ "relatedObjects[1].rules[0].apiGroups[0]",
+ "relatedObjects[0].subjects[1]",
+ "relatedObjects[0].roleRef.name"
+ ],
 "failedPaths": [
 "relatedObjects[1].rules[0].resources[1]",
 "relatedObjects[1].rules[0].verbs[0]",
@@ -70,6 +77,13 @@
 },
 {
 "alertMessage": "Subject: Group-manager can read secrets",
+ "reviewPaths": [
+ "relatedObjects[1].rules[0].resources[1]",
+ "relatedObjects[1].rules[0].verbs[0]",
+ "relatedObjects[1].rules[0].apiGroups[0]",
+ "relatedObjects[0].subjects[0]",
+ "relatedObjects[0].roleRef.name"
+ ],
 "failedPaths": [
 "relatedObjects[1].rules[0].resources[1]",
 "relatedObjects[1].rules[0].verbs[0]",
diff --git a/rules/rule-can-list-get-secrets-v1/test/clusterrole-rolebinding/expected.json b/rules/rule-can-list-get-secrets-v1/test/clusterrole-rolebinding/expected.json
index bbeb3b661..dc8619d90 100644
--- a/rules/rule-can-list-get-secrets-v1/test/clusterrole-rolebinding/expected.json
+++ b/rules/rule-can-list-get-secrets-v1/test/clusterrole-rolebinding/expected.json
@@ -1,5 +1,6 @@
 [{
 "alertMessage": "Subject: User-jane can read secrets",
+ "reviewPaths": ["relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].verbs[0]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"],
 "failedPaths": ["relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].verbs[0]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"],
 "fixPaths": [],
 "ruleStatus": "",
diff --git a/rules/rule-can-list-get-secrets-v1/test/role-rolebinding/expected.json b/rules/rule-can-list-get-secrets-v1/test/role-rolebinding/expected.json
index df37920cc..2954acbb2 100644
--- a/rules/rule-can-list-get-secrets-v1/test/role-rolebinding/expected.json
+++ b/rules/rule-can-list-get-secrets-v1/test/role-rolebinding/expected.json
@@ -1,5 +1,6 @@
 [{
 "alertMessage": "Subject: User-jane can read secrets",
+ "reviewPaths": ["relatedObjects[1].rules[0].resources[1]", "relatedObjects[1].rules[0].resources[4]", "relatedObjects[1].rules[0].verbs[0]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"],
 "failedPaths": ["relatedObjects[1].rules[0].resources[1]", "relatedObjects[1].rules[0].resources[4]", "relatedObjects[1].rules[0].verbs[0]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"],
 "fixPaths": [],
 "ruleStatus": "",
diff --git a/rules/rule-can-list-get-secrets/raw.rego b/rules/rule-can-list-get-secrets/raw.rego
deleted file mode 100644
index d9a8d65a6..000000000
--- a/rules/rule-can-list-get-secrets/raw.rego
+++ /dev/null
@@ -1,141 +0,0 @@
-package armo_builtins
-
-import data.cautils
-
-# fails if user can list/get secrets
-# RoleBinding to Role
-deny[msga] {
- roles := [role | role= input[_]; role.kind == "Role"]
- rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"]
- role:= roles[_]
- rolebinding := rolebindings[_]
-
- rule:= role.rules[_]
- canViewSecretsResource(rule)
- canViewSecretsVerb(rule)
-
- rolebinding.roleRef.kind == "Role"
- rolebinding.roleRef.name == role.metadata.name
-
- subject := rolebinding.subjects[i]
- path := sprintf("subjects[%v]", [format_int(i, 10)])
-
- msga := {
- "alertMessage": sprintf("The following %v: %v can read secrets", [subject.kind, subject.name]),
- "alertScore": 9,
- "packagename": "armo_builtins",
- "deletePaths": [path],
- "failedPaths": [path],
- "alertObject": {
- "k8sApiObjects": [role,rolebinding],
- "externalObjects": {
- "subject" : [subject]
- }
- }
- }
-}
-
-
-# fails if user can list/get secrets
-# RoleBinding to ClusterRole
-deny[msga] {
- roles := [role | role= input[_]; role.kind == "ClusterRole"]
- rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"]
- role:= roles[_]
- rolebinding := rolebindings[_]
-
- rule:= role.rules[_]
- canViewSecretsResource(rule)
- canViewSecretsVerb(rule)
-
- rolebinding.roleRef.kind == "ClusterRole"
- rolebinding.roleRef.name == role.metadata.name
-
-
- subject := rolebinding.subjects[i]
- path := sprintf("subjects[%v]", [format_int(i, 10)])
-
- msga := {
- "alertMessage": sprintf("The following %v: %v can read secrets", [subject.kind, subject.name]),
- "alertScore": 9,
- "packagename": "armo_builtins",
- "failedPaths": [path],
- "alertObject": {
- "k8sApiObjects": [role,rolebinding],
- "externalObjects": {
- "subject" : [subject]
- }
- }
- }
-}
-
-# fails if user can list/get secrets
-# ClusterRoleBinding to ClusterRole
-deny[msga] {
- roles := [role | role= input[_]; role.kind == "ClusterRole"]
- clusterrolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "ClusterRoleBinding"]
- role:= roles[_]
- clusterrolebinding := clusterrolebindings[_]
-
- rule:= role.rules[_]
- canViewSecretsResource(rule)
- canViewSecretsVerb(rule)
-
- clusterrolebinding.roleRef.kind == "ClusterRole"
- clusterrolebinding.roleRef.name == role.metadata.name
-
- subject := clusterrolebinding.subjects[i]
- path := sprintf("subjects[%v]", [format_int(i, 10)])
-
- msga := {
- "alertMessage": sprintf("The following %v: %v can read secrets", [subject.kind, subject.name]),
- "alertScore": 9,
- "packagename": "armo_builtins",
- "failedPaths": [path],
- "alertObject": {
- "k8sApiObjects": [role,clusterrolebinding],
- "externalObjects": {
- "subject" : [subject]
- }
- }
- }
-}
-
-
-
-
-canViewSecretsVerb(rule) {
- cautils.list_contains(rule.verbs,"get")
-}
-
-canViewSecretsVerb(rule) {
- cautils.list_contains(rule.verbs,"list")
-}
-
-canViewSecretsVerb(rule) {
- cautils.list_contains(rule.verbs,"watch")
-}
-
-
-canViewSecretsVerb(rule) {
- cautils.list_contains(rule.verbs,"*")
-}
-
-
-canViewSecretsResource(rule) {
- cautils.list_contains(rule.resources,"secrets")
-}
-
-canViewSecretsResource(rule) {
- is_api_group(rule)
- cautils.list_contains(rule.resources,"*")
-}
-
-is_api_group(rule) {
- apiGroup := rule.apiGroups[_]
- apiGroup == "*"
-}
-is_api_group(rule) {
- apiGroup := rule.apiGroups[_]
- apiGroup == ""
-}
\ No newline at end of file
diff --git a/rules/rule-can-list-get-secrets/rule.metadata.json b/rules/rule-can-list-get-secrets/rule.metadata.json
deleted file mode 100644
index bc30fbc08..000000000
--- a/rules/rule-can-list-get-secrets/rule.metadata.json
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- "name": "rule-can-list-get-secrets",
- "attributes": {
- "microsoftK8sThreatMatrix": "Discovery::Access the K8s API server",
- "armoBuiltin": true,
- "useUntilKubescapeVersion": "v1.0.133"
- },
- "ruleLanguage": "Rego",
- "match": [
- {
- "apiGroups": [
- "rbac.authorization.k8s.io"
- ],
- "apiVersions": [
- "v1"
- ],
- "resources": [
- "Role",
- "ClusterRole",
- "ClusterRoleBinding",
- "RoleBinding"
- ]
- }
- ],
- "ruleDependencies": [
- {
- "packageName": "cautils"
- }
- ],
- "description": "determines which users can list/get secrets",
- "remediation": "",
- "ruleQuery": "armo_builtins",
- "resourceCount": "subjects"
- }
\ No newline at end of file
diff --git a/rules/rule-can-portforward-v1/rule.metadata.json b/rules/rule-can-portforward-v1/rule.metadata.json
index 68e075d5e..9e192d476 100644
--- a/rules/rule-can-portforward-v1/rule.metadata.json
+++ b/rules/rule-can-portforward-v1/rule.metadata.json
@@ -1,7 +1,6 @@
 {
 "name": "rule-can-portforward-v1",
 "attributes": {
- "armoBuiltin": true,
 "resourcesAggregator": "subject-role-rolebinding",
 "useFromKubescapeVersion": "v1.0.133"
 },
diff --git a/rules/rule-can-portforward-v1/test/clusterrole-clusterrolebinding/expected.json b/rules/rule-can-portforward-v1/test/clusterrole-clusterrolebinding/expected.json
index 61bc518aa..438b76b61 100644
--- a/rules/rule-can-portforward-v1/test/clusterrole-clusterrolebinding/expected.json
+++ b/rules/rule-can-portforward-v1/test/clusterrole-clusterrolebinding/expected.json
@@ -1,6 +1,13 @@
 [
 {
 "alertMessage": "Subject: Group-manager can do port forwarding",
+ "reviewPaths": [
+ "relatedObjects[1].rules[0].resources[0]",
+ "relatedObjects[1].rules[0].verbs[0]",
+ "relatedObjects[1].rules[0].apiGroups[0]",
+ "relatedObjects[0].subjects[0]",
+ "relatedObjects[0].roleRef.name"
+ ],
 "failedPaths": [
 "relatedObjects[1].rules[0].resources[0]",
 "relatedObjects[1].rules[0].verbs[0]",
@@ -70,6 +77,13 @@
 },
 {
 "alertMessage": "Subject: Group-dev can do port forwarding",
+ "reviewPaths": [
+ "relatedObjects[1].rules[0].resources[0]",
+ "relatedObjects[1].rules[0].verbs[0]",
+ "relatedObjects[1].rules[0].apiGroups[0]",
+ "relatedObjects[0].subjects[1]",
+ "relatedObjects[0].roleRef.name"
+ ],
 "failedPaths": [
 "relatedObjects[1].rules[0].resources[0]",
 "relatedObjects[1].rules[0].verbs[0]",
diff --git a/rules/rule-can-portforward-v1/test/clusterrole-rolebinding/expected.json b/rules/rule-can-portforward-v1/test/clusterrole-rolebinding/expected.json
index 1efc7a717..c760347e5 100644
--- a/rules/rule-can-portforward-v1/test/clusterrole-rolebinding/expected.json
+++ b/rules/rule-can-portforward-v1/test/clusterrole-rolebinding/expected.json
@@ -1,5 +1,6 @@
 [{
 "alertMessage": "Subject: User-jane can do port forwarding",
+ "reviewPaths": ["relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].verbs[0]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"],
 "failedPaths": ["relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].verbs[0]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"],
 "fixPaths": [],
 "ruleStatus": "",
diff --git a/rules/rule-can-portforward-v1/test/role-rolebinding/expected.json b/rules/rule-can-portforward-v1/test/role-rolebinding/expected.json
index 2362cb9e8..1e4f304f1 100644
--- a/rules/rule-can-portforward-v1/test/role-rolebinding/expected.json
+++ b/rules/rule-can-portforward-v1/test/role-rolebinding/expected.json
@@ -1,5 +1,6 @@
 [{
 "alertMessage": "Subject: User-jane can do port forwarding",
+ "reviewPaths": ["relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].resources[4]", "relatedObjects[1].rules[0].verbs[1]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"],
 "failedPaths": ["relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].resources[4]", "relatedObjects[1].rules[0].verbs[1]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"],
 "fixPaths": [],
 "ruleStatus": "",
diff --git a/rules/rule-can-portforward/raw.rego b/rules/rule-can-portforward/raw.rego
deleted file mode 100644
index 69ccb7a1c..000000000
--- a/rules/rule-can-portforward/raw.rego
+++ /dev/null
@@ -1,129 +0,0 @@
-package armo_builtins
-
-import data.cautils
-
-deny[msga] {
- roles := [role | role= input[_]; role.kind == "Role"]
- rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"]
- role:= roles[_]
- rolebinding := rolebindings[_]
-
- rule:= role.rules[_]
- canForwardToPodResource(rule)
- canForwardToPodVerb(rule)
-
- rolebinding.roleRef.kind == "Role"
- rolebinding.roleRef.name == role.metadata.name
-
- subject := rolebinding.subjects[i]
- path := sprintf("subjects[%v]", [format_int(i, 10)])
-
- msga := {
- "alertMessage": sprintf("the following %v: %v, can do port forwarding", [subject.kind, subject.name]),
- "alertScore": 9,
- "deletePaths": [path],
- "failedPaths": [path],
- "packagename": "armo_builtins",
- "alertObject": {
- "k8sApiObjects": [role, rolebinding],
- "externalObjects": {
- "subject" : [subject]
- }
- }
- }
-}
-
-
-deny[msga] {
- roles := [role | role= input[_]; role.kind == "ClusterRole"]
- rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"]
- role:= roles[_]
- rolebinding := rolebindings[_]
-
- rule:= role.rules[_]
- canForwardToPodResource(rule)
- canForwardToPodVerb(rule)
-
- rolebinding.roleRef.kind == "ClusterRole"
- rolebinding.roleRef.name == role.metadata.name
-
- subject := rolebinding.subjects[i]
- path := sprintf("subjects[%v]", [format_int(i, 10)])
-
- msga := {
- "alertMessage": sprintf("the following %v: %v, can do port forwarding", [subject.kind, subject.name]),
- "alertScore": 9,
- "failedPaths": [path],
- "packagename": "armo_builtins",
- "alertObject": {
- "k8sApiObjects": [role, rolebinding],
- "externalObjects": {
- "subject" : [subject]
- }
- }
- }
-}
-
-
-
-deny[msga] {
- roles := [role | role= input[_]; role.kind == "ClusterRole"]
- rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "ClusterRoleBinding"]
- role:= roles[_]
- rolebinding := rolebindings[_]
-
- rule:= role.rules[_]
- canForwardToPodResource(rule)
- canForwardToPodVerb(rule)
-
- rolebinding.roleRef.kind == "ClusterRole"
- rolebinding.roleRef.name == role.metadata.name
-
- subject := rolebinding.subjects[i]
- path := sprintf("subjects[%v]", [format_int(i, 10)])
-
- msga := {
- "alertMessage": sprintf("the following %v: %v, can do port forwarding", [subject.kind, subject.name]),
- "alertScore": 9,
- "failedPaths": [path],
- "packagename": "armo_builtins",
- "alertObject": {
- "k8sApiObjects": [role, rolebinding],
- "externalObjects": {
- "subject" : [subject]
- }
- }
- }
-}
-
-canForwardToPodVerb(rule) {
- cautils.list_contains(rule.verbs, "create")
-}
-
-canForwardToPodVerb(rule) {
- cautils.list_contains(rule.verbs, "get")
-}
-canForwardToPodVerb(rule) {
- cautils.list_contains(rule.verbs, "*")
-}
-
-canForwardToPodResource(rule) {
- cautils.list_contains(rule.resources,"pods/portforward")
-}
-canForwardToPodResource(rule) {
- cautils.list_contains(rule.resources,"pods/*")
-}
-canForwardToPodResource(rule) {
- is_api_group(rule)
- cautils.list_contains(rule.resources,"*")
-}
-
-is_api_group(rule) {
- apiGroup := rule.apiGroups[_]
- apiGroup == ""
-}
-
-is_api_group(rule) {
- apiGroup := rule.apiGroups[_]
- apiGroup == "*"
-}
diff --git a/rules/rule-can-portforward/rule.metadata.json b/rules/rule-can-portforward/rule.metadata.json
deleted file mode 100644
index 03b928883..000000000
--- a/rules/rule-can-portforward/rule.metadata.json
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- "name": "rule-can-portforward",
- "attributes": {
- "armoBuiltin": true,
- "useUntilKubescapeVersion": "v1.0.133"
- },
- "ruleLanguage": "Rego",
- "match": [
- {
- "apiGroups": [
- "rbac.authorization.k8s.io"
- ],
- "apiVersions": [
- "v1"
- ],
- "resources": [
- "Role",
- "ClusterRole",
- "ClusterRoleBinding",
- "RoleBinding"
- ]
- }
- ],
- "ruleDependencies": [
- {
- "packageName": "cautils"
- }
- ],
- "description": "",
- "remediation": "",
- "ruleQuery": "armo_builtins",
- "resourceCount": "subjects"
- }
\ No newline at end of file
diff --git a/rules/rule-can-ssh-to-pod-v1/rule.metadata.json b/rules/rule-can-ssh-to-pod-v1/rule.metadata.json
index a30a839c4..db4d5f691 100644
--- a/rules/rule-can-ssh-to-pod-v1/rule.metadata.json
+++ b/rules/rule-can-ssh-to-pod-v1/rule.metadata.json
@@ -2,7 +2,6 @@
 "name": "rule-can-ssh-to-pod-v1",
 "attributes": {
 "microsoftK8sThreatMatrix": "Execution::SSH server running inside container",
- "armoBuiltin": true,
 "useFromKubescapeVersion": "v1.0.133"
 },
 "ruleLanguage": "Rego",
diff --git a/rules/rule-can-ssh-to-pod-v1/test/pod/expected.json b/rules/rule-can-ssh-to-pod-v1/test/pod/expected.json
index 9d49820c9..1b3924152 100644
--- a/rules/rule-can-ssh-to-pod-v1/test/pod/expected.json
+++ b/rules/rule-can-ssh-to-pod-v1/test/pod/expected.json
@@ -1,5 +1,6 @@
 [{
 "alertMessage": "pod default/audit-pod exposed by SSH services: {\"apiVersion\": \"v1\", \"kind\": \"Service\", \"metadata\": {\"name\": \"my-service\", \"namespace\": \"default\"}, \"spec\": {\"ports\": [{\"port\": 2222, \"protocol\": \"TCP\", \"targetPort\": 2222}], \"selector\": {\"app\": \"audit-pod\"}}}",
+ "reviewPaths": ["metadata.labels"],
 "failedPaths": ["metadata.labels"],
 "fixPaths": [],
 "ruleStatus": "",
diff --git a/rules/rule-can-ssh-to-pod-v1/test/workloads/expected.json b/rules/rule-can-ssh-to-pod-v1/test/workloads/expected.json
index 39973b461..539738965 100644
--- a/rules/rule-can-ssh-to-pod-v1/test/workloads/expected.json
+++ b/rules/rule-can-ssh-to-pod-v1/test/workloads/expected.json
@@ -1,5 +1,6 @@
 [{
 "alertMessage": "Deployment: test2 is exposed by SSH services: {\"apiVersion\": \"v1\", \"kind\": \"Service\", \"metadata\": {\"name\": \"my-service\", \"namespace\": \"default\"}, \"spec\": {\"ports\": [{\"port\": 2222, \"protocol\": \"TCP\", \"targetPort\": 2222}], \"selector\": {\"app\": \"audit-pod\"}}}",
+ "reviewPaths": ["spec.template.metadata.labels"],
 "failedPaths": ["spec.template.metadata.labels"],
 "fixPaths": null,
 "ruleStatus": "",
diff --git a/rules/rule-can-ssh-to-pod/raw.rego b/rules/rule-can-ssh-to-pod/raw.rego
deleted file mode 100644
index 7421aaf05..000000000
--- a/rules/rule-can-ssh-to-pod/raw.rego
+++ /dev/null
@@ -1,102 +0,0 @@ -package armo_builtins - -# input: pod -# apiversion: v1 -# does: returns the external facing services of that pod - -deny[msga] { - pod := input[_] - pod.kind == "Pod" - podns := pod.metadata.namespace - podname := pod.metadata.name - labels := pod.metadata.labels - filtered_labels := json.remove(labels, ["pod-template-hash"]) - path := "metadata.labels" - service := input[_] - service.kind == "Service" - service.metadata.namespace == podns - service.spec.selector == filtered_labels - - hasSSHPorts(service) - - msga := { - "alertMessage": sprintf("pod %v/%v exposed by SSH services: %v", [podns, podname, service]), - "packagename": "armo_builtins", - "alertScore": 7, - "deletePaths": [path], - "failedPaths": [path], - "fixPaths": [], - "alertObject": { - "k8sApiObjects": [pod,service] - } - } -} - -deny[msga] { - wl := input[_] - spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} - spec_template_spec_patterns[wl.kind] - labels := wl.spec.template.metadata.labels - path := "spec.template.metadata.labels" - service := input[_] - service.kind == "Service" - service.metadata.namespace == wl.metadata.namespace - service.spec.selector == labels - - hasSSHPorts(service) - - msga := { - "alertMessage": sprintf("%v: %v is exposed by SSH services: %v", [wl.kind, wl.metadata.name, service]), - "packagename": "armo_builtins", - "alertScore": 7, - "failedPaths": [path], - "alertObject": { - "k8sApiObjects": [wl,service] - } - } -} - -deny[msga] { - wl := input[_] - wl.kind == "CronJob" - labels := wl.spec.jobTemplate.spec.template.metadata.labels - path := "spec.jobTemplate.spec.template.metadata.labels" - service := input[_] - service.kind == "Service" - service.metadata.namespace == wl.metadata.namespace - service.spec.selector == labels - - hasSSHPorts(service) - - msga := { - "alertMessage": sprintf("%v: %v is exposed by SSH services: %v", [wl.kind, wl.metadata.name, service]), - "packagename": "armo_builtins", - 
"alertScore": 7, - "failedPaths": [path], - "alertObject": { - "k8sApiObjects": [wl,service] - } - } -} - -hasSSHPorts(service) { - port := service.spec.ports[_] - port.port == 22 -} - - -hasSSHPorts(service) { - port := service.spec.ports[_] - port.port == 2222 -} - -hasSSHPorts(service) { - port := service.spec.ports[_] - port.targetPort == 22 -} - - -hasSSHPorts(service) { - port := service.spec.ports[_] - port.targetPort == 2222 -} diff --git a/rules/rule-can-update-configmap-v1/rule.metadata.json b/rules/rule-can-update-configmap-v1/rule.metadata.json index 083f78b7c..18ec03fbe 100644 --- a/rules/rule-can-update-configmap-v1/rule.metadata.json +++ b/rules/rule-can-update-configmap-v1/rule.metadata.json @@ -2,7 +2,6 @@ "name": "rule-can-update-configmap-v1", "attributes": { "microsoftK8sThreatMatrix": "Lateral Movement::CoreDNS poisoning", - "armoBuiltin": true, "resourcesAggregator": "subject-role-rolebinding", "useFromKubescapeVersion": "v1.0.133" }, diff --git a/rules/rule-can-update-configmap-v1/test/clusterrole-clusterrolebinding/expected.json b/rules/rule-can-update-configmap-v1/test/clusterrole-clusterrolebinding/expected.json index a69892959..dbae45fa3 100644 --- a/rules/rule-can-update-configmap-v1/test/clusterrole-clusterrolebinding/expected.json +++ b/rules/rule-can-update-configmap-v1/test/clusterrole-clusterrolebinding/expected.json @@ -1,6 +1,13 @@ [ { "alertMessage": "Subject: Group-manager can modify 'coredns' configmap", + "reviewPaths": [ + "relatedObjects[1].rules[0].resources[1]", + "relatedObjects[1].rules[0].verbs[0]", + "relatedObjects[1].rules[0].apiGroups[0]", + "relatedObjects[0].subjects[0]", + "relatedObjects[0].roleRef.name" + ], "failedPaths": [ "relatedObjects[1].rules[0].resources[1]", "relatedObjects[1].rules[0].verbs[0]", 
@@ -70,6 +77,13 @@ }, { "alertMessage": "Subject: Group-dev can modify 'coredns' configmap", + "reviewPaths": [ + "relatedObjects[1].rules[0].resources[1]", + "relatedObjects[1].rules[0].verbs[0]", + "relatedObjects[1].rules[0].apiGroups[0]", + "relatedObjects[0].subjects[1]", + "relatedObjects[0].roleRef.name" + ], "failedPaths": [ "relatedObjects[1].rules[0].resources[1]", "relatedObjects[1].rules[0].verbs[0]", diff --git a/rules/rule-can-update-configmap-v1/test/clusterrole-rolebinding/expected.json b/rules/rule-can-update-configmap-v1/test/clusterrole-rolebinding/expected.json index c1406ee05..a55b1c712 100644 --- a/rules/rule-can-update-configmap-v1/test/clusterrole-rolebinding/expected.json +++ b/rules/rule-can-update-configmap-v1/test/clusterrole-rolebinding/expected.json @@ -1,5 +1,6 @@ [{ "alertMessage": "Subject: User-jane can modify 'coredns' configmap", + "reviewPaths": ["relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].verbs[0]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "failedPaths": ["relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].verbs[0]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "fixPaths": [], "ruleStatus": "", diff --git a/rules/rule-can-update-configmap-v1/test/role-rolebinding/expected.json b/rules/rule-can-update-configmap-v1/test/role-rolebinding/expected.json index 099ff42b7..7ed1952e4 100644 --- a/rules/rule-can-update-configmap-v1/test/role-rolebinding/expected.json +++ b/rules/rule-can-update-configmap-v1/test/role-rolebinding/expected.json 
@@ -1,5 +1,6 @@ [{ "alertMessage": "Subject: User-jane can modify 'coredns' configmap", + "reviewPaths": ["relatedObjects[1].rules[0].resources[4]", "relatedObjects[1].rules[0].verbs[1]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "failedPaths": ["relatedObjects[1].rules[0].resources[4]", "relatedObjects[1].rules[0].verbs[1]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "fixPaths": [], "ruleStatus": "", diff --git a/rules/rule-can-update-configmap/raw.rego b/rules/rule-can-update-configmap/raw.rego deleted file mode 100644 index 4cb945719..000000000 --- a/rules/rule-can-update-configmap/raw.rego +++ /dev/null 
@@ -1,168 +0,0 @@ -package armo_builtins - -import data.cautils - -# Fails if user can modify all configmaps, or if he can modify the 'coredns' configmap (default for coredns) -# RoleBinding to Role -deny [msga] { - configmaps := [configmap | configmap = input[_]; configmap.kind == "ConfigMap"] - configmap := configmaps[_] - configmap.metadata.name == "coredns" - - roles := [role | role= input[_]; role.kind == "Role"] - rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"] - role:= roles[_] - rolebinding := rolebindings[_] - - rule:= role.rules[_] - - canModifyConfigMapResource(rule) - canModifyConfigMapVerb(rule) - - rolebinding.roleRef.kind == "Role" - rolebinding.roleRef.name == role.metadata.name - rolebinding.metadata.namespace == "kube-system" - - - subject := rolebinding.subjects[i] - path := sprintf("subjects[%v]", [format_int(i, 10)]) - - msga := { - "alertMessage": sprintf("The following %v: %v can modify 'coredns' configmap", [subject.kind, subject.name]), - "alertScore": 6, - "deletePaths": [path], - "failedPaths": [path], - "packagename": "armo_builtins", - "alertObject": { - "k8sApiObjects": [role,rolebinding], - "externalObjects": { - "subject" : [subject] - } - } - } -} - - -# Fails if user can modify all configmaps, or if he can modify the 'coredns' configmap (default for coredns) -# RoleBinding to ClusterRole -deny[msga] { - configmaps := [configmap | configmap = input[_]; configmap.kind == "ConfigMap"] - configmap := configmaps[_] - configmap.metadata.name == "coredns" - - roles := [role | role= input[_]; role.kind == "ClusterRole"] - rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"] - role:= roles[_] - rolebinding := rolebindings[_] - - rule:= role.rules[_] - canModifyConfigMapResource(rule) - canModifyConfigMapVerb(rule) - - rolebinding.roleRef.kind == "ClusterRole" - rolebinding.roleRef.name == role.metadata.name - rolebinding.metadata.namespace == "kube-system" - - - 
- subject := rolebinding.subjects[i] - path := sprintf("subjects[%v]", [format_int(i, 10)]) - - msga := { - "alertMessage": sprintf("The following %v: %v can modify 'coredns' configmap", [subject.kind, subject.name]), - "alertScore": 6, - "failedPaths": [path], - "packagename": "armo_builtins", - "alertObject": { - "k8sApiObjects": [role,rolebinding], - "externalObjects": { - "subject" : [subject] - } - } - } - -} - - -# Fails if user can modify all configmaps, or if he can modify the 'coredns' configmap (default for coredns) -# ClusterRoleBinding to ClusterRole -deny[msga] { - configmaps := [configmap | configmap = input[_]; configmap.kind == "ConfigMap"] - configmap := configmaps[_] - configmap.metadata.name == "coredns" - - roles := [role | role= input[_]; role.kind == "ClusterRole"] - clusterrolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "ClusterRoleBinding"] - role:= roles[_] - clusterrolebinding := clusterrolebindings[_] - - rule:= role.rules[_] - canModifyConfigMapResource(rule) - canModifyConfigMapVerb(rule) - - - clusterrolebinding.roleRef.kind == "ClusterRole" - clusterrolebinding.roleRef.name == role.metadata.name - - - - subject := clusterrolebinding.subjects[i] - path := sprintf("subjects[%v]", [format_int(i, 10)]) - - msga := { - "alertMessage": sprintf("The following %v: %v can modify 'coredns' configmap", [subject.kind, subject.name]), - "alertScore": 6, - "failedPaths": [path], - "packagename": "armo_builtins", - "alertObject": { - "k8sApiObjects": [role,clusterrolebinding], - "externalObjects": { - "subject" : [subject] - } - } - } -} - - - - - - canModifyConfigMapResource(rule) { - not rule.resourceNames - cautils.list_contains(rule.resources,"configmaps") - } - - canModifyConfigMapResource(rule) { - not rule.resourceNames - is_api_group(rule) - cautils.list_contains(rule.resources,"*") - } - - canModifyConfigMapResource(rule) { - cautils.list_contains(rule.resources,"configmaps") - 
cautils.list_contains(rule.resourceNames,"coredns") - } - - canModifyConfigMapVerb(rule) { - cautils.list_contains(rule.verbs,"update") - } - - - canModifyConfigMapVerb(rule) { - cautils.list_contains(rule.verbs,"patch") - } - - canModifyConfigMapVerb(rule) { - cautils.list_contains(rule.verbs,"*") - } - - -is_api_group(rule) { - apiGroup := rule.apiGroups[_] - apiGroup == "*" -} - -is_api_group(rule) { - apiGroup := rule.apiGroups[_] - apiGroup == "" -} \ No newline at end of file diff --git a/rules/rule-can-update-configmap/rule.metadata.json b/rules/rule-can-update-configmap/rule.metadata.json deleted file mode 100644 index 7ae9f1e5f..000000000 --- a/rules/rule-can-update-configmap/rule.metadata.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "name": "rule-can-update-configmap", - "attributes": { - "microsoftK8sThreatMatrix": "Lateral Movement::CoreDNS poisoning", - "armoBuiltin": true, - "useUntilKubescapeVersion": "v1.0.133" - }, - "ruleLanguage": "Rego", - "match": [ - { - "apiGroups": [ - "*" - ], - "apiVersions": [ - "*" - ], - "resources": [ - "Role", - "ClusterRole", - "ClusterRoleBinding", - "RoleBinding", - "ConfigMap" - ] - } - ], - "ruleDependencies": [ - { - "packageName": "cautils" - } - ], - "description": "determines which users can update/patch the 'coredns' configmap", - "remediation": "", - "ruleQuery": "armo_builtins", - "resourceCount": "subjects" - } \ No newline at end of file diff --git a/rules/rule-cni-enabled-aks/rule.metadata.json b/rules/rule-cni-enabled-aks/rule.metadata.json index c47a98f31..cefcfe8e4 100644 --- a/rules/rule-cni-enabled-aks/rule.metadata.json +++ b/rules/rule-cni-enabled-aks/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "rule-cni-enabled-aks", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "dynamicMatch": [ diff --git a/rules/rule-credentials-configmap/raw.rego b/rules/rule-credentials-configmap/raw.rego index 7486b62d2..4b0398e48 100644 --- a/rules/rule-credentials-configmap/raw.rego 
+++ b/rules/rule-credentials-configmap/raw.rego @@ -11,8 +11,10 @@ deny[msga] { map_secret != "" contains(lower(map_key), lower(key_name)) - # check that value wasn't allowed by user + + # check that value or key weren't allowed by user not is_allowed_value(map_secret) + not is_allowed_key_name(map_key) path := sprintf("data[%v]", [map_key]) @@ -20,7 +22,7 @@ deny[msga] { "alertMessage": sprintf("this configmap has sensitive information: %v", [configmap.metadata.name]), "alertScore": 9, "deletePaths": [path], - "failedPaths": [path], + "failedPaths": [path], "fixPaths": [], "packagename": "armo_builtins", "alertObject": { @@ -41,14 +43,17 @@ deny[msga] { map_secret != "" regex.match(value , map_secret) - # check that value wasn't allowed by user + + # check that value or key weren't allowed by user not is_allowed_value(map_secret) + not is_allowed_key_name(map_key) path := sprintf("data[%v]", [map_key]) msga := { "alertMessage": sprintf("this configmap has sensitive information: %v", [configmap.metadata.name]), "alertScore": 9, + "deletePaths": [path], "failedPaths": [path], "fixPaths": [], "packagename": "armo_builtins", @@ -71,16 +76,18 @@ deny[msga] { decoded_secret := base64.decode(map_secret) - # check that value wasn't allowed by user - not is_allowed_value(map_secret) - regex.match(value , decoded_secret) + # check that value or key weren't allowed by user + not is_allowed_value(map_secret) + not is_allowed_key_name(map_key) + path := sprintf("data[%v]", [map_key]) msga := { "alertMessage": sprintf("this configmap has sensitive information: %v", [configmap.metadata.name]), "alertScore": 9, + "deletePaths": [path], "failedPaths": [path], "fixPaths": [], "packagename": "armo_builtins", 
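Review bot: In the base64 rule (`@@ -71,16 +76,18 @@`) the allow-list is still evaluated against the encoded value, `not is_allowed_value(map_secret)`, while the sensitive-value pattern is matched against `decoded_secret`, so an entry in `sensitiveValuesAllowed` written for the plaintext (such as the fixture's `my/secret/file/path`) will not suppress the same value when it is stored base64-encoded. Consider checking the decoded form as well, adding `not is_allowed_value(decoded_secret)` next to the existing line, so the allow-list behaves the same for encoded and plain values. The enclosing `deny[msga]` rule starts before this hunk.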
@@ -90,8 +97,12 @@ deny[msga] { } } - is_allowed_value(value) { allow_val := data.postureControlInputs.sensitiveValuesAllowed[_] - value == allow_val + regex.match(allow_val , value) +} + +is_allowed_key_name(key_name) { + allow_key := data.postureControlInputs.sensitiveKeyNamesAllowed[_] + contains(lower(key_name), lower(allow_key)) } \ No newline at end of file diff --git a/rules/rule-credentials-configmap/rule.metadata.json b/rules/rule-credentials-configmap/rule.metadata.json index cbd03fb57..d56880a85 100644 --- a/rules/rule-credentials-configmap/rule.metadata.json +++ b/rules/rule-credentials-configmap/rule.metadata.json @@ -1,8 +1,7 @@ { "name": "rule-credentials-configmap", "attributes": { - "m$K8sThreatMatrix": "Credential access::Applications credentials in configuration files, Lateral Movement::Applications credentials in configuration files", - "armoBuiltin": true + "m$K8sThreatMatrix": "Credential access::Applications credentials in configuration files, Lateral Movement::Applications credentials in configuration files" }, "ruleLanguage": "Rego", "match": [ 
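Review bot: `is_allowed_value` now treats every `sensitiveValuesAllowed` entry as an RE2 pattern via `regex.match(allow_val , value)`, and `is_allowed_key_name` is a case-insensitive substring test, so a single empty or over-broad entry (`""`, `.*`, or a short fragment such as `key`) silently suppresses every finding of this rule. Guard the operator-supplied inputs before matching, `allow_val != ""` in `is_allowed_value` and `allow_key != ""` in `is_allowed_key_name`, and if the exact-match semantics of the old `value == allow_val` are meant to be kept, anchor the pattern with `regex.match(concat("", ["^", allow_val, "$"]), value)`. This is also a behaviour change for existing configurations whose allowed values contain regex metacharacters (`+`, `(`, `$`): by default OPA makes a built-in error undefined rather than failing, so such a value is then reported instead of allowed. The same two helpers are added identically in rules/rule-credentials-in-env-var/raw.rego (the `@@ -193,5 +209,10 @@` hunk) and need the same guards.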
@@ -22,23 +21,29 @@ "configInputs": [ "settings.postureControlInputs.sensitiveValues", "settings.postureControlInputs.sensitiveKeyNames", - "settings.postureControlInputs.sensitiveValuesAllowed" + "settings.postureControlInputs.sensitiveValuesAllowed", + "settings.postureControlInputs.sensitiveKeyNamesAllowed" ], "controlConfigInputs": [ { "path": "settings.postureControlInputs.sensitiveValues", - "name": "Values", + "name": "Sensitive Values", "description": "Strings that identify a value that Kubescape believes should be stored in a Secret, and not in a ConfigMap or an environment variable." }, + { + "path": "settings.postureControlInputs.sensitiveValuesAllowed", + "name": "Allowed Values", + "description": "Reduce false positives with known values." + }, { "path": "settings.postureControlInputs.sensitiveKeyNames", - "name": "Keys", + "name": "Sensitive Keys", "description": "Key names that identify a potential value that should be stored in a Secret, and not in a ConfigMap or an environment variable." }, { - "path": "settings.postureControlInputs.sensitiveValuesAllowed", - "name": "AllowedValues", - "description": "Explicitly allowed values, which will override sensitiveValues." + "path": "settings.postureControlInputs.sensitiveKeyNamesAllowed", + "name": "Allowed Keys", + "description": "Reduce false positives with known key names." } ], "description": "fails if ConfigMaps have sensitive information in configuration", diff --git a/rules/rule-credentials-configmap/test/test-allowed-values-keys/data.json b/rules/rule-credentials-configmap/test/test-allowed-values-keys/data.json new file mode 100644 index 000000000..31d85a1d4 --- /dev/null +++ b/rules/rule-credentials-configmap/test/test-allowed-values-keys/data.json 
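Review bot: The new `controlConfigInputs` descriptions, `Reduce false positives with known values.` and `Reduce false positives with known key names.`, no longer tell the operator how the inputs are interpreted, while raw.rego in this same commit turns `sensitiveValuesAllowed` entries into unanchored `regex.match` patterns and makes `sensitiveKeyNamesAllowed` a case-insensitive substring test. Document the semantics where users configure them, e.g. `"description": "Regular expressions (RE2, unanchored) for values that must not be reported even if they match sensitiveValues."` and `"description": "Case-insensitive substrings of key names that must not be reported even if they match sensitiveKeyNames."`. The same descriptions are repeated in rules/rule-credentials-in-env-var/rule.metadata.json (`@@ -48,23 +47,29 @@`) and should be updated together.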
@@ -0,0 +1,31 @@
+{
+ "postureControlInputs": {
+ "sensitiveKeyNames": [
+ "aws_access_key_id",
+ "aws_secret_access_key",
+ "azure_batchai_storage_account",
+ "azure_batchai_storage_key",
+ "azure_batch_account",
+ "azure_batch_key",
+ "secret",
+ "key",
+ "password",
+ "pwd",
+ "token",
+ "jwt",
+ "bearer",
+ "credential"
+ ],
+ "sensitiveValues": [
+ "BEGIN \\w+ PRIVATE KEY",
+ "PRIVATE KEY",
+ "eyJhbGciO",
+ "JWT",
+ "Bearer",
+ "_key_",
+ "_secret_"
+ ],
+ "sensitiveKeyNamesAllowed": ["_FILE"],
+ "sensitiveValuesAllowed": ["my/secret/file/path"]
+ }
+}
\ No newline at end of file
diff --git a/rules/rule-credentials-configmap/test/test-allowed-values-keys/expected.json b/rules/rule-credentials-configmap/test/test-allowed-values-keys/expected.json
new file mode 100644
index 000000000..3726c87e1
--- /dev/null
+++ b/rules/rule-credentials-configmap/test/test-allowed-values-keys/expected.json
@@ -0,0 +1,35 @@
+[{
+ "alertMessage": "this configmap has sensitive information: game-demo",
+ "deletePaths": ["data[aws_access_key_id]"],
+ "failedPaths": ["data[aws_access_key_id]"],
+ "fixPaths": [],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 9,
+ "alertObject": {
+ "k8sApiObjects": [{
+ "apiVersion": "v1",
+ "kind": "ConfigMap",
+ "metadata": {
+ "name": "game-demo"
+ }
+ }]
+ }
+}, {
+ "alertMessage": "this configmap has sensitive information: game-demo",
+ "deletePaths": ["data[pwd]"],
+ "failedPaths": ["data[pwd]"],
+ "fixPaths": [],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 9,
+ "alertObject": {
+ "k8sApiObjects": [{
+ "apiVersion": "v1",
+ "kind": "ConfigMap",
+ "metadata": {
+ "name": "game-demo"
+ }
+ }]
+ }
+}]
\ No newline at end of file
diff --git a/rules/rule-credentials-configmap/test/test-allowed-values-keys/input/configmap.yaml b/rules/rule-credentials-configmap/test/test-allowed-values-keys/input/configmap.yaml
new file mode 100644
index 000000000..e5caa806e
--- /dev/null
+++ b/rules/rule-credentials-configmap/test/test-allowed-values-keys/input/configmap.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: game-demo +data: + # property-like keys; each key maps to a simple value + player_initial_lives: "3" + ui_properties_file_name: "user-interface.properties" + aws_access_key_id: "XXXX" + pwd: "hi" + aws_access_key_id_file: "/etc/secret-volume/aws" + aws_secret: "my/secret/file/path" + # file-like keys + game.properties: | + enemy.types=aliens,monsters + player.maximum-lives=5 + user-interface.properties: | + color.good=purple + color.bad=yellow + allow.textmode=true \ No newline at end of file diff --git a/rules/rule-credentials-configmap/test/test-base64/expected.json b/rules/rule-credentials-configmap/test/test-base64/expected.json index a4c43b332..e36d66b2a 100644 --- a/rules/rule-credentials-configmap/test/test-base64/expected.json +++ b/rules/rule-credentials-configmap/test/test-base64/expected.json @@ -1,5 +1,6 @@ [{ "alertMessage": "this configmap has sensitive information: game-demo", + "deletePaths": ["data[pwd]"], "failedPaths": ["data[pwd]"], "fixPaths": [], "ruleStatus": "", diff --git a/rules/rule-credentials-configmap/test/test/expected.json b/rules/rule-credentials-configmap/test/test/expected.json index 2e7598582..3726c87e1 100644 --- a/rules/rule-credentials-configmap/test/test/expected.json +++ b/rules/rule-credentials-configmap/test/test/expected.json @@ -1,5 +1,6 @@ [{ "alertMessage": "this configmap has sensitive information: game-demo", + "deletePaths": ["data[aws_access_key_id]"], "failedPaths": ["data[aws_access_key_id]"], "fixPaths": [], "ruleStatus": "", @@ -16,6 +17,7 @@ } }, { "alertMessage": "this configmap has sensitive information: game-demo", + "deletePaths": ["data[pwd]"], "failedPaths": ["data[pwd]"], "fixPaths": [], "ruleStatus": "", diff --git a/rules/rule-credentials-in-env-var/raw.rego b/rules/rule-credentials-in-env-var/raw.rego index 328efc25a..c9aadc4a1 100644 
--- a/rules/rule-credentials-in-env-var/raw.rego +++ b/rules/rule-credentials-in-env-var/raw.rego @@ -11,19 +11,21 @@ contains(lower(env.name), lower(key_name)) env.value != "" - # check that value wasn't allowed by user - not is_allowed_value(env.value) + # check that value or key weren't allowed by user + not is_allowed_value(env.value) + not is_allowed_key_name(env.name) is_not_reference(env) - path := sprintf("spec.containers[%v].env[%v].name", [format_int(i, 10), format_int(j, 10)]) + paths := [sprintf("spec.containers[%v].env[%v].name", [i, j]), + sprintf("spec.containers[%v].env[%v].value", [i, j])] msga := { "alertMessage": sprintf("Pod: %v has sensitive information in environment variables", [pod.metadata.name]), "alertScore": 9, "fixPaths": [], - "deletePaths": [path], - "failedPaths": [path], + "deletePaths": paths, + "failedPaths": paths, "packagename": "armo_builtins", "alertObject": { "k8sApiObjects": [pod] @@ -44,18 +46,21 @@ contains(lower(env.name), lower(key_name)) env.value != "" - # check that value wasn't allowed by user - not is_allowed_value(env.value) + # check that value or key weren't allowed by user + not is_allowed_value(env.value) + not is_allowed_key_name(env.name) is_not_reference(env) - path := sprintf("spec.template.spec.containers[%v].env[%v].name", [format_int(i, 10), format_int(j, 10)]) + paths := [sprintf("spec.template.spec.containers[%v].env[%v].name", [i, j]), + sprintf("spec.template.spec.containers[%v].env[%v].value", [i, j])] msga := { "alertMessage": sprintf("%v: %v has sensitive information in environment variables", [wl.kind, wl.metadata.name]), "alertScore": 9, "fixPaths": [], - "failedPaths": [path], + "deletePaths": paths, + "failedPaths": paths, "packagename": "armo_builtins", "alertObject": { "k8sApiObjects": [wl] 
@@ -73,20 +78,22 @@ env := container.env[j] contains(lower(env.name), lower(key_name)) - env.value != "" - # check that value wasn't allowed by user - not is_allowed_value(env.value) + # check that value or key weren't allowed by user + not is_allowed_value(env.value) + not is_allowed_key_name(env.name) is_not_reference(env) - path := sprintf("spec.jobTemplate.spec.template.spec.containers[%v].env[%v].name", [format_int(i, 10), format_int(j, 10)]) + paths := [sprintf("spec.jobTemplate.spec.template.spec.containers[%v].env[%v].name", [i, j]), + sprintf("spec.jobTemplate.spec.template.spec.containers[%v].env[%v].value", [i, j])] msga := { "alertMessage": sprintf("Cronjob: %v has sensitive information in environment variables", [wl.metadata.name]), "alertScore": 9, "fixPaths": [], - "failedPaths": [path], + "deletePaths": paths, + "failedPaths": paths, "packagename": "armo_builtins", "alertObject": { "k8sApiObjects": [wl] @@ -104,19 +111,22 @@ deny[msga] { container := pod.spec.containers[i] env := container.env[j] - # check that value wasn't allowed by user - not is_allowed_value(env.value) contains(lower(env.value), lower(value)) + # check that value or key weren't allowed by user + not is_allowed_value(env.value) + not is_allowed_key_name(env.name) is_not_reference(env) - path := sprintf("spec.containers[%v].env[%v].name", [format_int(i, 10), format_int(j, 10)]) + paths := [sprintf("spec.containers[%v].env[%v].name", [i, j]), + sprintf("spec.containers[%v].env[%v].value", [i, j])] msga := { "alertMessage": sprintf("Pod: %v has sensitive information in environment variables", [pod.metadata.name]), "alertScore": 9, "fixPaths": [], - "failedPaths": [path], + "deletePaths": paths, + "failedPaths": paths, "packagename": "armo_builtins", "alertObject": { "k8sApiObjects": [pod] 
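Review bot: In the `@@ -73,20 +78,22 @@` hunk the `-` before `env.value != ""` appears to remove that check from the CronJob key-name rule, whereas the Pod and workload rules in the two preceding hunks keep it; the collapsed layout makes it impossible to tell whether the removed line is the check itself or an adjacent blank line. If the check is gone, a CronJob env entry with a sensitive name and an empty value is now reported, unlike the other two kinds, and the hunk counts (one more removed line than the `@@ -44,18 +46,21 @@` hunk) are consistent with that reading. Please confirm the new side still contains `env.value != ""`, or remove it from the other rules deliberately so the three kinds stay consistent. The enclosing `deny[msga]` rule starts before this hunk.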
@@ -135,19 +145,22 @@ deny[msga] { container := wl.spec.template.spec.containers[i] env := container.env[j] - not is_allowed_value(env.value) contains(lower(env.value), lower(value)) - # check that value wasn't allowed by user + # check that value or key weren't allowed by user + not is_allowed_value(env.value) + not is_allowed_key_name(env.name) is_not_reference(env) - path := sprintf("spec.template.spec.containers[%v].env[%v].name", [format_int(i, 10), format_int(j, 10)]) + paths := [sprintf("spec.template.spec.containers[%v].env[%v].name", [i, j]), + sprintf("spec.template.spec.containers[%v].env[%v].value", [i, j])] msga := { "alertMessage": sprintf("%v: %v has sensitive information in environment variables", [wl.kind, wl.metadata.name]), "alertScore": 9, "fixPaths": [], - "failedPaths": [path], + "deletePaths": paths, + "failedPaths": paths, "packagename": "armo_builtins", "alertObject": { "k8sApiObjects": [wl] @@ -164,19 +177,22 @@ deny[msga] { container := wl.spec.jobTemplate.spec.template.spec.containers[i] env := container.env[j] - # check that value wasn't allowed by user - not is_allowed_value(env.value) contains(lower(env.value), lower(value)) + # check that value or key weren't allowed by user + not is_allowed_value(env.value) + not is_allowed_key_name(env.name) is_not_reference(env) - path := sprintf("spec.jobTemplate.spec.template.spec.containers[%v].env[%v].name", [format_int(i, 10), format_int(j, 10)]) + paths := [sprintf("spec.jobTemplate.spec.template.spec.containers[%v].env[%v].name", [i, j]), + sprintf("spec.jobTemplate.spec.template.spec.containers[%v].env[%v].value", [i, j])] msga := { "alertMessage": sprintf("Cronjob: %v has sensitive information in environment variables", [wl.metadata.name]), "alertScore": 9, "fixPaths": [], - "failedPaths": [path], + "deletePaths": paths, + "failedPaths": paths, "packagename": "armo_builtins", "alertObject": { "k8sApiObjects": [wl] 
@@ -193,5 +209,10 @@ is_not_reference(env) is_allowed_value(value) { allow_val := data.postureControlInputs.sensitiveValuesAllowed[_] - value == allow_val + regex.match(allow_val , value) +} + +is_allowed_key_name(key_name) { + allow_key := data.postureControlInputs.sensitiveKeyNamesAllowed[_] + contains(lower(key_name), lower(allow_key)) } \ No newline at end of file diff --git a/rules/rule-credentials-in-env-var/rule.metadata.json b/rules/rule-credentials-in-env-var/rule.metadata.json index d5735acfb..fde425123 100644 --- a/rules/rule-credentials-in-env-var/rule.metadata.json +++ b/rules/rule-credentials-in-env-var/rule.metadata.json @@ -1,8 +1,7 @@ { "name": "rule-credentials-in-env-var", "attributes": { - "m$K8sThreatMatrix": "Credential access::Applications credentials in configuration files, Lateral Movement::Applications credentials in configuration files", - "armoBuiltin": true + "m$K8sThreatMatrix": "Credential access::Applications credentials in configuration files, Lateral Movement::Applications credentials in configuration files" }, "ruleLanguage": "Rego", "match": [ 
@@ -48,23 +47,29 @@ "configInputs": [ "settings.postureControlInputs.sensitiveValues", "settings.postureControlInputs.sensitiveKeyNames", - "settings.postureControlInputs.sensitiveValuesAllowed" + "settings.postureControlInputs.sensitiveValuesAllowed", + "settings.postureControlInputs.sensitiveKeyNamesAllowed" ], "controlConfigInputs": [ { "path": "settings.postureControlInputs.sensitiveValues", - "name": "Values", + "name": "Sensitive Values", "description": "Strings that identify a value that Kubescape believes should be stored in a Secret, and not in a ConfigMap or an environment variable." }, + { + "path": "settings.postureControlInputs.sensitiveValuesAllowed", + "name": "Allowed Values", + "description": "Reduce false positives with known values." + }, { "path": "settings.postureControlInputs.sensitiveKeyNames", - "name": "Keys", + "name": "Sensitive Keys", "description": "Key names that identify a potential value that should be stored in a Secret, and not in a ConfigMap or an environment variable." }, { - "path": "settings.postureControlInputs.sensitiveValuesAllowed", - "name": "AllowedValues", - "description": "Explicitly allowed values, which will override sensitiveValues." + "path": "settings.postureControlInputs.sensitiveKeyNamesAllowed", + "name": "Allowed Keys", + "description": "Reduce false positives with known key names." } ], "description": "fails if Pods have sensitive information in configuration", diff --git a/rules/rule-credentials-in-env-var/test/cronjob/expected.json b/rules/rule-credentials-in-env-var/test/cronjob/expected.json index 67999043f..375d3fcdf 100644 --- a/rules/rule-credentials-in-env-var/test/cronjob/expected.json +++ b/rules/rule-credentials-in-env-var/test/cronjob/expected.json 
@@ -1,8 +1,13 @@ [ { "alertMessage": "Cronjob: hello has sensitive information in environment variables", + "deletePaths": [ + "spec.jobTemplate.spec.template.spec.containers[0].env[0].name", + "spec.jobTemplate.spec.template.spec.containers[0].env[0].value" + ], "failedPaths": [ - "spec.jobTemplate.spec.template.spec.containers[0].env[0].name" + "spec.jobTemplate.spec.template.spec.containers[0].env[0].name", + "spec.jobTemplate.spec.template.spec.containers[0].env[0].value" ], "fixPaths": [], "ruleStatus": "", diff --git a/rules/rule-credentials-in-env-var/test/deployment/expected.json b/rules/rule-credentials-in-env-var/test/deployment/expected.json index 5895545cc..758a45c14 100644 --- a/rules/rule-credentials-in-env-var/test/deployment/expected.json +++ b/rules/rule-credentials-in-env-var/test/deployment/expected.json @@ -1,8 +1,13 @@ [ { "alertMessage": "Deployment: test2 has sensitive information in environment variables", + "deletePaths": [ + "spec.template.spec.containers[1].env[1].name", + "spec.template.spec.containers[1].env[1].value" + ], "failedPaths": [ - "spec.template.spec.containers[1].env[1].name" + "spec.template.spec.containers[1].env[1].name", + "spec.template.spec.containers[1].env[1].value" ], "fixPaths": [], "ruleStatus": "", diff --git a/rules/rule-credentials-in-env-var/test/pod-allowed-values-keys/data.json b/rules/rule-credentials-in-env-var/test/pod-allowed-values-keys/data.json new file mode 100644 index 000000000..31d85a1d4 --- /dev/null +++ b/rules/rule-credentials-in-env-var/test/pod-allowed-values-keys/data.json 
@@ -0,0 +1,31 @@
+{
+ "postureControlInputs": {
+ "sensitiveKeyNames": [
+ "aws_access_key_id",
+ "aws_secret_access_key",
+ "azure_batchai_storage_account",
+ "azure_batchai_storage_key",
+ "azure_batch_account",
+ "azure_batch_key",
+ "secret",
+ "key",
+ "password",
+ "pwd",
+ "token",
+ "jwt",
+ "bearer",
+ "credential"
+ ],
+ "sensitiveValues": [
+ "BEGIN \\w+ PRIVATE KEY",
+ "PRIVATE KEY",
+ "eyJhbGciO",
+ "JWT",
+ "Bearer",
+ "_key_",
+ "_secret_"
+ ],
+ "sensitiveKeyNamesAllowed": ["_FILE"],
+ "sensitiveValuesAllowed": ["my/secret/file/path"]
+ }
+}
\ No newline at end of file
diff --git a/rules/rule-credentials-in-env-var/test/pod-allowed-values-keys/expected.json b/rules/rule-credentials-in-env-var/test/pod-allowed-values-keys/expected.json
new file mode 100644
index 000000000..5e40ddd37
--- /dev/null
+++ b/rules/rule-credentials-in-env-var/test/pod-allowed-values-keys/expected.json
@@ -0,0 +1,31 @@
+[
+ {
+ "alertMessage": "Pod: audit-pod has sensitive information in environment variables",
+ "deletePaths": [
+ "spec.containers[0].env[1].name",
+ "spec.containers[0].env[1].value"
+ ],
+ "failedPaths": [
+ "spec.containers[0].env[1].name",
+ "spec.containers[0].env[1].value"
+ ],
+ "fixPaths": [],
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 9,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "labels": {
+ "app": "audit-pod"
+ },
+ "name": "audit-pod"
+ }
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/rules/rule-credentials-in-env-var/test/pod-allowed-values-keys/input/pod.yaml b/rules/rule-credentials-in-env-var/test/pod-allowed-values-keys/input/pod.yaml
new file mode 100644
index 000000000..252eeeee6
--- /dev/null
+++ b/rules/rule-credentials-in-env-var/test/pod-allowed-values-keys/input/pod.yaml
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: audit-pod + labels: + app: audit-pod +spec: + containers: + - name: test-container + env : + - name : random + value : "Hello from the environment" + - name: some-name + value: my_key_value + image: hashicorp/http-echo:0.2.3 + securityContext: + allowPrivilegeEscalation: true + - name : test-container2 + env : + - name : random + value : "Hello from the environment" + - name: AWS_TOKEN_FILE + value: /etc/secret-volume/aws + - name: my_password + value: my/secret/file/path + image : hashicorp/http-echo:0.2.3 \ No newline at end of file diff --git a/rules/rule-credentials-in-env-var/test/pod/expected.json b/rules/rule-credentials-in-env-var/test/pod/expected.json index 9324ba1a3..5e40ddd37 100644 --- a/rules/rule-credentials-in-env-var/test/pod/expected.json +++ b/rules/rule-credentials-in-env-var/test/pod/expected.json @@ -1,8 +1,13 @@ [ { "alertMessage": "Pod: audit-pod has sensitive information in environment variables", + "deletePaths": [ + "spec.containers[0].env[1].name", + "spec.containers[0].env[1].value" + ], "failedPaths": [ - "spec.containers[0].env[1].name" + "spec.containers[0].env[1].name", + "spec.containers[0].env[1].value" ], "fixPaths": [], "ruleStatus": "", diff --git a/rules/rule-credentials-in-env-var/test/workloads/expected.json b/rules/rule-credentials-in-env-var/test/workloads/expected.json index 4be61b0ee..38408615a 100644 --- a/rules/rule-credentials-in-env-var/test/workloads/expected.json +++ b/rules/rule-credentials-in-env-var/test/workloads/expected.json 
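Review bot: The new fixture only exercises the two allowlists in the direction where they suppress a finding (`AWS_TOKEN_FILE` through the `_FILE` key allowlist, `my_password` through the exact value `my/secret/file/path`), and never the case where an allowlisted key name carries a value that itself matches `sensitiveValues`, so the precedence between the allowlist and the value patterns is left unpinned by the test. Adding a third entry to `test-container2`, e.g. `- name: JWT_FILE` / `value: eyJhbGciOiJIUzI1NiJ9.e30.sig`, and recording in `expected.json` whether `spec.containers[1].env[3]` is reported would document which wins; from a leak-detection standpoint a value that looks like a bearer token should arguably be flagged regardless of the key suffix, but the rego that consumes these inputs is not in this hunk, so I cannot confirm current behaviour. Minor style point: the manifest mixes `env :` / `name :` (space before the colon) with `name:`; YAML accepts both, but yamllint's default `colons` rule rejects the former, so `env:` and `name:` throughout would be cleaner.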
@@ -1,8 +1,13 @@ [ { "alertMessage": "Deployment: test2 has sensitive information in environment variables", + "deletePaths": [ + "spec.template.spec.containers[1].env[0].name", + "spec.template.spec.containers[1].env[0].value" + ], "failedPaths": [ - "spec.template.spec.containers[1].env[0].name" + "spec.template.spec.containers[1].env[0].name", + "spec.template.spec.containers[1].env[0].value" ], "fixPaths": [], "ruleStatus": "", diff --git a/rules/rule-deny-cronjobs/rule.metadata.json b/rules/rule-deny-cronjobs/rule.metadata.json index 0b8250ab2..c53c1d7b1 100644 --- a/rules/rule-deny-cronjobs/rule.metadata.json +++ b/rules/rule-deny-cronjobs/rule.metadata.json @@ -1,8 +1,7 @@ { "name": "rule-deny-cronjobs", "attributes": { - "m$K8sThreatMatrix": "Persistence::Kubernetes Cronjob", - "armoBuiltin": true + "m$K8sThreatMatrix": "Persistence::Kubernetes Cronjob" }, "ruleLanguage": "rego", "match": [ diff --git a/rules/rule-excessive-delete-rights-v1/rule.metadata.json b/rules/rule-excessive-delete-rights-v1/rule.metadata.json index 6f86e94b0..14138cc0e 100644 --- a/rules/rule-excessive-delete-rights-v1/rule.metadata.json +++ b/rules/rule-excessive-delete-rights-v1/rule.metadata.json @@ -2,7 +2,6 @@ "name": "rule-excessive-delete-rights-v1", "attributes": { "m$K8sThreatMatrix": "Impact::Data Destruction", - "armoBuiltin": true, "resourcesAggregator": "subject-role-rolebinding", "useFromKubescapeVersion": "v1.0.133" }, diff --git a/rules/rule-excessive-delete-rights-v1/test/clusterrole-clusterrolebinding/expected.json b/rules/rule-excessive-delete-rights-v1/test/clusterrole-clusterrolebinding/expected.json index d34f1ed74..34af998ec 100644 --- a/rules/rule-excessive-delete-rights-v1/test/clusterrole-clusterrolebinding/expected.json +++ b/rules/rule-excessive-delete-rights-v1/test/clusterrole-clusterrolebinding/expected.json 
@@ -1,6 +1,14 @@ [ { "alertMessage": "Subject: Group-manager can delete important resources", + "reviewPaths": [ + "relatedObjects[1].rules[0].resources[0]", + "relatedObjects[1].rules[0].resources[1]", + "relatedObjects[1].rules[0].verbs[1]", + "relatedObjects[1].rules[0].apiGroups[0]", + "relatedObjects[0].subjects[0]", + "relatedObjects[0].roleRef.name" + ], "failedPaths": [ "relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].resources[1]", @@ -72,6 +80,14 @@ }, { "alertMessage": "Subject: Group-dev can delete important resources", + "reviewPaths": [ + "relatedObjects[1].rules[0].resources[0]", + "relatedObjects[1].rules[0].resources[1]", + "relatedObjects[1].rules[0].verbs[1]", + "relatedObjects[1].rules[0].apiGroups[0]", + "relatedObjects[0].subjects[1]", + "relatedObjects[0].roleRef.name" + ], "failedPaths": [ "relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].resources[1]", diff --git a/rules/rule-excessive-delete-rights-v1/test/clusterrole-rolebinding/expected.json b/rules/rule-excessive-delete-rights-v1/test/clusterrole-rolebinding/expected.json index bb1a096ce..95648c446 100644 --- a/rules/rule-excessive-delete-rights-v1/test/clusterrole-rolebinding/expected.json +++ b/rules/rule-excessive-delete-rights-v1/test/clusterrole-rolebinding/expected.json @@ -1,5 +1,6 @@ [{ "alertMessage": "Subject: User-jane can delete important resources", + "reviewPaths": ["relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].verbs[0]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "failedPaths": ["relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].verbs[0]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "fixPaths": [], "ruleStatus": "", 
diff --git a/rules/rule-excessive-delete-rights-v1/test/role-rolebinding/expected.json b/rules/rule-excessive-delete-rights-v1/test/role-rolebinding/expected.json index d858fe9f2..01d102d31 100644 --- a/rules/rule-excessive-delete-rights-v1/test/role-rolebinding/expected.json +++ b/rules/rule-excessive-delete-rights-v1/test/role-rolebinding/expected.json @@ -1,5 +1,6 @@ [{ "alertMessage": "Subject: User-jane can delete important resources", + "reviewPaths": ["relatedObjects[1].rules[0].resources[1]", "relatedObjects[1].rules[0].resources[3]", "relatedObjects[1].rules[0].resources[4]", "relatedObjects[1].rules[0].verbs[1]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "failedPaths": ["relatedObjects[1].rules[0].resources[1]", "relatedObjects[1].rules[0].resources[3]", "relatedObjects[1].rules[0].resources[4]", "relatedObjects[1].rules[0].verbs[1]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "fixPaths": [], "ruleStatus": "", diff --git a/rules/rule-excessive-delete-rights/raw.rego b/rules/rule-excessive-delete-rights/raw.rego deleted file mode 100644 index a5560634f..000000000 --- a/rules/rule-excessive-delete-rights/raw.rego +++ /dev/null 
@@ -1,171 +0,0 @@
-package armo_builtins
-import data.cautils
-# fails if user can can delete important resources
-# RoleBinding to Role
-deny[msga] {
- roles := [role | role= input[_]; role.kind == "Role"]
- rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"]
- role:= roles[_]
- rolebinding := rolebindings[_]
-
- rule:= role.rules[_]
- canDeleteResource(rule)
- canDeleteVerb(rule)
-
- rolebinding.roleRef.kind == "Role"
- rolebinding.roleRef.name == role.metadata.name
-
- subject := rolebinding.subjects[i]
- path := sprintf("subjects[%v]", [format_int(i, 10)])
-
- msga := {
- "alertMessage": sprintf("The following %v: %v can delete important resources", [subject.kind, subject.name]),
- "alertScore": 9,
- "fixPaths": [],
- "deletePaths": [path],
- "failedPaths": [path],
- "packagename": "armo_builtins",
- "alertObject": {
- "k8sApiObjects": [role,rolebinding],
- "externalObjects": {
- "subject" : [subject]
- }
- }
- }
-}
-
-
-# fails if user can can delete important resources
-# RoleBinding to ClusterRole
-deny[msga] {
- roles := [role | role= input[_]; role.kind == "ClusterRole"]
- rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"]
- role:= roles[_]
- rolebinding := rolebindings[_]
-
- rule:= role.rules[_]
- canDeleteResource(rule)
- canDeleteVerb(rule)
-
- rolebinding.roleRef.kind == "ClusterRole"
- rolebinding.roleRef.name == role.metadata.name
-
- subject := rolebinding.subjects[i]
- path := sprintf("subjects[%v]", [format_int(i, 10)])
-
- msga := {
- "alertMessage": sprintf("The following %v: %v can delete important resources", [subject.kind, subject.name]),
- "alertScore": 9,
- "fixPaths": [],
- "deletePaths": [path],
- "failedPaths": [path],
- "packagename": "armo_builtins",
- "alertObject": {
- "k8sApiObjects": [role,rolebinding],
- "externalObjects": {
- "subject" : [subject]
- }
- }
- }
-}
-
-# fails if user can can delete important resources
-# ClusterRoleBinding to ClusterRole
-deny[msga] {
- roles := [role | role= input[_]; role.kind == "ClusterRole"]
- clusterrolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "ClusterRoleBinding"]
- role:= roles[_]
- clusterrolebinding := clusterrolebindings[_]
-
- rule:= role.rules[_]
- canDeleteResource(rule)
- canDeleteVerb(rule)
-
- clusterrolebinding.roleRef.kind == "ClusterRole"
- clusterrolebinding.roleRef.name == role.metadata.name
-
-
- subject := clusterrolebinding.subjects[i]
- path := sprintf("subjects[%v]", [format_int(i, 10)])
-
- msga := {
- "alertMessage": sprintf("The following %v: %v can delete important resources", [subject.kind, subject.name]),
- "alertScore": 9,
- "fixPaths": [],
- "deletePaths": [path],
- "failedPaths": [path],
- "packagename": "armo_builtins",
- "alertObject": {
- "k8sApiObjects": [role,clusterrolebinding],
- "externalObjects": {
- "subject" : [subject]
- }
- }
- }
-}
-
-
-canDeleteVerb(rule) {
- cautils.list_contains(rule.verbs, "delete")
-}
-
-canDeleteVerb(rule) {
- cautils.list_contains(rule.verbs, "deletecollection")
-}
-
-canDeleteVerb(rule) {
- cautils.list_contains(rule.verbs, "*")
-}
-
-canDeleteResource(rule) {
- cautils.list_contains(rule.resources, "secrets")
-}
-canDeleteResource(rule) {
- cautils.list_contains(rule.resources, "pods")
-}
-canDeleteResource(rule) {
- cautils.list_contains(rule.resources, "services")
-}
-canDeleteResource(rule) {
- cautils.list_contains(rule.resources, "deployments")
-}
-canDeleteResource(rule) {
- cautils.list_contains(rule.resources, "replicasets")
-}
-canDeleteResource(rule) {
- cautils.list_contains(rule.resources, "daemonsets")
-}
-canDeleteResource(rule) {
- cautils.list_contains(rule.resources, "statefulsets")
-}
-canDeleteResource(rule) {
- cautils.list_contains(rule.resources, "jobs")
-}
-canDeleteResource(rule) {
- cautils.list_contains(rule.resources, "cronjobs")
-}
-canDeleteResource(rule) {
- is_api_group(rule)
- cautils.list_contains(rule.resources, "*")
-}
-
-
-is_api_group(rule) { - apiGroup := rule.apiGroups[_] - apiGroup == "" -} -is_api_group(rule) { - apiGroup := rule.apiGroups[_] - apiGroup == "*" -} -is_api_group(rule) { - apiGroup := rule.apiGroups[_] - apiGroup == "apps" -} -is_api_group(rule) { - apiGroup := rule.apiGroups[_] - apiGroup == "batch" -} - diff --git a/rules/rule-excessive-delete-rights/rule.metadata.json b/rules/rule-excessive-delete-rights/rule.metadata.json deleted file mode 100644 index 937e53927..000000000 --- a/rules/rule-excessive-delete-rights/rule.metadata.json +++ /dev/null @@ -1,30 +0,0 @@ -{ - "name": "rule-excessive-delete-rights", - "attributes": { - "m$K8sThreatMatrix": "Impact::Data Destruction", - "armoBuiltin": true, - "useUntilKubescapeVersion": "v1.0.133" - }, - "ruleLanguage": "Rego", - "match": [ - { - "apiGroups": [ - "rbac.authorization.k8s.io" - ], - "apiVersions": [ - "v1" - ], - "resources": [ - "Role", - "ClusterRole", - "ClusterRoleBinding", - "RoleBinding" - ] - } - ], - "ruleDependencies": [], - "description": "fails if user can delete important resources", - "remediation": "", - "ruleQuery": "armo_builtins", - "resourceCount": "subjects" - } \ No newline at end of file diff --git a/rules/rule-hostile-multitenant-workloads/rule.metadata.json b/rules/rule-hostile-multitenant-workloads/rule.metadata.json index ab991b994..efc913134 100644 --- a/rules/rule-hostile-multitenant-workloads/rule.metadata.json +++ b/rules/rule-hostile-multitenant-workloads/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "rule-hostile-multitenant-workloads", "attributes": { - "armoBuiltin": true, "actionRequired": "manual review" }, "ruleLanguage": "Rego", diff --git a/rules/rule-identify-blocklisted-image-registries-v1/rule.metadata.json b/rules/rule-identify-blocklisted-image-registries-v1/rule.metadata.json index cd97c0ded..5a3221ad4 100644 --- a/rules/rule-identify-blocklisted-image-registries-v1/rule.metadata.json +++ b/rules/rule-identify-blocklisted-image-registries-v1/rule.metadata.json 
@@ -2,7 +2,6 @@ "name": "rule-identify-blocklisted-image-registries-v1", "attributes": { "m$K8sThreatMatrix": "Initial Access::Compromised images in registry", - "armoBuiltin": true, "useFromKubescapeVersion": "v2.9.0" }, "ruleLanguage": "Rego", diff --git a/rules/rule-identify-blocklisted-image-registries/rule.metadata.json b/rules/rule-identify-blocklisted-image-registries/rule.metadata.json index e52b4765f..7537a8bc1 100644 --- a/rules/rule-identify-blocklisted-image-registries/rule.metadata.json +++ b/rules/rule-identify-blocklisted-image-registries/rule.metadata.json @@ -2,7 +2,6 @@ "name": "rule-identify-blocklisted-image-registries", "attributes": { "m$K8sThreatMatrix": "Initial Access::Compromised images in registry", - "armoBuiltin": true, "useUntilKubescapeVersion": "v2.3.8" }, "ruleLanguage": "Rego", diff --git a/rules/rule-identify-blocklisted-image-registries/test/cronjob/expected.json b/rules/rule-identify-blocklisted-image-registries/test/cronjob/expected.json index cb77438f2..d8b342287 100644 --- a/rules/rule-identify-blocklisted-image-registries/test/cronjob/expected.json +++ b/rules/rule-identify-blocklisted-image-registries/test/cronjob/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "image 'quay.io/hi:latest' in container 'hello' comes from untrusted registry", + "reviewPaths": [ + "spec.jobTemplate.spec.template.spec.containers[0].image" + ], "failedPaths": [ "spec.jobTemplate.spec.template.spec.containers[0].image" ], diff --git a/rules/rule-identify-blocklisted-image-registries/test/workloads/expected.json b/rules/rule-identify-blocklisted-image-registries/test/workloads/expected.json index 716d82434..9e2873142 100644 --- a/rules/rule-identify-blocklisted-image-registries/test/workloads/expected.json +++ b/rules/rule-identify-blocklisted-image-registries/test/workloads/expected.json 
@@ -1,6 +1,9 @@ [ { "alertMessage": "image 'registry.hub.docker.com/php:7.0-apache' in container 'php' comes from untrusted registry", + "reviewPaths": [ + "spec.template.spec.containers[1].image" + ], "failedPaths": [ "spec.template.spec.containers[1].image" ], diff --git a/rules/rule-identify-old-k8s-registry/rule.metadata.json b/rules/rule-identify-old-k8s-registry/rule.metadata.json index 985f67387..a2b096893 100644 --- a/rules/rule-identify-old-k8s-registry/rule.metadata.json +++ b/rules/rule-identify-old-k8s-registry/rule.metadata.json @@ -1,8 +1,7 @@ { "name": "rule-identify-old-k8s-registry", "attributes": { - "m$K8sThreatMatrix": "Initial Access::Compromised images in registry", - "armoBuiltin": true + "m$K8sThreatMatrix": "Initial Access::Compromised images in registry" }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/rule-identify-old-k8s-registry/test/workloads/expected.json b/rules/rule-identify-old-k8s-registry/test/workloads/expected.json index bbe7fa4c3..af3e66e72 100644 --- a/rules/rule-identify-old-k8s-registry/test/workloads/expected.json +++ b/rules/rule-identify-old-k8s-registry/test/workloads/expected.json 
@@ -1 +1,26 @@ -[{"alertMessage":"image 'k8s.gcr.io/php:7.0-apache' in container 'php' comes from the deprecated k8s.gcr.io","failedPaths":["spec.template.spec.containers[0].image"],"fixPaths":[],"ruleStatus":"","packagename":"armo_builtins","alertScore":2,"alertObject":{"k8sApiObjects":[{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"my-deployment"}}]}}] \ No newline at end of file +[ + { + "alertMessage": "image 'k8s.gcr.io/php:7.0-apache' in container 'php' comes from the deprecated k8s.gcr.io", + "reviewPaths": [ + "spec.template.spec.containers[0].image" + ], + "failedPaths": [ + "spec.template.spec.containers[0].image" + ], + "fixPaths": [], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 2, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "name": "my-deployment" + } + } + ] + } + } +] \ No newline at end of file diff --git a/rules/rule-list-all-cluster-admins-v1/rule.metadata.json b/rules/rule-list-all-cluster-admins-v1/rule.metadata.json index 1bd7d2fb7..7b325dc97 100644 --- a/rules/rule-list-all-cluster-admins-v1/rule.metadata.json +++ b/rules/rule-list-all-cluster-admins-v1/rule.metadata.json @@ -2,7 +2,6 @@ "name": "rule-list-all-cluster-admins-v1", "attributes": { "m$K8sThreatMatrix": "Privilege Escalation::Cluster-admin binding", - "armoBuiltin": true, "resourcesAggregator": "subject-role-rolebinding", "useFromKubescapeVersion": "v1.0.133" }, diff --git a/rules/rule-list-all-cluster-admins-v1/test/clusterrole-clusterrolebinding/expected.json b/rules/rule-list-all-cluster-admins-v1/test/clusterrole-clusterrolebinding/expected.json index 3ccc73bf7..079efef94 100644 --- a/rules/rule-list-all-cluster-admins-v1/test/clusterrole-clusterrolebinding/expected.json +++ b/rules/rule-list-all-cluster-admins-v1/test/clusterrole-clusterrolebinding/expected.json 
@@ -1,6 +1,13 @@ [ { "alertMessage": "Subject: Group-dev have high privileges, such as cluster-admin", + "reviewPaths": [ + "relatedObjects[1].rules[0].resources[0]", + "relatedObjects[1].rules[0].verbs[1]", + "relatedObjects[1].rules[0].apiGroups[0]", + "relatedObjects[0].subjects[1]", + "relatedObjects[0].roleRef.name" + ], "failedPaths": [ "relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].verbs[1]", @@ -71,6 +78,13 @@ }, { "alertMessage": "Subject: Group-manager have high privileges, such as cluster-admin", + "reviewPaths": [ + "relatedObjects[1].rules[0].resources[0]", + "relatedObjects[1].rules[0].verbs[1]", + "relatedObjects[1].rules[0].apiGroups[0]", + "relatedObjects[0].subjects[0]", + "relatedObjects[0].roleRef.name" + ], "failedPaths": [ "relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].verbs[1]", diff --git a/rules/rule-list-all-cluster-admins-v1/test/clusterrole-rolebinding/expected.json b/rules/rule-list-all-cluster-admins-v1/test/clusterrole-rolebinding/expected.json index 954f4664b..9eb2e6024 100644 --- a/rules/rule-list-all-cluster-admins-v1/test/clusterrole-rolebinding/expected.json +++ b/rules/rule-list-all-cluster-admins-v1/test/clusterrole-rolebinding/expected.json @@ -1,5 +1,6 @@ [{ "alertMessage": "Subject: User-jane have high privileges, such as cluster-admin", + "reviewPaths": ["relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].verbs[0]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "failedPaths": ["relatedObjects[1].rules[0].resources[0]", "relatedObjects[1].rules[0].verbs[0]", "relatedObjects[1].rules[0].apiGroups[0]", "relatedObjects[0].subjects[0]", "relatedObjects[0].roleRef.name"], "fixPaths": [], "ruleStatus": "", diff --git a/rules/rule-list-all-cluster-admins-v1/test/role-rolebinding/expected.json b/rules/rule-list-all-cluster-admins-v1/test/role-rolebinding/expected.json index 562493564..374300721 100644 
--- a/rules/rule-list-all-cluster-admins-v1/test/role-rolebinding/expected.json +++ b/rules/rule-list-all-cluster-admins-v1/test/role-rolebinding/expected.json @@ -2,6 +2,14 @@ { "alertMessage": "Subject: User-jane have high privileges, such as cluster-admin", "fixPaths": [], + "reviewPaths": [ + "relatedObjects[1].rules[0].resources[2]", + "relatedObjects[1].rules[0].resources[4]", + "relatedObjects[1].rules[0].verbs[0]", + "relatedObjects[1].rules[0].apiGroups[0]", + "relatedObjects[0].subjects[0]", + "relatedObjects[0].roleRef.name" + ], "failedPaths": [ "relatedObjects[1].rules[0].resources[2]", "relatedObjects[1].rules[0].resources[4]", diff --git a/rules/rule-list-all-cluster-admins/raw.rego b/rules/rule-list-all-cluster-admins/raw.rego deleted file mode 100644 index fffa8bfa8..000000000 --- a/rules/rule-list-all-cluster-admins/raw.rego +++ /dev/null 
@@ -1,132 +0,0 @@
-package armo_builtins
-
-import data.cautils
-
-# input: roles
-# apiversion: v1
-# does: returns roles+ related subjects in rolebinding
-
-deny[msga] {
- roles := [role | role= input[_]; role.kind == "Role"]
- rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"]
- role:= roles[_]
- rolebinding := rolebindings[_]
-
- rule:= role.rules[i]
- canCreate(rule, i)
- canCreateResources(rule, i)
-
- rolebinding.roleRef.kind == "Role"
- rolebinding.roleRef.name == role.metadata.name
- subject := rolebinding.subjects[i]
- path := sprintf("subjects[%v]", [format_int(i, 10)])
-
- msga := {
- "alertMessage": sprintf("The following %v: %v have high privileges, such as cluster-admin", [subject.kind, subject.name]),
- "alertScore": 9,
- "fixPaths": [],
- "deletePaths": [path],
- "failedPaths": [path],
- "packagename": "armo_builtins",
- "alertObject": {
- "k8sApiObjects": [role,rolebinding],
- "externalObjects": {
- "subject" : [subject]
- }
- }
- }
-}
-
-# input: ClusterRole
-# apiversion: v1
-# does: returns clusterroles+ related subjects in rolebinding
-
-deny[msga] {
- roles := [role | role= input[_]; role.kind == "ClusterRole"]
- rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "RoleBinding"]
- role:= roles[_]
- rolebinding := rolebindings[_]
-
- rule:= role.rules[i]
- canCreate(rule, i)
- canCreateResources(rule, i)
-
- rolebinding.roleRef.kind == "ClusterRole"
- rolebinding.roleRef.name == role.metadata.name
-
- subject := rolebinding.subjects[i]
- path := sprintf("subjects[%v]", [format_int(i, 10)])
-
- msga := {
- "alertMessage": sprintf("The following %v: %v have high privileges, such as cluster-admin", [subject.kind, subject.name]),
- "alertScore": 9,
- "fixPaths": [],
- "deletePaths": [path],
- "failedPaths": [path],
- "packagename": "armo_builtins",
- "alertObject": {
- "k8sApiObjects": [role,rolebinding],
- "externalObjects": {
- "subject" : [subject]
- }
- }
- }
-}
-
-# input: ClusterRole
-# apiversion: v1
-# does: returns clusterroles+ related subjects in clusterrolebinding
-
-deny[msga] {
- roles := [role | role= input[_]; role.kind == "ClusterRole"]
- rolebindings := [rolebinding | rolebinding = input[_]; rolebinding.kind == "ClusterRoleBinding"]
- role:= roles[_]
- rolebinding := rolebindings[_]
-
- rule:= role.rules[i]
- canCreate(rule, i)
- canCreateResources(rule, i)
-
- rolebinding.roleRef.kind == "ClusterRole"
- rolebinding.roleRef.name == role.metadata.name
-
- subject := rolebinding.subjects[i]
- path := sprintf("subjects[%v]", [format_int(i, 10)])
-
- msga := {
- "alertMessage": sprintf("The following %v: %v have high privileges, such as cluster-admin", [subject.kind, subject.name]),
- "alertScore": 9,
- "fixPaths": [],
- "deletePaths": [path],
- "failedPaths": [path],
- "packagename": "armo_builtins",
- "alertObject": {
- "k8sApiObjects": [role,rolebinding],
- "externalObjects": {
- "subject" : [subject]
- }
- }
- }
-}
-
-
-canCreate(rule, i) {
- verb := rule.verbs[j]
- verb == "*"
-}
-
-canCreateResources(rule, i){
- is_api_group(rule)
- resource := rule.resources[j]
- resource == "*"
-}
-
-is_api_group(rule) {
- apiGroup := rule.apiGroups[_]
- apiGroup == ""
-}
-
-is_api_group(rule) {
- apiGroup := rule.apiGroups[_]
- apiGroup == "*"
-}
diff --git a/rules/rule-list-all-cluster-admins/rule.metadata.json b/rules/rule-list-all-cluster-admins/rule.metadata.json
deleted file mode 100644
index 54777a54f..000000000
--- a/rules/rule-list-all-cluster-admins/rule.metadata.json
+++ /dev/null
@@ -1,34 +0,0 @@ -{ - "name": "rule-list-all-cluster-admins", - "attributes": { - "m$K8sThreatMatrix": "Privilege Escalation::Cluster-admin binding", - "armoBuiltin": true, - "useUntilKubescapeVersion": "v1.0.133" - }, - "ruleLanguage": "Rego", - "match": [ - { - "apiGroups": [ - "rbac.authorization.k8s.io" - ], - "apiVersions": [ - "v1" - ], - "resources": [ - "Role", - "ClusterRole", - "ClusterRoleBinding", - "RoleBinding" - ] - } - ], - "ruleDependencies": [ - { - "packageName": "cautils" - } - ], - "description": "determines which users have cluster admin permissions", - "remediation": "", - "ruleQuery": "armo_builtins", - "resourceCount": "subjects" -} \ No newline at end of file diff --git a/rules/rule-manual/rule.metadata.json b/rules/rule-manual/rule.metadata.json index fa9f407a5..8dd9fecb5 100644 --- a/rules/rule-manual/rule.metadata.json +++ b/rules/rule-manual/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "rule-manual", "attributes": { - "armoBuiltin": true, "actionRequired": "manual review", "hostSensorRule": false, "imageScanRelated": false diff --git a/rules/rule-privileged-container/rule.metadata.json b/rules/rule-privileged-container/rule.metadata.json index 1cca4e5b6..2de543739 100644 --- a/rules/rule-privileged-container/rule.metadata.json +++ b/rules/rule-privileged-container/rule.metadata.json @@ -3,8 +3,7 @@ "attributes": { "m$K8sThreatMatrix": "Privilege Escalation::privileged container", "mitre": "Privilege Escalation", - "mitreCode": "TA0004", - "armoBuiltin": true + "mitreCode": "TA0004" }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/rule-privileged-container/test/cronjob/expected.json b/rules/rule-privileged-container/test/cronjob/expected.json index 5d0c60296..a34a03537 100644 --- a/rules/rule-privileged-container/test/cronjob/expected.json +++ b/rules/rule-privileged-container/test/cronjob/expected.json 
@@ -2,6 +2,9 @@ { "alertMessage": "the following cronjobs are defined as privileged: hello", "fixPaths": [], + "deletePaths": [ + "spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities.add[2]" + ], "failedPaths": [ "spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities.add[2]" ], diff --git a/rules/rule-privileged-container/test/pod/expected.json b/rules/rule-privileged-container/test/pod/expected.json index 9228c3e9b..4406bd4ab 100644 --- a/rules/rule-privileged-container/test/pod/expected.json +++ b/rules/rule-privileged-container/test/pod/expected.json @@ -2,6 +2,9 @@ { "alertMessage": "the following pods are defined as privileged: audit-pod", "fixPaths": [], + "deletePaths": [ + "spec.containers[0].securityContext.capabilities.add[1]" + ], "failedPaths": [ "spec.containers[0].securityContext.capabilities.add[1]" ], diff --git a/rules/rule-privileged-container/test/workloads/expected.json b/rules/rule-privileged-container/test/workloads/expected.json index 13c4b9ff2..b320a882d 100644 --- a/rules/rule-privileged-container/test/workloads/expected.json +++ b/rules/rule-privileged-container/test/workloads/expected.json @@ -2,6 +2,9 @@ { "alertMessage": "Deployment: test2 is defined as privileged:", "fixPaths": [], + "deletePaths": [ + "spec.template.spec.containers[0].securityContext.privileged" + ], "failedPaths": [ "spec.template.spec.containers[0].securityContext.privileged" ], diff --git a/rules/rule-secrets-in-env-var/rule.metadata.json b/rules/rule-secrets-in-env-var/rule.metadata.json index 13dd42259..4d0f371f4 100644 --- a/rules/rule-secrets-in-env-var/rule.metadata.json +++ b/rules/rule-secrets-in-env-var/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "rule-secrets-in-env-var", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ 
diff --git a/rules/rule-secrets-in-env-var/test/cronjob/expected.json b/rules/rule-secrets-in-env-var/test/cronjob/expected.json index 11314a433..da55814e8 100644 --- a/rules/rule-secrets-in-env-var/test/cronjob/expected.json +++ b/rules/rule-secrets-in-env-var/test/cronjob/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "Cronjob: hello has secrets in environment variables", + "deletePaths": [ + "spec.jobTemplate.spec.template.spec.containers[0].env[0].name" + ], "failedPaths": [ "spec.jobTemplate.spec.template.spec.containers[0].env[0].name" ], diff --git a/rules/rule-secrets-in-env-var/test/pod/expected.json b/rules/rule-secrets-in-env-var/test/pod/expected.json index f489bf575..2c22ead07 100644 --- a/rules/rule-secrets-in-env-var/test/pod/expected.json +++ b/rules/rule-secrets-in-env-var/test/pod/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "Pod: audit-pod has secrets in environment variables", + "deletePaths": [ + "spec.containers[1].env[0].name" + ], "failedPaths": [ "spec.containers[1].env[0].name" ], diff --git a/rules/rule-secrets-in-env-var/test/workloads/expected.json b/rules/rule-secrets-in-env-var/test/workloads/expected.json index c430dc185..e1a71fa6f 100644 --- a/rules/rule-secrets-in-env-var/test/workloads/expected.json +++ b/rules/rule-secrets-in-env-var/test/workloads/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "Deployment: test2 has secrets in environment variables", + "deletePaths": [ + "spec.template.spec.containers[1].env[1].name" + ], "failedPaths": [ "spec.template.spec.containers[1].env[1].name" ], diff --git a/rules/secret-etcd-encryption-cloud/rule.metadata.json b/rules/secret-etcd-encryption-cloud/rule.metadata.json index 3284d55bb..62c09f478 100644 --- a/rules/secret-etcd-encryption-cloud/rule.metadata.json +++ b/rules/secret-etcd-encryption-cloud/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "secret-etcd-encryption-cloud", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ 
diff --git a/rules/secret-etcd-encryption-cloud/test/gke/expected.json b/rules/secret-etcd-encryption-cloud/test/gke/expected.json index 5fa3ec1a8..c58eca499 100644 --- a/rules/secret-etcd-encryption-cloud/test/gke/expected.json +++ b/rules/secret-etcd-encryption-cloud/test/gke/expected.json @@ -3,6 +3,7 @@ "fixCommand": "gcloud container clusters update \u003ccluster_name\u003e --region=\u003ccompute_region\u003e --database-encryption-key=\u003ckey_project_id\u003e/locations/\u003clocation\u003e/keyRings/\u003cring_name\u003e/cryptoKeys/\u003ckey_name\u003e --project=\u003ccluster_project_id\u003e", "alertMessage": "etcd/secret encryption is not enabled", "fixPaths": [], + "reviewPaths": ["data.database_encryption.state"], "failedPaths": ["data.database_encryption.state"], "ruleStatus": "", "packagename": "armo_builtins", diff --git a/rules/service-in-default-namespace/rule.metadata.json b/rules/service-in-default-namespace/rule.metadata.json index a7704d894..35b0db8b6 100644 --- a/rules/service-in-default-namespace/rule.metadata.json +++ b/rules/service-in-default-namespace/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "service-in-default-namespace", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/service-in-default-namespace/test/service/expected.json b/rules/service-in-default-namespace/test/service/expected.json index 32879c5d2..3b631335a 100644 --- a/rules/service-in-default-namespace/test/service/expected.json +++ b/rules/service-in-default-namespace/test/service/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "Service: kubescape is in the 'default' namespace", + "reviewPaths": [ + "metadata.namespace" + ], "failedPaths": [ "metadata.namespace" ], diff --git a/rules/serviceaccount-in-default-namespace/rule.metadata.json b/rules/serviceaccount-in-default-namespace/rule.metadata.json index 1bb661408..b9aeeca92 100644 --- a/rules/serviceaccount-in-default-namespace/rule.metadata.json 
+++ b/rules/serviceaccount-in-default-namespace/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "serviceaccount-in-default-namespace", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/serviceaccount-in-default-namespace/test/serviceaccount/expected.json b/rules/serviceaccount-in-default-namespace/test/serviceaccount/expected.json index 72f5bcaad..37a2ebe9a 100644 --- a/rules/serviceaccount-in-default-namespace/test/serviceaccount/expected.json +++ b/rules/serviceaccount-in-default-namespace/test/serviceaccount/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "ServiceAccount: kubescape is in the 'default' namespace", + "reviewPaths": [ + "metadata.namespace" + ], "failedPaths": [ "metadata.namespace" ], diff --git a/rules/serviceaccount-token-mount/rule.metadata.json b/rules/serviceaccount-token-mount/rule.metadata.json index c10e5c9f2..ccd71ddb5 100644 --- a/rules/serviceaccount-token-mount/rule.metadata.json +++ b/rules/serviceaccount-token-mount/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "serviceaccount-token-mount", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/serviceaccount-token-mount/test/pod-mount-and-rb-bind/expected.json b/rules/serviceaccount-token-mount/test/pod-mount-and-rb-bind/expected.json index 92a609206..5a67098c1 100644 --- a/rules/serviceaccount-token-mount/test/pod-mount-and-rb-bind/expected.json +++ b/rules/serviceaccount-token-mount/test/pod-mount-and-rb-bind/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "Pod: test-pd in the following namespace: default mounts service account tokens by default", + "reviewPaths": [ + "spec.automountServiceAccountToken" + ], "failedPaths": [ "spec.automountServiceAccountToken" ], diff --git a/rules/set-fsgroup-value/raw.rego b/rules/set-fsgroup-value/raw.rego index 9d81b6076..ec90d5f3d 100644 --- a/rules/set-fsgroup-value/raw.rego +++ b/rules/set-fsgroup-value/raw.rego 
@@ -6,102 +6,75 @@ import future.keywords.if # Fails if securityContext.fsGroup does not have a values >= 0 deny[msga] { - # verify the object kind - pod := input[_] - pod.kind = "Pod" + # verify the object kind + pod := input[_] + pod.kind = "Pod" - # check securityContext has fsGroup set properly - not fsGroupSetProperly(pod.spec.securityContext) + # check securityContext has fsGroup set properly + not fsGroupSetProperly(pod.spec.securityContext) + securityContextPath := "spec.securityContext" - securityContextPath := "spec.securityContext" + fixPaths = [{"path": sprintf("%v.fsGroup", [securityContextPath]), "value": "YOUR_VALUE"}] - paths := get_paths(pod, securityContextPath) - - - msga := { + msga := { "alertMessage": sprintf("Pod: %v does not set 'securityContext.fsGroup' with allowed value", [pod.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, - "reviewPaths": paths["failedPaths"], - "failedPaths": paths["failedPaths"], - "fixPaths": paths["fixPaths"], - "alertObject": { - "k8sApiObjects": [pod] - } - } + "fixPaths": fixPaths, + "alertObject": {"k8sApiObjects": [pod]}, + } } - ### CRONJOB ### # Fails if securityContext.fsGroup does not have a values >= 0 deny[msga] { - # verify the object kind - cj := input[_] - cj.kind == "CronJob" + # verify the object kind + cj := input[_] + cj.kind == "CronJob" + + # check securityContext has fsGroup set properly + not fsGroupSetProperly(cj.spec.jobTemplate.spec.template.spec.securityContext) - # check securityContext has fsGroup set properly - not fsGroupSetProperly(cj.spec.jobTemplate.spec.template.spec.securityContext) + securityContextPath := "spec.jobTemplate.spec.template.spec.securityContext" - securityContextPath := "spec.jobTemplate.spec.template.spec.securityContext" + fixPaths = [{"path": sprintf("%v.fsGroup", [securityContextPath]), "value": "YOUR_VALUE"}] - paths := get_paths(cj, securityContextPath) - - msga := { + msga := { "alertMessage": sprintf("CronJob: %v does not set 
'securityContext.fsGroup' with allowed value", [cj.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, - "reviewPaths": paths["failedPaths"], - "failedPaths": paths["failedPaths"], - "fixPaths": paths["fixPaths"], - "alertObject": { - "k8sApiObjects": [cj] - } - } + "fixPaths": fixPaths, + "alertObject": {"k8sApiObjects": [cj]}, + } } - ### WORKLOAD ### # Fails if securityContext.fsGroup does not have a values >= 0 deny[msga] { - # verify the object kind - wl := input[_] - manifest_kind := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} - manifest_kind[wl.kind] + # verify the object kind + wl := input[_] + manifest_kind := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Job"} + manifest_kind[wl.kind] - # check securityContext has fsGroup set properly - not fsGroupSetProperly(wl.spec.template.spec.securityContext) + # check securityContext has fsGroup set properly + not fsGroupSetProperly(wl.spec.template.spec.securityContext) - path := "spec.template.spec.securityContext" - paths := get_paths(wl, path) + securityContextPath := "spec.template.spec.securityContext" + fixPaths = [{"path": sprintf("%v.fsGroup", [securityContextPath]), "value": "YOUR_VALUE"}] - msga := { + msga := { "alertMessage": sprintf("Workload: %v does not set 'securityContext.fsGroup' with allowed value", [wl.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, - "reviewPaths": paths["failedPaths"], - "failedPaths": paths["failedPaths"], - "fixPaths": paths["fixPaths"], - "alertObject": { - "k8sApiObjects": [wl] - } - } + "fixPaths": fixPaths, + "alertObject": {"k8sApiObjects": [wl]}, + } } # fsGroupSetProperly checks if fsGroup has a value >= 0. 
-fsGroupSetProperly(securityContext) := true if { - securityContext.fsGroup >= 0 +fsGroupSetProperly(securityContext) if { + securityContext.fsGroup >= 0 } else := false - - -get_paths(resources, securityContextPath) := result { - - objectPath := array.concat(split(securityContextPath, "."), ["fsGroup"]) - object.get(resources, objectPath, false) - - result = {"failedPaths": [], "fixPaths": [{"path":sprintf("%v.fsGroup", [securityContextPath]), "value": "YOUR_VALUE"}]} -} else = result { - result = {"failedPaths": [securityContextPath], "fixPaths": []} -} diff --git a/rules/set-fsgroup-value/rule.metadata.json b/rules/set-fsgroup-value/rule.metadata.json index 7d87dabe6..9273da89b 100644 --- a/rules/set-fsgroup-value/rule.metadata.json +++ b/rules/set-fsgroup-value/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "set-fsgroup-value", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/set-fsgroup-value/test/cronjob/expected.json b/rules/set-fsgroup-value/test/cronjob/expected.json index 796182aae..f46d0c7af 100644 --- a/rules/set-fsgroup-value/test/cronjob/expected.json +++ b/rules/set-fsgroup-value/test/cronjob/expected.json @@ -3,8 +3,7 @@ "alertMessage": "CronJob: hello1 does not set 'securityContext.fsGroup' with allowed value", "packagename": "armo_builtins", "alertScore": 7, - "failedPaths": ["spec.jobTemplate.spec.template.spec.securityContext"], - "fixPaths": [], + "fixPaths": [{"path":"spec.jobTemplate.spec.template.spec.securityContext.fsGroup", "value": "YOUR_VALUE"}], "ruleStatus": "", "alertObject": { "k8sApiObjects": [ @@ -22,7 +21,6 @@ "alertMessage": "CronJob: hello2 does not set 'securityContext.fsGroup' with allowed value", "packagename": "armo_builtins", "alertScore": 7, - "failedPaths": [], "fixPaths": [{"path":"spec.jobTemplate.spec.template.spec.securityContext.fsGroup", "value": "YOUR_VALUE"}], "ruleStatus": "", "alertObject": { 
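Review bot: The three rewritten deny rules emit `fixPaths` only and drop both `failedPaths` and `reviewPaths`, so a Pod, CronJob or workload whose `fsGroup` is present but negative now produces a finding that names no offending path, while the other rules touched in this commit (seccomp, default-namespace) add `reviewPaths` next to `failedPaths`. The removed `get_paths` helper did distinguish the set-from-unset case; a small helper returning `[sprintf("%v.fsGroup", [securityContextPath])]` when the field exists and `[]` otherwise, assigned to `"reviewPaths"` in each `msga`, would keep that pointer without reintroducing the old branching. The new `fixPaths = [...]` lines use unification `=` where the surrounding code and this commit's sysctls rule use `:=`; `fixPaths := [...]` is the consistent form.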
diff --git a/rules/set-fsgroup-value/test/pod/expected.json b/rules/set-fsgroup-value/test/pod/expected.json index b3efe8863..853e1d5fd 100644 --- a/rules/set-fsgroup-value/test/pod/expected.json +++ b/rules/set-fsgroup-value/test/pod/expected.json @@ -3,8 +3,7 @@ "alertMessage": "Pod: nginx1 does not set 'securityContext.fsGroup' with allowed value", "packagename": "armo_builtins", "alertScore": 7, - "failedPaths": ["spec.securityContext"], - "fixPaths": [], + "fixPaths": [{"path":"spec.securityContext.fsGroup", "value": "YOUR_VALUE"}], "ruleStatus": "", "alertObject": { "k8sApiObjects": [ @@ -22,7 +21,6 @@ "alertMessage": "Pod: nginx2 does not set 'securityContext.fsGroup' with allowed value", "packagename": "armo_builtins", "alertScore": 7, - "failedPaths": [], "fixPaths": [{"path":"spec.securityContext.fsGroup", "value": "YOUR_VALUE"}], "ruleStatus": "", "alertObject": { diff --git a/rules/set-fsgroup-value/test/workload/expected.json b/rules/set-fsgroup-value/test/workload/expected.json index e9010839f..45c1fda6f 100644 --- a/rules/set-fsgroup-value/test/workload/expected.json +++ b/rules/set-fsgroup-value/test/workload/expected.json @@ -3,8 +3,7 @@ "alertMessage": "Workload: my-deployment1 does not set 'securityContext.fsGroup' with allowed value", "packagename": "armo_builtins", "alertScore": 7, - "failedPaths": ["spec.template.spec.securityContext"], - "fixPaths": [], + "fixPaths": [{"path":"spec.template.spec.securityContext.fsGroup", "value": "YOUR_VALUE"}], "ruleStatus": "", "alertObject": { "k8sApiObjects": [ @@ -25,7 +24,6 @@ "alertMessage": "Workload: my-deployment2 does not set 'securityContext.fsGroup' with allowed value", "packagename": "armo_builtins", "alertScore": 7, - "failedPaths": [], "fixPaths": [{"path":"spec.template.spec.securityContext.fsGroup", "value": "YOUR_VALUE"}], "ruleStatus": "", "alertObject": { 
diff --git a/rules/set-fsgroupchangepolicy-value/rule.metadata.json b/rules/set-fsgroupchangepolicy-value/rule.metadata.json index 1ccae4723..6838ceb4a 100644 --- a/rules/set-fsgroupchangepolicy-value/rule.metadata.json +++ b/rules/set-fsgroupchangepolicy-value/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "set-fsgroupchangepolicy-value", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/set-procmount-default/raw.rego b/rules/set-procmount-default/raw.rego index 71b43255e..d605ae745 100644 --- a/rules/set-procmount-default/raw.rego +++ b/rules/set-procmount-default/raw.rego 
@@ -1,102 +1,96 @@ package armo_builtins +import future.keywords.if + # Fails if container does not define the "procMount" parameter as "Default" deny[msga] { - # checks at first if we the procMountType feature gate is enabled on the api-server - obj := input[_] - is_control_plane_info(obj) - is_proc_mount_type_enabled(obj.data.APIServerInfo.cmdLine) + # checks at first if we the procMountType feature gate is enabled on the api-server + obj := input[_] + is_control_plane_info(obj) + is_proc_mount_type_enabled(obj.data.APIServerInfo.cmdLine) - # checks if procMount paramenter has the right value in containers - pod := input[_] - pod.kind = "Pod" + # checks if procMount paramenter has the right value in containers + pod := input[_] + pod.kind = "Pod" # retrieve container list - container := pod.spec.containers[i] - container.securityContext.procMount != "Default" + container := pod.spec.containers[i] + not procMountSetProperly(container.securityContext) - path := sprintf("containers[%d].securityContext.procMount", [i]) - msga := { + fixPaths = [{"path": sprintf("spec.containers[%d].securityContext.procMount", [i]), "value": "Default"}] + msga := { "alertMessage": sprintf("Pod: %v has containers that do not set 'securityContext.procMount' to 'Default'", [pod.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, - "reviewPaths": [path], - "failedPaths": [path], - "fixPaths": [], - "alertObject": { - "k8sApiObjects": [pod] - } - } + "fixPaths": fixPaths, + "alertObject": {"k8sApiObjects": [pod]}, + } } deny[msga] { - # checks at first if we the procMountType feature gate is enabled on the api-server - obj := input[_] - is_control_plane_info(obj) - is_proc_mount_type_enabled(obj.data.APIServerInfo.cmdLine) - - # checks if we are managing the right workload kind - wl := input[_] - manifest_kind := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} - manifest_kind[wl.kind] - - # retrieve container list - container := wl.spec.template.spec.containers[i] 
- container.securityContext.procMount != "Default" - - path := sprintf("containers[%d].securityContext.procMount", [i]) - msga := { + # checks at first if we the procMountType feature gate is enabled on the api-server + obj := input[_] + is_control_plane_info(obj) + is_proc_mount_type_enabled(obj.data.APIServerInfo.cmdLine) + + # checks if we are managing the right workload kind + wl := input[_] + manifest_kind := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Job"} + manifest_kind[wl.kind] + + # retrieve container list + container := wl.spec.template.spec.containers[i] + not procMountSetProperly(container.securityContext) + + fixPaths = [{"path": sprintf("spec.template.spec.containers[%d].securityContext.procMount", [i]), "value": "Default"}] + msga := { "alertMessage": sprintf("Workload: %v has containers that do not set 'securityContext.procMount' to 'Default'", [wl.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, - "reviewPaths": [path], - "failedPaths": [path], - "fixPaths": [], - "alertObject": { - "k8sApiObjects": [wl] - } - } + "fixPaths": fixPaths, + "alertObject": {"k8sApiObjects": [wl]}, + } } deny[msga] { - # checks at first if we the procMountType feature gate is enabled on the api-server - obj := input[_] - is_control_plane_info(obj) - is_proc_mount_type_enabled(obj.data.APIServerInfo.cmdLine) + # checks at first if we the procMountType feature gate is enabled on the api-server + obj := input[_] + is_control_plane_info(obj) + is_proc_mount_type_enabled(obj.data.APIServerInfo.cmdLine) - # checks if we are managing the right workload kind - cj := input[_] - cj.kind = "CronJob" + # checks if we are managing the right workload kind + cj := input[_] + cj.kind = "CronJob" - # retrieve container list - container := cj.spec.jobTemplate.spec.template.spec.containers[i] - container.securityContext.procMount != "Default" + # retrieve container list + container := cj.spec.jobTemplate.spec.template.spec.containers[i] + not 
procMountSetProperly(container.securityContext) - path := sprintf("containers[%d].securityContext.procMount", [i]) - msga := { + fixPaths = [{"path": sprintf("spec.jobTemplate.spec.template.spec.containers[%d].securityContext.procMount", [i]), "value": "Default"}] + msga := { "alertMessage": sprintf("CronJob: %v has containers that do not set 'securityContext.procMount' to 'Default'", [cj.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, - "reviewPaths": [path], - "failedPaths": [path], - "fixPaths": [], - "alertObject": { - "k8sApiObjects": [cj] - } - } + "fixPaths": fixPaths, + "alertObject": {"k8sApiObjects": [cj]}, + } } - # check if we are managing ControlPlaneInfo -is_control_plane_info(obj) { +is_control_plane_info(obj) if { obj.apiVersion == "hostdata.kubescape.cloud/v1beta0" obj.kind == "ControlPlaneInfo" } # check if ProcMountType feature-gate is enabled -is_proc_mount_type_enabled(command) { +is_proc_mount_type_enabled(command) if { contains(command, "--feature-gates=") args := regex.split(` +`, command) some i regex.match(`ProcMountType=true`, args[i]) } + +# procMountSetProperly checks if procMount has value of "Default". +procMountSetProperly(securityContext) if { + securityContext.procMount == "Default" +} else := false diff --git a/rules/set-procmount-default/rule.metadata.json b/rules/set-procmount-default/rule.metadata.json index 33aa94924..7131eaf96 100644 --- a/rules/set-procmount-default/rule.metadata.json +++ b/rules/set-procmount-default/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "set-procmount-default", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/set-procmount-default/test/cronjob/expected.json b/rules/set-procmount-default/test/cronjob/expected.json index bb6addfc4..130dead1f 100644 --- a/rules/set-procmount-default/test/cronjob/expected.json +++ b/rules/set-procmount-default/test/cronjob/expected.json 
@@ -1,21 +1,25 @@ [ - { - "alertMessage": "CronJob: hello has containers that do not set 'securityContext.procMount' to 'Default'", - "packagename": "armo_builtins", - "alertScore": 7, - "failedPaths": ["containers[0].securityContext.procMount"], - "fixPaths": [], - "ruleStatus": "", - "alertObject": { - "k8sApiObjects": [ - { - "apiVersion": "batch/v1beta1", - "kind": "CronJob", - "metadata": { - "name": "hello" - } - } - ] + { + "alertMessage": "CronJob: hello has containers that do not set 'securityContext.procMount' to 'Default'", + "packagename": "armo_builtins", + "alertScore": 7, + "fixPaths": [ + { + "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.procMount", + "value": "Default" + } + ], + "ruleStatus": "", + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "batch/v1beta1", + "kind": "CronJob", + "metadata": { + "name": "hello" + } } + ] } + } ] \ No newline at end of file diff --git a/rules/set-procmount-default/test/pod/expected.json b/rules/set-procmount-default/test/pod/expected.json index 2c8aeaf11..bd4f615e5 100644 --- a/rules/set-procmount-default/test/pod/expected.json +++ b/rules/set-procmount-default/test/pod/expected.json 
@@ -1,21 +1,25 @@ [ - { - "alertMessage": "Pod: nginx has containers that do not set 'securityContext.procMount' to 'Default'", - "packagename": "armo_builtins", - "alertScore": 7, - "failedPaths": ["containers[1].securityContext.procMount"], - "fixPaths": [], - "ruleStatus": "", - "alertObject": { - "k8sApiObjects": [ - { - "apiVersion": "v1", - "kind": "Pod", - "metadata": { - "name": "nginx" - } - } - ] + { + "alertMessage": "Pod: nginx has containers that do not set 'securityContext.procMount' to 'Default'", + "packagename": "armo_builtins", + "alertScore": 7, + "fixPaths": [ + { + "path": "spec.containers[1].securityContext.procMount", + "value": "Default" + } + ], + "ruleStatus": "", + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "nginx" + } } + ] } + } ] \ No newline at end of file diff --git a/rules/set-procmount-default/test/workload/expected.json b/rules/set-procmount-default/test/workload/expected.json index 16ab5f6a3..1a27b5233 100644 --- a/rules/set-procmount-default/test/workload/expected.json +++ b/rules/set-procmount-default/test/workload/expected.json 
@@ -1,24 +1,28 @@ [ - { - "alertMessage": "Workload: my-deployment has containers that do not set 'securityContext.procMount' to 'Default'", - "packagename": "armo_builtins", - "alertScore": 7, - "failedPaths": ["containers[1].securityContext.procMount"], - "fixPaths": [], - "ruleStatus": "", - "alertObject": { - "k8sApiObjects": [ - { - "apiVersion": "apps/v1", - "kind": "Deployment", - "metadata": { - "name": "my-deployment", - "labels": { - "app": "goproxy" - } - } - } - ] + { + "alertMessage": "Workload: my-deployment has containers that do not set 'securityContext.procMount' to 'Default'", + "packagename": "armo_builtins", + "alertScore": 7, + "fixPaths": [ + { + "path": "spec.template.spec.containers[1].securityContext.procMount", + "value": "Default" + } + ], + "ruleStatus": "", + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "name": "my-deployment", + "labels": { + "app": "goproxy" + } + } } + ] } + } ] \ No newline at end of file diff --git a/rules/set-procmount-default/test/workload/input/deployment.yaml b/rules/set-procmount-default/test/workload/input/deployment.yaml index 7604b3acb..a3dc26a23 100644 --- a/rules/set-procmount-default/test/workload/input/deployment.yaml +++ b/rules/set-procmount-default/test/workload/input/deployment.yaml @@ -23,7 +23,6 @@ spec: - name : php image : php:7.0-apache securityContext: - procMount: Unmasked volumeMounts : - name : site-data mountPath : /var/www/html diff --git a/rules/set-seLinuxOptions/rule.metadata.json b/rules/set-seLinuxOptions/rule.metadata.json index 6ad114530..0b2cd07a0 100644 --- a/rules/set-seLinuxOptions/rule.metadata.json +++ b/rules/set-seLinuxOptions/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "set-seLinuxOptions", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ 
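Review bot: Dropping `procMount: Unmasked` from the `php` container means this fixture no longer exercises the explicit-`Unmasked` case, which is the misconfiguration the rule exists to catch (it removes the masking of sensitive `/proc` paths for that container); the expected finding for `containers[1]` now comes from the field being absent. Keeping one container with `procMount: Unmasked` in the input, or adding a second fixture for it, would preserve regression coverage for that path. The pod and cronjob inputs are not in this diff, so they may still cover it.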
diff --git a/rules/set-seccomp-profile-RuntimeDefault/rule.metadata.json b/rules/set-seccomp-profile-RuntimeDefault/rule.metadata.json index 77e921ca9..4bc785163 100644 --- a/rules/set-seccomp-profile-RuntimeDefault/rule.metadata.json +++ b/rules/set-seccomp-profile-RuntimeDefault/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "set-seccomp-profile-RuntimeDefault", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/set-seccomp-profile-RuntimeDefault/test/cronjob/expected.json b/rules/set-seccomp-profile-RuntimeDefault/test/cronjob/expected.json index 7a345e6e6..34a2f6f92 100644 --- a/rules/set-seccomp-profile-RuntimeDefault/test/cronjob/expected.json +++ b/rules/set-seccomp-profile-RuntimeDefault/test/cronjob/expected.json @@ -1,6 +1,7 @@ [ { "alertMessage": "Cronjob: hello does not define seccompProfile as RuntimeDefault", + "reviewPaths": [], "failedPaths": [], "fixPaths": [ { @@ -25,6 +26,9 @@ }, { "alertMessage": "Cronjob: hello does not define seccompProfile as RuntimeDefault", + "reviewPaths": [ + "spec.jobTemplate.spec.template.spec.containers[1].securityContext.seccompProfile.type" + ], "failedPaths": [ "spec.jobTemplate.spec.template.spec.containers[1].securityContext.seccompProfile.type" ], diff --git a/rules/set-seccomp-profile-RuntimeDefault/test/pod/expected.json b/rules/set-seccomp-profile-RuntimeDefault/test/pod/expected.json index f4f28c157..daefae833 100644 --- a/rules/set-seccomp-profile-RuntimeDefault/test/pod/expected.json +++ b/rules/set-seccomp-profile-RuntimeDefault/test/pod/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "Pod: audit-pod does not define seccompProfile as RuntimeDefault", + "reviewPaths": [ + "spec.containers[1].securityContext.seccompProfile.type" + ], "failedPaths": [ "spec.containers[1].securityContext.seccompProfile.type" ], 
@@ -25,6 +28,9 @@ }, { "alertMessage": "Pod: audit-pod does not define seccompProfile as RuntimeDefault", + "reviewPaths": [ + "spec.securityContext.seccompProfile.type" + ], "failedPaths": [ "spec.securityContext.seccompProfile.type" ], diff --git a/rules/set-seccomp-profile-RuntimeDefault/test/workloads/expected.json b/rules/set-seccomp-profile-RuntimeDefault/test/workloads/expected.json index 33703e3b9..df562dba8 100644 --- a/rules/set-seccomp-profile-RuntimeDefault/test/workloads/expected.json +++ b/rules/set-seccomp-profile-RuntimeDefault/test/workloads/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "Workload: my-deployment does not define seccompProfile as RuntimeDefault", + "reviewPaths": [ + "spec.template.spec.containers[1].securityContext.seccompProfile.type" + ], "failedPaths": [ "spec.template.spec.containers[1].securityContext.seccompProfile.type" ], diff --git a/rules/set-seccomp-profile/rule.metadata.json b/rules/set-seccomp-profile/rule.metadata.json index a40733f05..90a5665dd 100644 --- a/rules/set-seccomp-profile/rule.metadata.json +++ b/rules/set-seccomp-profile/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "set-seccomp-profile", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/set-supplementalgroups-values/raw.rego b/rules/set-supplementalgroups-values/raw.rego index caca884db..0b10e491c 100644 --- a/rules/set-supplementalgroups-values/raw.rego +++ b/rules/set-supplementalgroups-values/raw.rego 
@@ -4,74 +4,62 @@ package armo_builtins # Fails if securityContext.supplementalGroups is not set deny[msga] { - # verify the object kind + # verify the object kind pod := input[_] pod.kind = "Pod" # check securityContext has supplementalGroups set - not pod.spec.securityContext.supplementalGroups + not pod.spec.securityContext.supplementalGroups + fixPaths = [{"path": "spec.securityContext.supplementalGroups", "value": "YOUR_VALUE"}] - path := "spec.securityContext" - msga := { + msga := { "alertMessage": sprintf("Pod: %v does not set 'securityContext.supplementalGroups'", [pod.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, - "reviewPaths": [path], - "failedPaths": [path], - "fixPaths": [], - "alertObject": { - "k8sApiObjects": [pod] - } - } + "fixPaths": fixPaths, + "alertObject": {"k8sApiObjects": [pod]}, + } } ### WORKLOAD ### # Fails if securityContext.supplementalGroups is not set deny[msga] { - # verify the object kind + # verify the object kind wl := input[_] - manifest_kind := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} + manifest_kind := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Job"} manifest_kind[wl.kind] # check securityContext has supplementalGroups set - not wl.spec.template.spec.securityContext.supplementalGroups + not wl.spec.template.spec.securityContext.supplementalGroups + fixPaths = [{"path": "spec.template.spec.securityContext.supplementalGroups", "value": "YOUR_VALUE"}] - path := "spec.template.spec.securityContext" - msga := { + msga := { "alertMessage": sprintf("Workload: %v does not set 'securityContext.supplementalGroups'", [wl.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, - "reviewPaths": [path], - "failedPaths": [path], - "fixPaths": [], - "alertObject": { - "k8sApiObjects": [wl] - } - } + "fixPaths": fixPaths, + "alertObject": {"k8sApiObjects": [wl]}, + } } ### CRONJOB ### # Fails if securityContext.supplementalGroups is not set deny[msga] { - # verify the object 
kind + # verify the object kind cj := input[_] - cj.kind == "CronJob" + cj.kind == "CronJob" # check securityContext has supplementalGroups set - not cj.spec.jobTemplate.spec.template.spec.securityContext.supplementalGroups + not cj.spec.jobTemplate.spec.template.spec.securityContext.supplementalGroups + fixPaths = [{"path": "spec.jobTemplate.spec.template.spec.securityContext.supplementalGroups", "value": "YOUR_VALUE"}] - path := "spec.jobTemplate.spec.template.spec.securityContext" - msga := { + msga := { "alertMessage": sprintf("CronJob: %v does not set 'securityContext.supplementalGroups'", [cj.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, - "reviewPaths": [path], - "failedPaths": [path], - "fixPaths": [], - "alertObject": { - "k8sApiObjects": [cj] - } - } + "fixPaths": fixPaths, + "alertObject": {"k8sApiObjects": [cj]}, + } } diff --git a/rules/set-supplementalgroups-values/rule.metadata.json b/rules/set-supplementalgroups-values/rule.metadata.json index dfa1c6f8d..00f487e9a 100644 --- a/rules/set-supplementalgroups-values/rule.metadata.json +++ b/rules/set-supplementalgroups-values/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "set-supplementalgroups-values", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/set-supplementalgroups-values/test/cronjob/expected.json b/rules/set-supplementalgroups-values/test/cronjob/expected.json index b7f838601..0358b32b3 100644 --- a/rules/set-supplementalgroups-values/test/cronjob/expected.json +++ b/rules/set-supplementalgroups-values/test/cronjob/expected.json 
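Review bot: The rewritten check `not pod.spec.securityContext.supplementalGroups` (and its workload and CronJob counterparts) still passes an explicitly empty `supplementalGroups: []`, because a defined empty array is not `false` in Rego; if an empty list should count as unset, a helper mirroring this commit's `fsGroupSetProperly` pattern closes the gap (it needs `import future.keywords.if` if the file lacks it). The same helper, applied to `wl.spec.template.spec.securityContext` and `cj.spec.jobTemplate.spec.template.spec.securityContext`, covers the other two rules. Separately, `supplementalGroups` is a list of integers in the Pod schema, so the `"YOUR_VALUE"` placeholder string at that path would not be a valid value if a fixer applied it literally; presumably the UI only shows it, but that is worth confirming.
```rego
# supplementalGroupsSet holds when securityContext.supplementalGroups is present and non-empty;
# an explicitly empty list is treated the same as an unset field.
supplementalGroupsSet(securityContext) if {
	count(securityContext.supplementalGroups) > 0
} else := false

deny[msga] {
	# verify the object kind
	pod := input[_]
	pod.kind = "Pod"

	# check securityContext has supplementalGroups set
	not supplementalGroupsSet(pod.spec.securityContext)
	# … unchanged: fixPaths and msga …
}
```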
@@ -1,21 +1,25 @@ [ - { - "alertMessage": "CronJob: hello does not set 'securityContext.supplementalGroups'", - "packagename": "armo_builtins", - "alertScore": 7, - "failedPaths": ["spec.jobTemplate.spec.template.spec.securityContext"], - "fixPaths": [], - "ruleStatus": "", - "alertObject": { - "k8sApiObjects": [ - { - "apiVersion": "batch/v1beta1", - "kind": "CronJob", - "metadata": { - "name": "hello" - } - } - ] + { + "alertMessage": "CronJob: hello does not set 'securityContext.supplementalGroups'", + "packagename": "armo_builtins", + "alertScore": 7, + "fixPaths": [ + { + "path": "spec.jobTemplate.spec.template.spec.securityContext.supplementalGroups", + "value": "YOUR_VALUE" + } + ], + "ruleStatus": "", + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "batch/v1beta1", + "kind": "CronJob", + "metadata": { + "name": "hello" + } } + ] } + } ] \ No newline at end of file diff --git a/rules/set-supplementalgroups-values/test/pod/expected.json b/rules/set-supplementalgroups-values/test/pod/expected.json index aeef057c1..6da488301 100644 --- a/rules/set-supplementalgroups-values/test/pod/expected.json +++ b/rules/set-supplementalgroups-values/test/pod/expected.json @@ -1,21 +1,25 @@ [ - { - "alertMessage": "Pod: nginx does not set 'securityContext.supplementalGroups'", - "packagename": "armo_builtins", - "alertScore": 7, - "failedPaths": ["spec.securityContext"], - "fixPaths": [], - "ruleStatus": "", - "alertObject": { - "k8sApiObjects": [ - { - "apiVersion": "v1", - "kind": "Pod", - "metadata": { - "name": "nginx" - } - } - ] + { + "alertMessage": "Pod: nginx does not set 'securityContext.supplementalGroups'", + "packagename": "armo_builtins", + "alertScore": 7, + "fixPaths": [ + { + "path": "spec.securityContext.supplementalGroups", + "value": "YOUR_VALUE" + } + ], + "ruleStatus": "", + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "nginx" + } } + ] } + } ] \ No newline at end of file 
diff --git a/rules/set-supplementalgroups-values/test/workload/expected.json b/rules/set-supplementalgroups-values/test/workload/expected.json index 7aa5123fa..1c9a75f85 100644 --- a/rules/set-supplementalgroups-values/test/workload/expected.json +++ b/rules/set-supplementalgroups-values/test/workload/expected.json @@ -1,24 +1,28 @@ [ - { - "alertMessage": "Workload: my-deployment does not set 'securityContext.supplementalGroups'", - "packagename": "armo_builtins", - "alertScore": 7, - "failedPaths": ["spec.template.spec.securityContext"], - "fixPaths": [], - "ruleStatus": "", - "alertObject": { - "k8sApiObjects": [ - { - "apiVersion": "apps/v1", - "kind": "Deployment", - "metadata": { - "name": "my-deployment", - "labels": { - "app": "goproxy" - } - } - } - ] + { + "alertMessage": "Workload: my-deployment does not set 'securityContext.supplementalGroups'", + "packagename": "armo_builtins", + "alertScore": 7, + "fixPaths": [ + { + "path": "spec.template.spec.securityContext.supplementalGroups", + "value": "YOUR_VALUE" + } + ], + "ruleStatus": "", + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "name": "my-deployment", + "labels": { + "app": "goproxy" + } + } } + ] } + } ] \ No newline at end of file diff --git a/rules/set-sysctls-params/raw.rego b/rules/set-sysctls-params/raw.rego index 1a9bb898c..d29244a8e 100644 --- a/rules/set-sysctls-params/raw.rego +++ b/rules/set-sysctls-params/raw.rego 
@@ -12,12 +12,14 @@ deny[msga] { not pod.spec.securityContext.sysctls path := "spec.securityContext.sysctls" + fixPaths := [{"path": sprintf("%s.name", [path]), "value": "YOUR_VALUE"}, + {"path": sprintf("%s.value", [path]), "value": "YOUR_VALUE"}] msga := { "alertMessage": sprintf("Pod: %v does not set 'securityContext.sysctls'", [pod.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, "failedPaths": [], - "fixPaths": [{"path": path, "name": "net.ipv4.tcp_syncookie", "value": "1"}], + "fixPaths": fixPaths, "alertObject": { "k8sApiObjects": [pod] } @@ -37,12 +39,14 @@ deny[msga] { not wl.spec.template.spec.securityContext.sysctls path := "spec.template.spec.securityContext.sysctls" + fixPaths := [{"path": sprintf("%s.name", [path]), "value": "YOUR_VALUE"}, + {"path": sprintf("%s.value", [path]), "value": "YOUR_VALUE"}] msga := { "alertMessage": sprintf("Workload: %v does not set 'securityContext.sysctls'", [wl.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, "failedPaths": [], - "fixPaths": [{"path": path, "name": "net.ipv4.tcp_syncookie", "value": "1"}], + "fixPaths": fixPaths, "alertObject": { "k8sApiObjects": [wl] } @@ -61,12 +65,14 @@ deny[msga] { not cj.spec.jobTemplate.spec.template.spec.securityContext.sysctls path := "spec.jobTemplate.spec.template.spec.securityContext.sysctls" + fixPaths := [{"path": sprintf("%s.name", [path]), "value": "YOUR_VALUE"}, + {"path": sprintf("%s.value", [path]), "value": "YOUR_VALUE"}] msga := { "alertMessage": sprintf("CronJob: %v does not set 'securityContext.sysctls'", [cj.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, "failedPaths": [], - "fixPaths": [{"path": path, "name": "net.ipv4.tcp_syncookie", "value": "1"}], + "fixPaths": fixPaths, "alertObject": { "k8sApiObjects": [cj] } diff --git a/rules/set-sysctls-params/rule.metadata.json b/rules/set-sysctls-params/rule.metadata.json index 3fbba969a..82b5ea73e 100644 --- a/rules/set-sysctls-params/rule.metadata.json 
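Review bot: The new fix paths `sysctls.name` and `sysctls.value` do not match the shape of the field: `securityContext.sysctls` is a list of `{name, value}` objects, and the other fix paths in this commit address list elements with a bracketed index (`spec.containers[%d]...`), so a path-based fixer would most likely create a mapping here instead of a list entry. `fixPaths := [{"path": sprintf("%s[0].name", [path]), "value": "YOUR_VALUE"},` / `{"path": sprintf("%s[0].value", [path]), "value": "YOUR_VALUE"}]` is the consistent form; the same applies to the workload and CronJob hunks below, and the three expected.json fixtures would need the matching paths.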
+++ b/rules/set-sysctls-params/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "set-sysctls-params", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/set-sysctls-params/test/cronjob/expected.json b/rules/set-sysctls-params/test/cronjob/expected.json index 615c089c1..8b11c17bd 100644 --- a/rules/set-sysctls-params/test/cronjob/expected.json +++ b/rules/set-sysctls-params/test/cronjob/expected.json @@ -1,21 +1,30 @@ [ - { - "alertMessage": "CronJob: hello does not set 'securityContext.sysctls'", - "packagename": "armo_builtins", - "alertScore": 7, - "failedPaths": [], - "fixPaths": [{"path": "spec.jobTemplate.spec.template.spec.securityContext.sysctls", "name": "net.ipv4.tcp_syncookie", "value": "1"}], - "ruleStatus": "", - "alertObject": { - "k8sApiObjects": [ - { - "apiVersion": "batch/v1beta1", - "kind": "CronJob", - "metadata": { - "name": "hello" - } - } - ] + { + "alertMessage": "CronJob: hello does not set 'securityContext.sysctls'", + "packagename": "armo_builtins", + "alertScore": 7, + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.jobTemplate.spec.template.spec.securityContext.sysctls.name", + "value": "YOUR_VALUE" + }, + { + "path": "spec.jobTemplate.spec.template.spec.securityContext.sysctls.value", + "value": "YOUR_VALUE" + } + ], + "ruleStatus": "", + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "batch/v1beta1", + "kind": "CronJob", + "metadata": { + "name": "hello" + } } + ] } -] + } +] \ No newline at end of file diff --git a/rules/set-sysctls-params/test/pod/expected.json b/rules/set-sysctls-params/test/pod/expected.json index a062e2141..0f29c717f 100644 --- a/rules/set-sysctls-params/test/pod/expected.json +++ b/rules/set-sysctls-params/test/pod/expected.json 
@@ -1,21 +1,29 @@ [ - { - "alertMessage": "Pod: nginx does not set 'securityContext.sysctls'", - "packagename": "armo_builtins", - "alertScore": 7, - "failedPaths": [], - "fixPaths": [{"path": "spec.securityContext.sysctls", "name": "net.ipv4.tcp_syncookie", "value": "1"}], - "ruleStatus": "", - "alertObject": { - "k8sApiObjects": [ - { - "apiVersion": "v1", - "kind": "Pod", - "metadata": { - "name": "nginx" - } - } - ] + { + "alertMessage": "Pod: nginx does not set 'securityContext.sysctls'", + "packagename": "armo_builtins", + "alertScore": 7, + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.securityContext.sysctls.name", + "value": "YOUR_VALUE" + }, + { + "path": "spec.securityContext.sysctls.value", + "value": "YOUR_VALUE"} + ], + "ruleStatus": "", + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "nginx" + } } + ] } -] + } +] \ No newline at end of file diff --git a/rules/set-sysctls-params/test/workload/expected.json b/rules/set-sysctls-params/test/workload/expected.json index d7ac3edd2..03485d1df 100644 --- a/rules/set-sysctls-params/test/workload/expected.json +++ b/rules/set-sysctls-params/test/workload/expected.json 
@@ -1,24 +1,33 @@ [ - { - "alertMessage": "Workload: my-deployment does not set 'securityContext.sysctls'", - "packagename": "armo_builtins", - "alertScore": 7, - "failedPaths": [], - "fixPaths": [{"path": "spec.template.spec.securityContext.sysctls", "name": "net.ipv4.tcp_syncookie", "value": "1"}], - "ruleStatus": "", - "alertObject": { - "k8sApiObjects": [ - { - "apiVersion": "apps/v1", - "kind": "Deployment", - "metadata": { - "name": "my-deployment", - "labels": { - "app": "goproxy" - } - } - } - ] + { + "alertMessage": "Workload: my-deployment does not set 'securityContext.sysctls'", + "packagename": "armo_builtins", + "alertScore": 7, + "failedPaths": [], + "fixPaths": [ + { + "path": "spec.template.spec.securityContext.sysctls.name", + "value": "YOUR_VALUE" + }, + { + "path": "spec.template.spec.securityContext.sysctls.value", + "value": "YOUR_VALUE" + } + ], + "ruleStatus": "", + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "name": "my-deployment", + "labels": { + "app": "goproxy" + } + } } + ] } -] + } +] \ No newline at end of file diff --git a/rules/sudo-in-container-entrypoint/rule.metadata.json b/rules/sudo-in-container-entrypoint/rule.metadata.json index 2167c56c6..8f11108a8 100644 --- a/rules/sudo-in-container-entrypoint/rule.metadata.json +++ b/rules/sudo-in-container-entrypoint/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "sudo-in-container-entrypoint", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/sudo-in-container-entrypoint/test/pod/expected.json b/rules/sudo-in-container-entrypoint/test/pod/expected.json index 9caa17df9..258d4ca67 100644 --- a/rules/sudo-in-container-entrypoint/test/pod/expected.json +++ b/rules/sudo-in-container-entrypoint/test/pod/expected.json 
@@ -2,6 +2,9 @@ { "alertMessage": "container: command-demo-container in pod: command-demo have sudo in entrypoint", "fixPaths": [], + "reviewPaths": [ + "spec.containers[0].command[0]" + ], "failedPaths": [ "spec.containers[0].command[0]" ], diff --git a/rules/sudo-in-container-entrypoint/test/workloads/expected.json b/rules/sudo-in-container-entrypoint/test/workloads/expected.json index e8a858f26..9dd3bb964 100644 --- a/rules/sudo-in-container-entrypoint/test/workloads/expected.json +++ b/rules/sudo-in-container-entrypoint/test/workloads/expected.json @@ -2,6 +2,9 @@ { "alertMessage": "container: test-container2 in Deployment: test2 have sudo in entrypoint", "fixPaths": [], + "reviewPaths": [ + "spec.template.spec.containers[1].command[0]" + ], "failedPaths": [ "spec.template.spec.containers[1].command[0]" ], diff --git a/rules/system-authenticated-allowed-to-take-over-cluster/raw.rego b/rules/system-authenticated-allowed-to-take-over-cluster/raw.rego new file mode 100644 index 000000000..251abcbe2 --- /dev/null +++ b/rules/system-authenticated-allowed-to-take-over-cluster/raw.rego 
@@ -0,0 +1,65 @@
+package armo_builtins
+
+import future.keywords.in
+
+deny[msga] {
+ subjectVector := input[_]
+
+ rolebinding := subjectVector.relatedObjects[j]
+ endswith(rolebinding.kind, "Binding")
+
+
+ subject := rolebinding.subjects[k]
+ # Check if the subject is gourp
+ subject.kind == "Group"
+ # Check if the subject is system:authenticated
+ subject.name == "system:authenticated"
+
+
+ # Find the bound roles
+ role := subjectVector.relatedObjects[i]
+ endswith(role.kind, "Role")
+
+ # Check if the role and rolebinding bound
+ is_same_role_and_binding(role, rolebinding)
+
+
+ # Check if the role has access to workloads, exec, attach, portforward
+ rule := role.rules[p]
+ rule.resources[l] in ["*","pods", "pods/exec", "pods/attach", "pods/portforward","deployments","statefulset","daemonset","jobs","cronjobs","nodes","secrets"]
+
+ finalpath := array.concat([""], [
+ sprintf("relatedObjects[%d].subjects[%d]", [j, k]),
+ sprintf("relatedObjects[%d].roleRef.name", [i]),
+ ])
+
+ msga := {
+ "alertMessage": "system:authenticated has sensitive roles",
+ "alertScore": 5,
+ "reviewPaths": finalpath,
+ "failedPaths": finalpath,
+ "fixPaths": [],
+ "packagename": "armo_builtins",
+ "alertObject": {
+ "k8sApiObjects": [],
+ "externalObjects" : subjectVector
+ },
+ }
+}
+
+is_same_role_and_binding(role, rolebinding) {
+ rolebinding.kind == "RoleBinding"
+ role.kind == "Role"
+ rolebinding.metadata.namespace == role.metadata.namespace
+ rolebinding.roleRef.name == role.metadata.name
+ rolebinding.roleRef.kind == role.kind
+ startswith(role.apiVersion, rolebinding.roleRef.apiGroup)
+}
+
+is_same_role_and_binding(role, rolebinding) {
+ rolebinding.kind == "ClusterRoleBinding"
+ role.kind == "ClusterRole"
+ rolebinding.roleRef.name == role.metadata.name
+ rolebinding.roleRef.kind == role.kind
+ startswith(role.apiVersion, rolebinding.roleRef.apiGroup)
+}
\ No newline at end of file
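Review bot: The resource allow-list on the `rule.resources[l] in [...]` line uses the singular `"statefulset"` and `"daemonset"`, while RBAC rules name resources in lowercase plural (`statefulsets`, `daemonsets`), so bindings granting those resources never match; the entries should read `"statefulsets","daemonsets"`. `is_same_role_and_binding` only pairs RoleBinding with Role and ClusterRoleBinding with ClusterRole, so a namespaced RoleBinding whose roleRef is a ClusterRole (a common pattern) is silently skipped; a third case is given below. The body tests resources only and never `rule.verbs`, so a read-only `get/list/watch` binding (the fail fixture in this commit) fires at the same score as a binding with `create` on `pods/exec`; if that is intended, a comment stating that any exposure of these resources to system:authenticated counts as a finding would make it explicit. `array.concat([""], ...)` also puts an empty-string path at the front of reviewPaths/failedPaths (visible in the fail expected.json), which looks like a leftover. The comment `# Check if the subject is gourp` should read `# Check if the subject is a Group`.
```rego
# … unchanged: existing RoleBinding/Role and ClusterRoleBinding/ClusterRole cases …

# A RoleBinding may also reference a ClusterRole (namespaced grant of cluster-scoped rules)
is_same_role_and_binding(role, rolebinding) {
    rolebinding.kind == "RoleBinding"
    role.kind == "ClusterRole"
    rolebinding.roleRef.name == role.metadata.name
    rolebinding.roleRef.kind == role.kind
    startswith(role.apiVersion, rolebinding.roleRef.apiGroup)
}
```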
diff --git a/rules/system-authenticated-allowed-to-take-over-cluster/rule.metadata.json b/rules/system-authenticated-allowed-to-take-over-cluster/rule.metadata.json
new file mode 100644
index 000000000..37a004adc
--- /dev/null
+++ b/rules/system-authenticated-allowed-to-take-over-cluster/rule.metadata.json
@@ -0,0 +1,27 @@
+{
+ "name": "system-authenticated-allowed-to-take-over-cluster",
+ "attributes": {
+ "resourcesAggregator": "subject-role-rolebinding"
+ },
+ "ruleLanguage": "Rego",
+ "match": [
+ {
+ "apiGroups": [
+ "rbac.authorization.k8s.io"
+ ],
+ "apiVersions": [
+ "v1"
+ ],
+ "resources": [
+ "RoleBinding",
+ "ClusterRoleBinding",
+ "Role",
+ "ClusterRole"
+ ]
+ }
+ ],
+ "ruleDependencies": [],
+ "description": "Fails in system:authenticated user has cluster takeover rbac permissions (is bound by a RoleBinding/ClusterRoleBinding)",
+ "remediation": "Remove any RBAC rules which allow system:authenticated users to perform actions",
+ "ruleQuery": "armo_builtins"
+}
diff --git a/rules/system-authenticated-allowed-to-take-over-cluster/test/fail/expected.json b/rules/system-authenticated-allowed-to-take-over-cluster/test/fail/expected.json
new file mode 100644
index 000000000..28ad87b4f
--- /dev/null
+++ b/rules/system-authenticated-allowed-to-take-over-cluster/test/fail/expected.json
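Review bot: The `description` value `Fails in system:authenticated user has cluster takeover rbac permissions` is ungrammatical and does not say what the rule actually checks; suggest `"description": "Fails if the system:authenticated group is bound (via a RoleBinding/ClusterRoleBinding) to a Role/ClusterRole that grants access to cluster-takeover resources"`. The `remediation` could name the concrete action, e.g. `"remediation": "Remove RoleBindings/ClusterRoleBindings that grant system:authenticated access to these resources, or scope them to specific groups or service accounts"`.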
@@ -0,0 +1,74 @@ +[ + { + "alertMessage": "system:authenticated has sensitive roles", + "alertObject": { + "externalObjects": { + "apiGroup": "rbac.authorization.k8s.io", + "kind": "Group", + "name": "system:authenticated", + "relatedObjects": [ + { + "apiVersion": "rbac.authorization.k8s.io/v1", + "kind": "ClusterRoleBinding", + "metadata": { + "name": "system:viewer" + }, + "roleRef": { + "apiGroup": "rbac.authorization.k8s.io", + "kind": "ClusterRole", + "name": "system:viewer" + }, + "subjects": [ + { + "apiGroup": "rbac.authorization.k8s.io", + "kind": "Group", + "name": "system:authenticated" + } + ] + }, + { + "apiVersion": "rbac.authorization.k8s.io/v1", + "kind": "ClusterRole", + "metadata": { + "name": "system:viewer" + }, + "rules": [ + { + "apiGroups": [ + "" + ], + "resources": [ + "nodes", + "nodes/*", + "namespaces", + "namespaces/*", + "pods", + "pods/*" + ], + "verbs": [ + "get", + "list", + "watch" + ] + } + ] + } + ] + }, + "k8sApiObjects": [] + }, + "alertScore": 5, + "failedPaths": [ + "", + "relatedObjects[0].subjects[0]", + "relatedObjects[1].roleRef.name" + ], + "fixPaths": [], + "packagename": "armo_builtins", + "reviewPaths": [ + "", + "relatedObjects[0].subjects[0]", + "relatedObjects[1].roleRef.name" + ] + } +] \ No newline at end of file diff --git a/rules/system-authenticated-allowed-to-take-over-cluster/test/fail/input/clusterrole.yaml b/rules/system-authenticated-allowed-to-take-over-cluster/test/fail/input/clusterrole.yaml new file mode 100644 index 000000000..a374bc4be --- /dev/null +++ b/rules/system-authenticated-allowed-to-take-over-cluster/test/fail/input/clusterrole.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: system:viewer +rules: +- apiGroups: + - "" + resources: + - nodes + - nodes/* + - namespaces + - namespaces/* + - pods + - pods/* + verbs: + - get + - list + - watch \ No newline at end of file 
diff --git a/rules/system-authenticated-allowed-to-take-over-cluster/test/fail/input/clusterrolebinding.yaml b/rules/system-authenticated-allowed-to-take-over-cluster/test/fail/input/clusterrolebinding.yaml new file mode 100644 index 000000000..1c989e816 --- /dev/null +++ b/rules/system-authenticated-allowed-to-take-over-cluster/test/fail/input/clusterrolebinding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: system:viewer +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:viewer +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:authenticated \ No newline at end of file diff --git a/rules/system-authenticated-allowed-to-take-over-cluster/test/success/expected.json b/rules/system-authenticated-allowed-to-take-over-cluster/test/success/expected.json new file mode 100644 index 000000000..fe51488c7 --- /dev/null +++ b/rules/system-authenticated-allowed-to-take-over-cluster/test/success/expected.json @@ -0,0 +1 @@ +[] diff --git a/rules/system-authenticated-allowed-to-take-over-cluster/test/success/input/rolebinding.yaml b/rules/system-authenticated-allowed-to-take-over-cluster/test/success/input/rolebinding.yaml new file mode 100644 index 000000000..3909d713d --- /dev/null +++ b/rules/system-authenticated-allowed-to-take-over-cluster/test/success/input/rolebinding.yaml @@ -0,0 +1,26 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: system:viewer +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:viewer +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:authenticated +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: system:viewer +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch \ No newline at end of file 
diff --git a/rules/unauthenticated-service/raw.rego b/rules/unauthenticated-service/raw.rego
new file mode 100644
index 000000000..4ba95ab14
--- /dev/null
+++ b/rules/unauthenticated-service/raw.rego
@@ -0,0 +1,43 @@
+package armo_builtins
+
+import future.keywords.contains
+import future.keywords.if
+
+deny contains msga if {
+ service := input[_]
+ service.kind == "Service"
+
+ wl := input[_]
+ spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Pod", "Job", "CronJob"}
+ spec_template_spec_patterns[wl.kind]
+ wl_connected_to_service(wl, service)
+
+ service_scan_result := input[_]
+ service_scan_result.kind == "ServiceScanResult"
+ service_name := service.metadata.name
+ has_unauthenticated_service(service_name, service.metadata.namespace, service_scan_result)
+
+ msga := {
+ "alertMessage": sprintf("Unauthenticated service %v exposes %v", [service_name, wl.metadata.name]),
+ "alertScore": 7,
+ "fixPaths": [],
+ "reviewPaths": [],
+ "failedPaths": [],
+ "packagename": "armo_builtins",
+ "alertObject": {"k8sApiObjects": [wl]},
+ }
+}
+
+has_unauthenticated_service(service_name, namespace, service_scan_result) if {
+ service_scan_result.metadata.name == service_name
+ service_scan_result.metadata.namespace == namespace
+ service_scan_result.spec.ports[_].authenticated == false
+}
+
+wl_connected_to_service(wl, svc) if {
+ count({x | svc.spec.selector[x] == wl.metadata.labels[x]}) == count(svc.spec.selector)
+}
+
+wl_connected_to_service(wl, svc) if {
+ wl.spec.selector.matchLabels == svc.spec.selector
+}
diff --git a/rules/CVE-2022-0492/rule.metadata.json b/rules/unauthenticated-service/rule.metadata.json
similarity index 60%
rename from rules/CVE-2022-0492/rule.metadata.json
rename to rules/unauthenticated-service/rule.metadata.json
index 58c423695..3ce6e83d8 100644
--- a/rules/CVE-2022-0492/rule.metadata.json
+++ b/rules/unauthenticated-service/rule.metadata.json
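Review bot: The deny body never compares `wl.metadata.namespace` with `service.metadata.namespace`; a Service selects pods only within its own namespace, so a workload with matching labels in any other namespace is reported as exposed by this Service. Add `wl.metadata.namespace == service.metadata.namespace` after the kind check, or a helper tolerant of a missing namespace for file scans like the `is_same_namespace` rules elsewhere in this commit. The first `wl_connected_to_service` rule matches against `wl.metadata.labels`, but for Deployment/StatefulSet and the other template-based kinds the Service selects on the pod template labels (`wl.spec.template.metadata.labels`), so the label path should depend on the kind; the second rule's equality on `spec.selector.matchLabels` only covers the case where the two selectors are identical. A Service with an empty `spec.selector` would make `count({...}) == count(svc.spec.selector)` true for every workload, so a guard such as `count(svc.spec.selector) > 0` is worth adding.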
@@ -1,8 +1,5 @@ { - "name": "CVE-2022-0492", - "attributes": { - "armoBuiltin": true - }, + "name": "unauthenticated-service", "ruleLanguage": "Rego", "match": [ { @@ -13,7 +10,8 @@ "v1" ], "resources": [ - "Pod" + "Pod", + "Service" ] }, { @@ -41,11 +39,23 @@ "Job", "CronJob" ] + }, + { + "apiGroups": [ + "kubescape.io" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "servicesscanresults" + ] } + ], + "dynamicMatch": [ ], - "ruleDependencies": [ - ], - "description": "", - "remediation": "", + "ruleDependencies": [], + "description": "Verifies that the service is authenticated", + "remediation": "Add authentication to the service", "ruleQuery": "armo_builtins" } \ No newline at end of file diff --git a/rules/unauthenticated-service/test/fail_service/expected.json b/rules/unauthenticated-service/test/fail_service/expected.json new file mode 100644 index 000000000..b4e3533a3 --- /dev/null +++ b/rules/unauthenticated-service/test/fail_service/expected.json @@ -0,0 +1,27 @@ +[ + { + "alertMessage": "Unauthenticated service operator exposes operator", + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "labels": { + "app": "operator" + }, + "name": "operator" + } + } + ] + }, + "alertScore": 7, + "deletePaths": null, + "failedPaths": [], + "fixPaths": [], + "packagename": "armo_builtins", + "relatedObjects": [], + "reviewPaths": [], + "ruleStatus": "" + } +] diff --git a/rules/unauthenticated-service/test/fail_service/input/operator.yaml b/rules/unauthenticated-service/test/fail_service/input/operator.yaml new file mode 100644 index 000000000..2905008e7 --- /dev/null +++ b/rules/unauthenticated-service/test/fail_service/input/operator.yaml 
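Review bot: The new match entry lists `"servicesscanresults"` in lowercase plural while every other entry in this file's `resources` arrays uses Kind names (`"Pod"`, `"Service"`), and the Rego added in this commit tests `kind == "ServiceScanResult"`; if the matcher keys on Kind this entry will not select the scan results, so confirm against the aggregator and make the naming consistent either way. This file is produced by renaming `rules/CVE-2022-0492/rule.metadata.json`, which removes that rule's metadata; I cannot see from here whether its `raw.rego` and tests are removed in the same commit, so it is worth confirming nothing still references `CVE-2022-0492`. `"dynamicMatch": [ ]` is added empty; if it is unused, dropping it or documenting its purpose would help.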
@@ -0,0 +1,18 @@ +apiVersion: kubescape.io/v1 +kind: ServiceScanResult +metadata: + creationTimestamp: "2024-07-03T04:40:17Z" + generation: 4 + name: operator + namespace: kubescape + resourceVersion: "2772" + uid: 24dc622d-ee78-40c2-8654-2a5604715f95 +spec: + clusterIP: 10.103.207.220 + ports: + - applicationLayer: "" + authenticated: false + port: 4002 + presentationLayer: http + protocol: TCP + sessionLayer: tcp diff --git a/rules/unauthenticated-service/test/fail_service/input/operator2.yaml b/rules/unauthenticated-service/test/fail_service/input/operator2.yaml new file mode 100644 index 000000000..96a495616 --- /dev/null +++ b/rules/unauthenticated-service/test/fail_service/input/operator2.yaml @@ -0,0 +1,18 @@ +apiVersion: kubescape.io/v1 +kind: ServiceScanResult +metadata: + creationTimestamp: "2024-07-03T04:40:17Z" + generation: 4 + name: operator2 + namespace: kubescape + resourceVersion: "2772" + uid: 24dc622d-ee78-40c2-8654-2a5604715f95 +spec: + clusterIP: 10.103.207.220 + ports: + - applicationLayer: "" + authenticated: true + port: 4002 + presentationLayer: http + protocol: TCP + sessionLayer: tcp diff --git a/rules/unauthenticated-service/test/fail_service/input/pod.yaml b/rules/unauthenticated-service/test/fail_service/input/pod.yaml new file mode 100644 index 000000000..f91f89733 --- /dev/null +++ b/rules/unauthenticated-service/test/fail_service/input/pod.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: operator + namespace: kubescape + labels: + app: operator +spec: + containers: + - name: operator-container + image: your-operator-image:latest + ports: + - containerPort: 8080 + resources: + limits: + cpu: "1" + memory: "1Gi" \ No newline at end of file diff --git a/rules/unauthenticated-service/test/fail_service/input/pod2.yaml b/rules/unauthenticated-service/test/fail_service/input/pod2.yaml new file mode 100644 index 000000000..160f56455 --- /dev/null +++ b/rules/unauthenticated-service/test/fail_service/input/pod2.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: operator2 + namespace: kubescape + labels: + app: operator2 +spec: + containers: + - name: operator-container + image: your-operator-image:latest + ports: + - containerPort: 8080 + resources: + limits: + cpu: "1" + memory: "1Gi" \ No newline at end of file diff --git a/rules/unauthenticated-service/test/fail_service/input/service.yaml b/rules/unauthenticated-service/test/fail_service/input/service.yaml new file mode 100644 index 000000000..9d2ae271e --- /dev/null +++ b/rules/unauthenticated-service/test/fail_service/input/service.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: operator + namespace: kubescape +spec: + selector: + app: operator + ports: + - protocol: TCP + port: 4002 + targetPort: 8080 \ No newline at end of file diff --git a/rules/unauthenticated-service/test/fail_service/input/service2.yaml b/rules/unauthenticated-service/test/fail_service/input/service2.yaml new file mode 100644 index 000000000..bcec62922 --- /dev/null +++ b/rules/unauthenticated-service/test/fail_service/input/service2.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: operator2 + namespace: kubescape +spec: + selector: + app: operator2 + ports: + - protocol: TCP + port: 4002 + targetPort: 8080 \ No newline at end of file diff --git a/rules/unauthenticated-service/test/pass/expected.json b/rules/unauthenticated-service/test/pass/expected.json new file mode 100644 index 000000000..0637a088a --- /dev/null +++ b/rules/unauthenticated-service/test/pass/expected.json @@ -0,0 +1 @@ +[] \ No newline at end of file diff --git a/rules/unauthenticated-service/test/pass/input/deploy.yaml b/rules/unauthenticated-service/test/pass/input/deploy.yaml new file mode 100644 index 000000000..608beba22 --- /dev/null +++ b/rules/unauthenticated-service/test/pass/input/deploy.yaml 
@@ -0,0 +1,78 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + deployment.kubernetes.io/revision: "1" + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{},"name":"operator-deployment","namespace":"new-namespace"},"spec":{"replicas":1,"selector":{"matchLabels":{"app":"operator"}},"template":{"metadata":{"labels":{"app":"operator"}},"spec":{"containers":[{"args":["-c","nc -lnvp 8080"[],"command":["/bin/sh"],"image":"alpine:3.18.2","name":"operator-container","ports":[{"containerPort":8080}],"volumeMounts":[{"mountPath":"/etc/config","name":"config-volume"}]}],"volumes":[{"configMap":{"name":"operator-configmap"},"name":"config-volume"}]}}}} + creationTimestamp: "2024-07-15T11:38:56Z" + generation: 1 + name: operator-deployment + namespace: new-namespace + resourceVersion: "1118651" + uid: d613b9a8-7ed8-4e0c-b80d-b14023b8d346 +spec: + progressDeadlineSeconds: 600 + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app: operator + strategy: + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + app: operator + spec: + containers: + - args: + - -c + - nc -lnvp 8080 + command: + - /bin/sh + image: alpine:3.18.2 + imagePullPolicy: IfNotPresent + name: operator-container + ports: + - containerPort: 8080 + protocol: TCP + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/config + name: config-volume + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + defaultMode: 420 + name: operator-configmap + name: config-volume +status: + availableReplicas: 1 + conditions: + - lastTransitionTime: "2024-07-15T11:39:01Z" + lastUpdateTime: "2024-07-15T11:39:01Z" + message: Deployment has minimum 
availability. + reason: MinimumReplicasAvailable + status: "True" + type: Available + - lastTransitionTime: "2024-07-15T11:38:56Z" + lastUpdateTime: "2024-07-15T11:39:01Z" + message: ReplicaSet "operator-deployment-748b6d7d54" has successfully progressed. + reason: NewReplicaSetAvailable + status: "True" + type: Progressing + observedGeneration: 1 + readyReplicas: 1 + replicas: 1 + updatedReplicas: 1 \ No newline at end of file diff --git a/rules/unauthenticated-service/test/pass/input/service.yaml b/rules/unauthenticated-service/test/pass/input/service.yaml new file mode 100644 index 000000000..de9e1b93f --- /dev/null +++ b/rules/unauthenticated-service/test/pass/input/service.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"name":"operator","namespace":"new-namespace"},"spec":{"ports":[{"port":4002,"protocol":"TCP","targetPort":8080}],"selector":{"app":"operator"},"type":"NodePort"}} + creationTimestamp: "2024-07-15T11:38:56Z" + name: operator + namespace: new-namespace + resourceVersion: "1118630" + uid: 9cb0d9b9-c4d7-4b48-b456-71229bdc7216 +spec: + clusterIP: 10.105.77.60 + clusterIPs: + - 10.105.77.60 + externalTrafficPolicy: Cluster + internalTrafficPolicy: Cluster + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - nodePort: 31624 + port: 4002 + protocol: TCP + targetPort: 8080 + selector: + app: operator + sessionAffinity: None + type: NodePort +status: + loadBalancer: {} \ No newline at end of file diff --git a/rules/unauthenticated-service/test/pass/input/service_result.yaml b/rules/unauthenticated-service/test/pass/input/service_result.yaml new file mode 100644 index 000000000..b46f41790 --- /dev/null +++ b/rules/unauthenticated-service/test/pass/input/service_result.yaml 
@@ -0,0 +1,21 @@ +apiVersion: kubescape.io/v1 +kind: ServiceScanResult +metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"kubescape.io/v1","kind":"ServiceScanResult","metadata":{"annotations":{},"name":"operator","namespace":"new-namespace"},"spec":{"clusterIP":"10.103.207.220","ports":[{"applicationLayer":"","authenticated":false,"port":4002,"presentationLayer":"http","protocol":"TCP","sessionLayer":"tcp"}]}} + creationTimestamp: "2024-07-15T11:39:46Z" + generation: 1 + name: operator + namespace: new-namespace + resourceVersion: "1118691" + uid: cd049412-c329-48ce-82b8-dfa56d6e85fd +spec: + clusterIP: 10.103.207.220 + ports: + - applicationLayer: "" + authenticated: true + port: 4002 + presentationLayer: http + protocol: TCP + sessionLayer: tcp \ No newline at end of file diff --git a/rules/validate-kubelet-tls-configuration-updated/rule.metadata.json b/rules/validate-kubelet-tls-configuration-updated/rule.metadata.json index 5aefd730a..187ad5317 100644 --- a/rules/validate-kubelet-tls-configuration-updated/rule.metadata.json +++ b/rules/validate-kubelet-tls-configuration-updated/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "validate-kubelet-tls-configuration-updated", "attributes": { - "armoBuiltin": true, "hostSensorRule": "true" }, "ruleLanguage": "Rego", diff --git a/rules/verify-image-signature/raw.rego b/rules/verify-image-signature/raw.rego index fc74eb05d..d7c5d6038 100644 --- a/rules/verify-image-signature/raw.rego +++ b/rules/verify-image-signature/raw.rego 
@@ -9,13 +9,14 @@ deny[msga] { verified_keys := [trusted_key | trusted_key = data.postureControlInputs.trustedCosignPublicKeys[_]; cosign.verify(container.image, trusted_key)] count(verified_keys) == 0 + path := sprintf("spec.containers[%v].image", [i]) msga := { "alertMessage": sprintf("signature not verified for image: %v", [container.image]), "alertScore": 7, "fixPaths": [], - "reviewPaths": [container.image], - "failedPaths": [container.image], + "reviewPaths": [path], + "failedPaths": [path], "packagename": "armo_builtins", "alertObject": { "k8sApiObjects": [pod] @@ -32,12 +33,14 @@ deny[msga] { verified_keys := [trusted_key | trusted_key = data.postureControlInputs.trustedCosignPublicKeys[_]; cosign.verify(container.image, trusted_key)] count(verified_keys) == 0 + path := sprintf("spec.template.spec.containers[%v].image", [i]) + msga := { "alertMessage": sprintf("signature not verified for image: %v", [container.image]), "alertScore": 7, "fixPaths": [], - "reviewPaths": [container.image], - "failedPaths": [container.image], + "reviewPaths": [path], + "failedPaths": [path], "packagename": "armo_builtins", "alertObject": { "k8sApiObjects": [wl] @@ -54,12 +57,14 @@ deny[msga] { verified_keys := [trusted_key | trusted_key = data.postureControlInputs.trustedCosignPublicKeys[_]; cosign.verify(container.image, trusted_key)] count(verified_keys) == 0 + path := sprintf("spec.jobTemplate.spec.template.spec.containers[%v].image", [i]) + msga := { "alertMessage": sprintf("signature not verified for image: %v", [container.image]), "alertScore": 7, "fixPaths": [], - "reviewPaths": [container.image], - "failedPaths": [container.image], + "reviewPaths": [path], + "failedPaths": [path], "packagename": "armo_builtins", "alertObject": { "k8sApiObjects": [wl] diff --git a/rules/verify-image-signature/rule.metadata.json b/rules/verify-image-signature/rule.metadata.json index 486bab218..3abb3180c 100644 --- a/rules/verify-image-signature/rule.metadata.json 
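Review bot: The new `path := sprintf("spec.containers[%v].image", [i])` lines depend on `i` being bound as the container index in the part of each deny body above the hunk; if the container is iterated with `[_]` there, `i` is unsafe and the rule fails to compile, so please confirm the binding. The first hunk also omits the blank line the other two add after the `path` assignment, so the three bodies are not quite consistent. All three enclosing deny bodies start and end outside the hunks.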
+++ b/rules/verify-image-signature/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "verify-image-signature", "attributes": { - "armoBuiltin": true, "useFromKubescapeVersion": "v2.1.3" }, "ruleLanguage": "Rego", diff --git a/rules/workload-mounted-configmap/rule.metadata.json b/rules/workload-mounted-configmap/rule.metadata.json index acef14c9c..1a685ed22 100644 --- a/rules/workload-mounted-configmap/rule.metadata.json +++ b/rules/workload-mounted-configmap/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "workload-mounted-configmap", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/workload-mounted-configmap/test/failed_pod/expected.json b/rules/workload-mounted-configmap/test/failed_pod/expected.json index 1d1c00abf..c4f9a6dc1 100644 --- a/rules/workload-mounted-configmap/test/failed_pod/expected.json +++ b/rules/workload-mounted-configmap/test/failed_pod/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "Pod: mypod has mounted configMap", + "deletePaths": [ + "spec.containers[0].volumeMounts[1]" + ], "failedPaths": [ "spec.containers[0].volumeMounts[1]" ], diff --git a/rules/workload-mounted-pvc/rule.metadata.json b/rules/workload-mounted-pvc/rule.metadata.json index dc22b0543..28b3e7e35 100644 --- a/rules/workload-mounted-pvc/rule.metadata.json +++ b/rules/workload-mounted-pvc/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "workload-mounted-pvc", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/workload-mounted-pvc/test/failed_pod_mounted/expected.json b/rules/workload-mounted-pvc/test/failed_pod_mounted/expected.json index 9c86b72e6..6a558c3e4 100644 --- a/rules/workload-mounted-pvc/test/failed_pod_mounted/expected.json +++ b/rules/workload-mounted-pvc/test/failed_pod_mounted/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "Pod: mypod has mounted PVC", + "deletePaths": [ + "spec.containers[0].volumeMounts[0]" + ], "failedPaths": [ "spec.containers[0].volumeMounts[0]" ], 
diff --git a/rules/workload-mounted-secrets/rule.metadata.json b/rules/workload-mounted-secrets/rule.metadata.json index 8f561c805..0c97783b6 100644 --- a/rules/workload-mounted-secrets/rule.metadata.json +++ b/rules/workload-mounted-secrets/rule.metadata.json @@ -1,7 +1,6 @@ { "name": "workload-mounted-secrets", "attributes": { - "armoBuiltin": true }, "ruleLanguage": "Rego", "match": [ diff --git a/rules/workload-mounted-secrets/test/failed/expected.json b/rules/workload-mounted-secrets/test/failed/expected.json index aa3edc9cf..9f3d77021 100644 --- a/rules/workload-mounted-secrets/test/failed/expected.json +++ b/rules/workload-mounted-secrets/test/failed/expected.json @@ -1,6 +1,9 @@ [ { "alertMessage": "Pod: mypod has mounted secret", + "deletePaths": [ + "spec.containers[0].volumeMounts[0]" + ], "failedPaths": [ "spec.containers[0].volumeMounts[0]" ], diff --git a/rules/workload-with-administrative-roles/filter.rego b/rules/workload-with-administrative-roles/filter.rego new file mode 100644 index 000000000..a0037a65d --- /dev/null +++ b/rules/workload-with-administrative-roles/filter.rego 
@@ -0,0 +1,32 @@
+package armo_builtins
+
+deny[msga] {
+ wl := input[_]
+ start_of_path := get_beginning_of_path(wl)
+
+ msga := {
+ "alertMessage": sprintf("%v: %v in the following namespace: %v mounts service account tokens by default", [wl.kind, wl.metadata.name, wl.metadata.namespace]),
+ "packagename": "armo_builtins",
+ "alertScore": 9,
+ "alertObject": {
+ "k8sApiObjects": [wl]
+ },
+ }
+}
+
+
+get_beginning_of_path(workload) = start_of_path {
+ spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
+ spec_template_spec_patterns[workload.kind]
+ start_of_path := ["spec", "template", "spec"]
+}
+
+get_beginning_of_path(workload) = start_of_path {
+ workload.kind == "Pod"
+ start_of_path := ["spec"]
+}
+
+get_beginning_of_path(workload) = start_of_path {
+ workload.kind == "CronJob"
+ start_of_path := ["spec", "jobTemplate", "spec", "template", "spec"]
+}
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/raw.rego b/rules/workload-with-administrative-roles/raw.rego
new file mode 100644
index 000000000..a760b1cd6
--- /dev/null
+++ b/rules/workload-with-administrative-roles/raw.rego
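Review bot: `start_of_path` on the `start_of_path := get_beginning_of_path(wl)` line is assigned but never used in `msga`; if the call is meant to restrict the filter to the kinds `get_beginning_of_path` defines, a comment saying so would stop a later cleanup from removing it, e.g. `# undefined for non-workload kinds, which drops them from the filter`. The `alertMessage` says the workload `mounts service account tokens by default`, which does not describe this rule (`workload-with-administrative-roles`) and looks copied from another rule; `raw.rego` in the same commit uses `has administrative roles`. The three `get_beginning_of_path` rules duplicate `get_start_of_path` from `raw.rego` under a different name, so one shared name would be easier to maintain.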
@@ -0,0 +1,129 @@
+package armo_builtins
+
+import future.keywords.in
+
+deny[msga] {
+ wl := input[_]
+ start_of_path := get_start_of_path(wl)
+ wl_spec := object.get(wl, start_of_path, [])
+
+ # get service account wl is using
+ sa := input[_]
+ sa.kind == "ServiceAccount"
+ is_same_sa(wl_spec, sa.metadata, wl.metadata)
+
+ # check service account token is mounted
+ is_sa_auto_mounted(wl_spec, sa)
+
+ # check if sa has administrative roles
+ role := input[_]
+ role.kind in ["Role", "ClusterRole"]
+ is_administrative_role(role)
+
+ rolebinding := input[_]
+ rolebinding.kind in ["RoleBinding", "ClusterRoleBinding"]
+ rolebinding.roleRef.name == role.metadata.name
+ rolebinding.subjects[j].kind == "ServiceAccount"
+ rolebinding.subjects[j].name == sa.metadata.name
+ rolebinding.subjects[j].namespace == sa.metadata.namespace
+
+ reviewPath := "roleRef"
+ deletePath := sprintf("subjects[%d]", [j])
+
+ msga := {
+ "alertMessage": sprintf("%v: %v in the following namespace: %v has administrative roles", [wl.kind, wl.metadata.name, wl.metadata.namespace]),
+ "packagename": "armo_builtins",
+ "alertScore": 9,
+ "alertObject": {
+ "k8sApiObjects": [wl]
+ },
+ "relatedObjects": [{
+ "object": sa,
+ },
+ {
+ "object": rolebinding,
+ "reviewPaths": [reviewPath],
+ "deletePaths": [deletePath],
+ },
+ {
+ "object": role,
+ },]
+ }
+}
+
+
+get_start_of_path(workload) = start_of_path {
+ spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
+ spec_template_spec_patterns[workload.kind]
+ start_of_path := ["spec", "template", "spec"]
+}
+
+get_start_of_path(workload) = start_of_path {
+ workload.kind == "Pod"
+ start_of_path := ["spec"]
+}
+
+get_start_of_path(workload) = start_of_path {
+ workload.kind == "CronJob"
+ start_of_path := ["spec", "jobTemplate", "spec", "template", "spec"]
+}
+
+
+is_sa_auto_mounted(wl_spec, sa) {
+ # automountServiceAccountToken not in pod spec
+ not wl_spec.automountServiceAccountToken == false
+ not wl_spec.automountServiceAccountToken == true
+
+ not sa.automountServiceAccountToken == false
+}
+
+is_sa_auto_mounted(wl_spec, sa) {
+ # automountServiceAccountToken set to true in pod spec
+ wl_spec.automountServiceAccountToken == true
+}
+
+
+is_same_sa(wl_spec, sa_metadata, wl_metadata) {
+ wl_spec.serviceAccountName == sa_metadata.name
+ is_same_namespace(sa_metadata , wl_metadata)
+}
+
+is_same_sa(wl_spec, sa_metadata, wl_metadata) {
+ not wl_spec.serviceAccountName
+ sa_metadata.name == "default"
+ is_same_namespace(sa_metadata , wl_metadata)
+}
+
+# is_same_namespace supports cases where ns is not configured in the metadata
+# for yaml scans
+is_same_namespace(metadata1, metadata2) {
+ metadata1.namespace == metadata2.namespace
+}
+
+is_same_namespace(metadata1, metadata2) {
+ not metadata1.namespace
+ not metadata2.namespace
+}
+
+is_same_namespace(metadata1, metadata2) {
+ not metadata2.namespace
+ metadata1.namespace == "default"
+}
+
+is_same_namespace(metadata1, metadata2) {
+ not metadata1.namespace
+ metadata2.namespace == "default"
+}
+
+
+is_administrative_role(role){
+ administrative_resources := ["*"]
+ administrative_verbs := ["*"]
+ administrative_api_groups := ["", "*"]
+
+ administrative_rule := [rule | rule = role.rules[i] ;
+ rule.resources[a] in administrative_resources ;
+ rule.verbs[b] in administrative_verbs ;
+ rule.apiGroups[c] in administrative_api_groups]
+ count(administrative_rule) > 0
+}
diff --git a/rules/workload-with-administrative-roles/rule.metadata.json b/rules/workload-with-administrative-roles/rule.metadata.json
new file mode 100644
index 000000000..60fa9baf0
--- /dev/null
+++ b/rules/workload-with-administrative-roles/rule.metadata.json
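Review bot: The binding-to-role match at `rolebinding.roleRef.name == role.metadata.name` compares names only, so a `RoleBinding` whose `roleRef.kind` is `ClusterRole` can be paired with a namespaced `Role` that happens to share the name (or the reverse), and a `Role` in one namespace can be paired with a `RoleBinding` in another; the sibling `rules/workload-with-cluster-takeover-roles/raw.rego` in this commit already adds `rolebinding.roleRef.kind == role.kind`, and that line belongs here too, ideally alongside a namespace comparison for the `Role`/`RoleBinding` case. Without it the rule can flag a workload on the strength of an unrelated role, and the `reviewPaths`/`deletePaths` it returns would then point at a binding that does not grant the reported permissions. `is_administrative_role` also only recognises `apiGroups` of `""` or `"*"`, so a wildcard grant scoped to a named group is not reported; if that is intended, a comment on the function such as `# only core-group or all-groups wildcards are treated as administrative` would record the decision.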
@@ -0,0 +1,63 @@
+{
+ "name": "workload-with-administrative-roles",
+ "attributes": {},
+ "ruleLanguage": "Rego",
+ "match": [
+ {
+ "apiGroups": [
+ ""
+ ],
+ "apiVersions": [
+ "v1"
+ ],
+ "resources": [
+ "Pod",
+ "ServiceAccount"
+ ]
+ },
+ {
+ "apiGroups": [
+ "apps"
+ ],
+ "apiVersions": [
+ "v1"
+ ],
+ "resources": [
+ "Deployment",
+ "ReplicaSet",
+ "DaemonSet",
+ "StatefulSet"
+ ]
+ },
+ {
+ "apiGroups": [
+ "batch"
+ ],
+ "apiVersions": [
+ "*"
+ ],
+ "resources": [
+ "Job",
+ "CronJob"
+ ]
+ },
+ {
+ "apiGroups": [
+ "rbac.authorization.k8s.io"
+ ],
+ "apiVersions": [
+ "v1"
+ ],
+ "resources": [
+ "RoleBinding",
+ "ClusterRoleBinding",
+ "Role",
+ "ClusterRole"
+ ]
+ }
+ ],
+ "ruleDependencies": [],
+ "description": "",
+ "remediation": "",
+ "ruleQuery": "armo_builtins"
+}
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/expected.json b/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/expected.json
new file mode 100644
index 000000000..2145eb79b
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/expected.json
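Review bot: `description` and `remediation` are empty strings in this new `rule.metadata.json`, so a finding from this rule ships with no text explaining what it means or how to fix it; the same gap is in `rules/workload-with-cluster-takeover-roles/rule.metadata.json` later in the commit. Given what `raw.rego` checks, something like `"description": "Workload uses a service account with a mounted token that is bound to a role granting wildcard resources and verbs"` and `"remediation": "Bind the workload's service account to a least-privilege role, or disable automountServiceAccountToken for the workload"` would fill both fields.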
@@ -0,0 +1,110 @@
+[
+ {
+ "alertMessage": "Pod: test-pd in the following namespace: default has administrative roles",
+ "failedPaths": null,
+ "reviewPaths": null,
+ "deletePaths": null,
+ "fixPaths": null,
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 9,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "test-pd"
+ }
+ }
+ ]
+ },
+ "relatedObjects": [
+ {
+ "object": {
+ "apiVersion": "v1",
+ "automountServiceAccountToken": true,
+ "kind": "ServiceAccount",
+ "metadata": {
+ "creationTimestamp": "2022-02-07T11:21:55Z",
+ "name": "default",
+ "namespace": "default",
+ "resourceVersion": "410",
+ "uid": "5195ed3a-fa3c-46ce-8c66-32d1a83ea41f"
+ },
+ "secrets": [
+ {
+ "name": "default-token-sn9f8"
+ }
+ ]
+ },
+ "failedPaths": null,
+ "reviewPaths": null,
+ "deletePaths": null,
+ "fixPaths": null
+ },
+ {
+ "object": {
+ "apiVersion": "rbac.authorization.k8s.io/v1",
+ "kind": "ClusterRoleBinding",
+ "metadata": {
+ "name": "read-secrets-global"
+ },
+ "roleRef": {
+ "apiGroup": "rbac.authorization.k8s.io",
+ "kind": "ClusterRole",
+ "name": "test"
+ },
+ "subjects": [
+ {
+ "apiGroup": "rbac.authorization.k8s.io",
+ "kind": "Group",
+ "name": "manager"
+ },
+ {
+ "kind": "ServiceAccount",
+ "name": "default",
+ "namespace": "default"
+ }
+ ]
+ },
+ "failedPaths": null,
+ "reviewPaths": [
+ "roleRef"
+ ],
+ "deletePaths": [
+ "subjects[1]"
+ ],
+ "fixPaths": null
+ },
+ {
+ "object": {
+ "apiVersion": "rbac.authorization.k8s.io/v1",
+ "kind": "ClusterRole",
+ "metadata": {
+ "name": "test"
+ },
+ "rules": [
+ {
+ "apiGroups": [
+ ""
+ ],
+ "resources": [
+ "pods",
+ "*"
+ ],
+ "verbs": [
+ "create",
+ "*"
+ ]
+ }
+ ]
+ },
+ "failedPaths": null,
+ "reviewPaths": null,
+ "deletePaths": null,
+ "fixPaths": null
+ }
+ ]
+ }
+]
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/clusterrole.yaml b/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/clusterrole.yaml
new file mode 100644
index 000000000..630c8f34f
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/clusterrole.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: test
+rules:
+- apiGroups: [""]
+ resources: ["pods", "*"]
+ verbs: ["create", "*"]
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/clusterrolebinding.yaml b/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/clusterrolebinding.yaml
new file mode 100644
index 000000000..ba2b69958
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: read-secrets-global
+subjects:
+- kind: Group
+ name: manager
+ apiGroup: rbac.authorization.k8s.io
+- kind: ServiceAccount
+ name: default
+ namespace: default
+roleRef:
+ kind: ClusterRole
+ name: test
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/file.yaml b/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/file.yaml
new file mode 100644
index 000000000..495720efa
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/file.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pd
+ namespace: default
+spec:
+ automountServiceAccountToken: true
+ containers:
+ - image: k8s.gcr.io/test-webserver
+ name: test-container
+ volumeMounts:
+ - mountPath: /test-pd
+ name: test-volume
+ volumes:
+ - name: test-volume
+ hostPath:
+ path: /var
diff --git a/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/sa.json b/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/sa.json
new file mode 100644
index 000000000..ab36c3bb1
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/sa.json
@@ -0,0 +1,17 @@
+{
+ "apiVersion": "v1",
+ "kind": "ServiceAccount",
+ "automountServiceAccountToken": true,
+ "metadata": {
+ "creationTimestamp": "2022-02-07T11:21:55Z",
+ "name": "default",
+ "namespace": "default",
+ "resourceVersion": "410",
+ "uid": "5195ed3a-fa3c-46ce-8c66-32d1a83ea41f"
+ },
+ "secrets": [
+ {
+ "name": "default-token-sn9f8"
+ }
+ ]
+}
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/expected.json b/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/expected.json
new file mode 100644
index 000000000..0637a088a
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/expected.json
@@ -0,0 +1 @@
+[]
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/clusterrole.yaml b/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/clusterrole.yaml
new file mode 100644
index 000000000..54ca1a619
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/clusterrole.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: test
+rules:
+- apiGroups: ["*"]
+ resources: ["secrets"]
+ verbs: ["*"]
+- apiGroups: [""]
+ resources: ["*"]
+ verbs: ["get"]
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/clusterrolebinding.yaml b/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/clusterrolebinding.yaml
new file mode 100644
index 000000000..e61c4d450
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: read-secrets-global
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: default
+- kind: Group
+ name: dev
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: test
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/file.yaml b/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/file.yaml
new file mode 100644
index 000000000..495720efa
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/file.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pd
+ namespace: default
+spec:
+ automountServiceAccountToken: true
+ containers:
+ - image: k8s.gcr.io/test-webserver
+ name: test-container
+ volumeMounts:
+ - mountPath: /test-pd
+ name: test-volume
+ volumes:
+ - name: test-volume
+ hostPath:
+ path: /var
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/sa.json b/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/sa.json
new file mode 100644
index 000000000..ab36c3bb1
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/sa.json
@@ -0,0 +1,17 @@
+{
+ "apiVersion": "v1",
+ "kind": "ServiceAccount",
+ "automountServiceAccountToken": true,
+ "metadata": {
+ "creationTimestamp": "2022-02-07T11:21:55Z",
+ "name": "default",
+ "namespace": "default",
+ "resourceVersion": "410",
+ "uid": "5195ed3a-fa3c-46ce-8c66-32d1a83ea41f"
+ },
+ "secrets": [
+ {
+ "name": "default-token-sn9f8"
+ }
+ ]
+}
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/expected.json b/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/expected.json
new file mode 100644
index 000000000..0637a088a
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/expected.json
@@ -0,0 +1 @@
+[]
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/clusterrole.yaml b/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/clusterrole.yaml
new file mode 100644
index 000000000..6ede27070
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/clusterrole.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: test
+rules:
+- apiGroups: ["*"]
+ resources: ["*", "secrets", "users"]
+ verbs: ["get", "*"]
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/clusterrolebinding.yaml b/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/clusterrolebinding.yaml
new file mode 100644
index 000000000..e1426bc28
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: read-secrets-global
+subjects:
+- kind: Group
+ name: manager
+ apiGroup: rbac.authorization.k8s.io
+- kind: Group
+ name: dev
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: test
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/file.yaml b/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/file.yaml
new file mode 100644
index 000000000..495720efa
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/file.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pd
+ namespace: default
+spec:
+ automountServiceAccountToken: true
+ containers:
+ - image: k8s.gcr.io/test-webserver
+ name: test-container
+ volumeMounts:
+ - mountPath: /test-pd
+ name: test-volume
+ volumes:
+ - name: test-volume
+ hostPath:
+ path: /var
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/sa.json b/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/sa.json
new file mode 100644
index 000000000..ab36c3bb1
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/sa.json
@@ -0,0 +1,17 @@
+{
+ "apiVersion": "v1",
+ "kind": "ServiceAccount",
+ "automountServiceAccountToken": true,
+ "metadata": {
+ "creationTimestamp": "2022-02-07T11:21:55Z",
+ "name": "default",
+ "namespace": "default",
+ "resourceVersion": "410",
+ "uid": "5195ed3a-fa3c-46ce-8c66-32d1a83ea41f"
+ },
+ "secrets": [
+ {
+ "name": "default-token-sn9f8"
+ }
+ ]
+}
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/expected.json b/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/expected.json
new file mode 100644
index 000000000..0637a088a
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/expected.json
@@ -0,0 +1 @@
+[]
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/cluterrole.yaml b/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/cluterrole.yaml
new file mode 100644
index 000000000..fd8e287be
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/cluterrole.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: test
+rules:
+- apiGroups: [""]
+ resources: ["*"]
+ verbs: ["*"]
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/file.yaml b/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/file.yaml
new file mode 100644
index 000000000..495720efa
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/file.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pd
+ namespace: default
+spec:
+ automountServiceAccountToken: true
+ containers:
+ - image: k8s.gcr.io/test-webserver
+ name: test-container
+ volumeMounts:
+ - mountPath: /test-pd
+ name: test-volume
+ volumes:
+ - name: test-volume
+ hostPath:
+ path: /var
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/rolebinding.yaml b/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/rolebinding.yaml
new file mode 100644
index 000000000..4448be426
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/rolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: pod
+ namespace: kube-system
+subjects:
+- kind: User
+ name: jane
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: test
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/sa.json b/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/sa.json
new file mode 100644
index 000000000..ab36c3bb1
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/sa.json
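Review bot: This fixture is added as `cluterrole.yaml` while every other test directory in the commit names the same kind of file `clusterrole.yaml`; the typo does not affect the test runner as far as I can tell, but it breaks the otherwise uniform layout and makes the fixtures harder to compare side by side. Renaming it to `rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/clusterrole.yaml` keeps the directories consistent.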
@@ -0,0 +1,17 @@
+{
+ "apiVersion": "v1",
+ "kind": "ServiceAccount",
+ "automountServiceAccountToken": true,
+ "metadata": {
+ "creationTimestamp": "2022-02-07T11:21:55Z",
+ "name": "default",
+ "namespace": "default",
+ "resourceVersion": "410",
+ "uid": "5195ed3a-fa3c-46ce-8c66-32d1a83ea41f"
+ },
+ "secrets": [
+ {
+ "name": "default-token-sn9f8"
+ }
+ ]
+}
diff --git a/rules/workload-with-cluster-takeover-roles/filter.rego b/rules/workload-with-cluster-takeover-roles/filter.rego
new file mode 100644
index 000000000..a0037a65d
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/filter.rego
@@ -0,0 +1,32 @@
+package armo_builtins
+
+deny[msga] {
+ wl := input[_]
+ start_of_path := get_beginning_of_path(wl)
+
+ msga := {
+ "alertMessage": sprintf("%v: %v in the following namespace: %v mounts service account tokens by default", [wl.kind, wl.metadata.name, wl.metadata.namespace]),
+ "packagename": "armo_builtins",
+ "alertScore": 9,
+ "alertObject": {
+ "k8sApiObjects": [wl]
+ },
+ }
+}
+
+
+get_beginning_of_path(workload) = start_of_path {
+ spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
+ spec_template_spec_patterns[workload.kind]
+ start_of_path := ["spec", "template", "spec"]
+}
+
+get_beginning_of_path(workload) = start_of_path {
+ workload.kind == "Pod"
+ start_of_path := ["spec"]
+}
+
+get_beginning_of_path(workload) = start_of_path {
+ workload.kind == "CronJob"
+ start_of_path := ["spec", "jobTemplate", "spec", "template", "spec"]
+}
\ No newline at end of file
diff --git a/rules/workload-with-cluster-takeover-roles/raw.rego b/rules/workload-with-cluster-takeover-roles/raw.rego
new file mode 100644
index 000000000..c84463cb8
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/raw.rego
@@ -0,0 +1,143 @@
+package armo_builtins
+
+import future.keywords.in
+
+deny[msga] {
+ wl := input[_]
+ start_of_path := get_start_of_path(wl)
+ wl_spec := object.get(wl, start_of_path, [])
+
+ # get service account wl is using
+ sa := input[_]
+ sa.kind == "ServiceAccount"
+ is_same_sa(wl_spec, sa.metadata, wl.metadata)
+
+ # check service account token is mounted
+ is_sa_auto_mounted(wl_spec, sa)
+
+ # check if sa has cluster takeover roles
+ role := input[_]
+ role.kind in ["Role", "ClusterRole"]
+ is_takeover_role(role)
+
+ rolebinding := input[_]
+ rolebinding.kind in ["RoleBinding", "ClusterRoleBinding"]
+ rolebinding.roleRef.name == role.metadata.name
+ rolebinding.roleRef.kind == role.kind
+ rolebinding.subjects[j].kind == "ServiceAccount"
+ rolebinding.subjects[j].name == sa.metadata.name
+ rolebinding.subjects[j].namespace == sa.metadata.namespace
+
+ deletePath := sprintf("subjects[%d]", [j])
+
+ msga := {
+ "alertMessage": sprintf("%v: %v in the following namespace: %v has cluster takeover roles", [wl.kind, wl.metadata.name, wl.metadata.namespace]),
+ "packagename": "armo_builtins",
+ "alertScore": 9,
+ "alertObject": {
+ "k8sApiObjects": [wl]
+ },
+ "relatedObjects": [{
+ "object": sa,
+ },
+ {
+ "object": rolebinding,
+ "deletePaths": [deletePath],
+ },
+ {
+ "object": role,
+ },]
+ }
+}
+
+
+get_start_of_path(workload) = start_of_path {
+ spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
+ spec_template_spec_patterns[workload.kind]
+ start_of_path := ["spec", "template", "spec"]
+}
+
+get_start_of_path(workload) = start_of_path {
+ workload.kind == "Pod"
+ start_of_path := ["spec"]
+}
+
+get_start_of_path(workload) = start_of_path {
+ workload.kind == "CronJob"
+ start_of_path := ["spec", "jobTemplate", "spec", "template", "spec"]
+}
+
+
+is_sa_auto_mounted(wl_spec, sa) {
+ # automountServiceAccountToken not in pod spec
+ not wl_spec.automountServiceAccountToken == false
+ not wl_spec.automountServiceAccountToken == true
+
+ not sa.automountServiceAccountToken == false
+}
+
+is_sa_auto_mounted(wl_spec, sa) {
+ # automountServiceAccountToken set to true in pod spec
+ wl_spec.automountServiceAccountToken == true
+}
+
+
+is_same_sa(wl_spec, sa_metadata, wl_metadata) {
+ wl_spec.serviceAccountName == sa_metadata.name
+ is_same_namespace(sa_metadata , wl_metadata)
+}
+
+is_same_sa(wl_spec, sa_metadata, wl_metadata) {
+ not wl_spec.serviceAccountName
+ sa_metadata.name == "default"
+ is_same_namespace(sa_metadata , wl_metadata)
+}
+
+# is_same_namespace supports cases where ns is not configured in the metadata
+# for yaml scans
+is_same_namespace(metadata1, metadata2) {
+ metadata1.namespace == metadata2.namespace
+}
+
+is_same_namespace(metadata1, metadata2) {
+ not metadata1.namespace
+ not metadata2.namespace
+}
+
+is_same_namespace(metadata1, metadata2) {
+ not metadata2.namespace
+ metadata1.namespace == "default"
+}
+
+is_same_namespace(metadata1, metadata2) {
+ not metadata1.namespace
+ metadata2.namespace == "default"
+}
+
+
+# look for rule allowing create/update workloads
+is_takeover_role(role){
+ takeover_resources := ["pods", "*"]
+ takeover_verbs := ["create", "update", "patch", "*"]
+ takeover_api_groups := ["", "*"]
+
+ takeover_rule := [rule | rule = role.rules[i] ;
+ rule.resources[a] in takeover_resources ;
+ rule.verbs[b] in takeover_verbs ;
+ rule.apiGroups[c] in takeover_api_groups]
+ count(takeover_rule) > 0
+}
+
+# look for rule allowing secret access
+is_takeover_role(role){
+ rule := role.rules[i]
+ takeover_resources := ["secrets", "*"]
+ takeover_verbs := ["get", "list", "watch", "*"]
+ takeover_api_groups := ["", "*"]
+
+ takeover_rule := [rule | rule = role.rules[i] ;
+ rule.resources[a] in takeover_resources ;
+ rule.verbs[b] in takeover_verbs ;
+ rule.apiGroups[c] in takeover_api_groups]
+ count(takeover_rule) > 0
+}
\ No newline at end of file
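Review bot: The second `is_takeover_role` body opens with a stray `rule := role.rules[i]` that the first body does not have; since `rule` and `i` are then already bound when the comprehension runs, the comprehension matches only the outer binding instead of scanning `role.rules` itself, which as far as I can tell still yields the same true/false outcome but by a confusing route. Deleting that line makes the two bodies parallel, as they are in `workload-with-administrative-roles/raw.rego`. The comment `# look for rule allowing create/update workloads` is also broader than the code, which only matches `pods` or `*` in `takeover_resources`; tightening it to `# look for rule allowing create/update/patch of pods (or all resources)` keeps the comment honest about what is and is not detected.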
diff --git a/rules/workload-with-cluster-takeover-roles/rule.metadata.json b/rules/workload-with-cluster-takeover-roles/rule.metadata.json
new file mode 100644
index 000000000..abaccf99c
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/rule.metadata.json
@@ -0,0 +1,63 @@
+{
+ "name": "workload-with-cluster-takeover-roles",
+ "attributes": {},
+ "ruleLanguage": "Rego",
+ "match": [
+ {
+ "apiGroups": [
+ ""
+ ],
+ "apiVersions": [
+ "v1"
+ ],
+ "resources": [
+ "Pod",
+ "ServiceAccount"
+ ]
+ },
+ {
+ "apiGroups": [
+ "apps"
+ ],
+ "apiVersions": [
+ "v1"
+ ],
+ "resources": [
+ "Deployment",
+ "ReplicaSet",
+ "DaemonSet",
+ "StatefulSet"
+ ]
+ },
+ {
+ "apiGroups": [
+ "batch"
+ ],
+ "apiVersions": [
+ "*"
+ ],
+ "resources": [
+ "Job",
+ "CronJob"
+ ]
+ },
+ {
+ "apiGroups": [
+ "rbac.authorization.k8s.io"
+ ],
+ "apiVersions": [
+ "v1"
+ ],
+ "resources": [
+ "RoleBinding",
+ "ClusterRoleBinding",
+ "Role",
+ "ClusterRole"
+ ]
+ }
+ ],
+ "ruleDependencies": [],
+ "description": "",
+ "remediation": "",
+ "ruleQuery": "armo_builtins"
+}
\ No newline at end of file
diff --git a/rules/workload-with-cluster-takeover-roles/test/fail-wl-creates-pod/expected.json b/rules/workload-with-cluster-takeover-roles/test/fail-wl-creates-pod/expected.json
new file mode 100644
index 000000000..664eb4239
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/test/fail-wl-creates-pod/expected.json
@@ -0,0 +1,106 @@
+[
+ {
+ "alertMessage": "Pod: test-pd in the following namespace: default has cluster takeover roles",
+ "failedPaths": null,
+ "reviewPaths": null,
+ "deletePaths": null,
+ "fixPaths": null,
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 9,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "test-pd"
+ }
+ }
+ ]
+ },
+ "relatedObjects": [
+ {
+ "object": {
+ "apiVersion": "v1",
+ "automountServiceAccountToken": true,
+ "kind": "ServiceAccount",
+ "metadata": {
+ "creationTimestamp": "2022-02-07T11:21:55Z",
+ "name": "default",
+ "namespace": "default",
+ "resourceVersion": "410",
+ "uid": "5195ed3a-fa3c-46ce-8c66-32d1a83ea41f"
+ },
+ "secrets": [
+ {
+ "name": "default-token-sn9f8"
+ }
+ ]
+ },
+ "failedPaths": null,
+ "reviewPaths": null,
+ "deletePaths": null,
+ "fixPaths": null
+ },
+ {
+ "object": {
+ "apiVersion": "rbac.authorization.k8s.io/v1",
+ "kind": "ClusterRoleBinding",
+ "metadata": {
+ "name": "read-secrets-global"
+ },
+ "roleRef": {
+ "apiGroup": "rbac.authorization.k8s.io",
+ "kind": "ClusterRole",
+ "name": "test"
+ },
+ "subjects": [
+ {
+ "apiGroup": "rbac.authorization.k8s.io",
+ "kind": "Group",
+ "name": "manager"
+ },
+ {
+ "kind": "ServiceAccount",
+ "name": "default",
+ "namespace": "default"
+ }
+ ]
+ },
+ "failedPaths": null,
+ "reviewPaths": null,
+ "deletePaths": [
+ "subjects[1]"
+ ],
+ "fixPaths": null
+ },
+ {
+ "object": {
+ "apiVersion": "rbac.authorization.k8s.io/v1",
+ "kind": "ClusterRole",
+ "metadata": {
+ "name": "test"
+ },
+ "rules": [
+ {
+ "apiGroups": [
+ ""
+ ],
+ "resources": [
+ "pods"
+ ],
+ "verbs": [
+ "create"
+ ]
+ }
+ ]
+ },
+ "failedPaths": null,
+ "reviewPaths": null,
+ "deletePaths": null,
+ "fixPaths": null
+ }
+ ]
+ }
+]
\ No newline at end of file
diff --git a/rules/workload-with-cluster-takeover-roles/test/fail-wl-creates-pod/input/clusterrole.yaml b/rules/workload-with-cluster-takeover-roles/test/fail-wl-creates-pod/input/clusterrole.yaml
new file mode 100644
index 000000000..a3c7c656d
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/test/fail-wl-creates-pod/input/clusterrole.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: test
+rules:
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["create"]
\ No newline at end of file
diff --git a/rules/workload-with-cluster-takeover-roles/test/fail-wl-creates-pod/input/clusterrolebinding.yaml b/rules/workload-with-cluster-takeover-roles/test/fail-wl-creates-pod/input/clusterrolebinding.yaml
new file mode 100644
index 000000000..ba2b69958
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/test/fail-wl-creates-pod/input/clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: read-secrets-global
+subjects:
+- kind: Group
+ name: manager
+ apiGroup: rbac.authorization.k8s.io
+- kind: ServiceAccount
+ name: default
+ namespace: default
+roleRef:
+ kind: ClusterRole
+ name: test
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/rules/workload-with-cluster-takeover-roles/test/fail-wl-creates-pod/input/file.yaml b/rules/workload-with-cluster-takeover-roles/test/fail-wl-creates-pod/input/file.yaml
new file mode 100644
index 000000000..495720efa
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/test/fail-wl-creates-pod/input/file.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pd
+ namespace: default
+spec:
+ automountServiceAccountToken: true
+ containers:
+ - image: k8s.gcr.io/test-webserver
+ name: test-container
+ volumeMounts:
+ - mountPath: /test-pd
+ name: test-volume
+ volumes:
+ - name: test-volume
+ hostPath:
+ path: /var
diff --git a/rules/workload-with-cluster-takeover-roles/test/fail-wl-creates-pod/input/sa.json b/rules/workload-with-cluster-takeover-roles/test/fail-wl-creates-pod/input/sa.json
new file mode 100644
index 000000000..ab36c3bb1
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/test/fail-wl-creates-pod/input/sa.json
@@ -0,0 +1,17 @@
+{
+ "apiVersion": "v1",
+ "kind": "ServiceAccount",
+ "automountServiceAccountToken": true,
+ "metadata": {
+ "creationTimestamp": "2022-02-07T11:21:55Z",
+ "name": "default",
+ "namespace": "default",
+ "resourceVersion": "410",
+ "uid": "5195ed3a-fa3c-46ce-8c66-32d1a83ea41f"
+ },
+ "secrets": [
+ {
+ "name": "default-token-sn9f8"
+ }
+ ]
+}
diff --git a/rules/workload-with-cluster-takeover-roles/test/fail-wl-gets-secrets/expected.json b/rules/workload-with-cluster-takeover-roles/test/fail-wl-gets-secrets/expected.json
new file mode 100644
index 000000000..f18ced8a9
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/test/fail-wl-gets-secrets/expected.json
@@ -0,0 +1,107 @@
+[
+ {
+ "alertMessage": "Pod: test-pd in the following namespace: default has cluster takeover roles",
+ "failedPaths": null,
+ "reviewPaths": null,
+ "deletePaths": null,
+ "fixPaths": null,
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 9,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "test-pd"
+ }
+ }
+ ]
+ },
+ "relatedObjects": [
+ {
+ "object": {
+ "apiVersion": "v1",
+ "automountServiceAccountToken": true,
+ "kind": "ServiceAccount",
+ "metadata": {
+ "creationTimestamp": "2022-02-07T11:21:55Z",
+ "name": "default",
+ "namespace": "default",
+ "resourceVersion": "410",
+ "uid": "5195ed3a-fa3c-46ce-8c66-32d1a83ea41f"
+ },
+ "secrets": [
+ {
+ "name": "default-token-sn9f8"
+ }
+ ]
+ },
+ "failedPaths": null,
+ "reviewPaths": null,
+ "deletePaths": null,
+ "fixPaths": null
+ },
+ {
+ "object": {
+ "apiVersion": "rbac.authorization.k8s.io/v1",
+ "kind": "ClusterRoleBinding",
+ "metadata": {
+ "name": "read-secrets-global"
+ },
+ "roleRef": {
+ "apiGroup": "rbac.authorization.k8s.io",
+ "kind": "ClusterRole",
+ "name": "test"
+ },
+ "subjects": [
+ {
+ "kind": "ServiceAccount",
+ "name": "default",
+ "namespace": "default"
+ },
+ {
+ "apiGroup": "rbac.authorization.k8s.io",
+ "kind": "Group",
+ "name": "dev"
+ }
+ ]
+ },
+ "failedPaths": null,
+ "reviewPaths": null,
+ "deletePaths": [
+ "subjects[0]"
+ ],
+ "fixPaths": null
+ },
+ {
+ "object": {
+ "apiVersion": "rbac.authorization.k8s.io/v1",
+ "kind": "ClusterRole",
+ "metadata": {
+ "name": "test"
+ },
+ "rules": [
+ {
+ "apiGroups": [
+ "*"
+ ],
+ "resources": [
+ "secrets",
+ "users"
+ ],
+ "verbs": [
+ "get"
+ ]
+ }
+ ]
+ },
+ "failedPaths": null,
+ "reviewPaths": null,
+ "deletePaths": null,
+ "fixPaths": null
+ }
+ ]
+ }
+]
\ No newline at end of file
diff --git a/rules/workload-with-cluster-takeover-roles/test/fail-wl-gets-secrets/input/clusterrole.yaml b/rules/workload-with-cluster-takeover-roles/test/fail-wl-gets-secrets/input/clusterrole.yaml
new file mode 100644
index 000000000..460d2eedd
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/test/fail-wl-gets-secrets/input/clusterrole.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: test
+rules:
+- apiGroups: ["*"]
+ resources: ["secrets", "users"]
+ verbs: ["get"]
\ No newline at end of file
diff --git a/rules/workload-with-cluster-takeover-roles/test/fail-wl-gets-secrets/input/clusterrolebinding.yaml b/rules/workload-with-cluster-takeover-roles/test/fail-wl-gets-secrets/input/clusterrolebinding.yaml
new file mode 100644
index 000000000..e61c4d450
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/test/fail-wl-gets-secrets/input/clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: read-secrets-global
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: default
+- kind: Group
+ name: dev
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: test
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/rules/workload-with-cluster-takeover-roles/test/fail-wl-gets-secrets/input/file.yaml b/rules/workload-with-cluster-takeover-roles/test/fail-wl-gets-secrets/input/file.yaml
new file mode 100644
index 000000000..495720efa
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/test/fail-wl-gets-secrets/input/file.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pd
+ namespace: default
+spec:
+ automountServiceAccountToken: true
+ containers:
+ - image: k8s.gcr.io/test-webserver
+ name: test-container
+ volumeMounts:
+ - mountPath: /test-pd
+ name: test-volume
+ volumes:
+ - name: test-volume
+ hostPath:
+ path: /var
diff --git a/rules/workload-with-cluster-takeover-roles/test/fail-wl-gets-secrets/input/sa.json b/rules/workload-with-cluster-takeover-roles/test/fail-wl-gets-secrets/input/sa.json
new file mode 100644
index 000000000..ab36c3bb1
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/test/fail-wl-gets-secrets/input/sa.json
@@ -0,0 +1,17 @@
+{
+ "apiVersion": "v1",
+ "kind": "ServiceAccount",
+ "automountServiceAccountToken": true,
+ "metadata": {
+ "creationTimestamp": "2022-02-07T11:21:55Z",
+ "name": "default",
+ "namespace": "default",
+ "resourceVersion": "410",
+ "uid": "5195ed3a-fa3c-46ce-8c66-32d1a83ea41f"
+ },
+ "secrets": [
+ {
+ "name": "default-token-sn9f8"
+ }
+ ]
+}
diff --git a/rules/workload-with-cluster-takeover-roles/test/pass-wl-limited-permissions/expected.json b/rules/workload-with-cluster-takeover-roles/test/pass-wl-limited-permissions/expected.json
new file mode 100644
index 000000000..0637a088a
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/test/pass-wl-limited-permissions/expected.json
@@ -0,0 +1 @@
+[]
\ No newline at end of file
diff --git a/rules/workload-with-cluster-takeover-roles/test/pass-wl-limited-permissions/input/clusterrole.yaml b/rules/workload-with-cluster-takeover-roles/test/pass-wl-limited-permissions/input/clusterrole.yaml
new file mode 100644
index 000000000..6ede27070
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/test/pass-wl-limited-permissions/input/clusterrole.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: test
+rules:
+- apiGroups: ["*"]
+ resources: ["*", "secrets", "users"]
+ verbs: ["get", "*"]
\ No newline at end of file
diff --git a/rules/workload-with-cluster-takeover-roles/test/pass-wl-limited-permissions/input/clusterrolebinding.yaml b/rules/workload-with-cluster-takeover-roles/test/pass-wl-limited-permissions/input/clusterrolebinding.yaml
new file mode 100644
index 000000000..e1426bc28
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/test/pass-wl-limited-permissions/input/clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: read-secrets-global
+subjects:
+- kind: Group
+ name: manager
+ apiGroup: rbac.authorization.k8s.io
+- kind: Group
+ name: dev
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: test
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/rules/workload-with-cluster-takeover-roles/test/pass-wl-limited-permissions/input/file.yaml b/rules/workload-with-cluster-takeover-roles/test/pass-wl-limited-permissions/input/file.yaml
new file mode 100644
index 000000000..495720efa
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/test/pass-wl-limited-permissions/input/file.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pd
+ namespace: default
+spec:
+ automountServiceAccountToken: true
+ containers:
+ - image: k8s.gcr.io/test-webserver
+ name: test-container
+ volumeMounts:
+ - mountPath: /test-pd
+ name: test-volume
+ volumes:
+ - name: test-volume
+ hostPath:
+ path: /var
diff --git a/rules/workload-with-cluster-takeover-roles/test/pass-wl-limited-permissions/input/sa.json b/rules/workload-with-cluster-takeover-roles/test/pass-wl-limited-permissions/input/sa.json
new file mode 100644
index 000000000..ab36c3bb1
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/test/pass-wl-limited-permissions/input/sa.json
@@ -0,0 +1,17 @@
+{
+ "apiVersion": "v1",
+ "kind": "ServiceAccount",
+ "automountServiceAccountToken": true,
+ "metadata": {
+ "creationTimestamp": "2022-02-07T11:21:55Z",
+ "name": "default",
+ "namespace": "default",
+ "resourceVersion": "410",
+ "uid": "5195ed3a-fa3c-46ce-8c66-32d1a83ea41f"
+ },
+ "secrets": [
+ {
+ "name": "default-token-sn9f8"
+ }
+ ]
+}
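Review bot: The pass-wl-limited-permissions case passes for a different reason than its name states: this ClusterRoleBinding's subjects are the Groups `manager` and `dev`, never the `default` ServiceAccount that the sibling `file.yaml`/`sa.json` use, while the bound ClusterRole in the preceding hunk is a wildcard (`apiGroups: ["*"]`, `resources: ["*", "secrets", "users"]`, `verbs: ["get", "*"]`) rather than a limited one. The same pattern appears in pass-wl-not-mount-sa-token, whose Pod and ServiceAccount both carry `automountServiceAccountToken: true`, and in pass-wl-rolebinding, whose RoleBinding names `User jane`; in all three the empty `expected.json` comes only from the subject mismatch, so the "limited permissions", "token not mounted" and RoleBinding-specific branches of the rule are not actually exercised. To make each fixture test what its directory name says, bind the `default`/`default` ServiceAccount and vary only the property under test: a narrowed ClusterRole here, `automountServiceAccountToken: false` on the Pod in pass-wl-not-mount-sa-token, and the ServiceAccount as the RoleBinding subject in pass-wl-rolebinding (assuming the rule is meant to ignore namespaced bindings).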
diff --git a/rules/workload-with-cluster-takeover-roles/test/pass-wl-not-mount-sa-token/expected.json b/rules/workload-with-cluster-takeover-roles/test/pass-wl-not-mount-sa-token/expected.json
new file mode 100644
index 000000000..0637a088a
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/test/pass-wl-not-mount-sa-token/expected.json
@@ -0,0 +1 @@
+[]
\ No newline at end of file
diff --git a/rules/workload-with-cluster-takeover-roles/test/pass-wl-not-mount-sa-token/input/clusterrole.yaml b/rules/workload-with-cluster-takeover-roles/test/pass-wl-not-mount-sa-token/input/clusterrole.yaml
new file mode 100644
index 000000000..6ede27070
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/test/pass-wl-not-mount-sa-token/input/clusterrole.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: test
+rules:
+- apiGroups: ["*"]
+ resources: ["*", "secrets", "users"]
+ verbs: ["get", "*"]
\ No newline at end of file
diff --git a/rules/workload-with-cluster-takeover-roles/test/pass-wl-not-mount-sa-token/input/clusterrolebinding.yaml b/rules/workload-with-cluster-takeover-roles/test/pass-wl-not-mount-sa-token/input/clusterrolebinding.yaml
new file mode 100644
index 000000000..e1426bc28
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/test/pass-wl-not-mount-sa-token/input/clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: read-secrets-global
+subjects:
+- kind: Group
+ name: manager
+ apiGroup: rbac.authorization.k8s.io
+- kind: Group
+ name: dev
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: test
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/rules/workload-with-cluster-takeover-roles/test/pass-wl-not-mount-sa-token/input/file.yaml b/rules/workload-with-cluster-takeover-roles/test/pass-wl-not-mount-sa-token/input/file.yaml
new file mode 100644
index 000000000..495720efa
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/test/pass-wl-not-mount-sa-token/input/file.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pd
+ namespace: default
+spec:
+ automountServiceAccountToken: true
+ containers:
+ - image: k8s.gcr.io/test-webserver
+ name: test-container
+ volumeMounts:
+ - mountPath: /test-pd
+ name: test-volume
+ volumes:
+ - name: test-volume
+ hostPath:
+ path: /var
diff --git a/rules/workload-with-cluster-takeover-roles/test/pass-wl-not-mount-sa-token/input/sa.json b/rules/workload-with-cluster-takeover-roles/test/pass-wl-not-mount-sa-token/input/sa.json
new file mode 100644
index 000000000..ab36c3bb1
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/test/pass-wl-not-mount-sa-token/input/sa.json
@@ -0,0 +1,17 @@
+{
+ "apiVersion": "v1",
+ "kind": "ServiceAccount",
+ "automountServiceAccountToken": true,
+ "metadata": {
+ "creationTimestamp": "2022-02-07T11:21:55Z",
+ "name": "default",
+ "namespace": "default",
+ "resourceVersion": "410",
+ "uid": "5195ed3a-fa3c-46ce-8c66-32d1a83ea41f"
+ },
+ "secrets": [
+ {
+ "name": "default-token-sn9f8"
+ }
+ ]
+}
diff --git a/rules/workload-with-cluster-takeover-roles/test/pass-wl-rolebinding/expected.json b/rules/workload-with-cluster-takeover-roles/test/pass-wl-rolebinding/expected.json
new file mode 100644
index 000000000..0637a088a
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/test/pass-wl-rolebinding/expected.json
@@ -0,0 +1 @@
+[]
\ No newline at end of file
diff --git a/rules/workload-with-cluster-takeover-roles/test/pass-wl-rolebinding/input/cluterrole.yaml b/rules/workload-with-cluster-takeover-roles/test/pass-wl-rolebinding/input/cluterrole.yaml
new file mode 100644
index 000000000..fd8e287be
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/test/pass-wl-rolebinding/input/cluterrole.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: test
+rules:
+- apiGroups: [""]
+ resources: ["*"]
+ verbs: ["*"]
\ No newline at end of file
diff --git a/rules/workload-with-cluster-takeover-roles/test/pass-wl-rolebinding/input/file.yaml b/rules/workload-with-cluster-takeover-roles/test/pass-wl-rolebinding/input/file.yaml
new file mode 100644
index 000000000..495720efa
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/test/pass-wl-rolebinding/input/file.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pd
+ namespace: default
+spec:
+ automountServiceAccountToken: true
+ containers:
+ - image: k8s.gcr.io/test-webserver
+ name: test-container
+ volumeMounts:
+ - mountPath: /test-pd
+ name: test-volume
+ volumes:
+ - name: test-volume
+ hostPath:
+ path: /var
diff --git a/rules/workload-with-cluster-takeover-roles/test/pass-wl-rolebinding/input/rolebinding.yaml b/rules/workload-with-cluster-takeover-roles/test/pass-wl-rolebinding/input/rolebinding.yaml
new file mode 100644
index 000000000..4448be426
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/test/pass-wl-rolebinding/input/rolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: pod
+ namespace: kube-system
+subjects:
+- kind: User
+ name: jane
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: test
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
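Review bot: The fixture in the first hunk of this file is named `cluterrole.yaml` while every other test directory in the change uses `clusterrole.yaml`. If the test loader reads the whole `input/` directory this is harmless, but the misspelling breaks grep-based comparisons across the fixtures and should be renamed to `clusterrole.yaml` for consistency.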
diff --git a/rules/workload-with-cluster-takeover-roles/test/pass-wl-rolebinding/input/sa.json b/rules/workload-with-cluster-takeover-roles/test/pass-wl-rolebinding/input/sa.json
new file mode 100644
index 000000000..ab36c3bb1
--- /dev/null
+++ b/rules/workload-with-cluster-takeover-roles/test/pass-wl-rolebinding/input/sa.json
@@ -0,0 +1,17 @@
+{
+ "apiVersion": "v1",
+ "kind": "ServiceAccount",
+ "automountServiceAccountToken": true,
+ "metadata": {
+ "creationTimestamp": "2022-02-07T11:21:55Z",
+ "name": "default",
+ "namespace": "default",
+ "resourceVersion": "410",
+ "uid": "5195ed3a-fa3c-46ce-8c66-32d1a83ea41f"
+ },
+ "secrets": [
+ {
+ "name": "default-token-sn9f8"
+ }
+ ]
+}
diff --git a/scripts/generate_subsections_ids.py b/scripts/generate_subsections_ids.py
index f7e265654..c77043284 100644
--- a/scripts/generate_subsections_ids.py
+++ b/scripts/generate_subsections_ids.py
@@ -9,26 +9,39 @@ import json import os import re +import logging +import sys + # constants currDir = os.path.abspath(os.getcwd()) frameworks_dir = os.path.join(currDir, 'frameworks') framework_name_to_filename_mapping = {} +logging.basicConfig(level=logging.INFO) + # ================================================ def init_framework_name_to_filename_mapping(): for filename in os.listdir(frameworks_dir): + logging.info(f"Checking file: (unknown)") # Load the JSON files if filename.endswith('.json'): - with open(os.path.join(frameworks_dir, filename)) as f1: - framework = json.load(f1) - framework_name_to_filename_mapping[framework['name']] = filename + logging.info(f"file (unknown) detected as a JSON") + try: + with open(os.path.join(frameworks_dir, filename)) as f1: + framework = json.load(f1) + framework_name_to_filename_mapping[framework['name']] = filename + except Exception as e: + logging.error(f"Error detected with file (unknown). Error: {e}") + sys.exit(1) + def init_parser(): # Set up the argument parser + logging.info(f"Initializing parser") parser = argparse.ArgumentParser() parser.add_argument("--framework", "-fw", required=True, help="Name of the framework to add the control to") parser.add_argument("--firstCleanList", "-clean", required=False, help="Clean controlIds list before population") 
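Review bot: Several of the new logging calls are f-strings with nothing to interpolate (`logging.info(f"Initializing parser")` here, and `f"Restarting controls ID list"`, `f"Restarting controls ID completed"` and `f"Populating controls ID list"` in the next hunk); drop the `f` prefix, since a placeholder-less f-string is a lint warning and reads as a forgotten substitution. The two file-name messages in `init_framework_name_to_filename_mapping` (`Checking file: ...` and `file ... detected as a JSON`) appear here without a `{filename}` placeholder — if that is how they were committed, the log never says which file was checked, which is exactly what is needed when the new `except` branch exits with status 1. In that branch `logging.error(...)` could be `logging.exception(...)` so the traceback of the failed `json.load` is kept; the broad `except Exception` is acceptable for a one-shot script but should be narrowed to `(OSError, json.JSONDecodeError, KeyError)` if the intent is only to report unreadable or malformed framework files.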
@@ -38,13 +51,16 @@ def init_parser(): def restart_controlIDs_list(framework): + logging.info(f"Restarting controls ID list") for subsection1 in framework["subSections"]: if "subSections" in framework["subSections"][subsection1]: for item in framework["subSections"][subsection1]["subSections"]: framework["subSections"][subsection1]["subSections"][item]["controlsIDs"] = [] + logging.info(f"Restarting controls ID completed") def populate_controlIds_list(framework): + logging.info(f"Populating controls ID list") for active_control in framework["activeControls"]: control_id = active_control["controlID"] cis_subsection = active_control["patch"]["name"].split(" ")[0].replace("CIS-", "")
@@ -55,11 +71,12 @@ def populate_controlIds_list(framework): tmp_controlIDs.append(control_id) -def main(): - args = init_parser() - framework_name = args.framework - restart_controlIDs_lists = args.firstCleanList - +def main(framework): + # args = init_parser() + # framework_name = args.framework + framework_name = framework + # restart_controlIDs_lists = args.firstCleanList + restart_controlIDs_lists = True init_framework_name_to_filename_mapping()
@@ -84,5 +101,10 @@ def main(): if __name__ == "__main__": - # TODO: add comments and python convetion for all document - main() \ No newline at end of file + logging.info("Script started") + frameworks = ["cis-aks-t1.2.0", "cis-eks-t1.2.0", "cis-v1.23-t1.0.1"] + for i in frameworks: + logging.info(f"Running on framework {i}") + main(i) + logging.info("Script ended") + sys.exit(0) \ No newline at end of file
diff --git a/scripts/generate_subsections_ids.sh b/scripts/generate_subsections_ids.sh
deleted file mode 100755
index 4bfc31799..000000000
--- a/scripts/generate_subsections_ids.sh
+++ /dev/null
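Review bot: `main(framework)` in the `@@ -55,11 +71,12 @@` hunk hard-codes `restart_controlIDs_lists = True` and keeps the old argparse path only as commented-out lines, so `init_parser` (still defined in the hunk above) becomes dead code and the `--framework`/`--firstCleanList` options it documents no longer do anything. Either delete `init_parser` together with the commented lines, or keep the CLI by having the `__main__` block in the last hunk call `init_parser()` and fall back to the hard-coded `frameworks` list only when `--framework` is not given. The trailing `sys.exit(0)` in the `__main__` block is redundant, since falling off the end of the script already exits with status 0.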
@@ -1,19 +0,0 @@
-
-
-#!/bin/sh
-
-frameworksVal="cis-aks-t1.2.0 cis-eks-t1.2.0 cis-v1.23-t1.0.1"
-# frameworksVal="cis-v1.23-t1.0.1"
-
-
-for val in $frameworksVal; do
- echo "Started updating framework '$val' subscections ids"
- python3 scripts/generate_subsections_ids.py -fw $val -clean true
- status_code=$?
- if [ $status_code -eq 0 ]
- then
- echo "Completed updating framework '$val' subscections ids"
- else
- exit 1
- fi
-done
diff --git a/scripts/init-rule.py b/scripts/init-rule.py
index 86a0d9480..279e6b9aa 100644
--- a/scripts/init-rule.py
+++ b/scripts/init-rule.py
@@ -54,7 +54,6 @@ rule_metadata = """{{ "name": "{rule_name}", "attributes": {{ - "armoBuiltin": true,{use_from_kubescape_version}{use_until_kubescape_version} "hostSensorRule": "{host_sensor_rule}", "imageScanRelated": {image_scan_related} }},
diff --git a/scripts/mk-generator.py b/scripts/mk-generator.py
new file mode 100644
index 000000000..7ed0a9ab9
--- /dev/null
+++ b/scripts/mk-generator.py
@@ -0,0 +1,417 @@ +""" +This script is used to generate a markdown file for each control in the `controls` folder. +The generated markdown files are placed into the `docs/controls` directory. +Each markdown file contains detailed information about a control, +such as its severity, description, related resources, test, remediation, and example. +""" + +import os +import json + +def ignore_framework(framework_name: str): + """ + determines whether or not to ignore a framework based on its name. + + Parameters + ---------- + framework_name: the name of the framework + + Returns + -------- + True if the framework should be ignored, False otherwise + + """ + return framework_name == 'YAML-scanning' or framework_name.startswith('developer') + +def get_frameworks_for_control(control): + """ + returns the frameworks a given control conforms to. + + Parameters + ---------- + control: the control object + + Returns + ------- + a list of framework names + + """ + r = [] + # Loop through all the json files in the 'frameworks' directory + for frameworks_json_file_name in filter(lambda fn: fn.endswith('.json'),os.listdir('frameworks')): + framework = json.load(open(os.path.join('frameworks',frameworks_json_file_name))) + if ignore_framework(framework['name']): + continue + + # Under the active controls the framework has, check if the given control is one of them + if "activeControls" in framework: + for activeControl in framework["activeControls"]: + if control['controlID'].lower() == activeControl["controlID"].lower(): + r.append(framework['name']) + return r + +def create_md_for_control(control): + """ + generates a markdown file for a given control. 
+ + Parameters + ---------- + control: the control object + + Returns + ------- + the markdown text/file + + """ + related_resources = set() + control_config_input = {} + host_sensor = False + cloud_control = False + + # Loop through all the rules of the control + for rule_obj in control['rules']: + # If the rule has a 'match' field, add its resources to the related resources + if 'match' in rule_obj: + for match_obj in rule_obj['match']: + if 'resources' in match_obj: + related_resources.update(set(match_obj['resources'])) + # If the rule has a 'controlConfigInputs' field, add its configuration to the control configuration input + if 'controlConfigInputs' in rule_obj: + for control_config in rule_obj['controlConfigInputs']: + control_config_input[control_config['path']] = control_config + # If the rule has a 'attributes' field and it contains 'hostSensorRule', set host_sensor to True + if 'attributes' in rule_obj: + if 'hostSensorRule' in rule_obj['attributes']: + host_sensor = True + # If the rule has a 'relevantCloudProviders' field and it is not empty, set cloud_control to True + if 'relevantCloudProviders' in rule_obj: + cloud_control = len(rule_obj['relevantCloudProviders']) > 0 + + # Start creating the markdown text + md_text = '' + md_text += '# %s - %s\n' % (control['controlID'], control['name']) + '\n' + + if host_sensor: + md_text += '## Prerequisites\n *Run Kubescape with host sensor (see [here](https://hub.armo.cloud/docs/host-sensor))*\n \n' + if cloud_control: + md_text += '## Prerequisites\n *Integrate with cloud provider (see [here](https://hub.armosec.io/docs/kubescape-integration-with-cloud-providers))*\n \n' + frameworks = get_frameworks_for_control(control) + md_text += '## Framework%s\n' % ('s' if len(frameworks) > 1 else '') + md_text += '\n'.join(['* ' + framework for framework in frameworks]) + '\n \n' + md_text += '## Severity\n' + # severity map: https://github.com/kubescape/opa-utils/blob/master/reporthandling/apis/severity.go#L34 + 
severity_map = {1:'Low',2:'Low',3:'Low',4:'Medium',5:'Medium',6:'Medium',7:'High',8:'High',9:'Critical',10:'Critical'} + md_text += '%s\n' % severity_map[int(control['baseScore'])] + '\n' + if 'long_description' in control or 'description' in control: + description = control['long_description'] if 'long_description' in control else control['description'] + if description.strip(): + md_text += '## Description of the issue\n' + if len(control_config_input): + description += ' Note, [this control is configurable](#configuration-parameters).' + md_text += description + '\n \n' + if related_resources: + md_text += '## Related resources\n' + md_text += ', '.join(sorted(list(related_resources))) + '\n \n' + + md_text += '## What this control tests \n' + test = control['test'] if 'test' in control else control['description'] + md_text += test + '\n \n' + + if 'manual_test' in control and control['manual_test'].strip(): + md_text += '## How to check it manually \n' + manual_test = control['manual_test'] + md_text += manual_test + '\n \n' + + if 'remediation' in control and control['remediation'].strip(): + md_text += '## Remediation\n' + md_text += control['remediation'] + '\n \n' + if 'impact_statement' in control and control['impact_statement'].strip() and control['impact_statement'] != 'None': + md_text += '### Impact Statement\n' + control['impact_statement'] + '\n \n' + if 'default_value' in control and control['default_value'].strip(): + md_text += '### Default Value\n' + control['default_value'] + '\n \n' + + if len(control_config_input): + configuration_text = '## Configuration parameters \n You can adjust the configuration of this control to suit your specific environment. 
[Read the documentation on configuring controls](../frameworks-and-controls/configuring-controls.md) to learn more.\n \n' + for control_config_name in control_config_input: + control_config = control_config_input[control_config_name] + # configuration_text += '### ' + control_config['name'] + '\n' + config_name = control_config['path'].split('.')[-1] + configuration_text += '* ' '[' + config_name + '](../frameworks-and-controls/configuring-controls.md#%s)'%config_name.lower() + ':' + '\n' + configuration_text += control_config['description'] + '\n \n' + md_text += configuration_text + + if 'example' in control and control['example'].strip(): + md_text += '## Example\n' + md_text += '```\n' + control['example'] + '\n```' + '\n' + return md_text + +def generate_index_md(controls): + """ + Generates the content for the index.md file based on the provided list of controls. + + Parameters + ---------- + controls: A list of control objects. + + Returns + ------- + str: The generated content for the index.md file. + + """ + # Sort the controls list based on control ID + controls.sort(key=lambda control: convert_control_id_to_doc_order(control['controlID'])) + + index_md = "# Control library\n\nEach control in the Kubescape control library is documented under this page.\n\n" + index_md += "| Control | Name | Framework |\n" + index_md += "| --- | --- | --- |\n" + + for control in controls: + control_id = control['controlID'] + control_name = control['name'] + control_frameworks = get_frameworks_for_control(control) + control_link = control_id.lower().replace(".", "-") + ".md" + index_md += "| [%s](%s) | %s | %s |\n" % (control_id, control_link, control_name, ", ".join(control_frameworks)) + + return index_md + +def generate_slug(control): + """ + Generates a slug for a given control. + + Parameters + ---------- + control: The control object. + + Returns + ------- + str: The generated slug for the control. 
+ + """ + return control['controlID'].lower().replace(".", "-") + +def get_configuration_parameters_info(): + """ + Fetches and obtains the control's configuration parameters information. + + Returns + ------- + tuple: A tuple containing two dictionaries - config_parameters and default_config_inputs. + - config_parameters: A dictionary mapping configuration parameter names to their corresponding configuration objects. + - default_config_inputs: A dictionary containing default configuration inputs. + """ + default_config_inputs = None + with open('default-config-inputs.json','r') as f: + default_config_inputs = json.load(f)['settings']['postureControlInputs'] + + config_parameters = {} + for control_json_file_name in filter(lambda fn: fn.endswith('.json'),os.listdir('controls')): + try: + control_obj = json.load(open(os.path.join('controls',control_json_file_name))) + control_obj['rules'] = [] + for rule_directory_name in os.listdir('rules'): + rule_metadata_file_name = os.path.join('rules',rule_directory_name,'rule.metadata.json') + if os.path.isfile(rule_metadata_file_name): + rule_obj = json.load(open(rule_metadata_file_name)) + if rule_obj['name'] in control_obj['rulesNames']: + control_obj['rules'].append(rule_obj) + if 'controlConfigInputs' in rule_obj: + for config in rule_obj['controlConfigInputs']: + name = config['path'].split('.')[-1] + config_parameters[name] = config + except Exception as e: + print('error processing %s: %s'%(control_json_file_name,e)) + + return config_parameters, default_config_inputs + +# Function to convert a control id to a doc order +def convert_control_id_to_doc_order(control_id: str) -> int: + """get a control_id and returns it's expected order in docs. + control_id is expected to either have "c-" or "cis-" prefix, otherwise raises an error. 
+ + Parameters + ---------- + control_id : str + A string of structure "c-xxx" or "cis-x.y.z" + + Returns + --------- + int + + """ + control_id = control_id.lower() + + + if "c-" in control_id: + return int(control_id.replace("c-", "")) + + if "cis-" in control_id: + return convert_dotted_section_to_int(control_id.replace("cis-", "")) + + raise Exception(f"control_id structure unknown {control_id}") + +# Function to convert a dotted section to an int +def convert_dotted_section_to_int(subsection_id : str, + subsection_digits : int = 2, + n_subsections : int = 3) -> int: + """returns int representation of a dotted separated subsection string. + + Parameters + ---------- + subsection_id : str + A dotted subsection string - examples: 1.2, 2.3.12 + + subsection_digits : int, optional + The number of digits each subsection should have (default is 2) + + n_subsections : int, optional + The number of expected subsections (default is 3) + + Returns + --------- + int + + Examples (with default values): + --------- + convert_dotted_section_to_int("1.1.12", 2, 3) = 01.01.12 = 10112 + convert_dotted_section_to_int("1.1.1", 2, 3)= 01.01.01 = 10101 + convert_dotted_section_to_int("1.2.1", 2, 3) = 01.02.01 = 10201 + + convert_dotted_section_to_int("1.2", 3, 3) = 001.002.000 = 1002000 + + """ + + if subsection_id == "": + raise Exception("subsection_id string is empty") + + subsection_ids = subsection_id.split(".") + + res = "" + + # iterate each subsection + for subsection in subsection_ids: + current_subsection_id = subsection + + # identify the the subsection range and add "0"s to prefix if needed. 
+ for i in range(1, subsection_digits): + if int(subsection) < 10**i: + current_subsection_id = "0"*(subsection_digits-i) + current_subsection_id + break + + res = res + current_subsection_id + + # if there are missing subsections, add "0"s to the right of the int + if n_subsections > len(subsection_ids): + res = res + "0"*subsection_digits*(n_subsections - len(subsection_ids)) + + return int(res) + +# Function to find inactive controls in docs +def find_inactive_controls_in_docs(list_docs : list, list_active: list) -> list: + """returns a list of controls that doesn't exist in rego but exit in docs. + + Parameters + ---------- + list_docs : list + a list of slugs in docs + + list_active: list + a list of active controls from rego + + + Returns + --------- + list - item that exist in list_docs but doesn't exist in list_active + + """ + return list(sorted(set(list_docs)- set(list_active))) + +def main(): + # Define the directory where the Markdown files should be created. + docs_dir = 'docs/controls' + + # Ensure the directory exists, if not create it + if not os.path.exists(docs_dir): + os.makedirs(docs_dir) + + # Fetches the Configuration parameters and related resources per control + config_parameters, default_config_inputs = get_configuration_parameters_info() + + # Processing and obtaining the parameters for each control + i = 0 + for config_parameters_path in sorted(list(config_parameters.keys())): + print('Processing ',config_parameters_path) + # Create md + md = '# %s\n' % config_parameters_path + md += '## Description\n' + md += config_parameters[config_parameters_path]['description'] + '\n' + md += '## Default values\n' + for dvalue in default_config_inputs[config_parameters_path]: + md += '* %s\n' % dvalue + + title = 'Parameter: %s' % config_parameters_path + config_parameter_slug = 'configuration_parameter_' + config_parameters_path.lower() + i = i + 1 + + controls = [] + # Process controls. 
+ for control_json_file_name in filter(lambda fn: fn.endswith('.json'), os.listdir('controls')): + print('processing %s' % control_json_file_name) + control_obj = json.load(open(os.path.join('controls', control_json_file_name))) + + base_dir = os.path.dirname(os.path.dirname(os.path.realpath(__file__))) + if 'controlID' in control_obj: + controlID = control_obj['controlID'] + example_file_name = controlID.replace('C-00','c0') + '.yaml' + example_file_name = os.path.join('controls','examples',example_file_name) + if os.path.isfile(example_file_name): + with open(example_file_name) as f: + control_obj['example'] = f.read() + + if 'example' in control_obj and len(control_obj['example']) > 0 and control_obj['example'][0] == '@': + example_file_name = os.path.join(base_dir,control_obj['example'][1:]) + if os.path.isfile(example_file_name): + with open(example_file_name) as f: + control_obj['example'] = f.read() + else: + print('warning: %s is not a file' % example_file_name) + + control_obj['rules'] = [] + for rule_directory_name in os.listdir('rules'): + rule_metadata_file_name = os.path.join('rules',rule_directory_name,'rule.metadata.json') + if os.path.isfile(rule_metadata_file_name): + rule_obj = json.load(open(rule_metadata_file_name)) + if rule_obj['name'] in control_obj['rulesNames']: + control_obj['rules'].append(rule_obj) + + controls.append(control_obj) + + # Generate a Markdown document for the control. + md = create_md_for_control(control_obj) + + # Generate a slug for the control. + slug = generate_slug(control_obj) + + # Define the path of the Markdown file. + md_file_path = os.path.join(docs_dir, slug + '.md') + + # Write the Markdown document to the file. + with open(md_file_path, 'w') as md_file: + md_file.write(md) + + print('created or updated %s' % md_file_path) + + # Generate the index.md file + index_md = generate_index_md(controls) + + # Define the path of the index.md file. 
+ index_md_file_path = os.path.join(docs_dir, "index.md")
+
+ # Write the index.md file
+ with open(index_md_file_path, 'w') as index_md_file:
+ index_md_file.write(index_md)
+
+ print('created or updated %s' % index_md_file_path)
+
+# Run the main function if the script is run as a standalone program
+if __name__ == '__main__':
+ main()
diff --git a/scripts/upload-readme.py b/scripts/upload-readme.py
index 4848a813b..289730b0b 100644
--- a/scripts/upload-readme.py
+++ b/scripts/upload-readme.py
@@ -1,14 +1,37 @@
+"""
+This script is used to manage the documentation of controls present in the `controls` folder in a Readme API.
+It fetches the controls from the `controls` directory,
+processes them, and then creates or updates the corresponding documentation in the Readme API.
+It also handles the deletion of inactive controls from the documentation.
+
+The script uses the Readme API's categories, docs, and versions endpoints.
+
+The script follows these main steps:
+1. Authenticate with the Readme API using an API key.
+2. Validate the structure of the Readme documentation.
+3. Process configuration parameters and update or create corresponding documentation.
+4. Process each control, create its documentation, and update or create it in the Readme API.
+5. Delete documentation for inactive controls.
+""" + import requests import os import json import re class ReadmeApi(object): + """ + The script uses the ReadmeApi class to interact with the Readme API. This class has methods to authenticate, get categories, + get docs in a category, get a specific doc, delete a doc, create a doc, and update a doc. + """ def __init__(self): super().__init__() self.doc_version = None def authenticate(self, api_key): + """ + Function to authenticate with the Readme API + """ r = requests.get('https://dash.readme.com/api/v1', auth=(api_key, '')) if r.status_code != 200: raise Exception('Failed to authenticate')
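Review bot: The first loop in `main` (over `sorted(list(config_parameters.keys()))`) builds `md`, `title` and `config_parameter_slug` for every configuration parameter but never writes or returns them, so the parameter pages are never generated and those variables plus the `i` counter are dead; either write `md` under `docs_dir` the way the control pages are written further down, or drop the loop. In the same hunk every `json.load(open(...))` in `get_frameworks_for_control`, `get_configuration_parameters_info` and `main` opens a file that is never closed — use `with open(...) as f: ... json.load(f)` as the example-file reads already do. In `create_md_for_control`, `cloud_control = len(rule_obj['relevantCloudProviders']) > 0` is reassigned on every rule, so a later rule with an empty list clears a flag set by an earlier one, unlike `host_sensor` which is sticky; `cloud_control = cloud_control or len(rule_obj['relevantCloudProviders']) > 0` matches the evident intent. `get_frameworks_for_control` is also invoked once per control from both `create_md_for_control` and `generate_index_md` and re-reads every framework JSON each time; loading the frameworks once and passing them in would remove the repeated I/O.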
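Review bot: The new class docstring on `ReadmeApi` describes "the script" rather than the class, and the `authenticate` docstring omits the one contract a caller needs: the method raises `Exception('Failed to authenticate')` on any non-200 response, and (as the following hunk's context shows) stores the key on the instance for later basic-auth calls. Suggest `"""Thin client for the Readme v1 API; every request authenticates with the API key stored by authenticate() as the HTTP basic-auth username."""` for the class and `"""Verify api_key against the Readme API and keep it on the instance; raises Exception if the check does not return 200."""` for the method.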
@@ -18,9 +41,15 @@ def authenticate(self, api_key): self.api_key = api_key def set_version(self, version:str): + """ + Function to set the version of the documentation + """ self.doc_version = version def get_categories(self): + """ + Function to fetch and obtain all categories from the Readme API. + """ url = "https://dash.readme.com/api/v1/categories" querystring = {"perPage":"1000","page":"1"} @@ -33,6 +62,9 @@ def get_categories(self): return r.json() def get_category(self,category_slug : str): + """ + Function to fetch and obtain a specific category from the Readme API using its slug. + """ url = "https://dash.readme.com/api/v1/categories/%s" % category_slug r = requests.request("GET", url,headers={"Accept": "application/json"}, auth=(self.api_key, '')) @@ -43,6 +75,9 @@ def get_category(self,category_slug : str): return r.json() def get_docs_in_category(self, category_slug: str): + """ + Function to fetch and obatin all the docs related to or of a specific category from the Readme API using the category's slug. + """ url = "https://dash.readme.com/api/v1/categories/%s/docs" % category_slug r = requests.request("GET", url, headers={"Accept":"application/json"}, auth=(self.api_key, '')) @@ -53,6 +88,9 @@ def get_docs_in_category(self, category_slug: str): return r.json() def get_doc(self, doc_slug: str): + """ + Function to get a specific document from the Readme API using its slug. + """ url = "https://dash.readme.com/api/v1/docs/%s" % doc_slug r = requests.request("GET", url, headers={"Accept":"application/json"}, auth=(self.api_key, '')) @@ -65,6 +103,9 @@ def get_doc(self, doc_slug: str): return r.json() def delete_doc(self, doc_slug: str): + """ + Function to delete a specific doc from the Readme API using its slug. + """ url = "https://dash.readme.com/api/v1/docs/%s" % doc_slug r = requests.request("DELETE", url, headers={"Accept":"application/json"}, auth=(self.api_key, '')) 
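Review bot: The docstring added to `get_docs_in_category` has a typo, "obatin" for "obtain", and the "fetch and obtain" phrasing repeated in the `get_categories` and `get_category` hunks is redundant ("Fetch all categories from the Readme API." says the same). None of these new docstrings mention that the method raises a bare `Exception` when the response status is not 200, which is the behaviour a caller most needs to know; that pattern is visible for `authenticate` and `delete_doc` and presumably holds for the others whose bodies lie outside their hunks. Suggested text for `get_docs_in_category`: `"""Return all docs in the category identified by category_slug; raises Exception on a non-200 response."""`.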
@@ -73,6 +114,9 @@ def delete_doc(self, doc_slug: str): raise Exception('Failed to delete doc (%d)'%r.status_code) def create_doc(self, slug: str, parent_id: str, order: any, title: str, body: str, category: str): + """ + Function to create a new document in the Readme API. + """ url = "https://dash.readme.com/api/v1/docs" payload = { @@ -97,9 +141,11 @@ def create_doc(self, slug: str, parent_id: str, order: any, title: str, body: st raise Exception('Failed to create doc: %s'%r.text) return r.json() - - def update_doc(self, doc_slug: str, order: any, title: str, body: str, category: str): + def update_doc(self, doc_slug: str, order: any, title: str, body: str, category: str): + """ + Function to update a specific document in the Readme API using its slug. + """ url = "https://dash.readme.com/api/v1/docs/%s" % doc_slug payload = { @@ -121,11 +167,19 @@ def update_doc(self, doc_slug: str, order: any, title: str, body: str, category: return r.json() + def validate_readme_structure(readmeapi : ReadmeApi): + """ + function is validating if the structure is validated and return an error if missing some objects. + NOTE: objects might be changed from time to time, need to update accordingly + """ categories = readmeapi.get_categories() - filtered_categories = list(filter(lambda c: c['title'] == 'Controls',categories)) + filtered_categories = list(filter(lambda c: c['title'] == 'Review Controls',categories)) + print(categories) + if len(filtered_categories) != 1: - raise Exception('Readme structure validation failure: missing "Controls" category (or more than one)') + raise Exception('Readme structure validation failure: missing "Review Controls" category (or more than one)') + controls_category = filtered_categories[0] docs_in_control_category = readmeapi.get_docs_in_category(controls_category['slug']) filtered_docs = list(filter(lambda d: d['title'] == 'Controls',docs_in_control_category)) 
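Review bot: `print(categories)` in `validate_readme_structure` looks like a leftover debug statement: it dumps the entire categories response from the Readme API into the CI log on every run, which is noisy and, should the API ever return non-public fields, puts them in the build log. Either drop the line or print only what the check needs, e.g. `print('found %d categories' % len(categories))`. The new docstring is also hard to parse ("function is validating if the structure is validated and return an error if missing some objects"); `"""Check that the Readme project has exactly one 'Review Controls' category containing a 'Controls' document, raising Exception otherwise."""` states what the code below does. The function continues past the end of the hunk.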
@@ -133,10 +187,13 @@ def validate_readme_structure(readmeapi : ReadmeApi): raise Exception('Readme structure validation failure: missing "Controls" document') def get_document_for_control(readmeapi : ReadmeApi, control): + """ + Function to get the documentation for a specific control. It checks that there is exactly one "Controls" category and one document that starts with the control's id. + """ categories = readmeapi.get_categories() - filtered_categories = list(filter(lambda c: c['title'] == 'Controls',categories)) + filtered_categories = list(filter(lambda c: c['title'] == 'Review Controls',categories)) if len(filtered_categories) != 1: - raise Exception('Readme structure failure: missing "Controls" category (or more than one)') + raise Exception('Readme structure failure: missing "Review Controls" category (or more than one)') controls_category = filtered_categories[0] docs_in_control_category = readmeapi.get_docs_in_category(controls_category['slug']) filtered_docs = list(filter(lambda d: d['title'].startswith(control['id']),docs_in_control_category)) @@ -146,9 +203,33 @@ def get_document_for_control(readmeapi : ReadmeApi, control): return control_doc def ignore_framework(framework_name: str): + """ + determines whether or not to ignore a framework based on its name. + + Parameters + ---------- + framework_name: the name of the framework + + Returns + -------- + True if the framework should be ignored, False otherwise + + """ return framework_name == 'YAML-scanning' or framework_name.startswith('developer') def get_frameworks_for_control(control): + """ + returns the frameworks a given control conforms to. + + Parameters + ---------- + control: the control object + + Returns + ------- + a list of framework names + + """ r = [] for frameworks_json_file_name in filter(lambda fn: fn.endswith('.json'),os.listdir('frameworks')): framework = json.load(open(os.path.join('frameworks',frameworks_json_file_name))) 
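Review bot: The docstring added to `get_document_for_control` says the function checks for exactly one "Controls" category, but the line right below it now filters on `c['title'] == 'Review Controls'` and the new error message says "Review Controls" too, so the docstring is wrong from the moment it is introduced. Suggested wording: `"""Return the doc in the 'Review Controls' category whose title starts with the control's id; raises Exception if the category is missing or duplicated."""`. It would also help to say that the match is on `control['id']` while `generate_slug` later in this file reads `control['controlID']`, so a reader knows the two keys are intentional rather than a mismatch. The function continues past the end of the hunk.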
@@ -161,26 +242,44 @@ def get_frameworks_for_control(control): r.append(framework['name']) return r - def create_md_for_control(control): + """ + generates a markdown file for a given control. + + Parameters + ---------- + control: the control object + + Returns + ------- + the markdown text/file + + """ related_resources = set() control_config_input = {} host_sensor = False cloud_control = False + + # Loop through all the rules of the control for rule_obj in control['rules']: + # If the rule has a 'match' field, add its resources to the related resources if 'match' in rule_obj: for match_obj in rule_obj['match']: if 'resources' in match_obj: related_resources.update(set(match_obj['resources'])) + # If the rule has a 'controlConfigInputs' field, add its configuration to the control configuration input if 'controlConfigInputs' in rule_obj: for control_config in rule_obj['controlConfigInputs']: control_config_input[control_config['path']] = control_config + # If the rule has a 'attributes' field and it contains 'hostSensorRule', set host_sensor to True if 'attributes' in rule_obj: if 'hostSensorRule' in rule_obj['attributes']: host_sensor = True + # If the rule has a 'relevantCloudProviders' field and it is not empty, set cloud_control to True if 'relevantCloudProviders' in rule_obj: cloud_control = len(rule_obj['relevantCloudProviders']) > 0 + # Start creating the markdown text md_text = '' if host_sensor: md_text += '## Prerequisites\n*Run Kubescape with host sensor (see [here](https://hub.armo.cloud/docs/host-sensor))*\n' 
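Review bot: The comment `# If the rule has a 'relevantCloudProviders' field and it is not empty, set cloud_control to True` does not match the line under it: `cloud_control = len(rule_obj['relevantCloudProviders']) > 0` assigns the result, so a later rule carrying an empty list resets the flag to False, unlike `host_sensor`, which only ever becomes True. Either make the comment honest (`# cloud_control reflects the last rule that carries 'relevantCloudProviders'`) or, if any-rule semantics were intended, accumulate with `cloud_control = cloud_control or len(rule_obj['relevantCloudProviders']) > 0`. Minor: `# If the rule has a 'attributes' field` should read "an 'attributes' field". The function continues past the end of the hunk.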
@@ -228,15 +327,36 @@ def create_md_for_control(control): md_text += '## Example\n' if 'example' in control: - md_text += '```\n' +control['example'] + '\n```' + '\n' + md_text += '```\n' + control['example'] + '\n```' + '\n' else: md_text += 'No example\n' return md_text def generate_slug(control): + """ + Generates a slug for a given control. + + Parameters + ---------- + control: The control object. + + Returns + ------- + str: The generated slug for the control. + + """ return control['controlID'].lower().replace(".", "-") def get_configuration_parameters_info(): + """ + Fetches and obtains the control's configuration parameters information. + + Returns + ------- + tuple: A tuple containing two dictionaries - config_parameters and default_config_inputs. + - config_parameters: A dictionary mapping configuration parameter names to their corresponding configuration objects. + - default_config_inputs: A dictionary containing default configuration inputs. + """ default_config_inputs = None with open('default-config-inputs.json','r') as f: default_config_inputs = json.load(f)['settings']['postureControlInputs'] @@ -271,7 +391,7 @@ def main(): readmeapi.authenticate(API_KEY) print('Authenticated') - # Validated structure + # Validate structure validate_readme_structure(readmeapi) print('Readme structure validated') @@ -383,9 +503,6 @@ def main(): exit(0) - - - def convert_control_id_to_doc_order(control_id: str) -> int: """get a control_id and returns it's expected order in docs. control_id is expected to either have "c-" or "cis-" prefix, otherwise raises an error. @@ -411,8 +528,6 @@ def convert_control_id_to_doc_order(control_id: str) -> int: raise Exception(f"control_id structure unknown {control_id}") - - def convert_dotted_section_to_int(subsection_id : str, subsection_digits : int = 2, n_subsections : int = 3) -> int: 
@@ -468,7 +583,6 @@ def convert_dotted_section_to_int(subsection_id : str, return int(res) - def find_inactive_controls_in_docs(list_docs : list, list_active: list) -> list: """returns a list of controls that doesn't exist in rego but exit in docs. @@ -487,7 +601,7 @@ def find_inactive_controls_in_docs(list_docs : list, list_active: list) -> list: """ return list(sorted(set(list_docs)- set(list_active))) - + def get_controls_doc_slugs(readmeapi: ReadmeApi) -> list: """returns a list of slugs exist under the "controls" category @@ -511,4 +625,3 @@ def get_controls_doc_slugs(readmeapi: ReadmeApi) -> list: if __name__ == '__main__': main() - diff --git a/scripts/validations.py b/scripts/validations.py index ede55984d..7cdb59721 100644 --- a/scripts/validations.py +++ b/scripts/validations.py @@ -1,6 +1,8 @@ import json +from operator import itemgetter import os import re +import requests FRAMEWORK_DIR = "frameworks" CONTROLS_DIR = "controls" @@ -10,6 +12,7 @@ CONTROLID_TO_FILENAME = {} RULENAME_TO_RULE_DIR = {} ATTACK_TRACKS_DICT = {} +k8s_RELEASE_URL = "https://api.github.com/repos/kubernetes/kubernetes/releases" def ignore_file(file_name: str): return file_name.startswith('__') 
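Review bot: `k8s_RELEASE_URL` breaks the module's constant convention: the neighbouring `FRAMEWORK_DIR`, `CONTROLS_DIR`, `CONTROLID_TO_FILENAME` and `ATTACK_TRACKS_DICT` are all upper-case, so this one should be `K8S_RELEASE_URL` (renamed at its uses in `get_kubernetes_supported_versions` and `validate_k8s_supported_versions_in_rego` below). In the import hunk, `requests` is a third-party package placed among the standard-library imports and `from operator import itemgetter` sits between `json` and `os`; the usual grouping is the stdlib lines first, a blank line, then `import requests`. Adding `requests` also makes this validation script depend on an extra package and on network access, which deserves a one-line comment at the import so whoever runs `validations.py` offline knows why it fails.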
@@ -152,6 +155,70 @@ def validate_rules(): data = json.load(rule_file) assert data["name"] in RULES_CHECKED, f"rule {data['name']} is not used by any control" +def get_kubernetes_supported_versions(): + try: + response = requests.get(k8s_RELEASE_URL) + response.raise_for_status() + except requests.RequestException as e: + raise Exception("Failed to fetch Kubernetes releases") from e + + releases = response.json() + + # Order the releases by publication date + ordered_releases = sorted(releases, key=itemgetter('created_at'), reverse=True) + + supported_versions = [] + for release in ordered_releases: + if not release['draft'] and not release['prerelease']: + tag_name = release['tag_name'] + if all(x not in tag_name for x in ['alpha', 'beta', 'rc']): + major_minor_version = '.'.join(tag_name.lstrip('v').split('.')[:2]) + if major_minor_version not in supported_versions: + supported_versions.append(major_minor_version) + + # we are taking 5 since smaller versions might have updates after the latest major.minor version + if len(supported_versions) == 5: + break + + if not supported_versions: + raise Exception("No supported Kubernetes versions found.") + + # Sort the versions in descending order as strings + sorted_versions = sorted(supported_versions, reverse=True) + + # Get the top 3 versions + top_3_versions = sorted_versions[:3] + + return top_3_versions + +def validate_k8s_supported_versions_in_rego(): + # Step 1: Get the latest supported Kubernetes versions + api_versions = get_kubernetes_supported_versions() + + # Step 2 & 3: Check the Rego file and compare + # Read the rego file + file_path = os.path.join("rules/outdated-k8s-version/raw.rego") + try: + with open(file_path, 'r') as file: + rego_content = file.read() + except FileNotFoundError: + raise Exception(f"File {file_path} not found.") + + # Extract the currently supported versions from the file + versions_pattern = re.compile(r'supported_k8s_versions := \["(v[0-9]+\.[0-9]+)", "(v[0-9]+\.[0-9]+)", 
"(v[0-9]+\.[0-9]+)"\]') + match = versions_pattern.search(rego_content) + if not match: + raise Exception("Could not find the supported Kubernetes versions in the Rego file.") + + file_versions = list(match.groups()) + # Format the API versions to match the Rego file format + formatted_api_versions = ['v' + version for version in api_versions] + + # Compare the versions from the API with those in the file + if set(formatted_api_versions) != set(file_versions): + raise Exception(f"The Rego file's (outdated-k8s-version/raw.rego) supported Kubernetes versions: {file_versions} do not match the latest Kubernetes supported versions: {formatted_api_versions} from {k8s_RELEASE_URL}. Please update the Rego file: rules/outdated-k8s-version/raw.rego") + else: + print("The rule: outdated-k8s-version/raw.rego contains the correct latest supported Kubernetes versions.") if __name__ == "__main__": fill_rulename_to_rule_dir() @@ -160,3 +227,4 @@ def validate_rules(): validate_controls_in_framework() validate_controls() validate_rules() + validate_k8s_supported_versions_in_rego() diff --git a/testrunner/go.mod b/testrunner/go.mod index 7fb8d8fef..befc96f80 100644 --- a/testrunner/go.mod +++ b/testrunner/go.mod 
@@ -3,130 +3,163 @@ module testrunner go 1.19 require ( - github.com/armosec/armoapi-go v0.0.119 - github.com/golang/glog v1.0.0 - github.com/kubescape/k8s-interface v0.0.89 - github.com/kubescape/opa-utils v0.0.204 - github.com/open-policy-agent/opa v0.45.0 - github.com/stretchr/testify v1.8.0 + github.com/armosec/armoapi-go v0.0.256 + github.com/golang/glog v1.1.1 + github.com/kubescape/k8s-interface v0.0.135-0.20230730135750-e6e709507847 + github.com/kubescape/opa-utils v0.0.272 + github.com/open-policy-agent/opa v0.55.0 + github.com/stretchr/testify v1.8.4 gopkg.in/yaml.v3 v3.0.1 ) -require github.com/santhosh-tekuri/jsonschema/v5 v5.1.1 // indirect +require ( + cloud.google.com/go/compute/metadata v0.2.3 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization v1.0.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.1.1 // indirect + github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v2 v2.4.0 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 // indirect + github.com/armosec/gojay v1.2.15 // indirect + github.com/aws/aws-sdk-go-v2/service/ecr v1.18.0 // indirect + github.com/aws/aws-sdk-go-v2/service/iam v1.19.0 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.14 // indirect + github.com/beorn7/perks v1.0.1 // indirect + github.com/cenkalti/backoff/v4 v4.2.1 // indirect + github.com/cespare/xxhash/v2 v2.2.0 // indirect + github.com/go-ini/ini v1.67.0 // indirect + github.com/go-logr/stdr v1.2.2 // indirect + github.com/google/s2a-go v0.1.4 // indirect + github.com/gorilla/mux v1.8.0 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.2 // indirect + 
github.com/kylelemons/godebug v1.1.0 // indirect + github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect + github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect + github.com/prometheus/client_golang v1.16.0 // indirect + github.com/prometheus/client_model v0.4.0 // indirect + github.com/prometheus/common v0.42.0 // indirect + github.com/prometheus/procfs v0.10.1 // indirect + github.com/santhosh-tekuri/jsonschema/v5 v5.1.1 // indirect + github.com/sirupsen/logrus v1.9.3 // indirect + github.com/stripe/stripe-go/v74 v74.28.0 // indirect + github.com/uptrace/opentelemetry-go-extra/otelutil v0.2.2 // indirect + github.com/uptrace/opentelemetry-go-extra/otelzap v0.2.2 // indirect + github.com/uptrace/uptrace-go v1.16.0 // indirect + go.opentelemetry.io/contrib/instrumentation/runtime v0.42.0 // indirect + go.opentelemetry.io/otel v1.16.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.16.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.39.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.39.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.16.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.16.0 // indirect + go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.16.0 // indirect + go.opentelemetry.io/otel/metric v1.16.0 // indirect + go.opentelemetry.io/otel/sdk v1.16.0 // indirect + go.opentelemetry.io/otel/sdk/metric v0.39.0 // indirect + go.opentelemetry.io/otel/trace v1.16.0 // indirect + go.opentelemetry.io/proto/otlp v0.19.0 // indirect + golang.org/x/exp v0.0.0-20230728194245-b0cb94b80691 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc // indirect +) require ( - cloud.google.com/go v0.102.1 // indirect - cloud.google.com/go/compute v1.7.0 // indirect - 
cloud.google.com/go/container v1.2.0 // indirect - github.com/Azure/azure-sdk-for-go v66.0.0+incompatible // indirect - github.com/Azure/go-autorest v14.2.0+incompatible // indirect - github.com/Azure/go-autorest/autorest v0.11.27 // indirect - github.com/Azure/go-autorest/autorest/adal v0.9.20 // indirect - github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect - github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect - github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect - github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect - github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect - github.com/Azure/go-autorest/logger v0.2.1 // indirect - github.com/Azure/go-autorest/tracing v0.6.0 // indirect + cloud.google.com/go/compute v1.20.1 // indirect + cloud.google.com/go/container v1.24.0 // indirect github.com/OneOfOne/xxhash v1.2.8 // indirect - github.com/PuerkitoBio/purell v1.1.1 // indirect - github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect github.com/agnivade/levenshtein v1.1.1 // indirect - github.com/armosec/utils-go v0.0.12 // indirect - github.com/armosec/utils-k8s-go v0.0.12 // indirect - github.com/aws/aws-sdk-go-v2 v1.16.7 // indirect - github.com/aws/aws-sdk-go-v2/config v1.15.13 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.12.8 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.8 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.14 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.8 // indirect - github.com/aws/aws-sdk-go-v2/internal/ini v1.3.15 // indirect - github.com/aws/aws-sdk-go-v2/service/eks v1.21.4 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.8 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.11.11 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.16.9 // indirect - github.com/aws/smithy-go v1.12.0 // indirect + github.com/armosec/utils-go v0.0.20 
// indirect + github.com/armosec/utils-k8s-go v0.0.16 // indirect + github.com/aws/aws-sdk-go-v2 v1.19.1 // indirect + github.com/aws/aws-sdk-go-v2/config v1.18.30 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.13.29 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.6 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.36 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.30 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.3.37 // indirect + github.com/aws/aws-sdk-go-v2/service/eks v1.28.1 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.30 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.12.14 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.20.1 // indirect + github.com/aws/smithy-go v1.13.5 // indirect github.com/coreos/go-oidc v2.2.1+incompatible // indirect github.com/davecgh/go-spew v1.1.1 // indirect - github.com/dimchansky/utfbom v1.1.1 // indirect - github.com/docker/docker v20.10.24+incompatible // indirect + github.com/docker/docker v24.0.5+incompatible // indirect github.com/docker/go-connections v0.4.0 // indirect - github.com/docker/go-units v0.4.0 // indirect - github.com/emicklei/go-restful/v3 v3.8.0 // indirect - github.com/fatih/color v1.13.0 // indirect + github.com/docker/go-units v0.5.0 // indirect + github.com/emicklei/go-restful/v3 v3.9.0 // indirect + github.com/fatih/color v1.15.0 // indirect github.com/francoispqt/gojay v1.2.13 // indirect github.com/ghodss/yaml v1.0.0 // indirect - github.com/go-logr/logr v1.2.3 // indirect - github.com/go-openapi/jsonpointer v0.19.5 // indirect - github.com/go-openapi/jsonreference v0.19.5 // indirect - github.com/go-openapi/swag v0.19.14 // indirect + github.com/go-logr/logr v1.2.4 // indirect + github.com/go-openapi/jsonpointer v0.19.6 // indirect + github.com/go-openapi/jsonreference v0.20.1 // indirect + github.com/go-openapi/swag v0.22.3 // indirect github.com/gobwas/glob v0.2.3 
// indirect github.com/gogo/protobuf v1.3.2 // indirect - github.com/golang-jwt/jwt/v4 v4.2.0 // indirect + github.com/golang-jwt/jwt/v4 v4.5.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/golang/protobuf v1.5.2 // indirect + github.com/golang/protobuf v1.5.3 // indirect github.com/google/gnostic v0.5.7-v3refs // indirect - github.com/google/go-cmp v0.5.8 // indirect + github.com/google/go-cmp v0.5.9 // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/google/uuid v1.3.0 // indirect - github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect - github.com/googleapis/gax-go/v2 v2.4.0 // indirect + github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect + github.com/googleapis/gax-go/v2 v2.11.0 // indirect github.com/imdario/mergo v0.3.12 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/kr/pretty v0.2.1 // indirect - github.com/kubescape/go-logger v0.0.6 // indirect + github.com/kubescape/go-logger v0.0.14-0.20230730134225-e59751254525 // indirect github.com/kubescape/rbac-utils v0.0.20 // indirect - github.com/mailru/easyjson v0.7.6 // indirect - github.com/mattn/go-colorable v0.1.12 // indirect - github.com/mattn/go-isatty v0.0.14 // indirect - github.com/mitchellh/go-homedir v1.1.0 // indirect + github.com/mailru/easyjson v0.7.7 // indirect + github.com/mattn/go-colorable v0.1.13 // indirect + github.com/mattn/go-isatty v0.0.17 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect + 
github.com/opencontainers/image-spec v1.1.0-rc4 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect - github.com/pquerna/cachecontrol v0.1.0 // indirect + github.com/pquerna/cachecontrol v0.2.0 // indirect github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/tchap/go-patricia/v2 v2.3.1 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/yannh/kubeconform v0.6.2 - github.com/yashtewari/glob-intersection v0.1.0 // indirect - go.opencensus.io v0.23.0 // indirect - go.uber.org/atomic v1.7.0 // indirect - go.uber.org/multierr v1.6.0 // indirect - go.uber.org/zap v1.22.0 // indirect - golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e // indirect - golang.org/x/net v0.7.0 // indirect - golang.org/x/oauth2 v0.0.0-20220630143837-2104d58473e0 // indirect - golang.org/x/sys v0.5.0 // indirect - golang.org/x/term v0.5.0 // indirect - golang.org/x/text v0.7.0 // indirect - golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect - google.golang.org/api v0.85.0 // indirect + github.com/yashtewari/glob-intersection v0.2.0 // indirect + go.opencensus.io v0.24.0 // indirect + go.uber.org/atomic v1.11.0 // indirect + go.uber.org/multierr v1.11.0 // indirect + go.uber.org/zap v1.24.0 // indirect + golang.org/x/crypto v0.11.0 // indirect + golang.org/x/net v0.12.0 // indirect + golang.org/x/oauth2 v0.10.0 // indirect + golang.org/x/sys v0.10.0 // indirect + golang.org/x/term v0.10.0 // indirect + golang.org/x/text v0.11.0 // indirect + golang.org/x/time v0.3.0 // indirect + google.golang.org/api v0.126.0 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20220708155623-50e5f4832e73 // indirect - google.golang.org/grpc v1.49.0 // indirect - google.golang.org/protobuf 
v1.28.1 // indirect + google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc // indirect + google.golang.org/grpc v1.56.2 // indirect + google.golang.org/protobuf v1.31.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/square/go-jose.v2 v2.6.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect - k8s.io/api v0.25.3 // indirect - k8s.io/apimachinery v0.25.3 // indirect - k8s.io/client-go v0.25.3 // indirect - k8s.io/klog/v2 v2.70.1 // indirect - k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect - k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect - sigs.k8s.io/controller-runtime v0.12.3 // indirect - sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect - sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect + k8s.io/api v0.27.4 // indirect + k8s.io/apimachinery v0.27.4 // indirect + k8s.io/client-go v0.27.4 // indirect + k8s.io/klog/v2 v2.100.1 // indirect + k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect + k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect + sigs.k8s.io/controller-runtime v0.15.0 // indirect + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect sigs.k8s.io/yaml v1.3.0 // indirect ) diff --git a/testrunner/go.sum b/testrunner/go.sum index 60d22354e..1261d01a4 100644 --- a/testrunner/go.sum +++ b/testrunner/go.sum 
@@ -15,41 +15,21 @@ cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKV cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= -cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= -cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= -cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg= -cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8= -cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0= -cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY= -cloud.google.com/go v0.84.0/go.mod h1:RazrYuxIK6Kb7YrzzhPoLmCVzl7Sup4NrbKPg8KHSUM= -cloud.google.com/go v0.87.0/go.mod h1:TpDYlFy7vuLzZMMZ+B6iRiELaY7z/gJPaqbMx6mlWcY= -cloud.google.com/go v0.90.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ= -cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI= -cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4= -cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc= -cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA= -cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A= -cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc= -cloud.google.com/go v0.102.1 h1:vpK6iQWv/2uUeFJth4/cBHsQAGjn1iIE6AAlxipRaA0= -cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34hIU= +cloud.google.com/go v0.110.2 h1:sdFPBr6xG9/wkBbfhmUz/JmZC7X6LavQgcrVINrKiVA= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/bigquery v1.3.0/go.mod 
h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= -cloud.google.com/go/compute v0.1.0/go.mod h1:GAesmwr110a34z04OlxYkATPBEfVhkymfTBXtfbBFow= -cloud.google.com/go/compute v1.3.0/go.mod h1:cCZiE1NHEtai4wiufUhW8I8S1JKkAnhnQJWM7YD99wM= -cloud.google.com/go/compute v1.5.0/go.mod h1:9SMHyhJlzhlkJqrPAc839t2BZFTSk6Jdj6mkzQJeu0M= -cloud.google.com/go/compute v1.6.0/go.mod h1:T29tfhtVbq1wvAPo0E3+7vhgmkOYeXjhFvz/FMzPu0s= -cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU= -cloud.google.com/go/compute v1.7.0 h1:v/k9Eueb8aAJ0vZuxKMrgm6kPhCLZU9HxFU+AFDs9Uk= -cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U= -cloud.google.com/go/container v1.2.0 h1:LPKlQa4XfBTWdaBSDx/KQ/v45l8FDRzSV0tDpU6e/38= -cloud.google.com/go/container v1.2.0/go.mod h1:Cj2AgMsCUfMVfbGh0Fx7u5Ah/qeC0ajLrqqGGiAdCGw= +cloud.google.com/go/compute v1.20.1 h1:6aKEtlUiwEpJzM001l0yFkpXmUVXaN8W+fbkb2AZNbg= +cloud.google.com/go/compute v1.20.1/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM= +cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= +cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= +cloud.google.com/go/container v1.24.0 h1:N51t/cgQJFqDD/W7Mb+IvmAPHrf8AbPx7Bb7aF4lROE= +cloud.google.com/go/container v1.24.0/go.mod h1:lTNExE2R7f+DLbAN+rJiKTisauFCaoDq6NURZ83eVH4= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= -cloud.google.com/go/iam v0.3.0/go.mod 
h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= 
@@ -59,108 +39,105 @@ cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0Zeo cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= -cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y= dmitri.shuralyov.com/app/changes v0.0.0-20180602232624-0a106ad413e3/go.mod h1:Yl+fi1br7+Rr3LqpNJf1/uxUdtRUV+Tnj0o93V2B9MU= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= dmitri.shuralyov.com/html/belt v0.0.0-20180602232347-f7d459c86be0/go.mod h1:JLBrvjyP0v+ecvNYvCpyZgu5/xkfAUhi6wJj28eUfSU= dmitri.shuralyov.com/service/change v0.0.0-20181023043359-a85b471d5412/go.mod h1:a1inKt/atXimZ4Mv927x+r7UpyzRUf4emIoiiSC2TN4= dmitri.shuralyov.com/state v0.0.0-20180228185332-28bcc343414c/go.mod h1:0PRwlb0D6DFvNNtx+9ybjezNCa8XF0xaYcETyp6rHWU= git.apache.org/thrift.git v0.0.0-20180902110319-2566ecd5d999/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg= -github.com/Azure/azure-sdk-for-go v66.0.0+incompatible h1:bmmC38SlE8/E81nNADlgmVGurPWMHDX2YNXVQMrBpEE= -github.com/Azure/azure-sdk-for-go v66.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= -github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= -github.com/Azure/go-autorest/autorest v0.11.24/go.mod h1:G6kyRlFnTuSbEYkQGawPfsCswgme4iYf6rfSKUDzbCc= -github.com/Azure/go-autorest/autorest v0.11.27 h1:F3R3q42aWytozkV8ihzcgMO4OA4cuqr3bNlsEuF6//A= -github.com/Azure/go-autorest/autorest v0.11.27/go.mod h1:7l8ybrIdUmGqZMTD0sRtAr8NvbHjfofbf8RSP2q7w7U= -github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod 
h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= -github.com/Azure/go-autorest/autorest/adal v0.9.20 h1:gJ3E98kMpFB1MFqQCvA1yFab8vthOeD4VlFRQULxahg= -github.com/Azure/go-autorest/autorest/adal v0.9.20/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= -github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 h1:P6bYXFoao05z5uhOQzbC3Qd8JqF3jUoocoTeIxkp2cA= -github.com/Azure/go-autorest/autorest/azure/auth v0.5.11/go.mod h1:84w/uV8E37feW2NCJ08uT9VBfjfUHpgLVnG2InYD6cg= -github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 h1:0W/yGmFdTIT77fvdlGZ0LMISoLHFJ7Tx4U0yeB+uFs4= -github.com/Azure/go-autorest/autorest/azure/cli v0.4.5/go.mod h1:ADQAXrkgm7acgWVUNamOgh8YNrv4p27l3Wc55oVfpzg= -github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw= -github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= -github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= -github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw= -github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU= -github.com/Azure/go-autorest/autorest/to v0.4.0 h1:oXVqrxakqqV1UZdSazDOPOLvOIz+XA683u8EctwboHk= -github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE= -github.com/Azure/go-autorest/autorest/validation v0.3.1 h1:AgyqjAd94fwNAoTjl/WQXg4VvFeRFpO+UhNyRXqF1ac= -github.com/Azure/go-autorest/autorest/validation v0.3.1/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E= -github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg= -github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= -github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= -github.com/Azure/go-autorest/tracing v0.6.0/go.mod 
h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0 h1:8kDqDngH+DmVBiCtIjCFTGa7MBnsIOkF9IccInFEbjk= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 h1:vcYCAze6p19qBW7MhZybIsqD8sMV8js0NyQM8JDnVtg= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0/go.mod h1:OQeznEEkTZ9OrhHJoDD8ZDq51FHgXjqtP9z6bEwBq9U= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization v1.0.0 h1:qtRcg5Y7jNJ4jEzPq4GpWLfTspHdNe2ZK6LjwGcjgmU= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization v1.0.0/go.mod h1:lPneRe3TwsoDRKY4O6YDLXHhEWrD+TIRa8XrV/3/fqw= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.1.1 h1:6A4M8smF+y8nM/DYsLNQz9n7n2ZGaEVqfz8ZWQirQkI= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.1.1/go.mod h1:WqyxV5S0VtXD2+2d6oPqOvyhGubCvzLCKSAKgQ004Uk= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v2 v2.4.0 h1:1u/K2BFv0MwkG6he8RYuUcbbeK22rkoZbg4lKa/msZU= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v2 v2.4.0/go.mod h1:U5gpsREQZE6SLk1t/cFfc1eMhYAlYpEzvaYXuDfefy8= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal v1.1.2 h1:mLY+pNLjCUeKhgnAJWAKhEUQM+RJQo2H1fuGSw1Ky1E= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0 h1:ECsQtyERDVz3NP3kvDOTLvbQhqWp/x9EsGKtb4ogUr8= +github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 h1:OBhqkivkhkMqLPymWEppkm7vgPQY2XsHoEkaMQ0AdZY= 
+github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0/go.mod h1:kgDmCTgBzIEPFElEF+FK0SdjAor06dRq2Go927dnQ6o= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8= github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= -github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI= -github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M= -github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8= github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo= github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= -github.com/armosec/armoapi-go v0.0.119 h1:7XbvBbOKp26Bpp72LQ8Spw4FBpbXu3+qZFQyPEwTPFk= -github.com/armosec/armoapi-go v0.0.119/go.mod h1:2zoNzb3Fy9ZByeczJZ47ftDRLRzTykVdTISS3GTc/JU= -github.com/armosec/utils-go v0.0.12 h1:NXkG/BhbSVAmTVXr0qqsK02CmxEiXuJyPmdTRcZ4jAo= -github.com/armosec/utils-go v0.0.12/go.mod h1:F/K1mI/qcj7fNuJl7xktoCeHM83azOF0Zq6eC2WuPyU= 
-github.com/armosec/utils-k8s-go v0.0.12 h1:u7kHSUp4PpvPP3hEaRXMbM0Vw23IyLhAzzE+2TW6Jkk= -github.com/armosec/utils-k8s-go v0.0.12/go.mod h1:rPHiOaHefWa9ujspwvYYAp0uEbqGGyAMiNrFa/Gpp/8= -github.com/aws/aws-sdk-go-v2 v1.16.7 h1:zfBwXus3u14OszRxGcqCDS4MfMCv10e8SMJ2r8Xm0Ns= -github.com/aws/aws-sdk-go-v2 v1.16.7/go.mod h1:6CpKuLXg2w7If3ABZCl/qZ6rEgwtjZTn4eAf4RcEyuw= -github.com/aws/aws-sdk-go-v2/config v1.15.13 h1:CJH9zn/Enst7lDiGpoguVt0lZr5HcpNVlRJWbJ6qreo= -github.com/aws/aws-sdk-go-v2/config v1.15.13/go.mod h1:AcMu50uhV6wMBUlURnEXhr9b3fX6FLSTlEV89krTEGk= -github.com/aws/aws-sdk-go-v2/credentials v1.12.8 h1:niTa7zc7uyOP2ufri0jPESBt1h9yP3Zc0q+xzih3h8o= -github.com/aws/aws-sdk-go-v2/credentials v1.12.8/go.mod h1:P2Hd4Sy7mXRxPNcQMPBmqszSJoDXexX8XEDaT6lucO0= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.8 h1:VfBdn2AxwMbFyJN/lF/xuT3SakomJ86PZu3rCxb5K0s= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.8/go.mod h1:oL1Q3KuCq1D4NykQnIvtRiBGLUXhcpY5pl6QZB2XEPU= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.14 h1:2C0pYHcUBmdzPj+EKNC4qj97oK6yjrUhc1KoSodglvk= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.14/go.mod h1:kdjrMwHwrC3+FsKhNcCMJ7tUVj/8uSD5CZXeQ4wV6fM= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.8 h1:2J+jdlBJWEmTyAwC82Ym68xCykIvnSnIN18b8xHGlcc= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.8/go.mod h1:ZIV8GYoC6WLBW5KGs+o4rsc65/ozd+eQ0L31XF5VDwk= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.15 h1:QquxR7NH3ULBsKC+NoTpilzbKKS+5AELfNREInbhvas= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.15/go.mod h1:Tkrthp/0sNBShQQsamR7j/zY4p19tVTAs+nnqhH6R3c= -github.com/aws/aws-sdk-go-v2/service/eks v1.21.4 h1:qmKWieiIiYwD46GRD6nxFc1KsyR0ChGRid8emb7rDEY= -github.com/aws/aws-sdk-go-v2/service/eks v1.21.4/go.mod h1:Th2+t6mwi0bZayXUOFOTuyWR2nwRUVcadDy4WGE8C2E= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.8 h1:oKnAXxSF2FUvfgw8uzU/v9OTYorJJZ8eBmWhr9TWVVQ= 
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.8/go.mod h1:rDVhIMAX9N2r8nWxDUlbubvvaFMnfsm+3jAV7q+rpM4= -github.com/aws/aws-sdk-go-v2/service/sso v1.11.11 h1:XOJWXNFXJyapJqQuCIPfftsOf0XZZioM0kK6OPRt9MY= -github.com/aws/aws-sdk-go-v2/service/sso v1.11.11/go.mod h1:MO4qguFjs3wPGcCSpQ7kOFTwRvb+eu+fn+1vKleGHUk= -github.com/aws/aws-sdk-go-v2/service/sts v1.16.9 h1:yOfILxyjmtr2ubRkRJldlHDFBhf5vw4CzhbwWIBmimQ= -github.com/aws/aws-sdk-go-v2/service/sts v1.16.9/go.mod h1:O1IvkYxr+39hRf960Us6j0x1P8pDqhTX+oXM5kQNl/Y= -github.com/aws/smithy-go v1.12.0 h1:gXpeZel/jPoWQ7OEmLIgCUnhkFftqNfwWUwAHSlp1v0= -github.com/aws/smithy-go v1.12.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= +github.com/armosec/armoapi-go v0.0.256 h1:eV8WWQ1r+2D0KHhLA6ux6lx67+uqkYe/uVHrOUFqz5c= +github.com/armosec/armoapi-go v0.0.256/go.mod h1:CJT5iH5VF30zjdQYXaQhsAm8IEHtM1T87HcFVXeLX54= +github.com/armosec/gojay v1.2.15 h1:sSB2vnAvacUNkw9nzUYZKcPzhJOyk6/5LK2JCNdmoZY= +github.com/armosec/gojay v1.2.15/go.mod h1:vzVAaay2TWJAngOpxu8aqLbye9jMgoKleuAOK+xsOts= +github.com/armosec/utils-go v0.0.20 h1:bvr+TMumEYdMsGFGSsaQysST7K02nNROFvuajNuKPlw= +github.com/armosec/utils-go v0.0.20/go.mod h1:ZEFiSv8KpTFNT19jHis1IengiF/BGDvg7tHmXo+cwxs= +github.com/armosec/utils-k8s-go v0.0.16 h1:h46PoxAb4OHA2p719PzcAS03lADw4lH4TyRMaZ3ix/g= +github.com/armosec/utils-k8s-go v0.0.16/go.mod h1:QX0QAGlH7KCZq810eO9QjTYqkhjw8cvrr96TZfaUGrk= +github.com/aws/aws-sdk-go-v2 v1.17.3/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= +github.com/aws/aws-sdk-go-v2 v1.19.1 h1:STs0lbbpXu3byTPcnRLghs2DH0yk9qKDo27TyyJSKsM= +github.com/aws/aws-sdk-go-v2 v1.19.1/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= +github.com/aws/aws-sdk-go-v2/config v1.18.30 h1:TTAXQIn31qYFUQjkW6siVrRTX1ux+sADZDOe3jsZcMg= +github.com/aws/aws-sdk-go-v2/config v1.18.30/go.mod h1:+YogjT7e/t9JVu/sOnZZgxTge1G+bPNk8zOaI0QIQvE= +github.com/aws/aws-sdk-go-v2/credentials v1.13.29 h1:KNgCpThGuZyCjq9EuuqoLDenKKMwO/x1Xx01ckDa7VI= 
+github.com/aws/aws-sdk-go-v2/credentials v1.13.29/go.mod h1:VMq1LcmSEa9qxBlOCYTjVuGJWEEzhGmgL552jQsmhss= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.6 h1:kortK122LvTU34CGX/F9oJpelXKkEA2j/MW48II+8+8= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.6/go.mod h1:k7IPHyHNIASI0m0RwOmCjWOTtgG+J0raqwuHH8WhWJE= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.27/go.mod h1:a1/UpzeyBBerajpnP5nGZa9mGzsBn5cOKxm6NWQsvoI= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.36 h1:kbk81RlPoC6e4co7cQx2FAvH9TgbzxIqCqiosAFiB+w= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.36/go.mod h1:T8Jsn/uNL/AFOXrVYQ1YQaN1r9gN34JU1855/Lyjv+o= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.21/go.mod h1:+Gxn8jYn5k9ebfHEqlhrMirFjSW0v0C9fI+KN5vk2kE= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.30 h1:lMl8S5SB8jNCB+Sty2Em4lnu3IJytceHQd7qbmfqKL0= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.30/go.mod h1:v3GSCnFxbHzt9dlWBqvA1K1f9lmWuf4ztupZBCAIVs4= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.37 h1:BXiqvN7WuV/pMhz8CivhO8cG8icJcjnjHumif4ukQ0c= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.37/go.mod h1:d4GZ62cjnz/hjKFdAu11gAwK73bdhqaFv2O4J1gaqIs= +github.com/aws/aws-sdk-go-v2/service/ecr v1.18.0 h1:5RVanD+P+L2W9WU07/8J/A52vnQi7F3ClBdWQttgYlg= +github.com/aws/aws-sdk-go-v2/service/ecr v1.18.0/go.mod h1:9yGOFsa2OcdyePojE89xNGtdBusTyc8ocjpiuFtFc0g= +github.com/aws/aws-sdk-go-v2/service/eks v1.28.1 h1:SA+98Rnehl2KXewvGXc2Lw2ns3Y4t9jdMHmEY5hcNws= +github.com/aws/aws-sdk-go-v2/service/eks v1.28.1/go.mod h1:cQRkgJKg6s9AIzFZ+i4pXdm+/3Fw4MuPNqCdMvSaqns= +github.com/aws/aws-sdk-go-v2/service/iam v1.19.0 h1:9vCynoqC+dgxZKrsjvAniyIopsv3RZFsZ6wkQ+yxtj8= +github.com/aws/aws-sdk-go-v2/service/iam v1.19.0/go.mod h1:OyAuvpFeSVNppcSsp1hFOVQcaTRc1LE24YIR7pMbbAA= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.30 h1:UcVZxLVNY4yayCmiG94Ge3l2qbc5WEB/oa4RmjoQEi0= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url 
v1.9.30/go.mod h1:wPffyJiWWtHwvpFyn23WjAjVjMnlQOQrl02+vutBh3Y= +github.com/aws/aws-sdk-go-v2/service/sso v1.12.14 h1:gUjz7trfz9qBm0AlkKTvJHBXELi1wvw+2LA9GfD2AsM= +github.com/aws/aws-sdk-go-v2/service/sso v1.12.14/go.mod h1:9kfRdJgLCbnyeqZ/DpaSwcgj9ZDYLfRpe8Sze+NrYfQ= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.14 h1:8bEtxV5UT9ucdWGXfZ7CM3caQhSHGjWnTHt0OeF7m7s= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.14/go.mod h1:nd9BG2UnexN2sDx/mk2Jd6pf3d2E61AiA8m8Fdvdx8Y= +github.com/aws/aws-sdk-go-v2/service/sts v1.20.1 h1:U7h9CPoyMfVoN5jUglB0LglCMP10AK4vMBsbsCKM8Yw= +github.com/aws/aws-sdk-go-v2/service/sts v1.20.1/go.mod h1:BUHusg4cOA1TFGegj7x8/eoWrbdHzJfoMrXcbMQAG0k= +github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8= +github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= +github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g= github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s= -github.com/bytecodealliance/wasmtime-go v1.0.0 h1:9u9gqaUiaJeN5IoD1L7egD8atOnTGyJcNp8BhkL9cUU= +github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA= +github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM= +github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/cespare/xxhash v1.1.0 
h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE= +github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= +github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/coreos/go-oidc v2.2.1+incompatible 
h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk= github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= 
@@ -169,43 +146,39 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/dgraph-io/badger/v3 v3.2103.2 h1:dpyM5eCJAtQCBcMCZcT4UBZchuTJgCywerHHgmxfxM8= -github.com/dgraph-io/ristretto v0.1.0 h1:Jv3CGQHp9OjuMBSne1485aDpUkTKEcUqF+jm/LuerPI= +github.com/dgraph-io/badger/v3 v3.2103.5 h1:ylPa6qzbjYRQMU6jokoj4wzcaweHylt//CH0AKt0akg= +github.com/dgraph-io/ristretto v0.1.1 h1:6CWw5tJNgpegArSHpNHJKldNeq03FQCwYvfMVWajOK8= github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+UbP35JkH8yB7MYb4q/qhBarqZE6g= github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA= -github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U= -github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE= -github.com/docker/docker v20.10.24+incompatible h1:Ugvxm7a8+Gz6vqQYQQ2W7GYq5EUPaAiuPgIfVyI3dYE= -github.com/docker/docker v20.10.24+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= +github.com/docker/docker v24.0.5+incompatible h1:WmgcE4fxyI6EEXxBRxsHnZXrO1pQ3smi0k/jho4HLeY= +github.com/docker/docker v24.0.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= -github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw= -github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/docker/go-units v0.5.0 
h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= +github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= -github.com/emicklei/go-restful/v3 v3.8.0 h1:eCZ8ulSerjdAiaNpF7GxXIE7ZCMo1moN1qX+S609eVw= -github.com/emicklei/go-restful/v3 v3.8.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= +github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= -github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= -github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= -github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod 
h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= -github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w= -github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= +github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs= +github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw= +github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk= github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc= github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= -github.com/foxcpp/go-mockdns v0.0.0-20210729171921-fb145fc6f897 h1:E52jfcE64UG42SwLmrW0QByONfGynWuzBvm86BoB9z8= +github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI= github.com/francoispqt/gojay v1.2.13 h1:d2m3sFjloqoIUQU3TsHBgj6qg/BVGlTBeHDUmyJnXKk= github.com/francoispqt/gojay v1.2.13/go.mod h1:ehT5mTG4ua4581f1++1WLG0vPdaA9HaiDsoyrBGkyDY= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= -github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI= github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/gliderlabs/ssh v0.1.1/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0= 
@@ -213,30 +186,33 @@ github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= +github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A= +github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0= -github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/zapr v1.2.0 h1:n4JnPI1T3Qq1SFEi/F8rwLrZERp2bso19PJZDB9dayk= -github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY= -github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonreference v0.19.5 h1:1WJP/wi4OjB4iV8KVbH73rQaoialJrqv8gitZLxGLtM= -github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg= -github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng= -github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= +github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= +github.com/go-logr/logr v1.2.4/go.mod 
h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= +github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo= +github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= +github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= +github.com/go-openapi/jsonreference v0.20.1 h1:FBLnyygC4/IZZr893oiomc9XaghoveYTrLC1F86HID8= +github.com/go-openapi/jsonreference v0.20.1/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= +github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= -github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU= -github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= +github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= +github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/glog v1.0.0 
h1:nfP3RFugxnNRyKgeWd4oI1nYvXpxrx8ck8ZrcizshdQ= github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= +github.com/golang/glog v1.1.1 h1:jxpi2eWoU84wbX9iIEyAeeoac3FLuifZpY9tcNUD9kw= +github.com/golang/glog v1.1.1/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= @@ -250,8 +226,6 @@ github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= -github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= -github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 
@@ -267,10 +241,9 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= -github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= +github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= 
@@ -284,14 +257,12 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= -github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg= github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ= github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 
@@ -299,8 +270,6 @@ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= -github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= -github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 
@@ -308,39 +277,33 @@ github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hf github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/s2a-go v0.1.4 h1:1kZ/sQM3srePvKs3tXAvQzo66XfcReoqFpIpIccE7Oc= +github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod 
h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8= -github.com/googleapis/enterprise-certificate-proxy v0.1.0 h1:zO8WHNx/MYiAKJ3d5spxZXZE6KHmIQGQcAzwUzV7qQw= -github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8= +github.com/googleapis/enterprise-certificate-proxy v0.2.3 h1:yk9/cqRKtT9wXZSsRH9aurXEpJX+U6FLtpYTdC3R06k= +github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k= github.com/googleapis/gax-go v2.0.0+incompatible/go.mod h1:SFVmujtThgffbyetf+mdk2eWhX2bMyUtNHzFKcPA9HY= github.com/googleapis/gax-go/v2 v2.0.3/go.mod h1:LLvjysVCY1JZeum8Z6l8qUty8fiNwE08qbEPm1M08qg= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= -github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0= -github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM= -github.com/googleapis/gax-go/v2 v2.2.0/go.mod h1:as02EH8zWkzwUoLbBaFeQ+arQaj/OthfcblKl4IGNaM= -github.com/googleapis/gax-go/v2 v2.3.0/go.mod h1:b8LNqSzNabLiUpXKkY7HAR5jr6bIT99EXz9pXxye9YM= -github.com/googleapis/gax-go/v2 v2.4.0 h1:dS9eYAjhrE2RjmzYw2XAPvcXfmcQLtFEQWn0CR82awk= -github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK9wbMD5+iXC6c= -github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4= +github.com/googleapis/gax-go/v2 v2.11.0 h1:9V9PWXEsWnPpQhu/PeQIkS4eGzMlTLGgt80cUUI8Ki4= +github.com/googleapis/gax-go/v2 v2.11.0/go.mod h1:DxmR61SGKkGLa2xigwuZIQpkCI2S5iydzRfb3peWZJI= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= +github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI= +github.com/gorilla/mux v1.8.0/go.mod 
h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/grpc-ecosystem/grpc-gateway v1.5.0/go.mod h1:RSKVYQBd5MCa4OVpNdGskqpgL2+G+NZTnrVHpWWfpdw= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.2 h1:gDLXvp5S9izjldquuoAhDzccbskOL6tDC5jMSyx3zxE= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.2/go.mod h1:7pdNwVWBBHGiCxa9lAszqCJMbfTISJ7oMftp8+UGV08= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU= github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1/go.mod h1:E0B/fFc00Y+Rasa88328GlI/XbtyysCtTHZS8h7IrBU= 
@@ -357,42 +320,40 @@ github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.13.6 h1:P76CopJELS0TiO2mebmnzgWaajssP/EszplttgQxcgc= +github.com/klauspost/compress v1.16.0 h1:iULayQNOReoYUe+1qtKOqw9CwJv3aNQu8ivo7lw1HU4= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= -github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/pty v1.1.3/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/kubescape/go-logger v0.0.6 h1:ynhAmwrz0O7Jtqq1CdmCZUrKveji25hVP+B/FAb3QrA= -github.com/kubescape/go-logger v0.0.6/go.mod h1:DnVWEvC90LFY1nNMaNo6nBVOcqkLMK3S0qzXP1fzRvI= -github.com/kubescape/k8s-interface v0.0.89 h1:OtlvZosHpjlbHfsilfQk2wRbuBnxwF0e+WZX6GbkfLU= -github.com/kubescape/k8s-interface v0.0.89/go.mod h1:pgFRs20mHiavf6+fFWY7h/f8HuKlwuZwirvjxiKJlu0= -github.com/kubescape/opa-utils v0.0.204 h1:9O9drjyzjOhI7Xi2S4Px0WKa66U5GFPQqeOLvhDqHnw= -github.com/kubescape/opa-utils v0.0.204/go.mod h1:rDC3PANuk8gU5lSDO/WPFTluypBQ+/6qiuZLye+slYg= +github.com/kubescape/go-logger v0.0.14-0.20230730134225-e59751254525 
h1:9wzR38LebiA58cGxRBnsF78k4eJGnk7UetoTPKkyz2A= +github.com/kubescape/go-logger v0.0.14-0.20230730134225-e59751254525/go.mod h1:Al+yTE+vemECb/Myn2G9+2o2uFmMtphbkQmxf4OEHxE= +github.com/kubescape/k8s-interface v0.0.135-0.20230730135750-e6e709507847 h1:GGuS6pE6KGa5q7j9fkRN3p1eQw16/jLUMnPR8FT3O6M= +github.com/kubescape/k8s-interface v0.0.135-0.20230730135750-e6e709507847/go.mod h1:eBd6few7RYplnNNlHoe6d7jMmoE6Kx1emapJ91euBbY= +github.com/kubescape/opa-utils v0.0.272 h1:hqEuYGf/B2HuqbdVUtSsUGJopfXbQOgl3+KvFAu2Gd8= +github.com/kubescape/opa-utils v0.0.272/go.mod h1:VmplJnkhei6mDna+6z183k/HX6GOPgsXiwIlDW8mhKw= github.com/kubescape/rbac-utils v0.0.20 h1:1MMxsCsCZ3ntDi8f9ZYYcY+K7bv50bDW5ZvnGnhMhJw= github.com/kubescape/rbac-utils v0.0.20/go.mod h1:t57AhSrjuNGQ+mpZWQM/hBzrCOeKBDHegFoVo4tbikQ= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/lunixbochs/vtclean v1.0.0/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI= github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA= -github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= -github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= -github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40= -github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= -github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= -github.com/mattn/go-isatty v0.0.14 
h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y= -github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= +github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= +github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= +github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= +github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= +github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng= +github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= -github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI= +github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= +github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/microcosm-cc/bluemonday v1.0.1/go.mod h1:hsXNsILzKxV+sX77C5b8FSuKF00vh2OMYv+xgHpAMF4= github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg= -github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= -github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 
@@ -405,38 +366,42 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/neelance/astrewrite v0.0.0-20160511093645-99348263ae86/go.mod h1:kHJEU3ofeGjhHklVoIGuVj85JJwZ6kWPaJwCIxgnFmo= github.com/neelance/sourcemap v0.0.0-20151028013722-8c68805598ab/go.mod h1:Qr6/a/Q4r9LP1IltGz7tA7iOK1WonHEYhu1HRBA7ZiM= -github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= -github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= -github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= -github.com/onsi/ginkgo/v2 v2.1.6 h1:Fx2POJZfKRQcM1pH49qSZiYeu319wji004qX+GDovrU= -github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q= -github.com/open-policy-agent/opa v0.45.0 h1:P5nuhVRtR+e58fk3CMMbiqr6ZFyWQPNOC3otsorGsFs= -github.com/open-policy-agent/opa v0.45.0/go.mod h1:/OnsYljNEWJ6DXeFOOnoGn8CvwZGMUS4iRqzYdJvmBI= +github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q= +github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU= +github.com/open-policy-agent/opa v0.55.0 h1:s7Vm4ph6zDqqP/KzvUSw9fsKVsm9lhbTZhYGxxTK7mo= +github.com/open-policy-agent/opa v0.55.0/go.mod h1:2Vh8fj/bXCqSwGMbBiHGrw+O8yrho6T/fdaHt5ROmaQ= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 h1:rc3tiVYb5z54aKaDfakKn0dDjIyPpTtszkjuMzyt7ec= -github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= +github.com/opencontainers/image-spec v1.1.0-rc4 h1:oOxKUJWnFC4YGHCCMNql1x4YaDfYBTS5Y4x/Cgeo1E0= 
+github.com/opencontainers/image-spec v1.1.0-rc4/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8= github.com/openzipkin/zipkin-go v0.1.1/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTmOf0Erfk+hxe8= +github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU= +github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/pquerna/cachecontrol v0.1.0 h1:yJMy84ti9h/+OEWa752kBTKv4XC30OtVVHYv/8cTqKc= -github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI= +github.com/pquerna/cachecontrol v0.2.0 h1:vBXSNuE5MYP9IJ5kjsdo8uq+w41jSPgvba2DEnkRx9k= +github.com/pquerna/cachecontrol v0.2.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI= github.com/prometheus/client_golang v0.8.0/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= -github.com/prometheus/client_golang v1.13.0 h1:b71QUfeo5M8gq2+evJdTPfZhYMAU0uKPkyPJ7TPsloU= +github.com/prometheus/client_golang v1.16.0 h1:yk/hx9hDbrGHovbci4BY+pRMfSuuat626eFsHb7tmT8= +github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M= +github.com/prometheus/client_model v0.4.0 
h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY= +github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU= github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= -github.com/prometheus/common v0.37.0 h1:ccBbHCgIiT9uSoFY0vX8H3zsNR5eLt17/RQLUvn8pXE= +github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM= +github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc= github.com/prometheus/procfs v0.0.0-20180725123919-05ee40e3a273/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= -github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo= +github.com/prometheus/procfs v0.10.1 h1:kYK1Va/YMlutzCGazswoHKo//tZVlFpKYh+PymziUAg= +github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM= github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 h1:MkV+77GLUNo5oJ0jf870itWm3D0Sjh7+Za9gazKc5LQ= github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= github.com/santhosh-tekuri/jsonschema/v5 v5.1.1 h1:lEOLY2vyGIqKWUI9nzsOJRV3mb3WC9dXYORsLEUcoeY= github.com/santhosh-tekuri/jsonschema/v5 v5.1.1/go.mod h1:FKdcjfQW6rpZSnxxUvEA5H/cDPdvJ/SZJQLWWXWGrZ0= 
@@ -463,16 +428,17 @@ github.com/shurcooL/reactions v0.0.0-20181006231557-f2e0b4ca5b82/go.mod h1:TCR1l github.com/shurcooL/sanitized_anchor_name v0.0.0-20170918181015-86672fcb3f95/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= github.com/shurcooL/users v0.0.0-20180125191416-49c67e49c537/go.mod h1:QJTqeLYEDaXHZDBsXlPCDqdhQuJkuw4NOtaxYe3xii4= github.com/shurcooL/webdavfs v0.0.0-20170829043945-18c3829fa133/go.mod h1:hKmq5kWdCj2z2KEozexVbfEZIWiTjhE0+UjmZgPqehw= -github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= +github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/sourcegraph/annotate v0.0.0-20160123013949-f4cad6c6324d/go.mod h1:UdhH50NIW0fCiwBSr0co2m7BnFLdv4fQTgdqdJTHFeE= github.com/sourcegraph/syntaxhighlight v0.0.0-20170531221838-bd320f5d308e/go.mod h1:HuIsMU8RRBOtsCgI77wP899iHVBQpCmg4ErYMZB+2IA= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= -github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 
@@ -480,11 +446,21 @@ github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stripe/stripe-go/v74 v74.28.0 h1:ItzPPy+cjMKbR3Oihknt/8dv6PANp3hTThUGZjhF9lc= +github.com/stripe/stripe-go/v74 v74.28.0/go.mod h1:f9L6LvaXa35ja7eyvP6GQswoaIPaBRvGAimAO+udbBw= github.com/tarm/serial v0.0.0-20180830185346-98f6abe2eb07/go.mod h1:kDXzergiv9cbyO7IOYJZWg1U88JhDg3PB6klq9Hg2pA= github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes= github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= +github.com/uptrace/opentelemetry-go-extra/otelutil v0.2.2 h1:CNznWHkrbA6o1q2H/BsH4tIHf4zbKNtndeoV+AH8z0U= +github.com/uptrace/opentelemetry-go-extra/otelutil v0.2.2/go.mod h1:7YSrHCmYPHIXjTWnKSU7EGT0TFEcm3WwSeQquwCGg38= +github.com/uptrace/opentelemetry-go-extra/otelzap v0.2.2 h1:uyrW06oJi4iWvhjPLVfk4qrSP2Zm0AMozKKDmp6i4pE= +github.com/uptrace/opentelemetry-go-extra/otelzap v0.2.2/go.mod h1:PMAs2dNxP55lgt6xu0if+Jasm6s+Xpmqn6ev1NyDfnI= +github.com/uptrace/uptrace-go v1.16.0 h1:yB9vt1hBYYoXWExNx0okubLOjd339d7lH+/5o+Lp+MY= +github.com/uptrace/uptrace-go v1.16.0/go.mod h1:Ssc5wLpoL+9V0qkT5FtrIiru9SY4xb7q1UVLjSpxpCg= github.com/viant/assertly v0.4.8/go.mod 
h1:aGifi++jvCrUaklKEKT0BU95igDNaqkvz+49uaYMPRU= github.com/viant/toolbox v0.24.0/go.mod h1:OxMCG57V0PXuIP2HNQrtJf2CjqdmbrOx5EkMILuUhzM= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= 
@@ -493,30 +469,56 @@ github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHo github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= github.com/yannh/kubeconform v0.6.2 h1:xjUxiCcqTBofTsM3UT6fNb/tKRfqjakNfWvHRa3sGOo= github.com/yannh/kubeconform v0.6.2/go.mod h1:4E6oaL+lh7KgCG2SaOabeeAFBkyKu5D9ab0OEekGcbs= -github.com/yashtewari/glob-intersection v0.1.0 h1:6gJvMYQlTDOL3dMsPF6J0+26vwX9MB8/1q3uAdhmTrg= -github.com/yashtewari/glob-intersection v0.1.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok= +github.com/yashtewari/glob-intersection v0.2.0 h1:8iuHdN88yYuCzCdjt0gDe+6bAhUwBeEWqThExu54RFg= +github.com/yashtewari/glob-intersection v0.2.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= go.opencensus.io v0.18.0/go.mod h1:vKdFvxhtzZ9onBp9VKHK8z/sRpBMnKAsufL7wlDrCOA= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= -go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M= -go.opencensus.io v0.23.0/go.mod 
h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= +go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= +go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.42.0 h1:pginetY7+onl4qN1vl0xW/V/v6OBZ0vVdH+esuJgvmM= +go.opentelemetry.io/contrib/instrumentation/runtime v0.42.0 h1:EbmAUG9hEAMXyfWEasIt2kmh/WmXUznUksChApTgBGc= +go.opentelemetry.io/contrib/instrumentation/runtime v0.42.0/go.mod h1:rD9feqRYP24P14t5kmhNMqsqm1jvKmpx2H2rKVw52V8= +go.opentelemetry.io/otel v1.16.0 h1:Z7GVAX/UkAXPKsy94IU+i6thsQS4nb7LviLpnaNeW8s= +go.opentelemetry.io/otel v1.16.0/go.mod h1:vl0h9NUa1D5s1nv3A5vZOYWn8av4K8Ml6JDeHrT/bx4= +go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.16.0 h1:t4ZwRPU+emrcvM2e9DHd0Fsf0JTPVcbfa/BhTDF03d0= +go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.16.0/go.mod h1:vLarbg68dH2Wa77g71zmKQqlQ8+8Rq3GRG31uc0WcWI= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.39.0 h1:f6BwB2OACc3FCbYVznctQ9V6KK7Vq6CjmYXJ7DeSs4E= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.39.0/go.mod h1:UqL5mZ3qs6XYhDnZaW1Ps4upD+PX6LipH40AoeuIlwU= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.39.0 h1:rm+Fizi7lTM2UefJ1TO347fSRcwmIsUAaZmYmIGBRAo= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.39.0/go.mod h1:sWFbI3jJ+6JdjOVepA5blpv/TJ20Hw+26561iMbWcwU= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.16.0 h1:cbsD4cUcviQGXdw8+bo5x2wazq10SKz8hEbtCRPcU78= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.16.0/go.mod h1:JgXSGah17croqhJfhByOLVY719k1emAXC8MVhCIJlRs= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.16.0 h1:TVQp/bboR4mhZSav+MdgXB8FaRho1RC8UwVn3T0vjVc= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.16.0/go.mod h1:I33vtIe0sR96wfrUcilIzLoA3mLHhRmz9S9Te0S3gDo= +go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.16.0 
h1:+XWJd3jf75RXJq29mxbuXhCXFDG3S3R4vBUeSI2P7tE= +go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.16.0/go.mod h1:hqgzBPTf4yONMFgdZvL/bK42R/iinTyVQtiWihs3SZc= +go.opentelemetry.io/otel/metric v1.16.0 h1:RbrpwVG1Hfv85LgnZ7+txXioPDoh6EdbZHo26Q3hqOo= +go.opentelemetry.io/otel/metric v1.16.0/go.mod h1:QE47cpOmkwipPiefDwo2wDzwJrlfxxNYodqc4xnGCo4= +go.opentelemetry.io/otel/sdk v1.16.0 h1:Z1Ok1YsijYL0CSJpHt4cS3wDDh7p572grzNrBMiMWgE= +go.opentelemetry.io/otel/sdk v1.16.0/go.mod h1:tMsIuKXuuIWPBAOrH+eHtvhTL+SntFtXF9QD68aP6p4= +go.opentelemetry.io/otel/sdk/metric v0.39.0 h1:Kun8i1eYf48kHH83RucG93ffz0zGV1sh46FAScOTuDI= +go.opentelemetry.io/otel/sdk/metric v0.39.0/go.mod h1:piDIRgjcK7u0HCL5pCA4e74qpK/jk3NiUoAHATVAmiI= +go.opentelemetry.io/otel/trace v1.16.0 h1:8JRpaObFoW0pxuVPapkgH8UhHQj+bJW8jJsCZEu5MQs= +go.opentelemetry.io/otel/trace v1.16.0/go.mod h1:Yt9vYq1SdNz3xdjZZK7wcXv1qv2pwLkqr2QVwea0ef0= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= -go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= -go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= -go.uber.org/goleak v1.1.12 h1:gZAh5/EyT/HQwlpkCy6wTpqfH9H8Lz8zbm3dZh+OyzA= -go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4= -go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= -go.uber.org/zap v1.22.0 h1:Zcye5DUgBloQ9BaT4qc9BnjOFog5TvBSAGkJ3Nf70c0= -go.uber.org/zap v1.22.0/go.mod h1:H4siCOZOrAolnUPJEkfaSjDqyP+BDS0DdDWzwcgt3+U= +go.opentelemetry.io/proto/otlp v0.19.0 h1:IVN6GR+mhC4s5yfcTbmzHYODqvWAp3ZedA2SJPI1Nnw= +go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= +go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= +go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= +go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= +go.uber.org/multierr v1.11.0 
h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= +go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= +go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= go4.org v0.0.0-20180809161055-417644f6feb5/go.mod h1:MkTOUMDaeVYJUOUsaDXIhWPZYa1yOyC1qaOBpL57BhE= golang.org/x/build v0.0.0-20190111050920-041ab4dc3f9d/go.mod h1:OWs+y06UdEOHN4y+MfF/py+xQ/tYqIWW03b70/CG9Rw= golang.org/x/crypto v0.0.0-20181030102418-4d3f4d9ffa16/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= @@ -527,9 +529,9 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e h1:T8NU3HyQ8ClP4SEE+KbFlg6n0NhuTsN4MyznaarGsZM= -golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA= +golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -540,6 +542,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= +golang.org/x/exp v0.0.0-20230728194245-b0cb94b80691 h1:/yRP+0AN7mf5DkD3BAI6TOFnd51gEoDEb8o35jIFtgw= +golang.org/x/exp v0.0.0-20230728194245-b0cb94b80691/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= @@ -553,8 +557,6 @@ golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHl golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= 
@@ -563,9 +565,7 @@ golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzB golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -582,7 +582,6 @@ golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 
@@ -598,24 +597,14 @@ golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81R golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= -golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod 
h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.0.0-20220617184016-355a448f1bc9/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g= -golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50= +golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 
@@ -623,23 +612,9 @@ golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4Iltr golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= -golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= -golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= 
-golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE= -golang.org/x/oauth2 v0.0.0-20220630143837-2104d58473e0 h1:VnGaRqoLmqZH/3TMLJwYCEWkR4j1nuIU1U9TvbqsDUw= -golang.org/x/oauth2 v0.0.0-20220630143837-2104d58473e0/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= +golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8= +golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI= golang.org/x/perf v0.0.0-20180704124530-6e6d33e29852/go.mod h1:JLpeXjPJfIyPr5TlbXLkXWLhP8nz10XfvxElABhCtcw= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -650,9 +625,8 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181029174526-d69651ed3497/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -669,7 +643,6 @@ golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -682,64 +655,40 @@ golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU= -golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= +golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY= -golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c= +golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.4/go.mod 
h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo= -golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= +golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4= +golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44= -golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= +golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181030000716-a0a13e073c7b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -783,25 +732,13 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= -golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= -golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors 
v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= -golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= google.golang.org/api v0.0.0-20180910000450-7ca32eb868bf/go.mod h1:4mhQ8q/RsB7i+udVvVy5NUi08OU8ZlA0gRVgrF7VFY0= google.golang.org/api v0.0.0-20181030000543-1d582fd0359e/go.mod h1:4mhQ8q/RsB7i+udVvVy5NUi08OU8ZlA0gRVgrF7VFY0= google.golang.org/api v0.1.0/go.mod h1:UGEZY7KEX120AnNLIHFMKIo4obdJhkp2tPbaPlQx13Y= 
@@ -821,31 +758,8 @@ google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0M google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= -google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= -google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= -google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= -google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= -google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= -google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo= -google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4= -google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw= -google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU= -google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k= -google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= -google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= -google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI= -google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I= -google.golang.org/api v0.63.0/go.mod h1:gs4ij2ffTRXwuzzgJl/56BdwJaA194ijkfn++9tDuPo= -google.golang.org/api v0.67.0/go.mod h1:ShHKP8E60yPsKNw/w8w+VYaj9H6buA5UqDp8dhbQZ6g= -google.golang.org/api v0.70.0/go.mod h1:Bs4ZM2HGifEvXwd50TtW70ovgJffJYw2oRCOFU/SkfA= -google.golang.org/api v0.71.0/go.mod h1:4PyU6e6JogV1f9eA4voyrTY2batOLdgZ5qZ5HOCc4j8= -google.golang.org/api v0.74.0/go.mod h1:ZpfMZOVRMywNyvJFeqL9HRWBgAuRfSjJFpe9QtRRyDs= 
-google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA= -google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw= -google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg= -google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o= -google.golang.org/api v0.85.0 h1:8rJoHuRxx+vCmZtAO/3k1dRLvYNVyTJtZ5oaFZvhgvc= -google.golang.org/api v0.85.0/go.mod h1:AqZf8Ep9uZ2pyTvgL+x0D3Zt0eoT9b5E8fmzfu6FO2g= +google.golang.org/api v0.126.0 h1:q4GJq+cAdMAC7XP7njvQ4tvohGLiSlytuL4BQxbIZ+o= +google.golang.org/api v0.126.0/go.mod h1:mBwVAtz+87bEN6CbA1GtZPDOqY2R5ONPqJeIlvyo4Aw= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.3.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -890,58 +804,14 @@ google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7Fc google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210329143202-679c6ae281ee/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= -google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= -google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= 
-google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= -google.golang.org/genproto v0.0.0-20210604141403-392c879c8b08/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= -google.golang.org/genproto v0.0.0-20210608205507-b6d2f5bf0d7d/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= -google.golang.org/genproto v0.0.0-20210624195500-8bfb893ecb84/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24= -google.golang.org/genproto v0.0.0-20210713002101-d411969a0d9a/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= -google.golang.org/genproto v0.0.0-20210716133855-ce7ef5c701ea/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= -google.golang.org/genproto v0.0.0-20210728212813-7823e685a01f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= -google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= -google.golang.org/genproto v0.0.0-20210813162853-db860fec028c/go.mod h1:cFeNkxwySK631ADgubI+/XFU/xp8FD5KIVV4rj8UC5w= -google.golang.org/genproto v0.0.0-20210821163610-241b8fcbd6c8/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= -google.golang.org/genproto v0.0.0-20210828152312-66f60bf46e71/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= -google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= -google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= -google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= -google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod 
h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211221195035-429b39de9b1c/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20220126215142-9970aeb2e350/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20220207164111-0872dc986b00/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20220218161850-94dd64e39d7c/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= -google.golang.org/genproto v0.0.0-20220222213610-43724f9ea8cf/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= -google.golang.org/genproto v0.0.0-20220304144024-325a89244dc8/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= -google.golang.org/genproto v0.0.0-20220310185008-1973136f34c6/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= -google.golang.org/genproto v0.0.0-20220324131243-acbaeb5b85eb/go.mod h1:hAL49I2IFola2sVEjAn7MEwsja0xp51I0tlGAf9hz4E= -google.golang.org/genproto v0.0.0-20220407144326-9054f6ed7bac/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= -google.golang.org/genproto v0.0.0-20220413183235-5e96e2839df9/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= -google.golang.org/genproto v0.0.0-20220414192740-2d67ff6cf2b4/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= -google.golang.org/genproto v0.0.0-20220421151946-72621c1f0bd3/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= -google.golang.org/genproto v0.0.0-20220429170224-98d788798c3e/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= -google.golang.org/genproto v0.0.0-20220505152158-f39f71e6c8f3/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= -google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= -google.golang.org/genproto 
v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= -google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= -google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= -google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= -google.golang.org/genproto v0.0.0-20220708155623-50e5f4832e73 h1:sdZWfcGN37Dv0QWIhuasQGMzAQJOL2oqnvot4/kPgfQ= -google.golang.org/genproto v0.0.0-20220708155623-50e5f4832e73/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= +google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc h1:8DyZCyvI8mE1IdLy/60bS+52xfymkE72wv1asokgtao= +google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:xZnkP7mREFX5MORlOPEzLMr+90PPZQ2QWzrVTWfAq64= +google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc h1:kVKPf/IiYSBWEWtkIn6wZXwWGCnLKcC8oWfZvXjsGnM= +google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc h1:XSJ8Vk1SWuNr8S18z1NZSziL0CPIXLCCMDOEFtHBOFc= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.16.0/go.mod h1:0JHn/cJsOMiMfNA9+DeHDlAU7KAAB5GDlYFpa9MZMio= google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= 
@@ -957,28 +827,14 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= -google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= -google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= -google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= -google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= -google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= -google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= -google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= +google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ= -google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= -google.golang.org/grpc v1.46.2/go.mod 
h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= -google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= -google.golang.org/grpc v1.49.0 h1:WTLtQzmQori5FUH25Pq4WT22oCsv8USpQ+F6rqtsmxw= -google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= -google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= +google.golang.org/grpc v1.56.2 h1:fVRFRnXvU+x6C4IlHZewvJOVHoOv1TUuQyoRsYnB4bI= +google.golang.org/grpc v1.56.2/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 
@@ -992,20 +848,18 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w= -google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= +google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI= gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= -gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/yaml.v2 v2.2.1/go.mod 
h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= @@ -1017,7 +871,7 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gotest.tools/v3 v3.3.0 h1:MfDY1b1/0xN1CyMlQDac0ziEy9zJQd9CXBRRDHw2jJo= +gotest.tools/v3 v3.5.0 h1:Ljk6PdHdOhAb5aDMWXjDLMMhph+BpztA4v1QdqEW2eY= grpc.go4.org v0.0.0-20170609214715-11d0a25b4919/go.mod h1:77eQGdRu53HpSqPFJFmuJdjuHRquDANNeA4x7B8WQ9o= honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 
@@ -1027,28 +881,27 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.25.3 h1:Q1v5UFfYe87vi5H7NU0p4RXC26PPMT8KOpr1TLQbCMQ= -k8s.io/api v0.25.3/go.mod h1:o42gKscFrEVjHdQnyRenACrMtbuJsVdP+WVjqejfzmI= -k8s.io/apimachinery v0.25.3 h1:7o9ium4uyUOM76t6aunP0nZuex7gDf8VGwkR5RcJnQc= -k8s.io/apimachinery v0.25.3/go.mod h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqwo= -k8s.io/client-go v0.25.3 h1:oB4Dyl8d6UbfDHD8Bv8evKylzs3BXzzufLiO27xuPs0= -k8s.io/client-go v0.25.3/go.mod h1:t39LPczAIMwycjcXkVc+CB+PZV69jQuNx4um5ORDjQA= -k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= -k8s.io/klog/v2 v2.70.1 h1:7aaoSdahviPmR+XkS7FyxlkkXs6tHISSG03RxleQAVQ= -k8s.io/klog/v2 v2.70.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 h1:MQ8BAZPZlWk3S9K4a9NCkIFQtZShWqoha7snGixVgEA= -k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU= -k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed h1:jAne/RjBTyawwAy0utX5eqigAwz/lQhTmy+Hr/Cpue4= -k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/api v0.27.4 h1:0pCo/AN9hONazBKlNUdhQymmnfLRbSZjd5H5H3f0bSs= +k8s.io/api v0.27.4/go.mod h1:O3smaaX15NfxjzILfiln1D8Z3+gEYpjEpiNA/1EVK1Y= +k8s.io/apimachinery v0.27.4 h1:CdxflD4AF61yewuid0fLl6bM4a3q04jWel0IlP+aYjs= +k8s.io/apimachinery v0.27.4/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E= +k8s.io/client-go v0.27.4 h1:vj2YTtSJ6J4KxaC88P4pMPEQECWMY8gqPqsTgUKzvjk= +k8s.io/client-go v0.27.4/go.mod h1:ragcly7lUlN0SRPk5/ZkGnDjPknzb37TICq07WhI6Xc= +k8s.io/klog/v2 v2.100.1 
h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= +k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg= +k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/controller-runtime v0.12.3 h1:FCM8xeY/FI8hoAfh/V4XbbYMY20gElh9yh+A98usMio= -sigs.k8s.io/controller-runtime v0.12.3/go.mod h1:qKsk4WE6zW2Hfj0G4v10EnNB2jMG1C+NTb8h+DwCoU0= -sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k= -sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= -sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= +sigs.k8s.io/controller-runtime v0.15.0 h1:ML+5Adt3qZnMSYxZ7gAverBLNPSMQEibtzAgp0UPojU= +sigs.k8s.io/controller-runtime v0.15.0/go.mod h1:7ngYvp1MLT+9GeZ+6lH3LOlcHkp/+tzA/fmHa4iq9kk= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/structured-merge-diff/v4 v4.3.0 h1:UZbZAZfX0wV2zr7YZorDz6GXROfDFj6LvqCRm4VUVKk= +sigs.k8s.io/structured-merge-diff/v4 v4.3.0/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/yaml v1.3.0 
h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= sourcegraph.com/sourcegraph/go-diff v0.5.0/go.mod h1:kuch7UrkMzY0X+p9CRK03kfuPQ2zzQcaEFbx8wA8rck= diff --git a/testrunner/opaprocessor/processorutils.go b/testrunner/opaprocessor/processorutils.go index eddb8beb6..c242222bc 100644 --- a/testrunner/opaprocessor/processorutils.go +++ b/testrunner/opaprocessor/processorutils.go @@ -161,6 +161,7 @@ func AssertResponses(t *testing.T, responses []reporthandling.RuleResponse, expe return err } + //fmt.Println("actual:", string(actual)) require.JSONEq(t, string(expected), string(actual)) return nil } diff --git a/testrunner/rego_test.go b/testrunner/rego_test.go index d6e682c06..4add17838 100644 --- a/testrunner/rego_test.go +++ b/testrunner/rego_test.go @@ -52,7 +52,7 @@ func TestSingleRule(t *testing.T) { // To print the output // Change the testDir variable to the directory of the rego you want to test func TestSingleRego(t *testing.T) { - testDir := "ensure-endpointprivateaccess-is-enabled" + testDir := "ensure-that-the-scheduler-profiling-argument-is-set-to-false" dir := fmt.Sprintf("%v/input", testSingleRegoDirectory) mocks, err := os.Open(dir) if err != nil {
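Review bot: The added `//fmt.Println("actual:", string(actual))` in AssertResponses is commented-out debug code and should either be removed or turned into test logging rather than left as a comment to be un-commented by hand. A `t.Logf("actual: %s", actual)` on the same line is silent unless the test fails or `-v` is passed, so it gives the same debugging aid without the dead line; require.JSONEq on the next line already reports the expected/actual mismatch on failure, so it may be redundant altogether. AssertResponses begins outside the hunk, so I cannot see how `actual` is produced.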
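Review bot: The new `testDir := "ensure-that-the-scheduler-profiling-argument-is-set-to-false"` keeps TestSingleRego pinned to whichever rule the last developer happened to be debugging, and the comment above the function even instructs editing the literal, so this value will keep churning in commits. Reading it from the environment and skipping when unset avoids that: `testDir := os.Getenv("REGO_TEST_DIR")` followed by `if testDir == "" { t.Skip("REGO_TEST_DIR not set") }` (`os` is already imported, as `os.Open` shows). If this test runs with the rest of the package in CI, the skip also stops it from silently exercising a single hard-coded rule; TestSingleRego continues past the hunk, so I cannot see where `testDir` is consumed.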