From c6fb844b395eb8952b919147d113c85af7d21cf7 Mon Sep 17 00:00:00 2001
From: Craig Box
Date: Mon, 2 Oct 2023 16:15:15 +1300
Subject: [PATCH] Write next text for control input help.
Signed-off-by: Craig Box
---
 README.md | 2 +-
 rules/K8s common labels usage/rule.metadata.json | 2 +-
 rules/container-image-repository-v1/rule.metadata.json | 2 +-
 rules/container-image-repository/rule.metadata.json | 2 +-
 .../rule.metadata.json | 8 ++++----
 rules/exposed-sensitive-interfaces-v1/rule.metadata.json | 2 +-
 rules/exposed-sensitive-interfaces/rule.metadata.json | 2 +-
 rules/insecure-capabilities/rule.metadata.json | 2 +-
 rules/label-usage-for-resources/rule.metadata.json | 2 +-
 rules/resources-cpu-limit-and-request/rule.metadata.json | 8 ++++----
 .../resources-memory-limit-and-request/rule.metadata.json | 8 ++++----
 rules/rule-credentials-configmap/rule.metadata.json | 6 +++---
 rules/rule-credentials-in-env-var/rule.metadata.json | 6 +++---
 .../rule.metadata.json | 4 ++--
 .../rule.metadata.json | 4 ++--
 rules/verify-image-signature/rule.metadata.json | 2 +-
 16 files changed, 31 insertions(+), 31 deletions(-)
diff --git a/README.md b/README.md
index 149ae8f2b..5ecd9a9cc 100644
--- a/README.md
+++ b/README.md
@@ -137,7 +137,7 @@ Example of rule.metadata.json:
 {
 "path": "settings.postureControlInputs.cpu_request_max",
 "name": "cpu_request_max",
- "description": "Ensure CPU max requests are set"
+ "description": "Ensure a CPU resource request is set and is under this defined maximum value."
 }
 ],
 "description": "CPU limits and requests are not set.",
diff --git a/rules/K8s common labels usage/rule.metadata.json b/rules/K8s common labels usage/rule.metadata.json
index 609c361c7..8cfc734bc 100644
--- a/rules/K8s common labels usage/rule.metadata.json
+++ b/rules/K8s common labels usage/rule.metadata.json
@@ -51,7 +51,7 @@
 {
 "path": "settings.postureControlInputs.k8sRecommendedLabels",
 "name": "Kubernetes Recommended Labels",
- "description": "Kubescape checks that workloads have at least one of the following kubernetes recommended labels."
+ "description": "Kubescape checks that workloads have at least one of this list of configurable labels, as recommended in the Kubernetes documentation."
 }
 ],
 "description": "Check if the list of label that start with app.kubernetes.io/ are defined.",
diff --git a/rules/container-image-repository-v1/rule.metadata.json b/rules/container-image-repository-v1/rule.metadata.json
index c9ff85a30..292c8495d 100644
--- a/rules/container-image-repository-v1/rule.metadata.json
+++ b/rules/container-image-repository-v1/rule.metadata.json
@@ -53,7 +53,7 @@
 {
 "path": "settings.postureControlInputs.imageRepositoryAllowList",
 "name": "Allowed image repositories",
- "description": "Kubescape checks that all the containers are using images from the allowed repositories provided in the following list."
+ "description": "Kubescape checks that all container images are from repositories explicitly allowed in this list."
 }
 ],
 "description": "Fails if image is not from allowed repository",
diff --git a/rules/container-image-repository/rule.metadata.json b/rules/container-image-repository/rule.metadata.json
index 2c7005335..989bceb09 100644
--- a/rules/container-image-repository/rule.metadata.json
+++ b/rules/container-image-repository/rule.metadata.json
@@ -53,7 +53,7 @@
 {
 "path": "settings.postureControlInputs.imageRepositoryAllowList",
 "name": "Allowed image repositories",
- "description": "Kubescape checks that all the containers are using images from the allowed repositories provided in the following list."
+ "description": "Kubescape checks that all container images are from repositories explicitly allowed in this list."
 }
 ],
 "description": "Fails if image is not from allowed repository",
diff --git a/rules/excessive_amount_of_vulnerabilities_pods/rule.metadata.json b/rules/excessive_amount_of_vulnerabilities_pods/rule.metadata.json
index 3e4d7de09..f72603726 100644
--- a/rules/excessive_amount_of_vulnerabilities_pods/rule.metadata.json
+++ b/rules/excessive_amount_of_vulnerabilities_pods/rule.metadata.json
@@ -41,13 +41,13 @@
 "controlConfigInputs": [
 {
 "path": "settings.postureControlInputs.max_critical_vulnerabilities",
- "name": "Max critical vulnerabilities",
- "description": "Maximum amount of allowed critical risk vulnerabilities"
+ "name": "Max Critical vulnerabilities",
+ "description": "The maximum number of Critical severity vulnerabilities permitted."
 },
 {
 "path": "settings.postureControlInputs.max_high_vulnerabilities",
- "name": "Max high vulnerabilities",
- "description": "Maximum amount of allowed high risk vulnerabilities"
+ "name": "Max High vulnerabilities",
+ "description": "The maximum number of High severity vulnerabilities permitted."
 }
 ],
 "ruleDependencies": [
diff --git a/rules/exposed-sensitive-interfaces-v1/rule.metadata.json b/rules/exposed-sensitive-interfaces-v1/rule.metadata.json
index f7c2a13f6..17a5910c0 100644
--- a/rules/exposed-sensitive-interfaces-v1/rule.metadata.json
+++ b/rules/exposed-sensitive-interfaces-v1/rule.metadata.json
@@ -58,7 +58,7 @@
 {
 "path": "settings.postureControlInputs.sensitiveInterfaces",
 "name": "Sensitive interfaces",
- "description": "The following interfaces were seen exploited. Kubescape checks it they are externally exposed."
+ "description": "List of known software interfaces that should not generally be exposed to the Internet."
 }
 ],
 "description": "fails if known interfaces have exposed services",
diff --git a/rules/exposed-sensitive-interfaces/rule.metadata.json b/rules/exposed-sensitive-interfaces/rule.metadata.json
index 65b391160..2f479e9f2 100644
--- a/rules/exposed-sensitive-interfaces/rule.metadata.json
+++ b/rules/exposed-sensitive-interfaces/rule.metadata.json
@@ -58,7 +58,7 @@
 {
 "path": "settings.postureControlInputs.servicesNames",
 "name": "Service names",
- "description": "Kubescape will look for the following services that exposes sensitive interfaces of common K8s projects/applications"
+ "description": "List of services relating to known software interfaces that should not generally be exposed to the Internet."
 }
 ],
 "description": "fails if known interfaces have exposed services",
diff --git a/rules/insecure-capabilities/rule.metadata.json b/rules/insecure-capabilities/rule.metadata.json
index 03ec3a8de..7b1f0160b 100644
--- a/rules/insecure-capabilities/rule.metadata.json
+++ b/rules/insecure-capabilities/rule.metadata.json
@@ -51,7 +51,7 @@
 {
 "path": "settings.postureControlInputs.insecureCapabilities",
 "name": "Insecure capabilities",
- "description": "You can see the list of capabilities in https://man7.org/linux/man-pages/man7/capabilities.7.html. Kubescape looks for the following capabilities in containers which might lead to attackers getting high privileges in your system."
+ "description": "Kubescape looks for these capabilities in containers, which might lead to attackers getting elevated privileges in your cluster. You can see the full list of possible capabilities at https://man7.org/linux/man-pages/man7/capabilities.7.html."
 }
 ],
 "description": "fails if container has insecure capabilities",
diff --git a/rules/label-usage-for-resources/rule.metadata.json b/rules/label-usage-for-resources/rule.metadata.json
index 83817a665..bbcc42e18 100644
--- a/rules/label-usage-for-resources/rule.metadata.json
+++ b/rules/label-usage-for-resources/rule.metadata.json
@@ -51,7 +51,7 @@
 {
 "path": "settings.postureControlInputs.recommendedLabels",
 "name": "Recommended Labels",
- "description": "Kubescape checks that workloads have at least one of the following labels."
+ "description": "Kubescape checks that workloads have at least one label that identifies semantic attributes."
 }
 ],
 "description": "check if a certain set of labels is defined, this is a configurable control. Initial list: app, tier, phase, version, owner, env.",
diff --git a/rules/resources-cpu-limit-and-request/rule.metadata.json b/rules/resources-cpu-limit-and-request/rule.metadata.json
index a17b87f07..26fda2dfe 100644
--- a/rules/resources-cpu-limit-and-request/rule.metadata.json
+++ b/rules/resources-cpu-limit-and-request/rule.metadata.json
@@ -55,22 +55,22 @@
 {
 "path": "settings.postureControlInputs.cpu_request_max",
 "name": "cpu_request_max",
- "description": "Ensure CPU max requests are set"
+ "description": "Ensure a CPU resource request is set and is under this defined maximum value."
 },
 {
 "path": "settings.postureControlInputs.cpu_request_min",
 "name": "cpu_request_min",
- "description": "Ensure CPU min requests are set"
+ "description": "Ensure a CPU resource request is set and is above this defined minimum value."
 },
 {
 "path": "settings.postureControlInputs.cpu_limit_max",
 "name": "cpu_limit_max",
- "description": "Ensure CPU max limits are set"
+ "description": "Ensure a CPU resource limit is set and is under this defined maximum value."
 },
 {
 "path": "settings.postureControlInputs.cpu_limit_min",
 "name": "cpu_limit_min",
- "description": "Ensure CPU min limits are set"
+ "description": "Ensure a CPU resource limit is set and is above this defined minimum value."
 }
 ],
 "description": "CPU limits and requests are not set.",
diff --git a/rules/resources-memory-limit-and-request/rule.metadata.json b/rules/resources-memory-limit-and-request/rule.metadata.json
index 9c3c3aff1..8505c889b 100644
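Review bot: The new `recommendedLabels` description in the label-usage-for-resources hunk no longer says that the check is made against the entries of this list, so a user reading the help text cannot tell that the list is what they are configuring; the sibling hunk in rules/K8s common labels usage keeps that link ("at least one of this list of configurable labels"), and the unchanged control description in this hunk states the control is configurable. Suggest `"description": "Kubescape checks that workloads have at least one of this configurable list of labels that identify semantic attributes."` so the two label controls read consistently.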
--- a/rules/resources-memory-limit-and-request/rule.metadata.json
+++ b/rules/resources-memory-limit-and-request/rule.metadata.json
@@ -55,22 +55,22 @@
 {
 "path": "settings.postureControlInputs.memory_request_max",
 "name": "memory_request_max",
- "description": "Ensure memory max requests are set"
+ "description": "Ensure a memory resource request is set and is under this defined maximum value."
 },
 {
 "path": "settings.postureControlInputs.memory_request_min",
 "name": "memory_request_min",
- "description": "Ensure memory min requests are set"
+ "description": "Ensure a memory resource request is set and is above this defined minimum value."
 },
 {
 "path": "settings.postureControlInputs.memory_limit_max",
 "name": "memory_limit_max",
- "description": "Ensure memory max limits are set"
+ "description": "Ensure a memory resource limit is set and is under this defined maximum value."
 },
 {
 "path": "settings.postureControlInputs.memory_limit_min",
 "name": "memory_limit_min",
- "description": "Ensure memory min limits are set"
+ "description": "Ensure a memory resource limit is set and is under this defined maximum value."
 }
 ],
 "description": "memory limits and requests are not set.",
diff --git a/rules/rule-credentials-configmap/rule.metadata.json b/rules/rule-credentials-configmap/rule.metadata.json
index 5b27414ee..cbd03fb57 100644
--- a/rules/rule-credentials-configmap/rule.metadata.json
+++ b/rules/rule-credentials-configmap/rule.metadata.json
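Review bot: The new `memory_limit_min` description, the last added line of this hunk, says the limit must be "under this defined maximum value", which duplicates the `memory_limit_max` text and contradicts the input's name; the parallel `cpu_limit_min` entry in rules/resources-cpu-limit-and-request reads "above this defined minimum value". Change it to `"description": "Ensure a memory resource limit is set and is above this defined minimum value."` so the help text does not steer users toward setting the wrong bound.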
@@ -28,17 +28,17 @@
 {
 "path": "settings.postureControlInputs.sensitiveValues",
 "name": "Values",
- "description": "Secrets are stored as a key/value pair. The names of the keys/values may change from one company to the other. Below you can find some examples of popular value phrases that Kubescape is searching for"
+ "description": "Strings that identify a value that Kubescape believes should be stored in a Secret, and not in a ConfigMap or an environment variable."
 },
 {
 "path": "settings.postureControlInputs.sensitiveKeyNames",
 "name": "Keys",
- "description": "Secrets are stored as a key/value pair. The names of the keys/values may change from one company to the other. Here you can find some examples of popular key phrases that Kubescape is searching for"
+ "description": "Key names that identify a potential value that should be stored in a Secret, and not in a ConfigMap or an environment variable."
 },
 {
 "path": "settings.postureControlInputs.sensitiveValuesAllowed",
 "name": "AllowedValues",
- "description": "Allowed values"
+ "description": "Explicitly allowed values, which will override sensitiveValues."
 }
 ],
 "description": "fails if ConfigMaps have sensitive information in configuration",
diff --git a/rules/rule-credentials-in-env-var/rule.metadata.json b/rules/rule-credentials-in-env-var/rule.metadata.json
index 638d529fb..d5735acfb 100644
--- a/rules/rule-credentials-in-env-var/rule.metadata.json
+++ b/rules/rule-credentials-in-env-var/rule.metadata.json
@@ -54,17 +54,17 @@
 {
 "path": "settings.postureControlInputs.sensitiveValues",
 "name": "Values",
- "description": "Secrets are stored as a key/value pair. The names of the keys/values may change from one company to the other. Below you can find some examples of popular value phrases that Kubescape is searching for"
+ "description": "Strings that identify a value that Kubescape believes should be stored in a Secret, and not in a ConfigMap or an environment variable."
 },
 {
 "path": "settings.postureControlInputs.sensitiveKeyNames",
 "name": "Keys",
- "description": "Secrets are stored as a key/value pair. The names of the keys/values may change from one company to the other. Here you can find some examples of popular key phrases that Kubescape is searching for"
+ "description": "Key names that identify a potential value that should be stored in a Secret, and not in a ConfigMap or an environment variable."
 },
 {
 "path": "settings.postureControlInputs.sensitiveValuesAllowed",
 "name": "AllowedValues",
- "description": "Allowed values"
+ "description": "Explicitly allowed values, which will override sensitiveValues."
 }
 ],
 "description": "fails if Pods have sensitive information in configuration",
diff --git a/rules/rule-identify-blocklisted-image-registries-v1/rule.metadata.json b/rules/rule-identify-blocklisted-image-registries-v1/rule.metadata.json
index 30e58efee..cd97c0ded 100644
--- a/rules/rule-identify-blocklisted-image-registries-v1/rule.metadata.json
+++ b/rules/rule-identify-blocklisted-image-registries-v1/rule.metadata.json
@@ -54,12 +54,12 @@
 {
 "path": "settings.postureControlInputs.publicRegistries",
 "name": "Public registries",
- "description": "Kubescape checks none of these public registries are in use."
+ "description": "Kubescape checks none of these public container registries are in use."
 },
 {
 "path": "settings.postureControlInputs.untrustedRegistries",
 "name": "Registries block list",
- "description": "Kubescape checks none of the following registries are in use."
+ "description": "Kubescape checks none of these user-provided container registries are in use."
 }
 ],
 "description": "Identifying if pod container images are from unallowed registries",
diff --git a/rules/rule-identify-blocklisted-image-registries/rule.metadata.json b/rules/rule-identify-blocklisted-image-registries/rule.metadata.json
index b309468dc..e52b4765f 100644
--- a/rules/rule-identify-blocklisted-image-registries/rule.metadata.json
+++ b/rules/rule-identify-blocklisted-image-registries/rule.metadata.json
@@ -54,12 +54,12 @@
 {
 "path": "settings.postureControlInputs.publicRegistries",
 "name": "Public registries",
- "description": "Kubescape checks none of these public registries are in use."
+ "description": "Kubescape checks none of these public container registries are in use."
 },
 {
 "path": "settings.postureControlInputs.untrustedRegistries",
 "name": "Registries block list",
- "description": "Kubescape checks none of the following registries are in use."
+ "description": "Kubescape checks none of these user-provided container registries are in use."
 }
 ],
 "description": "Identifying if pod container images are from unallowed registries",
diff --git a/rules/verify-image-signature/rule.metadata.json b/rules/verify-image-signature/rule.metadata.json
index c1307607e..486bab218 100644
--- a/rules/verify-image-signature/rule.metadata.json
+++ b/rules/verify-image-signature/rule.metadata.json
@@ -54,7 +54,7 @@
 {
 "path": "settings.postureControlInputs.trustedCosignPublicKeys",
 "name": "Trusted Cosign public keys",
- "description": "Trusted Cosign public keys"
+ "description": "A list of trusted Cosign public keys that are used for validating container image signatures."
 }
 ]
 }
\ No newline at end of file