From e54224769a25379644299fb42c699777a6ed07fc Mon Sep 17 00:00:00 2001 From: Meital Rudnitsky Date: Sun, 8 Oct 2023 16:44:31 +0300 Subject: [PATCH] use 1st value in recommended labels for label key --- rules/k8s-common-labels-usage/raw.rego | 12 +++++++++--- rules/k8s-common-labels-usage/test/cronjob/data.json | 8 ++++++++ .../test/cronjob/expected.json | 2 +- rules/k8s-common-labels-usage/test/pod/expected.json | 2 +- .../test/workload-fail/data.json | 8 ++++++++ .../test/workload-fail/expected.json | 2 +- rules/label-usage-for-resources/raw.rego | 11 ++++++++--- .../test/cronjob/expected.json | 4 ++-- rules/label-usage-for-resources/test/pod/data.json | 8 ++++++++ .../label-usage-for-resources/test/pod/expected.json | 2 +- .../test/workload-fail/data.json | 8 ++++++++ .../test/workload-fail/expected.json | 2 +- 12 files changed, 56 insertions(+), 13 deletions(-) create mode 100644 rules/k8s-common-labels-usage/test/cronjob/data.json create mode 100644 rules/k8s-common-labels-usage/test/workload-fail/data.json create mode 100644 rules/label-usage-for-resources/test/pod/data.json create mode 100644 rules/label-usage-for-resources/test/workload-fail/data.json diff --git a/rules/k8s-common-labels-usage/raw.rego b/rules/k8s-common-labels-usage/raw.rego index 7ae3bac8f..24eea2d7c 100644 --- a/rules/k8s-common-labels-usage/raw.rego +++ b/rules/k8s-common-labels-usage/raw.rego @@ -86,19 +86,19 @@ no_K8s_label_usage(wl, podSpec, beggining_of_pod_path) = path{ no_K8s_label_or_no_K8s_label_usage(wl, beggining_of_path) = path{ not wl.metadata.labels - path = [{"path": sprintf("%vmetadata.labels.YOUR_KEY", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, get_label_key()]), "value": "YOUR_VALUE"}] } no_K8s_label_or_no_K8s_label_usage(wl, beggining_of_path) = path{ metadata := wl.metadata not metadata.labels - path = [{"path": sprintf("%vmetadata.labels.YOUR_KEY", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, get_label_key()]), "value": "YOUR_VALUE"}] } no_K8s_label_or_no_K8s_label_usage(wl, beggining_of_path) = path{ labels := wl.metadata.labels not all_kubernetes_labels(labels) - path = [{"path": sprintf("%vmetadata.labels.YOUR_KEY", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, get_label_key()]), "value": "YOUR_VALUE"}] } all_kubernetes_labels(labels){ @@ -106,3 +106,9 @@ all_kubernetes_labels(labels){ recommended_label := recommended_labels[_] labels[recommended_label] } + +get_label_key() = key { + recommended_labels := data.postureControlInputs.k8sRecommendedLabels + count(recommended_labels) > 0 + key := recommended_labels[0] +} else = "YOUR_LABEL" diff --git a/rules/k8s-common-labels-usage/test/cronjob/data.json b/rules/k8s-common-labels-usage/test/cronjob/data.json new file mode 100644 index 000000000..3ef3b49d3 --- /dev/null +++ b/rules/k8s-common-labels-usage/test/cronjob/data.json @@ -0,0 +1,8 @@ +{ + "postureControlInputs": { + "k8sRecommendedLabels": [ + "app.kubernetes.io/name", + "app.kubernetes.io/instance" + ] + } +} \ No newline at end of file diff --git a/rules/k8s-common-labels-usage/test/cronjob/expected.json b/rules/k8s-common-labels-usage/test/cronjob/expected.json index b392487fb..2f9d26829 100644 --- a/rules/k8s-common-labels-usage/test/cronjob/expected.json +++ b/rules/k8s-common-labels-usage/test/cronjob/expected.json @@ -2,7 +2,7 @@ "alertMessage": "the following cronjobs the kubernetes common labels are not defined: hello", "failedPaths": [], "fixPaths": [{ - "path": "spec.jobTemplate.spec.template.metadata.labels.YOUR_KEY", + "path": "spec.jobTemplate.spec.template.metadata.labels.app.kubernetes.io/name", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/k8s-common-labels-usage/test/pod/expected.json b/rules/k8s-common-labels-usage/test/pod/expected.json index 06c6b8361..2a4cac865 100644 --- a/rules/k8s-common-labels-usage/test/pod/expected.json +++ b/rules/k8s-common-labels-usage/test/pod/expected.json @@ -2,7 +2,7 @@ "alertMessage": "in the following pod the kubernetes common labels are not defined: command-demo", "failedPaths": [], "fixPaths": [{ - "path": "metadata.labels.YOUR_KEY", + "path": "metadata.labels.YOUR_LABEL", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/k8s-common-labels-usage/test/workload-fail/data.json b/rules/k8s-common-labels-usage/test/workload-fail/data.json new file mode 100644 index 000000000..3ef3b49d3 --- /dev/null +++ b/rules/k8s-common-labels-usage/test/workload-fail/data.json @@ -0,0 +1,8 @@ +{ + "postureControlInputs": { + "k8sRecommendedLabels": [ + "app.kubernetes.io/name", + "app.kubernetes.io/instance" + ] + } +} \ No newline at end of file diff --git a/rules/k8s-common-labels-usage/test/workload-fail/expected.json b/rules/k8s-common-labels-usage/test/workload-fail/expected.json index b5035f7d9..3a98cdfa0 100644 --- a/rules/k8s-common-labels-usage/test/workload-fail/expected.json +++ b/rules/k8s-common-labels-usage/test/workload-fail/expected.json @@ -2,7 +2,7 @@ "alertMessage": "Deployment: kubernetes-dashboard the kubernetes common labels are is not defined:", "failedPaths": [], "fixPaths": [{ - "path": "spec.template.metadata.labels.YOUR_KEY", + "path": "spec.template.metadata.labels.app.kubernetes.io/name", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/label-usage-for-resources/raw.rego b/rules/label-usage-for-resources/raw.rego index 197422fde..85cb2c3c0 100644 --- a/rules/label-usage-for-resources/raw.rego +++ b/rules/label-usage-for-resources/raw.rego @@ -84,19 +84,19 @@ no_label_usage(wl, podSpec, beggining_of_pod_path) = path{ no_label_or_no_label_usage(wl, beggining_of_path) = path{ not wl.metadata - path = [{"path": sprintf("%vmetadata.labels.YOUR_KEY", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, get_label_key()]), "value": "YOUR_VALUE"}] } no_label_or_no_label_usage(wl, beggining_of_path) = path{ metadata := wl.metadata not metadata.labels - path = [{"path": sprintf("%vmetadata.labels.YOUR_KEY", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, get_label_key()]), "value": "YOUR_VALUE"}] } no_label_or_no_label_usage(wl, beggining_of_path) = path{ labels := wl.metadata.labels not is_desired_label(labels) - path = [{"path": sprintf("%vmetadata.labels.YOUR_KEY", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels.%v", [beggining_of_path, get_label_key()]), "value": "YOUR_VALUE"}] } is_desired_label(labels) { @@ -105,3 +105,8 @@ is_desired_label(labels) { labels[recommended_label] } +get_label_key() = key { + recommended_labels := data.postureControlInputs.recommendedLabels + count(recommended_labels) > 0 + key := recommended_labels[0] +} else = "YOUR_LABEL" diff --git a/rules/label-usage-for-resources/test/cronjob/expected.json b/rules/label-usage-for-resources/test/cronjob/expected.json index c6f1f9a05..595a928d3 100644 --- a/rules/label-usage-for-resources/test/cronjob/expected.json +++ b/rules/label-usage-for-resources/test/cronjob/expected.json @@ -2,10 +2,10 @@ "alertMessage": "the following cronjobs a certain set of labels is not defined: hello", "failedPaths": [], "fixPaths": [{ - "path": "metadata.labels.YOUR_KEY", + "path": "metadata.labels.YOUR_LABEL", "value": "YOUR_VALUE" }, { - "path": "spec.jobTemplate.spec.template.metadata.labels.YOUR_KEY", + "path": "spec.jobTemplate.spec.template.metadata.labels.YOUR_LABEL", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/label-usage-for-resources/test/pod/data.json b/rules/label-usage-for-resources/test/pod/data.json new file mode 100644 index 000000000..a391fd373 --- /dev/null +++ b/rules/label-usage-for-resources/test/pod/data.json @@ -0,0 +1,8 @@ +{ + "postureControlInputs": { + "recommendedLabels": [ + "app", + "tier" + ] + } +} \ No newline at end of file diff --git a/rules/label-usage-for-resources/test/pod/expected.json b/rules/label-usage-for-resources/test/pod/expected.json index 703e96eee..ffcc45464 100644 --- a/rules/label-usage-for-resources/test/pod/expected.json +++ b/rules/label-usage-for-resources/test/pod/expected.json @@ -2,7 +2,7 @@ "alertMessage": "in the following pods a certain set of labels is not defined: command-demo", "failedPaths": [], "fixPaths": [{ - "path": "metadata.labels.YOUR_KEY", + "path": "metadata.labels.app", "value": "YOUR_VALUE" }], "ruleStatus": "", diff --git a/rules/label-usage-for-resources/test/workload-fail/data.json b/rules/label-usage-for-resources/test/workload-fail/data.json new file mode 100644 index 000000000..a391fd373 --- /dev/null +++ b/rules/label-usage-for-resources/test/workload-fail/data.json @@ -0,0 +1,8 @@ +{ + "postureControlInputs": { + "recommendedLabels": [ + "app", + "tier" + ] + } +} \ No newline at end of file diff --git a/rules/label-usage-for-resources/test/workload-fail/expected.json b/rules/label-usage-for-resources/test/workload-fail/expected.json index 59bf2fc95..dcf7acfeb 100644 --- a/rules/label-usage-for-resources/test/workload-fail/expected.json +++ b/rules/label-usage-for-resources/test/workload-fail/expected.json @@ -2,7 +2,7 @@ "alertMessage": "Deployment: kubernetes-dashboard a certain set of labels is not defined:", "failedPaths": [], "fixPaths": [{ - "path": "spec.template.metadata.labels.YOUR_KEY", + "path": "spec.template.metadata.labels.app", "value": "YOUR_VALUE" }], "ruleStatus": "",