adding CIS Benchmark controls for 1.2.10-1.2.17 (#22)

* adding CIS Benchmark controls for 1.2.10-1.2.17

Signed-off-by: Michael Fornaro <[email protected]>

* remove redundant lines

Signed-off-by: Michael Fornaro <[email protected]>

* fixing indentation

Signed-off-by: Michael Fornaro <[email protected]>

* refactor policies and standardize violation

Signed-off-by: Michael Fornaro <[email protected]>

* Feature/#20 fix (#23)

* fixed is-in-list test in common functions

Signed-off-by: Saurabh Pandit <[email protected]>

* Tidy up

Signed-off-by: Saurabh Pandit <[email protected]>

Co-authored-by: Saurabh Pandit <[email protected]>

policies/CIS.1.2.10.rego

@@ -0,0 +1,16 @@
+package cis_1_2_10
+
+import data.lib.kubernetes
+
+default_parameters = {
+	"key": "--enable-admission-plugins",
+	"requiredValue": "EventRateLimit"
+}
+
+params = object.union(default_parameters, kubernetes.parameters)
+
+violation[msg] {
+	kubernetes.containers[container]
+	not kubernetes.flag_contains_string(container.command, params.key, params.requiredValue)
+	msg = kubernetes.format(sprintf("%s in the %s %s does not have %s %s", [container.name, kubernetes.kind, kubernetes.name, params.key, params.requiredValue]))
+}

policies/CIS.1.2.10_test.rego

@@ -0,0 +1,37 @@
+package cis_1_2_10
+
+import data.lib.test
+
+test_violation {
+	test.violations(violation) with input as policy_input("--enable-admission-plugins=NodeRestriction")
+}
+
+test_no_violation {
+	test.no_violations(violation) with input as policy_input("--enable-admission-plugins=EventRateLimit")
+}
+
+# test_no_violation {
+# 	test.no_violations(violation) with input as policy_input("--example-no-violation")
+# }
+
+policy_input(kv) = {
+  "apiVersion": "v1",
+  "kind": "Pod",
+  "metadata": {
+    "name": "kube-apiserver",
+    "namespace": "kube-system"
+  },
+  "spec": {
+    "containers": [
+      {
+        "command": [
+          "kube-apiserver",
+          kv
+        ],
+        "image": "k8s.gcr.io/kube-apiserver:v1.18.3",
+        "imagePullPolicy": "IfNotPresent",
+        "name": "kube-apiserver"
+      }
+    ]
+  }
+}

policies/CIS.1.2.11.rego

@@ -0,0 +1,16 @@
+package cis_1_2_11
+
+import data.lib.kubernetes
+
+default_parameters = {
+  "key": "--enable-admission-plugins",
+  "deniedValue": "AlwaysAdmit"
+}
+
+params = object.union(default_parameters, kubernetes.parameters)
+
+violation[msg] {
+  kubernetes.containers[container]
+  kubernetes.flag_contains_string(container.command, params.key, params.deniedValue)
+  msg = kubernetes.format(sprintf("%s in the %s %s should not have %s %s", [container.name, kubernetes.kind, kubernetes.name, params.key, params.deniedValue]))
+}

policies/CIS.1.2.11_test.rego

@@ -0,0 +1,37 @@
+package cis_1_2_11
+
+import data.lib.test
+
+test_violation {
+  test.violations(violation) with input as policy_input("--enable-admission-plugins=AlwaysAdmit")
+}
+
+test_no_violation {
+  test.no_violations(violation) with input as policy_input("--enable-admission-plugins=NodeRestriction")
+}
+
+test_no_violation_2 {
+  test.no_violations(violation) with input as policy_input("")
+}
+
+policy_input(kv) = {
+  "apiVersion": "v1",
+  "kind": "Pod",
+  "metadata": {
+    "name": "kube-apiserver",
+    "namespace": "kube-system"
+  },
+  "spec": {
+    "containers": [
+      {
+        "command": [
+          "kube-apiserver",
+          kv
+        ],
+        "image": "k8s.gcr.io/kube-apiserver:v1.18.3",
+        "imagePullPolicy": "IfNotPresent",
+        "name": "kube-apiserver"
+      }
+    ]
+  }
+}

policies/CIS.1.2.12.rego

@@ -0,0 +1,16 @@
+package cis_1_2_12
+
+import data.lib.kubernetes
+
+default_parameters = {
+	"key": "--enable-admission-plugins",
+	"requiredValue": "AlwaysPullImages"
+}
+
+params = object.union(default_parameters, kubernetes.parameters)
+
+violation[msg] {
+	kubernetes.containers[container]
+	not kubernetes.flag_contains_string(container.command, params.key, params.requiredValue)
+	msg = kubernetes.format(sprintf("%s in the %s %s does not have %s %s", [container.name, kubernetes.kind, kubernetes.name, params.key, params.requiredValue]))
+}

policies/CIS.1.2.12_test.rego

@@ -0,0 +1,33 @@
+package cis_1_2_12
+
+import data.lib.test
+
+test_violation {
+	test.violations(violation) with input as policy_input("--enable-admission-plugins=NodeRestriction")
+}
+
+test_no_violation {
+	test.no_violations(violation) with input as policy_input("--enable-admission-plugins=AlwaysPullImages")
+}
+
+policy_input(kv) = {
+  "apiVersion": "v1",
+  "kind": "Pod",
+  "metadata": {
+    "name": "kube-apiserver",
+    "namespace": "kube-system"
+  },
+  "spec": {
+    "containers": [
+      {
+        "command": [
+          "kube-apiserver",
+          kv
+        ],
+        "image": "k8s.gcr.io/kube-apiserver:v1.18.3",
+        "imagePullPolicy": "IfNotPresent",
+        "name": "kube-apiserver"
+      }
+    ]
+  }
+}

policies/CIS.1.2.13.rego

@@ -0,0 +1,16 @@
+package cis_1_2_13
+
+import data.lib.kubernetes
+
+default_parameters = {
+	"key": "--enable-admission-plugins",
+	"requiredValue": "SecurityContextDeny"
+}
+
+params = object.union(default_parameters, kubernetes.parameters)
+
+violation[msg] {
+	kubernetes.containers[container]
+	not kubernetes.flag_contains_string(container.command, params.key, params.requiredValue)
+	msg = kubernetes.format(sprintf("%s in the %s %s does not have %s %s", [container.name, kubernetes.kind, kubernetes.name, params.key, params.requiredValue]))
+}

policies/CIS.1.2.13_test.rego

@@ -0,0 +1,33 @@
+package cis_1_2_13
+
+import data.lib.test
+
+test_violation {
+	test.violations(violation) with input as policy_input("--enable-admission-plugins=NodeRestriction")
+}
+
+test_no_violation {
+	test.no_violations(violation) with input as policy_input("--enable-admission-plugins=SecurityContextDeny")
+}
+
+policy_input(kv) = {
+  "apiVersion": "v1",
+  "kind": "Pod",
+  "metadata": {
+    "name": "kube-apiserver",
+    "namespace": "kube-system"
+  },
+  "spec": {
+    "containers": [
+      {
+        "command": [
+          "kube-apiserver",
+          kv
+        ],
+        "image": "k8s.gcr.io/kube-apiserver:v1.18.3",
+        "imagePullPolicy": "IfNotPresent",
+        "name": "kube-apiserver"
+      }
+    ]
+  }
+}

policies/CIS.1.2.14.rego

@@ -0,0 +1,9 @@
+package cis_1_2_14
+
+import data.lib.kubernetes
+
+violation[msg] {
+	kubernetes.containers[container]
+	kubernetes.flag_contains_string(container.command, "--disable-admission-plugins", "ServiceAccount")
+	msg = kubernetes.format(sprintf("%s in the %s %s should not have --disable-admission-plugins ServiceAccount", [container.name, kubernetes.kind, kubernetes.name]))
+}

policies/CIS.1.2.14_test.rego

@@ -0,0 +1,33 @@
+package cis_1_2_14
+
+import data.lib.test
+
+test_violation {
+	test.violations(violation) with input as policy_input("--disable-admission-plugins=ServiceAccount")
+}
+
+test_no_violation {
+	test.no_violations(violation) with input as policy_input("--disable-admission-plugins=")
+}
+
+policy_input(kv) = {
+  "apiVersion": "v1",
+  "kind": "Pod",
+  "metadata": {
+    "name": "kube-apiserver",
+    "namespace": "kube-system"
+  },
+  "spec": {
+    "containers": [
+      {
+        "command": [
+          "kube-apiserver",
+          kv
+        ],
+        "image": "k8s.gcr.io/kube-apiserver:v1.18.3",
+        "imagePullPolicy": "IfNotPresent",
+        "name": "kube-apiserver"
+      }
+    ]
+  }
+}

policies/CIS.1.2.15.rego

@@ -0,0 +1,9 @@
+package cis_1_2_15
+
+import data.lib.kubernetes
+
+violation[msg] {
+	kubernetes.containers[container]
+	kubernetes.flag_contains_string(container.command, "--disable-admission-plugins", "NamespaceLifecycle")
+	msg = kubernetes.format(sprintf("%s in the %s %s should not have --disable-admission-plugins NamespaceLifecycle", [container.name, kubernetes.kind, kubernetes.name]))
+}

policies/CIS.1.2.15_test.rego

@@ -0,0 +1,33 @@
+package cis_1_2_15
+
+import data.lib.test
+
+test_violation {
+	test.violations(violation) with input as policy_input("--disable-admission-plugins=NamespaceLifecycle")
+}
+
+test_no_violation {
+	test.no_violations(violation) with input as policy_input("--disable-admission-plugins=")
+}
+
+policy_input(kv) = {
+  "apiVersion": "v1",
+  "kind": "Pod",
+  "metadata": {
+    "name": "kube-apiserver",
+    "namespace": "kube-system"
+  },
+  "spec": {
+    "containers": [
+      {
+        "command": [
+          "kube-apiserver",
+          kv
+        ],
+        "image": "k8s.gcr.io/kube-apiserver:v1.18.3",
+        "imagePullPolicy": "IfNotPresent",
+        "name": "kube-apiserver"
+      }
+    ]
+  }
+}

policies/CIS.1.2.16.rego

@@ -0,0 +1,16 @@
+package cis_1_2_16
+
+import data.lib.kubernetes
+
+default_parameters = {
+	"key": "--enable-admission-plugins",
+	"requiredValue": "PodSecurityPolicy"
+}
+
+params = object.union(default_parameters, kubernetes.parameters)
+
+violation[msg] {
+	kubernetes.containers[container]
+	not kubernetes.flag_contains_string(container.command, params.key, params.requiredValue)
+	msg = kubernetes.format(sprintf("%s in the %s %s does not have %s %s", [container.name, kubernetes.kind, kubernetes.name, params.key, params.requiredValue]))
+}

policies/CIS.1.2.16_test.rego

@@ -0,0 +1,33 @@
+package cis_1_2_16
+
+import data.lib.test
+
+test_violation {
+	test.violations(violation) with input as policy_input("--enable-admission-plugins=NodeRestriction")
+}
+
+test_no_violation {
+	test.no_violations(violation) with input as policy_input("--enable-admission-plugins=PodSecurityPolicy")
+}
+
+policy_input(kv) = {
+  "apiVersion": "v1",
+  "kind": "Pod",
+  "metadata": {
+    "name": "kube-apiserver",
+    "namespace": "kube-system"
+  },
+  "spec": {
+    "containers": [
+      {
+        "command": [
+          "kube-apiserver",
+          kv
+        ],
+        "image": "k8s.gcr.io/kube-apiserver:v1.18.3",
+        "imagePullPolicy": "IfNotPresent",
+        "name": "kube-apiserver"
+      }
+    ]
+  }
+}

policies/CIS.1.2.17.rego

@@ -0,0 +1,16 @@
+package cis_1_2_17
+
+import data.lib.kubernetes
+
+default_parameters = {
+	"key": "--enable-admission-plugins",
+	"requiredValue": "NodeRestriction"
+}
+
+params = object.union(default_parameters, kubernetes.parameters)
+
+violation[msg] {
+	kubernetes.containers[container]
+	not kubernetes.flag_contains_string(container.command, params.key, params.requiredValue)
+	msg = kubernetes.format(sprintf("%s in the %s %s does not have %s %s", [container.name, kubernetes.kind, kubernetes.name, params.key, params.requiredValue]))
+}