# METADATA
# title: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used"
# description: "The SecurityContextDeny admission controller can be used to deny pods which make use of some SecurityContext fields which could allow for privilege escalation in the cluster. This should be used where PodSecurityPolicy is not in place within the cluster. Note that PodSecurityPolicy was removed in Kubernetes 1.25; this check only recognises the PodSecurityPolicy and SecurityContextDeny plugin names and does not treat the Pod Security admission controller as a substitute."
# scope: package
# schemas:
# - input: schema["kubernetes"]
# related_resources:
# - https://www.cisecurity.org/benchmark/kubernetes
# custom:
# id: KCV0013
# avd_id: AVD-KCV-0013
# severity: LOW
# short_code: ensure-admission-control-plugin-security-context-deny-is-set-if-pod-security-policy-is-not-used
# recommended_action: "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --enable-admission-plugins parameter to include SecurityContextDeny, unless PodSecurityPolicy is already in place."
# input:
# selector:
# - type: kubernetes
package builtin.kubernetes.KCV0013
import data.lib.kubernetes
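# check_flag holds every api-server container whose enabled admission plugins
# include neither PodSecurityPolicy nor SecurityContextDeny. A container whose
# command line does not carry --enable-admission-plugins at all is reported as
# well: that is the state the benchmark item is meant to catch. The previous
# formulation negated `regex.match(..., output[0][1])`, a reference that is
# undefined for every command element without the flag, so the verdict depended
# on how OPA treats an undefined reference under `not` rather than on the
# configured plugins; the helper below always yields a defined set instead.
check_flag[container] {
	container := kubernetes.containers[_]
	kubernetes.is_apiserver(container)
	plugins := enabled_admission_plugins(container)
	not plugins["PodSecurityPolicy"]
	not plugins["SecurityContextDeny"]
}

# enabled_admission_plugins returns the set of plugin names passed via
# --enable-admission-plugins=<list> anywhere in the container's `command` or
# `args` (values of repeated flags are merged). The result is an empty set,
# never undefined, when the flag is absent, so the negated membership tests in
# check_flag are well-defined. Known limitation, unchanged from the original
# pattern: the two-element form `--enable-admission-plugins <list>` is not
# recognised and counts as the flag being absent.
enabled_admission_plugins(container) = plugins {
	argv := array.concat(object.get(container, "command", []), object.get(container, "args", []))
	plugins := {name |
		some i
		output := regex.find_all_string_submatch_n(`--enable-admission-plugins=([^\s]+)`, argv[i], -1)
		names := split(output[0][1], ",")
		name := names[_]
	}
}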
# deny emits one result per container collected by check_flag, carrying the
# benchmark recommendation as its message.
deny[res] {
	some container
	check_flag[container]
	res := result.new("Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used", container)
}