From 636515e0d3bf62eb9b807b91d6f643f144ad3163 Mon Sep 17 00:00:00 2001
From: Harkirat Bhardwaj
Date: Wed, 19 May 2021 04:33:59 +1000
Subject: [PATCH] JSON and Rego updated (#787)

---
 .../kubernetes_pod/AC-K8-OE-PK-M-0155.json | 2 +-
 .../kubernetes_pod/AC-K8-OE-PK-M-0157.json | 2 +-
 .../rego/k8s/kubernetes_pod/probeCheck.rego | 31 -------------------
 .../kubernetes_pod/securityContextCheck.rego | 2 +-
 4 files changed, 3 insertions(+), 34 deletions(-)

diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0155.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0155.json
index 909e35975..67627b4a1 100644
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0155.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0155.json
@@ -7,7 +7,7 @@
 "arg2": "cpu",
 "name": "CpuRequestsCheck",
 "not_allowed": "false",
- "param": "resources",
+ "param": "requests",
 "param1": "resources",
 "prefix": "",
 "suffix": "",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0157.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0157.json
index 92c2c931e..45bd81b8d 100644
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0157.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0157.json
@@ -7,7 +7,7 @@
 "arg2": "memory",
 "name": "MemoryRequestsCheck",
 "not_allowed": "false",
- "param": "resources",
+ "param": "requests",
 "param1": "resources",
 "prefix": "",
 "suffix": "",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/probeCheck.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/probeCheck.rego
index 19eaf1aef..ed1fc7048 100755
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/probeCheck.rego
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/probeCheck.rego
@@ -8,12 +8,6 @@ package accurics
 not container["{{.argument}}"]
 }
 
-#rule for pod terraform
-{{.prefix}}{{.name}}{{.suffix}}[pod.id] {
- pod := input.kubernetes_pod[_]
- container := pod.config.spec.containers[_]
- not container["{{.argumentTF}}"]
-}
 
 #rule for deployment, daemonset, job, replica_Set, replication_controller, stateful_set
 {{.prefix}}{{.name}}{{.suffix}}[kind.id] {
@@ -34,35 +28,10 @@ package accurics
 not container["{{.argument}}"]
 }
 
-#rule for terraform deployment, daemonset, job, replica_Set, replication_controller, stateful_set
-{{.prefix}}{{.name}}{{.suffix}}[kind.id] {
- item_list := [
- object.get(input, "kubernetes_daemonset", "undefined"),
- object.get(input, "kubernetes_deployment", "undefined"),
- object.get(input, "kubernetes_job", "undefined"),
- object.get(input, "kubernetes_replica_set", "undefined"),
- object.get(input, "kubernetes_replication_controller", "undefined"),
- object.get(input, "kubernetes_stateful_set", "undefined")
- ]
-
- item = item_list[_]
- item != "undefined"
-
- kind := item[_]
- container := kind.config.spec.template.spec.containers[_]
- not container["{{.argumentTF}}"]
-}
 
 #rule for cronjob
 {{.prefix}}{{.name}}{{.suffix}}[cron_job.id] {
 cron_job := input.kubernetes_cron_job[_]
 container := cron_job.config.spec.jobTemplate.spec.template.spec.containers[_]
 not container["{{.argument}}"]
-}
-
-#rule for terraform cronjob
-{{.prefix}}{{.name}}{{.suffix}}[cron_job.id] {
- cron_job := input.kubernetes_cron_job[_]
- container := cron_job.config.spec.jobTemplate.spec.template.spec.containers[_]
- not container["{{.argumentTF}}"]
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/securityContextCheck.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/securityContextCheck.rego
index f76c53966..a6065fda1 100755
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/securityContextCheck.rego
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/securityContextCheck.rego
@@ -57,7 +57,7 @@ containerSecurityCheck(container) {
 }
 
 containerSecurityCheck(container) {
- not container.{{.param1}}.{{.param}}
+ object.get(container.{{.param1}}, "{{.param}}", "undefined") == "undefined"
 }
 
 containerSecurityCheck(container) {
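Review bot: The added line `object.get(container.{{.param1}}, "{{.param}}", "undefined") == "undefined"` stops matching when the container has no `{{.param1}}` object at all: `container.{{.param1}}` is then undefined, which makes the whole `object.get` call and the comparison undefined rather than true, whereas the removed `not container.{{.param1}}.{{.param}}` was true in exactly that case. With the `resources`/`requests` values set by the JSON changes in this patch, a container that omits `resources` entirely would therefore no longer be reported by this clause for the CPU/memory requests checks, unless one of the sibling `containerSecurityCheck` clauses (their bodies are outside this hunk) covers it. Guarding the outer lookup as well keeps both the missing-parent and missing-child cases: `object.get(object.get(container, "{{.param1}}", {}), "{{.param}}", "undefined") == "undefined"`. The clauses before and after the changed one start and end outside the hunk.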