we introduced three new rego checks to the oss. These checks are curr…

…ently part of the commercial but not included in the oss.

Additionally, there are certain checks in the oss where two checks are combined into a single check.
However, in the commercial, these checks are treated as two separate checks.
Therefore, we will be splitting the combined checks from the oss into two distinct checks to align with the commercial implementation.

avd_docs/kubernetes/general/AVD-KSV-0041/docs.md

@@ -1,5 +1,5 @@
 
-Check whether role permits managing secrets
+Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.
 
 ### Impact
 <!-- Add Impact here -->

avd_docs/kubernetes/general/AVD-KSV-0046/docs.md

@@ -1,5 +1,5 @@
 
-Check whether role permits specific verb on wildcard resources
+Full control of the cluster resources, and therefore also root on all nodes where workloads can run and has access to all pods, secrets, and data.
 
 ### Impact
 <!-- Add Impact here -->

avd_docs/kubernetes/general/AVD-KSV-0112/docs.md

@@ -0,0 +1,13 @@
+
+Full control of the resources within a namespace.  In some cluster configurations, this is excessive. In others, this is normal (a gitops deployment operator like flux)
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+

avd_docs/kubernetes/general/AVD-KSV-0113/docs.md

@@ -0,0 +1,13 @@
+
+Viewing secrets at the namespace scope can lead to escalation if another service account in that namespace has a higher privileged rolebinding or clusterrolebinding bound.
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+

avd_docs/kubernetes/general/AVD-KSV-0114/docs.md

@@ -0,0 +1,13 @@
+
+Webhooks can silently intercept or actively mutate/block resources as they are being created or updated. This includes secrets and pod specs.
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+

avd_docs/kubernetes/general/AVD-KSV-0115/docs.md

@@ -0,0 +1,13 @@
+
+Ability to add AWS IAM to RBAC bindings via special EKS configmap.
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+

avd_docs/kubernetes/general/AVD-KSV-0116/docs.md

@@ -0,0 +1,13 @@
+
+According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://kubesec.io/basics/containers-securitycontext-runasuser/
+
+

rules/kubernetes/policies/general/any_resource.rego → rules/kubernetes/policies/general/manage_all_resources.rego

@@ -1,6 +1,6 @@
 # METADATA
-# title: "No wildcard resource roles"
-# description: "Check whether role permits specific verb on wildcard resources"
+# title: "Manage all resources"
+# description: "Full control of the cluster resources, and therefore also root on all nodes where workloads can run and has access to all pods, secrets, and data."
 # scope: package
 # schemas:
 # - input: schema["kubernetes"]
@@ -10,8 +10,8 @@
 #   id: KSV046
 #   avd_id: AVD-KSV-0046
 #   severity: CRITICAL
-#   short_code: no-wildcard-resource-role
-#   recommended_action: "Create a role which does not permit specific verb on wildcard resources"
+#   short_code: no-wildcard-resource-clusterrole
+#   recommended_actions: "Remove '*' from 'rules.resources'. Provide specific list of resources to be managed by cluster role"
 #   input:
 #     selector:
 #     - type: kubernetes
@@ -22,7 +22,7 @@ import data.lib.utils
 
 readVerbs := ["create", "update", "delete", "deletecollection", "impersonate", "*", "list", "get"]
 
-readKinds := ["Role", "ClusterRole"]
+readKinds := ["ClusterRole"]
 
 resourceAllowSpecificVerbOnAnyResource[input.rules[ru]] {
 	some ru, r, v
@@ -33,6 +33,6 @@ resourceAllowSpecificVerbOnAnyResource[input.rules[ru]] {
 
 deny[res] {
 	badRule := resourceAllowSpecificVerbOnAnyResource[_]
-	msg := "Role permits specific verb on wildcard resource"
+	msg := kubernetes.format(sprintf("%s '%s' shouldn't manage all resources", [kubernetes.kind, kubernetes.name]))
 	res := result.new(msg, badRule)
 }

rules/kubernetes/policies/general/manage_all_resources_at_namespace.rego

@@ -0,0 +1,38 @@
+# METADATA
+# title: "Manage all resources at the namespace"
+# description: "Full control of the resources within a namespace.  In some cluster configurations, this is excessive. In others, this is normal (a gitops deployment operator like flux)"
+# scope: package
+# schemas:
+# - input: schema["kubernetes"]
+# related_resources:
+# - https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+# custom:
+#   id: KSV112
+#   avd_id: AVD-KSV-0112
+#   severity: CRITICAL
+#   short_code: no-wildcard-resource-role
+#   recommended_actions: "Remove '*' from 'rules.resources'. Provide specific list of resources to be managed by role in namespace"
+#   input:
+#     selector:
+#     - type: kubernetes
+package builtin.kubernetes.KSV112
+
+import data.lib.kubernetes
+import data.lib.utils
+
+readVerbs := ["create", "update", "delete", "deletecollection", "impersonate", "*", "list", "get"]
+
+readKinds := ["Role"]
+
+managingAllResourcesAtNamespace[input.rules[ru]] {
+	some ru, r, v
+	input.kind == readKinds[_]
+	input.rules[ru].resources[r] == "*"
+	input.rules[ru].verbs[v] == readVerbs[_]
+}
+
+deny[res] {
+	badRule := managingAllResourcesAtNamespace[_]
+	msg := kubernetes.format(sprintf("%s '%s' shouldn't manage all resources at the namespace '%s'", [kubernetes.kind, kubernetes.name, kubernetes.namespace]))
+	res := result.new(msg, badRule)
+}

rules/kubernetes/policies/general/any_resource_test.rego → rules/kubernetes/policies/general/manage_all_resources_at_the_namespace_test.rego

@@ -1,4 +1,4 @@
-package builtin.kubernetes.KSV046
+package builtin.kubernetes.KSV112
 
 test_resource_verb_role_secrets {
 	r := deny with input as {

rules/kubernetes/policies/general/manage_all_resources_test.rego

@@ -0,0 +1,145 @@
+package builtin.kubernetes.KSV046
+
+test_resource_verb_role_secrets {
+	r := deny with input as {
+		"apiVersion": "rbac.authorization.k8s.io/v1",
+		"kind": "ClusterRole",
+		"metadata": {
+			"namespace": "default",
+			"name": "pod-reader",
+		},
+		"rules": [{
+			"apiGroups": ["*"],
+			"resources": ["*"],
+			"verbs": ["delete"],
+		}],
+	}
+
+	count(r) > 0
+}
+
+test_resource_verb_role_pods {
+	r := deny with input as {
+		"apiVersion": "rbac.authorization.k8s.io/v1",
+		"kind": "ClusterRole",
+		"metadata": {
+			"namespace": "default",
+			"name": "pod-reader",
+		},
+		"rules": [{
+			"apiGroups": ["*"],
+			"resources": ["*"],
+			"verbs": ["deletecollection"],
+		}],
+	}
+
+	count(r) > 0
+}
+
+test_resource_verb_role_deployments {
+	r := deny with input as {
+		"apiVersion": "rbac.authorization.k8s.io/v1",
+		"kind": "ClusterRole",
+		"metadata": {
+			"namespace": "default",
+			"name": "pod-reader",
+		},
+		"rules": [{
+			"apiGroups": ["*"],
+			"resources": ["*"],
+			"verbs": ["create"],
+		}],
+	}
+
+	count(r) > 0
+}
+
+test_resource_verb_role_daemonsets {
+	r := deny with input as {
+		"apiVersion": "rbac.authorization.k8s.io/v1",
+		"kind": "ClusterRole",
+		"metadata": {
+			"namespace": "default",
+			"name": "pod-reader",
+		},
+		"rules": [{
+			"apiGroups": ["*"],
+			"resources": ["*"],
+			"verbs": ["list"],
+		}],
+	}
+
+	count(r) > 0
+}
+
+test_resource_verb_role_statefulsets {
+	r := deny with input as {
+		"apiVersion": "rbac.authorization.k8s.io/v1",
+		"kind": "ClusterRole",
+		"metadata": {
+			"namespace": "default",
+			"name": "pod-reader",
+		},
+		"rules": [{
+			"apiGroups": ["*"],
+			"resources": ["*"],
+			"verbs": ["get"],
+		}],
+	}
+
+	count(r) > 0
+}
+
+test_resource_verb_role_replicationcontrollers {
+	r := deny with input as {
+		"apiVersion": "rbac.authorization.k8s.io/v1",
+		"kind": "ClusterRole",
+		"metadata": {
+			"namespace": "default",
+			"name": "pod-reader",
+		},
+		"rules": [{
+			"apiGroups": ["*"],
+			"resources": ["*"],
+			"verbs": ["impersonate"],
+		}],
+	}
+
+	count(r) > 0
+}
+
+test_resource_resource_role_no_specific_verb {
+	r := deny with input as {
+		"apiVersion": "rbac.authorization.k8s.io/v1",
+		"kind": "ClusterRole",
+		"metadata": {
+			"namespace": "default",
+			"name": "pod-reader",
+		},
+		"rules": [{
+			"apiGroups": ["*"],
+			"resources": ["impersonate"],
+			"verbs": ["aaa"],
+		}],
+	}
+
+	count(r) == 0
+}
+
+test_resource_verb_role_no_any_verb {
+	r := deny with input as {
+		"apiVersion": "rbac.authorization.k8s.io/v1",
+		"kind": "ClusterRole",
+		"metadata": {
+			"namespace": "default",
+			"name": "pod-reader",
+		},
+		"rules": [{
+			"apiGroups": ["*"],
+			"resources": ["*"],
+			"verbs": ["*"],
+		}],
+	}
+
+	count(r) > 0
+}

rules/kubernetes/policies/general/manage_eks_iam_auth_configmap.rego

@@ -0,0 +1,43 @@
+# METADATA
+# title: "Manage EKS IAM Auth ConfigMap"
+# description: "Ability to add AWS IAM to RBAC bindings via special EKS configmap."
+# scope: package
+# schemas:
+# - input: schema["kubernetes"]
+# related_resources:
+# - https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+# custom:
+#   id: KSV115
+#   avd_id: AVD-KSV-0115
+#   severity: CRITICAL
+#   short_code: eks-iam-configmap
+#   recommended_actions: "Remove write permission verbs for resource 'configmaps' named 'aws-auth'"
+#   input:
+#     selector:
+#     - type: kubernetes
+package builtin.kubernetes.KSV115
+
+import data.lib.kubernetes
+import data.lib.utils
+
+readVerbs := ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"]
+
+readKinds := ["Role", "ClusterRole"]
+
+readResource = "configmaps"
+
+resourceName := "aws-auth"
+
+manageEKSIAMAuthConfigmap[input.rules[ru]] {
+	some ru, r, v
+	input.kind == readKinds[_]
+	input.rules[ru].resources[r] == readResource
+	input.rules[ru].verbs[v] == readVerbs[_]
+	input.rules[ru].resourceNames[rn] == resourceName
+}
+
+deny[res] {
+	badRule := manageEKSIAMAuthConfigmap[_]
+	msg := kubernetes.format(sprintf("%s '%s' should not have access to resource '%s' named '%s' for verbs %s", [kubernetes.kind, kubernetes.name, readResource, resourceName, readVerbs]))
+	res := result.new(msg, badRule)
+}