Skip to content

Commit

Permalink
Modified the Rego policies within Defsec to incorporate subtype selec…
Browse files Browse the repository at this point in the history 
…tors. (#1434)

* Modified the Rego policies within Defsec to incorporate subtype selectors.

* Modified the Rego policies within Defsec to incorporate subtype selectors.
  • Loading branch information
@mjshastha
mjshastha authored Aug 28, 2023
1 parent 480ca84 commit ed97853
Show file tree
Hide file tree
Showing 57 changed files with 411 additions and 2 deletions.
9 changes: 9 additions & 0 deletions rules/kubernetes/policies/advanced/default_namespace_should_not_be_used.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,15 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: pod
# - kind: replicaset
# - kind: replicationcontroller
# - kind: deployment
# - kind: statefulset
# - kind: daemonset
# - kind: cronjob
# - kind: job
package builtin.kubernetes.KSV110

import data.lib.kubernetes
Expand Down
9 changes: 9 additions & 0 deletions rules/kubernetes/policies/advanced/optional/capabilities_no_drop_at_least_one.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,15 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: pod
# - kind: replicaset
# - kind: replicationcontroller
# - kind: deployment
# - kind: statefulset
# - kind: daemonset
# - kind: cronjob
# - kind: job
package builtin.kubernetes.KSV004

import data.lib.kubernetes
Expand Down
9 changes: 9 additions & 0 deletions rules/kubernetes/policies/advanced/optional/manages_etc_hosts.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,15 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: pod
# - kind: replicaset
# - kind: replicationcontroller
# - kind: deployment
# - kind: statefulset
# - kind: daemonset
# - kind: cronjob
# - kind: job
package builtin.kubernetes.KSV007

import data.lib.kubernetes
Expand Down
9 changes: 9 additions & 0 deletions rules/kubernetes/policies/advanced/optional/uses_untrusted_azure_registry.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,15 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: pod
# - kind: replicaset
# - kind: replicationcontroller
# - kind: deployment
# - kind: statefulset
# - kind: daemonset
# - kind: cronjob
# - kind: job
package builtin.kubernetes.KSV032

import data.lib.kubernetes
Expand Down
9 changes: 9 additions & 0 deletions rules/kubernetes/policies/advanced/optional/uses_untrusted_ecr_registry.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,15 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: pod
# - kind: replicaset
# - kind: replicationcontroller
# - kind: deployment
# - kind: statefulset
# - kind: daemonset
# - kind: cronjob
# - kind: job
package builtin.kubernetes.KSV035

import data.lib.kubernetes
Expand Down
9 changes: 9 additions & 0 deletions rules/kubernetes/policies/advanced/optional/uses_untrusted_gcr_registry.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,15 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: pod
# - kind: replicaset
# - kind: replicationcontroller
# - kind: deployment
# - kind: statefulset
# - kind: daemonset
# - kind: cronjob
# - kind: job
package builtin.kubernetes.KSV033

import data.lib.kubernetes
Expand Down
9 changes: 9 additions & 0 deletions rules/kubernetes/policies/advanced/optional/uses_untrusted_public_registries.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,15 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: pod
# - kind: replicaset
# - kind: replicationcontroller
# - kind: deployment
# - kind: statefulset
# - kind: daemonset
# - kind: cronjob
# - kind: job
package builtin.kubernetes.KSV034

import data.lib.kubernetes
Expand Down
3 changes: 2 additions & 1 deletion rules/kubernetes/policies/aquacommercial/configMap_with_secrets.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,8 @@
# input:
# selector:
# - type: kubernetes

# subtypes:
# - kind: configmap
package builtin.kubernetes.KSV0109

import data.lib.kubernetes
Expand Down
3 changes: 2 additions & 1 deletion rules/kubernetes/policies/aquacommercial/configmap_with_sensitive.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,8 @@
# input:
# selector:
# - type: kubernetes

# subtypes:
# - kind: configmap
package builtin.kubernetes.KSV01010

import data.lib.kubernetes
Expand Down
2 changes: 2 additions & 0 deletions rules/kubernetes/policies/aquacommercial/service_with_externalip.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,8 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: service
package builtin.kubernetes.KSV0108

import data.lib.kubernetes
Expand Down
9 changes: 9 additions & 0 deletions rules/kubernetes/policies/general/CPU_not_limited.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,15 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: pod
# - kind: replicaset
# - kind: replicationcontroller
# - kind: deployment
# - kind: statefulset
# - kind: daemonset
# - kind: cronjob
# - kind: job
package builtin.kubernetes.KSV011

import data.lib.kubernetes
Expand Down
9 changes: 9 additions & 0 deletions rules/kubernetes/policies/general/CPU_requests_not_specified.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,15 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: pod
# - kind: replicaset
# - kind: replicationcontroller
# - kind: deployment
# - kind: statefulset
# - kind: daemonset
# - kind: cronjob
# - kind: job
package builtin.kubernetes.KSV015

import data.lib.kubernetes
Expand Down
9 changes: 9 additions & 0 deletions rules/kubernetes/policies/general/SYS_ADMIN_capability.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,15 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: pod
# - kind: replicaset
# - kind: replicationcontroller
# - kind: deployment
# - kind: statefulset
# - kind: daemonset
# - kind: cronjob
# - kind: job
package builtin.kubernetes.KSV005

import data.lib.kubernetes
Expand Down
9 changes: 9 additions & 0 deletions rules/kubernetes/policies/general/SYS_MODULE_capability.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,15 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: pod
# - kind: replicaset
# - kind: replicationcontroller
# - kind: deployment
# - kind: statefulset
# - kind: daemonset
# - kind: cronjob
# - kind: job
package builtin.kubernetes.KSV120

import data.lib.kubernetes
Expand Down
3 changes: 3 additions & 0 deletions rules/kubernetes/policies/general/allowing_to_update_a_malicious_pod.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,9 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: clusterrole
# - kind: role
package builtin.kubernetes.KSV048

import data.lib.kubernetes
Expand Down
9 changes: 9 additions & 0 deletions rules/kubernetes/policies/general/capabilities_no_drop_all.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,15 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: pod
# - kind: replicaset
# - kind: replicationcontroller
# - kind: deployment
# - kind: statefulset
# - kind: daemonset
# - kind: cronjob
# - kind: job
package builtin.kubernetes.KSV003

import data.lib.kubernetes
Expand Down
9 changes: 9 additions & 0 deletions rules/kubernetes/policies/general/default_security_context.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,15 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: pod
# - kind: replicaset
# - kind: replicationcontroller
# - kind: deployment
# - kind: statefulset
# - kind: daemonset
# - kind: cronjob
# - kind: job
package builtin.kubernetes.KSV118

import data.lib.kubernetes
Expand Down
3 changes: 3 additions & 0 deletions rules/kubernetes/policies/general/delete_pod_logs.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,9 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: clusterrole
# - kind: role
package builtin.kubernetes.KSV042

import data.lib.kubernetes
Expand Down
9 changes: 9 additions & 0 deletions rules/kubernetes/policies/general/file_system_not_read_only.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,15 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: pod
# - kind: replicaset
# - kind: replicationcontroller
# - kind: deployment
# - kind: statefulset
# - kind: daemonset
# - kind: cronjob
# - kind: job
package builtin.kubernetes.KSV014

import data.lib.kubernetes
Expand Down
3 changes: 3 additions & 0 deletions rules/kubernetes/policies/general/get_shell_on_pod.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,9 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: clusterrole
# - kind: role
package builtin.kubernetes.KSV053

import data.lib.kubernetes
Expand Down
2 changes: 2 additions & 0 deletions rules/kubernetes/policies/general/manage_all_resources.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,8 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: clusterrole
package builtin.kubernetes.KSV046

import data.lib.kubernetes
Expand Down
2 changes: 2 additions & 0 deletions rules/kubernetes/policies/general/manage_all_resources_at_namespace.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,8 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: role
package builtin.kubernetes.KSV112

import data.lib.kubernetes
Expand Down
3 changes: 3 additions & 0 deletions rules/kubernetes/policies/general/manage_configmaps.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,9 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: clusterrole
# - kind: role
package builtin.kubernetes.KSV049

import data.lib.kubernetes
Expand Down
3 changes: 3 additions & 0 deletions rules/kubernetes/policies/general/manage_eks_iam_auth_configmap.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,9 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: clusterrole
# - kind: role
package builtin.kubernetes.KSV115

import data.lib.kubernetes
Expand Down
3 changes: 3 additions & 0 deletions rules/kubernetes/policies/general/manage_kubernetes_networking.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,9 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: clusterrole
# - kind: role
package builtin.kubernetes.KSV056

import data.lib.kubernetes
Expand Down
3 changes: 3 additions & 0 deletions rules/kubernetes/policies/general/manage_kubernetes_rbac_resources.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,9 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: clusterrole
# - kind: role
package builtin.kubernetes.KSV050

import data.lib.kubernetes
Expand Down
2 changes: 2 additions & 0 deletions rules/kubernetes/policies/general/manage_namespace_secrets.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,8 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: role
package builtin.kubernetes.KSV113

import data.lib.kubernetes
Expand Down
2 changes: 2 additions & 0 deletions rules/kubernetes/policies/general/manage_secrets.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,8 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: clusterrole
package builtin.kubernetes.KSV041

import data.lib.kubernetes
Expand Down
3 changes: 3 additions & 0 deletions rules/kubernetes/policies/general/manage_webhook_configurations.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,9 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: clusterrole
# - kind: role
package builtin.kubernetes.KSV114

import data.lib.kubernetes
Expand Down
9 changes: 9 additions & 0 deletions rules/kubernetes/policies/general/memory_not_limited.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,15 @@
# input:
# selector:
# - type: kubernetes
# subtypes:
# - kind: pod
# - kind: replicaset
# - kind: replicationcontroller
# - kind: deployment
# - kind: statefulset
# - kind: daemonset
# - kind: cronjob
# - kind: job
package builtin.kubernetes.KSV018

import data.lib.kubernetes
Expand Down
Loading

0 comments on commit ed97853

Please sign in to comment.