diff --git a/rules/kubernetes/policies/advanced/default_namespace_should_not_be_used.rego b/rules/kubernetes/policies/advanced/default_namespace_should_not_be_used.rego
index bccf5bc78..739af7200 100644
--- a/rules/kubernetes/policies/advanced/default_namespace_should_not_be_used.rego
+++ b/rules/kubernetes/policies/advanced/default_namespace_should_not_be_used.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV110
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/advanced/optional/capabilities_no_drop_at_least_one.rego b/rules/kubernetes/policies/advanced/optional/capabilities_no_drop_at_least_one.rego
index ca3a78021..58ac3b0cc 100644
--- a/rules/kubernetes/policies/advanced/optional/capabilities_no_drop_at_least_one.rego
+++ b/rules/kubernetes/policies/advanced/optional/capabilities_no_drop_at_least_one.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV004
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/advanced/optional/manages_etc_hosts.rego b/rules/kubernetes/policies/advanced/optional/manages_etc_hosts.rego
index 4ee8c3aa7..0003b672e 100644
--- a/rules/kubernetes/policies/advanced/optional/manages_etc_hosts.rego
+++ b/rules/kubernetes/policies/advanced/optional/manages_etc_hosts.rego
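Review bot: Restricting `default_namespace_should_not_be_used.rego` (KSV110) to the eight workload kinds may silently narrow what the check covers. If the rule body, which lies outside this hunk, previously matched any resource in the `default` namespace, objects of other namespaced kinds (a Service or ConfigMap, for example) would no longer be evaluated. The selector lives in a metadata comment, so a missing or misspelled kind raises no error and simply produces no finding. It is worth confirming the intent against the rule body and adding a test input of an unlisted kind; if all kinds are meant to be covered, this file should keep the plain `# - type: kubernetes` selector. The same eight-kind list is repeated verbatim in the other workload hunks of this diff.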
@@ -13,6 +13,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV007
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/advanced/optional/uses_untrusted_azure_registry.rego b/rules/kubernetes/policies/advanced/optional/uses_untrusted_azure_registry.rego
index 005e02f41..04d3fd903 100644
--- a/rules/kubernetes/policies/advanced/optional/uses_untrusted_azure_registry.rego
+++ b/rules/kubernetes/policies/advanced/optional/uses_untrusted_azure_registry.rego
@@ -13,6 +13,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV032
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/advanced/optional/uses_untrusted_ecr_registry.rego b/rules/kubernetes/policies/advanced/optional/uses_untrusted_ecr_registry.rego
index 4b50761af..ac25b9b3c 100644
--- a/rules/kubernetes/policies/advanced/optional/uses_untrusted_ecr_registry.rego
+++ b/rules/kubernetes/policies/advanced/optional/uses_untrusted_ecr_registry.rego
@@ -13,6 +13,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV035
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/advanced/optional/uses_untrusted_gcr_registry.rego b/rules/kubernetes/policies/advanced/optional/uses_untrusted_gcr_registry.rego
index 7e45707cd..a2d6607fe 100644
--- a/rules/kubernetes/policies/advanced/optional/uses_untrusted_gcr_registry.rego
+++ b/rules/kubernetes/policies/advanced/optional/uses_untrusted_gcr_registry.rego
@@ -13,6 +13,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV033
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/advanced/optional/uses_untrusted_public_registries.rego b/rules/kubernetes/policies/advanced/optional/uses_untrusted_public_registries.rego
index 9fa886ac0..e04248b43 100644
--- a/rules/kubernetes/policies/advanced/optional/uses_untrusted_public_registries.rego
+++ b/rules/kubernetes/policies/advanced/optional/uses_untrusted_public_registries.rego
@@ -13,6 +13,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV034
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/aquacommercial/configMap_with_secrets.rego b/rules/kubernetes/policies/aquacommercial/configMap_with_secrets.rego
index f6cabc971..121734fff 100644
--- a/rules/kubernetes/policies/aquacommercial/configMap_with_secrets.rego
+++ b/rules/kubernetes/policies/aquacommercial/configMap_with_secrets.rego
@@ -13,7 +13,8 @@
 # input:
 # selector:
 # - type: kubernetes
-
+# subtypes:
+# - kind: configmap
 package builtin.kubernetes.KSV0109
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/aquacommercial/configmap_with_sensitive.rego b/rules/kubernetes/policies/aquacommercial/configmap_with_sensitive.rego
index 062d38055..b521f7d4d 100644
--- a/rules/kubernetes/policies/aquacommercial/configmap_with_sensitive.rego
+++ b/rules/kubernetes/policies/aquacommercial/configmap_with_sensitive.rego
@@ -13,7 +13,8 @@
 # input:
 # selector:
 # - type: kubernetes
-
+# subtypes:
+# - kind: configmap
 package builtin.kubernetes.KSV01010
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/aquacommercial/service_with_externalip.rego b/rules/kubernetes/policies/aquacommercial/service_with_externalip.rego
index 15d606247..3ea0f5a7e 100644
--- a/rules/kubernetes/policies/aquacommercial/service_with_externalip.rego
+++ b/rules/kubernetes/policies/aquacommercial/service_with_externalip.rego
@@ -13,6 +13,8 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: service
 package builtin.kubernetes.KSV0108
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/CPU_not_limited.rego b/rules/kubernetes/policies/general/CPU_not_limited.rego
index dc1c6dbb0..244cfdd4e 100644
--- a/rules/kubernetes/policies/general/CPU_not_limited.rego
+++ b/rules/kubernetes/policies/general/CPU_not_limited.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV011
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/CPU_requests_not_specified.rego b/rules/kubernetes/policies/general/CPU_requests_not_specified.rego
index f1883d716..d5a7160f1 100644
--- a/rules/kubernetes/policies/general/CPU_requests_not_specified.rego
+++ b/rules/kubernetes/policies/general/CPU_requests_not_specified.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV015
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/SYS_ADMIN_capability.rego b/rules/kubernetes/policies/general/SYS_ADMIN_capability.rego
index 57377e04e..a1f35a2cc 100644
--- a/rules/kubernetes/policies/general/SYS_ADMIN_capability.rego
+++ b/rules/kubernetes/policies/general/SYS_ADMIN_capability.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV005
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/SYS_MODULE_capability.rego b/rules/kubernetes/policies/general/SYS_MODULE_capability.rego
index e1cf70677..d7854c623 100644
--- a/rules/kubernetes/policies/general/SYS_MODULE_capability.rego
+++ b/rules/kubernetes/policies/general/SYS_MODULE_capability.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV120
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/allowing_to_update_a_malicious_pod.rego b/rules/kubernetes/policies/general/allowing_to_update_a_malicious_pod.rego
index e3272a18d..0f261e9f9 100644
--- a/rules/kubernetes/policies/general/allowing_to_update_a_malicious_pod.rego
+++ b/rules/kubernetes/policies/general/allowing_to_update_a_malicious_pod.rego
@@ -15,6 +15,9 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: clusterrole
+# - kind: role
 package builtin.kubernetes.KSV048
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/capabilities_no_drop_all.rego b/rules/kubernetes/policies/general/capabilities_no_drop_all.rego
index cdb9c6502..04d7dbd73 100644
--- a/rules/kubernetes/policies/general/capabilities_no_drop_all.rego
+++ b/rules/kubernetes/policies/general/capabilities_no_drop_all.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV003
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/default_security_context.rego b/rules/kubernetes/policies/general/default_security_context.rego
index cb33a1638..662d39f37 100644
--- a/rules/kubernetes/policies/general/default_security_context.rego
+++ b/rules/kubernetes/policies/general/default_security_context.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV118
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/delete_pod_logs.rego b/rules/kubernetes/policies/general/delete_pod_logs.rego
index 6c58e04f5..187a3bec8 100644
--- a/rules/kubernetes/policies/general/delete_pod_logs.rego
+++ b/rules/kubernetes/policies/general/delete_pod_logs.rego
@@ -15,6 +15,9 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: clusterrole
+# - kind: role
 package builtin.kubernetes.KSV042
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/file_system_not_read_only.rego b/rules/kubernetes/policies/general/file_system_not_read_only.rego
index fceac0718..2ae9566b9 100644
--- a/rules/kubernetes/policies/general/file_system_not_read_only.rego
+++ b/rules/kubernetes/policies/general/file_system_not_read_only.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV014
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/get_shell_on_pod.rego b/rules/kubernetes/policies/general/get_shell_on_pod.rego
index d88cdc310..f15fbf2fd 100644
--- a/rules/kubernetes/policies/general/get_shell_on_pod.rego
+++ b/rules/kubernetes/policies/general/get_shell_on_pod.rego
@@ -15,6 +15,9 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: clusterrole
+# - kind: role
 package builtin.kubernetes.KSV053
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/manage_all_resources.rego b/rules/kubernetes/policies/general/manage_all_resources.rego
index e0cfca624..9668b5e4f 100644
--- a/rules/kubernetes/policies/general/manage_all_resources.rego
+++ b/rules/kubernetes/policies/general/manage_all_resources.rego
@@ -15,6 +15,8 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: clusterrole
 package builtin.kubernetes.KSV046
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/manage_all_resources_at_namespace.rego b/rules/kubernetes/policies/general/manage_all_resources_at_namespace.rego
index a2c5d0a9a..b62c674b3 100644
--- a/rules/kubernetes/policies/general/manage_all_resources_at_namespace.rego
+++ b/rules/kubernetes/policies/general/manage_all_resources_at_namespace.rego
@@ -15,6 +15,8 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: role
 package builtin.kubernetes.KSV112
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/manage_configmaps.rego b/rules/kubernetes/policies/general/manage_configmaps.rego
index d52f8dbd0..d3c36fc40 100644
--- a/rules/kubernetes/policies/general/manage_configmaps.rego
+++ b/rules/kubernetes/policies/general/manage_configmaps.rego
@@ -15,6 +15,9 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: clusterrole
+# - kind: role
 package builtin.kubernetes.KSV049
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/manage_eks_iam_auth_configmap.rego b/rules/kubernetes/policies/general/manage_eks_iam_auth_configmap.rego
index 13f5a35da..3d575f929 100644
--- a/rules/kubernetes/policies/general/manage_eks_iam_auth_configmap.rego
+++ b/rules/kubernetes/policies/general/manage_eks_iam_auth_configmap.rego
@@ -15,6 +15,9 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: clusterrole
+# - kind: role
 package builtin.kubernetes.KSV115
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/manage_kubernetes_networking.rego b/rules/kubernetes/policies/general/manage_kubernetes_networking.rego
index 6c8ca5af8..ae9d7e7e7 100644
--- a/rules/kubernetes/policies/general/manage_kubernetes_networking.rego
+++ b/rules/kubernetes/policies/general/manage_kubernetes_networking.rego
@@ -15,6 +15,9 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: clusterrole
+# - kind: role
 package builtin.kubernetes.KSV056
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/manage_kubernetes_rbac_resources.rego b/rules/kubernetes/policies/general/manage_kubernetes_rbac_resources.rego
index cba4559db..17d61fe37 100644
--- a/rules/kubernetes/policies/general/manage_kubernetes_rbac_resources.rego
+++ b/rules/kubernetes/policies/general/manage_kubernetes_rbac_resources.rego
@@ -15,6 +15,9 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: clusterrole
+# - kind: role
 package builtin.kubernetes.KSV050
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/manage_namespace_secrets.rego b/rules/kubernetes/policies/general/manage_namespace_secrets.rego
index 46bcbfa97..17170bf66 100644
--- a/rules/kubernetes/policies/general/manage_namespace_secrets.rego
+++ b/rules/kubernetes/policies/general/manage_namespace_secrets.rego
@@ -15,6 +15,8 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: role
 package builtin.kubernetes.KSV113
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/manage_secrets.rego b/rules/kubernetes/policies/general/manage_secrets.rego
index 0087f0d50..e10fbdba7 100644
--- a/rules/kubernetes/policies/general/manage_secrets.rego
+++ b/rules/kubernetes/policies/general/manage_secrets.rego
@@ -15,6 +15,8 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: clusterrole
 package builtin.kubernetes.KSV041
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/manage_webhook_configurations.rego b/rules/kubernetes/policies/general/manage_webhook_configurations.rego
index 43c479d8a..81d28084f 100644
--- a/rules/kubernetes/policies/general/manage_webhook_configurations.rego
+++ b/rules/kubernetes/policies/general/manage_webhook_configurations.rego
@@ -15,6 +15,9 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: clusterrole
+# - kind: role
 package builtin.kubernetes.KSV114
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/memory_not_limited.rego b/rules/kubernetes/policies/general/memory_not_limited.rego
index 163a36dc8..3c3aa12c8 100644
--- a/rules/kubernetes/policies/general/memory_not_limited.rego
+++ b/rules/kubernetes/policies/general/memory_not_limited.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV018
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/memory_requests_not_specified.rego b/rules/kubernetes/policies/general/memory_requests_not_specified.rego
index 2a8934fdc..95c1ccaf5 100644
--- a/rules/kubernetes/policies/general/memory_requests_not_specified.rego
+++ b/rules/kubernetes/policies/general/memory_requests_not_specified.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV016
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/mounts_docker_socket.rego b/rules/kubernetes/policies/general/mounts_docker_socket.rego
index a8cec6413..2024dd8ee 100644
--- a/rules/kubernetes/policies/general/mounts_docker_socket.rego
+++ b/rules/kubernetes/policies/general/mounts_docker_socket.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV006
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/net_raw_capability.rego b/rules/kubernetes/policies/general/net_raw_capability.rego
index 1a97c2005..1d684bc35 100644
--- a/rules/kubernetes/policies/general/net_raw_capability.rego
+++ b/rules/kubernetes/policies/general/net_raw_capability.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV119
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/runs_with_GID_le_10000.rego b/rules/kubernetes/policies/general/runs_with_GID_le_10000.rego
index 7f1fc49cc..697ea98d4 100644
--- a/rules/kubernetes/policies/general/runs_with_GID_le_10000.rego
+++ b/rules/kubernetes/policies/general/runs_with_GID_le_10000.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV021
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/runs_with_UID_le_10000.rego b/rules/kubernetes/policies/general/runs_with_UID_le_10000.rego
index 87a82fbb3..fb7a66ba4 100644
--- a/rules/kubernetes/policies/general/runs_with_UID_le_10000.rego
+++ b/rules/kubernetes/policies/general/runs_with_UID_le_10000.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV020
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/runs_with_a_root_primary_or_supplementary_GID.rego b/rules/kubernetes/policies/general/runs_with_a_root_primary_or_supplementary_GID.rego
index 10b37743e..780139317 100644
--- a/rules/kubernetes/policies/general/runs_with_a_root_primary_or_supplementary_GID.rego
+++ b/rules/kubernetes/policies/general/runs_with_a_root_primary_or_supplementary_GID.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV116
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/general/uses_image_tag_latest.rego b/rules/kubernetes/policies/general/uses_image_tag_latest.rego
index 1cf0fe107..74cca5e3b 100644
--- a/rules/kubernetes/policies/general/uses_image_tag_latest.rego
+++ b/rules/kubernetes/policies/general/uses_image_tag_latest.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV013
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/pss/baseline/10_windows_host_process.rego b/rules/kubernetes/policies/pss/baseline/10_windows_host_process.rego
index 155377d46..b74eb6e4d 100644
--- a/rules/kubernetes/policies/pss/baseline/10_windows_host_process.rego
+++ b/rules/kubernetes/policies/pss/baseline/10_windows_host_process.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV103
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/pss/baseline/11_seccomp_profile_unconfined.rego b/rules/kubernetes/policies/pss/baseline/11_seccomp_profile_unconfined.rego
index e7dcacc9a..fa16fa87b 100644
--- a/rules/kubernetes/policies/pss/baseline/11_seccomp_profile_unconfined.rego
+++ b/rules/kubernetes/policies/pss/baseline/11_seccomp_profile_unconfined.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV104
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/pss/baseline/12_privileged_ports_binding.rego b/rules/kubernetes/policies/pss/baseline/12_privileged_ports_binding.rego
index bea81d9f7..ff102fdd8 100644
--- a/rules/kubernetes/policies/pss/baseline/12_privileged_ports_binding.rego
+++ b/rules/kubernetes/policies/pss/baseline/12_privileged_ports_binding.rego
@@ -15,6 +15,16 @@
 # input:
 # selector:
 # - type: kubernetes
+# - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV117
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/pss/baseline/1_host_ipc.rego b/rules/kubernetes/policies/pss/baseline/1_host_ipc.rego
index db46c454e..3fbd31841 100644
--- a/rules/kubernetes/policies/pss/baseline/1_host_ipc.rego
+++ b/rules/kubernetes/policies/pss/baseline/1_host_ipc.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV008
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/pss/baseline/1_host_network.rego b/rules/kubernetes/policies/pss/baseline/1_host_network.rego
index e222db937..1ee297687 100644
--- a/rules/kubernetes/policies/pss/baseline/1_host_network.rego
+++ b/rules/kubernetes/policies/pss/baseline/1_host_network.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV009
 import data.lib.kubernetes
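Review bot: The hunk for `12_privileged_ports_binding.rego` (KSV117) adds a second `# - type: kubernetes` line directly under the existing one, which is why its header reads `+15,16` where every other workload hunk reads `+15,15`. The selector then holds two entries, and the first carries no `subtypes`. Depending on how the scanner combines selector entries, that unrestricted first entry may keep the check applying to every Kubernetes kind, so the restriction introduced here would not take effect for this rule. Drop the added `+# - type: kubernetes` line so that `# subtypes:` attaches to the original entry, as in the sibling files.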
diff --git a/rules/kubernetes/policies/pss/baseline/1_host_pid.rego b/rules/kubernetes/policies/pss/baseline/1_host_pid.rego
index 3181a2e13..e64739e75 100644
--- a/rules/kubernetes/policies/pss/baseline/1_host_pid.rego
+++ b/rules/kubernetes/policies/pss/baseline/1_host_pid.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV010
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/pss/baseline/2_privileged.rego b/rules/kubernetes/policies/pss/baseline/2_privileged.rego
index 84ea914ff..bab45239b 100644
--- a/rules/kubernetes/policies/pss/baseline/2_privileged.rego
+++ b/rules/kubernetes/policies/pss/baseline/2_privileged.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV017
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/pss/baseline/3_specific_capabilities_added.rego b/rules/kubernetes/policies/pss/baseline/3_specific_capabilities_added.rego
index 026897365..f378d8ab1 100644
--- a/rules/kubernetes/policies/pss/baseline/3_specific_capabilities_added.rego
+++ b/rules/kubernetes/policies/pss/baseline/3_specific_capabilities_added.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV022
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/pss/baseline/4_hostpath_volumes_mounted.rego b/rules/kubernetes/policies/pss/baseline/4_hostpath_volumes_mounted.rego
index cb33d98a1..e6526732b 100644
--- a/rules/kubernetes/policies/pss/baseline/4_hostpath_volumes_mounted.rego
+++ b/rules/kubernetes/policies/pss/baseline/4_hostpath_volumes_mounted.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV023
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/pss/baseline/5_access_to_host_ports.rego b/rules/kubernetes/policies/pss/baseline/5_access_to_host_ports.rego
index 67aca226a..55ca6f6b3 100644
--- a/rules/kubernetes/policies/pss/baseline/5_access_to_host_ports.rego
+++ b/rules/kubernetes/policies/pss/baseline/5_access_to_host_ports.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV024
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/pss/baseline/6_apparmor_policy_disabled.rego b/rules/kubernetes/policies/pss/baseline/6_apparmor_policy_disabled.rego
index 5b56e6cec..5b89a842c 100644
--- a/rules/kubernetes/policies/pss/baseline/6_apparmor_policy_disabled.rego
+++ b/rules/kubernetes/policies/pss/baseline/6_apparmor_policy_disabled.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV002
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/pss/baseline/7_selinux_custom_options_set.rego b/rules/kubernetes/policies/pss/baseline/7_selinux_custom_options_set.rego
index 9cd12f897..9c81235b3 100644
--- a/rules/kubernetes/policies/pss/baseline/7_selinux_custom_options_set.rego
+++ b/rules/kubernetes/policies/pss/baseline/7_selinux_custom_options_set.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV025
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/pss/baseline/8_non_default_proc_masks_set.rego b/rules/kubernetes/policies/pss/baseline/8_non_default_proc_masks_set.rego
index d094b0acf..9d7eb9be8 100644
--- a/rules/kubernetes/policies/pss/baseline/8_non_default_proc_masks_set.rego
+++ b/rules/kubernetes/policies/pss/baseline/8_non_default_proc_masks_set.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV027
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/pss/baseline/9_unsafe_sysctl_options_set.rego b/rules/kubernetes/policies/pss/baseline/9_unsafe_sysctl_options_set.rego
index 90ef7b1f8..b63979624 100644
--- a/rules/kubernetes/policies/pss/baseline/9_unsafe_sysctl_options_set.rego
+++ b/rules/kubernetes/policies/pss/baseline/9_unsafe_sysctl_options_set.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV026
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/pss/restricted/1_non_core_volume_types.rego b/rules/kubernetes/policies/pss/restricted/1_non_core_volume_types.rego
index 195c09cca..88ca1f185 100644
--- a/rules/kubernetes/policies/pss/restricted/1_non_core_volume_types.rego
+++ b/rules/kubernetes/policies/pss/restricted/1_non_core_volume_types.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV028
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/pss/restricted/2_can_elevate_its_own_privileges.rego b/rules/kubernetes/policies/pss/restricted/2_can_elevate_its_own_privileges.rego
index 30ba9be21..b358f56ab 100644
--- a/rules/kubernetes/policies/pss/restricted/2_can_elevate_its_own_privileges.rego
+++ b/rules/kubernetes/policies/pss/restricted/2_can_elevate_its_own_privileges.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV001
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/pss/restricted/3_runs_as_root.rego b/rules/kubernetes/policies/pss/restricted/3_runs_as_root.rego
index 2cf0ad566..a2882be0b 100644
--- a/rules/kubernetes/policies/pss/restricted/3_runs_as_root.rego
+++ b/rules/kubernetes/policies/pss/restricted/3_runs_as_root.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV012
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego b/rules/kubernetes/policies/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego
index f4ca8ba86..238157ab6 100644
--- a/rules/kubernetes/policies/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego
+++ b/rules/kubernetes/policies/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV030
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/pss/restricted/7_Kubernetes_resource_with_disallowed_volumes_mounted.rego b/rules/kubernetes/policies/pss/restricted/7_Kubernetes_resource_with_disallowed_volumes_mounted.rego
index 673da0e7c..ffffec580 100644
--- a/rules/kubernetes/policies/pss/restricted/7_Kubernetes_resource_with_disallowed_volumes_mounted.rego
+++ b/rules/kubernetes/policies/pss/restricted/7_Kubernetes_resource_with_disallowed_volumes_mounted.rego
@@ -15,6 +15,15 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: pod
+# - kind: replicaset
+# - kind: replicationcontroller
+# - kind: deployment
+# - kind: statefulset
+# - kind: daemonset
+# - kind: cronjob
+# - kind: job
 package builtin.kubernetes.KSV121
 import data.lib.kubernetes
diff --git a/rules/kubernetes/policies/rolebinding/cluster_admin_role_is_only_used_where_required.rego b/rules/kubernetes/policies/rolebinding/cluster_admin_role_is_only_used_where_required.rego
index 592f8206c..507c3ee76 100644
--- a/rules/kubernetes/policies/rolebinding/cluster_admin_role_is_only_used_where_required.rego
+++ b/rules/kubernetes/policies/rolebinding/cluster_admin_role_is_only_used_where_required.rego
@@ -15,6 +15,9 @@
 # input:
 # selector:
 # - type: kubernetes
+# subtypes:
+# - kind: rolebinding
+# - kind: clusterrolebinding
 package builtin.kubernetes.KSV111
 import data.lib.kubernetes