feat: cis eks spec update

Signed-off-by: chenk <[email protected]>

checks/kubernetes/general/masters_group_bind.rego

@@ -0,0 +1,40 @@
+# METADATA
+# title: "system:authenticate group access binding"
+# description: "Binding to system:authenticate group to any clusterrole or role is a security risk."
+# scope: package
+# schemas:
+# - input: schema["kubernetes"]
+# related_resources:
+# - https://orca.security/resources/blog/sys-all-google-kubernetes-engine-risk/
+# custom:
+#   id: KSV01011
+#   avd_id: AVD-KSV-0123
+#   severity: CRITICAL
+#   short_code: no-system-authenticated-group-bind
+#   recommended_action: "Remove system:authenticated group binding from clusterrolebinding or rolebinding."
+#   input:
+#     selector:
+#     - type: kubernetes
+#       subtypes:
+#         - kind: rolebinding
+#         - kind: clusterrolebinding
+
+package appshield.kubernetes.KSV0123
+
+import data.k8s
+import data.lib.kubernetes
+
+readRoleRefs := ["system:masters"]
+
+readKinds := ["RoleBinding", "ClusterRolebinding"]
+
+mastersGroupBind(roleBinding) {
+	kubernetes.kind == readKinds[_]
+	kubernetes.object.subjects[_].name == readRoleRefs[_]
+}
+
+deny[res] {
+	mastersGroupBind(input)
+	msg := kubernetes.format(sprintf("%s '%s' should not bind to roles %s", [kubernetes.kind, kubernetes.name, readRoleRefs]))
+	res := result.new(msg, input.metadata)
+}

checks/kubernetes/general/masters_group_bind_test.rego

@@ -0,0 +1,140 @@
+package appshield.kubernetes.KSV0123
+
+# Test case for a RoleBinding with system_masters user binding
+test_role_binding_with_system_masters_group_binding {
+	r := deny with input as {
+		"apiVersion": "rbac.authorization.k8s.io/v1",
+		"kind": "RoleBinding",
+		"metadata": {
+			"name": "roleGroup",
+			"namespace": "default",
+		},
+		"subjects": [
+			{
+				"kind": "Group",
+				"name": "system:masters",
+				"apiGroup": "rbac.authorization.k8s.io",
+			},
+			{
+				"kind": "User",
+				"name": "system:anonymous",
+				"apiGroup": "rbac.authorization.k8s.io",
+			},
+		],
+		"roleRef": {
+			"kind": "Role",
+			"name": "some-role",
+			"apiGroup": "rbac.authorization.k8s.io",
+		},
+	}
+
+	count(r) == 1
+}
+
+#Test case for a ClusterRoleBinding with system:masters group binding
+test_cluster_role_binding_with_system_masters_binding {
+	r := deny with input as {
+		"apiVersion": "rbac.authorization.k8s.io/v1",
+		"kind": "ClusterRolebinding",
+		"metadata": {
+			"name": "clusterRoleGroup",
+			"namespace": "default",
+		},
+		"subjects": [
+			{
+				"kind": "Group",
+				"name": "system:masters",
+				"apiGroup": "rbac.authorization.k8s.io",
+			},
+			{
+				"kind": "User",
+				"name": "system:anonymous",
+				"apiGroup": "rbac.authorization.k8s.io",
+			},
+		],
+		"roleRef": {
+			"kind": "ClusterRole",
+			"name": "clusterrole",
+			"apiGroup": "rbac.authorization.k8s.io",
+		},
+	}
+	count(r) == 1
+}
+
+# Test case for a RoleBinding with non system_masters group binding
+test_role_binding_with_non_system_masters_binding {
+	r := deny with input as {
+		"apiVersion": "rbac.authorization.k8s.io/v1",
+		"kind": "RoleBinding",
+		"metadata": {
+			"name": "nonRole",
+			"namespace": "default",
+		},
+		"subjects": {
+			"kind": "Group",
+			"name": "system:unauthenticated",
+			"apiGroup": "rbac.authorization.k8s.io",
+		},
+		"roleRef": {
+			"kind": "Role",
+			"name": "role",
+			"apiGroup": "rbac.authorization.k8s.io",
+		},
+	}
+
+	count(r) == 0
+}
+
+# Test case for a ClusterRoleBinding with non system_masters group binding
+test_cluster_role_binding_with_non_system_masters_group_binding {
+	r := deny with input as {
+		"apiVersion": "rbac.authorization.k8s.io/v1",
+		"kind": "ClusterRoleBinding",
+		"metadata": {
+			"name": "non_anonymous_user",
+			"namespace": "default",
+		},
+		"subjects": {
+			"kind": "Group",
+			"name": "system:unauthenticated",
+			"apiGroup": "rbac.authorization.k8s.io",
+		},
+		"roleRef": {
+			"kind": "ClusterRole",
+			"name": "clusterrole",
+			"apiGroup": "rbac.authorization.k8s.io",
+		},
+	}
+
+	count(r) == 0
+}
+
+test_role_binding_with_system_masters_group_binding {
+	r := deny with input as {
+		"apiVersion": "rbac.authorization.k8s.io/v1",
+		"kind": "RoleBinding",
+		"metadata": {
+			"name": "roleGroup",
+			"namespace": "default",
+		},
+		"subjects": [
+			{
+				"kind": "Group",
+				"name": "system:masters",
+				"apiGroup": "rbac.authorization.k8s.io",
+			},
+			{
+				"kind": "User",
+				"name": "system:anonymous",
+				"apiGroup": "rbac.authorization.k8s.io",
+			},
+		],
+		"roleRef": {
+			"kind": "Role",
+			"name": "some-role",
+			"apiGroup": "rbac.authorization.k8s.io",
+		},
+	}
+
+	count(r) == 0
+}

specs/compliance/aws-eks-cis-1.4.yaml → specs/compliance/eks-cis-1.4.yaml

@@ -23,7 +23,10 @@ spec:
 
       Check with the following command: 
       > sudo systemctl status kubelet
-    checks: null
+    checks: 
+      - id: AVD-KCV-0071
+    commands:
+      - id: CMD-0024
     severity: HIGH
   - id: 3.1.2
     name: Ensure that the kubelet service file ownership is set to root:root (Automated)
@@ -202,12 +205,13 @@ spec:
     checks: null
     severity: CRITICAL
   - id: 4.1.8
-    name: Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)
+    name: Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster
     description: |
       The special group system:masters should not be used to grant permissions to any user
       or service account, except where strictly necessary (e.g. bootstrapping access prior to
       RBAC being fully available)
-    checks: null
+    checks:
+      - id: AVD-KSV-0123
     severity: CRITICAL
   - id: 4.2.1
     name: Minimize the admission of privileged containers (Automated)