fix: cis checks validate api-server args

Signed-off-by: chenk <[email protected]>

checks/kubernetes/cisbenchmarks/apiserver/event_rate_limit_plugin.rego

@@ -19,21 +19,24 @@ package builtin.kubernetes.KCV0010
 
 import data.lib.kubernetes
 
-check_flag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_apiserver(container)
-	not kubernetes.command_has_flag(container.command, "--enable-admission-plugins")
+check_flag(container) {
+	kubernetes.command_has_flag(container.command, "--enable-admission-plugins")
+	some i
+	output := regex.find_all_string_submatch_n(`--enable-admission-plugins=([^\s]+)`, container.command[i], -1)
+	regex.match("EventRateLimit", output[0][1])
 }
 
-check_flag[container] {
-	container := kubernetes.containers[_]
+check_flag(container) {
+	kubernetes.command_has_flag(container.args, "--enable-admission-plugins")
 	some i
-	output := regex.find_all_string_submatch_n(`--enable-admission-plugins=([^\s]+)`, container.command[i], -1)
-	not regex.match("EventRateLimit", output[0][1])
+	output := regex.find_all_string_submatch_n(`--enable-admission-plugins=([^\s]+)`, container.args[i], -1)
+	regex.match("EventRateLimit", output[0][1])
 }
 
 deny[res] {
-	output := check_flag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_apiserver(container)
+	not check_flag(container)
 	msg := "Ensure that the admission control plugin EventRateLimit is set"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/apiserver/event_rate_limit_plugin_test.rego

@@ -85,3 +85,25 @@ test_event_rate_limit_plugin_is_enabled_with_others {
 
 	count(r) == 0
 }
+
+test_event_rate_limit_plugin_is_enabled_with_others_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "apiserver",
+			"labels": {
+				"component": "kube-apiserver",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-apiserver"],
+			"args": ["--enable-admission-plugins=NamespaceLifecycle,EventRateLimit,ServiceAccount"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}

checks/kubernetes/cisbenchmarks/apiserver/kubelet_certificate_authority.rego

@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0006
 
 import data.lib.kubernetes
 
-check_flag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_apiserver(container)
-	not kubernetes.command_has_flag(container.command, "--kubelet-certificate-authority")
+check_flag(container) {
+	kubernetes.command_has_flag(container.command, "--kubelet-certificate-authority")
+}
+
+check_flag(container) {
+	kubernetes.command_has_flag(container.args, "--kubelet-certificate-authority")
 }
 
 deny[res] {
-	output := check_flag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_apiserver(container)
+	not check_flag(container)
 	msg := "Ensure that the --kubelet-certificate-authority argument is set as appropriate"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/apiserver/kubelet_certificate_authority_test.rego

@@ -21,6 +21,28 @@ test_kubelet_certificate_authority_is_set {
 	count(r) == 0
 }
 
+test_kubelet_certificate_authority_is_set_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "apiserver",
+			"labels": {
+				"component": "kube-apiserver",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-apiserver"],
+			"args": ["--advertise-address=192.168.49.2", "--kubelet-certificate-authority=<ca-string>"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
+
 test_kubelet_certificate_authority_is_not_set {
 	r := deny with input as {
 		"apiVersion": "v1",

checks/kubernetes/cisbenchmarks/apiserver/kubelet_client_certificate_and_key.rego

@@ -19,20 +19,20 @@ package builtin.kubernetes.KCV0005
 
 import data.lib.kubernetes
 
-check_flag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_apiserver(container)
-	not kubernetes.command_has_flag(container.command, "--kubelet-client-certificate")
+check_flag(container) {
+	kubernetes.command_has_flag(container.command, "--kubelet-client-certificate")
+	kubernetes.command_has_flag(container.command, "--kubelet-client-key")
 }
 
-check_flag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_apiserver(container)
-	not kubernetes.command_has_flag(container.command, "--kubelet-client-key")
+check_flag(container) {
+	kubernetes.command_has_flag(container.args, "--kubelet-client-certificate")
+	kubernetes.command_has_flag(container.args, "--kubelet-client-key")
 }
 
 deny[res] {
-	output := check_flag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_apiserver(container)
+	not check_flag(container)
 	msg := "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/apiserver/kubelet_client_certificate_and_key_test.rego

@@ -65,6 +65,28 @@ test_kubelet_client_key_and_certificate_are_set {
 	count(r) == 0
 }
 
+test_kubelet_client_key_and_certificate_are_set_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "apiserver",
+			"labels": {
+				"component": "kube-apiserver",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-apiserver"],
+			"args": ["--advertise-address=192.168.49.2", "--kubelet-client-certificate=<file>", "--kubelet-client-key=<file>"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
+
 test_kubelet_client_key_and_certificate_are_not_set {
 	r := deny with input as {
 		"apiVersion": "v1",

checks/kubernetes/cisbenchmarks/apiserver/kubelet_https.rego

@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0004
 
 import data.lib.kubernetes
 
-check_flag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_apiserver(container)
+check_flag(container) {
+	kubernetes.command_has_flag(container.command, "--kubelet-https=false")
+}
+
+check_flag(container) {
 	kubernetes.command_has_flag(container.command, "--kubelet-https=false")
 }
 
 deny[res] {
-	output := check_flag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_apiserver(container)
+	check_flag(container)
 	msg := "Ensure that the --kubelet-https argument is set to true"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/apiserver/kubelet_https_test.rego

@@ -43,6 +43,28 @@ test_kubelet_https_is_true {
 	count(r) == 0
 }
 
+test_kubelet_https_is_true_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "apiserver",
+			"labels": {
+				"component": "kube-apiserver",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-apiserver"],
+			"args": ["--authorization-mode=AlwaysAllow", "--kubelet-https=true", "--anonymous-auth=false"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
+
 test_kubelet_https_is_not_configured {
 	r := deny with input as {
 		"apiVersion": "v1",

checks/kubernetes/cisbenchmarks/apiserver/namespace_lifecycle_plugin.rego

@@ -19,16 +19,22 @@ package builtin.kubernetes.KCV0015
 
 import data.lib.kubernetes
 
-check_flag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_apiserver(container)
+check_flag(container) {
 	some i
 	output := regex.find_all_string_submatch_n(`--disable-admission-plugins=([^\s]+)`, container.command[i], -1)
 	regex.match("NamespaceLifecycle", output[0][1])
 }
 
+check_flag(container) {
+	some i
+	output := regex.find_all_string_submatch_n(`--disable-admission-plugins=([^\s]+)`, container.args[i], -1)
+	regex.match("NamespaceLifecycle", output[0][1])
+}
+
 deny[res] {
-	output := check_flag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_apiserver(container)
+	check_flag(container)
 	msg := "Ensure that the admission control plugin NamespaceLifecycle is set"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/apiserver/namespace_lifecycle_plugin_test.rego

@@ -42,3 +42,25 @@ test_namespace_lifecycle_plugin_is_not_disabled {
 
 	count(r) == 0
 }
+
+test_namespace_lifecycle_plugin_is_not_disabled_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "apiserver",
+			"labels": {
+				"component": "kube-apiserver",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-apiserver"],
+			"args": ["--disable-admission-plugins=AlwaysAdmit"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}

checks/kubernetes/cisbenchmarks/apiserver/node_restriction_plugin.rego

@@ -19,21 +19,24 @@ package builtin.kubernetes.KCV0016
 
 import data.lib.kubernetes
 
-check_flag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_apiserver(container)
-	not kubernetes.command_has_flag(container.command, "--enable-admission-plugins")
+check_flag(container) {
+	kubernetes.command_has_flag(container.command, "--enable-admission-plugins")
+	some i
+	output := regex.find_all_string_submatch_n(`--enable-admission-plugins=([^\s]+)`, container.command[i], -1)
+	regex.match("NodeRestriction", output[0][1])
 }
 
-check_flag[container] {
-	container := kubernetes.containers[_]
+check_flag(container) {
+	kubernetes.command_has_flag(container.args, "--enable-admission-plugins")
 	some i
-	output := regex.find_all_string_submatch_n(`--enable-admission-plugins=([^\s]+)`, container.command[i], -1)
-	not regex.match("NodeRestriction", output[0][1])
+	output := regex.find_all_string_submatch_n(`--enable-admission-plugins=([^\s]+)`, container.args[i], -1)
+	regex.match("NodeRestriction", output[0][1])
 }
 
 deny[res] {
-	output := check_flag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_apiserver(container)
+	not check_flag(container)
 	msg := "Ensure that the admission control plugin NodeRestriction is set"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/apiserver/node_restriction_plugin_test.rego

@@ -85,3 +85,25 @@ test_node_restriction_plugin_is_enabled_with_others {
 
 	count(r) == 0
 }
+
+test_node_restriction_plugin_is_enabled_with_others_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "apiserver",
+			"labels": {
+				"component": "kube-apiserver",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-apiserver"],
+			"args": ["--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,ServiceAccount"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}

checks/kubernetes/cisbenchmarks/apiserver/profiling.rego

@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0018
 
 import data.lib.kubernetes
 
-check_flag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_apiserver(container)
-	not kubernetes.command_has_flag(container.command, "--profiling=false")
+check_flag(container) {
+	kubernetes.command_has_flag(container.command, "--profiling=false")
+}
+
+check_flag(container) {
+	kubernetes.command_has_flag(container.args, "--profiling=false")
 }
 
 deny[res] {
-	output := check_flag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_apiserver(container)
+	not check_flag(container)
 	msg := "Ensure that the --profiling argument is set to false"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/apiserver/profiling_test.rego

@@ -21,6 +21,28 @@ test_profiling_is_set_to_false {
 	count(r) == 0
 }
 
+test_profiling_is_set_to_false_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "apiserver",
+			"labels": {
+				"component": "kube-apiserver",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-apiserver"],
+			"args": ["--advertise-address=192.168.49.2", "--profiling=false", "--secure-port=0"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
+
 test_profiling_is_set_to_true {
 	r := deny with input as {
 		"apiVersion": "v1",