fix: cis checks validate api-server args

Signed-off-by: chenk <[email protected]>

checks/kubernetes/cisbenchmarks/apiserver/authorization_mode.rego

@@ -19,16 +19,16 @@ package builtin.kubernetes.KCV0007
 
 import data.lib.kubernetes
 
-check_flag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_apiserver(container)
+check_flag(container) {
 	some i
 	output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, container.command[i], -1)
 	regex.match("AlwaysAllow", output[0][1])
 }
 
 deny[res] {
-	output := check_flag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_apiserver(container)
+	check_flag(container)
 	msg := "Ensure that the --authorization-mode argument is not set to AlwaysAllow"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_includes_node.rego

@@ -19,21 +19,24 @@ package builtin.kubernetes.KCV0008
 
 import data.lib.kubernetes
 
-check_flag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_apiserver(container)
-	not kubernetes.command_has_flag(container.command, "--authorization-mode")
+check_flag(container) {
+	kubernetes.command_has_flag(container.command, "--authorization-mode")
+	some i
+	output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, container.command[i], -1)
+	regex.match("Node", output[0][1])
 }
 
-check_flag[container] {
-	container := kubernetes.containers[_]
+check_flag(container) {
+	kubernetes.command_has_flag(container.args, "--authorization-mode")
 	some i
-	output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, container.command[i], -1)
-	not regex.match("Node", output[0][1])
+	output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, container.args[i], -1)
+	regex.match("Node", output[0][1])
 }
 
 deny[res] {
-	output := check_flag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_apiserver(container)
+	not check_flag(container)
 	msg := "Ensure that the --authorization-mode argument includes Node"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_includes_node_test.rego

@@ -42,6 +42,28 @@ test_authorization_mode_includes_node {
 	count(r) == 0
 }
 
+test_authorization_mode_includes_node_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "apiserver",
+			"labels": {
+				"component": "kube-apiserver",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-apiserver"],
+			"args": ["--authorization-mode=RBAC,Node", "--anonymous-auth=false"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
+
 test_authorization_mode_default_value {
 	r := deny with input as {
 		"apiVersion": "v1",

checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_includes_rbac.rego

@@ -19,21 +19,24 @@ package builtin.kubernetes.KCV0009
 
 import data.lib.kubernetes
 
-check_flag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_apiserver(container)
-	not kubernetes.command_has_flag(container.command, "--authorization-mode")
+check_flag(container) {
+	kubernetes.command_has_flag(container.command, "--authorization-mode")
+	some i
+	output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, container.command[i], -1)
+	regex.match("RBAC", output[0][1])
 }
 
-check_flag[container] {
-	container := kubernetes.containers[_]
+check_flag(container) {
+	kubernetes.command_has_flag(container.args, "--authorization-mode")
 	some i
-	output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, container.command[i], -1)
-	not regex.match("RBAC", output[0][1])
+	output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, container.args[i], -1)
+	regex.match("RBAC", output[0][1])
 }
 
 deny[res] {
-	output := check_flag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_apiserver(container)
+	not check_flag(container)
 	msg := "Ensure that the --authorization-mode argument includes RBAC"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_includes_rbac_test.rego

@@ -42,6 +42,28 @@ test_authorization_mode_includes_rbac {
 	count(r) == 0
 }
 
+test_authorization_mode_includes_rbac_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "apiserver",
+			"labels": {
+				"component": "kube-apiserver",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-apiserver"],
+			"args": ["--authorization-mode=Node,RBAC", "--anonymous-auth=false"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
+
 test_authorization_mode_default_value {
 	r := deny with input as {
 		"apiVersion": "v1",

checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_test.rego

@@ -43,6 +43,28 @@ test_authorization_mode_is_set_rbac {
 	count(r) == 0
 }
 
+test_authorization_mode_is_set_rbac_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "apiserver",
+			"labels": {
+				"component": "kube-apiserver",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-apiserver"],
+			"args": ["--authorization-mode=RBAC", "--anonymous-auth=false"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
+
 test_authorization_mode_with_multiple_values {
 	r := deny with input as {
 		"apiVersion": "v1",

checks/kubernetes/cisbenchmarks/apiserver/client_ca_file.rego

@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0028
 
 import data.lib.kubernetes
 
-check_flag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_apiserver(container)
-	not kubernetes.command_has_flag(container.command, "--client-ca-file")
+check_flag(container) {
+	kubernetes.command_has_flag(container.command, "--client-ca-file")
+}
+
+check_flag(container) {
+	kubernetes.command_has_flag(container.args, "--client-ca-file")
 }
 
 deny[res] {
-	output := check_flag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_apiserver(container)
+	not check_flag(container)
 	msg := "Ensure that the --client-ca-file argument is set as appropriate"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/apiserver/client_ca_file_test.rego

@@ -21,6 +21,28 @@ test_client_ca_file_is_set {
 	count(r) == 0
 }
 
+test_client_ca_file_is_set_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "apiserver",
+			"labels": {
+				"component": "kube-apiserver",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-apiserver"],
+			"args": ["--advertise-address=192.168.49.2", "--client-ca-file=<filename>"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
+
 test_client_ca_file_is_not_set {
 	r := deny with input as {
 		"apiVersion": "v1",

checks/kubernetes/cisbenchmarks/apiserver/deny_service_external_ips_plugin.rego

@@ -19,15 +19,21 @@ package builtin.kubernetes.KCV0003
 
 import data.lib.kubernetes
 
-check_flag[container] {
-	container := kubernetes.containers[_]
+check_flag(container) {
 	some i
 	output := regex.find_all_string_submatch_n(`--enable-admission-plugins=([^\s]+)`, container.command[i], -1)
 	regex.match("DenyServiceExternalIPs", output[0][1])
 }
 
+check_flag(container) {
+	some i
+	output := regex.find_all_string_submatch_n(`--enable-admission-plugins=([^\s]+)`, container.args[i], -1)
+	regex.match("DenyServiceExternalIPs", output[0][1])
+}
+
 deny[res] {
-	output := check_flag[_]
+	container := kubernetes.containers[_]
+	check_flag(container)
 	msg := "Ensure that the --DenyServiceExternalIPs is not set"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/apiserver/deny_service_external_ips_plugin_test.rego

@@ -43,6 +43,28 @@ test_enable_admission_plugins_is_not_configured {
 	count(r) == 0
 }
 
+test_enable_admission_plugins_is_not_configured_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "apiserver",
+			"labels": {
+				"component": "kube-apiserver",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-apiserver"],
+			"args": ["--authorization-mode=Node,RBAC", "--anonymous-auth=false"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
+
 test_deny_service_external_ips_is_not_enabled {
 	r := deny with input as {
 		"apiVersion": "v1",

checks/kubernetes/cisbenchmarks/apiserver/encryption_provider_config.rego

@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0030
 
 import data.lib.kubernetes
 
-check_flag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_apiserver(container)
+check_flag(container) {
 	kubernetes.command_has_flag(container.command, "--encryption-provider-config")
 }
 
+check_flag(container) {
+	kubernetes.command_has_flag(container.args, "--encryption-provider-config")
+}
+
 deny[res] {
-	output := check_flag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_apiserver(container)
+	check_flag(container)
 	msg := "Ensure that the --encryption-provider-config argument is set as appropriate"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/apiserver/encryption_provider_config_test.rego

@@ -42,3 +42,25 @@ test_encryption_provider_config_is_not_set {
 
 	count(r) == 0
 }
+
+test_encryption_provider_config_is_not_set_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "apiserver",
+			"labels": {
+				"component": "kube-apiserver",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-apiserver"],
+			"args": ["--advertise-address=192.168.49.2", "--anonymous-auth=false"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}

checks/kubernetes/cisbenchmarks/apiserver/etcd_cafile.rego

@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0029
 
 import data.lib.kubernetes
 
-check_flag[container] {
-	container := kubernetes.containers[_]
-	kubernetes.is_apiserver(container)
-	not kubernetes.command_has_flag(container.command, "--etcd-cafile")
+check_flag(container) {
+	kubernetes.command_has_flag(container.command, "--etcd-cafile")
+}
+
+check_flag(container) {
+	kubernetes.command_has_flag(container.args, "--etcd-cafile")
 }
 
 deny[res] {
-	output := check_flag[_]
+	container := kubernetes.containers[_]
+	kubernetes.is_apiserver(container)
+	not check_flag(container)
 	msg := "Ensure that the --etcd-cafile argument is set as appropriate"
-	res := result.new(msg, output)
+	res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/apiserver/etcd_cafile_test.rego

@@ -21,6 +21,28 @@ test_etcd_cafile_is_set {
 	count(r) == 0
 }
 
+test_etcd_cafile_is_set_args {
+	r := deny with input as {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "apiserver",
+			"labels": {
+				"component": "kube-apiserver",
+				"tier": "control-plane",
+			},
+		},
+		"spec": {"containers": [{
+			"command": ["kube-apiserver"],
+			"args": ["--advertise-address=192.168.49.2", "--etcd-cafile=<filename>"],
+			"image": "busybox",
+			"name": "hello",
+		}]},
+	}
+
+	count(r) == 0
+}
+
 test_etcd_cafile_is_not_set {
 	r := deny with input as {
 		"apiVersion": "v1",