From c2571696bc6176825f0bfb39be76c55879ab3d7e Mon Sep 17 00:00:00 2001
From: Lucas Teixeira
Date: Fri, 8 Dec 2023 16:46:47 -0300
Subject: [PATCH] check for restartPolicy
Signed-off-by: Lucas Teixeira
---
 checks.md | 1 +
 ..._resource_using_invalid_restartpolicy.yaml | 34 ++++++
 ...urce_using_invalid_restartpolicy_test.yaml | 103 ++++++++++++++++++
 pkg/loader/builtin_test.go | 2 +-
 4 files changed, 139 insertions(+), 1 deletion(-)
 create mode 100644 internal/builtins/general/M-410_resource_using_invalid_restartpolicy.yaml
 create mode 100644 internal/builtins/general/M-410_resource_using_invalid_restartpolicy_test.yaml
diff --git a/checks.md b/checks.md
index 7af890f..6245dc0 100644
--- a/checks.md
+++ b/checks.md
@@ -16,6 +16,7 @@ In the table below, you can view all checks present on Marvin. Click on the #ID
 | | [M-407](/internal/builtins/general/M-407_cpu_limit.yaml) | Medium | CPU not limited |
 | | [M-408](/internal/builtins/general/M-408_sudo_container_entrypoint.yaml) | Medium | Sudo in container entrypoint |
 | | [M-409](/internal/builtins/general/M-409_deprecated_image_registry.yaml) | Medium | Deprecated image registry |
+| | [M-410](/internal/builtins/general/M-410_resource_using_invalid_restartpolicy.yaml) | Medium| Resource is using an invalid restartPolicy |
 | NSA-CISA | [M-300](/internal/builtins/nsa/M-300_read_only_root_filesystem.yml) | Low | Root filesystem write allowed |
 | MITRE ATT&CK | [M-200](/internal/builtins/mitre/M-200_allowed_registries.yml) | Medium | Image registry not allowed |
 | | [M-201](/internal/builtins/mitre/M-201_app_credentials.yml) | High | Application credentials stored in configuration files |
diff --git a/internal/builtins/general/M-410_resource_using_invalid_restartpolicy.yaml b/internal/builtins/general/M-410_resource_using_invalid_restartpolicy.yaml
new file mode 100644
index 0000000..8c9c484
--- /dev/null
+++ b/internal/builtins/general/M-410_resource_using_invalid_restartpolicy.yaml
@@ -0,0 +1,34 @@
+# Copyright 2023 Undistro Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+id: M-410
+slug: resource using invalid restartPolicy
+severity: Medium
+message: "Resource is using an invalid restartPolicy"
+match:
+  resources:
+    - group: apps
+      version: v1
+      resource: deployments
+    - group: apps
+      version: v1
+      resource: daemonsets
+    - group: apps
+      version: v1
+      resource: replicasets
+validations:
+  - expression: >
+      !has(podSpec.restartPolicy) ||
+      has(podSpec.restartPolicy) &&
+      (podSpec.restartPolicy =='Always')
\ No newline at end of file
diff --git a/internal/builtins/general/M-410_resource_using_invalid_restartpolicy_test.yaml b/internal/builtins/general/M-410_resource_using_invalid_restartpolicy_test.yaml
new file mode 100644
index 0000000..485215f
--- /dev/null
+++ b/internal/builtins/general/M-410_resource_using_invalid_restartpolicy_test.yaml
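Review bot: The `has(podSpec.restartPolicy) &&` clause on the second-to-last expression line is redundant — once `!has(podSpec.restartPolicy)` is false the field is known to exist — so the validation reads more clearly as `!has(podSpec.restartPolicy) || podSpec.restartPolicy == 'Always'`. The match list stops at replicasets, yet `apps/v1` statefulsets have the same Always-only constraint on their pod template, so they are silently skipped; adding a fourth entry `- group: apps`, `version: v1`, `resource: statefulsets` closes that gap. It is also worth stating in a comment above `severity` that the API server already rejects any other value for these controllers at admission, so this check only catches manifests before they are applied and is a configuration-validity finding rather than a hardening one — Medium may be generous for that. The file ends without a trailing newline.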
@@ -0,0 +1,103 @@
+# Copyright 2023 Undistro Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: "restartPolicy set Onfailure"
+  pass: false
+  input: |
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: nginx
+    spec:
+      template:
+        metadata:
+          name: nginx
+          labels:
+            app: nginx
+        spec:
+          containers:
+            - name: nginx
+              image: nginx
+          restartPolicy: OnFailure
+      selector:
+        matchLabels:
+          app: nginx
+
+
+
+- name: "restartPolicy set Always"
+  pass: true
+  input: |
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: nginx
+    spec:
+      template:
+        metadata:
+          name: nginx
+          labels:
+            app: nginx
+        spec:
+          containers:
+            - name: nginx
+              image: nginx
+          restartPolicy: Always
+      selector:
+        matchLabels:
+          app: nginx
+
+
+- name: "restartPolicy not defined"
+  pass: true
+  input: |
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: nginx
+    spec:
+      template:
+        metadata:
+          name: nginx
+          labels:
+            app: nginx
+        spec:
+          containers:
+            - name: nginx
+              image: nginx
+      selector:
+        matchLabels:
+          app: nginx
+
+- name: "restartPolicy set Never"
+  pass: false
+  input: |
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: nginx
+    spec:
+      template:
+        metadata:
+          name: nginx
+          labels:
+            app: nginx
+        spec:
+          containers:
+            - name: nginx
+              image: nginx
+          restartPolicy: Never
+      selector:
+        matchLabels:
+          app: nginx
\ No newline at end of file
diff --git a/pkg/loader/builtin_test.go b/pkg/loader/builtin_test.go
index 4186b8b..1c91682 100644
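Review bot: Every case feeds a `kind: Deployment`, so the daemonsets and replicasets entries in the check's match list are never exercised; one failing case with `kind: DaemonSet` (or `kind: ReplicaSet`) and `restartPolicy: Never` would pin that the pod-spec extraction presumably shared by those kinds works for this check too. A case with a lowercase value such as `restartPolicy: always` would document that the CEL comparison is case-sensitive, so such a manifest is reported rather than accepted. The first case's name, `"restartPolicy set Onfailure"`, misspells the enum value `OnFailure`.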
--- a/pkg/loader/builtin_test.go
+++ b/pkg/loader/builtin_test.go
@@ -23,5 +23,5 @@ import (
 func TestBuiltins(t *testing.T) {
 	assert.NotNil(t, Builtins)
 	assert.Greater(t, len(Builtins), 0)
-	assert.Equal(t, len(Builtins), 33)
+	assert.Equal(t, len(Builtins), 34)
 }