From e3dba9a3f6e5e398ffac7b83e3bbeb95fe3150be Mon Sep 17 00:00:00 2001
From: Tohar
Date: Wed, 25 Dec 2024 18:07:13 +0200
Subject: [PATCH] Exclude configMap and secret from "Volume Mount With OS Directory Write Permissions"
---
 .../query.rego | 18 +++++++++
 .../test/negative2.yaml | 40 +++++++++++++++++++
 2 files changed, 58 insertions(+)
 create mode 100644 assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/negative2.yaml
diff --git a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/query.rego b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/query.rego
index 21cf37f6261..a95b9e88bf8 100644
--- a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/query.rego
+++ b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/query.rego
@@ -16,6 +16,10 @@ CxPolicy[result] {
 is_os_dir(volumeMounts[v].mountPath)
 volumeMounts[v].readOnly == false
+ volumes := specInfo.spec["volumes"]
+ not is_configMap(volumeMounts[v].name, volumes)
+ not is_secret(volumeMounts[v].name, volumes)
+
 result := {
 "documentId": document.id,
 "resourceType": document.kind,
@@ -38,6 +42,10 @@ CxPolicy[result] {
 is_os_dir(volumeMounts[v].mountPath)
 not common_lib.valid_key(volumeMounts[v], "readOnly")
+ volumes := specInfo.spec["volumes"]
+ not is_configMap(volumeMounts[v].name, volumes)
+ not is_secret(volumeMounts[v].name, volumes)
+
 result := {
 "documentId": document.id,
 "resourceType": document.kind,
@@ -55,3 +63,13 @@ is_os_dir(mountPath) {
 } else {
 mountPath == "/"
 }
+
+is_configMap(mount_name, volumes) {
+ volumes[m].name == mount_name
+ common_lib.valid_key(volumes[m], "configMap")
+}
+
+is_secret(mount_name, volumes) {
+ volumes[m].name == mount_name
+ common_lib.valid_key(volumes[m], "secret")
+}
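Review bot: In the first hunk, `volumes := specInfo.spec["volumes"]` makes the whole rule body undefined when `spec.volumes` is absent, so a manifest declaring a writable mount on an OS directory without a `volumes` list is now silently not reported at all, where before this change it was; the second hunk at `@@ -38,6 +42,10 @@` has the same problem. Defaulting the lookup keeps the new exclusion scoped to the case it targets: `volumes := object.get(specInfo.spec, "volumes", [])`, after which both `not is_*` checks hold on an empty list and the finding is kept. If the rationale is "volume types the kubelet always mounts read-only", `downwardAPI` and `projected` volumes behave the same way as configMap and secret and may deserve the same exclusion — worth confirming against the query's description. Both enclosing `CxPolicy[result]` rules start outside the hunk.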
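Review bot: `is_configMap` and `is_secret` in the third hunk are the same rule with only the key name changed, and their camelCase names break with the file's `is_os_dir` snake_case convention; one parameterized helper, `is_volume_of_type(mount_name, volumes, type) { volumes[m].name == mount_name; common_lib.valid_key(volumes[m], type) }`, called as `not is_volume_of_type(volumeMounts[v].name, volumes, "configMap")`, removes the duplication. Whichever shape is kept, the helpers should carry a comment stating why these volume types are exempt from the write-permission check, e.g. `# configMap and secret volumes are mounted read-only by the kubelet regardless of readOnly, so they cannot grant write access to an OS directory`, since nothing in the file currently explains the exclusion.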
diff --git a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/negative2.yaml b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/negative2.yaml
new file mode 100644
index 00000000000..3ce5a4d181f
--- /dev/null
+++ b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/negative2.yaml
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: secret-dotfiles-pod
+spec:
+ volumes:
+ - name: secret-volume
+ secret:
+ secretName: dotfile-secret
+ containers:
+ - name: dotfile-test-container
+ image: registry.k8s.io/busybox
+ command:
+ - ls
+ - "-l"
+ - "/etc/secret-volume"
+ volumeMounts:
+ - name: secret-volume
+ mountPath: "/etc/secret-volume"
+ ---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: configmap-pod
+spec:
+ containers:
+ - name: test
+ image: busybox:1.28
+ command: ['sh', '-c', 'echo "The app is running!" && tail -f /dev/null']
+ volumeMounts:
+ - name: config-vol
+ mountPath: /etc/config
+ volumes:
+ - name: config-vol
+ configMap:
+ name: log-config
+ items:
+ - key: log_level
+ path: log_level.conf
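Review bot: negative2.yaml only exercises the rule for a missing `readOnly` key — neither `secret-volume` nor `config-vol` sets `readOnly: false` — so the exclusion added to the first `CxPolicy` rule (the `volumeMounts[v].readOnly == false` branch) has no negative fixture; adding `readOnly: false` to one of the two volumeMounts would cover it. A positive fixture whose `volumes` entry of the same name is neither configMap nor secret (an `emptyDir` mounted at `/etc/config`, say) would also guard against the exclusion being applied more broadly than intended. Both Pods use paths under `/etc`; a root-path mount (`/`, which the query's `is_os_dir` fallback matches) is not represented either.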