Fix: artifact commands failing due to incorrect userAgent formatting
Signed-off-by: Santosh <[email protected]>
1 parent
175d746
commit 7b753fd
Showing
6 changed files
with
134 additions
and
1 deletion.
@@ -0,0 +1,15 @@ | ||
package main | ||
|
||
deny[msg] { | ||
input.kind == "Deployment" | ||
not input.spec.template.spec.securityContext.runAsNonRoot | ||
|
||
msg := "Containers must not run as root" | ||
} | ||
|
||
deny[msg] { | ||
input.kind == "Deployment" | ||
not input.spec.selector.matchLabels.app | ||
|
||
msg := "Containers must provide app label for pod selectors" | ||
} |
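--- a/templates/defaultpolicies/rego/k8s/deny_latest/deny_latest.json
+++ b/templates/defaultpolicies/rego/k8s/deny_latest/deny_latest.json
@@ -0,0 +1,12 @@
+{
+"name": "DenyLatest",
+"policy_file": "k8s.rego",
+"policy_name": "deny_latest",
+"severity": "High",
+"Description": "Ensure Image does not use 'latest' tag",
+"Benchmark": "CIS-4.9",
+"Category": "Infrastructure security"
+}
+
+
+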
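Review bot: `"policy_file": "k8s.rego"` does not name the rule file added next to this manifest, which is deny_latest.rego, so unless the loader merges every rule file under the k8s directory into one k8s.rego, this entry points at a file the commit does not add. The same value appears in deny_secret.json. Please confirm against the policy loader; if it reads the path literally, the line should be `"policy_file": "deny_latest.rego"` here and `"policy_file": "deny_secret.rego"` in the sibling manifest.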
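--- a/templates/defaultpolicies/rego/k8s/deny_latest/deny_latest.rego
+++ b/templates/defaultpolicies/rego/k8s/deny_latest/deny_latest.rego
@@ -0,0 +1,48 @@
+package validate_k8s
+
+import rego.v1
+
+
+deny_latest contains msg if {
+input.kind == "Deployment"
+c:= input.spec.template.spec.containers[i].image
+not endswith(c, "latest")
+msg:= "Image does not use 'latest' tag"
+}
+
+# deny_secret contains msg if {
+# input.kind == "Deployment"
+# container := input.spec.template.spec.containers[_]
+# not container.envFrom
+# msg:= "Deployment does not use 'envFrom'"
+# }
+
+# deny_secret contains msg if {
+# input.kind == "Deployment"
+# container := input.spec.template.spec.containers[_]
+# env := container.envFrom[_]
+# not env.secretRef
+# msg:= "Deployment does not use 'secretRef' in ENV"
+# }
+
+# deny_secret contains msg if {
+# input.kind == "Deployment"
+# container := input.spec.template.spec.containers[_]
+# env := container.env[_]
+# env.valueFrom != []
+# msg:= "Deployment does not use 'valueFrom' in ENV"
+# }
+
+# deny_priviliged_pod contains msg if {
+# input.kind == "Deployment"
+# not input.spec.template.spec.securityContext
+# msg:= "Deployment does not use priviliged pod"
+# }
+
+# deny_priviliged_pod contains msg if {
+# input.kind == "Deployment"
+# podSpec := input.spec.template.spec.securityContext
+
+# not podSpec.priviliged
+# msg:= "Deployment does not use priviliged pod"
+# }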
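Review bot: The `deny_latest` rule body is inverted: `not endswith(c, "latest")` makes the rule fire for every image whose reference does not end in "latest", so compliant images are reported and images tagged `:latest` pass, the opposite of the "Ensure Image does not use 'latest' tag" description in deny_latest.json. The check should be `endswith(c, ":latest")`, with a message that names the violation, e.g. `msg := sprintf("Image %q uses the 'latest' tag", [c])`. An image reference with no tag at all also resolves to latest, so a companion condition for untagged references is probably wanted, taking care not to misclassify digest (`@sha256:`) references. The index variable in `containers[i]` is not used elsewhere in the rule; `containers[_]` states the intent more plainly and matches the commented-out rules below.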
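--- a/templates/defaultpolicies/rego/k8s/deny_secret/deny_secret.json
+++ b/templates/defaultpolicies/rego/k8s/deny_secret/deny_secret.json
@@ -0,0 +1,9 @@
+{
+"name": "DenySecret",
+"policy_file": "k8s.rego",
+"policy_name": "deny_priviliged_pod",
+"severity": "High",
+"Description": "Ensure Deployment does not use 'secretRef' in ENV",
+"Benchmark": "CIS-4.9",
+"Category": "Infrastructure security"
+}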
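Review bot: The manifest's fields describe two different controls: `"name": "DenySecret"` and the Description "Ensure Deployment does not use 'secretRef' in ENV" announce a secret-handling check, while `"policy_name": "deny_priviliged_pod"` selects the only uncommented rule in deny_secret.rego, which tests for a missing securityContext. Whichever control is intended, name, Description and policy_name should agree; if the secret check is the goal, the `deny_secret` rules in the rego file need to be enabled and this line changed to `"policy_name": "deny_secret"`. `"Benchmark": "CIS-4.9"` is the same value as in deny_latest.json, so it is worth confirming that it actually corresponds to the control this policy ends up implementing.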
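--- a/templates/defaultpolicies/rego/k8s/deny_secret/deny_secret.rego
+++ b/templates/defaultpolicies/rego/k8s/deny_secret/deny_secret.rego
@@ -0,0 +1,48 @@
+package validate_k8s
+
+import rego.v1
+
+
+# deny_latest contains msg if {
+# input.kind == "Deployment"
+# c:= input.spec.template.spec.containers[i].image
+# not endswith(c, "latest")
+# msg:= "Image does not use 'latest' tag"
+# }
+
+# deny_secret contains msg if {
+# input.kind == "Deployment"
+# container := input.spec.template.spec.containers[_]
+# not container.envFrom
+# msg:= "Deployment does not use 'envFrom'"
+# }
+
+# deny_secret contains msg if {
+# input.kind == "Deployment"
+# container := input.spec.template.spec.containers[_]
+# env := container.envFrom[_]
+# not env.secretRef
+# msg:= "Deployment does not use 'secretRef' in ENV"
+# }
+
+# deny_secret contains msg if {
+# input.kind == "Deployment"
+# container := input.spec.template.spec.containers[_]
+# env := container.env[_]
+# env.valueFrom != []
+# msg:= "Deployment does not use 'valueFrom' in ENV"
+# }
+
+deny_priviliged_pod contains msg if {
+input.kind == "Deployment"
+not input.spec.template.spec.securityContext
+msg:= "Deployment does not use priviliged pod"
+}
+
+# deny_priviliged_pod contains msg if {
+# input.kind == "Deployment"
+# podSpec := input.spec.template.spec.securityContext
+
+# not podSpec.priviliged
+# msg:= "Deployment does not use priviliged pod"
+# }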
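Review bot: The enabled `deny_priviliged_pod` rule does not detect privileged containers: `not input.spec.template.spec.securityContext` fires whenever the pod-level securityContext is absent, and the message "Deployment does not use priviliged pod" describes the compliant state rather than a violation, so a finding would read as a non-finding. The privileged flag is set per container, so the body should iterate `container := input.spec.template.spec.containers[_]`, test `container.securityContext.privileged == true`, and report `msg := sprintf("Container %q runs privileged", [container.name])`. The commented-out variant below reads `podSpec.priviliged`, which is misspelled and, as far as I can tell, is not a field of the pod-level securityContext, so it would never match even if enabled. The rule name (and the matching `policy_name` in deny_secret.json) carries the same "priviliged" misspelling; both should be corrected together since the manifest selects the rule by name.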