add related object

Signed-off-by: YiscahLevySilas1 <[email protected]>
kubescape · Jul 17, 2023 · 3782b3d · 3782b3d
1 parent 266d8ec
commit 3782b3d
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 56 deletions.
diff --git a/rules/workload-mounted-configmap/raw.rego b/rules/workload-mounted-configmap/raw.rego
@@ -30,7 +30,10 @@ deny[msga] {
 		"fixPaths":[],
 		"alertObject": {
 			"k8sApiObjects": [resource]
-}
+		},
+        "relatedObjects": [{
+            "object": configMap
+        }]
 	}
 }
 

diff --git a/rules/workload-mounted-pvc/raw.rego b/rules/workload-mounted-pvc/raw.rego
@@ -29,7 +29,10 @@ deny[msga] {
 		"fixPaths":[],
 		"alertObject": {
 			"k8sApiObjects": [resource]
-}
+		},
+        "relatedObjects": [{
+            "object": PVC
+        }]
 	}
 }
 

diff --git a/rules/workload-mounted-secrets/raw.rego b/rules/workload-mounted-secrets/raw.rego
@@ -12,10 +12,6 @@ deny[msga] {
 	secret.metadata.name == volume.secret.secretName
 	is_same_namespace(secret.metadata, resource.metadata)
 
-	# add related ressource
-	resource_vector := json.patch(resource, [{"op": "add", "path": "relatedObjects", "value": [secret]}])
-
-
 	containers_path := get_containers_path(resource)
 	containers := object.get(resource, containers_path, [])
 	container := containers[j]
@@ -32,9 +28,11 @@ deny[msga] {
 		"failedPaths": [failedPaths],
 		"fixPaths":[],
 		"alertObject": {
-			"k8sApiObjects": [resource],
-			"externalObjects": resource_vector
-		}
+			"k8sApiObjects": [resource]
+		},
+        "relatedObjects": [{
+            "object": secret
+        }]
 	}
 }
 

diff --git a/rules/workload-mounted-secrets/test/failed/expected.json b/rules/workload-mounted-secrets/test/failed/expected.json
@@ -17,53 +17,7 @@
 						"name": "mypod"
 					}
 				}
-			],
-			"externalObjects": {
-				"apiVersion": "v1",
-				"kind": "Pod",
-				"metadata": {
-					"name": "mypod",
-					"namespace": "default"
-				},
-				"relatedObjects": [
-					{
-						"apiVersion": "v1",
-						"data": {
-							"password": "MWYyZDFlMmU2N2Rm",
-							"username": "YWRtaW4="
-						},
-						"kind": "Secret",
-						"metadata": {
-							"name": "mysecret"
-						},
-						"type": "Opaque"
-					}
-				],
-				"spec": {
-					"containers": [
-						{
-							"image": "redis",
-							"name": "mypod",
-							"volumeMounts": [
-								{
-									"mountPath": "/etc/foo",
-									"name": "foo",
-									"readOnly": true
-								}
-							]
-						}
-					],
-					"volumes": [
-						{
-							"name": "foo",
-							"secret": {
-								"optional": true,
-								"secretName": "mysecret"
-							}
-						}
-					]
-				}
-			}
+			]
 		}
 	}
 ]