From 513f73f6156d4507b75a9c5a4e69fbe5bce1e240 Mon Sep 17 00:00:00 2001
From: Amit Schendel
Date: Wed, 9 Aug 2023 10:56:30 +0300
Subject: [PATCH 1/4] Fixing c-0048 to alert on all hostPaths

---
 rules/alert-any-hostpath/raw.rego | 17 +++++------------
 1 file changed, 5 insertions(+), 12 deletions(-)

diff --git a/rules/alert-any-hostpath/raw.rego b/rules/alert-any-hostpath/raw.rego
index def2a1566..d9af26af1 100644
--- a/rules/alert-any-hostpath/raw.rego
+++ b/rules/alert-any-hostpath/raw.rego
@@ -7,7 +7,7 @@ deny[msga] {
 	volumes := pod.spec.volumes
 	volume := volumes[i]
 	beggining_of_path := "spec."
-	result := is_dangerous_host_path(volume, beggining_of_path, i)
+	result := is_dangerous_volume(volume, beggining_of_path, i)
 
 	podname := pod.metadata.name
 
@@ -31,7 +31,7 @@ deny[msga] {
 	volumes := wl.spec.template.spec.volumes
 	volume := volumes[i]
 	beggining_of_path := "spec.template.spec."
-	result := is_dangerous_host_path(volume, beggining_of_path, i)
+	result := is_dangerous_volume(volume, beggining_of_path, i)
 
 
 	msga := {
@@ -53,7 +53,7 @@ deny[msga] {
 	volumes := wl.spec.jobTemplate.spec.template.spec.volumes
 	volume := volumes[i]
 	beggining_of_path := "spec.jobTemplate.spec.template.spec."
-	result := is_dangerous_host_path(volume, beggining_of_path, i)
+	result := is_dangerous_volume(volume, beggining_of_path, i)
 	msga := {
 		"alertMessage": sprintf("%v: %v has: %v as hostPath volume", [wl.kind, wl.metadata.name, volume.name]),
 		"packagename": "armo_builtins",
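Review bot: The helper name `is_dangerous_volume`, introduced at the `result :=` line of this hunk and at the same line of the two hunks that follow, reads as a boolean predicate but is bound to a path string, and after this patch it no longer tests anything about danger — it fires for every hostPath volume. A name that says what it yields keeps the three rule bodies self-explanatory, e.g. `result := hostpath_volume_failed_path(volume, beggining_of_path, i)` at each call site, with the definition renamed to match in the last hunk of this patch. The enclosing `deny[msga]` rules start and end outside these hunks, so how `result` is consumed is not visible here.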
@@ -66,14 +66,7 @@ deny[msga] {
 	}
 }
 
-
-
-is_dangerous_host_path(volume, beggining_of_path, i) = path {
-	startswith(volume.hostPath.path, "/etc")
-	path = sprintf("%vvolumes[%v].hostPath.path", [beggining_of_path, format_int(i, 10)])
-}
-
-is_dangerous_host_path(volume, beggining_of_path, i) = path {
-	startswith(volume.hostPath.path, "/var")
+is_dangerous_volume(volume, beggining_of_path, i) = path {
+	volume.hostPath.path
 	path = sprintf("%vvolumes[%v].hostPath.path", [beggining_of_path, format_int(i, 10)])
 }
\ No newline at end of file

From 3a09b6882da31cd7f40f816fbb8bdfc9ce675c78 Mon Sep 17 00:00:00 2001
From: Amit Schendel <58078857+amitschendel@users.noreply.github.com>
Date: Wed, 9 Aug 2023 11:48:11 +0300
Subject: [PATCH 2/4] Update rules/alert-any-hostpath/raw.rego

Co-authored-by: codiumai-pr-agent[bot] <138128286+codiumai-pr-agent[bot]@users.noreply.github.com>
---
 rules/alert-any-hostpath/raw.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/alert-any-hostpath/raw.rego b/rules/alert-any-hostpath/raw.rego
index d9af26af1..7f4bcb502 100644
--- a/rules/alert-any-hostpath/raw.rego
+++ b/rules/alert-any-hostpath/raw.rego
@@ -68,5 +68,5 @@ deny[msga] {
 
 is_dangerous_volume(volume, beggining_of_path, i) = path {
 	volume.hostPath.path
-	path = sprintf("%vvolumes[%v].hostPath.path", [beggining_of_path, format_int(i, 10)])
+	path = volume.hostPath.path != null ? sprintf("%vvolumes[%v].hostPath.path", [beggining_of_path, format_int(i, 10)]) : null
 }
\ No newline at end of file

From 3e3d4eb196dd194af6c8e9ab033c6701a9aef2fb Mon Sep 17 00:00:00 2001
From: Amit Schendel
Date: Wed, 9 Aug 2023 12:31:22 +0300
Subject: [PATCH 3/4] Fixing AI

---
 rules/alert-any-hostpath/raw.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/alert-any-hostpath/raw.rego b/rules/alert-any-hostpath/raw.rego
index 7f4bcb502..38b0a2aa3 100644
--- a/rules/alert-any-hostpath/raw.rego
+++ b/rules/alert-any-hostpath/raw.rego
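Review bot: The new `is_dangerous_volume` rule carries no comment, yet its first body line, the bare term `volume.hostPath.path`, is doing the whole filter: as I read Rego's semantics an undefined body expression makes the rule undefined, so a volume with no hostPath yields no `path` and no alert, while any hostPath — no longer just those under the removed `/etc` and `/var` prefixes — is now reported. That widening is the point of the control (a hostPath mount crosses the container/host boundary regardless of where it lands) and deserves to be stated at the definition, e.g. above the rule head: `# Report every hostPath volume: the bare term below is undefined (no alert) unless the volume has a hostPath.path; returns the failedPath of that field.` The same lines are rewritten again in patches 2–4 of this series, so the comment belongs in the final state.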
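Review bot: The replacement line in patch 2, `path = volume.hostPath.path != null ? sprintf(...) : null`, is not valid Rego — the language has no `? :` conditional operator — so this commit leaves the rule file unparsable, and the `!= null` guard is redundant anyway because the preceding body line `volume.hostPath.path` already makes the rule undefined when the field is absent. Patch 3 of the series still leaves a dangling `: null` on that line and only patch 4 restores patch 1's version, so patches 2–4 net to no change against patch 1; squashing them into patch 1 would keep a rule that fails to parse out of the history entirely.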
@@ -68,5 +68,5 @@ deny[msga] {
 
 is_dangerous_volume(volume, beggining_of_path, i) = path {
 	volume.hostPath.path
-	path = volume.hostPath.path != null ? sprintf("%vvolumes[%v].hostPath.path", [beggining_of_path, format_int(i, 10)]) : null
+	path = sprintf("%vvolumes[%v].hostPath.path", [beggining_of_path, format_int(i, 10)]) : null
 }
\ No newline at end of file

From 4a41096f6297f793fdd91517462de1339db92d0c Mon Sep 17 00:00:00 2001
From: Amit Schendel
Date: Wed, 9 Aug 2023 14:11:02 +0300
Subject: [PATCH 4/4] Fixing AI

---
 rules/alert-any-hostpath/raw.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/alert-any-hostpath/raw.rego b/rules/alert-any-hostpath/raw.rego
index 38b0a2aa3..89c30c2ca 100644
--- a/rules/alert-any-hostpath/raw.rego
+++ b/rules/alert-any-hostpath/raw.rego
@@ -68,5 +68,5 @@ deny[msga] {
 
 is_dangerous_volume(volume, beggining_of_path, i) = path {
 	volume.hostPath.path
-	path = sprintf("%vvolumes[%v].hostPath.path", [beggining_of_path, format_int(i, 10)]) : null
+	path = sprintf("%vvolumes[%v].hostPath.path", [beggining_of_path, format_int(i, 10)])
 }
\ No newline at end of file
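Review bot: The new side of patch 4's hunk still ends with `\ No newline at end of file`, as does every earlier patch in the series. Since each of these commits rewrites the closing lines of `is_dangerous_volume` anyway, terminating the file with a newline here would stop the closing `}` from appearing as a changed line in every future diff that touches this helper. With the `: null` removed, the `path = sprintf(...)` line is byte-identical to patch 1's, which is the only other substantive observation about this hunk.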