Merge pull request #14 from suhasgumma/C-0050

slashben · web-flow · commit 11c172e6e2cb · 2023-01-12T10:54:44.000+02:00
ValidatingAdmissionPolicy for C-0050
diff --git a/configuration/policy-configuration-definition.yaml b/configuration/policy-configuration-definition.yaml
@@ -16,21 +16,13 @@ spec:
               type: object
               properties:
                 cpuLimitMax:
-                  items:
-                    type: integer
-                  type: array
+                  type: integer
                 cpuLimitMin:
-                  items:
-                    type: integer
-                  type: array
+                  type: integer
                 cpuRequestMax:
-                  items:
-                    type: integer
-                  type: array
+                  type: integer
                 cpuRequestMin:
-                  items:
-                    type: integer
-                  type: array
+                  type: integer
                 imageRepositoryAllowList:
                   items:
                     type: string
@@ -56,21 +48,13 @@ spec:
                     type: integer
                   type: array
                 memoryLimitMax:
-                  items:
-                    type: integer
-                  type: array
+                  type: integer
                 memoryLimitMin:
-                  items:
-                    type: integer
-                  type: array
+                  type: integer
                 memoryRequestMax:
-                  items:
-                    type: integer
-                  type: array
+                  type: integer
                 memoryRequestMin:
-                  items:
-                    type: integer
-                  type: array
+                  type: integer
                 publicRegistries:
                   items:
                     type: string
diff --git a/controls/C-0004/policy.yaml b/controls/C-0004/policy.yaml
@@ -24,27 +24,27 @@ spec:
   validations:
     - expression: > 
         object.kind != 'Pod' || object.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.memory))) && 
-        params.settings.memoryRequestMin.all(mRm, mRm <= int(container.resources.requests.memory)) &&
-        params.settings.memoryRequestMax.all(mRm, mRm >= int(container.resources.requests.memory))) &&
+        params.settings.memoryRequestMin <= int(container.resources.requests.memory) &&
+        params.settings.memoryRequestMax >= int(container.resources.requests.memory)) &&
         (!(!(has(container.resources.limits)) || !(has(container.resources.limits.memory))) &&
-        params.settings.memoryLimitMin.all(mRm, mRm <= int(container.resources.limits.memory)) &&
-        params.settings.memoryLimitMax.all(mRm, mRm >= int(container.resources.limits.memory))))
+        params.settings.memoryLimitMin <= int(container.resources.limits.memory) &&
+        params.settings.memoryLimitMax >= int(container.resources.limits.memory)))
       message: "Pods contains container/s with memory limit or request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0004)"
 
     - expression: >
         ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.memory))) && 
-        params.settings.memoryRequestMin.all(mRm, mRm <= int(container.resources.requests.memory)) &&
-        params.settings.memoryRequestMax.all(mRm, mRm >= int(container.resources.requests.memory))) &&
+        params.settings.memoryRequestMin <= int(container.resources.requests.memory) &&
+        params.settings.memoryRequestMax >= int(container.resources.requests.memory)) &&
         (!(!(has(container.resources.limits)) || !(has(container.resources.limits.memory))) &&
-        params.settings.memoryLimitMin.all(mRm, mRm <= int(container.resources.limits.memory)) &&
-        params.settings.memoryLimitMax.all(mRm, mRm >= int(container.resources.limits.memory))))
+        params.settings.memoryLimitMin <= int(container.resources.limits.memory) &&
+        params.settings.memoryLimitMax >= int(container.resources.limits.memory)))
       message: "Workloads contains container/s with memory limit or request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0004)"
 
     - expression: >
         object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.memory))) && 
-        params.settings.memoryRequestMin.all(mRm, mRm <= int(container.resources.requests.memory)) &&
-        params.settings.memoryRequestMax.all(mRm, mRm >= int(container.resources.requests.memory))) &&
+        params.settings.memoryRequestMin <= int(container.resources.requests.memory) &&
+        params.settings.memoryRequestMax >= int(container.resources.requests.memory)) &&
         (!(!(has(container.resources.limits)) || !(has(container.resources.limits.memory))) &&
-        params.settings.memoryLimitMin.all(mRm, mRm <= int(container.resources.limits.memory)) &&
-        params.settings.memoryLimitMax.all(mRm, mRm >= int(container.resources.limits.memory))))
+        params.settings.memoryLimitMin <= int(container.resources.limits.memory) &&
+        params.settings.memoryLimitMax >= int(container.resources.limits.memory)))
       message: "CronJob contains container/s with memory limit or request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0004)"
diff --git a/controls/C-0050/policy.yaml b/controls/C-0050/policy.yaml
@@ -0,0 +1,50 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "kubescape-c-0050-deny-resources-with-cpu-limit-or-request-not-set"
+spec:
+  failurePolicy: Fail
+  paramKind:
+    apiVersion: kubescape.io/v1
+    kind: ControlConfiguration
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   [""]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["pods"]
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments","replicasets","daemonsets","statefulsets"]
+    - apiGroups:   ["batch"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["jobs","cronjobs"]
+  validations:
+    - expression: > 
+        object.kind != 'Pod' || object.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.cpu))) && 
+        params.settings.cpuLimitMin <= int(container.resources.requests.cpu) &&
+        params.settings.cpuLimitMax >= int(container.resources.requests.cpu)) &&
+        (!(!(has(container.resources.limits)) || !(has(container.resources.limits.cpu))) &&
+        params.settings.cpuLimitMin <= int(container.resources.limits.cpu) &&
+        params.settings.cpuLimitMax >= int(container.resources.limits.cpu)))
+      message: "Pods contains container/s with cpu limit or request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0050)"
+
+    - expression: >
+        ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.cpu))) && 
+        params.settings.cpuLimitMin <= int(container.resources.requests.cpu) &&
+        params.settings.cpuLimitMax >= int(container.resources.requests.cpu)) &&
+        (!(!(has(container.resources.limits)) || !(has(container.resources.limits.cpu))) &&
+        params.settings.cpuLimitMin <= int(container.resources.limits.cpu) &&
+        params.settings.cpuLimitMax >= int(container.resources.limits.cpu)))
+      message: "Workloads contains container/s with cpu limit or request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0050)"
+
+    - expression: >
+        object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.cpu))) && 
+        params.settings.cpuLimitMin <= int(container.resources.requests.cpu) &&
+        params.settings.cpuLimitMax >= int(container.resources.requests.cpu)) &&
+        (!(!(has(container.resources.limits)) || !(has(container.resources.limits.cpu))) &&
+        params.settings.cpuLimitMin <= int(container.resources.limits.cpu) &&
+        params.settings.cpuLimitMax >= int(container.resources.limits.cpu)))
+      message: "CronJob contains container/s with cpu limit or request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0050)"
diff --git a/controls/C-0050/tests.json b/controls/C-0050/tests.json
@@ -0,0 +1,51 @@
+[
+    {
+        "name": "Pod with container having cpu-request and limits not set is blocked",
+        "template": "pod.yaml",
+        "expected": "fail",
+        "field_change_list": [ 
+        ]
+    },
+    {
+        "name": "Pod with container having cpu request set and limits not set is blocked",
+        "template": "pod.yaml",
+        "expected": "fail",
+        "field_change_list": [
+            "spec.containers.[0].resources.requests.cpu=2"
+        ]
+    },
+    {
+        "name": "Pod with container having cpu request and limits set and both values in the limit is allowed",
+        "template": "pod.yaml",
+        "expected": "pass",
+        "field_change_list": [
+            "spec.containers.[0].resources.requests.cpu=3",
+            "spec.containers.[0].resources.limits.cpu=3"
+        ]
+    },
+    {
+        "name": "Pod with container having cpu request and limits set and values not in the limit is blocked",
+        "template": "pod.yaml",
+        "expected": "fail",
+        "field_change_list": [
+            "spec.containers.[0].resources.requests.cpu=1",
+            "spec.containers.[0].resources.limits.cpu=6"
+        ]
+    },
+    {
+        "name": "Deployment with container having cpu-request and limits not set is blocked",
+        "template": "deployment.yaml",
+        "expected": "fail",
+        "field_change_list": [ 
+        ]
+    },
+    {
+        "name": "Deployment with container having cpu request and limits set and both values in the limit is allowed",
+        "template": "deployment.yaml",
+        "expected": "pass",
+        "field_change_list": [
+            "spec.template.spec.containers.[0].resources.requests.cpu=3",
+            "spec.template.spec.containers.[0].resources.limits.cpu=3"
+        ]
+    }
+]
diff --git a/test-resources/default-control-configuration.yaml b/test-resources/default-control-configuration.yaml
@@ -3,14 +3,10 @@ kind: ControlConfiguration
 metadata:
   name: placeholder
 settings:
-  cpuLimitMax:
-  - 0
-  cpuLimitMin:
-  - 0
-  cpuRequestMax:
-  - 0
-  cpuRequestMin:
-  - 0
+  cpuLimitMax: 5
+  cpuLimitMin: 1
+  cpuRequestMax: 5
+  cpuRequestMin: 1
   imageRepositoryAllowList:
   - gcr.io
   insecureCapabilities:
@@ -49,14 +45,10 @@ settings:
   - 5
   maxHighVulnerabilities:
   - 10
-  memoryLimitMax:
-  - 256
-  memoryLimitMin:
-  - 32
-  memoryRequestMax:
-  - 256
-  memoryRequestMin:
-  - 32
+  memoryLimitMax: 256
+  memoryLimitMin: 32
+  memoryRequestMax: 256
+  memoryRequestMin: 32
   publicRegistries:
   - docker.io
   - gcr.io
