Fixing CronJob support accross all controls

slashben · slashben · commit 2841287f6546 · 2025-03-12T09:15:04.000+02:00
Signed-off-by: Ben &lt;ben@armosec.io&gt;
diff --git a/controls/C-0001/policy.yaml b/controls/C-0001/policy.yaml
@@ -30,5 +30,5 @@ spec:
       message: "Pods uses an image from a forbidden registry! (see more at https://hub.armosec.io/docs/c-0001)"
     - expression: "['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container, params.settings.untrustedRegistries.all(registry,!container.image.startsWith(registry)))"
       message: "Workloads uses an image from a forbidden registry! (see more at https://hub.armosec.io/docs/c-0001)"
-    - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container, params.settings.untrustedRegistries.all(registry,!container.image.startsWith(registry)))"
+    - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(container, params.settings.untrustedRegistries.all(registry,!container.image.startsWith(registry)))"
       message: "CronJob uses an image from a forbidden registry! (see more at https://hub.armosec.io/docs/c-0001)"
diff --git a/controls/C-0001/tests.json b/controls/C-0001/tests.json
@@ -4,7 +4,7 @@
         "template": "pod.yaml",
         "expected": "fail",
         "field_change_list": [
-            "spec.containers.[0].image=quay.io/openshift/origin-cli:latest"    
+            "spec.containers.[0].image=quay.io/openshift/origin-cli:latest"
         ]
     },
     {
@@ -13,5 +13,20 @@
         "expected": "pass",
         "field_change_list": [
         ]
+    },
+    {
+        "name": "CronJob with image from quay.io is blocked",
+        "template": "cronjob.yaml",
+        "expected": "fail",
+        "field_change_list": [
+            "spec.jobTemplate.spec.template.spec.containers.[0].image=quay.io/openshift/origin-cli:latest"
+        ]
+    },
+    {
+        "name": "CronJob without image from quay.io is allowed",
+        "template": "cronjob.yaml",
+        "expected": "pass",
+        "field_change_list": [
+        ]
     }
 ]
diff --git a/controls/C-0004/policy.yaml b/controls/C-0004/policy.yaml
@@ -45,7 +45,7 @@ spec:
       message: "Workloads contains container/s with memory limit or request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0004)"
 
     - expression: >
-        object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.memory))) &&
+        object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.memory))) &&
         params.settings.memoryRequestMin <= int(container.resources.requests.memory) &&
         params.settings.memoryRequestMax >= int(container.resources.requests.memory)) &&
         (!(!(has(container.resources.limits)) || !(has(container.resources.limits.memory))) &&
diff --git a/controls/C-0004/tests.json b/controls/C-0004/tests.json
@@ -3,7 +3,7 @@
         "name": "Pod with container having memory-request and limits not set is blocked",
         "template": "pod.yaml",
         "expected": "fail",
-        "field_change_list": [ 
+        "field_change_list": [
         ]
     },
     {
@@ -36,7 +36,7 @@
         "name": "Deployment with container having memory-request and limits not set is blocked",
         "template": "deployment.yaml",
         "expected": "fail",
-        "field_change_list": [ 
+        "field_change_list": [
         ]
     },
     {
@@ -47,5 +47,12 @@
             "spec.template.spec.containers.[0].resources.requests.memory=128",
             "spec.template.spec.containers.[0].resources.limits.memory=128"
         ]
+    },
+    {
+        "name": "CronJob with container having memory request and limits set and both values in the limit is allowed",
+        "template": "cronjob.yaml",
+        "expected": "pass",
+        "field_change_list": [
+        ]
     }
 ]
diff --git a/controls/C-0009/policy.yaml b/controls/C-0009/policy.yaml
@@ -43,7 +43,7 @@ spec:
       message: "Workloads contains container/s with memory limit and/or cpu limit not set! (see more at https://hub.armosec.io/docs/c-0009)"
 
     - expression: >
-        object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container,
+        object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(container,
         has(container.resources) &&
         has(container.resources.limits) &&
         has(container.resources.limits.memory) &&
diff --git a/controls/C-0012/policy.yaml b/controls/C-0012/policy.yaml
@@ -27,28 +27,28 @@ spec:
       resources:   ["configmaps"]
   validations:
     # Note that if the value is mounted using a secret or a configMap, this policy will allow the resource to be deployed in the cluster.
-    - expression: > 
-        object.kind != 'Pod' || object.spec.containers.all(container, !has(container.env) || container.env.all(envVariable, 
+    - expression: >
+        object.kind != 'Pod' || object.spec.containers.all(container, !has(container.env) || container.env.all(envVariable,
         !params.settings.sensitiveKeyNames.exists(sensitiveKey, envVariable.name.lowerAscii().contains(sensitiveKey)) ||
         !has(envVariable.value) || (envVariable.value == "") ||
         params.settings.sensitiveValuesAllowed.exists(allowedVal, envVariable.value == allowedVal)
         ))
       message: "Pods has one or more containers with sensitive information in environment variables! (see more at https://hub.armosec.io/docs/c-0012)"
-    - expression: > 
-        ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container, !has(container.env) || container.env.all(envVariable, 
+    - expression: >
+        ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container, !has(container.env) || container.env.all(envVariable,
         !params.settings.sensitiveKeyNames.exists(sensitiveKey, envVariable.name.lowerAscii().contains(sensitiveKey)) ||
         !has(envVariable.value) || (envVariable.value == "") ||
         params.settings.sensitiveValuesAllowed.exists(allowedVal, envVariable.value == allowedVal)
         ))
       message: "Workloads has one or more containers with sensitive information in environment variables! (see more at https://hub.armosec.io/docs/c-0012)"
-    - expression: > 
-        object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container, !has(container.env) || container.env.all(envVariable, 
+    - expression: >
+        object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(container, !has(container.env) || container.env.all(envVariable,
         !params.settings.sensitiveKeyNames.exists(sensitiveKey, envVariable.name.lowerAscii().contains(sensitiveKey)) ||
         !has(envVariable.value) || (envVariable.value == "") ||
         params.settings.sensitiveValuesAllowed.exists(allowedVal, envVariable.value == allowedVal)
         ))
       message: "CronJob has one or more containers with sensitive information in environment variables! (see more at https://hub.armosec.io/docs/c-0012)"
-    - expression: > 
+    - expression: >
         object.kind != 'ConfigMap' || object.data.all(key,
         (
           (
diff --git a/controls/C-0013/policy.yaml b/controls/C-0013/policy.yaml
@@ -136,7 +136,7 @@ spec:
       message: "Workloads contains container/s which have the capability to run as root! (see more at https://hub.armosec.io/docs/c-0013)"
 
     - expression: >
-        object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container,
+        object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(container,
           (
             (
               has(container.securityContext) &&
diff --git a/controls/C-0020/policy.yaml b/controls/C-0020/policy.yaml
@@ -111,7 +111,7 @@ spec:
       message: "Workload contains volumes with potential access to known cloud credentials! (see more at https://hub.armosec.io/docs/c-0020)"
 
     - expression: >
-        object.kind != 'CronJob' || !has(object.spec.jobTemplate.spec.volumes) || object.spec.jobTemplate.spec.volumes.all(vol,
+        object.kind != 'CronJob' || !has(object.spec.jobTemplate.spec.volumes) || object.spec.jobTemplate.spec.template.spec.volumes.all(vol,
         !has(vol.hostPath) || !has(vol.hostPath.path) ||
         (
           (params.settings.cloudProvider != 'eks' ||
diff --git a/controls/C-0044/policy.yaml b/controls/C-0044/policy.yaml
@@ -27,5 +27,5 @@ spec:
       message: "One or more containers in the Pod has Host-port! (see more at https://hub.armosec.io/docs/c-0044)"
     - expression: "['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || !object.spec.template.spec.containers.exists(container, has(container.ports) && container.ports.exists(port, has(port.hostPort)))"
       message: "One or more containers in the Workload has Host-port! (see more at https://hub.armosec.io/docs/c-0044)"
-    - expression: "object.kind != 'CronJob' || !object.spec.jobTemplate.spec.containers.exists(container, has(container.ports) && container.ports.exists(port, has(port.hostPort)))"
+    - expression: "object.kind != 'CronJob' || !object.spec.jobTemplate.spec.template.spec.containers.exists(container, has(container.ports) && container.ports.exists(port, has(port.hostPort)))"
       message: "One or more containers in the CronJob has Host-port! (see more at https://hub.armosec.io/docs/c-0044)"
diff --git a/controls/C-0044/tests.json b/controls/C-0044/tests.json
@@ -4,7 +4,7 @@
         "template": "pod.yaml",
         "expected": "fail",
         "field_change_list": [
-            "spec.containers.[0].ports.[0].hostPort=2023"    
+            "spec.containers.[0].ports.[0].hostPort=2023"
         ]
     },
     {
@@ -19,7 +19,7 @@
         "template": "deployment.yaml",
         "expected": "fail",
         "field_change_list": [
-            "spec.template.spec.containers.[0].ports.[0].hostPort=2023"    
+            "spec.template.spec.containers.[0].ports.[0].hostPort=2023"
         ]
     },
     {
@@ -28,5 +28,20 @@
         "expected": "pass",
         "field_change_list": [
         ]
+    },
+    {
+        "name": "CronJob with container not having hostPort allowed",
+        "template": "cronjob.yaml",
+        "expected": "pass",
+        "field_change_list": [
+        ]
+    },
+    {
+        "name": "CronJob with container having hostPort blocked",
+        "template": "cronjob.yaml",
+        "expected": "fail",
+        "field_change_list": [
+            "spec.jobTemplate.spec.template.spec.containers.[0].ports.[0].hostPort=2023"
+        ]
     }
 ]
diff --git a/controls/C-0045/policy.yaml b/controls/C-0045/policy.yaml
@@ -38,8 +38,8 @@ spec:
         )))
       message: "One or more hostPath Volumes in the Workload has readOnly not set to false! (see more at https://hub.armosec.io/docs/c-0045)"
     - expression: >
-        object.kind != 'CronJob' || object.spec.jobTemplate.spec.volumes.all(vol, !(has(vol.hostPath)) ||
-        object.spec.jobTemplate.spec.containers.all(container, !(has(container.volumeMounts)) || container.volumeMounts.all(
+        object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.volumes.all(vol, !(has(vol.hostPath)) ||
+        object.spec.jobTemplate.spec.template.spec.containers.all(container, !(has(container.volumeMounts)) || container.volumeMounts.all(
           containerVol, containerVol.name != vol.name ||
           (has(containerVol.readOnly) && containerVol.readOnly == true)
         )))
diff --git a/controls/C-0046/policy.yaml b/controls/C-0046/policy.yaml
@@ -42,7 +42,7 @@ spec:
       message: "Workload has one or more containers with insecure capabilities! (see more at https://hub.armosec.io/docs/c-0046)"
     - expression: >
         object.kind != 'CronJob' ||
-        object.spec.jobTemplate.spec.containers.all(container, params.settings.insecureCapabilities.all(insecureCapability,
+        object.spec.jobTemplate.spec.template.spec.containers.all(container, params.settings.insecureCapabilities.all(insecureCapability,
         !has(container.securityContext) || !has(container.securityContext.capabilities) || !has(container.securityContext.capabilities.add) ||
         container.securityContext.capabilities.add.all(capability, capability != insecureCapability)
         ))
diff --git a/controls/C-0048/policy.yaml b/controls/C-0048/policy.yaml
@@ -27,5 +27,5 @@ spec:
       message: "There are one or more hostPath mounts in the Pod! (see more at https://hub.armosec.io/docs/c-0048)"
     - expression: "['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || !has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(vol, !(has(vol.hostPath)))"
       message: "There are one or more hostPath mounts in the Workload! (see more at https://hub.armosec.io/docs/c-0048)"
-    - expression: "object.kind != 'CronJob' || !has(object.spec.jobTemplate.spec.volumes) || object.spec.jobTemplate.spec.volumes.all(vol, !(has(vol.hostPath)))"
+    - expression: "object.kind != 'CronJob' || !has(object.spec.jobTemplate.spec.volumes) || object.spec.jobTemplate.spec.template.spec.volumes.all(vol, !(has(vol.hostPath)))"
       message: "There are one or more hostPath mounts in the CronJob! (see more at https://hub.armosec.io/docs/c-0048)"
diff --git a/controls/C-0050/policy.yaml b/controls/C-0050/policy.yaml
@@ -45,7 +45,7 @@ spec:
       message: "Workloads contains container/s with cpu limit or request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0050)"
 
     - expression: >
-        object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.cpu))) &&
+        object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.cpu))) &&
         params.settings.cpuRequestMin <= int(container.resources.requests.cpu) &&
         params.settings.cpuRequestMax >= int(container.resources.requests.cpu)) &&
         (!(!(has(container.resources.limits)) || !(has(container.resources.limits.cpu))) &&
diff --git a/controls/C-0055/policy.yaml b/controls/C-0055/policy.yaml
@@ -43,7 +43,7 @@ spec:
         object.kind != 'CronJob' ||
         (has(object.spec.jobTemplate.metadata.annotations) && object.spec.jobTemplate.metadata.annotations.exists(annotation, annotation.startsWith("container.apparmor.security.beta.kubernetes.io"))) ||
         (has(object.spec.jobTemplate.spec.securityContext) && (has(object.spec.jobTemplate.spec.securityContext.seccompProfile) || has(object.spec.jobTemplate.spec.securityContext.seLinuxOptions))) ||
-        object.spec.jobTemplate.spec.containers.all(container, has(container.securityContext) && (has(container.securityContext.seccompProfile) ||
+        object.spec.jobTemplate.spec.template.spec.containers.all(container, has(container.securityContext) && (has(container.securityContext.seccompProfile) ||
         has(container.securityContext.seLinuxOptions) ||
         (has(container.securityContext.capabilities) && has(container.securityContext.capabilities.drop))))
       message: "CronJob could have more security hardening! (see more at https://hub.armosec.io/docs/c-0055)"
diff --git a/controls/C-0062/policy.yaml b/controls/C-0062/policy.yaml
@@ -27,5 +27,5 @@ spec:
       message: "Pod has a container/s having sudo in entrypoint! (see more at https://hub.armosec.io/docs/c-0062)"
     - expression: "['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container, !(has(container.command)) || container.command.all(cmd, cmd != 'sudo'))"
       message: "Workload has a container/s having sudo in entrypoint! (see more at https://hub.armosec.io/docs/c-0062)"
-    - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container, !(has(container.command)) || container.command.all(cmd, cmd != 'sudo'))"
+    - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(container, !(has(container.command)) || container.command.all(cmd, cmd != 'sudo'))"
       message: "CronJob has a container/s having sudo in entrypoint! (see more at https://hub.armosec.io/docs/c-0062)"
diff --git a/controls/C-0062/tests.json b/controls/C-0062/tests.json
@@ -3,7 +3,7 @@
         "name": "Pod with container having sudo in command is blocked",
         "template": "pod-for-list-items.yaml",
         "expected": "fail",
-        "field_change_list": [   
+        "field_change_list": [
         ]
     },
     {
@@ -17,7 +17,7 @@
         "name": "Deployment with container having sudo in command is blocked",
         "template": "deployment-for-list-items.yaml",
         "expected": "fail",
-        "field_change_list": [   
+        "field_change_list": [
         ]
     },
     {
@@ -26,5 +26,20 @@
         "expected": "pass",
         "field_change_list": [
         ]
+    },
+    {
+        "name": "CronJob with container having sudo in command is blocked",
+        "template": "cronjob.yaml",
+        "expected": "fail",
+        "field_change_list": [
+            "spec.jobTemplate.spec.template.spec.containers.[0].command.[0]=sudo"
+        ]
+    },
+    {
+        "name": "CronJob with container not having sudo in command is allowed",
+        "template": "cronjob.yaml",
+        "expected": "pass",
+        "field_change_list": [
+        ]
     }
 ]
diff --git a/controls/C-0074/policy.yaml b/controls/C-0074/policy.yaml
@@ -43,7 +43,7 @@ spec:
       message: "Workload has one or more containers mounting Docker socket! (see more at https://hub.armosec.io/docs/c-0074)"
     - expression: >
         object.kind != 'CronJob' || !(has(object.spec.jobTemplate.spec.volumes)) ||
-        object.spec.jobTemplate.spec.volumes.all(vol, !(has(vol.hostPath)) ||
+        object.spec.jobTemplate.spec.template.spec.volumes.all(vol, !(has(vol.hostPath)) ||
         !(has(vol.hostPath.path)) ||
         (
           vol.hostPath.path != '/var/run/docker.sock' &&
diff --git a/controls/C-0075/policy.yaml b/controls/C-0075/policy.yaml
@@ -46,7 +46,7 @@ spec:
       message: "Workloads contains container/s image with latest tag and imagePullPolicy not set to Always! (see more at https://hub.armosec.io/docs/c-0075)"
 
     - expression: >
-        object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container,
+        object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(container,
         !(
           container.image.findAll(":[\\w][\\w.-]{0,127}(\\/)?").all(substring, substring.endsWith("/")) ||
           container.image.findAll(":[\\w][\\w.-]{0,127}(\\/)?").exists(substring, substring == ":latest" || substring.matches("^:[a-zA-Z]{1,127}$"))
diff --git a/controls/C-0078/policy.yaml b/controls/C-0078/policy.yaml
@@ -44,7 +44,7 @@ spec:
       message: "Workloads uses an image from a registry that is not in the allow list! (see more at https://hub.armosec.io/docs/c-0078)"
     - expression: >
         object.kind != 'CronJob' ||
-        object.spec.jobTemplate.spec.containers.all(container, params.settings.imageRepositoryAllowList.exists(registry,
+        object.spec.jobTemplate.spec.template.spec.containers.all(container, params.settings.imageRepositoryAllowList.exists(registry,
         (
           (registry == 'docker.io' && !container.image.contains('/')) ||
           (container.image.startsWith(registry))
diff --git a/controls/C-0268/policy.yaml b/controls/C-0268/policy.yaml
@@ -41,7 +41,7 @@ spec:
       message: "Workloads contains container/s with cpu request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0268)"
 
     - expression: >
-        object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container,
+        object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(container,
         (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.cpu))) &&
         params.settings.cpuRequestMin <= int(container.resources.requests.cpu) &&
         params.settings.cpuRequestMax >= int(container.resources.requests.cpu)))
diff --git a/controls/C-0269/policy.yaml b/controls/C-0269/policy.yaml
@@ -41,7 +41,7 @@ spec:
       message: "Workloads contains container/s with memory request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0269)"
 
     - expression: >
-        object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container,
+        object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(container,
         (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.memory))) &&
         params.settings.memoryRequestMin <= int(container.resources.requests.memory) &&
         params.settings.memoryRequestMax >= int(container.resources.requests.memory)))
diff --git a/controls/C-0270/policy.yaml b/controls/C-0270/policy.yaml
diff --git a/controls/C-0271/policy.yaml b/controls/C-0271/policy.yaml
diff --git a/runtime-policies/hostmount/policy.yaml b/runtime-policies/hostmount/policy.yaml
diff --git a/runtime-policies/insecure-capabilities/policy.yaml b/runtime-policies/insecure-capabilities/policy.yaml
diff --git a/scripts/change-yaml-field.py b/scripts/change-yaml-field.py
diff --git a/scripts/run-control-tests.py b/scripts/run-control-tests.py
diff --git a/test-resources/cronjob.yaml b/test-resources/cronjob.yaml

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@`
`4`	`4`	`"template": "pod.yaml",`
`5`	`5`	`"expected": "fail",`
`6`	`6`	`"field_change_list": [`
`7`		`- "spec.containers.[0].image=quay.io/openshift/origin-cli:latest"`
	`7`	`+ "spec.containers.[0].image=quay.io/openshift/origin-cli:latest"`
`8`	`8`	`]`
`9`	`9`	`},`
`10`	`10`	`{`
`@@ -13,5 +13,20 @@`
`13`	`13`	`"expected": "pass",`
`14`	`14`	`"field_change_list": [`
`15`	`15`	`]`
	`16`	`+ },`
	`17`	`+ {`
	`18`	`+ "name": "CronJob with image from quay.io is blocked",`
	`19`	`+ "template": "cronjob.yaml",`
	`20`	`+ "expected": "fail",`
	`21`	`+ "field_change_list": [`
	`22`	`+ "spec.jobTemplate.spec.template.spec.containers.[0].image=quay.io/openshift/origin-cli:latest"`
	`23`	`+ ]`
	`24`	`+ },`
	`25`	`+ {`
	`26`	`+ "name": "CronJob without image from quay.io is allowed",`
	`27`	`+ "template": "cronjob.yaml",`
	`28`	`+ "expected": "pass",`
	`29`	`+ "field_change_list": [`
	`30`	`+ ]`
`16`	`31`	`}`
`17`	`32`	`]`
Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@`
`3`	`3`	`"name": "Pod with container having memory-request and limits not set is blocked",`
`4`	`4`	`"template": "pod.yaml",`
`5`	`5`	`"expected": "fail",`
`6`		`- "field_change_list": [`
	`6`	`+ "field_change_list": [`
`7`	`7`	`]`
`8`	`8`	`},`
`9`	`9`	`{`
`@@ -36,7 +36,7 @@`
`36`	`36`	`"name": "Deployment with container having memory-request and limits not set is blocked",`
`37`	`37`	`"template": "deployment.yaml",`
`38`	`38`	`"expected": "fail",`
`39`		`- "field_change_list": [`
	`39`	`+ "field_change_list": [`
`40`	`40`	`]`
`41`	`41`	`},`
`42`	`42`	`{`
`@@ -47,5 +47,12 @@`
`47`	`47`	`"spec.template.spec.containers.[0].resources.requests.memory=128",`
`48`	`48`	`"spec.template.spec.containers.[0].resources.limits.memory=128"`
`49`	`49`	`]`
	`50`	`+ },`
	`51`	`+ {`
	`52`	`+ "name": "CronJob with container having memory request and limits set and both values in the limit is allowed",`
	`53`	`+ "template": "cronjob.yaml",`
	`54`	`+ "expected": "pass",`
	`55`	`+ "field_change_list": [`
	`56`	`+ ]`
`50`	`57`	`}`
`51`	`58`	`]`
Original file line number	Diff line number	Diff line change
`@@ -136,7 +136,7 @@ spec:`
`136`	`136`	`message: "Workloads contains container/s which have the capability to run as root! (see more at https://hub.armosec.io/docs/c-0013)"`
`137`	`137`
`138`	`138`	`- expression: >`
`139`		`- object.kind != 'CronJob' \|\| object.spec.jobTemplate.spec.containers.all(container,`
	`139`	`+ object.kind != 'CronJob' \|\| object.spec.jobTemplate.spec.template.spec.containers.all(container,`
`140`	`140`	`(`
`141`	`141`	`(`
`142`	`142`	`has(container.securityContext) &&`
Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,7 @@ spec:`
`111`	`111`	`message: "Workload contains volumes with potential access to known cloud credentials! (see more at https://hub.armosec.io/docs/c-0020)"`
`112`	`112`
`113`	`113`	`- expression: >`
`114`		`- object.kind != 'CronJob' \|\| !has(object.spec.jobTemplate.spec.volumes) \|\| object.spec.jobTemplate.spec.volumes.all(vol,`
	`114`	`+ object.kind != 'CronJob' \|\| !has(object.spec.jobTemplate.spec.volumes) \|\| object.spec.jobTemplate.spec.template.spec.volumes.all(vol,`
`115`	`115`	`!has(vol.hostPath) \|\| !has(vol.hostPath.path) \|\|`
`116`	`116`	`(`
`117`	`117`	`(params.settings.cloudProvider != 'eks' \|\|`
Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@`
`3`	`3`	`"name": "Pod with container having sudo in command is blocked",`
`4`	`4`	`"template": "pod-for-list-items.yaml",`
`5`	`5`	`"expected": "fail",`
`6`		`- "field_change_list": [`
	`6`	`+ "field_change_list": [`
`7`	`7`	`]`
`8`	`8`	`},`
`9`	`9`	`{`
`@@ -17,7 +17,7 @@`
`17`	`17`	`"name": "Deployment with container having sudo in command is blocked",`
`18`	`18`	`"template": "deployment-for-list-items.yaml",`
`19`	`19`	`"expected": "fail",`
`20`		`- "field_change_list": [`
	`20`	`+ "field_change_list": [`
`21`	`21`	`]`
`22`	`22`	`},`
`23`	`23`	`{`
`@@ -26,5 +26,20 @@`
`26`	`26`	`"expected": "pass",`
`27`	`27`	`"field_change_list": [`
`28`	`28`	`]`
	`29`	`+ },`
	`30`	`+ {`
	`31`	`+ "name": "CronJob with container having sudo in command is blocked",`
	`32`	`+ "template": "cronjob.yaml",`
	`33`	`+ "expected": "fail",`
	`34`	`+ "field_change_list": [`
	`35`	`+ "spec.jobTemplate.spec.template.spec.containers.[0].command.[0]=sudo"`
	`36`	`+ ]`
	`37`	`+ },`
	`38`	`+ {`
	`39`	`+ "name": "CronJob with container not having sudo in command is allowed",`
	`40`	`+ "template": "cronjob.yaml",`
	`41`	`+ "expected": "pass",`
	`42`	`+ "field_change_list": [`
	`43`	`+ ]`
`29`	`44`	`}`
`30`	`45`	`]`
Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ spec:`
`43`	`43`	`message: "Workload has one or more containers mounting Docker socket! (see more at https://hub.armosec.io/docs/c-0074)"`
`44`	`44`	`- expression: >`
`45`	`45`	`object.kind != 'CronJob' \|\| !(has(object.spec.jobTemplate.spec.volumes)) \|\|`
`46`		`- object.spec.jobTemplate.spec.volumes.all(vol, !(has(vol.hostPath)) \|\|`
	`46`	`+ object.spec.jobTemplate.spec.template.spec.volumes.all(vol, !(has(vol.hostPath)) \|\|`
`47`	`47`	`!(has(vol.hostPath.path)) \|\|`
`48`	`48`	`(`
`49`	`49`	`vol.hostPath.path != '/var/run/docker.sock' &&`
Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ spec:`
`44`	`44`	`message: "Workloads uses an image from a registry that is not in the allow list! (see more at https://hub.armosec.io/docs/c-0078)"`
`45`	`45`	`- expression: >`
`46`	`46`	`object.kind != 'CronJob' \|\|`
`47`		`- object.spec.jobTemplate.spec.containers.all(container, params.settings.imageRepositoryAllowList.exists(registry,`
	`47`	`+ object.spec.jobTemplate.spec.template.spec.containers.all(container, params.settings.imageRepositoryAllowList.exists(registry,`
`48`	`48`	`(`
`49`	`49`	`(registry == 'docker.io' && !container.image.contains('/')) \|\|`
`50`	`50`	`(container.image.startsWith(registry))`