Add missing C-0012, C-0013 description

Signed-off-by: Florian Pöhler <[email protected]>

Author: poehlerflorian

README.md

@@ -52,6 +52,8 @@ kubectl -n policy-example run nginx --image=nginx --restart=Never
 | [C-0001](https://hub.armosec.io/docs/c-0001) | Forbidden Container Registries | [kubescape-c-0001-deny-forbidden-container-registries](/docs/policies-based-on-kubescape-controls/kubescape-c-0001-deny-forbidden-container-registries.md) | [untrustedRegistries](https://hub.armosec.io/docs/configuration_parameter_untrustedregistries) |
 | [C-0004](https://hub.armosec.io/docs/c-0004) | Resources memory limit and request | [kubescape-c-0004-deny-resources-with-memory-limit-or-request-not-set](/docs/policies-based-on-kubescape-controls/kubescape-c-0004-deny-resources-with-memory-limit-or-request-not-set.md) | [memoryRequestMin](https://hub.armosec.io/docs/configuration_parameter_memoryrequestmin) |
 | [C-0009](https://hub.armosec.io/docs/c-0009) | Resource limits | [kubescape-c-0009-deny-resources-with-memory-or-cpu-limit-not-set](/docs/policies-based-on-kubescape-controls/kubescape-c-0009-deny-resources-with-memory-or-cpu-limit-not-set.md) | not configurable |
+| [C-0012](https://hub.armosec.io/docs/c-0012) | Applications credentials in configuration files | [kubescape-c-0012-deny-resources-with-sensitive-information-in-environment-variables](/docs/policies-based-on-kubescape-controls/kubescape-c-0012-deny-resources-with-sensitive-information-in-environment-variables.md) | [sensitiveValues](https://hub.armosec.io/docs/configuration_parameter_sensitivevalues), [sensitiveValuesAllowed](https://hub.armosec.io/docs/configuration_parameter_sensitivevaluesallowed), [sensitiveKeyNames](https://hub.armosec.io/docs/configuration_parameter_sensitivekeynames), [sensitiveKeyNamesAllowed](https://hub.armosec.io/docs/configuration_parameter_sensitivekeynames) |
+| [C-0013](https://hub.armosec.io/docs/c-0013) | Non-root containers | [kubescape-c-0013-deny-if-container-runs-as-root](/docs/policies-based-on-kubescape-controls/kubescape-c-0013-deny-if-container-runs-as-root.md) | not configurable |
 | [C-0016](https://hub.armosec.io/docs/c-0016) | Allow privilege escalation | [kubescape-c-0016-allow-privilege-escalation](/docs/policies-based-on-kubescape-controls/kubescape-c-0016-allow-privilege-escalation.md) | not configurable |
 | [C-0017](https://hub.armosec.io/docs/c-0017) | Immutable container filesystem | [kubescape-c-0017-deny-resources-with-mutable-container-filesystem](/docs/policies-based-on-kubescape-controls/kubescape-c-0017-deny-resources-with-mutable-container-filesystem.md) | not configurable |
 | [C-0018](https://hub.armosec.io/docs/c-0018) | Configured readiness probe | [kubescape-c-0018-deny-resources-without-configured-readiness-probes](/docs/policies-based-on-kubescape-controls/kubescape-c-0018-deny-resources-without-configured-readiness-probes.md) | not configurable |

controls/kustomization.yaml

@@ -2,6 +2,8 @@ resources:
 - C-0001/policy.yaml
 - C-0004/policy.yaml
 - C-0009/policy.yaml
+- C-0012/policy.yaml
+- C-0013/policy.yaml
 - C-0016/policy.yaml
 - C-0017/policy.yaml
 - C-0018/policy.yaml

docs/policies-based-on-kubescape-controls/kubescape-c-0012-deny-resources-with-sensitive-information-in-environment-variables.md

@@ -0,0 +1,32 @@
+# Kubescape C-0012: Deny if application credentials found in configuration files
+
+## Why this policy is required:
+Developers store secrets in the Kubernetes configuration files, such as environment variables in the pod configuration. Such behavior is commonly seen in clusters that are monitored by Azure Security Center. Attackers who have access to those configurations, by querying the API server or by accessing those files on the developer’s endpoint, can steal the stored secrets and use them.Note, this control is configurable. See below the details.
+
+## Severity Level: High
+
+## Configuration Parameters:
+* [sensitiveValues](https://hub.armosec.io/docs/configuration_parameter_sensitivevalues)
+* [sensitiveValuesAllowed](https://hub.armosec.io/docs/configuration_parameter_sensitivevaluesallowed)
+* [sensitiveKeyNames](https://hub.armosec.io/docs/configuration_parameter_sensitivekeynames)
+* [sensitiveKeyNamesAllowed](https://hub.armosec.io/docs/configuration_parameter_sensitivekeynames)
+
+## Resources this policy could be applied to:
+* ConfigMap
+* CronJob
+* DaemonSet
+* Deployment
+* Job
+* Pod
+* ReplicaSet
+* StatefulSet
+
+## What does this policy do:
+### This Policy checks for every container in the resource:
+* If pod has sensitive information in environment variables, by using list of known sensitive key names and values.
+
+### This Policy checks for every configMap in the resource:
+* If configMap contains sensitive information.
+
+## Implementing this policy in the Cluster:
+[Refer here for using the policy in the cluster](https://github.com/kubescape/cel-admission-library#using-the-library)

docs/policies-based-on-kubescape-controls/kubescape-c-0013-deny-if-container-runs-as-root.md

@@ -0,0 +1,25 @@
+# Kubescape C-0017: Deny resources with mutable container filesystem
+
+## Why this policy is required:
+By default, containers are permitted mostly unrestricted execution within their own context. An attacker who has access to a container, can create files and download scripts as he wishes, and modify the underlying application running on the container.
+
+## Severity Level: Low
+
+## Configuration Parameters:
+* Not Configurable
+
+## Resources this policy could be applied to:
+* CronJob
+* DaemonSet
+* Deployment
+* Job
+* Pod
+* ReplicaSet
+* StatefulSet
+
+## What does this policy do:
+### This Policy checks for every container in the resource:
+* If `securityContext.readOnlyRootFilesystem` is set to `true`. If not, the resource is denied from being deployed in the cluster.
+
+## Implementing this policy in the Cluster:
+[Refer here for using the policy in the cluster](https://github.com/kubescape/cel-admission-library#using-the-library)