Merge pull request #12 from suhasgumma/C-0045

slashben · web-flow · commit 31311bfee5ba · 2023-01-11T22:21:15.000+02:00
ValidatingAdmissionPolicy for C-0045
diff --git a/controls/C-0045/policy.yaml b/controls/C-0045/policy.yaml
@@ -0,0 +1,42 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "kubescape-c-0045-deny-workloads-with-hostpath-volumes-readonly-not-false"
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   [""]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["pods"]
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments","replicasets","daemonsets","statefulsets"]
+    - apiGroups:   ["batch"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["jobs","cronjobs"]
+  validations:
+    - expression: > 
+        object.kind != 'Pod' || object.spec.volumes.all(vol, !(has(vol.hostPath)) ||
+        object.spec.containers.all(container, !(has(container.volumeMounts)) || container.volumeMounts.all(
+          containerVol, containerVol.name != vol.name ||
+          (has(containerVol.readOnly) && containerVol.readOnly == true)
+        )))
+      message: "One or more hostPath Volumes in the Pod has readOnly not set to false! (see more at https://hub.armosec.io/docs/c-0045)"
+    - expression: > 
+        ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.volumes.all(vol, !(has(vol.hostPath)) ||
+        object.spec.template.spec.containers.all(container, !(has(container.volumeMounts)) || container.volumeMounts.all(
+          containerVol, containerVol.name != vol.name ||
+          (has(containerVol.readOnly) && containerVol.readOnly == true)
+        )))
+      message: "One or more hostPath Volumes in the Workload has readOnly not set to false! (see more at https://hub.armosec.io/docs/c-0045)"
+    - expression: > 
+        object.kind != 'CronJob' || object.spec.jobTemplate.spec.volumes.all(vol, !(has(vol.hostPath)) ||
+        object.spec.jobTemplate.spec.containers.all(container, !(has(container.volumeMounts)) || container.volumeMounts.all(
+          containerVol, containerVol.name != vol.name ||
+          (has(containerVol.readOnly) && containerVol.readOnly == true)
+        )))
+      message: "One or more hostPath Volumes in the CronJob has readOnly not set to false! (see more at https://hub.armosec.io/docs/c-0045)"
diff --git a/controls/C-0045/tests.json b/controls/C-0045/tests.json
@@ -0,0 +1,68 @@
+[
+    {
+        "name": "Pod with no hostPath Volumes allowed",
+        "template": "pod.yaml",
+        "expected": "pass",
+        "field_change_list": [
+        ]
+    },
+    {
+        "name": "Pod with hostPath volume and readOnly is not set for corresponding volumeMount is denied",
+        "template": "pod.yaml",
+        "expected": "fail",
+        "field_change_list": [
+            "spec.volumes.[0].hostPath.path=/var"
+        ]
+    },
+    {
+        "name": "Pod with hostPath volume and readOnly is set to false for corresponding volumeMount is denied",
+        "template": "pod.yaml",
+        "expected": "fail",
+        "field_change_list": [
+            "spec.volumes.[0].hostPath.path=/var",
+            "spec.containers.[0].volumeMounts.[0].readOnly=false"    
+        ]
+    },
+    {
+        "name": "Pod with hostPath volume and readOnly is set to true for corresponding volumeMount is allowed",
+        "template": "pod.yaml",
+        "expected": "pass",
+        "field_change_list": [
+            "spec.volumes.[0].hostPath.path=/var",
+            "spec.containers.[0].volumeMounts.[0].readOnly=true"    
+        ]
+    },
+    {
+        "name": "Deployment with no hostPath Volumes allowed",
+        "template": "deployment.yaml",
+        "expected": "pass",
+        "field_change_list": [
+        ]
+    },
+    {
+        "name": "Deployment with hostPath volume and readOnly is not set for corresponding volumeMount is denied",
+        "template": "deployment.yaml",
+        "expected": "fail",
+        "field_change_list": [
+            "spec.template.spec.volumes.[0].hostPath.path=/var"
+        ]
+    },
+    {
+        "name": "Deployment with hostPath volume and readOnly is set to false for corresponding volumeMount is denied",
+        "template": "deployment.yaml",
+        "expected": "fail",
+        "field_change_list": [
+            "spec.template.spec.volumes.[0].hostPath.path=/var",
+            "spec.template.spec.containers.[0].volumeMounts.[0].readOnly=false"    
+        ]
+    },
+    {
+        "name": "Deployment with hostPath volume and readOnly is set to true for corresponding volumeMount is allowed",
+        "template": "deployment.yaml",
+        "expected": "pass",
+        "field_change_list": [
+            "spec.template.spec.volumes.[0].hostPath.path=/var",
+            "spec.template.spec.containers.[0].volumeMounts.[0].readOnly=true"    
+        ]
+    }
+]
