Merge pull request #19 from suhasgumma/C-0062

ValidatingAdmissionPolicy for C-0062

Author: slashben

controls/C-0062/policy.yaml

@@ -0,0 +1,27 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "kubescape-c-0062-deny-resources-having-containers-with-sudo-in-entrypoint"
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   [""]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["pods"]
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments","replicasets","daemonsets","statefulsets"]
+    - apiGroups:   ["batch"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["jobs","cronjobs"]
+  validations:
+    - expression: "object.kind != 'Pod' || object.spec.containers.all(container, !(has(container.command)) || container.command.all(cmd, cmd != 'sudo'))"
+      message: "Pod has a container/s having sudo in entrypoint! (see more at https://hub.armosec.io/docs/c-0062)"
+    - expression: "['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container, !(has(container.command)) || container.command.all(cmd, cmd != 'sudo'))"
+      message: "Workload has a container/s having sudo in entrypoint! (see more at https://hub.armosec.io/docs/c-0062)"
+    - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container, !(has(container.command)) || container.command.all(cmd, cmd != 'sudo'))"
+      message: "CronJob has a container/s having sudo in entrypoint! (see more at https://hub.armosec.io/docs/c-0062)"

controls/C-0062/tests.json

@@ -0,0 +1,30 @@
+[
+    {
+        "name": "Pod with container having sudo in command is blocked",
+        "template": "pod-for-list-items.yaml",
+        "expected": "fail",
+        "field_change_list": [   
+        ]
+    },
+    {
+        "name": "Pod with container not having sudo in command is allowed",
+        "template": "pod.yaml",
+        "expected": "pass",
+        "field_change_list": [
+        ]
+    },
+    {
+        "name": "Deployment with container having sudo in command is blocked",
+        "template": "deployment-for-list-items.yaml",
+        "expected": "fail",
+        "field_change_list": [   
+        ]
+    },
+    {
+        "name": "Deployment with container not having sudo in command is allowed",
+        "template": "deployment.yaml",
+        "expected": "pass",
+        "field_change_list": [
+        ]
+    }
+]

test-resources/deployment-for-list-items.yaml

@@ -17,7 +17,7 @@ spec:
       containers:
       - name: sleep
         image: alpine
-        command: ["sh"]
+        command: ["sudo","sh"]
         args: ["-c", "while true; do sleep 1; done"]
         securityContext:
           capabilities:

test-resources/pod-for-list-items.yaml

@@ -8,7 +8,7 @@ spec:
   containers:
   - name: sleep
     image: alpine
-    command: ["sh"]
+    command: ["sudo", sh"]
     args: ["-c", "while true; do sleep 1; done"]
     securityContext:
       capabilities: