Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixing CronJob support accross all controls #65

Merged
merged 4 commits into from
Mar 12, 2025
Merged

Fixing CronJob support accross all controls #65

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
2841287
Fixing CronJob support accross all controls
slashben Mar 12, 2025
c5bd9ca
Update memory resource validation in C-0004 control
slashben Mar 12, 2025
7fd6bd6
Fixing 271
slashben Mar 12, 2025
03884cf
Fixing 269
slashben Mar 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion controls/C-0001/policy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,5 +30,5 @@ spec:
message: "Pods uses an image from a forbidden registry! (see more at https://hub.armosec.io/docs/c-0001)"
- expression: "['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container, params.settings.untrustedRegistries.all(registry,!container.image.startsWith(registry)))"
message: "Workloads uses an image from a forbidden registry! (see more at https://hub.armosec.io/docs/c-0001)"
- expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container, params.settings.untrustedRegistries.all(registry,!container.image.startsWith(registry)))"
- expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(container, params.settings.untrustedRegistries.all(registry,!container.image.startsWith(registry)))"
message: "CronJob uses an image from a forbidden registry! (see more at https://hub.armosec.io/docs/c-0001)"
17 changes: 16 additions & 1 deletion controls/C-0001/tests.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
"template": "pod.yaml",
"expected": "fail",
"field_change_list": [
"spec.containers.[0].image=quay.io/openshift/origin-cli:latest"
"spec.containers.[0].image=quay.io/openshift/origin-cli:latest"
]
},
{
Expand All @@ -13,5 +13,20 @@
"expected": "pass",
"field_change_list": [
]
},
{
"name": "CronJob with image from quay.io is blocked",
"template": "cronjob.yaml",
"expected": "fail",
"field_change_list": [
"spec.jobTemplate.spec.template.spec.containers.[0].image=quay.io/openshift/origin-cli:latest"
]
},
{
"name": "CronJob without image from quay.io is allowed",
"template": "cronjob.yaml",
"expected": "pass",
"field_change_list": [
]
}
]
2 changes: 1 addition & 1 deletion controls/C-0004/policy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ spec:
message: "Workloads contains container/s with memory limit or request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0004)"

- expression: >
object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.memory))) &&
object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.memory))) &&
params.settings.memoryRequestMin <= int(container.resources.requests.memory) &&
params.settings.memoryRequestMax >= int(container.resources.requests.memory)) &&
(!(!(has(container.resources.limits)) || !(has(container.resources.limits.memory))) &&
Expand Down
11 changes: 9 additions & 2 deletions controls/C-0004/tests.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
"name": "Pod with container having memory-request and limits not set is blocked",
"template": "pod.yaml",
"expected": "fail",
"field_change_list": [
"field_change_list": [
]
},
{
Expand Down Expand Up @@ -36,7 +36,7 @@
"name": "Deployment with container having memory-request and limits not set is blocked",
"template": "deployment.yaml",
"expected": "fail",
"field_change_list": [
"field_change_list": [
]
},
{
Expand All @@ -47,5 +47,12 @@
"spec.template.spec.containers.[0].resources.requests.memory=128",
"spec.template.spec.containers.[0].resources.limits.memory=128"
]
},
{
"name": "CronJob with container having memory request and limits set and both values in the limit is allowed",
"template": "cronjob.yaml",
"expected": "pass",
"field_change_list": [
]
}
]
2 changes: 1 addition & 1 deletion controls/C-0009/policy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ spec:
message: "Workloads contains container/s with memory limit and/or cpu limit not set! (see more at https://hub.armosec.io/docs/c-0009)"

- expression: >
object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container,
object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(container,
has(container.resources) &&
has(container.resources.limits) &&
has(container.resources.limits.memory) &&
Expand Down
14 changes: 7 additions & 7 deletions controls/C-0012/policy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,28 +27,28 @@ spec:
resources: ["configmaps"]
validations:
# Note that if the value is mounted using a secret or a configMap, this policy will allow the resource to be deployed in the cluster.
- expression: >
object.kind != 'Pod' || object.spec.containers.all(container, !has(container.env) || container.env.all(envVariable,
- expression: >
object.kind != 'Pod' || object.spec.containers.all(container, !has(container.env) || container.env.all(envVariable,
!params.settings.sensitiveKeyNames.exists(sensitiveKey, envVariable.name.lowerAscii().contains(sensitiveKey)) ||
!has(envVariable.value) || (envVariable.value == "") ||
params.settings.sensitiveValuesAllowed.exists(allowedVal, envVariable.value == allowedVal)
))
message: "Pods has one or more containers with sensitive information in environment variables! (see more at https://hub.armosec.io/docs/c-0012)"
- expression: >
['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container, !has(container.env) || container.env.all(envVariable,
- expression: >
['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container, !has(container.env) || container.env.all(envVariable,
!params.settings.sensitiveKeyNames.exists(sensitiveKey, envVariable.name.lowerAscii().contains(sensitiveKey)) ||
!has(envVariable.value) || (envVariable.value == "") ||
params.settings.sensitiveValuesAllowed.exists(allowedVal, envVariable.value == allowedVal)
))
message: "Workloads has one or more containers with sensitive information in environment variables! (see more at https://hub.armosec.io/docs/c-0012)"
- expression: >
object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container, !has(container.env) || container.env.all(envVariable,
- expression: >
object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(container, !has(container.env) || container.env.all(envVariable,
!params.settings.sensitiveKeyNames.exists(sensitiveKey, envVariable.name.lowerAscii().contains(sensitiveKey)) ||
!has(envVariable.value) || (envVariable.value == "") ||
params.settings.sensitiveValuesAllowed.exists(allowedVal, envVariable.value == allowedVal)
))
message: "CronJob has one or more containers with sensitive information in environment variables! (see more at https://hub.armosec.io/docs/c-0012)"
- expression: >
- expression: >
object.kind != 'ConfigMap' || object.data.all(key,
(
(
Expand Down
2 changes: 1 addition & 1 deletion controls/C-0013/policy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -136,7 +136,7 @@ spec:
message: "Workloads contains container/s which have the capability to run as root! (see more at https://hub.armosec.io/docs/c-0013)"

- expression: >
object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container,
object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(container,
(
(
has(container.securityContext) &&
Expand Down
2 changes: 1 addition & 1 deletion controls/C-0020/policy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,7 @@ spec:
message: "Workload contains volumes with potential access to known cloud credentials! (see more at https://hub.armosec.io/docs/c-0020)"

- expression: >
object.kind != 'CronJob' || !has(object.spec.jobTemplate.spec.volumes) || object.spec.jobTemplate.spec.volumes.all(vol,
object.kind != 'CronJob' || !has(object.spec.jobTemplate.spec.volumes) || object.spec.jobTemplate.spec.template.spec.volumes.all(vol,
!has(vol.hostPath) || !has(vol.hostPath.path) ||
(
(params.settings.cloudProvider != 'eks' ||
Expand Down
2 changes: 1 addition & 1 deletion controls/C-0044/policy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,5 +27,5 @@ spec:
message: "One or more containers in the Pod has Host-port! (see more at https://hub.armosec.io/docs/c-0044)"
- expression: "['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || !object.spec.template.spec.containers.exists(container, has(container.ports) && container.ports.exists(port, has(port.hostPort)))"
message: "One or more containers in the Workload has Host-port! (see more at https://hub.armosec.io/docs/c-0044)"
- expression: "object.kind != 'CronJob' || !object.spec.jobTemplate.spec.containers.exists(container, has(container.ports) && container.ports.exists(port, has(port.hostPort)))"
- expression: "object.kind != 'CronJob' || !object.spec.jobTemplate.spec.template.spec.containers.exists(container, has(container.ports) && container.ports.exists(port, has(port.hostPort)))"
message: "One or more containers in the CronJob has Host-port! (see more at https://hub.armosec.io/docs/c-0044)"
19 changes: 17 additions & 2 deletions controls/C-0044/tests.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
"template": "pod.yaml",
"expected": "fail",
"field_change_list": [
"spec.containers.[0].ports.[0].hostPort=2023"
"spec.containers.[0].ports.[0].hostPort=2023"
]
},
{
Expand All @@ -19,7 +19,7 @@
"template": "deployment.yaml",
"expected": "fail",
"field_change_list": [
"spec.template.spec.containers.[0].ports.[0].hostPort=2023"
"spec.template.spec.containers.[0].ports.[0].hostPort=2023"
]
},
{
Expand All @@ -28,5 +28,20 @@
"expected": "pass",
"field_change_list": [
]
},
{
"name": "CronJob with container not having hostPort allowed",
"template": "cronjob.yaml",
"expected": "pass",
"field_change_list": [
]
},
{
"name": "CronJob with container having hostPort blocked",
"template": "cronjob.yaml",
"expected": "fail",
"field_change_list": [
"spec.jobTemplate.spec.template.spec.containers.[0].ports.[0].hostPort=2023"
]
}
]
4 changes: 2 additions & 2 deletions controls/C-0045/policy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,8 +38,8 @@ spec:
)))
message: "One or more hostPath Volumes in the Workload has readOnly not set to false! (see more at https://hub.armosec.io/docs/c-0045)"
- expression: >
object.kind != 'CronJob' || object.spec.jobTemplate.spec.volumes.all(vol, !(has(vol.hostPath)) ||
object.spec.jobTemplate.spec.containers.all(container, !(has(container.volumeMounts)) || container.volumeMounts.all(
object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.volumes.all(vol, !(has(vol.hostPath)) ||
object.spec.jobTemplate.spec.template.spec.containers.all(container, !(has(container.volumeMounts)) || container.volumeMounts.all(
containerVol, containerVol.name != vol.name ||
(has(containerVol.readOnly) && containerVol.readOnly == true)
)))
Expand Down
2 changes: 1 addition & 1 deletion controls/C-0046/policy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ spec:
message: "Workload has one or more containers with insecure capabilities! (see more at https://hub.armosec.io/docs/c-0046)"
- expression: >
object.kind != 'CronJob' ||
object.spec.jobTemplate.spec.containers.all(container, params.settings.insecureCapabilities.all(insecureCapability,
object.spec.jobTemplate.spec.template.spec.containers.all(container, params.settings.insecureCapabilities.all(insecureCapability,
!has(container.securityContext) || !has(container.securityContext.capabilities) || !has(container.securityContext.capabilities.add) ||
container.securityContext.capabilities.add.all(capability, capability != insecureCapability)
))
Expand Down
2 changes: 1 addition & 1 deletion controls/C-0048/policy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,5 +27,5 @@ spec:
message: "There are one or more hostPath mounts in the Pod! (see more at https://hub.armosec.io/docs/c-0048)"
- expression: "['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || !has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(vol, !(has(vol.hostPath)))"
message: "There are one or more hostPath mounts in the Workload! (see more at https://hub.armosec.io/docs/c-0048)"
- expression: "object.kind != 'CronJob' || !has(object.spec.jobTemplate.spec.volumes) || object.spec.jobTemplate.spec.volumes.all(vol, !(has(vol.hostPath)))"
- expression: "object.kind != 'CronJob' || !has(object.spec.jobTemplate.spec.volumes) || object.spec.jobTemplate.spec.template.spec.volumes.all(vol, !(has(vol.hostPath)))"
message: "There are one or more hostPath mounts in the CronJob! (see more at https://hub.armosec.io/docs/c-0048)"
2 changes: 1 addition & 1 deletion controls/C-0050/policy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ spec:
message: "Workloads contains container/s with cpu limit or request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0050)"

- expression: >
object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.cpu))) &&
object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.cpu))) &&
params.settings.cpuRequestMin <= int(container.resources.requests.cpu) &&
params.settings.cpuRequestMax >= int(container.resources.requests.cpu)) &&
(!(!(has(container.resources.limits)) || !(has(container.resources.limits.cpu))) &&
Expand Down
2 changes: 1 addition & 1 deletion controls/C-0055/policy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ spec:
object.kind != 'CronJob' ||
(has(object.spec.jobTemplate.metadata.annotations) && object.spec.jobTemplate.metadata.annotations.exists(annotation, annotation.startsWith("container.apparmor.security.beta.kubernetes.io"))) ||
(has(object.spec.jobTemplate.spec.securityContext) && (has(object.spec.jobTemplate.spec.securityContext.seccompProfile) || has(object.spec.jobTemplate.spec.securityContext.seLinuxOptions))) ||
object.spec.jobTemplate.spec.containers.all(container, has(container.securityContext) && (has(container.securityContext.seccompProfile) ||
object.spec.jobTemplate.spec.template.spec.containers.all(container, has(container.securityContext) && (has(container.securityContext.seccompProfile) ||
has(container.securityContext.seLinuxOptions) ||
(has(container.securityContext.capabilities) && has(container.securityContext.capabilities.drop))))
message: "CronJob could have more security hardening! (see more at https://hub.armosec.io/docs/c-0055)"
2 changes: 1 addition & 1 deletion controls/C-0062/policy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,5 +27,5 @@ spec:
message: "Pod has a container/s having sudo in entrypoint! (see more at https://hub.armosec.io/docs/c-0062)"
- expression: "['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container, !(has(container.command)) || container.command.all(cmd, cmd != 'sudo'))"
message: "Workload has a container/s having sudo in entrypoint! (see more at https://hub.armosec.io/docs/c-0062)"
- expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container, !(has(container.command)) || container.command.all(cmd, cmd != 'sudo'))"
- expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(container, !(has(container.command)) || container.command.all(cmd, cmd != 'sudo'))"
message: "CronJob has a container/s having sudo in entrypoint! (see more at https://hub.armosec.io/docs/c-0062)"
19 changes: 17 additions & 2 deletions controls/C-0062/tests.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
"name": "Pod with container having sudo in command is blocked",
"template": "pod-for-list-items.yaml",
"expected": "fail",
"field_change_list": [
"field_change_list": [
]
},
{
Expand All @@ -17,7 +17,7 @@
"name": "Deployment with container having sudo in command is blocked",
"template": "deployment-for-list-items.yaml",
"expected": "fail",
"field_change_list": [
"field_change_list": [
]
},
{
Expand All @@ -26,5 +26,20 @@
"expected": "pass",
"field_change_list": [
]
},
{
"name": "CronJob with container having sudo in command is blocked",
"template": "cronjob.yaml",
"expected": "fail",
"field_change_list": [
"spec.jobTemplate.spec.template.spec.containers.[0].command.[0]=sudo"
]
},
{
"name": "CronJob with container not having sudo in command is allowed",
"template": "cronjob.yaml",
"expected": "pass",
"field_change_list": [
]
}
]
2 changes: 1 addition & 1 deletion controls/C-0074/policy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ spec:
message: "Workload has one or more containers mounting Docker socket! (see more at https://hub.armosec.io/docs/c-0074)"
- expression: >
object.kind != 'CronJob' || !(has(object.spec.jobTemplate.spec.volumes)) ||
object.spec.jobTemplate.spec.volumes.all(vol, !(has(vol.hostPath)) ||
object.spec.jobTemplate.spec.template.spec.volumes.all(vol, !(has(vol.hostPath)) ||
!(has(vol.hostPath.path)) ||
(
vol.hostPath.path != '/var/run/docker.sock' &&
Expand Down
2 changes: 1 addition & 1 deletion controls/C-0075/policy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ spec:
message: "Workloads contains container/s image with latest tag and imagePullPolicy not set to Always! (see more at https://hub.armosec.io/docs/c-0075)"

- expression: >
object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container,
object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(container,
!(
container.image.findAll(":[\\w][\\w.-]{0,127}(\\/)?").all(substring, substring.endsWith("/")) ||
container.image.findAll(":[\\w][\\w.-]{0,127}(\\/)?").exists(substring, substring == ":latest" || substring.matches("^:[a-zA-Z]{1,127}$"))
Expand Down
2 changes: 1 addition & 1 deletion controls/C-0078/policy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ spec:
message: "Workloads uses an image from a registry that is not in the allow list! (see more at https://hub.armosec.io/docs/c-0078)"
- expression: >
object.kind != 'CronJob' ||
object.spec.jobTemplate.spec.containers.all(container, params.settings.imageRepositoryAllowList.exists(registry,
object.spec.jobTemplate.spec.template.spec.containers.all(container, params.settings.imageRepositoryAllowList.exists(registry,
(
(registry == 'docker.io' && !container.image.contains('/')) ||
(container.image.startsWith(registry))
Expand Down
2 changes: 1 addition & 1 deletion controls/C-0268/policy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ spec:
message: "Workloads contains container/s with cpu request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0268)"

- expression: >
object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container,
object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(container,
(!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.cpu))) &&
params.settings.cpuRequestMin <= int(container.resources.requests.cpu) &&
params.settings.cpuRequestMax >= int(container.resources.requests.cpu)))
Expand Down
2 changes: 1 addition & 1 deletion controls/C-0269/policy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ spec:
message: "Workloads contains container/s with memory request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0269)"

- expression: >
object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container,
object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(container,
(!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.memory))) &&
params.settings.memoryRequestMin <= int(container.resources.requests.memory) &&
params.settings.memoryRequestMax >= int(container.resources.requests.memory)))
Expand Down
Loading
Loading