Adding iteration over workloads

amitschendel · amitschendel · commit 9d5c581df5a9 · 2024-01-31T13:05:03.000+02:00
Signed-off-by: Amit Schendel &lt;amitschendel@gmail.com&gt;
diff --git a/rules/unauthenticated-service/raw.rego b/rules/unauthenticated-service/raw.rego
@@ -1,30 +1,48 @@
 package armo_builtins
 
 deny[msga] {
-    service := input[_]
+
+	service := input[_]
     service.kind == "Service"
 
+	wl := input[_]
+    spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Pod", "Job", "CronJob"}
+    spec_template_spec_patterns[wl.kind]
+    wl_connected_to_service(wl, service)
+
     specificPort := service.spec.ports[i]
     portNumber := specificPort.port
     service_name := service.metadata.name
 	namespace := service.metadata.namespace
     hasUnauthenticatedService(service_name, portNumber, namespace)
     
-    path := sprintf("spec.ports[%v].port", [i])
+	# Path to the pod spec
+    path := "spec"
 
 	msga := {
-		"alertMessage": sprintf("Unauthenticated service %v", [service_name]),
+		"alertMessage": sprintf("Unauthenticated service %v which exposes %v", [service_name, wl.metadata.name]),
 		"alertScore": 7,
 		"fixPaths": [],
 		"reviewPaths": [path],
 		"failedPaths": [path],
 		"packagename": "armo_builtins",
 		"alertObject": {
-			"k8sApiObjects": [service]
+			"k8sApiObjects": [wl]
 		},
+		"relatedObjects": [{
+            "object": service
+        }]
 	}
 }
 
 hasUnauthenticatedService(service_name, port, namespace) {
     networkscanner.isUnauthenticatedService(service_name, port, namespace)
-}
+}
+
+wl_connected_to_service(wl, svc) {
+    count({x | svc.spec.selector[x] == wl.metadata.labels[x]}) == count(svc.spec.selector)
+}
+
+wl_connected_to_service(wl, svc) {
+    wl.spec.selector.matchLabels == svc.spec.selector
+}
diff --git a/rules/unauthenticated-service/rule.metadata.json b/rules/unauthenticated-service/rule.metadata.json
@@ -2,17 +2,44 @@
     "name": "unauthenticated-service",
     "ruleLanguage": "Rego",
     "match": [
-        {
-            "apiGroups": [
-              ""
-            ],
-            "apiVersions": [
-              "v1"
-            ],
-            "resources": [
-              "Service"
-            ]
-        }
+      {
+        "apiGroups": [
+          ""
+        ],
+        "apiVersions": [
+          "v1"
+        ],
+        "resources": [
+          "Pod",
+          "Service"
+        ]
+      },
+      {
+        "apiGroups": [
+          "apps"
+        ],
+        "apiVersions": [
+          "v1"
+        ],
+        "resources": [
+            "Deployment",
+            "ReplicaSet",
+            "DaemonSet",
+            "StatefulSet"
+        ]
+      },
+      {
+        "apiGroups": [
+          "batch"
+        ],
+        "apiVersions": [
+          "*"
+        ],
+        "resources": [
+            "Job",
+            "CronJob"
+        ]
+      }
       ],
       "dynamicMatch": [
     ],
