Separating the new functionality to a new control

Signed-off-by: Ben <[email protected]>

Author: slashben

controls/C-0266-exposuretointernet-gateway.json

@@ -0,0 +1,33 @@
+{
+    "name": "Exposure to internet via Gateway API",
+    "attributes": {
+        "controlTypeTags": [
+            "security"
+        ],
+        "attackTracks": [
+            {
+                "attackTrack": "workload-external-track",
+                "categories": [
+                    "Initial Access"
+                ]
+            },
+            {
+                "attackTrack": "service-destruction",
+                "categories": [
+                    "Initial Access"
+                ]
+            }
+        ]
+    },
+    "description": "This control detect workloads that are exposed on Internet through a Gateway API (HTTPRoute,TCPRoute, UDPRoute). It fails in case it find workloads connected with these resources.",
+    "remediation": "The user can evaluate its exposed resources and apply relevant changes wherever needed.",
+    "rulesNames": ["exposure-to-internet-via-gateway-api"],
+    "test": "Checks if workloads are exposed through the use of Gateway API (HTTPRoute, TCPRoute, UDPRoute).",
+    "controlID": "C-0266",
+    "baseScore": 7.0,
+    "scanningScope": {
+        "matches": [
+            "cluster"
+        ]
+    }
+}

rules/exposure-to-internet-via-gateway-api/raw.rego

@@ -0,0 +1,77 @@
+package armo_builtins
+
+
+deny[msga] {
+    httproute := input[_]
+    httproute.kind == "HTTPRoute"
+
+    svc := input[_]
+    svc.kind == "Service"
+
+    # Make sure that they belong to the same namespace
+    svc.metadata.namespace == httproute.metadata.namespace
+
+    # avoid duplicate alerts
+    # if service is already exposed through NodePort or LoadBalancer workload will fail on that
+    not is_exposed_service(svc)
+
+    wl := input[_]
+    wl.metadata.namespace == svc.metadata.namespace
+    spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Pod", "Job", "CronJob"}
+    spec_template_spec_patterns[wl.kind]
+    wl_connected_to_service(wl, svc)
+
+    result := svc_connected_to_httproute(svc, httproute)
+
+    msga := {
+        "alertMessage": sprintf("workload '%v' is exposed through httproute '%v'", [wl.metadata.name, httproute.metadata.name]),
+        "packagename": "armo_builtins",
+        "failedPaths": [],
+        "fixPaths": [],
+        "alertScore": 7,
+        "alertObject": {
+            "k8sApiObjects": [wl]
+        },
+        "relatedObjects": [
+		{
+	            "object": httproute,
+		    "reviewPaths": result,
+	            "failedPaths": result,
+	        },
+		{
+	            "object": svc,
+		}
+        ]
+    }
+}
+
+# ====================================================================================
+
+is_exposed_service(svc) {
+    svc.spec.type == "NodePort"
+}
+
+is_exposed_service(svc) {
+    svc.spec.type == "LoadBalancer"
+}
+
+wl_connected_to_service(wl, svc) {
+    count({x | svc.spec.selector[x] == wl.metadata.labels[x]}) == count(svc.spec.selector)
+}
+
+wl_connected_to_service(wl, svc) {
+    wl.spec.selector.matchLabels == svc.spec.selector
+}
+
+wl_connected_to_service(wl, svc) {
+    count({x | svc.spec.selector[x] == wl.spec.template.metadata.labels[x]}) == count(svc.spec.selector)
+}
+
+svc_connected_to_httproute(svc, httproute) = result {
+    rule := httproute.spec.rules[i]
+    ref := rule.backendRefs[j]
+    ref.kind == "Service"
+    svc.metadata.name == ref.name
+    result := [sprintf("spec.rules[%d].backendRefs[%d].name", [i,j])]
+}
+

rules/exposure-to-internet-via-gateway-api/rule.metadata.json

@@ -0,0 +1,60 @@
+{
+  "name": "exposure-to-internet-via-gateway-api",
+  "attributes": {
+  },
+  "ruleLanguage": "Rego",
+  "match": [
+    {
+      "apiGroups": [
+        ""
+      ],
+      "apiVersions": [
+        "v1"
+      ],
+      "resources": [
+        "Pod",
+        "Service"
+      ]
+    },
+    {
+      "apiGroups": [
+        "apps"
+      ],
+      "apiVersions": [
+        "v1"
+      ],
+      "resources": [
+          "Deployment",
+          "ReplicaSet",
+          "DaemonSet",
+          "StatefulSet"
+      ]
+    },
+    {
+      "apiGroups": [
+        "batch"
+      ],
+      "apiVersions": [
+        "*"
+      ],
+      "resources": [
+          "Job",
+          "CronJob"
+      ]
+    },
+    {
+      "apiGroups": [
+        "gateway.networking.k8s.io"
+      ],
+      "apiVersions": [
+        "v1"
+      ],
+      "resources": [
+        "HTTPRoute"
+      ]
+    }
+  ],
+  "description": "fails in case the running workload has binded Service and Gateway that are exposing it on Internet.",
+  "remediation": "",
+  "ruleQuery": "armo_builtins"
+}

rules/exposure-to-internet/test/failed_with_httproute/expected.json rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute/expected.json

@@ -72,50 +72,6 @@ deny[msga] {
     }
 }
 
-deny[msga] {
-    httproute := input[_]
-    httproute.kind == "HTTPRoute"
-
-    svc := input[_]
-    svc.kind == "Service"
-
-    # Make sure that they belong to the same namespace
-    svc.metadata.namespace == httproute.metadata.namespace
-
-    # avoid duplicate alerts
-    # if service is already exposed through NodePort or LoadBalancer workload will fail on that
-    not is_exposed_service(svc)
-
-    wl := input[_]
-    wl.metadata.namespace == svc.metadata.namespace
-    spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Pod", "Job", "CronJob"}
-    spec_template_spec_patterns[wl.kind]
-    wl_connected_to_service(wl, svc)
-
-    result := svc_connected_to_httproute(svc, httproute)
-
-    msga := {
-        "alertMessage": sprintf("workload '%v' is exposed through httproute '%v'", [wl.metadata.name, httproute.metadata.name]),
-        "packagename": "armo_builtins",
-        "failedPaths": [],
-        "fixPaths": [],
-        "alertScore": 7,
-        "alertObject": {
-            "k8sApiObjects": [wl]
-        },
-        "relatedObjects": [
-		{
-	            "object": httproute,
-		    "reviewPaths": result,
-	            "failedPaths": result,
-	        },
-		{
-	            "object": svc,
-		}
-        ]
-    }
-}
-
 # ====================================================================================
 
 is_exposed_service(svc) {
@@ -146,11 +102,4 @@ svc_connected_to_ingress(svc, ingress) = result {
     result := [sprintf("spec.rules[%d].http.paths[%d].backend.service.name", [i,j])]
 }
 
-svc_connected_to_httproute(svc, httproute) = result {
-    rule := httproute.spec.rules[i]
-    ref := rule.backendRefs[j]
-    ref.kind == "Service"
-    svc.metadata.name == ref.name
-    result := [sprintf("spec.rules[%d].backendRefs[%d].name", [i,j])]
-}
 

rules/exposure-to-internet/test/failed_with_httproute/input/deployment.yaml rules/exposure-to-internet-via-gateway-api/test/failed_with_httproute/input/deployment.yaml

@@ -52,17 +52,6 @@
         "resources": [
           "Ingress"
         ]
-    },
-    {
-      "apiGroups": [
-        "gateway.networking.k8s.io"
-      ],
-      "apiVersions": [
-        "v1"
-      ],
-      "resources": [
-        "HTTPRoute"
-      ]
     }
   ],
   "description": "fails in case the running workload has binded Service or Ingress that are exposing it on Internet.",