Merge branch 'master' of github.com:kubescape/regolibrary into cis-1.10-yiscah

Signed-off-by: YiscahLevySilas1 <[email protected]>

Author: YiscahLevySilas1

controls/C-0283-ensurethattheapiserverdenyserviceexternalipsisset.json

@@ -0,0 +1,27 @@
+{
+    "controlID": "C-0283",
+    "name": "Ensure that the API Server --DenyServiceExternalIPs is set",
+    "description": "This admission controller rejects all net-new usage of the Service field externalIPs.",
+    "long_description": "This admission controller rejects all net-new usage of the Service field externalIPs. This feature is very powerful (allows network traffic interception) and not well controlled by policy. When enabled, users of the cluster may not create new Services which use externalIPs and may not add new values to externalIPs on existing Service objects. Existing uses of externalIPs are not affected, and users may remove values from externalIPs on existing Service objects.\n\n Most users do not need this feature at all, and cluster admins should consider disabling it. Clusters that do need to use this feature should consider using some custom policy to manage usage of it.",
+    "remediation": "Edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and add the `--enable-admission-plugins=DenyServiceExternalIPs` parameter\n\n or\n\n The Kubernetes API server flag disable-admission-plugins takes a comma-delimited list of admission control plugins to be disabled, even if they are in the list of plugins enabled by default.\n\n `kube-apiserver --disable-admission-plugins=DenyServiceExternalIPs,AlwaysDeny ...`",
+    "manual_test": "Run the following command on the Control Plane node:\n\n \n```\nps -ef | grep kube-apiserver\n\n```\n Verify that the `--enable-admission-plugins=DenyServiceExternalIPs argument exists.",
+    "references": [
+        "https://workbench.cisecurity.org/sections/2633389/recommendations/4261958"
+    ],
+    "attributes": {
+    },
+    "rulesNames": [
+        "ensure-that-the-api-server-DenyServiceExternalIPs-is-set"
+    ],
+    "baseScore": 4,
+    "impact_statement": "When not enabled, users of the cluster may create new Services which use externalIPs and may add new values to externalIPs on existing Service objects.",
+    "default_value": "By default, `--enable-admission-plugins=DenyServiceExternalIPs` argument is not set.",
+    "category": {
+        "name" : "Control plane"
+   },
+    "scanningScope": {
+        "matches": [
+            "cluster"
+        ]
+    }
+}

rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-set/filter.rego

@@ -0,0 +1,16 @@
+package armo_builtins
+
+deny[msg] {
+	obj = input[_]
+	is_api_server(obj)
+	msg := {"alertObject": {"k8sApiObjects": [obj]}}
+}
+
+is_api_server(obj) {
+	obj.apiVersion == "v1"
+	obj.kind == "Pod"
+	obj.metadata.namespace == "kube-system"
+	count(obj.spec.containers) == 1
+	count(obj.spec.containers[0].command) > 0
+	endswith(obj.spec.containers[0].command[0], "kube-apiserver")
+}

rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-set/raw.rego

@@ -0,0 +1,57 @@
+package armo_builtins
+
+import future.keywords.in
+
+deny[msg] {
+	obj = input[_]
+	is_api_server(obj)
+	result = invalid_flag(obj.spec.containers[0].command)
+	msg := {
+		"alertMessage": "admission control plugin DenyServiceExternalIPs is not enabled.",
+		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
+		"failedPaths": result.failed_paths,
+		"fixPaths": result.fix_paths,
+		"packagename": "armo_builtins",
+		"alertObject": {"k8sApiObjects": [obj]},
+	}
+}
+
+is_api_server(obj) {
+	obj.apiVersion == "v1"
+	obj.kind == "Pod"
+	obj.metadata.namespace == "kube-system"
+	count(obj.spec.containers) == 1
+	count(obj.spec.containers[0].command) > 0
+	endswith(obj.spec.containers[0].command[0], "kube-apiserver")
+}
+
+get_flag_values(cmd) = {"origin": origin, "values": values} {
+	re := " ?--enable-admission-plugins=(.+?)(?: |$)"
+	matchs := regex.find_all_string_submatch_n(re, cmd, -1)
+	count(matchs) == 1
+	values := [val | val := split(matchs[0][1], ",")[j]; val != ""]
+	origin := matchs[0][0]
+}
+
+# Assume flag set only once
+invalid_flag(cmd) = result {
+	flag := get_flag_values(cmd[i])
+
+	# value check
+	not "DenyServiceExternalIPs" in flag.values
+
+	# get fixed and failed paths
+	result = get_retsult(i)
+}
+
+get_retsult(i) = result {
+	path = sprintf("spec.containers[0].command[%v]", [i])
+	result = {
+		"failed_paths": [path],
+		"fix_paths": [{
+			"path": path,
+			"value": sprintf("--enable-admission-plugins=%v", ["DenyServiceExternalIPs"]),
+		}],
+	}
+}

rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-set/rule.metadata.json

@@ -0,0 +1,24 @@
+{
+    "name": "ensure-that-the-api-server-DenyServiceExternalIPs-is-set",
+    "attributes": {
+    },
+    "ruleLanguage": "Rego",
+    "match": [
+        {
+            "apiGroups": [
+                ""
+            ],
+            "apiVersions": [
+                "v1"
+            ],
+            "resources": [
+                "Pod"
+            ]
+        }
+    ],
+    "dynamicMatch": [],
+    "ruleDependencies": [],
+    "description": "This admission controller rejects all net-new usage of the Service field externalIPs.",
+    "remediation": "Edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and add the `--enable-admission-plugins=DenyServiceExternalIPs` parameter\n\n or\n\n The Kubernetes API server flag disable-admission-plugins takes a comma-delimited list of admission control plugins to be disabled, even if they are in the list of plugins enabled by default.\n\n `kube-apiserver --disable-admission-plugins=DenyServiceExternalIPs,AlwaysDeny ...`\n\n#### Impact Statement\nWhen enabled, users of the cluster may not create new Services which use externalIPs and may not add new values to externalIPs on existing Service objects.\n\n#### Default Value\nBy default, `--token-auth-file` argument is not set.",
+    "ruleQuery": ""
+}

rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-set/test/failed/expected.json

@@ -0,0 +1,36 @@
+[
+    {
+        "alertMessage": "admission control plugin DenyServiceExternalIPs is not enabled.",
+        "failedPaths": [
+            "spec.containers[0].command[5]"
+        ],
+        "reviewPaths": [
+            "spec.containers[0].command[5]"
+        ],
+        "deletePaths": null,
+        "fixPaths": [
+            {
+                "path": "spec.containers[0].command[5]",
+                "value": "--enable-admission-plugins=DenyServiceExternalIPs"
+            }
+        ],
+        "ruleStatus": "",
+        "packagename": "armo_builtins",
+        "alertScore": 2,
+        "alertObject": {
+            "k8sApiObjects": [
+                {
+                    "apiVersion": "v1",
+                    "kind": "Pod",
+                    "metadata": {
+                        "labels": {
+                            "component": "kube-apiserver",
+                            "tier": "control-plane"
+                        },
+                        "name": "kube-apiserver-minikube"
+                    }
+                }
+            ]
+        }
+    }
+]

rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-set/test/failed/input/1.yaml

@@ -0,0 +1,153 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 192.168.49.2:8443
+    kubernetes.io/config.hash: 6580cebb2d04c6c59385cf58e278b0a6
+    kubernetes.io/config.mirror: 6580cebb2d04c6c59385cf58e278b0a6
+    kubernetes.io/config.seen: '2022-07-04T06:44:17.243525710Z'
+    kubernetes.io/config.source: file
+    seccomp.security.alpha.kubernetes.io/pod: runtime/default
+  creationTimestamp: '2022-07-04T06:44:17Z'
+  labels:
+    component: kube-apiserver
+    tier: control-plane
+  name: kube-apiserver-minikube
+  namespace: kube-system
+  ownerReferences:
+    - apiVersion: v1
+      controller: true
+      kind: Node
+      name: minikube
+      uid: 8bb39b2c-8cb0-4390-94e6-74d5e3fe7c16
+  resourceVersion: '257649'
+  uid: 2ca73741-b550-4d0d-94f3-4b8838d55637
+spec:
+  containers:
+    - command:
+        - kube-apiserver
+        - '--advertise-address=192.168.49.2'
+        - '--allow-privileged=true'
+        - '--authorization-mode=Node,RBAC'
+        - '--client-ca-file=/var/lib/minikube/certs/ca.crt'
+        - >-
+          --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota
+        - '--enable-bootstrap-token-auth=true'
+        - '--etcd-cafile=/var/lib/minikube/certs/etcd/ca.crt'
+        - '--etcd-certfile=/var/lib/minikube/certs/apiserver-etcd-client.crt'
+        - '--etcd-keyfile=/var/lib/minikube/certs/apiserver-etcd-client.key'
+        - '--etcd-servers=https://127.0.0.1:2379'
+        - >-
+          --kubelet-client-certificate=/var/lib/minikube/certs/apiserver-kubelet-client.crt
+        - >-
+          --kubelet-client-key=/var/lib/minikube/certs/apiserver-kubelet-client.key
+        - '--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname'
+        - >-
+          --proxy-client-cert-file=/var/lib/minikube/certs/front-proxy-client.crt
+        - '--proxy-client-key-file=/var/lib/minikube/certs/front-proxy-client.key'
+        - '--requestheader-allowed-names=front-proxy-client'
+        - >-
+          --requestheader-client-ca-file=/var/lib/minikube/certs/front-proxy-ca.crt
+        - '--requestheader-extra-headers-prefix=X-Remote-Extra-'
+        - '--requestheader-group-headers=X-Remote-Group'
+        - '--requestheader-username-headers=X-Remote-User'
+        - '--secure-port=8443'
+        - '--service-account-issuer=https://kubernetes.default.svc.cluster.local'
+        - '--service-account-key-file=/var/lib/minikube/certs/sa.pub'
+        - '--service-account-signing-key-file=/var/lib/minikube/certs/sa.key'
+        - '--service-cluster-ip-range=10.96.0.0/12'
+        - '--tls-cert-file=/var/lib/minikube/certs/apiserver.crt'
+        - '--tls-private-key-file=/var/lib/minikube/certs/apiserver.key'
+      image: k8s.gcr.io/kube-apiserver:v1.24.1
+      imagePullPolicy: IfNotPresent
+      livenessProbe:
+        failureThreshold: 8
+        httpGet:
+          host: 192.168.49.2
+          path: /livez
+          port: 8443
+          scheme: HTTPS
+        initialDelaySeconds: 10
+        periodSeconds: 10
+        successThreshold: 1
+        timeoutSeconds: 15
+      name: kube-apiserver
+      readinessProbe:
+        failureThreshold: 3
+        httpGet:
+          host: 192.168.49.2
+          path: /readyz
+          port: 8443
+          scheme: HTTPS
+        periodSeconds: 1
+        successThreshold: 1
+        timeoutSeconds: 15
+      resources:
+        requests:
+          cpu: 250m
+      startupProbe:
+        failureThreshold: 24
+        httpGet:
+          host: 192.168.49.2
+          path: /livez
+          port: 8443
+          scheme: HTTPS
+        initialDelaySeconds: 10
+        periodSeconds: 10
+        successThreshold: 1
+        timeoutSeconds: 15
+      terminationMessagePath: /dev/termination-log
+      terminationMessagePolicy: File
+      volumeMounts:
+        - mountPath: /etc/ssl/certs
+          name: ca-certs
+          readOnly: true
+        - mountPath: /etc/ca-certificates
+          name: etc-ca-certificates
+          readOnly: true
+        - mountPath: /var/lib/minikube/certs
+          name: k8s-certs
+          readOnly: true
+        - mountPath: /usr/local/share/ca-certificates
+          name: usr-local-share-ca-certificates
+          readOnly: true
+        - mountPath: /usr/share/ca-certificates
+          name: usr-share-ca-certificates
+          readOnly: true
+  dnsPolicy: ClusterFirst
+  enableServiceLinks: true
+  hostNetwork: true
+  nodeName: minikube
+  preemptionPolicy: PreemptLowerPriority
+  priority: 2000001000
+  priorityClassName: system-node-critical
+  restartPolicy: Always
+  schedulerName: default-scheduler
+  securityContext:
+    seccompProfile:
+      type: RuntimeDefault
+  terminationGracePeriodSeconds: 30
+  tolerations:
+    - effect: NoExecute
+      operator: Exists
+  volumes:
+    - hostPath:
+        path: /etc/ssl/certs
+        type: DirectoryOrCreate
+      name: ca-certs
+    - hostPath:
+        path: /etc/ca-certificates
+        type: DirectoryOrCreate
+      name: etc-ca-certificates
+    - hostPath:
+        path: /var/lib/minikube/certs
+        type: DirectoryOrCreate
+      name: k8s-certs
+    - hostPath:
+        path: /usr/local/share/ca-certificates
+        type: DirectoryOrCreate
+      name: usr-local-share-ca-certificates
+    - hostPath:
+        path: /usr/share/ca-certificates
+        type: DirectoryOrCreate
+      name: usr-share-ca-certificates

rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-set/test/passed/expected.json

@@ -0,0 +1 @@
+[]