add rules host-pid-privileges and host-ipc-privileges

Signed-off-by: YiscahLevySilas1 <[email protected]>

Author: YiscahLevySilas1

rules/host-ipc-privileges/raw.rego

@@ -0,0 +1,68 @@
+package armo_builtins
+
+
+# Fails if pod has hostIPC enabled
+deny[msga] {
+    pod := input[_]
+    pod.kind == "Pod"
+	is_host_ipc(pod.spec)
+	path := "spec.hostIPC"
+	msga := {
+		"alertMessage": sprintf("Pod: %v has hostIPC enabled", [pod.metadata.name]),
+		"packagename": "armo_builtins",
+		"alertScore": 7,
+		"deletePaths": [path],
+		"failedPaths": [path],
+		"fixPaths": [],
+		"alertObject": {
+			"k8sApiObjects": [pod]
+		}
+	}
+}
+
+
+# Fails if workload has hostIPC enabled
+deny[msga] {
+    wl := input[_]
+	spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
+	is_host_ipc(wl.spec.template.spec)
+	path := "spec.template.spec.hostIPC"
+    msga := {
+	"alertMessage": sprintf("%v: %v has a pod with hostIPC enabled", [wl.kind, wl.metadata.name]),
+		"alertScore": 9,
+		"deletePaths": [path],
+		"failedPaths": [path],
+		"fixPaths": [],
+		"packagename": "armo_builtins",
+		"alertObject": {
+			"k8sApiObjects": [wl]
+		}
+	}
+}
+
+
+# Fails if cronjob has hostIPC enabled
+deny[msga] {
+	wl := input[_]
+	wl.kind == "CronJob"
+	is_host_ipc(wl.spec.jobTemplate.spec.template.spec)
+	path := "spec.jobTemplate.spec.template.spec.hostIPC"
+    msga := {
+	"alertMessage": sprintf("CronJob: %v has a pod with hostIPC enabled", [wl.metadata.name]),
+		"alertScore": 9,
+		"deletePaths": [path],
+		"failedPaths": [path],
+		"fixPaths": [],
+		"packagename": "armo_builtins",
+		"alertObject": {
+			"k8sApiObjects": [wl]
+		}
+	}
+}
+
+# Check that hostIPC is set to false. Default is false. Only in pod spec
+
+
+is_host_ipc(podspec){
+     podspec.hostIPC == true
+}

rules/host-ipc-privileges/rule.metadata.json

@@ -0,0 +1,50 @@
+{
+    "name": "host-ipc-privileges",
+    "attributes": {
+    },
+    "ruleLanguage": "Rego",
+    "match": [
+      {
+        "apiGroups": [
+          ""
+        ],
+        "apiVersions": [
+          "v1"
+        ],
+        "resources": [
+          "Pod"
+        ]
+      },
+      {
+        "apiGroups": [
+          "apps"
+        ],
+        "apiVersions": [
+          "v1"
+        ],
+        "resources": [
+            "Deployment",
+            "ReplicaSet",
+            "DaemonSet",
+            "StatefulSet"
+        ]
+      },
+      {
+        "apiGroups": [
+          "batch"
+        ],
+        "apiVersions": [
+          "*"
+        ],
+        "resources": [
+            "Job",
+            "CronJob"
+        ]
+      }
+    ],
+    "ruleDependencies": [
+    ],
+    "description": "Containers should be as isolated as possible from the host machine. The hostIPC field in Kubernetes may excessively expose the host to potentially malicious actions.",
+    "remediation": "Make sure that the field hostIPC in the pod spec is not set to true (set to false or not present)",
+    "ruleQuery": "armo_builtins"
+}

rules/host-ipc-privileges/test/cronjob/expected.json

@@ -0,0 +1,18 @@
+[{
+    "alertMessage": "CronJob: hello has a pod with hostIPC enabled",
+    "deletePaths": ["spec.jobTemplate.spec.template.spec.hostIPC"],
+    "failedPaths": ["spec.jobTemplate.spec.template.spec.hostIPC"],
+    "fixPaths": [],
+    "ruleStatus": "",
+    "packagename": "armo_builtins",
+    "alertScore": 9,
+    "alertObject": {
+        "k8sApiObjects": [{
+            "apiVersion": "batch/v1beta1",
+            "kind": "CronJob",
+            "metadata": {
+                "name": "hello"
+            }
+        }]
+    }
+}]

rules/host-ipc-privileges/test/cronjob/input/cronjob.yaml

@@ -0,0 +1,40 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: hello
+spec:
+  schedule: "*/1 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec :
+          hostIPC: true
+          hostPID: false
+          containers :
+            -
+              name : mysql
+              image : mysql
+              env :
+                -
+                  name : MYSQL_ROOT_PASSWORD
+                  value : "rootpasswd"
+              volumeMounts :
+                -
+                  mountPath : /var/lib/mysql
+                  name : site-data
+                  subPath : mysql
+            -
+              name : php
+              image : php:7.0-apache
+              volumeMounts :
+                -
+                  mountPath : /var/www/html
+                  name : site-data
+                  subPath : html
+          volumes :
+            -
+              name : site-data
+              persistentVolumeClaim :
+                claimName : my-lamp-site-data
+          restartPolicy: OnFailure
+          

rules/host-ipc-privileges/test/pod/expected.json

@@ -0,0 +1,18 @@
+[{
+    "alertMessage": "Pod: test has hostIPC enabled",
+    "deletePaths": ["spec.hostIPC"],
+    "failedPaths": ["spec.hostIPC"],
+    "fixPaths": [],
+    "ruleStatus": "",
+    "packagename": "armo_builtins",
+    "alertScore": 7,
+    "alertObject": {
+        "k8sApiObjects": [{
+            "apiVersion": "v1",
+            "kind": "Pod",
+            "metadata": {
+                "name": "test"
+            }
+        }]
+    }
+}]

rules/host-ipc-privileges/test/pod/input/pod.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+    name: test
+spec:
+      containers:
+      - args:
+        - server
+        env:
+          - name: BASE_HREF
+            value: /argo/
+        image: test:latest
+        name: test
+      - name : test2
+        image : test
+      hostNetwork: true
+      hostIPC: true

rules/host-ipc-privileges/test/workload/expected.json

@@ -0,0 +1,21 @@
+[ {
+    "alertMessage": "Deployment: my-deployment has a pod with hostIPC enabled",
+    "deletePaths": ["spec.template.spec.hostIPC"],
+    "failedPaths": ["spec.template.spec.hostIPC"],
+    "fixPaths": [],
+    "ruleStatus": "",
+    "packagename": "armo_builtins",
+    "alertScore": 9,
+    "alertObject": {
+        "k8sApiObjects": [{
+            "apiVersion": "apps/v1",
+            "kind": "Deployment",
+            "metadata": {
+                "labels": {
+                    "app": "goproxy"
+                },
+                "name": "my-deployment"
+            }
+        }]
+    }
+}]

rules/host-ipc-privileges/test/workload/input/deployment.yaml

@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: my-deployment
+  labels:
+    app : goproxy
+spec:
+  selector:
+    matchLabels:
+      app : goproxy
+  template:
+    metadata :
+      name : goproxy
+      labels :
+        app : goproxy
+    spec :
+      hostIPC: true
+      hostPID: true
+      containers :
+        -
+          name : mysql
+          image : mysql
+          env :
+            -
+              name : MYSQL_ROOT_PASSWORD
+              value : "rootpasswd"
+        -
+          name : php
+          image : php:7.0-apache
+          volumeMounts :
+            -
+              mountPath : /var/www/html
+              name : site-data
+              subPath : html
+      volumes :
+        -
+          name : site-data
+          persistentVolumeClaim :
+            claimName : my-lamp-site-data

rules/host-pid-privileges/raw.rego

@@ -0,0 +1,70 @@
+package armo_builtins
+
+
+# Fails if pod has hostPID enabled
+deny[msga] {
+    pod := input[_]
+    pod.kind == "Pod"
+	is_host_pid(pod.spec)
+	path := "spec.hostPID"
+	msga := {
+		"alertMessage": sprintf("Pod: %v has hostPID enabled", [pod.metadata.name]),
+		"packagename": "armo_builtins",
+		"alertScore": 7,
+		"deletePaths": [path],
+		"failedPaths": [path],
+		"fixPaths": [],
+		"alertObject": {
+			"k8sApiObjects": [pod]
+		}
+	}
+}
+
+
+# Fails if workload has hostPID enabled
+deny[msga] {
+    wl := input[_]
+	spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
+	is_host_pid(wl.spec.template.spec)
+	path := "spec.template.spec.hostPID"
+    msga := {
+	"alertMessage": sprintf("%v: %v has a pod with hostPID enabled", [wl.kind, wl.metadata.name]),
+		"alertScore": 9,
+		"deletePaths": [path],
+		"failedPaths": [path],
+		"fixPaths": [],
+		"packagename": "armo_builtins",
+		"alertObject": {
+			"k8sApiObjects": [wl]
+		}
+	}
+}
+
+
+# Fails if cronjob has hostPID enabled
+deny[msga] {
+	wl := input[_]
+	wl.kind == "CronJob"
+	is_host_pid(wl.spec.jobTemplate.spec.template.spec)
+	path := "spec.jobTemplate.spec.template.spec.hostPID"
+    msga := {
+	"alertMessage": sprintf("CronJob: %v has a pod with hostPID enabled", [wl.metadata.name]),
+		"alertScore": 9,
+		"deletePaths": [path],
+		"failedPaths": [path],
+		"fixPaths": [],
+		"packagename": "armo_builtins",
+		"alertObject": {
+			"k8sApiObjects": [wl]
+		}
+	}
+}
+
+
+
+# Check that hostPID and are set to false. Default is false. Only in pod spec
+
+
+is_host_pid(podspec){
+    podspec.hostPID == true
+}