Fixing two issues (CIS 1.2.3 and C-0030 were implemented incorrectly) #664
This pull request introduces a new control to ensure that the Kubernetes API server is configured to deny external IPs in services, which fixes the CIS 1.2.3 check in version 1.10. It also includes a fix on C-0030.
This should fix #656 and #660
New Control Addition

controls/C-0283-ensurethattheapiserverdenyserviceexternalipsisset.json: Added a new control to ensure that the API server is configured with the --enable-admission-plugins=DenyServiceExternalIPs parameter.

Rego Rules Implementation

rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-set/filter.rego: Implemented a Rego rule to detect if the API server is configured correctly.
rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-set/raw.rego: Added logic to check for the presence of the DenyServiceExternalIPs plugin in the API server command.

Metadata and Test Cases

rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-set/rule.metadata.json: Added metadata for the new control rule.
rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-set/test/failed/expected.json: Added expected output for a failing test case.
rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-set/test/failed/input/1.yaml: Added input for a failing test case where the DenyServiceExternalIPs plugin is not enabled.
rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-set/test/passed/expected.json: Added expected output for a passing test case.
rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-set/test/passed/input/1.yaml: Added input for a passing test case where the DenyServiceExternalIPs plugin is enabled.
rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-set/test/passed/input/2.yaml: Added another input for a passing test case with the DenyServiceExternalIPs plugin enabled.

Minor Fixes

rules/ingress-and-egress-blocked/raw.rego: Fixed a function name typo in the is_ingerss_egress_policy function.
rules/ingress-and-egress-blocked/test/only-egress-policy/expected.json: Added an empty expected output for the egress policy test.
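As an added example, not code from this PR or from the Kubescape repository: the same check the new Rego rule performs, written in Python over a kube-apiserver static Pod spec. It reads the container command and args, accepts both `--flag=a,b` and `--flag a,b` forms of the admission-plugin flags, and treats the plugin as enabled only if it is listed in `--enable-admission-plugins` and not also in `--disable-admission-plugins` (the plugin is off by default). The two Pod dicts are constructed to mirror the PR's passed and failed test inputs.

```python
from typing import Iterable

PLUGIN = "DenyServiceExternalIPs"

def _flag_values(argv: Iterable[str], flag: str) -> set[str]:
    """Collect every value of a comma-separated list flag.
    Handles '--flag=a,b' and '--flag a,b', possibly repeated."""
    values: set[str] = set()
    args = list(argv)
    i = 0
    while i < len(args):
        arg = args[i]
        if arg == flag and i + 1 < len(args):  # space-separated form
            values.update(v.strip() for v in args[i + 1].split(",") if v.strip())
            i += 1
        elif arg.startswith(flag + "="):  # '=' form
            values.update(v.strip() for v in arg[len(flag) + 1:].split(",") if v.strip())
        i += 1
    return values

def deny_service_external_ips_enabled(argv: Iterable[str]) -> bool:
    """True iff the plugin is explicitly enabled and not disabled again.
    It is off by default, so absence from the enable list means failure."""
    args = list(argv)
    enabled = _flag_values(args, "--enable-admission-plugins")
    disabled = _flag_values(args, "--disable-admission-plugins")
    return PLUGIN in enabled and PLUGIN not in disabled

def apiserver_argv(pod: dict) -> list[str]:
    """Join command and args of every container running kube-apiserver."""
    argv: list[str] = []
    for c in pod.get("spec", {}).get("containers", []):
        cmd = list(c.get("command", [])) + list(c.get("args", []))
        if any("kube-apiserver" in part for part in cmd):
            argv.extend(cmd)
    return argv

def check_pod(pod: dict) -> bool:
    """Control verdict for one static Pod: True = passed, False = failed."""
    return deny_service_external_ips_enabled(apiserver_argv(pod))

# Constructed sample manifests (not the PR's YAML test inputs).
FAILED_POD = {"spec": {"containers": [{"name": "kube-apiserver",
    "command": ["kube-apiserver", "--enable-admission-plugins=NodeRestriction"]}]}}
PASSED_POD = {"spec": {"containers": [{"name": "kube-apiserver",
    "command": ["kube-apiserver", "--enable-admission-plugins=NodeRestriction,DenyServiceExternalIPs"]}]}}

if __name__ == "__main__":
    print("failed input:", "passed" if check_pod(FAILED_POD) else "failed")
    print("passed input:", "passed" if check_pod(PASSED_POD) else "failed")
```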