From 5cbb202f11c82fd4ef531e068d89f0343503b075 Mon Sep 17 00:00:00 2001
From: JoaoCxMartins
Date: Mon, 19 Feb 2024 11:21:52 +0000
Subject: [PATCH 1/6] update query Container Memory Requests Not Equal To Its Limits
---
.../metadata.json | 4 ++--
.../query.rego | 7 +++++++
.../test/negative1.yaml | 20 +++++++++++++++++++
3 files changed, 29 insertions(+), 2 deletions(-)
create mode 100644 assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/negative1.yaml
diff --git a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/metadata.json b/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/metadata.json
index a625a0dd2eb..8a08d4a9654 100644
--- a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/metadata.json
+++ b/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "aafa7d94-62de-4fbf-8838-b69ee217b0e6",
- "queryName": "Container Memory Requests Not Equal To It's Limits",
+ "queryName": "Container Memory Requests Not Equal To Its Limits",
 "severity": "LOW",
 "category": "Resource Management",
 "descriptionText": "A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined.",
@@ -8,4 +8,4 @@
 "platform": "Kubernetes",
 "descriptionID": "0c15063c",
 "cwe": ""
-}
\ No newline at end of file
+}
diff --git a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/query.rego b/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/query.rego
index b15b0725b3f..81a94966ab0 100644
--- a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/query.rego
+++ b/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/query.rego
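Review bot: The descriptionText kept as context in this hunk still says 'requests.memory' must equal 'limits.memory', "and both be defined", but the same patch adds a `has_request_or_limits` guard to query.rego and a negative1.yaml fixture in which no container sets any memory request or limit and no result is expected, so a container that defines neither is no longer reported by this query. Reword the description to match the new scope, e.g. `"descriptionText": "... This means 'requests.memory' must equal 'limits.memory'; containers that set neither are not reported by this query."`, or keep the old wording and drop the guard. "resource DDOS of the node" is also imprecise for what a request/limit mismatch causes; "resource exhaustion (noisy-neighbour) on the node during spikes" is closer. If a separate query already covers the missing-limit case, naming it in the description would help readers understand why it is out of scope here.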
@@ -12,6 +12,7 @@ CxPolicy[result] {
 container := specInfo.spec[types[x]][c]
 rec := {"requests", "limits"}
+ has_request_or_limits(container)
 not common_lib.valid_key(container.resources[rec[t]], "memory")
 result := {
@@ -48,3 +49,9 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], c, "resources"])
 }
 }
+
+has_request_or_limits(x){
+ valid_key(x.resources[rec["requests"]],"memory")
+}else{
+ valid_key(x.resources[rec["limits"]],"memory")
+}
diff --git a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/negative1.yaml b/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/negative1.yaml
new file mode 100644
index 00000000000..23c4aca5619
--- /dev/null
+++ b/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/negative1.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: frontend
+spec:
+ containers:
+ - name: app
+ image: images.my-company.example/app:v4
+ resources:
+ requests:
+ cpu: "500m"
+ limits:
+ cpu: "500m"
+ - name: log-aggregator
+ image: images.my-company.example/log-aggregator:v6
+ resources:
+ requests:
+ cpu: "500m"
+ limits:
+ cpu: "500m"
From 1616239e33d1ff35c43a9c06f1fd57bb10b86974 Mon Sep 17 00:00:00 2001
From: JoaoCxMartins
Date: Mon, 19 Feb 2024 11:45:36 +0000
Subject: [PATCH 2/6] change the severity
---
.../metadata.json | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/metadata.json b/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/metadata.json
index 0e77c1f5eb5..afa59e73f50 100644
--- a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/metadata.json
+++ b/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/metadata.json
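Review bot: negative1.yaml is the only place that documents the new scope of the query (a container with no memory request and no memory limit at all must yield no result), but it carries no comment saying so, and a reader will take a Pod whose containers only set CPU as an odd choice for a "negative" memory case; the CPU fixture added later in this series does open with an explanatory line. Add a header such as `# containers without any memory request or limit are out of scope for this query and must produce no result`. It would also be worth stating in the same comment which query is expected to catch the fully-missing case, if one exists, so the two fixtures are not read as contradicting each other.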
@@ -1,11 +1,11 @@
 {
 "id": "9d43040e-e703-4e16-8bfe-8d4da10fa7e6",
- "queryName": "Container CPU Requests Not Equal To It's Limits",
- "severity": "LOW",
+ "queryName": "Container CPU Requests Not Equal To Its Limits",
+ "severity": "Best Practices",
 "category": "Resource Management",
 "descriptionText": "A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/",
 "platform": "Kubernetes",
 "descriptionID": "3e1c6d16",
 "cwe": ""
-}
\ No newline at end of file
+}
From 68331e614d6e2761ef06069b48b4d61171d6e4db Mon Sep 17 00:00:00 2001
From: JoaoCxMartins
Date: Mon, 19 Feb 2024 12:31:54 +0000
Subject: [PATCH 3/6] check for cpu limits
---
.../query.rego | 9 +++++++-
.../test/negative1.yaml | 21 +++++++++++++++++++
.../query.rego | 6 +++---
3 files changed, 32 insertions(+), 4 deletions(-)
create mode 100644 assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/negative1.yaml
diff --git a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/query.rego b/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/query.rego
index 5485a32f6cb..b539d26fc71 100644
--- a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/query.rego
+++ b/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/query.rego
@@ -4,14 +4,15 @@ import data.generic.common as common_lib
 import data.generic.k8s as k8sLib
 types := {"initContainers", "containers"}
+rec := {"requests", "limits"}
 CxPolicy[result] {
 document := input.document[i]
 document.kind == k8sLib.valid_pod_spec_kind_list[_]
 specInfo := k8sLib.getSpecInfo(document)
 container := specInfo.spec[types[x]][c]
- rec := {"requests", "limits"}
+ has_request_or_limits(container)
 not common_lib.valid_key(container.resources[rec[t]], "cpu")
 result := {
@@ -45,3 +46,9 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], c, "resources"]),
 }
 }
+
+has_request_or_limits(x){
+ common_lib.valid_key(x.resources[rec["requests"]],"cpu")
+}else{
+ common_lib.valid_key(x.resources[rec["limits"]],"cpu")
+}
diff --git a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/negative1.yaml b/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/negative1.yaml
new file mode 100644
index 00000000000..17b3ca99f22
--- /dev/null
+++ b/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/negative1.yaml
@@ -0,0 +1,21 @@
+#this code is a correct code for which the query should not find any result
+apiVersion: v1
+kind: Pod
+metadata:
+ name: frontend
+spec:
+ containers:
+ - name: app
+ image: images.my-company.example/app:v4
+ resources:
+ requests:
+ memory: "128Mi"
+ limits:
+ memory: "128Mi"
+ - name: log-aggregator
+ image: images.my-company.example/log-aggregator:v6
+ resources:
+ requests:
+ memory: "128Mi"
+ limits:
+ memory: "128Mi"
diff --git a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/query.rego b/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/query.rego
index 81a94966ab0..dc2b504268a 100644
--- a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/query.rego
+++ b/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/query.rego
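Review bot: `has_request_or_limits` at the end of the second hunk is written as an `else` chain over `rec["requests"]` and `rec["limits"]`, but indexing the set `rec` with one of its members just yields that member, so each branch is `x.resources.requests` / `x.resources.limits` spelled indirectly and the two branches differ only in the key. A single body that iterates the set says the same thing and succeeds when either section carries the key: `has_request_or_limits(x) { common_lib.valid_key(x.resources[rec[_]], "cpu") }`. Whichever form is kept, put a comment above it stating the intent that the new negative1.yaml encodes, e.g. `# in scope only when at least one of requests.cpu / limits.cpu is set; a container that sets neither is not reported here`, because the guard silently narrows what the rule used to flag. Now that `rec` is package-level, a name such as `resource_sections` would read better than `rec`.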
@@ -4,13 +4,13 @@ import data.generic.common as common_lib
 import data.generic.k8s as k8sLib
 types := {"initContainers", "containers"}
+rec := {"requests", "limits"}
 CxPolicy[result] {
 document := input.document[i]
 document.kind == k8sLib.valid_pod_spec_kind_list[_]
 specInfo := k8sLib.getSpecInfo(document)
 container := specInfo.spec[types[x]][c]
- rec := {"requests", "limits"}
 has_request_or_limits(container)
 not common_lib.valid_key(container.resources[rec[t]], "memory")
@@ -51,7 +51,7 @@ CxPolicy[result] {
 }
 has_request_or_limits(x){
- valid_key(x.resources[rec["requests"]],"memory")
+ common_lib.valid_key(x.resources[rec["requests"]],"memory")
 }else{
- valid_key(x.resources[rec["limits"]],"memory")
+ common_lib.valid_key(x.resources[rec["limits"]],"memory")
 }
From 16d4d788ef2e25df44c7c69f5f30dce9df132b56 Mon Sep 17 00:00:00 2001
From: JoaoCxMartins
Date: Mon, 19 Feb 2024 12:43:17 +0000
Subject: [PATCH 4/6] fix
---
.../metadata.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/metadata.json b/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/metadata.json
index afa59e73f50..c25235b526b 100644
--- a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/metadata.json
+++ b/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/metadata.json
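Review bot: After the second hunk the memory query's `has_request_or_limits` is character-for-character the CPU query's except for the `"memory"` key, and each file now also carries its own package-level `rec` set; the two copies have already drifted once within this series (the unqualified `valid_key` being repaired here), which is what duplicated helpers tend to do. A helper parameterised by the resource name, e.g. `has_request_or_limits(x, res) { common_lib.valid_key(x.resources[rec[_]], res) }`, would keep both queries in step, and if the k8s library package is where shared helpers live it could be placed there with `rec`. The `else` chain is not needed in either form, since iterating `rec[_]` already succeeds when either section has the key. The function is complete within the hunk.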
@@ -1,8 +1,8 @@
 {
 "id": "9d43040e-e703-4e16-8bfe-8d4da10fa7e6",
 "queryName": "Container CPU Requests Not Equal To Its Limits",
- "severity": "Best Practices",
- "category": "Resource Management",
+ "severity": "LOW",
+ "category": "Best Practices",
 "descriptionText": "A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/",
 "platform": "Kubernetes",
From ba99c4acdb3fb865fd6ab7c2e002c459aa547d7a Mon Sep 17 00:00:00 2001
From: JoaoCxMartins
Date: Wed, 20 Mar 2024 09:44:16 +0000
Subject: [PATCH 5/6] fix test
---
.../test/positive_expected_result.json | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/positive_expected_result.json b/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/positive_expected_result.json
index da1fdb798d0..61a80c2247e 100644
--- a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/positive_expected_result.json
+++ b/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/positive_expected_result.json
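Review bot: This hunk moves the CPU query to `"category": "Best Practices"` while the sibling memory query, touched in the first patch of this series, keeps `"category": "Resource Management"` with an otherwise identical description; two queries that differ only in the resource they check should share a category, so either revert this line or change the memory query's metadata as well. The retained descriptionText still says "and both be defined", which no longer matches the `has_request_or_limits` guard added to query.rego earlier in the series (a container with no CPU request and no CPU limit is not reported, as the new negative1.yaml expects). Suggested wording: `"descriptionText": "... This means 'requests.cpu' must equal 'limits.cpu'; containers that set neither are not reported by this query."`.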
@@ -1,24 +1,24 @@
 [
 {
- "queryName": "Container CPU Requests Not Equal To It's Limits",
+ "queryName": "Container CPU Requests Not Equal To Its Limits",
 "severity": "LOW",
 "line": 11,
 "fileName": "positive.yaml"
 },
 {
- "queryName": "Container CPU Requests Not Equal To It's Limits",
+ "queryName": "Container CPU Requests Not Equal To Its Limits",
 "severity": "LOW",
 "line": 22,
 "fileName": "positive.yaml"
 },
 {
- "queryName": "Container CPU Requests Not Equal To It's Limits",
+ "queryName": "Container CPU Requests Not Equal To Its Limits",
 "severity": "LOW",
 "line": 26,
 "fileName": "positive.yaml"
 },
 {
- "queryName": "Container CPU Requests Not Equal To It's Limits",
+ "queryName": "Container CPU Requests Not Equal To Its Limits",
 "severity": "LOW",
 "line": 10,
 "fileName": "positive2.yaml"
From 4c3a71d77cd71b3ff080c84ecec1549c3f334985 Mon Sep 17 00:00:00 2001
From: JoaoCxMartins
Date: Wed, 20 Mar 2024 10:11:26 +0000
Subject: [PATCH 6/6] fix
---
.../test/positive_expected_result.json | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/positive_expected_result.json b/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/positive_expected_result.json
index d44c60edec2..998df986586 100644
--- a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/positive_expected_result.json
+++ b/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/positive_expected_result.json
@@ -1,24 +1,24 @@
 [
 {
- "queryName": "Container Memory Requests Not Equal To It's Limits",
+ "queryName": "Container Memory Requests Not Equal To Its Limits",
 "severity": "LOW",
 "line": 11,
 "fileName": "positive.yaml"
 },
 {
- "queryName": "Container Memory Requests Not Equal To It's Limits",
+ "queryName": "Container Memory Requests Not Equal To Its Limits",
 "severity": "LOW",
 "line": 22,
 "fileName": "positive.yaml"
 },
 {
- "queryName": "Container Memory Requests Not Equal To It's Limits",
+ "queryName": "Container Memory Requests Not Equal To Its Limits",
 "severity": "LOW",
 "line": 26,
 "fileName": "positive.yaml"
 },
 {
- "queryName": "Container Memory Requests Not Equal To It's Limits",
+ "queryName": "Container Memory Requests Not Equal To Its Limits",
 "severity": "LOW",
 "line": 11,
 "fileName": "positive2.yaml"