Co-authored-by: apple <avanti@accurics.com>
Showing
25 changed files
with
351 additions
and
351 deletions.
24 changes: 12 additions & 12 deletions
24
pkg/policies/opa/rego/k8s/kubernetes_ingress/AC-K8-NS-IN-H-0020.json
100755 → 100644
@@ -1,14 +1,14 @@ | ||
{ | ||
"name": "noHttps", | ||
"file": "noHttps.rego", | ||
"template_args": { | ||
"name": "noHttps", | ||
"file": "noHttps.rego", | ||
"template_args": { | ||
"name": "noHttps", | ||
"prefix": "", | ||
"suffix": "" | ||
}, | ||
"severity": "HIGH", | ||
"description": "TLS disabled can affect the confidentiality of the data in transit", | ||
"reference_id": "AC-K8-NS-IN-H-0020", | ||
"category": "Network Security", | ||
"version": 1 | ||
} | ||
"prefix": "", | ||
"suffix": "" | ||
}, | ||
"severity": "HIGH", | ||
"description": "TLS disabled can affect the confidentiality of the data in transit", | ||
"reference_id": "AC-K8-NS-IN-H-0020", | ||
"category": "Infrastructure Security", | ||
"version": 1 | ||
} |
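Review bot: The new `"category": "Infrastructure Security"` line no longer matches the category code embedded in `"reference_id": "AC-K8-NS-IN-H-0020"`, where `NS` abbreviated the old `Network Security` label; the same drift appears in every file of this commit, with `OE`, `CA` and `DS` now sitting under labels that do not spell out to those letters. The reference_id itself should stay exactly as it is, since it is what users put in suppressions, baselines and reports, so this is not a request to rename the IDs. What is missing is a written mapping (NS → Infrastructure Security, DS → Data Protection, CA → Compliance Validation, OE → Security Best Practices) so that nobody later "fixes" the IDs to match the labels or vice versa; JSON has no comment syntax, so that note belongs in the README next to these policy files or wherever the category enum is defined.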
24 changes: 12 additions & 12 deletions
24
pkg/policies/opa/rego/k8s/kubernetes_namespace/AC-K8-OE-NS-L-0128.json
100755 → 100644
@@ -1,14 +1,14 @@ | ||
{ | ||
"name": "noOwnerLabel", | ||
"file": "noOwnerLabel.rego", | ||
"template_args": { | ||
"name": "noOwnerLabel", | ||
"file": "noOwnerLabel.rego", | ||
"template_args": { | ||
"name": "noOwnerLabel", | ||
"prefix": "", | ||
"suffix": "" | ||
}, | ||
"severity": "LOW", | ||
"description": "No owner for namespace affects the operations", | ||
"reference_id": "AC-K8-OE-NS-L-0128", | ||
"category": "Operational Efficiency", | ||
"version": 1 | ||
} | ||
"prefix": "", | ||
"suffix": "" | ||
}, | ||
"severity": "LOW", | ||
"description": "No owner for namespace affects the operations", | ||
"reference_id": "AC-K8-OE-NS-L-0128", | ||
"category": "Security Best Practices", | ||
"version": 1 | ||
} |
38 changes: 19 additions & 19 deletions
38
pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-CA-PO-H-0165.json
100755 → 100644
@@ -1,21 +1,21 @@ | ||
{ | ||
"name": "privilegeEscalationCheck", | ||
"file": "securityContextCheck.rego", | ||
"template_args": { | ||
"allowed": "false", | ||
"arg1": "cpu", | ||
"arg2": "limits", | ||
"name": "privilegeEscalationCheck", | ||
"file": "securityContextCheck.rego", | ||
"template_args": { | ||
"allowed": "false", | ||
"arg1": "cpu", | ||
"arg2": "limits", | ||
"name": "privilegeEscalationCheck", | ||
"not_allowed": "true", | ||
"param": "allowPrivilegeEscalation", | ||
"param1": "securityContext", | ||
"prefix": "", | ||
"suffix": "", | ||
"value": "true" | ||
}, | ||
"severity": "HIGH", | ||
"description": "Containers Should Not Run with AllowPrivilegeEscalation", | ||
"reference_id": "AC-K8-CA-PO-H-0165", | ||
"category": "Cloud Assets Management", | ||
"version": 1 | ||
} | ||
"not_allowed": "true", | ||
"param": "allowPrivilegeEscalation", | ||
"param1": "securityContext", | ||
"prefix": "", | ||
"suffix": "", | ||
"value": "true" | ||
}, | ||
"severity": "HIGH", | ||
"description": "Containers Should Not Run with AllowPrivilegeEscalation", | ||
"reference_id": "AC-K8-CA-PO-H-0165", | ||
"category": "Compliance Validation", | ||
"version": 1 | ||
} |
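Review bot: `"arg1": "cpu"` and `"arg2": "limits"` in template_args look like residue from a resource-limits policy rather than inputs to a privilege-escalation check, and they are re-emitted unchanged on the new side; if securityContextCheck.rego (not visible in this diff) does not reference `arg1`/`arg2`, they should be removed so the rendered rule does not carry misleading parameters. The move to `"category": "Compliance Validation"` also separates this check from its siblings in the same commit: `capSysAdminUsed` and `securityContextUsed` are container-hardening checks now filed under `Infrastructure Security`, and `allowPrivilegeEscalation` is the same kind of control, so filing it there would keep category-based filtering consistent. Minor: `allowed`, `not_allowed` and `value` are string-typed booleans (`"true"`/`"false"`), which is fine if the template substitutes them textually into Rego, but worth confirming the template does not compare them against native booleans.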
24 changes: 12 additions & 12 deletions
24
pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0176.json
100755 → 100644
@@ -1,14 +1,14 @@ | ||
{ | ||
"name": "kubeDashboardEnabled", | ||
"file": "kubeDashboardEnabled.rego", | ||
"template_args": { | ||
"name": "kubeDashboardEnabled", | ||
"file": "kubeDashboardEnabled.rego", | ||
"template_args": { | ||
"name": "kubeDashboardEnabled", | ||
"prefix": "", | ||
"suffix": "" | ||
}, | ||
"severity": "MEDIUM", | ||
"description": "Ensure Kubernetes Dashboard Is Not Deployed", | ||
"reference_id": "AC-K8-DS-PO-M-0176", | ||
"category": "Data Security", | ||
"version": 1 | ||
} | ||
"prefix": "", | ||
"suffix": "" | ||
}, | ||
"severity": "MEDIUM", | ||
"description": "Ensure Kubernetes Dashboard Is Not Deployed", | ||
"reference_id": "AC-K8-DS-PO-M-0176", | ||
"category": "Data Protection", | ||
"version": 1 | ||
} |
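Review bot: `"category": "Data Protection"` for a check described as `Ensure Kubernetes Dashboard Is Not Deployed` reads as a carry-over of the old `Data Security` label (the `DS` code in the reference_id) rather than a classification of what the rule detects; an exposed dashboard is an attack-surface and access-control problem, and the same applies to the Tiller check `AC-K8-DS-PO-M-0177` in this commit. `Infrastructure Security`, already used here for the other pod-level hardening checks, would be the more accurate bucket unless the new taxonomy has a dedicated access-control category. If the category is deliberately kept aligned with the reference_id code, that constraint should be documented, because otherwise the next reader will see the mismatch with the description and change it.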
24 changes: 12 additions & 12 deletions
24
pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0177.json
100755 → 100644
@@ -1,14 +1,14 @@ | ||
{ | ||
"name": "tillerDeployed", | ||
"file": "tillerDeployed.rego", | ||
"template_args": { | ||
"name": "tillerDeployed", | ||
"file": "tillerDeployed.rego", | ||
"template_args": { | ||
"name": "tillerDeployed", | ||
"prefix": "", | ||
"suffix": "" | ||
}, | ||
"severity": "MEDIUM", | ||
"description": "Ensure That Tiller (Helm V2) Is Not Deployed", | ||
"reference_id": "AC-K8-DS-PO-M-0177", | ||
"category": "Data Security", | ||
"version": 1 | ||
} | ||
"prefix": "", | ||
"suffix": "" | ||
}, | ||
"severity": "MEDIUM", | ||
"description": "Ensure That Tiller (Helm V2) Is Not Deployed", | ||
"reference_id": "AC-K8-DS-PO-M-0177", | ||
"category": "Data Protection", | ||
"version": 1 | ||
} |
24 changes: 12 additions & 12 deletions
24
pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0117.json
100755 → 100644
@@ -1,14 +1,14 @@ | ||
{ | ||
"name": "secretsAsEnvVariables", | ||
"file": "secretsAsEnvVariables.rego", | ||
"template_args": { | ||
"name": "secretsAsEnvVariables", | ||
"file": "secretsAsEnvVariables.rego", | ||
"template_args": { | ||
"name": "secretsAsEnvVariables", | ||
"prefix": "", | ||
"suffix": "" | ||
}, | ||
"severity": "HIGH", | ||
"description": "Prefer using secrets as files over secrets as environment variables", | ||
"reference_id": "AC-K8-NS-PO-H-0117", | ||
"category": "Network Security", | ||
"version": 1 | ||
} | ||
"prefix": "", | ||
"suffix": "" | ||
}, | ||
"severity": "HIGH", | ||
"description": "Prefer using secrets as files over secrets as environment variables", | ||
"reference_id": "AC-K8-NS-PO-H-0117", | ||
"category": "Infrastructure Security", | ||
"version": 1 | ||
} |
24 changes: 12 additions & 12 deletions
24
pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0170.json
100755 → 100644
@@ -1,14 +1,14 @@ | ||
{ | ||
"name": "capSysAdminUsed", | ||
"file": "capSysAdminUsed.rego", | ||
"template_args": { | ||
"name": "capSysAdminUsed", | ||
"file": "capSysAdminUsed.rego", | ||
"template_args": { | ||
"name": "capSysAdminUsed", | ||
"prefix": "", | ||
"suffix": "" | ||
}, | ||
"severity": "HIGH", | ||
"description": "Do Not Use CAP_SYS_ADMIN Linux Capability", | ||
"reference_id": "AC-K8-NS-PO-H-0170", | ||
"category": "Network Security", | ||
"version": 1 | ||
} | ||
"prefix": "", | ||
"suffix": "" | ||
}, | ||
"severity": "HIGH", | ||
"description": "Do Not Use CAP_SYS_ADMIN Linux Capability", | ||
"reference_id": "AC-K8-NS-PO-H-0170", | ||
"category": "Infrastructure Security", | ||
"version": 1 | ||
} |
24 changes: 12 additions & 12 deletions
24
pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0122.json
100755 → 100644
@@ -1,14 +1,14 @@ | ||
{ | ||
"name": "securityContextUsed", | ||
"file": "securityContextUsed.rego", | ||
"template_args": { | ||
"name": "securityContextUsed", | ||
"file": "securityContextUsed.rego", | ||
"template_args": { | ||
"name": "securityContextUsed", | ||
"prefix": "", | ||
"suffix": "" | ||
}, | ||
"severity": "MEDIUM", | ||
"description": "Apply Security Context to Your Pods and Containers", | ||
"reference_id": "AC-K8-NS-PO-M-0122", | ||
"category": "Network Security", | ||
"version": 1 | ||
} | ||
"prefix": "", | ||
"suffix": "" | ||
}, | ||
"severity": "MEDIUM", | ||
"description": "Apply Security Context to Your Pods and Containers", | ||
"reference_id": "AC-K8-NS-PO-M-0122", | ||
"category": "Infrastructure Security", | ||
"version": 1 | ||
} |
24 changes: 12 additions & 12 deletions
24
pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0133.json
100755 → 100644
@@ -1,14 +1,14 @@ | ||
{ | ||
"name": "imageWithoutDigest", | ||
"file": "imageWithoutDigest.rego", | ||
"template_args": { | ||
"name": "imageWithoutDigest", | ||
"file": "imageWithoutDigest.rego", | ||
"template_args": { | ||
"name": "imageWithoutDigest", | ||
"prefix": "", | ||
"suffix": "" | ||
}, | ||
"severity": "MEDIUM", | ||
"description": "Image without digest affects the integrity principle of image security", | ||
"reference_id": "AC-K8-NS-PO-M-0133", | ||
"category": "Network Security", | ||
"version": 1 | ||
} | ||
"prefix": "", | ||
"suffix": "" | ||
}, | ||
"severity": "MEDIUM", | ||
"description": "Image without digest affects the integrity principle of image security", | ||
"reference_id": "AC-K8-NS-PO-M-0133", | ||
"category": "Infrastructure Security", | ||
"version": 1 | ||
} |
28 changes: 14 additions & 14 deletions
28
pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0163.json
100755 → 100644
@@ -1,16 +1,16 @@ | ||
{ | ||
"name": "falseHostIPC", | ||
"file": "specBoolCheck.rego", | ||
"template_args": { | ||
"name": "falseHostIPC", | ||
"file": "specBoolCheck.rego", | ||
"template_args": { | ||
"name": "falseHostIPC", | ||
"param": "hostIPC", | ||
"prefix": "", | ||
"suffix": "", | ||
"value": "true" | ||
}, | ||
"severity": "MEDIUM", | ||
"description": "Containers Should Not Share Host IPC Namespace", | ||
"reference_id": "AC-K8-NS-PO-M-0163", | ||
"category": "Network Security", | ||
"version": 1 | ||
} | ||
"param": "hostIPC", | ||
"prefix": "", | ||
"suffix": "", | ||
"value": "true" | ||
}, | ||
"severity": "MEDIUM", | ||
"description": "Containers Should Not Share Host IPC Namespace", | ||
"reference_id": "AC-K8-NS-PO-M-0163", | ||
"category": "Infrastructure Security", | ||
"version": 1 | ||
} |
28 changes: 14 additions & 14 deletions
28
pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0164.json
100755 → 100644
@@ -1,16 +1,16 @@ | ||
{ | ||
"name": "falseHostNetwork", | ||
"file": "specBoolCheck.rego", | ||
"template_args": { | ||
"name": "falseHostNetwork", | ||
"file": "specBoolCheck.rego", | ||
"template_args": { | ||
"name": "falseHostNetwork", | ||
"param": "hostNetwork", | ||
"prefix": "", | ||
"suffix": "", | ||
"value": "true" | ||
}, | ||
"severity": "MEDIUM", | ||
"description": "Containers Should Not Share the Host Network Namespace", | ||
"reference_id": "AC-K8-NS-PO-M-0164", | ||
"category": "Network Security", | ||
"version": 1 | ||
} | ||
"param": "hostNetwork", | ||
"prefix": "", | ||
"suffix": "", | ||
"value": "true" | ||
}, | ||
"severity": "MEDIUM", | ||
"description": "Containers Should Not Share the Host Network Namespace", | ||
"reference_id": "AC-K8-NS-PO-M-0164", | ||
"category": "Infrastructure Security", | ||
"version": 1 | ||
} |
30 changes: 15 additions & 15 deletions
30
pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0171.json
100755 → 100644
@@ -1,17 +1,17 @@ | ||
{ | ||
"name": "dontConnectDockerSock", | ||
"file": "dockerSockCheck.rego", | ||
"template_args": { | ||
"attrib": "spec.volumes[_].hostPath", | ||
"name": "dontConnectDockerSock", | ||
"file": "dockerSockCheck.rego", | ||
"template_args": { | ||
"attrib": "spec.volumes[_].hostPath", | ||
"name": "dontConnectDockerSock", | ||
"param": "path", | ||
"prefix": "", | ||
"suffix": "", | ||
"value": "/var/run/docker" | ||
}, | ||
"severity": "MEDIUM", | ||
"description": "Restrict Mounting Docker Socket in a Container", | ||
"reference_id": "AC-K8-NS-PO-M-0171", | ||
"category": "Network Security", | ||
"version": 1 | ||
} | ||
"param": "path", | ||
"prefix": "", | ||
"suffix": "", | ||
"value": "/var/run/docker" | ||
}, | ||
"severity": "MEDIUM", | ||
"description": "Restrict Mounting Docker Socket in a Container", | ||
"reference_id": "AC-K8-NS-PO-M-0171", | ||
"category": "Infrastructure Security", | ||
"version": 1 | ||
} |
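Review bot: `"value": "/var/run/docker"` is not the socket path; the Docker socket is `/var/run/docker.sock`, and whether this value detects it depends entirely on how dockerSockCheck.rego (not in this diff) compares `spec.volumes[_].hostPath.path` — a prefix or `contains` match will catch it, an equality match will not. Even with prefix matching it misses common variants such as `/run/docker.sock` (on systemd hosts `/var/run` is a symlink to `/run`, so a manifest can mount either form) and the containerd socket `/run/containerd/containerd.sock`, which grants the same node-level control. Worth confirming the rego's comparison and either listing the full paths explicitly or matching on the `docker.sock`/`containerd.sock` basename; a hostPath mount of the container-runtime socket is effectively root on the node, so the `MEDIUM` severity re-emitted here is arguably low for what it represents.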
24 changes: 12 additions & 12 deletions
24
pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0182.json
100755 → 100644
@@ -1,14 +1,14 @@ | ||
{ | ||
"name": "containersAsHighUID", | ||
"file": "containersAsHighUID.rego", | ||
"template_args": { | ||
"name": "containersAsHighUID", | ||
"file": "containersAsHighUID.rego", | ||
"template_args": { | ||
"name": "containersAsHighUID", | ||
"prefix": "", | ||
"suffix": "" | ||
}, | ||
"severity": "MEDIUM", | ||
"description": "Containers Should Run as a High UID to Avoid Host Conflict", | ||
"reference_id": "AC-K8-NS-PO-M-0182", | ||
"category": "Network Security", | ||
"version": 1 | ||
} | ||
"prefix": "", | ||
"suffix": "" | ||
}, | ||
"severity": "MEDIUM", | ||
"description": "Containers Should Run as a High UID to Avoid Host Conflict", | ||
"reference_id": "AC-K8-NS-PO-M-0182", | ||
"category": "Infrastructure Security", | ||
"version": 1 | ||
} |