diff --git a/pkg/policies/opa/rego/k8s/kubernetes_ingress/AC-K8-NS-IN-H-0020.json b/pkg/policies/opa/rego/k8s/kubernetes_ingress/AC-K8-NS-IN-H-0020.json
old mode 100755
new mode 100644
index 30181cec1..c77459078
--- a/pkg/policies/opa/rego/k8s/kubernetes_ingress/AC-K8-NS-IN-H-0020.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_ingress/AC-K8-NS-IN-H-0020.json
@@ -1,14 +1,14 @@
 {
+ "name": "noHttps",
+ "file": "noHttps.rego",
+ "template_args": {
 "name": "noHttps",
- "file": "noHttps.rego",
- "template_args": {
- "name": "noHttps",
- "prefix": "",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "TLS disabled can affect the confidentiality of the data in transit",
- "reference_id": "AC-K8-NS-IN-H-0020",
- "category": "Network Security",
- "version": 1
-}
\ No newline at end of file
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "TLS disabled can affect the confidentiality of the data in transit",
+ "reference_id": "AC-K8-NS-IN-H-0020",
+ "category": "Infrastructure Security",
+ "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_namespace/AC-K8-OE-NS-L-0128.json b/pkg/policies/opa/rego/k8s/kubernetes_namespace/AC-K8-OE-NS-L-0128.json
old mode 100755
new mode 100644
index 2cff9d315..c65383777
--- a/pkg/policies/opa/rego/k8s/kubernetes_namespace/AC-K8-OE-NS-L-0128.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_namespace/AC-K8-OE-NS-L-0128.json
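Review bot: The reference_id stays `"AC-K8-NS-IN-H-0020"` while the category moves from "Network Security" to "Infrastructure Security", and the `NS` segment appears to have encoded the old category name (the same pattern holds for `OE`, `DS` and `CA` against the old categories in the other files of this diff). Keeping the ids stable is the right call, since suppressions and reports key on them, but after this commit nothing records that the letters no longer track `category`. A one-line note in the policy-set documentation stating that reference_id is an opaque, stable identifier would keep a later maintainer from "correcting" the ids to match the new names.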
@@ -1,14 +1,14 @@
 {
+ "name": "noOwnerLabel",
+ "file": "noOwnerLabel.rego",
+ "template_args": {
 "name": "noOwnerLabel",
- "file": "noOwnerLabel.rego",
- "template_args": {
- "name": "noOwnerLabel",
- "prefix": "",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "No owner for namespace affects the operations",
- "reference_id": "AC-K8-OE-NS-L-0128",
- "category": "Operational Efficiency",
- "version": 1
-}
\ No newline at end of file
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "No owner for namespace affects the operations",
+ "reference_id": "AC-K8-OE-NS-L-0128",
+ "category": "Security Best Practices",
+ "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-CA-PO-H-0165.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-CA-PO-H-0165.json
old mode 100755
new mode 100644
index 24409fb1c..22f1f091e
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-CA-PO-H-0165.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-CA-PO-H-0165.json
@@ -1,21 +1,21 @@
 {
+ "name": "privilegeEscalationCheck",
+ "file": "securityContextCheck.rego",
+ "template_args": {
+ "allowed": "false",
+ "arg1": "cpu",
+ "arg2": "limits",
 "name": "privilegeEscalationCheck",
- "file": "securityContextCheck.rego",
- "template_args": {
- "allowed": "false",
- "arg1": "cpu",
- "arg2": "limits",
- "name": "privilegeEscalationCheck",
- "not_allowed": "true",
- "param": "allowPrivilegeEscalation",
- "param1": "securityContext",
- "prefix": "",
- "suffix": "",
- "value": "true"
- },
- "severity": "HIGH",
- "description": "Containers Should Not Run with AllowPrivilegeEscalation",
- "reference_id": "AC-K8-CA-PO-H-0165",
- "category": "Cloud Assets Management",
- "version": 1
-}
\ No newline at end of file
+ "not_allowed": "true",
+ "param": "allowPrivilegeEscalation",
+ "param1": "securityContext",
+ "prefix": "",
+ "suffix": "",
+ "value": "true"
+ },
+ "severity": "HIGH",
+ "description": "Containers Should Not Run with AllowPrivilegeEscalation",
+ "reference_id": "AC-K8-CA-PO-H-0165",
+ "category": "Compliance Validation",
+ "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0176.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0176.json
old mode 100755
new mode 100644
index d0bff541c..dbd0095c7
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0176.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0176.json
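Review bot: The new side keeps `"arg1": "cpu"` and `"arg2": "limits"` in the template_args of privilegeEscalationCheck, values that match the resource checks (AC-K8-OE-PK-M-0155 through -0158) sharing securityContextCheck.rego rather than anything about allowPrivilegeEscalation. The template is outside this diff, so this is inferred: if it reads arg1/arg2 on the `"allowed": "false"` path the rendered rule may be inspecting the wrong fields, and if it does not, they are dead arguments that should be dropped so the next reader is not misled. Separately, this is the only container-hardening check in the diff routed to `"category": "Compliance Validation"` while its siblings (capSysAdminUsed, falseHostIPC, securityContextUsed) go to "Infrastructure Security"; worth confirming that split is intended rather than carried over from the old "Cloud Assets Management" bucket.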
@@ -1,14 +1,14 @@
 {
+ "name": "kubeDashboardEnabled",
+ "file": "kubeDashboardEnabled.rego",
+ "template_args": {
 "name": "kubeDashboardEnabled",
- "file": "kubeDashboardEnabled.rego",
- "template_args": {
- "name": "kubeDashboardEnabled",
- "prefix": "",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Kubernetes Dashboard Is Not Deployed",
- "reference_id": "AC-K8-DS-PO-M-0176",
- "category": "Data Security",
- "version": 1
-}
\ No newline at end of file
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Kubernetes Dashboard Is Not Deployed",
+ "reference_id": "AC-K8-DS-PO-M-0176",
+ "category": "Data Protection",
+ "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0177.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0177.json
old mode 100755
new mode 100644
index d8a40cc5e..33f46d807
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0177.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0177.json
@@ -1,14 +1,14 @@
 {
+ "name": "tillerDeployed",
+ "file": "tillerDeployed.rego",
+ "template_args": {
 "name": "tillerDeployed",
- "file": "tillerDeployed.rego",
- "template_args": {
- "name": "tillerDeployed",
- "prefix": "",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure That Tiller (Helm V2) Is Not Deployed",
- "reference_id": "AC-K8-DS-PO-M-0177",
- "category": "Data Security",
- "version": 1
-}
\ No newline at end of file
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure That Tiller (Helm V2) Is Not Deployed",
+ "reference_id": "AC-K8-DS-PO-M-0177",
+ "category": "Data Protection",
+ "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0117.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0117.json
old mode 100755
new mode 100644
index 23c8d904d..8f0f4146e
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0117.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0117.json
@@ -1,14 +1,14 @@
 {
+ "name": "secretsAsEnvVariables",
+ "file": "secretsAsEnvVariables.rego",
+ "template_args": {
 "name": "secretsAsEnvVariables",
- "file": "secretsAsEnvVariables.rego",
- "template_args": {
- "name": "secretsAsEnvVariables",
- "prefix": "",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Prefer using secrets as files over secrets as environment variables",
- "reference_id": "AC-K8-NS-PO-H-0117",
- "category": "Network Security",
- "version": 1
-}
\ No newline at end of file
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Prefer using secrets as files over secrets as environment variables",
+ "reference_id": "AC-K8-NS-PO-H-0117",
+ "category": "Infrastructure Security",
+ "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0170.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0170.json
old mode 100755
new mode 100644
index b211361a6..d23c19cba
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0170.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0170.json
@@ -1,14 +1,14 @@
 {
+ "name": "capSysAdminUsed",
+ "file": "capSysAdminUsed.rego",
+ "template_args": {
 "name": "capSysAdminUsed",
- "file": "capSysAdminUsed.rego",
- "template_args": {
- "name": "capSysAdminUsed",
- "prefix": "",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Do Not Use CAP_SYS_ADMIN Linux Capability",
- "reference_id": "AC-K8-NS-PO-H-0170",
- "category": "Network Security",
- "version": 1
-}
\ No newline at end of file
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Do Not Use CAP_SYS_ADMIN Linux Capability",
+ "reference_id": "AC-K8-NS-PO-H-0170",
+ "category": "Infrastructure Security",
+ "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0122.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0122.json
old mode 100755
new mode 100644
index 43ba2432f..38c4a9726
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0122.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0122.json
@@ -1,14 +1,14 @@
 {
+ "name": "securityContextUsed",
+ "file": "securityContextUsed.rego",
+ "template_args": {
 "name": "securityContextUsed",
- "file": "securityContextUsed.rego",
- "template_args": {
- "name": "securityContextUsed",
- "prefix": "",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Apply Security Context to Your Pods and Containers",
- "reference_id": "AC-K8-NS-PO-M-0122",
- "category": "Network Security",
- "version": 1
-}
\ No newline at end of file
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Apply Security Context to Your Pods and Containers",
+ "reference_id": "AC-K8-NS-PO-M-0122",
+ "category": "Infrastructure Security",
+ "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0133.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0133.json
old mode 100755
new mode 100644
index 804a12ed4..f175fe826
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0133.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0133.json
@@ -1,14 +1,14 @@
 {
+ "name": "imageWithoutDigest",
+ "file": "imageWithoutDigest.rego",
+ "template_args": {
 "name": "imageWithoutDigest",
- "file": "imageWithoutDigest.rego",
- "template_args": {
- "name": "imageWithoutDigest",
- "prefix": "",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Image without digest affects the integrity principle of image security",
- "reference_id": "AC-K8-NS-PO-M-0133",
- "category": "Network Security",
- "version": 1
-}
\ No newline at end of file
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Image without digest affects the integrity principle of image security",
+ "reference_id": "AC-K8-NS-PO-M-0133",
+ "category": "Infrastructure Security",
+ "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0163.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0163.json
old mode 100755
new mode 100644
index e96b364da..e7c09301f
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0163.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0163.json
@@ -1,16 +1,16 @@
 {
+ "name": "falseHostIPC",
+ "file": "specBoolCheck.rego",
+ "template_args": {
 "name": "falseHostIPC",
- "file": "specBoolCheck.rego",
- "template_args": {
- "name": "falseHostIPC",
- "param": "hostIPC",
- "prefix": "",
- "suffix": "",
- "value": "true"
- },
- "severity": "MEDIUM",
- "description": "Containers Should Not Share Host IPC Namespace",
- "reference_id": "AC-K8-NS-PO-M-0163",
- "category": "Network Security",
- "version": 1
-}
\ No newline at end of file
+ "param": "hostIPC",
+ "prefix": "",
+ "suffix": "",
+ "value": "true"
+ },
+ "severity": "MEDIUM",
+ "description": "Containers Should Not Share Host IPC Namespace",
+ "reference_id": "AC-K8-NS-PO-M-0163",
+ "category": "Infrastructure Security",
+ "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0164.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0164.json
old mode 100755
new mode 100644
index 5c893ce0b..26ac119cc
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0164.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0164.json
@@ -1,16 +1,16 @@
 {
+ "name": "falseHostNetwork",
+ "file": "specBoolCheck.rego",
+ "template_args": {
 "name": "falseHostNetwork",
- "file": "specBoolCheck.rego",
- "template_args": {
- "name": "falseHostNetwork",
- "param": "hostNetwork",
- "prefix": "",
- "suffix": "",
- "value": "true"
- },
- "severity": "MEDIUM",
- "description": "Containers Should Not Share the Host Network Namespace",
- "reference_id": "AC-K8-NS-PO-M-0164",
- "category": "Network Security",
- "version": 1
-}
\ No newline at end of file
+ "param": "hostNetwork",
+ "prefix": "",
+ "suffix": "",
+ "value": "true"
+ },
+ "severity": "MEDIUM",
+ "description": "Containers Should Not Share the Host Network Namespace",
+ "reference_id": "AC-K8-NS-PO-M-0164",
+ "category": "Infrastructure Security",
+ "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0171.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0171.json
old mode 100755
new mode 100644
index df493d82c..551d7d54e
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0171.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0171.json
@@ -1,17 +1,17 @@
 {
+ "name": "dontConnectDockerSock",
+ "file": "dockerSockCheck.rego",
+ "template_args": {
+ "attrib": "spec.volumes[_].hostPath",
 "name": "dontConnectDockerSock",
- "file": "dockerSockCheck.rego",
- "template_args": {
- "attrib": "spec.volumes[_].hostPath",
- "name": "dontConnectDockerSock",
- "param": "path",
- "prefix": "",
- "suffix": "",
- "value": "/var/run/docker"
- },
- "severity": "MEDIUM",
- "description": "Restrict Mounting Docker Socket in a Container",
- "reference_id": "AC-K8-NS-PO-M-0171",
- "category": "Network Security",
- "version": 1
-}
\ No newline at end of file
+ "param": "path",
+ "prefix": "",
+ "suffix": "",
+ "value": "/var/run/docker"
+ },
+ "severity": "MEDIUM",
+ "description": "Restrict Mounting Docker Socket in a Container",
+ "reference_id": "AC-K8-NS-PO-M-0171",
+ "category": "Infrastructure Security",
+ "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0182.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0182.json
old mode 100755
new mode 100644
index 224310674..62022693a
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0182.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0182.json
@@ -1,14 +1,14 @@
 {
+ "name": "containersAsHighUID",
+ "file": "containersAsHighUID.rego",
+ "template_args": {
 "name": "containersAsHighUID",
- "file": "containersAsHighUID.rego",
- "template_args": {
- "name": "containersAsHighUID",
- "prefix": "",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Containers Should Run as a High UID to Avoid Host Conflict",
- "reference_id": "AC-K8-NS-PO-M-0182",
- "category": "Network Security",
- "version": 1
-}
\ No newline at end of file
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Containers Should Run as a High UID to Avoid Host Conflict",
+ "reference_id": "AC-K8-NS-PO-M-0182",
+ "category": "Infrastructure Security",
+ "version": 1
+}
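Review bot: `"value": "/var/run/docker"` on the new side of the dontConnectDockerSock hunk is a prefix of the socket path rather than the path itself, so whether this rule ever fires depends on dockerSockCheck.rego doing prefix or substring matching on `spec.volumes[_].hostPath.path`; with an equality compare the check would be silently inert. The template is outside this diff, so this is inferred, and the commit only re-indents and re-categorises the file. A fixture in the policy tests with a hostPath of `/var/run/docker.sock` would pin the intended matching either way.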
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0034.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0034.json
old mode 100755
new mode 100644
index 6340d311e..3ada13de5
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0034.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0034.json
@@ -1,19 +1,19 @@
 {
+ "name": "alwaysPullImages",
+ "file": "commandCheck.rego",
+ "template_args": {
+ "argument": "--enable-admission-plugins",
 "name": "alwaysPullImages",
- "file": "commandCheck.rego",
- "template_args": {
- "argument": "--enable-admission-plugins",
- "name": "alwaysPullImages",
- "negation": "",
- "optional": "",
- "param": "AlwaysPullImages",
- "prefix": "",
- "presence": "not",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "AlwaysPullImages plugin is not set",
- "reference_id": "AC-K8-OE-PK-M-0034",
- "category": "Operational Efficiency",
- "version": 1
-}
\ No newline at end of file
+ "negation": "",
+ "optional": "",
+ "param": "AlwaysPullImages",
+ "prefix": "",
+ "presence": "not",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "AlwaysPullImages plugin is not set",
+ "reference_id": "AC-K8-OE-PK-M-0034",
+ "category": "Compliance Validation",
+ "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0155.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0155.json
old mode 100755
new mode 100644
index aebef8612..909e35975
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0155.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0155.json
@@ -1,21 +1,21 @@
 {
+ "name": "CpuRequestsCheck",
+ "file": "securityContextCheck.rego",
+ "template_args": {
+ "allowed": "true",
+ "arg1": "requests",
+ "arg2": "cpu",
 "name": "CpuRequestsCheck",
- "file": "securityContextCheck.rego",
- "template_args": {
- "allowed": "true",
- "arg1": "requests",
- "arg2": "cpu",
- "name": "CpuRequestsCheck",
- "not_allowed": "false",
- "param": "resources",
- "param1": "resources",
- "prefix": "",
- "suffix": "",
- "value": "false"
- },
- "severity": "Medium",
- "description": "CPU Request Not Set in config file.",
- "reference_id": "AC-K8-OE-PK-M-0155",
- "category": "Operational Efficiency",
- "version": 1
-}
\ No newline at end of file
+ "not_allowed": "false",
+ "param": "resources",
+ "param1": "resources",
+ "prefix": "",
+ "suffix": "",
+ "value": "false"
+ },
+ "severity": "Medium",
+ "description": "CPU Request Not Set in config file.",
+ "reference_id": "AC-K8-OE-PK-M-0155",
+ "category": "Security Best Practices",
+ "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0156.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0156.json
old mode 100755
new mode 100644
index c74835c6e..507873081
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0156.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0156.json
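Review bot: `"severity": "Medium"` on the new side of this hunk is the only mixed-case severity in the diff; every other file uses `"HIGH"`, `"MEDIUM"` or `"LOW"`, and the id's `-M-` segment suggests the same value was intended here. A consumer that filters or ranks severities case-sensitively would drop or mis-rank these checks, and since the commit already rewrites the line it is the natural place to fix it. Change it to `"severity": "MEDIUM",` here and in AC-K8-OE-PK-M-0156, -0157 and -0158, which carry the same value.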
@@ -1,21 +1,21 @@
 {
+ "name": "CpulimitsCheck",
+ "file": "securityContextCheck.rego",
+ "template_args": {
+ "allowed": "true",
+ "arg1": "limits",
+ "arg2": "cpu",
 "name": "CpulimitsCheck",
- "file": "securityContextCheck.rego",
- "template_args": {
- "allowed": "true",
- "arg1": "limits",
- "arg2": "cpu",
- "name": "CpulimitsCheck",
- "not_allowed": "false",
- "param": "limits",
- "param1": "resources",
- "prefix": "",
- "suffix": "",
- "value": "false"
- },
- "severity": "Medium",
- "description": "CPU Limits Not Set in config file.",
- "reference_id": "AC-K8-OE-PK-M-0156",
- "category": "Operational Efficiency",
- "version": 1
-}
\ No newline at end of file
+ "not_allowed": "false",
+ "param": "limits",
+ "param1": "resources",
+ "prefix": "",
+ "suffix": "",
+ "value": "false"
+ },
+ "severity": "Medium",
+ "description": "CPU Limits Not Set in config file.",
+ "reference_id": "AC-K8-OE-PK-M-0156",
+ "category": "Security Best Practices",
+ "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0157.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0157.json
old mode 100755
new mode 100644
index 691b58895..92c2c931e
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0157.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0157.json
@@ -1,21 +1,21 @@
 {
+ "name": "MemoryRequestsCheck",
+ "file": "securityContextCheck.rego",
+ "template_args": {
+ "allowed": "true",
+ "arg1": "requests",
+ "arg2": "memory",
 "name": "MemoryRequestsCheck",
- "file": "securityContextCheck.rego",
- "template_args": {
- "allowed": "true",
- "arg1": "requests",
- "arg2": "memory",
- "name": "MemoryRequestsCheck",
- "not_allowed": "false",
- "param": "resources",
- "param1": "resources",
- "prefix": "",
- "suffix": "",
- "value": "false"
- },
- "severity": "Medium",
- "description": "Memory Request Not Set in config file.",
- "reference_id": "AC-K8-OE-PK-M-0157",
- "category": "Operational Efficiency",
- "version": 1
-}
\ No newline at end of file
+ "not_allowed": "false",
+ "param": "resources",
+ "param1": "resources",
+ "prefix": "",
+ "suffix": "",
+ "value": "false"
+ },
+ "severity": "Medium",
+ "description": "Memory Request Not Set in config file.",
+ "reference_id": "AC-K8-OE-PK-M-0157",
+ "category": "Security Best Practices",
+ "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0158.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0158.json
old mode 100755
new mode 100644
index 7ab678c76..bcf31c7e0
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0158.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0158.json
@@ -1,21 +1,21 @@
 {
+ "name": "MemorylimitsCheck",
+ "file": "securityContextCheck.rego",
+ "template_args": {
+ "allowed": "true",
+ "arg1": "limits",
+ "arg2": "memory",
 "name": "MemorylimitsCheck",
- "file": "securityContextCheck.rego",
- "template_args": {
- "allowed": "true",
- "arg1": "limits",
- "arg2": "memory",
- "name": "MemorylimitsCheck",
- "not_allowed": "false",
- "param": "limits",
- "param1": "resources",
- "prefix": "",
- "suffix": "",
- "value": "false"
- },
- "severity": "Medium",
- "description": "Memory Limits Not Set in config file.",
- "reference_id": "AC-K8-OE-PK-M-0158",
- "category": "Operational Efficiency",
- "version": 1
-}
\ No newline at end of file
+ "not_allowed": "false",
+ "param": "limits",
+ "param1": "resources",
+ "prefix": "",
+ "suffix": "",
+ "value": "false"
+ },
+ "severity": "Medium",
+ "description": "Memory Limits Not Set in config file.",
+ "reference_id": "AC-K8-OE-PK-M-0158",
+ "category": "Security Best Practices",
+ "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0129.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0129.json
old mode 100755
new mode 100644
index 9ce09380f..9e00c33ef
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0129.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0129.json
@@ -1,16 +1,16 @@
 {
+ "name": "nolivenessProbe",
+ "file": "probeCheck.rego",
+ "template_args": {
+ "argument": "livenessProbe",
+ "argumentTF": "liveness_probe",
 "name": "nolivenessProbe",
- "file": "probeCheck.rego",
- "template_args": {
- "argument": "livenessProbe",
- "argumentTF": "liveness_probe",
- "name": "nolivenessProbe",
- "prefix": "",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "No liveness probe will ensure there is no recovery in case of unexpected errors",
- "reference_id": "AC-K8-OE-PO-L-0129",
- "category": "Operational Efficiency",
- "version": 1
-}
\ No newline at end of file
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "No liveness probe will ensure there is no recovery in case of unexpected errors",
+ "reference_id": "AC-K8-OE-PO-L-0129",
+ "category": "Security Best Practices",
+ "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0130.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0130.json
old mode 100755
new mode 100644
index a0e4058fd..9bc818a4c
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0130.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0130.json
@@ -1,16 +1,16 @@
 {
+ "name": "noReadinessProbe",
+ "file": "probeCheck.rego",
+ "template_args": {
+ "argument": "readinessProbe",
+ "argumentTF": "readiness_probe",
 "name": "noReadinessProbe",
- "file": "probeCheck.rego",
- "template_args": {
- "argument": "readinessProbe",
- "argumentTF": "readiness_probe",
- "name": "noReadinessProbe",
- "prefix": "",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "No readiness probe will affect automatic recovery in case of unexpected errors",
- "reference_id": "AC-K8-OE-PO-L-0130",
- "category": "Operational Efficiency",
- "version": 1
-}
\ No newline at end of file
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "No readiness probe will affect automatic recovery in case of unexpected errors",
+ "reference_id": "AC-K8-OE-PO-L-0130",
+ "category": "Security Best Practices",
+ "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0134.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0134.json
old mode 100755
new mode 100644
index 83eec4e4d..ce4baf67e
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0134.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0134.json
@@ -1,14 +1,14 @@
 {
+ "name": "imageWithLatestTag",
+ "file": "imageWithLatestTag.rego",
+ "template_args": {
 "name": "imageWithLatestTag",
- "file": "imageWithLatestTag.rego",
- "template_args": {
- "name": "imageWithLatestTag",
- "prefix": "",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "No tag or container image with :Latest tag makes difficult to rollback and track",
- "reference_id": "AC-K8-OE-PO-L-0134",
- "category": "Operational Efficiency",
- "version": 1
-}
\ No newline at end of file
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "No tag or container image with :Latest tag makes difficult to rollback and track",
+ "reference_id": "AC-K8-OE-PO-L-0134",
+ "category": "Security Best Practices",
+ "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-M-0166.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-M-0166.json
old mode 100755
new mode 100644
index 6e0c8fd97..4c48ca2f7
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-M-0166.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-M-0166.json
@@ -1,14 +1,14 @@
 {
+ "name": "otherNamespace",
+ "file": "otherNamespace.rego",
+ "template_args": {
 "name": "otherNamespace",
- "file": "otherNamespace.rego",
- "template_args": {
- "name": "otherNamespace",
- "prefix": "",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Default Namespace Should Not be Used",
- "reference_id": "AC-K8-OE-PO-M-0166",
- "category": "Operational Efficiency",
- "version": 1
-}
\ No newline at end of file
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Default Namespace Should Not be Used",
+ "reference_id": "AC-K8-OE-PO-M-0166",
+ "category": "Security Best Practices",
+ "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SE-M-0185.json b/pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SE-M-0185.json
old mode 100755
new mode 100644
index aa41b50a5..88ae06715
--- a/pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SE-M-0185.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SE-M-0185.json
@@ -1,14 +1,14 @@
 {
+ "name": "tillerServiceDeleted",
+ "file": "tillerServiceDeleted.rego",
+ "template_args": {
 "name": "tillerServiceDeleted",
- "file": "tillerServiceDeleted.rego",
- "template_args": {
- "name": "tillerServiceDeleted",
- "prefix": "",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure that the Tiller Service (Helm v2) is deleted",
- "reference_id": "AC-K8-NS-SE-M-0185",
- "category": "Network Security",
- "version": 1
-}
\ No newline at end of file
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure that the Tiller Service (Helm v2) is deleted",
+ "reference_id": "AC-K8-NS-SE-M-0185",
+ "category": "Infrastructure Security",
+ "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SE-M-0188.json b/pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SE-M-0188.json
old mode 100755
new mode 100644
index bb063812d..7eaa8c48d
--- a/pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SE-M-0188.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SE-M-0188.json
@@ -1,14 +1,14 @@
 {
+ "name": "ensurePrivateIP",
+ "file": "ensurePrivateIP.rego",
+ "template_args": {
 "name": "ensurePrivateIP",
- "file": "ensurePrivateIP.rego",
- "template_args": {
- "name": "ensurePrivateIP",
- "prefix": "",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Restrict the use of externalIPs",
- "reference_id": "AC-K8-NS-SE-M-0188",
- "category": "Network Security",
- "version": 1
-}
\ No newline at end of file
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Restrict the use of externalIPs",
+ "reference_id": "AC-K8-NS-SE-M-0188",
+ "category": "Infrastructure Security",
+ "version": 1
+}
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SV-L-0132.json b/pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SV-L-0132.json
old mode 100755
new mode 100644
index ac5daf9e4..e9e028b4d
--- a/pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SV-L-0132.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_service/AC-K8-NS-SV-L-0132.json
@@ -1,14 +1,14 @@
 {
+ "name": "nodePort",
+ "file": "nodePort.rego",
+ "template_args": {
 "name": "nodePort",
- "file": "nodePort.rego",
- "template_args": {
- "name": "nodePort",
- "prefix": "",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Nodeport service can expose the worker nodes as they have public interface",
- "reference_id": "AC-K8-NS-SV-L-0132",
- "category": "Network Security",
- "version": 1
-}
\ No newline at end of file
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Nodeport service can expose the worker nodes as they have public interface",
+ "reference_id": "AC-K8-NS-SV-L-0132",
+ "category": "Infrastructure Security",
+ "version": 1
+}