Skip to content

Commit

Permalink
Merge pull request #86 from nikpivkin/fix-ksv001
Browse files Browse the repository at this point in the history
fix(kubernetes): fix the KSV001 check
  • Loading branch information
simar7 authored Mar 1, 2024
2 parents 0c4cf07 + fadec94 commit 0935e1e
Show file tree
Hide file tree
Showing 2 changed files with 32 additions and 2 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -42,9 +42,8 @@ getNoPrivilegeEscalationContainers[container] {
# getPrivilegeEscalationContainers returns the names of all containers which have
# securityContext.allowPrivilegeEscalation set to true or not set.
getPrivilegeEscalationContainers[container] {
containerName := kubernetes.containers[_].name
not getNoPrivilegeEscalationContainers[containerName]
container := kubernetes.containers[_]
not getNoPrivilegeEscalationContainers[container.name]
}

deny[res] {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -60,3 +60,34 @@ test_allow_privilege_escalation_set_to_true_denied {
count(r) == 1
r[_].msg == "Container 'hello' of Pod 'hello-privilege-escalation' should set 'securityContext.allowPrivilegeEscalation' to false"
}

test_allow_privilege_escalation_multiple_containers {
r := deny with input as {
"apiVersion": "v1",
"kind": "Pod",
"metadata": {"name": "hello-privilege-escalation"},
"spec": {"containers": [
{
"command": [
"sh",
"-c",
"echo 'Hello' && sleep 1h",
],
"image": "busybox",
"name": "hello",
"securityContext": {"allowPrivilegeEscalation": true},
},
{
"command": [
"sh",
"-c",
"echo 'Hello' && sleep 1h",
],
"image": "busybox",
"name": "hello2",
"securityContext": {"allowPrivilegeEscalation": false},
},
]},
}
count(r) == 1
}

0 comments on commit 0935e1e

Please sign in to comment.