-
Notifications
You must be signed in to change notification settings - Fork 33
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: gatekeeper repo ambiguous prefix
- Loading branch information
Showing
2 changed files
with
111 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| # METADATA | ||
| # title: Gatekeeper repo reference is ambiguously open-ended | ||
| # description: A Gatekeeper policy that references image repositories for prefix-matching is using open-ended and ambiguous pattern, and can potentially match unintended repositories. | ||
| # schemas: | ||
| # - input: schema["kubernetes"] | ||
| # custom: | ||
| # id: KSV-0124 | ||
| # avdid: AVD-KSV-0124 | ||
| # severity: HIGH | ||
| package builtin.kubernetes.KSV0124 | ||
| import rego.v1 | ||
|
|
||
| relevan_resource if { | ||
| input.apiVersion == "constraints.gatekeeper.sh/v1beta1" | ||
| input.kind == "K8sAllowedRepos" | ||
| } | ||
|
|
||
| deny contains res if { | ||
| relevan_resource | ||
| some repo in input.spec.parameters.repos | ||
| not contains(repo,"/") | ||
| not contains(repo,":") | ||
| res := result.new( | ||
| "open-ended repository reference in prefix match", | ||
| repo | ||
| ) | ||
| } | ||
|
|
||
| deny contains res if { | ||
| relevan_resource | ||
| some repo in input.spec.parameters.repos | ||
| parts:=split(repo,"/") | ||
| parts[0] == "docker.io" | ||
| count(parts) <= 2 | ||
| res := result.new( | ||
| "open-ended repository reference in prefix match", | ||
| repo | ||
| ) | ||
| } | ||
|
|
||
|
|
70 changes: 70 additions & 0 deletions
70
checks/kubernetes/gatekeeper/repo_ambiguous_prefix_test.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,70 @@ | ||
| package builtin.kubernetes.TBD001 | ||
|
|
||
| import rego.v1 | ||
|
|
||
| bad_repos := { | ||
| "myregistry.io", # circumvented by: myregistry.io.attacker.com | ||
| "myusername", # circumvented by: myusernameattacker | ||
| "ubuntu", # circumvented by: ubuntu.attacker.com/evil, ubuntuevil | ||
| "docker.io/ubuntu", # circumvented by: docker.io/ubuntuattacker/evil | ||
| } | ||
|
|
||
| good_repos := { | ||
| "myregistry.azurecr.io/", | ||
| "myusername/", | ||
| "myimage:", | ||
| "docker.io/library/ubuntu", | ||
| } | ||
|
|
||
| test_bad_repos if { | ||
| cases := [ | ||
| { | ||
| "apiVersion": "constraints.gatekeeper.sh/v1beta1", | ||
| "kind": "K8sAllowedRepos", | ||
| "metadata": {"name": "allowedrepos"}, | ||
| "spec": { | ||
| "match": { | ||
| "kinds": [{ | ||
| "apiGroups": [""], | ||
| "kinds": ["Pod"], | ||
| }], | ||
| "namespaces": ["default"], | ||
| }, | ||
| "parameters": {"repos": [repo]}, | ||
| }, | ||
| } | | ||
| some repo in bad_repos | ||
| ] | ||
| every case in cases { | ||
| r := deny with input as case | ||
| count(r) > 0 | ||
| } | ||
| } | ||
|
|
||
| test_good_repos if { | ||
| cases := [ | ||
| { | ||
| "apiVersion": "constraints.gatekeeper.sh/v1beta1", | ||
| "kind": "K8sAllowedRepos", | ||
| "metadata": {"name": "allowedrepos"}, | ||
| "spec": { | ||
| "match": { | ||
| "kinds": [{ | ||
| "apiGroups": [""], | ||
| "kinds": ["Pod"], | ||
| }], | ||
| "namespaces": ["default"], | ||
| }, | ||
| "parameters": {"repos": [repo]}, | ||
| }, | ||
| } | | ||
| some repo in good_repos | ||
| ] | ||
|
|
||
| every case in cases { | ||
| r := deny with input as case | ||
| count(r) == 0 | ||
| } | ||
| } | ||
|
|
||
|
|