diff --git a/checks/docker/add_instead_of_copy.rego b/checks/docker/add_instead_of_copy.rego index c7de94d6..6df1cfbc 100644 --- a/checks/docker/add_instead_of_copy.rego +++ b/checks/docker/add_instead_of_copy.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/add_instead_of_copy.yaml package builtin.dockerfile.DS005 import rego.v1 diff --git a/checks/docker/add_instead_of_copy.yaml b/checks/docker/add_instead_of_copy.yaml new file mode 100644 index 00000000..adab27b6 --- /dev/null +++ b/checks/docker/add_instead_of_copy.yaml @@ -0,0 +1,12 @@ +dockerfile: + good: + - |- + FROM alpine:3.13 + USER mike + ADD "/target/resources.tar.gz" "resources" + bad: + - |- + FROM alpine:3.13 + USER mike + ADD "/target/resources.tar.gz" "resources.jar" + ADD "/target/app.jar" "app.jar" diff --git a/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.rego b/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.rego index 0bff59bc..9309caca 100644 --- a/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.rego +++ b/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.rego @@ -16,6 +16,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.yaml package builtin.dockerfile.DS021 import rego.v1 diff --git a/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.yaml b/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.yaml new file mode 100644 index 00000000..f49d6a45 --- /dev/null +++ b/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.yaml @@ -0,0 +1,11 @@ +dockerfile: + good: + - |- + FROM node:12 + USER mike + RUN apt-get -fmy install apt-utils && apt-get clean + bad: + - |- + FROM node:12 + USER mike + RUN apt-get install apt-utils && apt-get clean diff --git a/checks/docker/copy_from_references_current_from_alias.rego b/checks/docker/copy_from_references_current_from_alias.rego index b8a5f1af..d9c7dfe0 100644 
--- a/checks/docker/copy_from_references_current_from_alias.rego +++ b/checks/docker/copy_from_references_current_from_alias.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/copy_from_references_current_from_alias.yaml package builtin.dockerfile.DS006 import rego.v1 diff --git a/checks/docker/copy_from_references_current_from_alias.yaml b/checks/docker/copy_from_references_current_from_alias.yaml new file mode 100644 index 00000000..78a25bc5 --- /dev/null +++ b/checks/docker/copy_from_references_current_from_alias.yaml @@ -0,0 +1,17 @@ +dockerfile: + good: + - |- + FROM golang:1.7.3 as dep + COPY /binary / + + FROM alpine:3.13 + USER mike + ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] + bad: + - |- + FROM golang:1.7.3 as dep + COPY --from=dep /binary / + + FROM alpine:3.13 + USER mike + ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] diff --git a/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.rego b/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.rego index dab239b6..d946ee99 100644 --- a/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.rego +++ b/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.yaml package builtin.dockerfile.DS011 import rego.v1 diff --git a/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.yaml b/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.yaml new file mode 100644 index 00000000..9833de32 --- /dev/null +++ b/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.yaml @@ -0,0 +1,11 @@ +dockerfile: + good: + - |- + FROM alpine:3.13 + USER mike + COPY ["package.json", "yarn.lock", "myapp/"] + bad: + - |- + FROM alpine:3.13 + USER mike + COPY ["package.json", "yarn.lock", "myapp"] 
diff --git a/checks/docker/latest_tag.rego b/checks/docker/latest_tag.rego index c0179af5..ed8fbea9 100644 --- a/checks/docker/latest_tag.rego +++ b/checks/docker/latest_tag.rego @@ -13,6 +13,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/latest_tag.yaml package builtin.dockerfile.DS001 import rego.v1 diff --git a/checks/docker/latest_tag.yaml b/checks/docker/latest_tag.yaml new file mode 100644 index 00000000..af254a3c --- /dev/null +++ b/checks/docker/latest_tag.yaml @@ -0,0 +1,11 @@ +dockerfile: + good: + - |- + FROM debian:9 + RUN apt-get update && apt-get -y install vim && apt-get clean + USER foo + bad: + - |- + FROM debian:latest + RUN apt-get update && apt-get -y install vim && apt-get clean + USER foo diff --git a/checks/docker/maintainer_is_deprecated.rego b/checks/docker/maintainer_is_deprecated.rego index a294dd5d..4d9a35ee 100644 --- a/checks/docker/maintainer_is_deprecated.rego +++ b/checks/docker/maintainer_is_deprecated.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/maintainer_is_deprecated.yaml package builtin.dockerfile.DS022 import rego.v1 diff --git a/checks/docker/maintainer_is_deprecated.yaml b/checks/docker/maintainer_is_deprecated.yaml new file mode 100644 index 00000000..4b1dcc35 --- /dev/null +++ b/checks/docker/maintainer_is_deprecated.yaml @@ -0,0 +1,10 @@ +dockerfile: + good: + - |- + FROM busybox:1.33.1 + USER mike + bad: + - |- + FROM busybox:1.33.1 + USER mike + MAINTAINER Lukas Martinelli diff --git a/checks/docker/missing_dnf_clean_all.rego b/checks/docker/missing_dnf_clean_all.rego index d0420982..d5e77d37 100644 --- a/checks/docker/missing_dnf_clean_all.rego +++ b/checks/docker/missing_dnf_clean_all.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/missing_dnf_clean_all.yaml package builtin.dockerfile.DS019 import rego.v1 
diff --git a/checks/docker/missing_dnf_clean_all.yaml b/checks/docker/missing_dnf_clean_all.yaml new file mode 100644 index 00000000..a62fd7b2 --- /dev/null +++ b/checks/docker/missing_dnf_clean_all.yaml @@ -0,0 +1,13 @@ +dockerfile: + good: + - |- + FROM fedora:27 + USER mike + RUN set -uex && dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && sed -i 's/\\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && dnf install -vy docker-ce && dnf clean all + HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1 + bad: + - |- + FROM fedora:27 + USER mike + RUN set -uex && dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && sed -i 's/\\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && dnf install -vy docker-ce + HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1 diff --git a/checks/docker/missing_zypper_clean.rego b/checks/docker/missing_zypper_clean.rego index 5947713f..a0a4ca75 100644 --- a/checks/docker/missing_zypper_clean.rego +++ b/checks/docker/missing_zypper_clean.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/missing_zypper_clean.yaml package builtin.dockerfile.DS020 import rego.v1 diff --git a/checks/docker/missing_zypper_clean.yaml b/checks/docker/missing_zypper_clean.yaml new file mode 100644 index 00000000..73d5f292 --- /dev/null +++ b/checks/docker/missing_zypper_clean.yaml @@ -0,0 +1,15 @@ +dockerfile: + good: + - |- + FROM alpine:3.5 + RUN zypper install bash && zypper clean + RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt + USER mike + CMD python /usr/src/app/app.py + bad: + - |- + FROM alpine:3.5 + RUN zypper install bash + RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt + USER mike + CMD python /usr/src/app/app.py diff --git a/checks/docker/multiple_cmd_instructions_listed.rego b/checks/docker/multiple_cmd_instructions_listed.rego index ac6dd8e4..267f45ef 100644 
--- a/checks/docker/multiple_cmd_instructions_listed.rego +++ b/checks/docker/multiple_cmd_instructions_listed.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/multiple_cmd_instructions_listed.yaml package builtin.dockerfile.DS016 import rego.v1 diff --git a/checks/docker/multiple_cmd_instructions_listed.yaml b/checks/docker/multiple_cmd_instructions_listed.yaml new file mode 100644 index 00000000..2447b40e --- /dev/null +++ b/checks/docker/multiple_cmd_instructions_listed.yaml @@ -0,0 +1,16 @@ +dockerfile: + good: + - |- + FROM golang:1.7.3 + USER mike + CMD ./apps + FROM alpine:3.13 + CMD ./app + bad: + - |- + FROM golang:1.7.3 + USER mike + CMD ./app + CMD ./apps + FROM alpine:3.13 + CMD ./app diff --git a/checks/docker/multiple_entrypoint_instructions_listed.rego b/checks/docker/multiple_entrypoint_instructions_listed.rego index 1a6f88e4..73ac46e6 100644 --- a/checks/docker/multiple_entrypoint_instructions_listed.rego +++ b/checks/docker/multiple_entrypoint_instructions_listed.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/multiple_entrypoint_instructions_listed.yaml package builtin.dockerfile.DS007 import rego.v1 diff --git a/checks/docker/multiple_entrypoint_instructions_listed.yaml b/checks/docker/multiple_entrypoint_instructions_listed.yaml new file mode 100644 index 00000000..e8f5e665 --- /dev/null +++ b/checks/docker/multiple_entrypoint_instructions_listed.yaml @@ -0,0 +1,19 @@ +dockerfile: + good: + - |- + FROM golang:1.7.3 as dep + COPY /binary / + + FROM alpine:3.13 + USER mike + ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] + bad: + - |- + FROM golang:1.7.3 as dep + COPY dep /binary / + ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] + ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] + + FROM alpine:3.13 + USER mike + ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] 
diff --git a/checks/docker/multiple_healthcheck_instructions.rego b/checks/docker/multiple_healthcheck_instructions.rego index 90d197f9..3b67bb4c 100644 --- a/checks/docker/multiple_healthcheck_instructions.rego +++ b/checks/docker/multiple_healthcheck_instructions.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/multiple_healthcheck_instructions.yaml package builtin.dockerfile.DS023 import rego.v1 diff --git a/checks/docker/multiple_healthcheck_instructions.yaml b/checks/docker/multiple_healthcheck_instructions.yaml new file mode 100644 index 00000000..978f6ff6 --- /dev/null +++ b/checks/docker/multiple_healthcheck_instructions.yaml @@ -0,0 +1,20 @@ +dockerfile: + good: + - |- + FROM busybox:1.33.1 + HEALTHCHECK CMD /bin/healthcheck + + FROM alpine:3.13 + HEALTHCHECK CMD /bin/healthcheck + USER mike + CMD ./app + bad: + - |- + FROM busybox:1.33.1 + HEALTHCHECK CMD curl http://localhost:8080 + HEALTHCHECK CMD /bin/healthcheck + + FROM alpine:3.13 + HEALTHCHECK CMD /bin/healthcheck + USER mike + CMD ./app diff --git a/checks/docker/port22.rego b/checks/docker/port22.rego index 9e89e5df..b9291c2b 100644 --- a/checks/docker/port22.rego +++ b/checks/docker/port22.rego @@ -13,6 +13,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/port22.yaml package builtin.dockerfile.DS004 import rego.v1 diff --git a/checks/docker/port22.yaml b/checks/docker/port22.yaml new file mode 100644 index 00000000..14fdd880 --- /dev/null +++ b/checks/docker/port22.yaml @@ -0,0 +1,11 @@ +dockerfile: + good: + - |- + FROM alpine:3.13 + USER mike + EXPOSE 8080 + bad: + - |- + FROM alpine:3.13 + USER mike + EXPOSE 22 diff --git a/checks/docker/root_user.rego b/checks/docker/root_user.rego index 0392d863..7231ba46 100644 --- a/checks/docker/root_user.rego +++ b/checks/docker/root_user.rego 
@@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/root_user.yaml package builtin.dockerfile.DS002 import rego.v1 diff --git a/checks/docker/root_user.yaml b/checks/docker/root_user.yaml new file mode 100644 index 00000000..92fa0ff2 --- /dev/null +++ b/checks/docker/root_user.yaml @@ -0,0 +1,10 @@ +dockerfile: + good: + - |- + FROM debian:9 + RUN apt-get update && apt-get -y install vim && apt-get clean + USER foo + bad: + - |- + FROM debian:9 + RUN apt-get update && apt-get -y install vim && apt-get clean diff --git a/checks/docker/run_apt_get_dist_upgrade.rego b/checks/docker/run_apt_get_dist_upgrade.rego index 9fd251fd..2e72a08e 100644 --- a/checks/docker/run_apt_get_dist_upgrade.rego +++ b/checks/docker/run_apt_get_dist_upgrade.rego @@ -14,6 +14,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/run_apt_get_dist_upgrade.yaml package builtin.dockerfile.DS024 import rego.v1 diff --git a/checks/docker/run_apt_get_dist_upgrade.yaml b/checks/docker/run_apt_get_dist_upgrade.yaml new file mode 100644 index 00000000..58b85c59 --- /dev/null +++ b/checks/docker/run_apt_get_dist_upgrade.yaml @@ -0,0 +1,13 @@ +dockerfile: + good: + - |- + FROM debian:9.13 + RUN apt-get update && apt-get install -y curl && apt-get clean + USER mike + CMD python /usr/src/app/app.py + bad: + - |- + FROM debian:9.13 + RUN apt-get update && apt-get dist-upgrade && apt-get -y install curl && apt-get clean + USER mike + CMD python /usr/src/app/app.py diff --git a/checks/docker/run_command_cd_instead_of_workdir.rego b/checks/docker/run_command_cd_instead_of_workdir.rego index f776c8fd..0c68d8f2 100644 --- a/checks/docker/run_command_cd_instead_of_workdir.rego +++ b/checks/docker/run_command_cd_instead_of_workdir.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/run_command_cd_instead_of_workdir.yaml package builtin.dockerfile.DS013 import rego.v1 
diff --git a/checks/docker/run_command_cd_instead_of_workdir.yaml b/checks/docker/run_command_cd_instead_of_workdir.yaml new file mode 100644 index 00000000..b96df1bc --- /dev/null +++ b/checks/docker/run_command_cd_instead_of_workdir.yaml @@ -0,0 +1,13 @@ +dockerfile: + good: + - |- + FROM nginx:2.2 + WORKDIR /usr/share/nginx/html + USER mike + CMD cd /usr/share/nginx/html && sed -e s/Docker/\"$AUTHOR\"/ Hello_docker.html > index.html ; nginx -g 'daemon off;' + bad: + - |- + FROM nginx:2.2 + RUN cd /usr/share/nginx/html + USER mike + CMD cd /usr/share/nginx/html && sed -e s/Docker/\"$AUTHOR\"/ Hello_docker.html > index.html ; nginx -g 'daemon off;' diff --git a/checks/docker/run_using_sudo.rego b/checks/docker/run_using_sudo.rego index c8edea64..fbbf0526 100644 --- a/checks/docker/run_using_sudo.rego +++ b/checks/docker/run_using_sudo.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/run_using_sudo.yaml package builtin.dockerfile.DS010 import rego.v1 diff --git a/checks/docker/run_using_sudo.yaml b/checks/docker/run_using_sudo.yaml new file mode 100644 index 00000000..01c45339 --- /dev/null +++ b/checks/docker/run_using_sudo.yaml @@ -0,0 +1,11 @@ +dockerfile: + good: + - |- + FROM alpine:3.13 + RUN pip install --upgrade pip + USER mike + bad: + - |- + FROM alpine:3.13 + RUN sudo pip install --upgrade pip + USER mike diff --git a/checks/docker/run_using_wget_and_curl.rego b/checks/docker/run_using_wget_and_curl.rego index 856b3140..4e6ea7c1 100644 --- a/checks/docker/run_using_wget_and_curl.rego +++ b/checks/docker/run_using_wget_and_curl.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/run_using_wget_and_curl.yaml package builtin.dockerfile.DS014 import rego.v1 diff --git a/checks/docker/run_using_wget_and_curl.yaml b/checks/docker/run_using_wget_and_curl.yaml new file mode 100644 index 00000000..50d317d2 --- /dev/null +++ b/checks/docker/run_using_wget_and_curl.yaml 
@@ -0,0 +1,19 @@ +dockerfile: + good: + - |- + FROM debian:stable-20210621 + RUN curl http://bing.com + RUN curl http://google.com + + FROM baseimage:1.0 + USER mike + RUN curl http://bing.com + bad: + - |- + FROM debian:stable-20210621 + RUN wget http://bing.com + RUN curl http://google.com + + FROM baseimage:1.0 + USER mike + RUN curl http://bing.com diff --git a/checks/docker/same_alias_in_different_froms.rego b/checks/docker/same_alias_in_different_froms.rego index 309761f6..d0c6e31f 100644 --- a/checks/docker/same_alias_in_different_froms.rego +++ b/checks/docker/same_alias_in_different_froms.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/same_alias_in_different_froms.yaml package builtin.dockerfile.DS012 import rego.v1 diff --git a/checks/docker/same_alias_in_different_froms.yaml b/checks/docker/same_alias_in_different_froms.yaml new file mode 100644 index 00000000..2449c00f --- /dev/null +++ b/checks/docker/same_alias_in_different_froms.yaml @@ -0,0 +1,25 @@ +dockerfile: + good: + - |- + FROM baseImage:1.1 + RUN test + + FROM debian:jesse2 as build2 + USER mike + RUN stuff + + FROM debian:jesse1 as build1 + USER mike + RUN more_stuff + bad: + - |- + FROM baseImage:1.1 + RUN test + + FROM debian:jesse2 as build + USER mike + RUN stuff + + FROM debian:jesse1 as build + USER mike + RUN more_stuff diff --git a/checks/docker/unix_ports_out_of_range.rego b/checks/docker/unix_ports_out_of_range.rego index 6e94994a..2ab4c968 100644 --- a/checks/docker/unix_ports_out_of_range.rego +++ b/checks/docker/unix_ports_out_of_range.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/unix_ports_out_of_range.yaml package builtin.dockerfile.DS008 import rego.v1 diff --git a/checks/docker/unix_ports_out_of_range.yaml b/checks/docker/unix_ports_out_of_range.yaml new file mode 100644 index 00000000..d6a20e25 --- /dev/null +++ b/checks/docker/unix_ports_out_of_range.yaml 
@@ -0,0 +1,11 @@ +dockerfile: + good: + - |- + FROM alpine:3.13 + USER mike + EXPOSE 65530 8080 + bad: + - |- + FROM alpine:3.13 + USER mike + EXPOSE 65536 8080 diff --git a/checks/docker/update_instruction_alone.rego b/checks/docker/update_instruction_alone.rego index 883b48c4..448911ce 100644 --- a/checks/docker/update_instruction_alone.rego +++ b/checks/docker/update_instruction_alone.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/update_instruction_alone.yaml package builtin.dockerfile.DS017 import rego.v1 diff --git a/checks/docker/update_instruction_alone.yaml b/checks/docker/update_instruction_alone.yaml new file mode 100644 index 00000000..60bed496 --- /dev/null +++ b/checks/docker/update_instruction_alone.yaml @@ -0,0 +1,14 @@ +dockerfile: + good: + - |- + FROM ubuntu:18.04 + RUN apt-get update && apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/* && apt-get clean + USER mike + ENTRYPOINT mysql + bad: + - |- + FROM ubuntu:18.04 + RUN apt-get update + RUN apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/* && apt-get clean + USER mike + ENTRYPOINT mysql diff --git a/checks/docker/workdir_path_not_absolute.rego b/checks/docker/workdir_path_not_absolute.rego index 45f73d2b..78ba7c68 100644 --- a/checks/docker/workdir_path_not_absolute.rego +++ b/checks/docker/workdir_path_not_absolute.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/workdir_path_not_absolute.yaml package builtin.dockerfile.DS009 import rego.v1 diff --git a/checks/docker/workdir_path_not_absolute.yaml b/checks/docker/workdir_path_not_absolute.yaml new file mode 100644 index 00000000..29f663fe --- /dev/null +++ b/checks/docker/workdir_path_not_absolute.yaml @@ -0,0 +1,11 @@ +dockerfile: + good: + - |- + FROM alpine:3.13 + USER mike + WORKDIR /path/to/workdir + bad: + - |- + FROM alpine:3.13 + USER mike + WORKDIR path/to/workdir 
diff --git a/checks/docker/yum_clean_all_missing.rego b/checks/docker/yum_clean_all_missing.rego index 0352bf95..4e1b4964 100644 --- a/checks/docker/yum_clean_all_missing.rego +++ b/checks/docker/yum_clean_all_missing.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/yum_clean_all_missing.yaml package builtin.dockerfile.DS015 import rego.v1 diff --git a/checks/docker/yum_clean_all_missing.yaml b/checks/docker/yum_clean_all_missing.yaml new file mode 100644 index 00000000..462fae7f --- /dev/null +++ b/checks/docker/yum_clean_all_missing.yaml @@ -0,0 +1,15 @@ +dockerfile: + good: + - |- + FROM alpine:3.5 + RUN yum install && yum clean all + RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt + USER mike + CMD python /usr/src/app/app.py + bad: + - |- + FROM alpine:3.5 + RUN yum install vim + RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt + USER mike + CMD python /usr/src/app/app.py diff --git a/checks/kubernetes/advanced/protect_core_components_namespace.rego b/checks/kubernetes/advanced/protect_core_components_namespace.rego index 225dc49e..8470d66d 100644 --- a/checks/kubernetes/advanced/protect_core_components_namespace.rego +++ b/checks/kubernetes/advanced/protect_core_components_namespace.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: kubernetes +# examples: checks/kubernetes/advanced/protect_core_components_namespace.yaml package builtin.kubernetes.KSV037 import rego.v1 diff --git a/checks/kubernetes/advanced/protect_core_components_namespace.yaml b/checks/kubernetes/advanced/protect_core_components_namespace.yaml new file mode 100644 index 00000000..69db1e90 --- /dev/null +++ b/checks/kubernetes/advanced/protect_core_components_namespace.yaml 
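Review bot: The `good` Dockerfile in yum_clean_all_missing.yaml runs `RUN yum install && yum clean all` with no package name, so the reference example is not a command that would succeed in a real build. Mirroring the bad entry with `RUN yum install vim && yum clean all` keeps the pair symmetric and the passing example runnable. Since `examples:` fixtures are also rendered as documentation, the good case should be something a reader can copy.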
@@ -0,0 +1,28 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + labels: + name: mypod + name: mypod + namespace: test + spec: + automountServiceAccountToken: true + containers: + - image: nginx + name: mypod + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + labels: + name: mypod + name: mypod + namespace: kube-system + spec: + containers: + - image: nginx + name: mypod diff --git a/checks/kubernetes/advanced/protecting_pod_service_account_tokens.rego b/checks/kubernetes/advanced/protecting_pod_service_account_tokens.rego index 1a01e541..c47fef17 100644 --- a/checks/kubernetes/advanced/protecting_pod_service_account_tokens.rego +++ b/checks/kubernetes/advanced/protecting_pod_service_account_tokens.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: kubernetes +# examples: checks/kubernetes/advanced/protecting_pod_service_account_tokens.yaml package builtin.kubernetes.KSV036 import rego.v1 diff --git a/checks/kubernetes/advanced/protecting_pod_service_account_tokens.yaml b/checks/kubernetes/advanced/protecting_pod_service_account_tokens.yaml new file mode 100644 index 00000000..c8bd592b --- /dev/null +++ b/checks/kubernetes/advanced/protecting_pod_service_account_tokens.yaml @@ -0,0 +1,14 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + labels: + name: mypod + name: mypod + namespace: test + spec: + containers: + - image: nginx + name: mypod diff --git a/checks/kubernetes/advanced/selector_usage_in_network_policies.rego b/checks/kubernetes/advanced/selector_usage_in_network_policies.rego index 431493c7..b521c6b3 100644 --- a/checks/kubernetes/advanced/selector_usage_in_network_policies.rego +++ b/checks/kubernetes/advanced/selector_usage_in_network_policies.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: kubernetes +# examples: checks/kubernetes/advanced/selector_usage_in_network_policies.yaml package builtin.kubernetes.KSV038 import rego.v1 
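Review bot: The `good` Pod in protect_core_components_namespace.yaml sets `automountServiceAccountToken: true`, which has nothing to do with the namespace check and is exactly the setting the sibling KSV036 check in this directory is about. Because `examples:` fixtures double as user-facing documentation, a passing example should not showcase a setting the project elsewhere treats as risky; dropping that line keeps the example focused on `namespace: test` versus `namespace: kube-system`. Whether the example harness runs other checks against the same fixture cannot be seen from this diff.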
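Review bot: protecting_pod_service_account_tokens.yaml contains only a `good` entry, so the new `examples:` reference for KSV036 carries no failing case and the deny path of the check is never exercised by its fixture. A `bad` Pod that mirrors the good one and adds `automountServiceAccountToken: true` under `spec` would pin the behaviour the check exists for. The good entry also passes by omitting the key rather than stating `automountServiceAccountToken: false`; the explicit form is the one worth documenting, since it is what readers should copy.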
diff --git a/checks/kubernetes/advanced/selector_usage_in_network_policies.yaml b/checks/kubernetes/advanced/selector_usage_in_network_policies.yaml new file mode 100644 index 00000000..c5bebdd2 --- /dev/null +++ b/checks/kubernetes/advanced/selector_usage_in_network_policies.yaml @@ -0,0 +1,19 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: NetworkPolicy + metadata: + name: hello-cpu-limit + spec: + podSelector: + matchLabels: + role: db + bad: + - |- + apiVersion: v1 + kind: NetworkPolicy + metadata: + name: hello-cpu-limit + spec: + something: true diff --git a/checks/kubernetes/general/CPU_not_limited.yaml b/checks/kubernetes/general/CPU_not_limited.yaml new file mode 100644 index 00000000..bda3e67d --- /dev/null +++ b/checks/kubernetes/general/CPU_not_limited.yaml @@ -0,0 +1,32 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + resources: + limits: + cpu: 500m + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello diff --git a/checks/kubernetes/general/CPU_requests_not_specified.yaml b/checks/kubernetes/general/CPU_requests_not_specified.yaml new file mode 100644 index 00000000..d7415254 --- /dev/null +++ b/checks/kubernetes/general/CPU_requests_not_specified.yaml @@ -0,0 +1,32 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + resources: + requests: + cpu: 250m + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello 
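Review bot: Both NetworkPolicy examples in selector_usage_in_network_policies.yaml use `apiVersion: v1`; NetworkPolicy is served under `networking.k8s.io/v1`, so the fixture does not reflect a manifest the API server would accept. The `bad` spec is also just `something: true`, a field that does not exist, so the failing case demonstrates a missing `podSelector` only through an invalid document; if the check is meant to catch an overly broad selector, `podSelector: {}` would be a more faithful example, but the rego body is not visible here. The `hello-cpu-limit` name looks like a copy-paste from the resource-limit fixtures.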
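Review bot: CPU_not_limited.yaml, CPU_requests_not_specified.yaml and the other new fixtures under checks/kubernetes/general are added without a matching `# examples:` hunk in their rego files in this diff, unlike every docker and advanced check above. If those rego headers already carry the key this is fine; otherwise the fixtures are referenced by no check metadata and will sit unused. The rego files in question are outside this diff, so I cannot confirm either way.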
diff --git a/checks/kubernetes/general/SYS_ADMIN_capability.yaml b/checks/kubernetes/general/SYS_ADMIN_capability.yaml new file mode 100644 index 00000000..893b38d9 --- /dev/null +++ b/checks/kubernetes/general/SYS_ADMIN_capability.yaml @@ -0,0 +1,33 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-sys-admin-capabilities + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-sys-admin-capabilities + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + capabilities: + add: + - SYS_ADMIN diff --git a/checks/kubernetes/general/capabilities_no_drop_all.yaml b/checks/kubernetes/general/capabilities_no_drop_all.yaml new file mode 100644 index 00000000..4b4f9eb2 --- /dev/null +++ b/checks/kubernetes/general/capabilities_no_drop_all.yaml @@ -0,0 +1,27 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] + image: busybox + name: hello + securityContext: + capabilities: + drop: + - all + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] + image: busybox + name: hello diff --git a/checks/kubernetes/general/file_system_not_read_only.yaml b/checks/kubernetes/general/file_system_not_read_only.yaml new file mode 100644 index 00000000..6321542f --- /dev/null +++ b/checks/kubernetes/general/file_system_not_read_only.yaml 
@@ -0,0 +1,33 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-fs-not-readonly + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + readOnlyRootFilesystem: true + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-fs-not-readonly + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + readOnlyRootFilesystem: false diff --git a/checks/kubernetes/general/memory_not_limited.yaml b/checks/kubernetes/general/memory_not_limited.yaml new file mode 100644 index 00000000..b8bfc3eb --- /dev/null +++ b/checks/kubernetes/general/memory_not_limited.yaml @@ -0,0 +1,32 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + resources: + limits: + memory: 128Mi + bad: + - | + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello diff --git a/checks/kubernetes/general/memory_requests_not_specified.yaml b/checks/kubernetes/general/memory_requests_not_specified.yaml new file mode 100644 index 00000000..11db8a51 --- /dev/null +++ b/checks/kubernetes/general/memory_requests_not_specified.yaml @@ -0,0 +1,32 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + resources: + requests: + memory: 64Mi + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello 
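Review bot: The `bad` entry in memory_not_limited.yaml uses the `- |` block scalar while every other fixture in this commit uses `- |-`, so this one manifest keeps a trailing newline. It parses to the same Pod, but `- |-` keeps the fixtures uniform and avoids a spurious difference if the harness ever compares rendered example text.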
diff --git a/checks/kubernetes/general/mounts_docker_socket.yaml b/checks/kubernetes/general/mounts_docker_socket.yaml new file mode 100644 index 00000000..ae080f07 --- /dev/null +++ b/checks/kubernetes/general/mounts_docker_socket.yaml @@ -0,0 +1,36 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-docker-socket + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + volumes: + - name: test-volume + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-docker-socket + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + volumes: + - name: test-volume + hostPath: + path: "/var/run/docker.sock" + type: Directory diff --git a/checks/kubernetes/general/runs_with_GID_le_10000.yaml b/checks/kubernetes/general/runs_with_GID_le_10000.yaml new file mode 100644 index 00000000..738f7762 --- /dev/null +++ b/checks/kubernetes/general/runs_with_GID_le_10000.yaml @@ -0,0 +1,31 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-gid + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + runAsGroup: 10004 + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-gid + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello diff --git a/checks/kubernetes/general/runs_with_UID_le_10000.yaml b/checks/kubernetes/general/runs_with_UID_le_10000.yaml new file mode 100644 index 00000000..3b77bbb7 --- /dev/null +++ b/checks/kubernetes/general/runs_with_UID_le_10000.yaml 
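Review bot: The `good` Pod in mounts_docker_socket.yaml declares `volumes: - name: test-volume` with no volume source, which the API server rejects because a volume must specify exactly one source, so the passing example is not a valid manifest. Giving it a harmless source, e.g. `emptyDir: {}` under `- name: test-volume`, keeps it valid while still contrasting with the hostPath mount in the `bad` entry. In the `bad` entry, `type: Directory` for `/var/run/docker.sock` would also fail at pod start since that path is a socket; `type: Socket` is the realistic form, though for a deny fixture the mismatch is cosmetic.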
@@ -0,0 +1,31 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-gid + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + runAsUser: 10004 + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-gid + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello diff --git a/checks/kubernetes/general/tiller_is_deployed.yaml b/checks/kubernetes/general/tiller_is_deployed.yaml new file mode 100644 index 00000000..369f81b5 --- /dev/null +++ b/checks/kubernetes/general/tiller_is_deployed.yaml @@ -0,0 +1,46 @@ +kubernetes: + good: + - |- + apiVersion: apps/v1beta2 + kind: Deployment + metadata: + name: Onga + spec: + template: + spec: + containers: + - name: carts-db + image: mongo + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: true + initContainers: + - name: init-svc + image: busybox:1.28 + securityContext: + allowPrivilegeEscalation: false + metadata: + name: None + labels: + app: example + tier: backend + bad: + - |- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: mongo-deployment + spec: + template: + spec: + containers: + - name: carts-db + image: tiller + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: true + initContainers: + - name: init-svc + image: busybox:1.28 + securityContext: + allowPrivilegeEscalation: false diff --git a/checks/kubernetes/general/uses_image_tag_latest.yaml b/checks/kubernetes/general/uses_image_tag_latest.yaml new file mode 100644 index 00000000..23e7b2e2 --- /dev/null +++ b/checks/kubernetes/general/uses_image_tag_latest.yaml 
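Review bot: The `good` Deployment in tiller_is_deployed.yaml uses `apiVersion: apps/v1beta2`, an API version removed in Kubernetes 1.16, while the `bad` one uses `apps/v1`; aligning both on `apps/v1` avoids shipping a removed API as the reference example. Its `metadata:` block (`name: None` plus labels) also appears to sit under `spec.template.spec` rather than `spec.template`, though the collapsed whitespace in this view makes the nesting hard to confirm. Both examples keep `allowPrivilegeEscalation: true` on `carts-db`, which is noise in a fixture whose only distinguishing line is the `image: tiller` value.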
@@ -0,0 +1,29 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-tag + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox:1.33.1 + name: hello + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-tag + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox:latest + name: hello diff --git a/checks/kubernetes/network/no_public_egress.rego b/checks/kubernetes/network/no_public_egress.rego index 0f1185a1..de0f8a79 100644 --- a/checks/kubernetes/network/no_public_egress.rego +++ b/checks/kubernetes/network/no_public_egress.rego @@ -22,6 +22,7 @@ # good_examples: checks/kubernetes/network/no_public_egress.yaml # links: # - https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#spec.egress.to.ip_block.cidr +# examples: checks/kubernetes/network/no_public_egress.yaml package builtin.kube.network.kube0002 import rego.v1 diff --git a/checks/kubernetes/network/no_public_ingress.rego b/checks/kubernetes/network/no_public_ingress.rego index 29f3c51b..69e3e062 100644 --- a/checks/kubernetes/network/no_public_ingress.rego +++ b/checks/kubernetes/network/no_public_ingress.rego @@ -22,6 +22,7 @@ # good_examples: checks/kubernetes/network/no_public_ingress.yaml # links: # - https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#spec.ingress.from.ip_block.cidr +# examples: checks/kubernetes/network/no_public_ingress.yaml package builtin.kube.network.kube0001 import rego.v1 diff --git a/checks/kubernetes/pss/baseline/1_host_ipc.rego b/checks/kubernetes/pss/baseline/1_host_ipc.rego index eaf87f26..da259b8b 100644 --- a/checks/kubernetes/pss/baseline/1_host_ipc.rego +++ b/checks/kubernetes/pss/baseline/1_host_ipc.rego 
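Review bot: In no_public_egress.rego the added `# examples:` line points at the same file as the existing `# good_examples:` entry a few lines above, so the metadata now carries two keys for one fact; given the examples.go change in this commit consults `r.Examples` first, the older key becomes dead here and it is unclear to a maintainer which one wins if they ever diverge. Either remove `# good_examples:` (and the matching bad_examples key if present above the hunk) or add a one-line comment such as `# examples supersedes good_examples/bad_examples`. The same duplication is in the no_public_ingress.rego hunk. The surrounding metadata block starts above the hunk, so there may be further duplicated keys not visible here.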
@@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/1_host_ipc.yaml package builtin.kubernetes.KSV008 import rego.v1 diff --git a/checks/kubernetes/pss/baseline/1_host_ipc.yaml b/checks/kubernetes/pss/baseline/1_host_ipc.yaml new file mode 100644 index 00000000..efc137dd --- /dev/null +++ b/checks/kubernetes/pss/baseline/1_host_ipc.yaml @@ -0,0 +1,31 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-ipc + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + hostIPC: false + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-ipc + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + hostIPC: true diff --git a/checks/kubernetes/pss/baseline/1_host_network.rego b/checks/kubernetes/pss/baseline/1_host_network.rego index 7f115820..a65ec6db 100644 --- a/checks/kubernetes/pss/baseline/1_host_network.rego +++ b/checks/kubernetes/pss/baseline/1_host_network.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/1_host_network.yaml package builtin.kubernetes.KSV009 import rego.v1 diff --git a/checks/kubernetes/pss/baseline/1_host_network.yaml b/checks/kubernetes/pss/baseline/1_host_network.yaml new file mode 100644 index 00000000..2d66331e --- /dev/null +++ b/checks/kubernetes/pss/baseline/1_host_network.yaml @@ -0,0 +1,31 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-network + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + hostNetwork: false + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-network + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + hostNetwork: true 
diff --git a/checks/kubernetes/pss/baseline/1_host_pid.rego b/checks/kubernetes/pss/baseline/1_host_pid.rego index 1a297230..71c2d9b1 100644 --- a/checks/kubernetes/pss/baseline/1_host_pid.rego +++ b/checks/kubernetes/pss/baseline/1_host_pid.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/1_host_pid.yaml package builtin.kubernetes.KSV010 import rego.v1 diff --git a/checks/kubernetes/pss/baseline/1_host_pid.yaml b/checks/kubernetes/pss/baseline/1_host_pid.yaml new file mode 100644 index 00000000..438ae676 --- /dev/null +++ b/checks/kubernetes/pss/baseline/1_host_pid.yaml @@ -0,0 +1,31 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-network + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + hostPID: false + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-network + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + hostPID: true diff --git a/checks/kubernetes/pss/baseline/2_privileged.rego b/checks/kubernetes/pss/baseline/2_privileged.rego index 5ff8f5f8..d2ffabe3 100644 --- a/checks/kubernetes/pss/baseline/2_privileged.rego +++ b/checks/kubernetes/pss/baseline/2_privileged.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/2_privileged.yaml package builtin.kubernetes.KSV017 import rego.v1 diff --git a/checks/kubernetes/pss/baseline/2_privileged.yaml b/checks/kubernetes/pss/baseline/2_privileged.yaml new file mode 100644 index 00000000..0f900936 --- /dev/null +++ b/checks/kubernetes/pss/baseline/2_privileged.yaml 
@@ -0,0 +1,31 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-privileged + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-privileged + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + privileged: true diff --git a/checks/kubernetes/pss/baseline/3_specific_capabilities_added.rego b/checks/kubernetes/pss/baseline/3_specific_capabilities_added.rego index d69a3e08..aa80a583 100644 --- a/checks/kubernetes/pss/baseline/3_specific_capabilities_added.rego +++ b/checks/kubernetes/pss/baseline/3_specific_capabilities_added.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/3_specific_capabilities_added.yaml package builtin.kubernetes.KSV022 import rego.v1 diff --git a/checks/kubernetes/pss/baseline/3_specific_capabilities_added.yaml b/checks/kubernetes/pss/baseline/3_specific_capabilities_added.yaml new file mode 100644 index 00000000..0659959c --- /dev/null +++ b/checks/kubernetes/pss/baseline/3_specific_capabilities_added.yaml @@ -0,0 +1,33 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-add-capabilities + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-add-capabilities + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + capabilities: + add: + - NET_BIND_SERVICE diff --git a/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.rego b/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.rego index cbdcd51d..5d0d3837 100644 --- a/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.rego 
+++ b/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.yaml package builtin.kubernetes.KSV023 import rego.v1 diff --git a/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.yaml b/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.yaml new file mode 100644 index 00000000..52786426 --- /dev/null +++ b/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.yaml @@ -0,0 +1,33 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-path + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-path + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + volumes: + - hostPath: + path: /sys + type: "" diff --git a/checks/kubernetes/pss/baseline/5_access_to_host_ports.rego b/checks/kubernetes/pss/baseline/5_access_to_host_ports.rego index f3d5f2d2..ef75ead9 100644 --- a/checks/kubernetes/pss/baseline/5_access_to_host_ports.rego +++ b/checks/kubernetes/pss/baseline/5_access_to_host_ports.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/5_access_to_host_ports.yaml package builtin.kubernetes.KSV024 import rego.v1 diff --git a/checks/kubernetes/pss/baseline/5_access_to_host_ports.yaml b/checks/kubernetes/pss/baseline/5_access_to_host_ports.yaml new file mode 100644 index 00000000..c31bf1d3 --- /dev/null +++ b/checks/kubernetes/pss/baseline/5_access_to_host_ports.yaml 
@@ -0,0 +1,31 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-ports + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-ports + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + ports: + - hostPort: 8080 diff --git a/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.rego b/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.rego index db2538ed..19dc5fb4 100644 --- a/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.rego +++ b/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.yaml package builtin.kubernetes.KSV002 import rego.v1 diff --git a/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.yaml b/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.yaml new file mode 100644 index 00000000..4b08274d --- /dev/null +++ b/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.yaml @@ -0,0 +1,33 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/hello: runtime/default + name: hello-apparmor + spec: + containers: + - command: + - sh + - -c + - echo 'Hello AppArmor!' && sleep 1h + image: busybox + name: hello + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/hello: custom + name: hello-apparmor + spec: + containers: + - command: + - sh + - -c + - echo 'Hello AppArmor!' && sleep 1h + image: busybox + name: hello diff --git a/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.rego b/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.rego index 270bb2be..4a51af40 100644 
--- a/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.rego +++ b/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/7_selinux_custom_options_set.yaml package builtin.kubernetes.KSV025 import rego.v1 diff --git a/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.yaml b/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.yaml new file mode 100644 index 00000000..70d13a27 --- /dev/null +++ b/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.yaml @@ -0,0 +1,33 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-selinux + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: null + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-selinux + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + seLinuxOptions: + type: custom diff --git a/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.rego b/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.rego index d0af9362..1caeebc4 100644 --- a/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.rego +++ b/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.yaml package builtin.kubernetes.KSV027 import rego.v1 diff --git a/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.yaml b/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.yaml new file mode 100644 index 00000000..1f333db1 --- /dev/null +++ b/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.yaml 
@@ -0,0 +1,35 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-proc-mount + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + ports: + - hostPort: 8080 + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-proc-mount + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + ports: + - hostPort: 8080 + securityContext: + procMount: Unmasked diff --git a/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.rego b/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.rego index 87316555..a7590d9a 100644 --- a/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.rego +++ b/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.yaml package builtin.kubernetes.KSV026 import rego.v1 diff --git a/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.yaml b/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.yaml new file mode 100644 index 00000000..36540060 --- /dev/null +++ b/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.yaml @@ -0,0 +1,39 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-sysctls + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + sysctls: + - name: kernel.shm_rmid_forced + value: "0" + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-sysctls + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + sysctls: + - name: net.core.somaxconn + value: "1024" + - name: kernel.msgmax + value: "65536" 
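Review bot: Both examples in 8_non_default_proc_masks_set.yaml carry `ports: - hostPort: 8080`, a host-port binding that is the misconfiguration 5_access_to_host_ports.yaml exists to flag, so the "good" fixture for the procMount check is itself a bad example for KSV024 and the pair no longer isolates `procMount: Unmasked` as the only difference. Drop the `ports:` stanza from both documents; nothing in the check's subject depends on it.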
diff --git a/checks/kubernetes/pss/restricted/1_non_core_volume_types.rego b/checks/kubernetes/pss/restricted/1_non_core_volume_types.rego index 2eca33fb..751ff0c6 100644 --- a/checks/kubernetes/pss/restricted/1_non_core_volume_types.rego +++ b/checks/kubernetes/pss/restricted/1_non_core_volume_types.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/restricted/1_non_core_volume_types.yaml package builtin.kubernetes.KSV028 import rego.v1 diff --git a/checks/kubernetes/pss/restricted/1_non_core_volume_types.yaml b/checks/kubernetes/pss/restricted/1_non_core_volume_types.yaml new file mode 100644 index 00000000..45f5a362 --- /dev/null +++ b/checks/kubernetes/pss/restricted/1_non_core_volume_types.yaml @@ -0,0 +1,42 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-volume-types + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + volumes: + - name: volume-a + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-volume-types + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + volumes: + - name: volume-a + scaleIO: + fsType: xfs + gateway: https://localhost:443/api + protectionDomain: sd0 + secretRef: + name: sio-secret + storagePool: sp1 + system: scaleio + volumeName: vol-a diff --git a/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.rego b/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.rego index 96934fa4..17189bf9 100644 --- a/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.rego +++ b/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.yaml package builtin.kubernetes.KSV001 import rego.v1 
diff --git a/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.yaml b/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.yaml new file mode 100644 index 00000000..93204199 --- /dev/null +++ b/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.yaml @@ -0,0 +1,35 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + allowPrivilegeEscalation: false + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + capabilities: + drop: + - all diff --git a/checks/kubernetes/pss/restricted/3_runs_as_root.rego b/checks/kubernetes/pss/restricted/3_runs_as_root.rego index 18098752..abaa832e 100644 --- a/checks/kubernetes/pss/restricted/3_runs_as_root.rego +++ b/checks/kubernetes/pss/restricted/3_runs_as_root.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/restricted/3_runs_as_root.yaml package builtin.kubernetes.KSV012 import rego.v1 diff --git a/checks/kubernetes/pss/restricted/3_runs_as_root.yaml b/checks/kubernetes/pss/restricted/3_runs_as_root.yaml new file mode 100644 index 00000000..b0b0d6b1 --- /dev/null +++ b/checks/kubernetes/pss/restricted/3_runs_as_root.yaml @@ -0,0 +1,31 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + runAsNonRoot: true + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello 
diff --git a/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego b/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego index 59d406d7..e1488557 100644 --- a/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego +++ b/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.yaml package builtin.kubernetes.KSV030 import rego.v1 diff --git a/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.yaml b/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.yaml new file mode 100644 index 00000000..ba0c5c34 --- /dev/null +++ b/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.yaml @@ -0,0 +1,37 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + seccompProfile: + localhostProfile: profiles/audit.json + type: RuntimeDefault + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + seccompProfile: + localhostProfile: profiles/audit.json + type: LocalPort diff --git a/go.mod b/go.mod index 418b332a..9b8d5a85 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/aquasecurity/trivy-checks go 1.23.4 require ( - github.com/aquasecurity/trivy v0.58.1-0.20250109050215-f9a6a7192722 + github.com/aquasecurity/trivy v0.58.1-0.20250117000135-6d84e0cc0d48 github.com/aws-cloudformation/rain v1.21.0 github.com/hashicorp/hcl/v2 v2.23.0 github.com/liamg/iamgo v0.0.9 diff --git a/go.sum b/go.sum index 92349797..718ff12f 100644 
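Review bot: In 5_runtime_default_seccomp_profile_not_set.yaml the bad example sets `type: LocalPort`, which is not a `seccompProfile.type` the API accepts (the valid values are `RuntimeDefault`, `Localhost` and `Unconfined`), and the good example pairs `localhostProfile` with `type: RuntimeDefault`, which validation rejects because `localhostProfile` is only permitted with `Localhost`. A pair that is both applicable and faithful to the check's intent would be good: `seccompProfile: {type: RuntimeDefault}` and bad: `seccompProfile: {type: Unconfined}` (or `Localhost` with the profile path, depending on what the rule treats as non-compliant — I cannot see the Rego body here). The `hello-cpu-limit` name is also copy-pasted into this fixture and into 2_can_elevate_its_own_privileges.yaml and 3_runs_as_root.yaml; per-check names keep the rendered docs readable.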
--- a/go.sum +++ b/go.sum @@ -355,8 +355,8 @@ github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8 h1:b43UVqY github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8/go.mod h1:wXA9k3uuaxY3yu7gxrxZDPo/04FEMJtwyecdAlYrEIo= github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo= github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY= -github.com/aquasecurity/trivy v0.58.1-0.20250109050215-f9a6a7192722 h1:+YTyne1Ge2I8bpbqkClvMKCdK0U1qmQySjlS3cC4ih4= -github.com/aquasecurity/trivy v0.58.1-0.20250109050215-f9a6a7192722/go.mod h1:pDTEekX8yWaSI094UO3dTBnwI2xSZhwekFCbTSog8Jk= +github.com/aquasecurity/trivy v0.58.1-0.20250117000135-6d84e0cc0d48 h1:kJXBAL9eUE8QooECmED/65+UPBsJg9K3l6dyQOivbVg= +github.com/aquasecurity/trivy v0.58.1-0.20250117000135-6d84e0cc0d48/go.mod h1:pDTEekX8yWaSI094UO3dTBnwI2xSZhwekFCbTSog8Jk= github.com/aquasecurity/trivy-db v0.0.0-20241209111357-8c398f13db0e h1:O5j5SeCNBrXApgBTOobO06q4LMxJxIhcSGE7H6Y154E= github.com/aquasecurity/trivy-db v0.0.0-20241209111357-8c398f13db0e/go.mod h1:gS8VhlNxhraiq60BBnJw9kGtjeMspQ9E8pX24jCL4jg= github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI= diff --git a/integration/check_examples_test.go b/integration/check_examples_test.go index 7824ee43..ec169a55 100644 --- a/integration/check_examples_test.go +++ b/integration/check_examples_test.go @@ -107,7 +107,7 @@ func setupTarget(t *testing.T) string { func writeExamples(t *testing.T, examples []string, provider, cacheDir string, id string, typ string) { for i, example := range examples { - name := "test" + extensionByProvider(provider) + name := fileNameByProvider(provider) file := filepath.Join(cacheDir, id, provider, typ, strconv.Itoa(i), name) require.NoError(t, os.MkdirAll(filepath.Dir(file), fs.ModePerm)) require.NoError(t, os.WriteFile(file, []byte(example), fs.ModePerm)) 
@@ -167,12 +167,16 @@ func getFailureIDs(report types.Report) map[string][]string {
 return ids
 }

-func extensionByProvider(provider string) string {
+func fileNameByProvider(provider string) string {
 switch provider {
 case "terraform":
- return ".tf"
+ return "main.tf"
 case "cloudformation":
- return ".yaml"
+ return "template.yaml"
+ case "dockerfile":
+ return "Dockerfile"
+ case "kubernetes":
+ return "test.yaml"
 }
- panic("unreachable")
+ panic("unreachable: " + provider)
 }
diff --git a/internal/examples/examples.go b/internal/examples/examples.go
index 999e63b0..a634b859 100644
--- a/internal/examples/examples.go
+++ b/internal/examples/examples.go
@@ -33,6 +33,10 @@ func GetCheckExamples(r scan.Rule) (CheckExamples, string, error) {

 // TODO: use `examples` field after adding
 func getCheckExamplesPath(r scan.Rule) string {
+ if r.Examples != "" {
+ return r.Examples
+ }
+
 for _, eng := range []*scan.EngineMetadata{r.Terraform, r.CloudFormation} {
 if eng == nil {
 continue
@@ -100,6 +104,7 @@ func (b blocks) format(fn func(blockString) blockString) {
 var formatters = map[string]func(blockString) blockString{
 "terraform": formatHCL,
 "cloudformation": formatCFT,
+ "kubernetes": formatYAML,
 }

 func formatHCL(b blockString) blockString {
@@ -114,3 +119,15 @@ func formatCFT(b blockString) blockString {
 return blockString(format.CftToYaml(tmpl))
 }

+
+func formatYAML(b blockString) blockString {
+ var v any
+ if err := yaml.Unmarshal([]byte(b), &v); err != nil {
+ panic(err)
+ }
+ ret, err := yaml.Marshal(v)
+ if err != nil {
+ panic(err)
+ }
+ return blockString(ret)
+}
diff --git a/test/docker_test.go b/test/docker_test.go
deleted file mode 100644
index 8ba6e263..00000000
--- a/test/docker_test.go
+++ /dev/null
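Review bot: `fileNameByProvider` now has four real cases, and the `panic("unreachable: " + provider)` at the end is reachable whenever a check's examples file uses a provider key the switch does not know (the caller in writeExamples, in the previous hunk, presumably takes `provider` from that file), which aborts the whole test binary instead of failing the one check's subtest with a usable message. Returning `(string, bool)` and letting the caller assert, e.g. `name, ok := fileNameByProvider(provider)` followed by `require.Truef(t, ok, "unknown example provider %q for check %s", provider, id)`, keeps the failure local and names the offending check. A doc comment would also help, since the returned names are load-bearing for detection: `// fileNameByProvider returns the fixture file name the provider's scanner expects; Dockerfile must be named exactly "Dockerfile" to be picked up.`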
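Review bot: `formatYAML` unmarshals into a single `any`, so a multi-document example (`---` separated manifests, common for Kubernetes) keeps only the first document and silently drops the rest, and re-marshalling a map-typed value also reorders keys alphabetically, so the rendered example no longer matches the fixture the integration test actually scanned. If the yaml package in use exposes a streaming decoder, iterate over documents and re-join the re-encoded ones with `---`; otherwise document the limitation above the function, e.g. `// formatYAML re-encodes a single YAML document; additional documents after a "---" separator are dropped and map keys are emitted in sorted order.` The two `panic(err)` calls also make one malformed example file fail every check's rendering at once rather than reporting which file is bad; including the input in the panic message (the function does not know the path, so the caller may be the right place) would make that diagnosable.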
@@ -1,80 +0,0 @@ -package test - -import ( - "context" - "fmt" - "os" - "testing" - - "github.com/aquasecurity/trivy/pkg/iac/rego" - "github.com/aquasecurity/trivy/pkg/iac/scanners/dockerfile" - "github.com/aquasecurity/trivy/pkg/iac/scanners/options" - "github.com/stretchr/testify/require" - - builtinrego "github.com/aquasecurity/trivy-checks/pkg/rego" -) - -func init() { - builtinrego.RegisterBuiltins() -} - -func Test_Dockerfile(t *testing.T) { - tests := []struct { - name string - opts []options.ScannerOption - }{ - { - name: "checks from disk", - opts: []options.ScannerOption{ - rego.WithPolicyFilesystem(os.DirFS("../checks/docker")), - rego.WithPolicyDirs("."), - rego.WithIncludeDeprecatedChecks(false), - }, - }, - { - name: "embedded checks", - opts: []options.ScannerOption{ - rego.WithEmbeddedPolicies(true), - rego.WithIncludeDeprecatedChecks(false), - }, - }, - } - - testdata := "./testdata/dockerfile" - - entries, err := os.ReadDir(testdata) - require.NoError(t, err) - - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - t.Parallel() - - opts := []options.ScannerOption{ - rego.WithPerResultTracing(true), - rego.WithEmbeddedLibraries(true), - } - opts = append(opts, tt.opts...) - - scanner := dockerfile.NewScanner(opts...) - - results, err := scanner.ScanFS(context.TODO(), os.DirFS(testdata), ".") - require.NoError(t, err) - - for _, entry := range entries { - if !entry.IsDir() { - continue - } - - dirName := entry.Name() - - t.Run(entry.Name(), func(t *testing.T) { - assertChecks(t, dirName, - fmt.Sprintf("%s/Dockerfile.denied", dirName), - fmt.Sprintf("%s/Dockerfile.allowed", dirName), - results, - ) - }) - } - }) - } -} diff --git a/test/kubernetes_test.go b/test/kubernetes_test.go deleted file mode 100644 index 0d6f197b..00000000 --- a/test/kubernetes_test.go +++ /dev/null 
@@ -1,116 +0,0 @@ -package test - -import ( - "context" - "fmt" - "os" - "testing" - - "github.com/aquasecurity/trivy/pkg/iac/rego" - "github.com/aquasecurity/trivy/pkg/iac/scan" - "github.com/aquasecurity/trivy/pkg/iac/scanners/kubernetes" - "github.com/aquasecurity/trivy/pkg/iac/scanners/options" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" -) - -func Test_Kubenetes(t *testing.T) { - tests := []struct { - name string - opts []options.ScannerOption - }{ - { - name: "checks from disk", - opts: []options.ScannerOption{ - rego.WithPolicyFilesystem(os.DirFS("../checks/kubernetes")), - rego.WithPolicyDirs("."), - }, - }, - { - name: "embedded checks", - opts: []options.ScannerOption{ - rego.WithEmbeddedPolicies(true), - }, - }, - } - - testdata := "./testdata/kubernetes" - - entries, err := os.ReadDir(testdata) - require.NoError(t, err) - - for _, tt := range tests { - t.Run(t.Name(), func(t *testing.T) { - t.Parallel() - - opts := []options.ScannerOption{ - rego.WithPerResultTracing(true), - rego.WithEmbeddedLibraries(true), - rego.WithIncludeDeprecatedChecks(false), - } - opts = append(opts, tt.opts...) - - scanner := kubernetes.NewScanner(opts...) 
- - results, err := scanner.ScanFS(context.TODO(), os.DirFS(testdata), ".") - require.NoError(t, err) - - for _, entry := range entries { - if !entry.IsDir() { - continue - } - if entry.Name() == "optional" { - continue - } - - dirName := entry.Name() - - t.Run(entry.Name(), func(t *testing.T) { - assertChecks(t, dirName, - fmt.Sprintf("%s/denied.yaml", dirName), - fmt.Sprintf("%s/allowed.yaml", dirName), - results, - ) - }) - } - }) - } -} - -func assertChecks(t *testing.T, fileName, failCase, passCase string, results scan.Results) { - t.Helper() - - var matched bool - - for _, result := range results { - if !result.Rule().HasID(fileName) { - continue - } - - t.Run(result.Rule().AVDID, func(t *testing.T) { - switch result.Range().GetFilename() { - case failCase: - assert.Equal(t, scan.StatusFailed, result.Status(), "Rule should have failed, but didn't.") - if result.Rule().AVDID != "AVD-DS-0002" { - assert.Greater(t, result.Range().GetStartLine(), 0, "We should have line numbers for a failure") - assert.Greater(t, result.Range().GetEndLine(), 0, "We should have line numbers for a failure") - } - matched = true - case passCase: - assert.Equal(t, scan.StatusPassed, result.Status(), "Rule should have passed, but didn't.") - matched = true - default: - return - } - - if t.Failed() { - fmt.Println("Test failed - rego trace follows:") - for _, trace := range result.Traces() { - fmt.Println(trace) - } - } - }) - } - - assert.True(t, matched, "Rule should be matched once") -} diff --git a/test/testdata/dockerfile/DS001/Dockerfile.allowed b/test/testdata/dockerfile/DS001/Dockerfile.allowed deleted file mode 100644 index ee5c6cc9..00000000 --- a/test/testdata/dockerfile/DS001/Dockerfile.allowed +++ /dev/null @@ -1,3 +0,0 @@ -FROM debian:9 -RUN apt-get update && apt-get -y install vim && apt-get clean -USER foo diff --git a/test/testdata/dockerfile/DS001/Dockerfile.denied b/test/testdata/dockerfile/DS001/Dockerfile.denied deleted file mode 100644 index 5e2b193a..00000000 
--- a/test/testdata/dockerfile/DS001/Dockerfile.denied +++ /dev/null @@ -1,3 +0,0 @@ -FROM debian:latest -RUN apt-get update && apt-get -y install vim && apt-get clean -USER foo diff --git a/test/testdata/dockerfile/DS002/Dockerfile.allowed b/test/testdata/dockerfile/DS002/Dockerfile.allowed deleted file mode 100644 index 8bb3de30..00000000 --- a/test/testdata/dockerfile/DS002/Dockerfile.allowed +++ /dev/null @@ -1,3 +0,0 @@ -FROM debian:9 -RUN apt-get update && apt-get -y install vim && apt-get clean -USER foo \ No newline at end of file diff --git a/test/testdata/dockerfile/DS002/Dockerfile.denied b/test/testdata/dockerfile/DS002/Dockerfile.denied deleted file mode 100644 index 9b996cc7..00000000 --- a/test/testdata/dockerfile/DS002/Dockerfile.denied +++ /dev/null @@ -1,2 +0,0 @@ -FROM debian:9 -RUN apt-get update && apt-get -y install vim && apt-get clean diff --git a/test/testdata/dockerfile/DS004/Dockerfile.allowed b/test/testdata/dockerfile/DS004/Dockerfile.allowed deleted file mode 100644 index 8af97be7..00000000 --- a/test/testdata/dockerfile/DS004/Dockerfile.allowed +++ /dev/null @@ -1,3 +0,0 @@ -FROM alpine:3.13 -USER mike -EXPOSE 8080 diff --git a/test/testdata/dockerfile/DS004/Dockerfile.denied b/test/testdata/dockerfile/DS004/Dockerfile.denied deleted file mode 100644 index 91016100..00000000 --- a/test/testdata/dockerfile/DS004/Dockerfile.denied +++ /dev/null @@ -1,3 +0,0 @@ -FROM alpine:3.13 -USER mike -EXPOSE 22 \ No newline at end of file diff --git a/test/testdata/dockerfile/DS005/Dockerfile.allowed b/test/testdata/dockerfile/DS005/Dockerfile.allowed deleted file mode 100644 index 28d89b43..00000000 --- a/test/testdata/dockerfile/DS005/Dockerfile.allowed +++ /dev/null @@ -1,3 +0,0 @@ -FROM alpine:3.13 -USER mike -ADD "/target/resources.tar.gz" "resources" diff --git a/test/testdata/dockerfile/DS005/Dockerfile.denied b/test/testdata/dockerfile/DS005/Dockerfile.denied deleted file mode 100644 index 98c1249f..00000000 
--- a/test/testdata/dockerfile/DS005/Dockerfile.denied +++ /dev/null @@ -1,4 +0,0 @@ -FROM alpine:3.13 -USER mike -ADD "/target/resources.tar.gz" "resources.jar" -ADD "/target/app.jar" "app.jar" \ No newline at end of file diff --git a/test/testdata/dockerfile/DS006/Dockerfile.allowed b/test/testdata/dockerfile/DS006/Dockerfile.allowed deleted file mode 100644 index 529198ac..00000000 --- a/test/testdata/dockerfile/DS006/Dockerfile.allowed +++ /dev/null @@ -1,6 +0,0 @@ -FROM golang:1.7.3 as dep -COPY /binary / - -FROM alpine:3.13 -USER mike -ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] \ No newline at end of file diff --git a/test/testdata/dockerfile/DS006/Dockerfile.denied b/test/testdata/dockerfile/DS006/Dockerfile.denied deleted file mode 100644 index cdb11213..00000000 --- a/test/testdata/dockerfile/DS006/Dockerfile.denied +++ /dev/null @@ -1,6 +0,0 @@ -FROM golang:1.7.3 as dep -COPY --from=dep /binary / - -FROM alpine:3.13 -USER mike -ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] \ No newline at end of file diff --git a/test/testdata/dockerfile/DS007/Dockerfile.allowed b/test/testdata/dockerfile/DS007/Dockerfile.allowed deleted file mode 100644 index 37b3bb39..00000000 --- a/test/testdata/dockerfile/DS007/Dockerfile.allowed +++ /dev/null @@ -1,6 +0,0 @@ -FROM golang:1.7.3 as dep -COPY /binary / - -FROM alpine:3.13 -USER mike -ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] \ No newline at end of file diff --git a/test/testdata/dockerfile/DS007/Dockerfile.denied b/test/testdata/dockerfile/DS007/Dockerfile.denied deleted file mode 100644 index 228966f1..00000000 --- a/test/testdata/dockerfile/DS007/Dockerfile.denied +++ /dev/null @@ -1,8 +0,0 @@ -FROM golang:1.7.3 as dep -COPY dep /binary / -ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] -ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] - -FROM alpine:3.13 -USER mike -ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] \ No newline at end of file 
diff --git a/test/testdata/dockerfile/DS008/Dockerfile.allowed b/test/testdata/dockerfile/DS008/Dockerfile.allowed
deleted file mode 100644
index f66bb31d..00000000
--- a/test/testdata/dockerfile/DS008/Dockerfile.allowed
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM alpine:3.13
-USER mike
-EXPOSE 65530 8080
diff --git a/test/testdata/dockerfile/DS008/Dockerfile.denied b/test/testdata/dockerfile/DS008/Dockerfile.denied
deleted file mode 100644
index 89c465a6..00000000
--- a/test/testdata/dockerfile/DS008/Dockerfile.denied
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM alpine:3.13
-USER mike
-EXPOSE 65536 8080
diff --git a/test/testdata/dockerfile/DS009/Dockerfile.allowed b/test/testdata/dockerfile/DS009/Dockerfile.allowed
deleted file mode 100644
index 1db32e18..00000000
--- a/test/testdata/dockerfile/DS009/Dockerfile.allowed
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM alpine:3.13
-USER mike
-WORKDIR /path/to/workdir
diff --git a/test/testdata/dockerfile/DS009/Dockerfile.denied b/test/testdata/dockerfile/DS009/Dockerfile.denied
deleted file mode 100644
index 422d65f0..00000000
--- a/test/testdata/dockerfile/DS009/Dockerfile.denied
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM alpine:3.13
-USER mike
-WORKDIR path/to/workdir
diff --git a/test/testdata/dockerfile/DS010/Dockerfile.allowed b/test/testdata/dockerfile/DS010/Dockerfile.allowed
deleted file mode 100644
index 67232624..00000000
--- a/test/testdata/dockerfile/DS010/Dockerfile.allowed
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM alpine:3.13
-RUN pip install --upgrade pip
-USER mike
diff --git a/test/testdata/dockerfile/DS010/Dockerfile.denied b/test/testdata/dockerfile/DS010/Dockerfile.denied
deleted file mode 100644
index cd63e40e..00000000
--- a/test/testdata/dockerfile/DS010/Dockerfile.denied
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM alpine:3.13
-RUN sudo pip install --upgrade pip
-USER mike
diff --git a/test/testdata/dockerfile/DS011/Dockerfile.allowed b/test/testdata/dockerfile/DS011/Dockerfile.allowed
deleted file mode 100644
index c5d7133a..00000000
--- a/test/testdata/dockerfile/DS011/Dockerfile.allowed
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM alpine:3.13
-USER mike
-COPY ["package.json", "yarn.lock", "myapp/"]
diff --git a/test/testdata/dockerfile/DS011/Dockerfile.denied b/test/testdata/dockerfile/DS011/Dockerfile.denied
deleted file mode 100644
index 72df0188..00000000
--- a/test/testdata/dockerfile/DS011/Dockerfile.denied
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM alpine:3.13
-USER mike
-COPY ["package.json", "yarn.lock", "myapp"]
diff --git a/test/testdata/dockerfile/DS012/Dockerfile.allowed b/test/testdata/dockerfile/DS012/Dockerfile.allowed
deleted file mode 100644
index a3eeb0f4..00000000
--- a/test/testdata/dockerfile/DS012/Dockerfile.allowed
+++ /dev/null
@@ -1,10 +0,0 @@
-FROM baseImage:1.1
-RUN test
-
-FROM debian:jesse2 as build2
-USER mike
-RUN stuff
-
-FROM debian:jesse1 as build1
-USER mike
-RUN more_stuff
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS012/Dockerfile.denied b/test/testdata/dockerfile/DS012/Dockerfile.denied
deleted file mode 100644
index 86e7882d..00000000
--- a/test/testdata/dockerfile/DS012/Dockerfile.denied
+++ /dev/null
@@ -1,10 +0,0 @@
-FROM baseImage:1.1
-RUN test
-
-FROM debian:jesse2 as build
-USER mike
-RUN stuff
-
-FROM debian:jesse1 as build
-USER mike
-RUN more_stuff
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS013/Dockerfile.allowed b/test/testdata/dockerfile/DS013/Dockerfile.allowed
deleted file mode 100644
index c1426226..00000000
--- a/test/testdata/dockerfile/DS013/Dockerfile.allowed
+++ /dev/null
@@ -1,4 +0,0 @@
-FROM nginx:2.2
-WORKDIR /usr/share/nginx/html
-USER mike
-CMD cd /usr/share/nginx/html && sed -e s/Docker/\"$AUTHOR\"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS013/Dockerfile.denied b/test/testdata/dockerfile/DS013/Dockerfile.denied
deleted file mode 100644
index e5a769aa..00000000
--- a/test/testdata/dockerfile/DS013/Dockerfile.denied
+++ /dev/null
@@ -1,4 +0,0 @@
-FROM nginx:2.2
-RUN cd /usr/share/nginx/html
-USER mike
-CMD cd /usr/share/nginx/html && sed -e s/Docker/\"$AUTHOR\"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS014/Dockerfile.allowed b/test/testdata/dockerfile/DS014/Dockerfile.allowed
deleted file mode 100644
index b46d24c9..00000000
--- a/test/testdata/dockerfile/DS014/Dockerfile.allowed
+++ /dev/null
@@ -1,7 +0,0 @@
-FROM debian:stable-20210621
-RUN curl http://bing.com
-RUN curl http://google.com
-
-FROM baseimage:1.0
-USER mike
-RUN curl http://bing.com
diff --git a/test/testdata/dockerfile/DS014/Dockerfile.denied b/test/testdata/dockerfile/DS014/Dockerfile.denied
deleted file mode 100644
index c5ec6eff..00000000
--- a/test/testdata/dockerfile/DS014/Dockerfile.denied
+++ /dev/null
@@ -1,7 +0,0 @@
-FROM debian:stable-20210621
-RUN wget http://bing.com
-RUN curl http://google.com
-
-FROM baseimage:1.0
-USER mike
-RUN curl http://bing.com
diff --git a/test/testdata/dockerfile/DS015/Dockerfile.allowed b/test/testdata/dockerfile/DS015/Dockerfile.allowed
deleted file mode 100644
index 5ab6a656..00000000
--- a/test/testdata/dockerfile/DS015/Dockerfile.allowed
+++ /dev/null
@@ -1,5 +0,0 @@
-FROM alpine:3.5
-RUN yum install && yum clean all
-RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
-USER mike
-CMD python /usr/src/app/app.py
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS015/Dockerfile.denied b/test/testdata/dockerfile/DS015/Dockerfile.denied
deleted file mode 100644
index e1ba5704..00000000
--- a/test/testdata/dockerfile/DS015/Dockerfile.denied
+++ /dev/null
@@ -1,5 +0,0 @@
-FROM alpine:3.5
-RUN yum install vim
-RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
-USER mike
-CMD python /usr/src/app/app.py
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS016/Dockerfile.allowed b/test/testdata/dockerfile/DS016/Dockerfile.allowed
deleted file mode 100644
index 46f07fda..00000000
--- a/test/testdata/dockerfile/DS016/Dockerfile.allowed
+++ /dev/null
@@ -1,5 +0,0 @@
-FROM golang:1.7.3
-USER mike
-CMD ./apps
-FROM alpine:3.13
-CMD ./app
diff --git a/test/testdata/dockerfile/DS016/Dockerfile.denied b/test/testdata/dockerfile/DS016/Dockerfile.denied
deleted file mode 100644
index e861f0a0..00000000
--- a/test/testdata/dockerfile/DS016/Dockerfile.denied
+++ /dev/null
@@ -1,6 +0,0 @@
-FROM golang:1.7.3
-USER mike
-CMD ./app
-CMD ./apps
-FROM alpine:3.13
-CMD ./app
diff --git a/test/testdata/dockerfile/DS017/Dockerfile.allowed b/test/testdata/dockerfile/DS017/Dockerfile.allowed
deleted file mode 100644
index d92984d7..00000000
--- a/test/testdata/dockerfile/DS017/Dockerfile.allowed
+++ /dev/null
@@ -1,4 +0,0 @@
-FROM ubuntu:18.04
-RUN apt-get update && apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/* && apt-get clean
-USER mike
-ENTRYPOINT mysql
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS017/Dockerfile.denied b/test/testdata/dockerfile/DS017/Dockerfile.denied
deleted file mode 100644
index e9bf2a9a..00000000
--- a/test/testdata/dockerfile/DS017/Dockerfile.denied
+++ /dev/null
@@ -1,5 +0,0 @@
-FROM ubuntu:18.04
-RUN apt-get update
-RUN apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/* && apt-get clean
-USER mike
-ENTRYPOINT mysql
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS019/Dockerfile.allowed b/test/testdata/dockerfile/DS019/Dockerfile.allowed
deleted file mode 100644
index 0b975046..00000000
--- a/test/testdata/dockerfile/DS019/Dockerfile.allowed
+++ /dev/null
@@ -1,5 +0,0 @@
-FROM fedora:27
-USER mike
-RUN set -uex && dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && sed -i 's/\\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && dnf install -vy docker-ce && dnf clean all
-HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
-
diff --git a/test/testdata/dockerfile/DS019/Dockerfile.denied b/test/testdata/dockerfile/DS019/Dockerfile.denied
deleted file mode 100644
index 47c2c25f..00000000
--- a/test/testdata/dockerfile/DS019/Dockerfile.denied
+++ /dev/null
@@ -1,4 +0,0 @@
-FROM fedora:27
-USER mike
-RUN set -uex && dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && sed -i 's/\\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && dnf install -vy docker-ce
-HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
diff --git a/test/testdata/dockerfile/DS020/Dockerfile.allowed b/test/testdata/dockerfile/DS020/Dockerfile.allowed
deleted file mode 100644
index b76d238a..00000000
--- a/test/testdata/dockerfile/DS020/Dockerfile.allowed
+++ /dev/null
@@ -1,5 +0,0 @@
-FROM alpine:3.5
-RUN zypper install bash && zypper clean
-RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
-USER mike
-CMD python /usr/src/app/app.py
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS020/Dockerfile.denied b/test/testdata/dockerfile/DS020/Dockerfile.denied
deleted file mode 100644
index 22235094..00000000
--- a/test/testdata/dockerfile/DS020/Dockerfile.denied
+++ /dev/null
@@ -1,5 +0,0 @@
-FROM alpine:3.5
-RUN zypper install bash
-RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
-USER mike
-CMD python /usr/src/app/app.py
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS021/Dockerfile.allowed b/test/testdata/dockerfile/DS021/Dockerfile.allowed
deleted file mode 100644
index 84d2c559..00000000
--- a/test/testdata/dockerfile/DS021/Dockerfile.allowed
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM node:12
-USER mike
-RUN apt-get -fmy install apt-utils && apt-get clean
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS021/Dockerfile.denied b/test/testdata/dockerfile/DS021/Dockerfile.denied
deleted file mode 100644
index 988e111d..00000000
--- a/test/testdata/dockerfile/DS021/Dockerfile.denied
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM node:12
-USER mike
-RUN apt-get install apt-utils && apt-get clean
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS022/Dockerfile.allowed b/test/testdata/dockerfile/DS022/Dockerfile.allowed
deleted file mode 100644
index eaa7e488..00000000
--- a/test/testdata/dockerfile/DS022/Dockerfile.allowed
+++ /dev/null
@@ -1,2 +0,0 @@
-FROM busybox:1.33.1
-USER mike
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS022/Dockerfile.denied b/test/testdata/dockerfile/DS022/Dockerfile.denied
deleted file mode 100644
index aebd38f0..00000000
--- a/test/testdata/dockerfile/DS022/Dockerfile.denied
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM busybox:1.33.1
-USER mike
-MAINTAINER Lukas Martinelli
\ No newline at end of file
diff --git a/test/testdata/dockerfile/DS023/Dockerfile.allowed b/test/testdata/dockerfile/DS023/Dockerfile.allowed
deleted file mode 100644
index 29c48f20..00000000
--- a/test/testdata/dockerfile/DS023/Dockerfile.allowed
+++ /dev/null
@@ -1,7 +0,0 @@
-FROM busybox:1.33.1
-HEALTHCHECK CMD /bin/healthcheck
-
-FROM alpine:3.13
-HEALTHCHECK CMD /bin/healthcheck
-USER mike
-CMD ./app
diff --git a/test/testdata/dockerfile/DS023/Dockerfile.denied b/test/testdata/dockerfile/DS023/Dockerfile.denied
deleted file mode 100644
index 6dc49ab5..00000000
--- a/test/testdata/dockerfile/DS023/Dockerfile.denied
+++ /dev/null
@@ -1,8 +0,0 @@
-FROM busybox:1.33.1
-HEALTHCHECK CMD curl http://localhost:8080
-HEALTHCHECK CMD /bin/healthcheck
-
-FROM alpine:3.13
-HEALTHCHECK CMD /bin/healthcheck
-USER mike
-CMD ./app
diff --git a/test/testdata/dockerfile/DS024/Dockerfile.allowed b/test/testdata/dockerfile/DS024/Dockerfile.allowed
deleted file mode 100644
index b5512870..00000000
--- a/test/testdata/dockerfile/DS024/Dockerfile.allowed
+++ /dev/null
@@ -1,4 +0,0 @@
-FROM debian:9.13
-RUN apt-get update && apt-get install -y curl && apt-get clean
-USER mike
-CMD python /usr/src/app/app.py
diff --git a/test/testdata/dockerfile/DS024/Dockerfile.denied b/test/testdata/dockerfile/DS024/Dockerfile.denied
deleted file mode 100644
index 7bc3ae89..00000000
--- a/test/testdata/dockerfile/DS024/Dockerfile.denied
+++ /dev/null
@@ -1,4 +0,0 @@
-FROM debian:9.13
-RUN apt-get update && apt-get dist-upgrade && apt-get -y install curl && apt-get clean
-USER mike
-CMD python /usr/src/app/app.py
diff --git a/test/testdata/kubernetes/KSV001/allowed.yaml b/test/testdata/kubernetes/KSV001/allowed.yaml
deleted file mode 100644
index f40d17d2..00000000
--- a/test/testdata/kubernetes/KSV001/allowed.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-cpu-limit
-spec:
- containers:
- - command: ["sh", "-c", "echo 'Hello' && sleep 1h"]
- image: busybox
- name: hello
- securityContext:
- allowPrivilegeEscalation: false
diff --git a/test/testdata/kubernetes/KSV001/denied.yaml b/test/testdata/kubernetes/KSV001/denied.yaml
deleted file mode 100644
index 3622b1bf..00000000
--- a/test/testdata/kubernetes/KSV001/denied.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-cpu-limit
-spec:
- containers:
- - command: ["sh", "-c", "echo 'Hello' && sleep 1h"]
- image: busybox
- name: hello
- securityContext:
- capabilities:
- drop:
- - all
diff --git a/test/testdata/kubernetes/KSV002/allowed.yaml b/test/testdata/kubernetes/KSV002/allowed.yaml
deleted file mode 100644
index c98da678..00000000
--- a/test/testdata/kubernetes/KSV002/allowed.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- annotations:
- container.apparmor.security.beta.kubernetes.io/hello: runtime/default
- name: hello-apparmor
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello AppArmor!' && sleep 1h
- image: busybox
- name: hello
\ No newline at end of file
diff --git a/test/testdata/kubernetes/KSV002/denied.yaml b/test/testdata/kubernetes/KSV002/denied.yaml
deleted file mode 100644
index a127b4b4..00000000
--- a/test/testdata/kubernetes/KSV002/denied.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- annotations:
- container.apparmor.security.beta.kubernetes.io/hello: custom
- name: hello-apparmor
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello AppArmor!' && sleep 1h
- image: busybox
- name: hello
\ No newline at end of file
diff --git a/test/testdata/kubernetes/KSV003/allowed.yaml b/test/testdata/kubernetes/KSV003/allowed.yaml
deleted file mode 100644
index 3622b1bf..00000000
--- a/test/testdata/kubernetes/KSV003/allowed.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-cpu-limit
-spec:
- containers:
- - command: ["sh", "-c", "echo 'Hello' && sleep 1h"]
- image: busybox
- name: hello
- securityContext:
- capabilities:
- drop:
- - all
diff --git a/test/testdata/kubernetes/KSV003/denied.yaml b/test/testdata/kubernetes/KSV003/denied.yaml
deleted file mode 100644
index 07754a35..00000000
--- a/test/testdata/kubernetes/KSV003/denied.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-cpu-limit
-spec:
- containers:
- - command: ["sh", "-c", "echo 'Hello' && sleep 1h"]
- image: busybox
- name: hello
diff --git a/test/testdata/kubernetes/KSV005/allowed.yaml b/test/testdata/kubernetes/KSV005/allowed.yaml
deleted file mode 100644
index ff08b26f..00000000
--- a/test/testdata/kubernetes/KSV005/allowed.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-sys-admin-capabilities
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
diff --git a/test/testdata/kubernetes/KSV005/denied.yaml b/test/testdata/kubernetes/KSV005/denied.yaml
deleted file mode 100644
index c34e9fad..00000000
--- a/test/testdata/kubernetes/KSV005/denied.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-sys-admin-capabilities
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
- securityContext:
- capabilities:
- add:
- - SYS_ADMIN
diff --git a/test/testdata/kubernetes/KSV006/allowed.yaml b/test/testdata/kubernetes/KSV006/allowed.yaml
deleted file mode 100644
index 04f1710d..00000000
--- a/test/testdata/kubernetes/KSV006/allowed.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-docker-socket
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
- volumes:
- - name: test-volume
diff --git a/test/testdata/kubernetes/KSV006/denied.yaml b/test/testdata/kubernetes/KSV006/denied.yaml
deleted file mode 100644
index d7335ac9..00000000
--- a/test/testdata/kubernetes/KSV006/denied.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-docker-socket
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
- volumes:
- - name: test-volume
- hostPath:
- path: "/var/run/docker.sock"
- type: Directory
diff --git a/test/testdata/kubernetes/KSV008/allowed.yaml b/test/testdata/kubernetes/KSV008/allowed.yaml
deleted file mode 100644
index 6dd4513d..00000000
--- a/test/testdata/kubernetes/KSV008/allowed.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-ipc
-spec:
- hostIPC: false
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
diff --git a/test/testdata/kubernetes/KSV008/denied.yaml b/test/testdata/kubernetes/KSV008/denied.yaml
deleted file mode 100644
index 826f58a6..00000000
--- a/test/testdata/kubernetes/KSV008/denied.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-ipc
-spec:
- hostIPC: true
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
diff --git a/test/testdata/kubernetes/KSV009/allowed.yaml b/test/testdata/kubernetes/KSV009/allowed.yaml
deleted file mode 100644
index 61d615b1..00000000
--- a/test/testdata/kubernetes/KSV009/allowed.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-host-network
-spec:
- hostNetwork: false
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
\ No newline at end of file
diff --git a/test/testdata/kubernetes/KSV009/denied.yaml b/test/testdata/kubernetes/KSV009/denied.yaml
deleted file mode 100644
index 2b862ca5..00000000
--- a/test/testdata/kubernetes/KSV009/denied.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-host-network
-spec:
- hostNetwork: true
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
\ No newline at end of file
diff --git a/test/testdata/kubernetes/KSV010/allowed.yaml b/test/testdata/kubernetes/KSV010/allowed.yaml
deleted file mode 100644
index b215b5c7..00000000
--- a/test/testdata/kubernetes/KSV010/allowed.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-host-network
-spec:
- hostPID: false
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
\ No newline at end of file
diff --git a/test/testdata/kubernetes/KSV010/denied.yaml b/test/testdata/kubernetes/KSV010/denied.yaml
deleted file mode 100644
index 69acff1a..00000000
--- a/test/testdata/kubernetes/KSV010/denied.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-host-network
-spec:
- hostPID: true
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
\ No newline at end of file
diff --git a/test/testdata/kubernetes/KSV011/allowed.yaml b/test/testdata/kubernetes/KSV011/allowed.yaml
deleted file mode 100644
index f271ed67..00000000
--- a/test/testdata/kubernetes/KSV011/allowed.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-cpu-limit
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
- resources:
- limits:
- cpu: 500m
diff --git a/test/testdata/kubernetes/KSV011/denied.yaml b/test/testdata/kubernetes/KSV011/denied.yaml
deleted file mode 100644
index 71287dea..00000000
--- a/test/testdata/kubernetes/KSV011/denied.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-cpu-limit
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
diff --git a/test/testdata/kubernetes/KSV012/allowed.yaml b/test/testdata/kubernetes/KSV012/allowed.yaml
deleted file mode 100644
index 0811a40e..00000000
--- a/test/testdata/kubernetes/KSV012/allowed.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-cpu-limit
-spec:
- containers:
- - command: ["sh", "-c", "echo 'Hello' && sleep 1h"]
- image: busybox
- name: hello
- securityContext:
- runAsNonRoot: true
diff --git a/test/testdata/kubernetes/KSV012/denied.yaml b/test/testdata/kubernetes/KSV012/denied.yaml
deleted file mode 100644
index 07754a35..00000000
--- a/test/testdata/kubernetes/KSV012/denied.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-cpu-limit
-spec:
- containers:
- - command: ["sh", "-c", "echo 'Hello' && sleep 1h"]
- image: busybox
- name: hello
diff --git a/test/testdata/kubernetes/KSV013/allowed.yaml b/test/testdata/kubernetes/KSV013/allowed.yaml
deleted file mode 100644
index f46dae03..00000000
--- a/test/testdata/kubernetes/KSV013/allowed.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-tag
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox:1.33.1
- name: hello
diff --git a/test/testdata/kubernetes/KSV013/denied.yaml b/test/testdata/kubernetes/KSV013/denied.yaml
deleted file mode 100644
index d6fd1939..00000000
--- a/test/testdata/kubernetes/KSV013/denied.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-tag
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox:latest
- name: hello
diff --git a/test/testdata/kubernetes/KSV014/allowed.yaml b/test/testdata/kubernetes/KSV014/allowed.yaml
deleted file mode 100644
index 0ff96a44..00000000
--- a/test/testdata/kubernetes/KSV014/allowed.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-fs-not-readonly
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
- securityContext:
- readOnlyRootFilesystem: true
diff --git a/test/testdata/kubernetes/KSV014/denied.yaml b/test/testdata/kubernetes/KSV014/denied.yaml
deleted file mode 100644
index c15b769f..00000000
--- a/test/testdata/kubernetes/KSV014/denied.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-fs-not-readonly
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
- securityContext:
- readOnlyRootFilesystem: false
diff --git a/test/testdata/kubernetes/KSV015/allowed.yaml b/test/testdata/kubernetes/KSV015/allowed.yaml
deleted file mode 100644
index fd552363..00000000
--- a/test/testdata/kubernetes/KSV015/allowed.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-cpu-limit
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
- resources:
- requests:
- cpu: 250m
diff --git a/test/testdata/kubernetes/KSV015/denied.yaml b/test/testdata/kubernetes/KSV015/denied.yaml
deleted file mode 100644
index 71287dea..00000000
--- a/test/testdata/kubernetes/KSV015/denied.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-cpu-limit
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
diff --git a/test/testdata/kubernetes/KSV016/allowed.yaml b/test/testdata/kubernetes/KSV016/allowed.yaml
deleted file mode 100644
index c43f990f..00000000
--- a/test/testdata/kubernetes/KSV016/allowed.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-cpu-limit
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
- resources:
- requests:
- memory: 64Mi
diff --git a/test/testdata/kubernetes/KSV016/denied.yaml b/test/testdata/kubernetes/KSV016/denied.yaml
deleted file mode 100644
index 71287dea..00000000
--- a/test/testdata/kubernetes/KSV016/denied.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-cpu-limit
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
diff --git a/test/testdata/kubernetes/KSV017/allowed.yaml b/test/testdata/kubernetes/KSV017/allowed.yaml
deleted file mode 100644
index b608e5c7..00000000
--- a/test/testdata/kubernetes/KSV017/allowed.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-privileged
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
diff --git a/test/testdata/kubernetes/KSV017/denied.yaml b/test/testdata/kubernetes/KSV017/denied.yaml
deleted file mode 100644
index 620f6497..00000000
--- a/test/testdata/kubernetes/KSV017/denied.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-privileged
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
- securityContext:
- privileged: true
diff --git a/test/testdata/kubernetes/KSV018/allowed.yaml b/test/testdata/kubernetes/KSV018/allowed.yaml
deleted file mode 100644
index eb00e56e..00000000
--- a/test/testdata/kubernetes/KSV018/allowed.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-cpu-limit
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
- resources:
- limits:
- memory: 128Mi
diff --git a/test/testdata/kubernetes/KSV018/denied.yaml b/test/testdata/kubernetes/KSV018/denied.yaml
deleted file mode 100644
index 6bf001e3..00000000
--- a/test/testdata/kubernetes/KSV018/denied.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-cpu-limit
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
-
diff --git a/test/testdata/kubernetes/KSV020/allowed.yaml b/test/testdata/kubernetes/KSV020/allowed.yaml
deleted file mode 100644
index 36f7916b..00000000
--- a/test/testdata/kubernetes/KSV020/allowed.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-gid
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
- securityContext:
- runAsUser: 10004
diff --git a/test/testdata/kubernetes/KSV020/denied.yaml b/test/testdata/kubernetes/KSV020/denied.yaml
deleted file mode 100644
index e9dbef33..00000000
--- a/test/testdata/kubernetes/KSV020/denied.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-gid
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
diff --git a/test/testdata/kubernetes/KSV021/allowed.yaml b/test/testdata/kubernetes/KSV021/allowed.yaml
deleted file mode 100644
index f176cb07..00000000
--- a/test/testdata/kubernetes/KSV021/allowed.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-gid
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
- securityContext:
- runAsGroup: 10004
diff --git a/test/testdata/kubernetes/KSV021/denied.yaml b/test/testdata/kubernetes/KSV021/denied.yaml
deleted file mode 100644
index e9dbef33..00000000
--- a/test/testdata/kubernetes/KSV021/denied.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-gid
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
diff --git a/test/testdata/kubernetes/KSV022/allowed.yaml b/test/testdata/kubernetes/KSV022/allowed.yaml
deleted file mode 100644
index 1e4b014e..00000000
--- a/test/testdata/kubernetes/KSV022/allowed.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-add-capabilities
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
diff --git a/test/testdata/kubernetes/KSV022/denied.yaml b/test/testdata/kubernetes/KSV022/denied.yaml
deleted file mode 100644
index 3e5b7aec..00000000
--- a/test/testdata/kubernetes/KSV022/denied.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-add-capabilities
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
- securityContext:
- capabilities:
- add:
- - NET_BIND_SERVICE
\ No newline at end of file
diff --git a/test/testdata/kubernetes/KSV023/allowed.yaml b/test/testdata/kubernetes/KSV023/allowed.yaml
deleted file mode 100644
index 8c198274..00000000
--- a/test/testdata/kubernetes/KSV023/allowed.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-host-path
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
diff --git a/test/testdata/kubernetes/KSV023/denied.yaml b/test/testdata/kubernetes/KSV023/denied.yaml
deleted file mode 100644
index da474eb9..00000000
--- a/test/testdata/kubernetes/KSV023/denied.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-host-path
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
- volumes:
- - hostPath:
- path: "/sys"
- type: ''
diff --git a/test/testdata/kubernetes/KSV024/allowed.yaml b/test/testdata/kubernetes/KSV024/allowed.yaml
deleted file mode 100644
index 24b1c975..00000000
--- a/test/testdata/kubernetes/KSV024/allowed.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-host-ports
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
\ No newline at end of file
diff --git a/test/testdata/kubernetes/KSV024/denied.yaml b/test/testdata/kubernetes/KSV024/denied.yaml
deleted file mode 100644
index f23d66ed..00000000
--- a/test/testdata/kubernetes/KSV024/denied.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-host-ports
-spec:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
- ports:
- - hostPort: 8080
\ No newline at end of file
diff --git a/test/testdata/kubernetes/KSV025/allowed.yaml b/test/testdata/kubernetes/KSV025/allowed.yaml
deleted file mode 100644
index 508ad7b2..00000000
--- a/test/testdata/kubernetes/KSV025/allowed.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-selinux
-spec:
- securityContext:
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
\ No newline at end of file
diff --git a/test/testdata/kubernetes/KSV025/denied.yaml b/test/testdata/kubernetes/KSV025/denied.yaml
deleted file mode 100644
index 9fbaa41d..00000000
--- a/test/testdata/kubernetes/KSV025/denied.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: hello-selinux
-spec:
- securityContext:
- seLinuxOptions:
- type: custom
- containers:
- - command:
- sh
- "-c"
- echo 'Hello' && sleep 1h
- image: busybox
- name: hello
\ No newline at end of file
diff --git a/test/testdata/kubernetes/KSV026/allowed.yaml b/test/testdata/kubernetes/KSV026/allowed.yaml
deleted file mode 100644
index 9ff2d7bc..00000000
--- a/test/testdata/kubernetes/KSV026/allowed.yaml
+++ /dev/null
@@ -1,17 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-sysctls -spec: - securityContext: - sysctls: - - name: kernel.shm_rmid_forced - value: '0' - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV026/denied.yaml b/test/testdata/kubernetes/KSV026/denied.yaml deleted file mode 100644 index 69eed5d6..00000000 --- a/test/testdata/kubernetes/KSV026/denied.yaml +++ /dev/null @@ -1,19 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-sysctls -spec: - securityContext: - sysctls: - - name: net.core.somaxconn - value: '1024' - - name: kernel.msgmax - value: '65536' - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV027/allowed.yaml b/test/testdata/kubernetes/KSV027/allowed.yaml deleted file mode 100644 index 40b8c24a..00000000 --- a/test/testdata/kubernetes/KSV027/allowed.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-proc-mount -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - ports: - - hostPort: 8080 diff --git a/test/testdata/kubernetes/KSV027/denied.yaml b/test/testdata/kubernetes/KSV027/denied.yaml deleted file mode 100644 index 40354e4e..00000000 --- a/test/testdata/kubernetes/KSV027/denied.yaml +++ /dev/null @@ -1,17 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-proc-mount -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - ports: - - hostPort: 8080 - securityContext: - procMount: Unmasked diff --git a/test/testdata/kubernetes/KSV028/allowed.yaml b/test/testdata/kubernetes/KSV028/allowed.yaml deleted file mode 100644 index a2f93da0..00000000 --- a/test/testdata/kubernetes/KSV028/allowed.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-volume-types -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - volumes: - - name: volume-a diff --git a/test/testdata/kubernetes/KSV028/denied.yaml b/test/testdata/kubernetes/KSV028/denied.yaml deleted file mode 100644 index 57fc35cf..00000000 --- a/test/testdata/kubernetes/KSV028/denied.yaml +++ /dev/null @@ -1,24 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-volume-types -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - volumes: - - name: volume-a - scaleIO: - gateway: https://localhost:443/api - system: scaleio - protectionDomain: sd0 - storagePool: sp1 - volumeName: vol-a - secretRef: - name: sio-secret - fsType: xfs diff --git a/test/testdata/kubernetes/KSV030/allowed.yaml b/test/testdata/kubernetes/KSV030/allowed.yaml deleted file mode 100644 index 48b8c1d4..00000000 --- a/test/testdata/kubernetes/KSV030/allowed.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] - image: busybox - name: hello - securityContext: - seccompProfile: - type: RuntimeDefault - localhostProfile: profiles/audit.json \ No newline at end of file diff --git a/test/testdata/kubernetes/KSV030/denied.yaml b/test/testdata/kubernetes/KSV030/denied.yaml deleted file mode 100644 index 45b3bd31..00000000 --- a/test/testdata/kubernetes/KSV030/denied.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] - image: busybox - name: hello - securityContext: - seccompProfile: - type: LocalPort - localhostProfile: profiles/audit.json \ No newline at end of file 
diff --git a/test/testdata/kubernetes/KSV036/allowed.yaml b/test/testdata/kubernetes/KSV036/allowed.yaml deleted file mode 100644 index 42a9ded8..00000000 --- a/test/testdata/kubernetes/KSV036/allowed.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: mypod - namespace: test - labels: - name: mypod -spec: - containers: - - name: mypod - image: nginx - diff --git a/test/testdata/kubernetes/KSV036/denied.yaml b/test/testdata/kubernetes/KSV036/denied.yaml deleted file mode 100644 index e69de29b..00000000 diff --git a/test/testdata/kubernetes/KSV037/allowed.yaml b/test/testdata/kubernetes/KSV037/allowed.yaml deleted file mode 100644 index 99c22f0a..00000000 --- a/test/testdata/kubernetes/KSV037/allowed.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: mypod - namespace: test - labels: - name: mypod -spec: - automountServiceAccountToken: true - containers: - - name: mypod - image: nginx - diff --git a/test/testdata/kubernetes/KSV037/denied.yaml b/test/testdata/kubernetes/KSV037/denied.yaml deleted file mode 100644 index c42d41e0..00000000 --- a/test/testdata/kubernetes/KSV037/denied.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: mypod - namespace: kube-system - labels: - name: mypod -spec: - containers: - - name: mypod - image: nginx - diff --git a/test/testdata/kubernetes/KSV038/allowed.yaml b/test/testdata/kubernetes/KSV038/allowed.yaml deleted file mode 100644 index ccdac794..00000000 --- a/test/testdata/kubernetes/KSV038/allowed.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: NetworkPolicy -metadata: - name: hello-cpu-limit -spec: - podSelector: - matchLabels: - role: db diff --git a/test/testdata/kubernetes/KSV038/denied.yaml b/test/testdata/kubernetes/KSV038/denied.yaml deleted file mode 100644 index ed554dac..00000000 --- a/test/testdata/kubernetes/KSV038/denied.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ -apiVersion: v1 -kind: NetworkPolicy -metadata: - name: hello-cpu-limit -spec: - something: true diff --git a/test/testdata/kubernetes/KSV102/allowed.yaml b/test/testdata/kubernetes/KSV102/allowed.yaml deleted file mode 100644 index 3b6b9f49..00000000 --- a/test/testdata/kubernetes/KSV102/allowed.yaml +++ /dev/null @@ -1,24 +0,0 @@ ---- -apiVersion: apps/v1beta2 -kind: Deployment -metadata: - name: Onga -spec: - template: - spec: - containers: - - name: carts-db - image: mongo - securityContext: - runAsNonRoot: true - allowPrivilegeEscalation: true - initContainers: - - name: init-svc - image: busybox:1.28 - securityContext: - allowPrivilegeEscalation: false - metadata: - name: None - labels: - app: example - tier: backend diff --git a/test/testdata/kubernetes/KSV102/denied.yaml b/test/testdata/kubernetes/KSV102/denied.yaml deleted file mode 100644 index c760bc68..00000000 --- a/test/testdata/kubernetes/KSV102/denied.yaml +++ /dev/null @@ -1,19 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mongo-deployment -spec: - template: - spec: - containers: - - name: carts-db - image: tiller - securityContext: - runAsNonRoot: true - allowPrivilegeEscalation: true - initContainers: - - name: init-svc - image: busybox:1.28 - securityContext: - allowPrivilegeEscalation: false diff --git a/test/testdata/kubernetes/optional/KSV004/allowed.yaml b/test/testdata/kubernetes/optional/KSV004/allowed.yaml deleted file mode 100644 index 3622b1bf..00000000 --- a/test/testdata/kubernetes/optional/KSV004/allowed.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] - image: busybox - name: hello - securityContext: - capabilities: - drop: - - all diff --git a/test/testdata/kubernetes/optional/KSV004/denied.yaml b/test/testdata/kubernetes/optional/KSV004/denied.yaml deleted file mode 100644 index dc02a266..00000000 
--- a/test/testdata/kubernetes/optional/KSV004/denied.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] - image: busybox - name: hello - securityContext: - capabilities: diff --git a/test/testdata/kubernetes/optional/KSV007/allowed.yaml b/test/testdata/kubernetes/optional/KSV007/allowed.yaml deleted file mode 100644 index 86b25607..00000000 --- a/test/testdata/kubernetes/optional/KSV007/allowed.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: diff --git a/test/testdata/kubernetes/optional/KSV007/denied.yaml b/test/testdata/kubernetes/optional/KSV007/denied.yaml deleted file mode 100644 index a9480234..00000000 --- a/test/testdata/kubernetes/optional/KSV007/denied.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - hostAliases: - - ip: "127.0.0.1" - hostnames: - - "foo.local" - - "bar.local" diff --git a/test/testdata/kubernetes/optional/KSV032/allowed.yaml b/test/testdata/kubernetes/optional/KSV032/allowed.yaml deleted file mode 100644 index 5809dcb0..00000000 --- a/test/testdata/kubernetes/optional/KSV032/allowed.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - name: hello - image: azurecr.io/something diff --git a/test/testdata/kubernetes/optional/KSV032/denied.yaml b/test/testdata/kubernetes/optional/KSV032/denied.yaml deleted file mode 100644 index 0d9857ca..00000000 --- a/test/testdata/kubernetes/optional/KSV032/denied.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - name: hello - image: blah/something diff --git a/test/testdata/kubernetes/optional/KSV033/allowed.yaml b/test/testdata/kubernetes/optional/KSV033/allowed.yaml deleted file mode 100644 index 4c8bfa57..00000000 
--- a/test/testdata/kubernetes/optional/KSV033/allowed.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - name: hello - image: gcr.io/something diff --git a/test/testdata/kubernetes/optional/KSV033/denied.yaml b/test/testdata/kubernetes/optional/KSV033/denied.yaml deleted file mode 100644 index 0d9857ca..00000000 --- a/test/testdata/kubernetes/optional/KSV033/denied.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - name: hello - image: blah/something diff --git a/test/testdata/kubernetes/optional/KSV034/allowed.yaml b/test/testdata/kubernetes/optional/KSV034/allowed.yaml deleted file mode 100644 index 5809dcb0..00000000 --- a/test/testdata/kubernetes/optional/KSV034/allowed.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - name: hello - image: azurecr.io/something diff --git a/test/testdata/kubernetes/optional/KSV034/denied.yaml b/test/testdata/kubernetes/optional/KSV034/denied.yaml deleted file mode 100644 index b7f7eef0..00000000 --- a/test/testdata/kubernetes/optional/KSV034/denied.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - name: hello - image: ghcr.io/something diff --git a/test/testdata/kubernetes/optional/KSV035/allowed.yaml b/test/testdata/kubernetes/optional/KSV035/allowed.yaml deleted file mode 100644 index feaa3199..00000000 --- a/test/testdata/kubernetes/optional/KSV035/allowed.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - name: hello - image: ecr.us-east-2.amazonaws.com/something diff --git a/test/testdata/kubernetes/optional/KSV035/denied.yaml b/test/testdata/kubernetes/optional/KSV035/denied.yaml deleted file mode 100644 index 0d9857ca..00000000 
--- a/test/testdata/kubernetes/optional/KSV035/denied.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - name: hello - image: blah/something diff --git a/test/testdata/kubernetes/optional/KSV039/allowed.yaml b/test/testdata/kubernetes/optional/KSV039/allowed.yaml deleted file mode 100644 index 7844f5db..00000000 --- a/test/testdata/kubernetes/optional/KSV039/allowed.yaml +++ /dev/null @@ -1,35 +0,0 @@ ---- -apiVersion: v1 -kind: LimitRange -metadata: - name: core-resource-limits -spec: - limits: - - type: Pod - default: - cpu: '2' - memory: 1Gi - defaultRequest: - cpu: '2' - memory: 1Gi - max: - cpu: '2' - memory: 1Gi - min: - cpu: 200m - memory: 6Mi - - type: Container - max: - cpu: '2' - memory: 1Gi - min: - cpu: 100m - memory: 4Mi - default: - cpu: 300m - memory: 200Mi - defaultRequest: - cpu: 200m - memory: 100Mi - maxLimitRequestRatio: - cpu: '10' \ No newline at end of file diff --git a/test/testdata/kubernetes/optional/KSV039/denied.yaml b/test/testdata/kubernetes/optional/KSV039/denied.yaml deleted file mode 100644 index b53d2971..00000000 --- a/test/testdata/kubernetes/optional/KSV039/denied.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: LimitRange -metadata: - name: cpu-limit-range -spec: - limits: - - default: - cpu: 1 - defaultRequest: - cpu: 0.5 - type: Container diff --git a/test/testdata/kubernetes/optional/KSV040/allowed.yaml b/test/testdata/kubernetes/optional/KSV040/allowed.yaml deleted file mode 100644 index cf9bbf2d..00000000 --- a/test/testdata/kubernetes/optional/KSV040/allowed.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -apiVersion: v1 -kind: ResourceQuota -metadata: - name: mem-cpu-demo -spec: - hard: - requests.cpu: '1' - requests.memory: 1Gi - limits.cpu: '2' - limits.memory: 2Gi diff --git a/test/testdata/kubernetes/optional/KSV040/denied.yaml b/test/testdata/kubernetes/optional/KSV040/denied.yaml deleted file mode 100644 index b73d6e67..00000000 
--- a/test/testdata/kubernetes/optional/KSV040/denied.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: v1 -kind: ResourceQuota -metadata: - name: mem-cpu-demo -spec: - hard: - requests.cpu: '1' - requests.memory: 1Gi - limits.cpu: '2'