diff --git a/checks/docker/add_instead_of_copy.rego b/checks/docker/add_instead_of_copy.rego index 7e9d135c..b5bd9795 100644 --- a/checks/docker/add_instead_of_copy.rego +++ b/checks/docker/add_instead_of_copy.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/add_instead_of_copy.yaml package builtin.dockerfile.DS005 import data.lib.docker diff --git a/checks/docker/add_instead_of_copy.yaml b/checks/docker/add_instead_of_copy.yaml new file mode 100644 index 00000000..adab27b6 --- /dev/null +++ b/checks/docker/add_instead_of_copy.yaml @@ -0,0 +1,12 @@ +dockerfile: + good: + - |- + FROM alpine:3.13 + USER mike + ADD "/target/resources.tar.gz" "resources" + bad: + - |- + FROM alpine:3.13 + USER mike + ADD "/target/resources.tar.gz" "resources.jar" + ADD "/target/app.jar" "app.jar" diff --git a/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.rego b/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.rego index 7645f11a..d3b317c9 100644 --- a/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.rego +++ b/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.rego @@ -16,6 +16,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.yaml package builtin.dockerfile.DS021 import data.lib.docker diff --git a/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.yaml b/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.yaml new file mode 100644 index 00000000..f49d6a45 --- /dev/null +++ b/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.yaml @@ -0,0 +1,11 @@ +dockerfile: + good: + - |- + FROM node:12 + USER mike + RUN apt-get -fmy install apt-utils && apt-get clean + bad: + - |- + FROM node:12 + USER mike + RUN apt-get install apt-utils && apt-get clean 
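Review bot: The good example never shows the remediation DS005 asks for — it keeps only the permitted tar-extraction `ADD "/target/resources.tar.gz" "resources"`, so a reader (and the fixture) never sees a plain file being brought in with COPY. Add `COPY "/target/app.jar" "app.jar"` to the good entry so the allowed ADD and the replacement COPY sit side by side and the fixture proves a COPY is not flagged. If the rule also treats ADD of a remote URL as a finding (it fetches without any checksum verification), a bad entry in that form would be worth adding, but the rule body is not in this diff.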
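Review bot: The good example's `RUN apt-get -fmy install apt-utils` models two flags a hardening example should not: `-m` (`--ignore-missing`) lets the install continue when a package cannot be fetched, silently producing an image without what it claims to contain, and `-f` is a repair option rather than a non-interactive one. Since DS021 is only about the assume-yes flag, `RUN apt-get -y install apt-utils && apt-get clean` is the clearer canonical good entry; the combined-flag form can stay as a second good entry if `-fmy` is meant to exercise short-option parsing.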
diff --git a/checks/docker/copy_from_references_current_from_alias.rego b/checks/docker/copy_from_references_current_from_alias.rego index c80f444d..d442ed52 100644 --- a/checks/docker/copy_from_references_current_from_alias.rego +++ b/checks/docker/copy_from_references_current_from_alias.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/copy_from_references_current_from_alias.yaml package builtin.dockerfile.DS006 import data.lib.docker diff --git a/checks/docker/copy_from_references_current_from_alias.yaml b/checks/docker/copy_from_references_current_from_alias.yaml new file mode 100644 index 00000000..78a25bc5 --- /dev/null +++ b/checks/docker/copy_from_references_current_from_alias.yaml @@ -0,0 +1,17 @@ +dockerfile: + good: + - |- + FROM golang:1.7.3 as dep + COPY /binary / + + FROM alpine:3.13 + USER mike + ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] + bad: + - |- + FROM golang:1.7.3 as dep + COPY --from=dep /binary / + + FROM alpine:3.13 + USER mike + ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] diff --git a/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.rego b/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.rego index 50dca814..5f1956fd 100644 --- a/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.rego +++ b/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.yaml package builtin.dockerfile.DS011 import data.lib.docker diff --git a/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.yaml b/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.yaml new file mode 100644 index 00000000..9833de32 --- /dev/null +++ b/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.yaml 
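Review bot: The good example leaves the `dep` alias unused, so the fixture never demonstrates the legitimate form DS006 must accept — a later stage copying from an earlier one. Change the second stage to something like `COPY --from=dep /binary /opt/app/` so the good entry proves a valid cross-stage reference is not reported, while the bad entry keeps the self-referencing `COPY --from=dep` inside the `dep` stage itself. As written, a regression that flags every `--from` would still pass this fixture.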
@@ -0,0 +1,11 @@ +dockerfile: + good: + - |- + FROM alpine:3.13 + USER mike + COPY ["package.json", "yarn.lock", "myapp/"] + bad: + - |- + FROM alpine:3.13 + USER mike + COPY ["package.json", "yarn.lock", "myapp"] diff --git a/checks/docker/latest_tag.rego b/checks/docker/latest_tag.rego index 3aff03d6..a605eae7 100644 --- a/checks/docker/latest_tag.rego +++ b/checks/docker/latest_tag.rego @@ -13,6 +13,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/latest_tag.yaml package builtin.dockerfile.DS001 import data.lib.docker diff --git a/checks/docker/latest_tag.yaml b/checks/docker/latest_tag.yaml new file mode 100644 index 00000000..af254a3c --- /dev/null +++ b/checks/docker/latest_tag.yaml @@ -0,0 +1,11 @@ +dockerfile: + good: + - |- + FROM debian:9 + RUN apt-get update && apt-get -y install vim && apt-get clean + USER foo + bad: + - |- + FROM debian:latest + RUN apt-get update && apt-get -y install vim && apt-get clean + USER foo diff --git a/checks/docker/maintainer_is_deprecated.rego b/checks/docker/maintainer_is_deprecated.rego index 762f05fc..095892ef 100644 --- a/checks/docker/maintainer_is_deprecated.rego +++ b/checks/docker/maintainer_is_deprecated.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/maintainer_is_deprecated.yaml package builtin.dockerfile.DS022 import data.lib.docker diff --git a/checks/docker/maintainer_is_deprecated.yaml b/checks/docker/maintainer_is_deprecated.yaml new file mode 100644 index 00000000..4b1dcc35 --- /dev/null +++ b/checks/docker/maintainer_is_deprecated.yaml @@ -0,0 +1,10 @@ +dockerfile: + good: + - |- + FROM busybox:1.33.1 + USER mike + bad: + - |- + FROM busybox:1.33.1 + USER mike + MAINTAINER Lukas Martinelli diff --git a/checks/docker/missing_dnf_clean_all.rego b/checks/docker/missing_dnf_clean_all.rego index 182c6806..268e3e08 100644 --- a/checks/docker/missing_dnf_clean_all.rego +++ b/checks/docker/missing_dnf_clean_all.rego 
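Review bot: The latest_tag good example pins only to the mutable `debian:9` tag; a tag can be re-pointed upstream, so the stronger remediation is a digest-pinned reference of the form `image:tag@sha256:<digest>`. A second good entry in that form would document the recommended fix and confirm DS001 accepts a digest-pinned FROM. An untagged `FROM debian` (implicit `latest`) is also worth a second bad entry if the check treats it as latest, which the rule body in this diff does not show.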
@@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/missing_dnf_clean_all.yaml package builtin.dockerfile.DS019 import data.lib.docker diff --git a/checks/docker/missing_dnf_clean_all.yaml b/checks/docker/missing_dnf_clean_all.yaml new file mode 100644 index 00000000..a62fd7b2 --- /dev/null +++ b/checks/docker/missing_dnf_clean_all.yaml @@ -0,0 +1,13 @@ +dockerfile: + good: + - |- + FROM fedora:27 + USER mike + RUN set -uex && dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && sed -i 's/\\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && dnf install -vy docker-ce && dnf clean all + HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1 + bad: + - |- + FROM fedora:27 + USER mike + RUN set -uex && dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && sed -i 's/\\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && dnf install -vy docker-ce + HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1 diff --git a/checks/docker/missing_zypper_clean.rego b/checks/docker/missing_zypper_clean.rego index 657f2004..b6ebd41d 100644 --- a/checks/docker/missing_zypper_clean.rego +++ b/checks/docker/missing_zypper_clean.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/missing_zypper_clean.yaml package builtin.dockerfile.DS020 import data.lib.docker diff --git a/checks/docker/missing_zypper_clean.yaml b/checks/docker/missing_zypper_clean.yaml new file mode 100644 index 00000000..73d5f292 --- /dev/null +++ b/checks/docker/missing_zypper_clean.yaml 
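Review bot: Both missing_dnf_clean_all examples carry `sed -i 's/\\$releasever/26/g'` with a doubled backslash; inside a YAML literal block that is taken verbatim, and single quotes make the shell keep both characters too, so sed receives a pattern for a literal backslash followed by `$releasever`, which does not match the `$releasever` token the repo file contains. This looks like an escape carried over from a Rego or JSON string literal; in the YAML fixture it should read `sed -i 's/\$releasever/26/g'`. It does not change what DS019 detects, but a fixture presented as a working Dockerfile should be one.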
@@ -0,0 +1,15 @@ +dockerfile: + good: + - |- + FROM alpine:3.5 + RUN zypper install bash && zypper clean + RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt + USER mike + CMD python /usr/src/app/app.py + bad: + - |- + FROM alpine:3.5 + RUN zypper install bash + RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt + USER mike + CMD python /usr/src/app/app.py diff --git a/checks/docker/multiple_cmd_instructions_listed.rego b/checks/docker/multiple_cmd_instructions_listed.rego index 2712590f..b81e5a81 100644 --- a/checks/docker/multiple_cmd_instructions_listed.rego +++ b/checks/docker/multiple_cmd_instructions_listed.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/multiple_cmd_instructions_listed.yaml package builtin.dockerfile.DS016 import data.lib.docker diff --git a/checks/docker/multiple_cmd_instructions_listed.yaml b/checks/docker/multiple_cmd_instructions_listed.yaml new file mode 100644 index 00000000..2447b40e --- /dev/null +++ b/checks/docker/multiple_cmd_instructions_listed.yaml @@ -0,0 +1,16 @@ +dockerfile: + good: + - |- + FROM golang:1.7.3 + USER mike + CMD ./apps + FROM alpine:3.13 + CMD ./app + bad: + - |- + FROM golang:1.7.3 + USER mike + CMD ./app + CMD ./apps + FROM alpine:3.13 + CMD ./app diff --git a/checks/docker/multiple_entrypoint_instructions_listed.rego b/checks/docker/multiple_entrypoint_instructions_listed.rego index 89783d3d..979fc43f 100644 --- a/checks/docker/multiple_entrypoint_instructions_listed.rego +++ b/checks/docker/multiple_entrypoint_instructions_listed.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/multiple_entrypoint_instructions_listed.yaml package builtin.dockerfile.DS007 import data.lib.docker diff --git a/checks/docker/multiple_entrypoint_instructions_listed.yaml b/checks/docker/multiple_entrypoint_instructions_listed.yaml new file mode 100644 index 00000000..e8f5e665 --- /dev/null 
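Review bot: The missing_zypper_clean fixture pairs `zypper` with `FROM alpine:3.5`, an image that ships neither zypper nor pip and an end-of-life tag besides; as the canonical example for DS020 it should be built on a SUSE-based image where `zypper install bash && zypper clean` is a real remediation. `zypper install` also prompts without `-n`/`--non-interactive`, so a non-interactive good entry would read `RUN zypper -n install bash && zypper clean`, mirroring the `-y` the apt fixtures in this diff use. The bad entry otherwise differs from the good one only in the missing `zypper clean`, which is the right minimal-diff shape.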
+++ b/checks/docker/multiple_entrypoint_instructions_listed.yaml @@ -0,0 +1,19 @@ +dockerfile: + good: + - |- + FROM golang:1.7.3 as dep + COPY /binary / + + FROM alpine:3.13 + USER mike + ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] + bad: + - |- + FROM golang:1.7.3 as dep + COPY dep /binary / + ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] + ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] + + FROM alpine:3.13 + USER mike + ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] diff --git a/checks/docker/multiple_healthcheck_instructions.rego b/checks/docker/multiple_healthcheck_instructions.rego index bb916d5c..ba9ea162 100644 --- a/checks/docker/multiple_healthcheck_instructions.rego +++ b/checks/docker/multiple_healthcheck_instructions.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/multiple_healthcheck_instructions.yaml package builtin.dockerfile.DS023 import data.lib.docker diff --git a/checks/docker/multiple_healthcheck_instructions.yaml b/checks/docker/multiple_healthcheck_instructions.yaml new file mode 100644 index 00000000..978f6ff6 --- /dev/null +++ b/checks/docker/multiple_healthcheck_instructions.yaml @@ -0,0 +1,20 @@ +dockerfile: + good: + - |- + FROM busybox:1.33.1 + HEALTHCHECK CMD /bin/healthcheck + + FROM alpine:3.13 + HEALTHCHECK CMD /bin/healthcheck + USER mike + CMD ./app + bad: + - |- + FROM busybox:1.33.1 + HEALTHCHECK CMD curl http://localhost:8080 + HEALTHCHECK CMD /bin/healthcheck + + FROM alpine:3.13 + HEALTHCHECK CMD /bin/healthcheck + USER mike + CMD ./app diff --git a/checks/docker/port22.rego b/checks/docker/port22.rego index 106866ac..46a9d7e8 100644 --- a/checks/docker/port22.rego +++ b/checks/docker/port22.rego @@ -13,6 +13,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/port22.yaml package builtin.dockerfile.DS004 import data.lib.docker diff --git a/checks/docker/port22.yaml b/checks/docker/port22.yaml new file mode 100644 index 00000000..14fdd880 --- /dev/null 
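Review bot: The multiple_entrypoint bad example differs from the good one in more than the duplicated ENTRYPOINT — its first stage has `COPY dep /binary /` instead of `COPY /binary /`, which reads like a mangled `COPY --from=dep` and turns the line into a three-argument COPY. Good and bad entries are only useful when they isolate the one property the check looks at, so keep `COPY /binary /` in the bad entry and let the two consecutive `ENTRYPOINT` lines be the sole difference.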
+++ b/checks/docker/port22.yaml @@ -0,0 +1,11 @@ +dockerfile: + good: + - |- + FROM alpine:3.13 + USER mike + EXPOSE 8080 + bad: + - |- + FROM alpine:3.13 + USER mike + EXPOSE 22 diff --git a/checks/docker/root_user.rego b/checks/docker/root_user.rego index 71eeb085..17156f34 100644 --- a/checks/docker/root_user.rego +++ b/checks/docker/root_user.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/root_user.yaml package builtin.dockerfile.DS002 import data.lib.docker diff --git a/checks/docker/root_user.yaml b/checks/docker/root_user.yaml new file mode 100644 index 00000000..92fa0ff2 --- /dev/null +++ b/checks/docker/root_user.yaml @@ -0,0 +1,10 @@ +dockerfile: + good: + - |- + FROM debian:9 + RUN apt-get update && apt-get -y install vim && apt-get clean + USER foo + bad: + - |- + FROM debian:9 + RUN apt-get update && apt-get -y install vim && apt-get clean diff --git a/checks/docker/run_apt_get_dist_upgrade.rego b/checks/docker/run_apt_get_dist_upgrade.rego index d92163f9..5bded83d 100644 --- a/checks/docker/run_apt_get_dist_upgrade.rego +++ b/checks/docker/run_apt_get_dist_upgrade.rego @@ -13,6 +13,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/run_apt_get_dist_upgrade.yaml package builtin.dockerfile.DS024 import data.lib.docker diff --git a/checks/docker/run_apt_get_dist_upgrade.yaml b/checks/docker/run_apt_get_dist_upgrade.yaml new file mode 100644 index 00000000..58b85c59 --- /dev/null +++ b/checks/docker/run_apt_get_dist_upgrade.yaml @@ -0,0 +1,13 @@ +dockerfile: + good: + - |- + FROM debian:9.13 + RUN apt-get update && apt-get install -y curl && apt-get clean + USER mike + CMD python /usr/src/app/app.py + bad: + - |- + FROM debian:9.13 + RUN apt-get update && apt-get dist-upgrade && apt-get -y install curl && apt-get clean + USER mike + CMD python /usr/src/app/app.py 
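Review bot: The root_user fixture covers only the implicit case (no USER at all); an explicit `USER root`, a numeric `USER 0`, and a Dockerfile that sets `USER foo` and later switches back with `USER root` are the forms most likely to slip past a check that only looks for the presence of a USER line. If DS002 handles them, add them as further bad entries; if it does not, that is the gap worth closing. The rule body is not in this diff, so this is a coverage question rather than a defect report.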
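Review bot: The run_apt_get_dist_upgrade bad example's `apt-get dist-upgrade` is missing `-y`, so it would also be reported by DS021 (apt-get without the assume-yes flag) and the fixture no longer isolates DS024. Use `apt-get -y dist-upgrade` in the bad entry so the only difference from the good entry is the presence of dist-upgrade. The good entry is fine as written.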
diff --git a/checks/docker/run_command_cd_instead_of_workdir.rego b/checks/docker/run_command_cd_instead_of_workdir.rego index e9012490..859f6b78 100644 --- a/checks/docker/run_command_cd_instead_of_workdir.rego +++ b/checks/docker/run_command_cd_instead_of_workdir.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/run_command_cd_instead_of_workdir.yaml package builtin.dockerfile.DS013 import data.lib.docker diff --git a/checks/docker/run_command_cd_instead_of_workdir.yaml b/checks/docker/run_command_cd_instead_of_workdir.yaml new file mode 100644 index 00000000..b96df1bc --- /dev/null +++ b/checks/docker/run_command_cd_instead_of_workdir.yaml @@ -0,0 +1,13 @@ +dockerfile: + good: + - |- + FROM nginx:2.2 + WORKDIR /usr/share/nginx/html + USER mike + CMD cd /usr/share/nginx/html && sed -e s/Docker/\"$AUTHOR\"/ Hello_docker.html > index.html ; nginx -g 'daemon off;' + bad: + - |- + FROM nginx:2.2 + RUN cd /usr/share/nginx/html + USER mike + CMD cd /usr/share/nginx/html && sed -e s/Docker/\"$AUTHOR\"/ Hello_docker.html > index.html ; nginx -g 'daemon off;' diff --git a/checks/docker/run_using_sudo.rego b/checks/docker/run_using_sudo.rego index d4710013..6ec882d1 100644 --- a/checks/docker/run_using_sudo.rego +++ b/checks/docker/run_using_sudo.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/run_using_sudo.yaml package builtin.dockerfile.DS010 import data.lib.docker diff --git a/checks/docker/run_using_sudo.yaml b/checks/docker/run_using_sudo.yaml new file mode 100644 index 00000000..01c45339 --- /dev/null +++ b/checks/docker/run_using_sudo.yaml @@ -0,0 +1,11 @@ +dockerfile: + good: + - |- + FROM alpine:3.13 + RUN pip install --upgrade pip + USER mike + bad: + - |- + FROM alpine:3.13 + RUN sudo pip install --upgrade pip + USER mike diff --git a/checks/docker/run_using_wget_and_curl.rego b/checks/docker/run_using_wget_and_curl.rego index 2838de9a..66e170ec 100644 
--- a/checks/docker/run_using_wget_and_curl.rego +++ b/checks/docker/run_using_wget_and_curl.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/run_using_wget_and_curl.yaml package builtin.dockerfile.DS014 import data.lib.docker diff --git a/checks/docker/run_using_wget_and_curl.yaml b/checks/docker/run_using_wget_and_curl.yaml new file mode 100644 index 00000000..50d317d2 --- /dev/null +++ b/checks/docker/run_using_wget_and_curl.yaml @@ -0,0 +1,19 @@ +dockerfile: + good: + - |- + FROM debian:stable-20210621 + RUN curl http://bing.com + RUN curl http://google.com + + FROM baseimage:1.0 + USER mike + RUN curl http://bing.com + bad: + - |- + FROM debian:stable-20210621 + RUN wget http://bing.com + RUN curl http://google.com + + FROM baseimage:1.0 + USER mike + RUN curl http://bing.com diff --git a/checks/docker/same_alias_in_different_froms.rego b/checks/docker/same_alias_in_different_froms.rego index a573dea8..1053cb00 100644 --- a/checks/docker/same_alias_in_different_froms.rego +++ b/checks/docker/same_alias_in_different_froms.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/same_alias_in_different_froms.yaml package builtin.dockerfile.DS012 import data.lib.docker diff --git a/checks/docker/same_alias_in_different_froms.yaml b/checks/docker/same_alias_in_different_froms.yaml new file mode 100644 index 00000000..2449c00f --- /dev/null +++ b/checks/docker/same_alias_in_different_froms.yaml @@ -0,0 +1,25 @@ +dockerfile: + good: + - |- + FROM baseImage:1.1 + RUN test + + FROM debian:jesse2 as build2 + USER mike + RUN stuff + + FROM debian:jesse1 as build1 + USER mike + RUN more_stuff + bad: + - |- + FROM baseImage:1.1 + RUN test + + FROM debian:jesse2 as build + USER mike + RUN stuff + + FROM debian:jesse1 as build + USER mike + RUN more_stuff diff --git a/checks/docker/unix_ports_out_of_range.rego b/checks/docker/unix_ports_out_of_range.rego index 0235406f..bc5da560 100644 
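Review bot: Every fetch in both run_using_wget_and_curl examples is cleartext (`curl http://bing.com`, `wget http://bing.com`, `curl http://google.com`); a good example in a security check should not model downloading over plain HTTP during a build, where an on-path attacker can substitute the payload. Switch the URLs to `https://` in both entries — DS014 is about mixing wget and curl, so the scheme is irrelevant to what it detects and the change keeps the fixture minimal.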
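Review bot: The same_alias_in_different_froms fixture uses `FROM baseImage:1.1`; Docker rejects repository names containing uppercase letters (`repository name must be lowercase`), so neither entry is a Dockerfile that builds. Since the Dockerfile parser itself does not validate references the check will still run, but a lowercase name such as `baseimage:1.1` (as the wget/curl fixture already uses) costs nothing. The bad entry otherwise isolates the duplicated `as build` alias correctly.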
--- a/checks/docker/unix_ports_out_of_range.rego +++ b/checks/docker/unix_ports_out_of_range.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/unix_ports_out_of_range.yaml package builtin.dockerfile.DS008 import data.lib.docker diff --git a/checks/docker/unix_ports_out_of_range.yaml b/checks/docker/unix_ports_out_of_range.yaml new file mode 100644 index 00000000..d6a20e25 --- /dev/null +++ b/checks/docker/unix_ports_out_of_range.yaml @@ -0,0 +1,11 @@ +dockerfile: + good: + - |- + FROM alpine:3.13 + USER mike + EXPOSE 65530 8080 + bad: + - |- + FROM alpine:3.13 + USER mike + EXPOSE 65536 8080 diff --git a/checks/docker/update_instruction_alone.rego b/checks/docker/update_instruction_alone.rego index fb59257b..1c0bac19 100644 --- a/checks/docker/update_instruction_alone.rego +++ b/checks/docker/update_instruction_alone.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/update_instruction_alone.yaml package builtin.dockerfile.DS017 import data.lib.docker diff --git a/checks/docker/update_instruction_alone.yaml b/checks/docker/update_instruction_alone.yaml new file mode 100644 index 00000000..60bed496 --- /dev/null +++ b/checks/docker/update_instruction_alone.yaml @@ -0,0 +1,14 @@ +dockerfile: + good: + - |- + FROM ubuntu:18.04 + RUN apt-get update && apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/* && apt-get clean + USER mike + ENTRYPOINT mysql + bad: + - |- + FROM ubuntu:18.04 + RUN apt-get update + RUN apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/* && apt-get clean + USER mike + ENTRYPOINT mysql diff --git a/checks/docker/workdir_path_not_absolute.rego b/checks/docker/workdir_path_not_absolute.rego index 4cabe688..83ac2ff4 100644 --- a/checks/docker/workdir_path_not_absolute.rego +++ b/checks/docker/workdir_path_not_absolute.rego 
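Review bot: The unix_ports_out_of_range fixture tests 65530 and 65536 but not the boundary itself; a good entry with `EXPOSE 65535 8080` would pin the edge where a `>` versus `>=` mistake in DS008 would hide. Whether the check also parses the `port/proto` and range forms EXPOSE accepts is not visible here, but `EXPOSE 65536/tcp` as a second bad entry would settle it if it does.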
@@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/workdir_path_not_absolute.yaml package builtin.dockerfile.DS009 import data.lib.docker diff --git a/checks/docker/workdir_path_not_absolute.yaml b/checks/docker/workdir_path_not_absolute.yaml new file mode 100644 index 00000000..29f663fe --- /dev/null +++ b/checks/docker/workdir_path_not_absolute.yaml @@ -0,0 +1,11 @@ +dockerfile: + good: + - |- + FROM alpine:3.13 + USER mike + WORKDIR /path/to/workdir + bad: + - |- + FROM alpine:3.13 + USER mike + WORKDIR path/to/workdir diff --git a/checks/docker/yum_clean_all_missing.rego b/checks/docker/yum_clean_all_missing.rego index fbe5937a..e272f719 100644 --- a/checks/docker/yum_clean_all_missing.rego +++ b/checks/docker/yum_clean_all_missing.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: dockerfile +# examples: checks/docker/yum_clean_all_missing.yaml package builtin.dockerfile.DS015 import future.keywords.in diff --git a/checks/docker/yum_clean_all_missing.yaml b/checks/docker/yum_clean_all_missing.yaml new file mode 100644 index 00000000..462fae7f --- /dev/null +++ b/checks/docker/yum_clean_all_missing.yaml @@ -0,0 +1,15 @@ +dockerfile: + good: + - |- + FROM alpine:3.5 + RUN yum install && yum clean all + RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt + USER mike + CMD python /usr/src/app/app.py + bad: + - |- + FROM alpine:3.5 + RUN yum install vim + RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt + USER mike + CMD python /usr/src/app/app.py diff --git a/checks/kubernetes/advanced/protect_core_components_namespace.rego b/checks/kubernetes/advanced/protect_core_components_namespace.rego index 0a7284e0..7bde2ddb 100644 --- a/checks/kubernetes/advanced/protect_core_components_namespace.rego +++ b/checks/kubernetes/advanced/protect_core_components_namespace.rego 
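Review bot: The yum_clean_all_missing good example's `RUN yum install && yum clean all` names no package, so it is not a working command, and it differs from the bad entry in two ways (package list and the missing clean). Use `RUN yum install -y vim && yum clean all` in the good entry and `RUN yum install -y vim` in the bad one so the only difference is `yum clean all`; `-y` also matters because `yum install` prompts without it. As with the zypper fixture, `FROM alpine:3.5` has no yum, so a CentOS/Fedora-family base would make the fixture a real Dockerfile.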
@@ -15,6 +15,7 @@ # input: # selector: # - type: kubernetes +# examples: checks/kubernetes/advanced/protect_core_components_namespace.yaml package builtin.kubernetes.KSV037 import data.lib.kubernetes diff --git a/checks/kubernetes/advanced/protect_core_components_namespace.yaml b/checks/kubernetes/advanced/protect_core_components_namespace.yaml new file mode 100644 index 00000000..69db1e90 --- /dev/null +++ b/checks/kubernetes/advanced/protect_core_components_namespace.yaml @@ -0,0 +1,28 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + labels: + name: mypod + name: mypod + namespace: test + spec: + automountServiceAccountToken: true + containers: + - image: nginx + name: mypod + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + labels: + name: mypod + name: mypod + namespace: kube-system + spec: + containers: + - image: nginx + name: mypod diff --git a/checks/kubernetes/advanced/protecting_pod_service_account_tokens.rego b/checks/kubernetes/advanced/protecting_pod_service_account_tokens.rego index a72c9560..fa05a93d 100644 --- a/checks/kubernetes/advanced/protecting_pod_service_account_tokens.rego +++ b/checks/kubernetes/advanced/protecting_pod_service_account_tokens.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: kubernetes +# examples: checks/kubernetes/advanced/protecting_pod_service_account_tokens.yaml package builtin.kubernetes.KSV036 import data.lib.kubernetes diff --git a/checks/kubernetes/advanced/protecting_pod_service_account_tokens.yaml b/checks/kubernetes/advanced/protecting_pod_service_account_tokens.yaml new file mode 100644 index 00000000..c8bd592b --- /dev/null +++ b/checks/kubernetes/advanced/protecting_pod_service_account_tokens.yaml @@ -0,0 +1,14 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + labels: + name: mypod + name: mypod + namespace: test + spec: + containers: + - image: nginx + name: mypod 
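Review bot: The protect_core_components_namespace good example sets `automountServiceAccountToken: true`, which is the exact setting KSV036 (the next file in this diff) exists to flag; a good fixture should not model an insecure setting unrelated to the check under test. Drop that line (or set it to `false`) so the good and bad entries differ only in `namespace: test` versus `namespace: kube-system`.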
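Review bot: The protecting_pod_service_account_tokens fixture has only a `good` entry, and that entry does not set `automountServiceAccountToken: false` — it omits the field, and Kubernetes mounts the token by default, so the example does not show the remediation KSV036 asks for. Add `automountServiceAccountToken: false` under `spec` in the good entry and a `bad` entry that sets it to `true` (or omits it, if the check treats the default as a finding — the rule body is not in this diff) so both directions are exercised.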
diff --git a/checks/kubernetes/advanced/selector_usage_in_network_policies.rego b/checks/kubernetes/advanced/selector_usage_in_network_policies.rego index 92347fa6..8c0e4811 100644 --- a/checks/kubernetes/advanced/selector_usage_in_network_policies.rego +++ b/checks/kubernetes/advanced/selector_usage_in_network_policies.rego @@ -15,6 +15,7 @@ # input: # selector: # - type: kubernetes +# examples: checks/kubernetes/advanced/selector_usage_in_network_policies.yaml package builtin.kubernetes.KSV038 import data.lib.kubernetes diff --git a/checks/kubernetes/advanced/selector_usage_in_network_policies.yaml b/checks/kubernetes/advanced/selector_usage_in_network_policies.yaml new file mode 100644 index 00000000..c5bebdd2 --- /dev/null +++ b/checks/kubernetes/advanced/selector_usage_in_network_policies.yaml @@ -0,0 +1,19 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: NetworkPolicy + metadata: + name: hello-cpu-limit + spec: + podSelector: + matchLabels: + role: db + bad: + - |- + apiVersion: v1 + kind: NetworkPolicy + metadata: + name: hello-cpu-limit + spec: + something: true diff --git a/checks/kubernetes/general/CPU_not_limited.yaml b/checks/kubernetes/general/CPU_not_limited.yaml new file mode 100644 index 00000000..bda3e67d --- /dev/null +++ b/checks/kubernetes/general/CPU_not_limited.yaml @@ -0,0 +1,32 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello + resources: + limits: + cpu: 500m + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox + name: hello diff --git a/checks/kubernetes/general/CPU_requests_not_specified.yaml b/checks/kubernetes/general/CPU_requests_not_specified.yaml new file mode 100644 index 00000000..d7415254 --- /dev/null 
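Review bot: In the selector_usage_in_network_policies fixture `apiVersion: v1` is not the API group for NetworkPolicy (`networking.k8s.io/v1`), and the bad entry's `spec: something: true` is not a field the resource has, so neither example is an object a cluster would accept. Use `apiVersion: networking.k8s.io/v1` in both, and give the bad entry a realistic shape — a spec with `policyTypes` but no `podSelector`, or `podSelector: {}` if KSV038 treats the select-everything selector as a finding (the rule is not in this diff).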
+++ b/checks/kubernetes/general/CPU_requests_not_specified.yaml
@@ -0,0 +1,32 @@
+kubernetes:
+ good:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-cpu-limit
+ spec:
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello' && sleep 1h
+ image: busybox
+ name: hello
+ resources:
+ requests:
+ cpu: 250m
+ bad:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-cpu-limit
+ spec:
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello' && sleep 1h
+ image: busybox
+ name: hello
diff --git a/checks/kubernetes/general/SYS_ADMIN_capability.yaml b/checks/kubernetes/general/SYS_ADMIN_capability.yaml
new file mode 100644
index 00000000..893b38d9
--- /dev/null
+++ b/checks/kubernetes/general/SYS_ADMIN_capability.yaml
@@ -0,0 +1,33 @@
+kubernetes:
+ good:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-sys-admin-capabilities
+ spec:
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello' && sleep 1h
+ image: busybox
+ name: hello
+ bad:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-sys-admin-capabilities
+ spec:
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello' && sleep 1h
+ image: busybox
+ name: hello
+ securityContext:
+ capabilities:
+ add:
+ - SYS_ADMIN
diff --git a/checks/kubernetes/general/capabilities_no_drop_all.yaml b/checks/kubernetes/general/capabilities_no_drop_all.yaml
new file mode 100644
index 00000000..4b4f9eb2
--- /dev/null
+++ b/checks/kubernetes/general/capabilities_no_drop_all.yaml
@@ -0,0 +1,27 @@
+kubernetes:
+ good:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-cpu-limit
+ spec:
+ containers:
+ - command: ["sh", "-c", "echo 'Hello' && sleep 1h"]
+ image: busybox
+ name: hello
+ securityContext:
+ capabilities:
+ drop:
+ - all
+ bad:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-cpu-limit
+ spec:
+ containers:
+ - command: ["sh", "-c", "echo 'Hello' && sleep 1h"]
+ image: busybox
+ name: hello
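Review bot: The capabilities_no_drop_all good entry drops `all` in lowercase; the documented value, and the one the Pod Security Standards restricted profile spells out, is `ALL`. Runtimes are generally lenient about case, but if the check compares the string exactly this value would be reported as not dropping everything, and if it compares case-insensitively that deserves its own entry rather than being the only form exercised. Use `- ALL` as the canonical good example and keep `- all` as a second entry if case-insensitive matching is intended.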
diff --git a/checks/kubernetes/general/file_system_not_read_only.yaml b/checks/kubernetes/general/file_system_not_read_only.yaml
new file mode 100644
index 00000000..6321542f
--- /dev/null
+++ b/checks/kubernetes/general/file_system_not_read_only.yaml
@@ -0,0 +1,33 @@
+kubernetes:
+ good:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-fs-not-readonly
+ spec:
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello' && sleep 1h
+ image: busybox
+ name: hello
+ securityContext:
+ readOnlyRootFilesystem: true
+ bad:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-fs-not-readonly
+ spec:
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello' && sleep 1h
+ image: busybox
+ name: hello
+ securityContext:
+ readOnlyRootFilesystem: false
diff --git a/checks/kubernetes/general/memory_not_limited.yaml b/checks/kubernetes/general/memory_not_limited.yaml
new file mode 100644
index 00000000..b8bfc3eb
--- /dev/null
+++ b/checks/kubernetes/general/memory_not_limited.yaml
@@ -0,0 +1,32 @@
+kubernetes:
+ good:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-cpu-limit
+ spec:
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello' && sleep 1h
+ image: busybox
+ name: hello
+ resources:
+ limits:
+ memory: 128Mi
+ bad:
+ - |
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-cpu-limit
+ spec:
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello' && sleep 1h
+ image: busybox
+ name: hello
diff --git a/checks/kubernetes/general/memory_requests_not_specified.yaml b/checks/kubernetes/general/memory_requests_not_specified.yaml
new file mode 100644
index 00000000..11db8a51
--- /dev/null
+++ b/checks/kubernetes/general/memory_requests_not_specified.yaml
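Review bot: The memory_not_limited bad entry uses `- |` where every other fixture in this diff, including the good entry directly above it, uses `- |-`; the only effect is a trailing newline in the manifest string, which should be harmless, but mixing the two makes it look as if the difference is deliberate. Use `- |-` for consistency.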
@@ -0,0 +1,32 @@
+kubernetes:
+ good:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-cpu-limit
+ spec:
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello' && sleep 1h
+ image: busybox
+ name: hello
+ resources:
+ requests:
+ memory: 64Mi
+ bad:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-cpu-limit
+ spec:
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello' && sleep 1h
+ image: busybox
+ name: hello
diff --git a/checks/kubernetes/general/mounts_docker_socket.yaml b/checks/kubernetes/general/mounts_docker_socket.yaml
new file mode 100644
index 00000000..ae080f07
--- /dev/null
+++ b/checks/kubernetes/general/mounts_docker_socket.yaml
@@ -0,0 +1,36 @@
+kubernetes:
+ good:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-docker-socket
+ spec:
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello' && sleep 1h
+ image: busybox
+ name: hello
+ volumes:
+ - name: test-volume
+ bad:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-docker-socket
+ spec:
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello' && sleep 1h
+ image: busybox
+ name: hello
+ volumes:
+ - name: test-volume
+ hostPath:
+ path: "/var/run/docker.sock"
+ type: Directory
diff --git a/checks/kubernetes/general/runs_with_GID_le_10000.yaml b/checks/kubernetes/general/runs_with_GID_le_10000.yaml
new file mode 100644
index 00000000..738f7762
--- /dev/null
+++ b/checks/kubernetes/general/runs_with_GID_le_10000.yaml
@@ -0,0 +1,31 @@
+kubernetes:
+ good:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-gid
+ spec:
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello' && sleep 1h
+ image: busybox
+ name: hello
+ securityContext:
+ runAsGroup: 10004
+ bad:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-gid
+ spec:
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello' && sleep 1h
+ image: busybox
+ name: hello
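Review bot: The mounts_docker_socket bad entry mounts `/var/run/docker.sock` with `type: Directory`; the socket is not a directory, so that hostPath would fail at pod start — `type: Socket` is the accurate type and the form a real offender would use. The good entry's `volumes: - name: test-volume` has no volume source, which the API server rejects, so give it a concrete non-host source such as `emptyDir: {}`. Access to the daemon socket is equivalent to root on the node, so it is also worth confirming the check matches `/run/docker.sock` and the containerd socket path, if that is within its intent — the rule is not in this diff.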
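Review bot: The runs_with_GID_le_10000 fixture compares `runAsGroup: 10004` against an absent securityContext but never the boundary the check is named for; `runAsGroup: 10000` (bad) and `runAsGroup: 10001` (good) entries would pin the comparison, and an explicit `runAsGroup: 0` would cover the value that actually matters for privilege. The pod-level `spec.securityContext.runAsGroup` is a separate place the value can be set; if the check honours it, a fixture in that form is worth adding too.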
diff --git a/checks/kubernetes/general/runs_with_UID_le_10000.yaml b/checks/kubernetes/general/runs_with_UID_le_10000.yaml
new file mode 100644
index 00000000..3b77bbb7
--- /dev/null
+++ b/checks/kubernetes/general/runs_with_UID_le_10000.yaml
@@ -0,0 +1,31 @@
+kubernetes:
+ good:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-gid
+ spec:
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello' && sleep 1h
+ image: busybox
+ name: hello
+ securityContext:
+ runAsUser: 10004
+ bad:
+ - |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: hello-gid
+ spec:
+ containers:
+ - command:
+ - sh
+ - "-c"
+ - echo 'Hello' && sleep 1h
+ image: busybox
+ name: hello
diff --git a/checks/kubernetes/general/tiller_is_deployed.yaml b/checks/kubernetes/general/tiller_is_deployed.yaml
new file mode 100644
index 00000000..369f81b5
--- /dev/null
+++ b/checks/kubernetes/general/tiller_is_deployed.yaml
@@ -0,0 +1,46 @@
+kubernetes:
+ good:
+ - |-
+ apiVersion: apps/v1beta2
+ kind: Deployment
+ metadata:
+ name: Onga
+ spec:
+ template:
+ spec:
+ containers:
+ - name: carts-db
+ image: mongo
+ securityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: true
+ initContainers:
+ - name: init-svc
+ image: busybox:1.28
+ securityContext:
+ allowPrivilegeEscalation: false
+ metadata:
+ name: None
+ labels:
+ app: example
+ tier: backend
+ bad:
+ - |-
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: mongo-deployment
+ spec:
+ template:
+ spec:
+ containers:
+ - name: carts-db
+ image: tiller
+ securityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: true
+ initContainers:
+ - name: init-svc
+ image: busybox:1.28
+ securityContext:
+ allowPrivilegeEscalation: false
diff --git a/checks/kubernetes/general/uses_image_tag_latest.yaml b/checks/kubernetes/general/uses_image_tag_latest.yaml
new file mode 100644
index 00000000..23e7b2e2
--- /dev/null
+++ b/checks/kubernetes/general/uses_image_tag_latest.yaml
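Review bot: The tiller_is_deployed good entry is not a clean fixture: it uses `apiVersion: apps/v1beta2`, which was removed from the API in Kubernetes 1.16, carries a trailing `metadata: name: None` block whose placement (template metadata or inside the pod spec) cannot be told from the collapsed text, and sets `allowPrivilegeEscalation: true` on `carts-db` — an insecure setting unrelated to Tiller detection. Use `apps/v1`, drop the stray metadata and the escalation flag, and keep the two entries different only in the image (`mongo` versus a tiller image). The bad entry's bare `image: tiller` also leaves open whether the check matches a fully qualified reference with registry and tag; a second bad entry in that form would show it.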
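Review bot: The runs_with_UID_le_10000 fixture reuses `name: hello-gid` from the GID fixture and, like it, skips the boundary; add `runAsUser: 10000` (bad), `runAsUser: 10001` (good) and `runAsUser: 0` (bad) entries so the comparison and the root case are pinned, and rename the objects to `hello-uid`. If the check also reads `spec.securityContext.runAsUser` at pod level, a fixture in that form is worth including.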
@@ -0,0 +1,29 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-tag + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox:1.33.1 + name: hello + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-tag + spec: + containers: + - command: + - sh + - "-c" + - echo 'Hello' && sleep 1h + image: busybox:latest + name: hello diff --git a/checks/kubernetes/network/no_public_egress.rego b/checks/kubernetes/network/no_public_egress.rego index 0f1185a1..de0f8a79 100644 --- a/checks/kubernetes/network/no_public_egress.rego +++ b/checks/kubernetes/network/no_public_egress.rego @@ -22,6 +22,7 @@ # good_examples: checks/kubernetes/network/no_public_egress.yaml # links: # - https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#spec.egress.to.ip_block.cidr +# examples: checks/kubernetes/network/no_public_egress.yaml package builtin.kube.network.kube0002 import rego.v1 diff --git a/checks/kubernetes/network/no_public_ingress.rego b/checks/kubernetes/network/no_public_ingress.rego index 29f3c51b..69e3e062 100644 --- a/checks/kubernetes/network/no_public_ingress.rego +++ b/checks/kubernetes/network/no_public_ingress.rego @@ -22,6 +22,7 @@ # good_examples: checks/kubernetes/network/no_public_ingress.yaml # links: # - https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#spec.ingress.from.ip_block.cidr +# examples: checks/kubernetes/network/no_public_ingress.yaml package builtin.kube.network.kube0001 import rego.v1 diff --git a/checks/kubernetes/pss/baseline/1_host_ipc.rego b/checks/kubernetes/pss/baseline/1_host_ipc.rego index b482b749..0a7ae572 100644 --- a/checks/kubernetes/pss/baseline/1_host_ipc.rego +++ b/checks/kubernetes/pss/baseline/1_host_ipc.rego 
@@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/1_host_ipc.yaml package builtin.kubernetes.KSV008 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/baseline/1_host_ipc.yaml b/checks/kubernetes/pss/baseline/1_host_ipc.yaml new file mode 100644 index 00000000..efc137dd --- /dev/null +++ b/checks/kubernetes/pss/baseline/1_host_ipc.yaml @@ -0,0 +1,31 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-ipc + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + hostIPC: false + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-ipc + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + hostIPC: true diff --git a/checks/kubernetes/pss/baseline/1_host_network.rego b/checks/kubernetes/pss/baseline/1_host_network.rego index df2e05de..d214c17d 100644 --- a/checks/kubernetes/pss/baseline/1_host_network.rego +++ b/checks/kubernetes/pss/baseline/1_host_network.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/1_host_network.yaml package builtin.kubernetes.KSV009 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/baseline/1_host_network.yaml b/checks/kubernetes/pss/baseline/1_host_network.yaml new file mode 100644 index 00000000..2d66331e --- /dev/null +++ b/checks/kubernetes/pss/baseline/1_host_network.yaml @@ -0,0 +1,31 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-network + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + hostNetwork: false + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-network + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + hostNetwork: true 
diff --git a/checks/kubernetes/pss/baseline/1_host_pid.rego b/checks/kubernetes/pss/baseline/1_host_pid.rego index 1972f037..2b16b207 100644 --- a/checks/kubernetes/pss/baseline/1_host_pid.rego +++ b/checks/kubernetes/pss/baseline/1_host_pid.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/1_host_pid.yaml package builtin.kubernetes.KSV010 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/baseline/1_host_pid.yaml b/checks/kubernetes/pss/baseline/1_host_pid.yaml new file mode 100644 index 00000000..438ae676 --- /dev/null +++ b/checks/kubernetes/pss/baseline/1_host_pid.yaml @@ -0,0 +1,31 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-network + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + hostPID: false + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-network + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + hostPID: true diff --git a/checks/kubernetes/pss/baseline/2_privileged.rego b/checks/kubernetes/pss/baseline/2_privileged.rego index dcb0c648..d69cae58 100644 --- a/checks/kubernetes/pss/baseline/2_privileged.rego +++ b/checks/kubernetes/pss/baseline/2_privileged.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/2_privileged.yaml package builtin.kubernetes.KSV017 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/baseline/2_privileged.yaml b/checks/kubernetes/pss/baseline/2_privileged.yaml new file mode 100644 index 00000000..0f900936 --- /dev/null +++ b/checks/kubernetes/pss/baseline/2_privileged.yaml 
@@ -0,0 +1,31 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-privileged + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-privileged + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + privileged: true diff --git a/checks/kubernetes/pss/baseline/3_specific_capabilities_added.rego b/checks/kubernetes/pss/baseline/3_specific_capabilities_added.rego index b5ebf057..a6c60909 100644 --- a/checks/kubernetes/pss/baseline/3_specific_capabilities_added.rego +++ b/checks/kubernetes/pss/baseline/3_specific_capabilities_added.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/3_specific_capabilities_added.yaml package builtin.kubernetes.KSV022 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/baseline/3_specific_capabilities_added.yaml b/checks/kubernetes/pss/baseline/3_specific_capabilities_added.yaml new file mode 100644 index 00000000..0659959c --- /dev/null +++ b/checks/kubernetes/pss/baseline/3_specific_capabilities_added.yaml @@ -0,0 +1,33 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-add-capabilities + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-add-capabilities + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + capabilities: + add: + - NET_BIND_SERVICE diff --git a/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.rego b/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.rego index 206d4ca9..6bac024f 100644 --- a/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.rego 
+++ b/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.yaml package builtin.kubernetes.KSV023 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.yaml b/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.yaml new file mode 100644 index 00000000..52786426 --- /dev/null +++ b/checks/kubernetes/pss/baseline/4_hostpath_volumes_mounted.yaml @@ -0,0 +1,33 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-path + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-path + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + volumes: + - hostPath: + path: /sys + type: "" diff --git a/checks/kubernetes/pss/baseline/5_access_to_host_ports.rego b/checks/kubernetes/pss/baseline/5_access_to_host_ports.rego index a04878aa..7c968749 100644 --- a/checks/kubernetes/pss/baseline/5_access_to_host_ports.rego +++ b/checks/kubernetes/pss/baseline/5_access_to_host_ports.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/5_access_to_host_ports.yaml package builtin.kubernetes.KSV024 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/baseline/5_access_to_host_ports.yaml b/checks/kubernetes/pss/baseline/5_access_to_host_ports.yaml new file mode 100644 index 00000000..c31bf1d3 --- /dev/null +++ b/checks/kubernetes/pss/baseline/5_access_to_host_ports.yaml 
@@ -0,0 +1,31 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-ports + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-host-ports + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + ports: + - hostPort: 8080 diff --git a/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.rego b/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.rego index 52293ee1..dd5b516d 100644 --- a/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.rego +++ b/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.yaml package builtin.kubernetes.KSV002 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.yaml b/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.yaml new file mode 100644 index 00000000..4b08274d --- /dev/null +++ b/checks/kubernetes/pss/baseline/6_apparmor_policy_disabled.yaml @@ -0,0 +1,33 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/hello: runtime/default + name: hello-apparmor + spec: + containers: + - command: + - sh + - -c + - echo 'Hello AppArmor!' && sleep 1h + image: busybox + name: hello + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/hello: custom + name: hello-apparmor + spec: + containers: + - command: + - sh + - -c + - echo 'Hello AppArmor!' && sleep 1h + image: busybox + name: hello diff --git a/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.rego b/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.rego index 7333101f..95150776 100644 
--- a/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.rego +++ b/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/7_selinux_custom_options_set.yaml package builtin.kubernetes.KSV025 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.yaml b/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.yaml new file mode 100644 index 00000000..70d13a27 --- /dev/null +++ b/checks/kubernetes/pss/baseline/7_selinux_custom_options_set.yaml @@ -0,0 +1,33 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-selinux + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: null + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-selinux + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + seLinuxOptions: + type: custom diff --git a/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.rego b/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.rego index 7e63550e..56724575 100644 --- a/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.rego +++ b/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.yaml package builtin.kubernetes.KSV027 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.yaml b/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.yaml new file mode 100644 index 00000000..1f333db1 --- /dev/null +++ b/checks/kubernetes/pss/baseline/8_non_default_proc_masks_set.yaml 
@@ -0,0 +1,35 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-proc-mount + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + ports: + - hostPort: 8080 + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-proc-mount + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + ports: + - hostPort: 8080 + securityContext: + procMount: Unmasked diff --git a/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.rego b/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.rego index b4442c36..9fbb2e8a 100644 --- a/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.rego +++ b/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.yaml package builtin.kubernetes.KSV026 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.yaml b/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.yaml new file mode 100644 index 00000000..36540060 --- /dev/null +++ b/checks/kubernetes/pss/baseline/9_unsafe_sysctl_options_set.yaml @@ -0,0 +1,39 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-sysctls + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + sysctls: + - name: kernel.shm_rmid_forced + value: "0" + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-sysctls + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + sysctls: + - name: net.core.somaxconn + value: "1024" + - name: kernel.msgmax + value: "65536" 
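Review bot: The good example in 8_non_default_proc_masks_set.yaml still carries `ports: - hostPort: 8080` from the host-ports example, so the "good" Pod violates KSV024 (5_access_to_host_ports.yaml in this commit) while being presented as compliant. Dropping the `ports` block from both the good and bad side keeps the pair focused on `procMount`, which is the only field the two Pods are meant to differ in.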
diff --git a/checks/kubernetes/pss/restricted/1_non_core_volume_types.rego b/checks/kubernetes/pss/restricted/1_non_core_volume_types.rego index 504a55e8..66f1dfe3 100644 --- a/checks/kubernetes/pss/restricted/1_non_core_volume_types.rego +++ b/checks/kubernetes/pss/restricted/1_non_core_volume_types.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/restricted/1_non_core_volume_types.yaml package builtin.kubernetes.KSV028 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/restricted/1_non_core_volume_types.yaml b/checks/kubernetes/pss/restricted/1_non_core_volume_types.yaml new file mode 100644 index 00000000..45f5a362 --- /dev/null +++ b/checks/kubernetes/pss/restricted/1_non_core_volume_types.yaml @@ -0,0 +1,42 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-volume-types + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + volumes: + - name: volume-a + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-volume-types + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + volumes: + - name: volume-a + scaleIO: + fsType: xfs + gateway: https://localhost:443/api + protectionDomain: sd0 + secretRef: + name: sio-secret + storagePool: sp1 + system: scaleio + volumeName: vol-a diff --git a/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.rego b/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.rego index 7a9685f6..fa614ff8 100644 --- a/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.rego +++ b/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.yaml package builtin.kubernetes.KSV001 import data.lib.kubernetes 
diff --git a/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.yaml b/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.yaml new file mode 100644 index 00000000..93204199 --- /dev/null +++ b/checks/kubernetes/pss/restricted/2_can_elevate_its_own_privileges.yaml @@ -0,0 +1,35 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + allowPrivilegeEscalation: false + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + capabilities: + drop: + - all diff --git a/checks/kubernetes/pss/restricted/3_runs_as_root.rego b/checks/kubernetes/pss/restricted/3_runs_as_root.rego index ce27c7de..74b8b06d 100644 --- a/checks/kubernetes/pss/restricted/3_runs_as_root.rego +++ b/checks/kubernetes/pss/restricted/3_runs_as_root.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/restricted/3_runs_as_root.yaml package builtin.kubernetes.KSV012 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/restricted/3_runs_as_root.yaml b/checks/kubernetes/pss/restricted/3_runs_as_root.yaml new file mode 100644 index 00000000..b0b0d6b1 --- /dev/null +++ b/checks/kubernetes/pss/restricted/3_runs_as_root.yaml @@ -0,0 +1,31 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + runAsNonRoot: true + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello 
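Review bot: The bad example in 2_can_elevate_its_own_privileges.yaml illustrates the failure with `capabilities: drop: - all` rather than with a missing or `true` `allowPrivilegeEscalation`, which mixes the capability-drop concern into an example about privilege escalation; if the rule body (not visible here) exempts containers that drop all capabilities, this example would not fail at all. A bad Pod that simply omits `securityContext`, as 3_runs_as_root.yaml does, states the point directly. The lowercase `all` also differs from the `ALL` spelling used in the Kubernetes documentation.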
diff --git a/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego b/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego index e534daf9..c1509ad2 100644 --- a/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego +++ b/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego @@ -25,6 +25,7 @@ # - kind: daemonset # - kind: cronjob # - kind: job +# examples: checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.yaml package builtin.kubernetes.KSV030 import data.lib.kubernetes diff --git a/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.yaml b/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.yaml new file mode 100644 index 00000000..ba0c5c34 --- /dev/null +++ b/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.yaml @@ -0,0 +1,37 @@ +kubernetes: + good: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + seccompProfile: + localhostProfile: profiles/audit.json + type: RuntimeDefault + bad: + - |- + apiVersion: v1 + kind: Pod + metadata: + name: hello-cpu-limit + spec: + containers: + - command: + - sh + - -c + - echo 'Hello' && sleep 1h + image: busybox + name: hello + securityContext: + seccompProfile: + localhostProfile: profiles/audit.json + type: LocalPort diff --git a/go.mod b/go.mod index 77b61f7c..defb9dce 100644 --- a/go.mod +++ b/go.mod @@ -4,6 +4,8 @@ go 1.22.9 toolchain go1.23.0 +replace github.com/aquasecurity/trivy => github.com/nikpivkin/trivy v0.0.0-20241208122347-678e7af74ed6 + require ( github.com/aquasecurity/trivy v0.57.1-0.20241202232542-54130dcc1d77 github.com/aws-cloudformation/rain v1.19.0 
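Review bot: In 5_runtime_default_seccomp_profile_not_set.yaml the bad example sets `seccompProfile.type: LocalPort`, which is not a seccomp profile type (the API accepts `RuntimeDefault`, `Unconfined` and `Localhost`), and both examples pair `localhostProfile: profiles/audit.json` with a non-`Localhost` type, which API validation rejects. Presumably the check only compares `type` against `RuntimeDefault`, so the fixture still passes, but as documentation the bad side should show a realistic failing case such as `type: Unconfined` with no `localhostProfile`, and the good side should drop `localhostProfile`.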
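Review bot: `replace github.com/aquasecurity/trivy => github.com/nikpivkin/trivy v0.0.0-20241208122347-678e7af74ed6` redirects the core dependency of this module to a personal fork at a pseudo-version. `replace` directives are not honoured by consumers of this module, so any downstream build that depends on the forked `scan.Rule.Examples` field (used in internal/examples/examples.go in this commit) will not compile until upstream trivy ships it, and the fork's commit is outside the upstream project's review and release process. If this is a stopgap, a comment on the directive naming the upstream change it waits for, plus a tracking issue to remove it before release, would keep the fork from lingering in the module graph.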
@@ -105,10 +107,10 @@ require ( github.com/chzyer/readline v1.5.1 // indirect github.com/cloudflare/circl v1.3.8 // indirect github.com/containerd/cgroups/v3 v3.0.3 // indirect - github.com/containerd/containerd v1.7.23 // indirect + github.com/containerd/containerd v1.7.24 // indirect github.com/containerd/containerd/api v1.8.0 // indirect github.com/containerd/containerd/v2 v2.0.0 // indirect - github.com/containerd/continuity v0.4.4 // indirect + github.com/containerd/continuity v0.4.5 // indirect github.com/containerd/errdefs v1.0.0 // indirect github.com/containerd/errdefs/pkg v0.3.0 // indirect github.com/containerd/fifo v1.1.0 // indirect @@ -117,7 +119,7 @@ require ( github.com/containerd/plugin v1.0.0 // indirect github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect github.com/containerd/ttrpc v1.2.6 // indirect - github.com/containerd/typeurl/v2 v2.2.2 // indirect + github.com/containerd/typeurl/v2 v2.2.3 // indirect github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect github.com/cyphar/filepath-securejoin v0.3.4 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect @@ -128,9 +130,9 @@ require ( github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect github.com/distribution/reference v0.6.0 // indirect github.com/dlclark/regexp2 v1.4.0 // indirect - github.com/docker/cli v27.3.1+incompatible // indirect + github.com/docker/cli v27.4.0-rc.2+incompatible // indirect github.com/docker/distribution v2.8.3+incompatible // indirect - github.com/docker/docker v27.3.1+incompatible // indirect + github.com/docker/docker v27.4.0-rc.2+incompatible // indirect github.com/docker/docker-credential-helpers v0.8.2 // indirect github.com/docker/go-connections v0.5.0 // indirect github.com/docker/go-metrics v0.0.1 // indirect 
@@ -252,7 +254,7 @@ require ( github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/mitchellh/reflectwalk v1.0.2 // indirect - github.com/moby/buildkit v0.17.2 // indirect + github.com/moby/buildkit v0.18.0 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect github.com/moby/locker v1.0.1 // indirect github.com/moby/spdystream v0.4.0 // indirect diff --git a/go.sum b/go.sum index 9bd6c626..6f6b44b6 100644 --- a/go.sum +++ b/go.sum @@ -349,10 +349,6 @@ github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8 h1:b43UVqY github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8/go.mod h1:wXA9k3uuaxY3yu7gxrxZDPo/04FEMJtwyecdAlYrEIo= github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo= github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY= -github.com/aquasecurity/trivy v0.57.1-0.20241127185709-c238c515b831 h1:Ol9LT6V3KXCwaJE6lyeOR+3NGgDyA0HOXvPtumz/dxA= -github.com/aquasecurity/trivy v0.57.1-0.20241127185709-c238c515b831/go.mod h1:fURPZjqUDH08tYy/2EhU4k0uAOzXcPAJeM2O0Z6k0nU= -github.com/aquasecurity/trivy v0.57.1-0.20241202232542-54130dcc1d77 h1:asWezOVucyj/9U+XUYgp/T952z1rpS1o1Kd+KyZD1C0= -github.com/aquasecurity/trivy v0.57.1-0.20241202232542-54130dcc1d77/go.mod h1:ZFPGXENLDMCKV7uXY3G1dloqMki9SZBHZldFo2aqupA= github.com/aquasecurity/trivy-db v0.0.0-20241120092622-333d808d7e45 h1:ljinbg7JTQvdnzuRsPYS6btA51SyGYWKCQInxSIwbRw= github.com/aquasecurity/trivy-db v0.0.0-20241120092622-333d808d7e45/go.mod h1:Lg2avQhFy5qeGA0eMysI/61REVvWpEltverCarGc3l0= github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI= 
@@ -493,14 +489,14 @@ github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w= github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0= github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0= -github.com/containerd/containerd v1.7.23 h1:H2CClyUkmpKAGlhQp95g2WXHfLYc7whAuvZGBNYOOwQ= -github.com/containerd/containerd v1.7.23/go.mod h1:7QUzfURqZWCZV7RLNEn1XjUCQLEf0bkaK4GjUaZehxw= +github.com/containerd/containerd v1.7.24 h1:zxszGrGjrra1yYJW/6rhm9cJ1ZQ8rkKBR48brqsa7nA= +github.com/containerd/containerd v1.7.24/go.mod h1:7QUzfURqZWCZV7RLNEn1XjUCQLEf0bkaK4GjUaZehxw= github.com/containerd/containerd/api v1.8.0 h1:hVTNJKR8fMc/2Tiw60ZRijntNMd1U+JVMyTRdsD2bS0= github.com/containerd/containerd/api v1.8.0/go.mod h1:dFv4lt6S20wTu/hMcP4350RL87qPWLVa/OHOwmmdnYc= github.com/containerd/containerd/v2 v2.0.0 h1:qLDdFaAykQrIyLiqwQrNLLz95wiC36bAZVwioUwqShM= github.com/containerd/containerd/v2 v2.0.0/go.mod h1:j25kDy9P48/ngb1sxWIFfK6GsnqOHoSqo1EpAod20VQ= -github.com/containerd/continuity v0.4.4 h1:/fNVfTJ7wIl/YPMHjf+5H32uFhl63JucB34PlCpMKII= -github.com/containerd/continuity v0.4.4/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE= +github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4= +github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE= github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI= github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M= github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE= 
@@ -517,8 +513,8 @@ github.com/containerd/stargz-snapshotter/estargz v0.15.1 h1:eXJjw9RbkLFgioVaTG+G github.com/containerd/stargz-snapshotter/estargz v0.15.1/go.mod h1:gr2RNwukQ/S9Nv33Lt6UC7xEx58C+LHRdoqbEKjz1Kk= github.com/containerd/ttrpc v1.2.6 h1:zG+Kn5EZ6MUYCS1t2Hmt2J4tMVaLSFEJVOraDQwNPC4= github.com/containerd/ttrpc v1.2.6/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o= -github.com/containerd/typeurl/v2 v2.2.2 h1:3jN/k2ysKuPCsln5Qv8bzR9cxal8XjkxPogJfSNO31k= -github.com/containerd/typeurl/v2 v2.2.2/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsxGtUBhJxIn7SCk= +github.com/containerd/typeurl/v2 v2.2.3 h1:yNA/94zxWdvYACdYO8zofhrTVuQY73fFU1y++dYSw40= +github.com/containerd/typeurl/v2 v2.2.3/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsxGtUBhJxIn7SCk= github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk= 
@@ -566,12 +562,12 @@ github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5Qvfr github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= github.com/dlclark/regexp2 v1.4.0 h1:F1rxgk7p4uKjwIQxBs9oAXe5CqrXlCduYEJvrF4u93E= github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc= -github.com/docker/cli v27.3.1+incompatible h1:qEGdFBF3Xu6SCvCYhc7CzaQTlBmqDuzxPDpigSyeKQQ= -github.com/docker/cli v27.3.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.4.0-rc.2+incompatible h1:A0GZwegDlt2wdt3tpmrUzkVOZmbhvd7i05wPSf7Oo74= +github.com/docker/cli v27.4.0-rc.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v27.3.1+incompatible h1:KttF0XoteNTicmUtBO0L2tP+J7FGRFTjaEF4k6WdhfI= -github.com/docker/docker v27.3.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v27.4.0-rc.2+incompatible h1:9OJjVGtelk/zGC3TyKweJ29b9Axzh0s/0vtU4mneumE= +github.com/docker/docker v27.4.0-rc.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= 
@@ -1064,8 +1060,8 @@ github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RR github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b/go.mod h1:pzzDgJWZ34fGzaAZGFW22KVZDfyrYW+QABMrWnJBnSs= -github.com/moby/buildkit v0.17.2 h1:/jgk/MuXbA7jeXMkknOpHYB+Ct4aNvQHkBB7SxD3D4U= -github.com/moby/buildkit v0.17.2/go.mod h1:vr5vltV8wt4F2jThbNOChfbAklJ0DOW11w36v210hOg= +github.com/moby/buildkit v0.18.0 h1:KSelhNINJcNA3FCWBbGCytvicjP+kjU5kZlZhkTUkVo= +github.com/moby/buildkit v0.18.0/go.mod h1:vCR5CX8NGsPTthTg681+9kdmfvkvqJBXEv71GZe5msU= github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0= github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= @@ -1111,6 +1107,8 @@ github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdh github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls= github.com/nikpivkin/opa v0.0.0-20240829080621-16999fcb5464 h1:jhZ8nLVxOAslgzmPdKTyctfDJkMfRgksCypFriHzf4E= github.com/nikpivkin/opa v0.0.0-20240829080621-16999fcb5464/go.mod h1:cvSIxY0dexL39hOPqXSZKdBYFNx2Rv8Fu5n3MmTjqtE= +github.com/nikpivkin/trivy v0.0.0-20241208122347-678e7af74ed6 h1:nEtgpPXEaOR8/TOBipl6Qd4ohR+kee93Q72oMGXmSt4= +github.com/nikpivkin/trivy v0.0.0-20241208122347-678e7af74ed6/go.mod h1:YM25zfuLoB1FVYGrW5LpcY2VpU5/RGPKvxGB/OhvS8c= github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 h1:Up6+btDp321ZG5/zdSLo48H9Iaq0UQGthrhWC6pCxzE= github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481/go.mod h1:yKZQO8QE2bHlgozqWDiRVqTFlLQSj30K/6SAK8EeYFw= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= 
diff --git a/integration/check_examples_test.go b/integration/check_examples_test.go
index f92141a2..11d26dee 100644
--- a/integration/check_examples_test.go
+++ b/integration/check_examples_test.go
@@ -94,7 +94,7 @@ func setupTarget(t *testing.T) string {
 
 func writeExamples(t *testing.T, examples []string, provider, cacheDir string, id string, typ string) {
 for i, example := range examples {
- name := "test" + extensionByProvider(provider)
+ name := fileNameByProvider(provider)
 file := filepath.Join(cacheDir, id, provider, typ, strconv.Itoa(i), name)
 require.NoError(t, os.MkdirAll(filepath.Dir(file), fs.ModePerm))
 require.NoError(t, os.WriteFile(file, []byte(example), fs.ModePerm))
@@ -154,12 +154,16 @@ func getFailureIDs(report types.Report) map[string][]string {
 return ids
 }
 
-func extensionByProvider(provider string) string {
+func fileNameByProvider(provider string) string {
 switch provider {
 case "terraform":
- return ".tf"
+ return "main.tf"
 case "cloudformation":
- return ".yaml"
+ return "template.yaml"
+ case "dockerfile":
+ return "Dockerfile"
+ case "kubernetes":
+ return "test.yaml"
 }
- panic("unreachable")
+ panic("unreachable: " + provider)
 }
diff --git a/internal/examples/examples.go b/internal/examples/examples.go
index 999e63b0..a634b859 100644
--- a/internal/examples/examples.go
+++ b/internal/examples/examples.go
@@ -33,6 +33,10 @@ func GetCheckExamples(r scan.Rule) (CheckExamples, string, error) {
 
 // TODO: use `examples` field after adding
 func getCheckExamplesPath(r scan.Rule) string {
+ if r.Examples != "" {
+ return r.Examples
+ }
+
 for _, eng := range []*scan.EngineMetadata{r.Terraform, r.CloudFormation} {
 if eng == nil {
 continue
@@ -100,6 +104,7 @@ func (b blocks) format(fn func(blockString) blockString) {
 var formatters = map[string]func(blockString) blockString{
 "terraform": formatHCL,
 "cloudformation": formatCFT,
+ "kubernetes": formatYAML,
 }
 
 func formatHCL(b blockString) blockString {
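Review bot: The `// TODO: use `examples` field after adding` comment above getCheckExamplesPath is now stale, because the lines added directly beneath it do exactly that (`if r.Examples != "" { return r.Examples }`); either delete it or reword it to say that the per-engine `good_examples`/`bad_examples` lookup below is kept as a fallback for checks not yet migrated to `examples`. getCheckExamplesPath continues past the end of the hunk. A short comment on the new early return, `// Prefer the unified examples path; engine-specific paths below are legacy.`, would also tell the next reader which field wins when a check declares both, as no_public_egress.rego and no_public_ingress.rego in this commit do.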
@@ -114,3 +119,15 @@ func formatCFT(b blockString) blockString {
 return blockString(format.CftToYaml(tmpl))
 }
+
+func formatYAML(b blockString) blockString {
+ var v any
+ if err := yaml.Unmarshal([]byte(b), &v); err != nil {
+ panic(err)
+ }
+ ret, err := yaml.Marshal(v)
+ if err != nil {
+ panic(err)
+ }
+ return blockString(ret)
+}
diff --git a/test/docker_test.go b/test/docker_test.go
deleted file mode 100644
index cc19bdb6..00000000
--- a/test/docker_test.go
+++ /dev/null
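Review bot: `formatYAML` keeps only the first YAML document: `yaml.Unmarshal` into a single `any` decodes up to the first `---` separator, so a multi-document Kubernetes example (several manifests in one block) would be silently truncated in the rendered output, and the round-trip through `any` also discards comments and, with most Go YAML packages, the original key order. Whether a multi-document example can reach this formatter depends on the callers outside the hunk; if it can, decode in a loop and re-encode each document as below (written against the gopkg.in/yaml Decoder/Encoder API — adjust if a different package is imported here). Separately, `panic(err)` on malformed input takes down whatever generation run invoked the formatter; returning the block unchanged with a logged error may be the friendlier failure mode for a docs tool, but that is a design choice for the maintainers.
```go
func formatYAML(b blockString) blockString {
	dec := yaml.NewDecoder(strings.NewReader(string(b)))
	var out strings.Builder
	enc := yaml.NewEncoder(&out)
	for {
		var v any
		if err := dec.Decode(&v); err != nil {
			if errors.Is(err, io.EOF) {
				break // all documents consumed
			}
			panic(err)
		}
		if err := enc.Encode(v); err != nil {
			panic(err)
		}
	}
	if err := enc.Close(); err != nil {
		panic(err)
	}
	return blockString(out.String())
}
```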
@@ -1,78 +0,0 @@ -package test - -import ( - "context" - "fmt" - "os" - "testing" - - "github.com/aquasecurity/trivy/pkg/iac/rego" - "github.com/aquasecurity/trivy/pkg/iac/scanners/dockerfile" - "github.com/aquasecurity/trivy/pkg/iac/scanners/options" - "github.com/stretchr/testify/require" - - builtinrego "github.com/aquasecurity/trivy-checks/pkg/rego" -) - -func init() { - builtinrego.RegisterBuiltins() -} - -func Test_Dockerfile(t *testing.T) { - tests := []struct { - name string - opts []options.ScannerOption - }{ - { - name: "checks from disk", - opts: []options.ScannerOption{ - rego.WithPolicyFilesystem(os.DirFS("../checks/docker")), - rego.WithPolicyDirs("."), - }, - }, - { - name: "embedded checks", - opts: []options.ScannerOption{ - rego.WithEmbeddedPolicies(true), - }, - }, - } - - testdata := "./testdata/dockerfile" - - entries, err := os.ReadDir(testdata) - require.NoError(t, err) - - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - t.Parallel() - - opts := []options.ScannerOption{ - rego.WithPerResultTracing(true), - rego.WithEmbeddedLibraries(true), - } - opts = append(opts, tt.opts...) - - scanner := dockerfile.NewScanner(opts...) - - results, err := scanner.ScanFS(context.TODO(), os.DirFS(testdata), ".") - require.NoError(t, err) - - for _, entry := range entries { - if !entry.IsDir() { - continue - } - - dirName := entry.Name() - - t.Run(entry.Name(), func(t *testing.T) { - assertChecks(t, dirName, - fmt.Sprintf("%s/Dockerfile.denied", dirName), - fmt.Sprintf("%s/Dockerfile.allowed", dirName), - results, - ) - }) - } - }) - } -} diff --git a/test/kubernetes_test.go b/test/kubernetes_test.go deleted file mode 100644 index 7a126661..00000000 --- a/test/kubernetes_test.go +++ /dev/null 
@@ -1,115 +0,0 @@ -package test - -import ( - "context" - "fmt" - "os" - "testing" - - "github.com/aquasecurity/trivy/pkg/iac/rego" - "github.com/aquasecurity/trivy/pkg/iac/scan" - "github.com/aquasecurity/trivy/pkg/iac/scanners/kubernetes" - "github.com/aquasecurity/trivy/pkg/iac/scanners/options" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" -) - -func Test_Kubenetes(t *testing.T) { - tests := []struct { - name string - opts []options.ScannerOption - }{ - { - name: "checks from disk", - opts: []options.ScannerOption{ - rego.WithPolicyFilesystem(os.DirFS("../checks/kubernetes")), - rego.WithPolicyDirs("."), - }, - }, - { - name: "embedded checks", - opts: []options.ScannerOption{ - rego.WithEmbeddedPolicies(true), - }, - }, - } - - testdata := "./testdata/kubernetes" - - entries, err := os.ReadDir(testdata) - require.NoError(t, err) - - for _, tt := range tests { - t.Run(t.Name(), func(t *testing.T) { - t.Parallel() - - opts := []options.ScannerOption{ - rego.WithPerResultTracing(true), - rego.WithEmbeddedLibraries(true), - } - opts = append(opts, tt.opts...) - - scanner := kubernetes.NewScanner(opts...) 
- - results, err := scanner.ScanFS(context.TODO(), os.DirFS(testdata), ".") - require.NoError(t, err) - - for _, entry := range entries { - if !entry.IsDir() { - continue - } - if entry.Name() == "optional" { - continue - } - - dirName := entry.Name() - - t.Run(entry.Name(), func(t *testing.T) { - assertChecks(t, dirName, - fmt.Sprintf("%s/denied.yaml", dirName), - fmt.Sprintf("%s/allowed.yaml", dirName), - results, - ) - }) - } - }) - } -} - -func assertChecks(t *testing.T, fileName, failCase, passCase string, results scan.Results) { - t.Helper() - - var matched bool - - for _, result := range results { - if !result.Rule().HasID(fileName) { - continue - } - - t.Run(result.Rule().AVDID, func(t *testing.T) { - switch result.Range().GetFilename() { - case failCase: - assert.Equal(t, scan.StatusFailed, result.Status(), "Rule should have failed, but didn't.") - if result.Rule().AVDID != "AVD-DS-0002" { - assert.Greater(t, result.Range().GetStartLine(), 0, "We should have line numbers for a failure") - assert.Greater(t, result.Range().GetEndLine(), 0, "We should have line numbers for a failure") - } - matched = true - case passCase: - assert.Equal(t, scan.StatusPassed, result.Status(), "Rule should have passed, but didn't.") - matched = true - default: - return - } - - if t.Failed() { - fmt.Println("Test failed - rego trace follows:") - for _, trace := range result.Traces() { - fmt.Println(trace) - } - } - }) - } - - assert.True(t, matched, "Rule should be matched once") -} diff --git a/test/testdata/dockerfile/DS001/Dockerfile.allowed b/test/testdata/dockerfile/DS001/Dockerfile.allowed deleted file mode 100644 index ee5c6cc9..00000000 --- a/test/testdata/dockerfile/DS001/Dockerfile.allowed +++ /dev/null @@ -1,3 +0,0 @@ -FROM debian:9 -RUN apt-get update && apt-get -y install vim && apt-get clean -USER foo diff --git a/test/testdata/dockerfile/DS001/Dockerfile.denied b/test/testdata/dockerfile/DS001/Dockerfile.denied deleted file mode 100644 index 5e2b193a..00000000 
--- a/test/testdata/dockerfile/DS001/Dockerfile.denied +++ /dev/null @@ -1,3 +0,0 @@ -FROM debian:latest -RUN apt-get update && apt-get -y install vim && apt-get clean -USER foo diff --git a/test/testdata/dockerfile/DS002/Dockerfile.allowed b/test/testdata/dockerfile/DS002/Dockerfile.allowed deleted file mode 100644 index 8bb3de30..00000000 --- a/test/testdata/dockerfile/DS002/Dockerfile.allowed +++ /dev/null @@ -1,3 +0,0 @@ -FROM debian:9 -RUN apt-get update && apt-get -y install vim && apt-get clean -USER foo \ No newline at end of file diff --git a/test/testdata/dockerfile/DS002/Dockerfile.denied b/test/testdata/dockerfile/DS002/Dockerfile.denied deleted file mode 100644 index 9b996cc7..00000000 --- a/test/testdata/dockerfile/DS002/Dockerfile.denied +++ /dev/null @@ -1,2 +0,0 @@ -FROM debian:9 -RUN apt-get update && apt-get -y install vim && apt-get clean diff --git a/test/testdata/dockerfile/DS004/Dockerfile.allowed b/test/testdata/dockerfile/DS004/Dockerfile.allowed deleted file mode 100644 index 8af97be7..00000000 --- a/test/testdata/dockerfile/DS004/Dockerfile.allowed +++ /dev/null @@ -1,3 +0,0 @@ -FROM alpine:3.13 -USER mike -EXPOSE 8080 diff --git a/test/testdata/dockerfile/DS004/Dockerfile.denied b/test/testdata/dockerfile/DS004/Dockerfile.denied deleted file mode 100644 index 91016100..00000000 --- a/test/testdata/dockerfile/DS004/Dockerfile.denied +++ /dev/null @@ -1,3 +0,0 @@ -FROM alpine:3.13 -USER mike -EXPOSE 22 \ No newline at end of file diff --git a/test/testdata/dockerfile/DS005/Dockerfile.allowed b/test/testdata/dockerfile/DS005/Dockerfile.allowed deleted file mode 100644 index 28d89b43..00000000 --- a/test/testdata/dockerfile/DS005/Dockerfile.allowed +++ /dev/null @@ -1,3 +0,0 @@ -FROM alpine:3.13 -USER mike -ADD "/target/resources.tar.gz" "resources" diff --git a/test/testdata/dockerfile/DS005/Dockerfile.denied b/test/testdata/dockerfile/DS005/Dockerfile.denied deleted file mode 100644 index 98c1249f..00000000 
--- a/test/testdata/dockerfile/DS005/Dockerfile.denied +++ /dev/null @@ -1,4 +0,0 @@ -FROM alpine:3.13 -USER mike -ADD "/target/resources.tar.gz" "resources.jar" -ADD "/target/app.jar" "app.jar" \ No newline at end of file diff --git a/test/testdata/dockerfile/DS006/Dockerfile.allowed b/test/testdata/dockerfile/DS006/Dockerfile.allowed deleted file mode 100644 index 529198ac..00000000 --- a/test/testdata/dockerfile/DS006/Dockerfile.allowed +++ /dev/null @@ -1,6 +0,0 @@ -FROM golang:1.7.3 as dep -COPY /binary / - -FROM alpine:3.13 -USER mike -ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] \ No newline at end of file diff --git a/test/testdata/dockerfile/DS006/Dockerfile.denied b/test/testdata/dockerfile/DS006/Dockerfile.denied deleted file mode 100644 index cdb11213..00000000 --- a/test/testdata/dockerfile/DS006/Dockerfile.denied +++ /dev/null @@ -1,6 +0,0 @@ -FROM golang:1.7.3 as dep -COPY --from=dep /binary / - -FROM alpine:3.13 -USER mike -ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] \ No newline at end of file diff --git a/test/testdata/dockerfile/DS007/Dockerfile.allowed b/test/testdata/dockerfile/DS007/Dockerfile.allowed deleted file mode 100644 index 37b3bb39..00000000 --- a/test/testdata/dockerfile/DS007/Dockerfile.allowed +++ /dev/null @@ -1,6 +0,0 @@ -FROM golang:1.7.3 as dep -COPY /binary / - -FROM alpine:3.13 -USER mike -ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] \ No newline at end of file diff --git a/test/testdata/dockerfile/DS007/Dockerfile.denied b/test/testdata/dockerfile/DS007/Dockerfile.denied deleted file mode 100644 index 228966f1..00000000 --- a/test/testdata/dockerfile/DS007/Dockerfile.denied +++ /dev/null @@ -1,8 +0,0 @@ -FROM golang:1.7.3 as dep -COPY dep /binary / -ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] -ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] - -FROM alpine:3.13 -USER mike -ENTRYPOINT [ "/opt/app/run.sh --port 8080" ] \ No newline at end of file 
diff --git a/test/testdata/dockerfile/DS008/Dockerfile.allowed b/test/testdata/dockerfile/DS008/Dockerfile.allowed deleted file mode 100644 index f66bb31d..00000000 --- a/test/testdata/dockerfile/DS008/Dockerfile.allowed +++ /dev/null @@ -1,3 +0,0 @@ -FROM alpine:3.13 -USER mike -EXPOSE 65530 8080 diff --git a/test/testdata/dockerfile/DS008/Dockerfile.denied b/test/testdata/dockerfile/DS008/Dockerfile.denied deleted file mode 100644 index 89c465a6..00000000 --- a/test/testdata/dockerfile/DS008/Dockerfile.denied +++ /dev/null @@ -1,3 +0,0 @@ -FROM alpine:3.13 -USER mike -EXPOSE 65536 8080 diff --git a/test/testdata/dockerfile/DS009/Dockerfile.allowed b/test/testdata/dockerfile/DS009/Dockerfile.allowed deleted file mode 100644 index 1db32e18..00000000 --- a/test/testdata/dockerfile/DS009/Dockerfile.allowed +++ /dev/null @@ -1,3 +0,0 @@ -FROM alpine:3.13 -USER mike -WORKDIR /path/to/workdir diff --git a/test/testdata/dockerfile/DS009/Dockerfile.denied b/test/testdata/dockerfile/DS009/Dockerfile.denied deleted file mode 100644 index 422d65f0..00000000 --- a/test/testdata/dockerfile/DS009/Dockerfile.denied +++ /dev/null @@ -1,3 +0,0 @@ -FROM alpine:3.13 -USER mike -WORKDIR path/to/workdir diff --git a/test/testdata/dockerfile/DS010/Dockerfile.allowed b/test/testdata/dockerfile/DS010/Dockerfile.allowed deleted file mode 100644 index 67232624..00000000 --- a/test/testdata/dockerfile/DS010/Dockerfile.allowed +++ /dev/null @@ -1,3 +0,0 @@ -FROM alpine:3.13 -RUN pip install --upgrade pip -USER mike diff --git a/test/testdata/dockerfile/DS010/Dockerfile.denied b/test/testdata/dockerfile/DS010/Dockerfile.denied deleted file mode 100644 index cd63e40e..00000000 --- a/test/testdata/dockerfile/DS010/Dockerfile.denied +++ /dev/null @@ -1,3 +0,0 @@ -FROM alpine:3.13 -RUN sudo pip install --upgrade pip -USER mike diff --git a/test/testdata/dockerfile/DS011/Dockerfile.allowed b/test/testdata/dockerfile/DS011/Dockerfile.allowed deleted file mode 100644 index c5d7133a..00000000 
--- a/test/testdata/dockerfile/DS011/Dockerfile.allowed +++ /dev/null @@ -1,3 +0,0 @@ -FROM alpine:3.13 -USER mike -COPY ["package.json", "yarn.lock", "myapp/"] diff --git a/test/testdata/dockerfile/DS011/Dockerfile.denied b/test/testdata/dockerfile/DS011/Dockerfile.denied deleted file mode 100644 index 72df0188..00000000 --- a/test/testdata/dockerfile/DS011/Dockerfile.denied +++ /dev/null @@ -1,3 +0,0 @@ -FROM alpine:3.13 -USER mike -COPY ["package.json", "yarn.lock", "myapp"] diff --git a/test/testdata/dockerfile/DS012/Dockerfile.allowed b/test/testdata/dockerfile/DS012/Dockerfile.allowed deleted file mode 100644 index a3eeb0f4..00000000 --- a/test/testdata/dockerfile/DS012/Dockerfile.allowed +++ /dev/null @@ -1,10 +0,0 @@ -FROM baseImage:1.1 -RUN test - -FROM debian:jesse2 as build2 -USER mike -RUN stuff - -FROM debian:jesse1 as build1 -USER mike -RUN more_stuff \ No newline at end of file diff --git a/test/testdata/dockerfile/DS012/Dockerfile.denied b/test/testdata/dockerfile/DS012/Dockerfile.denied deleted file mode 100644 index 86e7882d..00000000 --- a/test/testdata/dockerfile/DS012/Dockerfile.denied +++ /dev/null @@ -1,10 +0,0 @@ -FROM baseImage:1.1 -RUN test - -FROM debian:jesse2 as build -USER mike -RUN stuff - -FROM debian:jesse1 as build -USER mike -RUN more_stuff \ No newline at end of file diff --git a/test/testdata/dockerfile/DS013/Dockerfile.allowed b/test/testdata/dockerfile/DS013/Dockerfile.allowed deleted file mode 100644 index c1426226..00000000 --- a/test/testdata/dockerfile/DS013/Dockerfile.allowed +++ /dev/null @@ -1,4 +0,0 @@ -FROM nginx:2.2 -WORKDIR /usr/share/nginx/html -USER mike -CMD cd /usr/share/nginx/html && sed -e s/Docker/\"$AUTHOR\"/ Hello_docker.html > index.html ; nginx -g 'daemon off;' \ No newline at end of file diff --git a/test/testdata/dockerfile/DS013/Dockerfile.denied b/test/testdata/dockerfile/DS013/Dockerfile.denied deleted file mode 100644 index e5a769aa..00000000 
--- a/test/testdata/dockerfile/DS013/Dockerfile.denied +++ /dev/null @@ -1,4 +0,0 @@ -FROM nginx:2.2 -RUN cd /usr/share/nginx/html -USER mike -CMD cd /usr/share/nginx/html && sed -e s/Docker/\"$AUTHOR\"/ Hello_docker.html > index.html ; nginx -g 'daemon off;' \ No newline at end of file diff --git a/test/testdata/dockerfile/DS014/Dockerfile.allowed b/test/testdata/dockerfile/DS014/Dockerfile.allowed deleted file mode 100644 index b46d24c9..00000000 --- a/test/testdata/dockerfile/DS014/Dockerfile.allowed +++ /dev/null @@ -1,7 +0,0 @@ -FROM debian:stable-20210621 -RUN curl http://bing.com -RUN curl http://google.com - -FROM baseimage:1.0 -USER mike -RUN curl http://bing.com diff --git a/test/testdata/dockerfile/DS014/Dockerfile.denied b/test/testdata/dockerfile/DS014/Dockerfile.denied deleted file mode 100644 index c5ec6eff..00000000 --- a/test/testdata/dockerfile/DS014/Dockerfile.denied +++ /dev/null @@ -1,7 +0,0 @@ -FROM debian:stable-20210621 -RUN wget http://bing.com -RUN curl http://google.com - -FROM baseimage:1.0 -USER mike -RUN curl http://bing.com diff --git a/test/testdata/dockerfile/DS015/Dockerfile.allowed b/test/testdata/dockerfile/DS015/Dockerfile.allowed deleted file mode 100644 index 5ab6a656..00000000 --- a/test/testdata/dockerfile/DS015/Dockerfile.allowed +++ /dev/null @@ -1,5 +0,0 @@ -FROM alpine:3.5 -RUN yum install && yum clean all -RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt -USER mike -CMD python /usr/src/app/app.py \ No newline at end of file diff --git a/test/testdata/dockerfile/DS015/Dockerfile.denied b/test/testdata/dockerfile/DS015/Dockerfile.denied deleted file mode 100644 index e1ba5704..00000000 --- a/test/testdata/dockerfile/DS015/Dockerfile.denied +++ /dev/null @@ -1,5 +0,0 @@ -FROM alpine:3.5 -RUN yum install vim -RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt -USER mike -CMD python /usr/src/app/app.py \ No newline at end of file 
diff --git a/test/testdata/dockerfile/DS016/Dockerfile.allowed b/test/testdata/dockerfile/DS016/Dockerfile.allowed deleted file mode 100644 index 46f07fda..00000000 --- a/test/testdata/dockerfile/DS016/Dockerfile.allowed +++ /dev/null @@ -1,5 +0,0 @@ -FROM golang:1.7.3 -USER mike -CMD ./apps -FROM alpine:3.13 -CMD ./app diff --git a/test/testdata/dockerfile/DS016/Dockerfile.denied b/test/testdata/dockerfile/DS016/Dockerfile.denied deleted file mode 100644 index e861f0a0..00000000 --- a/test/testdata/dockerfile/DS016/Dockerfile.denied +++ /dev/null @@ -1,6 +0,0 @@ -FROM golang:1.7.3 -USER mike -CMD ./app -CMD ./apps -FROM alpine:3.13 -CMD ./app diff --git a/test/testdata/dockerfile/DS017/Dockerfile.allowed b/test/testdata/dockerfile/DS017/Dockerfile.allowed deleted file mode 100644 index d92984d7..00000000 --- a/test/testdata/dockerfile/DS017/Dockerfile.allowed +++ /dev/null @@ -1,4 +0,0 @@ -FROM ubuntu:18.04 -RUN apt-get update && apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/* && apt-get clean -USER mike -ENTRYPOINT mysql \ No newline at end of file diff --git a/test/testdata/dockerfile/DS017/Dockerfile.denied b/test/testdata/dockerfile/DS017/Dockerfile.denied deleted file mode 100644 index e9bf2a9a..00000000 --- a/test/testdata/dockerfile/DS017/Dockerfile.denied +++ /dev/null @@ -1,5 +0,0 @@ -FROM ubuntu:18.04 -RUN apt-get update -RUN apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/* && apt-get clean -USER mike -ENTRYPOINT mysql \ No newline at end of file diff --git a/test/testdata/dockerfile/DS019/Dockerfile.allowed b/test/testdata/dockerfile/DS019/Dockerfile.allowed deleted file mode 100644 index 0b975046..00000000 --- a/test/testdata/dockerfile/DS019/Dockerfile.allowed +++ /dev/null 
@@ -1,5 +0,0 @@ -FROM fedora:27 -USER mike -RUN set -uex && dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && sed -i 's/\\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && dnf install -vy docker-ce && dnf clean all -HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1 - diff --git a/test/testdata/dockerfile/DS019/Dockerfile.denied b/test/testdata/dockerfile/DS019/Dockerfile.denied deleted file mode 100644 index 47c2c25f..00000000 --- a/test/testdata/dockerfile/DS019/Dockerfile.denied +++ /dev/null @@ -1,4 +0,0 @@ -FROM fedora:27 -USER mike -RUN set -uex && dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && sed -i 's/\\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && dnf install -vy docker-ce -HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1 diff --git a/test/testdata/dockerfile/DS020/Dockerfile.allowed b/test/testdata/dockerfile/DS020/Dockerfile.allowed deleted file mode 100644 index b76d238a..00000000 --- a/test/testdata/dockerfile/DS020/Dockerfile.allowed +++ /dev/null @@ -1,5 +0,0 @@ -FROM alpine:3.5 -RUN zypper install bash && zypper clean -RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt -USER mike -CMD python /usr/src/app/app.py \ No newline at end of file diff --git a/test/testdata/dockerfile/DS020/Dockerfile.denied b/test/testdata/dockerfile/DS020/Dockerfile.denied deleted file mode 100644 index 22235094..00000000 --- a/test/testdata/dockerfile/DS020/Dockerfile.denied +++ /dev/null @@ -1,5 +0,0 @@ -FROM alpine:3.5 -RUN zypper install bash -RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt -USER mike -CMD python /usr/src/app/app.py \ No newline at end of file diff --git a/test/testdata/dockerfile/DS021/Dockerfile.allowed b/test/testdata/dockerfile/DS021/Dockerfile.allowed deleted file mode 100644 index 84d2c559..00000000 --- a/test/testdata/dockerfile/DS021/Dockerfile.allowed +++ /dev/null 
@@ -1,3 +0,0 @@ -FROM node:12 -USER mike -RUN apt-get -fmy install apt-utils && apt-get clean \ No newline at end of file diff --git a/test/testdata/dockerfile/DS021/Dockerfile.denied b/test/testdata/dockerfile/DS021/Dockerfile.denied deleted file mode 100644 index 988e111d..00000000 --- a/test/testdata/dockerfile/DS021/Dockerfile.denied +++ /dev/null @@ -1,3 +0,0 @@ -FROM node:12 -USER mike -RUN apt-get install apt-utils && apt-get clean \ No newline at end of file diff --git a/test/testdata/dockerfile/DS022/Dockerfile.allowed b/test/testdata/dockerfile/DS022/Dockerfile.allowed deleted file mode 100644 index eaa7e488..00000000 --- a/test/testdata/dockerfile/DS022/Dockerfile.allowed +++ /dev/null @@ -1,2 +0,0 @@ -FROM busybox:1.33.1 -USER mike \ No newline at end of file diff --git a/test/testdata/dockerfile/DS022/Dockerfile.denied b/test/testdata/dockerfile/DS022/Dockerfile.denied deleted file mode 100644 index aebd38f0..00000000 --- a/test/testdata/dockerfile/DS022/Dockerfile.denied +++ /dev/null @@ -1,3 +0,0 @@ -FROM busybox:1.33.1 -USER mike -MAINTAINER Lukas Martinelli \ No newline at end of file diff --git a/test/testdata/dockerfile/DS023/Dockerfile.allowed b/test/testdata/dockerfile/DS023/Dockerfile.allowed deleted file mode 100644 index 29c48f20..00000000 --- a/test/testdata/dockerfile/DS023/Dockerfile.allowed +++ /dev/null @@ -1,7 +0,0 @@ -FROM busybox:1.33.1 -HEALTHCHECK CMD /bin/healthcheck - -FROM alpine:3.13 -HEALTHCHECK CMD /bin/healthcheck -USER mike -CMD ./app diff --git a/test/testdata/dockerfile/DS023/Dockerfile.denied b/test/testdata/dockerfile/DS023/Dockerfile.denied deleted file mode 100644 index 6dc49ab5..00000000 --- a/test/testdata/dockerfile/DS023/Dockerfile.denied +++ /dev/null @@ -1,8 +0,0 @@ -FROM busybox:1.33.1 -HEALTHCHECK CMD curl http://localhost:8080 -HEALTHCHECK CMD /bin/healthcheck - -FROM alpine:3.13 -HEALTHCHECK CMD /bin/healthcheck -USER mike -CMD ./app 
diff --git a/test/testdata/dockerfile/DS024/Dockerfile.allowed b/test/testdata/dockerfile/DS024/Dockerfile.allowed deleted file mode 100644 index b5512870..00000000 --- a/test/testdata/dockerfile/DS024/Dockerfile.allowed +++ /dev/null @@ -1,4 +0,0 @@ -FROM debian:9.13 -RUN apt-get update && apt-get install -y curl && apt-get clean -USER mike -CMD python /usr/src/app/app.py diff --git a/test/testdata/dockerfile/DS024/Dockerfile.denied b/test/testdata/dockerfile/DS024/Dockerfile.denied deleted file mode 100644 index 7bc3ae89..00000000 --- a/test/testdata/dockerfile/DS024/Dockerfile.denied +++ /dev/null @@ -1,4 +0,0 @@ -FROM debian:9.13 -RUN apt-get update && apt-get dist-upgrade && apt-get -y install curl && apt-get clean -USER mike -CMD python /usr/src/app/app.py diff --git a/test/testdata/kubernetes/KSV001/allowed.yaml b/test/testdata/kubernetes/KSV001/allowed.yaml deleted file mode 100644 index f40d17d2..00000000 --- a/test/testdata/kubernetes/KSV001/allowed.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] - image: busybox - name: hello - securityContext: - allowPrivilegeEscalation: false diff --git a/test/testdata/kubernetes/KSV001/denied.yaml b/test/testdata/kubernetes/KSV001/denied.yaml deleted file mode 100644 index 3622b1bf..00000000 --- a/test/testdata/kubernetes/KSV001/denied.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] - image: busybox - name: hello - securityContext: - capabilities: - drop: - - all diff --git a/test/testdata/kubernetes/KSV002/allowed.yaml b/test/testdata/kubernetes/KSV002/allowed.yaml deleted file mode 100644 index c98da678..00000000 --- a/test/testdata/kubernetes/KSV002/allowed.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - container.apparmor.security.beta.kubernetes.io/hello: runtime/default - name: hello-apparmor -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello AppArmor!' && sleep 1h - image: busybox - name: hello \ No newline at end of file diff --git a/test/testdata/kubernetes/KSV002/denied.yaml b/test/testdata/kubernetes/KSV002/denied.yaml deleted file mode 100644 index a127b4b4..00000000 --- a/test/testdata/kubernetes/KSV002/denied.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - container.apparmor.security.beta.kubernetes.io/hello: custom - name: hello-apparmor -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello AppArmor!' && sleep 1h - image: busybox - name: hello \ No newline at end of file diff --git a/test/testdata/kubernetes/KSV003/allowed.yaml b/test/testdata/kubernetes/KSV003/allowed.yaml deleted file mode 100644 index 3622b1bf..00000000 --- a/test/testdata/kubernetes/KSV003/allowed.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] - image: busybox - name: hello - securityContext: - capabilities: - drop: - - all diff --git a/test/testdata/kubernetes/KSV003/denied.yaml b/test/testdata/kubernetes/KSV003/denied.yaml deleted file mode 100644 index 07754a35..00000000 --- a/test/testdata/kubernetes/KSV003/denied.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV005/allowed.yaml b/test/testdata/kubernetes/KSV005/allowed.yaml deleted file mode 100644 index ff08b26f..00000000 --- a/test/testdata/kubernetes/KSV005/allowed.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-sys-admin-capabilities -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV005/denied.yaml b/test/testdata/kubernetes/KSV005/denied.yaml deleted file mode 100644 index c34e9fad..00000000 --- a/test/testdata/kubernetes/KSV005/denied.yaml +++ /dev/null @@ -1,17 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-sys-admin-capabilities -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - securityContext: - capabilities: - add: - - SYS_ADMIN diff --git a/test/testdata/kubernetes/KSV006/allowed.yaml b/test/testdata/kubernetes/KSV006/allowed.yaml deleted file mode 100644 index 04f1710d..00000000 --- a/test/testdata/kubernetes/KSV006/allowed.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-docker-socket -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - volumes: - - name: test-volume diff --git a/test/testdata/kubernetes/KSV006/denied.yaml b/test/testdata/kubernetes/KSV006/denied.yaml deleted file mode 100644 index d7335ac9..00000000 --- a/test/testdata/kubernetes/KSV006/denied.yaml +++ /dev/null @@ -1,18 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-docker-socket -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - volumes: - - name: test-volume - hostPath: - path: "/var/run/docker.sock" - type: Directory diff --git a/test/testdata/kubernetes/KSV008/allowed.yaml b/test/testdata/kubernetes/KSV008/allowed.yaml deleted file mode 100644 index 6dd4513d..00000000 --- a/test/testdata/kubernetes/KSV008/allowed.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-ipc -spec: - hostIPC: false - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV008/denied.yaml b/test/testdata/kubernetes/KSV008/denied.yaml deleted file mode 100644 index 826f58a6..00000000 --- a/test/testdata/kubernetes/KSV008/denied.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-ipc -spec: - hostIPC: true - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV009/allowed.yaml b/test/testdata/kubernetes/KSV009/allowed.yaml deleted file mode 100644 index 61d615b1..00000000 --- a/test/testdata/kubernetes/KSV009/allowed.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-host-network -spec: - hostNetwork: false - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello \ No newline at end of file diff --git a/test/testdata/kubernetes/KSV009/denied.yaml b/test/testdata/kubernetes/KSV009/denied.yaml deleted file mode 100644 index 2b862ca5..00000000 --- a/test/testdata/kubernetes/KSV009/denied.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-host-network -spec: - hostNetwork: true - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello \ No newline at end of file diff --git a/test/testdata/kubernetes/KSV010/allowed.yaml b/test/testdata/kubernetes/KSV010/allowed.yaml deleted file mode 100644 index b215b5c7..00000000 --- a/test/testdata/kubernetes/KSV010/allowed.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-host-network -spec: - hostPID: false - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello \ No newline at end of file diff --git a/test/testdata/kubernetes/KSV010/denied.yaml b/test/testdata/kubernetes/KSV010/denied.yaml deleted file mode 100644 index 69acff1a..00000000 --- a/test/testdata/kubernetes/KSV010/denied.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-host-network -spec: - hostPID: true - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello \ No newline at end of file diff --git a/test/testdata/kubernetes/KSV011/allowed.yaml b/test/testdata/kubernetes/KSV011/allowed.yaml deleted file mode 100644 index f271ed67..00000000 --- a/test/testdata/kubernetes/KSV011/allowed.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - resources: - limits: - cpu: 500m diff --git a/test/testdata/kubernetes/KSV011/denied.yaml b/test/testdata/kubernetes/KSV011/denied.yaml deleted file mode 100644 index 71287dea..00000000 --- a/test/testdata/kubernetes/KSV011/denied.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV012/allowed.yaml b/test/testdata/kubernetes/KSV012/allowed.yaml deleted file mode 100644 index 0811a40e..00000000 --- a/test/testdata/kubernetes/KSV012/allowed.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] - image: busybox - name: hello - securityContext: - runAsNonRoot: true diff --git a/test/testdata/kubernetes/KSV012/denied.yaml b/test/testdata/kubernetes/KSV012/denied.yaml deleted file mode 100644 index 07754a35..00000000 --- a/test/testdata/kubernetes/KSV012/denied.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV013/allowed.yaml b/test/testdata/kubernetes/KSV013/allowed.yaml deleted file mode 100644 index f46dae03..00000000 --- a/test/testdata/kubernetes/KSV013/allowed.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-tag -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox:1.33.1 - name: hello diff --git a/test/testdata/kubernetes/KSV013/denied.yaml b/test/testdata/kubernetes/KSV013/denied.yaml deleted file mode 100644 index d6fd1939..00000000 --- a/test/testdata/kubernetes/KSV013/denied.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-tag -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox:latest - name: hello diff --git a/test/testdata/kubernetes/KSV014/allowed.yaml b/test/testdata/kubernetes/KSV014/allowed.yaml deleted file mode 100644 index 0ff96a44..00000000 --- a/test/testdata/kubernetes/KSV014/allowed.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-fs-not-readonly -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - securityContext: - readOnlyRootFilesystem: true 
diff --git a/test/testdata/kubernetes/KSV014/denied.yaml b/test/testdata/kubernetes/KSV014/denied.yaml deleted file mode 100644 index c15b769f..00000000 --- a/test/testdata/kubernetes/KSV014/denied.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-fs-not-readonly -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - securityContext: - readOnlyRootFilesystem: false diff --git a/test/testdata/kubernetes/KSV015/allowed.yaml b/test/testdata/kubernetes/KSV015/allowed.yaml deleted file mode 100644 index fd552363..00000000 --- a/test/testdata/kubernetes/KSV015/allowed.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - resources: - requests: - cpu: 250m diff --git a/test/testdata/kubernetes/KSV015/denied.yaml b/test/testdata/kubernetes/KSV015/denied.yaml deleted file mode 100644 index 71287dea..00000000 --- a/test/testdata/kubernetes/KSV015/denied.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV016/allowed.yaml b/test/testdata/kubernetes/KSV016/allowed.yaml deleted file mode 100644 index c43f990f..00000000 --- a/test/testdata/kubernetes/KSV016/allowed.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - resources: - requests: - memory: 64Mi diff --git a/test/testdata/kubernetes/KSV016/denied.yaml b/test/testdata/kubernetes/KSV016/denied.yaml deleted file mode 100644 index 71287dea..00000000 
--- a/test/testdata/kubernetes/KSV016/denied.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV017/allowed.yaml b/test/testdata/kubernetes/KSV017/allowed.yaml deleted file mode 100644 index b608e5c7..00000000 --- a/test/testdata/kubernetes/KSV017/allowed.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-privileged -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV017/denied.yaml b/test/testdata/kubernetes/KSV017/denied.yaml deleted file mode 100644 index 620f6497..00000000 --- a/test/testdata/kubernetes/KSV017/denied.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-privileged -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - securityContext: - privileged: true diff --git a/test/testdata/kubernetes/KSV018/allowed.yaml b/test/testdata/kubernetes/KSV018/allowed.yaml deleted file mode 100644 index eb00e56e..00000000 --- a/test/testdata/kubernetes/KSV018/allowed.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - resources: - limits: - memory: 128Mi diff --git a/test/testdata/kubernetes/KSV018/denied.yaml b/test/testdata/kubernetes/KSV018/denied.yaml deleted file mode 100644 index 6bf001e3..00000000 --- a/test/testdata/kubernetes/KSV018/denied.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - 
diff --git a/test/testdata/kubernetes/KSV020/allowed.yaml b/test/testdata/kubernetes/KSV020/allowed.yaml deleted file mode 100644 index 36f7916b..00000000 --- a/test/testdata/kubernetes/KSV020/allowed.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-gid -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - securityContext: - runAsUser: 10004 diff --git a/test/testdata/kubernetes/KSV020/denied.yaml b/test/testdata/kubernetes/KSV020/denied.yaml deleted file mode 100644 index e9dbef33..00000000 --- a/test/testdata/kubernetes/KSV020/denied.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-gid -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV021/allowed.yaml b/test/testdata/kubernetes/KSV021/allowed.yaml deleted file mode 100644 index f176cb07..00000000 --- a/test/testdata/kubernetes/KSV021/allowed.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-gid -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - securityContext: - runAsGroup: 10004 diff --git a/test/testdata/kubernetes/KSV021/denied.yaml b/test/testdata/kubernetes/KSV021/denied.yaml deleted file mode 100644 index e9dbef33..00000000 --- a/test/testdata/kubernetes/KSV021/denied.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-gid -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV022/allowed.yaml b/test/testdata/kubernetes/KSV022/allowed.yaml deleted file mode 100644 index 1e4b014e..00000000 --- a/test/testdata/kubernetes/KSV022/allowed.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-add-capabilities -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV022/denied.yaml b/test/testdata/kubernetes/KSV022/denied.yaml deleted file mode 100644 index 3e5b7aec..00000000 --- a/test/testdata/kubernetes/KSV022/denied.yaml +++ /dev/null @@ -1,17 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-add-capabilities -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - securityContext: - capabilities: - add: - - NET_BIND_SERVICE \ No newline at end of file diff --git a/test/testdata/kubernetes/KSV023/allowed.yaml b/test/testdata/kubernetes/KSV023/allowed.yaml deleted file mode 100644 index 8c198274..00000000 --- a/test/testdata/kubernetes/KSV023/allowed.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-host-path -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV023/denied.yaml b/test/testdata/kubernetes/KSV023/denied.yaml deleted file mode 100644 index da474eb9..00000000 --- a/test/testdata/kubernetes/KSV023/denied.yaml +++ /dev/null @@ -1,17 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-host-path -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - volumes: - - hostPath: - path: "/sys" - type: '' diff --git a/test/testdata/kubernetes/KSV024/allowed.yaml b/test/testdata/kubernetes/KSV024/allowed.yaml deleted file mode 100644 index 24b1c975..00000000 --- a/test/testdata/kubernetes/KSV024/allowed.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-host-ports -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello \ No newline at end of file diff --git a/test/testdata/kubernetes/KSV024/denied.yaml b/test/testdata/kubernetes/KSV024/denied.yaml deleted file mode 100644 index f23d66ed..00000000 --- a/test/testdata/kubernetes/KSV024/denied.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-host-ports -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - ports: - - hostPort: 8080 \ No newline at end of file diff --git a/test/testdata/kubernetes/KSV025/allowed.yaml b/test/testdata/kubernetes/KSV025/allowed.yaml deleted file mode 100644 index 508ad7b2..00000000 --- a/test/testdata/kubernetes/KSV025/allowed.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-selinux -spec: - securityContext: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello \ No newline at end of file diff --git a/test/testdata/kubernetes/KSV025/denied.yaml b/test/testdata/kubernetes/KSV025/denied.yaml deleted file mode 100644 index 9fbaa41d..00000000 --- a/test/testdata/kubernetes/KSV025/denied.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-selinux -spec: - securityContext: - seLinuxOptions: - type: custom - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello \ No newline at end of file diff --git a/test/testdata/kubernetes/KSV026/allowed.yaml b/test/testdata/kubernetes/KSV026/allowed.yaml deleted file mode 100644 index 9ff2d7bc..00000000 --- a/test/testdata/kubernetes/KSV026/allowed.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-sysctls -spec: - securityContext: - sysctls: - - name: kernel.shm_rmid_forced - value: '0' - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV026/denied.yaml b/test/testdata/kubernetes/KSV026/denied.yaml deleted file mode 100644 index 69eed5d6..00000000 --- a/test/testdata/kubernetes/KSV026/denied.yaml +++ /dev/null @@ -1,19 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-sysctls -spec: - securityContext: - sysctls: - - name: net.core.somaxconn - value: '1024' - - name: kernel.msgmax - value: '65536' - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello diff --git a/test/testdata/kubernetes/KSV027/allowed.yaml b/test/testdata/kubernetes/KSV027/allowed.yaml deleted file mode 100644 index 40b8c24a..00000000 --- a/test/testdata/kubernetes/KSV027/allowed.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-proc-mount -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - ports: - - hostPort: 8080 diff --git a/test/testdata/kubernetes/KSV027/denied.yaml b/test/testdata/kubernetes/KSV027/denied.yaml deleted file mode 100644 index 40354e4e..00000000 --- a/test/testdata/kubernetes/KSV027/denied.yaml +++ /dev/null @@ -1,17 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-proc-mount -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - ports: - - hostPort: 8080 - securityContext: - procMount: Unmasked diff --git a/test/testdata/kubernetes/KSV028/allowed.yaml b/test/testdata/kubernetes/KSV028/allowed.yaml deleted file mode 100644 index a2f93da0..00000000 --- a/test/testdata/kubernetes/KSV028/allowed.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-volume-types -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - volumes: - - name: volume-a diff --git a/test/testdata/kubernetes/KSV028/denied.yaml b/test/testdata/kubernetes/KSV028/denied.yaml deleted file mode 100644 index 57fc35cf..00000000 --- a/test/testdata/kubernetes/KSV028/denied.yaml +++ /dev/null @@ -1,24 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-volume-types -spec: - containers: - - command: - - sh - - "-c" - - echo 'Hello' && sleep 1h - image: busybox - name: hello - volumes: - - name: volume-a - scaleIO: - gateway: https://localhost:443/api - system: scaleio - protectionDomain: sd0 - storagePool: sp1 - volumeName: vol-a - secretRef: - name: sio-secret - fsType: xfs diff --git a/test/testdata/kubernetes/KSV030/allowed.yaml b/test/testdata/kubernetes/KSV030/allowed.yaml deleted file mode 100644 index 48b8c1d4..00000000 --- a/test/testdata/kubernetes/KSV030/allowed.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] - image: busybox - name: hello - securityContext: - seccompProfile: - type: RuntimeDefault - localhostProfile: profiles/audit.json \ No newline at end of file diff --git a/test/testdata/kubernetes/KSV030/denied.yaml b/test/testdata/kubernetes/KSV030/denied.yaml deleted file mode 100644 index 45b3bd31..00000000 --- a/test/testdata/kubernetes/KSV030/denied.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] - image: busybox - name: hello - securityContext: - seccompProfile: - type: LocalPort - localhostProfile: profiles/audit.json \ No newline at end of file 
diff --git a/test/testdata/kubernetes/KSV036/allowed.yaml b/test/testdata/kubernetes/KSV036/allowed.yaml deleted file mode 100644 index 42a9ded8..00000000 --- a/test/testdata/kubernetes/KSV036/allowed.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: mypod - namespace: test - labels: - name: mypod -spec: - containers: - - name: mypod - image: nginx - diff --git a/test/testdata/kubernetes/KSV036/denied.yaml b/test/testdata/kubernetes/KSV036/denied.yaml deleted file mode 100644 index e69de29b..00000000 diff --git a/test/testdata/kubernetes/KSV037/allowed.yaml b/test/testdata/kubernetes/KSV037/allowed.yaml deleted file mode 100644 index 99c22f0a..00000000 --- a/test/testdata/kubernetes/KSV037/allowed.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: mypod - namespace: test - labels: - name: mypod -spec: - automountServiceAccountToken: true - containers: - - name: mypod - image: nginx - diff --git a/test/testdata/kubernetes/KSV037/denied.yaml b/test/testdata/kubernetes/KSV037/denied.yaml deleted file mode 100644 index c42d41e0..00000000 --- a/test/testdata/kubernetes/KSV037/denied.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: mypod - namespace: kube-system - labels: - name: mypod -spec: - containers: - - name: mypod - image: nginx - diff --git a/test/testdata/kubernetes/KSV038/allowed.yaml b/test/testdata/kubernetes/KSV038/allowed.yaml deleted file mode 100644 index ccdac794..00000000 --- a/test/testdata/kubernetes/KSV038/allowed.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: NetworkPolicy -metadata: - name: hello-cpu-limit -spec: - podSelector: - matchLabels: - role: db diff --git a/test/testdata/kubernetes/KSV038/denied.yaml b/test/testdata/kubernetes/KSV038/denied.yaml deleted file mode 100644 index ed554dac..00000000 --- a/test/testdata/kubernetes/KSV038/denied.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ -apiVersion: v1 -kind: NetworkPolicy -metadata: - name: hello-cpu-limit -spec: - something: true diff --git a/test/testdata/kubernetes/KSV102/allowed.yaml b/test/testdata/kubernetes/KSV102/allowed.yaml deleted file mode 100644 index 3b6b9f49..00000000 --- a/test/testdata/kubernetes/KSV102/allowed.yaml +++ /dev/null @@ -1,24 +0,0 @@ ---- -apiVersion: apps/v1beta2 -kind: Deployment -metadata: - name: Onga -spec: - template: - spec: - containers: - - name: carts-db - image: mongo - securityContext: - runAsNonRoot: true - allowPrivilegeEscalation: true - initContainers: - - name: init-svc - image: busybox:1.28 - securityContext: - allowPrivilegeEscalation: false - metadata: - name: None - labels: - app: example - tier: backend diff --git a/test/testdata/kubernetes/KSV102/denied.yaml b/test/testdata/kubernetes/KSV102/denied.yaml deleted file mode 100644 index c760bc68..00000000 --- a/test/testdata/kubernetes/KSV102/denied.yaml +++ /dev/null @@ -1,19 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mongo-deployment -spec: - template: - spec: - containers: - - name: carts-db - image: tiller - securityContext: - runAsNonRoot: true - allowPrivilegeEscalation: true - initContainers: - - name: init-svc - image: busybox:1.28 - securityContext: - allowPrivilegeEscalation: false diff --git a/test/testdata/kubernetes/optional/KSV004/allowed.yaml b/test/testdata/kubernetes/optional/KSV004/allowed.yaml deleted file mode 100644 index 3622b1bf..00000000 --- a/test/testdata/kubernetes/optional/KSV004/allowed.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] - image: busybox - name: hello - securityContext: - capabilities: - drop: - - all diff --git a/test/testdata/kubernetes/optional/KSV004/denied.yaml b/test/testdata/kubernetes/optional/KSV004/denied.yaml deleted file mode 100644 index dc02a266..00000000 
--- a/test/testdata/kubernetes/optional/KSV004/denied.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - command: ["sh", "-c", "echo 'Hello' && sleep 1h"] - image: busybox - name: hello - securityContext: - capabilities: diff --git a/test/testdata/kubernetes/optional/KSV007/allowed.yaml b/test/testdata/kubernetes/optional/KSV007/allowed.yaml deleted file mode 100644 index 86b25607..00000000 --- a/test/testdata/kubernetes/optional/KSV007/allowed.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: diff --git a/test/testdata/kubernetes/optional/KSV007/denied.yaml b/test/testdata/kubernetes/optional/KSV007/denied.yaml deleted file mode 100644 index a9480234..00000000 --- a/test/testdata/kubernetes/optional/KSV007/denied.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - hostAliases: - - ip: "127.0.0.1" - hostnames: - - "foo.local" - - "bar.local" diff --git a/test/testdata/kubernetes/optional/KSV032/allowed.yaml b/test/testdata/kubernetes/optional/KSV032/allowed.yaml deleted file mode 100644 index 5809dcb0..00000000 --- a/test/testdata/kubernetes/optional/KSV032/allowed.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - name: hello - image: azurecr.io/something diff --git a/test/testdata/kubernetes/optional/KSV032/denied.yaml b/test/testdata/kubernetes/optional/KSV032/denied.yaml deleted file mode 100644 index 0d9857ca..00000000 --- a/test/testdata/kubernetes/optional/KSV032/denied.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - name: hello - image: blah/something diff --git a/test/testdata/kubernetes/optional/KSV033/allowed.yaml b/test/testdata/kubernetes/optional/KSV033/allowed.yaml deleted file mode 100644 index 4c8bfa57..00000000 
--- a/test/testdata/kubernetes/optional/KSV033/allowed.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - name: hello - image: gcr.io/something diff --git a/test/testdata/kubernetes/optional/KSV033/denied.yaml b/test/testdata/kubernetes/optional/KSV033/denied.yaml deleted file mode 100644 index 0d9857ca..00000000 --- a/test/testdata/kubernetes/optional/KSV033/denied.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - name: hello - image: blah/something diff --git a/test/testdata/kubernetes/optional/KSV034/allowed.yaml b/test/testdata/kubernetes/optional/KSV034/allowed.yaml deleted file mode 100644 index 5809dcb0..00000000 --- a/test/testdata/kubernetes/optional/KSV034/allowed.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - name: hello - image: azurecr.io/something diff --git a/test/testdata/kubernetes/optional/KSV034/denied.yaml b/test/testdata/kubernetes/optional/KSV034/denied.yaml deleted file mode 100644 index b7f7eef0..00000000 --- a/test/testdata/kubernetes/optional/KSV034/denied.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - name: hello - image: ghcr.io/something diff --git a/test/testdata/kubernetes/optional/KSV035/allowed.yaml b/test/testdata/kubernetes/optional/KSV035/allowed.yaml deleted file mode 100644 index feaa3199..00000000 --- a/test/testdata/kubernetes/optional/KSV035/allowed.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - name: hello - image: ecr.us-east-2.amazonaws.com/something diff --git a/test/testdata/kubernetes/optional/KSV035/denied.yaml b/test/testdata/kubernetes/optional/KSV035/denied.yaml deleted file mode 100644 index 0d9857ca..00000000 
--- a/test/testdata/kubernetes/optional/KSV035/denied.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: hello-cpu-limit -spec: - containers: - - name: hello - image: blah/something diff --git a/test/testdata/kubernetes/optional/KSV039/allowed.yaml b/test/testdata/kubernetes/optional/KSV039/allowed.yaml deleted file mode 100644 index 7844f5db..00000000 --- a/test/testdata/kubernetes/optional/KSV039/allowed.yaml +++ /dev/null @@ -1,35 +0,0 @@ ---- -apiVersion: v1 -kind: LimitRange -metadata: - name: core-resource-limits -spec: - limits: - - type: Pod - default: - cpu: '2' - memory: 1Gi - defaultRequest: - cpu: '2' - memory: 1Gi - max: - cpu: '2' - memory: 1Gi - min: - cpu: 200m - memory: 6Mi - - type: Container - max: - cpu: '2' - memory: 1Gi - min: - cpu: 100m - memory: 4Mi - default: - cpu: 300m - memory: 200Mi - defaultRequest: - cpu: 200m - memory: 100Mi - maxLimitRequestRatio: - cpu: '10' \ No newline at end of file diff --git a/test/testdata/kubernetes/optional/KSV039/denied.yaml b/test/testdata/kubernetes/optional/KSV039/denied.yaml deleted file mode 100644 index b53d2971..00000000 --- a/test/testdata/kubernetes/optional/KSV039/denied.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: LimitRange -metadata: - name: cpu-limit-range -spec: - limits: - - default: - cpu: 1 - defaultRequest: - cpu: 0.5 - type: Container diff --git a/test/testdata/kubernetes/optional/KSV040/allowed.yaml b/test/testdata/kubernetes/optional/KSV040/allowed.yaml deleted file mode 100644 index cf9bbf2d..00000000 --- a/test/testdata/kubernetes/optional/KSV040/allowed.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -apiVersion: v1 -kind: ResourceQuota -metadata: - name: mem-cpu-demo -spec: - hard: - requests.cpu: '1' - requests.memory: 1Gi - limits.cpu: '2' - limits.memory: 2Gi diff --git a/test/testdata/kubernetes/optional/KSV040/denied.yaml b/test/testdata/kubernetes/optional/KSV040/denied.yaml deleted file mode 100644 index b73d6e67..00000000 
--- a/test/testdata/kubernetes/optional/KSV040/denied.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: v1 -kind: ResourceQuota -metadata: - name: mem-cpu-demo -spec: - hard: - requests.cpu: '1' - requests.memory: 1Gi - limits.cpu: '2'