feat(query): Added Authorization Mode Node Not Set for Kubernetes (Ch…

…eckmarx#5070) * + Authorization Mode Node Not Set * + added func to k8s library and description change
Dipesh-Reen · Mar 29, 2022 · 397c9a0 · 397c9a0
1 parent 1cf3067
commit 397c9a0
Show file tree

Hide file tree

Showing 8 changed files with 101 additions and 17 deletions.
diff --git a/assets/queries/k8s/authorization_mode_node_not_set/metadata.json b/assets/queries/k8s/authorization_mode_node_not_set/metadata.json
@@ -0,0 +1,10 @@
+{
+  "id": "4d7ee40f-fc5d-427d-8cac-dffbe22d42d1",
+  "queryName": "Authorization Mode Node Not Set",
+  "severity": "MEDIUM",
+  "category": "Insecure Configurations",
+  "descriptionText": "When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode",
+  "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
+  "platform": "Kubernetes",
+  "descriptionID": "1d944481"
+}
diff --git a/assets/queries/k8s/authorization_mode_node_not_set/query.rego b/assets/queries/k8s/authorization_mode_node_not_set/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.k8s as k8sLib
+
+CxPolicy[result] {
+	resource := input.document[i]
+	metadata := resource.metadata
+	specInfo := k8sLib.getSpecInfo(resource)
+	types := {"initContainers", "containers"}
+	container := specInfo.spec[types[x]][j]
+	common_lib.inArray(container.command, "kube-apiserver")
+	not k8sLib.hasFlagWithValue(container, "--authorization-mode", "Node")
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.command", [metadata.name, specInfo.path, types[x], container.name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": "--authorization-mode flag contains 'Node' mode",
+		"keyActualValue": "--authorization-mode flag does not contain 'Node' mode",
+		"searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]),
+	}
+}
+
diff --git a/assets/queries/k8s/authorization_mode_node_not_set/test/negative1.yaml b/assets/queries/k8s/authorization_mode_node_not_set/test/negative1.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: command-demo
+  labels:
+    purpose: demonstrate-command
+spec:
+  containers:
+    - name: command-demo-container
+      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+      command: ["kube-apiserver"]
+      args: ["--authorization-mode=RBAC,Node"]
+  restartPolicy: OnFailure
diff --git a/assets/queries/k8s/authorization_mode_node_not_set/test/negative2.yaml b/assets/queries/k8s/authorization_mode_node_not_set/test/negative2.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: command-demo
+  labels:
+    purpose: demonstrate-command
+spec:
+  containers:
+    - name: command-demo-container
+      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+      command: ["kube-apiserver","--authorization-mode=RBAC,Node"]
+      args: []
+  restartPolicy: OnFailure
diff --git a/assets/queries/k8s/authorization_mode_node_not_set/test/positive1.yaml b/assets/queries/k8s/authorization_mode_node_not_set/test/positive1.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: command-demo
+  labels:
+    purpose: demonstrate-command
+spec:
+  containers:
+    - name: command-demo-container
+      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+      command: ["kube-apiserver"]
+      args: ["--authorization-mode=AlwaysAllow"]
+  restartPolicy: OnFailure
diff --git a/assets/queries/k8s/authorization_mode_node_not_set/test/positive2.yaml b/assets/queries/k8s/authorization_mode_node_not_set/test/positive2.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: command-demo
+  labels:
+    purpose: demonstrate-command
+spec:
+  containers:
+    - name: command-demo-container
+      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+      command: ["kube-apiserver"]
+      args: ["--authorization-mode=RBAC"]
+  restartPolicy: OnFailure
diff --git a/assets/queries/k8s/authorization_mode_node_not_set/test/positive_expected_result.json b/assets/queries/k8s/authorization_mode_node_not_set/test/positive_expected_result.json
@@ -0,0 +1,14 @@
+[
+  {
+    "queryName": "Authorization Mode Node Not Set",
+    "severity": "MEDIUM",
+    "line": 11,
+    "filename": "positive1.yaml"
+  },
+  {
+    "queryName": "Authorization Mode Node Not Set",
+    "severity": "MEDIUM",
+    "line": 11,
+    "filename": "positive2.yaml"
+  }
+]
diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/query.rego b/assets/queries/k8s/authorization_mode_set_to_always_allow/query.rego
@@ -12,7 +12,7 @@ CxPolicy[result] {
 	commands := ["kube-apiserver", "kubelet"]
 
 	common_lib.inArray(container.command, commands[_])
-	hasFlagWithValue(container, "--authorization-mode", "AlwaysAllow")
+	k8sLib.hasFlagWithValue(container, "--authorization-mode", "AlwaysAllow")
 
 	result := {
 		"documentId": input.document[i].id,
@@ -38,19 +38,3 @@ CxPolicy[result] {
 	}
 }
 
-hasFlagWithValue(container, flag, value) {
-	command := container.command
-	startswith(command[a], flag)
-	values := split(command[a], "=")[1]
-	hasValue(values, value)
-} else {
-	args := container.args
-	startswith(args[a], flag)
-	values := split(args[a], "=")[1]
-	hasValue(values, value)
-}
-
-hasValue(values, value) {
-	splittedValues := split(values, ",")
-	splittedValues[_] == value
-}