Add Service Does Not Target Pod query for Kubernetes Checkmarx#1430 (C…

…heckmarx#1431)

assets/queries/k8s/service_does_not_target_pod/metadata.json

@@ -0,0 +1,8 @@
+{
+  "id": "service_does not_target_pod",
+  "queryName": "Service Does Not Target Pod",
+  "severity": "LOW",
+  "category": "Networking",
+  "descriptionText": "Service should Target a Pod",
+  "descriptionUrl": "https://kubernetes.io/docs/concepts/services-networking/service/"
+}

assets/queries/k8s/service_does_not_target_pod/query.rego

@@ -0,0 +1,54 @@
+package Cx
+
+CxPolicy [ result ] {
+
+  service := input.document[i]
+  service.kind == "Service"
+  metadata := service.metadata
+  ports := service.spec.ports
+  servicePorts := ports[j]
+  contains(service.spec.selector.app)
+  not confirmPorts(servicePorts)
+
+  result := {
+                "documentId": 		input.document[i].id,
+                "searchKey": 	    sprintf("metadata.name=%s.spec.ports.name=%s.targetPort", [metadata.name,ports[k].name]),
+                "issueType":		"IncorrectValue",
+                "keyExpectedValue": sprintf("metadata.name=%s.spec.ports=%s.targetPort has a Pod Port", [metadata.name,servicePorts.name]),
+                "keyActualValue": 	sprintf("metadata.name=%s.spec.ports=%s.targetPort does not have a Pod Port", [metadata.name,servicePorts.name])
+            }
+}
+
+CxPolicy [ result ] {
+
+  service := input.document[i]
+  service.kind == "Service"
+  metadata := service.metadata
+  ports := service.spec.ports
+  servicePorts := ports[j]
+  not contains(service.spec.selector.app)
+
+
+
+  result := {
+                "documentId": 		input.document[i].id,
+                "searchKey": 	    sprintf("metadata.name=%s.spec.selector.app", [metadata.name]),
+                "issueType":		"IncorrectValue",
+                "keyExpectedValue": sprintf("metadata.name=%s.spec.selector.app Pod label match with Service", [metadata.name]),
+                "keyActualValue": 	sprintf("metadata.name=%s.spec.selector.app Pod label does not match with Service", [metadata.name])
+            }
+}
+
+confirmPorts(servicePorts) = true {
+	pod := input.document[i]
+    pod.kind == "Pod"
+    containers := pod.spec.containers[j]
+    containers.ports[k].containerPort == servicePorts.targetPort
+} else = false {true}
+
+contains(string) = true {
+	pod := input.document[i]
+    pod.kind == "Pod"
+	pod.metadata.labels.app == string
+} else = false {true}
+

assets/queries/k8s/service_does_not_target_pod/test/negative.yaml

@@ -0,0 +1,30 @@
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: helloworld
+spec:
+  type: NodePort
+  selector:
+    app: helloworld
+  ports:
+    - name: http
+      nodePort: 30475
+      port: 8089
+      protocol: TCP
+      targetPort: 8089
+
+---
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+  labels:
+    app: helloworld
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+    ports:
+      - containerPort: 8089

assets/queries/k8s/service_does_not_target_pod/test/positive.yaml

@@ -0,0 +1,47 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: helloworld
+spec:
+  type: NodePort
+  selector:
+    app: helloworld
+  ports:
+    - name: http
+      nodePort: 30475
+      port: 8089
+      protocol: TCP
+      targetPort: 8089
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: helloworld2
+spec:
+  type: NodePort
+  selector:
+    app: helloworld2
+  ports:
+    - name: http
+      nodePort: 30475
+      port: 9377
+      protocol: TCP
+      targetPort: 9377
+
+---
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx2
+  labels:
+    app: helloworld
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+    ports:
+      - containerPort: 9377
+

assets/queries/k8s/service_does_not_target_pod/test/positive_expected_result.json

@@ -0,0 +1,12 @@
+[
+	{
+		"queryName": "Service Does Not Target Pod",
+		"severity": "LOW",
+		"line": 14
+	},
+	{
+		"queryName": "Service Does Not Target Pod",
+		"severity": "LOW",
+		"line": 25
+	}
+]