Feat(Query): added "Kubelet Streaming Connection Timeout Disabled" fo…
…r Kubernetes (Checkmarx#5007)

* kubernetes yaml streaming flag timeout=0 query

* Update query.rego

* Added search line, removed unnecessary funcs

* fixed search line

* cookies

* uncomment search line

* updated query name

* updates folder name

* change query searchkey, keyExpectedValue

* added samples

* changed key expected value and samples image

* changed --extra

* Update negative1.yaml

* Update positive1.yaml
cxAndreFelicidade authored Mar 21, 2022
1 parent b196991 commit 458e9ff
Showing 9 changed files with 131 additions and 0 deletions.
@@ -0,0 +1,10 @@
{
"id": "ed89b97d-04e9-4fd4-919f-ee5b27e555e9",
"queryName": "Kubelet Streaming Connection Timeout Disabled",
"severity": "MEDIUM",
"category": "Networking and Firewall",
"descriptionText": "The flag --streaming-connection-idle-timeout should not be set to 0",
"descriptionUrl": "https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/",
"platform": "Kubernetes",
"descriptionID": "f0a2431d"
}
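Review bot: `descriptionUrl` on L51 points at the generic "Define a Command and Arguments for a Container" task page, which does not mention this kubelet setting at all, so a user who clicks through from a finding gets no explanation of the risk; the kubelet command-line reference, or the KubeletConfiguration API reference for the `streamingConnectionIdleTimeout` field, is where the setting is actually documented. `descriptionText` would also be more useful with the why, e.g. `"The flag --streaming-connection-idle-timeout should not be set to 0, as that disables the idle timeout for exec/attach/port-forward streams and lets abandoned connections hold kubelet resources indefinitely"`, which is the rationale the kubelet documentation gives for the flag as far as I recall. Whether MEDIUM is the right severity for a resource-exhaustion-only issue is a maintainer call, but the description should at least let the reader make that judgement.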
@@ -0,0 +1,39 @@
package Cx

import data.generic.common as common_lib
import data.generic.k8s as k8sLib

CxPolicy[result] {
resource := input.document[i]
metadata := resource.metadata
specInfo := k8sLib.getSpecInfo(resource)
types := {"initContainers", "containers"}
container := specInfo.spec[types[x]][j]
command := "kubelet"

common_lib.inArray(container.command, command)
k8sLib.hasFlag(container, "--streaming-connection-idle-timeout=0")

result := {
"documentId": input.document[i].id,
"searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.command", [metadata.name, specInfo.path, types[x], container.name]),
"issueType": "IncorrectValue",
"keyExpectedValue": "--streaming-connection-idle-timeout flag not to be 0",
"keyActualValue": "--streaming-connection-idle-timeout flag is 0",
"searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"])
}
}

CxPolicy[result] {
resource := input.document[i]
resource.kind == "KubeletConfiguration"
resource.streamingConnectionIdleTimeout == "0s"

result := {
"documentId": input.document[i].id,
"searchKey": "kind={{KubeletConfiguration}}.streamingConnectionIdleTimeout",
"issueType": "IncorrectValue",
"keyExpectedValue": "streamingConnectionIdleTimeout not to be 0s",
"keyActualValue": "streamingConnectionIdleTimeout is 0s",
}
}
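Review bot: Both rules match only one spelling of a zero timeout, so `--streaming-connection-idle-timeout=0s` on the command line (L71 matches the literal `...=0`) and `streamingConnectionIdleTimeout: 0` or `0m` in a KubeletConfiguration (L86 compares against the string `"0s"`) are not flagged even though the kubelet parses all of them as a zero duration. A small helper that accepts any Go-style zero duration, applied to the config value through `sprintf("%v", ...)` so an unquoted YAML `0` is handled too, closes the config-side gap; the flag side depends on what `k8sLib.hasFlag` accepts, which is outside this diff, so it presumably needs an equivalent pattern form if the helper only takes a literal. Separately, the first rule always points `searchKey`/`searchLine` at `.command` while the positive fixture carries the flag in `args`, so the reported line is the `command:` line rather than the one holding the value; either point at `args` when the flag is found there or note the limitation in a comment above L75. The second rule also omits `searchLine`, unlike the first; adding one, presumably `common_lib.build_search_line([], ["streamingConnectionIdleTimeout"])`, would make the two results consistent.
```rego
# Matches any Go-style duration the kubelet parses as zero ("0", "0s", "0m", "0h0m0s", ...).
isZeroDuration(value) {
	regex.match("^(0+(ns|us|µs|ms|s|m|h)?)+$", value)
}

CxPolicy[result] {
	resource := input.document[i]
	resource.kind == "KubeletConfiguration"
	isZeroDuration(sprintf("%v", [resource.streamingConnectionIdleTimeout]))

	# … unchanged: result construction …
}
```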
@@ -0,0 +1,13 @@
apiVersion: v1
kind: Pod
metadata:
name: command-demo
labels:
purpose: demonstrate-command
spec:
containers:
- name: command-demo-container
image: joaodanielrufino/kubelet
command: ["kubelet"]
args: [""]
restartPolicy: OnFailure
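Review bot: This negative fixture only shows a kubelet container with no timeout flag at all (L109 `args: [""]`), so it never demonstrates that a non-zero value is accepted; if the query's literal match is later broadened to catch `=0s`/`=0m`, a mistake that also flags non-zero values would slip past these samples. Adding a container or file with `args: ["--streaming-connection-idle-timeout=4h"]` (the documented kubelet default) would pin the intended boundary. The `image:` on L107 references a personal registry image; that is harmless in a static fixture but a neutral placeholder would avoid implying the image is required.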
@@ -0,0 +1,7 @@
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
address: "192.168.0.8"
port: 20250
serializeImagePulls: false
evictionHard:
memory.available: "200Mi"
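Review bot: This configuration omits `streamingConnectionIdleTimeout` entirely, so the negative case proves only that an absent field is not flagged; it says nothing about a non-zero value such as `streamingConnectionIdleTimeout: 4h` (the documented kubelet default), which is the case most likely to regress if the `== "0s"` comparison in the query is ever broadened. Adding that line here, and mirroring it in the JSON twin, would cover it.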
@@ -0,0 +1,10 @@
{
"address": "192.168.0.8",
"apiVersion": "kubelet.config.k8s.io/v1beta1",
"evictionHard": {
"memory.available": "200Mi"
},
"kind": "KubeletConfiguration",
"port": 20250,
"serializeImagePulls": false
}
@@ -0,0 +1,13 @@
apiVersion: v1
kind: Pod
metadata:
name: command-demo
labels:
purpose: demonstrate-command
spec:
containers:
- name: command-demo-container
image: joaodanielrufino/kubelet
command: ["kubelet"]
args: ["--streaming-connection-idle-timeout=0"]
restartPolicy: OnFailure
@@ -0,0 +1,8 @@
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
address: "192.168.0.8"
port: 20250
serializeImagePulls: false
evictionHard:
memory.available: "200Mi"
streamingConnectionIdleTimeout: 0s
@@ -0,0 +1,11 @@
{
"apiVersion": "kubelet.config.k8s.io/v1beta1",
"evictionHard": {
"memory.available": "200Mi"
},
"kind": "KubeletConfiguration",
"serializeImagePulls": false,
"address": "192.168.0.8",
"port": 20250,
"streamingConnectionIdleTimeout": "0s"
}
@@ -0,0 +1,20 @@
[
{
"queryName": "Kubelet Streaming Connection Timeout Disabled",
"severity": "MEDIUM",
"line": 11,
"filename": "positive1.yaml"
},
{
"queryName": "Kubelet Streaming Connection Timeout Disabled",
"severity": "MEDIUM",
"line": 8,
"filename": "positive2.yaml"
},
{
"queryName": "Kubelet Streaming Connection Timeout Disabled",
"severity": "MEDIUM",
"line": 10,
"filename": "positive3.json"
}
]
