forked from Checkmarx/kics
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(query): ETCD Not Unique Certificate Authority for Kubernetes (Ch…
…eckmarx#5035) * + Not Unique Certificate Authority * changed desc and add search line * new commit * change positive samples
- Loading branch information
1 parent
d885515
commit 96e9a12
Showing
5 changed files
with
150 additions
and
0 deletions.
There are no files selected for viewing
11 changes: 11 additions & 0 deletions
11
assets/queries/k8s/not_unique_certificate_authority/metadata.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| { | ||
| "id": "cb7e695d-6a85-495c-b15f-23aed2519303", | ||
| "queryName": "Not Unique Certificate Authority", | ||
| "severity": "MEDIUM", | ||
| "category": "Secret Management", | ||
| "descriptionText": "Certificate Authority should be unique for etcd", | ||
| "descriptionUrl": "https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/", | ||
| "platform": "Kubernetes", | ||
| "descriptionID": "d2c6c9e8" | ||
| } | ||
|
|
51 changes: 51 additions & 0 deletions
51
assets/queries/k8s/not_unique_certificate_authority/query.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| package Cx | ||
|
|
||
| import data.generic.common as common_lib | ||
| import data.generic.k8s as k8s_lib | ||
|
|
||
|
|
||
| CxPolicy[result] { | ||
| resource := input.document[i] | ||
| metadata := resource.metadata | ||
| specInfo := k8s_lib.getSpecInfo(resource) | ||
| types := {"initContainers", "containers"} | ||
| container := specInfo.spec[types[x]][j] | ||
| common_lib.inArray(container.command, "etcd") | ||
| trusted_path := getTrustedPath(container) | ||
| resource_aux := input.document[_] | ||
| client_path := getClientPath(resource_aux) | ||
| trusted_path == client_path | ||
|
|
||
| result := { | ||
| "documentId": input.document[i].id, | ||
| "searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.command", [metadata.name, specInfo.path, types[x], container.name]), | ||
| "issueType": "IncorrectValue", | ||
| "keyExpectedValue": "Trusted Certificate Authentication File should not be the same of a Client Certificate Authentication File", | ||
| "keyActualValue": "Trusted Certificate Authentication File is the same of a Client Certificate Authentication File", | ||
| "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]) | ||
| } | ||
| } | ||
|
|
||
| getTrustedPath(container) = path{ | ||
| path:= split(flagValue(container, "--trusted-ca-file"),"=")[1] | ||
|
|
||
| } | ||
|
|
||
| flagValue(container, flag) = val{ | ||
| val:=getFlag(container.command, flag) | ||
| } else = val{ | ||
| val:=getFlag(container.args, flag) | ||
| } | ||
|
|
||
| getFlag(arr, item) = array_item { | ||
| array_item = arr[_] | ||
| startswith(array_item, item) | ||
| } | ||
|
|
||
| getClientPath(resource) = path { | ||
| specInfo := k8s_lib.getSpecInfo(resource) | ||
| types := {"initContainers", "containers"} | ||
| container := specInfo.spec[types[x]][j] | ||
| common_lib.inArray(container.command, "kube-apiserver") | ||
| path:= split(flagValue(container, "--client-ca-file"),"=")[1] | ||
| } |
40 changes: 40 additions & 0 deletions
40
assets/queries/k8s/not_unique_certificate_authority/test/negative1.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| apiVersion: v1 | ||
| kind: Pod | ||
| metadata: | ||
| name: command-demo | ||
| labels: | ||
| purpose: demonstrate-command | ||
| spec: | ||
| containers: | ||
| - name: command-demo-container | ||
| image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 | ||
| command: ["kube-apiserver"] | ||
| args: ["--client-ca-file=/etc/env/valid.pem"] | ||
| restartPolicy: OnFailure | ||
| --- | ||
| apiVersion: apps/v1 | ||
| kind: Deployment | ||
| metadata: | ||
| name: database | ||
| spec: | ||
| selector: | ||
| matchLabels: | ||
| app: database | ||
| version: v1 | ||
| replicas: 1 | ||
| template: | ||
| metadata: | ||
| labels: | ||
| app: database | ||
| version: v1 | ||
| spec: | ||
| serviceAccountName: database | ||
| containers: | ||
| - name: database | ||
| image: gcr.io/google_containers/kube-apiserver:certification | ||
| imagePullPolicy: IfNotPresent | ||
| command: ["etcd"] | ||
| args: ["--trusted-ca-file=/etc/env/valid2.pem"] | ||
| nodeSelector: | ||
| kubernetes.io/hostname: worker02 | ||
| restartPolicy: OnFailure |
40 changes: 40 additions & 0 deletions
40
assets/queries/k8s/not_unique_certificate_authority/test/positive1.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| apiVersion: apps/v1 | ||
| kind: Deployment | ||
| metadata: | ||
| name: database | ||
| spec: | ||
| selector: | ||
| matchLabels: | ||
| app: database | ||
| version: v1 | ||
| replicas: 1 | ||
| template: | ||
| metadata: | ||
| labels: | ||
| app: database | ||
| version: v1 | ||
| spec: | ||
| serviceAccountName: database | ||
| containers: | ||
| - name: database | ||
| image: gcr.io/google_containers/kube-apiserver:certification | ||
| imagePullPolicy: IfNotPresent | ||
| command: ["etcd"] | ||
| args: ["--trusted-ca-file=/etc/env/valid3.pem"] | ||
| nodeSelector: | ||
| kubernetes.io/hostname: worker02 | ||
| restartPolicy: OnFailure | ||
| --- | ||
| apiVersion: v1 | ||
| kind: Pod | ||
| metadata: | ||
| name: command-demo | ||
| labels: | ||
| purpose: demonstrate-command | ||
| spec: | ||
| containers: | ||
| - name: command-demo-container | ||
| image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 | ||
| command: ["kube-apiserver"] | ||
| args: ["--client-ca-file=/etc/env/valid3.pem"] | ||
| restartPolicy: OnFailure |
8 changes: 8 additions & 0 deletions
8
assets/queries/k8s/not_unique_certificate_authority/test/positive_expected_result.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| [ | ||
| { | ||
| "queryName": "Not Unique Certificate Authority", | ||
| "severity": "MEDIUM", | ||
| "line": 22, | ||
| "filename": "positive1.yaml" | ||
| } | ||
| ] |