🧹 K8s: Update checks related to workload and securityContext (#412)

- updates 7 checks to `v9` policy --------- Signed-off-by: Manuel Weber <[email protected]>
mondoohq · Jun 19, 2024 · a2759a3 · a2759a3
1 parent 343432d
commit a2759a3
Showing 1 changed file with 48 additions and 91 deletions.
diff --git a/core/mondoo-kubernetes-security.mql.yaml b/core/mondoo-kubernetes-security.mql.yaml
@@ -2638,27 +2638,17 @@ queries:
   - uid: mondoo-kubernetes-security-pod-runasnonroot
     title: Container should not run as root
     impact: 100
+    filters: k8s.pod.annotations['policies.k8s.mondoo.com/mondoo-kubernetes-security-pod-runasnonroot'] != 'ignore'
     mql: |
-      if (k8s.pod.annotations['policies.k8s.mondoo.com/mondoo-kubernetes-security-pod-runasnonroot'] != 'ignore') {
-        k8s.pod {
-          podSecurityContext=podSpec['securityContext']
-          ephemeralContainers {
-            a = podSecurityContext['runAsNonRoot'] == true && securityContext['runAsNonRoot'] == null
-            res = securityContext['runAsNonRoot'] == true || a
-            res == true
-          }
-          initContainers {
-            a = podSecurityContext['runAsNonRoot'] == true && securityContext['runAsNonRoot'] == null
-            res = securityContext['runAsNonRoot'] == true || a
-            res == true
-          }
-          containers {
-            a = podSecurityContext['runAsNonRoot'] == true && securityContext['runAsNonRoot'] == null
-            res = securityContext['runAsNonRoot'] == true || a
-            res == true
-          }
-        }
-      }
+      k8s.pod.containers.all(securityContext['runAsNonRoot'] == true)
+        || k8s.pod.containers.all(securityContext['runAsNonRoot'] == empty)
+        && k8s.pod.podSpec.securityContext.runAsNonRoot == true
+      k8s.pod.initContainers.all(securityContext['runAsNonRoot'] == true)
+        || k8s.pod.initContainers.all(securityContext['runAsNonRoot'] == empty)
+        && k8s.pod.podSpec.securityContext.runAsNonRoot == true
+      k8s.pod.ephemeralContainers.all(securityContext['runAsNonRoot'] == true)
+        || k8s.pod.ephemeralContainers.all(securityContext['runAsNonRoot'] == empty)
+        && k8s.pod.podSpec.securityContext.runAsNonRoot == true
     docs:
       desc: |
         Set the `runAsNonRoot: true` `securityContext` to ensure containers do not run as the root user.
@@ -2725,22 +2715,14 @@ queries:
   - uid: mondoo-kubernetes-security-cronjob-runasnonroot
     title: Container should not run as root
     impact: 100
+    filters: k8s.cronjob.annotations['policies.k8s.mondoo.com/mondoo-kubernetes-security-cronjob-runasnonroot'] != 'ignore'
     mql: |
-      if (k8s.cronjob.annotations['policies.k8s.mondoo.com/mondoo-kubernetes-security-cronjob-runasnonroot'] != 'ignore') {
-        k8s.cronjob {
-          podSecurityContext=podSpec['securityContext']
-          initContainers {
-            a = podSecurityContext['runAsNonRoot'] == true && securityContext['runAsNonRoot'] == null
-            res = securityContext['runAsNonRoot'] == true || a
-            res == true
-          }
-          containers {
-            a = podSecurityContext['runAsNonRoot'] == true && securityContext['runAsNonRoot'] == null
-            res = securityContext['runAsNonRoot'] == true || a
-            res == true
-          }
-        }
-      }
+      k8s.cronjob.containers.all(securityContext['runAsNonRoot'] == true)
+        || k8s.cronjob.containers.all(securityContext['runAsNonRoot'] == empty)
+        && k8s.cronjob.podSpec.securityContext.runAsNonRoot == true
+      k8s.cronjob.initContainers.all(securityContext['runAsNonRoot'] == true)
+        || k8s.cronjob.initContainers.all(securityContext['runAsNonRoot'] == empty)
+        && k8s.cronjob.podSpec.securityContext.runAsNonRoot == true
     docs:
       desc: |
         Set the `runAsNonRoot: true` `securityContext` to ensure containers do not run as the root user.
@@ -2808,19 +2790,12 @@ queries:
     title: Container should not run as root
     impact: 100
     mql: |
-      k8s.statefulset {
-        podSecurityContext=podSpec['securityContext']
-        initContainers {
-          a = podSecurityContext['runAsNonRoot'] == true && securityContext['runAsNonRoot'] == null
-          res = securityContext['runAsNonRoot'] == true || a
-          res == true
-        }
-        containers {
-          a = podSecurityContext['runAsNonRoot'] == true && securityContext['runAsNonRoot'] == null
-          res = securityContext['runAsNonRoot'] == true || a
-          res == true
-        }
-      }
+      k8s.statefulset.containers.all(securityContext['runAsNonRoot'] == true)
+        || k8s.statefulset.containers.all(securityContext['runAsNonRoot'] == empty)
+        && k8s.statefulset.podSpec.securityContext.runAsNonRoot == true
+      k8s.statefulset.initContainers.all(securityContext['runAsNonRoot'] == true)
+        || k8s.statefulset.initContainers.all(securityContext['runAsNonRoot'] == empty)
+        && k8s.statefulset.podSpec.securityContext.runAsNonRoot == true
     docs:
       desc: |
         Set the `runAsNonRoot: true` `securityContext` to ensure containers do not run as the root user.
@@ -2888,8 +2863,12 @@ queries:
     title: Container should not run as root
     impact: 100
     mql: |
-      k8s.deployment.containers.all( securityContext['runAsNonRoot'] == true )
-      k8s.deployment.initContainers.all( securityContext['runAsNonRoot'] == true )
+      k8s.deployment.containers.all(securityContext['runAsNonRoot'] == true)
+        || k8s.deployment.containers.all(securityContext['runAsNonRoot'] == empty)
+        && k8s.deployment.podSpec.securityContext.runAsNonRoot == true
+      k8s.deployment.initContainers.all(securityContext['runAsNonRoot'] == true)
+        || k8s.deployment.initContainers.all(securityContext['runAsNonRoot'] == empty)
+        && k8s.deployment.podSpec.securityContext.runAsNonRoot == true
     docs:
       desc: |
         Set the `runAsNonRoot: true` `securityContext` to ensure containers do not run as the root user.
@@ -2956,22 +2935,14 @@ queries:
   - uid: mondoo-kubernetes-security-job-runasnonroot
     title: Container should not run as root
     impact: 100
+    filters: k8s.job.annotations['policies.k8s.mondoo.com/mondoo-kubernetes-security-job-runasnonroot'] != 'ignore'
     mql: |
-      if (k8s.job.annotations['policies.k8s.mondoo.com/mondoo-kubernetes-security-job-runasnonroot'] != 'ignore') {
-        k8s.job {
-          podSecurityContext=podSpec['securityContext']
-          initContainers {
-            a = podSecurityContext['runAsNonRoot'] == true && securityContext['runAsNonRoot'] == null
-            res = securityContext['runAsNonRoot'] == true || a
-            res == true
-          }
-          containers {
-            a = podSecurityContext['runAsNonRoot'] == true && securityContext['runAsNonRoot'] == null
-            res = securityContext['runAsNonRoot'] == true || a
-            res == true
-          }
-        }
-      }
+      k8s.job.containers.all(securityContext['runAsNonRoot'] == true)
+        || k8s.job.containers.all(securityContext['runAsNonRoot'] == empty)
+        && k8s.job.podSpec.securityContext.runAsNonRoot == true
+      k8s.job.initContainers.all(securityContext['runAsNonRoot'] == true)
+        || k8s.job.initContainers.all(securityContext['runAsNonRoot'] == empty)
+        && k8s.job.podSpec.securityContext.runAsNonRoot == true
     docs:
       desc: |
         Set the `runAsNonRoot: true` `securityContext` to ensure containers do not run as the root user.
@@ -3039,19 +3010,12 @@ queries:
     title: Container should not run as root
     impact: 100
     mql: |
-      k8s.replicaset {
-        podSecurityContext=podSpec['securityContext']
-        initContainers {
-          a = podSecurityContext['runAsNonRoot'] == true && securityContext['runAsNonRoot'] == null
-          res = securityContext['runAsNonRoot'] == true || a
-          res == true
-        }
-        containers {
-          a = podSecurityContext['runAsNonRoot'] == true && securityContext['runAsNonRoot'] == null
-          res = securityContext['runAsNonRoot'] == true || a
-          res == true
-        }
-      }
+      k8s.replicaset.containers.all(securityContext['runAsNonRoot'] == true)
+        || k8s.replicaset.containers.all(securityContext['runAsNonRoot'] == empty)
+        && k8s.replicaset.podSpec.securityContext.runAsNonRoot == true
+      k8s.replicaset.initContainers.all(securityContext['runAsNonRoot'] == true)
+        || k8s.replicaset.initContainers.all(securityContext['runAsNonRoot'] == empty)
+        && k8s.replicaset.podSpec.securityContext.runAsNonRoot == true
     docs:
       desc: |
         Set the `runAsNonRoot: true` `securityContext` to ensure containers do not run as the root user.
@@ -3119,19 +3083,12 @@ queries:
     title: Container should not run as root
     impact: 100
     mql: |
-      k8s.daemonset {
-        podSecurityContext=podSpec['securityContext']
-        initContainers {
-          a = podSecurityContext['runAsNonRoot'] == true && securityContext['runAsNonRoot'] == null
-          res = securityContext['runAsNonRoot'] == true || a
-          res == true
-        }
-        containers {
-          a = podSecurityContext['runAsNonRoot'] == true && securityContext['runAsNonRoot'] == null
-          res = securityContext['runAsNonRoot'] == true || a
-          res == true
-        }
-      }
+      k8s.daemonset.containers.all(securityContext['runAsNonRoot'] == true)
+        || k8s.daemonset.containers.all(securityContext['runAsNonRoot'] == empty)
+        && k8s.daemonset.podSpec.securityContext.runAsNonRoot == true
+      k8s.daemonset.initContainers.all(securityContext['runAsNonRoot'] == true)
+        || k8s.daemonset.initContainers.all(securityContext['runAsNonRoot'] == empty)
+        && k8s.daemonset.podSpec.securityContext.runAsNonRoot == true
     docs:
       desc: |
         Set the `runAsNonRoot: true` `securityContext` to ensure containers do not run as the root user.