aquasecurity / trivy-operator

Kubernetes-native security toolkit
https://aquasecurity.github.io/trivy-operator/latest
Apache License 2.0
1.21k stars, 201 forks

combine true not working in custom rego policies #2097

Closed lsoica closed 1 month ago

lsoica commented 4 months ago

For the following rego policy:

package appshield.kubernetes.ID01

import data.lib.kubernetes
import data.lib.utils

__rego_metadata__ := {
  "id": "ID01",
  "title": "Makes sure that all Ingresses target an existing service.",
  "description": "Makes sure that all Ingresses target an existing service.",
  "severity": "MEDIUM",
  "recommended_actions": "The Ingress should target a valid service.",
  "type": "Security Check",
}

__rego_input__ := {
  "combine": true,
  "selector": [{"type": "kubernetes"}],
}

deny[res] {
  # With combine: true, input is an array of resources; pick out each Ingress.
  ingress := input[_]
  ingress.contents.kind == "Ingress"
  not service_exists(ingress)

  msg := sprintf("Ingress %s does not target an existing Service.", [ingress.contents.metadata.name])

  res := {
    "msg": msg,
    "id": __rego_metadata__.id,
    "title": __rego_metadata__.title,
    "severity": __rego_metadata__.severity,
    "type": __rego_metadata__.type,
    "filepath": ingress.path,
  }
}

# True when some Service in the combined input has the name referenced by any
# backend of any rule/path of the given Ingress.
service_exists(ingress) {
  some service
  input[service].contents.kind == "Service"
  some rule
  some path
  input[service].contents.metadata.name == ingress.contents.spec.rules[rule].http.paths[path].backend.service.name
}

the trivy operator marks the following Ingress definition as non-compliant:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  labels:
  name: myingress
  namespace: mynamespace
spec:
  rules:
  - host: somehost
    http:
      paths:
      - backend:
          service:
            name: myservice
            port:
              number: 80
        path: /
        pathType: Prefix

although a service with that name exists:

apiVersion: v1
kind: Service
metadata:
  name: myservice
  namespace: mynamespace
spec:
...

Tried with both kinds: "Ingress,Service" and kinds: "*"

Running the policy through the trivy CLI works as expected.

chen-keinan commented 4 months ago

@lsoica I guess it is not supported, as trivy-operator works differently from trivy config ...; the operator reconciles resources one by one, based on events, and scans each of them individually.

Need to think creatively to see if multiple resources can be combined within the operator pattern.
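The difference between the two reports above can be reproduced with OPA unit tests. The following test file is an added example, not part of the issue or of trivy-operator; it is evaluated together with the policy posted in the first comment (same package, `opa test` over both files) and uses constructed sample resources in the `{path, contents}` array shape that combine mode hands to the policy. The first test is the trivy CLI situation (Ingress and Service arrive together); the second is the per-resource scan chen-keinan describes, where the Ingress arrives alone and the lookup has nothing to find.

```rego
package appshield.kubernetes.ID01

# Constructed sample Ingress in the combined-input shape: one entry per manifest,
# with the manifest under "contents" and its source under "path".
sample_ingress := {
  "path": "ingress.yaml",
  "contents": {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {"name": "myingress", "namespace": "mynamespace"},
    "spec": {"rules": [{
      "host": "somehost",
      "http": {"paths": [{
        "path": "/",
        "pathType": "Prefix",
        "backend": {"service": {"name": "myservice", "port": {"number": 80}}},
      }]},
    }]},
  },
}

# Constructed sample Service with the name the Ingress backend references.
sample_service := {
  "path": "service.yaml",
  "contents": {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "myservice", "namespace": "mynamespace"},
  },
}

# Combined evaluation (trivy CLI): both resources are in input, the Service is
# found, and the policy produces no finding.
test_combined_input_no_finding {
  count(deny) == 0 with input as [sample_ingress, sample_service]
}

# Per-resource evaluation (the operator's event-driven scan): only the Ingress is
# in input, so service_exists cannot see the Service and the policy reports the
# Ingress even though the Service exists in the cluster.
test_single_resource_input_denied {
  count(deny) == 1 with input as [sample_ingress]
}

# Sanity check for the combined mode itself: a backend pointing at a name that no
# Service in the set carries is still denied.
test_combined_input_missing_service_denied {
  count(deny) == 1 with input as [sample_ingress, {
    "path": "other.yaml",
    "contents": {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "othersvc"}},
  }]
}
```

Run with `opa test policy.rego policy_test.rego -v`; on OPA 1.x the `deny[res] { ... }` form of the original policy needs `--v0-compatible`. The point the second test makes is that the finding is not a bug in the Rego: the rule body is correct, but its correctness depends on every Service being present in the same `input` array as the Ingress, which the operator's one-resource-at-a-time reconciliation does not provide.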

github-actions[bot] commented 2 months ago

This issue is stale because it has been labeled with inactivity.