diff --git a/build/starboard-operator/Dockerfile.ubi8 b/build/starboard-operator/Dockerfile.ubi8
index 605364b03..f7d39372a 100644
--- a/build/starboard-operator/Dockerfile.ubi8
+++ b/build/starboard-operator/Dockerfile.ubi8
@@ -2,7 +2,7 @@ FROM registry.access.redhat.com/ubi8/ubi-minimal LABEL name="Starboard" \ vendor="Aqua Security Software Ltd." \ - version="v0.15.10" \ + version="v0.15.11" \ summary="Starboard Operator." RUN microdnf install shadow-utils
diff --git a/deploy/crd/ciskubebenchreports.crd.yaml b/deploy/crd/ciskubebenchreports.crd.yaml
index 48c66125b..b3f368e58 100644
--- a/deploy/crd/ciskubebenchreports.crd.yaml
+++ b/deploy/crd/ciskubebenchreports.crd.yaml
@@ -5,7 +5,7 @@ metadata:
 name: ciskubebenchreports.aquasecurity.github.io
 labels:
 app.kubernetes.io/managed-by: starboard
- app.kubernetes.io/version: "0.15.10"
+ app.kubernetes.io/version: "0.15.11"
 spec:
 group: aquasecurity.github.io
 versions:
diff --git a/deploy/crd/clustercompliancedetailreports.crd.yaml b/deploy/crd/clustercompliancedetailreports.crd.yaml
index 1ca03885c..3b4586d4c 100644
--- a/deploy/crd/clustercompliancedetailreports.crd.yaml
+++ b/deploy/crd/clustercompliancedetailreports.crd.yaml
@@ -5,7 +5,7 @@ metadata:
 name: clustercompliancedetailreports.aquasecurity.github.io
 labels:
 app.kubernetes.io/managed-by: starboard
- app.kubernetes.io/version: "0.15.10"
+ app.kubernetes.io/version: "0.15.11"
 spec:
 group: aquasecurity.github.io
 versions:
@@ -37,6 +37,6 @@ spec:
 plural: clustercompliancedetailreports
 kind: ClusterComplianceDetailReport
 listKind: ClusterComplianceDetailReportList
- categories: [ ]
+ categories: []
 shortNames:
 - compliancedetail
diff --git a/deploy/crd/clustercompliancereports.crd.yaml b/deploy/crd/clustercompliancereports.crd.yaml
index 3e827516f..a74711d79 100644
--- a/deploy/crd/clustercompliancereports.crd.yaml
+++ b/deploy/crd/clustercompliancereports.crd.yaml
@@ -5,7 +5,7 @@ metadata: name: clustercompliancereports.aquasecurity.github.io labels: app.kubernetes.io/managed-by: starboard - app.kubernetes.io/version: "0.15.10" + app.kubernetes.io/version: "0.15.11" spec: group: aquasecurity.github.io scope: Cluster @@ -61,7 +61,7 @@ spec: cron: type: string pattern: '^(((([\*]{1}){1})|((\*\/){0,1}(([0-9]{1}){1}|(([1-5]{1}){1}([0-9]{1}){1}){1}))) ((([\*]{1}){1})|((\*\/){0,1}(([0-9]{1}){1}|(([1]{1}){1}([0-9]{1}){1}){1}|([2]{1}){1}([0-3]{1}){1}))) ((([\*]{1}){1})|((\*\/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1}))) ((([\*]{1}){1})|((\*\/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1}))|(jan|feb|mar|apr|may|jun|jul|aug|sep|okt|nov|dec)) ((([\*]{1}){1})|((\*\/){0,1}(([0-7]{1}){1}))|(sun|mon|tue|wed|thu|fri|sat)))$' - description: 'cron define the intervals for report generation' + description: "cron define the intervals for report generation" controls: type: array items: @@ -79,12 +79,12 @@ spec: type: string id: type: string - description: 'id define the control check id' + description: "id define the control check id" kinds: type: array items: type: string - description: 'kinds define the list of kinds control check apply on , example: Node,Workload ' + description: "kinds define the list of kinds control check apply on , example: Node,Workload " mapping: type: object required: @@ -93,8 +93,8 @@ spec: properties: scanner: type: string - pattern: '^config-audit$|^kube-bench$' - description: 'scanner define the name of the scanner which produce data, currently only config-audit and kube-bench are supported' + pattern: "^config-audit$|^kube-bench$" + description: "scanner define the name of the scanner which produce data, currently only config-audit and kube-bench are supported" checks: type: array items: 
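Review bot: The `cron` pattern two lines above the re-quoted `description` lists the month abbreviations as `jan|...|sep|okt|nov|dec`, so a schedule written with the standard `oct` fails CRD validation while the other eleven names pass; the alternation should read `(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)`. The numeric part of that same month field also reuses the day-of-month ranges (`[1-9]`, `[1-2][0-9]`, `3[0-1]`), so values 13 to 31 are accepted as months and are only rejected, if at all, by the operator's cron parser, which is not visible here. Since this release touch already edits the field's description, it is a cheap moment to tighten the regex. The `cron` property schema and the enclosing `spec` mapping continue outside this hunk.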
@@ -104,10 +104,10 @@ spec:
 properties:
 id:
 type: string
- description: 'id define the check id as produced by scanner'
+ description: "id define the check id as produced by scanner"
 severity:
 type: string
- description: 'define the severity of the control'
+ description: "define the severity of the control"
 enum:
 - CRITICAL
 - HIGH
@@ -116,7 +116,7 @@ spec:
 - UNKNOWN
 defaultStatus:
 type: string
- description: 'define the default value for check status in case resource not found'
+ description: "define the default value for check status in case resource not found"
 enum:
 - PASS
 - WARN
@@ -126,12 +126,12 @@ spec:
 type: object
 subresources:
 # status enables the status subresource.
- status: { }
+ status: {}
 names:
 singular: clustercompliancereport
 plural: clustercompliancereports
 kind: ClusterComplianceReport
 listKind: ClusterComplianceReportList
- categories: [ ]
+ categories: []
 shortNames:
 - compliance
diff --git a/deploy/crd/clusterconfigauditreports.crd.yaml b/deploy/crd/clusterconfigauditreports.crd.yaml
index b751b12f7..1cf2eef17 100644
--- a/deploy/crd/clusterconfigauditreports.crd.yaml
+++ b/deploy/crd/clusterconfigauditreports.crd.yaml
@@ -5,7 +5,7 @@ metadata:
 name: clusterconfigauditreports.aquasecurity.github.io
 labels:
 app.kubernetes.io/managed-by: starboard
- app.kubernetes.io/version: "0.15.10"
+ app.kubernetes.io/version: "0.15.11"
 spec:
 group: aquasecurity.github.io
 versions:
diff --git a/deploy/crd/clustervulnerabilityreports.crd.yaml b/deploy/crd/clustervulnerabilityreports.crd.yaml
index d0c465d38..b1f0c0936 100644
--- a/deploy/crd/clustervulnerabilityreports.crd.yaml
+++ b/deploy/crd/clustervulnerabilityreports.crd.yaml
@@ -5,7 +5,7 @@ metadata:
 name: clustervulnerabilityreports.aquasecurity.github.io
 labels:
 app.kubernetes.io/managed-by: starboard
- app.kubernetes.io/version: "0.15.10"
+ app.kubernetes.io/version: "0.15.11"
 spec:
 group: aquasecurity.github.io
 versions:
diff --git a/deploy/crd/configauditreports.crd.yaml b/deploy/crd/configauditreports.crd.yaml
index b2f0c0b7a..996fac8fb 100644
--- a/deploy/crd/configauditreports.crd.yaml
+++ b/deploy/crd/configauditreports.crd.yaml
@@ -5,7 +5,7 @@ metadata:
 name: configauditreports.aquasecurity.github.io
 labels:
 app.kubernetes.io/managed-by: starboard
- app.kubernetes.io/version: "0.15.10"
+ app.kubernetes.io/version: "0.15.11"
 spec:
 group: aquasecurity.github.io
 versions:
diff --git a/deploy/crd/kubehunterreports.crd.yaml b/deploy/crd/kubehunterreports.crd.yaml
index 7b052b234..c4f28da85 100644
--- a/deploy/crd/kubehunterreports.crd.yaml
+++ b/deploy/crd/kubehunterreports.crd.yaml
@@ -5,7 +5,7 @@ metadata:
 name: kubehunterreports.aquasecurity.github.io
 labels:
 app.kubernetes.io/managed-by: starboard
- app.kubernetes.io/version: "0.15.10"
+ app.kubernetes.io/version: "0.15.11"
 spec:
 group: aquasecurity.github.io
 versions:
diff --git a/deploy/crd/vulnerabilityreports.crd.yaml b/deploy/crd/vulnerabilityreports.crd.yaml
index 0beff41b2..0ce3f8782 100644
--- a/deploy/crd/vulnerabilityreports.crd.yaml
+++ b/deploy/crd/vulnerabilityreports.crd.yaml
@@ -5,7 +5,7 @@ metadata:
 name: vulnerabilityreports.aquasecurity.github.io
 labels:
 app.kubernetes.io/managed-by: starboard
- app.kubernetes.io/version: "0.15.10"
+ app.kubernetes.io/version: "0.15.11"
 spec:
 group: aquasecurity.github.io
 versions:
diff --git a/deploy/helm/Chart.yaml b/deploy/helm/Chart.yaml
index 3de97f0e8..6c73061f5 100644
--- a/deploy/helm/Chart.yaml
+++ b/deploy/helm/Chart.yaml
@@ -6,12 +6,12 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.10.10 +version: 0.10.11 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 0.15.10 +appVersion: 0.15.11 # kubeVersion: A SemVer range of compatible Kubernetes versions (optional)
diff --git a/deploy/specs/nsa-1.0.yaml b/deploy/specs/nsa-1.0.yaml
index d0eb7cf19..410cb939b 100644
--- a/deploy/specs/nsa-1.0.yaml
+++ b/deploy/specs/nsa-1.0.yaml
@@ -6,7 +6,7 @@ metadata:
 labels:
 app.kubernetes.io/name: starboard-operator
 app.kubernetes.io/instance: starboard-operator
- app.kubernetes.io/version: "0.15.10"
+ app.kubernetes.io/version: "0.15.11"
 app.kubernetes.io/managed-by: kubectl
 spec:
 name: nsa
@@ -15,202 +15,202 @@ spec: cron: "0 */3 * * *" controls: - name: Non-root containers - description: 'Check that container is not running as root' - id: '1.0' + description: "Check that container is not running as root" + id: "1.0" kinds: - Workload mapping: scanner: config-audit checks: - id: KSV012 - severity: 'MEDIUM' + severity: "MEDIUM" - name: Immutable container file systems - description: 'Check that container root file system is immutable' - id: '1.1' + description: "Check that container root file system is immutable" + id: "1.1" kinds: - Workload mapping: scanner: config-audit checks: - id: KSV014 - severity: 'LOW' + severity: "LOW" - name: Preventing privileged containers - description: 'Controls whether Pods can run privileged containers' - id: '1.2' + description: "Controls whether Pods can run privileged containers" + id: "1.2" kinds: - Workload mapping: scanner: config-audit checks: - id: KSV017 - severity: 'HIGH' + severity: "HIGH" - name: Share containers process namespaces - description: 'Controls whether containers can share process namespaces' - id: '1.3' + description: "Controls whether containers can share process namespaces" + id: "1.3" kinds: - Workload mapping: scanner: config-audit checks: - id: KSV008 - severity: 'HIGH' + severity: "HIGH" - name: Share host process namespaces - description: 'Controls whether share host process namespaces' - id: '1.4' + description: "Controls whether share host process namespaces" + id: "1.4" kinds: - Workload mapping: scanner: config-audit checks: - id: KSV009 - severity: 'HIGH' + severity: "HIGH" - name: Use the host network - description: 'Controls whether containers can use the host network' - id: '1.5' + description: "Controls whether containers can use the host network" + id: "1.5" kinds: - Workload mapping: scanner: config-audit checks: - id: KSV010 - severity: 'HIGH' - - name: Run with root privileges or with root group membership - description: 'Controls whether container applications can run with 
root privileges or with root group membership' - id: '1.6' + severity: "HIGH" + - name: Run with root privileges or with root group membership + description: "Controls whether container applications can run with root privileges or with root group membership" + id: "1.6" kinds: - Workload mapping: scanner: config-audit checks: - id: KSV029 - severity: 'LOW' + severity: "LOW" - name: Restricts escalation to root privileges - description: 'Control check restrictions escalation to root privileges' - id: '1.7' + description: "Control check restrictions escalation to root privileges" + id: "1.7" kinds: - Workload mapping: scanner: config-audit checks: - id: KSV001 - severity: 'MEDIUM' + severity: "MEDIUM" - name: Sets the SELinux context of the container - description: 'Control checks if pod sets the SELinux context of the container' - id: '1.8' + description: "Control checks if pod sets the SELinux context of the container" + id: "1.8" kinds: - Workload mapping: scanner: config-audit checks: - id: KSV002 - severity: 'MEDIUM' + severity: "MEDIUM" - name: Restrict a container's access to resources with AppArmor - description: 'Control checks the restriction of containers access to resources with AppArmor' - id: '1.9' + description: "Control checks the restriction of containers access to resources with AppArmor" + id: "1.9" kinds: - Workload mapping: scanner: config-audit checks: - id: KSV030 - severity: 'MEDIUM' + severity: "MEDIUM" - name: Sets the seccomp profile used to sandbox containers. 
- description: 'Control checks the sets the seccomp profile used to sandbox containers' - id: '1.10' + description: "Control checks the sets the seccomp profile used to sandbox containers" + id: "1.10" kinds: - Workload mapping: scanner: config-audit checks: - id: KSV030 - severity: 'LOW' + severity: "LOW" - name: Protecting Pod service account tokens - description: 'Control check whether disable secret token been mount ,automountServiceAccountToken: false' - id: '1.11' + description: "Control check whether disable secret token been mount ,automountServiceAccountToken: false" + id: "1.11" kinds: - Workload mapping: scanner: config-audit checks: - id: KSV036 - severity: 'MEDIUM' + severity: "MEDIUM" - name: Namespace kube-system should not be used by users - description: 'Control check whether Namespace kube-system is not be used by users' - id: '1.12' + description: "Control check whether Namespace kube-system is not be used by users" + id: "1.12" kinds: - NetworkPolicy - defaultStatus: 'FAIL' + defaultStatus: "FAIL" mapping: scanner: config-audit checks: - id: KSV037 - severity: 'MEDIUM' + severity: "MEDIUM" - name: Pod and/or namespace Selectors usage - description: 'Control check validate the pod and/or namespace Selectors usage' - id: '2.0' + description: "Control check validate the pod and/or namespace Selectors usage" + id: "2.0" kinds: - NetworkPolicy - defaultStatus: 'FAIL' + defaultStatus: "FAIL" mapping: scanner: config-audit checks: - id: KSV038 - severity: 'MEDIUM' + severity: "MEDIUM" - name: Use CNI plugin that supports NetworkPolicy API - description: 'Control check whether check cni plugin installed' - id: '3.0' + description: "Control check whether check cni plugin installed" + id: "3.0" kinds: - Node mapping: scanner: kube-bench checks: - id: 5.3.1 - severity: 'CRITICAL' + severity: "CRITICAL" - name: Use ResourceQuota policies to limit resources - description: 'Control check the use of ResourceQuota policy to limit aggregate resource usage within 
namespace' - id: '4.0' + description: "Control check the use of ResourceQuota policy to limit aggregate resource usage within namespace" + id: "4.0" kinds: - ResourceQuota - defaultStatus: 'FAIL' + defaultStatus: "FAIL" mapping: scanner: config-audit checks: - id: "KSV040" - severity: 'MEDIUM' + severity: "MEDIUM" - name: Use LimitRange policies to limit resources - description: 'Control check the use of LimitRange policy limit resource usage for namespaces or nodes' - id: '4.1' + description: "Control check the use of LimitRange policy limit resource usage for namespaces or nodes" + id: "4.1" kinds: - LimitRange - defaultStatus: 'FAIL' + defaultStatus: "FAIL" mapping: scanner: config-audit checks: - id: "KSV039" - severity: 'MEDIUM' + severity: "MEDIUM" - name: Control plan disable insecure port - description: 'Control check whether control plan disable insecure port' - id: '5.0' + description: "Control check whether control plan disable insecure port" + id: "5.0" kinds: - Node mapping: scanner: kube-bench checks: - id: 1.2.19 - severity: 'CRITICAL' + severity: "CRITICAL" - name: Encrypt etcd communication - description: 'Control check whether etcd communication is encrypted' - id: '5.1' + description: "Control check whether etcd communication is encrypted" + id: "5.1" kinds: - Node mapping: scanner: kube-bench checks: - - id: '2.1' - severity: 'CRITICAL' + - id: "2.1" + severity: "CRITICAL" - name: Ensure kube config file permission - description: 'Control check whether kube config file permissions' - id: '6.0' + description: "Control check whether kube config file permissions" + id: "6.0" kinds: - Node mapping: @@ -218,10 +218,10 @@ spec: checks: - id: 4.1.3 - id: 4.1.4 - severity: 'CRITICAL' + severity: "CRITICAL" - name: Check that encryption resource has been set - description: 'Control checks whether encryption resource has been set' - id: '6.1' + description: "Control checks whether encryption resource has been set" + id: "6.1" kinds: - Node mapping: 
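Review bot: The check ids under controls 1.8, 1.9 and 1.10 look crossed against the policies this same commit ships in `04-starboard-operator.policies.yaml`: 1.8 (SELinux context) maps to `KSV002`, whose rego metadata titles it "Default AppArmor profile not set", 1.9 (AppArmor) maps to `KSV030`, titled "Default Seccomp profile not set", and 1.10 (seccomp) also maps to `KSV030`, so no AppArmor policy is evaluated and the SELinux control is scored on the AppArmor check. If each control is meant to carry its own policy, 1.8 would read `- id: KSV025` (the only SELinux policy visible here, "SELinux custom options set"), 1.9 `- id: KSV002`, and 1.10 keeps `KSV030`; this needs confirming against the guidance the spec encodes, because the commit only re-quotes these lines and does not touch the ids. The `controls` sequence continues past this hunk into the later hunks of the file.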
@@ -229,30 +229,30 @@ spec: checks: - id: 1.2.31 - id: 1.2.32 - severity: 'CRITICAL' + severity: "CRITICAL" - name: Check encryption provider - description: 'Control checks whether encryption provider has been set' - id: '6.2' + description: "Control checks whether encryption provider has been set" + id: "6.2" kinds: - Node mapping: scanner: kube-bench checks: - id: 1.2.3 - severity: 'CRITICAL' + severity: "CRITICAL" - name: Make sure anonymous-auth is unset - description: 'Control checks whether anonymous-auth is unset' - id: '7.0' + description: "Control checks whether anonymous-auth is unset" + id: "7.0" kinds: - Node mapping: scanner: kube-bench checks: - id: 1.2.1 - severity: 'CRITICAL' + severity: "CRITICAL" - name: Make sure -authorization-mode=RBAC - description: 'Control check whether RBAC permission is in use' - id: '7.1' + description: "Control check whether RBAC permission is in use" + id: "7.1" kinds: - Node mapping: @@ -260,34 +260,34 @@ spec: checks: - id: 1.2.7 - id: 1.2.8 - severity: 'CRITICAL' + severity: "CRITICAL" - name: Audit policy is configure - description: 'Control check whether audit policy is configure' - id: '8.0' + description: "Control check whether audit policy is configure" + id: "8.0" kinds: - Node mapping: scanner: kube-bench checks: - id: 3.2.1 - severity: 'HIGH' + severity: "HIGH" - name: Audit log path is configure - description: 'Control check whether audit log path is configure' - id: '8.1' + description: "Control check whether audit log path is configure" + id: "8.1" kinds: - Node mapping: scanner: kube-bench checks: - id: 1.2.22 - severity: 'MEDIUM' + severity: "MEDIUM" - name: Audit log aging - description: 'Control check whether audit log aging is configure' - id: '8.2' + description: "Control check whether audit log aging is configure" + id: "8.2" kinds: - Node mapping: scanner: kube-bench checks: - id: 1.2.23 - severity: 'MEDIUM' + severity: "MEDIUM" 
diff --git a/deploy/static/01-starboard-operator.ns.yaml b/deploy/static/01-starboard-operator.ns.yaml
index 8ae55ffb1..b2884ebdd 100644
--- a/deploy/static/01-starboard-operator.ns.yaml
+++ b/deploy/static/01-starboard-operator.ns.yaml
@@ -6,5 +6,5 @@ metadata:
 labels:
 app.kubernetes.io/name: starboard-operator
 app.kubernetes.io/instance: starboard-operator
- app.kubernetes.io/version: "0.15.10"
+ app.kubernetes.io/version: "0.15.11"
 app.kubernetes.io/managed-by: kubectl
diff --git a/deploy/static/02-starboard-operator.rbac.yaml b/deploy/static/02-starboard-operator.rbac.yaml
index c1f93a379..f0274db2c 100644
--- a/deploy/static/02-starboard-operator.rbac.yaml
+++ b/deploy/static/02-starboard-operator.rbac.yaml
@@ -7,7 +7,7 @@ metadata:
 labels:
 app.kubernetes.io/name: starboard-operator
 app.kubernetes.io/instance: starboard-operator
- app.kubernetes.io/version: "0.15.10"
+ app.kubernetes.io/version: "0.15.11"
 app.kubernetes.io/managed-by: kubectl
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -17,7 +17,7 @@ metadata:
 labels:
 app.kubernetes.io/name: starboard-operator
 app.kubernetes.io/instance: starboard-operator
- app.kubernetes.io/version: "0.15.10"
+ app.kubernetes.io/version: "0.15.11"
 app.kubernetes.io/managed-by: kubectl
 rules:
 - apiGroups:
@@ -166,7 +166,7 @@ metadata:
 labels:
 app.kubernetes.io/name: starboard-operator
 app.kubernetes.io/instance: starboard-operator
- app.kubernetes.io/version: "0.15.10"
+ app.kubernetes.io/version: "0.15.11"
 app.kubernetes.io/managed-by: kubectl
 roleRef:
 apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/static/03-starboard-operator.config.yaml b/deploy/static/03-starboard-operator.config.yaml
index cb814a1bc..8384e8ab0 100644
--- a/deploy/static/03-starboard-operator.config.yaml
+++ b/deploy/static/03-starboard-operator.config.yaml
@@ -7,7 +7,7 @@ metadata:
 labels:
 app.kubernetes.io/name: starboard-operator
 app.kubernetes.io/instance: starboard-operator
- app.kubernetes.io/version: "0.15.10"
+ app.kubernetes.io/version: "0.15.11"
 app.kubernetes.io/managed-by: kubectl
 ---
 apiVersion: v1
@@ -18,7 +18,7 @@ metadata:
 labels:
 app.kubernetes.io/name: starboard-operator
 app.kubernetes.io/instance: starboard-operator
- app.kubernetes.io/version: "0.15.10"
+ app.kubernetes.io/version: "0.15.11"
 app.kubernetes.io/managed-by: kubectl
 ---
 apiVersion: v1
@@ -29,7 +29,7 @@ metadata:
 labels:
 app.kubernetes.io/name: starboard-operator
 app.kubernetes.io/instance: starboard-operator
- app.kubernetes.io/version: "0.15.10"
+ app.kubernetes.io/version: "0.15.11"
 app.kubernetes.io/managed-by: kubectl
 data:
 vulnerabilityReports.scanner: "Trivy"
@@ -45,7 +45,7 @@ metadata:
 labels:
 app.kubernetes.io/name: starboard-operator
 app.kubernetes.io/instance: starboard-operator
- app.kubernetes.io/version: "0.15.10"
+ app.kubernetes.io/version: "0.15.11"
 app.kubernetes.io/managed-by: kubectl
 data:
 trivy.imageRef: "docker.io/aquasec/trivy:0.25.2"
@@ -66,7 +66,7 @@ metadata:
 labels:
 app.kubernetes.io/name: starboard-operator
 app.kubernetes.io/instance: starboard-operator
- app.kubernetes.io/version: "0.15.10"
+ app.kubernetes.io/version: "0.15.11"
 app.kubernetes.io/managed-by: kubectl
 data:
 polaris.imageRef: "quay.io/fairwinds/polaris:4.2"
diff --git a/deploy/static/04-starboard-operator.policies.yaml b/deploy/static/04-starboard-operator.policies.yaml
index 37dcbc974..255389ce3 100644
--- a/deploy/static/04-starboard-operator.policies.yaml
+++ b/deploy/static/04-starboard-operator.policies.yaml
@@ -7,10 +7,11 @@ metadata: labels: app.kubernetes.io/name: starboard-operator app.kubernetes.io/instance: starboard-operator - app.kubernetes.io/version: "0.15.10" + app.kubernetes.io/version: "0.15.11" app.kubernetes.io/managed-by: kubectl data: - library.kubernetes.rego: "package lib.kubernetes\n\ndefault is_gatekeeper = false\n\nis_gatekeeper + library.kubernetes.rego: + "package lib.kubernetes\n\ndefault is_gatekeeper = false\n\nis_gatekeeper {\n\thas_field(input, \"review\")\n\thas_field(input.review, \"object\")\n}\n\nobject = input {\n\tnot is_gatekeeper\n}\n\nobject = input.review.object {\n\tis_gatekeeper\n}\n\nformat(msg) = gatekeeper_format {\n\tis_gatekeeper\n\tgatekeeper_format = {\"msg\": msg}\n}\n\nformat(msg) @@ -43,7 +44,8 @@ data: = pod.spec\n}\n" library.utils.rego: "package lib.utils\n\nhas_key(x, k) {\n\t_ = x[k]\n}\n" policy.1_host_ipc.kinds: Workload - policy.1_host_ipc.rego: "package appshield.kubernetes.KSV008\n\nimport data.lib.kubernetes\n\ndefault + policy.1_host_ipc.rego: + "package appshield.kubernetes.KSV008\n\nimport data.lib.kubernetes\n\ndefault failHostIPC = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV008\",\n\t\"avd_id\": \"AVD-KSV-0008\",\n\t\"title\": \"Access to host IPC namespace\",\n\t\"short_code\": \"no-shared-ipc-namespace\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"HIGH\",\n\t\"type\": 
@@ -58,7 +60,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.1_host_network.kinds: Workload - policy.1_host_network.rego: "package appshield.kubernetes.KSV009\n\nimport data.lib.kubernetes\n\ndefault + policy.1_host_network.rego: + "package appshield.kubernetes.KSV009\n\nimport data.lib.kubernetes\n\ndefault failHostNetwork = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV009\",\n\t\"avd_id\": \"AVD-KSV-0009\",\n\t\"title\": \"Access to host network\",\n\t\"short_code\": \"no-host-network\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"HIGH\",\n\t\"type\": @@ -74,7 +77,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.1_host_pid.kinds: Workload - policy.1_host_pid.rego: "package appshield.kubernetes.KSV010\n\nimport data.lib.kubernetes\n\ndefault + policy.1_host_pid.rego: + "package appshield.kubernetes.KSV010\n\nimport data.lib.kubernetes\n\ndefault failHostPID = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV010\",\n\t\"avd_id\": \"AVD-KSV-0010\",\n\t\"title\": \"Access to host PID\",\n\t\"short_code\": \"no-host-pid\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"HIGH\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\": 
@@ -89,7 +93,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.1_non_core_volume_types.kinds: Workload - policy.1_non_core_volume_types.rego: "package appshield.kubernetes.KSV028\n\nimport + policy.1_non_core_volume_types.rego: + "package appshield.kubernetes.KSV028\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\n__rego_metadata__ := {\n\t\"id\": \"KSV028\",\n\t\"avd_id\": \"AVD-KSV-0028\",\n\t\"title\": \"Non-ephemeral volume types used\",\n\t\"short_code\": \"no-non-ephemeral-volumes\",\n\t\"version\": @@ -112,7 +117,8 @@ data: __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.2_can_elevate_its_own_privileges.kinds: Workload - policy.2_can_elevate_its_own_privileges.rego: "package appshield.kubernetes.KSV001\n\nimport + policy.2_can_elevate_its_own_privileges.rego: + "package appshield.kubernetes.KSV001\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault checkAllowPrivilegeEscalation = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV001\",\n\t\"avd_id\": \"AVD-KSV-0001\",\n\t\"title\": \"Process can elevate its own privileges\",\n\t\"short_code\": \"no-self-privesc\",\n\t\"version\": 
@@ -137,7 +143,8 @@ data: := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.2_privileged.kinds: Workload - policy.2_privileged.rego: "package appshield.kubernetes.KSV017\n\nimport data.lib.kubernetes\n\ndefault + policy.2_privileged.rego: + "package appshield.kubernetes.KSV017\n\nimport data.lib.kubernetes\n\ndefault failPrivileged = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV017\",\n\t\"avd_id\": \"AVD-KSV-0017\",\n\t\"title\": \"Privileged container\",\n\t\"short_code\": \"no-privileged-containers\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"HIGH\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\": @@ -156,7 +163,8 @@ data: := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.3_runs_as_root.kinds: Workload - policy.3_runs_as_root.rego: "package appshield.kubernetes.KSV012\n\nimport data.lib.kubernetes\nimport + policy.3_runs_as_root.rego: + "package appshield.kubernetes.KSV012\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault checkRunAsNonRoot = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV012\",\n\t\"avd_id\": \"AVD-KSV-0012\",\n\t\"title\": \"Runs as root user\",\n\t\"short_code\": \"no-root\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"MEDIUM\",\n\t\"type\": 
@@ -178,7 +186,8 @@ data: := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.3_specific_capabilities_added.kinds: Workload - policy.3_specific_capabilities_added.rego: "package appshield.kubernetes.KSV022\n\nimport + policy.3_specific_capabilities_added.rego: + "package appshield.kubernetes.KSV022\n\nimport data.lib.kubernetes\n\ndefault failAdditionalCaps = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV022\",\n\t\"avd_id\": \"AVD-KSV-0022\",\n\t\"title\": \"Non-default capabilities added\",\n\t\"short_code\": \"no-non-default-capabilities\",\n\t\"version\": @@ -203,7 +212,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.4_hostpath_volumes_mounted.kinds: Workload - policy.4_hostpath_volumes_mounted.rego: "package appshield.kubernetes.KSV023\n\nimport + policy.4_hostpath_volumes_mounted.rego: + "package appshield.kubernetes.KSV023\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failHostPathVolume = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV023\",\n\t\"avd_id\": \"AVD-KSV-0023\",\n\t\"title\": \"hostPath volumes mounted\",\n\t\"short_code\": \"no-mounted-hostpath\",\n\t\"version\": 
@@ -217,7 +227,8 @@ data: := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.4_runs_with_a_root_gid.kinds: Workload - policy.4_runs_with_a_root_gid.rego: "package appshield.kubernetes.KSV029\n\nimport + policy.4_runs_with_a_root_gid.rego: + "package appshield.kubernetes.KSV029\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failRootGroupId = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV029\",\n\t\"avd_id\": \"AVD-KSV-0029\",\n\t\"title\": \"A root primary or supplementary GID set\",\n\t\"short_code\": \"no-run-root-gid\",\n\t\"version\": @@ -246,7 +257,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.5_access_to_host_ports.kinds: Workload - policy.5_access_to_host_ports.rego: "package appshield.kubernetes.KSV024\n\nimport + policy.5_access_to_host_ports.rego: + "package appshield.kubernetes.KSV024\n\nimport data.lib.kubernetes\n\ndefault failHostPorts = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV024\",\n\t\"avd_id\": \"AVD-KSV-0024\",\n\t\"title\": \"Access to host ports\",\n\t\"short_code\": \"no-host-port-access\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"HIGH\",\n\t\"type\": 
@@ -272,7 +284,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.5_runtime_default_seccomp_profile_not_set.kinds: Workload - policy.5_runtime_default_seccomp_profile_not_set.rego: "package appshield.kubernetes.KSV030\n\nimport + policy.5_runtime_default_seccomp_profile_not_set.rego: + "package appshield.kubernetes.KSV030\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failSeccompProfileType = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV030\",\n\t\"avd_id\": \"AVD-KSV-0030\",\n\t\"title\": \"Default Seccomp profile not set\",\n\t\"short_code\": \"use-default-seccomp\",\n\t\"version\": @@ -305,7 +318,8 @@ data: := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.6_apparmor_policy_disabled.kinds: Workload - policy.6_apparmor_policy_disabled.rego: "package appshield.kubernetes.KSV002\n\nimport + policy.6_apparmor_policy_disabled.rego: + "package appshield.kubernetes.KSV002\n\nimport data.lib.kubernetes\n\ndefault failAppArmor = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV002\",\n\t\"avd_id\": \"AVD-KSV-0002\",\n\t\"title\": \"Default AppArmor profile not set\",\n\t\"short_code\": \"use-default-apparmor-profile\",\n\t\"version\": 
@@ -324,7 +338,8 @@ data: __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.7_selinux_custom_options_set.kinds: Workload - policy.7_selinux_custom_options_set.rego: "package appshield.kubernetes.KSV025\n\nimport + policy.7_selinux_custom_options_set.rego: + "package appshield.kubernetes.KSV025\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failSELinux = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV025\",\n\t\"avd_id\": \"AVD-KSV-0025\",\n\t\"title\": \"SELinux custom options set\",\n\t\"short_code\": \"no-custom-selinux-options\",\n\t\"version\": @@ -354,7 +369,8 @@ data: __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.8_non_default_proc_masks_set.kinds: Workload - policy.8_non_default_proc_masks_set.rego: "package appshield.kubernetes.KSV027\n\nimport + policy.8_non_default_proc_masks_set.rego: + "package appshield.kubernetes.KSV027\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failProcMount = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV027\",\n\t\"avd_id\": \"AVD-KSV-0027\",\n\t\"title\": \"Non-default /proc masks set\",\n\t\"short_code\": \"no-custom-proc-mask\",\n\t\"version\": @@ -371,7 +387,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.9_unsafe_sysctl_options_set.kinds: Workload - policy.9_unsafe_sysctl_options_set.rego: "package appshield.kubernetes.KSV026\n\nimport + policy.9_unsafe_sysctl_options_set.rego: + "package appshield.kubernetes.KSV026\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failSysctls = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV026\",\n\t\"avd_id\": \"AVD-KSV-0026\",\n\t\"title\": \"Unsafe sysctl options set\",\n\t\"short_code\": \"no-unsafe-sysctl\",\n\t\"version\": 
@@ -392,7 +409,8 @@ data: msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.CPU_not_limited.kinds: Workload - policy.CPU_not_limited.rego: "package appshield.kubernetes.KSV011\n\nimport data.lib.kubernetes\nimport + policy.CPU_not_limited.rego: + "package appshield.kubernetes.KSV011\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failLimitsCPU = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV011\",\n\t\"avd_id\": \"AVD-KSV-0011\",\n\t\"title\": \"CPU not limited\",\n\t\"short_code\": \"limit-cpu\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"LOW\",\n\t\"type\": @@ -413,7 +431,8 @@ data: __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.CPU_requests_not_specified.kinds: Workload - policy.CPU_requests_not_specified.rego: "package appshield.kubernetes.KSV015\n\nimport + policy.CPU_requests_not_specified.rego: + "package appshield.kubernetes.KSV015\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failRequestsCPU = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV015\",\n\t\"avd_id\": \"AVD-KSV-0015\",\n\t\"title\": \"CPU requests not specified\",\n\t\"short_code\": \"no-unspecified-cpu-requests\",\n\t\"version\": 
@@ -435,7 +454,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.SYS_ADMIN_capability.kinds: Workload - policy.SYS_ADMIN_capability.rego: "package appshield.kubernetes.KSV005\n\nimport + policy.SYS_ADMIN_capability.rego: + "package appshield.kubernetes.KSV005\n\nimport data.lib.kubernetes\n\ndefault failCapsSysAdmin = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV005\",\n\t\"avd_id\": \"AVD-KSV-0005\",\n\t\"title\": \"SYS_ADMIN capability added\",\n\t\"short_code\": \"no-sysadmin-capability\",\n\t\"version\": @@ -456,7 +476,8 @@ data: __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.capabilities_no_drop_all.kinds: Workload - policy.capabilities_no_drop_all.rego: "package appshield.kubernetes.KSV003\n\nimport + policy.capabilities_no_drop_all.rego: + "package appshield.kubernetes.KSV003\n\nimport data.lib.kubernetes\n\ndefault checkCapsDropAll = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV003\",\n\t\"avd_id\": \"AVD-KSV-0003\",\n\t\"title\": \"Default capabilities not dropped\",\n\t\"short_code\": \"drop-default-capabilities\",\n\t\"version\": 
@@ -478,7 +499,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.capabilities_no_drop_at_least_one.kinds: Workload - policy.capabilities_no_drop_at_least_one.rego: "package appshield.kubernetes.KSV004\n\nimport + policy.capabilities_no_drop_at_least_one.rego: + "package appshield.kubernetes.KSV004\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failCapsDropAny = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV004\",\n\t\"avd_id\": \"AVD-KSV-0004\",\n\t\"title\": \"Unused capabilities should be dropped (drop any)\",\n\t\"short_code\": \"drop-unused-capabilities\",\n\t\"version\": @@ -500,7 +522,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.file_system_not_read_only.kinds: Workload - policy.file_system_not_read_only.rego: "package appshield.kubernetes.KSV014\n\nimport + policy.file_system_not_read_only.rego: + "package appshield.kubernetes.KSV014\n\nimport data.lib.kubernetes\n\ndefault failReadOnlyRootFilesystem = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV014\",\n\t\"avd_id\": \"AVD-KSV-0014\",\n\t\"title\": \"Root file system is not read-only\",\n\t\"short_code\": \"use-readonly-filesystem\",\n\t\"version\": 
@@ -526,7 +549,8 @@ data: := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.manages_etc_hosts.kinds: Workload - policy.manages_etc_hosts.rego: "package appshield.kubernetes.KSV007\n\nimport data.lib.kubernetes\nimport + policy.manages_etc_hosts.rego: + "package appshield.kubernetes.KSV007\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failHostAliases = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV007\",\n\t\"avd_id\": \"AVD-KSV-0007\",\n\t\"title\": \"hostAliases is set\",\n\t\"short_code\": \"no-hostaliases\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"LOW\",\n\t\"type\": @@ -542,7 +566,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.memory_not_limited.kinds: Workload - policy.memory_not_limited.rego: "package appshield.kubernetes.KSV018\n\nimport data.lib.kubernetes\nimport + policy.memory_not_limited.rego: + "package appshield.kubernetes.KSV018\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failLimitsMemory = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV018\",\n\t\"avd_id\": \"AVD-KSV-0018\",\n\t\"title\": \"Memory not limited\",\n\t\"short_code\": \"limit-memory\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"LOW\",\n\t\"type\": 
@@ -563,7 +588,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.memory_requests_not_specified.kinds: Workload - policy.memory_requests_not_specified.rego: "package appshield.kubernetes.KSV016\n\nimport + policy.memory_requests_not_specified.rego: + "package appshield.kubernetes.KSV016\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failRequestsMemory = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV016\",\n\t\"avd_id\": \"AVD-KSV-0016\",\n\t\"title\": \"Memory requests not specified\",\n\t\"short_code\": \"no-unspecified-memory-requests\",\n\t\"version\": @@ -585,7 +611,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.mounts_docker_socket.kinds: Workload - policy.mounts_docker_socket.rego: "package appshield.kubernetes.KSV006\n\nimport + policy.mounts_docker_socket.rego: + "package appshield.kubernetes.KSV006\n\nimport data.lib.kubernetes\n\nname = input.metadata.name\n\ndefault checkDockerSocket = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV006\",\n\t\"avd_id\": \"AVD-KSV-0006\",\n\t\"title\": \"hostPath volume mounted with docker.sock\",\n\t\"short_code\": \"no-docker-sock-mount\",\n\t\"version\": 
@@ -603,7 +630,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.protect_core_components_namespace.kinds: Workload - policy.protect_core_components_namespace.rego: "package appshield.kubernetes.KSV037\n\nimport + policy.protect_core_components_namespace.rego: + "package appshield.kubernetes.KSV037\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\n__rego_metadata__ := {\n\t\"id\": \"KSV037\",\n\t\"avd_id\": \"AVD-KSV-0037\",\n\t\"title\": \"User Pods should not be placed in kube-system namespace\",\n\t\"short_code\": \"no-user-pods-in-system-namespace\",\n\t\"version\": @@ -623,7 +651,8 @@ data: \"component\")\n\tcoreComponentLabels := [\"kube-apiserver\", \"etcd\", \"kube-controller-manager\", \"kube-scheduler\"]\n\tmetadata.labels.component = coreComponentLabels[_]\n}\n" policy.protecting_pod_service_account_tokens.kinds: Workload - policy.protecting_pod_service_account_tokens.rego: "package appshield.kubernetes.KSV036\n\nimport + policy.protecting_pod_service_account_tokens.rego: + "package appshield.kubernetes.KSV036\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\n__rego_metadata__ := {\n\t\"id\": \"KSV036\",\n\t\"avd_id\": \"AVD-KSV-0036\",\n\t\"title\": \"Protecting Pod service account tokens\",\n\t\"short_code\": \"no-auto-mount-service-token\",\n\t\"version\": 
@@ -644,7 +673,8 @@ data: == kubernetes.containers[_].volumeMounts[_].mountPath\n}\n\nhas_key(x, k) {\n\t_ = x[k]\n}\n" policy.runs_with_GID_le_10000.kinds: Workload - policy.runs_with_GID_le_10000.rego: "package appshield.kubernetes.KSV021\n\nimport + policy.runs_with_GID_le_10000.rego: + "package appshield.kubernetes.KSV021\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failRunAsGroup = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV021\",\n\t\"avd_id\": \"AVD-KSV-0021\",\n\t\"title\": \"Runs with low group ID\",\n\t\"short_code\": \"use-high-gid\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": @@ -671,7 +701,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.runs_with_UID_le_10000.kinds: Workload - policy.runs_with_UID_le_10000.rego: "package appshield.kubernetes.KSV020\n\nimport + policy.runs_with_UID_le_10000.rego: + "package appshield.kubernetes.KSV020\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failRunAsUser = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV020\",\n\t\"avd_id\": \"AVD-KSV-0020\",\n\t\"title\": \"Runs with low user ID\",\n\t\"short_code\": \"use-high-uid\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": 
@@ -698,7 +729,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.selector_usage_in_network_policies.kinds: NetworkPolicy - policy.selector_usage_in_network_policies.rego: "package appshield.kubernetes.KSV038\n\nimport + policy.selector_usage_in_network_policies.rego: + "package appshield.kubernetes.KSV038\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\n__rego_metadata__ := {\n\t\"id\": \"KSV038\",\n\t\"avd_id\": \"AVD-KSV-0038\",\n\t\"title\": \"Selector usage in network policies\",\n\t\"short_code\": \"selector-usage-in-network-policies\",\n\t\"version\": @@ -732,7 +764,8 @@ data: == {}\n\tcontains(input.spec.policyType, \"Ingress\")\n}\n\ncontains(arr, elem) {\n\tarr[_] = elem\n}\n" policy.tiller_is_deployed.kinds: Workload - policy.tiller_is_deployed.rego: "package appshield.kubernetes.KSV202\n\nimport data.lib.kubernetes\n\n__rego_metadata__ + policy.tiller_is_deployed.rego: + "package appshield.kubernetes.KSV202\n\nimport data.lib.kubernetes\n\n__rego_metadata__ := {\n\t\"id\": \"KSV102\",\n\t\"avd_id\": \"AVD-KSV-0102\",\n\t\"title\": \"Tiller Is Deployed\",\n\t\"short_code\": \"no-tiller\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"Critical\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\": 
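Review bot: The re-wrapped `policy.tiller_is_deployed.rego` value declares `package appshield.kubernetes.KSV202` while its `__rego_metadata__` reports `"id": "KSV102"` and `"avd_id": "AVD-KSV-0102"`; the commit only re-wraps the string, so the mismatch is carried onto the new side and makes results from this check hard to trace back to the policy that produced them. One of the two identifiers should be corrected, and since the same policy set reappears in the ConfigMap data of deploy/static/starboard.yaml later in this diff, presumably there as well. Its `"severity": "Critical"` is also the only mixed-case severity visible in these hunks — the other policies use `HIGH`, `MEDIUM` and `LOW`, and the ClusterComplianceReport CRD enum lists `CRITICAL` — so if severities are compared as strings anywhere, this check may not be matched.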
@@ -755,7 +788,8 @@ data: == \"helm\"\n}\n\n# Check for tiller by name label\ncheckMetadata(metadata) {\n\tmetadata.labels.name == \"tiller\"\n}\n" policy.use_limit_range.kinds: LimitRange - policy.use_limit_range.rego: "package appshield.kubernetes.KSV039\n\nimport data.lib.kubernetes\nimport + policy.use_limit_range.rego: + "package appshield.kubernetes.KSV039\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\n__rego_metadata__ := {\n\t\"id\": \"KSV039\",\n\t\"avd_id\": \"AVD-KSV-0039\",\n\t\"title\": \"limit range usage\",\n\t\"short_code\": \"limit-range-usage\",\n\t\"severity\": \"LOW\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\": \"ensure @@ -772,7 +806,8 @@ data: \"min\")\n\tkubernetes.has_field(input.spec.limits[_], \"default\")\n\tkubernetes.has_field(input.spec.limits[_], \"defaultRequest\")\n}\n" policy.use_resource_quota.kinds: ResourceQuota - policy.use_resource_quota.rego: "package appshield.kubernetes.KSV040\n\nimport data.lib.kubernetes\nimport + policy.use_resource_quota.rego: + "package appshield.kubernetes.KSV040\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\n__rego_metadata__ := {\n\t\"id\": \"KSV040\",\n\t\"avd_id\": \"AVD-KSV-0040\",\n\t\"title\": \"resource quota usage\",\n\t\"short_code\": \"resource-quota-usage\",\n\t\"severity\": \"LOW\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\": \"ensure 
@@ -788,7 +823,8 @@ data: \"requests.cpu\")\n\tkubernetes.has_field(input.spec.hard, \"requests.memory\")\n\tkubernetes.has_field(input.spec.hard, \"limits.cpu\")\n\tkubernetes.has_field(input.spec.hard, \"limits.memory\")\n}\n" policy.uses_image_tag_latest.kinds: Workload - policy.uses_image_tag_latest.rego: "package appshield.kubernetes.KSV013\n\nimport + policy.uses_image_tag_latest.rego: + "package appshield.kubernetes.KSV013\n\nimport data.lib.kubernetes\n\ndefault checkUsingLatestTag = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV013\",\n\t\"avd_id\": \"AVD-KSV-0013\",\n\t\"title\": \"Image tag ':latest' used\",\n\t\"short_code\": \"use-specific-tags\",\n\t\"version\": @@ -814,7 +850,8 @@ data: := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.uses_untrusted_azure_registry.kinds: Workload - policy.uses_untrusted_azure_registry.rego: "package appshield.kubernetes.KSV032\n\nimport + policy.uses_untrusted_azure_registry.rego: + "package appshield.kubernetes.KSV032\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failTrustedAzureRegistry = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV032\",\n\t\"avd_id\": \"AVD-KSV-0032\",\n\t\"title\": \"All container images must start with the *.azurecr.io domain\",\n\t\"short_code\": 
@@ -840,7 +877,8 @@ data: msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.uses_untrusted_gcr_registry.kinds: Workload - policy.uses_untrusted_gcr_registry.rego: "package appshield.kubernetes.KSV033\n\nimport + policy.uses_untrusted_gcr_registry.rego: + "package appshield.kubernetes.KSV033\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failTrustedGCRRegistry = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV033\",\n\t\"avd_id\": \"AVD-KSV-0033\",\n\t\"title\": \"All container images must start with a GCR domain\",\n\t\"short_code\": \"use-gcr-domain\",\n\t\"version\": diff --git a/deploy/static/05-starboard-operator.deployment.yaml b/deploy/static/05-starboard-operator.deployment.yaml index 6d764236a..c5916cd51 100644 --- a/deploy/static/05-starboard-operator.deployment.yaml +++ b/deploy/static/05-starboard-operator.deployment.yaml @@ -7,7 +7,7 @@ metadata: labels: app.kubernetes.io/name: starboard-operator app.kubernetes.io/instance: starboard-operator - app.kubernetes.io/version: "0.15.10" + app.kubernetes.io/version: "0.15.11" app.kubernetes.io/managed-by: kubectl annotations: prometheus.io/path: /metrics @@ -30,7 +30,7 @@ metadata: labels: app.kubernetes.io/name: starboard-operator app.kubernetes.io/instance: starboard-operator - app.kubernetes.io/version: "0.15.10" + app.kubernetes.io/version: "0.15.11" app.kubernetes.io/managed-by: kubectl spec: replicas: 1 @@ -50,7 +50,7 @@ spec: automountServiceAccountToken: true containers: - name: "starboard-operator" - image: "docker.io/aquasec/starboard-operator:0.15.10" + image: "docker.io/aquasec/starboard-operator:0.15.11" imagePullPolicy: IfNotPresent env: - name: OPERATOR_NAMESPACE 
@@ -114,14 +114,12 @@ spec:
 periodSeconds: 10
 successThreshold: 1
 failureThreshold: 10
- resources:
- {}
+ resources: {}
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - ALL
+ - ALL
 privileged: false
 readOnlyRootFilesystem: true
- securityContext:
- {}
+ securityContext: {}
diff --git a/deploy/static/starboard.yaml b/deploy/static/starboard.yaml
index 20747a8d4..5ad06e88a 100644
--- a/deploy/static/starboard.yaml
+++ b/deploy/static/starboard.yaml
@@ -5,7 +5,7 @@ metadata:
 name: vulnerabilityreports.aquasecurity.github.io
 labels:
 app.kubernetes.io/managed-by: starboard
- app.kubernetes.io/version: "0.15.10"
+ app.kubernetes.io/version: "0.15.11"
 spec:
 group: aquasecurity.github.io
 versions:
@@ -248,7 +248,7 @@ metadata:
 name: configauditreports.aquasecurity.github.io
 labels:
 app.kubernetes.io/managed-by: starboard
- app.kubernetes.io/version: "0.15.10"
+ app.kubernetes.io/version: "0.15.11"
 spec:
 group: aquasecurity.github.io
 versions:
@@ -304,7 +304,7 @@ metadata:
 name: clusterconfigauditreports.aquasecurity.github.io
 labels:
 app.kubernetes.io/managed-by: starboard
- app.kubernetes.io/version: "0.15.10"
+ app.kubernetes.io/version: "0.15.11"
 spec:
 group: aquasecurity.github.io
 versions:
@@ -360,7 +360,7 @@ metadata:
 name: ciskubebenchreports.aquasecurity.github.io
 labels:
 app.kubernetes.io/managed-by: starboard
- app.kubernetes.io/version: "0.15.10"
+ app.kubernetes.io/version: "0.15.11"
 spec:
 group: aquasecurity.github.io
 versions:
@@ -410,7 +410,7 @@ metadata:
 name: clustercompliancereports.aquasecurity.github.io
 labels:
 app.kubernetes.io/managed-by: starboard
- app.kubernetes.io/version: "0.15.10"
+ app.kubernetes.io/version: "0.15.11"
 spec:
 group: aquasecurity.github.io
 scope: Cluster
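Review bot: The second `securityContext: {}` at the end of this hunk (presumably the pod-level one; indentation is lost in this view) and the container's `resources: {}` leave the operator's own Deployment failing checks that this same commit ships as policies: KSV012 (runs as root), KSV030 (default seccomp profile not set), and KSV011/KSV018 (CPU/memory not limited). The container-level context is already tight (`allowPrivilegeEscalation: false`, `drop: - ALL`, `readOnlyRootFilesystem: true`), so the gap is the pod-level context and the absent requests/limits; the sketch below uses labelled placeholders for sizing because no values are given in the diff. The image's runtime user is not visible here, so confirm the container runs unprivileged before enabling `runAsNonRoot`.
```yaml
          resources:
            requests:
              cpu: <CPU_REQUEST>       # placeholder — size for the target cluster
              memory: <MEMORY_REQUEST> # placeholder
            limits:
              cpu: <CPU_LIMIT>         # placeholder
              memory: <MEMORY_LIMIT>   # placeholder
          # … unchanged: container securityContext (drop ALL, no privilege escalation, read-only root fs) …
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
```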
@@ -466,7 +466,7 @@ spec: cron: type: string pattern: '^(((([\*]{1}){1})|((\*\/){0,1}(([0-9]{1}){1}|(([1-5]{1}){1}([0-9]{1}){1}){1}))) ((([\*]{1}){1})|((\*\/){0,1}(([0-9]{1}){1}|(([1]{1}){1}([0-9]{1}){1}){1}|([2]{1}){1}([0-3]{1}){1}))) ((([\*]{1}){1})|((\*\/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1}))) ((([\*]{1}){1})|((\*\/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1}))|(jan|feb|mar|apr|may|jun|jul|aug|sep|okt|nov|dec)) ((([\*]{1}){1})|((\*\/){0,1}(([0-7]{1}){1}))|(sun|mon|tue|wed|thu|fri|sat)))$' - description: 'cron define the intervals for report generation' + description: "cron define the intervals for report generation" controls: type: array items: @@ -484,12 +484,12 @@ spec: type: string id: type: string - description: 'id define the control check id' + description: "id define the control check id" kinds: type: array items: type: string - description: 'kinds define the list of kinds control check apply on , example: Node,Workload ' + description: "kinds define the list of kinds control check apply on , example: Node,Workload " mapping: type: object required: @@ -498,8 +498,8 @@ spec: properties: scanner: type: string - pattern: '^config-audit$|^kube-bench$' - description: 'scanner define the name of the scanner which produce data, currently only config-audit and kube-bench are supported' + pattern: "^config-audit$|^kube-bench$" + description: "scanner define the name of the scanner which produce data, currently only config-audit and kube-bench are supported" checks: type: array items: @@ -509,10 +509,10 @@ spec: properties: id: type: string - description: 'id define the check id as produced by scanner' + description: "id define the check id as produced by scanner" severity: type: string - description: 'define the severity of the control' + description: "define the severity of the control" enum: - CRITICAL - HIGH 
@@ -521,7 +521,7 @@ spec: - UNKNOWN defaultStatus: type: string - description: 'define the default value for check status in case resource not found' + description: "define the default value for check status in case resource not found" enum: - PASS - WARN @@ -531,13 +531,13 @@ spec: type: object subresources: # status enables the status subresource. - status: { } + status: {} names: singular: clustercompliancereport plural: clustercompliancereports kind: ClusterComplianceReport listKind: ClusterComplianceReportList - categories: [ ] + categories: [] shortNames: - compliance --- @@ -547,7 +547,7 @@ metadata: name: clustercompliancedetailreports.aquasecurity.github.io labels: app.kubernetes.io/managed-by: starboard - app.kubernetes.io/version: "0.15.10" + app.kubernetes.io/version: "0.15.11" spec: group: aquasecurity.github.io versions: @@ -579,7 +579,7 @@ spec: plural: clustercompliancedetailreports kind: ClusterComplianceDetailReport listKind: ClusterComplianceDetailReportList - categories: [ ] + categories: [] shortNames: - compliancedetail --- @@ -590,7 +590,7 @@ metadata: labels: app.kubernetes.io/name: starboard-operator app.kubernetes.io/instance: starboard-operator - app.kubernetes.io/version: "0.15.10" + app.kubernetes.io/version: "0.15.11" app.kubernetes.io/managed-by: kubectl --- apiVersion: v1 @@ -601,7 +601,7 @@ metadata: labels: app.kubernetes.io/name: starboard-operator app.kubernetes.io/instance: starboard-operator - app.kubernetes.io/version: "0.15.10" + app.kubernetes.io/version: "0.15.11" app.kubernetes.io/managed-by: kubectl --- apiVersion: rbac.authorization.k8s.io/v1 @@ -611,7 +611,7 @@ metadata: labels: app.kubernetes.io/name: starboard-operator app.kubernetes.io/instance: starboard-operator - app.kubernetes.io/version: "0.15.10" + app.kubernetes.io/version: "0.15.11" app.kubernetes.io/managed-by: kubectl rules: - apiGroups: 
@@ -752,7 +752,7 @@ metadata: labels: app.kubernetes.io/name: starboard-operator app.kubernetes.io/instance: starboard-operator - app.kubernetes.io/version: "0.15.10" + app.kubernetes.io/version: "0.15.11" app.kubernetes.io/managed-by: kubectl roleRef: apiGroup: rbac.authorization.k8s.io @@ -771,7 +771,7 @@ metadata: labels: app.kubernetes.io/name: starboard-operator app.kubernetes.io/instance: starboard-operator - app.kubernetes.io/version: "0.15.10" + app.kubernetes.io/version: "0.15.11" app.kubernetes.io/managed-by: kubectl --- apiVersion: v1 @@ -782,7 +782,7 @@ metadata: labels: app.kubernetes.io/name: starboard-operator app.kubernetes.io/instance: starboard-operator - app.kubernetes.io/version: "0.15.10" + app.kubernetes.io/version: "0.15.11" app.kubernetes.io/managed-by: kubectl --- apiVersion: v1 @@ -793,7 +793,7 @@ metadata: labels: app.kubernetes.io/name: starboard-operator app.kubernetes.io/instance: starboard-operator - app.kubernetes.io/version: "0.15.10" + app.kubernetes.io/version: "0.15.11" app.kubernetes.io/managed-by: kubectl data: vulnerabilityReports.scanner: "Trivy" @@ -809,7 +809,7 @@ metadata: labels: app.kubernetes.io/name: starboard-operator app.kubernetes.io/instance: starboard-operator - app.kubernetes.io/version: "0.15.10" + app.kubernetes.io/version: "0.15.11" app.kubernetes.io/managed-by: kubectl data: trivy.imageRef: "docker.io/aquasec/trivy:0.25.2" @@ -830,7 +830,7 @@ metadata: labels: app.kubernetes.io/name: starboard-operator app.kubernetes.io/instance: starboard-operator - app.kubernetes.io/version: "0.15.10" + app.kubernetes.io/version: "0.15.11" app.kubernetes.io/managed-by: kubectl data: polaris.imageRef: "quay.io/fairwinds/polaris:4.2" 
@@ -1031,10 +1031,11 @@ metadata: labels: app.kubernetes.io/name: starboard-operator app.kubernetes.io/instance: starboard-operator - app.kubernetes.io/version: "0.15.10" + app.kubernetes.io/version: "0.15.11" app.kubernetes.io/managed-by: kubectl data: - library.kubernetes.rego: "package lib.kubernetes\n\ndefault is_gatekeeper = false\n\nis_gatekeeper + library.kubernetes.rego: + "package lib.kubernetes\n\ndefault is_gatekeeper = false\n\nis_gatekeeper {\n\thas_field(input, \"review\")\n\thas_field(input.review, \"object\")\n}\n\nobject = input {\n\tnot is_gatekeeper\n}\n\nobject = input.review.object {\n\tis_gatekeeper\n}\n\nformat(msg) = gatekeeper_format {\n\tis_gatekeeper\n\tgatekeeper_format = {\"msg\": msg}\n}\n\nformat(msg) @@ -1067,7 +1068,8 @@ data: = pod.spec\n}\n" library.utils.rego: "package lib.utils\n\nhas_key(x, k) {\n\t_ = x[k]\n}\n" policy.1_host_ipc.kinds: Workload - policy.1_host_ipc.rego: "package appshield.kubernetes.KSV008\n\nimport data.lib.kubernetes\n\ndefault + policy.1_host_ipc.rego: + "package appshield.kubernetes.KSV008\n\nimport data.lib.kubernetes\n\ndefault failHostIPC = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV008\",\n\t\"avd_id\": \"AVD-KSV-0008\",\n\t\"title\": \"Access to host IPC namespace\",\n\t\"short_code\": \"no-shared-ipc-namespace\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"HIGH\",\n\t\"type\": 
@@ -1082,7 +1084,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.1_host_network.kinds: Workload - policy.1_host_network.rego: "package appshield.kubernetes.KSV009\n\nimport data.lib.kubernetes\n\ndefault + policy.1_host_network.rego: + "package appshield.kubernetes.KSV009\n\nimport data.lib.kubernetes\n\ndefault failHostNetwork = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV009\",\n\t\"avd_id\": \"AVD-KSV-0009\",\n\t\"title\": \"Access to host network\",\n\t\"short_code\": \"no-host-network\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"HIGH\",\n\t\"type\": @@ -1098,7 +1101,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.1_host_pid.kinds: Workload - policy.1_host_pid.rego: "package appshield.kubernetes.KSV010\n\nimport data.lib.kubernetes\n\ndefault + policy.1_host_pid.rego: + "package appshield.kubernetes.KSV010\n\nimport data.lib.kubernetes\n\ndefault failHostPID = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV010\",\n\t\"avd_id\": \"AVD-KSV-0010\",\n\t\"title\": \"Access to host PID\",\n\t\"short_code\": \"no-host-pid\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"HIGH\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\": 
@@ -1113,7 +1117,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.1_non_core_volume_types.kinds: Workload - policy.1_non_core_volume_types.rego: "package appshield.kubernetes.KSV028\n\nimport + policy.1_non_core_volume_types.rego: + "package appshield.kubernetes.KSV028\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\n__rego_metadata__ := {\n\t\"id\": \"KSV028\",\n\t\"avd_id\": \"AVD-KSV-0028\",\n\t\"title\": \"Non-ephemeral volume types used\",\n\t\"short_code\": \"no-non-ephemeral-volumes\",\n\t\"version\": @@ -1136,7 +1141,8 @@ data: __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.2_can_elevate_its_own_privileges.kinds: Workload - policy.2_can_elevate_its_own_privileges.rego: "package appshield.kubernetes.KSV001\n\nimport + policy.2_can_elevate_its_own_privileges.rego: + "package appshield.kubernetes.KSV001\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault checkAllowPrivilegeEscalation = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV001\",\n\t\"avd_id\": \"AVD-KSV-0001\",\n\t\"title\": \"Process can elevate its own privileges\",\n\t\"short_code\": \"no-self-privesc\",\n\t\"version\": 
@@ -1161,7 +1167,8 @@ data: := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.2_privileged.kinds: Workload - policy.2_privileged.rego: "package appshield.kubernetes.KSV017\n\nimport data.lib.kubernetes\n\ndefault + policy.2_privileged.rego: + "package appshield.kubernetes.KSV017\n\nimport data.lib.kubernetes\n\ndefault failPrivileged = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV017\",\n\t\"avd_id\": \"AVD-KSV-0017\",\n\t\"title\": \"Privileged container\",\n\t\"short_code\": \"no-privileged-containers\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"HIGH\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\": @@ -1180,7 +1187,8 @@ data: := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.3_runs_as_root.kinds: Workload - policy.3_runs_as_root.rego: "package appshield.kubernetes.KSV012\n\nimport data.lib.kubernetes\nimport + policy.3_runs_as_root.rego: + "package appshield.kubernetes.KSV012\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault checkRunAsNonRoot = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV012\",\n\t\"avd_id\": \"AVD-KSV-0012\",\n\t\"title\": \"Runs as root user\",\n\t\"short_code\": \"no-root\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"MEDIUM\",\n\t\"type\": 
@@ -1202,7 +1210,8 @@ data: := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.3_specific_capabilities_added.kinds: Workload - policy.3_specific_capabilities_added.rego: "package appshield.kubernetes.KSV022\n\nimport + policy.3_specific_capabilities_added.rego: + "package appshield.kubernetes.KSV022\n\nimport data.lib.kubernetes\n\ndefault failAdditionalCaps = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV022\",\n\t\"avd_id\": \"AVD-KSV-0022\",\n\t\"title\": \"Non-default capabilities added\",\n\t\"short_code\": \"no-non-default-capabilities\",\n\t\"version\": @@ -1227,7 +1236,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.4_hostpath_volumes_mounted.kinds: Workload - policy.4_hostpath_volumes_mounted.rego: "package appshield.kubernetes.KSV023\n\nimport + policy.4_hostpath_volumes_mounted.rego: + "package appshield.kubernetes.KSV023\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failHostPathVolume = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV023\",\n\t\"avd_id\": \"AVD-KSV-0023\",\n\t\"title\": \"hostPath volumes mounted\",\n\t\"short_code\": \"no-mounted-hostpath\",\n\t\"version\": 
@@ -1241,7 +1251,8 @@ data: := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.4_runs_with_a_root_gid.kinds: Workload - policy.4_runs_with_a_root_gid.rego: "package appshield.kubernetes.KSV029\n\nimport + policy.4_runs_with_a_root_gid.rego: + "package appshield.kubernetes.KSV029\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failRootGroupId = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV029\",\n\t\"avd_id\": \"AVD-KSV-0029\",\n\t\"title\": \"A root primary or supplementary GID set\",\n\t\"short_code\": \"no-run-root-gid\",\n\t\"version\": @@ -1270,7 +1281,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.5_access_to_host_ports.kinds: Workload - policy.5_access_to_host_ports.rego: "package appshield.kubernetes.KSV024\n\nimport + policy.5_access_to_host_ports.rego: + "package appshield.kubernetes.KSV024\n\nimport data.lib.kubernetes\n\ndefault failHostPorts = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV024\",\n\t\"avd_id\": \"AVD-KSV-0024\",\n\t\"title\": \"Access to host ports\",\n\t\"short_code\": \"no-host-port-access\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"HIGH\",\n\t\"type\": 
@@ -1296,7 +1308,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.5_runtime_default_seccomp_profile_not_set.kinds: Workload - policy.5_runtime_default_seccomp_profile_not_set.rego: "package appshield.kubernetes.KSV030\n\nimport + policy.5_runtime_default_seccomp_profile_not_set.rego: + "package appshield.kubernetes.KSV030\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failSeccompProfileType = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV030\",\n\t\"avd_id\": \"AVD-KSV-0030\",\n\t\"title\": \"Default Seccomp profile not set\",\n\t\"short_code\": \"use-default-seccomp\",\n\t\"version\": @@ -1329,7 +1342,8 @@ data: := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.6_apparmor_policy_disabled.kinds: Workload - policy.6_apparmor_policy_disabled.rego: "package appshield.kubernetes.KSV002\n\nimport + policy.6_apparmor_policy_disabled.rego: + "package appshield.kubernetes.KSV002\n\nimport data.lib.kubernetes\n\ndefault failAppArmor = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV002\",\n\t\"avd_id\": \"AVD-KSV-0002\",\n\t\"title\": \"Default AppArmor profile not set\",\n\t\"short_code\": \"use-default-apparmor-profile\",\n\t\"version\": 
@@ -1348,7 +1362,8 @@ data: __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.7_selinux_custom_options_set.kinds: Workload - policy.7_selinux_custom_options_set.rego: "package appshield.kubernetes.KSV025\n\nimport + policy.7_selinux_custom_options_set.rego: + "package appshield.kubernetes.KSV025\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failSELinux = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV025\",\n\t\"avd_id\": \"AVD-KSV-0025\",\n\t\"title\": \"SELinux custom options set\",\n\t\"short_code\": \"no-custom-selinux-options\",\n\t\"version\": @@ -1378,7 +1393,8 @@ data: __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.8_non_default_proc_masks_set.kinds: Workload - policy.8_non_default_proc_masks_set.rego: "package appshield.kubernetes.KSV027\n\nimport + policy.8_non_default_proc_masks_set.rego: + "package appshield.kubernetes.KSV027\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failProcMount = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV027\",\n\t\"avd_id\": \"AVD-KSV-0027\",\n\t\"title\": \"Non-default /proc masks set\",\n\t\"short_code\": \"no-custom-proc-mask\",\n\t\"version\": @@ -1395,7 +1411,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.9_unsafe_sysctl_options_set.kinds: Workload - policy.9_unsafe_sysctl_options_set.rego: "package appshield.kubernetes.KSV026\n\nimport + policy.9_unsafe_sysctl_options_set.rego: + "package appshield.kubernetes.KSV026\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failSysctls = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV026\",\n\t\"avd_id\": \"AVD-KSV-0026\",\n\t\"title\": \"Unsafe sysctl options set\",\n\t\"short_code\": \"no-unsafe-sysctl\",\n\t\"version\": 
@@ -1416,7 +1433,8 @@ data: msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.CPU_not_limited.kinds: Workload - policy.CPU_not_limited.rego: "package appshield.kubernetes.KSV011\n\nimport data.lib.kubernetes\nimport + policy.CPU_not_limited.rego: + "package appshield.kubernetes.KSV011\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failLimitsCPU = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV011\",\n\t\"avd_id\": \"AVD-KSV-0011\",\n\t\"title\": \"CPU not limited\",\n\t\"short_code\": \"limit-cpu\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"LOW\",\n\t\"type\": @@ -1437,7 +1455,8 @@ data: __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.CPU_requests_not_specified.kinds: Workload - policy.CPU_requests_not_specified.rego: "package appshield.kubernetes.KSV015\n\nimport + policy.CPU_requests_not_specified.rego: + "package appshield.kubernetes.KSV015\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failRequestsCPU = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV015\",\n\t\"avd_id\": \"AVD-KSV-0015\",\n\t\"title\": \"CPU requests not specified\",\n\t\"short_code\": \"no-unspecified-cpu-requests\",\n\t\"version\": 
@@ -1459,7 +1478,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.SYS_ADMIN_capability.kinds: Workload - policy.SYS_ADMIN_capability.rego: "package appshield.kubernetes.KSV005\n\nimport + policy.SYS_ADMIN_capability.rego: + "package appshield.kubernetes.KSV005\n\nimport data.lib.kubernetes\n\ndefault failCapsSysAdmin = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV005\",\n\t\"avd_id\": \"AVD-KSV-0005\",\n\t\"title\": \"SYS_ADMIN capability added\",\n\t\"short_code\": \"no-sysadmin-capability\",\n\t\"version\": @@ -1480,7 +1500,8 @@ data: __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.capabilities_no_drop_all.kinds: Workload - policy.capabilities_no_drop_all.rego: "package appshield.kubernetes.KSV003\n\nimport + policy.capabilities_no_drop_all.rego: + "package appshield.kubernetes.KSV003\n\nimport data.lib.kubernetes\n\ndefault checkCapsDropAll = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV003\",\n\t\"avd_id\": \"AVD-KSV-0003\",\n\t\"title\": \"Default capabilities not dropped\",\n\t\"short_code\": \"drop-default-capabilities\",\n\t\"version\": 
@@ -1502,7 +1523,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.capabilities_no_drop_at_least_one.kinds: Workload - policy.capabilities_no_drop_at_least_one.rego: "package appshield.kubernetes.KSV004\n\nimport + policy.capabilities_no_drop_at_least_one.rego: + "package appshield.kubernetes.KSV004\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failCapsDropAny = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV004\",\n\t\"avd_id\": \"AVD-KSV-0004\",\n\t\"title\": \"Unused capabilities should be dropped (drop any)\",\n\t\"short_code\": \"drop-unused-capabilities\",\n\t\"version\": @@ -1524,7 +1546,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.file_system_not_read_only.kinds: Workload - policy.file_system_not_read_only.rego: "package appshield.kubernetes.KSV014\n\nimport + policy.file_system_not_read_only.rego: + "package appshield.kubernetes.KSV014\n\nimport data.lib.kubernetes\n\ndefault failReadOnlyRootFilesystem = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV014\",\n\t\"avd_id\": \"AVD-KSV-0014\",\n\t\"title\": \"Root file system is not read-only\",\n\t\"short_code\": \"use-readonly-filesystem\",\n\t\"version\": 
@@ -1550,7 +1573,8 @@ data: := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.manages_etc_hosts.kinds: Workload - policy.manages_etc_hosts.rego: "package appshield.kubernetes.KSV007\n\nimport data.lib.kubernetes\nimport + policy.manages_etc_hosts.rego: + "package appshield.kubernetes.KSV007\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failHostAliases = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV007\",\n\t\"avd_id\": \"AVD-KSV-0007\",\n\t\"title\": \"hostAliases is set\",\n\t\"short_code\": \"no-hostaliases\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"LOW\",\n\t\"type\": @@ -1566,7 +1590,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.memory_not_limited.kinds: Workload - policy.memory_not_limited.rego: "package appshield.kubernetes.KSV018\n\nimport data.lib.kubernetes\nimport + policy.memory_not_limited.rego: + "package appshield.kubernetes.KSV018\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failLimitsMemory = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV018\",\n\t\"avd_id\": \"AVD-KSV-0018\",\n\t\"title\": \"Memory not limited\",\n\t\"short_code\": \"limit-memory\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"LOW\",\n\t\"type\": 
@@ -1587,7 +1612,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.memory_requests_not_specified.kinds: Workload - policy.memory_requests_not_specified.rego: "package appshield.kubernetes.KSV016\n\nimport + policy.memory_requests_not_specified.rego: + "package appshield.kubernetes.KSV016\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failRequestsMemory = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV016\",\n\t\"avd_id\": \"AVD-KSV-0016\",\n\t\"title\": \"Memory requests not specified\",\n\t\"short_code\": \"no-unspecified-memory-requests\",\n\t\"version\": @@ -1609,7 +1635,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.mounts_docker_socket.kinds: Workload - policy.mounts_docker_socket.rego: "package appshield.kubernetes.KSV006\n\nimport + policy.mounts_docker_socket.rego: + "package appshield.kubernetes.KSV006\n\nimport data.lib.kubernetes\n\nname = input.metadata.name\n\ndefault checkDockerSocket = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV006\",\n\t\"avd_id\": \"AVD-KSV-0006\",\n\t\"title\": \"hostPath volume mounted with docker.sock\",\n\t\"short_code\": \"no-docker-sock-mount\",\n\t\"version\": 
@@ -1627,7 +1654,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.protect_core_components_namespace.kinds: Workload - policy.protect_core_components_namespace.rego: "package appshield.kubernetes.KSV037\n\nimport + policy.protect_core_components_namespace.rego: + "package appshield.kubernetes.KSV037\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\n__rego_metadata__ := {\n\t\"id\": \"KSV037\",\n\t\"avd_id\": \"AVD-KSV-0037\",\n\t\"title\": \"User Pods should not be placed in kube-system namespace\",\n\t\"short_code\": \"no-user-pods-in-system-namespace\",\n\t\"version\": @@ -1647,7 +1675,8 @@ data: \"component\")\n\tcoreComponentLabels := [\"kube-apiserver\", \"etcd\", \"kube-controller-manager\", \"kube-scheduler\"]\n\tmetadata.labels.component = coreComponentLabels[_]\n}\n" policy.protecting_pod_service_account_tokens.kinds: Workload - policy.protecting_pod_service_account_tokens.rego: "package appshield.kubernetes.KSV036\n\nimport + policy.protecting_pod_service_account_tokens.rego: + "package appshield.kubernetes.KSV036\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\n__rego_metadata__ := {\n\t\"id\": \"KSV036\",\n\t\"avd_id\": \"AVD-KSV-0036\",\n\t\"title\": \"Protecting Pod service account tokens\",\n\t\"short_code\": \"no-auto-mount-service-token\",\n\t\"version\": 
@@ -1668,7 +1697,8 @@ data: == kubernetes.containers[_].volumeMounts[_].mountPath\n}\n\nhas_key(x, k) {\n\t_ = x[k]\n}\n" policy.runs_with_GID_le_10000.kinds: Workload - policy.runs_with_GID_le_10000.rego: "package appshield.kubernetes.KSV021\n\nimport + policy.runs_with_GID_le_10000.rego: + "package appshield.kubernetes.KSV021\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failRunAsGroup = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV021\",\n\t\"avd_id\": \"AVD-KSV-0021\",\n\t\"title\": \"Runs with low group ID\",\n\t\"short_code\": \"use-high-gid\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": @@ -1695,7 +1725,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.runs_with_UID_le_10000.kinds: Workload - policy.runs_with_UID_le_10000.rego: "package appshield.kubernetes.KSV020\n\nimport + policy.runs_with_UID_le_10000.rego: + "package appshield.kubernetes.KSV020\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failRunAsUser = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV020\",\n\t\"avd_id\": \"AVD-KSV-0020\",\n\t\"title\": \"Runs with low user ID\",\n\t\"short_code\": \"use-high-uid\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": 
@@ -1722,7 +1753,8 @@ data: __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.selector_usage_in_network_policies.kinds: NetworkPolicy - policy.selector_usage_in_network_policies.rego: "package appshield.kubernetes.KSV038\n\nimport + policy.selector_usage_in_network_policies.rego: + "package appshield.kubernetes.KSV038\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\n__rego_metadata__ := {\n\t\"id\": \"KSV038\",\n\t\"avd_id\": \"AVD-KSV-0038\",\n\t\"title\": \"Selector usage in network policies\",\n\t\"short_code\": \"selector-usage-in-network-policies\",\n\t\"version\": @@ -1756,7 +1788,8 @@ data: == {}\n\tcontains(input.spec.policyType, \"Ingress\")\n}\n\ncontains(arr, elem) {\n\tarr[_] = elem\n}\n" policy.tiller_is_deployed.kinds: Workload - policy.tiller_is_deployed.rego: "package appshield.kubernetes.KSV202\n\nimport data.lib.kubernetes\n\n__rego_metadata__ + policy.tiller_is_deployed.rego: + "package appshield.kubernetes.KSV202\n\nimport data.lib.kubernetes\n\n__rego_metadata__ := {\n\t\"id\": \"KSV102\",\n\t\"avd_id\": \"AVD-KSV-0102\",\n\t\"title\": \"Tiller Is Deployed\",\n\t\"short_code\": \"no-tiller\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"Critical\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\": 
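Review bot: The Tiller policy on the new side is internally inconsistent: the added line declares `package appshield.kubernetes.KSV202` while the metadata that follows carries `"id": "KSV102"` and `"avd_id": "AVD-KSV-0102"`, and its `"severity": "Critical"` is the only mixed-case severity in this ConfigMap (every other policy visible here uses `"HIGH"` or `"LOW"`). Any consumer that buckets findings by a case-sensitive severity string, or that correlates the Rego package with the check ID, would likely misclassify this check. The hunk only reflows the string and this ConfigMap looks generated from the bundled policies, so the fix belongs in the source policy: `package appshield.kubernetes.KSV102` and `"severity": "CRITICAL"`, assuming KSV102 is the intended ID.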
@@ -1779,7 +1812,8 @@ data: == \"helm\"\n}\n\n# Check for tiller by name label\ncheckMetadata(metadata) {\n\tmetadata.labels.name == \"tiller\"\n}\n" policy.use_limit_range.kinds: LimitRange - policy.use_limit_range.rego: "package appshield.kubernetes.KSV039\n\nimport data.lib.kubernetes\nimport + policy.use_limit_range.rego: + "package appshield.kubernetes.KSV039\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\n__rego_metadata__ := {\n\t\"id\": \"KSV039\",\n\t\"avd_id\": \"AVD-KSV-0039\",\n\t\"title\": \"limit range usage\",\n\t\"short_code\": \"limit-range-usage\",\n\t\"severity\": \"LOW\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\": \"ensure @@ -1796,7 +1830,8 @@ data: \"min\")\n\tkubernetes.has_field(input.spec.limits[_], \"default\")\n\tkubernetes.has_field(input.spec.limits[_], \"defaultRequest\")\n}\n" policy.use_resource_quota.kinds: ResourceQuota - policy.use_resource_quota.rego: "package appshield.kubernetes.KSV040\n\nimport data.lib.kubernetes\nimport + policy.use_resource_quota.rego: + "package appshield.kubernetes.KSV040\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\n__rego_metadata__ := {\n\t\"id\": \"KSV040\",\n\t\"avd_id\": \"AVD-KSV-0040\",\n\t\"title\": \"resource quota usage\",\n\t\"short_code\": \"resource-quota-usage\",\n\t\"severity\": \"LOW\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\": \"ensure 
@@ -1812,7 +1847,8 @@ data: \"requests.cpu\")\n\tkubernetes.has_field(input.spec.hard, \"requests.memory\")\n\tkubernetes.has_field(input.spec.hard, \"limits.cpu\")\n\tkubernetes.has_field(input.spec.hard, \"limits.memory\")\n}\n" policy.uses_image_tag_latest.kinds: Workload - policy.uses_image_tag_latest.rego: "package appshield.kubernetes.KSV013\n\nimport + policy.uses_image_tag_latest.rego: + "package appshield.kubernetes.KSV013\n\nimport data.lib.kubernetes\n\ndefault checkUsingLatestTag = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV013\",\n\t\"avd_id\": \"AVD-KSV-0013\",\n\t\"title\": \"Image tag ':latest' used\",\n\t\"short_code\": \"use-specific-tags\",\n\t\"version\": @@ -1838,7 +1874,8 @@ data: := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.uses_untrusted_azure_registry.kinds: Workload - policy.uses_untrusted_azure_registry.rego: "package appshield.kubernetes.KSV032\n\nimport + policy.uses_untrusted_azure_registry.rego: + "package appshield.kubernetes.KSV032\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failTrustedAzureRegistry = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV032\",\n\t\"avd_id\": \"AVD-KSV-0032\",\n\t\"title\": \"All container images must start with the *.azurecr.io domain\",\n\t\"short_code\": 
@@ -1864,7 +1901,8 @@ data: msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n" policy.uses_untrusted_gcr_registry.kinds: Workload - policy.uses_untrusted_gcr_registry.rego: "package appshield.kubernetes.KSV033\n\nimport + policy.uses_untrusted_gcr_registry.rego: + "package appshield.kubernetes.KSV033\n\nimport data.lib.kubernetes\nimport data.lib.utils\n\ndefault failTrustedGCRRegistry = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV033\",\n\t\"avd_id\": \"AVD-KSV-0033\",\n\t\"title\": \"All container images must start with a GCR domain\",\n\t\"short_code\": \"use-gcr-domain\",\n\t\"version\": @@ -1900,7 +1938,7 @@ metadata: labels: app.kubernetes.io/name: starboard-operator app.kubernetes.io/instance: starboard-operator - app.kubernetes.io/version: "0.15.10" + app.kubernetes.io/version: "0.15.11" app.kubernetes.io/managed-by: kubectl annotations: prometheus.io/path: /metrics @@ -1923,7 +1961,7 @@ metadata: labels: app.kubernetes.io/name: starboard-operator app.kubernetes.io/instance: starboard-operator - app.kubernetes.io/version: "0.15.10" + app.kubernetes.io/version: "0.15.11" app.kubernetes.io/managed-by: kubectl spec: replicas: 1 @@ -1943,7 +1981,7 @@ spec: automountServiceAccountToken: true containers: - name: "starboard-operator" - image: "docker.io/aquasec/starboard-operator:0.15.10" + image: "docker.io/aquasec/starboard-operator:0.15.11" imagePullPolicy: IfNotPresent env: - name: OPERATOR_NAMESPACE @@ -2007,14 +2045,12 @@ spec: periodSeconds: 10 successThreshold: 1 failureThreshold: 10 - resources: - {} + resources: {} securityContext: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL privileged: false readOnlyRootFilesystem: true - securityContext: - {} + securityContext: {} diff --git a/mkdocs.yml b/mkdocs.yml index 858ca187c..df4c4b9f1 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
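Review bot: The rewritten pod-level `securityContext: {}` and `resources: {}` in the operator Deployment (hunk `@@ -2007,14 +2045,12 @@`) leave the operator itself failing checks it ships in this very manifest: no seccomp profile (KSV030, "Default Seccomp profile not set") and no CPU/memory limits (KSV011/KSV018). The container-level context is already hardened (`allowPrivilegeEscalation: false`, `drop: [ALL]`, `readOnlyRootFilesystem: true`), so adding a pod-level `securityContext: {seccompProfile: {type: RuntimeDefault}}` — and `runAsNonRoot: true` if it is not set somewhere above this hunk — would close the gap with little behavioural risk for a Go controller. Resource limits are deployment-specific, but an empty `resources: {}` in the reference manifest is worth a non-empty default or at least a comment explaining the omission. The Deployment template starts above this hunk, so a field set there may already cover one of these.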
@@ -99,8 +99,8 @@ extra: version: provider: mike var: - prev_git_tag: "v0.15.9" - chart_version: 0.10.10 + prev_git_tag: "v0.15.10" + chart_version: 0.10.11 # Requires pip install mkdocs-macros-plugin plugins: