starboard.yaml

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: vulnerabilityreports.aquasecurity.github.io
  labels:
    app.kubernetes.io/managed-by: starboard
    app.kubernetes.io/version: "0.15.6"
spec:
  group: aquasecurity.github.io
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          description: |
            VulnerabilityReport summarizes vulnerabilities in application dependencies and operating system packages
            built into container images.
          type: object
          required:
            - apiVersion
            - kind
            - metadata
            - report
          properties:
            apiVersion:
              type: string
            kind:
              type: string
            metadata:
              type: object
            report:
              description: |
                Report is the actual vulnerability report data.
              type: object
              required:
                - updateTimestamp
                - scanner
                - artifact
                - summary
                - vulnerabilities
              properties:
                updateTimestamp:
                  description: |
                    UpdateTimestamp is a timestamp representing the server time in UTC when this report was updated.
                  type: string
                  format: date-time
                scanner:
                  description: |
                    Scanner is the scanner that generated this report.
                  type: object
                  required:
                    - name
                    - vendor
                    - version
                  properties:
                    name:
                      description: |
                        Name the name of the scanner.
                      type: string
                    vendor:
                      description: |
                        Vendor the name of the vendor providing the scanner.
                      type: string
                    version:
                      description: |
                        Version the version of the scanner.
                      type: string
                registry:
                  description: |
                    Registry is the registry the Artifact was pulled from.
                  type: object
                  properties:
                    server:
                      description: |
                        Server the FQDN of registry server.
                      type: string
                artifact:
                  description: |
                    Artifact represents a standalone, executable package of software that includes everything needed to
                    run an application.
                  type: object
                  properties:
                    repository:
                      description: |
                        Repository is the name of the repository in the Artifact registry.
                      type: string
                    digest:
                      description: |
                        Digest is a unique and immutable identifier of an Artifact.
                      type: string
                    tag:
                      description: |
                        Tag is a mutable, human-readable string used to identify an Artifact.
                      type: string
                    mimeType:
                      description: |
                        MimeType represents a type and format of an Artifact.
                      type: string
                summary:
                  description: |
                    Summary is a summary of Vulnerability counts grouped by Severity.
                  type: object
                  required:
                    - criticalCount
                    - highCount
                    - mediumCount
                    - lowCount
                    - unknownCount
                  properties:
                    criticalCount:
                      description: |
                        CriticalCount is the number of vulnerabilities with Critical Severity.
                      type: integer
                      minimum: 0
                    highCount:
                      description: |
                        HighCount is the number of vulnerabilities with High Severity.
                      type: integer
                      minimum: 0
                    mediumCount:
                      description: |
                        MediumCount is the number of vulnerabilities with Medium Severity.
                      type: integer
                      minimum: 0
                    lowCount:
                      description: |
                        LowCount is the number of vulnerabilities with Low Severity.
                      type: integer
                      minimum: 0
                    unknownCount:
                      description: |
                        UnknownCount is the number of vulnerabilities with unknown severity.
                      type: integer
                      minimum: 0
                    noneCount:
                      description: |
                        NoneCount is the number of packages without any vulnerability.
                      type: integer
                      minimum: 0
                vulnerabilities:
                  description: |
                    Vulnerabilities is a list of operating system (OS) or application software Vulnerability items found in the Artifact.
                  type: array
                  items:
                    type: object
                    required:
                      - vulnerabilityID
                      - resource
                      - installedVersion
                      - fixedVersion
                      - severity
                      - title
                    properties:
                      vulnerabilityID:
                        description: |
                          VulnerabilityID the vulnerability identifier.
                        type: string
                      resource:
                        description: |
                          Resource is a vulnerable package, application, or library.
                        type: string
                      installedVersion:
                        description: |
                          InstalledVersion indicates the installed version of the Resource.
                        type: string
                      fixedVersion:
                        description: |
                          FixedVersion indicates the version of the Resource in which this vulnerability has been fixed.
                        type: string
                      score:
                        type: number
                      severity:
                        type: string
                        enum:
                          - CRITICAL
                          - HIGH
                          - MEDIUM
                          - LOW
                          - UNKNOWN
                      title:
                        type: string
                      description:
                        type: string
                      primaryLink:
                        type: string
                      links:
                        type: array
                        items:
                          type: string
      additionalPrinterColumns:
        - jsonPath: .report.artifact.repository
          type: string
          name: Repository
          description: The name of image repository
        - jsonPath: .report.artifact.tag
          type: string
          name: Tag
          description: The name of image tag
        - jsonPath: .report.scanner.name
          type: string
          name: Scanner
          description: The name of the vulnerability scanner
        - jsonPath: .metadata.creationTimestamp
          type: date
          name: Age
          description: The age of the report
        - jsonPath: .report.summary.criticalCount
          type: integer
          name: Critical
          description: The number of critical vulnerabilities
          priority: 1
        - jsonPath: .report.summary.highCount
          type: integer
          name: High
          description: The number of high vulnerabilities
          priority: 1
        - jsonPath: .report.summary.mediumCount
          type: integer
          name: Medium
          description: The number of medium vulnerabilities
          priority: 1
        - jsonPath: .report.summary.lowCount
          type: integer
          name: Low
          description: The number of low vulnerabilities
          priority: 1
        - jsonPath: .report.summary.unknownCount
          type: integer
          name: Unknown
          description: The number of unknown vulnerabilities
          priority: 1
  scope: Namespaced
  names:
    singular: vulnerabilityreport
    plural: vulnerabilityreports
    kind: VulnerabilityReport
    listKind: VulnerabilityReportList
    categories: []
    shortNames:
      - vuln
      - vulns
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: configauditreports.aquasecurity.github.io
  labels:
    app.kubernetes.io/managed-by: starboard
    app.kubernetes.io/version: "0.15.6"
spec:
  group: aquasecurity.github.io
  versions:
    - name: v1alpha1
      served: true
      storage: true
      additionalPrinterColumns:
        - jsonPath: .report.scanner.name
          type: string
          name: Scanner
          description: The name of the config audit scanner
        - jsonPath: .metadata.creationTimestamp
          type: date
          name: Age
          description: The age of the report
        - jsonPath: .report.summary.criticalCount
          type: integer
          name: Critical
          priority: 1
          description: The number of failed checks with critical severity
        - jsonPath: .report.summary.highCount
          type: integer
          name: High
          priority: 1
          description: The number of failed checks with high severity
        - jsonPath: .report.summary.mediumCount
          type: integer
          name: Medium
          priority: 1
          description: The number of failed checks with medium severity
        - jsonPath: .report.summary.lowCount
          type: integer
          name: Low
          priority: 1
          description: The number of failed checks with low severity
      schema:
        openAPIV3Schema:
          x-kubernetes-preserve-unknown-fields: true
          type: object
  scope: Namespaced
  names:
    singular: configauditreport
    plural: configauditreports
    kind: ConfigAuditReport
    listKind: ConfigAuditReportList
    categories: []
    shortNames:
      - configaudit
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: clusterconfigauditreports.aquasecurity.github.io
  labels:
    app.kubernetes.io/managed-by: starboard
    app.kubernetes.io/version: "0.15.6"
spec:
  group: aquasecurity.github.io
  versions:
    - name: v1alpha1
      served: true
      storage: true
      additionalPrinterColumns:
        - jsonPath: .report.scanner.name
          type: string
          name: Scanner
          description: The name of the config audit scanner
        - jsonPath: .metadata.creationTimestamp
          type: date
          name: Age
          description: The age of the report
        - jsonPath: .report.summary.criticalCount
          type: integer
          name: Critical
          priority: 1
          description: The number of failed checks with critical severity
        - jsonPath: .report.summary.highCount
          type: integer
          name: High
          priority: 1
          description: The number of failed checks with high severity
        - jsonPath: .report.summary.mediumCount
          type: integer
          name: Medium
          priority: 1
          description: The number of failed checks with medium severity
        - jsonPath: .report.summary.lowCount
          type: integer
          name: Low
          priority: 1
          description: The number of failed checks with low severity
      schema:
        openAPIV3Schema:
          x-kubernetes-preserve-unknown-fields: true
          type: object
  scope: Cluster
  names:
    singular: clusterconfigauditreport
    plural: clusterconfigauditreports
    kind: ClusterConfigAuditReport
    listKind: ClusterConfigAuditReportList
    categories: []
    shortNames:
      - clusterconfigaudit
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: ciskubebenchreports.aquasecurity.github.io
  labels:
    app.kubernetes.io/managed-by: starboard
    app.kubernetes.io/version: "0.15.6"
spec:
  group: aquasecurity.github.io
  versions:
    - name: v1alpha1
      served: true
      storage: true
      additionalPrinterColumns:
        - jsonPath: .report.scanner.name
          type: string
          name: Scanner
        - jsonPath: .metadata.creationTimestamp
          type: date
          name: Age
        - jsonPath: .report.summary.failCount
          type: integer
          name: Fail
          priority: 1
        - jsonPath: .report.summary.warnCount
          type: integer
          name: Warn
          priority: 1
        - jsonPath: .report.summary.infoCount
          type: integer
          name: Info
          priority: 1
        - jsonPath: .report.summary.passCount
          type: integer
          name: Pass
          priority: 1
      schema:
        openAPIV3Schema:
          x-kubernetes-preserve-unknown-fields: true
          type: "object"
  scope: Cluster
  names:
    singular: ciskubebenchreport
    plural: ciskubebenchreports
    kind: CISKubeBenchReport
    listKind: CISKubeBenchReportList
    categories: []
    shortNames:
      - kubebench
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: clustercompliancereports.aquasecurity.github.io
  labels:
    app.kubernetes.io/managed-by: starboard
    app.kubernetes.io/version: "0.15.6"
spec:
  group: aquasecurity.github.io
  scope: Cluster
  versions:
    - name: v1alpha1
      served: true
      storage: true
      additionalPrinterColumns:
        - jsonPath: .metadata.creationTimestamp
          type: date
          name: Age
          description: The age of the report
        - jsonPath: .status.summary.failCount
          type: integer
          name: Fail
          priority: 1
          description: The number of checks that failed with Danger status
        - jsonPath: .status.summary.passCount
          type: integer
          name: Pass
          priority: 1
          description: The number of checks that passed
      schema:
        openAPIV3Schema:
          type: object
          required:
            - apiVersion
            - kind
            - metadata
            - spec
          properties:
            apiVersion:
              type: string
            kind:
              type: string
            metadata:
              type: object
            spec:
              type: object
              required:
                - name
                - description
                - version
                - cron
                - controls
              properties:
                name:
                  type: string
                description:
                  type: string
                version:
                  type: string
                cron:
                  type: string
                  pattern: '^(((([\*]{1}){1})|((\*\/){0,1}(([0-9]{1}){1}|(([1-5]{1}){1}([0-9]{1}){1}){1}))) ((([\*]{1}){1})|((\*\/){0,1}(([0-9]{1}){1}|(([1]{1}){1}([0-9]{1}){1}){1}|([2]{1}){1}([0-3]{1}){1}))) ((([\*]{1}){1})|((\*\/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1}))) ((([\*]{1}){1})|((\*\/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1}))|(jan|feb|mar|apr|may|jun|jul|aug|sep|okt|nov|dec)) ((([\*]{1}){1})|((\*\/){0,1}(([0-7]{1}){1}))|(sun|mon|tue|wed|thu|fri|sat)))$'
                  description: 'cron define the intervals for report generation'
                controls:
                  type: array
                  items:
                    type: object
                    required:
                      - name
                      - id
                      - kinds
                      - mapping
                      - severity
                    properties:
                      name:
                        type: string
                      description:
                        type: string
                      id:
                        type: string
                        description: 'id define the control check id'
                      kinds:
                        type: array
                        items:
                          type: string
                          description: 'kinds define the list of kinds control check apply on , example: Node,Workload '
                      mapping:
                        type: object
                        required:
                          - scanner
                          - checks
                        properties:
                          scanner:
                            type: string
                            pattern: '^config-audit$|^kube-bench$'
                            description: 'scanner define the name of the scanner which produce data, currently only config-audit and kube-bench are supported'
                          checks:
                            type: array
                            items:
                              type: object
                              required:
                                - id
                              properties:
                                id:
                                  type: string
                                  description: 'id define the check id as produced by scanner'
                      severity:
                        type: string
                        description: 'define the severity of the control'
                        enum:
                          - CRITICAL
                          - HIGH
                          - MEDIUM
                          - LOW
                          - UNKNOWN
                      defaultStatus:
                        type: string
                        description: 'define the default value for check status in case resource not found'
                        enum:
                          - PASS
                          - WARN
                          - FAIL
            status:
              x-kubernetes-preserve-unknown-fields: true
              type: object
      subresources:
        # status enables the status subresource.
        status: { }
  names:
    singular: clustercompliancereport
    plural: clustercompliancereports
    kind: ClusterComplianceReport
    listKind: ClusterComplianceReportList
    categories: [ ]
    shortNames:
      - compliance
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: clustercompliancedetailreports.aquasecurity.github.io
  labels:
    app.kubernetes.io/managed-by: starboard
    app.kubernetes.io/version: "0.15.6"
spec:
  group: aquasecurity.github.io
  versions:
    - name: v1alpha1
      served: true
      storage: true
      additionalPrinterColumns:
        - jsonPath: .metadata.creationTimestamp
          type: date
          name: Age
          description: The age of the report
        - jsonPath: .report.summary.failCount
          type: integer
          name: Fail
          priority: 1
          description: The number of checks that failed with Danger status
        - jsonPath: .report.summary.passCount
          type: integer
          name: Pass
          priority: 1
          description: The number of checks that passed
      schema:
        openAPIV3Schema:
          x-kubernetes-preserve-unknown-fields: true
          type: object
  scope: Cluster
  names:
    singular: clustercompliancedetailreport
    plural: clustercompliancedetailreports
    kind: ClusterComplianceDetailReport
    listKind: ClusterComplianceDetailReportList
    categories: [ ]
    shortNames:
      - compliancedetail
---
apiVersion: v1
kind: Namespace
metadata:
  name: starboard-system
  labels:
    app.kubernetes.io/name: starboard-operator
    app.kubernetes.io/instance: starboard-operator
    app.kubernetes.io/version: "0.15.6"
    app.kubernetes.io/managed-by: kubectl
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: starboard-operator
  namespace: starboard-system
  labels:
    app.kubernetes.io/name: starboard-operator
    app.kubernetes.io/instance: starboard-operator
    app.kubernetes.io/version: "0.15.6"
    app.kubernetes.io/managed-by: kubectl
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: starboard-operator
  labels:
    app.kubernetes.io/name: starboard-operator
    app.kubernetes.io/instance: starboard-operator
    app.kubernetes.io/version: "0.15.6"
    app.kubernetes.io/managed-by: kubectl
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/log
      - replicationcontrollers
      - services
      - resourcequotas
      - limitranges
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - configmaps
      - secrets
      - serviceaccounts
    verbs:
      - list
      - watch
      - get
      - create
      - update
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - delete
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
  - apiGroups:
      - apps
    resources:
      - replicasets
      - statefulsets
      - daemonsets
      - deployments
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - batch
    resources:
      - jobs
      - cronjobs
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - roles
      - rolebindings
      - clusterroles
      - clusterrolebindings
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - create
      - delete
  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - aquasecurity.github.io
    resources:
      - vulnerabilityreports
      - configauditreports
      - clusterconfigauditreports
      - ciskubebenchreports
      - clustercompliancereports
      - clustercompliancedetailreports
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
      - get
      - update
  - apiGroups:
      - aquasecurity.github.io
    resources:
      - clustercompliancereports/status
    verbs:
      - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: starboard-operator
  labels:
    app.kubernetes.io/name: starboard-operator
    app.kubernetes.io/instance: starboard-operator
    app.kubernetes.io/version: "0.15.6"
    app.kubernetes.io/managed-by: kubectl
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: starboard-operator
subjects:
  - kind: ServiceAccount
    name: starboard-operator
    namespace: starboard-system
---
apiVersion: v1
kind: Secret
metadata:
  name: starboard
  namespace: starboard-system
  labels:
    app.kubernetes.io/name: starboard-operator
    app.kubernetes.io/instance: starboard-operator
    app.kubernetes.io/version: "0.15.6"
    app.kubernetes.io/managed-by: kubectl
---
apiVersion: v1
kind: Secret
metadata:
  name: starboard-trivy-config
  namespace: starboard-system
  labels:
    app.kubernetes.io/name: starboard-operator
    app.kubernetes.io/instance: starboard-operator
    app.kubernetes.io/version: "0.15.6"
    app.kubernetes.io/managed-by: kubectl
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: starboard
  namespace: starboard-system
  labels:
    app.kubernetes.io/name: starboard-operator
    app.kubernetes.io/instance: starboard-operator
    app.kubernetes.io/version: "0.15.6"
    app.kubernetes.io/managed-by: kubectl
data:
  vulnerabilityReports.scanner: "Trivy"
  configAuditReports.scanner: "Polaris"
  kube-bench.imageRef: "docker.io/aquasec/kube-bench:v0.6.6"
  compliance.failEntriesLimit: "10"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: starboard-trivy-config
  namespace: starboard-system
  labels:
    app.kubernetes.io/name: starboard-operator
    app.kubernetes.io/instance: starboard-operator
    app.kubernetes.io/version: "0.15.6"
    app.kubernetes.io/managed-by: kubectl
data:
  trivy.imageRef: "docker.io/aquasec/trivy:0.25.2"
  trivy.mode: "Standalone"
  trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
  trivy.timeout: "5m0s"
  trivy.dbRepository: "ghcr.io/aquasecurity/trivy-db"
  trivy.resources.requests.cpu: 100m
  trivy.resources.requests.memory: 100M
  trivy.resources.limits.cpu: 500m
  trivy.resources.limits.memory: 500M
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: starboard-polaris-config
  namespace: starboard-system
  labels:
    app.kubernetes.io/name: starboard-operator
    app.kubernetes.io/instance: starboard-operator
    app.kubernetes.io/version: "0.15.6"
    app.kubernetes.io/managed-by: kubectl
data:
  polaris.imageRef: "quay.io/fairwinds/polaris:4.2"
  polaris.resources.requests.cpu: "50m"
  polaris.resources.requests.memory: "50M"
  polaris.resources.limits.cpu: "300m"
  polaris.resources.limits.memory: "300M"
  polaris.config.yaml: |
    checks:
      # reliability
      multipleReplicasForDeployment: ignore
      priorityClassNotSet: ignore
      # resources
      cpuRequestsMissing: warning
      cpuLimitsMissing: warning
      memoryRequestsMissing: warning
      memoryLimitsMissing: warning
      # images
      tagNotSpecified: danger
      pullPolicyNotAlways: ignore
      # healthChecks
      readinessProbeMissing: warning
      livenessProbeMissing: warning
      # networking
      hostNetworkSet: warning
      hostPortSet: warning
      # security
      hostIPCSet: danger
      hostPIDSet: danger
      notReadOnlyRootFilesystem: warning
      privilegeEscalationAllowed: danger
      runAsRootAllowed: warning
      runAsPrivileged: danger
      dangerousCapabilities: danger
      insecureCapabilities: warning
    exemptions:
      - controllerNames:
        - kube-apiserver
        - kube-proxy
        - kube-scheduler
        - etcd-manager-events
        - kube-controller-manager
        - kube-dns
        - etcd-manager-main
        rules:
        - hostPortSet
        - hostNetworkSet
        - readinessProbeMissing
        - livenessProbeMissing
        - cpuRequestsMissing
        - cpuLimitsMissing
        - memoryRequestsMissing
        - memoryLimitsMissing
        - runAsRootAllowed
        - runAsPrivileged
        - notReadOnlyRootFilesystem
        - hostPIDSet
      - controllerNames:
        - kube-flannel-ds
        rules:
        - notReadOnlyRootFilesystem
        - runAsRootAllowed
        - notReadOnlyRootFilesystem
        - readinessProbeMissing
        - livenessProbeMissing
        - cpuLimitsMissing
      - controllerNames:
        - cert-manager
        rules:
        - notReadOnlyRootFilesystem
        - runAsRootAllowed
        - readinessProbeMissing
        - livenessProbeMissing
      - controllerNames:
        - cluster-autoscaler
        rules:
        - notReadOnlyRootFilesystem
        - runAsRootAllowed
        - readinessProbeMissing
      - controllerNames:
        - vpa
        rules:
        - runAsRootAllowed
        - readinessProbeMissing
        - livenessProbeMissing
        - notReadOnlyRootFilesystem
      - controllerNames:
        - datadog
        rules:
        - runAsRootAllowed
        - readinessProbeMissing
        - livenessProbeMissing
        - notReadOnlyRootFilesystem
      - controllerNames:
        - nginx-ingress-controller
        rules:
        - privilegeEscalationAllowed
        - insecureCapabilities
        - runAsRootAllowed
      - controllerNames:
        - dns-controller
        - datadog-datadog
        - kube-flannel-ds
        - kube2iam
        - aws-iam-authenticator
        - datadog
        - kube2iam
        rules:
        - hostNetworkSet
      - controllerNames:
        - aws-iam-authenticator
        - aws-cluster-autoscaler
        - kube-state-metrics
        - dns-controller
        - external-dns
        - dnsmasq
        - autoscaler
        - kubernetes-dashboard
        - install-cni
        - kube2iam
        rules:
        - readinessProbeMissing
        - livenessProbeMissing
      - controllerNames:
        - aws-iam-authenticator
        - nginx-ingress-default-backend
        - aws-cluster-autoscaler
        - kube-state-metrics
        - dns-controller
        - external-dns
        - kubedns
        - dnsmasq
        - autoscaler
        - tiller
        - kube2iam
        rules:
        - runAsRootAllowed
      - controllerNames:
        - aws-iam-authenticator
        - nginx-ingress-controller
        - nginx-ingress-default-backend
        - aws-cluster-autoscaler
        - kube-state-metrics
        - dns-controller
        - external-dns
        - kubedns
        - dnsmasq
        - autoscaler
        - tiller
        - kube2iam
        rules:
        - notReadOnlyRootFilesystem
      - controllerNames:
        - cert-manager
        - dns-controller
        - kubedns
        - dnsmasq
        - autoscaler
        - insights-agent-goldilocks-vpa-install
        - datadog
        rules:
        - cpuRequestsMissing
        - cpuLimitsMissing
        - memoryRequestsMissing
        - memoryLimitsMissing
      - controllerNames:
        - kube2iam
        - kube-flannel-ds
        rules:
        - runAsPrivileged
      - controllerNames:
        - kube-hunter
        rules:
        - hostPIDSet
      - controllerNames:
        - polaris
        - kube-hunter
        - goldilocks
        - insights-agent-goldilocks-vpa-install
        rules:
        - notReadOnlyRootFilesystem
      - controllerNames:
        - insights-agent-goldilocks-controller
        rules:
        - livenessProbeMissing
        - readinessProbeMissing
      - controllerNames:
        - insights-agent-goldilocks-vpa-install
        - kube-hunter
        rules:
        - runAsRootAllowed
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: starboard-policies-config
  namespace: starboard-system
  labels:
    app.kubernetes.io/name: starboard-operator
    app.kubernetes.io/instance: starboard-operator
    app.kubernetes.io/version: "0.15.6"
    app.kubernetes.io/managed-by: kubectl
data:
  library.kubernetes.rego: "package lib.kubernetes\n\ndefault is_gatekeeper = false\n\nis_gatekeeper
    {\n\thas_field(input, \"review\")\n\thas_field(input.review, \"object\")\n}\n\nobject
    = input {\n\tnot is_gatekeeper\n}\n\nobject = input.review.object {\n\tis_gatekeeper\n}\n\nformat(msg)
    = gatekeeper_format {\n\tis_gatekeeper\n\tgatekeeper_format = {\"msg\": msg}\n}\n\nformat(msg)
    = msg {\n\tnot is_gatekeeper\n}\n\nname = object.metadata.name\n\ndefault namespace
    = \"default\"\n\nnamespace = object.metadata.namespace\n\n#annotations = object.metadata.annotations\n\nkind
    = object.kind\n\nis_pod {\n\tkind = \"Pod\"\n}\n\nis_cronjob {\n\tkind = \"CronJob\"\n}\n\ndefault
    is_controller = false\n\nis_controller {\n\tkind = \"Deployment\"\n}\n\nis_controller
    {\n\tkind = \"StatefulSet\"\n}\n\nis_controller {\n\tkind = \"DaemonSet\"\n}\n\nis_controller
    {\n\tkind = \"ReplicaSet\"\n}\n\nis_controller {\n\tkind = \"ReplicationController\"\n}\n\nis_controller
    {\n\tkind = \"Job\"\n}\n\nsplit_image(image) = [image, \"latest\"] {\n\tnot contains(image,
    \":\")\n}\n\nsplit_image(image) = [image_name, tag] {\n\t[image_name, tag] = split(image,
    \":\")\n}\n\npod_containers(pod) = all_containers {\n\tkeys = {\"containers\",
    \"initContainers\"}\n\tall_containers = [c | keys[k]; c = pod.spec[k][_]]\n}\n\ncontainers[container]
    {\n\tpods[pod]\n\tall_containers = pod_containers(pod)\n\tcontainer = all_containers[_]\n}\n\ncontainers[container]
    {\n\tall_containers = pod_containers(object)\n\tcontainer = all_containers[_]\n}\n\npods[pod]
    {\n\tis_pod\n\tpod = object\n}\n\npods[pod] {\n\tis_controller\n\tpod = object.spec.template\n}\n\npods[pod]
    {\n\tis_cronjob\n\tpod = object.spec.jobTemplate.spec.template\n}\n\nvolumes[volume]
    {\n\tpods[pod]\n\tvolume = pod.spec.volumes[_]\n}\n\ndropped_capability(container,
    cap) {\n\tcontainer.securityContext.capabilities.drop[_] == cap\n}\n\nadded_capability(container,
    cap) {\n\tcontainer.securityContext.capabilities.add[_] == cap\n}\n\nhas_field(obj,
    field) {\n\tobj[field]\n}\n\nno_read_only_filesystem(c) {\n\tnot has_field(c,
    \"securityContext\")\n}\n\nno_read_only_filesystem(c) {\n\thas_field(c, \"securityContext\")\n\tnot
    has_field(c.securityContext, \"readOnlyRootFilesystem\")\n}\n\npriviledge_escalation_allowed(c)
    {\n\tnot has_field(c, \"securityContext\")\n}\n\npriviledge_escalation_allowed(c)
    {\n\thas_field(c, \"securityContext\")\n\thas_field(c.securityContext, \"allowPrivilegeEscalation\")\n}\n\nannotations[annotation]
    {\n\tpods[pod]\n\tannotation = pod.metadata.annotations\n}\n\nhost_ipcs[host_ipc]
    {\n\tpods[pod]\n\thost_ipc = pod.spec.hostIPC\n}\n\nhost_networks[host_network]
    {\n\tpods[pod]\n\thost_network = pod.spec.hostNetwork\n}\n\nhost_pids[host_pid]
    {\n\tpods[pod]\n\thost_pid = pod.spec.hostPID\n}\n\nhost_aliases[host_alias] {\n\tpods[pod]\n\thost_alias
    = pod.spec\n}\n"
  library.utils.rego: "package lib.utils\n\nhas_key(x, k) {\n\t_ = x[k]\n}\n"
  policy.1_host_ipc.kinds: Workload
  policy.1_host_ipc.rego: "package appshield.kubernetes.KSV008\n\nimport data.lib.kubernetes\n\ndefault
    failHostIPC = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV008\",\n\t\"avd_id\":
    \"AVD-KSV-0008\",\n\t\"title\": \"Access to host IPC namespace\",\n\t\"short_code\":
    \"no-shared-ipc-namespace\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"HIGH\",\n\t\"type\":
    \"Kubernetes Security Check\",\n\t\"description\": \"Sharing the host’s IPC namespace
    allows container processes to communicate with processes on the host.\",\n\t\"recommended_actions\":
    \"Do not set 'spec.template.spec.hostIPC' to true.\",\n\t\"url\": \"https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    failHostIPC is true if spec.hostIPC is set to true (on all resources)\nfailHostIPC
    {\n\tkubernetes.host_ipcs[_] == true\n}\n\ndeny[res] {\n\tfailHostIPC\n\n\tmsg
    := kubernetes.format(sprintf(\"%s '%s' should not set 'spec.template.spec.hostIPC'
    to true\", [kubernetes.kind, kubernetes.name]))\n\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\":
    __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
  policy.1_host_network.kinds: Workload
  policy.1_host_network.rego: "package appshield.kubernetes.KSV009\n\nimport data.lib.kubernetes\n\ndefault
    failHostNetwork = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV009\",\n\t\"avd_id\":
    \"AVD-KSV-0009\",\n\t\"title\": \"Access to host network\",\n\t\"short_code\":
    \"no-host-network\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"HIGH\",\n\t\"type\":
    \"Kubernetes Security Check\",\n\t\"description\": \"Sharing the host’s network
    namespace permits processes in the pod to communicate with processes bound to
    the host’s loopback adapter.\",\n\t\"recommended_actions\": \"Do not set 'spec.template.spec.hostNetwork'
    to true.\",\n\t\"url\": \"https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    failHostNetwork is true if spec.hostNetwork is set to true (on all controllers)\nfailHostNetwork
    {\n\tkubernetes.host_networks[_] == true\n}\n\ndeny[res] {\n\tfailHostNetwork\n\n\tmsg
    := kubernetes.format(sprintf(\"%s '%s' should not set 'spec.template.spec.hostNetwork'
    to true\", [kubernetes.kind, kubernetes.name]))\n\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\":
    __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
  policy.1_host_pid.kinds: Workload
  policy.1_host_pid.rego: "package appshield.kubernetes.KSV010\n\nimport data.lib.kubernetes\n\ndefault
    failHostPID = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV010\",\n\t\"avd_id\":
    \"AVD-KSV-0010\",\n\t\"title\": \"Access to host PID\",\n\t\"short_code\": \"no-host-pid\",\n\t\"version\":
    \"v1.0.0\",\n\t\"severity\": \"HIGH\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
    \"Sharing the host’s PID namespace allows visibility on host processes, potentially
    leaking information such as environment variables and configuration.\",\n\t\"recommended_actions\":
    \"Do not set 'spec.template.spec.hostPID' to true.\",\n\t\"url\": \"https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    failHostPID is true if spec.hostPID is set to true (on all controllers)\nfailHostPID
    {\n\tkubernetes.host_pids[_] == true\n}\n\ndeny[res] {\n\tfailHostPID\n\n\tmsg
    := kubernetes.format(sprintf(\"%s '%s' should not set 'spec.template.spec.hostPID'
    to true\", [kubernetes.kind, kubernetes.name]))\n\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\":
    __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
  policy.1_non_core_volume_types.kinds: Workload
  policy.1_non_core_volume_types.rego: "package appshield.kubernetes.KSV028\n\nimport
    data.lib.kubernetes\nimport data.lib.utils\n\n__rego_metadata__ := {\n\t\"id\":
    \"KSV028\",\n\t\"avd_id\": \"AVD-KSV-0028\",\n\t\"title\": \"Non-ephemeral volume
    types used\",\n\t\"short_code\": \"no-non-ephemeral-volumes\",\n\t\"version\":
    \"v1.0.0\",\n\t\"severity\": \"LOW\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
    \"In addition to restricting HostPath volumes, usage of non-ephemeral volume types
    should be limited to those defined through PersistentVolumes.\",\n\t\"recommended_actions\":
    \"Do not Set 'spec.volumes[*]' to any of the disallowed volume types.\",\n\t\"url\":
    \"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    Add disallowed volume type\ndisallowed_volume_types = [\n\t\"gcePersistentDisk\",\n\t\"awsElasticBlockStore\",\n\t#
    \"hostPath\", Baseline detects spec.volumes[*].hostPath\n\t\"gitRepo\",\n\t\"nfs\",\n\t\"iscsi\",\n\t\"glusterfs\",\n\t\"rbd\",\n\t\"flexVolume\",\n\t\"cinder\",\n\t\"cephFS\",\n\t\"flocker\",\n\t\"fc\",\n\t\"azureFile\",\n\t\"vsphereVolume\",\n\t\"quobyte\",\n\t\"azureDisk\",\n\t\"portworxVolume\",\n\t\"scaleIO\",\n\t\"storageos\",\n\t\"csi\",\n]\n\n#
    getDisallowedVolumes returns a list of volume names\n# which set volume type to
    any of the disallowed volume types\ngetDisallowedVolumes[name] {\n\tvolume :=
    kubernetes.volumes[_]\n\ttype := disallowed_volume_types[_]\n\tutils.has_key(volume,
    type)\n\tname := volume.name\n}\n\n# failVolumeTypes is true if any of volume
    has a disallowed\n# volume type\nfailVolumeTypes {\n\tcount(getDisallowedVolumes)
    > 0\n}\n\ndeny[res] {\n\tfailVolumeTypes\n\n\tmsg := kubernetes.format(sprintf(\"%s
    '%s' should set 'spec.volumes[*]' to type 'PersistentVolumeClaim'\", [kubernetes.kind,
    kubernetes.name]))\n\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\":
    __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\":
    __rego_metadata__.type,\n\t}\n}\n"
  policy.2_can_elevate_its_own_privileges.kinds: Workload
  policy.2_can_elevate_its_own_privileges.rego: "package appshield.kubernetes.KSV001\n\nimport
    data.lib.kubernetes\nimport data.lib.utils\n\ndefault checkAllowPrivilegeEscalation
    = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV001\",\n\t\"avd_id\": \"AVD-KSV-0001\",\n\t\"title\":
    \"Process can elevate its own privileges\",\n\t\"short_code\": \"no-self-privesc\",\n\t\"version\":
    \"v1.0.0\",\n\t\"severity\": \"MEDIUM\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
    \"A program inside the container can elevate its own privileges and run as root,
    which might give the program control over the container and node.\",\n\t\"recommended_actions\":
    \"Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.\",\n\t\"url\":
    \"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    getNoPrivilegeEscalationContainers returns the names of all containers which have\n#
    securityContext.allowPrivilegeEscalation set to false.\ngetNoPrivilegeEscalationContainers[container]
    {\n\tallContainers := kubernetes.containers[_]\n\tallContainers.securityContext.allowPrivilegeEscalation
    == false\n\tcontainer := allContainers.name\n}\n\n# getPrivilegeEscalationContainers
    returns the names of all containers which have\n# securityContext.allowPrivilegeEscalation
    set to true or not set.\ngetPrivilegeEscalationContainers[container] {\n\tcontainer
    := kubernetes.containers[_].name\n\tnot getNoPrivilegeEscalationContainers[container]\n}\n\n#
    checkAllowPrivilegeEscalation is true if any container has\n# securityContext.allowPrivilegeEscalation
    set to true or not set.\ncheckAllowPrivilegeEscalation {\n\tcount(getPrivilegeEscalationContainers)
    > 0\n}\n\ndeny[res] {\n\tcheckAllowPrivilegeEscalation\n\n\tmsg := kubernetes.format(sprintf(\"Container
    '%s' of %s '%s' should set 'securityContext.allowPrivilegeEscalation' to false\",
    [getPrivilegeEscalationContainers[_], kubernetes.kind, kubernetes.name]))\n\n\tres
    := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
  policy.2_privileged.kinds: Workload
  policy.2_privileged.rego: "package appshield.kubernetes.KSV017\n\nimport data.lib.kubernetes\n\ndefault
    failPrivileged = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV017\",\n\t\"avd_id\":
    \"AVD-KSV-0017\",\n\t\"title\": \"Privileged container\",\n\t\"short_code\": \"no-privileged-containers\",\n\t\"version\":
    \"v1.0.0\",\n\t\"severity\": \"HIGH\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
    \"Privileged containers share namespaces with the host system and do not offer
    any security. They should be used exclusively for system containers that require
    high privileges.\",\n\t\"recommended_actions\": \"Change 'containers[].securityContext.privileged'
    to 'false'.\",\n\t\"url\": \"https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    getPrivilegedContainers returns all containers which have\n# securityContext.privileged
    set to true.\ngetPrivilegedContainers[container] {\n\tallContainers := kubernetes.containers[_]\n\tallContainers.securityContext.privileged
    == true\n\tcontainer := allContainers.name\n}\n\n# failPrivileged is true if there
    is ANY container with securityContext.privileged\n# set to true.\nfailPrivileged
    {\n\tcount(getPrivilegedContainers) > 0\n}\n\ndeny[res] {\n\tfailPrivileged\n\n\tmsg
    := kubernetes.format(sprintf(\"Container '%s' of %s '%s' should set 'securityContext.privileged'
    to false\", [getPrivilegedContainers[_], kubernetes.kind, kubernetes.name]))\n\tres
    := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
  policy.3_runs_as_root.kinds: Workload
  policy.3_runs_as_root.rego: "package appshield.kubernetes.KSV012\n\nimport data.lib.kubernetes\nimport
    data.lib.utils\n\ndefault checkRunAsNonRoot = false\n\n__rego_metadata__ := {\n\t\"id\":
    \"KSV012\",\n\t\"avd_id\": \"AVD-KSV-0012\",\n\t\"title\": \"Runs as root user\",\n\t\"short_code\":
    \"no-root\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"MEDIUM\",\n\t\"type\":
    \"Kubernetes Security Check\",\n\t\"description\": \"'runAsNonRoot' forces the
    running image to run as a non-root user to ensure least privileges.\",\n\t\"recommended_actions\":
    \"Set 'containers[].securityContext.runAsNonRoot' to true.\",\n\t\"url\": \"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    getNonRootContainers returns the names of all containers which have\n# securityContext.runAsNonRoot
    set to true.\ngetNonRootContainers[container] {\n\tallContainers := kubernetes.containers[_]\n\tallContainers.securityContext.runAsNonRoot
    == true\n\tcontainer := allContainers.name\n}\n\n# getRootContainers returns the
    names of all containers which have\n# securityContext.runAsNonRoot set to false
    or not set.\ngetRootContainers[container] {\n\tcontainer := kubernetes.containers[_].name\n\tnot
    getNonRootContainers[container]\n}\n\n# checkRunAsNonRoot is true if securityContext.runAsNonRoot
    is set to false\n# or if securityContext.runAsNonRoot is not set.\ncheckRunAsNonRootContainers
    {\n\tcount(getRootContainers) > 0\n}\n\ncheckRunAsNonRootPod {\n\tallPods := kubernetes.pods[_]\n\tnot
    allPods.spec.securityContext.runAsNonRoot\n}\n\ndeny[res] {\n\tcheckRunAsNonRootPod\n\n\tcheckRunAsNonRootContainers\n\n\tmsg
    := kubernetes.format(sprintf(\"Container '%s' of %s '%s' should set 'securityContext.runAsNonRoot'
    to true\", [getRootContainers[_], kubernetes.kind, kubernetes.name]))\n\n\tres
    := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
  policy.3_specific_capabilities_added.kinds: Workload
  policy.3_specific_capabilities_added.rego: "package appshield.kubernetes.KSV022\n\nimport
    data.lib.kubernetes\n\ndefault failAdditionalCaps = false\n\n__rego_metadata__
    := {\n\t\"id\": \"KSV022\",\n\t\"avd_id\": \"AVD-KSV-0022\",\n\t\"title\": \"Non-default
    capabilities added\",\n\t\"short_code\": \"no-non-default-capabilities\",\n\t\"version\":
    \"v1.0.0\",\n\t\"severity\": \"MEDIUM\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
    \"Adding NET_RAW or capabilities beyond the default set must be disallowed.\",\n\t\"recommended_actions\":
    \"Do not set spec.containers[*].securityContext.capabilities.add and spec.initContainers[*].securityContext.capabilities.add\",\n\t\"url\":
    \"https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    Add allowed capabilities to this set\nallowed_caps = set()\n\n# getContainersWithDisallowedCaps
    returns a list of containers which have\n# additional capabilities not included
    in the allowed capabilities list\ngetContainersWithDisallowedCaps[container] {\n\tallContainers
    := kubernetes.containers[_]\n\tset_caps := {cap | cap := allContainers.securityContext.capabilities.add[_]}\n\tcaps_not_allowed
    := set_caps - allowed_caps\n\tcount(caps_not_allowed) > 0\n\tcontainer := allContainers.name\n}\n\n#
    cap_msg is a string of allowed capabilities to be print as part of deny message\ncaps_msg
    = \"\" {\n\tcount(allowed_caps) == 0\n} else = msg {\n\tmsg := sprintf(\" or set
    it to the following allowed values: %s\", [concat(\", \", allowed_caps)])\n}\n\n#
    failAdditionalCaps is true if there are containers which set additional capabilities\n#
    not included in the allowed capabilities list\nfailAdditionalCaps {\n\tcount(getContainersWithDisallowedCaps)
    > 0\n}\n\ndeny[res] {\n\tfailAdditionalCaps\n\n\tmsg := sprintf(\"Container '%s'
    of %s '%s' should not set 'securityContext.capabilities.add'%s\", [getContainersWithDisallowedCaps[_],
    kubernetes.kind, kubernetes.name, caps_msg])\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\":
    __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
  policy.4_hostpath_volumes_mounted.kinds: Workload
  policy.4_hostpath_volumes_mounted.rego: "package appshield.kubernetes.KSV023\n\nimport
    data.lib.kubernetes\nimport data.lib.utils\n\ndefault failHostPathVolume = false\n\n__rego_metadata__
    := {\n\t\"id\": \"KSV023\",\n\t\"avd_id\": \"AVD-KSV-0023\",\n\t\"title\": \"hostPath
    volumes mounted\",\n\t\"short_code\": \"no-mounted-hostpath\",\n\t\"version\":
    \"v1.0.0\",\n\t\"severity\": \"MEDIUM\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
    \"HostPath volumes must be forbidden.\",\n\t\"recommended_actions\": \"Do not
    set 'spec.volumes[*].hostPath'.\",\n\t\"url\": \"https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\nfailHostPathVolume
    {\n\tvolumes := kubernetes.volumes\n\tutils.has_key(volumes[_], \"hostPath\")\n}\n\ndeny[res]
    {\n\tfailHostPathVolume\n\n\tmsg := kubernetes.format(sprintf(\"%s '%s' should
    not set 'spec.template.volumes.hostPath'\", [kubernetes.kind, kubernetes.name]))\n\n\tres
    := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
  policy.4_runs_with_a_root_gid.kinds: Workload
  policy.4_runs_with_a_root_gid.rego: "package appshield.kubernetes.KSV029\n\nimport
    data.lib.kubernetes\nimport data.lib.utils\n\ndefault failRootGroupId = false\n\n__rego_metadata__
    := {\n\t\"id\": \"KSV029\",\n\t\"avd_id\": \"AVD-KSV-0029\",\n\t\"title\": \"A
    root primary or supplementary GID set\",\n\t\"short_code\": \"no-run-root-gid\",\n\t\"version\":
    \"v1.0.0\",\n\t\"severity\": \"LOW\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
    \"Containers should be forbidden from running with a root primary or supplementary
    GID.\",\n\t\"recommended_actions\": \"Set 'containers[].securityContext.runAsGroup'
    to a non-zero integer or leave undefined.\",\n\t\"url\": \"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    getContainersWithRootGroupId returns a list of containers\n# with root group id
    set\ngetContainersWithRootGroupId[name] {\n\tcontainer := kubernetes.containers[_]\n\tcontainer.securityContext.runAsGroup
    == 0\n\tname := container.name\n}\n\n# failRootGroupId is true if root group id
    is set on pod\nfailRootGroupId {\n\tpod := kubernetes.pods[_]\n\tpod.spec.securityContext.runAsGroup
    == 0\n}\n\n# failRootGroupId is true if root group id is set on pod\nfailRootGroupId
    {\n\tpod := kubernetes.pods[_]\n\tutils.has_key(pod.spec.securityContext, \"supplementalGroups\")\n}\n\n#
    failRootGroupId is true if root group id is set on pod\nfailRootGroupId {\n\tpod
    := kubernetes.pods[_]\n\tutils.has_key(pod.spec.securityContext, \"fsGroup\")\n}\n\ndeny[res]
    {\n\tfailRootGroupId\n\n\tmsg := kubernetes.format(sprintf(\"%s '%s' should set
    'spec.securityContext.runAsGroup', 'spec.securityContext.supplementalGroups[*]'
    and 'spec.securityContext.fsGroup' to integer greater than 0\", [kubernetes.kind,
    kubernetes.name]))\n\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\":
    __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\":
    __rego_metadata__.type,\n\t}\n}\n\ndeny[res] {\n\tcount(getContainersWithRootGroupId)
    > 0\n\n\tmsg := kubernetes.format(sprintf(\"Container '%s' of %s '%s' should set
    'spec.securityContext.runAsGroup' to integer greater than  0\", [getContainersWithRootGroupId[_],
    kubernetes.kind, kubernetes.name]))\n\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\":
    __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
  policy.5_access_to_host_ports.kinds: Workload
  policy.5_access_to_host_ports.rego: "package appshield.kubernetes.KSV024\n\nimport
    data.lib.kubernetes\n\ndefault failHostPorts = false\n\n__rego_metadata__ := {\n\t\"id\":
    \"KSV024\",\n\t\"avd_id\": \"AVD-KSV-0024\",\n\t\"title\": \"Access to host ports\",\n\t\"short_code\":
    \"no-host-port-access\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"HIGH\",\n\t\"type\":
    \"Kubernetes Security Check\",\n\t\"description\": \"HostPorts should be disallowed,
    or at minimum restricted to a known list.\",\n\t\"recommended_actions\": \"Do
    not set spec.containers[*].ports[*].hostPort and spec.initContainers[*].ports[*].hostPort.\",\n\t\"url\":
    \"https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    Add allowed host ports to this set\nallowed_host_ports = set()\n\n# getContainersWithDisallowedHostPorts
    returns a list of containers which have\n# host ports not included in the allowed
    host port list\ngetContainersWithDisallowedHostPorts[container] {\n\tallContainers
    := kubernetes.containers[_]\n\tset_host_ports := {port | port := allContainers.ports[_].hostPort}\n\thost_ports_not_allowed
    := set_host_ports - allowed_host_ports\n\tcount(host_ports_not_allowed) > 0\n\tcontainer
    := allContainers.name\n}\n\n# host_ports_msg is a string of allowed host ports
    to be print as part of deny message\nhost_ports_msg = \"\" {\n\tcount(allowed_host_ports)
    == 0\n} else = msg {\n\tmsg := sprintf(\" or set it to the following allowed values:
    %s\", [concat(\", \", allowed_host_ports)])\n}\n\n# failHostPorts is true if there
    are containers which set host ports\n# not included in the allowed host ports
    list\nfailHostPorts {\n\tcount(getContainersWithDisallowedHostPorts) > 0\n}\n\ndeny[res]
    {\n\tfailHostPorts\n\n\tmsg := sprintf(\"Container '%s' of %s '%s' should not
    set host ports, 'ports[*].hostPort'%s\", [getContainersWithDisallowedHostPorts[_],
    kubernetes.kind, kubernetes.name, host_ports_msg])\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\":
    __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
  policy.5_runtime_default_seccomp_profile_not_set.kinds: Workload
  policy.5_runtime_default_seccomp_profile_not_set.rego: "package appshield.kubernetes.KSV030\n\nimport
    data.lib.kubernetes\nimport data.lib.utils\n\ndefault failSeccompProfileType =
    false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV030\",\n\t\"avd_id\": \"AVD-KSV-0030\",\n\t\"title\":
    \"Default Seccomp profile not set\",\n\t\"short_code\": \"use-default-seccomp\",\n\t\"version\":
    \"v1.0.0\",\n\t\"severity\": \"LOW\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
    \"The RuntimeDefault seccomp profile must be required, or allow specific additional
    profiles.\",\n\t\"recommended_actions\": \"Set 'spec.securityContext.seccompProfile.type',
    'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile'
    to 'RuntimeDefault' or undefined.\",\n\t\"url\": \"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    containers\ngetContainersWithDisallowedSeccompProfileType[name] {\n\tcontainer
    := kubernetes.containers[_]\n\ttype := container.securityContext.seccompProfile.type\n\tnot
    type == \"RuntimeDefault\"\n\tname := container.name\n}\n\n# pods\nfailSeccompProfileType
    {\n\tpod := kubernetes.pods[_]\n\ttype := pod.spec.securityContext.seccompProfile.type\n\tnot
    type == \"RuntimeDefault\"\n}\n\n# annotations (Kubernetes pre-v1.19)\nfailSeccompAnnotation
    {\n\tannotations := kubernetes.annotations[_]\n\tval := annotations[\"seccomp.security.alpha.kubernetes.io/pod\"]\n\tval
    != \"runtime/default\"\n}\n\n# annotations\ndeny[res] {\n\tfailSeccompAnnotation\n\n\tmsg
    := kubernetes.format(sprintf(\"%s '%s' should set 'seccomp.security.alpha.kubernetes.io/pod'
    to 'runtime/default'\", [kubernetes.kind, kubernetes.name]))\n\n\tres := {\n\t\t\"msg\":
    msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n\n#
    pods\ndeny[res] {\n\tfailSeccompProfileType\n\n\tmsg := kubernetes.format(sprintf(\"%s
    '%s' should set 'spec.securityContext.seccompProfile.type' to 'RuntimeDefault'\",
    [kubernetes.kind, kubernetes.name]))\n\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\":
    __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n\n#
    containers\ndeny[res] {\n\tcount(getContainersWithDisallowedSeccompProfileType)
    > 0\n\n\tmsg := kubernetes.format(sprintf(\"Container '%s' of %s '%s' should set
    'spec.containers[*].securityContext.seccompProfile.type' to 'RuntimeDefault'\",
    [getContainersWithDisallowedSeccompProfileType[_], kubernetes.kind, kubernetes.name]))\n\n\tres
    := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
  policy.6_apparmor_policy_disabled.kinds: Workload
  policy.6_apparmor_policy_disabled.rego: "package appshield.kubernetes.KSV002\n\nimport
    data.lib.kubernetes\n\ndefault failAppArmor = false\n\n__rego_metadata__ := {\n\t\"id\":
    \"KSV002\",\n\t\"avd_id\": \"AVD-KSV-0002\",\n\t\"title\": \"Default AppArmor
    profile not set\",\n\t\"short_code\": \"use-default-apparmor-profile\",\n\t\"version\":
    \"v1.0.0\",\n\t\"severity\": \"MEDIUM\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
    \"A program inside the container can bypass AppArmor protection policies.\",\n\t\"recommended_actions\":
    \"Remove 'container.apparmor.security.beta.kubernetes.io' annotation or set it
    to 'runtime/default'.\",\n\t\"url\": \"https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\napparmor_keys[container]
    = key {\n\tcontainer := kubernetes.containers[_].name\n\tkey := sprintf(\"%s/%s\",
    [\"container.apparmor.security.beta.kubernetes.io\", container])\n}\n\ncustom_apparmor_containers[container]
    {\n\tkey := apparmor_keys[container]\n\tannotations := kubernetes.annotations[_]\n\tval
    := annotations[key]\n\tval != \"runtime/default\"\n}\n\ndeny[res] {\n\tcontainer
    := custom_apparmor_containers[_]\n\n\tmsg := kubernetes.format(sprintf(\"Container
    '%s' of %s '%s' should specify an AppArmor profile\", [container, kubernetes.kind,
    kubernetes.name]))\n\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\":
    __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\":
    __rego_metadata__.type,\n\t}\n}\n"
  policy.7_selinux_custom_options_set.kinds: Workload
  policy.7_selinux_custom_options_set.rego: "package appshield.kubernetes.KSV025\n\nimport
    data.lib.kubernetes\nimport data.lib.utils\n\ndefault failSELinux = false\n\n__rego_metadata__
    := {\n\t\"id\": \"KSV025\",\n\t\"avd_id\": \"AVD-KSV-0025\",\n\t\"title\": \"SELinux
    custom options set\",\n\t\"short_code\": \"no-custom-selinux-options\",\n\t\"version\":
    \"v1.0.0\",\n\t\"severity\": \"MEDIUM\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
    \"Setting a custom SELinux user or role option should be forbidden.\",\n\t\"recommended_actions\":
    \"Do not set 'spec.securityContext.seLinuxOptions', spec.containers[*].securityContext.seLinuxOptions
    and spec.initContainers[*].securityContext.seLinuxOptions.\",\n\t\"url\": \"https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\nallowed_selinux_types
    := [\"container_t\", \"container_init_t\", \"container_kvm_t\"]\n\ngetAllSecurityContexts[context]
    {\n\tcontext := kubernetes.containers[_].securityContext\n}\n\ngetAllSecurityContexts[context]
    {\n\tcontext := kubernetes.pods[_].spec.securityContext\n}\n\nfailSELinuxType[type]
    {\n\tcontext := getAllSecurityContexts[_]\n\n\ttrace(context.seLinuxOptions.type)\n\tcontext.seLinuxOptions
    != null\n\tcontext.seLinuxOptions.type != null\n\n\tnot hasAllowedType(context.seLinuxOptions)\n\n\ttype
    := context.seLinuxOptions.type\n}\n\nfailForbiddenSELinuxProperties[key] {\n\tcontext
    := getAllSecurityContexts[_]\n\n\tcontext.seLinuxOptions != null\n\n\tforbiddenProps
    := getForbiddenSELinuxProperties(context)\n\tkey := forbiddenProps[_]\n}\n\ngetForbiddenSELinuxProperties(context)
    = keys {\n\tforbiddenProperties = [\"role\", \"user\"]\n\tkeys := {msg |\n\t\tkey
    := forbiddenProperties[_]\n\t\tutils.has_key(context.seLinuxOptions, key)\n\t\tmsg
    := sprintf(\"'%s'\", [key])\n\t}\n}\n\nhasAllowedType(options) {\n\tallowed_selinux_types[_]
    == options.type\n}\n\ndeny[res] {\n\ttype := failSELinuxType[_]\n\n\tmsg := kubernetes.format(sprintf(\"%s
    '%s' uses invalid seLinux type '%s'\", [kubernetes.kind, kubernetes.name, type]))\n\n\tres
    := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n\ndeny[res]
    {\n\tkeys := failForbiddenSELinuxProperties\n\n\tcount(keys) > 0\n\n\tmsg := kubernetes.format(sprintf(\"%s
    '%s' uses restricted properties in seLinuxOptions: (%s)\", [kubernetes.kind, kubernetes.name,
    concat(\", \", keys)]))\n\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\":
    __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\":
    __rego_metadata__.type,\n\t}\n}\n"
  policy.8_non_default_proc_masks_set.kinds: Workload
  policy.8_non_default_proc_masks_set.rego: "package appshield.kubernetes.KSV027\n\nimport
    data.lib.kubernetes\nimport data.lib.utils\n\ndefault failProcMount = false\n\n__rego_metadata__
    := {\n\t\"id\": \"KSV027\",\n\t\"avd_id\": \"AVD-KSV-0027\",\n\t\"title\": \"Non-default
    /proc masks set\",\n\t\"short_code\": \"no-custom-proc-mask\",\n\t\"version\":
    \"v1.0.0\",\n\t\"severity\": \"MEDIUM\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
    \"The default /proc masks are set up to reduce attack surface, and should be required.\",\n\t\"recommended_actions\":
    \"Do not set spec.containers[*].securityContext.procMount and spec.initContainers[*].securityContext.procMount.\",\n\t\"url\":
    \"https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    failProcMountOpts is true if securityContext.procMount is set in any container\nfailProcMountOpts
    {\n\tallContainers := kubernetes.containers[_]\n\tutils.has_key(allContainers.securityContext,
    \"procMount\")\n}\n\ndeny[res] {\n\tfailProcMountOpts\n\n\tmsg := kubernetes.format(sprintf(\"%s
    '%s' should not set 'spec.containers[*].securityContext.procMount' or 'spec.initContainers[*].securityContext.procMount'\",
    [kubernetes.kind, kubernetes.name]))\n\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\":
    __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
  policy.9_unsafe_sysctl_options_set.kinds: Workload
  policy.9_unsafe_sysctl_options_set.rego: "package appshield.kubernetes.KSV026\n\nimport
    data.lib.kubernetes\nimport data.lib.utils\n\ndefault failSysctls = false\n\n__rego_metadata__
    := {\n\t\"id\": \"KSV026\",\n\t\"avd_id\": \"AVD-KSV-0026\",\n\t\"title\": \"Unsafe
    sysctl options set\",\n\t\"short_code\": \"no-unsafe-sysctl\",\n\t\"version\":
    \"v1.0.0\",\n\t\"severity\": \"MEDIUM\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
    \"Sysctls can disable security mechanisms or affect all containers on a host,
    and should be disallowed except for an allowed 'safe' subset. A sysctl is considered
    safe if it is namespaced in the container or the Pod, and it is isolated from
    other Pods or processes on the same Node.\",\n\t\"recommended_actions\": \"Do
    not set 'spec.securityContext.sysctls' or set to values in an allowed subset\",\n\t\"url\":
    \"https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    Add allowed sysctls\nallowed_sysctls = {\n\t\"kernel.shm_rmid_forced\",\n\t\"net.ipv4.ip_local_port_range\",\n\t\"net.ipv4.tcp_syncookies\",\n\t\"net.ipv4.ping_group_range\",\n}\n\n#
    failSysctls is true if a disallowed sysctl is set\nfailSysctls {\n\tpod := kubernetes.pods[_]\n\tset_sysctls
    := {sysctl | sysctl := pod.spec.securityContext.sysctls[_].name}\n\tsysctls_not_allowed
    := set_sysctls - allowed_sysctls\n\tcount(sysctls_not_allowed) > 0\n}\n\ndeny[res]
    {\n\tfailSysctls\n\n\tmsg := kubernetes.format(sprintf(\"%s '%s' should set 'securityContext.sysctl'
    to the allowed values\", [kubernetes.kind, kubernetes.name]))\n\n\tres := {\n\t\t\"msg\":
    msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
  policy.CPU_not_limited.kinds: Workload
  policy.CPU_not_limited.rego: "package appshield.kubernetes.KSV011\n\nimport data.lib.kubernetes\nimport
    data.lib.utils\n\ndefault failLimitsCPU = false\n\n__rego_metadata__ := {\n\t\"id\":
    \"KSV011\",\n\t\"avd_id\": \"AVD-KSV-0011\",\n\t\"title\": \"CPU not limited\",\n\t\"short_code\":
    \"limit-cpu\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"LOW\",\n\t\"type\":
    \"Kubernetes Security Check\",\n\t\"description\": \"Enforcing CPU limits prevents
    DoS via resource exhaustion.\",\n\t\"recommended_actions\": \"Set a limit value
    under 'containers[].resources.limits.cpu'.\",\n\t\"url\": \"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    getLimitsCPUContainers returns all containers which have set resources.limits.cpu\ngetLimitsCPUContainers[container]
    {\n\tallContainers := kubernetes.containers[_]\n\tutils.has_key(allContainers.resources.limits,
    \"cpu\")\n\tcontainer := allContainers.name\n}\n\n# getNoLimitsCPUContainers returns
    all containers which have not set\n# resources.limits.cpu\ngetNoLimitsCPUContainers[container]
    {\n\tcontainer := kubernetes.containers[_].name\n\tnot getLimitsCPUContainers[container]\n}\n\n#
    failLimitsCPU is true if containers[].resources.limits.cpu is not set\n# for ANY
    container\nfailLimitsCPU {\n\tcount(getNoLimitsCPUContainers) > 0\n}\n\ndeny[res]
    {\n\tfailLimitsCPU\n\n\tmsg := kubernetes.format(sprintf(\"Container '%s' of %s
    '%s' should set 'resources.limits.cpu'\", [getNoLimitsCPUContainers[_], kubernetes.kind,
    kubernetes.name]))\n\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\":
    __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\":
    __rego_metadata__.type,\n\t}\n}\n"
  policy.CPU_requests_not_specified.kinds: Workload
  policy.CPU_requests_not_specified.rego: "package appshield.kubernetes.KSV015\n\nimport
    data.lib.kubernetes\nimport data.lib.utils\n\ndefault failRequestsCPU = false\n\n__rego_metadata__
    := {\n\t\"id\": \"KSV015\",\n\t\"avd_id\": \"AVD-KSV-0015\",\n\t\"title\": \"CPU
    requests not specified\",\n\t\"short_code\": \"no-unspecified-cpu-requests\",\n\t\"version\":
    \"v1.0.0\",\n\t\"severity\": \"LOW\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
    \"When containers have resource requests specified, the scheduler can make better
    decisions about which nodes to place pods on, and how to deal with resource contention.\",\n\t\"recommended_actions\":
    \"Set 'containers[].resources.requests.cpu'.\",\n\t\"url\": \"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    getRequestsCPUContainers returns all containers which have set resources.requests.cpu\ngetRequestsCPUContainers[container]
    {\n\tallContainers := kubernetes.containers[_]\n\tutils.has_key(allContainers.resources.requests,
    \"cpu\")\n\tcontainer := allContainers.name\n}\n\n# getNoRequestsCPUContainers
    returns all containers which have not set\n# resources.requests.cpu\ngetNoRequestsCPUContainers[container]
    {\n\tcontainer := kubernetes.containers[_].name\n\tnot getRequestsCPUContainers[container]\n}\n\n#
    failRequestsCPU is true if containers[].resources.requests.cpu is not set\n# for
    ANY container\nfailRequestsCPU {\n\tcount(getNoRequestsCPUContainers) > 0\n}\n\ndeny[res]
    {\n\tfailRequestsCPU\n\n\tmsg := kubernetes.format(sprintf(\"Container '%s' of
    %s '%s' should set 'resources.requests.cpu'\", [getNoRequestsCPUContainers[_],
    kubernetes.kind, kubernetes.name]))\n\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\":
    __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
  policy.SYS_ADMIN_capability.kinds: Workload
  policy.SYS_ADMIN_capability.rego: "package appshield.kubernetes.KSV005\n\nimport
    data.lib.kubernetes\n\ndefault failCapsSysAdmin = false\n\n__rego_metadata__ :=
    {\n\t\"id\": \"KSV005\",\n\t\"avd_id\": \"AVD-KSV-0005\",\n\t\"title\": \"SYS_ADMIN
    capability added\",\n\t\"short_code\": \"no-sysadmin-capability\",\n\t\"version\":
    \"v1.0.0\",\n\t\"severity\": \"HIGH\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
    \"SYS_ADMIN gives the processes running inside the container privileges that are
    equivalent to root.\",\n\t\"recommended_actions\": \"Remove the SYS_ADMIN capability
    from 'containers[].securityContext.capabilities.add'.\",\n\t\"url\": \"https://kubesec.io/basics/containers-securitycontext-capabilities-add-index-sys-admin/\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    getCapsSysAdmin returns the names of all containers which include\n# 'SYS_ADMIN'
    in securityContext.capabilities.add.\ngetCapsSysAdmin[container] {\n\tallContainers
    := kubernetes.containers[_]\n\tallContainers.securityContext.capabilities.add[_]
    == \"SYS_ADMIN\"\n\tcontainer := allContainers.name\n}\n\n# failCapsSysAdmin is
    true if securityContext.capabilities.add\n# includes 'SYS_ADMIN'.\nfailCapsSysAdmin
    {\n\tcount(getCapsSysAdmin) > 0\n}\n\ndeny[res] {\n\tfailCapsSysAdmin\n\n\tmsg
    := kubernetes.format(sprintf(\"Container '%s' of %s '%s' should not include 'SYS_ADMIN'
    in 'securityContext.capabilities.add'\", [getCapsSysAdmin[_], kubernetes.kind,
    kubernetes.name]))\n\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\":
    __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\":
    __rego_metadata__.type,\n\t}\n}\n"
  policy.capabilities_no_drop_all.kinds: Workload
  policy.capabilities_no_drop_all.rego: "package appshield.kubernetes.KSV003\n\nimport
    data.lib.kubernetes\n\ndefault checkCapsDropAll = false\n\n__rego_metadata__ :=
    {\n\t\"id\": \"KSV003\",\n\t\"avd_id\": \"AVD-KSV-0003\",\n\t\"title\": \"Default
    capabilities not dropped\",\n\t\"short_code\": \"drop-default-capabilities\",\n\t\"version\":
    \"v1.0.0\",\n\t\"severity\": \"LOW\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
    \"The container should drop all default capabilities and add only those that are
    needed for its execution.\",\n\t\"recommended_actions\": \"Add 'ALL' to containers[].securityContext.capabilities.drop.\",\n\t\"url\":
    \"https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    Get all containers which include 'ALL' in security.capabilities.drop\ngetCapsDropAllContainers[container]
    {\n\tallContainers := kubernetes.containers[_]\n\tallContainers.securityContext.capabilities.drop[_]
    == \"ALL\"\n\tcontainer := allContainers.name\n}\n\n# Get all containers which
    don't include 'ALL' in security.capabilities.drop\ngetCapsNoDropAllContainers[container]
    {\n\tcontainer := kubernetes.containers[_].name\n\tnot getCapsDropAllContainers[container]\n}\n\n#
    checkCapsDropAll is true if capabilities drop does not include 'ALL',\n# or if
    capabilities drop is not specified at all.\ncheckCapsDropAll {\n\tcount(getCapsNoDropAllContainers)
    > 0\n}\n\ndeny[res] {\n\tcheckCapsDropAll\n\n\tmsg := kubernetes.format(sprintf(\"Container
    '%s' of %s '%s' should add 'ALL' to 'securityContext.capabilities.drop'\", [getCapsNoDropAllContainers[_],
    kubernetes.kind, kubernetes.name]))\n\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\":
    __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
  policy.capabilities_no_drop_at_least_one.kinds: Workload
  policy.capabilities_no_drop_at_least_one.rego: "package appshield.kubernetes.KSV004\n\nimport
    data.lib.kubernetes\nimport data.lib.utils\n\ndefault failCapsDropAny = false\n\n__rego_metadata__
    := {\n\t\"id\": \"KSV004\",\n\t\"avd_id\": \"AVD-KSV-0004\",\n\t\"title\": \"Unused
    capabilities should be dropped (drop any)\",\n\t\"short_code\": \"drop-unused-capabilities\",\n\t\"version\":
    \"v0.0.0\",\n\t\"severity\": \"LOW\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
    \"Security best practices require containers to run with minimal required capabilities.\",\n\t\"recommended_actions\":
    \"Specify at least one unneeded capability in 'containers[].securityContext.capabilities.drop'\",\n\t\"url\":
    \"https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    getCapsDropAnyContainers returns names of all containers\n# which set securityContext.capabilities.drop\ngetCapsDropAnyContainers[container]
    {\n\tallContainers := kubernetes.containers[_]\n\tutils.has_key(allContainers.securityContext.capabilities,
    \"drop\")\n\tcontainer := allContainers.name\n}\n\n# getNoCapsDropContainers returns
    names of all containers which\n# do not set securityContext.capabilities.drop\ngetNoCapsDropContainers[container]
    {\n\tcontainer := kubernetes.containers[_].name\n\tnot getCapsDropAnyContainers[container]\n}\n\n#
    failCapsDropAny is true if ANY container does not\n# set securityContext.capabilities.drop\nfailCapsDropAny
    {\n\tcount(getNoCapsDropContainers) > 0\n}\n\ndeny[res] {\n\tfailCapsDropAny\n\n\tmsg
    := kubernetes.format(sprintf(\"Container '%s' of '%s' '%s' in '%s' namespace should
    set securityContext.capabilities.drop\", [getNoCapsDropContainers[_], lower(kubernetes.kind),
    kubernetes.name, kubernetes.namespace]))\n\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\":
    __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
  policy.file_system_not_read_only.kinds: Workload
  policy.file_system_not_read_only.rego: "package appshield.kubernetes.KSV014\n\nimport
    data.lib.kubernetes\n\ndefault failReadOnlyRootFilesystem = false\n\n__rego_metadata__
    := {\n\t\"id\": \"KSV014\",\n\t\"avd_id\": \"AVD-KSV-0014\",\n\t\"title\": \"Root
    file system is not read-only\",\n\t\"short_code\": \"use-readonly-filesystem\",\n\t\"version\":
    \"v1.0.0\",\n\t\"severity\": \"LOW\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
    \"An immutable root file system prevents applications from writing to their local
    disk. This can limit intrusions, as attackers will not be able to tamper with
    the file system or write foreign executables to disk.\",\n\t\"recommended_actions\":
    \"Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.\",\n\t\"url\":
    \"https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    getReadOnlyRootFilesystemContainers returns all containers that have\n# securityContext.readOnlyFilesystem
    set to true.\ngetReadOnlyRootFilesystemContainers[container] {\n\tallContainers
    := kubernetes.containers[_]\n\tallContainers.securityContext.readOnlyRootFilesystem
    == true\n\tcontainer := allContainers.name\n}\n\n# getNotReadOnlyRootFilesystemContainers
    returns all containers that have\n# securityContext.readOnlyRootFilesystem set
    to false or not set at all.\ngetNotReadOnlyRootFilesystemContainers[container]
    {\n\tcontainer := kubernetes.containers[_].name\n\tnot getReadOnlyRootFilesystemContainers[container]\n}\n\n#
    failReadOnlyRootFilesystem is true if ANY container sets\n# securityContext.readOnlyRootFilesystem
    set to false or not set at all.\nfailReadOnlyRootFilesystem {\n\tcount(getNotReadOnlyRootFilesystemContainers)
    > 0\n}\n\ndeny[res] {\n\tfailReadOnlyRootFilesystem\n\n\tmsg := kubernetes.format(sprintf(\"Container
    '%s' of %s '%s' should set 'securityContext.readOnlyRootFilesystem' to true\",
    [getNotReadOnlyRootFilesystemContainers[_], kubernetes.kind, kubernetes.name]))\n\n\tres
    := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
  policy.manages_etc_hosts.kinds: Workload
  policy.manages_etc_hosts.rego: "package appshield.kubernetes.KSV007\n\nimport data.lib.kubernetes\nimport
    data.lib.utils\n\ndefault failHostAliases = false\n\n__rego_metadata__ := {\n\t\"id\":
    \"KSV007\",\n\t\"avd_id\": \"AVD-KSV-0007\",\n\t\"title\": \"hostAliases is set\",\n\t\"short_code\":
    \"no-hostaliases\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"LOW\",\n\t\"type\":
    \"Kubernetes Security Check\",\n\t\"description\": \"Managing /etc/hosts aliases
    can prevent the container engine from modifying the file after a pod’s containers
    have already been started.\",\n\t\"recommended_actions\": \"Do not set 'spec.template.spec.hostAliases'.\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    failHostAliases is true if spec.hostAliases is set (on all controllers)\nfailHostAliases
    {\n\tutils.has_key(kubernetes.host_aliases[_], \"hostAliases\")\n}\n\ndeny[res]
    {\n\tfailHostAliases\n\n\tmsg := kubernetes.format(sprintf(\"'%s' '%s' in '%s'
    namespace should not set spec.template.spec.hostAliases\", [lower(kubernetes.kind),
    kubernetes.name, kubernetes.namespace]))\n\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\":
    __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
  policy.memory_not_limited.kinds: Workload
  policy.memory_not_limited.rego: "package appshield.kubernetes.KSV018\n\nimport data.lib.kubernetes\nimport
    data.lib.utils\n\ndefault failLimitsMemory = false\n\n__rego_metadata__ := {\n\t\"id\":
    \"KSV018\",\n\t\"avd_id\": \"AVD-KSV-0018\",\n\t\"title\": \"Memory not limited\",\n\t\"short_code\":
    \"limit-memory\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"LOW\",\n\t\"type\":
    \"Kubernetes Security Check\",\n\t\"description\": \"Enforcing memory limits prevents
    DoS via resource exhaustion.\",\n\t\"recommended_actions\": \"Set a limit value
    under 'containers[].resources.limits.memory'.\",\n\t\"url\": \"https://kubesec.io/basics/containers-resources-limits-memory/\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    getLimitsMemoryContainers returns all containers which have set resources.limits.memory\ngetLimitsMemoryContainers[container]
    {\n\tallContainers := kubernetes.containers[_]\n\tutils.has_key(allContainers.resources.limits,
    \"memory\")\n\tcontainer := allContainers.name\n}\n\n# getNoLimitsMemoryContainers
    returns all containers which have not set\n# resources.limits.memory\ngetNoLimitsMemoryContainers[container]
    {\n\tcontainer := kubernetes.containers[_].name\n\tnot getLimitsMemoryContainers[container]\n}\n\n#
    failLimitsMemory is true if containers[].resources.limits.memory is not set\n#
    for ANY container\nfailLimitsMemory {\n\tcount(getNoLimitsMemoryContainers) >
    0\n}\n\ndeny[res] {\n\tfailLimitsMemory\n\n\tmsg := kubernetes.format(sprintf(\"Container
    '%s' of %s '%s' should set 'resources.limits.memory'\", [getNoLimitsMemoryContainers[_],
    kubernetes.kind, kubernetes.name]))\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\":
    __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
  policy.memory_requests_not_specified.kinds: Workload
  policy.memory_requests_not_specified.rego: "package appshield.kubernetes.KSV016\n\nimport
    data.lib.kubernetes\nimport data.lib.utils\n\ndefault failRequestsMemory = false\n\n__rego_metadata__
    := {\n\t\"id\": \"KSV016\",\n\t\"avd_id\": \"AVD-KSV-0016\",\n\t\"title\": \"Memory
    requests not specified\",\n\t\"short_code\": \"no-unspecified-memory-requests\",\n\t\"version\":
    \"v1.0.0\",\n\t\"severity\": \"LOW\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
    \"When containers have memory requests specified, the scheduler can make better
    decisions about which nodes to place pods on, and how to deal with resource contention.\",\n\t\"recommended_actions\":
    \"Set 'containers[].resources.requests.memory'.\",\n\t\"url\": \"https://kubesec.io/basics/containers-resources-limits-memory/\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    getRequestsMemoryContainers returns all containers which have set resources.requests.memory\ngetRequestsMemoryContainers[container]
    {\n\tallContainers := kubernetes.containers[_]\n\tutils.has_key(allContainers.resources.requests,
    \"memory\")\n\tcontainer := allContainers.name\n}\n\n# getNoRequestsMemoryContainers
    returns all containers which have not set\n# resources.requests.memory\ngetNoRequestsMemoryContainers[container]
    {\n\tcontainer := kubernetes.containers[_].name\n\tnot getRequestsMemoryContainers[container]\n}\n\n#
    failRequestsMemory is true if containers[].resources.requests.memory is not set\n#
    for ANY container\nfailRequestsMemory {\n\tcount(getNoRequestsMemoryContainers)
    > 0\n}\n\ndeny[res] {\n\tfailRequestsMemory\n\n\tmsg := kubernetes.format(sprintf(\"Container
    '%s' of %s '%s' should set 'resources.requests.memory'\", [getNoRequestsMemoryContainers[_],
    kubernetes.kind, kubernetes.name]))\n\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\":
    __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
  policy.mounts_docker_socket.kinds: Workload
  policy.mounts_docker_socket.rego: "package appshield.kubernetes.KSV006\n\nimport
    data.lib.kubernetes\n\nname = input.metadata.name\n\ndefault checkDockerSocket
    = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV006\",\n\t\"avd_id\": \"AVD-KSV-0006\",\n\t\"title\":
    \"hostPath volume mounted with docker.sock\",\n\t\"short_code\": \"no-docker-sock-mount\",\n\t\"version\":
    \"v1.0.0\",\n\t\"severity\": \"HIGH\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
    \"Mounting docker.sock from the host can give the container full root access to
    the host.\",\n\t\"recommended_actions\": \"Do not specify /var/run/docker.socket
    in 'spec.template.volumes.hostPath.path'.\",\n\t\"url\": \"https://kubesec.io/basics/spec-volumes-hostpath-path-var-run-docker-sock/\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    checkDockerSocket is true if volumes.hostPath.path is set to /var/run/docker.sock\n#
    and is false if volumes.hostPath is set to some other path or not set.\ncheckDockerSocket
    {\n\tvolumes := kubernetes.volumes\n\tvolumes[_].hostPath.path == \"/var/run/docker.sock\"\n}\n\ndeny[res]
    {\n\tcheckDockerSocket\n\n\tmsg := kubernetes.format(sprintf(\"%s '%s' should
    not specify '/var/run/docker.socker' in 'spec.template.volumes.hostPath.path'\",
    [kubernetes.kind, kubernetes.name]))\n\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\":
    __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
  policy.protect_core_components_namespace.kinds: Workload
  policy.protect_core_components_namespace.rego: "package appshield.kubernetes.KSV037\n\nimport
    data.lib.kubernetes\nimport data.lib.utils\n\n__rego_metadata__ := {\n\t\"id\":
    \"KSV037\",\n\t\"avd_id\": \"AVD-KSV-0037\",\n\t\"title\": \"User Pods should
    not be placed in kube-system namespace\",\n\t\"short_code\": \"no-user-pods-in-system-namespace\",\n\t\"version\":
    \"v1.0.0\",\n\t\"severity\": \"MEDIUM\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
    \"ensure that User pods are not placed in kube-system namespace\",\n\t\"recommended_actions\":
    \"Deploy the use pods into a designated namespace which is not kube-system.\",\n\t\"url\":
    \"https://kubernetes.io/docs/reference/setup-tools/kubeadm/implementation-details/\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\ndeny[res]
    {\n\tsystemNamespaceInUse(input.metadata, input.spec)\n\tmsg := sprintf(\"%s '%s'
    should not be set with 'kube-system' namespace\", [kubernetes.kind, kubernetes.name])\n\tres
    := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n\nsystemNamespaceInUse(metadata,
    spec) {\n\tkubernetes.namespace == \"kube-system\"\n\tnot core_component(metadata,
    spec)\n}\n\ncore_component(metadata, spec) {\n\tkubernetes.has_field(metadata.labels,
    \"tier\")\n\tmetadata.labels.tier == \"control-plane\"\n\tkubernetes.has_field(spec,
    \"priorityClassName\")\n\tspec.priorityClassName == \"system-node-critical\"\n\tkubernetes.has_field(metadata.labels,
    \"component\")\n\tcoreComponentLabels := [\"kube-apiserver\", \"etcd\", \"kube-controller-manager\",
    \"kube-scheduler\"]\n\tmetadata.labels.component = coreComponentLabels[_]\n}\n"
  policy.protecting_pod_service_account_tokens.kinds: Workload
  policy.protecting_pod_service_account_tokens.rego: "package appshield.kubernetes.KSV036\n\nimport
    data.lib.kubernetes\nimport data.lib.utils\n\n__rego_metadata__ := {\n\t\"id\":
    \"KSV036\",\n\t\"avd_id\": \"AVD-KSV-0036\",\n\t\"title\": \"Protecting Pod service
    account tokens\",\n\t\"short_code\": \"no-auto-mount-service-token\",\n\t\"version\":
    \"v1.0.0\",\n\t\"severity\": \"MEDIUM\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
    \"ensure that Pod specifications disable the secret token being mounted by setting
    automountServiceAccountToken: false\",\n\t\"recommended_actions\": \"Remove 'container.apparmor.security.beta.kubernetes.io'
    annotation or set it to 'runtime/default'.\",\n\t\"url\": \"https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#serviceaccount-admission-controller\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\ndeny[res]
    {\n\tmountServiceAccountToken(input.spec)\n\tmsg := kubernetes.format(sprintf(\"Container
    of %s '%s' should set 'spec.automountServiceAccountToken' to false\", [kubernetes.kind,
    kubernetes.name]))\n\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\":
    __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\":
    __rego_metadata__.type,\n\t}\n}\n\nmountServiceAccountToken(spec) {\n\thas_key(spec,
    \"automountServiceAccountToken\")\n\tspec.automountServiceAccountToken == true\n}\n\n#
    if there is no automountServiceAccountToken spec, check on volumeMount in containers.
    Service Account token is mounted on /var/run/secrets/kubernetes.io/serviceaccount\nmountServiceAccountToken(spec)
    {\n\tnot has_key(spec, \"automountServiceAccountToken\")\n\t\"/var/run/secrets/kubernetes.io/serviceaccount\"
    == kubernetes.containers[_].volumeMounts[_].mountPath\n}\n\nhas_key(x, k) {\n\t_
    = x[k]\n}\n"
  policy.runs_with_GID_le_10000.kinds: Workload
  policy.runs_with_GID_le_10000.rego: "package appshield.kubernetes.KSV021\n\nimport
    data.lib.kubernetes\nimport data.lib.utils\n\ndefault failRunAsGroup = false\n\n__rego_metadata__
    := {\n\t\"id\": \"KSV021\",\n\t\"avd_id\": \"AVD-KSV-0021\",\n\t\"title\": \"Runs
    with low group ID\",\n\t\"short_code\": \"use-high-gid\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\":
    \"MEDIUM\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\": \"Force
    the container to run with group ID > 10000 to avoid conflicts with the host’s
    user table.\",\n\t\"recommended_actions\": \"Set 'containers[].securityContext.runAsGroup'
    to an integer > 10000.\",\n\t\"url\": \"https://kubesec.io/basics/containers-securitycontext-runasuser/\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    getGroupIdContainers returns the names of all containers which have\n# securityContext.runAsGroup
    less than or equal to 10000.\ngetGroupIdContainers[container] {\n\tallContainers
    := kubernetes.containers[_]\n\tallContainers.securityContext.runAsGroup <= 10000\n\tcontainer
    := allContainers.name\n}\n\n# getGroupIdContainers returns the names of all containers
    which do\n# not have securityContext.runAsGroup set.\ngetGroupIdContainers[container]
    {\n\tallContainers := kubernetes.containers[_]\n\tnot utils.has_key(allContainers.securityContext,
    \"runAsGroup\")\n\tcontainer := allContainers.name\n}\n\n# getGroupIdContainers
    returns the names of all containers which do\n# not have securityContext set.\ngetGroupIdContainers[container]
    {\n\tallContainers := kubernetes.containers[_]\n\tnot utils.has_key(allContainers,
    \"securityContext\")\n\tcontainer := allContainers.name\n}\n\n# failRunAsGroup
    is true if securityContext.runAsGroup is less than or\n# equal to 10000 or if
    securityContext.runAsGroup is not set.\nfailRunAsGroup {\n\tcount(getGroupIdContainers)
    > 0\n}\n\ndeny[res] {\n\tfailRunAsGroup\n\n\tmsg := kubernetes.format(sprintf(\"Container
    '%s' of %s '%s' should set 'securityContext.runAsGroup' > 10000\", [getGroupIdContainers[_],
    kubernetes.kind, kubernetes.name]))\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\":
    __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
  policy.runs_with_UID_le_10000.kinds: Workload
  policy.runs_with_UID_le_10000.rego: "package appshield.kubernetes.KSV020\n\nimport
    data.lib.kubernetes\nimport data.lib.utils\n\ndefault failRunAsUser = false\n\n__rego_metadata__
    := {\n\t\"id\": \"KSV020\",\n\t\"avd_id\": \"AVD-KSV-0020\",\n\t\"title\": \"Runs
    with low user ID\",\n\t\"short_code\": \"use-high-uid\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\":
    \"MEDIUM\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\": \"Force
    the container to run with user ID > 10000 to avoid conflicts with the host’s user
    table.\",\n\t\"recommended_actions\": \"Set 'containers[].securityContext.runAsUser'
    to an integer > 10000.\",\n\t\"url\": \"https://kubesec.io/basics/containers-securitycontext-runasuser/\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    getUserIdContainers returns the names of all containers which have\n# securityContext.runAsUser
    less than or equal to 100000.\ngetUserIdContainers[container] {\n\tallContainers
    := kubernetes.containers[_]\n\tallContainers.securityContext.runAsUser <= 10000\n\tcontainer
    := allContainers.name\n}\n\n# getUserIdContainers returns the names of all containers
    which do\n# not have securityContext.runAsUser set.\ngetUserIdContainers[container]
    {\n\tallContainers := kubernetes.containers[_]\n\tnot utils.has_key(allContainers.securityContext,
    \"runAsUser\")\n\tcontainer := allContainers.name\n}\n\n# getUserIdContainers
    returns the names of all containers which do\n# not have securityContext set.\ngetUserIdContainers[container]
    {\n\tallContainers := kubernetes.containers[_]\n\tnot utils.has_key(allContainers,
    \"securityContext\")\n\tcontainer := allContainers.name\n}\n\n# failRunAsUser
    is true if securityContext.runAsUser is less than or\n# equal to 10000 or if securityContext.runAsUser
    is not set.\nfailRunAsUser {\n\tcount(getUserIdContainers) > 0\n}\n\ndeny[res]
    {\n\tfailRunAsUser\n\n\tmsg := kubernetes.format(sprintf(\"Container '%s' of %s
    '%s' should set 'securityContext.runAsUser' > 10000\", [getUserIdContainers[_],
    kubernetes.kind, kubernetes.name]))\n\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\":
    __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
  policy.selector_usage_in_network_policies.kinds: NetworkPolicy
  policy.selector_usage_in_network_policies.rego: "package appshield.kubernetes.KSV038\n\nimport
    data.lib.kubernetes\nimport data.lib.utils\n\n__rego_metadata__ := {\n\t\"id\":
    \"KSV038\",\n\t\"avd_id\": \"AVD-KSV-0038\",\n\t\"title\": \"Selector usage in
    network policies\",\n\t\"short_code\": \"selector-usage-in-network-policies\",\n\t\"version\":
    \"v1.0.0\",\n\t\"severity\": \"MEDIUM\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
    \"ensure that network policies selectors are applied to pods or namespaces to
    restricted ingress and egress traffic within the pod network\",\n\t\"recommended_actions\":
    \"create network policies and ensure that pods are selected using the podSelector
    and/or the namespaceSelector options\",\n\t\"url\": \"https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\ndeny[res]
    {\n\tnot hasSelector(input.spec)\n\tmsg := \"Network policy should uses podSelector
    and/or the namespaceSelector to restrict ingress and egress traffic within the
    Pod network\"\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\":
    __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\":
    __rego_metadata__.type,\n\t}\n}\n\nhasSelector(spec) {\n\tlower(kubernetes.kind)
    == \"networkpolicy\"\n\tkubernetes.has_field(spec, \"podSelector\")\n\tkubernetes.has_field(spec.podSelector,
    \"matchLabels\")\n}\n\nhasSelector(spec) {\n\tlower(kubernetes.kind) == \"networkpolicy\"\n\tkubernetes.has_field(spec,
    \"namespaceSelector\")\n}\n\nhasSelector(spec) {\n\tlower(kubernetes.kind) ==
    \"networkpolicy\"\n\tkubernetes.has_field(spec, \"podSelector\")\n}\n\nhasSelector(spec)
    {\n\tlower(kubernetes.kind) == \"networkpolicy\"\n\tkubernetes.has_field(spec,
    \"ingress\")\n\tkubernetes.has_field(spec.ingress[_], \"from\")\n\tkubernetes.has_field(spec.ingress[_].from[_],
    \"namespaceSelector\")\n}\n\nhasSelector(spec) {\n\tlower(kubernetes.kind) ==
    \"networkpolicy\"\n\tkubernetes.has_field(spec, \"ingress\")\n\tkubernetes.has_field(spec.ingress[_],
    \"from\")\n\tkubernetes.has_field(spec.ingress[_].from[_], \"podSelector\")\n}\n\nhasSelector(spec)
    {\n\tlower(kubernetes.kind) == \"networkpolicy\"\n\tkubernetes.has_field(spec,
    \"egress\")\n\tkubernetes.has_field(spec.egress[_], \"to\")\n\tkubernetes.has_field(spec.egress[_].to[_],
    \"podSelector\")\n}\n\nhasSelector(spec) {\n\tlower(kubernetes.kind) == \"networkpolicy\"\n\tkubernetes.has_field(spec,
    \"egress\")\n\tkubernetes.has_field(spec.egress[_], \"to\")\n\tkubernetes.has_field(spec.egress[_].to[_],
    \"namespaceSelector\")\n}\n\nhasSelector(spec) {\n\tlower(kubernetes.kind) ==
    \"networkpolicy\"\n\tkubernetes.spec.podSelector == {}\n\tcontains(input.spec.policyType,
    \"Egress\")\n}\n\nhasSelector(spec) {\n\tlower(kubernetes.kind) == \"networkpolicy\"\n\tkubernetes.spec.podSelector
    == {}\n\tcontains(input.spec.policyType, \"Ingress\")\n}\n\ncontains(arr, elem)
    {\n\tarr[_] = elem\n}\n"
  policy.tiller_is_deployed.kinds: Workload
  policy.tiller_is_deployed.rego: "package appshield.kubernetes.KSV202\n\nimport data.lib.kubernetes\n\n__rego_metadata__
    := {\n\t\"id\": \"KSV102\",\n\t\"avd_id\": \"AVD-KSV-0102\",\n\t\"title\": \"Tiller
    Is Deployed\",\n\t\"short_code\": \"no-tiller\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\":
    \"Critical\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
    \"Check if Helm Tiller component is deployed.\",\n\t\"recommended_actions\": \"Migrate
    to Helm v3 which no longer has Tiller component\",\n}\n\n__rego_input__ := {\n\t\"combine\":
    false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n# Get all containers
    and check kubernetes metadata for tiller\ntillerDeployed[container] {\n\tcurrentContainer
    := kubernetes.containers[_]\n\tcheckMetadata(input.metadata)\n\tcontainer := currentContainer.name\n}\n\n#
    Get all containers and check each image for tiller\ntillerDeployed[container]
    {\n\tcurrentContainer := kubernetes.containers[_]\n\tcontains(currentContainer.image,
    \"tiller\")\n\tcontainer := currentContainer.name\n}\n\n# Get all pods and check
    each metadata for tiller\ntillerDeployed[pod] {\n\tcurrentPod := kubernetes.pods[_]\n\tcheckMetadata(currentPod.metadata)\n\tpod
    := currentPod.metadata.name\n}\n\ndeny[res] {\n\tmsg := kubernetes.format(sprintf(\"container
    '%s' of %s '%s' in '%s' namespace shouldn't have tiller deployed\", [tillerDeployed[_],
    lower(kubernetes.kind), kubernetes.name, kubernetes.namespace]))\n\n\tres := {\n\t\t\"msg\":
    msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n\n#
    Check for tiller by resource name\ncheckMetadata(metadata) {\n\tcontains(metadata.name,
    \"tiller\")\n}\n\n# Check for tiller by app label\ncheckMetadata(metadata) {\n\tmetadata.labels.app
    == \"helm\"\n}\n\n# Check for tiller by name label\ncheckMetadata(metadata) {\n\tmetadata.labels.name
    == \"tiller\"\n}\n"
  policy.use_limit_range.kinds: LimitRange
  policy.use_limit_range.rego: "package appshield.kubernetes.KSV039\n\nimport data.lib.kubernetes\nimport
    data.lib.utils\n\n__rego_metadata__ := {\n\t\"id\": \"KSV039\",\n\t\"avd_id\":
    \"AVD-KSV-0039\",\n\t\"title\": \"limit range usage\",\n\t\"short_code\": \"limit-range-usage\",\n\t\"severity\":
    \"LOW\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\": \"ensure
    limit range policy has configure in order to limit resource usage for namespaces
    or nodes\",\n\t\"recommended_actions\": \"create limit range policy with a default
    request and limit, min and max request, for each container.\",\n\t\"url\": \"https://kubernetes.io/docs/concepts/policy/limit-range/\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\ndeny[res]
    {\n\tnot limitRangeConfigure\n\tmsg := \"limit range policy with a default request
    and limit, min and max request, for each container should be configure\"\n\tres
    := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n\nlimitRangeConfigure
    {\n\tlower(input.kind) == \"limitrange\"\n\tinput.spec[limits]\n\tkubernetes.has_field(input.spec.limits[_],
    \"type\")\n\tkubernetes.has_field(input.spec.limits[_], \"max\")\n\tkubernetes.has_field(input.spec.limits[_],
    \"min\")\n\tkubernetes.has_field(input.spec.limits[_], \"default\")\n\tkubernetes.has_field(input.spec.limits[_],
    \"defaultRequest\")\n}\n"
  policy.use_resource_quota.kinds: ResourceQuota
  policy.use_resource_quota.rego: "package appshield.kubernetes.KSV040\n\nimport data.lib.kubernetes\nimport
    data.lib.utils\n\n__rego_metadata__ := {\n\t\"id\": \"KSV040\",\n\t\"avd_id\":
    \"AVD-KSV-0040\",\n\t\"title\": \"resource quota usage\",\n\t\"short_code\": \"resource-quota-usage\",\n\t\"severity\":
    \"LOW\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\": \"ensure
    resource quota policy has configure in order to limit aggregate resource usage
    within namespace\",\n\t\"recommended_actions\": \"create resource quota policy
    with mem and cpu quota per each namespace\",\n\t\"url\": \"https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\ndeny[res]
    {\n\tnot resourceQuotaConfigure\n\tmsg := \"resource quota policy with hard memory
    and cpu quota per namespace should be configure\"\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\":
    __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n\nresourceQuotaConfigure
    {\n\tlower(input.kind) == \"resourcequota\"\n\tinput.spec[hard]\n\tkubernetes.has_field(input.spec.hard,
    \"requests.cpu\")\n\tkubernetes.has_field(input.spec.hard, \"requests.memory\")\n\tkubernetes.has_field(input.spec.hard,
    \"limits.cpu\")\n\tkubernetes.has_field(input.spec.hard, \"limits.memory\")\n}\n"
  policy.uses_image_tag_latest.kinds: Workload
  policy.uses_image_tag_latest.rego: "package appshield.kubernetes.KSV013\n\nimport
    data.lib.kubernetes\n\ndefault checkUsingLatestTag = false\n\n__rego_metadata__
    := {\n\t\"id\": \"KSV013\",\n\t\"avd_id\": \"AVD-KSV-0013\",\n\t\"title\": \"Image
    tag ':latest' used\",\n\t\"short_code\": \"use-specific-tags\",\n\t\"version\":
    \"v1.0.0\",\n\t\"severity\": \"LOW\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
    \"It is best to avoid using the ':latest' image tag when deploying containers
    in production. Doing so makes it hard to track which version of the image is running,
    and hard to roll back the version.\",\n\t\"recommended_actions\": \"Use a specific
    container image tag that is not 'latest'.\",\n\t\"url\": \"https://kubernetes.io/docs/concepts/configuration/overview/#container-images\",\n}\n\n__rego_input__
    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n#
    getTaggedContainers returns the names of all containers which\n# have tagged images.\ngetTaggedContainers[container]
    {\n\t# If the image defines a digest value, we don't care about the tag\n\tallContainers
    := kubernetes.containers[_]\n\tdigest := split(allContainers.image, \"@\")[1]\n\tcontainer
    := allContainers.name\n}\n\ngetTaggedContainers[container] {\n\t# No digest, look
    at tag\n\tallContainers := kubernetes.containers[_]\n\ttag := split(allContainers.image,
    \":\")[1]\n\ttag != \"latest\"\n\tcontainer := allContainers.name\n}\n\n# getUntaggedContainers
    returns the names of all containers which\n# have untagged images or images with
    the latest tag.\ngetUntaggedContainers[container] {\n\tcontainer := kubernetes.containers[_].name\n\tnot
    getTaggedContainers[container]\n}\n\n# checkUsingLatestTag is true if there is
    a container whose image tag\n# is untagged or uses the latest tag.\ncheckUsingLatestTag
    {\n\tcount(getUntaggedContainers) > 0\n}\n\ndeny[res] {\n\tcheckUsingLatestTag\n\n\tmsg
    := kubernetes.format(sprintf(\"Container '%s' of %s '%s' should specify an image
    tag\", [getUntaggedContainers[_], kubernetes.kind, kubernetes.name]))\n\n\tres
    := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
  policy.uses_untrusted_azure_registry.kinds: Workload
  policy.uses_untrusted_azure_registry.rego: "package appshield.kubernetes.KSV032\n\nimport
    data.lib.kubernetes\nimport data.lib.utils\n\ndefault failTrustedAzureRegistry
    = false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV032\",\n\t\"avd_id\": \"AVD-KSV-0032\",\n\t\"title\":
    \"All container images must start with the *.azurecr.io domain\",\n\t\"short_code\":
    \"use-azure-image-prefix\",\n\t\"version\": \"v1.0.0\",\n\t\"severity\": \"MEDIUM\",\n\t\"type\":
    \"Kubernetes Security Check\",\n\t\"description\": \"Containers should only use
    images from trusted registries.\",\n\t\"recommended_actions\": \"Use images from
    trusted Azure registries.\",\n}\n\n__rego_input__ := {\n\t\"combine\": false,\n\t\"selector\":
    [{\"type\": \"kubernetes\"}],\n}\n\n# getContainersWithTrustedAzureRegistry returns
    a list of containers\n# with image from a trusted Azure registry\ngetContainersWithTrustedAzureRegistry[name]
    {\n\tcontainer := kubernetes.containers[_]\n\timage := container.image\n\n\t#
    get image registry/repo parts\n\timage_parts := split(image, \"/\")\n\n\t# images
    with only one part do not specify a registry\n\tcount(image_parts) > 1\n\tregistry
    = image_parts[0]\n\tendswith(registry, \"azurecr.io\")\n\tname := container.name\n}\n\n#
    getContainersWithUntrustedAzureRegistry returns a list of containers\n# with image
    from an untrusted Azure registry\ngetContainersWithUntrustedAzureRegistry[name]
    {\n\tname := kubernetes.containers[_].name\n\tnot getContainersWithTrustedAzureRegistry[name]\n}\n\n#
    failTrustedAzureRegistry is true if a container uses an image from an\n# untrusted
    Azure registry\nfailTrustedAzureRegistry {\n\tcount(getContainersWithUntrustedAzureRegistry)
    > 0\n}\n\ndeny[res] {\n\tfailTrustedAzureRegistry\n\n\tmsg := kubernetes.format(sprintf(\"container
    %s of %s %s in %s namespace should restrict container image to your specific registry
    domain. For Azure any domain ending in 'azurecr.io'\", [getContainersWithUntrustedAzureRegistry[_],
    lower(kubernetes.kind), kubernetes.name, kubernetes.namespace]))\n\n\tres := {\n\t\t\"msg\":
    msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
    __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
  policy.uses_untrusted_gcr_registry.kinds: Workload
  policy.uses_untrusted_gcr_registry.rego: "package appshield.kubernetes.KSV033\n\nimport
    data.lib.kubernetes\nimport data.lib.utils\n\ndefault failTrustedGCRRegistry =
    false\n\n__rego_metadata__ := {\n\t\"id\": \"KSV033\",\n\t\"avd_id\": \"AVD-KSV-0033\",\n\t\"title\":
    \"All container images must start with a GCR domain\",\n\t\"short_code\": \"use-gcr-domain\",\n\t\"version\":
    \"v1.0.0\",\n\t\"severity\": \"MEDIUM\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
    \"Containers should only use images from trusted GCR registries.\",\n\t\"recommended_actions\":
    \"Use images from trusted GCR registries.\",\n}\n\n__rego_input__ := {\n\t\"combine\":
    false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\n# list of trusted
    GCR registries\ntrusted_gcr_registries = [\n\t\"gcr.io\",\n\t\"us.gcr.io\",\n\t\"eu.gcr.io\",\n\t\"asia.gcr.io\",\n]\n\n#
    getContainersWithTrustedGCRRegistry returns a list of containers\n# with image
    from a trusted gcr registry\ngetContainersWithTrustedGCRRegistry[name] {\n\tcontainer
    := kubernetes.containers[_]\n\timage := container.image\n\n\t# get image registry/repo
    parts\n\timage_parts := split(image, \"/\")\n\n\t# images with only one part do
    not specify a registry\n\tcount(image_parts) > 1\n\tregistry = image_parts[0]\n\ttrusted
    := trusted_gcr_registries[_]\n\tendswith(registry, trusted)\n\tname := container.name\n}\n\n#
    getContainersWithUntrustedGCRRegistry returns a list of containers\n# with image
    from an untrusted gcr registry\ngetContainersWithUntrustedGCRRegistry[name] {\n\tname
    := kubernetes.containers[_].name\n\tnot getContainersWithTrustedGCRRegistry[name]\n}\n\n#
    failTrustedGCRRegistry is true if a container uses an image from an\n# untrusted
    gcr registry\nfailTrustedGCRRegistry {\n\tcount(getContainersWithUntrustedGCRRegistry)
    > 0\n}\n\ndeny[res] {\n\tfailTrustedGCRRegistry\n\n\tmsg := kubernetes.format(sprintf(\"container
    %s of %s %s in %s namespace should restrict container image to your specific registry
    domain. See the full GCR list here: https://cloud.google.com/container-registry/docs/overview#registries\",
    [getContainersWithUntrustedGCRRegistry[_], lower(kubernetes.kind), kubernetes.name,
    kubernetes.namespace]))\n\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\":
    __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\":
    __rego_metadata__.type,\n\t}\n}\n"
---
apiVersion: v1
kind: Service
metadata:
  name: starboard-operator
  namespace: starboard-system
  labels:
    app.kubernetes.io/name: starboard-operator
    app.kubernetes.io/instance: starboard-operator
    app.kubernetes.io/version: "0.15.6"
    app.kubernetes.io/managed-by: kubectl
  annotations:
    prometheus.io/path: /metrics
    prometheus.io/scrape: "true"
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: metrics
      name: metrics
  selector:
    app.kubernetes.io/name: starboard-operator
    app.kubernetes.io/instance: starboard-operator
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: starboard-operator
  namespace: starboard-system
  labels:
    app.kubernetes.io/name: starboard-operator
    app.kubernetes.io/instance: starboard-operator
    app.kubernetes.io/version: "0.15.6"
    app.kubernetes.io/managed-by: kubectl
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: starboard-operator
      app.kubernetes.io/instance: starboard-operator
  template:
    metadata:
      labels:
        app.kubernetes.io/name: starboard-operator
        app.kubernetes.io/instance: starboard-operator
    spec:
      serviceAccountName: starboard-operator
      automountServiceAccountToken: true
      containers:
        - name: "starboard-operator"
          image: "docker.io/aquasec/starboard-operator:0.15.6"
          imagePullPolicy: IfNotPresent
          env:
            - name: OPERATOR_NAMESPACE
              value: "starboard-system"
            - name: OPERATOR_TARGET_NAMESPACES
              value: ""
            - name: OPERATOR_EXCLUDE_NAMESPACES
              value: "kube-system,starboard-system"
            - name: OPERATOR_SERVICE_ACCOUNT
              value: "starboard-operator"
            - name: OPERATOR_LOG_DEV_MODE
              value: "false"
            - name: OPERATOR_SCAN_JOB_TIMEOUT
              value: "5m"
            - name: OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT
              value: "10"
            - name: OPERATOR_SCAN_JOB_RETRY_AFTER
              value: "30s"
            - name: OPERATOR_BATCH_DELETE_LIMIT
              value: "10"
            - name: OPERATOR_BATCH_DELETE_DELAY
              value: "10s"
            - name: OPERATOR_METRICS_BIND_ADDRESS
              value: ":8080"
            - name: OPERATOR_HEALTH_PROBE_BIND_ADDRESS
              value: ":9090"
            - name: OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED
              value: "true"
            - name: OPERATOR_VULNERABILITY_SCANNER_ENABLED
              value: "true"
            - name: OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS
              value: "false"
            - name: OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL
              value: ""
            - name: OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED
              value: "false"
            - name: OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS
              value: "false"
            - name: OPERATOR_CONFIG_AUDIT_SCANNER_BUILTIN
              value: "true"
            - name: OPERATOR_CLUSTER_COMPLIANCE_ENABLED
              value: "true"
          ports:
            - name: metrics
              containerPort: 8080
            - name: probes
              containerPort: 9090
          readinessProbe:
            httpGet:
              path: /readyz/
              port: probes
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 3
          livenessProbe:
            httpGet:
              path: /healthz/
              port: probes
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 10
          resources:
            {}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            privileged: false
            readOnlyRootFilesystem: true
      securityContext:
        {}