fix(query): update terraform k8s workload host port specified query logic #7941

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

cx-artur-ribeiro wants to merge 10 commits into master from AST-129307-fix-tf-k8s-workload-hostport-query

+46 −45

.github/workflows/validate-k8s-samples.yml

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -13,21 +13,21 @@ jobs:
  
          - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

            with:

              persist-credentials: false

          - name: Get Kubeval

          - name: Get Kubeconform

            env:

              KUBEVAL_RELEASES_URL: https://github.com/instrumenta/kubeval/releases/latest/download/kubeval-linux-amd64.tar.gz

              KUBECONFORM_VERSION: v0.6.4

            run: |

              mkdir -p .bin

              PROJDIR=$(pwd)

              cd .bin && wget "${KUBEVAL_RELEASES_URL}" \

                && tar xf $(basename "${KUBEVAL_RELEASES_URL}") \

                && chmod +x kubeval \

                && rm -vf $(basename "${KUBEVAL_RELEASES_URL}") \

              cd .bin && wget "https://github.com/yannh/kubeconform/releases/download/${KUBECONFORM_VERSION}/kubeconform-linux-amd64.tar.gz" \

                && tar xf kubeconform-linux-amd64.tar.gz \

                && chmod +x kubeconform \

                && rm -vf kubeconform-linux-amd64.tar.gz \

                && cd "${PROJDIR}"

          - name: Validate k8s manifests

            run: |

              python3 -u .github/scripts/samples-linters/validate-syntax.py \

                "assets/queries/k8s/**/test/*.yaml" \

                --extra ' --skip-kinds CustomResourceDefinition,KubeletConfiguration,Policy,EncryptionConfiguration,KubeSchedulerConfiguration,SecretProviderClass,Service,Configuration,ContainerSource,Revision' \

                --linter .bin/kubeval \

                --extra ' -skip CustomResourceDefinition,KubeletConfiguration,Policy,EncryptionConfiguration,KubeSchedulerConfiguration,SecretProviderClass,Service,Configuration,ContainerSource,Revision,PodSecurityPolicy -ignore-missing-schemas' \

                --linter .bin/kubeconform \

                --skip '.github/scripts/samples-linters/ignore-list/k8s' -v

assets/queries/k8s/workload_host_port_not_specified/test/positive_expected_result.json

This file was deleted.

...oad_host_port_not_specified/metadata.json → ...orkload_host_port_specified/metadata.json

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -1,6 +1,6 @@
  
    {

      "id": "2b1836f1-dcce-416e-8e16-da8c71920633",

      "queryName": "Workload Host Port Not Specified",

      "id": "cfe96671-84e4-4f25-b349-bea992f590a2",

      "queryName": "Workload Host Port Specified",

      "severity": "LOW",

      "category": "Networking and Firewall",

      "descriptionText": "Verifies if Kubernetes workload's host port is specified",

    @@ -10,4 +10,4 @@
  
      "cloudProvider": "common",

      "cwe": "665",

      "riskScore": "2.3"

    }
      
    }

0 ...rkload_host_port_not_specified/query.rego → ...s/workload_host_port_specified/query.rego

File renamed without changes.

0 ...ost_port_not_specified/test/negative.yaml → ...ad_host_port_specified/test/negative.yaml

File renamed without changes.

0 ...ost_port_not_specified/test/positive.yaml → ...ad_host_port_specified/test/positive.yaml

File renamed without changes.

assets/queries/k8s/workload_host_port_specified/test/positive_expected_result.json

-Original file line number
+Diff line change
@@ -0,0 +1,12 @@
+    [
+      {
+        "queryName": "Workload Host Port Specified",
+        "severity": "LOW",
+        "line": 9
+      },
+      {
+        "queryName": "Workload Host Port Specified",
+        "severity": "LOW",
+        "line": 24
+      }
+    ]

.../terraform/kubernetes/workload_host_port_not_specified/test/positive_expected_result.json

This file was deleted.

...oad_host_port_not_specified/metadata.json → ...orkload_host_port_specified/metadata.json

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -1,6 +1,6 @@
  
    {

      "id": "4e74cf4f-ff65-4c1a-885c-67ab608206ce",

      "queryName": "Workload Host Port Not Specified",

      "id": "0cfc4fe7-24eb-451f-a1c1-8c2bb82c0fae",

      "queryName": "Workload Host Port Specified",

      "severity": "LOW",

      "category": "Networking and Firewall",

      "descriptionText": "Verifies if Kubernetes workload's host port is specified",

    @@ -10,4 +10,4 @@
  
      "cwe": "665",

      "cloudProvider": "common",

      "riskScore": "2.3"

    }
      
    }

...rkload_host_port_not_specified/query.rego → ...s/workload_host_port_specified/query.rego

-Original file line number
+Diff line change
@@ Expand Up / @@ -9,17 +9,18 @@ CxPolicy[result] { @@
     	resource := input.document[i].resource[x][name]
     	path := checkPath(resource)
+        common_lib.valid_key(path.port, "host_port")
-    	not common_lib.valid_key(path.port, "host_port")
     	result := {
     		"documentId": input.document[i].id,
     		"resourceType": x,
     		"resourceName": tf_lib.get_resource_name(resource, name),
-    		"searchKey": sprintf("%s[%s].%s.port", [x, name, resource_prefix]),
+    		"searchKey": sprintf("%s[%s].%s.port.host_port", [x, name, resource_prefix]),
     		"issueType": "IncorrectValue",
-    		"keyExpectedValue": "Attribute 'host_port' should be defined and not null",
-    		"keyActualValue": "Attribute 'host_port' is undefined or null",
-    	}
+    		"keyExpectedValue": sprintf("%s[%s].%s.port.host_port should not be defined", [x, name, resource_prefix]),
+    		"keyActualValue": sprintf("%s[%s].%s.port.host_port is defined", [x, name, resource_prefix]),
+    		"searchLine": common_lib.build_search_line(array.concat(["resource", x, name], split(resource_prefix, ".")), ["port", "host_port"]),
+        }
     }
     checkPath(resource) = path {
@@ Expand Down @@

0 ...host_port_not_specified/test/positive1.tf → ...oad_host_port_specified/test/negative1.tf

File renamed without changes.

0 ...host_port_not_specified/test/positive2.tf → ...oad_host_port_specified/test/negative2.tf

File renamed without changes.

0 ...host_port_not_specified/test/negative1.tf → ...oad_host_port_specified/test/positive1.tf

File renamed without changes.

0 ...host_port_not_specified/test/negative2.tf → ...oad_host_port_specified/test/positive2.tf

File renamed without changes.

...ries/terraform/kubernetes/workload_host_port_specified/test/positive_expected_result.json

-Original file line number
+Diff line change
@@ -0,0 +1,14 @@
+    [
+      {
+        "queryName": "Workload Host Port Specified",
+        "severity": "LOW",
+        "line": 18,
+        "fileName": "positive1.tf"
+      },
+      {
+        "queryName": "Workload Host Port Specified",
+        "severity": "LOW",
+        "line": 43,
+        "fileName": "positive2.tf"
+      }
+    ]

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(query): update terraform k8s workload host port specified query logic #7941

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

Uh oh!

fix(query): update terraform k8s workload host port specified query logic #7941

Are you sure you want to change the base?

fix(query): update terraform k8s workload host port specified query logic #7941

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

Uh oh!