├── .coveragerc ├── .flake8 ├── .github └── workflows │ ├── bumpversion.yml │ ├── ci.yaml │ └── pythonpublish.yaml ├── .gitignore ├── .pre-commit-config.yaml ├── CHANGELOG.md ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── docs ├── cluster_wide │ ├── index.html │ ├── reliability │ │ ├── applications.html │ │ └── index.html │ └── security │ │ ├── detective_controls.html │ │ ├── encryption_secrets.html │ │ ├── iam.html │ │ ├── image_security.html │ │ ├── index.html │ │ ├── infrastructure_security.html │ │ ├── multi_tenancy.html │ │ ├── network_security.html │ │ └── pod_security.html ├── harden.html ├── hardeneks.gif ├── hardeneks.png ├── index.html ├── namespace_based │ ├── index.html │ ├── reliability │ │ ├── applications.html │ │ └── index.html │ └── security │ │ ├── encryption_secrets.html │ │ ├── iam.html │ │ ├── index.html │ │ ├── network_security.html │ │ ├── pod_security.html │ │ └── runtime_security.html ├── report.html └── resources.html ├── hardeneks ├── __init__.py ├── cluster_wide │ ├── __init__.py │ ├── cluster_autoscaling │ │ ├── __init__.py │ │ └── cluster_autoscaler.py │ ├── reliability │ │ ├── __init__.py │ │ └── applications.py │ ├── scalability │ │ ├── __init__.py │ │ ├── control_plane.py │ │ └── skipped.json │ └── security │ │ ├── __init__.py │ │ ├── detective_controls.py │ │ ├── encryption_secrets.py │ │ ├── iam.py │ │ ├── image_security.py │ │ ├── infrastructure_security.py │ │ ├── multi_tenancy.py │ │ ├── network_security.py │ │ └── pod_security.py ├── config.yaml ├── harden.py ├── helpers.py ├── namespace_based │ ├── __init__.py │ ├── reliability │ │ ├── __init__.py │ │ └── applications.py │ └── security │ │ ├── __init__.py │ │ ├── encryption_secrets.py │ │ ├── iam.py │ │ ├── network_security.py │ │ ├── pod_security.py │ │ └── runtime_security.py ├── resources.py └── rules.py ├── poetry.lock ├── pyproject.toml ├── scripts └── create_k8s_test_data.sh ├── tests ├── __init__.py ├── conftest.py ├── data │ ├── 
avoid_running_singleton_pods │ │ ├── bad.yaml │ │ ├── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── persistent_volumes_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ ├── stateful_sets_api_response.json │ │ │ └── storage_classes_api_response.json │ │ └── good.yaml │ ├── check_access_to_instance_profile │ │ └── instance_metadata.json │ ├── check_any_cluster_autoscaler_exists │ │ └── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── persistent_volumes_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ ├── stateful_sets_api_response.json │ │ │ └── storage_classes_api_response.json │ ├── check_aws_node_daemonset_service_account │ │ ├── daemon_sets_api_response.json │ │ └── service_accounts_api_response.json │ ├── check_awspca_exists │ │ └── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── 
resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ └── stateful_sets_api_response.json │ ├── check_default_deny_policy_exists │ │ └── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── persistent_volumes_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ ├── stateful_sets_api_response.json │ │ │ └── storage_classes_api_response.json │ ├── check_endpoint_public_access │ │ └── cluster_metadata.json │ ├── check_horizontal_pod_autoscaling_exists │ │ ├── bad.yaml │ │ ├── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── persistent_volumes_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ ├── stateful_sets_api_response.json │ │ │ └── storage_classes_api_response.json │ │ └── good.yaml │ ├── check_liveness_probes │ │ ├── bad.yaml │ │ ├── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ 
│ │ ├── network_policies_api_response.json │ │ │ ├── persistent_volumes_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ ├── stateful_sets_api_response.json │ │ │ └── storage_classes_api_response.json │ │ └── good.yaml │ ├── check_logs_are_enabled │ │ └── cluster_metadata.json │ ├── check_metrics_server_is_running │ │ └── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── persistent_volumes_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ ├── stateful_sets_api_response.json │ │ │ └── storage_classes_api_response.json │ ├── check_read_only_root_file_system │ │ ├── bad.yaml │ │ ├── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ └── stateful_sets_api_response.json │ │ └── good.yaml │ ├── check_readiness_probes │ │ ├── bad.yaml │ │ ├── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ 
│ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── persistent_volumes_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ ├── stateful_sets_api_response.json │ │ │ └── storage_classes_api_response.json │ │ └── good.yaml │ ├── check_vertical_pod_autoscaler_exists │ │ └── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── persistent_volumes_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ ├── stateful_sets_api_response.json │ │ │ └── storage_classes_api_response.json │ ├── check_vpc_flow_logs │ │ └── cluster_metadata.json │ ├── deploy_workers_onto_private_subnets │ │ └── instance_metadata.json │ ├── disable_anonymous_access_for_cluster_roles │ │ ├── bad.yaml │ │ ├── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ └── stateful_sets_api_response.json │ │ └── good.yaml │ ├── disable_anonymous_access_for_roles │ │ ├── bad.yaml │ │ 
├── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ └── stateful_sets_api_response.json │ │ └── good.yaml │ ├── disable_run_as_root_user │ │ ├── bad.yaml │ │ ├── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ └── stateful_sets_api_response.json │ │ └── good.yaml │ ├── disable_run_as_root_user_container │ │ ├── bad.yaml │ │ ├── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── persistent_volumes_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ ├── stateful_sets_api_response.json │ │ │ └── storage_classes_api_response.json │ │ └── good.yaml │ ├── disable_service_account_token_mounts │ │ ├── bad.yaml │ │ ├── cluster │ 
│ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ └── stateful_sets_api_response.json │ │ └── good.yaml │ ├── disallow_container_socket_mount │ │ ├── bad.yaml │ │ └── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ └── stateful_sets_api_response.json │ ├── disallow_host_path_or_make_it_read_only │ │ ├── bad.yaml │ │ └── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ └── stateful_sets_api_response.json │ ├── disallow_linux_capabilities │ │ ├── bad.yaml │ │ ├── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ 
├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── persistent_volumes_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ ├── stateful_sets_api_response.json │ │ │ └── storage_classes_api_response.json │ │ └── good.yaml │ ├── disallow_privilege_escalation │ │ ├── bad.yaml │ │ ├── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ └── stateful_sets_api_response.json │ │ └── good.yaml │ ├── disallow_secrets_from_env_vars │ │ ├── bad.yaml │ │ ├── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── persistent_volumes_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ ├── stateful_sets_api_response.json │ │ │ └── storage_classes_api_response.json │ │ └── good.yaml │ ├── employ_least_privileged_access_cluster_autoscaler_role │ │ ├── cluster │ │ │ ├── deployments_api_response.json │ │ │ └── 
service_accounts_api_response.json │ │ ├── get_policy.json │ │ ├── get_policy_version.json │ │ ├── get_role_policy.json │ │ ├── list_attached_role_policies.json │ │ └── list_role_policies.json │ ├── ensure_cluster_autoscaler_and_cluster_versions_match │ │ └── cluster │ │ │ └── deployments_api_response.json │ ├── ensure_cluster_autoscaler_has_autodiscovery_mode │ │ └── cluster │ │ │ └── deployments_api_response.json │ ├── ensure_namespace_psa_exist │ │ ├── bad.yaml │ │ ├── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── persistent_volumes_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ ├── stateful_sets_api_response.json │ │ │ └── storage_classes_api_response.json │ │ └── good.yaml │ ├── ensure_namespace_quotas_exist │ │ ├── bad.yaml │ │ ├── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── persistent_volumes_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ ├── stateful_sets_api_response.json │ │ │ └── storage_classes_api_response.json │ │ └── good.yaml │ ├── make_sure_inspector_is_enabled │ │ └── inspector_status.json │ ├── restrict_wildcard_for_cluster_roles │ │ ├── bad.yaml │ │ ├── cluster │ 
│ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ └── stateful_sets_api_response.json │ │ └── good.yaml │ ├── restrict_wildcard_for_roles │ │ ├── bad.yaml │ │ ├── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ └── stateful_sets_api_response.json │ │ └── good.yaml │ ├── run_multiple_replicas │ │ ├── bad.yaml │ │ ├── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── persistent_volumes_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ ├── stateful_sets_api_response.json │ │ │ └── storage_classes_api_response.json │ │ └── good.yaml │ ├── schedule_replicas_across_nodes │ │ ├── bad.yaml │ │ ├── cluster │ │ │ ├── 
cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── persistent_volumes_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ ├── stateful_sets_api_response.json │ │ │ └── storage_classes_api_response.json │ │ └── good.yaml │ ├── set_requests_limits_for_containers │ │ ├── bad.yaml │ │ ├── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ └── stateful_sets_api_response.json │ │ └── good.yaml │ ├── use_dedicated_service_accounts_for_each_daemon_set │ │ ├── bad.yaml │ │ └── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ └── stateful_sets_api_response.json │ ├── use_dedicated_service_accounts_for_each_deployment │ │ ├── bad.yaml │ │ └── cluster │ 
│ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ └── stateful_sets_api_response.json │ ├── use_dedicated_service_accounts_for_each_stateful_set │ │ ├── bad.yaml │ │ └── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ └── stateful_sets_api_response.json │ ├── use_efs_access_points │ │ ├── bad.yaml │ │ ├── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── persistent_volumes_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ ├── stateful_sets_api_response.json │ │ │ └── storage_classes_api_response.json │ │ └── good.yaml │ ├── use_encryption_with_aws_load_balancers │ │ ├── bad.yaml │ │ ├── cluster │ │ │ ├── 
cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ └── stateful_sets_api_response.json │ │ └── good.yaml │ ├── use_encryption_with_ebs │ │ ├── bad.yaml │ │ ├── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── persistent_volumes_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ ├── stateful_sets_api_response.json │ │ │ └── storage_classes_api_response.json │ │ └── good.yaml │ ├── use_encryption_with_efs │ │ ├── bad.yaml │ │ ├── cluster │ │ │ ├── cluster_role_bindings_api_response.json │ │ │ ├── cluster_roles_api_response.json │ │ │ ├── daemon_sets_api_response.json │ │ │ ├── deployments_api_response.json │ │ │ ├── horizontal_pod_autoscaler_api_response.json │ │ │ ├── namespaces_api_response.json │ │ │ ├── network_policies_api_response.json │ │ │ ├── persistent_volumes_api_response.json │ │ │ ├── pods_api_response.json │ │ │ ├── resource_quotas_api_response.json │ │ │ ├── role_bindings_api_response.json │ │ │ ├── roles_api_response.json │ │ │ ├── services_api_response.json │ │ │ ├── stateful_sets_api_response.json │ │ │ └── storage_classes_api_response.json │ │ └── good.yaml │ ├── 
use_immutable_tags_with_ecr │ │ └── repositories.json │ ├── use_managed_nodegroups │ │ └── cluster │ │ │ └── nodes_api_response.json │ └── use_separate_iam_role_for_cluster_autoscaler │ │ └── cluster │ │ ├── deployments_api_response.json │ │ └── service_accounts_api_response.json ├── test_cli.py ├── test_cluster_autoscaling_cluster_autoscaler.py ├── test_reliability_applications.py ├── test_scalability_control_plane.py ├── test_security_detective_controls.py ├── test_security_encryption_secrets.py ├── test_security_iam.py ├── test_security_image_security.py ├── test_security_infrastructure_security.py ├── test_security_multi_tenancy.py ├── test_security_network_security.py ├── test_security_pod_security.py └── test_security_runtime_security.py └── tox.ini /.coveragerc: -------------------------------------------------------------------------------- 1 | [coverage:report] 2 | skip_empty = true 3 | -------------------------------------------------------------------------------- /.flake8: -------------------------------------------------------------------------------- 1 | [flake8] 2 | extend-ignore = E501 -------------------------------------------------------------------------------- /.github/workflows/bumpversion.yml: -------------------------------------------------------------------------------- 1 | name: Bump version 2 | 3 | on: 4 | push: 5 | branches: 6 | - main 7 | 8 | jobs: 9 | bump-version: 10 | if: "!startsWith(github.event.head_commit.message, 'bump:')" 11 | runs-on: ubuntu-latest 12 | name: "Bump version and create changelog with commitizen" 13 | steps: 14 | - name: Check out 15 | uses: actions/checkout@v2 16 | with: 17 | token: "${{ secrets.PERSONAL_ACCESS_TOKEN }}" 18 | fetch-depth: 0 19 | - name: Create bump and changelog 20 | uses: commitizen-tools/commitizen-action@master 21 | with: 22 | github_token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} 23 | changelog_increment_filename: CHANGELOG.md 24 | - name: Release 25 | uses: softprops/action-gh-release@v1 26 | 
with: 27 | body_path: "CHANGELOG.md" 28 | tag_name: "v${{ env.REVISION }}" 29 | env: 30 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 31 | -------------------------------------------------------------------------------- /.github/workflows/ci.yaml: -------------------------------------------------------------------------------- 1 | name: Python package 2 | 3 | on: 4 | - push 5 | - pull_request 6 | 7 | jobs: 8 | build: 9 | runs-on: ubuntu-latest 10 | strategy: 11 | matrix: 12 | python-version: ['3.9', '3.10', '3.11', '3.12', '3.13'] 13 | 14 | steps: 15 | - uses: actions/checkout@v3 16 | 17 | - name: Set up Python ${{ matrix.python-version }} 18 | uses: actions/setup-python@v4 19 | with: 20 | python-version: ${{ matrix.python-version }} 21 | 22 | - name: Install Poetry 23 | uses: snok/install-poetry@v1 24 | with: 25 | virtualenvs-create: true 26 | virtualenvs-in-project: true 27 | installer-parallel: true 28 | 29 | - name: Load cached venv 30 | id: cached-poetry-dependencies 31 | uses: actions/cache@v2 32 | with: 33 | path: .venv 34 | key: venv-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/poetry.lock') }} 35 | 36 | - name: Install dependencies 37 | if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true' 38 | run: poetry install --no-interaction --no-root 39 | 40 | - name: Install library 41 | run: poetry install --no-interaction 42 | 43 | - name: Install dependencies 44 | run: | 45 | python -m pip install --upgrade pip 46 | python -m pip install tox-gh-actions 47 | 48 | - name: Test with tox 49 | run: tox 50 | 51 | -------------------------------------------------------------------------------- /.github/workflows/pythonpublish.yaml: -------------------------------------------------------------------------------- 1 | name: Upload Python Package 2 | 3 | on: 4 | push: 5 | tags: 6 | - "v*" 7 | 8 | jobs: 9 | deploy: 10 | runs-on: ubuntu-latest 11 | steps: 12 | - uses: actions/checkout@v1 13 | - name: Set up Python 14 | uses: 
actions/setup-python@v1 15 | with: 16 | python-version: "3.x" 17 | - name: Install dependencies 18 | run: | 19 | python -m pip install --pre -U poetry 20 | poetry --version 21 | poetry install 22 | - name: Build and publish 23 | env: 24 | PYPI_USERNAME: ${{ secrets.PYPI_USERNAME }} 25 | PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }} 26 | run: | 27 | poetry publish --build -u $PYPI_USERNAME -p $PYPI_PASSWORD 28 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | repos: 2 | - repo: https://github.com/psf/black 3 | rev: 22.10.0 4 | hooks: 5 | - id: black 6 | language_version: python3.10 7 | - repo: https://github.com/pre-commit/pre-commit-hooks 8 | rev: v1.2.3 9 | hooks: 10 | - id: flake8 11 | - hooks: 12 | - id: commitizen 13 | repo: https://github.com/commitizen-tools/commitizen 14 | rev: v2.37.0 15 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | ## Code of Conduct 2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 4 | opensource-codeofconduct@amazon.com with any additional questions or comments. 5 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 
2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of 4 | this software and associated documentation files (the "Software"), to deal in 5 | the Software without restriction, including without limitation the rights to 6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 7 | the Software, and to permit persons to whom the Software is furnished to do so. 8 | 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 10 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 11 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 12 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 13 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 14 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 15 | 16 | -------------------------------------------------------------------------------- /docs/hardeneks.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/hardeneks/ca456aa456adfd24d241da9d6f1a4a9cf32f8660/docs/hardeneks.gif -------------------------------------------------------------------------------- /docs/hardeneks.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/hardeneks/ca456aa456adfd24d241da9d6f1a4a9cf32f8660/docs/hardeneks.png -------------------------------------------------------------------------------- /hardeneks/cluster_wide/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/hardeneks/ca456aa456adfd24d241da9d6f1a4a9cf32f8660/hardeneks/cluster_wide/__init__.py -------------------------------------------------------------------------------- /hardeneks/cluster_wide/cluster_autoscaling/__init__.py: 
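--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/hardeneks/ca456aa456adfd24d241da9d6f1a4a9cf32f8660/hardeneks/cluster_wide/cluster_autoscaling/__init__.py
--------------------------------------------------------------------------------
/hardeneks/cluster_wide/reliability/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/hardeneks/ca456aa456adfd24d241da9d6f1a4a9cf32f8660/hardeneks/cluster_wide/reliability/__init__.py
--------------------------------------------------------------------------------
/hardeneks/cluster_wide/reliability/applications.py:
--------------------------------------------------------------------------------
from kubernetes import client

from hardeneks.rules import Rule, Result
from hardeneks.resources import Resources


class check_metrics_server_is_running(Rule):
    """Pass when a Service named exactly ``metrics-server`` exists in any
    namespace. A metrics-server installed under another Service name is
    reported as missing.
    """

    _type = "cluster_wide"
    pillar = "reliability"
    section = "applications"
    message = "Metrics server is not deployed."
    url = "https://aws.github.io/aws-eks-best-practices/reliability/docs/application/#run-kubernetes-metrics-server"

    def check(self, resources: Resources):
        all_services = client.CoreV1Api().list_service_for_all_namespaces()
        found = any(
            svc.metadata.name == "metrics-server" for svc in all_services.items
        )
        self.result = Result(status=found, resource_type="Service")


class check_vertical_pod_autoscaler_exists(Rule):
    """Pass when a Deployment named exactly ``vpa-recommender`` exists in
    any namespace.
    """

    _type = "cluster_wide"
    pillar = "reliability"
    section = "applications"
    message = "Vertical pod autoscaler is not deployed."
    # NOTE(review): this anchor is the metrics-server section of the guide,
    # not the VPA one. Left unchanged because the right anchor cannot be
    # verified from here.
    url = "https://aws.github.io/aws-eks-best-practices/reliability/docs/application/#run-kubernetes-metrics-server"

    def check(self, resources: Resources):
        all_deployments = (
            client.AppsV1Api().list_deployment_for_all_namespaces().items
        )
        deployment_names = {dep.metadata.name for dep in all_deployments}
        self.result = Result(
            status="vpa-recommender" in deployment_names,
            resource_type="Deployment",
        )
--------------------------------------------------------------------------------
/hardeneks/cluster_wide/scalability/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/hardeneks/ca456aa456adfd24d241da9d6f1a4a9cf32f8660/hardeneks/cluster_wide/scalability/__init__.py
--------------------------------------------------------------------------------
/hardeneks/cluster_wide/scalability/control_plane.py:
--------------------------------------------------------------------------------
import re
import kubernetes
from hardeneks import helpers
from hardeneks.rules import Rule, Result
from hardeneks import Resources


class check_EKS_version(Rule):
    """Fail when the API server reports a Kubernetes minor version below 24."""

    _type = "cluster_wide"
    pillar = "scalability"
    section = "control_plane"
    message = "EKS Version Should be greater or equal to 1.24."
    url = "https://aws.github.io/aws-eks-best-practices/scalability/docs/control-plane/#use-eks-124-or-above"

    def check(self, resources: Resources):
        version = kubernetes.client.VersionApi().get_code()
        minor = version.minor
        # EKS reports minors such as "24+": keep the digits only. A minor
        # with no digits at all is reported as a failure instead of raising
        # ValueError (harden() swallows exceptions, so a raise would make the
        # rule silently vanish from the report).
        digits = re.sub(r"[^0-9]", "", minor)
        if digits and int(digits) >= 24:
            self.result = Result(status=True, resource_type="Cluster Version")
        else:
            self.result = Result(
                status=False,
                resources=f"{version.major}.{minor}",
                resource_type="Cluster Version",
            )


class check_kubectl_compression(Rule):
    """Fail unless the kubeconfig ``clusters`` entry for this cluster sets
    ``disable-compression`` to a truthy value.

    The entry is located by substring match on its name so that both a bare
    cluster name and an EKS cluster ARN (``.../cluster/<name>``) match; the
    first matching entry decides the result.
    """

    _type = "cluster_wide"
    pillar = "scalability"
    section = "control_plane"
    message = "`disable-compression` in kubeconfig should equal True"
    url = "https://aws.github.io/aws-eks-best-practices/scalability/docs/control-plane/#disable-kubectl-compression"

    def check(self, resources: Resources):
        kubeconfig = helpers.get_kube_config()
        # Fail closed: when no cluster entry matches, the setting cannot be
        # confirmed. Previously self.result was never assigned in that case
        # and the rule reported the default (passing) Result.
        self.result = Result(
            status=False, resource_type="Compression Setting"
        )
        for entry in kubeconfig.get("clusters", []):
            if resources.cluster not in entry.get("name", ""):
                continue
            disabled = entry.get("cluster", {}).get(
                "disable-compression", False
            )
            self.result = Result(
                status=bool(disabled), resource_type="Compression Setting"
            )
            break
--------------------------------------------------------------------------------
/hardeneks/cluster_wide/scalability/skipped.json:
--------------------------------------------------------------------------------
[{
    "name": "Limit workload and node bursting",
    "link": "https://aws.github.io/aws-eks-best-practices/scalability/docs/control-plane/#limit-workload-and-node-bursting"
},
{
    "name":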
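"Scale nodes and pods down safely",
    "link": "https://aws.github.io/aws-eks-best-practices/scalability/docs/control-plane/#scale-nodes-and-pods-down-safely"
},
{
    "name": "Use Client-Side Cache when running Kubectl",
    "link": "https://aws.github.io/aws-eks-best-practices/scalability/docs/control-plane/#use-client-side-cache-when-running-kubectl"
}]
--------------------------------------------------------------------------------
/hardeneks/cluster_wide/security/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/hardeneks/ca456aa456adfd24d241da9d6f1a4a9cf32f8660/hardeneks/cluster_wide/security/__init__.py
--------------------------------------------------------------------------------
/hardeneks/cluster_wide/security/detective_controls.py:
--------------------------------------------------------------------------------
import boto3

from ...resources import Resources
from hardeneks.rules import Rule, Result


class check_logs_are_enabled(Rule):
    """Fail unless the cluster's control-plane logging has an enabled entry
    whose types include ``audit``.

    Only the audit log is required here, although the message talks about
    control plane logs in general; api/authenticator/controllerManager/
    scheduler logs are not checked.
    """

    _type = "cluster_wide"
    pillar = "security"
    section = "detective_controls"
    message = "Enable control plane logs for auditing."
    url = "https://aws.github.io/aws-eks-best-practices/security/docs/detective/#enable-audit-logs"

    def check(self, resources: Resources):
        eks = boto3.client("eks", region_name=resources.region)
        cluster = eks.describe_cluster(name=resources.cluster)["cluster"]
        # A cluster that never had logging configured may lack these keys or
        # return entries without "types"; treat that as disabled instead of
        # raising (a raised exception is swallowed by harden() and the rule
        # disappears from the report).
        log_config = cluster.get("logging", {}).get("clusterLogging", [])
        audit_enabled = any(
            entry.get("enabled") and "audit" in (entry.get("types") or [])
            for entry in log_config
        )
        self.result = Result(
            status=audit_enabled, resource_type="Log Configuration"
        )
--------------------------------------------------------------------------------
/hardeneks/cluster_wide/security/image_security.py:
--------------------------------------------------------------------------------
import boto3

from ...resources import Resources
from hardeneks.rules import Rule, Result


class use_immutable_tags_with_ecr(Rule):
    """Fail for every ECR repository in the cluster's region whose
    ``imageTagMutability`` is not ``IMMUTABLE``.
    """

    _type = "cluster_wide"
    pillar = "security"
    section = "image_security"
    message = "Make image tags immutable."
    url = "https://aws.github.io/aws-eks-best-practices/security/docs/image/#use-immutable-tags-with-ecr"

    def check(self, resources: Resources):
        ecr = boto3.client("ecr", region_name=resources.region)
        # describe_repositories is paginated; a single unpaginated call only
        # returned the first page, so repositories beyond it were never
        # checked (a silent false negative for a security control).
        pages = ecr.get_paginator("describe_repositories").paginate()
        mutable_repos = [
            repo["repositoryName"]
            for page in pages
            for repo in page["repositories"]
            if repo["imageTagMutability"] != "IMMUTABLE"
        ]

        self.result = Result(status=True, resource_type="ECR Repository")
        if mutable_repos:
            self.result = Result(
                status=False,
                resource_type="ECR Repository",
                resources=mutable_repos,
            )
--------------------------------------------------------------------------------
/hardeneks/cluster_wide/security/infrastructure_security.py:
--------------------------------------------------------------------------------
import boto3

from ...resources import Resources
from hardeneks.rules import Rule, Result


class deploy_workers_onto_private_subnets(Rule):
    """Fail when any EC2 instance tagged with this cluster's name has a
    public IP address or public DNS name.

    Instances are selected through the ``aws:eks:cluster-name`` tag that EKS
    puts on managed node group instances; self-managed nodes carrying only a
    ``kubernetes.io/cluster/<name>`` tag are not covered by this filter.
    The class previously subclassed ``Result`` instead of ``Rule``, which
    skipped the required-attribute validation every other rule gets.
    """

    _type = "cluster_wide"
    pillar = "security"
    section = "infrastructure_security"
    message = "Place worker nodes on private subnets."
    url = "https://aws.github.io/aws-eks-best-practices/security/docs/hosts/#deploy-workers-onto-private-subnets"

    def check(self, resources: Resources):
        ec2 = boto3.client("ec2", region_name=resources.region)
        # describe_instances is paginated; walk every page so large clusters
        # are fully covered.
        pages = ec2.get_paginator("describe_instances").paginate(
            Filters=[
                {
                    "Name": "tag:aws:eks:cluster-name",
                    "Values": [resources.cluster],
                },
            ]
        )

        offenders = []
        for page in pages:
            for reservation in page["Reservations"]:
                # A reservation can hold several instances; the old code only
                # inspected Instances[0] and missed the rest.
                for instance in reservation["Instances"]:
                    is_public = instance.get("PublicIpAddress") or instance.get(
                        "PublicDnsName"
                    )
                    if is_public:
                        offenders.append(instance["InstanceId"])

        self.result = Result(status=True, resource_type="Node")
        if offenders:
            self.result = Result(
                status=False, resource_type="Node", resources=offenders
            )


class make_sure_inspector_is_enabled(Rule):
    """Fail unless Amazon Inspector scanning is ENABLED for both EC2 and ECR
    in the caller's account and the cluster's region.
    """

    _type = "cluster_wide"
    pillar = "security"
    section = "infrastructure_security"
    message = "Enable Amazon Inspector for ec2 and ecr."
    # NOTE(review): this anchor points at the private-subnets section rather
    # than the Inspector one; left unchanged because the right anchor cannot
    # be verified from here.
    url = "https://aws.github.io/aws-eks-best-practices/security/docs/hosts/#deploy-workers-onto-private-subnets"

    def check(self, resources: Resources):
        inspector = boto3.client("inspector2", region_name=resources.region)
        sts = boto3.client("sts", region_name=resources.region)
        account_id = sts.get_caller_identity()["Account"]

        response = inspector.batch_get_account_status(accountIds=[account_id])
        resource_state = response["accounts"][0]["resourceState"]

        # Both scan types are required. The previous condition used `and`,
        # so the rule passed as long as either one of them was enabled.
        not_enabled = [
            scan_type
            for scan_type in ("ec2", "ecr")
            if resource_state[scan_type]["status"] != "ENABLED"
        ]

        self.result = Result(
            status=True, resource_type="Inspector Configuration"
        )
        if not_enabled:
            self.result = Result(
                status=False,
                resource_type="Inspector Configuration",
                resources=not_enabled,
            )
--------------------------------------------------------------------------------
/hardeneks/cluster_wide/security/multi_tenancy.py:
--------------------------------------------------------------------------------
from ...resources import Resources
from hardeneks.rules import Rule, Result


class ensure_namespace_quotas_exist(Rule):
    """Fail for every checked namespace that has no ResourceQuota."""

    _type = "cluster_wide"
    pillar = "security"
    section = "multi_tenancy"
    message = "Namespaces should have quotas assigned."
    url = "https://aws.github.io/aws-eks-best-practices/security/docs/multitenancy/#namespaces"

    def check(self, resources: Resources):
        # Never mutate resources.namespaces: it is the same list object every
        # other rule reads. The previous `offenders = resources.namespaces`
        # followed by list.remove() shrank that shared list for the rules run
        # afterwards, and raised ValueError on a second quota in one namespace.
        with_quota = {
            quota.metadata.namespace for quota in resources.resource_quotas
        }
        offenders = [ns for ns in resources.namespaces if ns not in with_quota]

        self.result = Result(status=True, resource_type="Namespace")
        if offenders:
            self.result = Result(
                status=False, resources=offenders, resource_type="Namespace"
            )
--------------------------------------------------------------------------------
/hardeneks/cluster_wide/security/network_security.py:
--------------------------------------------------------------------------------
import boto3
from kubernetes import client

from ...resources import Resources
from hardeneks.rules import Rule, Result


class check_vpc_flow_logs(Rule):
    """Fail unless at least one ACTIVE flow log is attached to the cluster
    VPC itself. Flow logs attached only to individual subnets or ENIs are
    not counted.
    """

    _type = "cluster_wide"
    pillar = "security"
    section = "network_security"
    message = "Enable flow logs for your VPC."
    url = "https://aws.github.io/aws-eks-best-practices/security/docs/network/#log-network-traffic-metadata"

    def check(self, resources: Resources):
        eks = boto3.client("eks", region_name=resources.region)
        cluster = eks.describe_cluster(name=resources.cluster)["cluster"]
        vpc_id = cluster["resourcesVpcConfig"]["vpcId"]

        ec2 = boto3.client("ec2", region_name=resources.region)
        flow_logs = ec2.describe_flow_logs(
            Filters=[{"Name": "resource-id", "Values": [vpc_id]}]
        )["FlowLogs"]
        # A flow log that exists but is not ACTIVE delivers no records, so
        # only active ones satisfy the rule.
        active = [
            fl for fl in flow_logs if fl.get("FlowLogStatus") == "ACTIVE"
        ]

        self.result = Result(
            status=bool(active), resource_type="VPC Configuration"
        )


class check_awspca_exists(Rule):
    """Pass when a Service whose name starts with ``aws-privateca-issuer``
    exists in any namespace.
    """

    _type = "cluster_wide"
    pillar = "security"
    section = "network_security"
    message = "Install aws privateca issuer for your certificates."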
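# (continuation of class check_awspca_exists)
    url = "https://aws.github.io/aws-eks-best-practices/security/docs/network/#acm-private-ca-with-cert-manager"

    def check(self, resources: Resources):
        # Start from failure and flip to success on the first match. The
        # previous version set status=True inside the loop and then
        # unconditionally overwrote it with status=False afterwards, so the
        # rule could never pass.
        self.result = Result(
            status=False,
            resource_type="Service",
            resources=["aws-privateca-issuer"],
        )
        services = client.CoreV1Api().list_service_for_all_namespaces().items
        if any(
            svc.metadata.name.startswith("aws-privateca-issuer")
            for svc in services
        ):
            self.result = Result(status=True, resource_type="Service")


class check_default_deny_policy_exists(Rule):
    """Fail for every checked namespace without a default-deny NetworkPolicy.

    A policy only counts as default-deny when its ``podSelector`` is empty,
    i.e. it applies to every pod in the namespace; a policy scoped to some
    pods does not isolate the namespace. Whether the policy covers both
    Ingress and Egress is not verified.
    """

    _type = "cluster_wide"
    pillar = "security"
    section = "network_security"
    message = "Namespaces that does not have default network deny policies."
    url = "https://aws.github.io/aws-eks-best-practices/security/docs/network/#create-a-default-deny-policy"

    def check(self, resources: Resources):
        covered = set()
        for policy in resources.network_policies:
            selector = policy.spec.pod_selector
            selects_all_pods = selector is None or (
                not selector.match_labels and not selector.match_expressions
            )
            if selects_all_pods:
                covered.add(policy.metadata.namespace)

        # Never mutate resources.namespaces: it is shared with every other
        # rule. The old list.remove() loop shrank it for later rules and
        # raised ValueError on a second policy in the same namespace.
        offenders = [ns for ns in resources.namespaces if ns not in covered]

        self.result = Result(status=True, resource_type="Namespace")
        if offenders:
            # resource_type was "Service" on the failure path; these are
            # namespaces.
            self.result = Result(
                status=False, resource_type="Namespace", resources=offenders
            )
--------------------------------------------------------------------------------
/hardeneks/cluster_wide/security/pod_security.py:
--------------------------------------------------------------------------------
import kubernetes

from ...resources import Resources
from hardeneks.rules import Rule, Result


class ensure_namespace_psa_exist(Rule):
    """Fail for every checked namespace that carries none of the Pod Security
    Admission labels (enforce / warn / audit).

    Any one of the three labels satisfies this rule; note that only
    ``pod-security.kubernetes.io/enforce`` actually blocks non-compliant
    pods, ``warn`` and ``audit`` are advisory.
    """

    _type = "cluster_wide"
    pillar = "security"
    section = "pod_security"
    message = "Namespaces should have psa modes."
    url = "https://aws.github.io/aws-eks-best-practices/security/docs/pods/#pod-security-standards-pss-and-pod-security-admission-psa"

    def check(self, resources: Resources):
        offenders = []
        psa_labels = (
            "pod-security.kubernetes.io/enforce",
            "pod-security.kubernetes.io/warn",
            "pod-security.kubernetes.io/audit",
        )
        checked = set(resources.namespaces)

        for namespace in kubernetes.client.CoreV1Api().list_namespace().items:
            name = namespace.metadata.name
            if name not in checked:
                continue
            # metadata.labels is None for an unlabeled namespace. The old
            # `.labels.keys()` raised AttributeError there, harden() swallowed
            # it, and the whole rule silently dropped out of the report.
            labels = namespace.metadata.labels or {}
            if not any(label in labels for label in psa_labels):
                offenders.append(name)

        self.result = Result(status=True, resource_type="Namespace")
        if offenders:
            self.result = Result(
                status=False, resource_type="Namespace", resources=offenders
            )
--------------------------------------------------------------------------------
/hardeneks/harden.py:
--------------------------------------------------------------------------------
from importlib import import_module


def harden(resources, config, _type):
    """Instantiate and run every rule listed under ``config[_type]``.

    ``config[_type]`` maps pillar -> section -> list of rule class names; each
    name is resolved in ``hardeneks.<_type>.<pillar>.<section>``.

    Returns the list of Rule instances whose ``check()`` completed. A rule
    that cannot be resolved, or whose ``check()`` raises, is printed and left
    out of the list, so it never appears as a pass -- callers should treat a
    shorter list as an incomplete scan rather than a clean one.
    """
    results = []
    for pillar, sections in config[_type].items():
        for section, rule_names in sections.items():
            module = import_module(f"hardeneks.{_type}.{pillar}.{section}")
            for rule_name in rule_names:
                try:
                    rule_cls = getattr(module, rule_name)
                except AttributeError as exc:
                    # NOTE(review): builtin print() does not render rich
                    # markup; the "[bold][red]" prefix is emitted literally.
                    print(f"[bold][red]{exc}")
                    # Previously fell through to `cls()` with cls unbound.
                    continue
                try:
                    rule = rule_cls()
                    rule.check(resources)
                except Exception as exc:  # keep the remaining rules running
                    print(f"[bold][red]{rule_name}: {exc}")
                    continue
                results.append(rule)

    return results
--------------------------------------------------------------------------------
/hardeneks/helpers.py:
--------------------------------------------------------------------------------
import os
from pathlib import Path
import yaml


def get_kube_config():
    """Return the kubeconfig as a dict (parsed with ``yaml.safe_load``).

    The file is the first entry of ``$KUBECONFIG`` when that variable is
    set, otherwise ``~/.kube/config`` -- the same lookup order kubectl uses,
    so the rules inspect the config the user actually runs against. Only the
    first ``$KUBECONFIG`` entry is read; kubectl would merge all of them.

    The previous version also called
    ``urllib3.disable_warnings(InsecureRequestWarning)`` here. That silenced,
    process-wide, the warning urllib3 emits when TLS verification is turned
    off for the Kubernetes API connection, which is exactly the situation an
    operator running a hardening tool should see. It has been removed.

    Raises:
        OSError: if the kubeconfig cannot be opened.
        yaml.YAMLError: if it is not valid YAML.
    """
    env_paths = os.environ.get("KUBECONFIG", "")
    first = env_paths.split(os.pathsep)[0] if env_paths else ""
    kube_config_path = (
        Path(first) if first else Path.home() / ".kube" / "config"
    )

    with kube_config_path.open("r", encoding="utf-8") as fd:
        return yaml.safe_load(fd)
--------------------------------------------------------------------------------
/hardeneks/namespace_based/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/hardeneks/ca456aa456adfd24d241da9d6f1a4a9cf32f8660/hardeneks/namespace_based/__init__.py
--------------------------------------------------------------------------------
/hardeneks/namespace_based/reliability/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/hardeneks/ca456aa456adfd24d241da9d6f1a4a9cf32f8660/hardeneks/namespace_based/reliability/__init__.py
--------------------------------------------------------------------------------
/hardeneks/namespace_based/security/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/hardeneks/ca456aa456adfd24d241da9d6f1a4a9cf32f8660/hardeneks/namespace_based/security/__init__.py
--------------------------------------------------------------------------------
/hardeneks/namespace_based/security/encryption_secrets.py:
--------------------------------------------------------------------------------
from ...resources import NamespacedResources
from hardeneks.rules import Rule, Result


class disallow_secrets_from_env_vars(Rule):
    """Fail for every pod in the namespace that injects a Secret through
    environment variables (``valueFrom.secretKeyRef`` or
    ``envFrom.secretRef``), in app containers or init containers.
    """

    _type = "namespace_based"
    pillar = "security"
    section = "encryption_secrets"
    message = "Disallow secrets from env vars."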
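# (continuation of class disallow_secrets_from_env_vars)
    url = "https://aws.github.io/aws-eks-best-practices/security/docs/data/#use-volume-mounts-instead-of-environment-variables"

    def check(self, namespaced_resources: NamespacedResources):
        offenders = []

        for pod in namespaced_resources.pods:
            # Init containers receive secrets the same way as app containers
            # and were previously not inspected at all.
            containers = list(pod.spec.containers) + list(
                pod.spec.init_containers or []
            )
            # One entry per pod; the old loop appended the pod once per
            # offending env var, producing duplicates in the report.
            if any(_container_reads_secret_from_env(c) for c in containers):
                offenders.append(pod.metadata.name)

        self.result = Result(
            status=True,
            resource_type="Pod",
            namespace=namespaced_resources.namespace,
        )
        if offenders:
            self.result = Result(
                status=False,
                resource_type="Pod",
                resources=offenders,
                namespace=namespaced_resources.namespace,
            )


def _container_reads_secret_from_env(container) -> bool:
    """True when any env entry or envFrom entry of *container* is sourced
    from a Secret."""
    for env in container.env or []:
        if env.value_from and env.value_from.secret_key_ref:
            return True
    for env_from in container.env_from or []:
        if env_from.secret_ref:
            return True
    return False
--------------------------------------------------------------------------------
/hardeneks/namespace_based/security/network_security.py:
--------------------------------------------------------------------------------
from hardeneks.rules import Rule, Result
from hardeneks.resources import NamespacedResources


class use_encryption_with_aws_load_balancers(Rule):
    """Fail for every ``type: LoadBalancer`` Service in the namespace that
    does not carry both the ``aws-load-balancer-ssl-cert`` annotation and an
    ``aws-load-balancer-ssl-ports`` annotation listing port 443.
    """

    _type = "namespace_based"
    pillar = "security"
    section = "network_security"
    message = "Make sure you specify an ssl cert."
    url = "https://aws.github.io/aws-eks-best-practices/security/docs/network/#use-encryption-with-aws-load-balancers"

    def check(self, namespaced_resources: NamespacedResources):
        offenders = []
        for service in namespaced_resources.services:
            if service.spec.type != "LoadBalancer":
                continue
            # A LoadBalancer Service with no annotations at all has no
            # certificate either. The old `and annotations` guard skipped
            # exactly those services instead of flagging them.
            annotations = service.metadata.annotations or {}
            has_cert = (
                "service.beta.kubernetes.io/aws-load-balancer-ssl-cert"
                in annotations
            )
            ssl_ports = (
                annotations.get(
                    "service.beta.kubernetes.io/aws-load-balancer-ssl-ports"
                )
                or ""
            )
            # ssl-ports is a comma-separated list; "443" must be one entry.
            https_on_443 = "443" in [p.strip() for p in ssl_ports.split(",")]
            if not (has_cert and https_on_443):
                offenders.append(service.metadata.name)

        self.result = Result(
            status=True,
            resource_type="Service",
            namespace=namespaced_resources.namespace,
        )
        if offenders:
            self.result = Result(
                status=False,
                resource_type="Service",
                resources=offenders,
                namespace=namespaced_resources.namespace,
            )
--------------------------------------------------------------------------------
/hardeneks/namespace_based/security/runtime_security.py:
--------------------------------------------------------------------------------
from ...resources import NamespacedResources
from hardeneks.rules import Rule, Result


class disallow_linux_capabilities(Rule):
    """Fail for every pod in the namespace with a container (app or init)
    whose ``securityContext.capabilities.add`` lists a capability outside
    the allowed set below.

    Only explicitly *added* capabilities are inspected; the runtime's
    default capability set and ``drop`` entries are not evaluated.
    """

    _type = "namespace_based"
    pillar = "security"
    section = "runtime_security"
    message = "Capabilities beyond the allowed list are disallowed."
    url = "https://aws.github.io/aws-eks-best-practices/security/docs/runtime/#consider-adddropping-linux-capabilities-before-writing-seccomp-policies"

    ALLOWED_CAPABILITIES = frozenset(
        {
            "AUDIT_WRITE",
            "CHOWN",
            "DAC_OVERRIDE",
            "FOWNER",
            "FSETID",
            "KILL",
            "MKNOD",
            "NET_BIND_SERVICE",
            "SETFCAP",
            "SETGID",
            "SETPCAP",
            "SETUID",
            "SYS_CHROOT",
        }
    )

    def check(self, namespaced_resources: NamespacedResources):
        offenders = []

        for pod in namespaced_resources.pods:
            # Init containers run with the same capability model and were
            # previously not inspected.
            containers = list(pod.spec.containers) + list(
                pod.spec.init_containers or []
            )
            for container in containers:
                ctx = container.security_context
                added = ctx.capabilities.add if ctx and ctx.capabilities else None
                if added and not set(added) <= self.ALLOWED_CAPABILITIES:
                    offenders.append(pod.metadata.name)
                    break  # one entry per pod, not one per container

        self.result = Result(
            status=True,
            resource_type="Pod",
            namespace=namespaced_resources.namespace,
        )
        if offenders:
            self.result = Result(
                status=False,
                resource_type="Pod",
                resources=offenders,
                namespace=namespaced_resources.namespace,
            )
--------------------------------------------------------------------------------
/hardeneks/resources.py:
--------------------------------------------------------------------------------
from kubernetes import client


class Resources:
    """Cluster-wide inputs shared by every cluster_wide rule.

    ``namespaces`` is the list of namespaces to check. It is one list object
    handed to every rule in turn, so rules must read it, never mutate it.
    """

    def __init__(self, region, context, cluster, namespaces):
        self.region = region
        self.context = context
        self.cluster = cluster
        self.namespaces = namespaces

    def set_resources(self):
        """Fetch the cluster-scoped objects the rules inspect."""
        self.cluster_roles = (
            client.RbacAuthorizationV1Api().list_cluster_role().items
        )
        self.cluster_role_bindings = (
            client.RbacAuthorizationV1Api().list_cluster_role_binding().items
        )
        self.resource_quotas = (
            client.CoreV1Api().list_resource_quota_for_all_namespaces().items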
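# (continuation of Resources.set_resources)
        )
        self.network_policies = (
            client.NetworkingV1Api()
            .list_network_policy_for_all_namespaces()
            .items
        )
        self.storage_classes = client.StorageV1Api().list_storage_class().items
        self.persistent_volumes = (
            client.CoreV1Api().list_persistent_volume().items
        )


class NamespacedResources:
    """Objects of a single namespace, shared by every namespace_based rule."""

    def __init__(self, region, context, cluster, namespace):
        self.namespace = namespace
        self.region = region
        self.cluster = cluster
        self.context = context

    def set_resources(self):
        """Fetch the namespaced objects the rules inspect."""
        rbac = client.RbacAuthorizationV1Api()
        core = client.CoreV1Api()
        apps = client.AppsV1Api()
        ns = self.namespace

        self.roles = rbac.list_namespaced_role(ns).items
        self.pods = core.list_namespaced_pod(ns).items
        self.role_bindings = rbac.list_namespaced_role_binding(ns).items
        self.deployments = apps.list_namespaced_deployment(ns).items
        self.daemon_sets = apps.list_namespaced_daemon_set(ns).items
        self.stateful_sets = apps.list_namespaced_stateful_set(ns).items
        self.services = core.list_namespaced_service(ns).items
        self.hpas = (
            client.AutoscalingV1Api()
            .list_namespaced_horizontal_pod_autoscaler(ns)
            .items
        )
--------------------------------------------------------------------------------
/hardeneks/rules.py:
--------------------------------------------------------------------------------
from abc import ABC, abstractmethod

from hardeneks import console


class Result(object):
    """Outcome of one rule.

    Attributes:
        status: True when the rule passed.
        resources: offending resource names, ``[""]`` when none were given.
            (Some rules pass a single string here instead of a list.)
        resource_type: human-readable kind of the resources, e.g. "Pod".
        namespace: namespace the result applies to; None for cluster-wide.
    """

    def __init__(
        self, status=True, resources=None, resource_type=None, namespace=None
    ):
        self.status = status
        # The old default `resources=[""]` was one list object shared by every
        # Result, so an in-place append on one result leaked into all others.
        self.resources = [""] if resources is None else resources
        self.resource_type = resource_type
        self.namespace = namespace


class Rule(ABC):
    """Base class for one best-practice check.

    Concrete rules set the class attributes below and implement ``check``,
    which must assign ``self.result``. ``__init__`` raises
    ``NotImplementedError`` for any attribute left unset or falsy.
    """

    message = None
    url = None
    _type = None
    pillar = None
    section = None
    console = console

    # Class attributes every concrete rule must give a truthy value.
    _required_attributes = ("message", "url", "_type", "pillar", "section")

    def __init__(self, result=None):
        # `result=Result()` as a default was a single instance shared by all
        # rules; a rule whose check() never assigned self.result would have
        # reported whatever another rule last left on that shared object.
        self.result = Result() if result is None else result

        for name in self._required_attributes:
            if not getattr(self, name, None):
                raise NotImplementedError(
                    f"Class needs to have class variable {name}"
                )

    @abstractmethod
    def check(self, resources):
        """Evaluate the rule against *resources* and set ``self.result``."""
--------------------------------------------------------------------------------
/pyproject.toml:
--------------------------------------------------------------------------------
[tool.poetry]
name = "hardeneks"
version = "0.10.4"
description = ""
authors = ["Doruk Ozturk "]
readme = "README.md"

[tool.poetry.dependencies]
python = "^3.8"
typer = {extras = ["all"], version = "^0.6.1"}
kubernetes = "^25.3.0"
boto3 = "^1.26.2"
# NOTE(review): pre-commit and tox-gh-actions are developer tooling but are
# declared as runtime dependencies, so every `pip install hardeneks` pulls
# them (and their transitive packages) into the environment that talks to
# the cluster and to AWS. Consider moving them to a dev dependency group.
pre-commit = "^2.20.0"
tox-gh-actions = "^3.0.0"

[tool.poetry.group.test.dependencies]
pytest = "^7.2.0"
pytest-cov = "^4.0.0"
pytest-datadir = "^1.4.1"
tox = "^4.1.2"

[tool.poetry.scripts]
hardeneks = "hardeneks:app"

[tool.black]
line-length = 79
include = '\.pyi?$'
exclude = '''
/(
    \.git
  | \.hg
  | \.mypy_cache
  | \.tox
  | \.venv
  | _build
  | buck-out
  | build
  | dist
)/
'''

# NOTE(review): this version (0.11.0) disagrees with [tool.poetry] version
# (0.10.4) above; the commitizen bump configuration may not be updating
# the Poetry version as intended.
[tool.commitizen]
name = "cz_conventional_commits"
version = "0.11.0"
version_files = [
    "pyproject.toml:[tool.commitizen]\nversion",
    "pyproject.toml:[tool.poetry]\nname = \"commitizen\"\nversion",
    "pyproject.toml:^version"
]
tag_format = "v$version"
[build-system]
requires = ["poetry-core"]
build-backend = "poetry.core.masonry.api"

--------------------------------------------------------------------------------
/scripts/create_k8s_test_data.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Capture kubectl API responses from a throwaway namespace as test fixtures.
# Usage: create_k8s_test_data.sh <test-data-directory>
# Run this only against a disposable test cluster: it creates and then
# force-deletes a namespace.
set -eu

NAMESPACE=test-namespace
# Fail with a usage message instead of running `mkdir /cluster` when $1 is
# missing.
TEST_DATA_DIRECTORY=${1:?usage: $0 <test-data-directory>}

mkdir -p "$TEST_DATA_DIRECTORY/cluster"
kubectl create namespace "$NAMESPACE"
kubectl apply -f "$TEST_DATA_DIRECTORY/good.yaml"
kubectl apply -f "$TEST_DATA_DIRECTORY/bad.yaml"
kubectl get namespace -o json > "$TEST_DATA_DIRECTORY/cluster/namespaces_api_response.json"
kubectl get resourcequota -A -o json > "$TEST_DATA_DIRECTORY/cluster/resource_quotas_api_response.json"
kubectl get pv -o json > "$TEST_DATA_DIRECTORY/cluster/persistent_volumes_api_response.json"
kubectl get pod -o json -n "$NAMESPACE" > "$TEST_DATA_DIRECTORY/cluster/pods_api_response.json"
kubectl get service -o json -n "$NAMESPACE" > "$TEST_DATA_DIRECTORY/cluster/services_api_response.json"
kubectl get role -o json -n "$NAMESPACE" > "$TEST_DATA_DIRECTORY/cluster/roles_api_response.json"
kubectl get clusterrole -o json > "$TEST_DATA_DIRECTORY/cluster/cluster_roles_api_response.json"
kubectl get rolebinding -o json -n "$NAMESPACE" > "$TEST_DATA_DIRECTORY/cluster/role_bindings_api_response.json"
kubectl get clusterrolebinding -o json > "$TEST_DATA_DIRECTORY/cluster/cluster_role_bindings_api_response.json"
kubectl get daemonset -o json -n "$NAMESPACE" > "$TEST_DATA_DIRECTORY/cluster/daemon_sets_api_response.json"
kubectl get statefulset -o json -n "$NAMESPACE" > "$TEST_DATA_DIRECTORY/cluster/stateful_sets_api_response.json"
kubectl get deployment -o json -n "$NAMESPACE" > "$TEST_DATA_DIRECTORY/cluster/deployments_api_response.json"
kubectl get networkpolicy -o json -n "$NAMESPACE" > "$TEST_DATA_DIRECTORY/cluster/network_policies_api_response.json"
kubectl get hpa -o json -n "$NAMESPACE" > "$TEST_DATA_DIRECTORY/cluster/horizontal_pod_autoscaler_api_response.json"
kubectl get storageclass -o json > "$TEST_DATA_DIRECTORY/cluster/storage_classes_api_response.json"

# Force-delete the namespace, then strip its finalizer so a namespace stuck
# in Terminating does not block the next run. The namespace may already be
# gone by the time the finalize call runs, hence `|| true`.
kubectl delete namespace "$NAMESPACE" --force
kubectl get namespace "$NAMESPACE" -o json | jq 'del(.spec.finalizers[0])' | kubectl replace --raw "/api/v1/namespaces/$NAMESPACE/finalize" -f - || true
--------------------------------------------------------------------------------
/tests/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/hardeneks/ca456aa456adfd24d241da9d6f1a4a9cf32f8660/tests/__init__.py
--------------------------------------------------------------------------------
/tests/data/avoid_running_singleton_pods/bad.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Pod
metadata:
  namespace: test-namespace
  name: bad
spec:
  containers:
  - name: nginx
    image: nginx:1.14.2
    ports:
    - containerPort: 80
--------------------------------------------------------------------------------
/tests/data/avoid_running_singleton_pods/cluster/daemon_sets_api_response.json:
--------------------------------------------------------------------------------
{
    "apiVersion": "v1",
    "items": [],
    "kind": "List",
    "metadata": {
        "resourceVersion": ""
    }
}
--------------------------------------------------------------------------------
/tests/data/avoid_running_singleton_pods/cluster/horizontal_pod_autoscaler_api_response.json: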
-------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/avoid_running_singleton_pods/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/avoid_running_singleton_pods/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/avoid_running_singleton_pods/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/avoid_running_singleton_pods/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/avoid_running_singleton_pods/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | 
"metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/avoid_running_singleton_pods/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/avoid_running_singleton_pods/good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | namespace: test-namespace 5 | name: good-deployment 6 | labels: 7 | app: good 8 | spec: 9 | replicas: 3 10 | selector: 11 | matchLabels: 12 | app: good 13 | template: 14 | metadata: 15 | labels: 16 | app: good 17 | spec: 18 | containers: 19 | - name: nginx 20 | image: nginx:1.14.2 21 | ports: 22 | - containerPort: 80 -------------------------------------------------------------------------------- /tests/data/check_access_to_instance_profile/instance_metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Reservations": [ 3 | { 4 | "Groups": [], 5 | "Instances": [ 6 | { 7 | "InstanceId": "foo", 8 | "MetadataOptions": { 9 | "State": "applied", 10 | "HttpTokens": "optional", 11 | "HttpPutResponseHopLimit": 2, 12 | "HttpEndpoint": "enabled", 13 | "HttpProtocolIpv6": "disabled", 14 | "InstanceMetadataTags": "disabled" 15 | } 16 | } 17 | ] 18 | }, 19 | { 20 | "Groups": [], 21 | "Instances": [ 22 | { 23 | "InstanceId": "baz", 24 | "MetadataOptions": { 25 | "State": "applied", 26 | "HttpTokens": "optional", 27 | "HttpPutResponseHopLimit": 2, 28 | "HttpEndpoint": "enabled", 29 | "HttpProtocolIpv6": "disabled", 30 | "InstanceMetadataTags": "disabled" 31 | } 32 | } 33 | ] 34 | } 35 | ] 36 | } 
-------------------------------------------------------------------------------- /tests/data/check_any_cluster_autoscaler_exists/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_any_cluster_autoscaler_exists/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_any_cluster_autoscaler_exists/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_any_cluster_autoscaler_exists/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_any_cluster_autoscaler_exists/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- 
/tests/data/check_any_cluster_autoscaler_exists/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [ 4 | { 5 | "apiVersion": "rbac.authorization.k8s.io/v1", 6 | "kind": "Role", 7 | "metadata": { 8 | "annotations": { 9 | "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"rbac.authorization.k8s.io/v1\",\"kind\":\"Role\",\"metadata\":{\"annotations\":{},\"name\":\"restrict-wildcard-for-roles\",\"namespace\":\"test-namespace\"},\"rules\":[{\"apiGroups\":[\"\"],\"resources\":[\"*\"],\"verbs\":[\"*\"]}]}\n" 10 | }, 11 | "creationTimestamp": "2022-12-13T16:52:57Z", 12 | "name": "restrict-wildcard-for-roles", 13 | "namespace": "test-namespace", 14 | "resourceVersion": "15138800", 15 | "uid": "cb4b4100-3d38-468e-b042-5fecb1147af8" 16 | }, 17 | "rules": [ 18 | { 19 | "apiGroups": [ 20 | "" 21 | ], 22 | "resources": [ 23 | "*" 24 | ], 25 | "verbs": [ 26 | "*" 27 | ] 28 | } 29 | ] 30 | }, 31 | { 32 | "apiVersion": "rbac.authorization.k8s.io/v1", 33 | "kind": "Role", 34 | "metadata": { 35 | "annotations": { 36 | "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"rbac.authorization.k8s.io/v1\",\"kind\":\"Role\",\"metadata\":{\"annotations\":{},\"name\":\"restrict_wildcard_for_roles\",\"namespace\":\"test-namespace\"},\"rules\":[{\"apiGroups\":[\"\"],\"resources\":[\"*\"],\"verbs\":[\"*\"]}]}\n" 37 | }, 38 | "creationTimestamp": "2022-12-13T16:51:28Z", 39 | "name": "restrict_wildcard_for_roles", 40 | "namespace": "test-namespace", 41 | "resourceVersion": "15138463", 42 | "uid": "0f0de429-03db-4de0-9bc3-4322ef072637" 43 | }, 44 | "rules": [ 45 | { 46 | "apiGroups": [ 47 | "" 48 | ], 49 | "resources": [ 50 | "*" 51 | ], 52 | "verbs": [ 53 | "*" 54 | ] 55 | } 56 | ] 57 | } 58 | ], 59 | "kind": "List", 60 | "metadata": { 61 | "resourceVersion": "" 62 | } 63 | } 64 | 
-------------------------------------------------------------------------------- /tests/data/check_any_cluster_autoscaler_exists/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_any_cluster_autoscaler_exists/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_aws_node_daemonset_service_account/service_accounts_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "kind": "ServiceAccount", 4 | "metadata": { 5 | "annotations": { 6 | "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"ServiceAccount\",\"metadata\":{\"annotations\":{},\"labels\":{\"app.kubernetes.io/instance\":\"aws-vpc-cni\",\"app.kubernetes.io/name\":\"aws-node\",\"app.kubernetes.io/version\":\"v1.11.4\",\"k8s-app\":\"aws-node\"},\"name\":\"aws-node\",\"namespace\":\"kube-system\"}}\n" 7 | }, 8 | "creationTimestamp": "2023-04-14T12:17:01Z", 9 | "labels": { 10 | "app.kubernetes.io/instance": "aws-vpc-cni", 11 | "app.kubernetes.io/name": "aws-node", 12 | "app.kubernetes.io/version": "v1.11.4", 13 | "k8s-app": "aws-node" 14 | }, 15 | "name": "aws-node", 16 | "namespace": "kube-system", 17 | "resourceVersion": "3691", 18 | "uid": "122cc1c7-ba3b-4133-9b7a-b847398cf11b" 19 | } 20 | } 21 | -------------------------------------------------------------------------------- 
/tests/data/check_awspca_exists/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_awspca_exists/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_awspca_exists/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_awspca_exists/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_awspca_exists/cluster/pods_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_awspca_exists/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 
| "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_awspca_exists/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_awspca_exists/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_awspca_exists/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_default_deny_policy_exists/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_default_deny_policy_exists/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- 
/tests/data/check_default_deny_policy_exists/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_default_deny_policy_exists/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_default_deny_policy_exists/cluster/pods_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_default_deny_policy_exists/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_default_deny_policy_exists/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_default_deny_policy_exists/cluster/roles_api_response.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_default_deny_policy_exists/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_default_deny_policy_exists/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_horizontal_pod_autoscaling_exists/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: bad 5 | namespace: test-namespace 6 | labels: 7 | app: nginx 8 | spec: 9 | replicas: 3 10 | selector: 11 | matchLabels: 12 | app: nginx 13 | template: 14 | metadata: 15 | labels: 16 | app: nginx 17 | spec: 18 | containers: 19 | - name: nginx 20 | image: nginx:1.14.2 21 | ports: 22 | - containerPort: 80 -------------------------------------------------------------------------------- /tests/data/check_horizontal_pod_autoscaling_exists/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | 
-------------------------------------------------------------------------------- /tests/data/check_horizontal_pod_autoscaling_exists/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [ 4 | { 5 | "apiVersion": "autoscaling/v1", 6 | "kind": "HorizontalPodAutoscaler", 7 | "metadata": { 8 | "annotations": { 9 | "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"autoscaling/v1\",\"kind\":\"HorizontalPodAutoscaler\",\"metadata\":{\"annotations\":{},\"name\":\"good\",\"namespace\":\"test-namespace\"},\"spec\":{\"maxReplicas\":10,\"minReplicas\":1,\"scaleTargetRef\":{\"apiVersion\":\"apps/v1\",\"kind\":\"Deployment\",\"name\":\"good\"},\"targetCPUUtilizationPercentage\":50}}\n" 10 | }, 11 | "creationTimestamp": "2022-11-22T20:09:18Z", 12 | "name": "good", 13 | "namespace": "test-namespace", 14 | "resourceVersion": "9744566", 15 | "uid": "3438f3ac-a329-4c3a-9deb-004d7df71925" 16 | }, 17 | "spec": { 18 | "maxReplicas": 10, 19 | "minReplicas": 1, 20 | "scaleTargetRef": { 21 | "apiVersion": "apps/v1", 22 | "kind": "Deployment", 23 | "name": "good" 24 | }, 25 | "targetCPUUtilizationPercentage": 50 26 | }, 27 | "status": { 28 | "currentReplicas": 0, 29 | "desiredReplicas": 0 30 | } 31 | } 32 | ], 33 | "kind": "List", 34 | "metadata": { 35 | "resourceVersion": "" 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /tests/data/check_horizontal_pod_autoscaling_exists/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_horizontal_pod_autoscaling_exists/cluster/resource_quotas_api_response.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_horizontal_pod_autoscaling_exists/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_horizontal_pod_autoscaling_exists/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_horizontal_pod_autoscaling_exists/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_horizontal_pod_autoscaling_exists/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_horizontal_pod_autoscaling_exists/good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | 
metadata: 4 | name: good 5 | namespace: test-namespace 6 | labels: 7 | app: nginx 8 | spec: 9 | replicas: 3 10 | selector: 11 | matchLabels: 12 | app: nginx 13 | template: 14 | metadata: 15 | labels: 16 | app: nginx 17 | spec: 18 | containers: 19 | - name: nginx 20 | image: nginx:1.14.2 21 | ports: 22 | - containerPort: 80 23 | --- 24 | apiVersion: autoscaling/v1 25 | kind: HorizontalPodAutoscaler 26 | metadata: 27 | name: good 28 | namespace: test-namespace 29 | spec: 30 | scaleTargetRef: 31 | apiVersion: apps/v1 32 | kind: Deployment 33 | name: good 34 | minReplicas: 1 35 | maxReplicas: 10 36 | targetCPUUtilizationPercentage: 50 -------------------------------------------------------------------------------- /tests/data/check_liveness_probes/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | namespace: test-namespace 5 | name: bad 6 | spec: 7 | containers: 8 | - name: liveness 9 | image: registry.k8s.io/busybox 10 | args: 11 | - /bin/sh 12 | - -c 13 | - touch /tmp/healthy; sleep 30; rm -f /tmp/healthy; sleep 600 -------------------------------------------------------------------------------- /tests/data/check_liveness_probes/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_liveness_probes/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [ 4 | { 5 | "apiVersion": "autoscaling/v1", 6 | "kind": "HorizontalPodAutoscaler", 7 | "metadata": { 8 | "annotations": { 9 | "autoscaling.alpha.kubernetes.io/conditions": 
"[{\"type\":\"AbleToScale\",\"status\":\"True\",\"lastTransitionTime\":\"2022-11-23T13:36:08Z\",\"reason\":\"SucceededGetScale\",\"message\":\"the HPA controller was able to get the target's current scale\"},{\"type\":\"ScalingActive\",\"status\":\"False\",\"lastTransitionTime\":\"2022-11-23T13:36:08Z\",\"reason\":\"FailedGetResourceMetric\",\"message\":\"the HPA was unable to compute the replica count: failed to get cpu utilization: unable to get metrics for resource cpu: unable to fetch metrics from resource metrics API: the server is currently unable to handle the request (get pods.metrics.k8s.io)\"}]", 10 | "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"autoscaling/v1\",\"kind\":\"HorizontalPodAutoscaler\",\"metadata\":{\"annotations\":{},\"name\":\"good\",\"namespace\":\"test-namespace\"},\"spec\":{\"maxReplicas\":10,\"minReplicas\":1,\"scaleTargetRef\":{\"apiVersion\":\"apps/v1\",\"kind\":\"Deployment\",\"name\":\"good\"},\"targetCPUUtilizationPercentage\":50}}\n" 11 | }, 12 | "creationTimestamp": "2022-11-22T20:09:18Z", 13 | "name": "good", 14 | "namespace": "test-namespace", 15 | "resourceVersion": "9932460", 16 | "uid": "3438f3ac-a329-4c3a-9deb-004d7df71925" 17 | }, 18 | "spec": { 19 | "maxReplicas": 10, 20 | "minReplicas": 1, 21 | "scaleTargetRef": { 22 | "apiVersion": "apps/v1", 23 | "kind": "Deployment", 24 | "name": "good" 25 | }, 26 | "targetCPUUtilizationPercentage": 50 27 | }, 28 | "status": { 29 | "currentReplicas": 3, 30 | "desiredReplicas": 0 31 | } 32 | } 33 | ], 34 | "kind": "List", 35 | "metadata": { 36 | "resourceVersion": "" 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /tests/data/check_liveness_probes/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | 
-------------------------------------------------------------------------------- /tests/data/check_liveness_probes/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_liveness_probes/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_liveness_probes/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_liveness_probes/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_liveness_probes/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_liveness_probes/good.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | namespace: test-namespace 5 | name: good 6 | spec: 7 | containers: 8 | - name: liveness 9 | image: registry.k8s.io/busybox 10 | args: 11 | - /bin/sh 12 | - -c 13 | - touch /tmp/healthy; sleep 30; rm -f /tmp/healthy; sleep 600 14 | livenessProbe: 15 | exec: 16 | command: 17 | - cat 18 | - /tmp/healthy 19 | initialDelaySeconds: 5 20 | periodSeconds: 5 -------------------------------------------------------------------------------- /tests/data/check_logs_are_enabled/cluster_metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "cluster": { 3 | "logging": { 4 | "clusterLogging": [ 5 | { 6 | "types": [ 7 | "api", 8 | "audit", 9 | "authenticator", 10 | "controllerManager", 11 | "scheduler" 12 | ], 13 | "enabled": false 14 | } 15 | ] 16 | } 17 | } 18 | } -------------------------------------------------------------------------------- /tests/data/check_metrics_server_is_running/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_metrics_server_is_running/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_metrics_server_is_running/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | 
"kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_metrics_server_is_running/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_metrics_server_is_running/cluster/pods_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_metrics_server_is_running/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_metrics_server_is_running/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_metrics_server_is_running/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | 
-------------------------------------------------------------------------------- /tests/data/check_metrics_server_is_running/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_metrics_server_is_running/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_read_only_root_file_system/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | namespace: test-namespace 5 | name: bad 6 | spec: 7 | containers: 8 | - name: nginx 9 | securityContext: 10 | readOnlyRootFilesystem: false 11 | image: nginx:1.14.2 12 | ports: 13 | - containerPort: 80 -------------------------------------------------------------------------------- /tests/data/check_read_only_root_file_system/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_read_only_root_file_system/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | 
-------------------------------------------------------------------------------- /tests/data/check_read_only_root_file_system/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_read_only_root_file_system/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_read_only_root_file_system/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_read_only_root_file_system/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_read_only_root_file_system/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- 
/tests/data/check_read_only_root_file_system/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_read_only_root_file_system/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_read_only_root_file_system/good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | namespace: test-namespace 5 | name: good 6 | spec: 7 | containers: 8 | - name: nginx 9 | securityContext: 10 | readOnlyRootFilesystem: true 11 | image: nginx:1.14.2 12 | ports: 13 | - containerPort: 80 -------------------------------------------------------------------------------- /tests/data/check_readiness_probes/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: bad 5 | namespace: test-namespace 6 | spec: 7 | containers: 8 | - name: goproxy 9 | image: registry.k8s.io/goproxy:0.1 10 | ports: 11 | - containerPort: 8080 -------------------------------------------------------------------------------- /tests/data/check_readiness_probes/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | 
-------------------------------------------------------------------------------- /tests/data/check_readiness_probes/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_readiness_probes/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_readiness_probes/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_readiness_probes/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_readiness_probes/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_readiness_probes/cluster/roles_api_response.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_readiness_probes/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_readiness_probes/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_readiness_probes/good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: good 5 | namespace: test-namespace 6 | spec: 7 | containers: 8 | - name: goproxy 9 | image: registry.k8s.io/goproxy:0.1 10 | ports: 11 | - containerPort: 8080 12 | readinessProbe: 13 | tcpSocket: 14 | port: 8080 15 | initialDelaySeconds: 5 16 | periodSeconds: 10 17 | livenessProbe: 18 | tcpSocket: 19 | port: 8080 20 | initialDelaySeconds: 15 21 | periodSeconds: 20 -------------------------------------------------------------------------------- /tests/data/check_vertical_pod_autoscaler_exists/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | 
-------------------------------------------------------------------------------- /tests/data/check_vertical_pod_autoscaler_exists/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_vertical_pod_autoscaler_exists/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_vertical_pod_autoscaler_exists/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_vertical_pod_autoscaler_exists/cluster/pods_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_vertical_pod_autoscaler_exists/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- 
/tests/data/check_vertical_pod_autoscaler_exists/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_vertical_pod_autoscaler_exists/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_vertical_pod_autoscaler_exists/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/check_vertical_pod_autoscaler_exists/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_anonymous_access_for_cluster_roles/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: bad 5 | rules: 6 | - apiGroups: [""] 7 | resources: ["pods"] 8 | verbs: ["get", "watch", "list"] 9 | --- 10 | apiVersion: rbac.authorization.k8s.io/v1 11 | kind: ClusterRoleBinding 12 | metadata: 13 | name: bad 14 | subjects: 15 | - kind: Group 16 | name: 
system:unauthenticated 17 | apiGroup: rbac.authorization.k8s.io 18 | - kind: Group 19 | name: system:anonymous 20 | apiGroup: rbac.authorization.k8s.io 21 | roleRef: 22 | kind: ClusterRole 23 | name: bad 24 | apiGroup: rbac.authorization.k8s.io -------------------------------------------------------------------------------- /tests/data/disable_anonymous_access_for_cluster_roles/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_anonymous_access_for_cluster_roles/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_anonymous_access_for_cluster_roles/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_anonymous_access_for_cluster_roles/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_anonymous_access_for_cluster_roles/cluster/pods_api_response.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_anonymous_access_for_cluster_roles/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_anonymous_access_for_cluster_roles/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_anonymous_access_for_cluster_roles/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_anonymous_access_for_cluster_roles/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_anonymous_access_for_cluster_roles/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | 
{ 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_anonymous_access_for_cluster_roles/good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: good 5 | rules: 6 | - apiGroups: [""] 7 | resources: ["pods"] 8 | verbs: ["get", "watch", "list"] 9 | --- 10 | apiVersion: rbac.authorization.k8s.io/v1 11 | kind: ClusterRoleBinding 12 | metadata: 13 | name: good 14 | roleRef: 15 | kind: ClusterRole 16 | name: good 17 | apiGroup: rbac.authorization.k8s.io -------------------------------------------------------------------------------- /tests/data/disable_anonymous_access_for_roles/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: Role 3 | metadata: 4 | namespace: test-namespace 5 | name: bad 6 | rules: 7 | - apiGroups: [""] 8 | resources: ["pods"] 9 | verbs: ["get", "watch", "list"] 10 | --- 11 | apiVersion: rbac.authorization.k8s.io/v1 12 | kind: RoleBinding 13 | metadata: 14 | name: bad 15 | namespace: test-namespace 16 | subjects: 17 | - kind: Group 18 | name: system:unauthenticated 19 | apiGroup: rbac.authorization.k8s.io 20 | - kind: Group 21 | name: system:anonymous 22 | apiGroup: rbac.authorization.k8s.io 23 | roleRef: 24 | kind: Role 25 | name: bad 26 | apiGroup: rbac.authorization.k8s.io -------------------------------------------------------------------------------- /tests/data/disable_anonymous_access_for_roles/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | 
-------------------------------------------------------------------------------- /tests/data/disable_anonymous_access_for_roles/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_anonymous_access_for_roles/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_anonymous_access_for_roles/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_anonymous_access_for_roles/cluster/pods_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_anonymous_access_for_roles/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- 
/tests/data/disable_anonymous_access_for_roles/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [ 4 | { 5 | "apiVersion": "rbac.authorization.k8s.io/v1", 6 | "kind": "Role", 7 | "metadata": { 8 | "annotations": { 9 | "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"rbac.authorization.k8s.io/v1\",\"kind\":\"Role\",\"metadata\":{\"annotations\":{},\"name\":\"bad\",\"namespace\":\"test-namespace\"},\"rules\":[{\"apiGroups\":[\"\"],\"resources\":[\"pods\"],\"verbs\":[\"get\",\"watch\",\"list\"]}]}\n" 10 | }, 11 | "creationTimestamp": "2022-11-11T14:13:57Z", 12 | "name": "bad", 13 | "namespace": "test-namespace", 14 | "resourceVersion": "6925453", 15 | "uid": "4e1786e5-8aa2-400e-9e1d-7d41539ca7b9" 16 | }, 17 | "rules": [ 18 | { 19 | "apiGroups": [ 20 | "" 21 | ], 22 | "resources": [ 23 | "pods" 24 | ], 25 | "verbs": [ 26 | "get", 27 | "watch", 28 | "list" 29 | ] 30 | } 31 | ] 32 | }, 33 | { 34 | "apiVersion": "rbac.authorization.k8s.io/v1", 35 | "kind": "Role", 36 | "metadata": { 37 | "annotations": { 38 | "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"rbac.authorization.k8s.io/v1\",\"kind\":\"Role\",\"metadata\":{\"annotations\":{},\"name\":\"good\",\"namespace\":\"test-namespace\"},\"rules\":[{\"apiGroups\":[\"\"],\"resources\":[\"pods\"],\"verbs\":[\"get\",\"watch\",\"list\"]}]}\n" 39 | }, 40 | "creationTimestamp": "2022-11-11T14:13:56Z", 41 | "name": "good", 42 | "namespace": "test-namespace", 43 | "resourceVersion": "6925451", 44 | "uid": "a30042a5-4d0a-469c-9c73-292c3fc37ae1" 45 | }, 46 | "rules": [ 47 | { 48 | "apiGroups": [ 49 | "" 50 | ], 51 | "resources": [ 52 | "pods" 53 | ], 54 | "verbs": [ 55 | "get", 56 | "watch", 57 | "list" 58 | ] 59 | } 60 | ] 61 | } 62 | ], 63 | "kind": "List", 64 | "metadata": { 65 | "resourceVersion": "" 66 | } 67 | } 68 | 
-------------------------------------------------------------------------------- /tests/data/disable_anonymous_access_for_roles/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_anonymous_access_for_roles/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_anonymous_access_for_roles/good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: Role 3 | metadata: 4 | namespace: test-namespace 5 | name: good 6 | rules: 7 | - apiGroups: [""] 8 | resources: ["pods"] 9 | verbs: ["get", "watch", "list"] 10 | --- 11 | apiVersion: rbac.authorization.k8s.io/v1 12 | kind: RoleBinding 13 | metadata: 14 | name: good 15 | namespace: test-namespace 16 | subjects: 17 | roleRef: 18 | kind: Role 19 | name: good 20 | apiGroup: rbac.authorization.k8s.io -------------------------------------------------------------------------------- /tests/data/disable_run_as_root_user/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | namespace: test-namespace 5 | name: bad 6 | spec: 7 | containers: 8 | - name: nginx 9 | image: nginx:1.14.2 10 | ports: 11 | - containerPort: 80 -------------------------------------------------------------------------------- /tests/data/disable_run_as_root_user/cluster/daemon_sets_api_response.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_run_as_root_user/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_run_as_root_user/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_run_as_root_user/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_run_as_root_user/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_run_as_root_user/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 
| "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_run_as_root_user/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_run_as_root_user/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_run_as_root_user/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_run_as_root_user/good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | namespace: test-namespace 5 | name: good 6 | spec: 7 | securityContext: 8 | runAsUser: 1000 9 | runAsGroup: 3000 10 | containers: 11 | - name: sec-ctx-demo 12 | image: busybox 13 | command: [ "sh", "-c", "sleep 1h" ] -------------------------------------------------------------------------------- /tests/data/disable_run_as_root_user_container/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | namespace: test-namespace 5 | name: bad 6 | spec: 7 | containers: 8 | - name: sec-ctx-demo 9 | image: 
busybox 10 | command: [ "sh", "-c", "sleep 1h" ] 11 | securityContext: 12 | runAsUser: 1000 13 | runAsGroup: 3000 14 | - name: sec-ctx-demo-2 15 | image: busybox 16 | command: [ "sh", "-c", "sleep 1h" ] -------------------------------------------------------------------------------- /tests/data/disable_run_as_root_user_container/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_run_as_root_user_container/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_run_as_root_user_container/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_run_as_root_user_container/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_run_as_root_user_container/cluster/persistent_volumes_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | 
"apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_run_as_root_user_container/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_run_as_root_user_container/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_run_as_root_user_container/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_run_as_root_user_container/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_run_as_root_user_container/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | 
-------------------------------------------------------------------------------- /tests/data/disable_run_as_root_user_container/cluster/storage_classes_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [ 4 | { 5 | "apiVersion": "storage.k8s.io/v1", 6 | "kind": "StorageClass", 7 | "metadata": { 8 | "annotations": { 9 | "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"storage.k8s.io/v1\",\"kind\":\"StorageClass\",\"metadata\":{\"annotations\":{\"storageclass.kubernetes.io/is-default-class\":\"true\"},\"name\":\"gp2\"},\"parameters\":{\"fsType\":\"ext4\",\"type\":\"gp2\"},\"provisioner\":\"kubernetes.io/aws-ebs\",\"volumeBindingMode\":\"WaitForFirstConsumer\"}\n", 10 | "storageclass.kubernetes.io/is-default-class": "true" 11 | }, 12 | "creationTimestamp": "2023-09-11T19:26:20Z", 13 | "name": "gp2", 14 | "resourceVersion": "301", 15 | "uid": "949fdd2a-508e-407f-a36e-ade29b1ad0ea" 16 | }, 17 | "parameters": { 18 | "fsType": "ext4", 19 | "type": "gp2" 20 | }, 21 | "provisioner": "kubernetes.io/aws-ebs", 22 | "reclaimPolicy": "Delete", 23 | "volumeBindingMode": "WaitForFirstConsumer" 24 | } 25 | ], 26 | "kind": "List", 27 | "metadata": { 28 | "resourceVersion": "" 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /tests/data/disable_run_as_root_user_container/good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | namespace: test-namespace 5 | name: good 6 | spec: 7 | containers: 8 | - name: sec-ctx-demo 9 | image: busybox 10 | command: [ "sh", "-c", "sleep 1h" ] 11 | securityContext: 12 | runAsUser: 1000 13 | runAsGroup: 3000 -------------------------------------------------------------------------------- /tests/data/disable_service_account_token_mounts/bad.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | namespace: test-namespace 5 | name: bad 6 | spec: 7 | automountServiceAccountToken: true 8 | containers: 9 | - name: nginx 10 | image: nginx:1.14.2 11 | ports: 12 | - containerPort: 80 -------------------------------------------------------------------------------- /tests/data/disable_service_account_token_mounts/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_service_account_token_mounts/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_service_account_token_mounts/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_service_account_token_mounts/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- 
/tests/data/disable_service_account_token_mounts/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_service_account_token_mounts/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_service_account_token_mounts/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_service_account_token_mounts/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_service_account_token_mounts/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disable_service_account_token_mounts/good.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | namespace: test-namespace 5 | name: good 6 | spec: 7 | automountServiceAccountToken: false 8 | containers: 9 | - name: nginx 10 | image: nginx:1.14.2 11 | ports: 12 | - containerPort: 80 -------------------------------------------------------------------------------- /tests/data/disallow_container_socket_mount/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | namespace: test-namespace 5 | name: bad 6 | spec: 7 | automountServiceAccountToken: true 8 | containers: 9 | - name: nginx 10 | image: nginx:1.14.2 11 | ports: 12 | - containerPort: 80 13 | volumeMounts: 14 | - mountPath: /var/run/docker.sock 15 | name: docker-socket-volume 16 | volumes: 17 | - name: docker-socket-volume 18 | hostPath: 19 | path: /var/run/docker.sock 20 | type: File -------------------------------------------------------------------------------- /tests/data/disallow_container_socket_mount/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_container_socket_mount/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_container_socket_mount/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": 
"v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_container_socket_mount/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_container_socket_mount/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_container_socket_mount/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_container_socket_mount/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_container_socket_mount/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | 
-------------------------------------------------------------------------------- /tests/data/disallow_container_socket_mount/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_host_path_or_make_it_read_only/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | namespace: test-namespace 5 | name: bad 6 | spec: 7 | volumes: 8 | - name: task-pv-storage 9 | hostPath: 10 | path: /home/ 11 | type: Directory 12 | containers: 13 | - name: nginx 14 | image: nginx:1.14.2 15 | ports: 16 | - containerPort: 80 17 | volumeMounts: 18 | - name: task-pv-storage 19 | mountPath: /mnt/sample -------------------------------------------------------------------------------- /tests/data/disallow_host_path_or_make_it_read_only/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_host_path_or_make_it_read_only/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_host_path_or_make_it_read_only/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 
2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_host_path_or_make_it_read_only/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_host_path_or_make_it_read_only/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_host_path_or_make_it_read_only/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_host_path_or_make_it_read_only/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_host_path_or_make_it_read_only/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | 
"resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_host_path_or_make_it_read_only/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_linux_capabilities/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | namespace: test-namespace 5 | name: bad 6 | spec: 7 | containers: 8 | - name: sec-ctx-4 9 | image: gcr.io/google-samples/node-hello:1.0 10 | securityContext: 11 | capabilities: 12 | add: ["NET_ADMIN", "SYS_TIME"] -------------------------------------------------------------------------------- /tests/data/disallow_linux_capabilities/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_linux_capabilities/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_linux_capabilities/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 
| } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_linux_capabilities/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_linux_capabilities/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_linux_capabilities/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_linux_capabilities/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_linux_capabilities/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- 
/tests/data/disallow_linux_capabilities/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_linux_capabilities/good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | namespace: test-namespace 5 | name: good 6 | spec: 7 | containers: 8 | - name: sec-ctx-4 9 | image: gcr.io/google-samples/node-hello:1.0 10 | securityContext: 11 | capabilities: 12 | add: ["KILL", "SETFCAP"] -------------------------------------------------------------------------------- /tests/data/disallow_privilege_escalation/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | namespace: test-namespace 5 | name: bad 6 | spec: 7 | containers: 8 | - name: nginx 9 | image: nginx:1.14.2 10 | securityContext: 11 | allowPrivilegeEscalation: true 12 | ports: 13 | - containerPort: 80 -------------------------------------------------------------------------------- /tests/data/disallow_privilege_escalation/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_privilege_escalation/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | 
-------------------------------------------------------------------------------- /tests/data/disallow_privilege_escalation/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_privilege_escalation/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_privilege_escalation/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_privilege_escalation/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_privilege_escalation/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- 
/tests/data/disallow_privilege_escalation/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_privilege_escalation/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_privilege_escalation/good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | namespace: test-namespace 5 | name: good 6 | spec: 7 | containers: 8 | - name: nginx 9 | securityContext: 10 | allowPrivilegeEscalation: false 11 | image: nginx:1.14.2 12 | ports: 13 | - containerPort: 80 -------------------------------------------------------------------------------- /tests/data/disallow_secrets_from_env_vars/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: bad 5 | namespace: test-namespace 6 | spec: 7 | containers: 8 | - name: test-container 9 | image: registry.k8s.io/busybox 10 | command: [ "/bin/sh", "-c", "env" ] 11 | env: 12 | - name: SECRET_USERNAME 13 | valueFrom: 14 | secretKeyRef: 15 | name: mysecret 16 | key: username 17 | envFrom: 18 | - secretRef: 19 | name: mysecret 20 | restartPolicy: Never -------------------------------------------------------------------------------- /tests/data/disallow_secrets_from_env_vars/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 
1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_secrets_from_env_vars/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_secrets_from_env_vars/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_secrets_from_env_vars/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_secrets_from_env_vars/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_secrets_from_env_vars/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 
| } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_secrets_from_env_vars/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_secrets_from_env_vars/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_secrets_from_env_vars/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/disallow_secrets_from_env_vars/good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | namespace: test-namespace 5 | name: good 6 | spec: 7 | containers: 8 | - name: nginx 9 | image: nginx:1.14.2 10 | ports: 11 | - containerPort: 80 -------------------------------------------------------------------------------- /tests/data/employ_least_privileged_access_cluster_autoscaler_role/cluster/service_accounts_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "automountServiceAccountToken": true, 4 | "kind": "ServiceAccount", 5 | "metadata": { 6 | "annotations": { 7 | "eks.amazonaws.com/role-arn": 
"arn:aws:iam::foo:role/eksdemo.eks-bp-cli.kube-system.cluster-autoscaler", 8 | "meta.helm.sh/release-name": "autoscaling-cluster-autoscaler", 9 | "meta.helm.sh/release-namespace": "kube-system" 10 | }, 11 | "creationTimestamp": "2023-01-31T15:07:45Z", 12 | "labels": { 13 | "app.kubernetes.io/instance": "autoscaling-cluster-autoscaler", 14 | "app.kubernetes.io/managed-by": "Helm", 15 | "app.kubernetes.io/name": "aws-cluster-autoscaler", 16 | "helm.sh/chart": "cluster-autoscaler-9.21.0" 17 | }, 18 | "name": "cluster-autoscaler", 19 | "namespace": "kube-system", 20 | "resourceVersion": "28819798", 21 | "uid": "bdfc3e88-1a85-4156-8d20-1fe0a0f10530" 22 | }, 23 | "secrets": [ 24 | { 25 | "name": "cluster-autoscaler-token-lqxr5" 26 | } 27 | ] 28 | } 29 | -------------------------------------------------------------------------------- /tests/data/employ_least_privileged_access_cluster_autoscaler_role/get_policy.json: -------------------------------------------------------------------------------- 1 | {"Policy": {"PolicyName": "AutoScalingReadOnlyAccess", "PolicyId": "ANPAIAFWUVLC2LPLSFTFG", "Arn": "arn:aws:iam::aws:policy/AutoScalingReadOnlyAccess", "Path": "/", "DefaultVersionId": "v1", "AttachmentCount": 1, "PermissionsBoundaryUsageCount": 0, "IsAttachable": true, "Description": "Provides read-only access to Auto Scaling. 
"}} -------------------------------------------------------------------------------- /tests/data/employ_least_privileged_access_cluster_autoscaler_role/get_policy_version.json: -------------------------------------------------------------------------------- 1 | {"PolicyVersion": {"Document": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "autoscaling:Describe*", "Resource": "*"}]}, "VersionId": "v1", "IsDefaultVersion": true}} -------------------------------------------------------------------------------- /tests/data/employ_least_privileged_access_cluster_autoscaler_role/get_role_policy.json: -------------------------------------------------------------------------------- 1 | {"RoleName": "eksdemo.eks-bp-cli.kube-system.cluster-autoscaler", "PolicyName": "eksctl-eks-bp-cli-addon-iamserviceaccount-kube-system-cluster-autoscaler-Policy1", "PolicyDocument": {"Version": "2012-10-17", "Statement": [{"Action": ["autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeScalingActivities", "autoscaling:DescribeTags", "ec2:DescribeImages", "ec2:DescribeInstanceTypes", "ec2:DescribeLaunchTemplateVersions", "ec2:GetInstanceTypesFromInstanceRequirements", "eks:DescribeNodegroup"], "Resource": "*", "Effect": "Allow"}, {"Condition": {"StringEquals": {"aws:ResourceTag/k8s.io/cluster-autoscaler/eks-bp-cli": "owned"}}, "Action": ["autoscaling:SetDesiredCapacity", "autoscaling:TerminateInstanceInAutoScalingGroup"], "Resource": "*", "Effect": "Allow"}]}, "ResponseMetadata": {"RequestId": "ab94223a-9971-4639-9b9f-fdb59d250a33", "HTTPStatusCode": 200, "HTTPHeaders": {"x-amzn-requestid": "ab94223a-9971-4639-9b9f-fdb59d250a33", "content-type": "text/xml", "content-length": "1373", "date": "Wed, 01 Feb 2023 20:36:57 GMT"}, "RetryAttempts": 0}} -------------------------------------------------------------------------------- 
/tests/data/employ_least_privileged_access_cluster_autoscaler_role/list_attached_role_policies.json: -------------------------------------------------------------------------------- 1 | {"AttachedPolicies": [{"PolicyName": "AmazonEKS_EFS_CSI_Driver_Policy", "PolicyArn": 2 | "arn:aws:iam:::policy/AmazonEKS_EFS_CSI_Driver_Policy"}]} -------------------------------------------------------------------------------- /tests/data/employ_least_privileged_access_cluster_autoscaler_role/list_role_policies.json: -------------------------------------------------------------------------------- 1 | {"PolicyNames": ["eksctl-eks-bp-cli-addon-iamserviceaccount-kube-system-cluster-autoscaler-Policy1"], "IsTruncated": 2 | false, "ResponseMetadata": {"RequestId": "5e00e43f-e293-4e26-b639-9487df5dc52c", "HTTPStatusCode": 200, 3 | "HTTPHeaders": {"x-amzn-requestid": "5e00e43f-e293-4e26-b639-9487df5dc52c", "content-type": "text/xml", 4 | "content-length": "445", "date": "Thu, 02 Feb 2023 01:28:27 GMT"}, "RetryAttempts": 0}} -------------------------------------------------------------------------------- /tests/data/ensure_namespace_psa_exist/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: bad -------------------------------------------------------------------------------- /tests/data/ensure_namespace_psa_exist/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/ensure_namespace_psa_exist/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | 
"resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/ensure_namespace_psa_exist/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/ensure_namespace_psa_exist/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/ensure_namespace_psa_exist/cluster/pods_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/ensure_namespace_psa_exist/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/ensure_namespace_psa_exist/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- 
/tests/data/ensure_namespace_psa_exist/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/ensure_namespace_psa_exist/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/ensure_namespace_psa_exist/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/ensure_namespace_psa_exist/good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: good 5 | labels: 6 | pod-security.kubernetes.io/enforce: restricted 7 | pod-security.kubernetes.io/warn: restricted -------------------------------------------------------------------------------- /tests/data/ensure_namespace_quotas_exist/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: bad -------------------------------------------------------------------------------- /tests/data/ensure_namespace_quotas_exist/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | 
"metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/ensure_namespace_quotas_exist/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/ensure_namespace_quotas_exist/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/ensure_namespace_quotas_exist/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/ensure_namespace_quotas_exist/cluster/pods_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/ensure_namespace_quotas_exist/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [ 4 | { 5 | "apiVersion": "v1", 6 | "kind": "ResourceQuota", 7 | "metadata": { 8 | "annotations": { 9 | "kubectl.kubernetes.io/last-applied-configuration": 
"{\"apiVersion\":\"v1\",\"kind\":\"ResourceQuota\",\"metadata\":{\"annotations\":{},\"name\":\"good\",\"namespace\":\"good\"},\"spec\":{\"hard\":{\"limits.cpu\":\"2\",\"limits.memory\":\"2Gi\",\"requests.cpu\":\"1\",\"requests.memory\":\"1Gi\"}}}\n" 10 | }, 11 | "creationTimestamp": "2022-11-16T16:29:46Z", 12 | "name": "good", 13 | "namespace": "good", 14 | "resourceVersion": "8158446", 15 | "uid": "30c7d400-d976-4f95-96e9-f1e1f32de123" 16 | }, 17 | "spec": { 18 | "hard": { 19 | "limits.cpu": "2", 20 | "limits.memory": "2Gi", 21 | "requests.cpu": "1", 22 | "requests.memory": "1Gi" 23 | } 24 | }, 25 | "status": { 26 | "hard": { 27 | "limits.cpu": "2", 28 | "limits.memory": "2Gi", 29 | "requests.cpu": "1", 30 | "requests.memory": "1Gi" 31 | }, 32 | "used": { 33 | "limits.cpu": "0", 34 | "limits.memory": "0", 35 | "requests.cpu": "0", 36 | "requests.memory": "0" 37 | } 38 | } 39 | } 40 | ], 41 | "kind": "List", 42 | "metadata": { 43 | "resourceVersion": "" 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /tests/data/ensure_namespace_quotas_exist/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/ensure_namespace_quotas_exist/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/ensure_namespace_quotas_exist/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | 
"items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/ensure_namespace_quotas_exist/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/ensure_namespace_quotas_exist/good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: good 5 | --- 6 | apiVersion: v1 7 | kind: ResourceQuota 8 | metadata: 9 | name: good 10 | namespace: good 11 | spec: 12 | hard: 13 | requests.cpu: "1" 14 | requests.memory: 1Gi 15 | limits.cpu: "2" 16 | limits.memory: 2Gi -------------------------------------------------------------------------------- /tests/data/make_sure_inspector_is_enabled/inspector_status.json: -------------------------------------------------------------------------------- 1 | { 2 | "ResponseMetadata": { 3 | "RequestId": "c894ca13-7bde-41a6-a6d3-c4b567a95506", 4 | "HTTPStatusCode": 200, 5 | "HTTPHeaders": { 6 | "date": "Mon, 28 Nov 2022 04:42:24 GMT", 7 | "content-type": "application/json", 8 | "content-length": "195", 9 | "connection": "keep-alive", 10 | "x-amzn-requestid": "c894ca13-7bde-41a6-a6d3-c4b567a95506", 11 | "x-amz-apigw-id": "cS5XkFJzPHcF0qA=", 12 | "x-amzn-trace-id": "Root=1-63843c30-7846a7b361b2604103a76200" 13 | }, 14 | "RetryAttempts": 0 15 | }, 16 | "accounts": [ 17 | { 18 | "accountId": "foo", 19 | "resourceState": { 20 | "ec2": { 21 | "status": "DISABLED" 22 | }, 23 | "ecr": { 24 | "status": "DISABLED" 25 | } 26 | }, 27 | "state": { 28 | "status": "DISABLED" 29 | } 30 | } 31 | ], 32 | "failedAccounts": [] 33 | } 
-------------------------------------------------------------------------------- /tests/data/restrict_wildcard_for_cluster_roles/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: bad 5 | rules: 6 | - apiGroups: [""] 7 | resources: ["*"] 8 | verbs: ["*"] -------------------------------------------------------------------------------- /tests/data/restrict_wildcard_for_cluster_roles/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/restrict_wildcard_for_cluster_roles/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/restrict_wildcard_for_cluster_roles/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/restrict_wildcard_for_cluster_roles/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- 
/tests/data/restrict_wildcard_for_cluster_roles/cluster/pods_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/restrict_wildcard_for_cluster_roles/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/restrict_wildcard_for_cluster_roles/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/restrict_wildcard_for_cluster_roles/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/restrict_wildcard_for_cluster_roles/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/restrict_wildcard_for_cluster_roles/cluster/stateful_sets_api_response.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/restrict_wildcard_for_cluster_roles/good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: good 5 | rules: 6 | - apiGroups: [""] 7 | resources: [""] 8 | verbs: [""] -------------------------------------------------------------------------------- /tests/data/restrict_wildcard_for_roles/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: Role 3 | metadata: 4 | namespace: test-namespace 5 | name: bad 6 | rules: 7 | - apiGroups: [""] 8 | resources: ["*"] 9 | verbs: ["*"] -------------------------------------------------------------------------------- /tests/data/restrict_wildcard_for_roles/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/restrict_wildcard_for_roles/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/restrict_wildcard_for_roles/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | 
"apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/restrict_wildcard_for_roles/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/restrict_wildcard_for_roles/cluster/pods_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/restrict_wildcard_for_roles/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/restrict_wildcard_for_roles/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/restrict_wildcard_for_roles/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [ 4 | { 5 | "apiVersion": "rbac.authorization.k8s.io/v1", 6 | "kind": "Role", 7 | "metadata": { 8 | "annotations": { 9 | 
"kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"rbac.authorization.k8s.io/v1\",\"kind\":\"Role\",\"metadata\":{\"annotations\":{},\"name\":\"bad\",\"namespace\":\"test-namespace\"},\"rules\":[{\"apiGroups\":[\"\"],\"resources\":[\"*\"],\"verbs\":[\"*\"]}]}\n" 10 | }, 11 | "creationTimestamp": "2022-11-10T03:14:33Z", 12 | "name": "bad", 13 | "namespace": "test-namespace", 14 | "resourceVersion": "6572715", 15 | "uid": "5c96fe31-02a6-4748-8af5-fd6ff2a7d74f" 16 | }, 17 | "rules": [ 18 | { 19 | "apiGroups": [ 20 | "" 21 | ], 22 | "resources": [ 23 | "*" 24 | ], 25 | "verbs": [ 26 | "*" 27 | ] 28 | } 29 | ] 30 | }, 31 | { 32 | "apiVersion": "rbac.authorization.k8s.io/v1", 33 | "kind": "Role", 34 | "metadata": { 35 | "annotations": { 36 | "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"rbac.authorization.k8s.io/v1\",\"kind\":\"Role\",\"metadata\":{\"annotations\":{},\"name\":\"good\",\"namespace\":\"test-namespace\"},\"rules\":[{\"apiGroups\":[\"\"],\"resources\":[\"\"],\"verbs\":[\"\"]}]}\n" 37 | }, 38 | "creationTimestamp": "2022-11-10T03:14:33Z", 39 | "name": "good", 40 | "namespace": "test-namespace", 41 | "resourceVersion": "6572714", 42 | "uid": "6411771f-2588-4ec9-9aa0-15ab26521ce5" 43 | }, 44 | "rules": [ 45 | { 46 | "apiGroups": [ 47 | "" 48 | ], 49 | "resources": [ 50 | "" 51 | ], 52 | "verbs": [ 53 | "" 54 | ] 55 | } 56 | ] 57 | } 58 | ], 59 | "kind": "List", 60 | "metadata": { 61 | "resourceVersion": "" 62 | } 63 | } 64 | -------------------------------------------------------------------------------- /tests/data/restrict_wildcard_for_roles/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- 
/tests/data/restrict_wildcard_for_roles/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/restrict_wildcard_for_roles/good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: Role 3 | metadata: 4 | namespace: test-namespace 5 | name: good 6 | rules: 7 | - apiGroups: [""] 8 | resources: [""] 9 | verbs: [""] -------------------------------------------------------------------------------- /tests/data/run_multiple_replicas/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: bad 5 | namespace: test-namespace 6 | labels: 7 | app: nginx 8 | spec: 9 | replicas: 1 10 | selector: 11 | matchLabels: 12 | app: nginx 13 | template: 14 | metadata: 15 | labels: 16 | app: nginx 17 | spec: 18 | containers: 19 | - name: nginx 20 | image: nginx:1.14.2 21 | ports: 22 | - containerPort: 80 -------------------------------------------------------------------------------- /tests/data/run_multiple_replicas/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/run_multiple_replicas/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 
| } 9 | -------------------------------------------------------------------------------- /tests/data/run_multiple_replicas/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/run_multiple_replicas/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/run_multiple_replicas/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/run_multiple_replicas/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/run_multiple_replicas/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/run_multiple_replicas/cluster/stateful_sets_api_response.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/run_multiple_replicas/good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: good 5 | namespace: test-namespace 6 | labels: 7 | app: nginx 8 | spec: 9 | replicas: 3 10 | selector: 11 | matchLabels: 12 | app: nginx 13 | template: 14 | metadata: 15 | labels: 16 | app: nginx 17 | spec: 18 | containers: 19 | - name: nginx 20 | image: nginx:1.14.2 21 | ports: 22 | - containerPort: 80 -------------------------------------------------------------------------------- /tests/data/schedule_replicas_across_nodes/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: bad 5 | namespace: test-namespace 6 | labels: 7 | app: nginx 8 | spec: 9 | replicas: 3 10 | selector: 11 | matchLabels: 12 | app: nginx 13 | template: 14 | metadata: 15 | labels: 16 | app: nginx 17 | spec: 18 | containers: 19 | - name: nginx 20 | image: nginx:1.14.2 21 | ports: 22 | - containerPort: 80 -------------------------------------------------------------------------------- /tests/data/schedule_replicas_across_nodes/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/schedule_replicas_across_nodes/cluster/horizontal_pod_autoscaler_api_response.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/schedule_replicas_across_nodes/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/schedule_replicas_across_nodes/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/schedule_replicas_across_nodes/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/schedule_replicas_across_nodes/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/schedule_replicas_across_nodes/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": 
"List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/schedule_replicas_across_nodes/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/schedule_replicas_across_nodes/good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: good 5 | namespace: test-namespace 6 | spec: 7 | replicas: 3 8 | selector: 9 | matchLabels: 10 | app: good 11 | template: 12 | metadata: 13 | labels: 14 | app: good 15 | spec: 16 | topologySpreadConstraints: 17 | - maxSkew: 1 18 | whenUnsatisfiable: ScheduleAnyway 19 | topologyKey: topology.kubernetes.io/zone 20 | labelSelector: 21 | matchLabels: 22 | app: good 23 | containers: 24 | - name: web-app 25 | image: nginx 26 | resources: 27 | requests: 28 | cpu: 1 -------------------------------------------------------------------------------- /tests/data/set_requests_limits_for_containers/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | namespace: test-namespace 5 | name: bad 6 | spec: 7 | containers: 8 | - name: nginx 9 | image: nginx:1.14.2 10 | ports: 11 | - containerPort: 80 -------------------------------------------------------------------------------- /tests/data/set_requests_limits_for_containers/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | 
-------------------------------------------------------------------------------- /tests/data/set_requests_limits_for_containers/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/set_requests_limits_for_containers/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/set_requests_limits_for_containers/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/set_requests_limits_for_containers/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/set_requests_limits_for_containers/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- 
/tests/data/set_requests_limits_for_containers/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/set_requests_limits_for_containers/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/set_requests_limits_for_containers/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/set_requests_limits_for_containers/good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | namespace: test-namespace 5 | name: good 6 | spec: 7 | containers: 8 | - name: nginx 9 | image: nginx:1.14.2 10 | resources: 11 | requests: 12 | memory: "64Mi" 13 | cpu: "250m" 14 | limits: 15 | memory: "128Mi" 16 | cpu: "500m" 17 | ports: 18 | - containerPort: 80 -------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_daemon_set/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: DaemonSet 3 | metadata: 4 | name: shared-sa-1 5 | namespace: test-namespace 6 | labels: 7 | k8s-app: fluentd-logging 8 | spec: 9 | selector: 10 | 
matchLabels: 11 | name: fluentd-elasticsearch 12 | template: 13 | metadata: 14 | labels: 15 | name: fluentd-elasticsearch 16 | spec: 17 | tolerations: 18 | # these tolerations are to have the daemonset runnable on control plane nodes 19 | # remove them if your control plane nodes should not run pods 20 | - key: node-role.kubernetes.io/control-plane 21 | operator: Exists 22 | effect: NoSchedule 23 | - key: node-role.kubernetes.io/master 24 | operator: Exists 25 | effect: NoSchedule 26 | containers: 27 | - name: fluentd-elasticsearch 28 | image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2 29 | resources: 30 | limits: 31 | memory: 200Mi 32 | requests: 33 | cpu: 100m 34 | memory: 200Mi 35 | volumeMounts: 36 | - name: varlog 37 | mountPath: /var/log 38 | terminationGracePeriodSeconds: 30 39 | volumes: 40 | - name: varlog 41 | hostPath: 42 | path: /var/log 43 | --- 44 | apiVersion: apps/v1 45 | kind: DaemonSet 46 | metadata: 47 | name: shared-sa-2 48 | namespace: test-namespace 49 | labels: 50 | k8s-app: fluentd-logging 51 | spec: 52 | selector: 53 | matchLabels: 54 | name: fluentd-elasticsearch 55 | template: 56 | metadata: 57 | labels: 58 | name: fluentd-elasticsearch 59 | spec: 60 | tolerations: 61 | # these tolerations are to have the daemonset runnable on control plane nodes 62 | # remove them if your control plane nodes should not run pods 63 | - key: node-role.kubernetes.io/control-plane 64 | operator: Exists 65 | effect: NoSchedule 66 | - key: node-role.kubernetes.io/master 67 | operator: Exists 68 | effect: NoSchedule 69 | containers: 70 | - name: fluentd-elasticsearch 71 | image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2 72 | resources: 73 | limits: 74 | memory: 200Mi 75 | requests: 76 | cpu: 100m 77 | memory: 200Mi 78 | volumeMounts: 79 | - name: varlog 80 | mountPath: /var/log 81 | terminationGracePeriodSeconds: 30 82 | volumes: 83 | - name: varlog 84 | hostPath: 85 | path: /var/log 
-------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_daemon_set/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_daemon_set/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_daemon_set/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_daemon_set/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_daemon_set/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | 
-------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_daemon_set/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_daemon_set/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_daemon_set/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_deployment/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: shared-sa-1 5 | namespace: test-namespace 6 | labels: 7 | app: nginx 8 | spec: 9 | replicas: 3 10 | selector: 11 | matchLabels: 12 | app: nginx 13 | template: 14 | metadata: 15 | labels: 16 | app: nginx 17 | spec: 18 | containers: 19 | - name: nginx 20 | image: nginx:1.14.2 21 | ports: 22 | - containerPort: 80 23 | --- 24 | apiVersion: apps/v1 25 | kind: Deployment 26 | metadata: 27 | name: shared-sa-2 28 | namespace: test-namespace 29 | labels: 30 | app: nginx 31 | spec: 32 | replicas: 3 33 | selector: 34 | matchLabels: 35 
| app: nginx 36 | template: 37 | metadata: 38 | labels: 39 | app: nginx 40 | spec: 41 | containers: 42 | - name: nginx 43 | image: nginx:1.14.2 44 | ports: 45 | - containerPort: 80 -------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_deployment/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_deployment/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_deployment/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_deployment/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_deployment/cluster/role_bindings_api_response.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_deployment/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_deployment/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_deployment/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_stateful_set/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: StatefulSet 3 | metadata: 4 | namespace: test-namespace 5 | name: shared-sa-1 6 | spec: 7 | selector: 8 | matchLabels: 9 | app: nginx # has to match .spec.template.metadata.labels 10 | serviceName: "nginx" 11 | replicas: 3 # by default is 1 12 | minReadySeconds: 10 # by default is 0 13 | template: 14 | metadata: 15 | labels: 16 | app: nginx # has to 
match .spec.selector.matchLabels 17 | spec: 18 | terminationGracePeriodSeconds: 10 19 | containers: 20 | - name: nginx 21 | image: registry.k8s.io/nginx-slim:0.8 22 | ports: 23 | - containerPort: 80 24 | name: web 25 | volumeMounts: 26 | - name: www 27 | mountPath: /usr/share/nginx/html 28 | volumeClaimTemplates: 29 | - metadata: 30 | name: www 31 | spec: 32 | accessModes: [ "ReadWriteOnce" ] 33 | storageClassName: "my-storage-class" 34 | resources: 35 | requests: 36 | storage: 1Gi 37 | --- 38 | apiVersion: apps/v1 39 | kind: StatefulSet 40 | metadata: 41 | namespace: test-namespace 42 | name: shared-sa-2 43 | spec: 44 | selector: 45 | matchLabels: 46 | app: nginx # has to match .spec.template.metadata.labels 47 | serviceName: "nginx" 48 | replicas: 3 # by default is 1 49 | minReadySeconds: 10 # by default is 0 50 | template: 51 | metadata: 52 | labels: 53 | app: nginx # has to match .spec.selector.matchLabels 54 | spec: 55 | terminationGracePeriodSeconds: 10 56 | containers: 57 | - name: nginx 58 | image: registry.k8s.io/nginx-slim:0.8 59 | ports: 60 | - containerPort: 80 61 | name: web 62 | volumeMounts: 63 | - name: www 64 | mountPath: /usr/share/nginx/html 65 | volumeClaimTemplates: 66 | - metadata: 67 | name: www 68 | spec: 69 | accessModes: [ "ReadWriteOnce" ] 70 | storageClassName: "my-storage-class" 71 | resources: 72 | requests: 73 | storage: 1Gi -------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_stateful_set/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_stateful_set/cluster/deployments_api_response.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_stateful_set/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_stateful_set/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_stateful_set/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_stateful_set/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_stateful_set/cluster/roles_api_response.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_dedicated_service_accounts_for_each_stateful_set/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_efs_access_points/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolume 3 | metadata: 4 | name: bad 5 | spec: 6 | capacity: 7 | storage: 5Gi 8 | volumeMode: Filesystem 9 | accessModes: 10 | - ReadWriteOnce 11 | persistentVolumeReclaimPolicy: Retain 12 | storageClassName: efs-sc 13 | csi: 14 | driver: efs.csi.aws.com 15 | volumeHandle: some_id -------------------------------------------------------------------------------- /tests/data/use_efs_access_points/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_efs_access_points/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- 
/tests/data/use_efs_access_points/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_efs_access_points/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_efs_access_points/cluster/pods_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_efs_access_points/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_efs_access_points/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_efs_access_points/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": 
"v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_efs_access_points/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_efs_access_points/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_efs_access_points/good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolume 3 | metadata: 4 | name: good 5 | spec: 6 | capacity: 7 | storage: 5Gi 8 | volumeMode: Filesystem 9 | accessModes: 10 | - ReadWriteOnce 11 | persistentVolumeReclaimPolicy: Retain 12 | storageClassName: efs-sc 13 | csi: 14 | driver: efs.csi.aws.com 15 | volumeHandle: some_id::some_access_point -------------------------------------------------------------------------------- /tests/data/use_encryption_with_aws_load_balancers/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: bad 5 | namespace: test-namespace 6 | labels: 7 | app: bad 8 | spec: 9 | type: LoadBalancer 10 | ports: 11 | - port: 443 12 | targetPort: 80 13 | protocol: TCP 14 | selector: 15 | app: bad 16 | --- 17 | kind: Deployment 18 | apiVersion: apps/v1 19 | metadata: 20 | name: bad 21 | namespace: default 22 | labels: 23 | app: bad 24 | spec: 25 | 
replicas: 1 26 | selector: 27 | matchLabels: 28 | app: bad 29 | template: 30 | metadata: 31 | labels: 32 | app: bad 33 | spec: 34 | containers: 35 | - name: nginx 36 | image: nginx 37 | ports: 38 | - containerPort: 443 39 | protocol: TCP 40 | - containerPort: 80 41 | protocol: TCP 42 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_aws_load_balancers/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_aws_load_balancers/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_aws_load_balancers/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_aws_load_balancers/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_aws_load_balancers/cluster/pods_api_response.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_aws_load_balancers/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_aws_load_balancers/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_aws_load_balancers/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_aws_load_balancers/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_aws_load_balancers/good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | 
metadata: 4 | name: good 5 | namespace: test-namespace 6 | labels: 7 | app: good 8 | annotations: 9 | service.beta.kubernetes.io/aws-load-balancer-type: "nlb" 10 | service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "" 11 | service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443" 12 | service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http" 13 | spec: 14 | type: LoadBalancer 15 | ports: 16 | - port: 443 17 | targetPort: 80 18 | protocol: TCP 19 | selector: 20 | app: good 21 | --- 22 | kind: Deployment 23 | apiVersion: apps/v1 24 | metadata: 25 | name: good 26 | namespace: default 27 | labels: 28 | app: good 29 | spec: 30 | replicas: 1 31 | selector: 32 | matchLabels: 33 | app: good 34 | template: 35 | metadata: 36 | labels: 37 | app: good 38 | spec: 39 | containers: 40 | - name: nginx 41 | image: nginx 42 | ports: 43 | - containerPort: 443 44 | protocol: TCP 45 | - containerPort: 80 46 | protocol: TCP 47 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_ebs/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: storage.k8s.io/v1 2 | kind: StorageClass 3 | metadata: 4 | name: bad 5 | provisioner: ebs.csi.aws.com 6 | volumeBindingMode: WaitForFirstConsumer 7 | parameters: 8 | csi.storage.k8s.io/fstype: xfs 9 | type: io1 10 | iopsPerGB: "50" 11 | encrypted: "false" 12 | allowedTopologies: 13 | - matchLabelExpressions: 14 | - key: topology.ebs.csi.aws.com/zone 15 | values: 16 | - us-east-2c -------------------------------------------------------------------------------- /tests/data/use_encryption_with_ebs/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- 
/tests/data/use_encryption_with_ebs/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_ebs/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_ebs/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_ebs/cluster/pods_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_ebs/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_ebs/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 
2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_ebs/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_ebs/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_ebs/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_ebs/good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: storage.k8s.io/v1 2 | kind: StorageClass 3 | metadata: 4 | name: good 5 | provisioner: ebs.csi.aws.com 6 | volumeBindingMode: WaitForFirstConsumer 7 | parameters: 8 | csi.storage.k8s.io/fstype: xfs 9 | type: io1 10 | iopsPerGB: "50" 11 | encrypted: "true" 12 | allowedTopologies: 13 | - matchLabelExpressions: 14 | - key: topology.ebs.csi.aws.com/zone 15 | values: 16 | - us-east-2c -------------------------------------------------------------------------------- /tests/data/use_encryption_with_efs/bad.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolume 3 | metadata: 4 | name: bad 5 | spec: 6 | capacity: 7 | storage: 5Gi 8 | volumeMode: Filesystem 9 | accessModes: 10 | - ReadWriteOnce 11 | persistentVolumeReclaimPolicy: Retain 12 | storageClassName: efs-sc 13 | csi: 14 | driver: efs.csi.aws.com 15 | volumeHandle: some_id -------------------------------------------------------------------------------- /tests/data/use_encryption_with_efs/cluster/daemon_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_efs/cluster/deployments_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_efs/cluster/horizontal_pod_autoscaler_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_efs/cluster/network_policies_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- 
/tests/data/use_encryption_with_efs/cluster/pods_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_efs/cluster/resource_quotas_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [ 4 | { 5 | "apiVersion": "v1", 6 | "kind": "ResourceQuota", 7 | "metadata": { 8 | "annotations": { 9 | "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"ResourceQuota\",\"metadata\":{\"annotations\":{},\"name\":\"good\",\"namespace\":\"good\"},\"spec\":{\"hard\":{\"limits.cpu\":\"2\",\"limits.memory\":\"2Gi\",\"requests.cpu\":\"1\",\"requests.memory\":\"1Gi\"}}}\n" 10 | }, 11 | "creationTimestamp": "2022-11-16T16:29:46Z", 12 | "name": "good", 13 | "namespace": "good", 14 | "resourceVersion": "8158446", 15 | "uid": "30c7d400-d976-4f95-96e9-f1e1f32de123" 16 | }, 17 | "spec": { 18 | "hard": { 19 | "limits.cpu": "2", 20 | "limits.memory": "2Gi", 21 | "requests.cpu": "1", 22 | "requests.memory": "1Gi" 23 | } 24 | }, 25 | "status": { 26 | "hard": { 27 | "limits.cpu": "2", 28 | "limits.memory": "2Gi", 29 | "requests.cpu": "1", 30 | "requests.memory": "1Gi" 31 | }, 32 | "used": { 33 | "limits.cpu": "0", 34 | "limits.memory": "0", 35 | "requests.cpu": "0", 36 | "requests.memory": "0" 37 | } 38 | } 39 | } 40 | ], 41 | "kind": "List", 42 | "metadata": { 43 | "resourceVersion": "" 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_efs/cluster/role_bindings_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | 
"kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_efs/cluster/roles_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_efs/cluster/services_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_efs/cluster/stateful_sets_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "items": [], 4 | "kind": "List", 5 | "metadata": { 6 | "resourceVersion": "" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /tests/data/use_encryption_with_efs/good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolume 3 | metadata: 4 | name: good 5 | spec: 6 | capacity: 7 | storage: 5Gi 8 | volumeMode: Filesystem 9 | accessModes: 10 | - ReadWriteOnce 11 | persistentVolumeReclaimPolicy: Retain 12 | storageClassName: efs-sc 13 | mountOptions: 14 | - tls 15 | csi: 16 | driver: efs.csi.aws.com 17 | volumeHandle: some_id -------------------------------------------------------------------------------- /tests/data/use_immutable_tags_with_ecr/repositories.json: -------------------------------------------------------------------------------- 1 | { 2 | "repositories": [ 3 | { 4 | "repositoryArn": 
"arn:aws:ecr:us-west-2::repository/rolling-deployment-service-ecrrepo714fb1b2-xbs3hua1h3ud", 5 | "registryId": "", 6 | "repositoryName": "rolling-deployment-service-ecrrepo714fb1b2-xbs3hua1h3ud", 7 | "repositoryUri": ".dkr.ecr.us-west-2.amazonaws.com/rolling-deployment-service-ecrrepo714fb1b2-xbs3hua1h3ud", 8 | "createdAt": "2022-08-12 14:07:16-04:00", 9 | "imageTagMutability": "MUTABLE", 10 | "imageScanningConfiguration": { 11 | "scanOnPush": true 12 | }, 13 | "encryptionConfiguration": { 14 | "encryptionType": "AES256" 15 | } 16 | }, 17 | { 18 | "repositoryArn": "arn:aws:ecr:us-west-2:foo:repository/rolling-deployment-service-ecrrepo714fb1b2-nyrkgiafcyyx", 19 | "registryId": "foo", 20 | "repositoryName": "rolling-deployment-service-ecrrepo714fb1b2-nyrkgiafcyyx", 21 | "repositoryUri": "foo.dkr.ecr.us-west-2.amazonaws.com/rolling-deployment-service-ecrrepo714fb1b2-nyrkgiafcyyx", 22 | "createdAt": "2022-08-12 11:49:13-04:00", 23 | "imageTagMutability": "IMMUTABLE", 24 | "imageScanningConfiguration": { 25 | "scanOnPush": true 26 | }, 27 | "encryptionConfiguration": { 28 | "encryptionType": "AES256" 29 | } 30 | } 31 | ] 32 | } -------------------------------------------------------------------------------- /tests/data/use_separate_iam_role_for_cluster_autoscaler/cluster/service_accounts_api_response.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "v1", 3 | "automountServiceAccountToken": true, 4 | "kind": "ServiceAccount", 5 | "metadata": { 6 | "annotations": { 7 | "meta.helm.sh/release-name": "autoscaling-cluster-autoscaler", 8 | "meta.helm.sh/release-namespace": "kube-system" 9 | }, 10 | "creationTimestamp": "2023-01-31T15:07:45Z", 11 | "labels": { 12 | "app.kubernetes.io/instance": "autoscaling-cluster-autoscaler", 13 | "app.kubernetes.io/managed-by": "Helm", 14 | "app.kubernetes.io/name": "aws-cluster-autoscaler", 15 | "helm.sh/chart": "cluster-autoscaler-9.21.0" 16 | }, 17 | "name": 
"cluster-autoscaler",
    "namespace": "kube-system",
    "resourceVersion": "28819798",
    "uid": "bdfc3e88-1a85-4156-8d20-1fe0a0f10530"
  },
  "secrets": [
    {
      "name": "cluster-autoscaler-token-lqxr5"
    }
  ]
}
--------------------------------------------------------------------------------
/tests/test_cli.py:
--------------------------------------------------------------------------------
# Tests for the CLI helpers exported by the hardeneks package: config-file
# validation, kubeconfig context resolution and EKS cluster-name lookup.
# kubernetes and boto3 calls are patched, so no kubeconfig, AWS credentials
# or network access are needed.
from unittest.mock import patch
from pathlib import Path

from click import exceptions
import pytest


from hardeneks import (
    _config_callback,
    _get_cluster_name,
    _get_current_context,
)


def test_config_callback_path_non_existent() -> None:
    """A config path that does not exist is rejected with BadParameter."""
    path = Path("foo")
    with pytest.raises(exceptions.BadParameter):
        _config_callback(path)


def test_config_callback_path_directory(tmp_path) -> None:
    """A config path that is a directory (not a file) is rejected."""
    path = Path(tmp_path)
    with pytest.raises(exceptions.BadParameter):
        _config_callback(path)


def test_config_callback_file(tmp_path) -> None:
    """A readable file with parseable YAML is accepted and returned as-is."""
    config = tmp_path / "config.yaml"
    # "hello" is a valid YAML scalar; the callback is expected to return the
    # same path object it was given, not a copy or a parsed document.
    config.write_text("hello")
    path = _config_callback(config)
    assert config == path


def test_config_callback_bad_yaml(tmp_path) -> None:
    """A file whose content is not valid YAML is rejected with BadParameter."""
    config = tmp_path / "config.yaml"
    # Unterminated quoted scalar -> YAML parse error.
    config.write_text("'foo")
    with pytest.raises(exceptions.BadParameter):
        _config_callback(config)


@patch("kubernetes.config.list_kube_config_contexts")
def test_get_current_context_None(config) -> None:
    """An empty context argument falls back to the active kubeconfig context."""
    # Mocked return mirrors kubernetes' (contexts, active_context) tuple shape;
    # the active context's "name" is what the helper is expected to return.
    config.return_value = ({}, {"name": "some-context"})
    context = _get_current_context("")
    assert context == "some-context"


def test_get_current_context() -> None:
    """A non-empty context argument is returned unchanged."""
    context = "some-context"
    assert _get_current_context(context) == context


@patch("boto3.client")
def test_get_cluster_name(client) -> None:
    """The cluster name is resolved from the kube context and the EKS list.

    The mocked ``list_clusters`` response contains the expected cluster plus
    two decoys, so the test checks that only the cluster matching the context
    is selected. Only the eksctl-style context name format is exercised here.
    """
    client.return_value.list_clusters.return_value = {
        "clusters": ["gpu-cluster-test", "foo-cluster", "bad-cluster"]
    }

    context = "someperson@gpu-cluster-test.us-west-2.eksctl.io"
    region = "us-west-2"
    cluster_name = "gpu-cluster-test"

    assert _get_cluster_name(context, region) == cluster_name
--------------------------------------------------------------------------------
/tests/test_security_detective_controls.py:
--------------------------------------------------------------------------------
import json
from pathlib import Path
from unittest.mock import patch

from hardeneks.resources import NamespacedResources
from hardeneks.cluster_wide.security.detective_controls import (
    check_logs_are_enabled,
)


def read_json(file_path: Path):
    """Load and return the JSON document stored at *file_path*.

    NOTE(review): no explicit ``encoding`` is passed to ``open``, so the
    locale default is used; the fixtures are ASCII so this is harmless today.
    """
    with open(file_path) as f:
        json_content = json.load(f)
    return json_content


@patch("boto3.client")
def test_check_logs_are_enabled(mocked_client) -> None:
    """The rule fails (status is falsy) for the fixture cluster metadata.

    ``boto3.client`` is patched so ``describe_cluster`` returns the recorded
    ``cluster_metadata.json`` instead of calling EKS.
    """
    namespaced_resources = NamespacedResources(
        "some_region", "some_context", "some_cluster", "some_ns"
    )
    # Resolved relative to the working directory: pytest must be launched
    # from the repository root for this path to exist.
    test_data = (
        Path.cwd()
        / "tests"
        / "data"
        / "check_logs_are_enabled"
        / "cluster_metadata.json"
    )

    mocked_client.return_value.describe_cluster.return_value = read_json(
        test_data
    )
    rule = check_logs_are_enabled()
    rule.check(namespaced_resources)

    assert not rule.result.status
--------------------------------------------------------------------------------
/tests/test_security_encryption_secrets.py:
--------------------------------------------------------------------------------
# Each test below receives its cluster state through the indirect
# ``resources`` / ``namespaced_resources`` fixtures (see conftest); the
# parametrize value is the name of the fixture data set to load. Note that
# ``("name")`` is a plain string, not a one-element tuple.
import pytest

from hardeneks.cluster_wide.security.encryption_secrets import (
    use_encryption_with_ebs,
    use_encryption_with_efs,
    use_efs_access_points,
)
from hardeneks.namespace_based.security.encryption_secrets import (
    disallow_secrets_from_env_vars,
)


@pytest.mark.parametrize(
    "resources",
    [("use_encryption_with_ebs")],
    indirect=["resources"],
)
def test_use_encryption_with_ebs(resources) -> None:
    """Only the "bad" fixture object is reported for unencrypted EBS usage."""
    rule = use_encryption_with_ebs()
    rule.check(resources)

    assert "good" not in rule.result.resources
    assert "bad" in rule.result.resources


@pytest.mark.parametrize(
    "resources",
    [("use_encryption_with_efs")],
    indirect=["resources"],
)
def test_use_encryption_with_efs(resources) -> None:
    """Only the "bad" fixture object is reported for EFS encryption.

    The "good" fixture PersistentVolume in this data set mounts the EFS CSI
    volume with the ``tls`` mount option; "bad" is expected to lack it.
    """
    rule = use_encryption_with_efs()
    rule.check(resources)

    assert "good" not in rule.result.resources
    assert "bad" in rule.result.resources


@pytest.mark.parametrize(
    "resources",
    [("use_efs_access_points")],
    indirect=["resources"],
)
def test_use_efs_access_points(resources) -> None:
    """Only the "bad" fixture object is reported for missing EFS access points."""
    rule = use_efs_access_points()
    rule.check(resources)

    assert "good" not in rule.result.resources
    assert "bad" in rule.result.resources


@pytest.mark.parametrize(
    "namespaced_resources",
    [("disallow_secrets_from_env_vars")],
    indirect=["namespaced_resources"],
)
def test_disallow_secrets_from_env_vars(namespaced_resources) -> None:
    """Only the "bad" fixture object is reported for secrets exposed via env vars."""
    rule = disallow_secrets_from_env_vars()

    rule.check(namespaced_resources)

    assert "good" not in rule.result.resources
    assert "bad" in rule.result.resources
--------------------------------------------------------------------------------
/tests/test_security_image_security.py:
--------------------------------------------------------------------------------
import json
from pathlib import Path
from unittest.mock import patch

from hardeneks.resources import Resources
from hardeneks.cluster_wide.security.image_security import (
    use_immutable_tags_with_ecr,
)


def read_json(file_path: Path):
    """Load and return the JSON document stored at *file_path*.

    NOTE(review): no explicit ``encoding`` is passed to ``open``; the locale
    default is used.
    """
    with open(file_path) as f:
        json_content = json.load(f)
    return json_content


@patch("boto3.client")
def test_use_immutable_tags_with_ecr(mocked_client) -> None:
    """Repositories with mutable tags are reported; immutable ones are not.

    ``repositories.json`` records ``...xbs3hua1h3ud`` with
    ``imageTagMutability: MUTABLE`` and ``...nyrkgiafcyyx`` with
    ``IMMUTABLE``, so exactly the first one must appear in the result.
    """
    # NOTE(review): the fourth positional argument is a string here but a
    # list ([]) in the network-security tests — confirm which type
    # Resources actually expects.
    namespaced_resources = Resources(
        "some_region", "some_context", "some_cluster", "some_ns"
    )

    # Resolved relative to the working directory (repository root).
    test_data = (
        Path.cwd()
        / "tests"
        / "data"
        / "use_immutable_tags_with_ecr"
        / "repositories.json"
    )

    mocked_client.return_value.describe_repositories.return_value = read_json(
        test_data
    )

    rule = use_immutable_tags_with_ecr()
    rule.check(namespaced_resources)

    assert (
        "rolling-deployment-service-ecrrepo714fb1b2-xbs3hua1h3ud"
        in rule.result.resources
    )
    assert (
        "rolling-deployment-service-ecrrepo714fb1b2-nyrkgiafcyyx"
        not in rule.result.resources
    )
--------------------------------------------------------------------------------
/tests/test_security_infrastructure_security.py:
--------------------------------------------------------------------------------
import json
from pathlib import Path
from unittest.mock import patch

from hardeneks.cluster_wide.security.infrastructure_security import (
    deploy_workers_onto_private_subnets,
    make_sure_inspector_is_enabled,
)
from hardeneks.resources import Resources


def read_json(file_path: Path):
    """Load and return the JSON document stored at *file_path*.

    NOTE(review): no explicit ``encoding`` is passed to ``open``; the locale
    default is used.
    """
    with open(file_path) as f:
        json_content = json.load(f)
    return json_content


def mocked_caller_identity() -> dict[str, str]:
    """Stand-in for STS ``get_caller_identity``; returns a fixed account id."""
    return {"Account": "foo"}


@patch("boto3.client")
def test_deploy_workers_onto_private_subnets(mocked_client) -> None:
    """Instances recorded in ``instance_metadata.json`` are classified.

    Two instance ids must be absent from the result and two must be
    present; which is which is fixed by the fixture's subnet data.
    """
    namespaced_resources = Resources(
        "some_region", "some_context", "some_cluster", "some_ns"
    )

    # Resolved relative to the working directory (repository root).
    test_data = (
        Path.cwd()
        / "tests"
        / "data"
        / "deploy_workers_onto_private_subnets"
        / "instance_metadata.json"
    )

    mocked_client.return_value.describe_instances.return_value = read_json(
        test_data
    )
    rule = deploy_workers_onto_private_subnets()
    rule.check(namespaced_resources)

    assert "i-063ca77fc509e2bf6" not in rule.result.resources
    assert "i-083cc9da5e18e2702" not in rule.result.resources
    assert "i-01c10da9688b958a0" in rule.result.resources
    assert "i-0f282d6ee7edb633f" in rule.result.resources


@patch("boto3.client")
def test_make_sure_inspector_is_enabled(mocked_client) -> None:
    """The rule fails for the recorded Inspector account status.

    ``batch_get_account_status`` returns ``inspector_status.json`` and
    ``get_caller_identity`` is replaced by a plain function so the account
    id is deterministic.
    """
    namespaced_resources = Resources(
        "some_region", "some_context", "some_cluster", "some_ns"
    )

    # Resolved relative to the working directory (repository root).
    test_data = (
        Path.cwd()
        / "tests"
        / "data"
        / "make_sure_inspector_is_enabled"
        / "inspector_status.json"
    )

    mocked_client.return_value.batch_get_account_status.return_value = (
        read_json(test_data)
    )
    # Assigning a function (not a Mock) means the rule's call returns the
    # fixed dict directly rather than another Mock.
    mocked_client.return_value.get_caller_identity = mocked_caller_identity
    rule = make_sure_inspector_is_enabled()
    rule.check(namespaced_resources)
    assert not rule.result.status
--------------------------------------------------------------------------------
/tests/test_security_multi_tenancy.py:
--------------------------------------------------------------------------------
import pytest

from hardeneks.cluster_wide.security.multi_tenancy import (
    ensure_namespace_quotas_exist,
)


@pytest.mark.parametrize(
    "resources",
    [("ensure_namespace_quotas_exist")],
    indirect=["resources"],
)
def test_ensure_namespace_quotas_exist(resources) -> None:
    """Only the "bad" fixture object is reported for missing resource quotas."""
    rule = ensure_namespace_quotas_exist()
    rule.check(resources)

    assert "good" not in rule.result.resources
    assert "bad" in rule.result.resources
--------------------------------------------------------------------------------
/tests/test_security_network_security.py:
--------------------------------------------------------------------------------
import json
import kubernetes
from pathlib import Path
from unittest.mock import patch

import pytest

from hardeneks.namespace_based.security.network_security import (
    use_encryption_with_aws_load_balancers,
)
from hardeneks.cluster_wide.security.network_security import (
    check_vpc_flow_logs,
    check_awspca_exists,
    check_default_deny_policy_exists,
)
from hardeneks.resources import Resources
from .conftest import get_response


def read_json(file_path: Path):
    """Load and return the JSON document stored at *file_path*.

    NOTE(review): no explicit ``encoding`` is passed to ``open``; the locale
    default is used.
    """
    with open(file_path) as f:
        json_content = json.load(f)
    return json_content


@pytest.mark.parametrize(
    "namespaced_resources",
    [("use_encryption_with_aws_load_balancers")],
    indirect=["namespaced_resources"],
)
def test_use_encryption_with_aws_load_balancers(namespaced_resources) -> None:
    """Only the "bad" fixture service is reported for unencrypted load balancers."""
    rule = use_encryption_with_aws_load_balancers()
    rule.check(namespaced_resources)

    assert "good" not in rule.result.resources
    assert "bad" in rule.result.resources


@patch("boto3.client")
def test_check_vpc_flow_logs(mocked_client) -> None:
    """With no flow logs returned by EC2 the rule must fail.

    ``describe_cluster`` is fed the recorded ``cluster_metadata.json`` and
    ``describe_flow_logs`` returns an empty ``FlowLogs`` list.
    """
    resources = Resources("some_region", "some_context", "some_cluster", [])
    # Resolved relative to the working directory (repository root).
    test_data = (
        Path.cwd()
        / "tests"
        / "data"
        / "check_vpc_flow_logs"
        / "cluster_metadata.json"
    )

    mocked_client.return_value.describe_cluster.return_value = read_json(
        test_data
    )

    mocked_client.return_value.describe_flow_logs.return_value = {
        "FlowLogs": []
    }
    rule = check_vpc_flow_logs()
    rule.check(resources)

    assert not rule.result.status


@pytest.mark.parametrize(
    "resources",
    [("check_default_deny_policy_exists")],
    indirect=["resources"],
)
def test_check_default_deny_policy_exists(resources) -> None:
    """All three fixture entries, including "good", are reported.

    The assertion is an exact, order-sensitive list comparison, so it also
    pins the order in which the rule collects results; presumably these are
    namespaces without a default-deny NetworkPolicy — confirm against the
    fixture.
    """
    rule = check_default_deny_policy_exists()
    rule.check(resources)
    assert ["good", "bad", "default"] == rule.result.resources


@patch("kubernetes.client.CoreV1Api.list_service_for_all_namespaces")
def test_check_awspca_exists(mocked_client) -> None:
    """The rule fails when the recorded service list contains no AWS PCA service.

    The Kubernetes API is patched at the client-method level and fed the
    ``services_api_response.json`` fixture deserialised as ``V1ServiceList``.
    """
    # Resolved relative to the working directory (repository root).
    test_data = (
        Path.cwd()
        / "tests"
        / "data"
        / "check_awspca_exists"
        / "cluster"
        / "services_api_response.json"
    )
    mocked_client.return_value = get_response(
        kubernetes.client.CoreV1Api,
        test_data,
        "V1ServiceList",
    )

    namespaced_resources = Resources(
        "some_region", "some_context", "some_cluster", []
    )
    rule = check_awspca_exists()
    rule.check(namespaced_resources)

    assert not rule.result.status
--------------------------------------------------------------------------------
/tests/test_security_runtime_security.py:
--------------------------------------------------------------------------------
import pytest

from hardeneks.namespace_based.security.runtime_security import (
    disallow_linux_capabilities,
)


@pytest.mark.parametrize(
    "namespaced_resources",
    [("disallow_linux_capabilities")],
    indirect=["namespaced_resources"],
)
def test_disallow_linux_capabilities(namespaced_resources) -> None:
    """Only the "bad" fixture object is reported for added Linux capabilities."""
    rule = disallow_linux_capabilities()
    rule.check(namespaced_resources)
    assert "good" not in rule.result.resources
    assert "bad" in rule.result.resources
--------------------------------------------------------------------------------
/tox.ini:
--------------------------------------------------------------------------------
[tox]
skipsdist = true
envlist = py38, py39, py310, py311

[testenv]
allowlist_externals = poetry
commands =
    poetry install -v
    poetry run pytest
--------------------------------------------------------------------------------