syncable-cli 0.37.1

A Rust-based CLI that analyzes code repositories and generates Infrastructure as Code configurations
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118

//! Privileged container detection template.

use crate::analyzer::kubelint::context::Object;
use crate::analyzer::kubelint::extract;
use crate::analyzer::kubelint::templates::{CheckFunc, ParameterDesc, Template, TemplateError};
use crate::analyzer::kubelint::types::{Diagnostic, ObjectKindsDesc};

/// Template for detecting privileged containers.
pub struct PrivilegedTemplate;

impl Template for PrivilegedTemplate {
    fn key(&self) -> &str {
        "privileged"
    }

    fn human_name(&self) -> &str {
        "Privileged Container"
    }

    fn description(&self) -> &str {
        "Detects containers running in privileged mode"
    }

    fn supported_object_kinds(&self) -> ObjectKindsDesc {
        ObjectKindsDesc::default()
    }

    fn parameters(&self) -> Vec<ParameterDesc> {
        Vec::new()
    }

    fn instantiate(
        &self,
        _params: &serde_yaml::Value,
    ) -> Result<Box<dyn CheckFunc>, TemplateError> {
        Ok(Box::new(PrivilegedCheck))
    }
}

struct PrivilegedCheck;

impl CheckFunc for PrivilegedCheck {
    fn check(&self, object: &Object) -> Vec<Diagnostic> {
        let mut diagnostics = Vec::new();

        if let Some(pod_spec) = extract::pod_spec::extract_pod_spec(&object.k8s_object) {
            for container in extract::container::all_containers(pod_spec) {
                if let Some(sc) = &container.security_context
                    && sc.privileged == Some(true)
                {
                    diagnostics.push(Diagnostic {
                            message: format!(
                                "Container '{}' is running in privileged mode",
                                container.name
                            ),
                            remediation: Some(
                                "Do not run containers in privileged mode unless absolutely necessary. \
                                 Set securityContext.privileged to false.".to_string()
                            ),
                        });
                }
            }
        }

        diagnostics
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::analyzer::kubelint::parser::yaml::parse_yaml;

    #[test]
    fn test_privileged_container_detected() {
        let yaml = r#"
apiVersion: apps/v1
kind: Deployment
metadata:
  name: privileged-deploy
spec:
  template:
    spec:
      containers:
      - name: privileged-container
        image: nginx
        securityContext:
          privileged: true
"#;
        let objects = parse_yaml(yaml).unwrap();
        let check = PrivilegedCheck;
        let diagnostics = check.check(&objects[0]);
        assert_eq!(diagnostics.len(), 1);
        assert!(diagnostics[0].message.contains("privileged mode"));
    }

    #[test]
    fn test_non_privileged_container_ok() {
        let yaml = r#"
apiVersion: apps/v1
kind: Deployment
metadata:
  name: safe-deploy
spec:
  template:
    spec:
      containers:
      - name: safe-container
        image: nginx
        securityContext:
          privileged: false
"#;
        let objects = parse_yaml(yaml).unwrap();
        let check = PrivilegedCheck;
        let diagnostics = check.check(&objects[0]);
        assert!(diagnostics.is_empty());
    }
}