syncable_cli/analyzer/kubelint/templates/
capabilities.rs1use crate::analyzer::kubelint::context::Object;
4use crate::analyzer::kubelint::extract;
5use crate::analyzer::kubelint::templates::{CheckFunc, ParameterDesc, Template, TemplateError};
6use crate::analyzer::kubelint::types::{Diagnostic, ObjectKindsDesc};
7
8pub struct DropNetRawCapabilityTemplate;
10
11impl Template for DropNetRawCapabilityTemplate {
12 fn key(&self) -> &str {
13 "drop-net-raw-capability"
14 }
15
16 fn human_name(&self) -> &str {
17 "Drop NET_RAW Capability"
18 }
19
20 fn description(&self) -> &str {
21 "Detects containers that don't drop the NET_RAW capability"
22 }
23
24 fn supported_object_kinds(&self) -> ObjectKindsDesc {
25 ObjectKindsDesc::default()
26 }
27
28 fn parameters(&self) -> Vec<ParameterDesc> {
29 Vec::new()
30 }
31
32 fn instantiate(
33 &self,
34 _params: &serde_yaml::Value,
35 ) -> Result<Box<dyn CheckFunc>, TemplateError> {
36 Ok(Box::new(DropNetRawCheck))
37 }
38}
39
40struct DropNetRawCheck;
41
42impl CheckFunc for DropNetRawCheck {
43 fn check(&self, object: &Object) -> Vec<Diagnostic> {
44 let mut diagnostics = Vec::new();
45
46 if let Some(pod_spec) = extract::pod_spec::extract_pod_spec(&object.k8s_object) {
47 for container in extract::container::all_containers(pod_spec) {
48 let drops_net_raw = container
49 .security_context
50 .as_ref()
51 .and_then(|sc| sc.capabilities.as_ref())
52 .map(|caps| {
53 caps.drop
54 .iter()
55 .any(|c| c == "NET_RAW" || c == "ALL" || c == "all")
56 })
57 .unwrap_or(false);
58
59 if !drops_net_raw {
60 diagnostics.push(Diagnostic {
61 message: format!(
62 "Container '{}' does not drop NET_RAW capability",
63 container.name
64 ),
65 remediation: Some(
66 "Add NET_RAW to securityContext.capabilities.drop, or drop ALL capabilities."
67 .to_string(),
68 ),
69 });
70 }
71 }
72 }
73
74 diagnostics
75 }
76}