kubescape/regolibrary

Add rego rule to check for windows securityContext compliance

Open

#317 opened on Mar 6, 2023

View on GitHub
 (2 comments) (0 reactions) (0 assignees)Open Policy Agent (69 forks)auto 404
enhancementgood first issue

Repository metrics

Stars
 (131 stars)
PR merge metrics
 (PR metrics pending)

Description

In order to support Windows system, we should add rego rules to check for securityContext parameters also for this OS. Reading from the official documentation, we should implement a control for each of the following listed fields: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#windowssecuritycontextoptions-v1-core So, the new checks to be added, are the following:

  • gmsaCredentialSpec
  • gmsaCredentialSpecName
  • hostProcess
  • runAsUserName

The equivalent rules should be named like so:

  • set-gmsacredentialspec-value
  • set-gmsacredentialspecname-value
  • set-hostprocess-true (checking also if WindowsHostProcessContainers feature flag is enabled in api-server)
  • runAsUserName

Contributor guide