Skip to content

Add policy AC-K8-NS-SE-M-0188 for CVE-2020-8554 #428

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from Dec 11, 2020
Merged

Add policy AC-K8-NS-SE-M-0188 for CVE-2020-8554 #428

merged 2 commits into from Dec 11, 2020

Conversation

ghost
Copy link

@ghost ghost commented Dec 10, 2020

No description provided.

@codecov
Copy link

codecov bot commented Dec 10, 2020
edited
Loading

Codecov Report

Merging #428 (9f68c60) into master (929e377) will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff           @@
##           master     #428   +/-   ##
=======================================
  Coverage   66.21%   66.21%           
=======================================
  Files          85       85           
  Lines        1915     1915           
=======================================
  Hits         1268     1268           
  Misses        535      535           
  Partials      112      112

williepaul
williepaul reviewed Dec 10, 2020
View reviewed changes
pkg/policies/opa/rego/k8s/kubernetes_service/cve_2020_8554/ensurePrivateIP.rego
{{.prefix}}{{.name}}{{.suffix}}[service.id] {
service := input.{{.resource_type}}[_]
service.config.kind == "Service"
type_check(service.config.spec)
Copy link
Contributor

@williepaul williepaul Dec 10, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO we should keep our checks as simple as possible. it looks like you're just trying to do the following:
service.config.spec.type == "ClusterIP"
not service.config.spec.type
service.config.spec.externalIPs

Do we also need a check for service.config.spec.clusterIPs?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Service type may or may not be set. If its set then I want to if its ClusterIP

@sonarqubecloud
Copy link

Kudos, SonarCloud Quality Gate passed!

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
No Duplication information No Duplication information

@williepaul williepaul merged commit 90e4ea7 into tenable:master Dec 11, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@williepaul