cloudquery
diff --git a/‎plugins/source/k8s/policies/README.md‎
Lines changed: 4 additions & 0 deletions b/‎plugins/source/k8s/policies/README.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎plugins/source/k8s/policies_v1/README.md‎
Lines changed: 33 additions & 0 deletions b/‎plugins/source/k8s/policies_v1/README.md‎
Lines changed: 33 additions & 0 deletions
diff --git a/‎plugins/source/k8s/policies_v1/create_k8s_policy_results.sql‎
Lines changed: 12 additions & 0 deletions b/‎plugins/source/k8s/policies_v1/create_k8s_policy_results.sql‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎plugins/source/k8s/policies_v1/nsa_cisa_v1/README.md‎ b/‎plugins/source/k8s/policies_v1/nsa_cisa_v1/README.md‎
diff --git a/‎plugins/source/k8s/policies_v1/nsa_cisa_v1/network_hardening.sql‎
Lines changed: 132 additions & 0 deletions b/‎plugins/source/k8s/policies_v1/nsa_cisa_v1/network_hardening.sql‎
Lines changed: 132 additions & 0 deletions
diff --git a/‎plugins/source/k8s/policies_v1/nsa_cisa_v1/pod_security.sql‎
Lines changed: 152 additions & 0 deletions b/‎plugins/source/k8s/policies_v1/nsa_cisa_v1/pod_security.sql‎
Lines changed: 152 additions & 0 deletions
diff --git a/‎plugins/source/k8s/policies_v1/nsa_cisa_v1/policy.sql‎
Lines changed: 15 additions & 0 deletions b/‎plugins/source/k8s/policies_v1/nsa_cisa_v1/policy.sql‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎plugins/source/k8s/policies_v1/policy.sql‎
Lines changed: 11 additions & 0 deletions b/‎plugins/source/k8s/policies_v1/policy.sql‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎plugins/source/k8s/policies_v1/queries/network_hardening/daemonset_cpu_limit.sql‎
Lines changed: 25 additions & 0 deletions b/‎plugins/source/k8s/policies_v1/queries/network_hardening/daemonset_cpu_limit.sql‎
Lines changed: 25 additions & 0 deletions
@@ -1,3 +1,7 @@
+# Deprecation Notice
+
+These are the policy files for CloudQuery **v0.x.x**. Please use the [policies_v1/](../policies_v1/) directory for CloudQuery v1.x.x policies.
+
 # CloudQuery Policies
 
 CloudQuery SQL Policies for Kubernetes
 
@@ -0,0 +1,33 @@
+# CloudQuery Policies
+
+CloudQuery SQL Policies for Kubernetes
+
+## Policies and Compliance Frameworks Available
+
+- [Kubernetes NSA CISA v1](./nsa_cisa_v1/policy.sql)
+
+## Running
+
+You can execute policies with `psql`. For example:
+
+```bash
+# Set DSN to your PostgreSQL populated by CloudQuery
+export DSN=postgres://postgres:pass@localhost:5432/postgres
+# Execute the NSA CISA Policy
+psql ${DSN} -f  ./nsa_cisa_v1/policy.sql
+```
+
+This will create all the results in `k8s_policy_results` table which you can query directly, connect to any BI system (Grafana, Preset, AWS QuickSight, PowerBI, …).
+
+You can also output it into CSV or HTML with the following built-in `psql` commands:
+
+```bash
+# Set DSN to your PostgreSQL populated by CloudQuery
+export DSN=postgres://postgres:pass@localhost:5432/postgres
+# default tabular output
+psql ${DSN} -c "select * from k8s_policy_results"
+# CSV output
+psql ${DSN} -c "select * from k8s_policy_results" --csv
+# HTML output
+psql ${DSN} -c "select * from k8s_policy_results" --html
+```
@@ -0,0 +1,12 @@
+create table if not exists k8s_policy_results
+(
+    execution_time timestamp with time zone,
+    framework      varchar(255),
+    check_id       varchar(255),
+    title          text,
+    context        text,
+    namespace      text,
+    resource_id    varchar(1024),
+    resource_name  text,
+    status         varchar(16)
+)
@@ -0,0 +1,132 @@
+\echo "Executing K8S Network Hardening NSA CISA v1"
+
+\echo "Enforce CPU resource limits"
+
+\echo "Deamonsets enforce cpu limit"
+\set check_id "daemonset_cpu_limit"
+\ir ../queries/network_hardening/daemonset_cpu_limit.sql
+
+\echo "Deployments enforce cpu limit"
+\set check_id "deployment_cpu_limit"
+\ir ../queries/network_hardening/deployment_cpu_limit.sql
+
+\echo "Jobs enforce cpu limit"
+\set check_id "job_cpu_limit"
+\ir ../queries/network_hardening/job_cpu_limit.sql
+
+
+\echo "Namespaces CPU limit range default"
+\set check_id "namespace_limit_range_default_cpu_limit"
+\ir ../queries/network_hardening/namespace_limit_range_default_cpu_limit.sql
+
+
+\echo "Namespaces CPU limit resource quota"
+\set check_id "namespace_resource_quota_cpu_limit"
+\ir ../queries/network_hardening/namespace_resource_quota_cpu_limit.sql
+
+
+\echo "ReplciaSets enforce cpu limit"
+\set check_id "replicaset_cpu_limit"
+\ir ../queries/network_hardening/replicaset_cpu_limit.sql
+
+
+\echo "Enforce CPU request"
+
+\echo "Deamonsets enforce cpu request"
+\set check_id "daemonset_cpu_request"
+\ir ../queries/network_hardening/daemonset_cpu_request.sql
+
+\echo "Deployments enforce cpu request"
+\set check_id "deployment_cpu_request"
+\ir ../queries/network_hardening/deployment_cpu_request.sql
+
+\echo "Jobs enforce cpu request"
+\set check_id "job_cpu_limit"
+\ir ../queries/network_hardening/job_cpu_limit.sql
+
+
+\echo "Namespaces CPU request range default"
+\set check_id "namespace_limit_range_default_cpu_request"
+\ir ../queries/network_hardening/namespace_limit_range_default_cpu_request.sql
+
+
+\echo "Namespaces CPU request resource quota"
+\set check_id "namespace_resource_quota_cpu_request"
+\ir ../queries/network_hardening/namespace_resource_quota_cpu_request.sql
+
+
+\echo "ReplciaSets enforce cpu request"
+\set check_id "replicaset_cpu_request"
+\ir ../queries/network_hardening/replicaset_cpu_request.sql
+
+\echo "Ensure memory limits set"
+
+\echo "Deamonsets enforce memory limit"
+\set check_id "daemonset_memory_limit"
+\ir ../queries/network_hardening/daemonset_memory_limit.sql
+
+\echo "Deployments enforce memory limit"
+\set check_id "deployment_memory_limit"
+\ir ../queries/network_hardening/deployment_memory_limit.sql
+
+\echo "Jobs enforce memory limit"
+\set check_id "job_memory_limit"
+\ir ../queries/network_hardening/job_memory_limit.sql
+
+
+\echo "Namespaces CPU memory range default"
+\set check_id "namespace_limit_range_default_memory_limit"
+\ir ../queries/network_hardening/namespace_limit_range_default_memory_limit.sql
+
+
+\echo "Namespaces CPU memory resource quota"
+\set check_id "namespace_resource_quota_memory_limit"
+\ir ../queries/network_hardening/namespace_resource_quota_memory_limit.sql
+
+
+\echo "ReplciaSets enforce memory limit"
+\set check_id "replicaset_memory_limit"
+\ir ../queries/network_hardening/replicaset_memory_limit.sql
+
+
+\echo "Enforce Memory request"
+
+\echo "Deamonsets enforce memory request"
+\set check_id "daemonset_memory_request"
+\ir ../queries/network_hardening/daemonset_memory_request.sql
+
+\echo "Deployments enforce memory request"
+\set check_id "deployment_memory_request"
+\ir ../queries/network_hardening/deployment_memory_request.sql
+
+\echo "Jobs enforce memory request"
+\set check_id "job_memory_request"
+\ir ../queries/network_hardening/job_memory_request.sql
+
+
+\echo "Namespaces Memory request range default"
+\set check_id "namespace_limit_range_default_memory_request"
+\ir ../queries/network_hardening/namespace_limit_range_default_memory_request.sql
+
+
+\echo "Namespaces Memory request resource quota"
+\set check_id "namespace_resource_quota_memory_request"
+\ir ../queries/network_hardening/namespace_resource_quota_memory_request.sql
+
+
+\echo "ReplciaSets enforce cpu request"
+\set check_id "replicaset_memory_request"
+\ir ../queries/network_hardening/replicaset_memory_request.sql
+
+
+\echo "Enforce default deny network policy"
+
+\echo "Network policy default deny egress"
+\set check_id "network_policy_default_deny_egress"
+\ir ../queries/network_hardening/network_policy_default_deny_egress.sql
+
+
+\echo "Network policy default deny ingress"
+\set check_id "network_policy_default_deny_ingress"
+\ir ../queries/network_hardening/network_policy_default_deny_ingress.sql
+
@@ -0,0 +1,152 @@
+\echo "Executing K8S Pod Security NSA CISA v1"
+
+\set check_id "container_disallow_host_path"
+\echo "Disallow host path access"
+\ir ../queries/pod_security/pod_volume_host_path.sql
+
+\echo "Verify containers have privileged access disabled"
+
+\echo "Deamonset privileges disabled"
+\set check_id "daemonset_container_privilege_disabled"
+\ir ../queries/pod_security/daemonset_container_privilege_disabled.sql
+
+\echo "Deployment containers privileged access disabled"
+\set check_id "deployment_container_privilege_disabled"
+\ir ../queries/pod_security/deployment_container_privilege_disabled.sql
+
+\echo "Jobs container privileged access disabled"
+\set check_id "job_container_privilege_disabled"
+\ir ../queries/pod_security/job_container_privilege_disabled.sql
+
+\echo "Pod container privileged access disabled"
+\set check_id "pod_container_privilege_disabled"
+\ir ../queries/pod_security/pod_container_privilege_disabled.sql
+
+\echo "ReplicaSet container privileged access disabled"
+\set check_id "replicaset_container_privilege_disabled"
+\ir ../queries/pod_security/replicaset_container_privilege_disabled.sql
+
+\echo "Container privileged escalation disabled"
+
+\echo "DaemonSet container privileged escalation disabled"
+\set check_id "daemonset_container_privilege_escalation_disabled"
+\ir ../queries/pod_security/daemonset_container_privilege_escalation_disabled.sql
+
+\echo "Deployment container privileged escalation disabled"
+\set check_id "deployment_container_privilege_escalation_disabled"
+\ir ../queries/pod_security/deployment_container_privilege_escalation_disabled.sql
+
+\echo "Job container privileged escalation disabled"
+\set check_id "job_container_privilege_escalation_disabled"
+\ir ../queries/pod_security/job_container_privilege_escalation_disabled.sql
+
+\echo "Pod container privileged escalation disabled"
+\set check_id "pod_container_privilege_escalation_disabled"
+\ir ../queries/pod_security/pod_container_privilege_escalation_disabled.sql
+
+\echo "ReplicaSet container privileged escalation disabled"
+\set check_id "replicaset_container_privilege_escalation_disabled"
+\ir ../queries/pod_security/replicaset_container_privilege_escalation_disabled.sql
+
+
+\echo "Host network access disabled"
+
+\echo "DaemonSet container hostNetwork disabled"
+\set check_id "daemonset_host_network_access_disabled"
+\ir ../queries/pod_security/daemonset_host_network_access_disabled.sql
+
+\echo "Deployment container hostNetwork disabled"
+\set check_id "deployment_host_network_access_disabled"
+\ir ../queries/pod_security/deployment_host_network_access_disabled.sql
+
+\echo "Job container hostNetwork disabled"
+\set check_id "job_host_network_access_disabled"
+\ir ../queries/pod_security/job_host_network_access_disabled.sql
+
+\echo "Pod container hostNetwork disabled"
+\set check_id "pod_container_privilege_escalation_disabled"
+\ir ../queries/pod_security/pod_host_network_access_disabled.sql
+
+\echo "ReplicaSet container hostNetwork disabled"
+\set check_id "replicaset_container_privilege_escalation_disabled"
+\ir ../queries/pod_security/replicaset_host_network_access_disabled.sql
+
+
+\echo "HostPID and HostIPC sharing disabled"
+
+\echo "DeamonSet containers HostPID and HostIPC sharing disabled"
+\set check_id "daemonset_hostpid_hostipc_sharing_disabled"
+\ir ../queries/pod_security/daemonset_hostpid_hostipc_sharing_disabled.sql
+
+\echo "Deployment containers HostPID and HostIPC sharing disabled"
+\set check_id "deployment_hostpid_hostipc_sharing_disabled"
+\ir ../queries/pod_security/deployment_hostpid_hostipc_sharing_disabled.sql
+
+\echo "Job containers HostPID and HostIPC sharing disabled"
+\set check_id "job_hostpid_hostipc_sharing_disabled"
+\ir ../queries/pod_security/job_hostpid_hostipc_sharing_disabled.sql
+
+\echo "Pod containers HostPID and HostIPC sharing disabled"
+\set check_id "pod_hostpid_hostipc_sharing_disabled"
+\ir ../queries/pod_security/pod_hostpid_hostipc_sharing_disabled.sql
+
+\echo "ReplicaSet containers HostPID and HostIPC sharing disabled"
+\set check_id "replicaset_hostpid_hostipc_sharing_disabled"
+\ir ../queries/pod_security/replicaset_hostpid_hostipc_sharing_disabled.sql
+
+\echo "Containers root file system is read-only"
+
+\echo "DeamonSet containers root file system is read-only"
+\set check_id "daemonset_immutable_container_filesystem"
+\ir ../queries/pod_security/daemonset_immutable_container_filesystem.sql
+
+\echo "Deployment containers root file system is read-only"
+\set check_id "deployment_immutable_container_filesystem"
+\ir ../queries/pod_security/deployment_immutable_container_filesystem.sql
+
+\echo "Job containers root file system is read-only"
+\set check_id "job_immutable_container_filesystem"
+\ir ../queries/pod_security/job_immutable_container_filesystem.sql
+
+\echo "Pod containers root file system is read-only"
+\set check_id "pod_immutable_container_filesystem"
+\ir ../queries/pod_security/pod_immutable_container_filesystem.sql
+
+\echo "ReplicaSet containers root file system is read-only"
+\set check_id "replicaset_immutable_container_filesystem"
+\ir ../queries/pod_security/replicaset_immutable_container_filesystem.sql
+
+
+\echo "Enforce containers to run as non-root"
+
+\echo "DeamonSet containers to run as non-root"
+\set check_id "daemonset_non_root_container"
+\ir ../queries/pod_security/daemonset_non_root_container.sql
+
+\echo "Deployment containers to run as non-root"
+\set check_id "deployment_non_root_container"
+\ir ../queries/pod_security/deployment_non_root_container.sql
+
+\echo "Job containers to run as non-root"
+\set check_id "job_non_root_container"
+\ir ../queries/pod_security/job_non_root_container.sql
+
+\echo "Pod containers to run as non-root"
+\set check_id "pod_non_root_container"
+\ir ../queries/pod_security/pod_non_root_container.sql
+
+\echo "ReplicaSet containers to run as non-root"
+\set check_id "replicaset_non_root_container"
+\ir ../queries/pod_security/replicaset_non_root_container.sql
+
+
+\echo "Automatic mapping of the service account tokens disabled"
+
+\echo "Pod service account tokens disabled"
+\set check_id "pod_service_account_token_disabled"
+\ir ../queries/pod_security/pod_service_account_token_disabled.sql
+
+\echo "Service account tokens disabled"
+\set check_id "service_account_token_disabled"
+\ir ../queries/pod_security/service_account_token_disabled.sql
+
@@ -0,0 +1,15 @@
+\set ON_ERROR_STOP on
+SET TIME ZONE 'UTC';
+-- neat trick to set execution_time if not already set
+-- https://stackoverflow.com/questions/32582600/only-set-variable-in-psql-script-if-not-specified-on-the-command-line
+\set execution_time :execution_time
+SELECT CASE 
+  WHEN :'execution_time' = ':execution_time' THEN to_char(now(), 'YYYY-MM-dd HH24:MI:SS.US')
+  ELSE :'execution_time'
+END AS "execution_time"  \gset
+
+\set framework 'cis_v1.2.0'
+
+\ir ../create_k8s_policy_results.sql
+\ir ./network_hardening.sql
+\ir ./pod_security.sql
@@ -0,0 +1,11 @@
+\set ON_ERROR_STOP on
+SET TIME ZONE 'UTC';
+-- neat trick to set execution_time if not already set
+-- https://stackoverflow.com/questions/32582600/only-set-variable-in-psql-script-if-not-specified-on-the-command-line
+\set execution_time :execution_time
+SELECT CASE 
+  WHEN :'execution_time' = ':execution_time' THEN to_char(now(), 'YYYY-MM-dd HH24:MI:SS.US')
+  ELSE :'execution_time'
+END AS "execution_time"  \gset
+
+\ir nsa_cisa_v1/policy.sql
@@ -0,0 +1,25 @@
+-- Join every row in the daemonset table with its json array of containers.
+WITH daemonset_containers AS (SELECT uid, value AS container 
+                               FROM k8s_apps_daemon_sets
+                               CROSS JOIN jsonb_array_elements(spec_template->'spec'->'containers') AS value)
+
+INSERT INTO k8s_policy_results (resource_id, execution_time, framework, check_id, title, context, namespace,
+                                resource_name, status)
+select uid                              AS resource_id,
+        :'execution_time'::timestamp     AS execution_time,
+        :'framework'                     AS framework,
+        :'check_id'                      AS check_id,
+        'Daemonset enforces cpu limits' AS title,
+        context                          AS context,
+        namespace                        AS namespace,
+        name                             AS resource_name,
+        CASE
+            WHEN
+                  -- Every container needs to have a CPU limit for the check to pass
+                  (SELECT COUNT(*) FROM daemonset_containers WHERE daemonset_containers.uid = k8s_apps_daemon_sets.uid AND
+                  daemonset_containers.container->'resources'->'limits'->>'cpu' IS NULL) > 0
+                THEN 'fail'
+                ELSE 'pass'
+            END                          AS status
+FROM k8s_apps_daemon_sets
+