feat(arm): add CKV_AZURE_85 to ensure that Azure Defender is set to On for Kubernetes #6279
Merged: tsmithv11 merged 8 commits into bridgecrewio:main from tehila86127:AzureDefenderOnKubernetes on Jul 3, 2024.
Changes shown are from 4 of the 8 commits.
Commits (8):
- 6163385 (tehila86127): added new arm policy for resource: AzureDefenderOnKubernetes
- 39c999b (tehila86127): update arm policy for resource: AzureDefenderOnKubernetes
- 8e9af87 (tehila86127): update arm policy for resource: AzureDefenderOnKubernetes
- 5cb027b (tehila86127): update arm policy for resource: AzureDefenderOnKubernetes
- 35ff3b6 (tehila86127): update arm policy for resource: AzureDefenderOnKubernetes
- 6994cde (ChanochShayner): Merge branch 'main' into AzureDefenderOnKubernetes
- a870235 (tehila86127): update arm policy for resource: AzureDefenderOnKubernetes
- ea4eeb2 (tehila86127): Merge remote-tracking branch 'origin/AzureDefenderOnKubernetes' into …
@@ -0,0 +1,26 @@ | ||
from __future__ import annotations | ||
from typing import Any | ||
from checkov.common.models.enums import CheckCategories, CheckResult | ||
from checkov.arm.base_resource_check import BaseResourceCheck | ||
|
||
|
||
class AzureDefenderOnKubernetes(BaseResourceCheck): | ||
def __init__(self) -> None: | ||
name = "Ensure that Azure Defender is set to On for Kubernetes" | ||
id = "CKV_AZURE_85" | ||
supported_resources = ("Microsoft.Security/pricings",) | ||
categories = (CheckCategories.GENERAL_SECURITY,) | ||
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,) | ||
|
||
def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: | ||
return ( | ||
CheckResult.PASSED | ||
if conf.get("name") != "KubernetesService" or str(conf["properties"]["pricingTier"]).lower() == "standard" | ||
else CheckResult.FAILED | ||
) | ||
|
||
def get_evaluated_keys(self) -> list[str]: | ||
return ["name", "pricingTier"] | ||
|
||
|
||
check = AzureDefenderOnKubernetes() |
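Review bot: `str(conf["properties"]["pricingTier"])` in `scan_resource_conf` indexes `properties` and `pricingTier` directly, so a `Microsoft.Security/pricings` resource named `KubernetesService` that omits either key raises a `KeyError` inside the check instead of returning `CheckResult.FAILED`; read it as `conf.get("properties", {}).get("pricingTier")` and treat a missing or non-`Standard` value as a failure. Separately, `get_evaluated_keys` returns `["name", "pricingTier"]`, but the tier the check reads is nested under `properties`, so the second key should carry that path (e.g. `properties/pricingTier`) for the reported evaluated keys to point at the value that was actually evaluated. Finally, `conf.get("name")` is compared with the literal `"KubernetesService"`, so a template that sets the plan name from a parameter expression passes silently; since the review thread agrees the narrow scope is intentional, a short comment on the class stating that scope would save the next reader the same question.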
tests/arm/checks/resource/example_AzureDefenderOnKubernetes/fail.json (51 additions, 0 deletions)
@@ -0,0 +1,51 @@ | ||
{ | ||
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", | ||
"contentVersion": "1.0.0.0", | ||
"parameters": { | ||
"pricing": { | ||
"type": "string", | ||
"allowedValues": [ | ||
"Standard", | ||
"Free" | ||
] | ||
} | ||
}, | ||
|
||
"resources": [ | ||
{ | ||
"type": "Microsoft.Security/pricings", | ||
"apiVersion": "2017-08-01-preview", | ||
"name": "KubernetesService", | ||
"properties": { | ||
"pricingTier": "Free" | ||
} | ||
}, | ||
{ | ||
"type": "Microsoft.Compute/disks", | ||
"apiVersion": "2023-01-02", | ||
"name": "[parameters('disks_acctestmd1_name')]", | ||
"location": "westus2", | ||
"tags": { | ||
"environment": "staging" | ||
}, | ||
"sku": { | ||
"name": "Standard_LRS", | ||
"tier": "Standard" | ||
}, | ||
"properties": { | ||
"creationData": { | ||
"createOption": "Empty" | ||
}, | ||
"diskSizeGB": 1, | ||
"diskIOPSReadWrite": 500, | ||
"diskMBpsReadWrite": 60, | ||
"encryption": { | ||
"type": "EncryptionAtRestWithPlatformKey" | ||
}, | ||
"networkAccessPolicy": "AllowAll", | ||
"publicNetworkAccess": "Enabled", | ||
"diskState": "Unattached" | ||
} | ||
} | ||
|
||
]} |
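Review bot: the `Microsoft.Compute/disks` resource in this fixture references `parameters('disks_acctestmd1_name')`, but the template's `parameters` block declares only `pricing`, and `pricing` itself is never used, so the file is not a valid ARM template and the unrelated disk adds nothing to the test (the check's `supported_resources` is only `Microsoft.Security/pricings`, so the disk is never evaluated). Either drop the disk resource or put the declared parameter to work, e.g. `"pricingTier": "[parameters('pricing')]"`, so the fixture also exercises a tier that arrives as a parameter expression rather than a literal. Also, this file uses `"apiVersion": "2017-08-01-preview"` while pass.json uses `2018-06-01`; pick one so the two fixtures differ only in the tier under test.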
tests/arm/checks/resource/example_AzureDefenderOnKubernetes/pass.json (49 additions, 0 deletions)
@@ -0,0 +1,49 @@ | ||
{ | ||
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", | ||
"contentVersion": "1.0.0.0", | ||
"parameters": { | ||
"pricing": { | ||
"type": "string", | ||
"allowedValues": [ | ||
"Standard", | ||
"Free" | ||
] | ||
} | ||
}, | ||
"resources": [ | ||
|
||
{ | ||
"type": "Microsoft.Security/pricings", | ||
"apiVersion": "2018-06-01", | ||
"name": "KubernetesService", | ||
"dependsOn": [ | ||
"[concat('Microsoft.Security/pricings/default')]" | ||
], | ||
"properties": { | ||
"pricingTier": "Standard" | ||
} | ||
}, | ||
{ | ||
"type": "Microsoft.Security/pricings", | ||
"apiVersion": "2018-06-01", | ||
"name": "KeyVaults", | ||
"dependsOn": [ | ||
"[concat('Microsoft.Security/pricings/SqlServers')]" | ||
], | ||
"properties": { | ||
"pricingTier": "Free" | ||
} | ||
}, | ||
{ | ||
"type": "Microsoft.Security/pricings", | ||
"apiVersion": "2018-06-01", | ||
"name": "SqlServerVirtualMachines", | ||
"dependsOn": [ | ||
"[concat('Microsoft.Security/pricings/AppServices')]" | ||
], | ||
"properties": { | ||
"pricingTier": "Free" | ||
} | ||
} | ||
] | ||
} |
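Review bot: the three `dependsOn` entries point at `Microsoft.Security/pricings/default`, `.../SqlServers` and `.../AppServices`, none of which is declared in this template, and each wraps a single literal in `concat(...)`, which is a no-op; ARM only accepts `dependsOn` references to resources defined in the same template, so the fixture is not deployable as written. Drop the `dependsOn` blocks or reference resources that exist. Note also that `KeyVaults` and `SqlServerVirtualMachines` pass here with `"pricingTier": "Free"` purely because of the name guard in the check, so this fixture is also the test of that guard; JSON cannot carry a comment, so state that intent in the test file next to the expected resource sets.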
tests/arm/checks/resource/test_AzureDefenderOnKubernetes.py (41 additions, 0 deletions)
@@ -0,0 +1,41 @@ | ||
import unittest | ||
import os | ||
from checkov.arm.checks.resource.AzureDefenderOnKubernetes import check | ||
from checkov.arm.runner import Runner | ||
from checkov.runner_filter import RunnerFilter | ||
|
||
|
||
class TestAzureDefenderOnKubernetes(unittest.TestCase): | ||
def test_summary(self): | ||
current_dir = os.path.dirname(os.path.realpath(__file__)) | ||
# given | ||
test_files_dir = current_dir + "/example_AzureDefenderOnKubernetes" | ||
|
||
# when | ||
report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id])) | ||
|
||
# then | ||
summary = report.get_summary() | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Please assert the resources names as well There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Please ☝️ |
||
passing_resources = { | ||
"Microsoft.Security/pricings.KubernetesService", | ||
"Microsoft.Security/pricings.KeyVaults", | ||
"Microsoft.Security/pricings.SqlServerVirtualMachines", | ||
} | ||
failing_resources = { | ||
"Microsoft.Security/pricings.KubernetesService", | ||
} | ||
|
||
passed_check_resources = {c.resource for c in report.passed_checks} | ||
failed_check_resources = {c.resource for c in report.failed_checks} | ||
|
||
self.assertEqual(summary['passed'], 3) | ||
self.assertEqual(summary['failed'], 1) | ||
self.assertEqual(summary['skipped'], 0) | ||
self.assertEqual(summary['parsing_errors'], 0) | ||
|
||
self.assertEqual(passing_resources, passed_check_resources) | ||
self.assertEqual(failing_resources, failed_check_resources) | ||
|
||
|
||
if __name__ == "__main__": | ||
unittest.main() |
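Review bot: `passing_resources` and `failing_resources` both contain `Microsoft.Security/pricings.KubernetesService`, because the resource id carries no file path, so these assertions cannot tell the `KubernetesService` in pass.json from the one in fail.json; comparing sets of (file path, resource) pairs built from each record (e.g. its `file_path` together with `resource`) pins each verdict to its fixture. Minor: `current_dir + "/example_AzureDefenderOnKubernetes"` should be `os.path.join(current_dir, "example_AzureDefenderOnKubernetes")`. There is also no fixture for a `KubernetesService` resource that lacks `properties` or `pricingTier`, which is exactly the input on which the check as written raises instead of reporting a result.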
Review comment on `conf.get("name") != "KubernetesService"`:
I'm not sure that this is the right check - `conf.get("name") != "KubernetesService"`, the name can be anything.

Reply: I did it like the TF check.

Reply: You can remove the `name` from the condition; it is not the same as TF.

Reply: @ChanochShayner I believe it should only fail if the `"name": "KubernetesService"` and the pricing tier is not Standard. Otherwise, it will fail for resources that are not K8s based and can't have Defender, despite the name of the policy. It's a very narrow scope, but I believe that's the purpose of the check.
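The semantic the thread settles on (only the plan named `KubernetesService` is judged, and it must be on the `Standard` tier) as an added stand-alone illustration over raw ARM resource dicts. This is not checkov's code and not the check from the diff: it uses no checkov imports, it returns an explicit `UNKNOWN` for the inputs the PR's check indexes straight through (a resource without `properties` or `pricingTier`, or a tier written as an ARM expression), and every name in it (`evaluate_pricing`, `scan_template`, the sample template) is hypothetical.

```python
from __future__ import annotations

import json
from typing import Any

# Added illustration, not checkov's code. Hypothetical names throughout.
PRICINGS_TYPE = "Microsoft.Security/pricings"
KUBERNETES_PLAN = "KubernetesService"


def evaluate_pricing(conf: dict[str, Any]) -> str:
    """Verdict for one Microsoft.Security/pricings resource: PASSED, FAILED or UNKNOWN."""
    if conf.get("name") != KUBERNETES_PLAN:
        # Other Defender plans are out of scope for this check, whatever their tier.
        return "PASSED"
    props = conf.get("properties")
    if not isinstance(props, dict):
        return "UNKNOWN"  # nothing to evaluate; do not pass silently and do not raise
    tier = props.get("pricingTier")
    if not isinstance(tier, str):
        return "UNKNOWN"
    if tier.startswith("[") and tier.endswith("]"):
        # ARM expression such as [parameters('pricing')]; not resolved here
        return "UNKNOWN"
    return "PASSED" if tier.lower() == "standard" else "FAILED"


def scan_template(template: dict[str, Any]) -> list[tuple[str, str]]:
    """(resource id, verdict) for every pricings resource in an ARM template.

    Ids follow the "<type>.<name>" shape used in the PR's test assertions.
    Resources of any other type are skipped, never judged.
    """
    verdicts: list[tuple[str, str]] = []
    for res in template.get("resources", []):
        if res.get("type") != PRICINGS_TYPE:
            continue
        verdicts.append((f"{res['type']}.{res.get('name')}", evaluate_pricing(res)))
    return verdicts


# Constructed sample template (not one of the PR's fixtures): a compliant
# Kubernetes plan, an out-of-scope Free plan, and an unrelated disk resource.
SAMPLE_TEMPLATE: dict[str, Any] = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {"pricing": {"type": "string", "allowedValues": ["Standard", "Free"]}},
  "resources": [
    {"type": "Microsoft.Security/pricings", "apiVersion": "2018-06-01",
     "name": "KubernetesService", "properties": {"pricingTier": "standard"}},
    {"type": "Microsoft.Security/pricings", "apiVersion": "2018-06-01",
     "name": "KeyVaults", "properties": {"pricingTier": "Free"}},
    {"type": "Microsoft.Compute/disks", "apiVersion": "2023-01-02", "name": "data1"}
  ]
}
""")


if __name__ == "__main__":
    for resource_id, verdict in scan_template(SAMPLE_TEMPLATE):
        print(f"{verdict:8} {resource_id}")
```

The tier comparison is case-insensitive, matching the `.lower()` in the PR's check, while the name comparison is exact, matching the literal `"KubernetesService"` the reviewers discuss; the `UNKNOWN` branch is the one behaviour the PR's check does not have.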