Merge pull request #546 from kubescape/remove-armobuiltin

remove from README.md
kubescape · Nov 26, 2023 · a569fa1 · a569fa1
2 parents 49b18f9 + 3b6827e
commit a569fa1
Show file tree

Hide file tree

Showing 513 changed files with 30 additions and 568 deletions.
diff --git a/.github/workflows/pr-tests.yaml b/.github/workflows/pr-tests.yaml
@@ -3,10 +3,7 @@ on:
   push:
     branches: [ master, main ]
   pull_request:
-    # run for every chnage in the PR
     types: [ opened, synchronize, reopened, ready_for_review ]
-    # Do not run the pipeline if only Markdown files changed
-    # paths-ignore: ['**.md']
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -15,43 +12,19 @@ concurrency:
 env:
   REGO_ARTIFACT_KEY_NAME: rego_artifact
   REGO_ARTIFACT_PATH: releaseDev
+  GH_ACCESS_TOKEN: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
 
 jobs:
-  # # testing link checks
-  # markdown-link-check:
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #     - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
-  #     - name: Check links
-  #       uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368
-  #       with:
-  #         use-verbose-mode: 'yes'
-
   # main job of testing and building the env.
   test_pr_checks:
-    # needs: [markdown-link-check]
     permissions:
       pull-requests: write
     uses: kubescape/workflows/.github/workflows/go-basic-tests.yaml@main
     with:
-      GO_VERSION: 1.19
+      GO_VERSION: '1.20'
       BUILD_PATH: github.com/kubescape/regolibrary/gitregostore/...
     secrets: inherit
 
-#   test-coverage:
-#     needs: [test_pr_checks]
-#     uses: kubescape/workflows/.github/workflows/coverage-check.yaml@main
-#     if: |
-#       ${{ (always() &&
-#       (contains(needs.*.result, 'success')) &&
-#       !(contains(needs.*.result, 'skipped')) &&
-#       !(contains(needs.*.result, 'failure')) &&
-#       !(contains(needs.*.result, 'cancelled'))) }}
-#     with:
-#       COVERAGELIMIT: "58"
-#       SHA: ${{ github.sha }}
-
-
   build-and-rego-test:
     name: Build and test rego artifacts
     runs-on: ubuntu-latest
@@ -61,27 +34,32 @@ jobs:
         !(contains(needs.*.result, 'skipped')) && 
         !(contains(needs.*.result, 'failure')) && 
         !(contains(needs.*.result, 'cancelled'))) }}
-    # needs: [test_pr_checks]
     outputs:
       REGO_ARTIFACT_KEY_NAME: ${{ steps.set_outputs.outputs.REGO_ARTIFACT_KEY_NAME }}
       REGO_ARTIFACT_PATH: ${{ steps.set_outputs.outputs.REGO_ARTIFACT_PATH }}
     steps:
-      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
+      - uses: actions/checkout@v4
         name: checkout repo content
         with:
-          token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+          token: ${{ env.GH_ACCESS_TOKEN }}
 
       # Test using Golang OPA hot rule compilation
       - name: Set up Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
+        uses: actions/setup-go@v4
         with:
-          go-version: 1.19
+          go-version: '1.20'
 
       # testing rego library
       - name: Test Regoes
         working-directory: testrunner
         run: |
-          apt update && apt install -y cmake
+          for i in {1..5}; do 
+              sudo apt update && break || sleep 15; 
+          done
+          for i in {1..5}; do 
+              sudo apt install -y cmake && break || sleep 15; 
+          done
+          echo "Using Go path: $(which go)"
           GOPATH=$(go env GOPATH) make
 
       - name: Set up Regal
@@ -159,9 +137,9 @@ jobs:
     runs-on: ubuntu-latest
     needs: [ks-and-rego-test]
     steps:
-      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
+      - uses: actions/checkout@v4
         name: checkout repo content
         with:
-          token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+          token: ${{ env.GH_ACCESS_TOKEN }}
       - name: Remove pre-release folder
         run: rm -r -f pre-release
diff --git a/README.md b/README.md
@@ -30,7 +30,6 @@ Example of a framework:
     "name": "DevOpsBest",
     "description": "This framework is recommended for use by devops.",
     "attributes": {
-      "armoBuiltin": true
     },
     "scanningScope": {
         "matches": [
@@ -53,7 +52,6 @@ Example of a framework:
     ]
 }
 ```
-* Attribute `"armoBuiltin": true` - mandatory for armo rules. Only ARMO team members are authorized to create builtin objects.
 * controlNames - List of controls to run, must be exact name. Use copy-paste to be sure.
 * `scanningScope` - this framework will run just if kubescape scan process match to the scope in the list.(for example the framework above will run if the running kubescape scan is for scanning cluster or file) - list of allowed scanning scope ``` [["cluster", "file"], ["cluster"], ["cloud"], ["GKE"], ["EKS"], ["AKS"]] ```. `cloud` meaning - will run just on managed cluster
 
@@ -67,7 +65,6 @@ Example of a control:
 {
     "name": "Pods in default namespace",
     "attributes": {
-        "armoBuiltin": true
     },
     "description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This control identifies all the pods running in the default namespace.",
     "remediation": "Create necessary namespaces and move all the pods from default namespace there.",
@@ -93,7 +90,6 @@ Example of a control:
    }
 }
 ```
-* Attribute `"armoBuiltin": true` - mandatory for armo rules. Only ARMO team members are authorized to create builtin objects.
 * `rulesNames` -  List of rules to run, must be exact name. Use copy-paste to be sure.
 * `scanningScope` - this control will run just if kubescape scan process match to the scope in the list.(for example the control above will run if the running kubescape scan is for scanning cluster or file) - list of allowed scanning scope ``` [["cluster", "file"], ["cluster"], ["cloud"], ["GKE"], ["EKS"], ["AKS"]] ```. `cloud` meaning - will run just on managed cluster
 * `category` - The category the control belongs to. Some controls may also define a `subCategory`. The available categories/sub categories are listed under the `mapCategoryNameToID.json` file, mapped to their respective IDs
@@ -115,7 +111,6 @@ Example of rule.metadata.json:
 {
     "name": "resources-cpu-limit-and-request",
     "attributes": {
-      "armoBuiltin": true
     },
     "ruleLanguage": "Rego",
     "match": [
@@ -145,7 +140,6 @@ Example of rule.metadata.json:
     "ruleQuery": "armo_builtins"
 }
 ```
-* Attribute `"armoBuiltin": true` - mandatory for armo rules. Only ARMO team members are authorized to create builtin objects.
 
 
 * See [rule go struct](https://github.com/kubescape/opa-utils/blob/master/reporthandling/datastructures.go#L37) for further explanations of rule fields

diff --git a/controls/C-0001-forbiddencontainerregistries.json b/controls/C-0001-forbiddencontainerregistries.json
@@ -1,7 +1,6 @@
 {
     "name": "Forbidden Container Registries",
     "attributes": {
-        "armoBuiltin": true,
         "microsoftMitreColumns": [
             "Initial Access"
         ],

diff --git a/controls/C-0002-execintocontainer.json b/controls/C-0002-execintocontainer.json
@@ -1,7 +1,6 @@
 {
     "name": "Exec into container",
     "attributes": {
-        "armoBuiltin": true,
         "microsoftMitreColumns": [
             "Execution"
         ],

diff --git a/controls/C-0004-resourcesmemorylimitandrequest.json b/controls/C-0004-resourcesmemorylimitandrequest.json
@@ -1,7 +1,6 @@
 {
     "name": "Resources memory limit and request",
     "attributes": {
-        "armoBuiltin": true,
         "controlTypeTags": [
             "compliance",
             "devops"

diff --git a/controls/C-0005-apiserverinsecureportisenabled.json b/controls/C-0005-apiserverinsecureportisenabled.json
@@ -1,7 +1,6 @@
 {
     "name": "API server insecure port is enabled",
     "attributes": {
-        "armoBuiltin": true,
         "controlTypeTags": [
             "security",
             "compliance"

diff --git a/controls/C-0007-datadestruction.json b/controls/C-0007-datadestruction.json
@@ -1,7 +1,6 @@
 {
     "name": "Data Destruction",
     "attributes": {
-        "armoBuiltin": true,
         "microsoftMitreColumns": [
             "Impact"
         ],

diff --git a/controls/C-0009-resourcelimits.json b/controls/C-0009-resourcelimits.json
@@ -1,7 +1,6 @@
 {
     "name": "Resource limits",
     "attributes": {
-        "armoBuiltin": true,
         "controlTypeTags": [
             "security"
         ],

diff --git a/controls/C-0012-applicationscredentialsinconfigurationfiles.json b/controls/C-0012-applicationscredentialsinconfigurationfiles.json
@@ -2,7 +2,6 @@
     "name": "Applications credentials in configuration files",
     "attributes": {
         "actionRequired": "configuration",
-        "armoBuiltin": true,
         "microsoftMitreColumns": [
             "Credential access",
             "Lateral Movement"

diff --git a/controls/C-0013-nonrootcontainers.json b/controls/C-0013-nonrootcontainers.json
@@ -1,7 +1,6 @@
 {
     "name": "Non-root containers",
     "attributes": {
-        "armoBuiltin": true,
         "controlTypeTags": [
             "security",
             "compliance"

diff --git a/controls/C-0014-accesskubernetesdashboard.json b/controls/C-0014-accesskubernetesdashboard.json
@@ -1,7 +1,6 @@
 {
     "name": "Access Kubernetes dashboard",
     "attributes": {
-        "armoBuiltin": true,
         "microsoftMitreColumns": [
             "Discovery",
             "Lateral Movement"

diff --git a/controls/C-0015-listkubernetessecrets.json b/controls/C-0015-listkubernetessecrets.json
@@ -1,7 +1,6 @@
 {
     "name": "List Kubernetes secrets",
     "attributes": {
-        "armoBuiltin": true,
         "microsoftMitreColumns": [
             "Credential access"
         ],

diff --git a/controls/C-0016-allowprivilegeescalation.json b/controls/C-0016-allowprivilegeescalation.json
@@ -1,7 +1,6 @@
 {
     "name": "Allow privilege escalation",
     "attributes": {
-        "armoBuiltin": true,
         "controlTypeTags": [
             "security",
             "compliance",

diff --git a/controls/C-0017-immutablecontainerfilesystem.json b/controls/C-0017-immutablecontainerfilesystem.json
@@ -1,7 +1,6 @@
 {
     "name": "Immutable container filesystem",
     "attributes": {
-        "armoBuiltin": true,
         "controlTypeTags": [
             "security",
             "compliance",

diff --git a/controls/C-0018-configuredreadinessprobe.json b/controls/C-0018-configuredreadinessprobe.json
@@ -1,7 +1,6 @@
 {
     "name": "Configured readiness probe",
     "attributes": {
-        "armoBuiltin": true,
         "controlTypeTags": [
             "devops"
         ]

diff --git a/controls/C-0020-mountserviceprincipal.json b/controls/C-0020-mountserviceprincipal.json
@@ -1,7 +1,6 @@
 {
     "name": "Mount service principal",
     "attributes": {
-        "armoBuiltin": true,
         "microsoftMitreColumns": [
             "Credential Access"
         ],

diff --git a/controls/C-0021-exposedsensitiveinterfaces.json b/controls/C-0021-exposedsensitiveinterfaces.json
@@ -2,7 +2,6 @@
     "name": "Exposed sensitive interfaces",
     "attributes": {
         "actionRequired": "configuration",
-        "armoBuiltin": true,
         "microsoftMitreColumns": [
             "Initial access"
         ],

diff --git a/controls/C-0026-kubernetescronjob.json b/controls/C-0026-kubernetescronjob.json
@@ -1,7 +1,6 @@
 {
     "name": "Kubernetes CronJob",
     "attributes": {
-        "armoBuiltin": true,
         "microsoftMitreColumns": [
             "Persistence"
         ],

diff --git a/controls/C-0030-ingressandegressblocked.json b/controls/C-0030-ingressandegressblocked.json
@@ -1,7 +1,6 @@
 {
     "name": "Ingress and Egress blocked",
     "attributes": {
-        "armoBuiltin": true,
         "controlTypeTags": [
             "compliance"
         ]

diff --git a/controls/C-0031-deletekubernetesevents.json b/controls/C-0031-deletekubernetesevents.json
@@ -1,7 +1,6 @@
 {
     "name": "Delete Kubernetes events",
     "attributes": {
-        "armoBuiltin": true,
         "microsoftMitreColumns": [
             "Defense evasion"
         ],

diff --git a/controls/C-0034-automaticmappingofserviceaccount.json b/controls/C-0034-automaticmappingofserviceaccount.json
@@ -1,7 +1,6 @@
 {
     "name": "Automatic mapping of service account",
     "attributes": {
-        "armoBuiltin": true,
         "controlTypeTags": [
             "security",
             "compliance",

diff --git a/controls/C-0035-clusteradminbinding.json b/controls/C-0035-clusteradminbinding.json
@@ -1,7 +1,6 @@
 {
     "name": "Cluster-admin binding",
     "attributes": {
-        "armoBuiltin": true,
         "microsoftMitreColumns": [
             "Privilege escalation"
         ],

diff --git a/controls/C-0036-maliciousadmissioncontrollervalidating.json b/controls/C-0036-maliciousadmissioncontrollervalidating.json
@@ -1,7 +1,6 @@
 {
     "name": "Validate admission controller (validating)",
     "attributes": {
-        "armoBuiltin": true,
         "microsoftMitreColumns": [
             "Credential access"
         ],

diff --git a/controls/C-0037-corednspoisoning.json b/controls/C-0037-corednspoisoning.json
@@ -1,7 +1,6 @@
 {
     "name": "CoreDNS poisoning",
     "attributes": {
-        "armoBuiltin": true,
         "microsoftMitreColumns": [
             "Lateral Movement"
         ],

diff --git a/controls/C-0038-hostpidipcprivileges.json b/controls/C-0038-hostpidipcprivileges.json
@@ -1,7 +1,6 @@
 {
     "name": "Host PID/IPC privileges",
     "attributes": {
-        "armoBuiltin": true,
         "controlTypeTags": [
             "security",
             "compliance"

diff --git a/controls/C-0039-maliciousadmissioncontrollermutating.json b/controls/C-0039-maliciousadmissioncontrollermutating.json
@@ -1,7 +1,6 @@
 {
     "name": "Validate admission controller (mutating)",
     "attributes": {
-        "armoBuiltin": true,
         "microsoftMitreColumns": [
             "Persistence"
         ],

diff --git a/controls/C-0041-hostnetworkaccess.json b/controls/C-0041-hostnetworkaccess.json
@@ -1,7 +1,6 @@
 {
     "name": "HostNetwork access",
     "attributes": {
-        "armoBuiltin": true,
         "controlTypeTags": [
             "security",
             "compliance"

diff --git a/controls/C-0042-sshserverrunninginsidecontainer.json b/controls/C-0042-sshserverrunninginsidecontainer.json
@@ -1,7 +1,6 @@
 {
     "name": "SSH server running inside container",
     "attributes": {
-        "armoBuiltin": true,
         "microsoftMitreColumns": [
             "Execution"
         ],

diff --git a/controls/C-0044-containerhostport.json b/controls/C-0044-containerhostport.json
@@ -1,7 +1,6 @@
 {
     "name": "Container hostPort",
     "attributes": {
-        "armoBuiltin": true,
         "controlTypeTags": [
             "security",
             "compliance",

diff --git a/controls/C-0045-writablehostpathmount.json b/controls/C-0045-writablehostpathmount.json
@@ -1,7 +1,6 @@
 {
     "name": "Writable hostPath mount",
     "attributes": {
-        "armoBuiltin": true,
         "microsoftMitreColumns": [
             "Persistence",
             "Lateral Movement"

diff --git a/controls/C-0046-insecurecapabilities.json b/controls/C-0046-insecurecapabilities.json
@@ -2,7 +2,6 @@
     "name": "Insecure capabilities",
     "attributes": {
         "actionRequired": "configuration",
-        "armoBuiltin": true,
         "controlTypeTags": [
             "security",
             "compliance",

diff --git a/controls/C-0048-hostpathmount.json b/controls/C-0048-hostpathmount.json
@@ -1,7 +1,6 @@
 {
     "name": "HostPath mount",
     "attributes": {
-        "armoBuiltin": true,
         "microsoftMitreColumns": [
             "Privilege escalation"
         ],