id: k8s-network-ingress-rules

info:
  name: Define network ingress rules
  author: princechaddha
  severity: medium
  description: Checks if Kubernetes network policies define specific ingress rules, which can help secure network communication within the cluster.
  impact: |
    Without specific ingress rules defined in network policies, unintended traffic may access pods within the Kubernetes cluster, increasing the risk of malicious activity.
  remediation: |
    Define specific ingress rules in all network policies to control the flow of inbound traffic to pods, ensuring only authorized traffic can access cluster resources.
  reference:
    - https://kubernetes.io/docs/concepts/services-networking/network-policies/
  tags: cloud,devops,kubernetes,security,k8s,k8s-cluster-security

flow: |
  code(1);
  for (let policy of template.items) {
    set("policy", policy)
    javascript(1);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: kubectl get networkpolicies --all-namespaces --output=json
    extractors:
      - type: json
        name: items
        internal: true
        json:
          - '.items[] | {policy: .metadata.name, ingress: .spec.ingress}'

javascript:
  - code: |
        let policyData = JSON.parse(template.policy);
        if (!policyData.ingress || policyData.ingress.length === 0) {
          let result = `Network policy '${policyData.policy}' does not define any ingress rules.`;
          Export(result);
        }

    extractors:
      - type: dsl
        dsl:
          - response
# digest: 4a0a00473045022100d225b4ed37ec5deb1b364b52b2db205bffb08d4c712940221be0d4a24c471f75022025482dd2adbab336f0b0dda3ed30272390ddd93780dd1cd41d6f6e1ceea8e096:922c64590222798bb761d5b6d8e72950