feat: combine multiple image registry checks into one (#391)

Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com>

Author: nikpivkin

avd_docs/kubernetes/general/AVD-KSV-0125/docs.md

@@ -0,0 +1,15 @@
+
+Ensure that all containers use images only from trusted registry domains.
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://cloud.google.com/container-registry/docs/overview#registries
+
+- https://docs.aws.amazon.com/general/latest/gr/ecr.html
+
+

checks/kubernetes/uses_untrusted_azure_registry.rego

@@ -10,6 +10,7 @@
 #   severity: MEDIUM
 #   short_code: use-azure-image-prefix
 #   recommended_action: "Use images from trusted Azure registries."
+#   deprecated: true
 #   input:
 #     selector:
 #     - type: kubernetes

checks/kubernetes/uses_untrusted_ecr_registry.rego

@@ -10,6 +10,7 @@
 #   severity: MEDIUM
 #   short_code: no-untrusted-ecr-domain
 #   recommended_action: "Container image should be used from Amazon container Registry"
+#   deprecated: true
 #   input:
 #     selector:
 #     - type: kubernetes

checks/kubernetes/uses_untrusted_gcr_registry.rego

@@ -10,6 +10,7 @@
 #   severity: MEDIUM
 #   short_code: use-gcr-domain
 #   recommended_action: "Use images from trusted GCR registries."
+#   deprecated: true
 #   input:
 #     selector:
 #     - type: kubernetes

checks/kubernetes/uses_untrusted_public_registries.rego

@@ -10,6 +10,7 @@
 #   severity: MEDIUM
 #   short_code: no-public-registries
 #   recommended_action: "Use images from private registries."
+#   deprecated: true
 #   input:
 #     selector:
 #     - type: kubernetes

checks/kubernetes/uses_untrusted_registry.rego

@@ -0,0 +1,96 @@
+# METADATA
+# title: Restrict container images to trusted registries
+# description: Ensure that all containers use images only from trusted registry domains.
+# scope: package
+# schemas:
+# - input: schema.kubernetes
+# related_resources:
+# - https://cloud.google.com/container-registry/docs/overview#registries
+# - https://docs.aws.amazon.com/general/latest/gr/ecr.html
+# custom:
+#   id: KSV0125
+#   avd_id: AVD-KSV-0125
+#   severity: MEDIUM
+#   short_code: use-trusted-registry
+#   recommended_action: Use images from trusted registries.
+#   input:
+#     selector:
+#     - type: kubernetes
+#       subtypes:
+#         - kind: pod
+#         - kind: replicaset
+#         - kind: replicationcontroller
+#         - kind: deployment
+#         - kind: deploymentconfig
+#         - kind: statefulset
+#         - kind: daemonset
+#         - kind: cronjob
+#         - kind: job
+package builtin.kubernetes.KSV0125
+
+import rego.v1
+
+import data.lib.kubernetes
+
+import data.ksv0125
+
+azure_registries := {"azurecr.io"}
+
+ecr_registries := {
+	"ecr.us-east-2.amazonaws.com",
+	"ecr.us-east-1.amazonaws.com",
+	"ecr.us-west-1.amazonaws.com",
+	"ecr.us-west-2.amazonaws.com",
+	"ecr.af-south-1.amazonaws.com",
+	"ecr.ap-east-1.amazonaws.com",
+	"ecr.ap-south-1.amazonaws.com",
+	"ecr.ap-northeast-2.amazonaws.com",
+	"ecr.ap-southeast-1.amazonaws.com",
+	"ecr.ap-southeast-2.amazonaws.com",
+	"ecr.ap-northeast-1.amazonaws.com",
+	"ecr.ca-central-1.amazonaws.com",
+	"ecr.cn-north-1.amazonaws.com.cn",
+	"ecr.cn-northwest-1.amazonaws.com.cn",
+	"ecr.eu-central-1.amazonaws.com",
+	"ecr.eu-west-1.amazonaws.com",
+	"ecr.eu-west-2.amazonaws.com",
+	"ecr.eu-south-1.amazonaws.com",
+	"ecr.eu-west-3.amazonaws.com",
+	"ecr.eu-north-1.amazonaws.com",
+	"ecr.me-south-1.amazonaws.com",
+	"ecr.sa-east-1.amazonaws.com",
+	"ecr.us-gov-east-1.amazonaws.com",
+	"ecr.us-gov-west-1.amazonaws.com",
+}
+
+# list of trusted GCR registries
+gcr_registries := {
+	"gcr.io",
+	"us.gcr.io",
+	"eu.gcr.io",
+	"asia.gcr.io",
+}
+
+default_trusted_registries := (azure_registries | ecr_registries) | gcr_registries
+
+all_trusted_registires := ksv0125.trusted_registries if {
+	count(ksv0125.trusted_registries) > 0
+} else := default_trusted_registries
+
+container_image_from_trusted_registry(container) if {
+	image_parts := split(container.image, "/")
+	count(image_parts) > 1
+	registry = image_parts[0]
+	some trusted in all_trusted_registires
+	endswith(registry, trusted)
+}
+
+deny contains res if {
+	some container in kubernetes.containers
+	not container_image_from_trusted_registry(container)
+	msg := kubernetes.format(sprintf(
+		"Container %s in %s %s (namespace: %s) uses an image from an untrusted registry.",
+		[container.name, lower(kubernetes.kind), kubernetes.name, kubernetes.namespace],
+	))
+	res := result.new(msg, container)
+}

checks/kubernetes/uses_untrusted_registry_test.rego

@@ -0,0 +1,66 @@
+package builtin.kubernetes.KSV0125_test
+
+import data.builtin.kubernetes.KSV0125 as check
+
+import rego.v1
+
+test_check_registry[name] if {
+	some name, tc in {
+		"trusted registry": {
+			"image": "gcr.io/test:latest",
+			"expected": 0,
+		},
+		"untrusted registry": {
+			"image": "foo.io/test:latest",
+			"expected": 1,
+		},
+	}
+
+	inp := {
+		"apiVersion": "batch/v1",
+		"kind": "Job",
+		"metadata": {
+			"name": "test",
+			"namespace": "test",
+		},
+		"spec": {"template": {"spec": {"containers": [{
+			"name": "test",
+			"image": tc.image,
+		}]}}},
+	}
+
+	res := check.deny with input as inp
+
+	count(res) == tc.expected
+}
+
+test_check_registry_custom_registries[name] if {
+	some name, tc in {
+		"trusted registry": {
+			"image": "foo.io/test:latest",
+			"expected": 0,
+		},
+		"untrusted registry": {
+			"image": "gcr.io/test:latest",
+			"expected": 1,
+		},
+	}
+
+	inp := {
+		"apiVersion": "batch/v1",
+		"kind": "Job",
+		"metadata": {
+			"name": "test",
+			"namespace": "test",
+		},
+		"spec": {"template": {"spec": {"containers": [{
+			"name": "test",
+			"image": tc.image,
+		}]}}},
+	}
+
+	res := check.deny with input as inp
+		with data.ksv0125.trusted_registries as ["foo.io"]
+
+	count(res) == tc.expected
+}