From 2e834c28939bc05fca5445a10712ff786ae2ef4e Mon Sep 17 00:00:00 2001
From: Nikita Pivkin
Date: Tue, 14 Jan 2025 17:06:12 +0600
Subject: [PATCH] fix(checks): dedupe KSV030 results
Signed-off-by: Nikita Pivkin
---
 ...ntime_default_seccomp_profile_not_set.rego | 62 +++++-------------
 ..._default_seccomp_profile_not_set_test.rego | 25 +++++++-
 2 files changed, 40 insertions(+), 47 deletions(-)
diff --git a/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego b/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego
index 6e036c7c..59d406d7 100644
--- a/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego
+++ b/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set.rego
@@ -32,67 +32,37 @@ import rego.v1
 import data.lib.kubernetes
 import data.lib.utils
-get_seccomp_profile_type(target) := object.get(target, ["securityContext", "seccompProfile", "type"], "")
-
-is_valid_profile_type(target) if get_seccomp_profile_type(target) in {"RuntimeDefault", "Localhost"}
+seccomp_pod_annotation_key := "seccomp.security.alpha.kubernetes.io/pod"
-is_undefined_profile_type(target) if not is_defined_profile_type(target)
-
-is_defined_profile_type(target) if get_seccomp_profile_type(target) != ""
-
-get_annotations contains type if {
- annotation := kubernetes.annotations[_]
- type := annotation["seccomp.security.alpha.kubernetes.io/pod"]
-}
-
-has_annotations if count(get_annotations) > 0
-
-fail_seccomp_annotation contains annotation if {
+non_runtime_default_seccomp_annotations := {annotation |
 some annotation in kubernetes.annotations
- val := annotation["seccomp.security.alpha.kubernetes.io/pod"]
- val != "runtime/default"
+ "runtime/default" != annotation[seccomp_pod_annotation_key]
 }
 # annotations (Kubernetes pre-v1.19)
 deny contains res if {
- some cause in fail_seccomp_annotation
- msg := "seccomp.security.alpha.kubernetes.io/pod should be set to 'runtime/default'"
- res := result.new(msg, cause)
+ some cause in non_runtime_default_seccomp_annotations
+ res := result.new(
+ sprintf("%s should be set to 'runtime/default'", [seccomp_pod_annotation_key]),
+ cause,
+ )
 }
 # (Kubernetes post-v1.19)
-is_defined_on_pod if count(definedPods) > 0
+has_seccomp_annotation(pod) if pod.metadata.annotations[seccomp_pod_annotation_key]
-definedPods := {pod |
- some pod in kubernetes.pods
- not is_undefined_profile_type(pod.spec)
-}
+get_seccomp_profile_type(target) := object.get(target, ["securityContext", "seccompProfile", "type"], "")
+
+is_valid_profile_type(target) if get_seccomp_profile_type(target) in {"RuntimeDefault", "Localhost"}
 # deny if container-level is undefined and pod-level is undefined
 deny contains res if {
- not has_annotations
- not 
is_defined_on_pod
- container := kubernetes.containers[_]
- is_undefined_profile_type(container)
- msg := "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'"
- res := result.new(msg, container)
-}
+ some pod in kubernetes.pods
+ not has_seccomp_annotation(pod)
-# deny if container-level is bad
-deny contains res if {
- container := kubernetes.containers[_]
- not is_undefined_profile_type(container)
+ some container in kubernetes.pod_containers(pod)
 not is_valid_profile_type(container)
- msg := "Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'"
+ msg := "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'"
 res := result.new(msg, container)
 }
-
-# deny if pod-level is bad
-deny contains res if {
- pod := kubernetes.pods[_]
- not is_undefined_profile_type(pod.spec)
- not is_valid_profile_type(pod.spec)
- msg := "Pod should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'"
- res := result.new(msg, pod.spec)
-}
diff --git a/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set_test.rego b/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set_test.rego
index 24483d03..0ede8ea5 100644
--- a/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set_test.rego
+++ b/checks/kubernetes/pss/restricted/5_runtime_default_seccomp_profile_not_set_test.rego
@@ -23,7 +23,7 @@ test_pod_context_custom_profile_denied if {
 },
 }
- count(r) == 2
+ count(r) == 1
 }
 test_both_undefined_type_denied if {
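Review bot: The rewritten second `deny` rule judges each container solely by its own `securityContext.seccompProfile.type`, so unless `kubernetes.pod_containers(pod)` folds the pod-level securityContext into each container (not visible in this hunk), a pod that sets `RuntimeDefault` only at `pod.spec.securityContext` and leaves its containers unset now produces a finding that the removed `not is_defined_on_pod` guard and the removed pod-level rule used to handle. Kubernetes applies the pod-level profile to every container that does not override it, so the value to test is the container's type when non-empty and `pod.spec`'s otherwise, e.g. `effective_profile_type(pod, c) := t if { t := get_seccomp_profile_type(c); t != "" } else := get_seccomp_profile_type(pod.spec)`, and then `not effective_profile_type(pod, container) in {"RuntimeDefault", "Localhost"}` in place of `not is_valid_profile_type(container)`. Separately, `not has_seccomp_annotation(pod)` skips the securityContext rule whenever the annotation key merely exists, so an annotation of `runtime/default` combined with a securityContext type of `Unconfined` yields no finding even though clusters after v1.19 honour the securityContext rather than the annotation; if that exemption is intentional, a comment such as `# a present annotation is treated as the pod's seccomp declaration; the securityContext is not cross-checked` on the rule would make the gap explicit. Also, `has_seccomp_annotation` reads `pod.metadata.annotations` while the annotation rule reads `kubernetes.annotations`; if those resolve to different objects for templated workloads the two rules can disagree, which is worth a comment either way.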
@@ -168,6 +168,29 @@ test_container_context_runtime_default_allowed if {
 count(r) == 0
 }
+test_pod_context_runtime_default_is_overrided_allowed if {
+ r := deny with input as {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {"name": "hello-seccomp"},
+ "spec": {
+ "securityContext": {"seccompProfile": {"type": "Unconfined"}},
+ "containers": [{
+ "command": [
+ "sh",
+ "-c",
+ "echo 'Hello' && sleep 1h",
+ ],
+ "image": "busybox",
+ "name": "hello",
+ "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
+ }],
+ },
+ }
+
+ count(r) == 0
+}
+
 test_annotation_allowed if {
 r := deny with input as {
 "apiVersion": "v1",
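Review bot: The new test's name, `test_pod_context_runtime_default_is_overrided_allowed`, misspells the participle; `test_pod_context_runtime_default_is_overridden_allowed` matches the naming style of the surrounding tests. The case it pins (pod-level `Unconfined`, container-level `RuntimeDefault`, no finding) is the right one for the rewritten rule, but the mirror case — pod-level `RuntimeDefault` with the container's securityContext left unset — is where the rewrite's reliance on per-container values matters most, so if the file does not already cover it, a test expecting `count(r) == 0` for that input would guard it. A case with the annotation set to `runtime/default` alongside a securityContext type of `Unconfined` would likewise document what the annotation exemption in the check is meant to do.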