diff --git a/.github/workflows/01-golang-lint.yaml b/.github/workflows/01-golang-lint.yaml index 89af89d5..48f0641e 100644 --- a/.github/workflows/01-golang-lint.yaml +++ b/.github/workflows/01-golang-lint.yaml @@ -20,7 +20,7 @@ jobs: steps: - uses: actions/setup-go@v3 with: - go-version: 1.18 + go-version: 1.19 - uses: actions/checkout@v3 with: submodules: recursive diff --git a/core/cautils/getter/getpoliciesutils.go b/core/cautils/getter/getpoliciesutils.go index 0069cbcf..8a105711 100644 --- a/core/cautils/getter/getpoliciesutils.go +++ b/core/cautils/getter/getpoliciesutils.go @@ -2,7 +2,6 @@ package getter import ( "bytes" - "encoding/json" "fmt" "io" "net/http" @@ -41,13 +40,6 @@ func SaveInFile(policy interface{}, pathStr string) error { return nil } -// JSONDecoder returns JSON decoder for given string -func JSONDecoder(origin string) *json.Decoder { - dec := json.NewDecoder(strings.NewReader(origin)) - dec.UseNumber() - return dec -} - func HttpDelete(httpClient *http.Client, fullURL string, headers map[string]string) (string, error) { req, err := http.NewRequest("DELETE", fullURL, nil) @@ -66,6 +58,7 @@ func HttpDelete(httpClient *http.Client, fullURL string, headers map[string]stri } return respStr, nil } + func HttpGetter(httpClient *http.Client, fullURL string, headers map[string]string) (string, error) { req, err := http.NewRequest("GET", fullURL, nil) diff --git a/core/cautils/getter/json.go b/core/cautils/getter/json.go new file mode 100644 index 00000000..38557ebb --- /dev/null +++ b/core/cautils/getter/json.go 
@@ -0,0 +1,26 @@ +package getter + +import ( + "strings" + + stdjson "encoding/json" + + jsoniter "github.com/json-iterator/go" +) + +var ( + json jsoniter.API +) + +func init() { + // NOTE(fredbi): attention, this configuration rounds floats down to 6 digits + // For finer-grained config, see: https://pkg.go.dev/github.com/json-iterator/go#section-readme + json = jsoniter.ConfigFastest +} + +// JSONDecoder returns JSON decoder for given string +func JSONDecoder(origin string) *stdjson.Decoder { + dec := stdjson.NewDecoder(strings.NewReader(origin)) + dec.UseNumber() + return dec +} diff --git a/core/cautils/getter/json_test.go b/core/cautils/getter/json_test.go new file mode 100644 index 00000000..6af037c7 --- /dev/null +++ b/core/cautils/getter/json_test.go @@ -0,0 +1,32 @@ +package getter + +import ( + "testing" + + "github.com/stretchr/testify/require" +) + +func TestJSONDecoder(t *testing.T) { + t.Run("should decode json string", func(t *testing.T) { + const input = `"xyz"` + d := JSONDecoder(input) + var receiver string + require.NoError(t, d.Decode(&receiver)) + require.Equal(t, "xyz", receiver) + }) + + t.Run("should decode json number", func(t *testing.T) { + const input = `123.01` + d := JSONDecoder(input) + var receiver float64 + require.NoError(t, d.Decode(&receiver)) + require.Equal(t, 123.01, receiver) + }) + + t.Run("requires json quotes", func(t *testing.T) { + const input = `xyz` + d := JSONDecoder(input) + var receiver string + require.Error(t, d.Decode(&receiver)) + }) +} diff --git a/core/cautils/getter/kscloudapi.go b/core/cautils/getter/kscloudapi.go index b01ab640..210a7273 100644 --- a/core/cautils/getter/kscloudapi.go +++ b/core/cautils/getter/kscloudapi.go @@ -2,7 +2,6 @@ package getter import ( "bytes" - "encoding/json" "fmt" "io" "net/http" diff --git a/core/cautils/getter/kscloudapiutils.go b/core/cautils/getter/kscloudapiutils.go index e24d5187..68c4f2b3 100644 --- a/core/cautils/getter/kscloudapiutils.go 
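Review bot: The package-level `json` is declared as `var ( json jsoniter.API )` and only assigned inside `init()`, so any package-level variable initializer in this package that calls `json.Marshal` or `json.Unmarshal` runs before `init()` and would hit a nil interface; assigning at declaration, `var json jsoniter.API = jsoniter.ConfigFastest`, removes both the ordering hazard and the `init()` function. Because getpoliciesutils.go, kscloudapi.go and kscloudapiutils.go drop their `encoding/json` imports in this same commit, every `json.` call in those files now silently resolves to this variable, so the request/response (de)serialization against the cloud API inherits ConfigFastest's semantics, not just the local policy loading. The comment only mentions the 6-digit float rounding; as I recall ConfigFastest also turns off HTML escaping of marshaled strings, which is worth stating for anyone who later renders these payloads, e.g. `// ConfigFastest: floats limited to 6 digits, no HTML escaping in output; JSONDecoder deliberately stays on encoding/json for UseNumber.` Nothing in json_test.go exercises the jsoniter path; a round-trip of a float through `json.Marshal` would pin the precision loss being accepted here.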
+++ b/core/cautils/getter/kscloudapiutils.go @@ -2,7 +2,6 @@ package getter import ( "bytes" - "encoding/json" "fmt" "net/http" "net/url" diff --git a/core/cautils/getter/loadpolicy.go b/core/cautils/getter/loadpolicy.go index 975dfc33..485e6b9a 100644 --- a/core/cautils/getter/loadpolicy.go +++ b/core/cautils/getter/loadpolicy.go @@ -1,7 +1,7 @@ package getter import ( - "encoding/json" + "errors" "fmt" "os" "path/filepath" @@ -15,7 +15,19 @@ import ( // ======================================================================================================================= // ============================================== LoadPolicy ============================================================= // ======================================================================================================================= -var DefaultLocalStore = getCacheDir() +var ( + DefaultLocalStore = getCacheDir() + + ErrNotImplemented = errors.New("feature is currently not supported") + ErrNotFound = errors.New("name not found") + ErrNameRequired = errors.New("missing required input framework name") + ErrIDRequired = errors.New("missing required input control ID") + ErrFrameworkNotMatching = errors.New("framework from file not matching") + ErrControlNotMatching = errors.New("framework from file not matching") + + _ IPolicyGetter = &LoadPolicy{} + _ IExceptionsGetter = &LoadPolicy{} +) func getCacheDir() string { defaultDirPath := ".kubescape" @@ -25,11 +37,12 @@ func getCacheDir() string { return defaultDirPath } -// Load policies from a local repository +// LoadPolicy loads policies from a local repository. type LoadPolicy struct { filePaths []string } +// NewLoadPolicy builds a LoadPolicy. func NewLoadPolicy(filePaths []string) *LoadPolicy { return &LoadPolicy{ filePaths: filePaths, 
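Review bot: `ErrControlNotMatching` is declared with the text `"framework from file not matching"`, identical to `ErrFrameworkNotMatching`, so the error that `GetControl` wraps when a control ID is found in neither descriptor reads as a framework problem; this looks like a copy-paste slip. Change it to `ErrControlNotMatching = errors.New("control from file not matching")`, which is the message the removed code produced. The `errors.Is` checks in the tests still pass either way, but CLI output and anyone matching on the string are currently misled. `ErrNotImplemented` and `ErrNotFound` are declared here but not referenced anywhere in this diff; if nothing outside the hunks uses them they are dead sentinels.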
@@ -38,122 +51,210 @@ func NewLoadPolicy(filePaths []string) *LoadPolicy { // GetControl returns a control from the policy file. func (lp *LoadPolicy) GetControl(controlID string) (*reporthandling.Control, error) { - control := &reporthandling.Control{} - filePath := lp.filePath() + if controlID == "" { + return nil, ErrIDRequired + } - f, err := os.ReadFile(filePath) + // NOTE: this assumes that only the first path contains either a valid control descriptor or a framework descriptor + filePath := lp.filePath() + buf, err := os.ReadFile(filePath) if err != nil { return nil, err } - if err = json.Unmarshal(f, control); err != nil { - return control, err + // check if the file is a control descriptor: a ControlID field is populated. + var control reporthandling.Control + if err = json.Unmarshal(buf, &control); err == nil && control.ControlID != "" { + if strings.EqualFold(controlID, control.ControlID) { + return &control, nil + } + + return nil, fmt.Errorf("controlID: %s: %w", controlID, ErrControlNotMatching) } - if controlID == "" || strings.EqualFold(controlID, control.ControlID) { - return control, nil - } - - framework, err := lp.GetFramework(control.Name) - if err != nil { - return nil, fmt.Errorf("control from file not matching") + // check if the file is a framework descriptor + var framework reporthandling.Framework + if err = json.Unmarshal(buf, &framework); err != nil { + return nil, err } for _, toPin := range framework.Controls { ctrl := toPin - if strings.EqualFold(ctrl.ControlID, controlID) { - control = &ctrl - break + if strings.EqualFold(ctrl.ControlID, controlID) { + return &ctrl, nil } } - return control, nil + return nil, fmt.Errorf("controlID: %s: %w", controlID, ErrControlNotMatching) } -// GetFramework retrieves a framework configuration from the policy. +// GetFramework retrieves a framework configuration from the policy paths. 
func (lp *LoadPolicy) GetFramework(frameworkName string) (*reporthandling.Framework, error) { if frameworkName == "" { - return &reporthandling.Framework{}, nil + return nil, ErrNameRequired } for _, filePath := range lp.filePaths { - f, err := os.ReadFile(filePath) + buf, err := os.ReadFile(filePath) if err != nil { return nil, err } - var fw reporthandling.Framework - if err = json.Unmarshal(f, &fw); err != nil { + var framework reporthandling.Framework + if err = json.Unmarshal(buf, &framework); err != nil { return nil, err } - if strings.EqualFold(frameworkName, fw.Name) { - return &fw, nil + if strings.EqualFold(frameworkName, framework.Name) { + return &framework, nil } } - return nil, fmt.Errorf("framework from file not matching") + return nil, fmt.Errorf("framework: %s: %w", frameworkName, ErrFrameworkNotMatching) } +// GetFrameworks returns all configured framework descriptors. func (lp *LoadPolicy) GetFrameworks() ([]reporthandling.Framework, error) { - frameworks := []reporthandling.Framework{} - var err error - return frameworks, err -} - -func (lp *LoadPolicy) ListFrameworks() ([]string, error) { - fwNames := []string{} - framework := &reporthandling.Framework{} + frameworks := make([]reporthandling.Framework, 0, 10) + seenFws := make(map[string]struct{}) for _, f := range lp.filePaths { - file, err := os.ReadFile(f) - if err == nil { - if err := json.Unmarshal(file, framework); err == nil { - if !contains(fwNames, framework.Name) { - fwNames = append(fwNames, framework.Name) - } - } + buf, err := os.ReadFile(f) + if err != nil { + return nil, err } + + var framework reporthandling.Framework + if err = json.Unmarshal(buf, &framework); err != nil { + // ignore invalid framework files + continue + } + + // dedupe + _, alreadyLoaded := seenFws[framework.Name] + if alreadyLoaded { + continue + } + + seenFws[framework.Name] = struct{}{} + frameworks = append(frameworks, framework) } - return fwNames, nil + return frameworks, nil } +// ListFrameworks lists 
the names of all configured frameworks in this policy. +func (lp *LoadPolicy) ListFrameworks() ([]string, error) { + frameworkNames := make([]string, 0, 10) + + for _, f := range lp.filePaths { + buf, err := os.ReadFile(f) + if err != nil { + return nil, err + } + + var framework reporthandling.Framework + if err := json.Unmarshal(buf, &framework); err != nil { + continue + } + + if contains(frameworkNames, framework.Name) { + continue + } + + frameworkNames = append(frameworkNames, framework.Name) + } + + return frameworkNames, nil +} + +// ListControls returns the list of controls for this framework. +// +// At this moment, controls are listed for one single configured framework. func (lp *LoadPolicy) ListControls() ([]string, error) { - // TODO - Support - return []string{}, fmt.Errorf("loading controls list from file is not supported") -} - -func (lp *LoadPolicy) GetExceptions(clusterName string) ([]armotypes.PostureExceptionPolicy, error) { + controlIDs := make([]string, 0, 100) filePath := lp.filePath() - exception := []armotypes.PostureExceptionPolicy{} - f, err := os.ReadFile(filePath) + buf, err := os.ReadFile(filePath) if err != nil { return nil, err } - err = json.Unmarshal(f, &exception) + var framework reporthandling.Framework + if err = json.Unmarshal(buf, &framework); err != nil { + return nil, err + } + + for _, ctrl := range framework.Controls { + controlIDs = append(controlIDs, ctrl.ControlID) + } + + return controlIDs, nil +} + +// GetExceptions retrieves configured exceptions. +// +// NOTE: the cluster parameter is not used at this moment. 
+func (lp *LoadPolicy) GetExceptions(_ /* clusterName */ string) ([]armotypes.PostureExceptionPolicy, error) { + // NOTE: this assumes that the first path contains a valid exceptions descriptor + filePath := lp.filePath() + + buf, err := os.ReadFile(filePath) + if err != nil { + return nil, err + } + + exception := make([]armotypes.PostureExceptionPolicy, 0, 300) + err = json.Unmarshal(buf, &exception) + return exception, err } -func (lp *LoadPolicy) GetControlsInputs(clusterName string) (map[string][]string, error) { +// GetControlsInputs retrieves the map of control configs. +// +// NOTE: the cluster parameter is not used at this moment. +func (lp *LoadPolicy) GetControlsInputs(_ /* clusterName */ string) (map[string][]string, error) { + // NOTE: this assumes that only the first path contains a valid control inputs descriptor filePath := lp.filePath() - accountConfig := &armotypes.CustomerConfig{} - f, err := os.ReadFile(filePath) fileName := filepath.Base(filePath) + + buf, err := os.ReadFile(filePath) if err != nil { - formattedError := fmt.Errorf("Error opening %s file, \"controls-config\" will be downloaded from ARMO management portal", fileName) + formattedError := fmt.Errorf( + `Error opening %s file, "controls-config" will be downloaded from ARMO management portal`, + fileName, + ) + return nil, formattedError } - if err = json.Unmarshal(f, &accountConfig.Settings.PostureControlInputs); err == nil { - return accountConfig.Settings.PostureControlInputs, nil + controlInputs := make(map[string][]string, 100) // from armotypes.Settings.PostureControlInputs + if err = json.Unmarshal(buf, &controlInputs); err != nil { + formattedError := fmt.Errorf( + `Error reading %s file, %v, "controls-config" will be downloaded from ARMO management portal`, + fileName, err, + ) + + return nil, formattedError } - formattedError := fmt.Errorf("Error reading %s file, %s, \"controls-config\" will be downloaded from ARMO management portal", fileName, err.Error()) + return 
controlInputs, nil +} - return nil, formattedError +// GetAttackTracks yields the attack tracks from a config file. +func (lp *LoadPolicy) GetAttackTracks() ([]v1alpha1.AttackTrack, error) { + attackTracks := make([]v1alpha1.AttackTrack, 0, 20) + + buf, err := os.ReadFile(lp.filePath()) + if err != nil { + return nil, err + } + + if err = json.Unmarshal(buf, &attackTracks); err != nil { + return nil, err + } + + return attackTracks, nil } // temporary support for a list of files @@ -163,18 +264,3 @@ func (lp *LoadPolicy) filePath() string { } return "" } - -func (lp *LoadPolicy) GetAttackTracks() ([]v1alpha1.AttackTrack, error) { - attackTracks := []v1alpha1.AttackTrack{} - - f, err := os.ReadFile(lp.filePath()) - - if err != nil { - return nil, err - } - - if err := json.Unmarshal(f, &attackTracks); err != nil { - return nil, err - } - return attackTracks, nil -} diff --git a/core/cautils/getter/loadpolicy_test.go b/core/cautils/getter/loadpolicy_test.go index af31e74a..92e38aa0 100644 --- a/core/cautils/getter/loadpolicy_test.go +++ b/core/cautils/getter/loadpolicy_test.go @@ -2,6 +2,7 @@ package getter import ( "fmt" + "os" "path/filepath" "testing" @@ -14,14 +15,13 @@ func MockNewLoadPolicy() *LoadPolicy { } } -func testFrameworkFile(framework string) string { - return filepath.Join(".", "testdata", fmt.Sprintf("%s.json", framework)) -} - func TestLoadPolicy(t *testing.T) { t.Parallel() - const testFramework = "MITRE" + const ( + testFramework = "MITRE" + testControl = "C-0053" + ) t.Run("with GetFramework", func(t *testing.T) { t.Run("should retrieve named framework", func(t *testing.T) { 
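Review bot: `GetFrameworks` and `ListFrameworks` treat any file that decodes into `reporthandling.Framework` without error as a framework, and a control descriptor such as testdata/C-0001.json is a JSON object with a top-level `name` and no `controls`, so it decodes cleanly and would be reported as a framework named "Forbidden Container Registries"; a control-inputs map would likewise be listed under an empty name. After the `Unmarshal` in both loops, skip non-framework descriptors explicitly, e.g. `if framework.Name == "" || len(framework.Controls) == 0 { continue // not a framework descriptor }` — assuming a real framework always carries at least one control; if empty frameworks are legitimate, keep only the `Name` check. Separately, `GetExceptions` returns the partially populated slice together with a non-nil error (`return exception, err`); returning `nil, err` on failure matches the other methods in this hunk. The two loops are otherwise the same read/decode/dedupe logic, and `ListFrameworks` could be a projection over `GetFrameworks` so the two skip rules cannot drift apart.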
@@ -44,16 +44,13 @@ func TestLoadPolicy(t *testing.T) { require.Nil(t, fw) }) - t.Run("edge case: should return empty framework", func(t *testing.T) { - // NOTE(fredbi): this edge case corresponds to the original working of GetFramework. - // IMHO, this is a bad request call and it should return an error. + t.Run("edge case: should error on empty framework", func(t *testing.T) { t.Parallel() p := NewLoadPolicy([]string{testFrameworkFile(testFramework)}) fw, err := p.GetFramework("") - require.NoError(t, err) - require.NotNil(t, fw) - require.Empty(t, *fw) + require.ErrorIs(t, err, ErrNameRequired) + require.Nil(t, fw) }) t.Run("edge case: corrupted json", func(t *testing.T) { @@ -77,11 +74,10 @@ func TestLoadPolicy(t *testing.T) { }) t.Run("with GetControl", func(t *testing.T) { - t.Run("should retrieve named control", func(t *testing.T) { + t.Run("should retrieve named control from framework", func(t *testing.T) { t.Parallel() const ( - testControl = "C-0053" expectedControlName = "Access container service account" ) p := NewLoadPolicy([]string{testFrameworkFile(testFramework)}) 
@@ -93,15 +89,44 @@ func TestLoadPolicy(t *testing.T) { require.Equal(t, expectedControlName, ctrl.Name) }) - t.Run("should fail to retrieve named control", func(t *testing.T) { - // NOTE(fredbi): IMHO, this case should bubble up an error - t.Parallel() + t.Run("with single control descriptor", func(t *testing.T) { + const ( + singleControl = "C-0001" + expectedControlName = "Forbidden Container Registries" + ) - const testControl = "wrong" - p := NewLoadPolicy([]string{testFrameworkFile(testFramework)}) - ctrl, err := p.GetControl(testControl) - require.NoError(t, err) - require.NotNil(t, ctrl) // no error, but still don't get the requested control... + t.Run("should retrieve named control from control descriptor", func(t *testing.T) { + t.Parallel() + + p := NewLoadPolicy([]string{testFrameworkFile(singleControl)}) + ctrl, err := p.GetControl(singleControl) + require.NoError(t, err) + require.NotNil(t, ctrl) + + require.Equal(t, singleControl, ctrl.ControlID) + require.Equal(t, expectedControlName, ctrl.Name) + }) + + t.Run("should fail to retrieve named control from control descriptor", func(t *testing.T) { + t.Parallel() + + p := NewLoadPolicy([]string{testFrameworkFile(singleControl)}) + ctrl, err := p.GetControl("wrong") + require.Error(t, err) + require.Nil(t, ctrl) + }) + }) + + t.Run("with framework descriptor", func(t *testing.T) { + t.Run("should fail to retrieve named control", func(t *testing.T) { + t.Parallel() + + const testControl = "wrong" + p := NewLoadPolicy([]string{testFrameworkFile(testFramework)}) + ctrl, err := p.GetControl(testControl) + require.ErrorIs(t, err, ErrControlNotMatching) + require.Nil(t, ctrl) + }) }) t.Run("edge case: corrupted json", func(t *testing.T) { 
@@ -122,32 +147,54 @@ func TestLoadPolicy(t *testing.T) { require.Error(t, err) }) - t.Run("edge case: should return empty control", func(t *testing.T) { - // NOTE(fredbi): this edge case corresponds to the original working of GetFramework. - // IMHO, this is a bad request call and it should return an error. + t.Run("edge case: should error on empty control", func(t *testing.T) { t.Parallel() p := NewLoadPolicy([]string{testFrameworkFile(testFramework)}) ctrl, err := p.GetControl("") - require.NoError(t, err) - require.NotNil(t, ctrl) + require.ErrorIs(t, err, ErrIDRequired) + require.Nil(t, ctrl) }) }) - t.Run("ListFrameworks should return all frameworks in the policy path", func(t *testing.T) { - t.Parallel() + t.Run("with ListFrameworks", func(t *testing.T) { + t.Run("should return all frameworks in the policy path", func(t *testing.T) { + t.Parallel() - const extraFramework = "NSA" - p := NewLoadPolicy([]string{ - testFrameworkFile(testFramework), - testFrameworkFile(extraFramework), + const ( + extraFramework = "NSA" + attackTracks = "attack-tracks" + ) + p := NewLoadPolicy([]string{ + testFrameworkFile(testFramework), + testFrameworkFile(extraFramework), + testFrameworkFile(extraFramework), // should be deduped + testFrameworkFile(attackTracks), // should be ignored + }) + fws, err := p.ListFrameworks() + require.NoError(t, err) + require.Len(t, fws, 2) + + require.Equal(t, testFramework, fws[0]) + require.Equal(t, extraFramework, fws[1]) }) - fws, err := p.ListFrameworks() - require.NoError(t, err) - require.Len(t, fws, 2) - require.Equal(t, testFramework, fws[0]) - require.Equal(t, extraFramework, fws[1]) + t.Run("should fail on file error", func(t *testing.T) { + t.Parallel() + + const ( + extraFramework = "NSA" + nowhere = "nowheretobeseen" + ) + p := NewLoadPolicy([]string{ + testFrameworkFile(testFramework), + testFrameworkFile(extraFramework), + testFrameworkFile(nowhere), // should raise an error + }) + fws, err := p.ListFrameworks() + 
require.Error(t, err) + require.Nil(t, fws) + }) }) t.Run("edge case: policy without path", func(t *testing.T) { 
@@ -157,20 +204,183 @@ func TestLoadPolicy(t *testing.T) { require.Empty(t, p.filePath()) }) - t.Run("GetFrameworks is currently stubbed", func(t *testing.T) { - t.Parallel() + t.Run("with GetFrameworks", func(t *testing.T) { + const extraFramework = "NSA" - p := NewLoadPolicy([]string{testFrameworkFile(testFramework)}) - fws, err := p.GetFrameworks() - require.NoError(t, err) - require.Empty(t, fws) + t.Run("should return all configured frameworks", func(t *testing.T) { + t.Parallel() + + p := NewLoadPolicy([]string{ + testFrameworkFile(testFramework), + testFrameworkFile(extraFramework), + }) + fws, err := p.GetFrameworks() + require.NoError(t, err) + require.Len(t, fws, 2) + + require.Equal(t, testFramework, fws[0].Name) + require.Equal(t, extraFramework, fws[1].Name) + }) + + t.Run("should return dedupe configured frameworks", func(t *testing.T) { + t.Parallel() + + const attackTracks = "attack-tracks" + p := NewLoadPolicy([]string{ + testFrameworkFile(testFramework), + testFrameworkFile(extraFramework), + testFrameworkFile(extraFramework), + testFrameworkFile(attackTracks), // should be ignored + }) + fws, err := p.GetFrameworks() + require.NoError(t, err) + require.Len(t, fws, 2) + + require.Equal(t, testFramework, fws[0].Name) + require.Equal(t, extraFramework, fws[1].Name) + }) }) - t.Run("ListControls is currently unsupported", func(t *testing.T) { - t.Parallel() + t.Run("with ListControls", func(t *testing.T) { + t.Run("should return controls", func(t *testing.T) { + t.Parallel() - p := NewLoadPolicy([]string{testFrameworkFile(testFramework)}) - _, err := p.ListControls() - require.Error(t, err) + p := NewLoadPolicy([]string{testFrameworkFile(testFramework)}) + controlIDs, err := p.ListControls() + require.NoError(t, err) + require.Greater(t, len(controlIDs), 0) + require.Equal(t, testControl, controlIDs[0]) + }) + }) + + t.Run("with GetAttackTracks", func(t *testing.T) { + t.Run("should return attack tracks", func(t *testing.T) { + t.Parallel() + + const 
attackTracks = "attack-tracks" + p := NewLoadPolicy([]string{testFrameworkFile(attackTracks)}) + tracks, err := p.GetAttackTracks() + require.NoError(t, err) + require.Greater(t, len(tracks), 0) + + for _, track := range tracks { + require.Equal(t, "AttackTrack", track.Kind) + } + }) + + t.Run("edge case: corrupted json", func(t *testing.T) { + t.Parallel() + + const invalidTracks = "invalid-fw" + p := NewLoadPolicy([]string{testFrameworkFile(invalidTracks)}) + _, err := p.GetAttackTracks() + require.Error(t, err) + }) + + t.Run("edge case: missing json", func(t *testing.T) { + t.Parallel() + + const invalidTracks = "nowheretobefound" + p := NewLoadPolicy([]string{testFrameworkFile(invalidTracks)}) + _, err := p.GetAttackTracks() + require.Error(t, err) + }) + }) + + t.Run("with GetControlsInputs", func(t *testing.T) { + const cluster = "dummy" // unused parameter at the moment + + t.Run("should return control inputs for a cluster", func(t *testing.T) { + t.Parallel() + + fixture, expected := writeTempJSONControlInputs(t) + t.Cleanup(func() { + _ = os.Remove(fixture) + }) + + p := NewLoadPolicy([]string{fixture}) + inputs, err := p.GetControlsInputs(cluster) + require.NoError(t, err) + require.EqualValues(t, expected, inputs) + }) + + t.Run("edge case: corrupted json", func(t *testing.T) { + t.Parallel() + + const invalidInputs = "invalid-fw" + p := NewLoadPolicy([]string{testFrameworkFile(invalidInputs)}) + _, err := p.GetControlsInputs(cluster) + require.Error(t, err) + }) + + t.Run("edge case: missing json", func(t *testing.T) { + t.Parallel() + + const invalidInputs = "nowheretobefound" + p := NewLoadPolicy([]string{testFrameworkFile(invalidInputs)}) + _, err := p.GetControlsInputs(cluster) + require.Error(t, err) + }) + }) + + t.Run("with GetExceptions", func(t *testing.T) { + const cluster = "dummy" // unused parameter at the moment + + t.Run("should return exceptions", func(t *testing.T) { + t.Parallel() + + const exceptions = "exceptions" + + p := 
NewLoadPolicy([]string{testFrameworkFile(exceptions)}) + exceptionPolicies, err := p.GetExceptions(cluster) + require.NoError(t, err) + + require.Greater(t, len(exceptionPolicies), 0) + t.Logf("len=%d", len(exceptionPolicies)) + for _, policy := range exceptionPolicies { + require.NotEmpty(t, policy.Name) + } + }) + + t.Run("edge case: corrupted json", func(t *testing.T) { + t.Parallel() + + const invalidInputs = "invalid-fw" + p := NewLoadPolicy([]string{testFrameworkFile(invalidInputs)}) + _, err := p.GetExceptions(cluster) + require.Error(t, err) + }) + + t.Run("edge case: missing json", func(t *testing.T) { + t.Parallel() + + const invalidInputs = "nowheretobefound" + p := NewLoadPolicy([]string{testFrameworkFile(invalidInputs)}) + _, err := p.GetExceptions(cluster) + require.Error(t, err) + }) }) } + +func testFrameworkFile(framework string) string { + return filepath.Join(".", "testdata", fmt.Sprintf("%s.json", framework)) +} + +func writeTempJSONControlInputs(t testing.TB) (string, map[string][]string) { + fileName := testFrameworkFile("control-inputs") + mock := map[string][]string{ + "key1": { + "val1", "val2", + }, + "key2": { + "val3", "val4", + }, + } + + buf, err := json.Marshal(mock) + require.NoError(t, err) + + require.NoError(t, os.WriteFile(fileName, buf, 0600)) + + return fileName, mock +} diff --git a/core/cautils/getter/testdata/C-0001.json b/core/cautils/getter/testdata/C-0001.json new file mode 100644 index 00000000..17cc978f --- /dev/null +++ b/core/cautils/getter/testdata/C-0001.json 
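Review bot: `writeTempJSONControlInputs` writes its fixture to the fixed path `testdata/control-inputs.json` inside the source tree and relies on the caller's `t.Cleanup(os.Remove)` to delete it, so a panic before cleanup leaves an artifact next to the checked-in fixtures, and any second test reusing the helper under `t.Parallel()` would collide on the same file. Use the per-test temporary directory instead: `fileName := filepath.Join(t.TempDir(), "control-inputs.json")`, which the testing package removes automatically, and drop the `os.Remove` cleanup in the caller. The workflow pins Go 1.19, so `t.TempDir` is available.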
@@ -0,0 +1,85 @@ +{ + "guid": "", + "name": "Forbidden Container Registries", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Initial access" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ], + "microsoftMitreColumns": [ + "Initial Access" + ] + }, + "id": "C-0001", + "controlID": "C-0001", + "creationTime": "", + "description": "In cases where the Kubernetes cluster is provided by a CSP (e.g., AKS in Azure, GKE in GCP, or EKS in AWS), compromised cloud credential can lead to the cluster takeover. Attackers may abuse cloud account credentials or IAM mechanism to the cluster’s management layer.", + "remediation": "Limit the registries from which you pull container images from", + "rules": [ + { + "guid": "", + "name": "rule-identify-blocklisted-image-registries", + "attributes": { + "armoBuiltin": true, + "m$K8sThreatMatrix": "Initial Access::Compromised images in registry" + }, + "creationTime": "", + "rule": "package armo_builtins\nimport data\n# Check for images from blocklisted repos\n\nuntrustedImageRepo[msga] {\n\tpod := input[_]\n\tk := pod.kind\n\tk == \"Pod\"\n\tcontainer := pod.spec.containers[i]\n\tpath := sprintf(\"spec.containers[%v].image\", [format_int(i, 10)])\n\timage := container.image\n untrusted_or_public_registries(image)\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"image '%v' in container '%s' comes from untrusted registry\", [image, container.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 2,\n\t\t\"fixPaths\": [],\n\t\t\"failedPaths\": [path],\n \"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n }\n}\n\nuntrustedImageRepo[msga] {\n\twl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n\tcontainer := wl.spec.template.spec.containers[i]\n\tpath := sprintf(\"spec.template.spec.containers[%v].image\", [format_int(i, 
10)])\n\timage := container.image\n untrusted_or_public_registries(image)\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"image '%v' in container '%s' comes from untrusted registry\", [image, container.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 2,\n\t\t\"fixPaths\": [],\n\t\t\"failedPaths\": [path],\n \"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n }\n}\n\nuntrustedImageRepo[msga] {\n\twl := input[_]\n\twl.kind == \"CronJob\"\n\tcontainer := wl.spec.jobTemplate.spec.template.spec.containers[i]\n\tpath := sprintf(\"spec.jobTemplate.spec.template.spec.containers[%v].image\", [format_int(i, 10)])\n\timage := container.image\n untrusted_or_public_registries(image)\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"image '%v' in container '%s' comes from untrusted registry\", [image, container.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 2,\n\t\t\"fixPaths\": [],\n\t\t\"failedPaths\": [path],\n \"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n }\n}\n\nuntrusted_or_public_registries(image){\n\t# see default-config-inputs.json for list values\n\tuntrusted_registries := data.postureControlInputs.untrustedRegistries\n\trepo_prefix := untrusted_registries[_]\n\tstartswith(image, repo_prefix)\n}\n\nuntrusted_or_public_registries(image){\n\t# see default-config-inputs.json for list values\n\tpublic_registries := data.postureControlInputs.publicRegistries\n\trepo_prefix := public_registries[_]\n\tstartswith(image, repo_prefix)\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "*" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Pod", + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet", + "Job", + "CronJob" + ] + } + ], + "ruleDependencies": [], + "configInputs": [ + "settings.postureControlInputs.publicRegistries", + "settings.postureControlInputs.untrustedRegistries" + ], + "controlConfigInputs": [ + { + "path": 
"settings.postureControlInputs.publicRegistries", + "name": "Public registries", + "description": "Kubescape checks none of these public registries are in use." + }, + { + "path": "settings.postureControlInputs.untrustedRegistries", + "name": "Registries block list", + "description": "Kubescape checks none of the following registries are in use." + } + ], + "description": "Identifying if pod container images are from unallowed registries", + "remediation": "Use images from safe registry", + "ruleQuery": "", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 7 +} \ No newline at end of file diff --git a/core/cautils/getter/testdata/attack-tracks.json b/core/cautils/getter/testdata/attack-tracks.json new file mode 100644 index 00000000..577620d7 --- /dev/null +++ b/core/cautils/getter/testdata/attack-tracks.json 
@@ -0,0 +1,136 @@ +[ + { + "apiVersion": "regolibrary.kubescape/v1alpha1", + "kind": "AttackTrack", + "metadata": { + "name": "node" + }, + "spec": { + "data": { + "name": "Initial access", + "subSteps": [ + { + "name": "Execution", + "subSteps": [ + { + "name": "Persistence" + }, + { + "name": "Credential access" + }, + { + "name": "Defense evasion" + }, + { + "name": "Discovery" + }, + { + "name": "Lateral movement" + }, + { + "name": "Impact - data theft" + }, + { + "name": "Impact - data destruction" + }, + { + "name": "Impact - service injection" + } + ] + } + ] + } + } + }, + { + "apiVersion": "regolibrary.kubescape/v1alpha1", + "kind": "AttackTrack", + "metadata": { + "name": "kubeapi" + }, + "spec": { + "data": { + "name": "Initial access", + "subSteps": [ + { + "name": "Persistence" + }, + { + "name": "Privilege escalation" + }, + { + "name": "Credential access" + }, + { + "name": "Discovery" + }, + { + "name": "Lateral movement" + }, + { + "name": "Defense evasion" + }, + { + "name": "Impact - data destruction" + }, + { + "name": "Impact - service injection" + } + ] + } + } + }, + { + "apiVersion": "regolibrary.kubescape/v1alpha1", + "kind": "AttackTrack", + "metadata": { + "name": "container" + }, + "spec": { + "data": { + "name": "Initial access", + "subSteps": [ + { + "name": "Execution", + "subSteps": [ + { + "name": "Privilege escalation" + }, + { + "name": "Credential access", + "subSteps": [ + { + "name": "Impact - service access" + }, + { + "name": "Impact - K8s API access", + "subSteps": [ + { + "name": "Defense evasion - KubeAPI" + } + ] + } + ] + }, + { + "name": "Discovery" + }, + { + "name": "Lateral movement" + }, + { + "name": "Impact - Data access in container" + }, + { + "name": "Persistence" + } + ] + }, + { + "name": "Impact - service destruction" + } + ] + } + } + } +] \ No newline at end of file 
diff --git a/core/cautils/getter/testdata/exceptions.json b/core/cautils/getter/testdata/exceptions.json new file mode 100644 index 00000000..fd3d6743 --- /dev/null +++ b/core/cautils/getter/testdata/exceptions.json 
@@ -0,0 +1,6407 @@ +[ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "coredns-[A-Za-z0-9]+-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "etcd-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "coredns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-5", + "attributes": { + "systemException": 
true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-6", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-7", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "storage-provisioner", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-8", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-scheduler-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-9", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": 
"Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-controller-manager-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-minikube-kube-public-resources-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kube-public" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-minikube-kube-public-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "default", + "namespace": "kube-public" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-minikube-kube-node-lease-resources-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kube-node-lease" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-minikube-kube-node-lease-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "default", + "namespace": "kube-node-lease" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": 
"exclude-kube-system-service-accounts-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "default", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "certificate-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "bootstrap-signer", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "clusterrole-aggregation-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + 
"alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "root-ca-cert-publisher", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-6", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "pvc-protection-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-7", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "statefulset-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-8", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "ttl-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-9", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "coredns", + "namespace": "kube-system" + } 
+ } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-10", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "service-account-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-11", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "horizontal-pod-autoscaler", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-12", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "expand-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-13", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "replicaset-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-14", + "attributes": { + 
"systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "replication-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-16", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "resourcequota-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-17", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "endpoint-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-18", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "endpointslice-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-19", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + 
"designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "endpointslicemirroring-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-20", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "ephemeral-volume-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-21", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "node-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-22", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "pv-protection-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-23", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "job-controller", + "namespace": "kube-system" + } + } + ], + 
"posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-24", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "daemon-set-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-25", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "deployment-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-26", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "generic-garbage-collector", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-27", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "persistent-volume-binder", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-28", + "attributes": { + 
"systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "storage-provisioner", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-29", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "token-cleaner", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-30", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-31", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "namespace-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-32", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + 
"attributes": { + "kind": "ServiceAccount", + "name": "cronjob-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-33", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "attachdetach-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-34", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "service-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-35", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "disruption-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-36", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "pod-garbage-collector", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + 
} + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-37", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "ttl-after-finished-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-users-and-groups-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "apiVersion": "rbac.authorization.k8s.io", + "kind": "User", + "name": "system:kube-scheduler" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-users-and-groups-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "apiVersion": "rbac.authorization.k8s.io", + "kind": "User", + "name": "system:kube-controller-manager" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-users-and-groups-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "apiVersion": "rbac.authorization.k8s.io", + "kind": "Group", + "name": "system:masters" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-prometheus-security-context", + "attributes": { + "systemException": true + }, + "policyType": 
"postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape-prometheus" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0055" + }, + { + "frameworkName": "", + "controlID": "c-0017" + }, + { + "frameworkName": "", + "controlID": "cis-5.7.2" + }, + { + "frameworkName": "", + "controlID": "cis-5.7.3" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-prometheus-deployment-allowed-registry", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape-prometheus" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0001" + }, + { + "frameworkName": "", + "controlID": "c-0078" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-prometheus-deployment-ingress-and-egress", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape-prometheus" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0030" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "aws-node-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" 
+ } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "metrics-server-[A-Za-z0-9]+-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "aws-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-8", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "metrics-server", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-9", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + 
"creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ReplicaSet", + "name": "coredns-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-10", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ReplicaSet", + "name": "metrics-server-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-11", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Service", + "name": "metrics-server", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-12", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Service", + "name": "kube-dns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-13", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": 
"aws-cloud-provider", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-14", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "aws-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-15", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "eks-admin", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-16", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "eks-vpc-resource-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-17", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "metrics-server", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + 
"guid": "", + "name": "exclude-eks-resources-18", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "tagging-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-19", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "vpc-resource-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-20", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "eks:fargate-manager" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-21", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "eks:addon-manager" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-22", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + 
"designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "eks:certificate-controller" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-23", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "eks:node-manager" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-24", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Group", + "name": "system:masters" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-deployments-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "coredns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-deployments-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "coredns-autoscaler", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-deployments-3", + "attributes": { + "systemException": true + }, + 
"policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "konnectivity-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-deployments-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "metrics-server", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-deployments-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "omsagent-rs", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-pods-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "azure-ip-masq-agent-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-pods-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "cloud-node-manager-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + 
{ + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-pods-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "coredns-autoscaler--[A-Za-z0-9]+-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-pods-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "csi-azuredisk-node-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-pods-6", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "csi-azurefile-node-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-pods-7", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "konnectivity-agent-[A-Za-z0-9]+-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": 
"exclude-aks-kube-system-pods-10", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "omsagent-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-pods-11", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "omsagent-rs-[A-Za-z0-9]+-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-services-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Service", + "name": "kube-dns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-services-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Service", + "name": "metrics-server", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], 
+ "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "azure-ip-masq-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "cloud-node-manager", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "cloud-node-manager-windows", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "csi-azuredisk-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "csi-azuredisk-node-win", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + 
"frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-6", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "csi-azurefile-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-7", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "csi-azurefile-node-win", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-8", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-9", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "omsagent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-10", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + 
"actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "omsagent-win", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-replicasets-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ReplicaSet", + "name": "coredns-autoscaler-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-replicasets-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ReplicaSet", + "name": "coredns-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-replicasets-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ReplicaSet", + "name": "konnectivity-agent-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-replicasets-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ReplicaSet", + "name": "metrics-server-[A-Za-z0-9]+", + 
"namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-replicasets-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ReplicaSet", + "name": "omsagent-rs-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-namespaces-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "azure-cloud-provider", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "cloud-node-manager", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-8", + "attributes": { + "systemException": true + }, + "policyType": 
"postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "coredns-autoscaler", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-10", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "csi-azuredisk-node-sa", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-11", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "csi-azurefile-node-sa", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-24", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "konnectivity-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-26", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "metrics-server", + 
"namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-29", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "omsagent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-45", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "kube-root-ca.crt", + "namespace": "default" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-46", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "kube-root-ca.crt", + "namespace": "kube-node-lease" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-47", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "kube-root-ca.crt", + "namespace": "kube-public" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-48", + "attributes": { + "systemException": true + }, + "policyType": 
"postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "azure-ip-masq-agent-config-reconciled", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-49", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "cluster-autoscaler-status", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-50", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "container-azm-ms-aks-k8scluster", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-51", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "coredns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-52", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "coredns-autoscaler", + 
"namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-53", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "coredns-custom", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-54", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "extension-apiserver-authentication", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-55", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "kube-root-ca.crt", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-56", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "omsagent-rs-config", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-57", + "attributes": { + "systemException": true + }, + "policyType": 
"postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "overlay-upgrade-data", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-58", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "MutatingWebhookConfiguration", + "name": "aks-webhook-admission-controller" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-59", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "MutatingWebhookConfiguration", + "name": "aks-node-mutating-webhook" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-60", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ValidatingWebhookConfiguration", + "name": "aks-node-validating-webhook" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-61", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Group", + "name": "system:masters" + } + } + ], + "posturePolicies": [ + 
{ + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-62", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Group", + "name": "system:nodes" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-63", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "clusterAdmin" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-64", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:kube-controller-manager" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-65", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:kube-scheduler" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-default-namespace-resources-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "kubescape", + 
"namespace": "default" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-default-namespace-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "default" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-default-namespace-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "default", + "namespace": "default" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-pod-kube-apiserver", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-apiserver-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0013" + }, + { + "frameworkName": "", + "controlID": "c-0077" + }, + { + "frameworkName": "", + "controlID": "c-0017" + }, + { + "frameworkName": "", + "controlID": "c-0013 " + }, + { + "frameworkName": "", + "controlID": "c-0020" + }, + { + "frameworkName": "", + "controlID": "c-0030" + }, + { + "frameworkName": "", + "controlID": "c-0034" + }, + { + "frameworkName": "", + "controlID": "c-0016" + }, + { + "frameworkName": "", + "controlID": "c-0004" + }, + { + "frameworkName": "", + "controlID": "c-0050" + }, + { + "frameworkName": "", + "controlID": "c-0009" + }, + { + "frameworkName": "", + "controlID": 
"c-0048" + }, + { + "frameworkName": "", + "controlID": "c-0041" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-security-context-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0055" + }, + { + "frameworkName": "", + "controlID": "c-0017" + }, + { + "frameworkName": "", + "controlID": "cis-5.7.2" + }, + { + "frameworkName": "", + "controlID": "cis-5.7.3" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-security-context-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "operator", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0055" + }, + { + "frameworkName": "", + "controlID": "c-0017" + }, + { + "frameworkName": "", + "controlID": "cis-5.7.2" + }, + { + "frameworkName": "", + "controlID": "cis-5.7.3" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-security-context-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "gateway", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0055" + }, + { + "frameworkName": "", + "controlID": "c-0017" + }, + { + "frameworkName": "", + "controlID": "cis-5.7.2" + }, + { + "frameworkName": "", + "controlID": 
"cis-5.7.3" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-security-context-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubevuln", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0055" + }, + { + "frameworkName": "", + "controlID": "c-0017" + }, + { + "frameworkName": "", + "controlID": "cis-5.7.2" + }, + { + "frameworkName": "", + "controlID": "cis-5.7.3" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-security-context-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "StatefulSet", + "name": "kollector", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0055" + }, + { + "frameworkName": "", + "controlID": "c-0017" + }, + { + "frameworkName": "", + "controlID": "cis-5.7.2" + }, + { + "frameworkName": "", + "controlID": "cis-5.7.3" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-allowed-registry-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0001" + }, + { + "frameworkName": "", + "controlID": "c-0078" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-allowed-registry-2", + "attributes": { + "systemException": true + }, + "policyType": 
"postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "operator", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0001" + }, + { + "frameworkName": "", + "controlID": "c-0078" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-allowed-registry-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "gateway", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0001" + }, + { + "frameworkName": "", + "controlID": "c-0078" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-allowed-registry-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubevuln", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0001" + }, + { + "frameworkName": "", + "controlID": "c-0078" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-allowed-registry-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "StatefulSet", + "name": "kollector", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0001" + }, + { + "frameworkName": "", + "controlID": "c-0078" + } + ] + }, + { + "guid": "", + "name": 
"exclude-kubescape-deployment-ingress-and-egress-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0030" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-ingress-and-egress-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "operator", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0030" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-ingress-and-egress-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "gateway", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0030" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-ingress-and-egress-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubevuln", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0030" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-ingress-and-egress-5", + "attributes": { + "systemException": true + }, + 
"policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "StatefulSet", + "name": "kollector", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0030" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "metadata-proxy-v[0-9.]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "node-local-dns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-6", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + 
"designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "gke-metrics-agent.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-7", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "pdcsi-node-windows", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-8", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "anetd", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-9", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "netd", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-10", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "fluentbit-gke-big", + "namespace": "kube-system" + } + } + ], + 
"posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-11", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "fluentbit-gke-small", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-12", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "fluentbit-gke-max", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-13", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "fluentbit-gke.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-14", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "nccl-fastsocket-installer", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": 
"exclude-gke-kube-system-resources-15", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "filestore-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-16", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "pdcsi-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-17", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "ip-masq-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-18", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "anetd-win", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-19", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + 
"creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "gke-metadata-server", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-20", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "gke-metrics-agent-windows", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-22", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "nvidia-gpu-device-plugin", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-24", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kube-dns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-25", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + 
"attributes": { + "kind": "Deployment", + "name": "egress-nat-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-26", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "event-exporter-gke", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-27", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "antrea-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-28", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "antrea-controller-horizontal-autoscaler", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-29", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kube-dns-autoscaler", + "namespace": 
"kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-30", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "metrics-server-v[0-9.]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-31", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "konnectivity-agent-autoscaler", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-32", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "fluentd-elasticsearch", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-33", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "konnectivity-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": 
"C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-34", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "l7-default-backend", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-38", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "konnectivity-agent-cpha", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-49", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "cloud-provider", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-71", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "kube-dns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-78", + "attributes": { + "systemException": true + }, + "policyType": 
"postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "kube-dns-autoscaler", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-79", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "netd", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-80", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "metadata-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-81", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "antrea-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-82", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": 
"cilium", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-83", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "node-local-dns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-84", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "gke-metrics-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-85", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "egress-nat-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-86", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "antrea-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-87", + 
"attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "event-exporter-sa", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-88", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "antrea-cpha", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-89", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "fluentbit-gke", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-90", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "pdcsi-node-sa", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-91", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": 
"Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "ip-masq-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-92", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "filestorecsi-node-sa", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-93", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "gke-metadata-server", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-users-and-groups-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:vpa-recommender", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-users-and-groups-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:anet-operator", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + 
{ + "guid": "", + "name": "exclude-system-users-and-groups-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:clustermetrics" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-users-and-groups-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:controller:glbc" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-users-and-groups-6", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:l7-lb-controller" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-users-and-groups-7", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:managed-certificate-controller" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-users-and-groups-8", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": 
"system:gke-common-webhooks" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-users-and-groups-11", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:gcp-controller-manager" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-users-and-groups-12", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:resource-tracker" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-users-and-groups-13", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:storageversionmigrator" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-users-and-groups-15", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:kubestore-collector" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": 
[ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ValidatingWebhookConfiguration", + "name": "ca-validate-cfg" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ValidatingWebhookConfiguration", + "name": "flowcontrol-guardrails.config.common-webhooks.networking.gke.io" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ValidatingWebhookConfiguration", + "name": "validation-webhook.snapshot.storage.gke.io" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ValidatingWebhookConfiguration", + "name": "nodelimit.config.common-webhooks.networking.gke.io" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ValidatingWebhookConfiguration", + "name": "gkepolicy.config.common-webhooks.networking.gke.io" + } + } + ], + 
"posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-6", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ValidatingWebhookConfiguration", + "name": "validation-webhook.snapshot.storage.k8s.io" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-7", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "APIService", + "name": "v1beta1.metrics.k8s.io" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-8", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "MutatingWebhookConfiguration", + "name": "pod-ready.config.common-webhooks.networking.gke.io" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-9", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "MutatingWebhookConfiguration", + "name": "ca-mutate-cfg" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-10", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + 
"alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "MutatingWebhookConfiguration", + "name": "neg-annotation.config.common-webhooks.networking.gke.io" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-11", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "MutatingWebhookConfiguration", + "name": "mutate-scheduler-profile.config.common-webhooks.networking.gke.io" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-12", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "MutatingWebhookConfiguration", + "name": "sasecret-redacter.config.common-webhooks.networking.gke.io" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-13", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "MutatingWebhookConfiguration", + "name": "workload-defaulter.config.common-webhooks.networking.gke.io" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-14", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": 
"MutatingWebhookConfiguration",
+ "name": "admissionwebhookcontroller.config.common-webhooks.networking.gke.io"
+ }
+ }
+ ],
+ "posturePolicies": [
+ {
+ "frameworkName": ""
+ }
+ ]
+ },
+ {
+ "guid": "",
+ "name": "exclude-system-resources-15",
+ "attributes": {
+ "systemException": true
+ },
+ "policyType": "postureExceptionPolicy",
+ "creationTime": "",
+ "actions": [
+ "alertOnly"
+ ],
+ "resources": [
+ {
+ "designatorType": "Attributes",
+ "attributes": {
+ "kind": "MutatingWebhookConfiguration",
+ "name": "gke-vpa-webhook-config"
+ }
+ }
+ ],
+ "posturePolicies": [
+ {
+ "frameworkName": ""
+ }
+ ]
+ },
+ {
+ "guid": "",
+ "name": "exclude-system-resources-16",
+ "attributes": {
+ "systemException": true
+ },
+ "policyType": "postureExceptionPolicy",
+ "creationTime": "",
+ "actions": [
+ "alertOnly"
+ ],
+ "resources": [
+ {
+ "designatorType": "Attributes",
+ "attributes": {
+ "kind": "MutatingWebhookConfiguration",
+ "name": "filestorecsi-mutation-webhook.storage.k8s.io"
+ }
+ }
+ ],
+ "posturePolicies": [
+ {
+ "frameworkName": ""
+ }
+ ]
+ }
+]
\ No newline at end of file
diff --git a/go.mod b/go.mod
index 1524c4eb..1af6a975 100644
--- a/go.mod
+++ b/go.mod
@@ -14,6 +14,7 @@ require (
 github.com/go-git/go-git/v5 v5.5.2
 github.com/google/uuid v1.3.0
 github.com/johnfercher/maroto v0.37.0
+ github.com/json-iterator/go v1.1.12
 github.com/kubescape/go-git-url v0.0.21
 github.com/kubescape/go-logger v0.0.6
 github.com/kubescape/k8s-interface v0.0.94-0.20221228202834-4b64f2440950
@@ -127,7 +128,6 @@ require (
 github.com/jinzhu/copier v0.3.5 // indirect
 github.com/jmespath/go-jmespath v0.4.0 // indirect
 github.com/josharian/intern v1.0.0 // indirect
- github.com/json-iterator/go v1.1.12 // indirect
 github.com/jung-kurt/gofpdf v1.16.2 // indirect
 github.com/kevinburke/ssh_config v1.2.0 // indirect
 github.com/kylelemons/godebug v1.1.0 // indirect