From 7c55420442cbd5960f3bc50125ae2164a7687fec Mon Sep 17 00:00:00 2001
From: kooomix
Date: Wed, 15 Jan 2025 09:35:46 +0200
Subject: [PATCH] Add namespace check for workload connections in exposure rules

---
 rules/exposure-to-internet/raw.rego | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/exposure-to-internet/raw.rego b/rules/exposure-to-internet/raw.rego
index f52539f0..1efd84a4 100644
--- a/rules/exposure-to-internet/raw.rego
+++ b/rules/exposure-to-internet/raw.rego
@@ -9,6 +9,7 @@ deny[msga] {
 	wl := input[_]
 	spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Pod", "Job", "CronJob"}
 	spec_template_spec_patterns[wl.kind]
+	is_same_namespace(wl.metadata, service.metadata)
 	pod := get_pod_spec(wl)["spec"]
 	wl_connected_to_service(pod, service)
 	failPath := ["spec.type"]
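Review bot: The added `is_same_namespace(wl.metadata, service.metadata)` line suppresses the finding whenever the helper is false, so how the helper treats a missing `metadata.namespace` decides whether a workload or Service declared without an explicit namespace still matches one living in `default`; if it compares the raw fields, such pairs are never reported even though they share a namespace. The `deny[msga] {` body starts and ends outside this hunk and `is_same_namespace` is not visible here, so please confirm where it is defined and that an absent namespace is treated as `default`. A short comment would make the intent obvious to the next reader, e.g. `# a Service selector only matches Pods in the Service's own namespace`. A test fixture with identical selector labels in two different namespaces (expecting no finding) and one with the namespace field omitted on either object (expecting a finding) would pin both behaviours.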