I'm writing a Python script that takes a set of Kubernetes configuration files as input. The first step is to filter them to get only the files that "contain information for a database". As a general template I take into consideration this Deployment file (at this page):
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysql
spec:
  selector:
    matchLabels:
      app: mysql
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
      - image: mysql:5.6
        name: mysql
        env:
          # Use secret in real usage
        - name: MYSQL_ROOT_PASSWORD
          value: password
        ports:
        - containerPort: 3306
          name: mysql
        volumeMounts:
        - name: mysql-persistent-storage
          mountPath: /var/lib/mysql
      volumes:
      - name: mysql-persistent-storage
        persistentVolumeClaim:
          claimName: mysql-pv-claim
I'm doing the tests with the sock-shop Kubernetes files (here); for example, 03-carts-db-dep.yaml is a file that would be fine.
My goal is to check whether or not data-at-rest encryption is present in the various DBMSs named in the files.
I found that checkov does this check, but I don't understand how it does it.
Going into detail, what I would do would be:
- filter the Kubernetes config files and keep only those (with kind = Deployment) for the database
- go back to the path where the DBMS configuration files mentioned in the file are contained (my application should only work with MySQL, PostgreSQL, MongoDB)
- check if the DBMS performs data encryption at rest (for example, with MySQL I'm using this documentation)
What I would like to understand better is how I can use checkov (even more generally) to carry out this check (again via Python), and then implement it myself.
For checkov I follow this documentation for policies.
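The first step of the plan above (select the Deployments that run a database and collect what the manifest says about where their data lives) can be written directly as a Python pass over the parsed manifests. The following is an added example, not code from the question, from sock-shop or from checkov; it assumes PyYAML is installed for YAML input (kubectl also accepts JSON, which is handled with the standard library), and the sample manifests are constructed for this example, the first one mirroring the mysql Deployment quoted in the question. A Deployment alone cannot tell you whether the DBMS encrypts data at rest; what it can give you is the container image (which DBMS), the data directory mount and the PersistentVolumeClaim behind it, which is exactly the input the second and third steps need. checkov's own Kubernetes checks work on the same parsed resource dictionaries, one check function per resource, so a finding like the one produced here is the shape a custom policy would return.

```python
"""Filter Kubernetes manifests down to Deployments that run a database.

Added example (not from the question or from checkov). Assumes PyYAML for YAML
input and falls back to the stdlib json module for JSON manifests. SAMPLE_DOCS
are constructed for this example; the first mirrors the question's mysql file.
"""
import json

try:
    import yaml  # PyYAML, assumed installed; only needed for .yaml files
except ImportError:
    yaml = None

# Image repository keywords treated as a DBMS (the question scopes to these three).
DB_IMAGE_KEYWORDS = {"mysql": "mysql", "postgres": "postgresql", "mongo": "mongodb"}


def load_manifests(text):
    """Parse YAML (multi-document) or JSON manifest text into a flat list of resources."""
    if yaml is not None:
        docs = [d for d in yaml.safe_load_all(text) if d]
    else:
        doc = json.loads(text)
        docs = doc if isinstance(doc, list) else [doc]
    out = []
    for d in docs:  # expand v1 List objects so callers see individual resources
        if isinstance(d, dict) and d.get("kind") == "List":
            out.extend(d.get("items", []))
        else:
            out.append(d)
    return out


def image_repo(image):
    """'docker.io/library/mysql:5.6' -> 'mysql' (drops registry path, digest, tag)."""
    name = image.rsplit("/", 1)[-1]
    return name.split("@", 1)[0].split(":", 1)[0].lower()


def classify_dbms(image):
    """Return the DBMS name for a known database image, else None."""
    repo = image_repo(image)
    for key, dbms in DB_IMAGE_KEYWORDS.items():
        if key in repo:
            return dbms
    return None


def find_db_deployments(docs):
    """One finding per database container found in a Deployment."""
    findings = []
    for doc in docs:
        if not isinstance(doc, dict) or doc.get("kind") != "Deployment":
            continue
        pod = doc.get("spec", {}).get("template", {}).get("spec", {})
        claims = {v["name"]: v.get("persistentVolumeClaim", {}).get("claimName")
                  for v in pod.get("volumes", [])}
        for c in pod.get("containers", []):
            dbms = classify_dbms(c.get("image", ""))
            if not dbms:
                continue
            # Mounts backed by a PVC are where the data at rest lives; the
            # follow-up check against the DBMS configuration starts from here.
            data_volumes = [{"mountPath": m.get("mountPath"),
                             "claimName": claims.get(m.get("name"))}
                            for m in c.get("volumeMounts", [])]
            # Credentials passed inline as `value` instead of via a Secret
            # reference (the manifest's own comment says to use a Secret).
            plaintext_env = [e["name"] for e in c.get("env", [])
                             if "value" in e and "valueFrom" not in e
                             and any(w in e["name"].upper() for w in ("PASSWORD", "SECRET"))]
            findings.append({"deployment": doc.get("metadata", {}).get("name"),
                             "container": c.get("name"), "image": c.get("image"),
                             "dbms": dbms, "data_volumes": data_volumes,
                             "plaintext_credential_env": plaintext_env})
    return findings


SAMPLE_DOCS = [  # constructed sample input
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "mysql"},
     "spec": {"selector": {"matchLabels": {"app": "mysql"}}, "strategy": {"type": "Recreate"},
              "template": {"metadata": {"labels": {"app": "mysql"}}, "spec": {
                  "containers": [{"image": "mysql:5.6", "name": "mysql",
                                  "env": [{"name": "MYSQL_ROOT_PASSWORD", "value": "password"}],
                                  "ports": [{"containerPort": 3306, "name": "mysql"}],
                                  "volumeMounts": [{"name": "mysql-persistent-storage",
                                                    "mountPath": "/var/lib/mysql"}]}],
                  "volumes": [{"name": "mysql-persistent-storage",
                               "persistentVolumeClaim": {"claimName": "mysql-pv-claim"}}]}}}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "frontend"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "web", "image": "registry.example.com/shop/frontend:1.0"}]}}}},
    {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "mysql"}},
]

if __name__ == "__main__":
    for finding in find_db_deployments(SAMPLE_DOCS):
        print(json.dumps(finding, indent=2))
```

To run it over the sock-shop directory, read each file and pass `load_manifests(open(path).read())` to `find_db_deployments`; the `claimName` and `mountPath` in each finding are what you then resolve to the PersistentVolume and the DBMS configuration for the encryption-at-rest check.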