fix(checks): invert logic of AVD-KCV-0030

checks/kubernetes/cisbenchmarks/apiserver/encryption_provider_config.rego

@@ -30,7 +30,7 @@ check_flag(container) {
 deny[res] {
  container := kubernetes.containers[_]
  kubernetes.is_apiserver(container)
- check_flag(container)
+ not check_flag(container)
  msg := "Ensure that the --encryption-provider-config argument is set as appropriate"
  res := result.new(msg, container)
 }

checks/kubernetes/cisbenchmarks/apiserver/encryption_provider_config_test.rego

@@ -18,8 +18,7 @@ test_encryption_provider_config_is_set {
  }]},
  }
 
- count(r) == 1
- r[_].msg == "Ensure that the --encryption-provider-config argument is set as appropriate"
+ count(r) == 0
 }
 
 test_encryption_provider_config_is_not_set {
@@ -40,6 +39,29 @@ test_encryption_provider_config_is_not_set {
  }]},
  }
 
+ count(r) == 1
+ r[_].msg == "Ensure that the --encryption-provider-config argument is set as appropriate"
+}
+
+test_encryption_provider_config_is_set_args {
+ r := deny with input as {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "apiserver",
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane",
+ },
+ },
+ "spec": {"containers": [{
+ "command": ["kube-apiserver"],
+ "args": ["--advertise-address=192.168.49.2", "--encryption-provider-config=<filename>"],
+ "image": "busybox",
+ "name": "hello",
+ }]},
+ }
+
  count(r) == 0
 }
 
@@ -62,5 +84,6 @@ test_encryption_provider_config_is_not_set_args {
  }]},
  }
 
- count(r) == 0
+ count(r) == 1
+ r[_].msg == "Ensure that the --encryption-provider-config argument is set as appropriate"
 }