From 1758c63b46f3df67c4ae2b0794bac4d591ada29b Mon Sep 17 00:00:00 2001
From: kapistka
Date: Tue, 20 Aug 2024 11:15:52 +0300
Subject: [PATCH] fix(checks): invert logic of AVD-KCV-0030

---
 .../apiserver/encryption_provider_config.rego | 2 +-
 .../encryption_provider_config_test.rego | 29 +++++++++++++++++--
 2 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/checks/kubernetes/cisbenchmarks/apiserver/encryption_provider_config.rego b/checks/kubernetes/cisbenchmarks/apiserver/encryption_provider_config.rego
index ee4470c7..b7e06a71 100644
--- a/checks/kubernetes/cisbenchmarks/apiserver/encryption_provider_config.rego
+++ b/checks/kubernetes/cisbenchmarks/apiserver/encryption_provider_config.rego
@@ -30,7 +30,7 @@ check_flag(container) {
 deny[res] {
 container := kubernetes.containers[_]
 kubernetes.is_apiserver(container)
- check_flag(container)
+ not check_flag(container)
 msg := "Ensure that the --encryption-provider-config argument is set as appropriate"
 res := result.new(msg, container)
 }
diff --git a/checks/kubernetes/cisbenchmarks/apiserver/encryption_provider_config_test.rego b/checks/kubernetes/cisbenchmarks/apiserver/encryption_provider_config_test.rego
index cf822939..382413f9 100644
--- a/checks/kubernetes/cisbenchmarks/apiserver/encryption_provider_config_test.rego
+++ b/checks/kubernetes/cisbenchmarks/apiserver/encryption_provider_config_test.rego
@@ -18,8 +18,7 @@ test_encryption_provider_config_is_set {
 }]},
 }
 
- count(r) == 1
- r[_].msg == "Ensure that the --encryption-provider-config argument is set as appropriate"
+ count(r) == 0
 }
 
 test_encryption_provider_config_is_not_set {
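Review bot: `not check_flag(container)` makes the rule fire when `check_flag` is undefined for the container, which is the presence test the CIS control asks for, but the rule carries no comment saying it is presence-only while its message promises `set as appropriate`. `check_flag` is defined above this hunk (only its header appears as hunk context), so what it actually matches cannot be confirmed here; the test added in the second file of this commit passes `--encryption-provider-config=` with an empty value as compliant, which suggests the flag's value is not inspected. I would add `# presence-only: an empty or unreadable config path is not caught here` above the `not check_flag(container)` line so the gap is explicit to the next maintainer. The body of `deny` is complete within the hunk.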
@@ -40,6 +39,29 @@ test_encryption_provider_config_is_not_set {
 }]},
 }
 
+ count(r) == 1
+ r[_].msg == "Ensure that the --encryption-provider-config argument is set as appropriate"
+}
+
+test_encryption_provider_config_is_set_args {
+ r := deny with input as {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "apiserver",
+ "labels": {
+ "component": "kube-apiserver",
+ "tier": "control-plane",
+ },
+ },
+ "spec": {"containers": [{
+ "command": ["kube-apiserver"],
+ "args": ["--advertise-address=192.168.49.2", "--encryption-provider-config="],
+ "image": "busybox",
+ "name": "hello",
+ }]},
+ }
+
+ count(r) == 0
 }
 
@@ -62,5 +84,6 @@ test_encryption_provider_config_is_not_set_args {
 }]},
 }
 
- count(r) == 0
+ count(r) == 1
+ r[_].msg == "Ensure that the --encryption-provider-config argument is set as appropriate"
 }
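Review bot: `test_encryption_provider_config_is_set_args` uses `"--encryption-provider-config="` with an empty value and asserts `count(r) == 0`, so the suite now codifies that an empty path counts as configured; kube-apiserver defaults this flag to the empty string, so an empty value is effectively the unset case this check exists to catch. The positive fixture should carry a real path, e.g. `"--encryption-provider-config=/etc/kubernetes/enc/encryption.yaml"`, so the test documents the intended compliant shape rather than the weakest input that happens to pass. Whether the flag helper behind `check_flag` can tell an empty value from a set one is not visible in this diff; if it cannot, the empty-value case is a gap in the check worth a follow-up rather than an expected-pass test.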