Rule Metadata

Last updated: 2024-01-15
Severity: LOW
Category: Configuration & Resource Hygiene
Version: v1.0.0
Downloads: 1.2K
Author: Spotter Security Team
Created: 2024-01-10
Compliance: CIS, NIST

Metadata Label Is Invalid

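Resource metadata labels should follow the recommended format: label keys and values may contain only alphanumeric characters, dashes, dots, and underscores, and must begin and end with an alphanumeric character.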

YAML Configuration

rule.yaml
apiVersion: rules.spotter.dev/v1alpha1
kind: SpotterRule
metadata:
  name: spotter-config-008
  labels:
    severity: "low"
    category: "config"
  annotations:
    rules.spotter.dev/title: "Metadata Label Is Invalid"
    rules.spotter.dev/version: "1.0.0"
    rules.spotter.dev/cwe: "CWE-1068"
    rules.spotter.dev/description: "Resource metadata labels should follow the recommended format."
spec:
  match:
    resources:
      kubernetes:
        apiGroups:
          - "*"
        versions:
          - "*"
        kinds:
          - "*"
        namespaces:
          include: ["*"]
          exclude: []
  cel: |
    has(object.metadata.labels) &&
    object.metadata.labels.exists(k,
      !k.matches("^([a-zA-Z0-9]([a-zA-Z0-9\\-._]*[a-zA-Z0-9])?)?$") ||
      !object.metadata.labels[k].matches("^([a-zA-Z0-9]([a-zA-Z0-9\\-._]*[a-zA-Z0-9])?)?$") ||
      k.contains("*") || k.contains("+") ||
      object.metadata.labels[k].contains("*") || object.metadata.labels[k].contains("+")
    )
  remediation:
    manual: "Ensure that all metadata labels adhere to the recommended format, which includes only alphanumeric characters, dashes, dots, and underscores."
  references:
    - title: "Kubernetes Labels and Selectors"
      url: "https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/"
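
The check performed by the cel expression above, reproduced in Python so it can be run against label sets offline and its edge cases seen. This is an added example, not part of the Spotter rule or project; the function names and the sample objects are constructed for illustration.

```python
import re

# Same pattern the rule's CEL applies to both keys and values
# (the CEL string escape "\\-" is the regex escape "\-").
LABEL_RE = re.compile(r"^([a-zA-Z0-9]([a-zA-Z0-9\-._]*[a-zA-Z0-9])?)?$")


def invalid_labels(obj):
    """Return (key, value, part) for every label the rule would flag."""
    labels = (obj.get("metadata") or {}).get("labels") or {}
    findings = []
    for key, value in labels.items():
        # The CEL's extra contains("*") / contains("+") tests are already
        # covered: neither character is in the allowed class.
        if not LABEL_RE.fullmatch(key):
            findings.append((key, value, "key"))
        elif not LABEL_RE.fullmatch(value):
            findings.append((key, value, "value"))
    return findings


def rule_matches(obj):
    """True when the rule would report the object."""
    return bool(invalid_labels(obj))


# Constructed sample objects (metadata only).
SAMPLES = {
    "clean": {"metadata": {"labels": {"app": "web", "tier": "front-end_v1.2"}}},
    "bad-values": {"metadata": {"labels": {
        "env": "prod*",        # wildcard character
        "team": "-payments",   # starts with a dash
        "owner": "a b",        # contains a space
    }}},
    # Prefixed keys are valid per the referenced Kubernetes documentation,
    # but the pattern has no "/", so the rule as written reports them.
    "prefixed-key": {"metadata": {"labels": {"app.kubernetes.io/name": "api"}}},
    "empty-value": {"metadata": {"labels": {"canary": ""}}},  # allowed
    "no-labels": {"metadata": {"name": "bare"}},
}

if __name__ == "__main__":
    for name, obj in SAMPLES.items():
        print(name, "FLAGGED" if rule_matches(obj) else "ok", invalid_labels(obj))
```

The pattern also sets no length limit, so over-long keys or values pass this check.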