docs: add security default rules

pkg/policies/rules/31.yaml

+id: 31,
+name: 'Prevent ConfigMap security vulnerability (CVE-2021-25742)'
+uniqueName: 'CONFIGMAP_CVE2021_25742_INCORRECT_SNIPPET_ANNOTATIONS_VALUE'
+enabledByDefault: false,
+documentationUrl: 'https://hub.datree.io/-prevent-configmap-security-vulnerability-cve-2021-25742'
+messageOnFailue: Missing property object `allow-snippet-annotations` - set it to "false" to override default behaviour
+category: Security
+schema:
+  if:
+    properties:
+      kind:
+        enum:
+          - ConfigMap
+  then:
+    properties:
+      data:
+        properties:
+          allow-snippet-annotations:
+            enum:
+                - 'false'
+        required:
+          - allow-snippet-annotations

pkg/policies/rules/32.yaml

+id: 32,
+name: 'Prevent Ingress security vulnerability (CVE-2021-25742)'
+uniqueName: 'INGRESS_CVE2021_25742_INCORRECT_SERVER_SNIPPET_KEY'
+enabledByDefault: false,
+documentationUrl: 'https://hub.datree.io/-prevent-ingress-security-vulnerability-cve-2021-25742'
+messageOnFailue: Forbidden property object `server-snippet` - ingress-nginx custom snippets are not allowed
+category: Security
+schema:
+  if:
+    properties:
+      kind:
+        enum:
+          - Ingress
+  then:
+    properties:
+      metadata:
+        properties:
+          annotations:
+            not:
+              propertyNames:
+                pattern: ^.*server-snippet$

pkg/policies/rules/33.yaml

+id: 33,
+name: 'Prevent container security vulnerability (CVE-2021-25741)'
+uniqueName: 'CONTAINER_CVE2021_25741_INCORRECT_SUBPATH_KEY'
+enabledByDefault: false,
+documentationUrl: 'https://hub.datree.io/-prevent-container-security-vulnerability-cve-2021-25741'
+messageOnFailue: Forbidden property object `subPath` - malicious users can gain access to files & directories outside of the volume
+category: Security
+schema:
+  definitions:
+    subPathPattern:
+      properties:
+        spec:
+          properties:
+            containers:
+              type: array
+              items:
+                properties:
+                  volumeMounts:
+                    type: array
+                    items:
+                      propertyNames:
+                        not:
+                          pattern: ^subPath$
+  allOf:
+    - $ref: "#/definitions/subPathPattern"
+  additionalProperties:
+    $ref: "#"
+  items:
+    $ref: "#"

pkg/policies/rules/34.yaml

+id: 34,
+name: 'Prevent EndpointSlice security vulnerability (CVE-2021-25737)'
+uniqueName: 'ENDPOINTSLICE_CVE2021_25373_INCORRECT_ADDRESSES_VALUE'
+enabledByDefault: false,
+documentationUrl: 'https://hub.datree.io/-prevent-endpointslice-validation-from-enabling-host-network-hijack-cve-2021-25737'
+messageOnFailue: Incorrect value for key `addresses` - IP address is within vulnerable ranges (127.0.0.0/8 and 169.254.0.0/16)
+category: Security
+schema:
+  if:
+    properties:
+      kind:
+        enum:
+          - EndpointSlice
+  then:
+    properties:
+      endpoints:
+        type: array
+        items:
+          properties:
+            addresses:
+              type: array
+              items:
+                not:
+                  oneOf:
+                    - pattern: ^(169\.254\.)
+                    - pattern: ^(127\.)

pkg/policies/tests/31-fail.yaml

+apiVersion: v1
+kind: ConfigMap
+metadata:
+  creationTimestamp: 2016-02-18T18:52:05Z
+  name: game-config
+  namespace: default
+  resourceVersion: "516"
+  uid: b4952dc3-d670-11e5-8cd0-68f728db1985
+data:
+  game.properties: |
+    enemies=aliens
+    lives=3
+    enemies.cheat=true
+    enemies.cheat.level=noGoodRotten
+    secret.code.passphrase=UUDDLRLRBABAS
+    secret.code.allowed=true
+    secret.code.lives=30
+  ui.properties: |
+    color.good=purple
+    color.bad=yellow
+    allow.textmode=true
+    how.nice.to.look=fairlyNice
+  allow-snippet-annotations: not-false

pkg/policies/tests/31-pass.yaml

+apiVersion: v1
+kind: ConfigMap
+metadata:
+  creationTimestamp: 2016-02-18T18:52:05Z
+  name: game-config
+  namespace: default
+  resourceVersion: "516"
+  uid: b4952dc3-d670-11e5-8cd0-68f728db1985
+data:
+  game.properties: |
+    enemies=aliens
+    lives=3
+    enemies.cheat=true
+    enemies.cheat.level=noGoodRotten
+    secret.code.passphrase=UUDDLRLRBABAS
+    secret.code.allowed=true
+    secret.code.lives=30
+  ui.properties: |
+    color.good=purple
+    color.bad=yellow
+    allow.textmode=true
+    how.nice.to.look=fairlyNice
+  allow-snippet-annotations: "false"

pkg/policies/tests/32-fail.yaml

+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: simple-fanout-example
+  annotations:
+    nginx.ingress.kubernetes.io/server-snippet: dekljdkfj
+spec:
+  rules:
+  - host: foo.bar.com
+    http:
+      paths:
+      - path: /foo
+        pathType: Prefix
+        backend:
+          service:
+            name: service1
+            port:
+              number: 4200
+      - path: /bar
+        pathType: Prefix
+        backend:
+          service:
+            name: service2
+            port:
+              number: 8080

pkg/policies/tests/32-pass.yaml

+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: simple-fanout-example
+  annotations:
+    something: abc
+spec:
+  rules:
+  - host: foo.bar.com
+    http:
+      paths:
+      - path: /foo
+        pathType: Prefix
+        backend:
+          service:
+            name: service1
+            port:
+              number: 4200
+      - path: /bar
+        pathType: Prefix
+        backend:
+          service:
+            name: service2
+            port:
+              number: 8080

pkg/policies/tests/33-fail.yaml

+apiVersion: v1
+kind: Pod
+metadata:
+  name: my-lamp-site
+spec:
+  containers:
+  - name: mysql
+    image: mysql
+    env:
+    - name: MYSQL_ROOT_PASSWORD
+      value: "rootpasswd"
+    volumeMounts:
+    - mountPath: /var/lib/mysql
+      name: site-data
+      subPath: mysql
+  - name: php
+    image: php:7.0-apache
+    volumeMounts:
+    - mountPath: /var/www/html
+      name: site-data
+      subPath: html
+  volumes:
+  - name: site-data
+    persistentVolumeClaim:
+      claimName: my-lamp-site-data

pkg/policies/tests/33-pass.yaml

+apiVersion: v1
+kind: Pod
+metadata:
+  name: my-lamp-site
+spec:
+  containers:
+  - name: mysql
+    image: mysql
+    env:
+    - name: MYSQL_ROOT_PASSWORD
+      value: "rootpasswd"
+    volumeMounts:
+    - mountPath: /var/lib/mysql
+      name: site-data
+  - name: php
+    image: php:7.0-apache
+    volumeMounts:
+    - mountPath: /var/www/html
+      name: site-data
+  volumes:
+  - name: site-data
+    persistentVolumeClaim:
+      claimName: my-lamp-site-data

pkg/policies/tests/34-fail.yaml

+apiVersion: discovery.k8s.io/v1
+kind: EndpointSlice
+metadata:
+  name: example-abc
+  labels:
+    kubernetes.io/service-name: example
+addressType: IPv4
+ports:
+  - name: http
+    protocol: TCP
+    port: 80
+endpoints:
+  - addresses:
+      - "10.1.2.3"
+      - "127.1.2.3"
+    conditions:
+      ready: true
+    hostname: pod-1
+    nodeName: node-1
+    zone: us-west2-a

pkg/policies/tests/34-pass.yaml

+apiVersion: discovery.k8s.io/v1
+kind: EndpointSlice
+metadata:
+  name: example-abc
+  labels:
+    kubernetes.io/service-name: example
+addressType: IPv4
+ports:
+  - name: http
+    protocol: TCP
+    port: 80
+endpoints:
+  - addresses:
+      - "10.1.2.3"
+    conditions:
+      ready: true
+    hostname: pod-1
+    nodeName: node-1
+    zone: us-west2-a