diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..dd8858258 --- /dev/null +++ b/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,37 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disallow-capabilities-strict +spec: + steps: + - name: step-01 + try: + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-capabilities-strict.yaml | kubectl create -f - + - assert: + file: ../../../../pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: ../../../../pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: ../../../../pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-bad.yaml + - apply: + file: ../../../../pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: ../../../../pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-capabilities-strict diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/.kyverno-test/kyverno-test.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..b3dbb1463 --- /dev/null +++ b/pod-security-cel/restricted/disallow-capabilities-strict/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,177 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-capabilities-strict +policies: +- ../disallow-capabilities-strict.yaml +resources: +- ../../../../pod-security/restricted/disallow-capabilities-strict/.kyverno-test/resource.yaml +results: +- kind: CronJob + policy: disallow-capabilities-strict + resources: + - addcap-badcronjob01 + - addcap-badcronjob02 + - addcap-badcronjob03 + - addcap-badcronjob04 + - addcap-badcronjob05 + - addcap-badcronjob06 + - addcap-badcronjob07 + - addcap-badcronjob08 + - addcap-badcronjob09 + - addcap-badcronjob10 + result: fail + rule: adding-capabilities-strict +- kind: Deployment + policy: disallow-capabilities-strict + resources: + - addcap-baddeployment01 + - addcap-baddeployment02 + - addcap-baddeployment03 + - addcap-baddeployment04 + - addcap-baddeployment05 + - addcap-baddeployment06 + - addcap-baddeployment07 + - addcap-baddeployment08 + - addcap-baddeployment09 + - addcap-baddeployment10 + result: fail + rule: adding-capabilities-strict +- kind: Pod + policy: disallow-capabilities-strict + resources: + - addcap-badpod01 + - addcap-badpod02 + - addcap-badpod03 + - addcap-badpod04 + - addcap-badpod05 + - addcap-badpod06 + - addcap-badpod07 + - addcap-badpod08 + - addcap-badpod09 + - addcap-badpod10 + result: fail + rule: adding-capabilities-strict +- kind: CronJob + policy: disallow-capabilities-strict + resources: + - addcap-goodcronjob01 + - addcap-goodcronjob02 + - addcap-goodcronjob03 + - addcap-goodcronjob04 + - addcap-goodcronjob05 + - addcap-goodcronjob06 + - addcap-goodcronjob07 + - addcap-goodcronjob08 + - addcap-goodcronjob09 + - addcap-goodcronjob10 + result: pass + rule: adding-capabilities-strict +- kind: Deployment + policy: disallow-capabilities-strict + resources: + - addcap-gooddeployment01 + - addcap-gooddeployment02 + - addcap-gooddeployment03 + - addcap-gooddeployment04 + - addcap-gooddeployment05 + - addcap-gooddeployment06 + - addcap-gooddeployment07 + - 
addcap-gooddeployment08 + - addcap-gooddeployment09 + - addcap-gooddeployment10 + result: pass + rule: adding-capabilities-strict +- kind: Pod + policy: disallow-capabilities-strict + resources: + - addcap-goodpod01 + - addcap-goodpod02 + - addcap-goodpod03 + - addcap-goodpod04 + - addcap-goodpod05 + - addcap-goodpod06 + - addcap-goodpod07 + - addcap-goodpod08 + - addcap-goodpod09 + - addcap-goodpod10 + result: pass + rule: adding-capabilities-strict +- kind: CronJob + policy: disallow-capabilities-strict + resources: + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 + - badcronjob07 + - badcronjob08 + - badcronjob09 + - badcronjob10 + result: fail + rule: require-drop-all +- kind: Deployment + policy: disallow-capabilities-strict + resources: + - baddeployment01 + - baddeployment02 + - baddeployment03 + - baddeployment04 + - baddeployment05 + - baddeployment06 + - baddeployment07 + - baddeployment08 + - baddeployment09 + - baddeployment10 + result: fail + rule: require-drop-all +- kind: Pod + policy: disallow-capabilities-strict + resources: + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 + - badpod07 + - badpod08 + - badpod09 + - badpod10 + result: fail + rule: require-drop-all +- kind: CronJob + policy: disallow-capabilities-strict + resources: + - goodcronjob01 + - goodcronjob02 + - goodcronjob03 + - goodcronjob04 + - goodcronjob05 + - goodcronjob06 + result: pass + rule: require-drop-all +- kind: Deployment + policy: disallow-capabilities-strict + resources: + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 + result: pass + rule: require-drop-all +- kind: Pod + policy: disallow-capabilities-strict + resources: + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + - goodpod06 + result: pass + rule: require-drop-all 
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml new file mode 100644 index 000000000..d53a4eece --- /dev/null +++ b/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml @@ -0,0 +1,23 @@ +name: disallow-capabilities-strict-cel +version: 1.0.0 +displayName: Disallow Capabilities (Strict) in CEL expressions +description: >- + Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, all containers must explicitly drop `ALL` capabilities. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml + ``` +keywords: + - kyverno + - Pod Security Standards (Restricted) + - CEL Expressions +readme: | + Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, all containers must explicitly drop `ALL` capabilities. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Pod Security Standards (Restricted)" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "Pod" +digest: 3ba20799de8e2ff846fc1e064fac7b3e0cf318f2d127161bf9e9f90d76aff4da +createdAt: "2023-12-04T09:04:49Z" diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml new file mode 100644 index 000000000..cfe5d55fd --- /dev/null +++ b/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml 
@@ -0,0 +1,83 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-capabilities-strict
+ annotations:
+ policies.kyverno.io/title: Disallow Capabilities (Strict) in CEL expressions
+ policies.kyverno.io/category: Pod Security Standards (Restricted) in CEL
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kyverno-version: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition,
+ all containers must explicitly drop `ALL` capabilities.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: require-drop-all
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ Containers must drop `ALL` capabilities.
+ cel:
+ expressions:
+ - expression: >-
+ object.spec.containers.all(container, has(container.securityContext) &&
+ has(container.securityContext.capabilities) &&
+ has(container.securityContext.capabilities.drop) &&
+ container.securityContext.capabilities.drop.exists_one(capability, capability == 'ALL'))
+
+ - expression: >-
+ !has(object.spec.initContainers) ||
+ object.spec.initContainers.all(container, has(container.securityContext) &&
+ has(container.securityContext.capabilities) &&
+ has(container.securityContext.capabilities.drop) &&
+ container.securityContext.capabilities.drop.exists_one(capability, capability == 'ALL'))
+
+ - expression: >-
+ !has(object.spec.ephemeralContainers) ||
+ object.spec.ephemeralContainers.all(container, has(container.securityContext) &&
+ has(container.securityContext.capabilities) &&
+ has(container.securityContext.capabilities.drop) &&
+ container.securityContext.capabilities.drop.exists_one(capability, capability == 'ALL'))
+ - name: adding-capabilities-strict
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ cel:
+ expressions:
+ - expression: >-
+ object.spec.containers.all(container, !has(container.securityContext) ||
+ !has(container.securityContext.capabilities) ||
+ !has(container.securityContext.capabilities.add) ||
+ ((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE')))
+ message: >-
+ Any capabilities added other than NET_BIND_SERVICE are disallowed.
+
+ - expression: >-
+ !has(object.spec.initContainers) ||
+ object.spec.initContainers.all(container, !has(container.securityContext) ||
+ !has(container.securityContext.capabilities) ||
+ !has(container.securityContext.capabilities.add) ||
+ ((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE')))
+ message: >-
+ Any capabilities added other than NET_BIND_SERVICE are disallowed.
+
+ - expression: >-
+ !has(object.spec.ephemeralContainers) ||
+ object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
+ !has(container.securityContext.capabilities) ||
+ !has(container.securityContext.capabilities.add) ||
+ ((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE')))
+ message: >-
+ Any capabilities added other than NET_BIND_SERVICE are disallowed.
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..5edf3d4b2
--- /dev/null
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test.yaml
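Review bot: The `require-drop-all` rule reports every failure with the single rule-level message `Containers must drop \`ALL\` capabilities.`, while the sibling `adding-capabilities-strict` rule gives each of its three expressions its own message; an operator whose pod is rejected by the initContainers or ephemeralContainers expression gets no hint which container list failed. I would give each expression in `require-drop-all` a message naming its path, e.g. `message: Containers must drop ALL capabilities. The field spec.initContainers[*].securityContext.capabilities.drop must contain ALL.`, matching the style already used in the second rule. Separately, `drop.exists_one(capability, capability == 'ALL')` rejects a manifest that lists `ALL` twice in `drop`, which is redundant but not unsafe; `drop.exists(capability, capability == 'ALL')` expresses the intended "ALL is present" check without that surprise.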
@@ -0,0 +1,37 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disallow-privilege-escalation +spec: + steps: + - name: step-01 + try: + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-privilege-escalation.yaml | kubectl create -f - + - assert: + file: ../../../../pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: ../../../../pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: ../../../../pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-bad.yaml + - apply: + file: ../../../../pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: ../../../../pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-privilege-escalation diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.kyverno-test/kyverno-test.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..30359768e --- /dev/null +++ b/pod-security-cel/restricted/disallow-privilege-escalation/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,72 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-privilege-escalation +policies: +- ../disallow-privilege-escalation.yaml +resources: +- ../../../../pod-security/restricted/disallow-privilege-escalation/.kyverno-test/resource.yaml +results: +- kind: CronJob + policy: disallow-privilege-escalation + resources: + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 + result: fail + rule: privilege-escalation +- kind: Deployment + policy: disallow-privilege-escalation + resources: + - baddeployment01 + - baddeployment02 + - baddeployment03 + - baddeployment04 + - baddeployment05 + - baddeployment06 + result: fail + rule: privilege-escalation +- kind: Pod + policy: disallow-privilege-escalation + resources: + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 + result: fail + rule: privilege-escalation +- kind: CronJob + policy: disallow-privilege-escalation + resources: + - goodcronjob01 + - goodcronjob02 + - goodcronjob03 + - goodcronjob04 + - goodcronjob05 + result: pass + rule: privilege-escalation +- kind: Deployment + policy: disallow-privilege-escalation + resources: + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + result: pass + rule: privilege-escalation +- kind: Pod + policy: disallow-privilege-escalation + resources: + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + result: pass + rule: privilege-escalation diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml new file mode 100644 index 000000000..d1d87148f --- /dev/null +++ b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml 
@@ -0,0 +1,23 @@ +name: disallow-privilege-escalation-cel +version: 1.0.0 +displayName: Disallow Privilege Escalation in CEL expressions +description: >- + Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to `false`. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml + ``` +keywords: + - kyverno + - Pod Security Standards (Restricted) + - CEL Expressions +readme: | + Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to `false`. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Pod Security Standards (Restricted)" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "Pod" +digest: a656fbec861a5420caab9ad15abf28edf45b47c6d749c3d3943223dfb4d37d7a +createdAt: "2023-12-04T09:04:49Z" diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml new file mode 100644 index 000000000..cde75c193 --- /dev/null +++ b/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml 
@@ -0,0 +1,54 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-privilege-escalation
+ annotations:
+ policies.kyverno.io/title: Disallow Privilege Escalation in CEL
+ policies.kyverno.io/category: Pod Security Standards (Restricted) in CEL
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kyverno-version: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ policies.kyverno.io/description: >-
+ Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
+ This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: privilege-escalation
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ cel:
+ expressions:
+ - expression: >-
+ object.spec.containers.all(container, has(container.securityContext) &&
+ has(container.securityContext.allowPrivilegeEscalation) &&
+ container.securityContext.allowPrivilegeEscalation == false)
+ message: >-
+ Privilege escalation is disallowed. The field
+ spec.containers[*].securityContext.allowPrivilegeEscalation must be set to `false`.
+
+ - expression: >-
+ !has(object.spec.initContainers) ||
+ object.spec.initContainers.all(container, has(container.securityContext) &&
+ has(container.securityContext.allowPrivilegeEscalation) &&
+ container.securityContext.allowPrivilegeEscalation == false)
+ message: >-
+ Privilege escalation is disallowed. The field
+ spec.initContainers[*].securityContext.allowPrivilegeEscalation must be set to `false`.
+
+ - expression: >-
+ !has(object.spec.ephemeralContainers) ||
+ object.spec.ephemeralContainers.all(container, has(container.securityContext) &&
+ has(container.securityContext.allowPrivilegeEscalation) &&
+ container.securityContext.allowPrivilegeEscalation == false)
+ message: >-
+ Privilege escalation is disallowed. The field
+ spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation must be set to `false`.
+
\ No newline at end of file
diff --git a/pod-security-cel/restricted/kustomization.yaml b/pod-security-cel/restricted/kustomization.yaml
new file mode 100644
index 000000000..6725535b9
--- /dev/null
+++ b/pod-security-cel/restricted/kustomization.yaml
@@ -0,0 +1,7 @@
+resources:
+ - disallow-capabilities-strict/disallow-capabilities-strict.yaml
+ - disallow-privilege-escalation/disallow-privilege-escalation.yaml
+ - require-run-as-non-root-user/require-run-as-non-root-user.yaml
+ - require-run-as-nonroot/require-run-as-nonroot.yaml
+ - restrict-seccomp-strict/restrict-seccomp-strict.yaml
+ - restrict-volume-types/restrict-volume-types.yaml
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..648a10d62
--- /dev/null
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test.yaml
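Review bot: The three expressions deliberately require `has(container.securityContext.allowPrivilegeEscalation)` in addition to `== false`, so a container that simply omits the field is rejected, but nothing in the file says why, and a future maintainer is likely to "relax" it to `!has(...) || ... == false` the way the sibling seccomp and runAsUser policies are written. I would add a comment above the first expression: `# An omitted allowPrivilegeEscalation is NOT safe: as far as I recall the kubelet only sets no_new_privs when the field is explicitly false, and PSS Restricted requires the explicit value, so has() is part of the check.` The hunk also ends with a trailing empty `+` line and `\ No newline at end of file`; the other policy files in this change end cleanly, so this one should get a single terminating newline.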
@@ -0,0 +1,37 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: require-run-as-non-root-user +spec: + steps: + - name: step-01 + try: + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../require-run-as-non-root-user.yaml | kubectl create -f - + - assert: + file: ../../../../pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: ../../../../pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: ../../../../pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-bad.yaml + - apply: + file: ../../../../pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: ../../../../pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-run-as-non-root-user diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.kyverno-test/kyverno-test.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..b980f7da0 --- /dev/null +++ b/pod-security-cel/restricted/require-run-as-non-root-user/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,87 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-run-as-non-root-user +policies: +- ../require-run-as-non-root-user.yaml +resources: +- ../../../../pod-security/restricted/require-run-as-non-root-user/.kyverno-test/resource.yaml +results: +- kind: CronJob + policy: require-run-as-non-root-user + resources: + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 + result: fail + rule: run-as-non-root-user +- kind: Deployment + policy: require-run-as-non-root-user + resources: + - baddeployment01 + - baddeployment02 + - baddeployment03 + - baddeployment04 + - baddeployment05 + - baddeployment06 + result: fail + rule: run-as-non-root-user +- kind: Pod + policy: require-run-as-non-root-user + resources: + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 + result: fail + rule: run-as-non-root-user +- kind: CronJob + policy: require-run-as-non-root-user + resources: + - goodcronjob01 + - goodcronjob02 + - goodcronjob03 + - goodcronjob04 + - goodcronjob05 + - goodcronjob06 + - goodcronjob07 + - goodcronjob08 + - goodcronjob09 + - goodcronjob10 + result: pass + rule: run-as-non-root-user +- kind: Deployment + policy: require-run-as-non-root-user + resources: + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 + - gooddeployment07 + - gooddeployment08 + - gooddeployment09 + - gooddeployment10 + result: pass + rule: run-as-non-root-user +- kind: Pod + policy: require-run-as-non-root-user + resources: + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + - goodpod06 + - goodpod07 + - goodpod08 + - goodpod09 + - goodpod10 + result: pass + rule: run-as-non-root-user 
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml b/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml new file mode 100644 index 000000000..1e97e8811 --- /dev/null +++ b/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml @@ -0,0 +1,23 @@ +name: require-run-as-non-root-user-cel +version: 1.0.0 +displayName: Require Run As Non-Root User in CEL expressions +description: >- + Containers must be required to run as non-root users. This policy ensures `runAsUser` is either unset or set to a number greater than zero. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml + ``` +keywords: + - kyverno + - Pod Security Standards (Restricted) + - CEL Expressions +readme: | + Containers must be required to run as non-root users. This policy ensures `runAsUser` is either unset or set to a number greater than zero. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Pod Security Standards (Restricted)" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "Pod" +digest: 4325ec1161eb1a2eb361eaed9618b7fe4605bfa621361064a43b4f056f03da8a +createdAt: "2023-12-04T09:04:49Z" diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml new file mode 100644 index 000000000..96e3e2ca7 --- /dev/null +++ b/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml 
@@ -0,0 +1,61 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-run-as-non-root-user
+ annotations:
+ policies.kyverno.io/title: Require Run As Non-Root User in CEL
+ policies.kyverno.io/category: Pod Security Standards (Restricted) in CEL
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kyverno-version: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ policies.kyverno.io/description: >-
+ Containers must be required to run as non-root users. This policy ensures
+ `runAsUser` is either unset or set to a number greater than zero.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: run-as-non-root-user
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ cel:
+ expressions:
+ - expression: >-
+ !has(object.spec.securityContext) ||
+ !has(object.spec.securityContext.runAsUser) ||
+ object.spec.securityContext.runAsUser > 0
+ message: >-
+ Running as root is not allowed. The field spec.securityContext.runAsUser must be unset or
+ set to a number greater than zero.
+
+ - expression: >-
+ object.spec.containers.all(container, !has(container.securityContext) ||
+ !has(container.securityContext.runAsUser) ||
+ container.securityContext.runAsUser > 0)
+ message: >-
+ Running as root is not allowed. The field spec.containers[*].securityContext.runAsUser must be unset or
+ set to a number greater than zero
+
+ - expression: >-
+ !has(object.spec.initContainers) ||
+ object.spec.initContainers.all(container, !has(container.securityContext) ||
+ !has(container.securityContext.runAsUser) ||
+ container.securityContext.runAsUser > 0)
+ message: >-
+ Running as root is not allowed. The field spec.initContainers[*].securityContext.runAsUser must be unset or
+ set to a number greater than zero
+
+ - expression: >-
+ !has(object.spec.ephemeralContainers) ||
+ object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
+ !has(container.securityContext.runAsUser) ||
+ container.securityContext.runAsUser > 0)
+ message: >-
+ Running as root is not allowed. The field spec.ephemeralContainers[*].securityContext.runAsUser must be unset or
+ set to a number greater than zero
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test.yaml/chainsaw-test.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test.yaml/chainsaw-test.yaml
new file mode 100755
index 000000000..e252df8e3
--- /dev/null
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test.yaml/chainsaw-test.yaml
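Review bot: Every expression here accepts an entirely absent `runAsUser`, so a pod that sets nothing at the pod level or in any container passes, and whether it actually runs as root is then decided by the image's `USER` instruction; that is what the description promises, but the security consequence should be stated in the file so nobody reads this policy as a complete non-root guarantee. I would add above the first expression: `# Unset runAsUser is accepted at every level, so this rule alone does not prevent an image whose USER is root from running as UID 0; the companion require-run-as-nonroot policy (runAsNonRoot: true) is what closes that gap.` The rule is otherwise consistent with PSS Restricted as I read it: a pod-level `runAsUser: 0` is rejected by the first expression even when every container overrides it with a non-zero value. Minor: the first message ends with a period and the other three do not.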
@@ -0,0 +1,37 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: restrict-seccomp-strict +spec: + steps: + - name: step-01 + try: + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-seccomp-strict.yaml | kubectl create -f - + - assert: + file: ../../../../pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: ../../../../pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: ../../../../pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-bad.yaml + - apply: + file: ../../../../pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: ../../../../pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-seccomp-strict diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.kyverno-test.yaml/kyverno-test.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.kyverno-test.yaml/kyverno-test.yaml new file mode 100644 index 000000000..51ae4a602 --- /dev/null +++ b/pod-security-cel/restricted/restrict-seccomp-strict/.kyverno-test.yaml/kyverno-test.yaml 
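Review bot: This chainsaw test lives in `restrict-seccomp-strict/.chainsaw-test.yaml/chainsaw-test.yaml` (see the `+++` header), whereas every other policy in this change uses a `.chainsaw-test/` directory; a test runner that discovers suites by that directory name will presumably never pick this one up, so the Enforce-mode behaviour of restrict-seccomp-strict would go untested. The fix is to move the file to `pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-test.yaml` so it matches its siblings and the non-CEL policy it borrows its fixtures from.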
@@ -0,0 +1,90 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-seccomp-strict +policies: +- ../restrict-seccomp-strict.yaml +resources: +- ../../../../pod-security/restricted/restrict-seccomp-strict/.kyverno-test/resource.yaml +results: +- kind: CronJob + policy: restrict-seccomp-strict + resources: + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 + - badcronjob07 + result: fail + rule: check-seccomp-strict +- kind: Deployment + policy: restrict-seccomp-strict + resources: + - baddeployment01 + - baddeployment02 + - baddeployment03 + - baddeployment04 + - baddeployment05 + - baddeployment06 + - baddeployment07 + result: fail + rule: check-seccomp-strict +- kind: Pod + policy: restrict-seccomp-strict + resources: + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 + - badpod07 + result: fail + rule: check-seccomp-strict +- kind: CronJob + policy: restrict-seccomp-strict + resources: + - goodcronjob01 + - goodcronjob02 + - goodcronjob03 + - goodcronjob04 + - goodcronjob05 + - goodcronjob06 + - goodcronjob07 + - goodcronjob08 + - goodcronjob09 + - goodcronjob10 + result: pass + rule: check-seccomp-strict +- kind: Deployment + policy: restrict-seccomp-strict + resources: + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 + - gooddeployment07 + - gooddeployment08 + - gooddeployment09 + - gooddeployment10 + result: pass + rule: check-seccomp-strict +- kind: Pod + policy: restrict-seccomp-strict + resources: + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + - goodpod06 + - goodpod07 + - goodpod08 + - goodpod09 + - goodpod10 + result: pass + rule: check-seccomp-strict 
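Review bot: Same directory problem as the chainsaw suite for this policy: the file is placed under `.kyverno-test.yaml/` instead of the `.kyverno-test/` directory used by the other five policies in this change, so the CLI test discovery that presumably runs in CI is unlikely to find it. It should be moved to `restrict-seccomp-strict/.kyverno-test/kyverno-test.yaml`. Once it does run, note that it reuses the non-CEL policy's `resource.yaml` and expects `badpod01`–`badpod07` to fail; if any of those fixtures is "bad" only because it sets no seccomp profile at all, the CEL policy in this diff accepts such pods and the expectation will not hold (the fixture file itself is outside this diff).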
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml b/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml new file mode 100644 index 000000000..527f9037a --- /dev/null +++ b/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml @@ -0,0 +1,23 @@ +name: restrict-seccomp-strict-cel +version: 1.0.0 +displayName: Restrict Seccomp (Strict) in CEL expressions +description: >- + The seccomp profile in the Restricted group must not be explicitly set to Unconfined but additionally must also not allow an unset value. This policy, requiring Kubernetes v1.19 or later, ensures that seccomp is set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml + ``` +keywords: + - kyverno + - Pod Security Standards (Restricted) + - CEL Expressions +readme: | + The seccomp profile in the Restricted group must not be explicitly set to Unconfined but additionally must also not allow an unset value. This policy, requiring Kubernetes v1.19 or later, ensures that seccomp is set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Pod Security Standards (Restricted)" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "Pod" +digest: 4deffb0a892939288dabf65e9af18732036a464ae3611028a96ae02215140e77 +createdAt: "2023-12-04T09:04:49Z" 
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml new file mode 100644 index 000000000..ed58c9641 --- /dev/null +++ b/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml 
@@ -0,0 +1,72 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-seccomp-strict
+ annotations:
+ policies.kyverno.io/title: Restrict Seccomp (Strict) in CEL
+ policies.kyverno.io/category: Pod Security Standards (Restricted) in CEL
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kyverno-version: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ policies.kyverno.io/description: >-
+ The seccomp profile in the Restricted group must not be explicitly set to Unconfined
+ but additionally must also not allow an unset value. This policy,
+ requiring Kubernetes v1.19 or later, ensures that seccomp is
+ set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this
+ using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
+spec:
+ background: true
+ validationFailureAction: Audit
+ rules:
+ - name: check-seccomp-strict
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ cel:
+ expressions:
+ - expression: >-
+ !has(object.spec.securityContext) ||
+ !has(object.spec.securityContext.seccompProfile) ||
+ !has(object.spec.securityContext.seccompProfile.type) ||
+ object.spec.securityContext.seccompProfile.type == 'RuntimeDefault' ||
+ object.spec.securityContext.seccompProfile.type == 'Localhost'
+ message: >-
+ Use of custom Seccomp profiles is disallowed. The field
+ spec.securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.
+
+ - expression: >-
+ object.spec.containers.all(container, !has(container.securityContext) ||
+ !has(container.securityContext.seccompProfile) ||
+ !has(container.securityContext.seccompProfile.type) ||
+ container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
+ container.securityContext.seccompProfile.type == 'Localhost')
+ message: >-
+ Use of custom Seccomp profiles is disallowed. The field
+ spec.containers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.
+
+ - expression: >-
+ !has(object.spec.initContainers) ||
+ object.spec.initContainers.all(container, !has(container.securityContext) ||
+ !has(container.securityContext.seccompProfile) ||
+ !has(container.securityContext.seccompProfile.type) ||
+ container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
+ container.securityContext.seccompProfile.type == 'Localhost')
+ message: >-
+ Use of custom Seccomp profiles is disallowed. The field
+ spec.initContainers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.
+
+ - expression: >-
+ !has(object.spec.ephemeralContainers) ||
+ object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
+ !has(container.securityContext.seccompProfile) ||
+ !has(container.securityContext.seccompProfile.type) ||
+ container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
+ container.securityContext.seccompProfile.type == 'Localhost')
+ message: >-
+ Use of custom Seccomp profiles is disallowed. The field
+ spec.ephemeralContainers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.
diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..b23319825
--- /dev/null
+++ b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml
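Review bot: The first expression accepts a Pod that sets no seccompProfile at all — `!has(object.spec.securityContext) || !has(object.spec.securityContext.seccompProfile) || ...` is true whenever the pod-level field is absent — and the three per-container expressions likewise pass when the container-level field is absent, so a Pod with seccomp unset everywhere satisfies every expression, which contradicts the description's "must also not allow an unset value" and the "strict" intent of the policy name. The strict profile is met when either the pod-level type is `RuntimeDefault`/`Localhost` or every container (init and ephemeral included) sets it; I would replace the first expression with that disjunction and keep expressions 2–4 unchanged so a container that explicitly sets another value is still rejected. Separately, the description's sentence about `anyPattern` and Kubernetes 1.23.0-1.23.2 describes the non-CEL policy and does not apply to a CEL rule; the same wording appears in the artifacthub-pkg.yml hunk above and could be dropped from both.
```yaml
            expressions:
              - expression: >-
                  (has(object.spec.securityContext) &&
                  has(object.spec.securityContext.seccompProfile) &&
                  has(object.spec.securityContext.seccompProfile.type) &&
                  object.spec.securityContext.seccompProfile.type in ['RuntimeDefault', 'Localhost']) ||
                  (object.spec.containers.all(container, has(container.securityContext) &&
                  has(container.securityContext.seccompProfile) &&
                  has(container.securityContext.seccompProfile.type) &&
                  container.securityContext.seccompProfile.type in ['RuntimeDefault', 'Localhost']) &&
                  (!has(object.spec.initContainers) ||
                  object.spec.initContainers.all(container, has(container.securityContext) &&
                  has(container.securityContext.seccompProfile) &&
                  has(container.securityContext.seccompProfile.type) &&
                  container.securityContext.seccompProfile.type in ['RuntimeDefault', 'Localhost'])) &&
                  (!has(object.spec.ephemeralContainers) ||
                  object.spec.ephemeralContainers.all(container, has(container.securityContext) &&
                  has(container.securityContext.seccompProfile) &&
                  has(container.securityContext.seccompProfile.type) &&
                  container.securityContext.seccompProfile.type in ['RuntimeDefault', 'Localhost'])))
                message: >-
                  Use of custom Seccomp profiles is disallowed. Either spec.securityContext.seccompProfile.type
                  or the securityContext.seccompProfile.type of every container, initContainer and
                  ephemeralContainer must be set to `RuntimeDefault` or `Localhost`.
              # … unchanged: the three per-container expressions and their messages …
```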
@@ -0,0 +1,49 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: restrict-volume-types
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../../../../pod-security/restricted/restrict-volume-types/.chainsaw-test/ns.yaml
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-volume-types.yaml | kubectl create -f -
+ - assert:
+ file: ../../../../pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ../../../../pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ../../../../pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-bad.yaml
+ - apply:
+ file: ../../../../pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ../../../../pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-volume-types
+ - command:
+ args:
+ - delete
+ - all
+ - --all
+ - --force
+ - --grace-period=0
+ - -n
+ - restrict-voltypes-ns
+ entrypoint: kubectl
diff --git a/pod-security-cel/restricted/restrict-volume-types/.kyverno-test/kyverno-test.yaml b/pod-security-cel/restricted/restrict-volume-types/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..1cd4e46fd
--- /dev/null
+++ b/pod-security-cel/restricted/restrict-volume-types/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,126 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: restrict-volume-types
+policies:
+- ../restrict-volume-types.yaml
+resources:
+- ../../../../pod-security/restricted/restrict-volume-types/.kyverno-test/resource.yaml
+results:
+- kind: CronJob
+ policy: restrict-volume-types
+ resources:
+ - badcronjob01
+ - badcronjob02
+ - badcronjob03
+ - badcronjob04
+ - badcronjob05
+ - badcronjob06
+ - badcronjob07
+ - badcronjob08
+ - badcronjob09
+ - badcronjob10
+ - badcronjob11
+ - badcronjob12
+ - badcronjob13
+ - badcronjob14
+ - badcronjob15
+ - badcronjob16
+ - badcronjob17
+ - badcronjob18
+ - badcronjob19
+ - badcronjob20
+ result: fail
+ rule: restricted-volumes
+- kind: Deployment
+ policy: restrict-volume-types
+ resources:
+ - baddeployment01
+ - baddeployment02
+ - baddeployment03
+ - baddeployment04
+ - baddeployment05
+ - baddeployment06
+ - baddeployment07
+ - baddeployment08
+ - baddeployment09
+ - baddeployment10
+ - baddeployment11
+ - baddeployment12
+ - baddeployment13
+ - baddeployment14
+ - baddeployment15
+ - baddeployment16
+ - baddeployment17
+ - baddeployment18
+ - baddeployment19
+ - baddeployment20
+ result: fail
+ rule: restricted-volumes
+- kind: Pod
+ policy: restrict-volume-types
+ resources:
+ - badpod01
+ - badpod02
+ - badpod03
+ - badpod04
+ - badpod05
+ - badpod06
+ - badpod07
+ - badpod08
+ - badpod09
+ - badpod10
+ - badpod11
+ - badpod12
+ - badpod13
+ - badpod14
+ - badpod15
+ - badpod16
+ - badpod17
+ - badpod18
+ - badpod19
+ - badpod20
+ result: fail
+ rule: restricted-volumes
+- kind: CronJob
+ policy: restrict-volume-types
+ resources:
+ - goodcronjob01
+ - goodcronjob02
+ - goodcronjob03
+ - goodcronjob04
+ - goodcronjob05
+ - goodcronjob06
+ - goodcronjob07
+ - goodcronjob08
+ - goodcronjob09
+ result: pass
+ rule: restricted-volumes
+- kind: Deployment
+ policy: restrict-volume-types
+ resources:
+ - gooddeployment01
+ - gooddeployment02
+ - gooddeployment03
+ - gooddeployment04
+ - gooddeployment05
+ - gooddeployment06
+ - gooddeployment07
+ - gooddeployment08
+ - gooddeployment09
+ result: pass
+ rule: restricted-volumes
+- kind: Pod
+ policy: restrict-volume-types
+ resources:
+ - goodpod01
+ - goodpod02
+ - goodpod03
+ - goodpod04
+ - goodpod05
+ - goodpod06
+ - goodpod07
+ - goodpod08
+ - goodpod09
+ result: pass
+ rule: restricted-volumes
diff --git a/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml b/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml
new file mode 100644
index 000000000..f231b9264
--- /dev/null
+++ b/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml
@@ -0,0 +1,23 @@
+name: restrict-volume-types-cel
+version: 1.0.0
+displayName: Restrict Volume Types in CEL expressions
+description: >-
+ In addition to restricting HostPath volumes, the restricted pod security profile limits usage of non-core volume types to those defined through PersistentVolumes. This policy blocks any other type of volume other than those in the allow list.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml
+ ```
+keywords:
+ - kyverno
+ - Pod Security Standards (Restricted)
+ - CEL Expressions
+readme: |
+ In addition to restricting HostPath volumes, the restricted pod security profile limits usage of non-core volume types to those defined through PersistentVolumes. This policy blocks any other type of volume other than those in the allow list.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Pod Security Standards (Restricted)"
+ kyverno/kubernetesVersion: "1.26-1.27"
+ kyverno/subject: "Pod,Volume"
+digest: d5e29d1e422d57878e74db9bc93f8db1588c6dbb777e13a02d873952a5134d59
+createdAt: "2024-01-02T15:37:55Z"
diff --git a/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml b/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml
new file mode 100644
index 000000000..7d57ec798
--- /dev/null
+++ b/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml
@@ -0,0 +1,42 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-volume-types
+ annotations:
+ policies.kyverno.io/title: Restrict Volume Types in CEL
+ policies.kyverno.io/category: Pod Security Standards (Restricted) in CEL
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod,Volume
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ kyverno.io/kyverno-version: 1.11.0
+ policies.kyverno.io/description: >-
+ In addition to restricting HostPath volumes, the restricted pod security profile
+ limits usage of non-core volume types to those defined through PersistentVolumes.
+ This policy blocks any other type of volume other than those in the allow list.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: restricted-volumes
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ cel:
+ expressions:
+ - expression: >-
+ !has(object.spec.volumes) ||
+ object.spec.volumes.all(vol, has(vol.configMap) ||
+ has(vol.csi) ||
+ has(vol.downwardAPI) ||
+ has(vol.emptyDir) ||
+ has(vol.ephemeral) ||
+ has(vol.persistentVolumeClaim) ||
+ has(vol.projected) ||
+ has(vol.secret))
+ message: >-
+ Only the following types of volumes may be used: configMap, csi, downwardAPI,
+ emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.