-
Notifications
You must be signed in to change notification settings - Fork 254
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'main' into pod-security-cel-part-3
- Loading branch information
Showing
9 changed files
with
145 additions
and
0 deletions.
There are no files selected for viewing
32 changes: 32 additions & 0 deletions
32
psa/add-psa-namespace-reporting/.chainsaw-test/chainsaw-test.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| apiVersion: chainsaw.kyverno.io/v1alpha1 | ||
| kind: Test | ||
| metadata: | ||
| creationTimestamp: null | ||
| name: add-psa-namespace-reporting | ||
| spec: | ||
| steps: | ||
| - name: apply-policy | ||
| try: | ||
| - script: | ||
| content: | | ||
| sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../add-psa-namespace-reporting.yaml | kubectl create -f - | ||
| - assert: | ||
| file: policy-ready.yaml | ||
| - name: apply-policy-test | ||
| try: | ||
| - apply: | ||
| file: namespace-with-psa-labels.yaml | ||
| - apply: | ||
| expect: | ||
| - check: | ||
| ($error != null): true | ||
| file: namespace-without-psa-labels.yaml | ||
| - name: step-99 | ||
| try: | ||
| - delete: | ||
| ref: | ||
| apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| name: add-psa-namespace-reporting | ||
|
|
||
|
|
6 changes: 6 additions & 0 deletions
6
psa/add-psa-namespace-reporting/.chainsaw-test/namespace-with-psa-labels.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| apiVersion: v1 | ||
| kind: Namespace | ||
| metadata: | ||
| name: test | ||
| labels: | ||
| pod-security.kubernetes.io/enforce: "privileged" |
4 changes: 4 additions & 0 deletions
4
psa/add-psa-namespace-reporting/.chainsaw-test/namespace-without-psa-labels.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| apiVersion: v1 | ||
| kind: Namespace | ||
| metadata: | ||
| name: test-fail |
9 changes: 9 additions & 0 deletions
9
psa/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| metadata: | ||
| name: add-psa-namespace-reporting | ||
| status: | ||
| ready: true | ||
|
|
||
|
|
||
|
|
22 changes: 22 additions & 0 deletions
22
psa/add-psa-namespace-reporting/.kyverno-test/kyverno-test.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| apiVersion: cli.kyverno.io/v1alpha1 | ||
| kind: Test | ||
| metadata: | ||
| name: add-psa-namespace-reporting-tests | ||
| policies: | ||
| - ../add-psa-namespace-reporting.yaml | ||
| resources: | ||
| - namespace-with-psa-labels.yaml | ||
| - namespace-without-psa-labels.yaml | ||
| results: | ||
| - kind: Namespace | ||
| policy: add-psa-namespace-reporting | ||
| resources: | ||
| - test | ||
| rule: check-namespace-labels | ||
| result: pass | ||
| - kind: Namespace | ||
| policy: add-psa-namespace-reporting | ||
| resources: | ||
| - test-fail | ||
| rule: check-namespace-labels | ||
| result: fail |
6 changes: 6 additions & 0 deletions
6
psa/add-psa-namespace-reporting/.kyverno-test/namespace-with-psa-labels.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| apiVersion: v1 | ||
| kind: Namespace | ||
| metadata: | ||
| name: test | ||
| labels: | ||
| pod-security.kubernetes.io/enforce: "privileged" |
4 changes: 4 additions & 0 deletions
4
psa/add-psa-namespace-reporting/.kyverno-test/namespace-without-psa-labels.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| apiVersion: v1 | ||
| kind: Namespace | ||
| metadata: | ||
| name: test-fail |
39 changes: 39 additions & 0 deletions
39
psa/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| metadata: | ||
| name: add-psa-namespace-reporting | ||
| annotations: | ||
| policies.kyverno.io/title: Add PSA Namespace Reporting | ||
| policies.kyverno.io/category: Pod Security Admission, EKS Best Practices | ||
| policies.kyverno.io/severity: medium | ||
| kyverno.io/kyverno-version: 1.7.1 | ||
| policies.kyverno.io/minversion: 1.6.0 | ||
| kyverno.io/kubernetes-version: "1.24" | ||
| policies.kyverno.io/subject: Namespace | ||
| policies.kyverno.io/description: >- | ||
| This policy is valuable as it ensures that all namespaces within a Kubernetes | ||
| cluster are labeled with Pod Security Admission (PSA) labels, which are crucial | ||
| for defining security levels and ensuring that pods within a namespace operate | ||
| under the defined Pod Security Standard (PSS). By enforcing namespace labeling, | ||
| This policy audits namespaces to verify the presence of PSA labels. | ||
| If a namespace is found without the required labels, it generates and maintain | ||
| and ClusterPolicy Report in default namespace. | ||
| This helps administrators identify namespaces that do not comply with the | ||
| organization's security practices and take appropriate action to rectify the | ||
| situation. | ||
| spec: | ||
| validationFailureAction: audit | ||
| background: true | ||
| rules: | ||
| - name: check-namespace-labels | ||
| match: | ||
| any: | ||
| - resources: | ||
| kinds: | ||
| - Namespace | ||
| validate: | ||
| message: This Namespace is missing a PSA label. | ||
| pattern: | ||
| metadata: | ||
| labels: | ||
| pod-security.kubernetes.io/*: "?*" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| name: add-psa-namespace-reporting | ||
| version: 1.0.0 | ||
| displayName: Add PSA Namespace Reporting | ||
| createdAt: "2024-01-04T16:10:04.000Z" | ||
| description: >- | ||
| This policy is valuable as it ensures that all namespaces within a Kubernetes cluster are labeled with Pod Security Admission (PSA) labels, which are crucial for defining security levels and ensuring that pods within a namespace operate under the defined Pod Security Standard (PSS). By enforcing namespace labeling, This policy audits namespaces to verify the presence of PSA labels. If a namespace is found without the required labels, it generates and maintain and ClusterPolicy Report in default namespace. This helps administrators identify namespaces that do not comply with the organization's security practices and take appropriate action to rectify the situation. | ||
| install: |- | ||
| ```shell | ||
| kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/psa/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml | ||
| ``` | ||
| keywords: | ||
| - kyverno | ||
| - Pod Security Admission | ||
| - EKS Best Practices | ||
| readme: | | ||
| This policy is valuable as it ensures that all namespaces within a Kubernetes cluster are labeled with Pod Security Admission (PSA) labels, which are crucial for defining security levels and ensuring that pods within a namespace operate under the defined Pod Security Standard (PSS). By enforcing namespace labeling, This policy audits namespaces to verify the presence of PSA labels. If a namespace is found without the required labels, it generates and maintain and ClusterPolicy Report in default namespace. This helps administrators identify namespaces that do not comply with the organization's security practices and take appropriate action to rectify the situation. | ||
| Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ | ||
| annotations: | ||
| kyverno/category: "Pod Security Admission, EKS Best Practices" | ||
| kyverno/kubernetesVersion: "1.24" | ||
| kyverno/subject: "Namespace" | ||
| digest: 9f900e576158a5cff2e07404794add182859bfc6d881682af3490381abe6b434 |