diff --git a/psa/add-psa-namespace-reporting/.chainsaw-test/chainsaw-test.yaml b/psa/add-psa-namespace-reporting/.chainsaw-test/chainsaw-test.yaml
new file mode 100644
index 000000000..7d09b0d11
--- /dev/null
+++ b/psa/add-psa-namespace-reporting/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,32 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: add-psa-namespace-reporting
+spec:
+ steps:
+ - name: apply-policy
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../add-psa-namespace-reporting.yaml | kubectl create -f -
+ - assert:
+ file: policy-ready.yaml
+ - name: apply-policy-test
+ try:
+ - apply:
+ file: namespace-with-psa-labels.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: namespace-without-psa-labels.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: add-psa-namespace-reporting
+
+
diff --git a/psa/add-psa-namespace-reporting/.chainsaw-test/namespace-with-psa-labels.yaml b/psa/add-psa-namespace-reporting/.chainsaw-test/namespace-with-psa-labels.yaml
new file mode 100644
index 000000000..e94a09e9a
--- /dev/null
+++ b/psa/add-psa-namespace-reporting/.chainsaw-test/namespace-with-psa-labels.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test
+ labels:
+ pod-security.kubernetes.io/enforce: "privileged"
\ No newline at end of file
diff --git a/psa/add-psa-namespace-reporting/.chainsaw-test/namespace-without-psa-labels.yaml b/psa/add-psa-namespace-reporting/.chainsaw-test/namespace-without-psa-labels.yaml
new file mode 100644
index 000000000..7956df12c
--- /dev/null
+++ b/psa/add-psa-namespace-reporting/.chainsaw-test/namespace-without-psa-labels.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-fail
\ No newline at end of file
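Review bot: The `apply-policy` step rewrites `validationFailureAction: audit` to `Enforce` before creating the policy, so the chainsaw test exercises admission rejection of the unlabeled namespace rather than the audit-plus-background report generation the policy ships with and its title describes; nothing asserts that a report entry appears for `test-fail`. Consider adding a step that asserts on the generated report for the shipped audit configuration, or naming the step to make clear it verifies only the rule logic under enforce. The `creationTimestamp: null` under `metadata` is a scaffolding artifact that can be dropped.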
diff --git a/psa/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml b/psa/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml
new file mode 100644
index 000000000..cfb6ab67a
--- /dev/null
+++ b/psa/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: add-psa-namespace-reporting
+status:
+ ready: true
+
+
+
diff --git a/psa/add-psa-namespace-reporting/.kyverno-test/kyverno-test.yaml b/psa/add-psa-namespace-reporting/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..513ac0fe8
--- /dev/null
+++ b/psa/add-psa-namespace-reporting/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,22 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: add-psa-namespace-reporting-tests
+policies:
+- ../add-psa-namespace-reporting.yaml
+resources:
+- namespace-with-psa-labels.yaml
+- namespace-without-psa-labels.yaml
+results:
+ - kind: Namespace
+ policy: add-psa-namespace-reporting
+ resources:
+ - test
+ rule: check-namespace-labels
+ result: pass
+ - kind: Namespace
+ policy: add-psa-namespace-reporting
+ resources:
+ - test-fail
+ rule: check-namespace-labels
+ result: fail
\ No newline at end of file
diff --git a/psa/add-psa-namespace-reporting/.kyverno-test/namespace-with-psa-labels.yaml b/psa/add-psa-namespace-reporting/.kyverno-test/namespace-with-psa-labels.yaml
new file mode 100644
index 000000000..e94a09e9a
--- /dev/null
+++ b/psa/add-psa-namespace-reporting/.kyverno-test/namespace-with-psa-labels.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test
+ labels:
+ pod-security.kubernetes.io/enforce: "privileged"
\ No newline at end of file
diff --git a/psa/add-psa-namespace-reporting/.kyverno-test/namespace-without-psa-labels.yaml b/psa/add-psa-namespace-reporting/.kyverno-test/namespace-without-psa-labels.yaml
new file mode 100644
index 000000000..7956df12c
--- /dev/null
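Review bot: Sequence indentation is mixed in `kyverno-test.yaml`: the `policies:` and `resources:` lists use flush items (`- ../add-psa-namespace-reporting.yaml`) while the `results:` list indents its items; pick one style for the file. Both forms parse identically, so this is readability and diff hygiene only. The fixture files are duplicated verbatim between `.chainsaw-test/` and `.kyverno-test/`, which is fine if that is the repository convention, but a change to one must then be mirrored in the other.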
+++ b/psa/add-psa-namespace-reporting/.kyverno-test/namespace-without-psa-labels.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-fail
\ No newline at end of file
diff --git a/psa/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml b/psa/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml
new file mode 100644
index 000000000..15b830f10
--- /dev/null
+++ b/psa/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml
@@ -0,0 +1,39 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: add-psa-namespace-reporting
+ annotations:
+ policies.kyverno.io/title: Add PSA Namespace Reporting
+ policies.kyverno.io/category: Pod Security Admission, EKS Best Practices
+ policies.kyverno.io/severity: medium
+ kyverno.io/kyverno-version: 1.7.1
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kubernetes-version: "1.24"
+ policies.kyverno.io/subject: Namespace
+ policies.kyverno.io/description: >-
+ This policy is valuable as it ensures that all namespaces within a Kubernetes
+ cluster are labeled with Pod Security Admission (PSA) labels, which are crucial
+ for defining security levels and ensuring that pods within a namespace operate
+ under the defined Pod Security Standard (PSS). By enforcing namespace labeling,
+ This policy audits namespaces to verify the presence of PSA labels.
+ If a namespace is found without the required labels, it generates and maintain
+ and ClusterPolicy Report in default namespace.
+ This helps administrators identify namespaces that do not comply with the
+ organization's security practices and take appropriate action to rectify the
+ situation.
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: check-namespace-labels
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ validate:
+ message: This Namespace is missing a PSA label.
+ pattern:
+ metadata:
+ labels:
+ pod-security.kubernetes.io/*: "?*"
\ No newline at end of file
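Review bot: The pattern `pod-security.kubernetes.io/*: "?*"` is satisfied by any label with that prefix and any non-empty value, so a namespace carrying only `pod-security.kubernetes.io/warn`, or `pod-security.kubernetes.io/enforce: privileged` as in the positive fixture `namespace-with-psa-labels.yaml` in both test directories, passes; the rule therefore reports only the complete absence of PSA labels, not a missing or permissive enforce level. If the intent is that every namespace declares an enforced level, use `pod-security.kubernetes.io/enforce: "?*"` as the pattern key and adjust `message` accordingly; otherwise state in the description that any PSA mode label satisfies the check. The description also carries a dangling clause (`By enforcing namespace labeling, This policy audits ...`) and `generates and maintain and ClusterPolicy Report in default namespace` should read `generates and maintains a ClusterPolicyReport`; a ClusterPolicyReport is cluster-scoped, so `in default namespace` looks inaccurate — confirm against the Kyverno version targeted by `kyverno-version`. The same text is mirrored in `artifacthub-pkg.yml`, whose `digest` must be regenerated after any change here.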
diff --git a/psa/add-psa-namespace-reporting/artifacthub-pkg.yml b/psa/add-psa-namespace-reporting/artifacthub-pkg.yml
new file mode 100644
index 000000000..00f936a11
--- /dev/null
+++ b/psa/add-psa-namespace-reporting/artifacthub-pkg.yml
@@ -0,0 +1,23 @@
+name: add-psa-namespace-reporting
+version: 1.0.0
+displayName: Add PSA Namespace Reporting
+createdAt: "2024-01-04T16:10:04.000Z"
+description: >-
+ This policy is valuable as it ensures that all namespaces within a Kubernetes cluster are labeled with Pod Security Admission (PSA) labels, which are crucial for defining security levels and ensuring that pods within a namespace operate under the defined Pod Security Standard (PSS). By enforcing namespace labeling, This policy audits namespaces to verify the presence of PSA labels. If a namespace is found without the required labels, it generates and maintain and ClusterPolicy Report in default namespace. This helps administrators identify namespaces that do not comply with the organization's security practices and take appropriate action to rectify the situation.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/psa/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml
+ ```
+keywords:
+ - kyverno
+ - Pod Security Admission
+ - EKS Best Practices
+readme: |
+ This policy is valuable as it ensures that all namespaces within a Kubernetes cluster are labeled with Pod Security Admission (PSA) labels, which are crucial for defining security levels and ensuring that pods within a namespace operate under the defined Pod Security Standard (PSS). By enforcing namespace labeling, This policy audits namespaces to verify the presence of PSA labels. If a namespace is found without the required labels, it generates and maintain and ClusterPolicy Report in default namespace. This helps administrators identify namespaces that do not comply with the organization's security practices and take appropriate action to rectify the situation.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Pod Security Admission, EKS Best Practices"
+ kyverno/kubernetesVersion: "1.24"
+ kyverno/subject: "Namespace"
+digest: 9f900e576158a5cff2e07404794add182859bfc6d881682af3490381abe6b434