feat: add pod security standards (baseline) in CEL expressions - Part…

… 1 (#772)

* feat: add pod security standards (baseline) in CEL expressions

Signed-off-by: Mariam Fahmy <[email protected]>

* chore: add the new CEL policies directory to the CI

Signed-off-by: Mariam Fahmy <[email protected]>

* feat: add kuttl tests

Signed-off-by: Mariam Fahmy <[email protected]>

* fix: re-use the resource.yaml from the existing pod security standard policies

Signed-off-by: Mariam Fahmy <[email protected]>

* fix: re-use kuttl resources from the existing pod security standard policies

Signed-off-by: Mariam Fahmy <[email protected]>

* fix: modify resource paths

Signed-off-by: Mariam Fahmy <[email protected]>

* fix: use Audit instead of audit and fix annotations

Signed-off-by: Mariam Fahmy <[email protected]>

* fix: use cel.expression.message instead of validate.message

Signed-off-by: Mariam Fahmy <[email protected]>

---------

Signed-off-by: Mariam Fahmy <[email protected]>

.github/workflows/test.yml

@@ -52,6 +52,7 @@ jobs:
           - other/res
           - other/s-z
           - pod-security
+          - pod-security-cel
           - psa
           - psp-migration
           # - tekton

pod-security-cel/baseline/disallow-capabilities/01-assert.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-capabilities
+status:
+  ready: true

pod-security-cel/baseline/disallow-capabilities/01-enforce.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+    sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-capabilities.yaml | kubectl create -f - 

pod-security-cel/baseline/disallow-capabilities/02-manifests.yaml

@@ -0,0 +1,11 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: ../../../pod-security/baseline/disallow-capabilities/pod-good.yaml
+  shouldFail: false
+- file: ../../../pod-security/baseline/disallow-capabilities/pod-bad.yaml
+  shouldFail: true
+- file: ../../../pod-security/baseline/disallow-capabilities/podcontroller-good.yaml
+  shouldFail: false
+- file: ../../../pod-security/baseline/disallow-capabilities/podcontroller-bad.yaml
+  shouldFail: true

pod-security-cel/baseline/disallow-capabilities/99-delete.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: kyverno.io/v1
+  kind: ClusterPolicy
+  name: disallow-capabilities

pod-security-cel/baseline/disallow-capabilities/artifacthub-pkg.yml

@@ -0,0 +1,22 @@
+name: disallow-capabilities
+version: 1.0.0
+displayName: Disallow Capabilities in CEL expressions
+description: >-
+  Adding capabilities beyond those listed in the policy must be disallowed.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml
+  ```
+keywords:
+  - kyverno
+  - Pod Security Standards (Baseline)
+  - CEL Expressions
+readme: |
+  Adding capabilities beyond those listed in the policy must be disallowed.
+  
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Pod Security Standards (Baseline) in CEL"
+  kyverno/kubernetesVersion: "1.22-1.23"
+  kyverno/subject: "Pod"
+digest: 6a0ace9b1f5b3f25b34117db4936ba32c4fcbbdfe3d0dba9e61b6152dede3a53

pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml

@@ -0,0 +1,61 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-capabilities
+  annotations:
+    policies.kyverno.io/title: Disallow Capabilities in CEL expressions
+    policies.kyverno.io/category: Pod Security Standards (Baseline) in CEL
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kubernetes-version: "1.26-1.27"
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      Adding capabilities beyond those listed in the policy must be disallowed.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+    - name: adding-capabilities
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      validate:
+        cel:
+          expressions:
+            - expression: >-
+                object.spec.containers.all(container,
+                !has(container.securityContext) ||
+                !has(container.securityContext.capabilities) ||
+                !has(container.securityContext.capabilities.add) ||
+                container.securityContext.capabilities.add.all(capability,
+                ['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability)))
+              message: >-
+                Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
+                FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
+                are disallowed.
+    
+            - expression: >-
+                !has(object.spec.initContainers) || 
+                object.spec.initContainers.all(container, !has(container.securityContext) || 
+                !has(container.securityContext.capabilities) || 
+                !has(container.securityContext.capabilities.add) || 
+                container.securityContext.capabilities.add.all(capability, 
+                ['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability)))
+              message: >-
+                Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
+                FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
+                are disallowed.
+              
+            - expression: >- 
+                !has(object.spec.ephemeralContainers) ||
+                object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
+                !has(container.securityContext.capabilities) ||
+                !has(container.securityContext.capabilities.add) ||
+                container.securityContext.capabilities.add.all(capability,
+                ['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability)))
+              message: >-
+                Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
+                FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
+                are disallowed.

pod-security-cel/baseline/disallow-capabilities/kyverno-test.yaml

@@ -0,0 +1,75 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: disallow-capabilities
+policies:
+- disallow-capabilities.yaml
+resources:
+- ../../../pod-security/baseline/disallow-capabilities/resource.yaml
+results:
+- kind: CronJob
+  policy: disallow-capabilities
+  resources:
+  - badcronjob01
+  - badcronjob02
+  - badcronjob03
+  - badcronjob04
+  - badcronjob05
+  - badcronjob06
+  result: fail
+  rule: adding-capabilities
+- kind: Deployment
+  policy: disallow-capabilities
+  resources:
+  - baddeployment01
+  - baddeployment02
+  - baddeployment03
+  - baddeployment04
+  - baddeployment05
+  - baddeployment06
+  result: fail
+  rule: adding-capabilities
+- kind: Pod
+  policy: disallow-capabilities
+  resources:
+  - badpod01
+  - badpod02
+  - badpod03
+  - badpod04
+  - badpod05
+  - badpod06
+  result: fail
+  rule: adding-capabilities
+- kind: CronJob
+  policy: disallow-capabilities
+  resources:
+  - goodcronjob01
+  - goodcronjob02
+  - goodcronjob03
+  - goodcronjob04
+  - goodcronjob05
+  - goodcronjob06
+  result: pass
+  rule: adding-capabilities
+- kind: Deployment
+  policy: disallow-capabilities
+  resources:
+  - gooddeployment01
+  - gooddeployment02
+  - gooddeployment03
+  - gooddeployment04
+  - gooddeployment05
+  - gooddeployment06
+  result: pass
+  rule: adding-capabilities
+- kind: Pod
+  policy: disallow-capabilities
+  resources:
+  - goodpod01
+  - goodpod02
+  - goodpod03
+  - goodpod04
+  - goodpod05
+  - goodpod06
+  result: pass
+  rule: adding-capabilities

pod-security-cel/baseline/disallow-host-namespaces/01-assert.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-host-namespaces
+status:
+  ready: true

pod-security-cel/baseline/disallow-host-namespaces/01-enforce.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+    sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-host-namespaces.yaml | kubectl create -f - 

pod-security-cel/baseline/disallow-host-namespaces/02-manifests.yaml

@@ -0,0 +1,11 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: ../../../pod-security/baseline/disallow-host-namespaces/pod-good.yaml
+  shouldFail: false
+- file: ../../../pod-security/baseline/disallow-host-namespaces/pod-bad.yaml
+  shouldFail: true
+- file: ../../../pod-security/baseline/disallow-host-namespaces/podcontroller-good.yaml
+  shouldFail: false
+- file: ../../../pod-security/baseline/disallow-host-namespaces/podcontroller-bad.yaml
+  shouldFail: true

pod-security-cel/baseline/disallow-host-namespaces/99-delete.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: kyverno.io/v1
+  kind: ClusterPolicy
+  name: disallow-host-namespaces

pod-security-cel/baseline/disallow-host-namespaces/artifacthub-pkg.yml

@@ -0,0 +1,22 @@
+name: disallow-host-namespaces
+version: 1.0.0
+displayName: Disallow Host Namespaces in CEL expressions
+description: >-
+  Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are unset or set to `false`.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml
+  ```
+keywords:
+  - kyverno
+  - Pod Security Standards (Baseline)
+  - CEL Expressions
+readme: |
+  Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are unset or set to `false`.
+  
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Pod Security Standards (Baseline) in CEL"
+  kyverno/kubernetesVersion: "1.22-1.23"
+  kyverno/subject: "Pod"
+digest: 82a3924f4d25ed9bfc8e49395c7b0e8922f5ad0573830747dd3cf96dfb93ad7a

pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml

@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-host-namespaces
+  annotations:
+    policies.kyverno.io/title: Disallow Host Namespaces in CEL expressions
+    policies.kyverno.io/category: Pod Security Standards (Baseline) in CEL
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kubernetes-version: "1.26-1.27"
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
+      network namespace) allow access to shared information and can be used to elevate
+      privileges. Pods should not be allowed access to host namespaces. This policy ensures
+      fields which make use of these host namespaces are unset or set to `false`.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+    - name: host-namespaces
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      validate:
+        cel:
+          expressions:
+            - expression: >-
+                (!has(object.spec.hostNetwork) || object.spec.hostNetwork == false) &&
+                (!has(object.spec.hostIPC) || object.spec.hostIPC == false) &&
+                (!has(object.spec.hostPID) || object.spec.hostPID == false)
+              message: >-
+                Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
+                spec.hostIPC, and spec.hostPID must be unset or set to `false`.

pod-security-cel/baseline/disallow-host-namespaces/kyverno-test.yaml

@@ -0,0 +1,66 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: disallow-host-namespaces
+policies:
+- disallow-host-namespaces.yaml
+resources:
+- ../../../pod-security/baseline/disallow-host-namespaces/resource.yaml
+results:
+- kind: CronJob
+  policy: disallow-host-namespaces
+  resources:
+  - badcronjob01
+  - badcronjob02
+  - badcronjob03
+  - badcronjob04
+  result: fail
+  rule: host-namespaces
+- kind: Deployment
+  policy: disallow-host-namespaces
+  resources:
+  - baddeployment01
+  - baddeployment02
+  - baddeployment03
+  - baddeployment04
+  result: fail
+  rule: host-namespaces
+- kind: Pod
+  policy: disallow-host-namespaces
+  resources:
+  - badpod01
+  - badpod02
+  - badpod03
+  - badpod04
+  result: fail
+  rule: host-namespaces
+- kind: CronJob
+  policy: disallow-host-namespaces
+  resources:
+  - goodcronjob01
+  - goodcronjob02
+  - goodcronjob03
+  - goodcronjob04
+  - goodcronjob05
+  result: pass
+  rule: host-namespaces
+- kind: Deployment
+  policy: disallow-host-namespaces
+  resources:
+  - gooddeployment01
+  - gooddeployment02
+  - gooddeployment03
+  - gooddeployment04
+  - gooddeployment05
+  result: pass
+  rule: host-namespaces
+- kind: Pod
+  policy: disallow-host-namespaces
+  resources:
+  - goodpod01
+  - goodpod02
+  - goodpod03
+  - goodpod04
+  - goodpod05
+  result: pass
+  rule: host-namespaces

pod-security-cel/baseline/disallow-host-path/01-assert.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-host-path
+status:
+  ready: true

pod-security-cel/baseline/disallow-host-path/01-enforce.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+    sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-host-path.yaml | kubectl create -f - 

pod-security-cel/baseline/disallow-host-path/02-manifests.yaml

@@ -0,0 +1,11 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: ../../../pod-security/baseline/disallow-host-path/pod-good.yaml
+  shouldFail: false
+- file: ../../../pod-security/baseline/disallow-host-path/pod-bad.yaml
+  shouldFail: true
+- file: ../../../pod-security/baseline/disallow-host-path/podcontroller-good.yaml
+  shouldFail: false
+- file: ../../../pod-security/baseline/disallow-host-path/podcontroller-bad.yaml
+  shouldFail: true

pod-security-cel/baseline/disallow-host-path/99-delete.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: kyverno.io/v1
+  kind: ClusterPolicy
+  name: disallow-host-path