diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 231921cb5..0222444e2 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -52,6 +52,7 @@ jobs: - other/res - other/s-z - pod-security + - pod-security-cel - psa - psp-migration # - tekton diff --git a/pod-security-cel/baseline/disallow-capabilities/01-assert.yaml b/pod-security-cel/baseline/disallow-capabilities/01-assert.yaml new file mode 100644 index 000000000..5c1ca4056 --- /dev/null +++ b/pod-security-cel/baseline/disallow-capabilities/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-capabilities +status: + ready: true diff --git a/pod-security-cel/baseline/disallow-capabilities/01-enforce.yaml b/pod-security-cel/baseline/disallow-capabilities/01-enforce.yaml new file mode 100644 index 000000000..f51ea9025 --- /dev/null +++ b/pod-security-cel/baseline/disallow-capabilities/01-enforce.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-capabilities.yaml | kubectl create -f - diff --git a/pod-security-cel/baseline/disallow-capabilities/02-manifests.yaml b/pod-security-cel/baseline/disallow-capabilities/02-manifests.yaml new file mode 100644 index 000000000..c9967624c --- /dev/null +++ b/pod-security-cel/baseline/disallow-capabilities/02-manifests.yaml @@ -0,0 +1,11 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: ../../../pod-security/baseline/disallow-capabilities/pod-good.yaml + shouldFail: false +- file: ../../../pod-security/baseline/disallow-capabilities/pod-bad.yaml + shouldFail: true +- file: ../../../pod-security/baseline/disallow-capabilities/podcontroller-good.yaml + shouldFail: false +- file: ../../../pod-security/baseline/disallow-capabilities/podcontroller-bad.yaml + shouldFail: true 
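Review bot: The kuttl assert in `01-assert.yaml` only checks `status.ready: true`, so if the `sed` rewrite in `01-enforce.yaml` stops matching (it depends on the literal line `validationFailureAction: Audit` being present in the policy file) the step installs an Audit-mode policy and the test only fails later, at the `shouldFail: true` applies in `02-manifests.yaml`, with a less direct error. Since kuttl asserts match only the fields listed, adding `spec:` / `  validationFailureAction: Enforce` to the assert pins the intended mode and fails fast at the step that went wrong. The same applies to the 01-assert.yaml files for disallow-host-namespaces, disallow-host-path, disallow-host-ports-range and disallow-host-ports in this change.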
diff --git a/pod-security-cel/baseline/disallow-capabilities/99-delete.yaml b/pod-security-cel/baseline/disallow-capabilities/99-delete.yaml new file mode 100644 index 000000000..4dc5ad316 --- /dev/null +++ b/pod-security-cel/baseline/disallow-capabilities/99-delete.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +delete: +- apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-capabilities diff --git a/pod-security-cel/baseline/disallow-capabilities/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-capabilities/artifacthub-pkg.yml new file mode 100644 index 000000000..7c0d1b0eb --- /dev/null +++ b/pod-security-cel/baseline/disallow-capabilities/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +name: disallow-capabilities +version: 1.0.0 +displayName: Disallow Capabilities in CEL expressions +description: >- + Adding capabilities beyond those listed in the policy must be disallowed. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml + ``` +keywords: + - kyverno + - Pod Security Standards (Baseline) + - CEL Expressions +readme: | + Adding capabilities beyond those listed in the policy must be disallowed. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Pod Security Standards (Baseline) in CEL" + kyverno/kubernetesVersion: "1.22-1.23" + kyverno/subject: "Pod" +digest: 6a0ace9b1f5b3f25b34117db4936ba32c4fcbbdfe3d0dba9e61b6152dede3a53 diff --git a/pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml b/pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml new file mode 100644 index 000000000..fc2a7e7e9 --- /dev/null +++ b/pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml 
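Review bot: `kyverno/kubernetesVersion: "1.22-1.23"` in artifacthub-pkg.yml disagrees with `kyverno.io/kubernetes-version: "1.26-1.27"` in the policy it packages (disallow-capabilities.yaml, next hunk); one of the two should be corrected so the Artifact Hub listing reflects the Kubernetes range the policy was actually written for. The same mismatch is present in the artifacthub-pkg.yml of disallow-host-namespaces, disallow-host-path, disallow-host-ports-range and disallow-host-ports. If the `digest` field is derived from the package file contents, it will need regenerating after the fix.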
@@ -0,0 +1,61 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-capabilities + annotations: + policies.kyverno.io/title: Disallow Capabilities in CEL expressions + policies.kyverno.io/category: Pod Security Standards (Baseline) in CEL + policies.kyverno.io/severity: medium + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" + policies.kyverno.io/subject: Pod + policies.kyverno.io/description: >- + Adding capabilities beyond those listed in the policy must be disallowed. +spec: + validationFailureAction: Audit + background: true + rules: + - name: adding-capabilities + match: + any: + - resources: + kinds: + - Pod + validate: + cel: + expressions: + - expression: >- + object.spec.containers.all(container, + !has(container.securityContext) || + !has(container.securityContext.capabilities) || + !has(container.securityContext.capabilities.add) || + container.securityContext.capabilities.add.all(capability, + ['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability))) + message: >- + Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, + FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) + are disallowed. 
+ + - expression: >- + !has(object.spec.initContainers) || + object.spec.initContainers.all(container, !has(container.securityContext) || + !has(container.securityContext.capabilities) || + !has(container.securityContext.capabilities.add) || + container.securityContext.capabilities.add.all(capability, + ['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability))) + message: >- + Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, + FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) + are disallowed. + + - expression: >- + !has(object.spec.ephemeralContainers) || + object.spec.ephemeralContainers.all(container, !has(container.securityContext) || + !has(container.securityContext.capabilities) || + !has(container.securityContext.capabilities.add) || + container.securityContext.capabilities.add.all(capability, + ['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability))) + message: >- + Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, + FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) + are disallowed. diff --git a/pod-security-cel/baseline/disallow-capabilities/kyverno-test.yaml b/pod-security-cel/baseline/disallow-capabilities/kyverno-test.yaml new file mode 100644 index 000000000..260055315 --- /dev/null +++ b/pod-security-cel/baseline/disallow-capabilities/kyverno-test.yaml 
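Review bot: Each of the three expressions inlines the same 13-element allow-list and tests membership with `[...].exists(secureCapability, secureCapability == capability)`; CEL's `in` operator expresses this directly, e.g. `container.securityContext.capabilities.add.all(capability, capability in ['AUDIT_WRITE', 'CHOWN', ...])`, which shortens each expression and drops the nested lambda. If the Kyverno release implied by `policies.kyverno.io/minversion: 1.11.0` supports CEL `variables` under `validate.cel`, the list could be declared once and referenced from all three expressions so the allow-list cannot drift between the containers, initContainers and ephemeralContainers checks. The `message` text repeats the same list a fourth time and would also need updating if the allow-list ever changes.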
@@ -0,0 +1,75 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-capabilities +policies: +- disallow-capabilities.yaml +resources: +- ../../../pod-security/baseline/disallow-capabilities/resource.yaml +results: +- kind: CronJob + policy: disallow-capabilities + resources: + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 + result: fail + rule: adding-capabilities +- kind: Deployment + policy: disallow-capabilities + resources: + - baddeployment01 + - baddeployment02 + - baddeployment03 + - baddeployment04 + - baddeployment05 + - baddeployment06 + result: fail + rule: adding-capabilities +- kind: Pod + policy: disallow-capabilities + resources: + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 + result: fail + rule: adding-capabilities +- kind: CronJob + policy: disallow-capabilities + resources: + - goodcronjob01 + - goodcronjob02 + - goodcronjob03 + - goodcronjob04 + - goodcronjob05 + - goodcronjob06 + result: pass + rule: adding-capabilities +- kind: Deployment + policy: disallow-capabilities + resources: + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 + result: pass + rule: adding-capabilities +- kind: Pod + policy: disallow-capabilities + resources: + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + - goodpod06 + result: pass + rule: adding-capabilities diff --git a/pod-security-cel/baseline/disallow-host-namespaces/01-assert.yaml b/pod-security-cel/baseline/disallow-host-namespaces/01-assert.yaml new file mode 100644 index 000000000..728930b26 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-namespaces/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-namespaces +status: + ready: true 
diff --git a/pod-security-cel/baseline/disallow-host-namespaces/01-enforce.yaml b/pod-security-cel/baseline/disallow-host-namespaces/01-enforce.yaml new file mode 100644 index 000000000..e3f57aa1c --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-namespaces/01-enforce.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-host-namespaces.yaml | kubectl create -f - diff --git a/pod-security-cel/baseline/disallow-host-namespaces/02-manifests.yaml b/pod-security-cel/baseline/disallow-host-namespaces/02-manifests.yaml new file mode 100644 index 000000000..77a7de379 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-namespaces/02-manifests.yaml @@ -0,0 +1,11 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: ../../../pod-security/baseline/disallow-host-namespaces/pod-good.yaml + shouldFail: false +- file: ../../../pod-security/baseline/disallow-host-namespaces/pod-bad.yaml + shouldFail: true +- file: ../../../pod-security/baseline/disallow-host-namespaces/podcontroller-good.yaml + shouldFail: false +- file: ../../../pod-security/baseline/disallow-host-namespaces/podcontroller-bad.yaml + shouldFail: true diff --git a/pod-security-cel/baseline/disallow-host-namespaces/99-delete.yaml b/pod-security-cel/baseline/disallow-host-namespaces/99-delete.yaml new file mode 100644 index 000000000..f577764c7 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-namespaces/99-delete.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +delete: +- apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-namespaces diff --git a/pod-security-cel/baseline/disallow-host-namespaces/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-namespaces/artifacthub-pkg.yml new file mode 100644 index 000000000..22f9314e1 --- /dev/null 
+++ b/pod-security-cel/baseline/disallow-host-namespaces/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +name: disallow-host-namespaces +version: 1.0.0 +displayName: Disallow Host Namespaces in CEL expressions +description: >- + Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are unset or set to `false`. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml + ``` +keywords: + - kyverno + - Pod Security Standards (Baseline) + - CEL Expressions +readme: | + Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are unset or set to `false`. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Pod Security Standards (Baseline) in CEL" + kyverno/kubernetesVersion: "1.22-1.23" + kyverno/subject: "Pod" +digest: 82a3924f4d25ed9bfc8e49395c7b0e8922f5ad0573830747dd3cf96dfb93ad7a diff --git a/pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml b/pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml new file mode 100644 index 000000000..99f7f13d4 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml 
@@ -0,0 +1,36 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-namespaces + annotations: + policies.kyverno.io/title: Disallow Host Namespaces in CEL expressions + policies.kyverno.io/category: Pod Security Standards (Baseline) in CEL + policies.kyverno.io/severity: medium + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" + policies.kyverno.io/subject: Pod + policies.kyverno.io/description: >- + Host namespaces (Process ID namespace, Inter-Process Communication namespace, and + network namespace) allow access to shared information and can be used to elevate + privileges. Pods should not be allowed access to host namespaces. This policy ensures + fields which make use of these host namespaces are unset or set to `false`. +spec: + validationFailureAction: Audit + background: true + rules: + - name: host-namespaces + match: + any: + - resources: + kinds: + - Pod + validate: + cel: + expressions: + - expression: >- + (!has(object.spec.hostNetwork) || object.spec.hostNetwork == false) && + (!has(object.spec.hostIPC) || object.spec.hostIPC == false) && + (!has(object.spec.hostPID) || object.spec.hostPID == false) + message: >- + Sharing the host namespaces is disallowed. The fields spec.hostNetwork, + spec.hostIPC, and spec.hostPID must be unset or set to `false`. diff --git a/pod-security-cel/baseline/disallow-host-namespaces/kyverno-test.yaml b/pod-security-cel/baseline/disallow-host-namespaces/kyverno-test.yaml new file mode 100644 index 000000000..70b051ed8 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-namespaces/kyverno-test.yaml 
@@ -0,0 +1,66 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-host-namespaces +policies: +- disallow-host-namespaces.yaml +resources: +- ../../../pod-security/baseline/disallow-host-namespaces/resource.yaml +results: +- kind: CronJob + policy: disallow-host-namespaces + resources: + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + result: fail + rule: host-namespaces +- kind: Deployment + policy: disallow-host-namespaces + resources: + - baddeployment01 + - baddeployment02 + - baddeployment03 + - baddeployment04 + result: fail + rule: host-namespaces +- kind: Pod + policy: disallow-host-namespaces + resources: + - badpod01 + - badpod02 + - badpod03 + - badpod04 + result: fail + rule: host-namespaces +- kind: CronJob + policy: disallow-host-namespaces + resources: + - goodcronjob01 + - goodcronjob02 + - goodcronjob03 + - goodcronjob04 + - goodcronjob05 + result: pass + rule: host-namespaces +- kind: Deployment + policy: disallow-host-namespaces + resources: + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + result: pass + rule: host-namespaces +- kind: Pod + policy: disallow-host-namespaces + resources: + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + result: pass + rule: host-namespaces diff --git a/pod-security-cel/baseline/disallow-host-path/01-assert.yaml b/pod-security-cel/baseline/disallow-host-path/01-assert.yaml new file mode 100644 index 000000000..5bc41e9b1 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-path/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path +status: + ready: true diff --git a/pod-security-cel/baseline/disallow-host-path/01-enforce.yaml b/pod-security-cel/baseline/disallow-host-path/01-enforce.yaml new file mode 100644 index 000000000..d1affbcc6 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-path/01-enforce.yaml 
@@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-host-path.yaml | kubectl create -f - diff --git a/pod-security-cel/baseline/disallow-host-path/02-manifests.yaml b/pod-security-cel/baseline/disallow-host-path/02-manifests.yaml new file mode 100644 index 000000000..a87b79caa --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-path/02-manifests.yaml @@ -0,0 +1,11 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: ../../../pod-security/baseline/disallow-host-path/pod-good.yaml + shouldFail: false +- file: ../../../pod-security/baseline/disallow-host-path/pod-bad.yaml + shouldFail: true +- file: ../../../pod-security/baseline/disallow-host-path/podcontroller-good.yaml + shouldFail: false +- file: ../../../pod-security/baseline/disallow-host-path/podcontroller-bad.yaml + shouldFail: true diff --git a/pod-security-cel/baseline/disallow-host-path/99-delete.yaml b/pod-security-cel/baseline/disallow-host-path/99-delete.yaml new file mode 100644 index 000000000..35071a4d8 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-path/99-delete.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +delete: +- apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-path diff --git a/pod-security-cel/baseline/disallow-host-path/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-path/artifacthub-pkg.yml new file mode 100644 index 000000000..b29344cc3 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-path/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: disallow-host-path +version: 1.0.0 +displayName: Disallow hostPath in CEL expressions +description: >- + HostPath volumes let Pods use host directories and volumes in containers. Using host resources can be used to access shared data or escalate privileges and should not be allowed. This policy ensures no hostPath volumes are in use. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/baseline/disallow-host-path/disallow-host-path.yaml + ``` +keywords: + - kyverno + - Pod Security Standards (Baseline) + - CEL Expressions +readme: | + HostPath volumes let Pods use host directories and volumes in containers. Using host resources can be used to access shared data or escalate privileges and should not be allowed. This policy ensures no hostPath volumes are in use. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Pod Security Standards (Baseline)" + kyverno/kubernetesVersion: "1.22-1.23" + kyverno/subject: "Pod,Volume" +digest: 8f309db940eca3692840c78e2662ff0c25fa718cf0f468b58cdfd4c3d1011274 diff --git a/pod-security-cel/baseline/disallow-host-path/disallow-host-path.yaml b/pod-security-cel/baseline/disallow-host-path/disallow-host-path.yaml new file mode 100644 index 000000000..c9a2796c5 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-path/disallow-host-path.yaml 
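Review bot: `kyverno/category: "Pod Security Standards (Baseline)"` omits the `in CEL` suffix used by the other four package files in this change and by `policies.kyverno.io/category` in disallow-host-path.yaml (next hunk), so this policy would be listed under the non-CEL category on Artifact Hub; change it to `kyverno/category: "Pod Security Standards (Baseline) in CEL"`. If `digest` is derived from the package file contents, regenerate it afterwards.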
@@ -0,0 +1,30 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path + annotations: + policies.kyverno.io/title: Disallow hostPath in CEL expressions + policies.kyverno.io/category: Pod Security Standards (Baseline) in CEL + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Pod,Volume + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" + policies.kyverno.io/description: >- + HostPath volumes let Pods use host directories and volumes in containers. + Using host resources can be used to access shared data or escalate privileges + and should not be allowed. This policy ensures no hostPath volumes are in use. +spec: + validationFailureAction: Audit + background: true + rules: + - name: host-path + match: + any: + - resources: + kinds: + - Pod + validate: + cel: + expressions: + - expression: "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))" + message: "HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset" diff --git a/pod-security-cel/baseline/disallow-host-path/kyverno-test.yaml b/pod-security-cel/baseline/disallow-host-path/kyverno-test.yaml new file mode 100644 index 000000000..d89a58b21 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-path/kyverno-test.yaml 
@@ -0,0 +1,51 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-host-path +policies: +- disallow-host-path.yaml +resources: +- ../../../pod-security/baseline/disallow-host-path/resource.yaml +results: +- kind: CronJob + policy: disallow-host-path + resources: + - badcronjob01 + - badcronjob02 + result: fail + rule: host-path +- kind: Deployment + policy: disallow-host-path + resources: + - baddeployment01 + - baddeployment02 + result: fail + rule: host-path +- kind: Pod + policy: disallow-host-path + resources: + - badpod01 + - badpod02 + result: fail + rule: host-path +- kind: CronJob + policy: disallow-host-path + resources: + - goodcronjob01 + - goodcronjob02 + result: pass + rule: host-path +- kind: Deployment + policy: disallow-host-path + resources: + - gooddeployment01 + - gooddeployment02 + result: pass + rule: host-path +- kind: Pod + policy: disallow-host-path + resources: + - goodpod01 + - goodpod02 + result: pass + rule: host-path diff --git a/pod-security-cel/baseline/disallow-host-ports-range/01-assert.yaml b/pod-security-cel/baseline/disallow-host-ports-range/01-assert.yaml new file mode 100644 index 000000000..f4e6012b3 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-ports-range/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-ports-range +status: + ready: true diff --git a/pod-security-cel/baseline/disallow-host-ports-range/01-enforce.yaml b/pod-security-cel/baseline/disallow-host-ports-range/01-enforce.yaml new file mode 100644 index 000000000..6041cf0a5 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-ports-range/01-enforce.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-host-ports-range.yaml | kubectl create -f - + \ No newline at end of file 
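Review bot: disallow-host-ports-range/01-enforce.yaml ends with an extra line holding a single space and no final newline (`\ No newline at end of file`), unlike the other 01-enforce.yaml files in this change; inside the `script: |` block scalar that whitespace becomes a trailing line of the script. Drop the trailing line and end the file with a newline so the five enforce steps differ only in the policy file name.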
diff --git a/pod-security-cel/baseline/disallow-host-ports-range/02-manifests.yaml b/pod-security-cel/baseline/disallow-host-ports-range/02-manifests.yaml new file mode 100644 index 000000000..85f6ceb55 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-ports-range/02-manifests.yaml @@ -0,0 +1,11 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: ../../../pod-security/baseline/disallow-host-ports-range/pod-good.yaml + shouldFail: false +- file: ../../../pod-security/baseline/disallow-host-ports-range/pod-bad.yaml + shouldFail: true +- file: ../../../pod-security/baseline/disallow-host-ports-range/podcontroller-good.yaml + shouldFail: false +- file: ../../../pod-security/baseline/disallow-host-ports-range/podcontroller-bad.yaml + shouldFail: true diff --git a/pod-security-cel/baseline/disallow-host-ports-range/99-delete.yaml b/pod-security-cel/baseline/disallow-host-ports-range/99-delete.yaml new file mode 100644 index 000000000..f8301db4e --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-ports-range/99-delete.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +delete: +- apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-ports-range diff --git a/pod-security-cel/baseline/disallow-host-ports-range/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-ports-range/artifacthub-pkg.yml new file mode 100644 index 000000000..67fce9d95 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-ports-range/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: disallow-host-ports-range +version: 1.0.0 +displayName: Disallow hostPorts Range (Alternate) in CEL expressions +description: >- + Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. This policy ensures the `hostPort` field is set to one in the designated list. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml + ``` +keywords: + - kyverno + - Pod Security Standards (Baseline) + - CEL Expressions +readme: | + Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. This policy ensures the `hostPort` field is set to one in the designated list. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Pod Security Standards (Baseline) in CEL" + kyverno/kubernetesVersion: "1.22-1.23" + kyverno/subject: "Pod" +digest: 5162e3082e39a94078ee5137eb95c0230ab22def7332ff3cae007862f67f5eec diff --git a/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml b/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml new file mode 100644 index 000000000..b0447c1e7 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml 
@@ -0,0 +1,47 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-ports-range + annotations: + policies.kyverno.io/title: Disallow hostPorts Range (Alternate) in CEL expressions + policies.kyverno.io/category: Pod Security Standards (Baseline) in CEL + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Pod + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" + policies.kyverno.io/description: >- + Access to host ports allows potential snooping of network traffic and should not be + allowed, or at minimum restricted to a known list. This policy ensures the `hostPort` + field is set to one in the designated list. +spec: + validationFailureAction: Audit + background: true + rules: + - name: host-port-range + match: + any: + - resources: + kinds: + - Pod + validate: + cel: + expressions: + - expression: >- + object.spec.containers.all(container, !has(container.ports) || + container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000))) + message: >- + The only permitted hostPorts are in the range 5000-6000. + + - expression: >- + !has(object.spec.initContainers) || + object.spec.initContainers.all(container, !has(container.ports) || + container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000))) + message: >- + The only permitted hostPorts are in the range 5000-6000. + + - expression: >- + !has(object.spec.ephemeralContainers) || + object.spec.ephemeralContainers.all(container, !has(container.ports) || + container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000))) + message: >- + The only permitted hostPorts are in the range 5000-6000. diff --git a/pod-security-cel/baseline/disallow-host-ports-range/kyverno-test.yaml b/pod-security-cel/baseline/disallow-host-ports-range/kyverno-test.yaml new file mode 100644 index 000000000..69adc43b2 --- /dev/null 
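Review bot: The description annotation says the policy ensures the `hostPort` field `is set to one in the designated list`, but the expressions enforce a numeric range (`port.hostPort >= 5000 && port.hostPort <= 6000`), and the same wording is repeated in artifacthub-pkg.yml (previous hunk); rephrase to `field is unset or set to a value within the permitted range (5000-6000).` so readers know what is actually checked. The bounds appear six times across the three expressions; if the targeted Kyverno release supports CEL `variables` under `validate.cel`, defining them once would keep the containers, initContainers and ephemeralContainers checks from drifting.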
+++ b/pod-security-cel/baseline/disallow-host-ports-range/kyverno-test.yaml @@ -0,0 +1,99 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-host-ports-range +policies: +- disallow-host-ports-range.yaml +resources: +- ../../../pod-security/baseline/disallow-host-ports-range/resource.yaml +results: +- kind: CronJob + policy: disallow-host-ports-range + resources: + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 + - badcronjob07 + - badcronjob08 + - badcronjob09 + - badcronjob10 + result: fail + rule: host-port-range +- kind: Deployment + policy: disallow-host-ports-range + resources: + - baddeployment01 + - baddeployment02 + - baddeployment03 + - baddeployment04 + - baddeployment05 + - baddeployment06 + - baddeployment07 + - baddeployment08 + - baddeployment09 + - baddeployment10 + result: fail + rule: host-port-range +- kind: Pod + policy: disallow-host-ports-range + resources: + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 + - badpod07 + - badpod08 + - badpod09 + - badpod10 + result: fail + rule: host-port-range +- kind: CronJob + policy: disallow-host-ports-range + resources: + - goodcronjob01 + - goodcronjob02 + - goodcronjob03 + - goodcronjob04 + - goodcronjob05 + - goodcronjob06 + - goodcronjob07 + - goodcronjob08 + - goodcronjob09 + - goodcronjob10 + result: pass + rule: host-port-range +- kind: Deployment + policy: disallow-host-ports-range + resources: + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 + - gooddeployment07 + - gooddeployment08 + - gooddeployment09 + - gooddeployment10 + result: pass + rule: host-port-range +- kind: Pod + policy: disallow-host-ports-range + resources: + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + - goodpod06 + - goodpod07 + - goodpod08 + - goodpod09 + - goodpod10 + result: pass + rule: host-port-range 
diff --git a/pod-security-cel/baseline/disallow-host-ports/01-assert.yaml b/pod-security-cel/baseline/disallow-host-ports/01-assert.yaml new file mode 100644 index 000000000..7630931c6 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-ports/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-ports +status: + ready: true diff --git a/pod-security-cel/baseline/disallow-host-ports/01-enforce.yaml b/pod-security-cel/baseline/disallow-host-ports/01-enforce.yaml new file mode 100644 index 000000000..1435eb6e1 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-ports/01-enforce.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-host-ports.yaml | kubectl create -f - diff --git a/pod-security-cel/baseline/disallow-host-ports/02-manifests.yaml b/pod-security-cel/baseline/disallow-host-ports/02-manifests.yaml new file mode 100644 index 000000000..6a5b6cd13 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-ports/02-manifests.yaml @@ -0,0 +1,11 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: ../../../pod-security/baseline/disallow-host-ports/pod-good.yaml + shouldFail: false +- file: ../../../pod-security/baseline/disallow-host-ports/pod-bad.yaml + shouldFail: true +- file: ../../../pod-security/baseline/disallow-host-ports/podcontroller-good.yaml + shouldFail: false +- file: ../../../pod-security/baseline/disallow-host-ports/podcontroller-bad.yaml + shouldFail: true diff --git a/pod-security-cel/baseline/disallow-host-ports/99-delete.yaml b/pod-security-cel/baseline/disallow-host-ports/99-delete.yaml new file mode 100644 index 000000000..a77641b34 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-ports/99-delete.yaml 
@@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +delete: +- apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-ports diff --git a/pod-security-cel/baseline/disallow-host-ports/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-ports/artifacthub-pkg.yml new file mode 100644 index 000000000..2398202a5 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-ports/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +name: disallow-host-ports +version: 1.0.0 +displayName: Disallow hostPorts in CEL expressions +description: >- + Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. This policy ensures the `hostPort` field is unset or set to `0`. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml + ``` +keywords: + - kyverno + - Pod Security Standards (Baseline) + - CEL Expressions +readme: | + Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. This policy ensures the `hostPort` field is unset or set to `0`. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Pod Security Standards (Baseline) in CEL" + kyverno/kubernetesVersion: "1.22-1.23" + kyverno/subject: "Pod" +digest: e5c3baa87ccb5cbbaeb6594e12e4781c8fca0d72a5a513b2a6f8efc80e00b200 diff --git a/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml b/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml new file mode 100644 index 000000000..cd4e0fd47 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml 
@@ -0,0 +1,50 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-host-ports
+ annotations:
+ policies.kyverno.io/title: Disallow hostPorts in CEL expressions
+ policies.kyverno.io/category: Pod Security Standards (Baseline) in CEL
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ policies.kyverno.io/description: >-
+ Access to host ports allows potential snooping of network traffic and should not be
+ allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
+ field is unset or set to `0`.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: host-ports-none
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ cel:
+ expressions:
+ - expression: >-
+ object.spec.containers.all(container, !has(container.ports) ||
+ container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
+ message: >-
+ Use of host ports is disallowed. The field spec.containers[*].ports[*].hostPort
+ must either be unset or set to `0`.
+
+ - expression: >-
+ !has(object.spec.initContainers) ||
+ object.spec.initContainers.all(container, !has(container.ports) ||
+ container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
+ message: >-
+ Use of host ports is disallowed. The field spec.initContainers[*].ports[*].hostPort
+ must either be unset or set to `0`.
+
+ - expression: >-
+ !has(object.spec.ephemeralContainers) ||
+ object.spec.ephemeralContainers.all(container, !has(container.ports) ||
+ container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
+ message: >-
+ Use of host ports is disallowed. The field spec.ephemeralContainers[*].ports[*].hostPort
+ must either be unset or set to `0`.
diff --git a/pod-security-cel/baseline/disallow-host-ports/kyverno-test.yaml b/pod-security-cel/baseline/disallow-host-ports/kyverno-test.yaml
new file mode 100644
index 000000000..bea1e7b28
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-ports/kyverno-test.yaml
@@ -0,0 +1,99 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: disallow-host-ports
+policies:
+- disallow-host-ports.yaml
+resources:
+- ../../../pod-security/baseline/disallow-host-ports/resource.yaml
+results:
+- kind: CronJob
+ policy: disallow-host-ports
+ resources:
+ - badcronjob01
+ - badcronjob02
+ - badcronjob03
+ - badcronjob04
+ - badcronjob05
+ - badcronjob06
+ - badcronjob07
+ - badcronjob08
+ - badcronjob09
+ - badcronjob10
+ result: fail
+ rule: host-ports-none
+- kind: Deployment
+ policy: disallow-host-ports
+ resources:
+ - baddeployment01
+ - baddeployment02
+ - baddeployment03
+ - baddeployment04
+ - baddeployment05
+ - baddeployment06
+ - baddeployment07
+ - baddeployment08
+ - baddeployment09
+ - baddeployment10
+ result: fail
+ rule: host-ports-none
+- kind: Pod
+ policy: disallow-host-ports
+ resources:
+ - badpod01
+ - badpod02
+ - badpod03
+ - badpod04
+ - badpod05
+ - badpod06
+ - badpod07
+ - badpod08
+ - badpod09
+ - badpod10
+ result: fail
+ rule: host-ports-none
+- kind: CronJob
+ policy: disallow-host-ports
+ resources:
+ - goodcronjob01
+ - goodcronjob02
+ - goodcronjob03
+ - goodcronjob04
+ - goodcronjob05
+ - goodcronjob06
+ - goodcronjob07
+ - goodcronjob08
+ - goodcronjob09
+ - goodcronjob10
+ result: pass
+ rule: host-ports-none
+- kind: Deployment
+ policy: disallow-host-ports
+ resources:
+ - gooddeployment01
+ - gooddeployment02
+ - gooddeployment03
+ - gooddeployment04
+ - gooddeployment05
+ - gooddeployment06
+ - gooddeployment07
+ - gooddeployment08
+ - gooddeployment09
+ - gooddeployment10
+ result: pass
+ rule: host-ports-none
+- kind: Pod
+ policy: disallow-host-ports
+ resources:
+ - goodpod01
+ - goodpod02
+ - goodpod03
+ - goodpod04
+ - goodpod05
+ - goodpod06
+ - goodpod07
+ - goodpod08
+ - goodpod09
+ - goodpod10
+ result: pass
+ rule: host-ports-none
diff --git a/pod-security-cel/baseline/disallow-host-process/01-assert.yaml b/pod-security-cel/baseline/disallow-host-process/01-assert.yaml
new file mode 100644
index 000000000..ddce453da
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-process/01-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-host-process
+status:
+ ready: true
diff --git a/pod-security-cel/baseline/disallow-host-process/01-enforce.yaml b/pod-security-cel/baseline/disallow-host-process/01-enforce.yaml
new file mode 100644
index 000000000..91be34fe8
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-process/01-enforce.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-host-process.yaml | kubectl create -f -
diff --git a/pod-security-cel/baseline/disallow-host-process/02-manifests.yaml b/pod-security-cel/baseline/disallow-host-process/02-manifests.yaml
new file mode 100644
index 000000000..b7564019d
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-process/02-manifests.yaml
@@ -0,0 +1,11 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: ../../../pod-security/baseline/disallow-host-process/pod-good.yaml
+ shouldFail: false
+- file: ../../../pod-security/baseline/disallow-host-process/pod-bad.yaml
+ shouldFail: true
+- file: ../../../pod-security/baseline/disallow-host-process/podcontroller-good.yaml
+ shouldFail: false
+- file: ../../../pod-security/baseline/disallow-host-process/podcontroller-bad.yaml
+ shouldFail: true
diff --git a/pod-security-cel/baseline/disallow-host-process/99-delete.yaml b/pod-security-cel/baseline/disallow-host-process/99-delete.yaml
new file mode 100644
index 000000000..9257c16ef
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-process/99-delete.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-host-process
diff --git a/pod-security-cel/baseline/disallow-host-process/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-process/artifacthub-pkg.yml
new file mode 100644
index 000000000..d44c60b54
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-process/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+name: disallow-host-process
+version: 1.0.0
+displayName: Disallow hostProcess in CEL expressions
+description: >-
+ Windows pods offer the ability to run HostProcess containers which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures the `hostProcess` field, if present, is set to `false`.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/baseline/disallow-host-process/disallow-host-process.yaml
+ ```
+keywords:
+ - kyverno
+ - Pod Security Standards (Baseline)
+ - CEL Expressions
+readme: |
+ Windows pods offer the ability to run HostProcess containers which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures the `hostProcess` field, if present, is set to `false`.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Pod Security Standards (Baseline) in CEL"
+ kyverno/kubernetesVersion: "1.22-1.23"
+ kyverno/subject: "Pod"
+digest: 33a4b3765e2a54711df4379c41babb8b92f748d784bc79df049fb4fd225633a1
diff --git a/pod-security-cel/baseline/disallow-host-process/disallow-host-process.yaml b/pod-security-cel/baseline/disallow-host-process/disallow-host-process.yaml
new file mode 100644
index 000000000..03b389530
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-process/disallow-host-process.yaml
@@ -0,0 +1,57 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-host-process
+ annotations:
+ policies.kyverno.io/title: Disallow hostProcess in CEL expressions
+ policies.kyverno.io/category: Pod Security Standards (Baseline) in CEL
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ policies.kyverno.io/description: >-
+ Windows pods offer the ability to run HostProcess containers which enables privileged
+ access to the Windows node. Privileged access to the host is disallowed in the baseline
+ policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures
+ the `hostProcess` field, if present, is set to `false`.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: host-process-containers
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ cel:
+ expressions:
+ - expression: >-
+ object.spec.containers.all(container, !has(container.securityContext) ||
+ !has(container.securityContext.windowsOptions) ||
+ !has(container.securityContext.windowsOptions.hostProcess) ||
+ container.securityContext.windowsOptions.hostProcess == false)
+ message: >-
+ HostProcess containers are disallowed. The field spec.containers[*].securityContext.windowsOptions.hostProcess
+ must either be undefined or set to `false`.
+
+ - expression: >-
+ !has(object.spec.initContainers) ||
+ object.spec.initContainers.all(container, !has(container.securityContext) ||
+ !has(container.securityContext.windowsOptions) ||
+ !has(container.securityContext.windowsOptions.hostProcess) ||
+ container.securityContext.windowsOptions.hostProcess == false)
+ message: >-
+ HostProcess containers are disallowed. The field spec.initContainers[*].securityContext.windowsOptions.hostProcess
+ must either be undefined or set to `false`.
+
+ - expression: >-
+ !has(object.spec.ephemeralContainers) ||
+ object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
+ !has(container.securityContext.windowsOptions) ||
+ !has(container.securityContext.windowsOptions.hostProcess) ||
+ container.securityContext.windowsOptions.hostProcess == false)
+ message: >-
+ HostProcess containers are disallowed. The field spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess
+ must either be undefined or set to `false`.
diff --git a/pod-security-cel/baseline/disallow-host-process/kyverno-test.yaml b/pod-security-cel/baseline/disallow-host-process/kyverno-test.yaml
new file mode 100644
index 000000000..9b5286cb1
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-process/kyverno-test.yaml
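Review bot: The three expressions only inspect the container-level `securityContext.windowsOptions.hostProcess` fields, so a Pod that sets `spec.securityContext.windowsOptions.hostProcess: true` at pod level and leaves the per-container field unset passes every expression, even though the PSS baseline HostProcess control also restricts that pod-level field and Kubernetes uses it as the default for containers that do not set their own. A fourth expression covering `object.spec.securityContext` (below) closes the gap and gives the CEL variant the same enforcement surface; whether the reused `../../../pod-security/baseline/disallow-host-process/` fixtures exercise a pod-level-only case cannot be seen from this diff, so a dedicated bad resource is worth adding alongside it. The description's "HostProcess pods are an alpha feature as of Kubernetes v1.22" also reads as stale next to the `kyverno.io/kubernetes-version: "1.26-1.27"` annotation in the same file and is probably worth rewording.

```yaml
        expressions:
          # … unchanged: the three container-level expressions …
          - expression: >-
              !has(object.spec.securityContext) ||
              !has(object.spec.securityContext.windowsOptions) ||
              !has(object.spec.securityContext.windowsOptions.hostProcess) ||
              object.spec.securityContext.windowsOptions.hostProcess == false
            message: >-
              HostProcess containers are disallowed. The field spec.securityContext.windowsOptions.hostProcess
              must either be undefined or set to `false`.
```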
@@ -0,0 +1,72 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: disallow-host-process
+policies:
+- disallow-host-process.yaml
+resources:
+- ../../../pod-security/baseline/disallow-host-process/resource.yaml
+results:
+- kind: CronJob
+ policy: disallow-host-process
+ resources:
+ - badcronjob01
+ - badcronjob02
+ - badcronjob03
+ - badcronjob04
+ - badcronjob05
+ result: fail
+ rule: host-process-containers
+- kind: Deployment
+ policy: disallow-host-process
+ resources:
+ - baddeployment01
+ - baddeployment02
+ - baddeployment03
+ - baddeployment04
+ - baddeployment05
+ result: fail
+ rule: host-process-containers
+- kind: Pod
+ policy: disallow-host-process
+ resources:
+ - badpod01
+ - badpod02
+ - badpod03
+ - badpod04
+ - badpod05
+ result: fail
+ rule: host-process-containers
+- kind: CronJob
+ policy: disallow-host-process
+ resources:
+ - goodcronjob01
+ - goodcronjob02
+ - goodcronjob03
+ - goodcronjob04
+ - goodcronjob05
+ - goodcronjob06
+ result: pass
+ rule: host-process-containers
+- kind: Deployment
+ policy: disallow-host-process
+ resources:
+ - gooddeployment01
+ - gooddeployment02
+ - gooddeployment03
+ - gooddeployment04
+ - gooddeployment05
+ - gooddeployment06
+ result: pass
+ rule: host-process-containers
+- kind: Pod
+ policy: disallow-host-process
+ resources:
+ - goodpod01
+ - goodpod02
+ - goodpod03
+ - goodpod04
+ - goodpod05
+ - goodpod06
+ result: pass
+ rule: host-process-containers
diff --git a/pod-security-cel/baseline/kustomization.yaml b/pod-security-cel/baseline/kustomization.yaml
new file mode 100644
index 000000000..aeaf8a41d
--- /dev/null
+++ b/pod-security-cel/baseline/kustomization.yaml
@@ -0,0 +1,7 @@
+resources:
+ - disallow-capabilities/disallow-capabilities.yaml
+ - disallow-host-namespaces/disallow-host-namespaces.yaml
+ - disallow-host-path/disallow-host-path.yaml
+ - disallow-host-ports/disallow-host-ports.yaml
+ - disallow-host-ports-range/disallow-host-ports-range.yaml
+ - disallow-host-process/disallow-host-process.yaml