feat: add pod security standards (restricted) in CEL expressions
Signed-off-by: Mariam Fahmy <[email protected]>
MariamFahmy98 committed Nov 7, 2023
1 parent afb8094 commit fa0ab9b
Showing 44 changed files with 1,326 additions and 0 deletions.
1 change: 1 addition & 0 deletions .github/workflows/test.yml
Original file line number Diff line number Diff line change
@@ -52,6 +52,7 @@ jobs:
- other/res
- other/s-z
- pod-security
- pod-security-cel
- psa
- psp-migration
# - tekton
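Review bot: the new `pod-security-cel` matrix entry is right, but the kuttl steps added under that directory load their fixtures via `../../../pod-security/restricted/...`, so this job only works when the `pod-security` tree is present in the same checkout; keep that coupling in mind if the per-entry test paths are ever split.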
@@ -0,0 +1,6 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-capabilities-strict
status:
ready: true
@@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- script: |
sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-capabilities-strict.yaml | kubectl create -f -
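Review bot: rewriting `validationFailureAction` with `sed` and piping into `kubectl create` is fragile in two ways: if the policy file's indentation or spelling ever changes, the substitution silently matches nothing, the policy runs in Audit mode and every `shouldFail: true` pod in the next step is admitted; and `kubectl create` fails with AlreadyExists when a previous run did not reach the cleanup step. Consider `kubectl apply`, or a `kubectl patch` after creation, and extend the assert step (which only checks `status.ready: true`) to also assert `spec.validationFailureAction: Enforce`.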
@@ -0,0 +1,11 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- file: ../../../pod-security/restricted/disallow-capabilities-strict/pod-good.yaml
shouldFail: false
- file: ../../../pod-security/restricted/disallow-capabilities-strict/pod-bad.yaml
shouldFail: true
- file: ../../../pod-security/restricted/disallow-capabilities-strict/podcontroller-good.yaml
shouldFail: false
- file: ../../../pod-security/restricted/disallow-capabilities-strict/podcontroller-bad.yaml
shouldFail: true
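Review bot: this step exercises pod manifests owned by the non-CEL `pod-security/restricted/disallow-capabilities-strict` directory, so an edit to those fixtures changes what the CEL policy is tested against without touching this directory. That is acceptable if the two policies are meant to stay equivalent, but a short comment in the step saying so would help; note too that the `shouldFail: true` entries only mean anything while the preceding step has switched the policy to Enforce.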
@@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
delete:
- apiVersion: kyverno.io/v1
kind: ClusterPolicy
name: disallow-capabilities-strict
@@ -0,0 +1,22 @@
name: disallow-capabilities-strict
version: 1.0.0
displayName: Disallow Capabilities (Strict) in CEL expressions
description: >-
Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, all containers must explicitly drop `ALL` capabilities.
install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml
```
keywords:
- kyverno
- Pod Security Standards (Restricted)
- CEL Expressions
readme: |
Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, all containers must explicitly drop `ALL` capabilities.
Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
annotations:
kyverno/category: "Pod Security Standards (Restricted)"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
digest: d142cf9eec35920d83f4ec8642b0718bbf99a3648e06dec086d511e798a6e35d
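Review bot: `digest` is a hash of the policy file and must be regenerated whenever `disallow-capabilities-strict.yaml` changes, otherwise the package metadata no longer matches the published policy. The package also records `kubernetesVersion` but not the Kyverno version, while the policy itself pins `kyverno.io/kyverno-version: 1.11.0` (CEL validation is new there), so hub users cannot see that older releases will not load it; consider adding the corresponding annotation from the annotation docs linked in the readme.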
@@ -0,0 +1,78 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-capabilities-strict
annotations:
policies.kyverno.io/title: Disallow Capabilities (Strict) in CEL expressions
policies.kyverno.io/category: Pod Security Standards (Restricted)
policies.kyverno.io/severity: medium
kyverno.io/kyverno-version: 1.11.0
kyverno.io/kubernetes-version: "1.26-1.27"
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition,
all containers must explicitly drop `ALL` capabilities.
spec:
validationFailureAction: Audit
background: true
rules:
- name: require-drop-all
match:
any:
- resources:
kinds:
- Pod
validate:
message: >-
Containers must drop `ALL` capabilities.
cel:
expressions:
- expression: >-
object.spec.containers.all(container, has(container.securityContext) &&
has(container.securityContext.capabilities) &&
has(container.securityContext.capabilities.drop) &&
container.securityContext.capabilities.drop.exists_one(capability, capability == 'ALL'))
- expression: >-
!has(object.spec.initContainers) ||
object.spec.initContainers.all(container, has(container.securityContext) &&
has(container.securityContext.capabilities) &&
has(container.securityContext.capabilities.drop) &&
container.securityContext.capabilities.drop.exists_one(capability, capability == 'ALL'))
- expression: >-
!has(object.spec.ephemeralContainers) ||
object.spec.ephemeralContainers.all(container, has(container.securityContext) &&
has(container.securityContext.capabilities) &&
has(container.securityContext.capabilities.drop) &&
container.securityContext.capabilities.drop.exists_one(capability, capability == 'ALL'))
- name: adding-capabilities-strict
match:
any:
- resources:
kinds:
- Pod
validate:
message: >-
Any capabilities added other than NET_BIND_SERVICE are disallowed.
cel:
expressions:
- expression: >-
object.spec.containers.all(container, !has(container.securityContext) ||
!has(container.securityContext.capabilities) ||
!has(container.securityContext.capabilities.add) ||
((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE')))
- expression: >-
!has(object.spec.initContainers) ||
object.spec.initContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.capabilities) ||
!has(container.securityContext.capabilities.add) ||
((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE')))
- expression: >-
!has(object.spec.ephemeralContainers) ||
object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.capabilities) ||
!has(container.securityContext.capabilities.add) ||
((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE')))
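Review bot: in `adding-capabilities-strict`, `size(add) == 1 && add[0] == 'NET_BIND_SERVICE'` rejects an explicit `add: []` and a list that repeats `NET_BIND_SERVICE`, both harmless; `container.securityContext.capabilities.add.all(c, c == 'NET_BIND_SERVICE')` accepts those while still blocking every other capability. Likewise `drop.exists_one(capability, capability == 'ALL')` in `require-drop-all` fails a pod that lists `ALL` twice, where `exists` would do. Both rules also repeat the same expression three times (`containers`, `initContainers`, `ephemeralContainers`) under a single rule-level `message`, so a denied request does not say which container list failed; a per-expression `message` would make the denial actionable.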
@@ -0,0 +1,177 @@
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
name: disallow-capabilities-strict
policies:
- disallow-capabilities-strict.yaml
resources:
- ../../../pod-security/restricted/disallow-capabilities-strict/resource.yaml
results:
- kind: CronJob
policy: disallow-capabilities-strict
resources:
- addcap-badcronjob01
- addcap-badcronjob02
- addcap-badcronjob03
- addcap-badcronjob04
- addcap-badcronjob05
- addcap-badcronjob06
- addcap-badcronjob07
- addcap-badcronjob08
- addcap-badcronjob09
- addcap-badcronjob10
result: fail
rule: adding-capabilities-strict
- kind: Deployment
policy: disallow-capabilities-strict
resources:
- addcap-baddeployment01
- addcap-baddeployment02
- addcap-baddeployment03
- addcap-baddeployment04
- addcap-baddeployment05
- addcap-baddeployment06
- addcap-baddeployment07
- addcap-baddeployment08
- addcap-baddeployment09
- addcap-baddeployment10
result: fail
rule: adding-capabilities-strict
- kind: Pod
policy: disallow-capabilities-strict
resources:
- addcap-badpod01
- addcap-badpod02
- addcap-badpod03
- addcap-badpod04
- addcap-badpod05
- addcap-badpod06
- addcap-badpod07
- addcap-badpod08
- addcap-badpod09
- addcap-badpod10
result: fail
rule: adding-capabilities-strict
- kind: CronJob
policy: disallow-capabilities-strict
resources:
- addcap-goodcronjob01
- addcap-goodcronjob02
- addcap-goodcronjob03
- addcap-goodcronjob04
- addcap-goodcronjob05
- addcap-goodcronjob06
- addcap-goodcronjob07
- addcap-goodcronjob08
- addcap-goodcronjob09
- addcap-goodcronjob10
result: pass
rule: adding-capabilities-strict
- kind: Deployment
policy: disallow-capabilities-strict
resources:
- addcap-gooddeployment01
- addcap-gooddeployment02
- addcap-gooddeployment03
- addcap-gooddeployment04
- addcap-gooddeployment05
- addcap-gooddeployment06
- addcap-gooddeployment07
- addcap-gooddeployment08
- addcap-gooddeployment09
- addcap-gooddeployment10
result: pass
rule: adding-capabilities-strict
- kind: Pod
policy: disallow-capabilities-strict
resources:
- addcap-goodpod01
- addcap-goodpod02
- addcap-goodpod03
- addcap-goodpod04
- addcap-goodpod05
- addcap-goodpod06
- addcap-goodpod07
- addcap-goodpod08
- addcap-goodpod09
- addcap-goodpod10
result: pass
rule: adding-capabilities-strict
- kind: CronJob
policy: disallow-capabilities-strict
resources:
- badcronjob01
- badcronjob02
- badcronjob03
- badcronjob04
- badcronjob05
- badcronjob06
- badcronjob07
- badcronjob08
- badcronjob09
- badcronjob10
result: fail
rule: require-drop-all
- kind: Deployment
policy: disallow-capabilities-strict
resources:
- baddeployment01
- baddeployment02
- baddeployment03
- baddeployment04
- baddeployment05
- baddeployment06
- baddeployment07
- baddeployment08
- baddeployment09
- baddeployment10
result: fail
rule: require-drop-all
- kind: Pod
policy: disallow-capabilities-strict
resources:
- badpod01
- badpod02
- badpod03
- badpod04
- badpod05
- badpod06
- badpod07
- badpod08
- badpod09
- badpod10
result: fail
rule: require-drop-all
- kind: CronJob
policy: disallow-capabilities-strict
resources:
- goodcronjob01
- goodcronjob02
- goodcronjob03
- goodcronjob04
- goodcronjob05
- goodcronjob06
result: pass
rule: require-drop-all
- kind: Deployment
policy: disallow-capabilities-strict
resources:
- gooddeployment01
- gooddeployment02
- gooddeployment03
- gooddeployment04
- gooddeployment05
- gooddeployment06
result: pass
rule: require-drop-all
- kind: Pod
policy: disallow-capabilities-strict
resources:
- goodpod01
- goodpod02
- goodpod03
- goodpod04
- goodpod05
- goodpod06
result: pass
rule: require-drop-all
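Review bot: the Deployment and CronJob entries (for example `addcap-baddeployment01` and `badcronjob01`) depend on Kyverno auto-generating the Pod rules for controllers; please confirm the CLI applies that auto-generation to `cel` validate rules in 1.11 before merging, otherwise every controller entry here will mismatch its expected result. The test also resolves `resource.yaml` from the sibling non-CEL directory, the same coupling as the kuttl steps, so a fixture change there alters this test silently.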
@@ -0,0 +1,6 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-privilege-escalation
status:
ready: true
@@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- script: |
sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-privilege-escalation.yaml | kubectl create -f -
@@ -0,0 +1,11 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- file: ../../../pod-security/restricted/disallow-privilege-escalation/pod-good.yaml
shouldFail: false
- file: ../../../pod-security/restricted/disallow-privilege-escalation/pod-bad.yaml
shouldFail: true
- file: ../../../pod-security/restricted/disallow-privilege-escalation/podcontroller-good.yaml
shouldFail: false
- file: ../../../pod-security/restricted/disallow-privilege-escalation/podcontroller-bad.yaml
shouldFail: true
@@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
delete:
- apiVersion: kyverno.io/v1
kind: ClusterPolicy
name: disallow-privilege-escalation
@@ -0,0 +1,22 @@
name: disallow-privilege-escalation
version: 1.0.0
displayName: Disallow Privilege Escalation in CEL expressions
description: >-
Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
```
keywords:
- kyverno
- Pod Security Standards (Restricted)
- CEL Expressions
readme: |
Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
annotations:
kyverno/category: "Pod Security Standards (Restricted)"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
digest: 1a2674ff3aa5516b0b416ec91bea68d748050a6d21d46bedaffd21a8f69a1df7