feat: add miscellaneous policies in CEL expressions - Part 2 #1004

Merged
Changes from 31 commits
Commits
34 commits
059efbe
copy enforce-sidecar-injection-namespace
Chandan-DK May 12, 2024
ccb21cf
add kyverno tests for enforce-sidecar-injection-namespace
Chandan-DK May 12, 2024
150dd03
convert enforce-sidecar-injection-namespace
Chandan-DK May 12, 2024
5be9651
copy enforce-strict-mtls
Chandan-DK May 12, 2024
7424d9c
add kyverno tests for enforce-strict-mtls
Chandan-DK May 12, 2024
9977271
convert enforce-strict-mtls
Chandan-DK May 12, 2024
c5605c1
copy enforce-tls-hosts-host-subnets
Chandan-DK May 12, 2024
14fe8c9
add kyverno tests for enforce-tls-hosts-host-subnets
Chandan-DK May 12, 2024
f590890
convert enforce-tls-hosts-host-subnets
Chandan-DK May 12, 2024
4b07ffe
copy prevent-disabling-injection-pods
Chandan-DK May 12, 2024
4ad24eb
make corrections in chainsaw resources
Chandan-DK May 12, 2024
5c1055d
add kyverno tests for prevent-disabling-injection-pods
Chandan-DK May 12, 2024
c0f95de
convert prevent-disabling-injection-pods
Chandan-DK May 12, 2024
7ac7be2
copy restrict-virtual-service-wildcard
Chandan-DK May 12, 2024
cd38901
convert restrict-virtual-service-wildcard
Chandan-DK May 12, 2024
e00c353
add CI tests for istio-cel
Chandan-DK May 12, 2024
a65ee2b
copy require-kubecost-labels
Chandan-DK May 12, 2024
1396439
correct chainsaw resource
Chandan-DK May 12, 2024
e870211
convert require-kubecost-labels
Chandan-DK May 12, 2024
a4d7a13
correct chainsaw resource
Chandan-DK May 12, 2024
e704c6b
copy enforce-instancetype
Chandan-DK May 12, 2024
c7cde05
convert enforce-instancetype
Chandan-DK May 12, 2024
ebe227b
copy k10-data-protection-by-label
Chandan-DK May 12, 2024
c6fe9c5
convert k10-data-protection-by-label
Chandan-DK May 12, 2024
dcadbf7
copy k10-hourly-rpo
Chandan-DK May 12, 2024
046781b
convert k10-hourly-rpo
Chandan-DK May 12, 2024
3354995
copy k10-validate-ns-by-preset-label
Chandan-DK May 12, 2024
e9958ee
convert k10-validate-ns-by-preset-label
Chandan-DK May 12, 2024
56be409
rename files for clarity
Chandan-DK May 12, 2024
21b9111
add CI tests for cel directories
Chandan-DK May 12, 2024
1976723
remove cel policies due to issue
Chandan-DK May 26, 2024
5ca1581
add CREATE and UPDATE operations explicitly
Chandan-DK Jul 9, 2024
023be1e
Merge branch 'main' into miscellaneous-policies-cel-part-2
Chandan-DK Jul 9, 2024
66a069c
Merge branch 'main' into miscellaneous-policies-cel-part-2
MariamFahmy98 Jul 10, 2024
3 changes: 3 additions & 0 deletions .github/workflows/test.yml
@@ -38,9 +38,12 @@ jobs:
- ^external-secret-operator$
- ^flux$
- ^istio$
- ^istio-cel$
- ^karpenter$
- ^kasten$
- ^kasten-cel$
- ^kubecost$
- ^kubecost-cel$
- ^kubeops$
- ^kubevirt$
- ^linkerd$
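Review bot: no `^kubevirt-cel$` entry is added alongside `^istio-cel$`, `^kasten-cel$` and `^kubecost-cel$`, even though the commit list includes `convert enforce-instancetype` (a KubeVirt policy); if that directory was not dropped by `remove cel policies due to issue`, its chainsaw tests never run in CI, so either add the entry or confirm the directory is gone. Since only istio-cel files are visible in this diff, it is also worth checking that kasten-cel and kubecost-cel each contain at least one policy with a `.chainsaw-test` directory, otherwise the two new matrix entries are jobs with nothing to run.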
@@ -0,0 +1,41 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: enforce-sidecar-injection-namespace
spec:
steps:
- name: step-01
try:
- apply:
file: ../enforce-sidecar-injection-namespace.yaml
- patch:
resource:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: enforce-sidecar-injection-namespace
spec:
validationFailureAction: Enforce
- assert:
file: policy-ready.yaml
- name: step-02
try:
- apply:
file: ns-good.yaml
- apply:
expect:
- check:
($error != null): true
file: ns-bad-disabled.yaml
- apply:
expect:
- check:
($error != null): true
file: ns-bad-nolabel.yaml
- apply:
expect:
- check:
($error != null): true
file: ns-bad-somelabel.yaml
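Review bot: step-02 only exercises Namespace creation; because the policy's `match` block lists no `operations`, the rule is evaluated on updates too, and nothing here checks that path. Add a step that applies `ns-good.yaml` and then patches `istio-injection: disabled` onto `good-istio-sinj01` with `expect: - check: ($error != null): true`, so that relaxing an already compliant Namespace is caught as well.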
@@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
istio-injection: disabled
name: bad-istio-sinj01
@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: bad-istio-sinj03
@@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
foo: enabled
name: bad-istio-sinj02
@@ -0,0 +1,15 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
istio-injection: enabled
name: good-istio-sinj01
---
apiVersion: v1
kind: Namespace
metadata:
labels:
foo: disabled
istio-injection: enabled
bar: enabled
name: good-istio-sinj02
@@ -0,0 +1,6 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: enforce-sidecar-injection-namespace
status:
ready: true
@@ -0,0 +1,28 @@
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
name: enforce-sidecar-injection-namespace
policies:
- ../enforce-sidecar-injection-namespace.yaml
resources:
- ../.chainsaw-test/ns-bad-disabled.yaml
- ../.chainsaw-test/ns-bad-nolabel.yaml
- ../.chainsaw-test/ns-bad-somelabel.yaml
- ../.chainsaw-test/ns-good.yaml
results:
- policy: enforce-sidecar-injection-namespace
rule: check-istio-injection-enabled
kind: Namespace
resources:
- bad-istio-sinj01
- bad-istio-sinj02
- bad-istio-sinj03
result: fail
- policy: enforce-sidecar-injection-namespace
rule: check-istio-injection-enabled
kind: Namespace
resources:
- good-istio-sinj01
- good-istio-sinj02
result: pass

24 changes: 24 additions & 0 deletions istio-cel/enforce-sidecar-injection-namespace/artifacthub-pkg.yml
@@ -0,0 +1,24 @@
name: enforce-sidecar-injection-namespace-cel
version: 1.0.0
displayName: Enforce Istio Sidecar Injection in CEL expressions
description: >-
In order for Istio to inject sidecars to workloads deployed into Namespaces, the label `istio-injection` must be set to `enabled`. This policy ensures that all new Namespaces set `istio-inject` to `enabled`.
install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml
```
keywords:
- kyverno
- Istio
- CEL Expressions
readme: |
In order for Istio to inject sidecars to workloads deployed into Namespaces, the label `istio-injection` must be set to `enabled`. This policy ensures that all new Namespaces set `istio-inject` to `enabled`.

Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
annotations:
kyverno/category: "Istio in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Namespace"
digest: 3083420cd7860eadc12dd313a90d20264d211e2bf3c9ade3a74cd9454d88afa9
createdAt: "2024-05-12T04:38:32Z"
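Review bot: `description` and `readme` both say Namespaces must set `istio-inject` to `enabled`, but the label the policy evaluates is `istio-injection`; fix the name in both fields (the policy annotation carries the same text). If, as elsewhere in this repository, `digest` is the hash of the policy manifest, correcting the annotation in the policy file means regenerating the digest here in the same change.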

@@ -0,0 +1,32 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: enforce-sidecar-injection-namespace
annotations:
policies.kyverno.io/title: Enforce Istio Sidecar Injection in CEL expressions
policies.kyverno.io/category: Istio in CEL
policies.kyverno.io/severity: medium
kyverno.io/kyverno-version: 1.11.0
policies.kyverno.io/minversion: 1.11.0
kyverno.io/kubernetes-version: "1.26-1.27"
policies.kyverno.io/subject: Namespace
policies.kyverno.io/description: >-
In order for Istio to inject sidecars to workloads deployed into Namespaces, the label
`istio-injection` must be set to `enabled`. This policy ensures that all new Namespaces
set `istio-inject` to `enabled`.
spec:
validationFailureAction: Audit
background: true
rules:
- name: check-istio-injection-enabled
match:
any:
- resources:
kinds:
- Namespace
validate:
cel:
expressions:
- expression: "has(object.metadata.labels) && 'istio-injection' in object.metadata.labels && object.metadata.labels['istio-injection'] == 'enabled'"
message: "All new Namespaces must have Istio sidecar injection enabled."
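Review bot: the `match` block has no `operations` list, so with `background: true` the rule is evaluated against existing Namespaces and on updates as well as creations, while the description and `message` speak only of "new Namespaces"; either add `operations: [CREATE, UPDATE]` under `resources` (as the later commit "add CREATE and UPDATE operations explicitly" does) and keep the wording, or drop "new" from the message. The `istio-inject` typo in the description should also read `istio-injection`, matching the key the expression checks.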

33 changes: 33 additions & 0 deletions istio-cel/enforce-strict-mtls/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,33 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: enforce-strict-mtls
spec:
steps:
- name: step-01
try:
- apply:
file: ../enforce-strict-mtls.yaml
- patch:
resource:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: enforce-strict-mtls
spec:
validationFailureAction: Enforce
- assert:
file: policy-ready.yaml
- assert:
file: crd-assert.yaml
- name: step-02
try:
- apply:
file: pa-good.yaml
- apply:
expect:
- check:
($error != null): true
file: pa-bad.yaml
13 changes: 13 additions & 0 deletions istio-cel/enforce-strict-mtls/.chainsaw-test/crd-assert.yaml
@@ -0,0 +1,13 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: peerauthentications.security.istio.io
spec: {}
status:
acceptedNames:
kind: PeerAuthentication
listKind: PeerAuthenticationList
plural: peerauthentications
singular: peerauthentication
storedVersions:
- v1beta1
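Review bot: `storedVersions: [v1beta1]` ties this precondition to one CRD version, so the test fails in step-01 on any cluster whose PeerAuthentication CRD stores a different version, before the policy is exercised at all. The `acceptedNames` block already proves the CRD is installed, which is all step-02 needs; drop `storedVersions` (and the empty `spec: {}`) from the assertion.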
26 changes: 26 additions & 0 deletions istio-cel/enforce-strict-mtls/.chainsaw-test/pa-bad.yaml
@@ -0,0 +1,26 @@
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: pa-bad01
spec:
mtls:
mode: PERMISSIVE
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: pa-bad02
spec:
mtls:
mode: DISABLE
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: pa-bad03
spec:
selector:
matchLabels:
app: finance
mtls:
mode: DISABLE
39 changes: 39 additions & 0 deletions istio-cel/enforce-strict-mtls/.chainsaw-test/pa-good.yaml
@@ -0,0 +1,39 @@
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: good-pa01
spec:
mtls:
mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: good-pa02
spec:
mtls:
mode: UNSET
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: good-pa03
spec: {}
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: good-pa04
spec:
selector:
matchLabels:
app: finance
mtls:
mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: good-pa05
spec:
mtls: {}
@@ -0,0 +1,6 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: enforce-strict-mtls
status:
ready: true
29 changes: 29 additions & 0 deletions istio-cel/enforce-strict-mtls/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,29 @@
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
name: enforce-strict-mtls
policies:
- ../enforce-strict-mtls.yaml
resources:
- ../.chainsaw-test/pa-bad.yaml
- ../.chainsaw-test/pa-good.yaml
results:
- policy: enforce-strict-mtls
rule: validate-mtls
kind: PeerAuthentication
resources:
- pa-bad01
- pa-bad02
- pa-bad03
result: fail
- policy: enforce-strict-mtls
rule: validate-mtls
kind: PeerAuthentication
resources:
- good-pa01
- good-pa02
- good-pa03
- good-pa04
- good-pa05
result: pass

24 changes: 24 additions & 0 deletions istio-cel/enforce-strict-mtls/artifacthub-pkg.yml
@@ -0,0 +1,24 @@
name: enforce-strict-mtls-cel
version: 1.0.0
displayName: Enforce Istio Strict mTLS in CEL expressions
description: >-
Strict mTLS requires that mutual TLS be enabled across the entire service mesh, which can be set using a PeerAuthentication resource on a per-Namespace basis and, if set on the `istio-system` Namespace could disable it across the entire mesh. Disabling mTLS can reduce the security for traffic within that portion of the mesh and should be controlled. This policy prevents disabling strict mTLS in a PeerAuthentication resource by requiring the `mode` be set to either `UNSET` or `STRICT`.
install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio-cel/enforce-strict-mtls/enforce-strict-mtls.yaml
```
keywords:
- kyverno
- Istio
- CEL Expressions
readme: |
Strict mTLS requires that mutual TLS be enabled across the entire service mesh, which can be set using a PeerAuthentication resource on a per-Namespace basis and, if set on the `istio-system` Namespace could disable it across the entire mesh. Disabling mTLS can reduce the security for traffic within that portion of the mesh and should be controlled. This policy prevents disabling strict mTLS in a PeerAuthentication resource by requiring the `mode` be set to either `UNSET` or `STRICT`.

Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
annotations:
kyverno/category: "Istio in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "PeerAuthentication"
digest: 26293d242662d9575b51d80c63d8fe3add2a3cd1ce0c4e8f38aae602d8eb7e1a
createdAt: "2024-05-12T04:41:47Z"
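Review bot: the description says the policy requires `mode` to be `UNSET` or `STRICT`, but pa-good.yaml expects `spec: {}` and `mtls: {}` (no `mode` at all) to pass, so what is actually enforced is that `mode` is not `PERMISSIVE` or `DISABLE`; reword `description` and `readme` to say that. The opening sentence also reads as if strict mTLS itself "could disable it across the entire mesh"; something like "a PeerAuthentication in the `istio-system` Namespace sets the mesh-wide default, so a permissive or disabled mode there weakens mTLS for the whole mesh" says what is meant.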
