feat: add pod security standards (baseline) in CEL expressions - Part 2 #775

Merged (3 commits), Nov 8, 2023
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-privileged-containers
status:
ready: true
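Review bot: `status.ready: true` only proves the ClusterPolicy was admitted, not that the enforce step in the same kuttl step actually switched the mode, so a no-op substitution would surface later as a confusing `shouldFail` mismatch in 02-manifests.yaml instead of here. Add the mode to the assertion, e.g. `spec:` / `  validationFailureAction: Enforce`, so this step fails fast if the policy is still in Audit.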
@@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- script: |
sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-privileged-containers.yaml | kubectl create -f -
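Review bot: `sed` exits 0 when the pattern does not match, so if the policy file is ever written with different spacing or casing for `validationFailureAction: Audit` this step silently installs an Audit-mode policy and `kubectl create -f -` still succeeds. Guard the substitution, e.g. `sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-privileged-containers.yaml > /tmp/policy.yaml` / `grep -q 'validationFailureAction: Enforce' /tmp/policy.yaml` / `kubectl create -f /tmp/policy.yaml`, or set the field explicitly with `kubectl patch` after creation.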
@@ -0,0 +1,11 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- file: ../../../pod-security/baseline/disallow-privileged-containers/pod-good.yaml
shouldFail: false
- file: ../../../pod-security/baseline/disallow-privileged-containers/pod-bad.yaml
shouldFail: true
- file: ../../../pod-security/baseline/disallow-privileged-containers/podcontroller-good.yaml
shouldFail: false
- file: ../../../pod-security/baseline/disallow-privileged-containers/podcontroller-bad.yaml
shouldFail: true
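Review bot: the `shouldFail: true` cases here can only exercise the `spec.containers` and `spec.initContainers` branches of the policy; the third expression on `spec.ephemeralContainers` is unreachable from an apply, because the API server forbids `ephemeralContainers` on pod create and only accepts them through the `pods/ephemeralcontainers` subresource (the path `kubectl debug` uses). Either add a step that patches that subresource on the good pod with a privileged ephemeral container and expects rejection, or note in the test that the ephemeral-container branch is not covered end to end. It is also worth stating that the `podcontroller-*` cases depend on Kyverno auto-generating the CEL rule for Deployments and CronJobs, since the policy matches only `Pod`.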
@@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
delete:
- apiVersion: kyverno.io/v1
kind: ClusterPolicy
name: disallow-privileged-containers
@@ -0,0 +1,22 @@
name: disallow-privileged-containers
version: 1.0.0
displayName: Disallow Privileged Containers in CEL expressions
description: >-
Privileged mode disables most security mechanisms and must not be allowed. This policy ensures Pods do not call for privileged mode.
install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml
```
keywords:
- kyverno
- Pod Security Standards (Baseline)
- CEL Expressions
readme: |
Privileged mode disables most security mechanisms and must not be allowed. This policy ensures Pods do not call for privileged mode.

Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
annotations:
kyverno/category: "Pod Security Standards (Baseline) in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
digest: 4c48385be967ef691a8d8fc839497328e9b4cfdfdd0fd767949e9f0299ba966e
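Review bot: the Artifact Hub annotations carry the Kubernetes range but not the Kyverno version, although the policy itself pins `kyverno.io/kyverno-version: 1.11.0` and `validate.cel` is not understood by older Kyverno releases. Add `kyverno/kyvernoVersion: "1.11.0"` under `annotations:` so the listing shows the real requirement. The `digest` is computed from the policy file, so it has to be regenerated if the policy changes during review.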
@@ -0,0 +1,52 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-privileged-containers
annotations:
policies.kyverno.io/title: Disallow Privileged Containers in CEL expressions
policies.kyverno.io/category: Pod Security Standards (Baseline) in CEL
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.11.0
kyverno.io/kubernetes-version: "1.26-1.27"
policies.kyverno.io/description: >-
Privileged mode disables most security mechanisms and must not be allowed. This policy
ensures Pods do not call for privileged mode.
spec:
validationFailureAction: Audit
background: true
rules:
- name: privileged-containers
match:
any:
- resources:
kinds:
- Pod
validate:
cel:
expressions:
- expression: >-
object.spec.containers.all(container, !has(container.securityContext) ||
!has(container.securityContext.privileged) ||
container.securityContext.privileged == false)
message: >-
Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
must be unset or set to `false`.

- expression: >-
!has(object.spec.initContainers) ||
object.spec.initContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.privileged) ||
container.securityContext.privileged == false)
message: >-
Privileged mode is disallowed. The fields spec.initContainers[*].securityContext.privileged
must be unset or set to `false`.

- expression: >-
!has(object.spec.ephemeralContainers) ||
object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.privileged) ||
container.securityContext.privileged == false)
message: >-
Privileged mode is disallowed. The fields spec.ephemeralContainers[*].securityContext.privileged
must be unset or set to `false`.
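Review bot: the third expression checks `spec.ephemeralContainers`, but the rule matches `kinds: - Pod` only. Ephemeral containers cannot be present on a create and are added through the `pods/ephemeralcontainers` subresource, so at admission this expression only runs if Kyverno routes that subresource to the plain `Pod` match; otherwise it is reachable only through background scans (`background: true`), by which time the privileged debug container is already running. Please confirm the behaviour on the target Kyverno version, or match the subresource explicitly (Kyverno accepts subresource kinds in `kinds`, e.g. `Pod/ephemeralcontainers`). The three expressions repeat one predicate; keeping them separate is fine for the per-field messages, but the `has()` guards should stay exactly as written, since `container.securityContext.privileged` on a container without a `securityContext` would otherwise be a CEL evaluation error rather than a pass.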
@@ -0,0 +1,72 @@
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
name: disallow-privileged-containers
policies:
- disallow-privileged-containers.yaml
resources:
- ../../../pod-security/baseline/disallow-privileged-containers/resource.yaml
results:
- kind: CronJob
policy: disallow-privileged-containers
resources:
- badcronjob01
- badcronjob02
- badcronjob03
- badcronjob04
- badcronjob05
result: fail
rule: privileged-containers
- kind: Deployment
policy: disallow-privileged-containers
resources:
- baddeployment01
- baddeployment02
- baddeployment03
- baddeployment04
- baddeployment05
result: fail
rule: privileged-containers
- kind: Pod
policy: disallow-privileged-containers
resources:
- badpod01
- badpod02
- badpod03
- badpod04
- badpod05
result: fail
rule: privileged-containers
- kind: CronJob
policy: disallow-privileged-containers
resources:
- goodcronjob01
- goodcronjob02
- goodcronjob03
- goodcronjob04
- goodcronjob05
- goodcronjob06
result: pass
rule: privileged-containers
- kind: Deployment
policy: disallow-privileged-containers
resources:
- gooddeployment01
- gooddeployment02
- gooddeployment03
- gooddeployment04
- gooddeployment05
- gooddeployment06
result: pass
rule: privileged-containers
- kind: Pod
policy: disallow-privileged-containers
resources:
- goodpod01
- goodpod02
- goodpod03
- goodpod04
- goodpod05
- goodpod06
result: pass
rule: privileged-containers
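Review bot: `resources:` points at `../../../pod-security/baseline/disallow-privileged-containers/resource.yaml`, so this test is coupled to the legacy (non-CEL) policy's fixtures; a `badpod06` added there would not be checked here and the expected lists in this file would drift without anyone touching this directory. Either copy the fixtures into this directory or add a comment that the two tests must be kept in step. It would also help to say which of the listed resources exercise `initContainers`, since the CEL rule has a separate branch for them and this file is the only place that branch is verified.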
22 changes: 22 additions & 0 deletions pod-security-cel/baseline/disallow-proc-mount/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
name: disallow-proc-mount
version: 1.0.0
displayName: Disallow procMount in CEL expressions
description: >-
The default /proc masks are set up to reduce attack surface and should be required. This policy ensures nothing but the default procMount can be specified. Note that in order for users to deviate from the `Default` procMount requires setting a feature gate at the API server.
install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/baseline/disallow-proc-mount/disallow-proc-mount.yaml
```
keywords:
- kyverno
- Pod Security Standards (Baseline)
- CEL Expressions
readme: |
The default /proc masks are set up to reduce attack surface and should be required. This policy ensures nothing but the default procMount can be specified. Note that in order for users to deviate from the `Default` procMount requires setting a feature gate at the API server.

Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
annotations:
kyverno/category: "Pod Security Standards (Baseline) in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
digest: 48fbac14beda4385f57f55e55b84f99cfed3f8b5e88ab6c60046fdde00bf1273
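Review bot: the sentence `Note that in order for users to deviate from the `Default` procMount requires setting a feature gate at the API server.` (in both `description` and `readme`) has no grammatical subject and does not name the gate; suggest `Note that deviating from the `Default` procMount requires the `ProcMountType` feature gate to be enabled on the API server.` Naming the gate tells operators that the policy is defence in depth where the gate is on, and that where it is off the API server drops the field before Kyverno sees it.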
@@ -0,0 +1,54 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-proc-mount
annotations:
policies.kyverno.io/title: Disallow procMount in CEL expressions
policies.kyverno.io/category: Pod Security Standards (Baseline) in CEL
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.11.0
kyverno.io/kubernetes-version: "1.26-1.27"
policies.kyverno.io/description: >-
The default /proc masks are set up to reduce attack surface and should be required. This policy
ensures nothing but the default procMount can be specified. Note that in order for users
to deviate from the `Default` procMount requires setting a feature gate at the API
server.
spec:
validationFailureAction: Audit
background: true
rules:
- name: check-proc-mount
match:
any:
- resources:
kinds:
- Pod
validate:
cel:
expressions:
- expression: >-
object.spec.containers.all(container, !has(container.securityContext) ||
!has(container.securityContext.procMount) ||
container.securityContext.procMount == 'Default')
message: >-
Changing the proc mount from the default is not allowed. The field
spec.containers[*].securityContext.procMount must be unset or set to `Default`.

- expression: >-
!has(object.spec.initContainers) ||
object.spec.initContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.procMount) ||
container.securityContext.procMount == 'Default')
message: >-
Changing the proc mount from the default is not allowed. The field
spec.initContainers[*].securityContext.procMount must be unset or set to `Default`.

- expression: >-
!has(object.spec.ephemeralContainers) ||
object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.procMount) ||
container.securityContext.procMount == 'Default')
message: >-
Changing the proc mount from the default is not allowed. The field
spec.ephemeralContainers[*].securityContext.procMount must be unset or set to `Default`.
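Review bot: the messages say the field `must be unset or set to Default` but never name what was rejected; the API enum has exactly one other value, `Unmasked`, which removes the masked and read-only `/proc` paths the baseline profile wants kept, so saying `Unmasked is not allowed` makes the denial self-explanatory. The description here repeats the ungrammatical feature-gate sentence from artifacthub-pkg.yml; name the gate (`ProcMountType`) in both places. The same ephemeral-container admission question as for `disallow-privileged-containers` applies to the third expression, since this rule also matches only `Pod`.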
72 changes: 72 additions & 0 deletions pod-security-cel/baseline/disallow-proc-mount/kyverno-test.yaml
@@ -0,0 +1,72 @@
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
name: disallow-proc-mount
policies:
- disallow-proc-mount.yaml
resources:
- ../../../pod-security/baseline/disallow-proc-mount/resource.yaml
results:
- kind: CronJob
policy: disallow-proc-mount
resources:
- badcronjob01
- badcronjob02
- badcronjob03
- badcronjob04
- badcronjob05
result: fail
rule: check-proc-mount
- kind: Deployment
policy: disallow-proc-mount
resources:
- baddeployment01
- baddeployment02
- baddeployment03
- baddeployment04
- baddeployment05
result: fail
rule: check-proc-mount
- kind: Pod
policy: disallow-proc-mount
resources:
- badpod01
- badpod02
- badpod03
- badpod04
- badpod05
result: fail
rule: check-proc-mount
- kind: CronJob
policy: disallow-proc-mount
resources:
- goodcronjob01
- goodcronjob02
- goodcronjob03
- goodcronjob04
- goodcronjob05
- goodcronjob06
result: pass
rule: check-proc-mount
- kind: Deployment
policy: disallow-proc-mount
resources:
- gooddeployment01
- gooddeployment02
- gooddeployment03
- gooddeployment04
- gooddeployment05
- gooddeployment06
result: pass
rule: check-proc-mount
- kind: Pod
policy: disallow-proc-mount
resources:
- goodpod01
- goodpod02
- goodpod03
- goodpod04
- goodpod05
- goodpod06
result: pass
rule: check-proc-mount
6 changes: 6 additions & 0 deletions pod-security-cel/baseline/disallow-selinux/01-assert.yaml
@@ -0,0 +1,6 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-selinux
status:
ready: true
5 changes: 5 additions & 0 deletions pod-security-cel/baseline/disallow-selinux/01-enforce.yaml
@@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- script: |
sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-selinux.yaml | kubectl create -f -
11 changes: 11 additions & 0 deletions pod-security-cel/baseline/disallow-selinux/02-manifests.yaml
@@ -0,0 +1,11 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- file: ../../../pod-security/baseline/disallow-selinux/pod-good.yaml
shouldFail: false
- file: ../../../pod-security/baseline/disallow-selinux/pod-bad.yaml
shouldFail: true
- file: ../../../pod-security/baseline/disallow-selinux/podcontroller-good.yaml
shouldFail: false
- file: ../../../pod-security/baseline/disallow-selinux/podcontroller-bad.yaml
shouldFail: true
6 changes: 6 additions & 0 deletions pod-security-cel/baseline/disallow-selinux/99-delete.yaml
@@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
delete:
- apiVersion: kyverno.io/v1
kind: ClusterPolicy
name: disallow-selinux
22 changes: 22 additions & 0 deletions pod-security-cel/baseline/disallow-selinux/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
name: disallow-selinux
version: 1.0.0
displayName: Disallow SELinux in CEL expressions
description: >-
SELinux options can be used to escalate privileges and should not be allowed. This policy ensures that the `seLinuxOptions` field is undefined.
install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/baseline/disallow-selinux/disallow-selinux.yaml
```
keywords:
- kyverno
- Pod Security Standards (Baseline)
- CEL Expressions
readme: |
SELinux options can be used to escalate privileges and should not be allowed. This policy ensures that the `seLinuxOptions` field is undefined.

Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
annotations:
kyverno/category: "Pod Security Standards (Baseline) in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
digest: d6379e3637a2df6d05a1613d7a000aff5cf4f6f4cc983395574238cdd225fa39
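Review bot: `ensures that the seLinuxOptions field is undefined` overstates what the Pod Security Standards baseline profile requires: baseline forbids a custom `user` or `role` and restricts `type` to the allowed set (unset, `container_t`, `container_init_t`, `container_kvm_t`); it does not forbid `seLinuxOptions` altogether. If the CEL policy in this directory implements the baseline check (the policy file is not shown in this diff view), the `description` and `readme` should say that it restricts `seLinuxOptions` to the baseline values; if it really rejects any `seLinuxOptions`, it is stricter than the `Pod Security Standards (Baseline)` category claims, and that should be stated so users are not surprised when pods with an allowed `type` are denied.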