From 96886973ce16f731ce7fbad6a0312dd9e03c8333 Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Mon, 2 Oct 2023 17:53:07 +0300 Subject: [PATCH 1/9] feat: add pod security standards (restricted) in CEL expressions 
Signed-off-by: Mariam Fahmy --- .../01-assert.yaml | 6 + .../01-enforce.yaml | 5 + .../02-manifests.yaml | 11 ++ .../99-delete.yaml | 6 + .../artifacthub-pkg.yml | 22 +++ .../disallow-capabilities-strict.yaml | 78 ++++++++ .../kyverno-test.yaml | 177 ++++++++++++++++++ .../01-assert.yaml | 6 + .../01-enforce.yaml | 6 + .../02-manifests.yaml | 11 ++ .../99-delete.yaml | 6 + .../artifacthub-pkg.yml | 22 +++ .../disallow-privilege-escalation.yaml | 50 +++++ .../kyverno-test.yaml | 72 +++++++ .../restricted/kustomization.yaml | 7 + .../01-assert.yaml | 6 + .../01-enforce.yaml | 5 + .../02-manifests.yaml | 11 ++ .../99-delete.yaml | 6 + .../artifacthub-pkg.yml | 22 +++ .../kyverno-test.yaml | 87 +++++++++ .../require-run-as-non-root-user.yaml | 53 ++++++ .../require-run-as-nonroot/01-assert.yaml | 6 + .../require-run-as-nonroot/01-enforce.yaml | 5 + .../require-run-as-nonroot/02-manifests.yaml | 11 ++ .../require-run-as-nonroot/99-delete.yaml | 6 + .../artifacthub-pkg.yml | 22 +++ .../require-run-as-nonroot/kyverno-test.yaml | 114 +++++++++++ .../require-run-as-nonroot.yaml | 59 ++++++ .../restrict-seccomp-strict/01-assert.yaml | 6 + .../restrict-seccomp-strict/01-enforce.yaml | 5 + .../restrict-seccomp-strict/02-manifests.yaml | 11 ++ .../restrict-seccomp-strict/99-delete.yaml | 6 + .../artifacthub-pkg.yml | 22 +++ .../restrict-seccomp-strict/kyverno-test.yaml | 90 +++++++++ .../restrict-seccomp-strict.yaml | 66 +++++++ .../restrict-volume-types/01-assert.yaml | 6 + .../restrict-volume-types/01-enforce.yaml | 7 + .../restrict-volume-types/02-manifests.yaml | 11 ++ .../restrict-volume-types/99-delete.yaml | 8 + .../restrict-volume-types/artifacthub-pkg.yml | 22 +++ .../restrict-volume-types/kyverno-test.yaml | 126 +++++++++++++ .../restrict-volume-types.yaml | 41 ++++ 43 files changed, 1325 insertions(+) create mode 100644 pod-security-cel/restricted/disallow-capabilities-strict/01-assert.yaml create mode 100644 
pod-security-cel/restricted/disallow-capabilities-strict/01-enforce.yaml create mode 100644 pod-security-cel/restricted/disallow-capabilities-strict/02-manifests.yaml create mode 100644 pod-security-cel/restricted/disallow-capabilities-strict/99-delete.yaml create mode 100644 pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml create mode 100644 pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml create mode 100644 pod-security-cel/restricted/disallow-capabilities-strict/kyverno-test.yaml create mode 100644 pod-security-cel/restricted/disallow-privilege-escalation/01-assert.yaml create mode 100644 pod-security-cel/restricted/disallow-privilege-escalation/01-enforce.yaml create mode 100644 pod-security-cel/restricted/disallow-privilege-escalation/02-manifests.yaml create mode 100644 pod-security-cel/restricted/disallow-privilege-escalation/99-delete.yaml create mode 100644 pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml create mode 100644 pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml create mode 100644 pod-security-cel/restricted/disallow-privilege-escalation/kyverno-test.yaml create mode 100644 pod-security-cel/restricted/kustomization.yaml create mode 100644 pod-security-cel/restricted/require-run-as-non-root-user/01-assert.yaml create mode 100644 pod-security-cel/restricted/require-run-as-non-root-user/01-enforce.yaml create mode 100644 pod-security-cel/restricted/require-run-as-non-root-user/02-manifests.yaml create mode 100644 pod-security-cel/restricted/require-run-as-non-root-user/99-delete.yaml create mode 100644 pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml create mode 100644 pod-security-cel/restricted/require-run-as-non-root-user/kyverno-test.yaml create mode 100644 pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml create mode 100644 
pod-security-cel/restricted/require-run-as-nonroot/01-assert.yaml create mode 100644 pod-security-cel/restricted/require-run-as-nonroot/01-enforce.yaml create mode 100644 pod-security-cel/restricted/require-run-as-nonroot/02-manifests.yaml create mode 100644 pod-security-cel/restricted/require-run-as-nonroot/99-delete.yaml create mode 100644 pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml create mode 100644 pod-security-cel/restricted/require-run-as-nonroot/kyverno-test.yaml create mode 100644 pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml create mode 100644 pod-security-cel/restricted/restrict-seccomp-strict/01-assert.yaml create mode 100644 pod-security-cel/restricted/restrict-seccomp-strict/01-enforce.yaml create mode 100644 pod-security-cel/restricted/restrict-seccomp-strict/02-manifests.yaml create mode 100644 pod-security-cel/restricted/restrict-seccomp-strict/99-delete.yaml create mode 100644 pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml create mode 100644 pod-security-cel/restricted/restrict-seccomp-strict/kyverno-test.yaml create mode 100644 pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml create mode 100644 pod-security-cel/restricted/restrict-volume-types/01-assert.yaml create mode 100644 pod-security-cel/restricted/restrict-volume-types/01-enforce.yaml create mode 100644 pod-security-cel/restricted/restrict-volume-types/02-manifests.yaml create mode 100644 pod-security-cel/restricted/restrict-volume-types/99-delete.yaml create mode 100644 pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml create mode 100644 pod-security-cel/restricted/restrict-volume-types/kyverno-test.yaml create mode 100644 pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml 
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/01-assert.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/01-assert.yaml
new file mode 100644
index 000000000..a7bd6b8fa
--- /dev/null
+++ b/pod-security-cel/restricted/disallow-capabilities-strict/01-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-capabilities-strict
+status:
+ ready: true
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/01-enforce.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/01-enforce.yaml
new file mode 100644
index 000000000..e0031c719
--- /dev/null
+++ b/pod-security-cel/restricted/disallow-capabilities-strict/01-enforce.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-capabilities-strict.yaml | kubectl create -f -
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/02-manifests.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/02-manifests.yaml
new file mode 100644
index 000000000..2c7fa9c29
--- /dev/null
+++ b/pod-security-cel/restricted/disallow-capabilities-strict/02-manifests.yaml
@@ -0,0 +1,11 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: ../../../pod-security/restricted/disallow-capabilities-strict/pod-good.yaml
+ shouldFail: false
+- file: ../../../pod-security/restricted/disallow-capabilities-strict/pod-bad.yaml
+ shouldFail: true
+- file: ../../../pod-security/restricted/disallow-capabilities-strict/podcontroller-good.yaml
+ shouldFail: false
+- file: ../../../pod-security/restricted/disallow-capabilities-strict/podcontroller-bad.yaml
+ shouldFail: true
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/99-delete.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/99-delete.yaml
new file mode 100644
index 000000000..9bc30b556
--- /dev/null
+++ b/pod-security-cel/restricted/disallow-capabilities-strict/99-delete.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-capabilities-strict
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml
new file mode 100644
index 000000000..570193093
--- /dev/null
+++ b/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+name: disallow-capabilities-strict
+version: 1.0.0
+displayName: Disallow Capabilities (Strict) in CEL expressions
+description: >-
+ Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, all containers must explicitly drop `ALL` capabilities.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml
+ ```
+keywords:
+ - kyverno
+ - Pod Security Standards (Restricted)
+ - CEL Expressions
+readme: |
+ Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, all containers must explicitly drop `ALL` capabilities.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Pod Security Standards (Restricted)"
+ kyverno/kubernetesVersion: "1.26-1.27"
+ kyverno/subject: "Pod"
+digest: d142cf9eec35920d83f4ec8642b0718bbf99a3648e06dec086d511e798a6e35d
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml
new file mode 100644
index 000000000..279605f7d
--- /dev/null
+++ b/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml
@@ -0,0 +1,78 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-capabilities-strict
+ annotations:
+ policies.kyverno.io/title: Disallow Capabilities (Strict) in CEL expressions
+ policies.kyverno.io/category: Pod Security Standards (Restricted)
+ policies.kyverno.io/severity: medium
+ kyverno.io/kyverno-version: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition,
+ all containers must explicitly drop `ALL` capabilities.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: require-drop-all
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ Containers must drop `ALL` capabilities.
+ cel:
+ expressions:
+ - expression: >-
+ object.spec.containers.all(container, has(container.securityContext) &&
+ has(container.securityContext.capabilities) &&
+ has(container.securityContext.capabilities.drop) &&
+ container.securityContext.capabilities.drop.exists_one(capability, capability == 'ALL'))
+
+ - expression: >-
+ !has(object.spec.initContainers) ||
+ object.spec.initContainers.all(container, has(container.securityContext) &&
+ has(container.securityContext.capabilities) &&
+ has(container.securityContext.capabilities.drop) &&
+ container.securityContext.capabilities.drop.exists_one(capability, capability == 'ALL'))
+
+ - expression: >-
+ !has(object.spec.ephemeralContainers) ||
+ object.spec.ephemeralContainers.all(container, has(container.securityContext) &&
+ has(container.securityContext.capabilities) &&
+ has(container.securityContext.capabilities.drop) &&
+ container.securityContext.capabilities.drop.exists_one(capability, capability == 'ALL'))
+ - name: adding-capabilities-strict
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ Any capabilities added other than NET_BIND_SERVICE are disallowed.
+ cel:
+ expressions:
+ - expression: >-
+ object.spec.containers.all(container, !has(container.securityContext) ||
+ !has(container.securityContext.capabilities) ||
+ !has(container.securityContext.capabilities.add) ||
+ ((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE')))
+
+ - expression: >-
+ !has(object.spec.initContainers) ||
+ object.spec.initContainers.all(container, !has(container.securityContext) ||
+ !has(container.securityContext.capabilities) ||
+ !has(container.securityContext.capabilities.add) ||
+ ((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE')))
+
+ - expression: >-
+ !has(object.spec.ephemeralContainers) ||
+ object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
+ !has(container.securityContext.capabilities) ||
+ !has(container.securityContext.capabilities.add) ||
+ ((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE')))
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/kyverno-test.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/kyverno-test.yaml
new file mode 100644
index 000000000..cd48af523
--- /dev/null
+++ b/pod-security-cel/restricted/disallow-capabilities-strict/kyverno-test.yaml
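Review bot: The three `require-drop-all` expressions use `exists_one`, which is false when `ALL` is listed more than once in `capabilities.drop`, and the three `adding-capabilities-strict` expressions require `size(...) == 1`, which rejects a repeated `NET_BIND_SERVICE` entry; neither form states the rule the messages describe (drop must include `ALL`; add may hold nothing but `NET_BIND_SERVICE`). The direct forms are `container.securityContext.capabilities.drop.exists(capability, capability == 'ALL')` and `container.securityContext.capabilities.add.all(capability, capability == 'NET_BIND_SERVICE')`, substituted in each of the three container-list expressions of the respective rule. Duplicate entries are presumably rare, so this is mainly about the expression matching the intent, and with `validationFailureAction: Audit` a false denial would surface as a report rather than a rejected pod.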
@@ -0,0 +1,177 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: disallow-capabilities-strict
+policies:
+- disallow-capabilities-strict.yaml
+resources:
+- ../../../pod-security/restricted/disallow-capabilities-strict/resource.yaml
+results:
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-badcronjob01
+ - addcap-badcronjob02
+ - addcap-badcronjob03
+ - addcap-badcronjob04
+ - addcap-badcronjob05
+ - addcap-badcronjob06
+ - addcap-badcronjob07
+ - addcap-badcronjob08
+ - addcap-badcronjob09
+ - addcap-badcronjob10
+ result: fail
+ rule: adding-capabilities-strict
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-baddeployment01
+ - addcap-baddeployment02
+ - addcap-baddeployment03
+ - addcap-baddeployment04
+ - addcap-baddeployment05
+ - addcap-baddeployment06
+ - addcap-baddeployment07
+ - addcap-baddeployment08
+ - addcap-baddeployment09
+ - addcap-baddeployment10
+ result: fail
+ rule: adding-capabilities-strict
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-badpod01
+ - addcap-badpod02
+ - addcap-badpod03
+ - addcap-badpod04
+ - addcap-badpod05
+ - addcap-badpod06
+ - addcap-badpod07
+ - addcap-badpod08
+ - addcap-badpod09
+ - addcap-badpod10
+ result: fail
+ rule: adding-capabilities-strict
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-goodcronjob01
+ - addcap-goodcronjob02
+ - addcap-goodcronjob03
+ - addcap-goodcronjob04
+ - addcap-goodcronjob05
+ - addcap-goodcronjob06
+ - addcap-goodcronjob07
+ - addcap-goodcronjob08
+ - addcap-goodcronjob09
+ - addcap-goodcronjob10
+ result: pass
+ rule: adding-capabilities-strict
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-gooddeployment01
+ - addcap-gooddeployment02
+ - addcap-gooddeployment03
+ - addcap-gooddeployment04
+ - addcap-gooddeployment05
+ - addcap-gooddeployment06
+ - addcap-gooddeployment07
+ - addcap-gooddeployment08
+ - addcap-gooddeployment09
+ - addcap-gooddeployment10
+ result: pass
+ rule: adding-capabilities-strict
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-goodpod01
+ - addcap-goodpod02
+ - addcap-goodpod03
+ - addcap-goodpod04
+ - addcap-goodpod05
+ - addcap-goodpod06
+ - addcap-goodpod07
+ - addcap-goodpod08
+ - addcap-goodpod09
+ - addcap-goodpod10
+ result: pass
+ rule: adding-capabilities-strict
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - badcronjob01
+ - badcronjob02
+ - badcronjob03
+ - badcronjob04
+ - badcronjob05
+ - badcronjob06
+ - badcronjob07
+ - badcronjob08
+ - badcronjob09
+ - badcronjob10
+ result: fail
+ rule: require-drop-all
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - baddeployment01
+ - baddeployment02
+ - baddeployment03
+ - baddeployment04
+ - baddeployment05
+ - baddeployment06
+ - baddeployment07
+ - baddeployment08
+ - baddeployment09
+ - baddeployment10
+ result: fail
+ rule: require-drop-all
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - badpod01
+ - badpod02
+ - badpod03
+ - badpod04
+ - badpod05
+ - badpod06
+ - badpod07
+ - badpod08
+ - badpod09
+ - badpod10
+ result: fail
+ rule: require-drop-all
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - goodcronjob01
+ - goodcronjob02
+ - goodcronjob03
+ - goodcronjob04
+ - goodcronjob05
+ - goodcronjob06
+ result: pass
+ rule: require-drop-all
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - gooddeployment01
+ - gooddeployment02
+ - gooddeployment03
+ - gooddeployment04
+ - gooddeployment05
+ - gooddeployment06
+ result: pass
+ rule: require-drop-all
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - goodpod01
+ - goodpod02
+ - goodpod03
+ - goodpod04
+ - goodpod05
+ - goodpod06
+ result: pass
+ rule: require-drop-all
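Review bot: The `resources` entry points at `../../../pod-security/restricted/disallow-capabilities-strict/resource.yaml`, the fixture file of the non-CEL policy of the same name, so any edit to that fixture silently changes what this suite covers, and the good/bad resource names listed under `results` only stay meaningful while they match that file. A one-line comment above `resources:` — `# Fixtures are shared with the non-CEL policy under pod-security/restricted; keep the names below in sync with that resource.yaml` — would make the coupling visible to whoever next edits either side. The same cross-directory reference is used by the `02-manifests.yaml` steps and by the other `kyverno-test.yaml` files in this patch (disallow-privilege-escalation, require-run-as-non-root-user), so the same comment applies there.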
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/01-assert.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/01-assert.yaml
new file mode 100644
index 000000000..30a5747c2
--- /dev/null
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/01-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-privilege-escalation
+status:
+ ready: true
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/01-enforce.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/01-enforce.yaml
new file mode 100644
index 000000000..a92c92339
--- /dev/null
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/01-enforce.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-privilege-escalation.yaml | kubectl create -f -
+ 
\ No newline at end of file
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/02-manifests.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/02-manifests.yaml
new file mode 100644
index 000000000..4f9c0cdd5
--- /dev/null
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/02-manifests.yaml
@@ -0,0 +1,11 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: ../../../pod-security/restricted/disallow-privilege-escalation/pod-good.yaml
+ shouldFail: false
+- file: ../../../pod-security/restricted/disallow-privilege-escalation/pod-bad.yaml
+ shouldFail: true
+- file: ../../../pod-security/restricted/disallow-privilege-escalation/podcontroller-good.yaml
+ shouldFail: false
+- file: ../../../pod-security/restricted/disallow-privilege-escalation/podcontroller-bad.yaml
+ shouldFail: true
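Review bot: The `01-enforce.yaml` hunk for disallow-privilege-escalation ends with a whitespace-only sixth line and `\ No newline at end of file`, whereas the sibling `01-enforce.yaml` steps in this patch are five lines ending in a newline; the trailing line should be dropped and a final newline added so the step is byte-for-byte the same shape as the others apart from the policy filename. The same whitespace-only tail and missing final newline appear at the end of the `disallow-privilege-escalation.yaml` policy hunk later in the patch. Inside a `|` block scalar the stray line also becomes part of the script text, which is harmless here but easy to trip over if the step is ever extended.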
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/99-delete.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/99-delete.yaml
new file mode 100644
index 000000000..d298864ad
--- /dev/null
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/99-delete.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-privilege-escalation
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
new file mode 100644
index 000000000..7e17fc43b
--- /dev/null
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+name: disallow-privilege-escalation
+version: 1.0.0
+displayName: Disallow Privilege Escalation in CEL expressions
+description: >-
+ Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
+ ```
+keywords:
+ - kyverno
+ - Pod Security Standards (Restricted)
+ - CEL Expressions
+readme: |
+ Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Pod Security Standards (Restricted)"
+ kyverno/kubernetesVersion: "1.26-1.27"
+ kyverno/subject: "Pod"
+digest: 1a2674ff3aa5516b0b416ec91bea68d748050a6d21d46bedaffd21a8f69a1df7
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
new file mode 100644
index 000000000..cf6001d89
--- /dev/null
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
@@ -0,0 +1,50 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-privilege-escalation
+ annotations:
+ policies.kyverno.io/title: Disallow Privilege Escalation in CEL
+ policies.kyverno.io/category: Pod Security Standards (Restricted)
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ policies.kyverno.io/description: >-
+ Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
+ This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: privilege-escalation
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ Privilege escalation is disallowed. The fields
+ spec.containers[*].securityContext.allowPrivilegeEscalation,
+ spec.initContainers[*].securityContext.allowPrivilegeEscalation,
+ and spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation
+ must be set to `false`.
+ cel:
+ expressions:
+ - expression: >-
+ object.spec.containers.all(container, has(container.securityContext) &&
+ has(container.securityContext.allowPrivilegeEscalation) &&
+ container.securityContext.allowPrivilegeEscalation == false)
+
+ - expression: >-
+ !has(object.spec.initContainers) ||
+ object.spec.initContainers.all(container, has(container.securityContext) &&
+ has(container.securityContext.allowPrivilegeEscalation) &&
+ container.securityContext.allowPrivilegeEscalation == false)
+
+ - expression: >-
+ !has(object.spec.ephemeralContainers) ||
+ object.spec.ephemeralContainers.all(container, has(container.securityContext) &&
+ has(container.securityContext.allowPrivilegeEscalation) &&
+ container.securityContext.allowPrivilegeEscalation == false)
+ 
\ No newline at end of file
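Review bot: `policies.kyverno.io/title` in this hunk reads `Disallow Privilege Escalation in CEL`, while the package's `displayName` in artifacthub-pkg.yml says `Disallow Privilege Escalation in CEL expressions` and the disallow-capabilities-strict policy titles itself `... in CEL expressions`; the three should agree, e.g. `policies.kyverno.io/title: Disallow Privilege Escalation in CEL expressions`. The require-run-as-non-root-user.yaml hunk later in the patch uses the same short `... in CEL` form and would need the same adjustment. Separately, the expressions apply to every pod regardless of `spec.os.name`; if parity with the upstream Pod Security Standards restricted profile is the goal, it is worth confirming whether Windows pods should be exempt from the `allowPrivilegeEscalation` requirement, as they are there from Kubernetes 1.25 onward, and documenting the decision either way in `policies.kyverno.io/description`.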
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/kyverno-test.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/kyverno-test.yaml
new file mode 100644
index 000000000..d258659db
--- /dev/null
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/kyverno-test.yaml
@@ -0,0 +1,72 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: disallow-privilege-escalation
+policies:
+- disallow-privilege-escalation.yaml
+resources:
+- ../../../pod-security/restricted/disallow-privilege-escalation/resource.yaml
+results:
+- kind: CronJob
+ policy: disallow-privilege-escalation
+ resources:
+ - badcronjob01
+ - badcronjob02
+ - badcronjob03
+ - badcronjob04
+ - badcronjob05
+ - badcronjob06
+ result: fail
+ rule: privilege-escalation
+- kind: Deployment
+ policy: disallow-privilege-escalation
+ resources:
+ - baddeployment01
+ - baddeployment02
+ - baddeployment03
+ - baddeployment04
+ - baddeployment05
+ - baddeployment06
+ result: fail
+ rule: privilege-escalation
+- kind: Pod
+ policy: disallow-privilege-escalation
+ resources:
+ - badpod01
+ - badpod02
+ - badpod03
+ - badpod04
+ - badpod05
+ - badpod06
+ result: fail
+ rule: privilege-escalation
+- kind: CronJob
+ policy: disallow-privilege-escalation
+ resources:
+ - goodcronjob01
+ - goodcronjob02
+ - goodcronjob03
+ - goodcronjob04
+ - goodcronjob05
+ result: pass
+ rule: privilege-escalation
+- kind: Deployment
+ policy: disallow-privilege-escalation
+ resources:
+ - gooddeployment01
+ - gooddeployment02
+ - gooddeployment03
+ - gooddeployment04
+ - gooddeployment05
+ result: pass
+ rule: privilege-escalation
+- kind: Pod
+ policy: disallow-privilege-escalation
+ resources:
+ - goodpod01
+ - goodpod02
+ - goodpod03
+ - goodpod04
+ - goodpod05
+ result: pass
+ rule: privilege-escalation
diff --git a/pod-security-cel/restricted/kustomization.yaml b/pod-security-cel/restricted/kustomization.yaml
new file mode 100644
index 000000000..6725535b9
--- /dev/null
+++ b/pod-security-cel/restricted/kustomization.yaml
@@ -0,0 +1,7 @@
+resources:
+ - disallow-capabilities-strict/disallow-capabilities-strict.yaml
+ - disallow-privilege-escalation/disallow-privilege-escalation.yaml
+ - require-run-as-non-root-user/require-run-as-non-root-user.yaml
+ - require-run-as-nonroot/require-run-as-nonroot.yaml
+ - restrict-seccomp-strict/restrict-seccomp-strict.yaml
+ - restrict-volume-types/restrict-volume-types.yaml
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/01-assert.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/01-assert.yaml
new file mode 100644
index 000000000..3a15a8755
--- /dev/null
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/01-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-run-as-non-root-user
+status:
+ ready: true
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/01-enforce.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/01-enforce.yaml
new file mode 100644
index 000000000..6b209b3db
--- /dev/null
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/01-enforce.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' require-run-as-non-root-user.yaml | kubectl create -f -
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/02-manifests.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/02-manifests.yaml
new file mode 100644
index 000000000..698d27655
--- /dev/null
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/02-manifests.yaml
@@ -0,0 +1,11 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: ../../../pod-security/restricted/require-run-as-non-root-user/pod-good.yaml
+ shouldFail: false
+- file: ../../../pod-security/restricted/require-run-as-non-root-user/pod-bad.yaml
+ shouldFail: true
+- file: ../../../pod-security/restricted/require-run-as-non-root-user/podcontroller-good.yaml
+ shouldFail: false
+- file: ../../../pod-security/restricted/require-run-as-non-root-user/podcontroller-bad.yaml
+ shouldFail: true
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/99-delete.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/99-delete.yaml
new file mode 100644
index 000000000..aed8d3f0b
--- /dev/null
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/99-delete.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: require-run-as-non-root-user
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml b/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml
new file mode 100644
index 000000000..13eed5cf0
--- /dev/null
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+name: require-run-as-non-root-user
+version: 1.0.0
+displayName: Require Run As Non-Root User in CEL expressions
+description: >-
+ Containers must be required to run as non-root users. This policy ensures `runAsUser` is either unset or set to a number greater than zero.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml
+ ```
+keywords:
+ - kyverno
+ - Pod Security Standards (Restricted)
+ - CEL Expressions
+readme: |
+ Containers must be required to run as non-root users. This policy ensures `runAsUser` is either unset or set to a number greater than zero.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Pod Security Standards (Restricted)"
+ kyverno/kubernetesVersion: "1.26-1.27"
+ kyverno/subject: "Pod"
+digest: d4bdf4d03257fff0dc438a14a0ff3df8b8f4bc02fec15c2d69c602421281811d
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/kyverno-test.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/kyverno-test.yaml
new file mode 100644
index 000000000..5f78b269d
--- /dev/null
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/kyverno-test.yaml
@@ -0,0 +1,87 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: require-run-as-non-root-user
+policies:
+- require-run-as-non-root-user.yaml
+resources:
+- ../../../pod-security/restricted/require-run-as-non-root-user/resource.yaml
+results:
+- kind: CronJob
+ policy: require-run-as-non-root-user
+ resources:
+ - badcronjob01
+ - badcronjob02
+ - badcronjob03
+ - badcronjob04
+ - badcronjob05
+ - badcronjob06
+ result: fail
+ rule: run-as-non-root-user
+- kind: Deployment
+ policy: require-run-as-non-root-user
+ resources:
+ - baddeployment01
+ - baddeployment02
+ - baddeployment03
+ - baddeployment04
+ - baddeployment05
+ - baddeployment06
+ result: fail
+ rule: run-as-non-root-user
+- kind: Pod
+ policy: require-run-as-non-root-user
+ resources:
+ - badpod01
+ - badpod02
+ - badpod03
+ - badpod04
+ - badpod05
+ - badpod06
+ result: fail
+ rule: run-as-non-root-user
+- kind: CronJob
+ policy: require-run-as-non-root-user
+ resources:
+ - goodcronjob01
+ - goodcronjob02
+ - goodcronjob03
+ - goodcronjob04
+ - goodcronjob05
+ - goodcronjob06
+ - goodcronjob07
+ - goodcronjob08
+ - goodcronjob09
+ - goodcronjob10
+ result: pass
+ rule: run-as-non-root-user
+- kind: Deployment
+ policy: require-run-as-non-root-user
+ resources:
+ - gooddeployment01
+ - gooddeployment02
+ - gooddeployment03
+ - gooddeployment04
+ - gooddeployment05
+ - gooddeployment06
+ - gooddeployment07
+ - gooddeployment08
+ - gooddeployment09
+ - gooddeployment10
+ result: pass
+ rule: run-as-non-root-user
+- kind: Pod
+ policy: require-run-as-non-root-user
+ resources:
+ - goodpod01
+ - goodpod02
+ - goodpod03
+ - goodpod04
+ - goodpod05
+ - goodpod06
+ - goodpod07
+ - goodpod08
+ - goodpod09
+ - goodpod10
+ result: pass
+ rule: run-as-non-root-user
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml
new file mode 100644
index 000000000..02500dcd7
--- /dev/null
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml
@@ -0,0 +1,53 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-run-as-non-root-user
+ annotations:
+ policies.kyverno.io/title: Require Run As Non-Root User in CEL
+ policies.kyverno.io/category: Pod Security Standards (Restricted)
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ policies.kyverno.io/description: >-
+ Containers must be required to run as non-root users. This policy ensures
+ `runAsUser` is either unset or set to a number greater than zero.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: run-as-non-root-user
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ Running as root is not allowed. The fields spec.securityContext.runAsUser,
+ spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser,
+ and spec.ephemeralContainers[*].securityContext.runAsUser must be unset or
+ set to a number greater than zero.
+ cel:
+ expressions:
+ - expression: >-
+ !has(object.spec.securityContext) ||
+ !has(object.spec.securityContext.runAsUser) ||
+ object.spec.securityContext.runAsUser > 0
+
+ - expression: >-
object.spec.containers.all(container, !has(container.securityContext) ||
+ !has(container.securityContext.runAsUser) ||
+ container.securityContext.runAsUser > 0)
+
+ - expression: >-
+ !has(object.spec.initContainers) ||
+ object.spec.initContainers.all(container, !has(container.securityContext) ||
+ !has(container.securityContext.runAsUser) ||
+ container.securityContext.runAsUser > 0)
+
+ - expression: >-
+ !has(object.spec.ephemeralContainers) ||
+ object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
+ !has(container.securityContext.runAsUser) ||
+ container.securityContext.runAsUser > 0)
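Review bot: The `policies.kyverno.io/title` annotation here reads `Require Run As Non-Root User in CEL`, while the sibling require-run-as-nonroot policy in this commit uses the `... in CEL expressions` suffix and its artifacthub `displayName` matches that form; the seccomp and volume-types policy titles drop the suffix again although their artifacthub `displayName` values keep it. Picking one suffix for the whole pod-security-cel set, and keeping each title annotation equal to its artifacthub `displayName`, would make the catalogue entries consistent.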
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/01-assert.yaml b/pod-security-cel/restricted/require-run-as-nonroot/01-assert.yaml new file mode 100644 index 000000000..d97abc312 --- /dev/null +++ b/pod-security-cel/restricted/require-run-as-nonroot/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-run-as-nonroot +status: + ready: true diff --git a/pod-security-cel/restricted/require-run-as-nonroot/01-enforce.yaml b/pod-security-cel/restricted/require-run-as-nonroot/01-enforce.yaml new file mode 100644 index 000000000..05ab09701 --- /dev/null +++ b/pod-security-cel/restricted/require-run-as-nonroot/01-enforce.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' require-run-as-nonroot.yaml | kubectl create -f - diff --git a/pod-security-cel/restricted/require-run-as-nonroot/02-manifests.yaml b/pod-security-cel/restricted/require-run-as-nonroot/02-manifests.yaml new file mode 100644 index 000000000..bcda526e6 --- /dev/null +++ b/pod-security-cel/restricted/require-run-as-nonroot/02-manifests.yaml @@ -0,0 +1,11 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: ../../../pod-security/restricted/require-run-as-nonroot/pod-good.yaml + shouldFail: false +- file: ../../../pod-security/restricted/require-run-as-nonroot/pod-bad.yaml + shouldFail: true +- file: ../../../pod-security/restricted/require-run-as-nonroot/podcontroller-good.yaml + shouldFail: false +- file: ../../../pod-security/restricted/require-run-as-nonroot/podcontroller-bad.yaml + shouldFail: true diff --git a/pod-security-cel/restricted/require-run-as-nonroot/99-delete.yaml b/pod-security-cel/restricted/require-run-as-nonroot/99-delete.yaml new file mode 100644 index 000000000..13c14c6f6 --- /dev/null +++ b/pod-security-cel/restricted/require-run-as-nonroot/99-delete.yaml 
@@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +delete: +- apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-run-as-nonroot diff --git a/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml b/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml new file mode 100644 index 000000000..375147dcb --- /dev/null +++ b/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +name: require-run-as-nonroot +version: 1.0.0 +displayName: Require runAsNonRoot in CEL expressions +description: >- + Containers must be required to run as non-root users. This policy ensures `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml + ``` +keywords: + - kyverno + - Pod Security Standards (Restricted) + - CEL Expressions +readme: | + Containers must be required to run as non-root users. This policy ensures `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Pod Security Standards (Restricted)" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "Pod" +digest: b5e14351175bff55c6856c5d4251808b23144bf6f05be0c5a6b24439879a6913 diff --git a/pod-security-cel/restricted/require-run-as-nonroot/kyverno-test.yaml b/pod-security-cel/restricted/require-run-as-nonroot/kyverno-test.yaml new file mode 100644 index 000000000..861745f3d --- /dev/null +++ b/pod-security-cel/restricted/require-run-as-nonroot/kyverno-test.yaml 
@@ -0,0 +1,114 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-run-as-nonroot +policies: +- require-run-as-nonroot.yaml +resources: +- ../../../pod-security/restricted/require-run-as-nonroot/resource.yaml +results: +- kind: CronJob + policy: require-run-as-nonroot + resources: + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 + - badcronjob07 + - badcronjob08 + - badcronjob09 + - badcronjob10 + - badcronjob11 + - badcronjob12 + - badcronjob13 + - badcronjob14 + - badcronjob15 + result: fail + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - baddeployment01 + - baddeployment02 + - baddeployment03 + - baddeployment04 + - baddeployment05 + - baddeployment06 + - baddeployment07 + - baddeployment08 + - baddeployment09 + - baddeployment10 + - baddeployment11 + - baddeployment12 + - baddeployment13 + - baddeployment14 + - baddeployment15 + result: fail + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 + - badpod07 + - badpod08 + - badpod09 + - badpod10 + - badpod11 + - badpod12 + - badpod13 + - badpod14 + - badpod15 + result: fail + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - goodcronjob01 + - goodcronjob02 + - goodcronjob03 + - goodcronjob04 + - goodcronjob05 + - goodcronjob06 + - goodcronjob07 + - goodcronjob08 + - goodcronjob09 + - goodcronjob10 + result: pass + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 + - gooddeployment07 + - gooddeployment08 + - gooddeployment09 + - gooddeployment10 + result: pass + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - goodpod01 + - goodpod02 + - goodpod03 
+ - goodpod04 + - goodpod05 + - goodpod06 + - goodpod07 + - goodpod08 + - goodpod09 + - goodpod10 + result: pass + rule: run-as-non-root diff --git a/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml b/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml new file mode 100644 index 000000000..c7c38a801 --- /dev/null +++ b/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml 
@@ -0,0 +1,59 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-run-as-nonroot
+ annotations:
+ policies.kyverno.io/title: Require runAsNonRoot in CEL expressions
+ policies.kyverno.io/category: Pod Security Standards (Restricted)
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ policies.kyverno.io/description: >-
+ Containers must be required to run as non-root users. This policy ensures
+ `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this
+ using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: run-as-non-root
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot
+ must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot,
+ spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot
+ must be set to `true`.
+ cel:
+ expressions:
+ - expression: >-
+ (!has(object.spec.securityContext) ||
+ !has(object.spec.securityContext.runAsNonRoot) ||
+ object.spec.securityContext.runAsNonRoot == true)
+ &&
+ (object.spec.containers.all(container, !has(container.securityContext) ||
+ !has(container.securityContext.runAsNonRoot) ||
+ container.securityContext.runAsNonRoot == true))
+ &&
+ (!has(object.spec.initContainers) ||
+ object.spec.initContainers.all(container, !has(container.securityContext) ||
+ !has(container.securityContext.runAsNonRoot) ||
+ container.securityContext.runAsNonRoot == true))
+ &&
+ (!has(object.spec.ephemeralContainers) ||
+ object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
+ !has(container.securityContext.runAsNonRoot) ||
+ container.securityContext.runAsNonRoot == true))
+
+ - expression: >-
+ has(object.spec.securityContext) ||
+ (object.spec.containers.all(container, has(container.securityContext) && has(container.securityContext.runAsNonRoot))
+ &&
+ (!has(object.spec.initContainers) || object.spec.initContainers.all(container, has(container.securityContext) && has(container.securityContext.runAsNonRoot)))
+ &&
+ (!has(object.spec.ephemeralContainers) || object.spec.ephemeralContainers.all(container, has(container.securityContext) && has(container.securityContext.runAsNonRoot))))
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/01-assert.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/01-assert.yaml
new file mode 100644
index 000000000..db4a4dc3a
--- /dev/null
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/01-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-seccomp-strict
+status:
+ ready: true
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/01-enforce.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/01-enforce.yaml
new file mode 100644
index 000000000..826f02c88
--- /dev/null
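Review bot: The second expression's leading `has(object.spec.securityContext) ||` passes any Pod whose pod-level securityContext exists but does not set runAsNonRoot (for example one that only sets seccompProfile), so none of the containers are then required to set the field, and since the first expression only checks fields that are present, such a Pod with root containers passes the rule. The guard should require the pod-level field itself, `(has(object.spec.securityContext) && has(object.spec.securityContext.runAsNonRoot)) ||`, and the first expression already rejects the case where it is present and `false`. The description annotation also carries over the `anyPattern` persistence caveat for Kubernetes 1.23.0-1.23.2 from the pattern-based policy, which does not apply to a CEL rule; dropping that sentence would avoid confusion. The rule starts in the previous hunk line.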
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/01-enforce.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' restrict-seccomp-strict.yaml | kubectl create -f - diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/02-manifests.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/02-manifests.yaml new file mode 100644 index 000000000..70d0917ac --- /dev/null +++ b/pod-security-cel/restricted/restrict-seccomp-strict/02-manifests.yaml @@ -0,0 +1,11 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: ../../../pod-security/restricted/restrict-seccomp-strict/pod-good.yaml + shouldFail: false +- file: ../../../pod-security/restricted/restrict-seccomp-strict/pod-bad.yaml + shouldFail: true +- file: ../../../pod-security/restricted/restrict-seccomp-strict/podcontroller-good.yaml + shouldFail: false +- file: ../../../pod-security/restricted/restrict-seccomp-strict/podcontroller-bad.yaml + shouldFail: true diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/99-delete.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/99-delete.yaml new file mode 100644 index 000000000..7ca3c4cd0 --- /dev/null +++ b/pod-security-cel/restricted/restrict-seccomp-strict/99-delete.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +delete: +- apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-seccomp-strict diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml b/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml new file mode 100644 index 000000000..c8140bd0d --- /dev/null +++ b/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: restrict-seccomp-strict +version: 1.0.0 +displayName: Restrict Seccomp (Strict) in CEL expressions +description: >- + The seccomp profile in the Restricted group must not be explicitly set to Unconfined but additionally must also not allow an unset value. This policy, requiring Kubernetes v1.19 or later, ensures that seccomp is set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml + ``` +keywords: + - kyverno + - Pod Security Standards (Restricted) + - CEL Expressions +readme: | + The seccomp profile in the Restricted group must not be explicitly set to Unconfined but additionally must also not allow an unset value. This policy, requiring Kubernetes v1.19 or later, ensures that seccomp is set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Pod Security Standards (Restricted)" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "Pod" +digest: 4cf3da92894bc484aa353e38983fe6641b91a43d70b56fa16ce76bb22a04a7d6 diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/kyverno-test.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/kyverno-test.yaml new file mode 100644 index 000000000..4f0fbe7ac --- /dev/null +++ b/pod-security-cel/restricted/restrict-seccomp-strict/kyverno-test.yaml 
@@ -0,0 +1,90 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-seccomp-strict +policies: +- restrict-seccomp-strict.yaml +resources: +- ../../../pod-security/restricted/restrict-seccomp-strict/resource.yaml +results: +- kind: CronJob + policy: restrict-seccomp-strict + resources: + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 + - badcronjob07 + result: fail + rule: check-seccomp-strict +- kind: Deployment + policy: restrict-seccomp-strict + resources: + - baddeployment01 + - baddeployment02 + - baddeployment03 + - baddeployment04 + - baddeployment05 + - baddeployment06 + - baddeployment07 + result: fail + rule: check-seccomp-strict +- kind: Pod + policy: restrict-seccomp-strict + resources: + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 + - badpod07 + result: fail + rule: check-seccomp-strict +- kind: CronJob + policy: restrict-seccomp-strict + resources: + - goodcronjob01 + - goodcronjob02 + - goodcronjob03 + - goodcronjob04 + - goodcronjob05 + - goodcronjob06 + - goodcronjob07 + - goodcronjob08 + - goodcronjob09 + - goodcronjob10 + result: pass + rule: check-seccomp-strict +- kind: Deployment + policy: restrict-seccomp-strict + resources: + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 + - gooddeployment07 + - gooddeployment08 + - gooddeployment09 + - gooddeployment10 + result: pass + rule: check-seccomp-strict +- kind: Pod + policy: restrict-seccomp-strict + resources: + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + - goodpod06 + - goodpod07 + - goodpod08 + - goodpod09 + - goodpod10 + result: pass + rule: check-seccomp-strict diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml new file mode 100644 index 000000000..9a0293db0 
--- /dev/null
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
@@ -0,0 +1,66 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-seccomp-strict
+ annotations:
+ policies.kyverno.io/title: Restrict Seccomp (Strict) in CEL
+ policies.kyverno.io/category: Pod Security Standards (Restricted)
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ policies.kyverno.io/description: >-
+ The seccomp profile in the Restricted group must not be explicitly set to Unconfined
+ but additionally must also not allow an unset value. This policy,
+ requiring Kubernetes v1.19 or later, ensures that seccomp is
+ set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this
+ using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
+spec:
+ background: true
+ validationFailureAction: Audit
+ rules:
+ - name: check-seccomp-strict
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ Use of custom Seccomp profiles is disallowed. The fields
+ spec.securityContext.seccompProfile.type,
+ spec.containers[*].securityContext.seccompProfile.type,
+ spec.initContainers[*].securityContext.seccompProfile.type, and
+ spec.ephemeralContainers[*].securityContext.seccompProfile.type
+ must be set to `RuntimeDefault` or `Localhost`.
+ cel:
+ expressions:
+ - expression: >-
+ !has(object.spec.securityContext) ||
+ !has(object.spec.securityContext.seccompProfile) ||
+ !has(object.spec.securityContext.seccompProfile.type) ||
+ object.spec.securityContext.seccompProfile.type == 'RuntimeDefault' ||
+ object.spec.securityContext.seccompProfile.type == 'Localhost'
+
+ - expression: >-
+ object.spec.containers.all(container, !has(container.securityContext) ||
+ !has(container.securityContext.seccompProfile) ||
+ !has(container.securityContext.seccompProfile.type) ||
+ container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
+ container.securityContext.seccompProfile.type == 'Localhost')
+
+ - expression: >-
+ !has(object.spec.initContainers) ||
+ object.spec.initContainers.all(container, !has(container.securityContext) ||
+ !has(container.securityContext.seccompProfile) ||
+ !has(container.securityContext.seccompProfile.type) ||
+ container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
+ container.securityContext.seccompProfile.type == 'Localhost')
+
+ - expression: >-
+ !has(object.spec.ephemeralContainers) ||
+ object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
+ !has(container.securityContext.seccompProfile) ||
+ !has(container.securityContext.seccompProfile.type) ||
+ container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
+ container.securityContext.seccompProfile.type == 'Localhost')
diff --git a/pod-security-cel/restricted/restrict-volume-types/01-assert.yaml b/pod-security-cel/restricted/restrict-volume-types/01-assert.yaml
new file mode 100644
index 000000000..417239b4b
--- /dev/null
+++ b/pod-security-cel/restricted/restrict-volume-types/01-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-volume-types
+status:
+ ready: true
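Review bot: Every expression in this hunk accepts an unset seccompProfile — the `!has(...)` alternatives at pod, container, init-container and ephemeral-container scope — so a Pod that never mentions seccomp passes all four, while the description and the message say an unset value must not be allowed and that the type must be set to `RuntimeDefault` or `Localhost`. A fifth expression that requires the type to be explicitly present either at pod level or on every container list, in the same shape as the second expression of require-run-as-nonroot in this commit, closes that gap; the four existing expressions then keep ruling out `Unconfined` and custom values. The `anyPattern` persistence caveat for Kubernetes 1.23.0-1.23.2 in the description was carried over from the pattern-based policy and does not apply to a CEL rule. The rule starts in the previous hunk line.
```yaml
      cel:
        expressions:
          # … unchanged: the four existing expressions …
          - expression: >-
              (has(object.spec.securityContext) &&
              has(object.spec.securityContext.seccompProfile) &&
              has(object.spec.securityContext.seccompProfile.type)) ||
              (object.spec.containers.all(container, has(container.securityContext) &&
              has(container.securityContext.seccompProfile) &&
              has(container.securityContext.seccompProfile.type))
              &&
              (!has(object.spec.initContainers) ||
              object.spec.initContainers.all(container, has(container.securityContext) &&
              has(container.securityContext.seccompProfile) &&
              has(container.securityContext.seccompProfile.type)))
              &&
              (!has(object.spec.ephemeralContainers) ||
              object.spec.ephemeralContainers.all(container, has(container.securityContext) &&
              has(container.securityContext.seccompProfile) &&
              has(container.securityContext.seccompProfile.type))))
```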
diff --git a/pod-security-cel/restricted/restrict-volume-types/01-enforce.yaml b/pod-security-cel/restricted/restrict-volume-types/01-enforce.yaml new file mode 100644 index 000000000..fd2e32e7d --- /dev/null +++ b/pod-security-cel/restricted/restrict-volume-types/01-enforce.yaml @@ -0,0 +1,7 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' restrict-volume-types.yaml | kubectl create -f - +apply: +- ../../../pod-security/restricted/restrict-volume-types/ns.yaml diff --git a/pod-security-cel/restricted/restrict-volume-types/02-manifests.yaml b/pod-security-cel/restricted/restrict-volume-types/02-manifests.yaml new file mode 100644 index 000000000..897e4dffd --- /dev/null +++ b/pod-security-cel/restricted/restrict-volume-types/02-manifests.yaml @@ -0,0 +1,11 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: ../../../pod-security/restricted/restrict-volume-types/pod-good.yaml + shouldFail: false +- file: ../../../pod-security/restricted/restrict-volume-types/pod-bad.yaml + shouldFail: true +- file: ../../../pod-security/restricted/restrict-volume-types/podcontroller-good.yaml + shouldFail: false +- file: ../../../pod-security/restricted/restrict-volume-types/podcontroller-bad.yaml + shouldFail: true \ No newline at end of file diff --git a/pod-security-cel/restricted/restrict-volume-types/99-delete.yaml b/pod-security-cel/restricted/restrict-volume-types/99-delete.yaml new file mode 100644 index 000000000..c9e317204 --- /dev/null +++ b/pod-security-cel/restricted/restrict-volume-types/99-delete.yaml @@ -0,0 +1,8 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +delete: +- apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-volume-types +commands: +- command: kubectl delete all --all --force --grace-period=0 -n restrict-voltypes-ns 
diff --git a/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml b/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml new file mode 100644 index 000000000..0dd35d251 --- /dev/null +++ b/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +name: restrict-volume-types +version: 1.0.0 +displayName: Restrict Volume Types in CEL expressions +description: >- + In addition to restricting HostPath volumes, the restricted pod security profile limits usage of non-core volume types to those defined through PersistentVolumes. This policy blocks any other type of volume other than those in the allow list. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml + ``` +keywords: + - kyverno + - Pod Security Standards (Restricted) + - CEL Expressions +readme: | + In addition to restricting HostPath volumes, the restricted pod security profile limits usage of non-core volume types to those defined through PersistentVolumes. This policy blocks any other type of volume other than those in the allow list. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Pod Security Standards (Restricted)" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "Pod,Volume" +digest: 71ffcf5c417c3c71cfe6e1a1f9a36884683b876bf6ed3f5b9201d69547526583 diff --git a/pod-security-cel/restricted/restrict-volume-types/kyverno-test.yaml b/pod-security-cel/restricted/restrict-volume-types/kyverno-test.yaml new file mode 100644 index 000000000..56e535f97 --- /dev/null +++ b/pod-security-cel/restricted/restrict-volume-types/kyverno-test.yaml 
@@ -0,0 +1,126 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-volume-types +policies: +- restrict-volume-types.yaml +resources: +- ../../../pod-security/restricted/restrict-volume-types/resource.yaml +results: +- kind: CronJob + policy: restrict-volume-types + resources: + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 + - badcronjob07 + - badcronjob08 + - badcronjob09 + - badcronjob10 + - badcronjob11 + - badcronjob12 + - badcronjob13 + - badcronjob14 + - badcronjob15 + - badcronjob16 + - badcronjob17 + - badcronjob18 + - badcronjob19 + - badcronjob20 + result: fail + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - baddeployment01 + - baddeployment02 + - baddeployment03 + - baddeployment04 + - baddeployment05 + - baddeployment06 + - baddeployment07 + - baddeployment08 + - baddeployment09 + - baddeployment10 + - baddeployment11 + - baddeployment12 + - baddeployment13 + - baddeployment14 + - baddeployment15 + - baddeployment16 + - baddeployment17 + - baddeployment18 + - baddeployment19 + - baddeployment20 + result: fail + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 + - badpod07 + - badpod08 + - badpod09 + - badpod10 + - badpod11 + - badpod12 + - badpod13 + - badpod14 + - badpod15 + - badpod16 + - badpod17 + - badpod18 + - badpod19 + - badpod20 + result: fail + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - goodcronjob01 + - goodcronjob02 + - goodcronjob03 + - goodcronjob04 + - goodcronjob05 + - goodcronjob06 + - goodcronjob07 + - goodcronjob08 + - goodcronjob09 + result: pass + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - 
gooddeployment06
+ - gooddeployment07
+ - gooddeployment08
+ - gooddeployment09
+ result: pass
+ rule: restricted-volumes
+- kind: Pod
+ policy: restrict-volume-types
+ resources:
+ - goodpod01
+ - goodpod02
+ - goodpod03
+ - goodpod04
+ - goodpod05
+ - goodpod06
+ - goodpod07
+ - goodpod08
+ - goodpod09
+ result: pass
+ rule: restricted-volumes
diff --git a/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml b/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml
new file mode 100644
index 000000000..a7e1c645a
--- /dev/null
+++ b/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml
@@ -0,0 +1,41 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-volume-types
+ annotations:
+ policies.kyverno.io/title: Restrict Volume Types in CEL
+ policies.kyverno.io/category: Pod Security Standards (Restricted)
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod,Volume
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ kyverno.io/kyverno-version: 1.11.0
+ policies.kyverno.io/description: >-
+ In addition to restricting HostPath volumes, the restricted pod security profile
+ limits usage of non-core volume types to those defined through PersistentVolumes.
+ This policy blocks any other type of volume other than those in the allow list.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: restricted-volumes
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ Only the following types of volumes may be used: configMap, csi, downwardAPI,
+ emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.
+ cel:
+ expressions:
+ - expression: >-
+ !has(object.spec.volumes) ||
+ object.spec.volumes.all(vol, has(vol.configMap) ||
+ has(vol.csi) ||
+ has(vol.downwardAPI) ||
+ has(vol.emptyDir) ||
+ has(vol.ephemeral) ||
+ has(vol.persistentVolumeClaim) ||
+ has(vol.projected) ||
+ has(vol.secret))
From cd018c9aebeb63a62652c062946d92ac019b97b4 Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Tue, 7 Nov 2023 14:05:34 +0200 Subject: [PATCH 2/9] fix: use cel.expression.message instead of validate.message Signed-off-by: Mariam Fahmy --- .../artifacthub-pkg.yml | 2 +- .../disallow-capabilities-strict.yaml | 8 ++++++-- .../artifacthub-pkg.yml | 2 +- .../disallow-privilege-escalation.yaml | 15 +++++++++------ .../artifacthub-pkg.yml | 2 +- .../require-run-as-non-root-user.yaml | 17 ++++++++++++----- .../artifacthub-pkg.yml | 2 +- .../require-run-as-nonroot.yaml | 15 ++++++++++----- .../artifacthub-pkg.yml | 2 +- .../restrict-seccomp-strict.yaml | 19 ++++++++++++------- .../restrict-volume-types/artifacthub-pkg.yml | 2 +- .../restrict-volume-types.yaml | 6 +++--- 12 files changed, 58 insertions(+), 34 deletions(-) diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml index 570193093..d08ffc212 100644 --- a/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml +++ b/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security Standards (Restricted)" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: d142cf9eec35920d83f4ec8642b0718bbf99a3648e06dec086d511e798a6e35d +digest: 60ad5b4ff51fd28a3411cb5bf421eefd20c8e429b20b7230a7f3540798992a98 diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml index 279605f7d..95bf96b0d 100644 --- a/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml +++ b/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml 
@@ -53,8 +53,6 @@ spec: kinds: - Pod validate: - message: >- - Any capabilities added other than NET_BIND_SERVICE are disallowed. cel: expressions: - expression: >- @@ -62,6 +60,8 @@ spec: !has(container.securityContext.capabilities) || !has(container.securityContext.capabilities.add) || ((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE'))) + message: >- + Any capabilities added other than NET_BIND_SERVICE are disallowed. - expression: >- !has(object.spec.initContainers) || @@ -69,6 +69,8 @@ spec: !has(container.securityContext.capabilities) || !has(container.securityContext.capabilities.add) || ((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE'))) + message: >- + Any capabilities added other than NET_BIND_SERVICE are disallowed. - expression: >- !has(object.spec.ephemeralContainers) || @@ -76,3 +78,5 @@ spec: !has(container.securityContext.capabilities) || !has(container.securityContext.capabilities.add) || ((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE'))) + message: >- + Any capabilities added other than NET_BIND_SERVICE are disallowed. diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml index 7e17fc43b..2162df5d0 100644 --- a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml +++ b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security Standards (Restricted)" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 1a2674ff3aa5516b0b416ec91bea68d748050a6d21d46bedaffd21a8f69a1df7 +digest: 5cd9385a1a04963b0d35bb97bf96df95c339ddcf50a463a6aa00aab45a1a4a9d 
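Review bot: The three per-expression messages added in the `@@ -62,6 +60,8`, `@@ -69,6 +69,8` and `@@ -76,3 +78,5` hunks of disallow-capabilities-strict.yaml are identical, so the moved message no longer tells the user which container list failed, whereas the same commit's disallow-privilege-escalation change names the failing field in each message. Naming the field per expression, for example `Any capabilities added to spec.initContainers[*].securityContext.capabilities.add other than NET_BIND_SERVICE are disallowed.`, keeps the messages consistent across the set. The rule body that these hunks cut through starts and ends outside them.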
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml index cf6001d89..c2fe5ceb9 100644 --- a/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml +++ b/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml @@ -23,28 +23,31 @@ spec: kinds: - Pod validate: - message: >- - Privilege escalation is disallowed. The fields - spec.containers[*].securityContext.allowPrivilegeEscalation, - spec.initContainers[*].securityContext.allowPrivilegeEscalation, - and spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation - must be set to `false`. cel: expressions: - expression: >- object.spec.containers.all(container, has(container.securityContext) && has(container.securityContext.allowPrivilegeEscalation) && container.securityContext.allowPrivilegeEscalation == false) + message: >- + Privilege escalation is disallowed. The field + spec.containers[*].securityContext.allowPrivilegeEscalation must be set to `false`. - expression: >- !has(object.spec.initContainers) || object.spec.initContainers.all(container, has(container.securityContext) && has(container.securityContext.allowPrivilegeEscalation) && container.securityContext.allowPrivilegeEscalation == false) + message: >- + Privilege escalation is disallowed. The field + spec.initContainers[*].securityContext.allowPrivilegeEscalation must be set to `false`. - expression: >- !has(object.spec.ephemeralContainers) || object.spec.ephemeralContainers.all(container, has(container.securityContext) && has(container.securityContext.allowPrivilegeEscalation) && container.securityContext.allowPrivilegeEscalation == false) + message: >- + Privilege escalation is disallowed. The field + spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation must be set to `false`. \ No newline at end of file 
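Review bot: The last added message line in this hunk is followed by `\ No newline at end of file`, so disallow-privilege-escalation.yaml no longer ends with a newline; the other policy files in this series do, and yamllint's `new-line-at-end-of-file` rule would flag it. Adding the trailing newline after the final ephemeral-containers message line resolves it. The field-specific wording of the three new messages is otherwise the clearest of the set and worth copying into the other policies.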
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml b/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml
index 13eed5cf0..984a8f285 100644
--- a/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Pod Security Standards (Restricted)"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
-digest: d4bdf4d03257fff0dc438a14a0ff3df8b8f4bc02fec15c2d69c602421281811d
+digest: 00cbb639cdee5eadda13bd1716a853e4f499123790a42da00750c2b180986e5f
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml
index 02500dcd7..04fc0d972 100644
--- a/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml
@@ -23,31 +23,38 @@ spec: kinds: - Pod validate: - message: >- - Running as root is not allowed. The fields spec.securityContext.runAsUser, - spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser, - and spec.ephemeralContainers[*].securityContext.runAsUser must be unset or - set to a number greater than zero. cel: expressions: - expression: >- !has(object.spec.securityContext) || !has(object.spec.securityContext.runAsUser) || object.spec.securityContext.runAsUser > 0 + message: >- + Running as root is not allowed. The field spec.securityContext.runAsUser must be unset or + set to a number greater than zero. - expression: >- object.spec.containers.all(container, !has(container.securityContext) || !has(container.securityContext.runAsUser) || container.securityContext.runAsUser > 0) + message: >- + Running as root is not allowed. The field spec.containers[*].securityContext.runAsUser must be unset or + set to a number greater than zero - expression: >- !has(object.spec.initContainers) || object.spec.initContainers.all(container, !has(container.securityContext) || !has(container.securityContext.runAsUser) || container.securityContext.runAsUser > 0) + message: >- + Running as root is not allowed. The field spec.initContainers[*].securityContext.runAsUser must be unset or + set to a number greater than zero - expression: >- !has(object.spec.ephemeralContainers) || object.spec.ephemeralContainers.all(container, !has(container.securityContext) || !has(container.securityContext.runAsUser) || container.securityContext.runAsUser > 0) + message: >- + Running as root is not allowed. The field spec.ephemeralContainers[*].securityContext.runAsUser must be unset or + set to a number greater than zero diff --git a/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml b/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml index 375147dcb..72e568880 100644 
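Review bot: The three new container-level messages in this hunk end with `set to a number greater than zero` and drop the trailing period that the pod-level message just above them keeps, so the four messages render inconsistently in policy reports and admission responses; change each of the three to `set to a number greater than zero.`. The expressions themselves are unchanged by the commit and treat an unset runAsUser as passing, which matches the message text, so nothing else in the hunk needs changing.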
--- a/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml +++ b/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security Standards (Restricted)" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: b5e14351175bff55c6856c5d4251808b23144bf6f05be0c5a6b24439879a6913 +digest: eb0261435598813cea36c9084504a3e06bfe5b467a8b981289d3032bddee83ac diff --git a/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml b/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml index c7c38a801..f91a3fda0 100644 --- a/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml +++ b/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml @@ -24,11 +24,6 @@ spec: kinds: - Pod validate: - message: >- - Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot - must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, - spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot - must be set to `true`. cel: expressions: - expression: >- @@ -49,6 +44,11 @@ spec: object.spec.ephemeralContainers.all(container, !has(container.securityContext) || !has(container.securityContext.runAsNonRoot) || container.securityContext.runAsNonRoot == true)) + message: >- + Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot + must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, + spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot + must be set to `true`. - expression: >- has(object.spec.securityContext) || 
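Review bot: The context line `has(object.spec.securityContext) ||` that opens the second expression at the end of the `@@ -49,6 +44,11 @@` hunk short-circuits the whole expression to pass whenever a pod-level securityContext exists for any reason (for example only `fsGroup`), and the first expression visibly accepts `!has(...runAsNonRoot)` at every level, so a Pod that never sets runAsNonRoot anywhere passes both expressions and runs as root by default, contrary to the description's claim that the policy ensures `runAsNonRoot` is `true`. The guard should test the field, not the struct: `(has(object.spec.securityContext) && has(object.spec.securityContext.runAsNonRoot)) ||`. The expression continues in the next hunk on the following line, where the same message is attached verbatim to both expressions, so a report cannot tell which check failed; the second message could instead say that runAsNonRoot must be set either at pod level or on every container. A later patch in this series deletes this policy as failing, which is consistent with this gap.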
@@ -57,3 +57,8 @@ spec: (!has(object.spec.initContainers) || object.spec.initContainers.all(container, has(container.securityContext) && has(container.securityContext.runAsNonRoot))) && (!has(object.spec.ephemeralContainers) || object.spec.ephemeralContainers.all(container, has(container.securityContext) && has(container.securityContext.runAsNonRoot)))) + message: >- + Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot + must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, + spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot + must be set to `true`. diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml b/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml index c8140bd0d..c2cb3bbe6 100644 --- a/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml +++ b/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security Standards (Restricted)" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 4cf3da92894bc484aa353e38983fe6641b91a43d70b56fa16ce76bb22a04a7d6 +digest: f3e7aeef4cf853925df877b30910c5b1d6efc43a0b5d666b87f7f8e56b1fe358 diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml index 9a0293db0..ba5d790ba 100644 --- a/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml +++ b/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml 
@@ -26,13 +26,6 @@ spec: kinds: - Pod validate: - message: >- - Use of custom Seccomp profiles is disallowed. The fields - spec.securityContext.seccompProfile.type, - spec.containers[*].securityContext.seccompProfile.type, - spec.initContainers[*].securityContext.seccompProfile.type, and - spec.ephemeralContainers[*].securityContext.seccompProfile.type - must be set to `RuntimeDefault` or `Localhost`. cel: expressions: - expression: >- @@ -41,6 +34,9 @@ spec: !has(object.spec.securityContext.seccompProfile.type) || object.spec.securityContext.seccompProfile.type == 'RuntimeDefault' || object.spec.securityContext.seccompProfile.type == 'Localhost' + message: >- + Use of custom Seccomp profiles is disallowed. The field + spec.securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`. - expression: >- object.spec.containers.all(container, !has(container.securityContext) || @@ -48,6 +44,9 @@ spec: !has(container.securityContext.seccompProfile.type) || container.securityContext.seccompProfile.type == 'RuntimeDefault' || container.securityContext.seccompProfile.type == 'Localhost') + message: >- + Use of custom Seccomp profiles is disallowed. The field + spec.containers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`. - expression: >- !has(object.spec.initContainers) || @@ -56,6 +55,9 @@ spec: !has(container.securityContext.seccompProfile.type) || container.securityContext.seccompProfile.type == 'RuntimeDefault' || container.securityContext.seccompProfile.type == 'Localhost') + message: >- + Use of custom Seccomp profiles is disallowed. The field + spec.initContainers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`. - expression: >- !has(object.spec.ephemeralContainers) || 
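Review bot: Each seccomp expression in these hunks short-circuits to pass on `!has(...seccompProfile.type) ||`, so a Pod that sets no seccomp profile at pod level or on any container passes the rule, while the policy name, its Restricted category and the new messages ("must be set to `RuntimeDefault` or `Localhost`") all imply the profile must be explicitly set; the ephemeralContainers hunk on the next line follows the same pattern. Every expression begins outside its hunk, so this is inferred from the visible tails of the expressions. If only non-RuntimeDefault/Localhost values are meant to be rejected when present, say so in the policy description; otherwise add one more expression, with its own message, that requires `has(object.spec.securityContext.seccompProfile.type)` at pod level or `has(container.securityContext.seccompProfile.type)` on every container, initContainer and ephemeralContainer.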
@@ -64,3 +66,6 @@ spec: !has(container.securityContext.seccompProfile.type) || container.securityContext.seccompProfile.type == 'RuntimeDefault' || container.securityContext.seccompProfile.type == 'Localhost') + message: >- + Use of custom Seccomp profiles is disallowed. The field + spec.ephemeralContainers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`. diff --git a/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml b/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml index 0dd35d251..3153372d3 100644 --- a/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml +++ b/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security Standards (Restricted)" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod,Volume" -digest: 71ffcf5c417c3c71cfe6e1a1f9a36884683b876bf6ed3f5b9201d69547526583 +digest: 69616bcd897f10ee6a6ee56e3cafa41157dec57051cfc8173636928537721677 diff --git a/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml b/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml index a7e1c645a..9fb95fb57 100644 --- a/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml +++ b/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml @@ -24,9 +24,6 @@ spec: kinds: - Pod validate: - message: >- - Only the following types of volumes may be used: configMap, csi, downwardAPI, - emptyDir, ephemeral, persistentVolumeClaim, projected, and secret. cel: expressions: - expression: >- @@ -39,3 +36,6 @@ spec: has(vol.persistentVolumeClaim) || has(vol.projected) || has(vol.secret)) + message: >- + Only the following types of volumes may be used: configMap, csi, downwardAPI, + emptyDir, ephemeral, persistentVolumeClaim, projected, and secret. From 21d36424676bb4806ea4f23973ce5732e1600d2a Mon Sep 17 00:00:00 2001 
From: Mariam Fahmy
Date: Mon, 4 Dec 2023 11:14:38 +0200
Subject: [PATCH 3/9] chore: update artifacthub-pkg.yaml
Signed-off-by: Mariam Fahmy
---
.../restricted/disallow-capabilities-strict/artifacthub-pkg.yml | 1 +
.../restricted/disallow-privilege-escalation/artifacthub-pkg.yml | 1 +
.../restricted/require-run-as-non-root-user/artifacthub-pkg.yml | 1 +
.../restricted/require-run-as-nonroot/artifacthub-pkg.yml | 1 +
.../restricted/restrict-seccomp-strict/artifacthub-pkg.yml | 1 +
5 files changed, 5 insertions(+)
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml
index d08ffc212..b8ac370d4 100644
--- a/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml
@@ -20,3 +20,4 @@ annotations:
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
digest: 60ad5b4ff51fd28a3411cb5bf421eefd20c8e429b20b7230a7f3540798992a98
+createdAt: "2023-12-04T09:04:49Z"
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
index 2162df5d0..2958d7d7c 100644
--- a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
@@ -20,3 +20,4 @@ annotations:
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
digest: 5cd9385a1a04963b0d35bb97bf96df95c339ddcf50a463a6aa00aab45a1a4a9d
+createdAt: "2023-12-04T09:04:49Z"
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml b/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml
index 984a8f285..6124685f3 100644
--- a/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml
@@ -20,3 +20,4 @@ annotations:
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
digest: 00cbb639cdee5eadda13bd1716a853e4f499123790a42da00750c2b180986e5f
+createdAt: "2023-12-04T09:04:49Z"
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml b/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml
index 72e568880..59b54b03d 100644
--- a/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml
@@ -20,3 +20,4 @@ annotations:
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
digest: eb0261435598813cea36c9084504a3e06bfe5b467a8b981289d3032bddee83ac
+createdAt: "2023-12-04T09:04:49Z"
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml b/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml
index c2cb3bbe6..5eb936de2 100644
--- a/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml
@@ -20,3 +20,4 @@ annotations:
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
digest: f3e7aeef4cf853925df877b30910c5b1d6efc43a0b5d666b87f7f8e56b1fe358
+createdAt: "2023-12-04T09:04:49Z"
From 853bff9368a3304ad7f6fd8c936c4cbe3fa95132 Mon Sep 17 00:00:00 2001
From: Mariam Fahmy
Date: Mon, 4 Dec 2023 17:40:10 +0200
Subject: [PATCH 4/9] remove the failed policy
Signed-off-by: Mariam Fahmy --- .../require-run-as-nonroot/01-assert.yaml | 6 - .../require-run-as-nonroot/01-enforce.yaml | 5 - .../require-run-as-nonroot/02-manifests.yaml | 11 -- .../require-run-as-nonroot/99-delete.yaml | 6 - .../artifacthub-pkg.yml | 23 ---- .../require-run-as-nonroot/kyverno-test.yaml | 114 ------------------ .../require-run-as-nonroot.yaml | 64 ---------- 7 files changed, 229 deletions(-) delete mode 100644 pod-security-cel/restricted/require-run-as-nonroot/01-assert.yaml delete mode 100644 pod-security-cel/restricted/require-run-as-nonroot/01-enforce.yaml delete mode 100644 pod-security-cel/restricted/require-run-as-nonroot/02-manifests.yaml delete mode 100644 pod-security-cel/restricted/require-run-as-nonroot/99-delete.yaml delete mode 100644 pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml delete mode 100644 pod-security-cel/restricted/require-run-as-nonroot/kyverno-test.yaml delete mode 100644 pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml diff --git a/pod-security-cel/restricted/require-run-as-nonroot/01-assert.yaml b/pod-security-cel/restricted/require-run-as-nonroot/01-assert.yaml deleted file mode 100644 index d97abc312..000000000 --- a/pod-security-cel/restricted/require-run-as-nonroot/01-assert.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-run-as-nonroot -status: - ready: true diff --git a/pod-security-cel/restricted/require-run-as-nonroot/01-enforce.yaml b/pod-security-cel/restricted/require-run-as-nonroot/01-enforce.yaml deleted file mode 100644 index 05ab09701..000000000 --- a/pod-security-cel/restricted/require-run-as-nonroot/01-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' require-run-as-nonroot.yaml | kubectl create -f - 
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/02-manifests.yaml b/pod-security-cel/restricted/require-run-as-nonroot/02-manifests.yaml
deleted file mode 100644
index bcda526e6..000000000
--- a/pod-security-cel/restricted/require-run-as-nonroot/02-manifests.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: ../../../pod-security/restricted/require-run-as-nonroot/pod-good.yaml
- shouldFail: false
-- file: ../../../pod-security/restricted/require-run-as-nonroot/pod-bad.yaml
- shouldFail: true
-- file: ../../../pod-security/restricted/require-run-as-nonroot/podcontroller-good.yaml
- shouldFail: false
-- file: ../../../pod-security/restricted/require-run-as-nonroot/podcontroller-bad.yaml
- shouldFail: true
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/99-delete.yaml b/pod-security-cel/restricted/require-run-as-nonroot/99-delete.yaml
deleted file mode 100644
index 13c14c6f6..000000000
--- a/pod-security-cel/restricted/require-run-as-nonroot/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: require-run-as-nonroot
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml b/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml
deleted file mode 100644
index 59b54b03d..000000000
--- a/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml
+++ /dev/null
@@ -1,23 +0,0 @@ -name: require-run-as-nonroot -version: 1.0.0 -displayName: Require runAsNonRoot in CEL expressions -description: >- - Containers must be required to run as non-root users. This policy ensures `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml - ``` -keywords: - - kyverno - - Pod Security Standards (Restricted) - - CEL Expressions -readme: | - Containers must be required to run as non-root users. This policy ensures `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Pod Security Standards (Restricted)" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: eb0261435598813cea36c9084504a3e06bfe5b467a8b981289d3032bddee83ac -createdAt: "2023-12-04T09:04:49Z" diff --git a/pod-security-cel/restricted/require-run-as-nonroot/kyverno-test.yaml b/pod-security-cel/restricted/require-run-as-nonroot/kyverno-test.yaml deleted file mode 100644 index 861745f3d..000000000 --- a/pod-security-cel/restricted/require-run-as-nonroot/kyverno-test.yaml +++ /dev/null 
@@ -1,114 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: require-run-as-nonroot -policies: -- require-run-as-nonroot.yaml -resources: -- ../../../pod-security/restricted/require-run-as-nonroot/resource.yaml -results: -- kind: CronJob - policy: require-run-as-nonroot - resources: - - badcronjob01 - - badcronjob02 - - badcronjob03 - - badcronjob04 - - badcronjob05 - - badcronjob06 - - badcronjob07 - - badcronjob08 - - badcronjob09 - - badcronjob10 - - badcronjob11 - - badcronjob12 - - badcronjob13 - - badcronjob14 - - badcronjob15 - result: fail - rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - - baddeployment01 - - baddeployment02 - - baddeployment03 - - baddeployment04 - - baddeployment05 - - baddeployment06 - - baddeployment07 - - baddeployment08 - - baddeployment09 - - baddeployment10 - - baddeployment11 - - baddeployment12 - - baddeployment13 - - baddeployment14 - - baddeployment15 - result: fail - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - badpod01 - - badpod02 - - badpod03 - - badpod04 - - badpod05 - - badpod06 - - badpod07 - - badpod08 - - badpod09 - - badpod10 - - badpod11 - - badpod12 - - badpod13 - - badpod14 - - badpod15 - result: fail - rule: run-as-non-root -- kind: CronJob - policy: require-run-as-nonroot - resources: - - goodcronjob01 - - goodcronjob02 - - goodcronjob03 - - goodcronjob04 - - goodcronjob05 - - goodcronjob06 - - goodcronjob07 - - goodcronjob08 - - goodcronjob09 - - goodcronjob10 - result: pass - rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - - gooddeployment01 - - gooddeployment02 - - gooddeployment03 - - gooddeployment04 - - gooddeployment05 - - gooddeployment06 - - gooddeployment07 - - gooddeployment08 - - gooddeployment09 - - gooddeployment10 - result: pass - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - goodpod01 - - goodpod02 - - goodpod03 
- - goodpod04 - - goodpod05 - - goodpod06 - - goodpod07 - - goodpod08 - - goodpod09 - - goodpod10 - result: pass - rule: run-as-non-root diff --git a/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml b/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml deleted file mode 100644 index f91a3fda0..000000000 --- a/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml +++ /dev/null 
@@ -1,64 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-run-as-nonroot - annotations: - policies.kyverno.io/title: Require runAsNonRoot in CEL expressions - policies.kyverno.io/category: Pod Security Standards (Restricted) - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod - kyverno.io/kyverno-version: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Containers must be required to run as non-root users. This policy ensures - `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this - using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. -spec: - validationFailureAction: Audit - background: true - rules: - - name: run-as-non-root - match: - any: - - resources: - kinds: - - Pod - validate: - cel: - expressions: - - expression: >- - (!has(object.spec.securityContext) || - !has(object.spec.securityContext.runAsNonRoot) || - object.spec.securityContext.runAsNonRoot == true) - && - (object.spec.containers.all(container, !has(container.securityContext) || - !has(container.securityContext.runAsNonRoot) || - container.securityContext.runAsNonRoot == true)) - && - (!has(object.spec.initContainers) || - object.spec.initContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.runAsNonRoot) || - container.securityContext.runAsNonRoot == true)) - && - (!has(object.spec.ephemeralContainers) || - object.spec.ephemeralContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.runAsNonRoot) || - container.securityContext.runAsNonRoot == true)) - message: >- - Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot - must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, - spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot - must be set to `true`. 
- - - expression: >- - has(object.spec.securityContext) || - (object.spec.containers.all(container, has(container.securityContext) && has(container.securityContext.runAsNonRoot)) - && - (!has(object.spec.initContainers) || object.spec.initContainers.all(container, has(container.securityContext) && has(container.securityContext.runAsNonRoot))) - && - (!has(object.spec.ephemeralContainers) || object.spec.ephemeralContainers.all(container, has(container.securityContext) && has(container.securityContext.runAsNonRoot)))) - message: >- - Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot - must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, - spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot - must be set to `true`. From 9086ef00ecb869c96022544a67157a0f916ea4a2 Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Mon, 4 Dec 2023 17:41:57 +0200 Subject: [PATCH 5/9] fix the name field in artifacthub-pkg.yaml Signed-off-by: Mariam Fahmy --- .../restricted/disallow-capabilities-strict/artifacthub-pkg.yml | 2 +- .../disallow-privilege-escalation/artifacthub-pkg.yml | 2 +- .../restricted/require-run-as-non-root-user/artifacthub-pkg.yml | 2 +- .../restricted/restrict-seccomp-strict/artifacthub-pkg.yml | 2 +- .../restricted/restrict-volume-types/artifacthub-pkg.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml index b8ac370d4..f266dcd2b 100644 --- a/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml +++ b/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml 
@@ -1,4 +1,4 @@
-name: disallow-capabilities-strict
+name: disallow-capabilities-strict-cel
version: 1.0.0
displayName: Disallow Capabilities (Strict) in CEL expressions
description: >-
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
index 2958d7d7c..1441011a4 100644
--- a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
@@ -1,4 +1,4 @@
-name: disallow-privilege-escalation
+name: disallow-privilege-escalation-cel
version: 1.0.0
displayName: Disallow Privilege Escalation in CEL expressions
description: >-
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml b/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml
index 6124685f3..3eb11efc5 100644
--- a/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml
@@ -1,4 +1,4 @@
-name: require-run-as-non-root-user
+name: require-run-as-non-root-user-cel
version: 1.0.0
displayName: Require Run As Non-Root User in CEL expressions
description: >-
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml b/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml
index 5eb936de2..8ed7a802e 100644
--- a/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml
@@ -1,4 +1,4 @@
-name: restrict-seccomp-strict
+name: restrict-seccomp-strict-cel
version: 1.0.0
displayName: Restrict Seccomp (Strict) in CEL expressions
description: >-
diff --git a/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml b/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml
index 3153372d3..1a83352df 100644
--- a/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml
@@ -1,4 +1,4 @@
-name: restrict-volume-types
+name: restrict-volume-types-cel
version: 1.0.0
displayName: Restrict Volume Types in CEL expressions
description: >-
From a28f75a862b769e70cef2aa189a166ef8714ffe6 Mon Sep 17 00:00:00 2001
From: Mariam Fahmy
Date: Tue, 2 Jan 2024 17:17:01 +0200
Subject: [PATCH 6/9] fix chainsaw tests
Signed-off-by: Mariam Fahmy --- .../.chainsaw-test/chainsaw-test.yaml | 37 ++++++++++++++ .../{ => .kyverno-test}/kyverno-test.yaml | 4 +- .../01-assert.yaml | 6 --- .../01-enforce.yaml | 5 -- .../02-manifests.yaml | 11 ----- .../99-delete.yaml | 6 --- .../.chainsaw-test/chainsaw-test.yaml | 37 ++++++++++++++ .../{ => .kyverno-test}/kyverno-test.yaml | 4 +- .../01-assert.yaml | 6 --- .../01-enforce.yaml | 6 --- .../02-manifests.yaml | 11 ----- .../99-delete.yaml | 6 --- .../.chainsaw-test/chainsaw-test.yaml | 37 ++++++++++++++ .../{ => .kyverno-test}/kyverno-test.yaml | 4 +- .../01-assert.yaml | 6 --- .../01-enforce.yaml | 5 -- .../02-manifests.yaml | 11 ----- .../99-delete.yaml | 6 --- .../.chainsaw-test.yaml/chainsaw-test.yaml | 37 ++++++++++++++ .../kyverno-test.yaml | 4 +- .../restrict-seccomp-strict/01-assert.yaml | 6 --- .../restrict-seccomp-strict/01-enforce.yaml | 5 -- .../restrict-seccomp-strict/02-manifests.yaml | 11 ----- .../restrict-seccomp-strict/99-delete.yaml | 6 --- .../.chainsaw-test/chainsaw-test.yaml | 49 +++++++++++++++++++ .../{ => .kyverno-test}/kyverno-test.yaml | 4 +- .../restrict-volume-types/01-assert.yaml | 6 --- .../restrict-volume-types/01-enforce.yaml | 7 --- .../restrict-volume-types/02-manifests.yaml | 11 ----- .../restrict-volume-types/99-delete.yaml | 8 --- 30 files changed, 207 insertions(+), 155 deletions(-) create mode 100755 pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-test.yaml rename pod-security-cel/restricted/disallow-capabilities-strict/{ => .kyverno-test}/kyverno-test.yaml (96%) delete mode 100644 pod-security-cel/restricted/disallow-capabilities-strict/01-assert.yaml delete mode 100644 pod-security-cel/restricted/disallow-capabilities-strict/01-enforce.yaml delete mode 100644 pod-security-cel/restricted/disallow-capabilities-strict/02-manifests.yaml delete mode 100644 pod-security-cel/restricted/disallow-capabilities-strict/99-delete.yaml create mode 100755 
pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test.yaml rename pod-security-cel/restricted/disallow-privilege-escalation/{ => .kyverno-test}/kyverno-test.yaml (90%) delete mode 100644 pod-security-cel/restricted/disallow-privilege-escalation/01-assert.yaml delete mode 100644 pod-security-cel/restricted/disallow-privilege-escalation/01-enforce.yaml delete mode 100644 pod-security-cel/restricted/disallow-privilege-escalation/02-manifests.yaml delete mode 100644 pod-security-cel/restricted/disallow-privilege-escalation/99-delete.yaml create mode 100755 pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test.yaml rename pod-security-cel/restricted/require-run-as-non-root-user/{ => .kyverno-test}/kyverno-test.yaml (92%) delete mode 100644 pod-security-cel/restricted/require-run-as-non-root-user/01-assert.yaml delete mode 100644 pod-security-cel/restricted/require-run-as-non-root-user/01-enforce.yaml delete mode 100644 pod-security-cel/restricted/require-run-as-non-root-user/02-manifests.yaml delete mode 100644 pod-security-cel/restricted/require-run-as-non-root-user/99-delete.yaml create mode 100755 pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test.yaml/chainsaw-test.yaml rename pod-security-cel/restricted/restrict-seccomp-strict/{ => .kyverno-test.yaml}/kyverno-test.yaml (92%) delete mode 100644 pod-security-cel/restricted/restrict-seccomp-strict/01-assert.yaml delete mode 100644 pod-security-cel/restricted/restrict-seccomp-strict/01-enforce.yaml delete mode 100644 pod-security-cel/restricted/restrict-seccomp-strict/02-manifests.yaml delete mode 100644 pod-security-cel/restricted/restrict-seccomp-strict/99-delete.yaml create mode 100755 pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml rename pod-security-cel/restricted/restrict-volume-types/{ => .kyverno-test}/kyverno-test.yaml (94%) delete mode 100644 
pod-security-cel/restricted/restrict-volume-types/01-assert.yaml delete mode 100644 pod-security-cel/restricted/restrict-volume-types/01-enforce.yaml delete mode 100644 pod-security-cel/restricted/restrict-volume-types/02-manifests.yaml delete mode 100644 pod-security-cel/restricted/restrict-volume-types/99-delete.yaml diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..dd8858258 --- /dev/null +++ b/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,37 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disallow-capabilities-strict +spec: + steps: + - name: step-01 + try: + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-capabilities-strict.yaml | kubectl create -f - + - assert: + file: ../../../../pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: ../../../../pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: ../../../../pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-bad.yaml + - apply: + file: ../../../../pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: ../../../../pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-capabilities-strict 
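Review bot: The `($error != null): true` checks on the pod-bad and podcontroller-bad apply steps only prove that some error occurred, so a wrong fixture path, a malformed manifest or an unreachable API server would make the negative tests pass without the policy ever denying the resource. Tying the check to the denial itself, e.g. `(contains($error, 'disallow-capabilities-strict')): true`, keeps the test meaningful when the fixtures drift; the disallow-privilege-escalation chainsaw test later in this patch uses the same pattern and should change alike. `creationTimestamp: null` under metadata is generator residue and can be dropped. The diffstat above also names restrict-seccomp-strict's new directories `.chainsaw-test.yaml/` and `.kyverno-test.yaml/` while the other four policies use `.chainsaw-test/` and `.kyverno-test/`; presumably any test discovery keyed on the directory name would silently skip that policy.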
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/kyverno-test.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/.kyverno-test/kyverno-test.yaml similarity index 96% rename from pod-security-cel/restricted/disallow-capabilities-strict/kyverno-test.yaml rename to pod-security-cel/restricted/disallow-capabilities-strict/.kyverno-test/kyverno-test.yaml index cd48af523..b3dbb1463 100644 --- a/pod-security-cel/restricted/disallow-capabilities-strict/kyverno-test.yaml +++ b/pod-security-cel/restricted/disallow-capabilities-strict/.kyverno-test/kyverno-test.yaml @@ -3,9 +3,9 @@ kind: Test metadata: name: disallow-capabilities-strict policies: -- disallow-capabilities-strict.yaml +- ../disallow-capabilities-strict.yaml resources: -- ../../../pod-security/restricted/disallow-capabilities-strict/resource.yaml +- ../../../../pod-security/restricted/disallow-capabilities-strict/.kyverno-test/resource.yaml results: - kind: CronJob policy: disallow-capabilities-strict diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/01-assert.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/01-assert.yaml deleted file mode 100644 index a7bd6b8fa..000000000 --- a/pod-security-cel/restricted/disallow-capabilities-strict/01-assert.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-capabilities-strict -status: - ready: true diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/01-enforce.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/01-enforce.yaml deleted file mode 100644 index e0031c719..000000000 --- a/pod-security-cel/restricted/disallow-capabilities-strict/01-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-capabilities-strict.yaml | kubectl create -f - 
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/02-manifests.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/02-manifests.yaml deleted file mode 100644 index 2c7fa9c29..000000000 --- a/pod-security-cel/restricted/disallow-capabilities-strict/02-manifests.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: ../../../pod-security/restricted/disallow-capabilities-strict/pod-good.yaml - shouldFail: false -- file: ../../../pod-security/restricted/disallow-capabilities-strict/pod-bad.yaml - shouldFail: true -- file: ../../../pod-security/restricted/disallow-capabilities-strict/podcontroller-good.yaml - shouldFail: false -- file: ../../../pod-security/restricted/disallow-capabilities-strict/podcontroller-bad.yaml - shouldFail: true diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/99-delete.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/99-delete.yaml deleted file mode 100644 index 9bc30b556..000000000 --- a/pod-security-cel/restricted/disallow-capabilities-strict/99-delete.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: disallow-capabilities-strict diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..5edf3d4b2 --- /dev/null +++ b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test.yaml 
@@ -0,0 +1,37 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disallow-privilege-escalation +spec: + steps: + - name: step-01 + try: + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-privilege-escalation.yaml | kubectl create -f - + - assert: + file: ../../../../pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: ../../../../pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: ../../../../pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-bad.yaml + - apply: + file: ../../../../pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: ../../../../pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-privilege-escalation diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/kyverno-test.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.kyverno-test/kyverno-test.yaml similarity index 90% rename from pod-security-cel/restricted/disallow-privilege-escalation/kyverno-test.yaml rename to pod-security-cel/restricted/disallow-privilege-escalation/.kyverno-test/kyverno-test.yaml index d258659db..30359768e 100644 --- a/pod-security-cel/restricted/disallow-privilege-escalation/kyverno-test.yaml +++ b/pod-security-cel/restricted/disallow-privilege-escalation/.kyverno-test/kyverno-test.yaml 
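Review bot: The ClusterPolicy that step-01 creates in Enforce mode is only removed by step-99, and chainsaw reaches step-99 only if step-02 passes, so a failing apply in step-02 leaves an enforcing `disallow-privilege-escalation` policy in the cluster for every later test in the run. The policy is created by `kubectl create` inside a script rather than by a chainsaw `apply`, so it presumably is not among the resources chainsaw tracks for automatic cleanup either. Putting the `delete` in a `finally:` block on step-02 makes the cleanup unconditional; the same layout appears in the require-run-as-non-root-user, restrict-seccomp-strict and restrict-volume-types tests in this patch (for restrict-volume-types the `kubectl delete all` in its step-99 has the same exposure).
```yaml
  - name: step-02
    try:
      # … unchanged: the four apply operations …
    finally:
      - delete:
          ref:
            apiVersion: kyverno.io/v1
            kind: ClusterPolicy
            name: disallow-privilege-escalation
```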
@@ -3,9 +3,9 @@ kind: Test metadata: name: disallow-privilege-escalation policies: -- disallow-privilege-escalation.yaml +- ../disallow-privilege-escalation.yaml resources: -- ../../../pod-security/restricted/disallow-privilege-escalation/resource.yaml +- ../../../../pod-security/restricted/disallow-privilege-escalation/.kyverno-test/resource.yaml results: - kind: CronJob policy: disallow-privilege-escalation diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/01-assert.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/01-assert.yaml deleted file mode 100644 index 30a5747c2..000000000 --- a/pod-security-cel/restricted/disallow-privilege-escalation/01-assert.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-privilege-escalation -status: - ready: true diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/01-enforce.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/01-enforce.yaml deleted file mode 100644 index a92c92339..000000000 --- a/pod-security-cel/restricted/disallow-privilege-escalation/01-enforce.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-privilege-escalation.yaml | kubectl create -f - - \ No newline at end of file diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/02-manifests.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/02-manifests.yaml deleted file mode 100644 index 4f9c0cdd5..000000000 --- a/pod-security-cel/restricted/disallow-privilege-escalation/02-manifests.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: ../../../pod-security/restricted/disallow-privilege-escalation/pod-good.yaml - shouldFail: false -- file: ../../../pod-security/restricted/disallow-privilege-escalation/pod-bad.yaml - shouldFail: true -- file: ../../../pod-security/restricted/disallow-privilege-escalation/podcontroller-good.yaml - shouldFail: false -- file: ../../../pod-security/restricted/disallow-privilege-escalation/podcontroller-bad.yaml - shouldFail: true diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/99-delete.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/99-delete.yaml deleted file mode 100644 index d298864ad..000000000 --- a/pod-security-cel/restricted/disallow-privilege-escalation/99-delete.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: disallow-privilege-escalation diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..648a10d62 --- /dev/null +++ b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test.yaml 
@@ -0,0 +1,37 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: require-run-as-non-root-user +spec: + steps: + - name: step-01 + try: + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../require-run-as-non-root-user.yaml | kubectl create -f - + - assert: + file: ../../../../pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: ../../../../pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: ../../../../pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-bad.yaml + - apply: + file: ../../../../pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: ../../../../pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-run-as-non-root-user diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/kyverno-test.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.kyverno-test/kyverno-test.yaml similarity index 92% rename from pod-security-cel/restricted/require-run-as-non-root-user/kyverno-test.yaml rename to pod-security-cel/restricted/require-run-as-non-root-user/.kyverno-test/kyverno-test.yaml index 5f78b269d..b980f7da0 100644 --- a/pod-security-cel/restricted/require-run-as-non-root-user/kyverno-test.yaml +++ b/pod-security-cel/restricted/require-run-as-non-root-user/.kyverno-test/kyverno-test.yaml 
@@ -3,9 +3,9 @@ kind: Test metadata: name: require-run-as-non-root-user policies: -- require-run-as-non-root-user.yaml +- ../require-run-as-non-root-user.yaml resources: -- ../../../pod-security/restricted/require-run-as-non-root-user/resource.yaml +- ../../../../pod-security/restricted/require-run-as-non-root-user/.kyverno-test/resource.yaml results: - kind: CronJob policy: require-run-as-non-root-user diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/01-assert.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/01-assert.yaml deleted file mode 100644 index 3a15a8755..000000000 --- a/pod-security-cel/restricted/require-run-as-non-root-user/01-assert.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-run-as-non-root-user -status: - ready: true diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/01-enforce.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/01-enforce.yaml deleted file mode 100644 index 6b209b3db..000000000 --- a/pod-security-cel/restricted/require-run-as-non-root-user/01-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' require-run-as-non-root-user.yaml | kubectl create -f - diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/02-manifests.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/02-manifests.yaml deleted file mode 100644 index 698d27655..000000000 --- a/pod-security-cel/restricted/require-run-as-non-root-user/02-manifests.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: ../../../pod-security/restricted/require-run-as-non-root-user/pod-good.yaml - shouldFail: false -- file: ../../../pod-security/restricted/require-run-as-non-root-user/pod-bad.yaml - shouldFail: true -- file: ../../../pod-security/restricted/require-run-as-non-root-user/podcontroller-good.yaml - shouldFail: false -- file: ../../../pod-security/restricted/require-run-as-non-root-user/podcontroller-bad.yaml - shouldFail: true diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/99-delete.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/99-delete.yaml deleted file mode 100644 index aed8d3f0b..000000000 --- a/pod-security-cel/restricted/require-run-as-non-root-user/99-delete.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: require-run-as-non-root-user diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test.yaml/chainsaw-test.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test.yaml/chainsaw-test.yaml new file mode 100755 index 000000000..e252df8e3 --- /dev/null +++ b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test.yaml/chainsaw-test.yaml 
@@ -0,0 +1,37 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: restrict-seccomp-strict +spec: + steps: + - name: step-01 + try: + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-seccomp-strict.yaml | kubectl create -f - + - assert: + file: ../../../../pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: ../../../../pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: ../../../../pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-bad.yaml + - apply: + file: ../../../../pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: ../../../../pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-seccomp-strict diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/kyverno-test.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.kyverno-test.yaml/kyverno-test.yaml similarity index 92% rename from pod-security-cel/restricted/restrict-seccomp-strict/kyverno-test.yaml rename to pod-security-cel/restricted/restrict-seccomp-strict/.kyverno-test.yaml/kyverno-test.yaml index 4f0fbe7ac..51ae4a602 100644 --- a/pod-security-cel/restricted/restrict-seccomp-strict/kyverno-test.yaml +++ b/pod-security-cel/restricted/restrict-seccomp-strict/.kyverno-test.yaml/kyverno-test.yaml 
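Review bot: This file is added under `restrict-seccomp-strict/.chainsaw-test.yaml/chainsaw-test.yaml`, whereas the other four tests in this patch use a `.chainsaw-test/` directory, and the fixture paths inside this very file point at `.chainsaw-test/` on the non-CEL side. The kyverno-test rename in the next hunk has the same slip (`.kyverno-test.yaml/kyverno-test.yaml`). As far as I know both chainsaw and the kyverno CLI discover tests recursively by file name, so this likely still runs, but anything that locates tests by the `.chainsaw-test` / `.kyverno-test` directory names will miss it; rename the directories to `pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/` and `.../.kyverno-test/`.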
@@ -3,9 +3,9 @@ kind: Test metadata: name: restrict-seccomp-strict policies: -- restrict-seccomp-strict.yaml +- ../restrict-seccomp-strict.yaml resources: -- ../../../pod-security/restricted/restrict-seccomp-strict/resource.yaml +- ../../../../pod-security/restricted/restrict-seccomp-strict/.kyverno-test/resource.yaml results: - kind: CronJob policy: restrict-seccomp-strict diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/01-assert.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/01-assert.yaml deleted file mode 100644 index db4a4dc3a..000000000 --- a/pod-security-cel/restricted/restrict-seccomp-strict/01-assert.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-seccomp-strict -status: - ready: true diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/01-enforce.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/01-enforce.yaml deleted file mode 100644 index 826f02c88..000000000 --- a/pod-security-cel/restricted/restrict-seccomp-strict/01-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' restrict-seccomp-strict.yaml | kubectl create -f - diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/02-manifests.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/02-manifests.yaml deleted file mode 100644 index 70d0917ac..000000000 --- a/pod-security-cel/restricted/restrict-seccomp-strict/02-manifests.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: ../../../pod-security/restricted/restrict-seccomp-strict/pod-good.yaml - shouldFail: false -- file: ../../../pod-security/restricted/restrict-seccomp-strict/pod-bad.yaml - shouldFail: true -- file: ../../../pod-security/restricted/restrict-seccomp-strict/podcontroller-good.yaml - shouldFail: false -- file: ../../../pod-security/restricted/restrict-seccomp-strict/podcontroller-bad.yaml - shouldFail: true diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/99-delete.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/99-delete.yaml deleted file mode 100644 index 7ca3c4cd0..000000000 --- a/pod-security-cel/restricted/restrict-seccomp-strict/99-delete.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: restrict-seccomp-strict diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..b23319825 --- /dev/null +++ b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml 
@@ -0,0 +1,49 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: restrict-volume-types +spec: + steps: + - name: step-01 + try: + - apply: + file: ../../../../pod-security/restricted/restrict-volume-types/.chainsaw-test/ns.yaml + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-volume-types.yaml | kubectl create -f - + - assert: + file: ../../../../pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: ../../../../pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: ../../../../pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-bad.yaml + - apply: + file: ../../../../pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: ../../../../pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-volume-types + - command: + args: + - delete + - all + - --all + - --force + - --grace-period=0 + - -n + - restrict-voltypes-ns + entrypoint: kubectl diff --git a/pod-security-cel/restricted/restrict-volume-types/kyverno-test.yaml b/pod-security-cel/restricted/restrict-volume-types/.kyverno-test/kyverno-test.yaml similarity index 94% rename from pod-security-cel/restricted/restrict-volume-types/kyverno-test.yaml rename to pod-security-cel/restricted/restrict-volume-types/.kyverno-test/kyverno-test.yaml index 56e535f97..1cd4e46fd 100644 --- a/pod-security-cel/restricted/restrict-volume-types/kyverno-test.yaml +++ b/pod-security-cel/restricted/restrict-volume-types/.kyverno-test/kyverno-test.yaml 
@@ -3,9 +3,9 @@ kind: Test metadata: name: restrict-volume-types policies: -- restrict-volume-types.yaml +- ../restrict-volume-types.yaml resources: -- ../../../pod-security/restricted/restrict-volume-types/resource.yaml +- ../../../../pod-security/restricted/restrict-volume-types/.kyverno-test/resource.yaml results: - kind: CronJob policy: restrict-volume-types diff --git a/pod-security-cel/restricted/restrict-volume-types/01-assert.yaml b/pod-security-cel/restricted/restrict-volume-types/01-assert.yaml deleted file mode 100644 index 417239b4b..000000000 --- a/pod-security-cel/restricted/restrict-volume-types/01-assert.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-volume-types -status: - ready: true diff --git a/pod-security-cel/restricted/restrict-volume-types/01-enforce.yaml b/pod-security-cel/restricted/restrict-volume-types/01-enforce.yaml deleted file mode 100644 index fd2e32e7d..000000000 --- a/pod-security-cel/restricted/restrict-volume-types/01-enforce.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' restrict-volume-types.yaml | kubectl create -f - -apply: -- ../../../pod-security/restricted/restrict-volume-types/ns.yaml diff --git a/pod-security-cel/restricted/restrict-volume-types/02-manifests.yaml b/pod-security-cel/restricted/restrict-volume-types/02-manifests.yaml deleted file mode 100644 index 897e4dffd..000000000 --- a/pod-security-cel/restricted/restrict-volume-types/02-manifests.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: ../../../pod-security/restricted/restrict-volume-types/pod-good.yaml - shouldFail: false -- file: ../../../pod-security/restricted/restrict-volume-types/pod-bad.yaml - shouldFail: true -- file: ../../../pod-security/restricted/restrict-volume-types/podcontroller-good.yaml - shouldFail: false -- file: ../../../pod-security/restricted/restrict-volume-types/podcontroller-bad.yaml - shouldFail: true \ No newline at end of file diff --git a/pod-security-cel/restricted/restrict-volume-types/99-delete.yaml b/pod-security-cel/restricted/restrict-volume-types/99-delete.yaml deleted file mode 100644 index c9e317204..000000000 --- a/pod-security-cel/restricted/restrict-volume-types/99-delete.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: restrict-volume-types -commands: -- command: kubectl delete all --all --force --grace-period=0 -n restrict-voltypes-ns From 18d47aa260d4952a0d2c207b05efb396e80858fa Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Tue, 2 Jan 2024 17:38:16 +0200 Subject: [PATCH 7/9] fix a lint issue Signed-off-by: Mariam Fahmy --- .../restricted/restrict-volume-types/artifacthub-pkg.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml b/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml index 1a83352df..3569530ff 100644 --- a/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml +++ b/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml @@ -20,3 +20,4 @@ annotations: kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod,Volume" digest: 69616bcd897f10ee6a6ee56e3cafa41157dec57051cfc8173636928537721677 +createdAt: "2024-01-02T15:37:55Z" From d11c1c08595d0cb3e6ab6ece23584d23c95572ab Mon Sep 17 00:00:00 2001 
From: Mariam Fahmy Date: Fri, 5 Jan 2024 09:18:28 +0200 Subject: [PATCH 8/9] fix the value of policies.kyverno.io/category Signed-off-by: Mariam Fahmy --- .../restricted/disallow-capabilities-strict/artifacthub-pkg.yml | 2 +- .../disallow-capabilities-strict.yaml | 2 +- .../disallow-privilege-escalation/artifacthub-pkg.yml | 2 +- .../disallow-privilege-escalation.yaml | 2 +- .../restricted/require-run-as-non-root-user/artifacthub-pkg.yml | 2 +- .../require-run-as-non-root-user.yaml | 2 +- .../restricted/restrict-seccomp-strict/artifacthub-pkg.yml | 2 +- .../restrict-seccomp-strict/restrict-seccomp-strict.yaml | 2 +- .../restricted/restrict-volume-types/artifacthub-pkg.yml | 2 +- .../restricted/restrict-volume-types/restrict-volume-types.yaml | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml index f266dcd2b..0f93822e1 100644 --- a/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml +++ b/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Restricted)" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 60ad5b4ff51fd28a3411cb5bf421eefd20c8e429b20b7230a7f3540798992a98 +digest: 0ec50dbde4490a3029a048d25060cba8ae7ecc55f48e5415178fd8a4d265b6fd createdAt: "2023-12-04T09:04:49Z" diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml index 95bf96b0d..5586a3116 100644 --- a/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml +++ b/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml 
@@ -4,7 +4,7 @@ metadata: name: disallow-capabilities-strict annotations: policies.kyverno.io/title: Disallow Capabilities (Strict) in CEL expressions - policies.kyverno.io/category: Pod Security Standards (Restricted) + policies.kyverno.io/category: Pod Security Standards (Restricted) in CEL policies.kyverno.io/severity: medium kyverno.io/kyverno-version: 1.11.0 kyverno.io/kubernetes-version: "1.26-1.27" diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml index 1441011a4..e37b76849 100644 --- a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml +++ b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Restricted)" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 5cd9385a1a04963b0d35bb97bf96df95c339ddcf50a463a6aa00aab45a1a4a9d +digest: 5f575108ad93d71808c5ca6de627698060e413387b2eb48ba700c20e61d622e9 createdAt: "2023-12-04T09:04:49Z" diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml index c2fe5ceb9..d75db5f90 100644 --- a/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml +++ b/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml @@ -4,7 +4,7 @@ metadata: name: disallow-privilege-escalation annotations: policies.kyverno.io/title: Disallow Privilege Escalation in CEL - policies.kyverno.io/category: Pod Security Standards (Restricted) + policies.kyverno.io/category: Pod Security Standards (Restricted) in CEL policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod kyverno.io/kyverno-version: 1.11.0 
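Review bot: The policy's category annotation now reads `Pod Security Standards (Restricted) in CEL`, but the artifacthub-pkg.yml hunk in the same commit still carries `kyverno/category: "Pod Security Standards (Restricted)"` as an unchanged context line and only bumps the digest, so the policy and its package metadata disagree on the category. If artifacthub-pkg.yml is generated from the policy annotations, it looks like the generator was not re-run after this edit; otherwise change that line to `kyverno/category: "Pod Security Standards (Restricted) in CEL"`, or state in the commit message that the package category is intentionally kept. The same mismatch applies to the other four policy/package pairs in this patch (disallow-privilege-escalation on this line, require-run-as-non-root-user, restrict-seccomp-strict and restrict-volume-types on the following lines).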
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml b/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml index 3eb11efc5..3995c20cb 100644 --- a/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml +++ b/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Restricted)" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 00cbb639cdee5eadda13bd1716a853e4f499123790a42da00750c2b180986e5f +digest: 2243d0a9a528e56efba4228868956535a1c41ea8725843e733577722cf252a7a createdAt: "2023-12-04T09:04:49Z" diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml index 04fc0d972..29abec70e 100644 --- a/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml +++ b/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml @@ -4,7 +4,7 @@ metadata: name: require-run-as-non-root-user annotations: policies.kyverno.io/title: Require Run As Non-Root User in CEL - policies.kyverno.io/category: Pod Security Standards (Restricted) + policies.kyverno.io/category: Pod Security Standards (Restricted) in CEL policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod kyverno.io/kyverno-version: 1.11.0 diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml b/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml index 8ed7a802e..5234f0cd6 100644 --- a/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml +++ b/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml 
@@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Restricted)" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: f3e7aeef4cf853925df877b30910c5b1d6efc43a0b5d666b87f7f8e56b1fe358 +digest: 7968dc5740b0232e48ebf36db4115238c9895b3a0ab290dcded2b76868ee837c createdAt: "2023-12-04T09:04:49Z" diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml index ba5d790ba..251a4d3f1 100644 --- a/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml +++ b/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml @@ -4,7 +4,7 @@ metadata: name: restrict-seccomp-strict annotations: policies.kyverno.io/title: Restrict Seccomp (Strict) in CEL - policies.kyverno.io/category: Pod Security Standards (Restricted) + policies.kyverno.io/category: Pod Security Standards (Restricted) in CEL policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod kyverno.io/kyverno-version: 1.11.0 diff --git a/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml b/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml index 3569530ff..1e8e665f1 100644 --- a/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml +++ b/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Restricted)" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod,Volume" -digest: 69616bcd897f10ee6a6ee56e3cafa41157dec57051cfc8173636928537721677 +digest: af3f14adcb29e44bd0ede605280fcdbe5357003a9baa6bf81a3efe9675ea9902 createdAt: "2024-01-02T15:37:55Z" diff --git a/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml b/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml index 9fb95fb57..51a0f0bc8 100644 
--- a/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml +++ b/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml @@ -4,7 +4,7 @@ metadata: name: restrict-volume-types annotations: policies.kyverno.io/title: Restrict Volume Types in CEL - policies.kyverno.io/category: Pod Security Standards (Restricted) + policies.kyverno.io/category: Pod Security Standards (Restricted) in CEL policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod,Volume kyverno.io/kubernetes-version: "1.26-1.27" From 3d9886ed1e60003df6326bd86d082c2e3c6e42fd Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Fri, 12 Jan 2024 15:40:39 +0200 Subject: [PATCH 9/9] fix: add the minversion annotation Signed-off-by: Mariam Fahmy --- .../restricted/disallow-capabilities-strict/artifacthub-pkg.yml | 2 +- .../disallow-capabilities-strict.yaml | 1 + .../disallow-privilege-escalation/artifacthub-pkg.yml | 2 +- .../disallow-privilege-escalation.yaml | 1 + .../restricted/require-run-as-non-root-user/artifacthub-pkg.yml | 2 +- .../require-run-as-non-root-user.yaml | 1 + .../restricted/restrict-seccomp-strict/artifacthub-pkg.yml | 2 +- .../restrict-seccomp-strict/restrict-seccomp-strict.yaml | 1 + .../restricted/restrict-volume-types/artifacthub-pkg.yml | 2 +- .../restricted/restrict-volume-types/restrict-volume-types.yaml | 1 + 10 files changed, 10 insertions(+), 5 deletions(-) diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml index 0f93822e1..d53a4eece 100644 --- a/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml +++ b/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml 
@@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Restricted)" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 0ec50dbde4490a3029a048d25060cba8ae7ecc55f48e5415178fd8a4d265b6fd +digest: 3ba20799de8e2ff846fc1e064fac7b3e0cf318f2d127161bf9e9f90d76aff4da createdAt: "2023-12-04T09:04:49Z" diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml index 5586a3116..cfe5d55fd 100644 --- a/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml +++ b/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Disallow Capabilities (Strict) in CEL expressions policies.kyverno.io/category: Pod Security Standards (Restricted) in CEL policies.kyverno.io/severity: medium + policies.kyverno.io/minversion: 1.11.0 kyverno.io/kyverno-version: 1.11.0 kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/subject: Pod diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml index e37b76849..d1d87148f 100644 --- a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml +++ b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Restricted)" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 5f575108ad93d71808c5ca6de627698060e413387b2eb48ba700c20e61d622e9 +digest: a656fbec861a5420caab9ad15abf28edf45b47c6d749c3d3943223dfb4d37d7a createdAt: "2023-12-04T09:04:49Z" 
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml index d75db5f90..cde75c193 100644 --- a/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml +++ b/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml @@ -7,6 +7,7 @@ metadata: policies.kyverno.io/category: Pod Security Standards (Restricted) in CEL policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod + policies.kyverno.io/minversion: 1.11.0 kyverno.io/kyverno-version: 1.11.0 kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/description: >- diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml b/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml index 3995c20cb..1e97e8811 100644 --- a/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml +++ b/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Restricted)" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 2243d0a9a528e56efba4228868956535a1c41ea8725843e733577722cf252a7a +digest: 4325ec1161eb1a2eb361eaed9618b7fe4605bfa621361064a43b4f056f03da8a createdAt: "2023-12-04T09:04:49Z" diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml index 29abec70e..96e3e2ca7 100644 --- a/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml +++ b/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml 
@@ -7,6 +7,7 @@ metadata:
 policies.kyverno.io/category: Pod Security Standards (Restricted) in CEL
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: Pod
+ policies.kyverno.io/minversion: 1.11.0
 kyverno.io/kyverno-version: 1.11.0
 kyverno.io/kubernetes-version: "1.26-1.27"
 policies.kyverno.io/description: >-
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml b/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml
index 5234f0cd6..527f9037a 100644
--- a/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml
@@ -19,5 +19,5 @@ annotations:
 kyverno/category: "Pod Security Standards (Restricted)"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
-digest: 7968dc5740b0232e48ebf36db4115238c9895b3a0ab290dcded2b76868ee837c
+digest: 4deffb0a892939288dabf65e9af18732036a464ae3611028a96ae02215140e77
 createdAt: "2023-12-04T09:04:49Z"
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
index 251a4d3f1..ed58c9641 100644
--- a/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
@@ -7,6 +7,7 @@ metadata:
 policies.kyverno.io/category: Pod Security Standards (Restricted) in CEL
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: Pod
+ policies.kyverno.io/minversion: 1.11.0
 kyverno.io/kyverno-version: 1.11.0
 kyverno.io/kubernetes-version: "1.26-1.27"
 policies.kyverno.io/description: >-
diff --git a/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml b/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml
index 1e8e665f1..f231b9264 100644
--- a/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml
@@ -19,5 +19,5 @@ annotations:
 kyverno/category: "Pod Security Standards (Restricted)"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod,Volume"
-digest: af3f14adcb29e44bd0ede605280fcdbe5357003a9baa6bf81a3efe9675ea9902
+digest: d5e29d1e422d57878e74db9bc93f8db1588c6dbb777e13a02d873952a5134d59
 createdAt: "2024-01-02T15:37:55Z"
diff --git a/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml b/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml
index 51a0f0bc8..7d57ec798 100644
--- a/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml
+++ b/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml
@@ -7,6 +7,7 @@ metadata:
 policies.kyverno.io/category: Pod Security Standards (Restricted) in CEL
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: Pod,Volume
+ policies.kyverno.io/minversion: 1.11.0
 kyverno.io/kubernetes-version: "1.26-1.27"
 kyverno.io/kyverno-version: 1.11.0
 policies.kyverno.io/description: >-
