feat: add best practices policies in CEL expressions #925

Merged
merged 69 commits into from
Jun 3, 2024
747b0e8
copy restrict-node-port
Chandan-DK Mar 6, 2024
9a4eca2
convert restrict-node-port to cel
Chandan-DK Mar 6, 2024
c87dea8
move resource files to test folders to avoid cross referencing
Chandan-DK Mar 6, 2024
66550fb
copy require-labels
Chandan-DK Mar 6, 2024
a19e614
convert require-labels to cel
Chandan-DK Mar 6, 2024
793c146
copy restrict-service-external-ips
Chandan-DK Mar 6, 2024
7a0fc6a
convert restrict-service-external-ips to cel
Chandan-DK Mar 7, 2024
2466c52
copy require-ro-rootfs
Chandan-DK Mar 7, 2024
8ca2823
convert require-ro-rootfs to cel
Chandan-DK Mar 7, 2024
cc534a2
copy restrict-image-registries
Chandan-DK Mar 7, 2024
70c4712
convert restrict-image-registries to cel
Chandan-DK Mar 7, 2024
9cbc613
copy disallow-latest-tag
Chandan-DK Mar 7, 2024
7266245
convert disallow-latest-tag to cel
Chandan-DK Mar 7, 2024
56680c9
copy disallow-default-namespace
Chandan-DK Mar 8, 2024
deefeee
convert disallow-default-namespace to cel
Chandan-DK Mar 8, 2024
c0b203a
copy disallow-helm-tiller
Chandan-DK Mar 8, 2024
2908df9
convert disallow-helm-tiller to cel
Chandan-DK Mar 8, 2024
5291e6d
Merge branch 'main' into convert-best-practices-to-cel
Chandan-DK Mar 9, 2024
cc5a3da
copy disallow-empty-ingress-host
Chandan-DK Mar 9, 2024
13f8cb5
set original disallow-empty-ingress-host to Audit
Chandan-DK Mar 9, 2024
b29888f
convert disallow-empty-ingress-host to cel
Chandan-DK Mar 9, 2024
1347c26
patch cel policy to set it to Enforce in chainsaw test
Chandan-DK Mar 9, 2024
638431a
fix: update semantically wrong chainsaw test resources in original re…
Chandan-DK Mar 10, 2024
c1cf234
copy require-drop-all
Chandan-DK Mar 10, 2024
625ee8e
convert require-drop-all to cel
Chandan-DK Mar 10, 2024
0283264
update workflow to test policies in best-practices-cel folder
Chandan-DK Mar 10, 2024
e206f7c
fix duplicate container names in require-probes chainsaw test
Chandan-DK Mar 10, 2024
c3b399e
copy require-probes
Chandan-DK Mar 10, 2024
13f20c0
convert require-probes to cel
Chandan-DK Mar 10, 2024
3405d61
require-ro-rootfs: fix selector does not match template labels
Chandan-DK Mar 14, 2024
6f0f536
require-ro-rootfs: fix duplicate container names
Chandan-DK Mar 14, 2024
28a0b2b
disallow-helm-tiller: fix invalid container naming
Chandan-DK Mar 14, 2024
4deb30c
require-labels: fix selector does not match template labels
Chandan-DK Mar 14, 2024
1ee5e25
restrict-image-registries: fix selector does not match template labels
Chandan-DK Mar 14, 2024
9527da4
Merge branch 'main' into convert-best-practices-to-cel
Chandan-DK Mar 14, 2024
e809be1
rename file for clarity
Chandan-DK Mar 14, 2024
62fc668
copy disallow-cri-sock-mount
Chandan-DK Mar 14, 2024
f26b1b2
convert disallow-cri-sock-mount to cel
Chandan-DK Mar 14, 2024
9579075
remove duplicate expressions in require-drop-all
Chandan-DK Mar 14, 2024
46574a1
rename file for clarity
Chandan-DK Mar 14, 2024
2d25227
require-drop-cap-net-raw: fix duplicate container names
Chandan-DK Mar 14, 2024
de2993a
copy require-drop-cap-net-raw
Chandan-DK Mar 14, 2024
057814d
rename pods to distinguish them
Chandan-DK Mar 15, 2024
618b7c8
convert require-drop-cap-net-raw to cel
Chandan-DK Mar 15, 2024
1fc12c0
copy require-pod-requests-limits
Chandan-DK Mar 15, 2024
fdb9a00
convert require-pod-requests-limits to cel
Chandan-DK Mar 15, 2024
ffe9192
rename files for clarity
Chandan-DK Mar 15, 2024
f3f84ec
add new line at end of file where not present
Chandan-DK Mar 15, 2024
42808ba
calculate digests
Chandan-DK Mar 15, 2024
c13bf5a
add new lines
Chandan-DK Mar 15, 2024
6298f7e
update digests
Chandan-DK Mar 15, 2024
b71dc85
remove celPreconditions until it behaves as expected
Chandan-DK Mar 15, 2024
8bef250
update digests
Chandan-DK Mar 15, 2024
48675be
remove wrong test step
Chandan-DK Mar 16, 2024
8c6b717
Merge branch 'main' into convert-best-practices-to-cel
chipzoller Mar 18, 2024
db6f0a4
Merge branch 'main' into convert-best-practices-to-cel
MariamFahmy98 Mar 25, 2024
51a0c3e
use variables to remove duplicate logic
Chandan-DK Mar 25, 2024
cc3be8a
remove unnecessary whitespace in require-ro-rootfs
Chandan-DK Mar 26, 2024
734f9f2
use namespaceObject variable
Chandan-DK Mar 26, 2024
9f493ed
Combine expressions into 1 rule to generate VAPs
Chandan-DK Apr 4, 2024
8e133b7
copy kyverno tests for disallow-default-namespace
Chandan-DK Apr 19, 2024
bc57d09
Merge branch 'main' into convert-best-practices-to-cel
Chandan-DK Apr 19, 2024
044a419
Merge branch 'main' into convert-best-practices-to-cel
JimBugwadia May 15, 2024
bb48b70
Merge branch 'main' into convert-best-practices-to-cel
MariamFahmy98 May 16, 2024
6a71ee2
Merge branch 'main' into convert-best-practices-to-cel
MariamFahmy98 May 16, 2024
cad31da
Merge branch 'main' into convert-best-practices-to-cel
MariamFahmy98 May 22, 2024
3cda1d5
Merge branch 'main' into convert-best-practices-to-cel
MariamFahmy98 May 30, 2024
d6ad7cd
fix issue caused in cel policies tests due to chainsaw templating
Chandan-DK May 30, 2024
8ca2e18
Merge branch 'main' into convert-best-practices-to-cel
MariamFahmy98 Jun 3, 2024
1 change: 1 addition & 0 deletions .github/workflows/test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@ jobs:
- ^argo$
- ^aws$
- ^best-practices$
- ^best-practices-cel$
- ^castai$
- ^cert-manager$
- ^consul$
@@ -0,0 +1,51 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: disallow-cri-sock-mount
spec:
steps:
- name: step-01
try:
- apply:
file: ../disallow-cri-sock-mount.yaml
- patch:
resource:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-container-sock-mounts
spec:
validationFailureAction: Enforce
- assert:
file: policy-ready.yaml
- name: step-02
try:
- apply:
file: good-pod.yaml
- apply:
expect:
- check:
($error != null): true
file: pod-containerd-sock.yaml
- apply:
expect:
- check:
($error != null): true
file: pod-docker-sock.yaml
- apply:
expect:
- check:
($error != null): true
file: pod-crio-sock.yaml
- apply:
expect:
- check:
($error != null): true
file: pod-cri-dockerd-sock.yaml
- apply:
file: pod-emptydir-vol.yaml
- apply:
file: pod-no-volumes.yaml

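Review bot: the four negative cases in step-02 assert only `($error != null): true`, which passes for any apply failure, including a malformed fixture, an unavailable admission webhook, or a rejection by some other policy installed in the test cluster. Chainsaw checks are JMESPath expressions over the bound `$error`, so the assertion can be tightened to the policy's own message, for example `(contains($error, 'Unix socket is not allowed')): true` (or the per-socket message, such as `'Containerd Unix socket'`, for each fixture), which distinguishes a rejection by `validate-socket-mounts` from any other error.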
@@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: goodpod01
spec:
containers:
- name: myshell
image: "ubuntu:18.04"
command:
- /bin/sleep
- "300"
volumes:
- name: data
hostPath:
path: /data

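Review bot: this fixture's only hostPath is `/data`, which the policy permits, so it is the positive case for the `volumesWithHostPath.all(...)` branch rather than a pod without hostPath at all; the `data` volume is never referenced by a `volumeMounts` entry, which is fine for a check that inspects `spec.volumes` only, but a one-line YAML comment saying "hostPath that is not a CRI socket" would make the intent obvious to the next reader. Also, `ubuntu:18.04` is end-of-life; the `busybox:1.35` image used by the other fixtures in this directory would do the same job.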
@@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: pod-with-containerd-sock-mount
spec:
containers:
- name: myshell
image: "ubuntu:18.04"
command:
- /bin/sleep
- "300"
volumes:
- name: dockersock
hostPath:
path: /var/run/containerd/containerd.sock

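Review bot: the volume is named `dockersock` while its `hostPath.path` is the containerd socket (`/var/run/containerd/containerd.sock`); the cri-dockerd and CRI-O fixtures that follow reuse the same `dockersock` name. Renaming each volume after the socket it mounts (`containerdsock`, `cridockerdsock`, `criosock`) keeps the fixtures self-describing and avoids a misleading name in any event or error that quotes the volume.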
@@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: pod-with-cri-dockerd-sock-mount
spec:
containers:
- name: myshell
image: "ubuntu:18.04"
command:
- /bin/sleep
- "300"
volumes:
- name: dockersock
hostPath:
path: /var/run/cri-dockerd.sock

@@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: pod-with-crio-sock-mount
spec:
containers:
- name: myshell
image: "ubuntu:18.04"
command:
- /bin/sleep
- "300"
volumes:
- name: dockersock
hostPath:
path: /var/run/crio/crio.sock

@@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: pod-with-docker-sock-mount
spec:
containers:
- name: myshell
image: "ubuntu:18.04"
command:
- /bin/sleep
- "300"
volumes:
- name: dockersock
hostPath:
path: /var/run/docker.sock

@@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: pod-with-emptydir-volume
spec:
containers:
- name: busybox
image: busybox:1.35
command:
- sleep
- "3600"
volumes:
- name: mydir
emptyDir: {}

@@ -0,0 +1,13 @@
apiVersion: v1
kind: Pod
metadata:
name: pod-with-no-volumes
spec:
automountServiceAccountToken: false
containers:
- name: busybox
image: busybox:1.35
command:
- sleep
- "3600"

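Review bot: `automountServiceAccountToken: false` deserves a YAML comment in this fixture. It is what keeps `spec.volumes` absent by the time the pod reaches Kyverno: otherwise the ServiceAccount admission plugin injects a projected token volume during mutating admission, before validating webhooks run, and the policy's `!has(object.spec.volumes)` branch would never be exercised by this file. Without the comment the line looks incidental and is easy to drop in a later cleanup.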
@@ -0,0 +1,7 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-container-sock-mounts
status:
ready: true

@@ -0,0 +1,22 @@
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
name: disallow-cri-sock-mount
policies:
- ../disallow-cri-sock-mount.yaml
resources:
- resource.yaml
results:
- kind: Pod
policy: disallow-container-sock-mounts
resources:
- pod-with-docker-sock-mount
result: fail
rule: validate-socket-mounts
- kind: Pod
policy: disallow-container-sock-mounts
resources:
- goodpod01
result: pass
rule: validate-socket-mounts

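Review bot: the CLI test exercises only the Docker socket path (`pod-with-docker-sock-mount`) plus one passing pod, whereas the chainsaw test covers all four socket paths. Add the containerd, CRI-O and cri-dockerd pods to `resource.yaml` with matching `result: fail` entries here, so the other three expressions of `validate-socket-mounts` are also checked by `kyverno test`, which runs without a cluster and is the check most contributors will run locally.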
@@ -0,0 +1,32 @@
apiVersion: v1
kind: Pod
metadata:
name: pod-with-docker-sock-mount
spec:
containers:
- name: myshell
image: "ubuntu:18.04"
command:
- /bin/sleep
- "300"
volumes:
- name: dockersock
hostPath:
path: /var/run/docker.sock
---
apiVersion: v1
kind: Pod
metadata:
name: goodpod01
spec:
containers:
- name: myshell
image: "ubuntu:18.04"
command:
- /bin/sleep
- "300"
volumes:
- name: data
hostPath:
path: /data

25 changes: 25 additions & 0 deletions best-practices-cel/disallow-cri-sock-mount/artifacthub-pkg.yml
@@ -0,0 +1,25 @@
name: disallow-cri-sock-mount-cel
version: 1.0.0
displayName: Disallow CRI socket mounts in CEL expressions
description: >-
Container daemon socket bind mounts allows access to the container engine on the node. This access can be used for privilege escalation and to manage containers outside of Kubernetes, and hence should not be allowed. This policy validates that the sockets used for CRI engines Docker, Containerd, and CRI-O are not used. In addition to or replacement of this policy, preventing users from mounting the parent directories (/var/run and /var) may be necessary to completely prevent socket bind mounts.
install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices-cel/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml
```
keywords:
- kyverno
- Best Practices
- EKS Best Practices
- CEL Expressions
readme: |
Container daemon socket bind mounts allows access to the container engine on the node. This access can be used for privilege escalation and to manage containers outside of Kubernetes, and hence should not be allowed. This policy validates that the sockets used for CRI engines Docker, Containerd, and CRI-O are not used. In addition to or replacement of this policy, preventing users from mounting the parent directories (/var/run and /var) may be necessary to completely prevent socket bind mounts.

Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
annotations:
kyverno/category: "Best Practices, EKS Best Practices in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
digest: 0b91de77f8a6da0cafea457e0ba9eb14f0b8eb6bbcb56419a4e9de09c860753d
createdAt: "2024-03-14T15:59:52Z"

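Review bot: grammar in `description` and `readme`: "Container daemon socket bind mounts allows access" should read "allow access" (plural subject); the same sentence is repeated in the policy's `policies.kyverno.io/description` annotation and should be fixed in both places in one go. Also, `digest` is derived from the policy file, so any later edit to `disallow-cri-sock-mount.yaml` must be followed by regenerating it, otherwise the package metadata silently goes stale.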
@@ -0,0 +1,58 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-container-sock-mounts
annotations:
policies.kyverno.io/title: Disallow CRI socket mounts in CEL expressions
policies.kyverno.io/category: Best Practices, EKS Best Practices in CEL
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/minversion: 1.11.0
kyverno.io/kubernetes-version: "1.26-1.27"
policies.kyverno.io/description: >-
Container daemon socket bind mounts allows access to the container engine on the
node. This access can be used for privilege escalation and to manage containers
outside of Kubernetes, and hence should not be allowed. This policy validates that
the sockets used for CRI engines Docker, Containerd, and CRI-O are not used. In addition
to or replacement of this policy, preventing users from mounting the parent directories
(/var/run and /var) may be necessary to completely prevent socket bind mounts.
spec:
validationFailureAction: Audit
background: true
rules:
- name: validate-socket-mounts
match:
any:
- resources:
kinds:
- Pod
validate:
cel:
variables:
- name: hasVolumes
expression: "!has(object.spec.volumes)"
- name: volumes
expression: "object.spec.volumes"
- name: volumesWithHostPath
expression: "variables.volumes.filter(volume, has(volume.hostPath))"
expressions:
- expression: >-
variables.hasVolumes ||
variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/docker.sock'))
message: "Use of the Docker Unix socket is not allowed."

- expression: >-
variables.hasVolumes ||
variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/containerd/containerd.sock'))
message: "Use of the Containerd Unix socket is not allowed."

- expression: >-
variables.hasVolumes ||
variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/crio/crio.sock'))
message: "Use of the CRI-O Unix socket is not allowed."

- expression: >-
variables.hasVolumes ||
variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/cri-dockerd.sock'))
message: "Use of the Docker CRI socket is not allowed."

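Review bot: two points on the `validate-socket-mounts` rule. First, the variable `hasVolumes` is defined as `!has(object.spec.volumes)`, so it is true exactly when the pod has no volumes; the inverted name makes every `variables.hasVolumes || ...` expression read as the opposite of what it does. Rename it to `noVolumes`, or define it as `has(object.spec.volumes)` and write `!variables.hasVolumes || ...`. Second, `matches('/var/run/docker.sock')` is an unanchored RE2 regular expression whose unescaped `.` matches any character, so each check is a substring search rather than a comparison of the path. If an exact path comparison is intended (as in the non-CEL policy this was converted from), use `volume.hostPath.path == '/var/run/docker.sock'`; if a contains-style match is intended, escape the dots (`'/var/run/docker\\.sock'`, the double backslash being a CEL string escape) and say so in a comment, because the choice decides which hostPath values the rule rejects. Keep the `variables.hasVolumes ||` short-circuit in front of `volumesWithHostPath` if the expressions are reworked; it is what prevents `object.spec.volumes` from being evaluated on a pod that has no volumes.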
@@ -0,0 +1,56 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: disallow-default-namespace
spec:
steps:
- name: step-01
try:
- apply:
file: ../disallow-default-namespace.yaml
- patch:
resource:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-default-namespace
spec:
validationFailureAction: Enforce
- assert:
file: policy-ready.yaml
- name: step-02
try:
- apply:
file: ns.yaml
- name: step-03
try:
- apply:
file: good-resources.yaml
- apply:
expect:
- check:
($error != null): true
file: pod-default.yaml
- apply:
expect:
- check:
($error != null): true
file: ds-default.yaml
- apply:
expect:
- check:
($error != null): true
file: job-default.yaml
- apply:
expect:
- check:
($error != null): true
file: ss-default.yaml
- apply:
expect:
- check:
($error != null): true
file: deploy-default.yaml
