feat: add pod security standards (restricted) in CEL expressions - Pa…

…rt 3 (kyverno#776)

* feat: add pod security standards (restricted) in CEL expressions

Signed-off-by: Mariam Fahmy <[email protected]>

* fix: use cel.expression.message instead of validate.message

Signed-off-by: Mariam Fahmy <[email protected]>

* chore: update artifacthub-pkg.yaml

Signed-off-by: Mariam Fahmy <[email protected]>

* remove the failed policy

Signed-off-by: Mariam Fahmy <[email protected]>

* fix the name field in artifacthub-pkg.yaml

Signed-off-by: Mariam Fahmy <[email protected]>

* fix chainsaw tests

Signed-off-by: Mariam Fahmy <[email protected]>

* fix a lint issue

Signed-off-by: Mariam Fahmy <[email protected]>

* fix the value of policies.kyverno.io/category

Signed-off-by: Mariam Fahmy <[email protected]>

* fix: add the minversion annotation

Signed-off-by: Mariam Fahmy <[email protected]>

---------

Signed-off-by: Mariam Fahmy <[email protected]>

pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: disallow-capabilities-strict
+spec:
+  steps:
+  - name: step-01
+    try:
+    - script:
+        content: |
+          sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-capabilities-strict.yaml | kubectl create -f -
+    - assert:
+        file: ../../../../pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: ../../../../pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ../../../../pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-bad.yaml
+    - apply:
+        file: ../../../../pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ../../../../pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-bad.yaml
+  - name: step-99
+    try:
+    - delete:
+        ref:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          name: disallow-capabilities-strict

pod-security-cel/restricted/disallow-capabilities-strict/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,177 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: disallow-capabilities-strict
+policies:
+- ../disallow-capabilities-strict.yaml
+resources:
+- ../../../../pod-security/restricted/disallow-capabilities-strict/.kyverno-test/resource.yaml
+results:
+- kind: CronJob
+  policy: disallow-capabilities-strict
+  resources:
+  - addcap-badcronjob01
+  - addcap-badcronjob02
+  - addcap-badcronjob03
+  - addcap-badcronjob04
+  - addcap-badcronjob05
+  - addcap-badcronjob06
+  - addcap-badcronjob07
+  - addcap-badcronjob08
+  - addcap-badcronjob09
+  - addcap-badcronjob10
+  result: fail
+  rule: adding-capabilities-strict
+- kind: Deployment
+  policy: disallow-capabilities-strict
+  resources:
+  - addcap-baddeployment01
+  - addcap-baddeployment02
+  - addcap-baddeployment03
+  - addcap-baddeployment04
+  - addcap-baddeployment05
+  - addcap-baddeployment06
+  - addcap-baddeployment07
+  - addcap-baddeployment08
+  - addcap-baddeployment09
+  - addcap-baddeployment10
+  result: fail
+  rule: adding-capabilities-strict
+- kind: Pod
+  policy: disallow-capabilities-strict
+  resources:
+  - addcap-badpod01
+  - addcap-badpod02
+  - addcap-badpod03
+  - addcap-badpod04
+  - addcap-badpod05
+  - addcap-badpod06
+  - addcap-badpod07
+  - addcap-badpod08
+  - addcap-badpod09
+  - addcap-badpod10
+  result: fail
+  rule: adding-capabilities-strict
+- kind: CronJob
+  policy: disallow-capabilities-strict
+  resources:
+  - addcap-goodcronjob01
+  - addcap-goodcronjob02
+  - addcap-goodcronjob03
+  - addcap-goodcronjob04
+  - addcap-goodcronjob05
+  - addcap-goodcronjob06
+  - addcap-goodcronjob07
+  - addcap-goodcronjob08
+  - addcap-goodcronjob09
+  - addcap-goodcronjob10
+  result: pass
+  rule: adding-capabilities-strict
+- kind: Deployment
+  policy: disallow-capabilities-strict
+  resources:
+  - addcap-gooddeployment01
+  - addcap-gooddeployment02
+  - addcap-gooddeployment03
+  - addcap-gooddeployment04
+  - addcap-gooddeployment05
+  - addcap-gooddeployment06
+  - addcap-gooddeployment07
+  - addcap-gooddeployment08
+  - addcap-gooddeployment09
+  - addcap-gooddeployment10
+  result: pass
+  rule: adding-capabilities-strict
+- kind: Pod
+  policy: disallow-capabilities-strict
+  resources:
+  - addcap-goodpod01
+  - addcap-goodpod02
+  - addcap-goodpod03
+  - addcap-goodpod04
+  - addcap-goodpod05
+  - addcap-goodpod06
+  - addcap-goodpod07
+  - addcap-goodpod08
+  - addcap-goodpod09
+  - addcap-goodpod10
+  result: pass
+  rule: adding-capabilities-strict
+- kind: CronJob
+  policy: disallow-capabilities-strict
+  resources:
+  - badcronjob01
+  - badcronjob02
+  - badcronjob03
+  - badcronjob04
+  - badcronjob05
+  - badcronjob06
+  - badcronjob07
+  - badcronjob08
+  - badcronjob09
+  - badcronjob10
+  result: fail
+  rule: require-drop-all
+- kind: Deployment
+  policy: disallow-capabilities-strict
+  resources:
+  - baddeployment01
+  - baddeployment02
+  - baddeployment03
+  - baddeployment04
+  - baddeployment05
+  - baddeployment06
+  - baddeployment07
+  - baddeployment08
+  - baddeployment09
+  - baddeployment10
+  result: fail
+  rule: require-drop-all
+- kind: Pod
+  policy: disallow-capabilities-strict
+  resources:
+  - badpod01
+  - badpod02
+  - badpod03
+  - badpod04
+  - badpod05
+  - badpod06
+  - badpod07
+  - badpod08
+  - badpod09
+  - badpod10
+  result: fail
+  rule: require-drop-all
+- kind: CronJob
+  policy: disallow-capabilities-strict
+  resources:
+  - goodcronjob01
+  - goodcronjob02
+  - goodcronjob03
+  - goodcronjob04
+  - goodcronjob05
+  - goodcronjob06
+  result: pass
+  rule: require-drop-all
+- kind: Deployment
+  policy: disallow-capabilities-strict
+  resources:
+  - gooddeployment01
+  - gooddeployment02
+  - gooddeployment03
+  - gooddeployment04
+  - gooddeployment05
+  - gooddeployment06
+  result: pass
+  rule: require-drop-all
+- kind: Pod
+  policy: disallow-capabilities-strict
+  resources:
+  - goodpod01
+  - goodpod02
+  - goodpod03
+  - goodpod04
+  - goodpod05
+  - goodpod06
+  result: pass
+  rule: require-drop-all

pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml

@@ -0,0 +1,23 @@
+name: disallow-capabilities-strict-cel
+version: 1.0.0
+displayName: Disallow Capabilities (Strict) in CEL expressions
+description: >-
+  Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, all containers must explicitly drop `ALL` capabilities.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml
+  ```
+keywords:
+  - kyverno
+  - Pod Security Standards (Restricted)
+  - CEL Expressions
+readme: |
+  Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, all containers must explicitly drop `ALL` capabilities.
+  
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Pod Security Standards (Restricted)"
+  kyverno/kubernetesVersion: "1.26-1.27"
+  kyverno/subject: "Pod"
+digest: 3ba20799de8e2ff846fc1e064fac7b3e0cf318f2d127161bf9e9f90d76aff4da
+createdAt: "2023-12-04T09:04:49Z"

pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml

@@ -0,0 +1,83 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-capabilities-strict
+  annotations:
+    policies.kyverno.io/title: Disallow Capabilities (Strict) in CEL expressions
+    policies.kyverno.io/category: Pod Security Standards (Restricted) in CEL
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kyverno-version: 1.11.0
+    kyverno.io/kubernetes-version: "1.26-1.27"
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition,
+      all containers must explicitly drop `ALL` capabilities.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+    - name: require-drop-all
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      validate:
+        message: >-
+          Containers must drop `ALL` capabilities.
+        cel: 
+          expressions:
+            - expression: >- 
+                object.spec.containers.all(container, has(container.securityContext) &&
+                has(container.securityContext.capabilities) &&
+                has(container.securityContext.capabilities.drop) &&
+                container.securityContext.capabilities.drop.exists_one(capability, capability == 'ALL'))
+    
+            - expression: >- 
+                !has(object.spec.initContainers) ||
+                object.spec.initContainers.all(container, has(container.securityContext) &&
+                has(container.securityContext.capabilities) &&
+                has(container.securityContext.capabilities.drop) &&
+                container.securityContext.capabilities.drop.exists_one(capability, capability == 'ALL'))
+            
+            - expression: >- 
+                !has(object.spec.ephemeralContainers) ||
+                object.spec.ephemeralContainers.all(container, has(container.securityContext) &&
+                has(container.securityContext.capabilities) &&
+                has(container.securityContext.capabilities.drop) &&
+                container.securityContext.capabilities.drop.exists_one(capability, capability == 'ALL'))
+    - name: adding-capabilities-strict
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      validate:
+        cel:
+          expressions:
+          - expression: >- 
+              object.spec.containers.all(container, !has(container.securityContext) ||
+              !has(container.securityContext.capabilities) ||
+              !has(container.securityContext.capabilities.add) ||
+              ((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE')))
+            message: >-
+              Any capabilities added other than NET_BIND_SERVICE are disallowed.
+    
+          - expression: >- 
+              !has(object.spec.initContainers) ||
+              object.spec.initContainers.all(container, !has(container.securityContext) ||
+              !has(container.securityContext.capabilities) ||
+              !has(container.securityContext.capabilities.add) ||
+              ((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE')))
+            message: >-
+              Any capabilities added other than NET_BIND_SERVICE are disallowed.
+          
+          - expression: >- 
+              !has(object.spec.ephemeralContainers) ||
+              object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
+              !has(container.securityContext.capabilities) ||
+              !has(container.securityContext.capabilities.add) ||
+              ((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE')))
+            message: >-
+              Any capabilities added other than NET_BIND_SERVICE are disallowed.

pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: disallow-privilege-escalation
+spec:
+  steps:
+  - name: step-01
+    try:
+    - script:
+        content: |
+          sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-privilege-escalation.yaml | kubectl create -f -
+    - assert:
+        file: ../../../../pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: ../../../../pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ../../../../pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-bad.yaml
+    - apply:
+        file: ../../../../pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ../../../../pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-bad.yaml
+  - name: step-99
+    try:
+    - delete:
+        ref:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          name: disallow-privilege-escalation