From b889a514e03a9558a5c3d150d9e78d1fb339b112 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Thu, 6 Jun 2024 17:47:47 +0000 Subject: [PATCH 01/19] NDEV-19285 copy restrict-binding-system-groups Signed-off-by: Chandan-DK --- .../e2e/bad-resource.yaml | 67 ++++++++++++++++ .../e2e/chainsaw-test.yaml | 24 ++++++ .../e2e/enforce-policy-assert.yaml | 11 +++ .../e2e/good-resource.yaml | 77 +++++++++++++++++++ .../e2e/policy-assert.yaml | 11 +++ .../restrict-binding-system-groups.yaml | 31 ++++++++ 6 files changed, 221 insertions(+) create mode 100644 rbac-best-practices-cel/restrict-binding-system-groups/e2e/bad-resource.yaml create mode 100644 rbac-best-practices-cel/restrict-binding-system-groups/e2e/chainsaw-test.yaml create mode 100644 rbac-best-practices-cel/restrict-binding-system-groups/e2e/enforce-policy-assert.yaml create mode 100644 rbac-best-practices-cel/restrict-binding-system-groups/e2e/good-resource.yaml create mode 100644 rbac-best-practices-cel/restrict-binding-system-groups/e2e/policy-assert.yaml create mode 100644 rbac-best-practices-cel/restrict-binding-system-groups/restrict-binding-system-groups.yaml diff --git a/rbac-best-practices-cel/restrict-binding-system-groups/e2e/bad-resource.yaml b/rbac-best-practices-cel/restrict-binding-system-groups/e2e/bad-resource.yaml new file mode 100644 index 00000000..4e7d48ee --- /dev/null +++ b/rbac-best-practices-cel/restrict-binding-system-groups/e2e/bad-resource.yaml 
@@ -0,0 +1,67 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: badcrb01
+subjects:
+- kind: Group
+ name: bar
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: "system:masters"
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: badcrb02
+subjects:
+- kind: Group
+ namespace: foo
+ name: bar
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: "system:masters"
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: badrb01
+subjects:
+- kind: Group
+ name: bar
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: Role
+ name: "system:masters"
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: badrb02
+subjects:
+- kind: Group
+ name: bar
+ namespace: foo
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: Role
+ name: "system:masters"
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: badrb03
+subjects:
+- kind: Group
+ name: bar
+ namespace: foo
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: Role
+ name: "system:masters"
+ apiGroup: rbac.authorization.k8s.io
diff --git a/rbac-best-practices-cel/restrict-binding-system-groups/e2e/chainsaw-test.yaml b/rbac-best-practices-cel/restrict-binding-system-groups/e2e/chainsaw-test.yaml new file mode 100644
index 00000000..a48d4aa0
--- /dev/null
+++ b/rbac-best-practices-cel/restrict-binding-system-groups/e2e/chainsaw-test.yaml
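Review bot: `badrb02` and `badrb03` differ only in `metadata.name` (same Group subject with `namespace: foo`, same `roleRef`), so the second document adds no coverage; either drop it or make it exercise a different shape. None of the five bad bindings names `system:masters` under `subjects`, only under `roleRef.name`, which is the only field the policy in this series inspects, so a subject-based document would record whether that omission is intended. The `roleRef.kind: Role` cases refer to a namespaced Role that happens to be called system:masters rather than to the built-in group; that is fine for a name check but deserves a comment such as `# roleRef.kind is Role on purpose: the policy keys on roleRef.name only`.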
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: restrict-binding-system-groups-policy
+spec:
+ steps:
+ - name: test-restrict-binding-system-groups
+ try:
+ - apply:
+ file: ../restrict-binding-system-groups.yaml
+ - assert:
+ file: policy-assert.yaml
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-binding-system-groups.yaml | kubectl apply -f -
+ - assert:
+ file: enforce-policy-assert.yaml
+ - apply:
+ file: good-resource.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-resource.yaml
diff --git a/rbac-best-practices-cel/restrict-binding-system-groups/e2e/enforce-policy-assert.yaml b/rbac-best-practices-cel/restrict-binding-system-groups/e2e/enforce-policy-assert.yaml new file mode 100644
index 00000000..d5768e9d
--- /dev/null
+++ b/rbac-best-practices-cel/restrict-binding-system-groups/e2e/enforce-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-binding-system-groups
+spec:
+ validationFailureAction: Enforce
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/rbac-best-practices-cel/restrict-binding-system-groups/e2e/good-resource.yaml b/rbac-best-practices-cel/restrict-binding-system-groups/e2e/good-resource.yaml new file mode 100644
index 00000000..7e958419
--- /dev/null
+++ b/rbac-best-practices-cel/restrict-binding-system-groups/e2e/good-resource.yaml
@@ -0,0 +1,77 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: goodcrb01
+subjects:
+- kind: Group
+ name: secret-reader
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: manager
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: goodcrb02
+subjects:
+- kind: ServiceAccount
+ namespace: foo
+ name: foo-reader
+roleRef:
+ kind: ClusterRole
+ name: manager
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: goodcrb03
+subjects:
+- kind: ServiceAccount
+ namespace: foo
+ name: "system.foo"
+roleRef:
+ kind: ClusterRole
+ name: manager
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: goodrb01
+subjects:
+- kind: User
+ name: foo
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: Role
+ name: foo-bar
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: goodrb02
+subjects:
+- kind: ServiceAccount
+ name: foo
+ namespace: foo
+roleRef:
+ kind: Role
+ name: foo-bar
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: goodrb03
+subjects:
+- kind: Group
+ name: "system:foo"
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: Role
+ name: foo
+ apiGroup: rbac.authorization.k8s.io
diff --git a/rbac-best-practices-cel/restrict-binding-system-groups/e2e/policy-assert.yaml b/rbac-best-practices-cel/restrict-binding-system-groups/e2e/policy-assert.yaml new file mode 100644
index 00000000..35d048f1
--- /dev/null
+++ b/rbac-best-practices-cel/restrict-binding-system-groups/e2e/policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-binding-system-groups
+spec:
+ validationFailureAction: Audit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/rbac-best-practices-cel/restrict-binding-system-groups/restrict-binding-system-groups.yaml b/rbac-best-practices-cel/restrict-binding-system-groups/restrict-binding-system-groups.yaml new file mode 100644
index 00000000..e68b1977
--- /dev/null
+++ b/rbac-best-practices-cel/restrict-binding-system-groups/restrict-binding-system-groups.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-binding-system-groups
+ annotations:
+ policies.kyverno.io/title: Restrict Binding System Groups
+ policies.kyverno.io/category: RBAC Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: RoleBinding, ClusterRoleBinding, RBAC
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kubernetes-version: "1.23"
+ policies.kyverno.io/description: >-
+ Certain system groups exist in Kubernetes which grant permissions that
+ are used for certain system-level functions yet typically never appropriate
+ for other users. This policy prevents creating bindings for system:masters group.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: restrict-masters
+ match:
+ any:
+ - resources:
+ kinds:
+ - RoleBinding
+ - ClusterRoleBinding
+ validate:
+ message: "Binding to system:masters is not allowed."
+ pattern:
+ roleRef:
+ name: "!system:masters"
From d67c88e9c021ef02d1d1cfd58db35e612cf950fc Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Thu, 6 Jun 2024 17:55:11 +0000 Subject: [PATCH 02/19] NDEV-19285 convert restrict-binding-system-groups Signed-off-by: Chandan-DK --- .../restrict-binding-system-groups.yaml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/rbac-best-practices-cel/restrict-binding-system-groups/restrict-binding-system-groups.yaml b/rbac-best-practices-cel/restrict-binding-system-groups/restrict-binding-system-groups.yaml index e68b1977..b73bc50d 100644 --- a/rbac-best-practices-cel/restrict-binding-system-groups/restrict-binding-system-groups.yaml +++ b/rbac-best-practices-cel/restrict-binding-system-groups/restrict-binding-system-groups.yaml @@ -3,12 +3,12 @@ kind: ClusterPolicy metadata: name: restrict-binding-system-groups annotations: - policies.kyverno.io/title: Restrict Binding System Groups - policies.kyverno.io/category: RBAC Best Practices + policies.kyverno.io/title: Restrict Binding System Groups in CEL expressions + policies.kyverno.io/category: RBAC Best Practices in CEL policies.kyverno.io/severity: medium policies.kyverno.io/subject: RoleBinding, ClusterRoleBinding, RBAC - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.23" + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26" policies.kyverno.io/description: >- Certain system groups exist in Kubernetes which grant permissions that are used for certain system-level functions yet typically never appropriate @@ -25,7 +25,8 @@ spec: - RoleBinding - ClusterRoleBinding validate: - message: "Binding to system:masters is not allowed." - pattern: - roleRef: - name: "!system:masters" + cel: + expressions: + - expression: "object.roleRef.name != 'system:masters'" + message: "Binding to system:masters is not allowed." + From 0269a6344c942b2a44299cc52864750bccc210a4 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Thu, 6 Jun 2024 17:55:41 +0000 Subject: [PATCH 03/19] NDEV-19285 copy restrict-clusterrole-nodesproxy 
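Review bot: The converted expression tests only `object.roleRef.name`, so a binding whose `subjects` list contains the `system:masters` group (`kind: Group`, `name: system:masters`) is accepted, although the description kept on the context lines says the policy prevents creating bindings for that group; this mirrors the pattern it replaces, but the conversion is the natural place to close it. A second guarded clause would cover the subject side, `!has(object.subjects) || !object.subjects.exists(s, s.kind == 'Group' && s.name == 'system:masters')` — `subjects` is optional on both binding kinds, hence the `has()` guard (this assumes Kyverno's CEL reports a missing key as an error, as the Kubernetes library does; confirm). None of the bad-resource fixtures in this series places system:masters under `subjects`, so the tests would not notice either way. The hunk also ends with an added empty `+` line, which leaves a trailing blank line in the file.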
Signed-off-by: Chandan-DK --- .../e2e/bad-resource.yaml | 20 +++++++++++ .../e2e/chainsaw-test.yaml | 24 +++++++++++++ .../e2e/enforce-policy-assert.yaml | 11 ++++++ .../e2e/good-resource.yaml | 20 +++++++++++ .../e2e/policy-assert.yaml | 11 ++++++ .../restrict-clusterrole-nodesproxy.yaml | 36 +++++++++++++++++++ 6 files changed, 122 insertions(+) create mode 100644 rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/bad-resource.yaml create mode 100644 rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/chainsaw-test.yaml create mode 100644 rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/enforce-policy-assert.yaml create mode 100644 rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/good-resource.yaml create mode 100644 rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/policy-assert.yaml create mode 100644 rbac-best-practices-cel/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml
diff --git a/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/bad-resource.yaml b/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/bad-resource.yaml new file mode 100644
index 00000000..65063c9c
--- /dev/null
+++ b/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/bad-resource.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: badcr01
+rules:
+- apiGroups: [""]
+ resources: ["nodes/proxy", "namespaces"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: badcr02
+rules:
+- apiGroups: [""]
+ resources: ["pods", "nodes/proxy"]
+ verbs: ["get", "watch", "list"]
diff --git a/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/chainsaw-test.yaml b/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/chainsaw-test.yaml new file mode 100644
index 00000000..5d36c2a9
--- /dev/null
+++ b/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: restrict-clusterrole-nodesproxy-policy
+spec:
+ steps:
+ - name: test-restrict-clusterrole-nodesproxy
+ try:
+ - apply:
+ file: ../restrict-clusterrole-nodesproxy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-clusterrole-nodesproxy.yaml | kubectl apply -f -
+ - assert:
+ file: enforce-policy-assert.yaml
+ - apply:
+ file: good-resource.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-resource.yaml
diff --git a/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/enforce-policy-assert.yaml b/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/enforce-policy-assert.yaml new file mode 100644
index 00000000..0b7e800e
--- /dev/null
+++ b/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/enforce-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-clusterrole-nodesproxy
+spec:
+ validationFailureAction: Enforce
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/good-resource.yaml b/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/good-resource.yaml new file mode 100644
index 00000000..de7c8c2b
--- /dev/null
+++ b/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/good-resource.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: goodcr01
+rules:
+- apiGroups: [""]
+ resources: ["pods", "namespaces"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: goodcr02
+rules:
+- apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "watch", "list"]
diff --git a/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/policy-assert.yaml b/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/policy-assert.yaml new file mode 100644
index 00000000..7220658d
--- /dev/null
+++ b/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-clusterrole-nodesproxy
+spec:
+ validationFailureAction: Audit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml b/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml new file mode 100644
index 00000000..019302c4
--- /dev/null
+++ b/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml
@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-clusterrole-nodesproxy
+ annotations:
+ policies.kyverno.io/title: Restrict ClusterRole with Nodes Proxy
+ policies.kyverno.io/category: RBAC Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: ClusterRole, RBAC
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kubernetes-version: "1.23"
+ policies.kyverno.io/description: >-
+ A ClusterRole with nodes/proxy resource access allows a user to
+ perform anything the kubelet API allows. It also allows users to bypass
+ the API server and talk directly to the kubelet potentially circumventing
+ audits and admission controllers. See https://blog.aquasec.com/privilege-escalation-kubernetes-rbac
+ for more info. This policy prevents the creation
+ of a ClusterRole if it contains the nodes/proxy resource.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: clusterrole-nodesproxy
+ match:
+ any:
+ - resources:
+ kinds:
+ - ClusterRole
+ validate:
+ message: "A ClusterRole containing the nodes/proxy resource is not allowed."
+ deny:
+ conditions:
+ any:
+ - key: nodes/proxy
+ operator: AnyIn
+ value: "{{ request.object.rules[].resources[] }}"
From 42107d606f10de8fb73eb98cde177d92e12fe459 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Thu, 6 Jun 2024 18:08:53 +0000 Subject: [PATCH 04/19] NDEV-19285 convert restrict-clusterrole-nodesproxy Signed-off-by: Chandan-DK --- .../restrict-clusterrole-nodesproxy.yaml | 24 ++++++++++--------- 1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml b/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml
index 019302c4..169bade9 100644
--- a/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml
+++ b/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml @@ -3,12 +3,12 @@ kind: ClusterPolicy metadata: name: restrict-clusterrole-nodesproxy annotations: - policies.kyverno.io/title: Restrict ClusterRole with Nodes Proxy - policies.kyverno.io/category: RBAC Best Practices + policies.kyverno.io/title: Restrict ClusterRole with Nodes Proxy in CEL expressions + policies.kyverno.io/category: RBAC Best Practices in CEL policies.kyverno.io/severity: medium policies.kyverno.io/subject: ClusterRole, RBAC - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.23" + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26" policies.kyverno.io/description: >- A ClusterRole with nodes/proxy resource access allows a user to perform anything the kubelet API allows. It also allows users to bypass @@ -27,10 +27,12 @@ spec: kinds: - ClusterRole validate: - message: "A ClusterRole containing the nodes/proxy resource is not allowed." - deny: - conditions: - any: - - key: nodes/proxy - operator: AnyIn - value: "{{ request.object.rules[].resources[] }}" + cel: + expressions: + - expression: >- + object.rules == null || + !object.rules.exists(rule, + rule.resources.exists(resource, resource == 'nodes/proxy') && + rule.apiGroups.exists(apiGroup, apiGroup == '')) + message: "A ClusterRole containing the nodes/proxy resource is not allowed." + From 4a3ec67556fd2b306fa53dd1d615d444ccc7997d Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Thu, 6 Jun 2024 18:09:33 +0000 Subject: [PATCH 05/19] NDEV-19285 test edge cases for restrict-clusterrole-nodesproxy Signed-off-by: Chandan-DK --- .../e2e/good-resource.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/good-resource.yaml b/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/good-resource.yaml index de7c8c2b..50b49946 100644 
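Review bot: `rule.resources` and `rule.apiGroups` are read unguarded in the new expression; both keys are omitted from a PolicyRule that only lists `nonResourceURLs`, and if Kyverno's CEL follows the Kubernetes library a missing key is an evaluation error rather than `false`, so a ClusterRole with such a rule would fail (or be skipped in Audit) instead of passing. The match also only recognises the literal `nodes/proxy` in the core group, whereas RBAC's resource matching, as far as I recall, grants the same access through `resources: ["*"]` or `["*/proxy"]` and `apiGroups: ["*"]`; the escalation-verbs policy converted later in this series (patch 08) does list `'*'`, so the two CEL policies are inconsistent. Both gaps are inherited from the JMESPath `AnyIn` version this replaces, and neither fixture file exercises them, so a nonResourceURLs-only good case and a wildcard bad case would be worth adding. A guarded expression that also covers the wildcards is below; the rest of the policy sits outside the hunk.
```yaml
      - expression: >-
          object.rules == null ||
          !object.rules.exists(rule,
            has(rule.apiGroups) && rule.apiGroups.exists(apiGroup, apiGroup in ['*', '']) &&
            has(rule.resources) && rule.resources.exists(resource, resource in ['*', '*/proxy', 'nodes/proxy']))
        # … unchanged: message …
```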
--- a/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/good-resource.yaml +++ b/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/good-resource.yaml @@ -18,3 +18,18 @@ rules: - apiGroups: [""] resources: ["nodes"] verbs: ["get", "watch", "list"] +--- +# If 'rules' is specified without a value, +# the field will be set to 'rules: null' by default when the resource is created in the cluster. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: goodcr-empty-rules +rules: +--- +# If the 'rules' field is omitted from the manifest, +# the field will be set to 'rules: null' by default when the resource is created in the cluster. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: goodcr-omitted-rules From 42149b4cb877f38ec8c41c0beb24d1ac984598c8 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Thu, 6 Jun 2024 18:10:19 +0000 Subject: [PATCH 06/19] NDEV-19285 copy restrict-escalation-verbs-roles Signed-off-by: Chandan-DK --- .../e2e/bad-resource.yaml | 89 +++++++++++++++++++ .../e2e/chainsaw-test.yaml | 24 +++++ .../e2e/enforce-policy-assert.yaml | 11 +++ .../e2e/good-resource.yaml | 47 ++++++++++ .../e2e/policy-assert.yaml | 11 +++ .../restrict-escalation-verbs-roles.yaml | 48 ++++++++++ 6 files changed, 230 insertions(+) create mode 100644 rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/bad-resource.yaml create mode 100644 rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/chainsaw-test.yaml create mode 100644 rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/enforce-policy-assert.yaml create mode 100644 rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/good-resource.yaml create mode 100644 rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/policy-assert.yaml create mode 100644 rbac-best-practices-cel/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml 
diff --git a/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/bad-resource.yaml b/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/bad-resource.yaml new file mode 100644
index 00000000..dd998b91
--- /dev/null
+++ b/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/bad-resource.yaml
@@ -0,0 +1,89 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: badcr01
+rules:
+- apiGroups: [""]
+ resources: ["pods", "namespaces"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["rbac.authorization.k8s.io", "apps"]
+ resources: ["deployments", "roles"]
+ verbs: ["bind", "watch", "list"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterroles"]
+ verbs: ["update", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: badcr02
+rules:
+- apiGroups: [""]
+ resources: ["pods", "namespaces"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["rbac.authorization.k8s.io", "apps"]
+ resources: ["deployments", "roles"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["batches", "rbac.authorization.k8s.io"]
+ resources: ["clusterroles"]
+ verbs: ["update", "escalate", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: badcr03
+rules:
+- apiGroups: ["rbac.authorization.k8s.io", "apps"]
+ resources: ["deployments", "roles"]
+ verbs: ["get", "watch", "bind"]
+- apiGroups: [""]
+ resources: ["pods", "namespaces"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["batches", "rbac.authorization.k8s.io"]
+ resources: ["clusterroles"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: badrole01
+rules:
+- apiGroups: [""]
+ resources: ["pods", "namespaces"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["rbac.authorization.k8s.io", "apps"]
+ resources: ["deployments", "roles"]
+ verbs: ["bind", "watch", "list"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterroles"]
+ verbs: ["update", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: badrole02
+rules:
+- apiGroups: [""]
+ resources: ["pods", "namespaces"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["rbac.authorization.k8s.io", "apps"]
+ resources: ["deployments", 
"roles"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["batches", "rbac.authorization.k8s.io"]
+ resources: ["clusterroles"]
+ verbs: ["update", "escalate", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: badrole03
+rules:
+- apiGroups: ["rbac.authorization.k8s.io", "apps"]
+ resources: ["deployments", "roles"]
+ verbs: ["get", "watch", "bind"]
+- apiGroups: [""]
+ resources: ["pods", "namespaces"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["batches"]
+ resources: ["jobs"]
+ verbs: ["get", "watch", "list"]
diff --git a/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/chainsaw-test.yaml b/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/chainsaw-test.yaml new file mode 100644
index 00000000..b2cecb30
--- /dev/null
+++ b/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: restrict-escalation-verbs-roles-policy
+spec:
+ steps:
+ - name: test-restrict-escalation-verbs-roles
+ try:
+ - apply:
+ file: ../restrict-escalation-verbs-roles.yaml
+ - assert:
+ file: policy-assert.yaml
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-escalation-verbs-roles.yaml | kubectl apply -f -
+ - assert:
+ file: enforce-policy-assert.yaml
+ - apply:
+ file: good-resource.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-resource.yaml
diff --git a/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/enforce-policy-assert.yaml b/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/enforce-policy-assert.yaml new file mode 100644
index 00000000..467bc1a6
--- /dev/null
+++ b/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/enforce-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-escalation-verbs-roles
+spec:
+ validationFailureAction: Enforce
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/good-resource.yaml b/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/good-resource.yaml new file mode 100644
index 00000000..a658b2a1
--- /dev/null
+++ b/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/good-resource.yaml
@@ -0,0 +1,47 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: goodcr01
+rules:
+- apiGroups: [""]
+ resources: ["pods", "namespaces"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["rbac.authorization.k8s.io", "apps"]
+ resources: ["deployments", "roles"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterroles"]
+ verbs: ["update", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: goodcr02
+rules:
+- apiGroups: [""]
+ resources: ["pods", "namespaces"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: goodrole01
+rules:
+- apiGroups: [""]
+ resources: ["pods", "namespaces"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["rbac.authorization.k8s.io", "apps"]
+ resources: ["deployments", "roles"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterroles"]
+ verbs: ["update", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: goodrole02
+rules:
+- apiGroups: [""]
+ resources: ["pods", "namespaces"]
+ verbs: ["get", "watch", "list"]
diff --git a/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/policy-assert.yaml b/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/policy-assert.yaml new file mode 100644
index 00000000..56f39264
--- /dev/null
+++ b/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-escalation-verbs-roles
+spec:
+ validationFailureAction: Audit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/rbac-best-practices-cel/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml b/rbac-best-practices-cel/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml new file mode 100644
index 00000000..99314f7c
--- /dev/null
+++ b/rbac-best-practices-cel/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml
@@ -0,0 +1,48 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-escalation-verbs-roles
+ annotations:
+ policies.kyverno.io/title: Restrict Escalation Verbs in Roles
+ policies.kyverno.io/category: RBAC Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Role, ClusterRole, RBAC
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kubernetes-version: "1.23"
+ policies.kyverno.io/description: >-
+ The verbs `impersonate`, `bind`, and `escalate` may all potentially lead to
+ privilege escalation and should be tightly controlled. This policy prevents
+ use of these verbs in Role or ClusterRole resources.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: escalate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Role
+ - ClusterRole
+ validate:
+ message: "Use of verbs `escalate`, `bind`, and `impersonate` are forbidden."
+ foreach:
+ - list: "request.object.rules[]"
+ deny:
+ conditions:
+ all:
+ - key: "{{ element.apiGroups || '' }}"
+ operator: AnyIn
+ value:
+ - rbac.authorization.k8s.io
+ - key: "{{ element.resources || '' }}"
+ operator: AnyIn
+ value:
+ - clusterroles
+ - roles
+ - key: "{{ element.verbs }}"
+ operator: AnyIn
+ value:
+ - bind
+ - escalate
+ - impersonate
From d8d50bef6109c9855de3eb508d9c695fe91a14f5 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Thu, 6 Jun 2024 18:14:49 +0000 Subject: [PATCH 07/19] NDEV-19285 add case where rules is null in restrict-clusterrole-nodesproxy Signed-off-by: Chandan-DK --- .../restrict-clusterrole-nodesproxy/e2e/good-resource.yaml | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/good-resource.yaml b/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/good-resource.yaml
index 50b49946..a84a62b8 100644
--- a/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/good-resource.yaml
+++ b/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/good-resource.yaml @@ -33,3 +33,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: goodcr-omitted-rules +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: goodcr-null-rules + rules: null From f009ec0672671d5d5744134a351d90e42a08cb28 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Thu, 6 Jun 2024 18:19:42 +0000 Subject: [PATCH 08/19] NDEV-19285 convert restrict-escalation-verbs-roles Signed-off-by: Chandan-DK --- .../restrict-escalation-verbs-roles.yaml | 39 +++++++------------ 1 file changed, 14 insertions(+), 25 deletions(-) diff --git a/rbac-best-practices-cel/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml b/rbac-best-practices-cel/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml index 99314f7c..af1ca304 100644 --- a/rbac-best-practices-cel/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml +++ b/rbac-best-practices-cel/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml @@ -3,12 +3,12 @@ kind: ClusterPolicy metadata: name: restrict-escalation-verbs-roles annotations: - policies.kyverno.io/title: Restrict Escalation Verbs in Roles - policies.kyverno.io/category: RBAC Best Practices + policies.kyverno.io/title: Restrict Escalation Verbs in Roles in CEL expressions + policies.kyverno.io/category: RBAC Best Practices in CEL policies.kyverno.io/severity: medium policies.kyverno.io/subject: Role, ClusterRole, RBAC - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.23" + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26" policies.kyverno.io/description: >- The verbs `impersonate`, `bind`, and `escalate` may all potentially lead to privilege escalation and should be tightly controlled. This policy prevents 
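Review bot: In the collapsed view the added `rules: null` sits at the same indentation as `name:` under `metadata:`; if it really is nested there, it is an unknown `metadata` field rather than the top-level `rules`, so the object only gets the implicit `rules: null` for the same reason as `goodcr-omitted-rules` and the fixture does not test an explicitly null `rules` as its name says (with kubectl's strict field validation it may even be rejected before the policy runs). Worth checking the indentation in the file and, if it is top-level, leaving a comment such as `# explicit null must be accepted like an omitted list`. The same layout appears in both `goodcr-null-rules` objects added to the escalation-verbs good-resource fixture in patch 09, where the Role variants also reuse the `goodcr-` prefix. The document list being extended starts outside the hunk.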
@@ -25,24 +25,13 @@ spec: - Role - ClusterRole validate: - message: "Use of verbs `escalate`, `bind`, and `impersonate` are forbidden." - foreach: - - list: "request.object.rules[]" - deny: - conditions: - all: - - key: "{{ element.apiGroups || '' }}" - operator: AnyIn - value: - - rbac.authorization.k8s.io - - key: "{{ element.resources || '' }}" - operator: AnyIn - value: - - clusterroles - - roles - - key: "{{ element.verbs }}" - operator: AnyIn - value: - - bind - - escalate - - impersonate + cel: + expressions: + - expression: >- + object.rules == null || + !object.rules.exists(rule, + rule.apiGroups.exists(apiGroup, apiGroup in ['*', 'rbac.authorization.k8s.io']) && + rule.resources.exists(resource, resource in ['*', 'clusterroles', 'roles']) && + rule.verbs.exists(verb, verb in ['*', 'bind', 'escalate', 'impersonate'])) + message: "Use of verbs `escalate`, `bind`, and `impersonate` are forbidden." + From 9057260775e0ddd173b9825ffcafbdc23ee51311 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Thu, 6 Jun 2024 18:21:54 +0000 Subject: [PATCH 09/19] NDEV-19285 test edge cases for restrict-escalation-verbs-roles Signed-off-by: Chandan-DK --- .../e2e/bad-resource.yaml | 18 ++++++++ .../e2e/good-resource.yaml | 43 +++++++++++++++++++ 2 files changed, 61 insertions(+) diff --git a/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/bad-resource.yaml b/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/bad-resource.yaml index dd998b91..a4a57855 100644 --- a/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/bad-resource.yaml +++ b/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/bad-resource.yaml @@ -44,6 +44,15 @@ rules: verbs: ["get", "watch", "list"] --- apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: badcr04 +rules: +- apiGroups: ["*"] + resources: ["*"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: badrole01 
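Review bot: The conversion drops the `|| ''` fallback the removed JMESPath keys had for `apiGroups` and `resources`, and the CEL reads `rule.apiGroups` and `rule.resources` unguarded; both keys are omitted from a rule that only lists `nonResourceURLs`, which, if Kyverno's CEL reports a missing key as an error as the Kubernetes library does, turns such a Role into an evaluation error instead of a pass. Separately, `impersonate` is a verb on `users`, `groups` and `serviceaccounts` in the core API group, so a rule granting it can never satisfy the rbac.authorization.k8s.io / roles / clusterroles filters here and is only caught through `*`, although the message and the description promise it is forbidden; the foreach version had the same blind spot, and no fixture in this series grants `impersonate`. A guarded expression with a separate impersonation clause is below, the `has()` guards standing in for the old `|| ''`. The hunk also ends with an added empty `+` line, and the rest of the rule sits outside it.
```yaml
      - expression: >-
          object.rules == null ||
          !object.rules.exists(rule,
            (has(rule.apiGroups) && rule.apiGroups.exists(apiGroup, apiGroup in ['*', 'rbac.authorization.k8s.io']) &&
             has(rule.resources) && rule.resources.exists(resource, resource in ['*', 'clusterroles', 'roles']) &&
             rule.verbs.exists(verb, verb in ['*', 'bind', 'escalate'])) ||
            (has(rule.apiGroups) && rule.apiGroups.exists(apiGroup, apiGroup in ['*', '']) &&
             has(rule.resources) && rule.resources.exists(resource, resource in ['*', 'users', 'groups', 'serviceaccounts']) &&
             rule.verbs.exists(verb, verb in ['*', 'impersonate'])))
        # … unchanged: message …
```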
@@ -87,3 +96,12 @@ rules: - apiGroups: ["batches"] resources: ["jobs"] verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: badrole04 +rules: +- apiGroups: ["*"] + resources: ["*"] + verbs: ["*"] \ No newline at end of file diff --git a/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/good-resource.yaml b/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/good-resource.yaml index a658b2a1..504cad8d 100644 --- a/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/good-resource.yaml +++ b/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/good-resource.yaml @@ -22,6 +22,27 @@ rules: resources: ["pods", "namespaces"] verbs: ["get", "watch", "list"] --- +# If 'rules' is specified without a value, +# the field will be set to 'rules: null' by default when the resource is created in the cluster. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: goodcr-empty-rules +rules: +--- +# If the 'rules' field is omitted from the manifest, +# the field will be set to 'rules: null' by default when the resource is created in the cluster. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: goodcr-omitted-rules +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: goodcr-null-rules + rules: null +--- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: 
@@ -45,3 +66,25 @@ rules: - apiGroups: [""] resources: ["pods", "namespaces"] verbs: ["get", "watch", "list"] +--- +# If 'rules' is specified without a value, +# the field will be set to 'rules: null' by default when the resource is created in the cluster. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: goodcr-empty-rules +rules: +--- +# If the 'rules' field is omitted from the manifest, +# the field will be set to 'rules: null' by default when the resource is created in the cluster. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: goodcr-omitted-rules +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: goodcr-null-rules + rules: null +--- From 7de6a90e084cf99a0b6e09061ba43d953a06eab3 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Thu, 6 Jun 2024 18:28:36 +0000 Subject: [PATCH 10/19] NDEV-19285 copy restrict-wildcard-resources Signed-off-by: Chandan-DK --- .../e2e/bad-resource.yaml | 65 +++++++++++++ .../e2e/chainsaw-test.yaml | 24 +++++ .../e2e/enforce-policy-assert.yaml | 11 +++ .../e2e/good-resource.yaml | 95 +++++++++++++++++++ .../e2e/policy-assert.yaml | 11 +++ .../restrict-wildcard-resources.yaml | 36 +++++++ 6 files changed, 242 insertions(+) create mode 100644 rbac-best-practices-cel/restrict-wildcard-resources/e2e/bad-resource.yaml create mode 100644 rbac-best-practices-cel/restrict-wildcard-resources/e2e/chainsaw-test.yaml create mode 100644 rbac-best-practices-cel/restrict-wildcard-resources/e2e/enforce-policy-assert.yaml create mode 100644 rbac-best-practices-cel/restrict-wildcard-resources/e2e/good-resource.yaml create mode 100644 rbac-best-practices-cel/restrict-wildcard-resources/e2e/policy-assert.yaml create mode 100644 rbac-best-practices-cel/restrict-wildcard-resources/restrict-wildcard-resources.yaml 
diff --git a/rbac-best-practices-cel/restrict-wildcard-resources/e2e/bad-resource.yaml b/rbac-best-practices-cel/restrict-wildcard-resources/e2e/bad-resource.yaml new file mode 100644 index 00000000..be346c23 --- /dev/null +++ b/rbac-best-practices-cel/restrict-wildcard-resources/e2e/bad-resource.yaml @@ -0,0 +1,65 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: badcr01 +rules: +- apiGroups: [""] + resources: ["namespaces", "*", "pods"] + verbs: ["get", "create"] +- apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: badcr02 +rules: +- apiGroups: ["apps"] + resources: ["*"] + verbs: ["get", "watch", "list"] +- apiGroups: [""] + resources: ["namespaces", "secrets", "pods"] + verbs: ["create", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: badcr03 +rules: +- apiGroups: [""] + resources: ["*"] + verbs: ["update", "list", "create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: badcr01 +rules: +- apiGroups: [""] + resources: ["namespaces", "*", "pods"] + verbs: ["get", "create"] +- apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: badcr02 +rules: +- apiGroups: ["apps"] + resources: ["*"] + verbs: ["get", "watch", "list"] +- apiGroups: [""] + resources: ["namespaces", "secrets", "pods"] + verbs: ["create", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: badcr03 +rules: +- apiGroups: [""] + resources: ["*"] + verbs: ["update", "list", "create"] diff --git a/rbac-best-practices-cel/restrict-wildcard-resources/e2e/chainsaw-test.yaml b/rbac-best-practices-cel/restrict-wildcard-resources/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..188244b5 --- /dev/null 
+++ b/rbac-best-practices-cel/restrict-wildcard-resources/e2e/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-wildcard-resources-policy +spec: + steps: + - name: test-restrict-wildcard-resources + try: + - apply: + file: ../restrict-wildcard-resources.yaml + - assert: + file: policy-assert.yaml + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-wildcard-resources.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/rbac-best-practices-cel/restrict-wildcard-resources/e2e/enforce-policy-assert.yaml b/rbac-best-practices-cel/restrict-wildcard-resources/e2e/enforce-policy-assert.yaml new file mode 100644 index 00000000..6054e24e --- /dev/null +++ b/rbac-best-practices-cel/restrict-wildcard-resources/e2e/enforce-policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-wildcard-resources +spec: + validationFailureAction: Enforce +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/rbac-best-practices-cel/restrict-wildcard-resources/e2e/good-resource.yaml b/rbac-best-practices-cel/restrict-wildcard-resources/e2e/good-resource.yaml new file mode 100644 index 00000000..f79c7f36 --- /dev/null +++ b/rbac-best-practices-cel/restrict-wildcard-resources/e2e/good-resource.yaml 
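Review bot: The bad-resource step asserts only `($error != null): true`, so any admission error satisfies it — a fixture rejected for a schema problem, a denial from an unrelated policy left in the cluster, or a CEL evaluation error reported as a failure all pass for the wrong reason. Tighten the check to the policy's own message, e.g. `(contains($error, 'Use of a wildcard')): true`, so the test proves this policy produced the denial. The chainsaw-test-vap.yaml files added in PATCH 14–17 use the same check and would benefit from the same change.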
@@ -0,0 +1,95 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: goodcr01 +rules: +- apiGroups: [""] + resources: ["pods", "namespaces"] + verbs: ["get", "watch", "list"] +- apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: goodcr02 +rules: +- apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get", "create", "update"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: goodcr03 +rules: +- apiGroups: ["batch"] + resources: ["secrets"] + verbs: ["create", "update", "patch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: goodcr04 +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: goodcr05 +rules: +- apiGroups: ["*"] + resources: ["secrets"] + verbs: ["create", "update", "patch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: goodcr01 +rules: +- apiGroups: [""] + resources: ["pods", "namespaces"] + verbs: ["get", "watch", "list"] +- apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: goodcr02 +rules: +- apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get", "create", "update"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: goodcr03 +rules: +- apiGroups: ["batch"] + resources: ["secrets"] + verbs: ["create", "update", "patch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: goodcr04 +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: goodcr05 +rules: +- apiGroups: ["*"] + resources: ["secrets"] + verbs: ["create", "update", "patch"] 
diff --git a/rbac-best-practices-cel/restrict-wildcard-resources/e2e/policy-assert.yaml b/rbac-best-practices-cel/restrict-wildcard-resources/e2e/policy-assert.yaml
new file mode 100644
index 00000000..28a0f36f
--- /dev/null
+++ b/rbac-best-practices-cel/restrict-wildcard-resources/e2e/policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-wildcard-resources
+spec:
+ validationFailureAction: Audit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/rbac-best-practices-cel/restrict-wildcard-resources/restrict-wildcard-resources.yaml b/rbac-best-practices-cel/restrict-wildcard-resources/restrict-wildcard-resources.yaml
new file mode 100644
index 00000000..5b3b88f8
--- /dev/null
+++ b/rbac-best-practices-cel/restrict-wildcard-resources/restrict-wildcard-resources.yaml
@@ -0,0 +1,36 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-wildcard-resources + annotations: + policies.kyverno.io/title: Restrict Wildcards in Resources + policies.kyverno.io/category: RBAC Best Practices + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: ClusterRole, Role, RBAC + policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kubernetes-version: "1.23" + policies.kyverno.io/description: >- + Wildcards ('*') in resources grants access to all of the resources referenced by + the given API group and does not follow the principal of least privilege. As much as possible, + avoid such open resources unless scoped to perhaps a custom API group. + This policy blocks any Role or ClusterRole that contains a wildcard entry in + the resources list found in any rule. +spec: + validationFailureAction: Audit + background: true + rules: + - name: wildcard-resources + match: + any: + - resources: + kinds: + - Role + - ClusterRole + validate: + message: "Use of a wildcard ('*') in any resources is forbidden." + deny: + conditions: + any: + - key: "{{ contains(request.object.rules[].resources[], '*') }}" + operator: Equals + value: true From 2ed34b7e2a08e81df800b548b1882f564594c3da Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Thu, 6 Jun 2024 18:30:35 +0000 Subject: [PATCH 11/19] NDEV-19285 convert restrict-wildcard-resources Signed-off-by: Chandan-DK --- .../restrict-wildcard-resources.yaml | 20 +++++++++---------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/rbac-best-practices-cel/restrict-wildcard-resources/restrict-wildcard-resources.yaml b/rbac-best-practices-cel/restrict-wildcard-resources/restrict-wildcard-resources.yaml index 5b3b88f8..b22943a4 100644 --- a/rbac-best-practices-cel/restrict-wildcard-resources/restrict-wildcard-resources.yaml +++ b/rbac-best-practices-cel/restrict-wildcard-resources/restrict-wildcard-resources.yaml 
@@ -3,12 +3,12 @@ kind: ClusterPolicy metadata: name: restrict-wildcard-resources annotations: - policies.kyverno.io/title: Restrict Wildcards in Resources - policies.kyverno.io/category: RBAC Best Practices + policies.kyverno.io/title: Restrict Wildcards in Resources in CEL expressions + policies.kyverno.io/category: RBAC Best Practices in CEL policies.kyverno.io/severity: medium policies.kyverno.io/subject: ClusterRole, Role, RBAC - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.23" + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26" policies.kyverno.io/description: >- Wildcards ('*') in resources grants access to all of the resources referenced by the given API group and does not follow the principal of least privilege. As much as possible, @@ -27,10 +27,8 @@ spec: - Role - ClusterRole validate: - message: "Use of a wildcard ('*') in any resources is forbidden." - deny: - conditions: - any: - - key: "{{ contains(request.object.rules[].resources[], '*') }}" - operator: Equals - value: true + cel: + expressions: + - expression: "object.rules == null || !object.rules.exists(rule, '*' in rule.resources)" + message: "Use of a wildcard ('*') in any resources is forbidden." + From c012a2cc59728e73da15e7ba63e2776f0ac913bd Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Thu, 6 Jun 2024 18:33:10 +0000 Subject: [PATCH 12/19] NDEV-19285 rename roles and add extra cases for restrict-wildcard-resources Signed-off-by: Chandan-DK --- .../e2e/bad-resource.yaml | 6 +-- .../e2e/good-resource.yaml | 52 +++++++++++++++++-- 2 files changed, 50 insertions(+), 8 deletions(-) diff --git a/rbac-best-practices-cel/restrict-wildcard-resources/e2e/bad-resource.yaml b/rbac-best-practices-cel/restrict-wildcard-resources/e2e/bad-resource.yaml index be346c23..7180d7c2 100644 --- a/rbac-best-practices-cel/restrict-wildcard-resources/e2e/bad-resource.yaml +++ b/rbac-best-practices-cel/restrict-wildcard-resources/e2e/bad-resource.yaml 
@@ -34,7 +34,7 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: badcr01 + name: badrole01 rules: - apiGroups: [""] resources: ["namespaces", "*", "pods"] @@ -46,7 +46,7 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: badcr02 + name: badrole02 rules: - apiGroups: ["apps"] resources: ["*"] @@ -58,7 +58,7 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: badcr03 + name: badrole03 rules: - apiGroups: [""] resources: ["*"] diff --git a/rbac-best-practices-cel/restrict-wildcard-resources/e2e/good-resource.yaml b/rbac-best-practices-cel/restrict-wildcard-resources/e2e/good-resource.yaml index f79c7f36..eab7b8c7 100644 --- a/rbac-best-practices-cel/restrict-wildcard-resources/e2e/good-resource.yaml +++ b/rbac-best-practices-cel/restrict-wildcard-resources/e2e/good-resource.yaml @@ -46,10 +46,31 @@ rules: resources: ["secrets"] verbs: ["create", "update", "patch"] --- +# If 'rules' is specified without a value, +# the field will be set to 'rules: null' by default when the resource is created in the cluster. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: goodcr-empty-rules +rules: +--- +# If the 'rules' field is omitted from the manifest, +# the field will be set to 'rules: null' by default when the resource is created in the cluster. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: goodcr-omitted-rules +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: goodcr-null-rules + rules: null +--- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: goodcr01 + name: goodrole01 rules: - apiGroups: [""] resources: ["pods", "namespaces"] @@ -61,7 +82,7 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: goodcr02 + name: goodrole02 rules: - apiGroups: ["apps"] resources: ["deployments"] 
@@ -70,7 +91,7 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: goodcr03 + name: goodrole03 rules: - apiGroups: ["batch"] resources: ["secrets"] @@ -79,7 +100,7 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: goodcr04 + name: goodrole04 rules: - apiGroups: [""] resources: ["secrets"] @@ -88,8 +109,29 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: goodcr05 + name: goodrole05 rules: - apiGroups: ["*"] resources: ["secrets"] verbs: ["create", "update", "patch"] +--- +# If 'rules' is specified without a value, +# the field will be set to 'rules: null' by default when the resource is created in the cluster. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: goodcr-empty-rules +rules: +--- +# If the 'rules' field is omitted from the manifest, +# the field will be set to 'rules: null' by default when the resource is created in the cluster. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: goodcr-omitted-rules +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: goodcr-null-rules + rules: null From b8b70294607ff020274936a87fe0ce37fe7cf0ab Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Thu, 6 Jun 2024 18:37:40 +0000 Subject: [PATCH 13/19] NDEV-19285 rename roles for clarity Signed-off-by: Chandan-DK --- .../restrict-escalation-verbs-roles/e2e/good-resource.yaml | 6 +++--- .../restrict-wildcard-resources/e2e/good-resource.yaml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/good-resource.yaml b/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/good-resource.yaml index 504cad8d..e0a6adac 100644 --- a/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/good-resource.yaml +++ b/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/good-resource.yaml 
@@ -72,7 +72,7 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: goodcr-empty-rules + name: goodrole-empty-rules rules: --- # If the 'rules' field is omitted from the manifest, @@ -80,11 +80,11 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: goodcr-omitted-rules + name: goodrole-omitted-rules --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: goodcr-null-rules + name: goodrole-null-rules rules: null --- diff --git a/rbac-best-practices-cel/restrict-wildcard-resources/e2e/good-resource.yaml b/rbac-best-practices-cel/restrict-wildcard-resources/e2e/good-resource.yaml index eab7b8c7..fad3036f 100644 --- a/rbac-best-practices-cel/restrict-wildcard-resources/e2e/good-resource.yaml +++ b/rbac-best-practices-cel/restrict-wildcard-resources/e2e/good-resource.yaml @@ -120,7 +120,7 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: goodcr-empty-rules + name: goodrole-empty-rules rules: --- # If the 'rules' field is omitted from the manifest, @@ -128,10 +128,10 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: goodcr-omitted-rules + name: goodrole-omitted-rules --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: goodcr-null-rules + name: goodrole-null-rules rules: null From 1538c243cf3af072f1b2f71af464c27e13b72d07 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Fri, 7 Jun 2024 09:15:47 +0000 Subject: [PATCH 14/19] NDEV-19285 add vap tests for restrict-binding-system-groups 
Signed-off-by: Chandan-DK --- .../e2e/chainsaw-test-vap.yaml | 28 +++++++++++++++++++ .../e2e/vap-assert.yaml | 12 ++++++++ .../e2e/vap-binding-assert.yaml | 12 ++++++++ 3 files changed, 52 insertions(+) create mode 100644 rbac-best-practices-cel/restrict-binding-system-groups/e2e/chainsaw-test-vap.yaml create mode 100644 rbac-best-practices-cel/restrict-binding-system-groups/e2e/vap-assert.yaml create mode 100644 rbac-best-practices-cel/restrict-binding-system-groups/e2e/vap-binding-assert.yaml diff --git a/rbac-best-practices-cel/restrict-binding-system-groups/e2e/chainsaw-test-vap.yaml b/rbac-best-practices-cel/restrict-binding-system-groups/e2e/chainsaw-test-vap.yaml new file mode 100644 index 00000000..c583bd9a --- /dev/null +++ b/rbac-best-practices-cel/restrict-binding-system-groups/e2e/chainsaw-test-vap.yaml @@ -0,0 +1,28 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-binding-system-groups-policy +spec: + steps: + - name: test-restrict-binding-system-groups + try: + - apply: + file: ../restrict-binding-system-groups.yaml + - assert: + file: policy-assert.yaml + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-binding-system-groups.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - assert: + file: vap-assert.yaml + - assert: + file: vap-binding-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/rbac-best-practices-cel/restrict-binding-system-groups/e2e/vap-assert.yaml b/rbac-best-practices-cel/restrict-binding-system-groups/e2e/vap-assert.yaml new file mode 100644 index 00000000..0d03c480 --- /dev/null +++ b/rbac-best-practices-cel/restrict-binding-system-groups/e2e/vap-assert.yaml 
@@ -0,0 +1,12 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: restrict-binding-system-groups + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-binding-system-groups +spec: + failurePolicy: Fail \ No newline at end of file diff --git a/rbac-best-practices-cel/restrict-binding-system-groups/e2e/vap-binding-assert.yaml b/rbac-best-practices-cel/restrict-binding-system-groups/e2e/vap-binding-assert.yaml new file mode 100644 index 00000000..c44d8ea6 --- /dev/null +++ b/rbac-best-practices-cel/restrict-binding-system-groups/e2e/vap-binding-assert.yaml @@ -0,0 +1,12 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: restrict-binding-system-groups-binding + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-binding-system-groups +spec: + policyName: restrict-binding-system-groups \ No newline at end of file From 393d182a718ebf8eff44e23239098ae3239f3d0a Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Fri, 7 Jun 2024 09:16:07 +0000 Subject: [PATCH 15/19] NDEV-19285 add vap tests for restrict-clusterrole-nodesproxy Signed-off-by: Chandan-DK --- .../e2e/chainsaw-test-vap.yaml | 28 +++++++++++++++++++ .../e2e/vap-assert.yaml | 12 ++++++++ .../e2e/vap-binding-assert.yaml | 12 ++++++++ 3 files changed, 52 insertions(+) create mode 100644 rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/chainsaw-test-vap.yaml create mode 100644 rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/vap-assert.yaml create mode 100644 rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/vap-binding-assert.yaml 
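Review bot: vap-assert.yaml checks only that the generated ValidatingAdmissionPolicy exists with `failurePolicy: Fail`, and vap-binding-assert.yaml only that the binding names it; neither asserts what the policy validates, so a generated VAP with an empty or mistranslated `spec.validations` would still pass, and the later bad-resource denial may come from Kyverno's webhook rather than from the VAP under test. Assert at least the validation message under `spec:` — `validations:` / `- message: "<message from the ClusterPolicy>"` — so the test pins the generated policy to the ClusterPolicy it was derived from. The vap-assert and vap-binding-assert files for the other three policies (PATCH 15–17) follow the same shape.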
diff --git a/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/chainsaw-test-vap.yaml b/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/chainsaw-test-vap.yaml new file mode 100644 index 00000000..002fb48d --- /dev/null +++ b/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/chainsaw-test-vap.yaml @@ -0,0 +1,28 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-clusterrole-nodesproxy-policy +spec: + steps: + - name: test-restrict-clusterrole-nodesproxy + try: + - apply: + file: ../restrict-clusterrole-nodesproxy.yaml + - assert: + file: policy-assert.yaml + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-clusterrole-nodesproxy.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - assert: + file: vap-assert.yaml + - assert: + file: vap-binding-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/vap-assert.yaml b/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/vap-assert.yaml new file mode 100644 index 00000000..d5a4acf1 --- /dev/null +++ b/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/vap-assert.yaml @@ -0,0 +1,12 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: restrict-clusterrole-nodesproxy + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-clusterrole-nodesproxy +spec: + failurePolicy: Fail \ No newline at end of file diff --git a/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/vap-binding-assert.yaml b/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/vap-binding-assert.yaml new file mode 100644 index 00000000..94306751 --- /dev/null 
+++ b/rbac-best-practices-cel/restrict-clusterrole-nodesproxy/e2e/vap-binding-assert.yaml @@ -0,0 +1,12 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: restrict-clusterrole-nodesproxy-binding + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-clusterrole-nodesproxy +spec: + policyName: restrict-clusterrole-nodesproxy \ No newline at end of file From 36613f68521bc4aebedf4c784c61c031cb691d03 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Fri, 7 Jun 2024 09:16:23 +0000 Subject: [PATCH 16/19] NDEV-19285 add vap tests for restrict-escalation-verbs-roles Signed-off-by: Chandan-DK --- .../e2e/chainsaw-test-vap.yaml | 28 +++++++++++++++++++ .../e2e/vap-assert.yaml | 12 ++++++++ .../e2e/vap-binding-assert.yaml | 12 ++++++++ 3 files changed, 52 insertions(+) create mode 100644 rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/chainsaw-test-vap.yaml create mode 100644 rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/vap-assert.yaml create mode 100644 rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/vap-binding-assert.yaml diff --git a/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/chainsaw-test-vap.yaml b/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/chainsaw-test-vap.yaml new file mode 100644 index 00000000..8e0062f4 --- /dev/null +++ b/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/chainsaw-test-vap.yaml 
@@ -0,0 +1,28 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-escalation-verbs-roles-policy +spec: + steps: + - name: test-restrict-escalation-verbs-roles + try: + - apply: + file: ../restrict-escalation-verbs-roles.yaml + - assert: + file: policy-assert.yaml + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-escalation-verbs-roles.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - assert: + file: vap-assert.yaml + - assert: + file: vap-binding-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/vap-assert.yaml b/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/vap-assert.yaml new file mode 100644 index 00000000..bff40bbc --- /dev/null +++ b/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/vap-assert.yaml @@ -0,0 +1,12 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: restrict-escalation-verbs-roles + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-escalation-verbs-roles +spec: + failurePolicy: Fail \ No newline at end of file diff --git a/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/vap-binding-assert.yaml b/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/vap-binding-assert.yaml new file mode 100644 index 00000000..f3d4f552 --- /dev/null +++ b/rbac-best-practices-cel/restrict-escalation-verbs-roles/e2e/vap-binding-assert.yaml 
@@ -0,0 +1,12 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: restrict-escalation-verbs-roles-binding + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-escalation-verbs-roles +spec: + policyName: restrict-escalation-verbs-roles \ No newline at end of file From 80fbb5246ebdab0ddfbd0a2e5f4e55942e82f51c Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Fri, 7 Jun 2024 09:16:38 +0000 Subject: [PATCH 17/19] NDEV-19285 add vap tests for restrict-wildcard-resources Signed-off-by: Chandan-DK --- .../e2e/chainsaw-test-vap.yaml | 28 +++++++++++++++++++ .../e2e/vap-assert.yaml | 12 ++++++++ .../e2e/vap-binding-assert.yaml | 12 ++++++++ 3 files changed, 52 insertions(+) create mode 100644 rbac-best-practices-cel/restrict-wildcard-resources/e2e/chainsaw-test-vap.yaml create mode 100644 rbac-best-practices-cel/restrict-wildcard-resources/e2e/vap-assert.yaml create mode 100644 rbac-best-practices-cel/restrict-wildcard-resources/e2e/vap-binding-assert.yaml diff --git a/rbac-best-practices-cel/restrict-wildcard-resources/e2e/chainsaw-test-vap.yaml b/rbac-best-practices-cel/restrict-wildcard-resources/e2e/chainsaw-test-vap.yaml new file mode 100644 index 00000000..bacdb83a --- /dev/null +++ b/rbac-best-practices-cel/restrict-wildcard-resources/e2e/chainsaw-test-vap.yaml 
@@ -0,0 +1,28 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-wildcard-resources-policy +spec: + steps: + - name: test-restrict-wildcard-resources + try: + - apply: + file: ../restrict-wildcard-resources.yaml + - assert: + file: policy-assert.yaml + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-wildcard-resources.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - assert: + file: vap-assert.yaml + - assert: + file: vap-binding-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/rbac-best-practices-cel/restrict-wildcard-resources/e2e/vap-assert.yaml b/rbac-best-practices-cel/restrict-wildcard-resources/e2e/vap-assert.yaml new file mode 100644 index 00000000..17cbc1b0 --- /dev/null +++ b/rbac-best-practices-cel/restrict-wildcard-resources/e2e/vap-assert.yaml @@ -0,0 +1,12 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: restrict-wildcard-resources + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-wildcard-resources +spec: + failurePolicy: Fail \ No newline at end of file diff --git a/rbac-best-practices-cel/restrict-wildcard-resources/e2e/vap-binding-assert.yaml b/rbac-best-practices-cel/restrict-wildcard-resources/e2e/vap-binding-assert.yaml new file mode 100644 index 00000000..e01957af --- /dev/null +++ b/rbac-best-practices-cel/restrict-wildcard-resources/e2e/vap-binding-assert.yaml 
@@ -0,0 +1,12 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: restrict-wildcard-resources-binding + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-wildcard-resources +spec: + policyName: restrict-wildcard-resources \ No newline at end of file From 1e3a8fc40bcd4c667a14308f48385f723f7107d3 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Fri, 7 Jun 2024 10:14:52 +0000 Subject: [PATCH 18/19] NDEV-19285 add vap tests in workflow Signed-off-by: Chandan-DK --- .github/scripts/config/helm/values-vap.yaml | 18 +++++ .github/scripts/config/kind/vap-v1alpha1.yaml | 9 +++ .github/scripts/config/kind/vap-v1beta1.yaml | 10 +++ .github/workflows/chainsaw-e2e.yaml | 66 +++++++++++++++++++ Makefile | 28 ++++++++ 5 files changed, 131 insertions(+) create mode 100644 .github/scripts/config/helm/values-vap.yaml create mode 100644 .github/scripts/config/kind/vap-v1alpha1.yaml create mode 100644 .github/scripts/config/kind/vap-v1beta1.yaml diff --git a/.github/scripts/config/helm/values-vap.yaml b/.github/scripts/config/helm/values-vap.yaml new file mode 100644 index 00000000..64f28aba --- /dev/null +++ b/.github/scripts/config/helm/values-vap.yaml @@ -0,0 +1,18 @@ +features: + generateValidatingAdmissionPolicy: + enabled: true + +admissionController: + rbac: + clusterRole: + extraResources: + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingadmissionpolicies + - validatingadmissionpolicybindings + verbs: + - create + - update + - delete + - list \ No newline at end of file diff --git a/.github/scripts/config/kind/vap-v1alpha1.yaml b/.github/scripts/config/kind/vap-v1alpha1.yaml new file mode 100644 index 00000000..7ab36c3f --- /dev/null +++ b/.github/scripts/config/kind/vap-v1alpha1.yaml 
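Review bot: values-vap.yaml widens the admission controller's ClusterRole to `create`, `update`, `delete` and `list` on every ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding in the cluster, with nothing recording that this is a CI-only override needed for `generateValidatingAdmissionPolicy`. A header such as `# CI only: lets the admission controller manage the VAP objects Kyverno generates; review the scope before reusing in a production values file` makes the intent explicit for whoever copies it next. The file also lacks a trailing newline.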
@@ -0,0 +1,9 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+featureGates:
+ ValidatingAdmissionPolicy: true
+runtimeConfig:
+ admissionregistration.k8s.io/v1alpha1: true
+nodes:
+ - role: control-plane
+ - role: worker
\ No newline at end of file
diff --git a/.github/scripts/config/kind/vap-v1beta1.yaml b/.github/scripts/config/kind/vap-v1beta1.yaml
new file mode 100644
index 00000000..36609acf
--- /dev/null
+++ b/.github/scripts/config/kind/vap-v1beta1.yaml
@@ -0,0 +1,10 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+featureGates:
+ ValidatingAdmissionPolicy: true
+runtimeConfig:
+ admissionregistration.k8s.io/v1beta1: true
+ admissionregistration.k8s.io/v1alpha1: true
+nodes:
+ - role: control-plane
+ - role: worker
\ No newline at end of file
diff --git a/.github/workflows/chainsaw-e2e.yaml b/.github/workflows/chainsaw-e2e.yaml
index f64208cf..b9b256c9 100644
--- a/.github/workflows/chainsaw-e2e.yaml
+++ b/.github/workflows/chainsaw-e2e.yaml
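Review bot: The beta config enables `admissionregistration.k8s.io/v1alpha1: true` next to v1beta1, which reads as a leftover from `vap-v1alpha1.yaml` unless the reader knows the shared `vap-assert.yaml`/`vap-binding-assert.yaml` fixtures are pinned to `apiVersion: admissionregistration.k8s.io/v1alpha1`. If that is the reason, a comment on the line such as `# v1alpha1 kept so the shared e2e asserts (pinned to v1alpha1) resolve on beta clusters` prevents a future cleanup from dropping it and silently breaking the beta matrix. Both kind configs also lack a trailing newline.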
@@ -84,3 +84,69 @@ jobs:
 - name: Test with Chainsaw
 run: make test-chainsaw
+
+ run-e2etest-vap-alpha:
+ runs-on: ubuntu-latest
+
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [v1.27.3, v1.26.3]
+ n4k-chart-version: [3.1.14]
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Prepare environment
+ run: |
+ K8S_VERSION=${{ matrix.k8s-version }} make kind-create-cluster-vap-alpha
+
+ - name: Install kyverno
+ run: |
+ N4K_VERSION=${{ matrix.n4k-chart-version }} make kind-deploy-kyverno-vap
+
+ - name: Check Kyverno status
+ run: make wait-for-kyverno
+
+ - name: Install chainsaw
+ uses: kyverno/action-install-chainsaw@v0.1.6
+
+ - name: Verify Chainsaw Installation
+ run: chainsaw version
+
+ - name: Test with Chainsaw
+ run: make test-chainsaw-vap
+
+ run-e2etest-vap-beta:
+ runs-on: ubuntu-latest
+
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [v1.29.2, v1.28.0]
+ n4k-chart-version: [3.1.14]
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Prepare environment
+ run: |
+ K8S_VERSION=${{ matrix.k8s-version }} make kind-create-cluster-vap-beta
+
+ - name: Install kyverno
+ run: |
+ N4K_VERSION=${{ matrix.n4k-chart-version }} make kind-deploy-kyverno-vap
+
+ - name: Check Kyverno status
+ run: make wait-for-kyverno
+
+ - name: Install chainsaw
+ uses: kyverno/action-install-chainsaw@v0.1.6
+
+ - name: Verify Chainsaw Installation
+ run: chainsaw version
+
+ - name: Test with Chainsaw
+ run: make test-chainsaw-vap
diff --git a/Makefile b/Makefile
index 2dea7295..47c5bc68 100644
--- a/Makefile
+++ b/Makefile
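Review bot: `run-e2etest-vap-alpha` and `run-e2etest-vap-beta` are identical apart from the `k8s-version` list and the kind make target, so every future change to the steps has to be made twice; a single job whose matrix `include` maps each `k8s-version` to its `cluster-target` removes the duplication, as sketched below. Both jobs also reference third-party actions by mutable tag (`actions/checkout@v3`, `kyverno/action-install-chainsaw@v0.1.6`); pinning each to its full commit SHA with the tag in a trailing comment protects the workflow from a retagged release, and the existing jobs above this hunk would benefit from the same treatment. The enclosing `jobs:` map starts outside the hunk.
```yaml
  run-e2etest-vap:
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
      matrix:
        k8s-version: [v1.26.3, v1.27.3, v1.28.0, v1.29.2]
        n4k-chart-version: [3.1.14]
        include:
          - k8s-version: v1.26.3
            cluster-target: kind-create-cluster-vap-alpha
          - k8s-version: v1.27.3
            cluster-target: kind-create-cluster-vap-alpha
          - k8s-version: v1.28.0
            cluster-target: kind-create-cluster-vap-beta
          - k8s-version: v1.29.2
            cluster-target: kind-create-cluster-vap-beta

    steps:
      # … unchanged: Checkout …
      - name: Prepare environment
        run: |
          K8S_VERSION=${{ matrix.k8s-version }} make ${{ matrix.cluster-target }}
      # … unchanged: Install kyverno, Check Kyverno status, Install chainsaw, Verify Chainsaw Installation, Test with Chainsaw …
```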
@@ -8,6 +8,9 @@ USE_CONFIG ?= standard
 TOOLS_DIR := $(PWD)/.tools
 KIND := $(TOOLS_DIR)/kind
 KIND_VERSION := v0.22.0
+KIND_VAP_ALPHA_CONFIG := $(PWD)/.github/scripts/config/kind/vap-v1alpha1.yaml
+KIND_VAP_BETA_CONFIG := $(PWD)/.github/scripts/config/kind/vap-v1beta1.yaml
+HELM_VALUES_VAP := $(PWD)/.github/scripts/config/helm/values-vap.yaml
 HELM := $(TOOLS_DIR)/helm
 HELM_VERSION := v3.10.1
 TOOLS := $(KIND) $(HELM)
@@ -37,12 +40,29 @@ test-chainsaw:
 @echo Running chainsaw tests... >&2
 @chainsaw test --config .chainsaw-config.yaml
+.PHONY: test-chainsaw-vap
+test-chainsaw-vap:
+ @echo Running chainsaw tests for VAPs... >&2
+ @chainsaw test --config .chainsaw-config.yaml --test-file chainsaw-test-vap.yaml
+
 ## Create kind cluster
 .PHONY: kind-create-cluster
 kind-create-cluster: $(KIND)
 @echo Create kind cluster... >&2
 @$(KIND) create cluster --name $(KIND_NAME) --image $(KIND_IMAGE)
+## Create kind cluster with alpha VAP enabled
+.PHONY: kind-create-cluster-vap-alpha
+kind-create-cluster-vap-alpha: $(KIND)
+ @echo Create kind cluster... >&2
+ @$(KIND) create cluster --name $(KIND_NAME) --image $(KIND_IMAGE) --config $(KIND_VAP_ALPHA_CONFIG)
+
+## Create kind cluster with beta VAP enabled
+.PHONY: kind-create-cluster-vap-beta
+kind-create-cluster-vap-beta: $(KIND)
+ @echo Create kind cluster... >&2
+ @$(KIND) create cluster --name $(KIND_NAME) --image $(KIND_IMAGE) --config $(KIND_VAP_BETA_CONFIG)
+
 ## Delete kind cluster
 .PHONY: kind-delete-cluster
 kind-delete-cluster: $(KIND)
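Review bot: The three new config paths are built from `$(PWD)`, which Make inherits from the shell environment rather than computing itself, so it can be unset or stale under `make -C`, `sudo`, or a minimal CI shell. `$(CURDIR)` is Make's own absolute working directory and the conventional choice, e.g. `KIND_VAP_ALPHA_CONFIG := $(CURDIR)/.github/scripts/config/kind/vap-v1alpha1.yaml`. The existing `TOOLS_DIR` line uses `$(PWD)` as well, so either migrate all four together or keep them consistent and accept the caveat.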
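Review bot: `test-chainsaw-vap` is the only new target in this hunk without the `##` description line the file puts before every target (`## Create kind cluster`, `## Delete kind cluster`); add `## Run chainsaw tests for VAPs (uses chainsaw-test-vap.yaml as the test file)` above its `.PHONY` line. The two new cluster targets also echo the same `Create kind cluster...` message as the base target, so a CI log does not show which kind config was applied; `@echo Create kind cluster with alpha VAP config... >&2` (and the `beta` counterpart) makes the log self-describing.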
@@ -57,6 +77,14 @@ kind-deploy-kyverno: $(HELM)
 @$(HELM) repo update
 @$(HELM) install kyverno nirmata/kyverno -n kyverno --create-namespace --version=$(N4K_VERSION)
+## Deploy Enterprise Kyverno with VAP generation enabled
+.PHONY: kind-deploy-kyverno-vap
+kind-deploy-kyverno-vap: $(HELM)
+ @echo Install kyverno chart... >&2
+ @$(HELM) repo add nirmata https://nirmata.github.io/kyverno-charts
+ @$(HELM) repo update
+ @$(HELM) install kyverno nirmata/kyverno -n kyverno --create-namespace --version=$(N4K_VERSION) --values=$(HELM_VALUES_VAP)
+
 ## Check Kyverno status
 .PHONY: wait-for-kyverno
 wait-for-kyverno:
From 102dde46e388f8abf4c7c7d69e5e935c7dc8b86f Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Tue, 18 Jun 2024 06:21:37 +0000
Subject: [PATCH 19/19] exclude cel folders in chainsaw tests for kyverno version 1.10
Signed-off-by: Chandan-DK
---
 .github/workflows/chainsaw-e2e.yaml | 2 +-
 Makefile | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/chainsaw-e2e.yaml b/.github/workflows/chainsaw-e2e.yaml
index d8104ab5..5b14425c 100644
--- a/.github/workflows/chainsaw-e2e.yaml
+++ b/.github/workflows/chainsaw-e2e.yaml
@@ -45,7 +45,7 @@ jobs:
 run: chainsaw version
 - name: Test with Chainsaw
- run: make test-chainsaw
+ run: make test-chainsaw-exclude-cel
 run-e2etest-2:
 runs-on: ubuntu-latest
diff --git a/Makefile b/Makefile
index 47c5bc68..68522dea 100644
--- a/Makefile
+++ b/Makefile
@@ -40,6 +40,11 @@ test-chainsaw:
 @echo Running chainsaw tests... >&2
 @chainsaw test --config .chainsaw-config.yaml
+.PHONY: test-chainsaw-exclude-cel
+test-chainsaw-exclude-cel:
+ @echo Running chainsaw tests by excluding CEL folders... >&2
+ @chainsaw test --config .chainsaw-config.yaml --exclude-test-regex 'chainsaw/.*-cel'
+
 .PHONY: test-chainsaw-vap
 test-chainsaw-vap:
 @echo Running chainsaw tests for VAPs... >&2
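Review bot: `kind-deploy-kyverno-vap` repeats all four recipe lines of `kind-deploy-kyverno` and differs only in the trailing `--values=$(HELM_VALUES_VAP)`, so a future change to the chart repository or install flags has to be made in two places. A target-specific variable keeps a single recipe: declare `HELM_EXTRA_ARGS ?=` with the other variables at the top of the file (outside this hunk), append `$(HELM_EXTRA_ARGS)` to the install line of `kind-deploy-kyverno`, and let the VAP target set the variable and depend on the base target, as sketched below. `kind-deploy-kyverno` itself starts above this hunk.
```make
kind-deploy-kyverno: $(HELM)
# … unchanged: echo, repo add, repo update …
	@$(HELM) install kyverno nirmata/kyverno -n kyverno --create-namespace --version=$(N4K_VERSION) $(HELM_EXTRA_ARGS)

## Deploy Enterprise Kyverno with VAP generation enabled
.PHONY: kind-deploy-kyverno-vap
kind-deploy-kyverno-vap: HELM_EXTRA_ARGS := --values=$(HELM_VALUES_VAP)
kind-deploy-kyverno-vap: kind-deploy-kyverno
```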
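Review bot: The switch to `run: make test-chainsaw-exclude-cel` carries no explanation in the workflow itself; the commit subject says the CEL folders are skipped because this job runs Kyverno 1.10, but that reasoning is invisible to someone reading the YAML. A comment above the step, e.g. `# Kyverno 1.10 cannot run the *-cel suites; see test-chainsaw-exclude-cel in the Makefile`, records the constraint, and it may be worth keying the exclusion to the job's matrix version rather than hard-coding it into this one job. The job this step belongs to starts outside the hunk.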
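Review bot: `--exclude-test-regex 'chainsaw/.*-cel'` is anchored neither to the directory layout nor to the end of the string, and this Makefile does not say what chainsaw matches the pattern against. The VAP test earlier in this series lives under `rbac-best-practices-cel/` but is named `restrict-wildcard-resources-policy`, with no `-cel` in the name, so if chainsaw matches on the test name rather than the test's path that suite would still run on the 1.10 job; confirm the matching rule for the chainsaw version the workflow installs. Like the other targets in the file, `test-chainsaw-exclude-cel` should also get a `##` description above its `.PHONY` line, e.g. `## Run chainsaw tests, skipping suites under *-cel folders (not supported on Kyverno 1.10)`.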