From 098b0ef1a6d6c68b8b867b5904edff1c019bfe0e Mon Sep 17 00:00:00 2001
From: krishbajaj1609
Date: Tue, 4 Jun 2024 21:18:25 +0530
Subject: [PATCH] feature/global-policy-set : upgrade version for test
---
 charts/test-krish-globalps/Chart.yaml | 2 +-
 .../pols/disallow-capabilities.yaml | 46 +++++++++++++++++++
 .../pols/disallow-host-namespaces.yaml | 35 ++++++++++++++
 .../pols/disallow-host-path.yaml | 33 +++++++++++++
 .../pols/disallow-host-ports.yaml | 40 ++++++++++++++++
 .../pols/disallow-host-process.yaml | 44 ++++++++++++++++++
 .../pols/disallow-privileged-containers.yaml | 39 ++++++++++++++++
 .../pols/disallow-proc-mount.yaml | 41 +++++++++++++++++
 .../pols/restrict-apparmor-profiles.yaml | 34 ++++++++++++++
 .../pols/restrict-seccomp.yaml | 45 ++++++++++++++++++
 10 files changed, 358 insertions(+), 1 deletion(-)
 create mode 100644 charts/test-krish-globalps/pols/disallow-capabilities.yaml
 create mode 100644 charts/test-krish-globalps/pols/disallow-host-namespaces.yaml
 create mode 100644 charts/test-krish-globalps/pols/disallow-host-path.yaml
 create mode 100644 charts/test-krish-globalps/pols/disallow-host-ports.yaml
 create mode 100644 charts/test-krish-globalps/pols/disallow-host-process.yaml
 create mode 100644 charts/test-krish-globalps/pols/disallow-privileged-containers.yaml
 create mode 100644 charts/test-krish-globalps/pols/disallow-proc-mount.yaml
 create mode 100644 charts/test-krish-globalps/pols/restrict-apparmor-profiles.yaml
 create mode 100644 charts/test-krish-globalps/pols/restrict-seccomp.yaml
diff --git a/charts/test-krish-globalps/Chart.yaml b/charts/test-krish-globalps/Chart.yaml
index b86e929e..db4aafad 100644
--- a/charts/test-krish-globalps/Chart.yaml
+++ b/charts/test-krish-globalps/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: test-krish
 description: Pod Security Standards (baseline) policy set
 type: application
-version: 0.5.3
+version: 0.5.4
 appVersion: 0.1.0
 keywords:
 - kubernetes
diff --git a/charts/test-krish-globalps/pols/disallow-capabilities.yaml b/charts/test-krish-globalps/pols/disallow-capabilities.yaml
new file mode 100644
index 00000000..35d48f47
--- /dev/null
+++ b/charts/test-krish-globalps/pols/disallow-capabilities.yaml
@@ -0,0 +1,46 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-capabilities
+ annotations:
+ policies.kyverno.io/title: Disallow Capabilities
+ policies.kyverno.io/category: Pod Security Standards (Baseline)
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kubernetes-version: "1.22-1.23"
+ policies.kyverno.io/subject: Pod
+ policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-capabilities/"
+ policies.kyverno.io/description: >-
+ Adding capabilities beyond those listed in the policy must be disallowed.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: adding-capabilities
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ Adding capabilities beyond those listed in the policy rule is disallowed.
+ deny:
+ conditions:
+ all:
+ - key: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].securityContext.capabilities.add[] }}"
+ operator: AnyNotIn
+ value:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
diff --git a/charts/test-krish-globalps/pols/disallow-host-namespaces.yaml b/charts/test-krish-globalps/pols/disallow-host-namespaces.yaml
new file mode 100644
index 00000000..4d75e3ce
--- /dev/null
+++ b/charts/test-krish-globalps/pols/disallow-host-namespaces.yaml
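Review bot: `validationFailureAction: Audit` at the top of `spec` means a Pod adding a capability outside this allow-list is still admitted and only written to a PolicyReport; the same value appears in all eight other policies in this commit (disallow-host-namespaces through restrict-seccomp), so nothing in the set blocks a workload. If the chart is meant to apply the baseline rather than observe it, the field should be `Enforce`, or driven from a chart value so test installs keep Audit while other installs enforce; how files under `pols/` are rendered by this chart is not visible here, so whether they can be templated needs confirming. Either way a short comment above the field, `# Audit only reports violations; set to Enforce to block admission`, would record that the mode is intentional.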
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-host-namespaces
+ annotations:
+ policies.kyverno.io/title: Disallow Host Namespaces
+ policies.kyverno.io/category: Pod Security Standards (Baseline)
+ policies.kyverno.io/severity: medium
+ kyverno.io/kubernetes-version: "1.22-1.23"
+ policies.kyverno.io/subject: Pod
+ policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-namespaces/"
+ policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/baseline/disallow-host-namespaces/remediate-disallow-host-namespaces.yaml"
+ policies.kyverno.io/description: >-
+ Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
+ network namespace) allow access to shared information and can be used to elevate
+ privileges. Pods should not be allowed access to host namespaces. This policy ensures
+ fields which make use of these host namespaces are unset or set to `false`.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: host-namespaces
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ Sharing the host namespaces is disallowed.
+ pattern:
+ spec:
+ =(hostPID): "false"
+ =(hostIPC): "false"
+ =(hostNetwork): "false"
diff --git a/charts/test-krish-globalps/pols/disallow-host-path.yaml b/charts/test-krish-globalps/pols/disallow-host-path.yaml
new file mode 100644
index 00000000..85ef354e
--- /dev/null
+++ b/charts/test-krish-globalps/pols/disallow-host-path.yaml
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-host-path
+ annotations:
+ policies.kyverno.io/title: Disallow hostPath
+ policies.kyverno.io/category: Pod Security Standards (Baseline)
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod,Volume
+ kyverno.io/kubernetes-version: "1.22-1.23"
+ policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-path/"
+ policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/baseline/disallow-host-path/remediate-disallow-host-path.yaml"
+ policies.kyverno.io/description: >-
+ HostPath volumes let Pods use host directories and volumes in containers.
+ Using host resources can be used to access shared data or escalate privileges
+ and should not be allowed. This policy ensures no hostPath volumes are in use.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: host-path
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ HostPath volumes are forbidden.
+ pattern:
+ spec:
+ =(volumes):
+ - X(hostPath): "null"
diff --git a/charts/test-krish-globalps/pols/disallow-host-ports.yaml b/charts/test-krish-globalps/pols/disallow-host-ports.yaml
new file mode 100644
index 00000000..b007f6eb
--- /dev/null
+++ b/charts/test-krish-globalps/pols/disallow-host-ports.yaml
@@ -0,0 +1,40 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-host-ports
+ annotations:
+ policies.kyverno.io/title: Disallow hostPorts
+ policies.kyverno.io/category: Pod Security Standards (Baseline)
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kubernetes-version: "1.22-1.23"
+ policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-ports/"
+ policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/baseline/disallow-host-ports/remediate-disallow-host-ports.yaml"
+ policies.kyverno.io/description: >-
+ Access to host ports allows potential snooping of network traffic and should not be
+ allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
+ field is unset or set to `0`.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: host-ports-none
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ Use of host ports is disallowed.
+ pattern:
+ spec:
+ =(ephemeralContainers):
+ - =(ports):
+ - =(hostPort): 0
+ =(initContainers):
+ - =(ports):
+ - =(hostPort): 0
+ containers:
+ - =(ports):
+ - =(hostPort): 0
diff --git a/charts/test-krish-globalps/pols/disallow-host-process.yaml b/charts/test-krish-globalps/pols/disallow-host-process.yaml
new file mode 100644
index 00000000..b67b39b5
--- /dev/null
+++ b/charts/test-krish-globalps/pols/disallow-host-process.yaml
@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-host-process
+ annotations:
+ policies.kyverno.io/title: Disallow hostProcess
+ policies.kyverno.io/category: Pod Security Standards (Baseline)
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kubernetes-version: "1.22-1.23"
+ policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-process/"
+ policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/baseline/disallow-host-process/remediate-disallow-host-process.yaml"
+ policies.kyverno.io/description: >-
+ Windows pods offer the ability to run HostProcess containers which enables privileged
+ access to the Windows node. Privileged access to the host is disallowed in the baseline
+ policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures
+ the `hostProcess` field, if present, is set to `false`.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: host-process-containers
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ HostProcess containers are disallowed.
+ pattern:
+ spec:
+ =(ephemeralContainers):
+ - =(securityContext):
+ =(windowsOptions):
+ =(hostProcess): "false"
+ =(initContainers):
+ - =(securityContext):
+ =(windowsOptions):
+ =(hostProcess): "false"
+ containers:
+ - =(securityContext):
+ =(windowsOptions):
+ =(hostProcess): "false"
diff --git a/charts/test-krish-globalps/pols/disallow-privileged-containers.yaml b/charts/test-krish-globalps/pols/disallow-privileged-containers.yaml
new file mode 100644
index 00000000..16b6437c
--- /dev/null
+++ b/charts/test-krish-globalps/pols/disallow-privileged-containers.yaml
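Review bot: The `policies.kyverno.io/description` annotation states that HostProcess pods are an alpha feature as of Kubernetes v1.22, which is out of date for the clusters this chart is likely to run on — the feature has since graduated (beta in v1.23 and, as far as I recall, stable in v1.26), so a reader may wrongly assume the field is rarely set in practice. Suggest dropping the alpha sentence or rewording it to `HostProcess containers were alpha in Kubernetes v1.22 and have since graduated to stable.` The `kyverno.io/kubernetes-version: "1.22-1.23"` annotation on this and the other new files is similarly stale and worth revisiting in the same pass.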
@@ -0,0 +1,39 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-privileged-containers
+ annotations:
+ policies.kyverno.io/title: Disallow Privileged Containers
+ policies.kyverno.io/category: Pod Security Standards (Baseline)
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kubernetes-version: "1.22-1.23"
+ policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-privileged-containers/"
+ policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/baseline/disallow-privileged-containers/remediate-disallow-privileged-containers.yaml"
+ policies.kyverno.io/description: >-
+ Privileged mode disables most security mechanisms and must not be allowed. This policy
+ ensures Pods do not call for privileged mode.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: privileged-containers
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ Privileged mode is disallowed.
+ pattern:
+ spec:
+ =(ephemeralContainers):
+ - =(securityContext):
+ =(privileged): "false"
+ =(initContainers):
+ - =(securityContext):
+ =(privileged): "false"
+ containers:
+ - =(securityContext):
+ =(privileged): "false"
diff --git a/charts/test-krish-globalps/pols/disallow-proc-mount.yaml b/charts/test-krish-globalps/pols/disallow-proc-mount.yaml
new file mode 100644
index 00000000..63359cf7
--- /dev/null
+++ b/charts/test-krish-globalps/pols/disallow-proc-mount.yaml
@@ -0,0 +1,41 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-proc-mount
+ annotations:
+ policies.kyverno.io/title: Disallow procMount
+ policies.kyverno.io/category: Pod Security Standards (Baseline)
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kubernetes-version: "1.22-1.23"
+ policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-proc-mount/"
+ policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/baseline/disallow-proc-mount/remediate-disallow-proc-mount-containers.yaml"
+ policies.kyverno.io/description: >-
+ The default /proc masks are set up to reduce attack surface and should be required. This policy
+ ensures nothing but the default procMount can be specified. Note that in order for users
+ to deviate from the `Default` procMount requires setting a feature gate at the API
+ server.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: check-proc-mount
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ Changing the proc mount from the default is not allowed.
+ pattern:
+ spec:
+ =(ephemeralContainers):
+ - =(securityContext):
+ =(procMount): "Default"
+ =(initContainers):
+ - =(securityContext):
+ =(procMount): "Default"
+ containers:
+ - =(securityContext):
+ =(procMount): "Default"
diff --git a/charts/test-krish-globalps/pols/restrict-apparmor-profiles.yaml b/charts/test-krish-globalps/pols/restrict-apparmor-profiles.yaml
new file mode 100644
index 00000000..b3ad4f02
--- /dev/null
+++ b/charts/test-krish-globalps/pols/restrict-apparmor-profiles.yaml
@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-apparmor-profiles
+ annotations:
+ policies.kyverno.io/title: Restrict AppArmor
+ policies.kyverno.io/category: Pod Security Standards (Baseline)
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod, Annotation
+ policies.kyverno.io/minversion: 1.3.0
+ kyverno.io/kubernetes-version: "1.22-1.23"
+ policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/restrict-apparmor-profiles/"
+ policies.kyverno.io/description: >-
+ On supported hosts, the 'runtime/default' AppArmor profile is applied by default.
+ The default policy should prevent overriding or disabling the policy, or restrict
+ overrides to an allowed set of profiles. This policy ensures Pods do not
+ specify any other AppArmor profiles than `runtime/default` or `localhost/*`.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: app-armor
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ Specifying other AppArmor profiles is disallowed.
+ pattern:
+ =(metadata):
+ =(annotations):
+ =(container.apparmor.security.beta.kubernetes.io/*): "runtime/default | localhost/*"
diff --git a/charts/test-krish-globalps/pols/restrict-seccomp.yaml b/charts/test-krish-globalps/pols/restrict-seccomp.yaml
new file mode 100644
index 00000000..77c1ee13
--- /dev/null
+++ b/charts/test-krish-globalps/pols/restrict-seccomp.yaml
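Review bot: The pattern only inspects the `container.apparmor.security.beta.kubernetes.io/*` annotations, so the policy has no check on the `appArmorProfile` field that newer Kubernetes releases (1.30 onward, to my knowledge) accept under `spec.securityContext` and each container's `securityContext`; a Pod that sets `appArmorProfile.type: Unconfined` through the field passes this rule untouched. Within the declared `kyverno.io/kubernetes-version: "1.22-1.23"` range the annotation is the only mechanism, so this is a gap only on newer clusters, but nothing visible in the chart pins that range. Adding a second rule that mirrors the restrict-seccomp pattern for the field closes it; an excerpt is below, with initContainers and ephemeralContainers handled the same way as containers.
```yaml
    - name: app-armor-field
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          Specifying other AppArmor profiles is disallowed.
        pattern:
          spec:
            =(securityContext):
              =(appArmorProfile):
                =(type): "RuntimeDefault | Localhost"
            containers:
              - =(securityContext):
                  =(appArmorProfile):
                    =(type): "RuntimeDefault | Localhost"
            # … same =(appArmorProfile) block under =(initContainers) and =(ephemeralContainers) …
```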
@@ -0,0 +1,45 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-seccomp
+ annotations:
+ policies.kyverno.io/title: Restrict Seccomp
+ policies.kyverno.io/category: Pod Security Standards (Baseline)
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kubernetes-version: "1.22-1.23"
+ policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/restrict-seccomp/"
+ policies.kyverno.io/description: >-
+ The seccomp profile must not be explicitly set to Unconfined. This policy,
+ requiring Kubernetes v1.19 or later, ensures that seccomp is unset or
+ set to `RuntimeDefault` or `Localhost`.
+spec:
+ background: true
+ validationFailureAction: Audit
+ rules:
+ - name: check-seccomp
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ Use of custom Seccomp profiles is disallowed.
+ pattern:
+ spec:
+ =(securityContext):
+ =(seccompProfile):
+ =(type): "RuntimeDefault | Localhost"
+ =(ephemeralContainers):
+ - =(securityContext):
+ =(seccompProfile):
+ =(type): "RuntimeDefault | Localhost"
+ =(initContainers):
+ - =(securityContext):
+ =(seccompProfile):
+ =(type): "RuntimeDefault | Localhost"
+ containers:
+ - =(securityContext):
+ =(seccompProfile):
+ =(type): "RuntimeDefault | Localhost"
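Review bot: `spec` here lists `background: true` before `validationFailureAction: Audit`, the reverse of the order used in the other eight policies in this commit; keeping the key order identical across the set makes the files diff cleanly against each other and against upstream, so swap the two lines. This file (like disallow-capabilities and restrict-apparmor-profiles) also lacks the `policies.nirmata.io/remediation` annotation that the other six carry — if a remediation manifest exists for it, adding the annotation keeps the metadata consistent; if not, a short comment saying so would save the next reader from hunting for it.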