-
Notifications
You must be signed in to change notification settings - Fork 17
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add regular kyverno rbac policies for which an equivalent CEL convers…
…ion is not possible Signed-off-by: Chandan-DK <[email protected]>
- Loading branch information
1 parent
452c88c
commit 0dde24c
Showing
2 changed files
with
65 additions
and
0 deletions.
There are no files selected for viewing
29 changes: 29 additions & 0 deletions
29
charts/rbac-best-practices-cel/pols/disable-automount-sa-token.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| metadata: | ||
| name: disable-automount-sa-token | ||
| annotations: | ||
| policies.kyverno.io/title: Disable automountServiceAccountToken | ||
| policies.kyverno.io/category: RBAC Best Practices | ||
| policies.kyverno.io/severity: medium | ||
| policies.kyverno.io/subject: ServiceAccount | ||
| policies.kyverno.io/minversion: 1.6.0 | ||
| kyverno.io/kubernetes-version: "1.21" | ||
| policies.kyverno.io/description: >- | ||
| A new ServiceAccount called `default` is created whenever a new Namespace is created. | ||
| Pods spawned in that Namespace, unless otherwise set, will be assigned this ServiceAccount. | ||
| This policy mutates any new `default` ServiceAccounts to disable auto-mounting of the token | ||
| into Pods obviating the need to do so individually. | ||
| spec: | ||
| rules: | ||
| - name: disable-automountserviceaccounttoken | ||
| match: | ||
| any: | ||
| - resources: | ||
| kinds: | ||
| - ServiceAccount | ||
| names: | ||
| - default | ||
| mutate: | ||
| patchStrategicMerge: | ||
| automountServiceAccountToken: false |
36 changes: 36 additions & 0 deletions
36
charts/rbac-best-practices-cel/pols/restrict-automount-sa-token.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| metadata: | ||
| name: restrict-automount-sa-token | ||
| annotations: | ||
| policies.kyverno.io/title: Restrict Auto-Mount of Service Account Tokens | ||
| policies.kyverno.io/category: RBAC Best Practices | ||
| policies.kyverno.io/severity: medium | ||
| policies.kyverno.io/subject: Pod,ServiceAccount | ||
| policies.kyverno.io/minversion: 1.6.0 | ||
| policies.kyverno.io/description: >- | ||
| Kubernetes automatically mounts ServiceAccount credentials in each Pod. | ||
| The ServiceAccount may be assigned roles allowing Pods to access API resources. | ||
| Blocking this ability is an extension of the least privilege best practice and should | ||
| be followed if Pods do not need to speak to the API server to function. | ||
| This policy ensures that mounting of these ServiceAccount tokens is blocked. | ||
| spec: | ||
| validationFailureAction: Audit | ||
| background: true | ||
| rules: | ||
| - name: validate-automountServiceAccountToken | ||
| match: | ||
| any: | ||
| - resources: | ||
| kinds: | ||
| - Pod | ||
| preconditions: | ||
| all: | ||
| - key: "{{ request.\"object\".metadata.labels.\"app.kubernetes.io/part-of\" || '' }}" | ||
| operator: NotEquals | ||
| value: policy-reporter | ||
| validate: | ||
| message: "Auto-mounting of Service Account tokens is not allowed." | ||
| pattern: | ||
| spec: | ||
| automountServiceAccountToken: "false" |