Merge pull request #74 from anusha94/add-remediation-to-chart

Revert pols
nirmata · Jun 12, 2023 · 314a1e2 · 314a1e2
2 parents d642d96 + 3cedb3c
commit 314a1e2
Show file tree

Hide file tree

Showing 22 changed files with 59 additions and 51 deletions.
diff --git a/charts/pod-security-baseline/Chart.yaml b/charts/pod-security-baseline/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: pss-baseline-policies
 description: Pod Security Standards (baseline) policy set
 type: application
-version: 0.2.0
+version: 0.2.1
 appVersion: 0.1.0
 keywords:
   - kubernetes

diff --git a/charts/pod-security-baseline/pols/disallow-capabilities.yaml b/charts/pod-security-baseline/pols/disallow-capabilities.yaml
@@ -0,0 +1,49 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-capabilities
+  annotations:
+    policies.kyverno.io/title: Disallow Capabilities
+    policies.kyverno.io/category: Pod Security Standards (Baseline)
+    policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.6.0
+    policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.kyverno.io/subject: Pod
+    policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-capabilities/"
+    policies.kyverno.io/description: >-
+      Adding capabilities beyond those listed in the policy must be disallowed.
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: adding-capabilities
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        message: >-
+          Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
+          FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
+          are disallowed.
+      deny:
+        conditions:
+        all:
+          - key: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].securityContext.capabilities.add[] }}"
+        operator: AnyNotIn
+        value:
+          - AUDIT_WRITE
+          - CHOWN
+          - DAC_OVERRIDE
+          - FOWNER
+          - FSETID
+          - KILL
+          - MKNOD
+          - NET_BIND_SERVICE
+          - SETFCAP
+          - SETGID
+          - SETPCAP
+          - SETUID
+          - SYS_CHROOT
diff --git a/...e/templates/disallow-host-namespaces.yaml → ...seline/pols/disallow-host-namespaces.yaml b/...e/templates/disallow-host-namespaces.yaml → ...seline/pols/disallow-host-namespaces.yaml
diff --git a/...aseline/templates/disallow-host-path.yaml → ...ity-baseline/pols/disallow-host-path.yaml b/...aseline/templates/disallow-host-path.yaml → ...ity-baseline/pols/disallow-host-path.yaml
diff --git a/...seline/templates/disallow-host-ports.yaml → ...ty-baseline/pols/disallow-host-ports.yaml b/...seline/templates/disallow-host-ports.yaml → ...ty-baseline/pols/disallow-host-ports.yaml
diff --git a/...line/templates/disallow-host-process.yaml → ...-baseline/pols/disallow-host-process.yaml b/...line/templates/disallow-host-process.yaml → ...-baseline/pols/disallow-host-process.yaml
diff --git a/...lates/disallow-privileged-containers.yaml → .../pols/disallow-privileged-containers.yaml b/...lates/disallow-privileged-containers.yaml → .../pols/disallow-privileged-containers.yaml
diff --git a/...seline/templates/disallow-proc-mount.yaml → ...ty-baseline/pols/disallow-proc-mount.yaml b/...seline/templates/disallow-proc-mount.yaml → ...ty-baseline/pols/disallow-proc-mount.yaml
diff --git a/...-baseline/templates/disallow-selinux.yaml → ...urity-baseline/pols/disallow-selinux.yaml b/...-baseline/templates/disallow-selinux.yaml → ...urity-baseline/pols/disallow-selinux.yaml
diff --git a/...templates/restrict-apparmor-profiles.yaml → ...line/pols/restrict-apparmor-profiles.yaml b/...templates/restrict-apparmor-profiles.yaml → ...line/pols/restrict-apparmor-profiles.yaml
diff --git a/...-baseline/templates/restrict-seccomp.yaml → ...urity-baseline/pols/restrict-seccomp.yaml b/...-baseline/templates/restrict-seccomp.yaml → ...urity-baseline/pols/restrict-seccomp.yaml
diff --git a/...-baseline/templates/restrict-sysctls.yaml → ...urity-baseline/pols/restrict-sysctls.yaml b/...-baseline/templates/restrict-sysctls.yaml → ...urity-baseline/pols/restrict-sysctls.yaml
diff --git a/charts/pod-security-baseline/templates/club-pols.yaml b/charts/pod-security-baseline/templates/club-pols.yaml
@@ -0,0 +1,4 @@
+{{ range $path, $_ :=  .Files.Glob  "pols/**.yaml" }}
+{{ $.Files.Get $path }}
+---
+{{ end }}
diff --git a/charts/pod-security-baseline/templates/disallow-capabilities.yaml b/charts/pod-security-baseline/templates/disallow-capabilities.yaml
diff --git a/charts/pod-security-restricted/Chart.yaml b/charts/pod-security-restricted/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: pss-restricted-policies
 description: Pod Security Standards (restricted) policy set
 type: application
-version: 0.2.0
+version: 0.2.1
 appVersion: 0.1.0
 keywords:
   - kubernetes

diff --git a/...mplates/disallow-capabilities-strict.yaml → ...ed/pols/disallow-capabilities-strict.yaml b/...mplates/disallow-capabilities-strict.yaml → ...ed/pols/disallow-capabilities-strict.yaml
diff --git a/...plates/disallow-privilege-escalation.yaml → ...d/pols/disallow-privilege-escalation.yaml b/...plates/disallow-privilege-escalation.yaml → ...d/pols/disallow-privilege-escalation.yaml
diff --git a/...mplates/require-run-as-non-root-user.yaml → ...ed/pols/require-run-as-non-root-user.yaml b/...mplates/require-run-as-non-root-user.yaml → ...ed/pols/require-run-as-non-root-user.yaml
diff --git a/...ted/templates/require-run-as-nonroot.yaml → ...stricted/pols/require-run-as-nonroot.yaml b/...ted/templates/require-run-as-nonroot.yaml → ...stricted/pols/require-run-as-nonroot.yaml
diff --git a/...ed/templates/restrict-seccomp-strict.yaml → ...tricted/pols/restrict-seccomp-strict.yaml b/...ed/templates/restrict-seccomp-strict.yaml → ...tricted/pols/restrict-seccomp-strict.yaml
diff --git a/...cted/templates/restrict-volume-types.yaml → ...estricted/pols/restrict-volume-types.yaml b/...cted/templates/restrict-volume-types.yaml → ...estricted/pols/restrict-volume-types.yaml
diff --git a/charts/pod-security-restricted/templates/club-pols.yaml b/charts/pod-security-restricted/templates/club-pols.yaml
@@ -0,0 +1,4 @@
+{{ range $path, $_ :=  .Files.Glob  "pols/**.yaml" }}
+{{ $.Files.Get $path }}
+---
+{{ end }}