add istio policies

tetrate/tis0005/validate-root-ca-cert.yaml

@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+    name: validate-root-ca-cert
+spec:
+    background: false
+    rules:
+        - match:
+            any:
+                - resources:
+                    kinds:
+                        - Secret
+                    names:
+                        - root-ca
+                    namespaces:
+                        - istio-system
+          name: validate-root-ca-cert
+          validate:
+            deny:
+                conditions:
+                    any:
+                        - key: "{{ request.object.data.\"ca-cert.pem\" | base64_decode(@) \n   | parse_x509(\"notAfter\") | date_before(\"now\") }}"
+                          operator: Equals
+                          value: true
+                        - key: "{{ request.object.data.\"ca-cert.pem\" | base64_decode(@) \n   | parse_x509(\"subject\") | length(@) }}"
+                          operator: Equals
+                          value: 0
+                        - key: "{{ request.object.data.\"ca-cert.pem\" | base64_decode(@) \n   | parse_x509(\"san\") | length(@) }}"
+                          operator: Equals
+                          value: 0
+            message: The root CA certificate must be valid and properly formatted
+    validationFailureAction: Enforce

tetrate/tis0101/restrict-non-existent-namespace-host-serviecentry.yaml

@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+    annotations:
+        policies.kyverno.io/category: Service Mesh
+        policies.kyverno.io/description: Ensures that ServiceEntry hosts reference existing namespaces
+        policies.kyverno.io/severity: medium
+        policies.kyverno.io/subject: ServiceEntry
+        policies.kyverno.io/title: Validate ServiceEntry Host Namespace
+    name: validate-serviceentry-host-namespace
+spec:
+    background: true
+    rules:
+        - context:
+            - apiCall:
+                jmesPath: items[].metadata.name
+                urlPath: /api/v1/namespaces
+              name: namespaces
+          match:
+            any:
+                - resources:
+                    kinds:
+                        - ServiceEntry
+          name: validate-host-namespace
+          validate:
+            foreach:
+                - deny:
+                    conditions:
+                        all:
+                            - key: "{{ regex_split('^[^.]+\\.([^.]+)\\.svc\\.cluster\\.local$', \nelement)[1] }}\n"
+                              operator: AnyNotIn
+                              value: '{{ namespaces }}'
+                  list: request.object.spec.hosts[]
+          message: Host '{{ element }}' references a non-existent namespace
+    validationFailureAction: Audit

tetrate/tis0101/restrict-non-existent-namespace-host-virtual-service.yaml

@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+    annotations:
+        policies.kyverno.io/category: Service Mesh
+        policies.kyverno.io/description: Ensures that VirtualService hosts reference existing namespaces
+        policies.kyverno.io/severity: medium
+        policies.kyverno.io/subject: VirtualService
+        policies.kyverno.io/title: Validate VirtualService Host Namespace
+    name: validate-virtualservice-host-namespace
+spec:
+    background: true
+    rules:
+        - context:
+            - apiCall:
+                jmesPath: items[].metadata.name
+                urlPath: /api/v1/namespaces
+              name: namespaces
+          match:
+            any:
+                - resources:
+                    kinds:
+                        - VirtualService
+          name: validate-host-namespace
+          validate:
+            foreach:
+                - deny:
+                    conditions:
+                        all:
+                            - key: "{{ regex_split('^[^.]+\\.([^.]+)\\.svc\\.cluster\\.local$', \nelement)[1] }}\n"
+                              operator: AnyNotIn
+                              value: '{{ namespaces }}'
+                  list: request.object.spec.hosts[]
+            message: Host '{{ element }}' references a non-existent namespace
+    validationFailureAction: Audit

tetrate/tis0102/restrict-invalid-http-method.yaml

@@ -0,0 +1,38 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/description: This policy ensures that HTTP methods specified in AuthorizationPolicy resources are valid. The policy validates that methods defined in spec.rules[].to[].operation.method[] are from the allowed set of HTTP methods.
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/title: Validate Authorization Policy HTTP Methods
+  name: validate-authz-policy-http-methods
+spec:
+  background: true
+  rules:
+      - match:
+          any:
+              - resources:
+                  kinds:
+                      - AuthorizationPolicy
+        name: validate-http-methods
+        validate:
+          foreach:
+            - deny:
+                conditions:
+                    all:
+                      - key: '{{ element }}'
+                        operator: NotIn
+                        value:
+                          - GET
+                          - HEAD
+                          - POST
+                          - PUT
+                          - DELETE
+                          - CONNECT
+                          - OPTIONS
+                          - TRACE
+                          - PATCH
+              list: request.object.spec.rules[*].to[*].operation.methods[*]
+          message: 'HTTP methods must be one of: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH'
+  validationFailureAction: Enforce