diff --git a/charts/best-practices-dockerfile/Chart.yaml b/charts/best-practices-dockerfile/Chart.yaml
index ca3f4d43..9c193619 100644
--- a/charts/best-practices-dockerfile/Chart.yaml
+++ b/charts/best-practices-dockerfile/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: best-practices-dockerfile
 description: Best practices Dockerfile policy set
 type: application
-version: 0.1.1
-appVersion: 0.1.1
+version: 0.1.2
+appVersion: 0.1.2
 keywords:
 - kubernetes
 - nirmata
diff --git a/charts/best-practices-dockerfile/pols/check-allow-untrusted-flag.yaml b/charts/best-practices-dockerfile/pols/check-allow-untrusted-flag.yaml
index 1f73c101..23a74b68 100644
--- a/charts/best-practices-dockerfile/pols/check-allow-untrusted-flag.yaml
+++ b/charts/best-practices-dockerfile/pols/check-allow-untrusted-flag.yaml
@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Check for untrusted flag in Dockerfile
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-untrust-flag/"
     policies.kyverno.io/description: >-
       This policy ensures that Dockerfile do not contain the '--allow-untrusted' flag.
 spec:
diff --git a/charts/best-practices-dockerfile/pols/check-apt-command-force-yes.yaml b/charts/best-practices-dockerfile/pols/check-apt-command-force-yes.yaml
new file mode 100644
index 00000000..0cd4e3d2
--- /dev/null
+++ b/charts/best-practices-dockerfile/pols/check-apt-command-force-yes.yaml
@@ -0,0 +1,33 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: check-apt-command-force-yes
+  annotations:
+    policies.kyverno.io/title: Check for overidding of safety checks in apt-get command
+    policies.kyverno.io/category: Dockerfile Best Practices
+    policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-apt-command-force-yes/"
+    policies.kyverno.io/description: >-
+      The --force-yes option in apt-get is used to override some safety checks
+      and prompts, allowing the installation or upgrade of packages even if
+      they require additional user confirmation or if they conflict with other
+      packages. This can potentially lead to system instability or unexpected
+      behavior, as it bypasses certain safeguards put in place to ensure the stability
+      and consistency of the system.
+spec:
+  rules:
+  - name: check-apt-command-force-yes
+    match:
+      all:
+      - ($analyzer.resource.type): dockerfile
+      - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true
+    assert:
+      all:
+      - message: refrain from using the '--force-yes' option with `apt-get` as it bypasses important package validation checks and can potentially compromise the stability and security of your system.
+        check:
+          ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+            ((starts_with(@, 'apt-get ') || contains(@, ' apt-get ')) && contains(@, ' --force-yes')): false
+      - message: refrain from using the '--force-yes' option with `apt` as it bypasses important package validation checks and can potentially compromise the stability and security of your system.
+        check:
+          ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+            ((starts_with(@, 'apt ') || contains(@, ' apt ')) && contains(@, ' --force-yes')): false
\ No newline at end of file
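Review bot: Both `assert.all` checks only fire when `--force-yes` sits inside the same string as `apt-get `/` apt-get ` (or `apt `/` apt `) with a leading space, so a RUN written in exec form (`RUN ["apt-get", "install", "--force-yes", "pkg"]`) would, if the analyzer exposes each JSON-array token as its own `CmdLine` element, put `apt-get` and `--force-yes` in different elements and pass the policy unnoticed; confirm how `CmdLine[][]` is populated for exec form and, if the tokens are separate, add a third check that fails when any element of the same projection equals `--force-yes` exactly (a `[?@=='--force-yes']` filter on `Stages[].Commands[?Name=='RUN'].CmdLine[][]`). The title has a typo: `Check for overriding of safety checks in apt-get command`. The file also ends without a trailing newline, unlike the other policies in the chart.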
diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-curl.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-curl.yaml
index 00884167..e7d4198d 100644
--- a/charts/best-practices-dockerfile/pols/check-certificate-validation-curl.yaml
+++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-curl.yaml
@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Check for certificate validation using curl in the Dockerfile
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-certificate-validation-curl/"
     policies.kyverno.io/description: >-
       This policy checks whether certificate validation is disabled in the Dockerfile using --insecure option when running the curl command
 spec:
diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-git-env-var.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-git-env-var.yaml
new file mode 100644
index 00000000..4ff6fced
--- /dev/null
+++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-git-env-var.yaml
@@ -0,0 +1,25 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: check-certificate-validation-git-env-var
+  annotations:
+    policies.kyverno.io/title: Check for certificate validation in the Dockerfile using Node.js environment variable
+    policies.kyverno.io/category: Dockerfile Best Practices
+    policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-certificate-validation-git-env-var/"
+    policies.kyverno.io/description: >-
+      To control SSL certificate validation in Git operations within a Docker container,
+      you can use the GIT_SSL_NO_VERIFY environment variable. Setting this variable to true
+      or 1 tells Git to bypass SSL certificate validation.
+spec:
+  rules:
+  - name: check-certificate-validation-git-env-var
+    match:
+      all:
+      - ($analyzer.resource.type): dockerfile
+      - (Stages[].Commands[?Name=='ENV'] | length(@) > `0`): true
+    assert:
+      any:
+      - message: Ensure certificate validation is enabled by using `GIT_SSL_NO_VERIFY` env with value set to '0' or 'false'
+        check:
+          (Stages[].Commands[].Env[?Key=='GIT_SSL_NO_VERIFY' && (Value=='1' || Value=='true')][] | length(@) > `0`): false
\ No newline at end of file
diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-nodejs-env-var.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-nodejs-env-var.yaml
index 8c5b3b8e..1f8fbf60 100644
--- a/charts/best-practices-dockerfile/pols/check-certificate-validation-nodejs-env-var.yaml
+++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-nodejs-env-var.yaml
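Review bot: The check on the last line only fails when `GIT_SSL_NO_VERIFY` is `1` or `true`, but Git turns certificate verification off when the variable is exported with any value at all (the git(1) documentation describes `GIT_SSL_NO_VERIFY` as disabling verification when set "to any value"), so `ENV GIT_SSL_NO_VERIFY=0`, `=false` or `=yes` all pass this policy while still disabling TLS validation, and the message actively recommends the `'0'`/`'false'` settings that do not help. Drop the value filter so the expression becomes `(Stages[].Commands[].Env[?Key=='GIT_SSL_NO_VERIFY'][] | length(@) > 0): false` (with the backtick-quoted `0` literal the other checks use) and reword the message to `Do not set GIT_SSL_NO_VERIFY in the image; remove the variable so Git verifies server certificates`. The description's "Setting this variable to true or 1" should be corrected the same way, and the title still says "using Node.js environment variable" — a copy-paste from the Node.js policy; it should name Git. The file also lacks a trailing newline.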
@@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Check for certificate validation in the Dockerfile using Node.js environment variable policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-certificate-validation-nodejs-env-var/" policies.kyverno.io/description: >- NODE_TLS_REJECT_UNAUTHORIZED is an environment variable used in Node.js to control TLS certificate verification behavior. This policy checks whether diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-pip3.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-pip3.yaml index a7e6c59e..f156d4d0 100644 --- a/charts/best-practices-dockerfile/pols/check-certificate-validation-pip3.yaml +++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-pip3.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Check for certificate validation using pip3 in the Dockerfile policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-certificate-validation-pip3/" policies.kyverno.io/description: >- This policy checks whether certificate validation is disabled in the Dockerfile using --trusted-host option when running the pip3 command spec: diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-python-env-var.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-python-env-var.yaml index 96206d13..57f79aa0 100644 --- a/charts/best-practices-dockerfile/pols/check-certificate-validation-python-env-var.yaml +++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-python-env-var.yaml 
@@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Check for certificate validation in the Dockerfile using Python environment variable policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-certificate-validation-python-env-var/" policies.kyverno.io/description: >- The PYTHONHTTPSVERIFY environment variable is used in Python to control certificate verification when making HTTPS requests. This policy checks @@ -23,4 +24,3 @@ spec: - message: Ensure certificate validation is enabled by using `PYTHONHTTPSVERIFY` env with value set to `1` check: (Stages[].Commands[].Env[?Key=='PYTHONHTTPSVERIFY' && Value=='1'][] | length(@) > `0`): true - \ No newline at end of file diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-wget.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-wget.yaml index f5ab4c7a..7061ad0a 100644 --- a/charts/best-practices-dockerfile/pols/check-certificate-validation-wget.yaml +++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-wget.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Check for certificate validation using wget in the Dockerfile policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-certificate-validation-wget/" policies.kyverno.io/description: >- This policy checks whether certificate validation is disabled in the Dockerfile using --no-check-certificate option when running the wget command spec: diff --git a/charts/best-practices-dockerfile/pols/check-label-maintainer.yaml b/charts/best-practices-dockerfile/pols/check-label-maintainer.yaml new file mode 100644 index 00000000..36be93b3 --- /dev/null +++ b/charts/best-practices-dockerfile/pols/check-label-maintainer.yaml 
@@ -0,0 +1,27 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: check-label-maintainer
+  annotations:
+    policies.kyverno.io/title: Validating LABEL maintainer instruction in Dockerfile
+    policies.kyverno.io/category: Dockerfile Best Practices
+    policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-label-maintainer/"
+    policies.kyverno.io/description: >-
+      MAINTAINER instruction is deprecated for the Dockerfile. Instead, you can use the
+      LABEL instruction to provide the maintainer name in the Dockerfile. This policy checks
+      if LABEL instruction has been specified with maintainer name.
+spec:
+  rules:
+  - assert:
+      all:
+      - check:
+          (Stages[].Commands[?Name=='MAINTAINER'][] | length(@) > `0`): false
+        message: MAINTAINER instruction is deprecated, use LABELS instruction to mention maintainer name
+      - check:
+          (Stages[].Commands[].Labels[?Key=='maintainer' || Key=='owner' || Key=='author'][] | length(@) > `0`): true
+        message: Use the LABELS instruction to set the MAINTAINER name
+    name: dockerfile-allow-label-maintainer-instruction
+    match:
+      all:
+      - ($analyzer.resource.type): dockerfile
\ No newline at end of file
diff --git a/charts/best-practices-dockerfile/pols/check-last-user.yaml b/charts/best-practices-dockerfile/pols/check-last-user.yaml
index c8bbf16b..e0e8efda 100644
--- a/charts/best-practices-dockerfile/pols/check-last-user.yaml
+++ b/charts/best-practices-dockerfile/pols/check-last-user.yaml
@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Check last USER
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-last-user/"
     policies.kyverno.io/description: >-
       This policy validates that the last USER is not root.
 spec:
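Review bot: Both `message` values tell the user to use a `LABELS` instruction, which does not exist in Dockerfile syntax — the instruction is `LABEL`, as the description itself says — so the remediation text points at something that will not build. Change them to `MAINTAINER instruction is deprecated, use the LABEL instruction to set the maintainer name` and `Use the LABEL instruction to set the maintainer name`. The accepted keys `maintainer`/`owner`/`author` could also admit `org.opencontainers.image.authors`, the OCI annotation that is the documented replacement for MAINTAINER. The rule name `dockerfile-allow-label-maintainer-instruction` differs from the `check-label-maintainer` name used for the policy and its docs link, and the file has no trailing newline.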
diff --git a/charts/best-practices-dockerfile/pols/check-missing-signature-options.yaml b/charts/best-practices-dockerfile/pols/check-missing-signature-options.yaml index 54637cad..84eefba3 100644 --- a/charts/best-practices-dockerfile/pols/check-missing-signature-options.yaml +++ b/charts/best-practices-dockerfile/pols/check-missing-signature-options.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: check for missing signature options via rpm policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-missing-signature-options/" policies.kyverno.io/description: >- This policy ensures that packages with untrusted or missing signatures are not used by rpm via the ‘–nodigest’, ‘–nosignature’, ‘–noverify’, or diff --git a/charts/best-practices-dockerfile/pols/check-nogpgcheck.yaml b/charts/best-practices-dockerfile/pols/check-nogpgcheck.yaml index d4bb450e..490209c8 100644 --- a/charts/best-practices-dockerfile/pols/check-nogpgcheck.yaml +++ b/charts/best-practices-dockerfile/pols/check-nogpgcheck.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Check for GPG signature when using yum/dnf/tdnf in the Dockerfile policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-nogpgcheck/" policies.kyverno.io/description: >- GPG signature checking is a security feature that verifies the authenticity and integrity of packages before they are diff --git a/charts/best-practices-dockerfile/pols/check-npm-config-strict-ssl.yaml b/charts/best-practices-dockerfile/pols/check-npm-config-strict-ssl.yaml index faff2f1a..f304d5b4 100644 --- a/charts/best-practices-dockerfile/pols/check-npm-config-strict-ssl.yaml +++ b/charts/best-practices-dockerfile/pols/check-npm-config-strict-ssl.yaml 
@@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Check for certificate validation in the Dockerfile for npm using `NPM_CONFIG_STRICT_SSL` environemt variable policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-npm-config-strict-ssl/" policies.kyverno.io/description: >- The NPM_CONFIG_STRICT_SSL environment variable is used to control strict SSL certificate validation behavior in npm. This policy ensures that certificate diff --git a/charts/best-practices-dockerfile/pols/check-unauthentication-install.yaml b/charts/best-practices-dockerfile/pols/check-unauthentication-install.yaml index 9b703cda..02c0d474 100644 --- a/charts/best-practices-dockerfile/pols/check-unauthentication-install.yaml +++ b/charts/best-practices-dockerfile/pols/check-unauthentication-install.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Check for unauthenticated flag in Dockerfile policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-unauthentication/" policies.kyverno.io/description: >- This policy ensures that Dockerfile do not contain the '--allow-unauthenticated' flag. spec: diff --git a/charts/best-practices-dockerfile/pols/detect-multiple-instructions.yaml b/charts/best-practices-dockerfile/pols/detect-multiple-instructions.yaml index 1c1bd3a9..18ef12a8 100644 --- a/charts/best-practices-dockerfile/pols/detect-multiple-instructions.yaml +++ b/charts/best-practices-dockerfile/pols/detect-multiple-instructions.yaml 
@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Detect Multiple Instructions in Single Line
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/detect-multiple-instructions/"
     policies.kyverno.io/description: >-
       This policy ensures that Dockerfile Container Image Should Be Built with Minimal Cached Layers
 spec:
diff --git a/charts/best-practices-dockerfile/pols/disallow-sudo-operations.yaml b/charts/best-practices-dockerfile/pols/disallow-sudo-operations.yaml
index c8df1493..4f8c374b 100644
--- a/charts/best-practices-dockerfile/pols/disallow-sudo-operations.yaml
+++ b/charts/best-practices-dockerfile/pols/disallow-sudo-operations.yaml
@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Check for sudo operation existence
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/disallow-sudo-operations/"
     policies.kyverno.io/description: >-
       Using sudo within a Dockerfile is not recommended to avoid privilege escalation.
 spec:
diff --git a/charts/best-practices-dockerfile/pols/prefer-copy-over-add.yaml b/charts/best-practices-dockerfile/pols/prefer-copy-over-add.yaml
index a6d83802..40329fa8 100644
--- a/charts/best-practices-dockerfile/pols/prefer-copy-over-add.yaml
+++ b/charts/best-practices-dockerfile/pols/prefer-copy-over-add.yaml
@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Prefer COPY over ADD in Dockerfile
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/prefer-copy-over-add/"
     policies.kyverno.io/description: >-
       This policy ensures that COPY instructions are used instead of ADD instructions in Dockerfiles.
 spec:
diff --git a/charts/best-practices-dockerfile/pols/validate-base-image-tag.yaml b/charts/best-practices-dockerfile/pols/validate-base-image-tag.yaml
index 68d3f58a..4c746a39 100644
--- a/charts/best-practices-dockerfile/pols/validate-base-image-tag.yaml
+++ b/charts/best-practices-dockerfile/pols/validate-base-image-tag.yaml
@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Validate base image tag
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/validate-base-image-tag/"
     policies.kyverno.io/description: >-
       This policy checks whether the base image tag is defined with a specific version or digest in the Dockerfile.
 spec:
diff --git a/charts/best-practices-dockerfile/pols/validate-expose-port-22.yaml b/charts/best-practices-dockerfile/pols/validate-expose-port-22.yaml
index 935c7460..393cd0cf 100644
--- a/charts/best-practices-dockerfile/pols/validate-expose-port-22.yaml
+++ b/charts/best-practices-dockerfile/pols/validate-expose-port-22.yaml
@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Validating Exposed Port 22 in Dockerfile
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/validate-expose-port-22/"
     policies.kyverno.io/description: >-
       This policy checks whether Dockerfiles exposes port 22.
 spec:
diff --git a/charts/best-practices-dockerfile/pols/validate-healthcheck-instruction.yaml b/charts/best-practices-dockerfile/pols/validate-healthcheck-instruction.yaml
index fd884132..5f8c42ac 100644
--- a/charts/best-practices-dockerfile/pols/validate-healthcheck-instruction.yaml
+++ b/charts/best-practices-dockerfile/pols/validate-healthcheck-instruction.yaml
@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Validate Healthcheck Instruction
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/validate-healthcheck-instruction/"
     policies.kyverno.io/description: >-
       This policy checks if the HEALTHCHECK instruction is defined in the Dockerfile.
 spec:
diff --git a/charts/best-practices-dockerfile/pols/validate-user-instruction.yaml b/charts/best-practices-dockerfile/pols/validate-user-instruction.yaml
index 589e061a..8ed37b69 100644
--- a/charts/best-practices-dockerfile/pols/validate-user-instruction.yaml
+++ b/charts/best-practices-dockerfile/pols/validate-user-instruction.yaml
@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Validate USER instruction in Dockerfile
     policies.kyverno.io/category: Dockerfile Best Practices
     policies.kyverno.io/severity: medium
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/validate-user-instruction/"
     policies.kyverno.io/description: >-
       This policy checks if the Dockerfile contains a USER instruction. If the USER instruction is not present, the policy fails.
 spec:
diff --git a/dockerfile-best-practices/check-certificate-validation-python-env-var/check-certificate-validation-python-env-var.yaml b/dockerfile-best-practices/check-certificate-validation-python-env-var/check-certificate-validation-python-env-var.yaml
index 1f924d29..57f79aa0 100644
--- a/dockerfile-best-practices/check-certificate-validation-python-env-var/check-certificate-validation-python-env-var.yaml
+++ b/dockerfile-best-practices/check-certificate-validation-python-env-var/check-certificate-validation-python-env-var.yaml
@@ -24,4 +24,3 @@ spec:
       - message: Ensure certificate validation is enabled by using `PYTHONHTTPSVERIFY` env with value set to `1`
         check:
           (Stages[].Commands[].Env[?Key=='PYTHONHTTPSVERIFY' && Value=='1'][] | length(@) > `0`): true
-
\ No newline at end of file
diff --git a/multitenancy-benchmarks/restrict-resource-quota-changes/.chainsaw-test/chainsaw-enforce-assert.yaml b/multitenancy-benchmarks/restrict-resource-quota-changes/.chainsaw-test/chainsaw-enforce-assert.yaml
new file mode 100644
index 00000000..c979fe5c
--- /dev/null
+++ b/multitenancy-benchmarks/restrict-resource-quota-changes/.chainsaw-test/chainsaw-enforce-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-resource-quota-changes
+spec:
+  validationFailureAction: Enforce
diff --git a/multitenancy-benchmarks/restrict-resource-quota-changes/.chainsaw-test/chainsaw-policy-assert.yaml b/multitenancy-benchmarks/restrict-resource-quota-changes/.chainsaw-test/chainsaw-policy-assert.yaml
new file mode 100755
index 00000000..fb5d8192
--- /dev/null
+++ b/multitenancy-benchmarks/restrict-resource-quota-changes/.chainsaw-test/chainsaw-policy-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-resource-quota-changes
+status:
+  ready: true
diff --git a/multitenancy-benchmarks/restrict-resource-quota-changes/.chainsaw-test/chainsaw-test.yaml b/multitenancy-benchmarks/restrict-resource-quota-changes/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 00000000..a24926c4
--- /dev/null
+++ b/multitenancy-benchmarks/restrict-resource-quota-changes/.chainsaw-test/chainsaw-test.yaml
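Review bot: `chainsaw-policy-assert.yaml` is added with `new file mode 100755`, and `chainsaw-test.yaml` in the following hunk likewise; both are data files read by chainsaw, not executables, and should be committed as 100644 like `chainsaw-enforce-assert.yaml` and every other YAML file in this commit. An executable bit on manifests is harmless at runtime but trips file-mode linters and looks like a stray `chmod`. The content of the two asserts otherwise matches the policy metadata they check.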
@@ -0,0 +1,35 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: restrict-resource-quota-changes
+spec:
+  steps:
+  - name: test-restrict-resource-quota-changes
+    try:
+    - apply:
+        file: ../restrict-resource-quota-changes.yaml
+    - assert:
+        file: chainsaw-policy-assert.yaml
+    - apply:
+        file: rq-good.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: restrict-resource-quota-changes
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: chainsaw-enforce-assert.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: rq-bad.yaml
+    - delete:
+        ref:
+          apiVersion: v1
+          kind: namespace
+          name: chainsaw-test
diff --git a/multitenancy-benchmarks/restrict-resource-quota-changes/.chainsaw-test/rq-bad.yaml b/multitenancy-benchmarks/restrict-resource-quota-changes/.chainsaw-test/rq-bad.yaml
new file mode 100644
index 00000000..bb3dc053
--- /dev/null
+++ b/multitenancy-benchmarks/restrict-resource-quota-changes/.chainsaw-test/rq-bad.yaml
@@ -0,0 +1,27 @@
+# create-resource-quota
+
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: create-resource-quota
+  namespace: chainsaw-test
+spec:
+  hard:
+    limits.cpu: "2"
+    limits.memory: 2Gi
+    requests.cpu: "1"
+    requests.memory: 1Gi
+
+---
+
+# Update ResourceQuota
+
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: create-resource-quota
+  namespace: chainsaw-test
+spec:
+  hard:
+    limits.cpu: "2"
+    limits.memory: 2Gi
diff --git a/multitenancy-benchmarks/restrict-resource-quota-changes/.chainsaw-test/rq-good.yaml b/multitenancy-benchmarks/restrict-resource-quota-changes/.chainsaw-test/rq-good.yaml
new file mode 100644
index 00000000..50822e94
--- /dev/null
+++ b/multitenancy-benchmarks/restrict-resource-quota-changes/.chainsaw-test/rq-good.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: chainsaw-test
+spec: {}
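Review bot: The `delete` of the `chainsaw-test` namespace is the last entry under `try`, so whenever an earlier step fails (for instance the `rq-bad.yaml` apply unexpectedly succeeding) the namespace is never removed and the next run starts against leftover state; move that `delete` block into the step's `finally` list, which chainsaw runs regardless of the outcome of `try`. The ref also spells the kind as `kind: namespace` while `rq-good.yaml` creates it as `kind: Namespace`; Kubernetes kind names are case-sensitive, so use `kind: Namespace` here as well. The `patch` that sets `validationFailureAction: Enforce` duplicates what `restrict-resource-quota-changes.yaml` already ships, so it can be dropped or kept only as a deliberate guard with a comment saying so.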
diff --git a/multitenancy-benchmarks/restrict-resource-quota-changes/README.md b/multitenancy-benchmarks/restrict-resource-quota-changes/README.md
new file mode 100644
index 00000000..b2e74ef6
--- /dev/null
+++ b/multitenancy-benchmarks/restrict-resource-quota-changes/README.md
@@ -0,0 +1,66 @@
+# Cluster Policy - Restrict Resource Quota Changes Policy
+
+## Policy Overview
+The `restrict-resource-quota-changes` policy ensures that tenants within Kubernetes namespaces cannot perform actions such as creating, updating, patching, deleting, or bulk-deleting operations on resource quotas. This restriction serves as a security measure to maintain control over resource management and prevent tenants from inadvertently exceeding their allocated resources or interfering with cluster stability.
+
+**Importance**
+
+This policy holds significance in enhancing the security and stability of Kubernetes clusters, particularly in multitenant environments. By limiting the ability to modify resource quotas, it helps maintain isolation between tenants and promotes fair resource usage, thereby mitigating the risk of resource exhaustion and ensuring consistent performance for all users.
+
+**Key Annotations:**
+- **Title:** Restrict Resource Quota Changes
+- **Category:** Multitenancy Benchmarks
+- **Severity:** High
+- **Subject:** ResourceQuota
+
+**Policy Configuration:**
+- **Validation Failure Action:** Audit (Enforce rejection on failure)
+- **Rules:**
+  - **Name:** restrict-resource-quota-changes
+  - **Match Conditions:** Applicable to resource quota modification operations within namespaces
+  - **Validation Message:** "ResourceQuota changes are restricted"
+  - **Validation Pattern:**
+    - Enforces restrictions on actions such as creation, updating, patching, deletion, or bulk-deletion operations on resource quotas within namespaces.
+
+## Finding Violations
+
+To identify violations of the `restrict-resource-quota-changes` policy, follow these steps:
+
+1. **Check Policy Status:**
+   - Use the following command to view the READY status of Kyverno policies in your cluster:
+   ```bash
+   kubectl get cpol
+   ```
+   - Look for the status of the `restrict-resource-quota-changes` policy. If READY status shows `True` or the MESSAGE shows `Ready` your policy is up and running!
+
+2. **Check Policy Report:**
+   - Use the following command to view the violations if any:
+   ```bash
+   kubectl get cpolr
+   ```
+   - Look for the status of the "require-quota-for-all-objects" policy. If it shows any violations, note the namespace(s) where the violations occurred.
+
+3. **Inspect ResourceQuotas:**
+   - Use the following command to list ResourceQuotas in the namespaces where violations were detected:
+   ```bash
+   kubectl get resourcequota -n
+   ```
+   - Review the ResourceQuotas to identify any missing quotas for objects such as Pods, Services, Secrets, ConfigMaps, etc., listed in the policy.
+
+## Chainsaw Test
+
+To apply chainsaw test, run the following command
+   ```bash
+   chainsaw test .
+   ```
+
+## How to Fix It
+
+To address violations of the `restrict-resource-quota-changes` policy, take the following corrective actions:
+
+1. **Revoke Unauthorized Permissions:**
+   - Adjust Kubernetes RBAC (Role-Based Access Control) settings to revoke permissions that allow tenants to modify resource quotas within namespaces.
+
+2. **References:**
+   - Refer to the Kubernetes documentation on [Role-Based Access Control (RBAC)](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for guidance on configuring permissions.
+   - Explore additional [security best practices for Kubernetes clusters](https://github.com/kubernetes-retired/multi-tenancy/tree/master/benchmarks/kubectl-mtb/test/benchmarks/block_ns_quota) to enhance overall governance and compliance.
diff --git a/multitenancy-benchmarks/restrict-resource-quota-changes/restrict-resource-quota-changes.yaml b/multitenancy-benchmarks/restrict-resource-quota-changes/restrict-resource-quota-changes.yaml
new file mode 100644
index 00000000..c8547e9c
--- /dev/null
+++ b/multitenancy-benchmarks/restrict-resource-quota-changes/restrict-resource-quota-changes.yaml
@@ -0,0 +1,37 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-resource-quota-changes
+  annotations:
+    policies.kyverno.io/title: Restrict Resource Quota Changes
+    policies.kyverno.io/category: Multitenancy Benchmarks
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: ResourceQuota
+    policies.kyverno.io/description: >-
+      This policy verifies that tenants cannot create, update, patch, delete, or perform
+      bulk-deletion operations on resource quotas within their namespaces.
+      This could be a security measure to prevent tenants from interfering with
+      resource management or exceeding their allocated resources.
+spec:
+  background: false
+  validationFailureAction: Enforce
+  rules:
+  - name: restrict-resource-quota-changes
+    match:
+      any:
+      - resources:
+          kinds:
+          - ResourceQuota
+    validate:
+      message: "ResourceQuota changes are restricted"
+      deny:
+        conditions:
+          any:
+          - key: "{{request.operation || 'BACKGROUND'}}"
+            operator: AnyIn
+            value:
+            - CREATE
+            - UPDATE
+            - DELETE
+            - PATCH
+            - DELETECOLLECTION
diff --git a/pod-security-windows/baseline/disallow-host-network/disallow-host-network.yaml b/pod-security-windows/baseline/disallow-host-network/disallow-host-network.yaml
new file mode 100644
index 00000000..831e2bed
--- /dev/null
+++ b/pod-security-windows/baseline/disallow-host-network/disallow-host-network.yaml
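Review bot: The rule has no `exclude`, so the deny applies to every requester that touches a ResourceQuota with CREATE/UPDATE/DELETE/PATCH/DELETECOLLECTION — including the platform administrators who are supposed to set tenant quotas — which means that once the policy is enforced nobody can create or adjust a quota at all; the chainsaw test passes only because it exercises exactly that admin path and expects a rejection. The description says "tenants cannot", so the intent needs an exclusion for the administrative identity, for example an `exclude.any` entry with `clusterRoles` (or `subjects` naming the admin group/ServiceAccount) whose value is chosen per cluster; the snippet below uses a placeholder. The README added in this commit also states `Validation Failure Action: Audit` and `Severity: High` while the policy ships `Enforce` and `medium`, and its "Check Policy Report" step refers to a `require-quota-for-all-objects` policy; the two should be aligned.

```yaml
  - name: restrict-resource-quota-changes
    match:
      any:
      - resources:
          kinds:
          - ResourceQuota
    exclude:
      any:
      - clusterRoles:
        - cluster-admin  # PLACEHOLDER: the ClusterRole(s) or subjects allowed to manage quotas in this cluster
    # … unchanged: validate/deny block …
```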
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-host-network
+  annotations:
+    policies.kyverno.io/title: Disallow Host Network
+    policies.kyverno.io/category: Pod Security Standards (Baseline)
+    policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.6.0
+    kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.kyverno.io/subject: Pod
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-namespaces/"
+    policies.kyverno.io/description: >-
+      Host namespaces (network namespace) allow access to shared information and can be used to elevate
+      privileges. Pods should not be allowed access to host namespaces. This policy ensures
+      fields which make use of these host namespaces are unset or set to `false`.
+    policies.nirmata.io/remediation: "NA"
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+  - name: host-namespaces
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      message: >-
+        Sharing the host network namespaces is disallowed.
+      pattern:
+        spec:
+          =(hostNetwork): "false"
diff --git a/pod-security-windows/baseline/disallow-host-network/resource.yaml b/pod-security-windows/baseline/disallow-host-network/resource.yaml
new file mode 100644
index 00000000..11b18bb5
--- /dev/null
+++ b/pod-security-windows/baseline/disallow-host-network/resource.yaml
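Review bot: The description and the rule name `host-namespaces` speak of host namespaces in general and the remediation link points at the `disallow-host-namespaces` document, yet the pattern checks only `spec.hostNetwork`, so a reader cannot tell whether leaving out `hostPID`/`hostIPC` is an oversight. If it is deliberate because those fields do not apply to Windows pods (the Kubernetes Windows compatibility notes list hostPID/hostIPC sharing as unsupported — confirm for the targeted versions), say so in the description, e.g. `Only hostNetwork is checked; hostPID and hostIPC are not supported for Windows pods.`, and consider renaming the rule to `host-network`. `validationFailureAction: audit` is lowercase here while the policy earlier in this commit uses `Enforce`; Kyverno accepts both, but one casing across the repository is easier to grep.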
@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bad-windows-deployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: windows-app
+  template:
+    metadata:
+      labels:
+        app: windows-app
+    spec:
+      nodeSelector:
+        deploy: windows
+      hostNetwork: true
+      containers:
+      - name: windows-container
+        image: mcr.microsoft.com/windows/servercore:ltsc2019
+        command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"]
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: good-windows-deployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: windows-app
+  template:
+    metadata:
+      labels:
+        app: windows-app
+    spec:
+      nodeSelector:
+        deploy: windows
+      hostNetwork: false
+      containers:
+      - name: windows-container
+        image: mcr.microsoft.com/windows/servercore:ltsc2019
+        command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"]
diff --git a/pod-security-windows/baseline/disallow-hostprocess-containers/disallow-hostprocess-containers.yaml b/pod-security-windows/baseline/disallow-hostprocess-containers/disallow-hostprocess-containers.yaml
new file mode 100644
index 00000000..cd4c7d21
--- /dev/null
+++ b/pod-security-windows/baseline/disallow-hostprocess-containers/disallow-hostprocess-containers.yaml
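Review bot: Both Deployments in this fixture select the same `app: windows-app` label in the same namespace, so once both are applied their ReplicaSets adopt each other's pods and the good/bad outcome becomes ambiguous when someone uses the file to try the policy. Give each its own value — `app: windows-app-bad` and `app: windows-app-good` — in both `selector.matchLabels` and `template.metadata.labels`. The same overlap exists in the `resource.yaml` added under `disallow-hostprocess-containers` in the later hunk.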
@@ -0,0 +1,46 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-hostprocess-containers + annotations: + policies.kyverno.io/title: Disallow HostProcess Containers + policies.kyverno.io/category: Pod Security Standards (Baseline) + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Pod + kyverno.io/kyverno-version: 1.6.0 + kyverno.io/kubernetes-version: "1.22-1.23" + policies.nirmata.io/remediation-docs: "NA" + policies.kyverno.io/description: >- + Hostprocess mode disables most security mechanisms and must not be allowed. This policy + ensures the fields spec.containers[*].securityContext.privileged and spec.initContainers[*].securityContext.windowsOptions.hostProcess must be unset or set to `false`. + policies.nirmata.io/remediation: "NA" +spec: + validationFailureAction: audit + background: true + rules: + - name: hostprocess-containers + match: + any: + - resources: + kinds: + - Pod + validate: + message: >- + HostProcess mode is disallowed. + pattern: + spec: + =(securityContext): + =(windowsOptions): + =(hostProcess): "false" + =(ephemeralContainers): + - =(securityContext): + =(windowsOptions): + =(hostProcess): "false" + =(initContainers): + - =(securityContext): + =(windowsOptions): + =(hostProcess): "false" + containers: + - =(securityContext): + =(windowsOptions): + =(hostProcess): "false" diff --git a/pod-security-windows/baseline/disallow-hostprocess-containers/resource.yaml b/pod-security-windows/baseline/disallow-hostprocess-containers/resource.yaml new file mode 100644 index 00000000..d4e27093 --- /dev/null +++ b/pod-security-windows/baseline/disallow-hostprocess-containers/resource.yaml 
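Review bot: The description names `spec.containers[*].securityContext.privileged` as a field this policy checks, but the pattern under `validate.pattern` only constrains `securityContext.windowsOptions.hostProcess` at the pod, ephemeralContainers, initContainers and containers levels; `privileged` appears nowhere in the rule, so the description overstates the coverage. Suggested replacement for that sentence: `This policy ensures spec.securityContext.windowsOptions.hostProcess and the securityContext.windowsOptions.hostProcess field of every container, initContainer and ephemeralContainer are unset or set to false.` Note too that `policies.nirmata.io/remediation-docs: "NA"` is the third spelling of "not available" across this commit (siblings use `"N/A"` or a URL); a consistent value keeps report tooling predictable.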
@@ -0,0 +1,47 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bad-windows-deployment +spec: + replicas: 1 + selector: + matchLabels: + app: windows-app + template: + metadata: + labels: + app: windows-app + spec: + nodeSelector: + deploy: windows + securityContext: + windowsOptions: + hostProcess: true + containers: + - name: windows-container + image: mcr.microsoft.com/windows/servercore:ltsc2019 + command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"] +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: good-windows-deployment +spec: + replicas: 1 + selector: + matchLabels: + app: windows-app + template: + metadata: + labels: + app: windows-app + spec: + nodeSelector: + deploy: windows + securityContext: + windowsOptions: + hostProcess: false + containers: + - name: windows-container + image: mcr.microsoft.com/windows/servercore:ltsc2019 + command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"] diff --git a/pod-security-windows/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml b/pod-security-windows/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml new file mode 100644 index 00000000..73199f0b --- /dev/null +++ b/pod-security-windows/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml 
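Review bot: The bad Deployment sets `hostProcess: true` at pod level without `hostNetwork: true` or a `runAsUserName`; as far as I recall, API-server validation requires both for a HostProcess pod, so in a live cluster this manifest would likely be rejected before Kyverno's webhook ever sees it. That is fine for file-based `kyverno test` runs, but if the fixture is meant to exercise admission, add `hostNetwork: true` and a `runAsUserName` under `windowsOptions` in the bad pod so the policy, not schema validation, is what fails it. The shared selector and custom nodeSelector label are covered in the note on the disallow-host-network fixture.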
@@ -0,0 +1,44 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-run-as-non-root-user + annotations: + policies.kyverno.io/title: Require Run As Non-Root User + policies.kyverno.io/category: Pod Security Standards (Restricted) + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Pod + kyverno.io/kyverno-version: 1.6.0 + kyverno.io/kubernetes-version: "1.22-1.23" + policies.nirmata.io/remediation-docs: "N/A" + policies.kyverno.io/description: >- + Containers must be required to run as non-root users. This policy ensures that the fields + spec.securityContext.windowsOptions.runAsUserName, + spec.containers[*].securityContext.windowsOptions.runAsUserName, + spec.initContainers[*].securityContext.windowsOptions.runAsUserName, + and is either unset or set to ContainerUser. +spec: + validationFailureAction: audit + background: true + rules: + - name: run-as-non-root-user + match: + any: + - resources: + kinds: + - Pod + validate: + message: >- + Running the container as root user is not allowed. + pattern: + spec: + =(securityContext): + =(windowsOptions): + =(runAsUserName): "ContainerUser" + =(initContainers): + - =(securityContext): + =(windowsOptions): + =(runAsUserName): "ContainerUser" + containers: + - =(securityContext): + =(windowsOptions): + =(runAsUserName): "ContainerUser" diff --git a/pod-security-windows/restricted/require-run-as-non-root-user/resource.yaml b/pod-security-windows/restricted/require-run-as-non-root-user/resource.yaml new file mode 100644 index 00000000..5c7db94e --- /dev/null +++ b/pod-security-windows/restricted/require-run-as-non-root-user/resource.yaml 
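Review bot: The pattern covers pod-level securityContext, initContainers and containers but not `=(ephemeralContainers)`, unlike the sibling disallow-hostprocess-containers policy in this commit, so an ephemeral (debug) container that sets `windowsOptions.runAsUserName: ContainerAdministrator` passes; the block below mirrors the existing `=(initContainers)` entry. The exact match `=(runAsUserName): "ContainerUser"` also rejects any custom non-admin account baked into an image; if the intent is only to block the administrator account, Kyverno's negation form `"!ContainerAdministrator"` would express that. The description's last clause (`..., and is either unset or set to ContainerUser.`) has a dangling "and" left over from the field list; suggested: `...spec.initContainers[*].securityContext.windowsOptions.runAsUserName are either unset or set to ContainerUser.`, adding ephemeralContainers to the list once the pattern covers it.
```yaml
      pattern:
        spec:
          # … unchanged: =(securityContext) block …
          =(ephemeralContainers):
          - =(securityContext):
              =(windowsOptions):
                =(runAsUserName): "ContainerUser"
          # … unchanged: =(initContainers) and containers blocks …
```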
@@ -0,0 +1,47 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bad-windows-deployment +spec: + replicas: 1 + selector: + matchLabels: + app: windows-app + template: + metadata: + labels: + app: windows-app + spec: + nodeSelector: + deploy: windows + securityContext: + windowsOptions: + runAsUserName: "ContainerAdministrator" + containers: + - name: windows-container + image: mcr.microsoft.com/windows/servercore:ltsc2019 + command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"] +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: good-windows-deployment +spec: + replicas: 1 + selector: + matchLabels: + app: windows-app + template: + metadata: + labels: + app: windows-app + spec: + nodeSelector: + deploy: windows + securityContext: + windowsOptions: + runAsUserName: "ContainerUser" + containers: + - name: windows-container + image: mcr.microsoft.com/windows/servercore:ltsc2019 + command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"] diff --git a/pod-security-windows/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml b/pod-security-windows/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml new file mode 100644 index 00000000..4cd69e52 --- /dev/null +++ b/pod-security-windows/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml 
@@ -0,0 +1,56 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-run-as-nonroot + annotations: + policies.kyverno.io/title: Require runAsNonRoot + policies.kyverno.io/category: Pod Security Standards (Restricted) + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Pod + kyverno.io/kyverno-version: 1.6.0 + kyverno.io/kubernetes-version: "1.22-1.23" + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/restricted/require-run-as-non-root/" + policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/restricted/require-run-as-nonroot/remediate-require-run-as-nonroot.yaml" + policies.kyverno.io/description: >- + Containers must be required to run as non-root users. This policy ensures either the field + spec.securityContext.runAsNonRoot + is set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, + spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot + is set to `true`. A known issue prevents a policy such as this + using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. +spec: + validationFailureAction: audit + background: true + rules: + - name: run-as-non-root + match: + any: + - resources: + kinds: + - Pod + validate: + message: >- + Running the container as root is not allowed. + anyPattern: + - spec: + securityContext: + runAsNonRoot: "true" + =(ephemeralContainers): + - =(securityContext): + =(runAsNonRoot): "true" + =(initContainers): + - =(securityContext): + =(runAsNonRoot): "true" + containers: + - =(securityContext): + =(runAsNonRoot): "true" + - spec: + =(ephemeralContainers): + - securityContext: + runAsNonRoot: "true" + =(initContainers): + - securityContext: + runAsNonRoot: "true" + containers: + - securityContext: + runAsNonRoot: "true" 
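Review bot: The `policies.nirmata.io/remediation` annotation points at `pod-security/restricted/require-run-as-nonroot/remediate-require-run-as-nonroot.yaml`, the Linux policy tree, while this file lives under `pod-security-windows/`; either a Windows remediation policy should be added alongside and linked, or the annotation should be `"N/A"` like its siblings until one exists. This also reads as the upstream Linux policy copied verbatim: on Windows, `runAsNonRoot` is, as far as I know, honoured by the kubelet only as a check that the container user is not ContainerAdministrator, and the commit already ships require-run-as-non-root-user for that purpose, so the description should state how the two policies relate and which verdict wins for a pod that sets `runAsUserName: ContainerUser` without `runAsNonRoot`. The rule name `run-as-non-root` is also one token away from the sibling's `run-as-non-root-user`, which makes policy report output hard to tell apart.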
diff --git a/pod-security-windows/restricted/require-run-as-nonroot/resource.yaml b/pod-security-windows/restricted/require-run-as-nonroot/resource.yaml new file mode 100644 index 00000000..632e79ff --- /dev/null +++ b/pod-security-windows/restricted/require-run-as-nonroot/resource.yaml @@ -0,0 +1,43 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bad-windows-deployment +spec: + replicas: 1 + selector: + matchLabels: + app: windows-app + template: + metadata: + labels: + app: windows-app + spec: + nodeSelector: + deploy: windows + containers: + - name: windows-container + image: mcr.microsoft.com/windows/servercore:ltsc2019 + command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"] +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: good-windows-deployment +spec: + replicas: 1 + selector: + matchLabels: + app: windows-app + template: + metadata: + labels: + app: windows-app + spec: + nodeSelector: + deploy: windows + securityContext: + runAsNonRoot: true + containers: + - name: windows-container + image: mcr.microsoft.com/windows/servercore:ltsc2019 + command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"]