Merge pull request #83 from nirmata/NDEV-16720-helm-customize

parameterize kyverno-policies helm charts

charts/best-practices-k8s/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubernetes-best-practice-policies
 description: Kubernetes Best Practice policy set
 type: application
-version: 0.2.0
+version: 0.2.1
 appVersion: 0.1.0
 keywords:
   - kubernetes

charts/best-practices-k8s/templates/_helpers.tpl

@@ -0,0 +1,30 @@
+{{/*
+Validation failure action for policy or default validation failure action
+*/}}
+
+{{- define "vfa-for-pol" -}}
+
+{{- with index .Values "validationFailureActionByPolicy" .polname }}
+{{- toYaml . }}
+{{- else }}
+{{- .Values.validationFailureAction }}
+{{- end }}
+
+{{- end}}
+
+
+{{/*
+Background scan for policy or default background value
+*/}}
+{{- define "bgscan-for-pol" -}}
+{{- $flagStr := lower (toString (index .Values "backgroundByPolicy" .polname)) }}
+
+{{- if eq "false" $flagStr }}
+{{- false }}
+{{- else if eq "true" $flagStr }}
+{{- true }}
+{{- else }}
+{{- .Values.background }}
+{{- end }}
+
+{{- end}}

charts/best-practices-workload-security/pols/disallow_cri_sock_mount.yaml → charts/best-practices-k8s/templates/disallow_cri_sock_mount.yaml

@@ -1,7 +1,8 @@
+{{- $name := "disallow-container-sock-mounts" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: disallow-container-sock-mounts
+  name: {{ $name }}
   annotations:
     policies.kyverno.io/title: Disallow CRI socket mounts
     policies.kyverno.io/category: Best Practices, EKS Best Practices
@@ -14,8 +15,8 @@ metadata:
       outside of Kubernetes, and hence should not be allowed. This policy validates that
       the sockets used for CRI engines Docker, Containerd, and CRI-O are not used.
 spec:
-  validationFailureAction: audit
-  background: true
+  validationFailureAction: {{ include "vfa-for-pol" (dict "Values" .Values "polname" $name) }}
+  background: {{ include "bgscan-for-pol" (dict "Values" .Values "polname" $name) }}
   rules:
   - name: validate-docker-sock-mount
     match:

charts/best-practices-workload-security/pols/disallow_default_namespace.yaml → charts/best-practices-k8s/templates/disallow_default_namespace.yaml

@@ -1,7 +1,8 @@
+{{- $name := "disallow-default-namespace" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: disallow-default-namespace
+  name: {{ $name }}
   annotations:
     pod-policies.kyverno.io/autogen-controllers: none
     policies.kyverno.io/title: Disallow Default Namespace
@@ -18,8 +19,8 @@ metadata:
       due to Pod controllers need to specify the `namespace` field under the top-level `metadata`
       object and not at the Pod template level.
 spec:
-  validationFailureAction: audit
-  background: true
+  validationFailureAction: {{ include "vfa-for-pol" (dict "Values" .Values "polname" $name) }}
+  background: {{ include "bgscan-for-pol" (dict "Values" .Values "polname" $name) }}
   rules:
   - name: validate-namespace
     match:

charts/best-practices-workload-security/pols/disallow_empty_ingress_host.yaml → charts/best-practices-k8s/templates/disallow_empty_ingress_host.yaml

@@ -1,7 +1,8 @@
+{{- $name := "disallow-empty-ingress-host" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: disallow-empty-ingress-host
+  name: {{ $name }}
   annotations:
     policies.kyverno.io/title: Disallow empty Ingress host
     policies.kyverno.io/category: Best Practices
@@ -12,8 +13,8 @@ metadata:
       in order to be valid. This policy ensures that there is a
       hostname for each rule defined.
 spec:
-  validationFailureAction: audit
-  background: false
+  validationFailureAction: {{ include "vfa-for-pol" (dict "Values" .Values "polname" $name) }}
+  background: {{ include "bgscan-for-pol" (dict "Values" .Values "polname" $name) }}
   rules:
     - name: disallow-empty-ingress-host
       match:
@@ -24,6 +25,6 @@ spec:
         message: "The Ingress host name must be defined, not empty."
         deny:
           conditions:
-            - key: "{{ request.object.spec.rules[].host || `[]` | length(@) }}"
+            - key: "{{`{{`}} request.object.spec.rules[].host || `[]` | length(@) {{`}}`}}"
               operator: NotEquals
-              value: "{{ request.object.spec.rules[].http || `[]` | length(@) }}"
+              value: "{{`{{`}} request.object.spec.rules[].http || `[]` | length(@) {{`}}`}}"

charts/best-practices-workload-security/pols/disallow_latest_tag.yaml → charts/best-practices-k8s/templates/disallow_latest_tag.yaml

@@ -1,7 +1,8 @@
+{{- $name := "disallow-latest-tag" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: disallow-latest-tag
+  name: {{ $name }}
   annotations:
     policies.kyverno.io/title: Disallow Latest Tag
     policies.kyverno.io/category: Best Practices
@@ -13,8 +14,8 @@ metadata:
       a specific version of an application Pod. This policy validates that the image
       specifies a tag and that it is not called `latest`.
 spec:
-  validationFailureAction: audit
-  background: true
+  validationFailureAction: {{ include "vfa-for-pol" (dict "Values" .Values "polname" $name) }}
+  background: {{ include "bgscan-for-pol" (dict "Values" .Values "polname" $name) }}
   rules:
   - name: require-image-tag
     match:

charts/best-practices-k8s/pols/require_drop_all.yaml → charts/best-practices-k8s/templates/require_drop_all.yaml

@@ -1,7 +1,8 @@
+{{- $name :=  "drop-all-capabilities" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: drop-all-capabilities
+  name: {{ $name }}
   annotations:
     policies.kyverno.io/title: Drop All Capabilities
     policies.kyverno.io/category: Best Practices
@@ -15,8 +16,8 @@ metadata:
       ability. Note that this policy also illustrates how to cover drop entries in any
       case although this may not strictly conform to the Pod Security Standards.
 spec:
-  validationFailureAction: audit
-  background: true
+  validationFailureAction: {{ include "vfa-for-pol" (dict "Values" .Values "polname" $name) }}
+  background: {{ include "bgscan-for-pol" (dict "Values" .Values "polname" $name) }}
   rules:
     - name: require-drop-all
       match:
@@ -26,7 +27,7 @@ spec:
               - Pod
       preconditions:
         all:
-        - key: "{{ request.operation || 'BACKGROUND' }}"
+        - key: "{{`{{`}} request.operation || 'BACKGROUND' {{`}}`}}"
           operator: NotEquals
           value: DELETE
       validate:
@@ -39,4 +40,4 @@ spec:
                 all:
                 - key: ALL
                   operator: AnyNotIn
-                  value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
+                  value: "{{`{{`}} element.securityContext.capabilities.drop[].to_upper(@) || `[]` {{`}}`}}"

charts/best-practices-workload-security/pols/require_drop_cap_net_raw.yaml → charts/best-practices-k8s/templates/require_drop_cap_net_raw.yaml

@@ -1,7 +1,8 @@
+{{- $name :=  "drop-cap-net-raw" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: drop-cap-net-raw
+  name: {{ $name }}
   annotations:
     policies.kyverno.io/title: Drop CAP_NET_RAW
     policies.kyverno.io/category: Best Practices
@@ -16,8 +17,8 @@ metadata:
       ability. Note that this policy also illustrates how to cover drop entries in any
       case although this may not strictly conform to the Pod Security Standards.
 spec:
-  validationFailureAction: audit
-  background: true
+  validationFailureAction: {{ include "vfa-for-pol" (dict "Values" .Values "polname" $name) }}
+  background: {{ include "bgscan-for-pol" (dict "Values" .Values "polname" $name) }}
   rules:
     - name: require-drop-cap-net-raw
       match:
@@ -27,7 +28,7 @@ spec:
               - Pod
       preconditions:
         all:
-        - key: "{{ request.operation || 'BACKGROUND' }}"
+        - key: "{{`{{`}} request.operation || 'BACKGROUND' {{`}}`}}"
           operator: NotEquals
           value: DELETE
       validate:
@@ -40,4 +41,4 @@ spec:
                 all:
                 - key: CAP_NET_RAW
                   operator: AnyNotIn
-                  value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
+                  value: "{{`{{`}} element.securityContext.capabilities.drop[].to_upper(@) || `[]` {{`}}`}}"

charts/best-practices-workload-security/pols/require_labels.yaml → charts/best-practices-k8s/templates/require_labels.yaml

@@ -1,7 +1,8 @@
+{{- $name := "require-labels" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: require-labels
+  name: {{ $name }}
   annotations:
     policies.kyverno.io/title: Require Labels
     policies.kyverno.io/category: Best Practices
@@ -13,8 +14,8 @@ metadata:
       all tools can understand. The recommended labels describe applications in a way that can be
       queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
 spec:
-  validationFailureAction: audit
-  background: true
+  validationFailureAction: {{ include "vfa-for-pol" (dict "Values" .Values "polname" $name) }}
+  background: {{ include "bgscan-for-pol" (dict "Values" .Values "polname" $name) }}
   rules:
   - name: check-for-labels
     match:

charts/best-practices-workload-security/pols/require_pod_requests_limits.yaml → charts/best-practices-k8s/templates/require_pod_requests_limits.yaml

@@ -1,7 +1,8 @@
+{{- $name :=  "require-requests-limits" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: require-requests-limits
+  name: {{ $name }}
   annotations:
     policies.kyverno.io/title: Require Limits and Requests
     policies.kyverno.io/category: Best Practices, EKS Best Practices
@@ -16,8 +17,8 @@ metadata:
       This policy validates that all containers have something specified for memory and CPU
       requests and memory limits.
 spec:
-  validationFailureAction: audit
-  background: true
+  validationFailureAction: {{ include "vfa-for-pol" (dict "Values" .Values "polname" $name) }}
+  background: {{ include "bgscan-for-pol" (dict "Values" .Values "polname" $name) }}
   rules:
   - name: validate-resources
     match:

charts/best-practices-k8s/pols/require_probes.yaml → charts/best-practices-k8s/templates/require_probes.yaml

@@ -1,7 +1,8 @@
+{{- $name := "require-pod-probes" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: require-pod-probes
+  name: {{ $name }}
   annotations:
     pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,StatefulSet
     policies.kyverno.io/title: Require Pod Probes
@@ -17,8 +18,8 @@ metadata:
       This policy validates that all containers have one of livenessProbe, readinessProbe,
       or startupProbe defined.
 spec:
-  validationFailureAction: audit
-  background: true
+  validationFailureAction: {{ include "vfa-for-pol" (dict "Values" .Values "polname" $name) }}
+  background: {{ include "bgscan-for-pol" (dict "Values" .Values "polname" $name) }}
   rules:
   - name: validate-probes
     match:
@@ -35,10 +36,10 @@ spec:
             all:
             - key: livenessProbe
               operator: AllNotIn
-              value: "{{ element.keys(@)[] }}"
+              value: "{{`{{`}} element.keys(@)[] {{`}}`}}"
             - key: startupProbe
               operator: AllNotIn
-              value: "{{ element.keys(@)[] }}"
+              value: "{{`{{`}} element.keys(@)[] {{`}}`}}"
             - key: readinessProbe
               operator: AllNotIn
-              value: "{{ element.keys(@)[] }}"
+              value: "{{`{{`}} element.keys(@)[] {{`}}`}}"

charts/best-practices-workload-security/pols/require_ro_rootfs.yaml → charts/best-practices-k8s/templates/require_ro_rootfs.yaml

@@ -1,7 +1,8 @@
+{{- $name := "require-ro-rootfs" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: require-ro-rootfs
+  name: {{ $name }}
   annotations:
     policies.kyverno.io/title: Require Read-Only Root Filesystem
     policies.kyverno.io/category: Best Practices, EKS Best Practices
@@ -15,8 +16,8 @@ metadata:
       host system. This policy validates that containers define a securityContext
       with `readOnlyRootFilesystem: true`.
 spec:
-  validationFailureAction: audit
-  background: true
+  validationFailureAction: {{ include "vfa-for-pol" (dict "Values" .Values "polname" $name) }}
+  background: {{ include "bgscan-for-pol" (dict "Values" .Values "polname" $name) }}
   rules:
   - name: validate-readOnlyRootFilesystem
     match:

charts/best-practices-workload-security/pols/restrict-service-external-ips.yaml → charts/best-practices-k8s/templates/restrict-service-external-ips.yaml

@@ -1,7 +1,8 @@
+{{- $name := "restrict-external-ips" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: restrict-external-ips
+  name: {{ $name }}
   annotations:
     policies.kyverno.io/title: Restrict External IPs
     policies.kyverno.io/category: Best Practices
@@ -13,8 +14,8 @@ metadata:
       See: https://github.com/kyverno/kyverno/issues/1367. This policy validates
       that the `externalIPs` field is not set on a Service.
 spec:
-  validationFailureAction: audit
-  background: true
+  validationFailureAction: {{ include "vfa-for-pol" (dict "Values" .Values "polname" $name) }}
+  background: {{ include "bgscan-for-pol" (dict "Values" .Values "polname" $name) }}
   rules:
   - name: check-ips
     match:

charts/best-practices-workload-security/pols/restrict_node_port.yaml → charts/best-practices-k8s/templates/restrict_node_port.yaml

@@ -1,7 +1,8 @@
+{{- $name := "restrict-nodeport" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: restrict-nodeport
+  name: {{ $name }}
   annotations:
     policies.kyverno.io/title: Disallow NodePort
     policies.kyverno.io/category: Best Practices
@@ -14,8 +15,8 @@ metadata:
       with additional upstream security checks. This policy validates that any new Services
       do not use the `NodePort` type.
 spec:
-  validationFailureAction: audit
-  background: true
+  validationFailureAction: {{ include "vfa-for-pol" (dict "Values" .Values "polname" $name) }}
+  background: {{ include "bgscan-for-pol" (dict "Values" .Values "polname" $name) }}
   rules:
   - name: validate-nodeport
     match:

charts/best-practices-k8s/values.yaml

@@ -0,0 +1,15 @@
+# -- Policies background mode
+background: true
+
+# -- Default validationFailureAction
+validationFailureAction: audit
+
+# -- Define background for specific policies.
+# Override the defined `background` with a individual background for individual Policies.
+backgroundByPolicy: {}
+  # require-labels: false
+
+# -- Define validationFailureActionByPolicy for specific policies.
+# Override the defined `validationFailureAction` with a individual validationFailureAction for individual Policies.
+validationFailureActionByPolicy: {}
+  # require-labels: enforce

charts/best-practices-workload-security/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: workload-security-best-practice-policies
 description: Workload Security Best Practice policy set
 type: application
-version: 0.1.2
+version: 0.1.3
 appVersion: 0.1.0
 keywords:
   - kubernetes

charts/best-practices-k8s/pols/disallow_empty_ingress_host.yaml → charts/best-practices-workload-security/templates/disallow_empty_ingress_host.yaml

@@ -24,6 +24,6 @@ spec:
         message: "The Ingress host name must be defined, not empty."
         deny:
           conditions:
-            - key: "{{ request.object.spec.rules[].host || `[]` | length(@) }}"
+            - key: "{{`{{`}} request.object.spec.rules[].host || `[]` | length(@) {{`}}`}}"
               operator: NotEquals
-              value: "{{ request.object.spec.rules[].http || `[]` | length(@) }}"
+              value: "{{`{{`}} request.object.spec.rules[].http || `[]` | length(@) {{`}}`}}"