Merge pull request #185 from mastersans/helm-charts

feat: added cloud-controls helm-subchart for apigateway

charts/cloud-controls/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: cloud-controls
 description: Cloud Controls Helm Chart
-version: 0.0.1
+version: 0.0.2
 keywords:
   - kubernetes
   - nirmata
@@ -24,3 +24,7 @@ dependencies:
     condition: aws-lambda-best-practices.enabled
     version: 0.0.1
     repository: file://charts/lambda
+  - name: aws-apigateway-best-practices
+    condition: aws-apigateway-best-practices.enabled
+    version: 0.0.1
+    repository: file://charts/apigateway

charts/cloud-controls/charts/apigateway/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/cloud-controls/charts/apigateway/Chart.yaml

@@ -0,0 +1,14 @@
+apiVersion: v2
+name: aws-apigateway-best-practices
+description: Aws ApiGateway Best Practices CloudController Policy Set
+type: application
+version: 0.0.1
+keywords:
+  - kubernetes
+  - nirmata
+  - kyverno
+  - policy
+  - cloud-controller
+maintainers:
+  - name: Nirmata
+    url: https://nirmata.com/

charts/cloud-controls/charts/apigateway/templates/check-api-protocol.yaml

@@ -0,0 +1,39 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkApiProtocol" }}
+{{- $name := "check-api-protocol" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+  name: {{ $name }}
+  annotations:
+    policies.kyverno.io/title: Ensure API has Correct ProtocolType
+    policies.kyverno.io/category: ApiGateway Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      APIs can use either the HTTP or WebSocket protocol. HTTP is generally more cost-effective as 
+      it is stateless and suitable for typical client-server interactions. WebSocket, while ideal for real-time, 
+      low-latency communication, requires persistent connections, which can increase costs. For cost-effectiveness, 
+      choose HTTP unless real-time communication is critical to your application.
+  labels:
+    app: kyverno
+spec:
+  failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+  scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+  admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+  rules:
+    - name: {{ $name }}
+      identifier: payload.name
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): ApiGatewayV2
+        - (metadata.resource): Api
+      assert:
+        all:
+        - message: "Ensure API has Correct ProtocolType."
+          check:
+            payload:
+              protocolType: {{ if hasKey .Values $camelCaseName }}{{ $protocolType := index (index .Values $camelCaseName) "protocolType" }}{{ if or (eq $protocolType "HTTP") (eq $protocolType "WEBSOCKET") }}{{ $protocolType }}{{ else }}"HTTP"{{ end }}{{ else }}"HTTP"{{ end }}
+{{- end }}
+{{- end }}

charts/cloud-controls/charts/apigateway/templates/check-method-caching-enabled.yaml

@@ -0,0 +1,38 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkMethodCachingEnabled" }}
+{{- $name := "check-method-caching-enabled" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+  name: {{ $name }}
+  annotations:
+    policies.kyverno.io/title: Ensure API Gateway has Caching Enabled in Method Settings.
+    policies.kyverno.io/category: ApiGateway Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy ensures that caching is enabled in API Gateway method settings, 
+      which helps improve performance, reduce latency, and lower operational costs by minimizing redundant 
+      requests to the backend services. Enforcing this best practice enhances the efficiency and reliability of your API.
+  labels:
+    app: kyverno
+spec:
+  failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+  scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+  admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+  rules:
+    - name: {{ $name }}
+      identifier: payload.stageName
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): ApiGateway
+        - (metadata.resource): Stage
+      assert:
+        all:
+        - message: "Ensure API Gateway has Caching Enabled in Method Settings."
+          check:
+            payload:
+              (contains(keys(@), 'methodSettings') && !contains(methodSettings[*].cachingEnabled, `false`)): true
+{{- end }}
+{{- end }}

charts/cloud-controls/charts/apigateway/templates/check-method-caching-encryption-enabled.yaml

@@ -0,0 +1,38 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkMethodCachingEncryptionEnabled" }}
+{{- $name := "check-method-caching-encryption-enabled" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+  name: {{ $name }}
+  annotations:
+    policies.kyverno.io/title: Ensure API Gateway has Caching Encryption Enabled in Method Settings.
+    policies.kyverno.io/category: ApiGateway Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy ensures that caching encryption is enabled in API Gateway method settings, 
+      safeguarding sensitive data stored in the cache. Enforcing this practice enhances the security 
+      and compliance of your API by preventing unauthorized access to cached data.
+  labels:
+    app: kyverno
+spec:
+  failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+  scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+  admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+  rules:
+    - name: {{ $name }}
+      identifier: payload.stageName
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): ApiGateway
+        - (metadata.resource): Stage
+      assert:
+        all:
+        - message: "Ensure API Gateway has Caching Encryption Enabled in Method Settings."
+          check:
+            payload:
+              (contains(keys(@), 'methodSettings') && !contains(methodSettings[?cachingEnabled == `true`].cacheDataEncrypted, `false`)): true
+{{- end }}
+{{- end }}

charts/cloud-controls/charts/apigateway/templates/check-method-data-tracing-disabled.yaml

@@ -0,0 +1,37 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkMethodDataTracingDisabled" }}
+{{- $name := "check-method-data-tracing-disabled" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+  name: {{ $name }}
+  annotations:
+    policies.kyverno.io/title: Ensure API Gateway has Caching Enabled in Method Settings.
+    policies.kyverno.io/category: ApiGateway Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy ensures that data tracing is disabled in API Gateway method settings to prevent sensitive data from being logged. 
+      Enforcing this practice helps enhance security, protect user privacy, and reduce the risk of exposing sensitive information in logs.
+  labels:
+    app: kyverno
+spec:
+  failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+  scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+  admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+  rules:
+    - name: {{ $name }}
+      identifier: payload.stageName
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): ApiGateway
+        - (metadata.resource): Stage
+      assert:
+        all:
+        - message: "Ensure API Gateway has Caching Enabled in Method Settings."
+          check:
+            payload:
+              (contains(keys(@), 'methodSettings') && !contains(methodSettings[*].dataTraceEnabled, `true`)): true
+{{- end }}
+{{- end }}

charts/cloud-controls/charts/apigateway/templates/check-method-throttling-limit.yaml

@@ -0,0 +1,48 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkMethodThrottlingLimit" }}
+{{- $name := "check-method-throttling-limit" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+  name: {{ $name }}
+  annotations:
+    policies.kyverno.io/title: Ensure API Gateway has Throttling Limit Set in Method Settings.
+    policies.kyverno.io/category: ApiGateway Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy ensures that throttling limits, including ThrottlingBurstLimit and ThrottlingRateLimit, 
+      are properly configured in API Gateway method settings. Enforcing this practice prevents resource overuse, 
+      enhances API reliability, and ensures fair usage by controlling the request rates to backend services.
+  labels:
+    app: kyverno
+spec:
+  failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+  scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+  admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+  rules:
+    - name: {{ $name }}
+      identifier: payload.stageName
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): ApiGateway
+        - (metadata.resource): Stage
+      context:
+      - name: burstLimit
+        variable: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "burstLimit" }}{{ index (index .Values $camelCaseName) "burstLimit" }}{{ else }}1500{{ end }}{{ else }}1500{{ end }}
+      - name: rateLimit
+        variable: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "rateLimit" }}{{ index (index .Values $camelCaseName) "rateLimit" }}{{ else }}2000{{ end }}{{ else }}2000{{ end }}
+      assert:
+        all:
+        - message: "Ensure ThrottlingBurstLimit is configured properly"
+          check:
+            payload:
+              (contains(keys(@), 'methodSettings') && (length(methodSettings[?throttlingBurstLimit > $burstLimit]) == `0`)): true
+
+        - message: "Ensure ThrottlingRateLimit is configured properly"
+          check:
+            payload:
+              (contains(keys(@), 'methodSettings') && (length(methodSettings[?throttlingRateLimit > $rateLimit]) == `0`)): true
+{{- end }}
+{{- end }}

charts/cloud-controls/charts/apigateway/templates/check-stage-access-logging-enabled.yaml

@@ -0,0 +1,38 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkStageAccessLoggingEnabled" }}
+{{- $name := "check-stage-access-logging-enabled" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+  name: {{ $name }}
+  annotations:
+    policies.kyverno.io/title: Ensure API Gateway has Access Logging enabled
+    policies.kyverno.io/category: ApiGateway Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy ensures that access logging is enabled in API Gateway stages, 
+      which is critical for monitoring and auditing API activity. Enforcing this practice improves observability, 
+      aids in troubleshooting issues, and enhances security by maintaining a detailed record of API access and usage.
+  labels:
+    app: kyverno
+spec:
+  failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+  scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+  admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+  rules:
+    - name: {{ $name }}
+      identifier: payload.stageName
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): ApiGateway
+        - (metadata.resource): Stage
+      assert:
+        all:
+        - message: "Ensure API Gateway has Access Logging enabled"
+          check:
+            payload:
+              (contains(keys(@), 'accessLogSetting') && accessLogSetting != `{}`): true
+{{- end }}
+{{- end }}

charts/cloud-controls/charts/apigateway/templates/check-stage-cache-cluster-enabled.yaml

@@ -0,0 +1,38 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkStageCacheClusterEnabled" }}
+{{- $name := "check-stage-cache-cluster-enabled" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+  name: {{ $name }}
+  annotations:
+    policies.kyverno.io/title: Ensure API Gateway caching is enabled
+    policies.kyverno.io/category: ApiGateway Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy ensures that caching is enabled for API Gateway stages, 
+      which enhances performance by reducing backend load and improving response times. 
+      Enforcing this best practice helps optimize resource utilization and provides a better user experience for API consumers.
+  labels:
+    app: kyverno
+spec:
+  failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+  scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+  admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+  rules:
+    - name: {{ $name }}
+      identifier: payload.stageName
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): ApiGateway
+        - (metadata.resource): Stage
+      assert:
+        all:
+        - message: "Ensure API Gateway caching is enabled"
+          check:
+            payload:
+              cacheClusterEnabled: true
+{{- end }}
+{{- end }}