From 43a33174bd5065d444d4abc16ed58aa85603a11a Mon Sep 17 00:00:00 2001
From: Anusha Hegde
Date: Sat, 15 Jun 2024 22:23:32 +0200
Subject: [PATCH] Update dockerfile chart
---
 charts/best-practices-dockerfile/Chart.yaml | 4 +--
 .../pols/check-allow-untrusted-flag.yaml | 1 +
 .../pols/check-apt-command-force-yes.yaml | 33 +++++++++++++++++++
 .../check-certificate-validation-curl.yaml | 1 +
 ...ck-certificate-validation-git-env-var.yaml | 25 ++++++++++++++
 ...certificate-validation-nodejs-env-var.yaml | 1 +
 .../check-certificate-validation-pip3.yaml | 1 +
 ...certificate-validation-python-env-var.yaml | 2 +-
 .../check-certificate-validation-wget.yaml | 1 +
 .../pols/check-label-maintainer.yaml | 27 +++++++++++++++
 .../pols/check-last-user.yaml | 1 +
 .../pols/check-missing-signature-options.yaml | 1 +
 .../pols/check-nogpgcheck.yaml | 1 +
 .../pols/check-npm-config-strict-ssl.yaml | 1 +
 .../pols/check-unauthentication-install.yaml | 1 +
 .../pols/detect-multiple-instructions.yaml | 1 +
 .../pols/disallow-sudo-operations.yaml | 1 +
 .../pols/prefer-copy-over-add.yaml | 1 +
 .../pols/validate-base-image-tag.yaml | 1 +
 .../pols/validate-expose-port-22.yaml | 1 +
 .../validate-healthcheck-instruction.yaml | 1 +
 .../pols/validate-user-instruction.yaml | 1 +
 ...certificate-validation-python-env-var.yaml | 1 -
 23 files changed, 105 insertions(+), 4 deletions(-)
 create mode 100644 charts/best-practices-dockerfile/pols/check-apt-command-force-yes.yaml
 create mode 100644 charts/best-practices-dockerfile/pols/check-certificate-validation-git-env-var.yaml
 create mode 100644 charts/best-practices-dockerfile/pols/check-label-maintainer.yaml
diff --git a/charts/best-practices-dockerfile/Chart.yaml b/charts/best-practices-dockerfile/Chart.yaml
index ca3f4d43..9c193619 100644
--- a/charts/best-practices-dockerfile/Chart.yaml
+++ b/charts/best-practices-dockerfile/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: best-practices-dockerfile
 description: Best practices Dockerfile policy set
 type: application
-version: 0.1.1
-appVersion: 0.1.1
+version: 0.1.2
+appVersion: 0.1.2
 keywords:
 - kubernetes
 - nirmata
diff --git a/charts/best-practices-dockerfile/pols/check-allow-untrusted-flag.yaml b/charts/best-practices-dockerfile/pols/check-allow-untrusted-flag.yaml
index 1f73c101..23a74b68 100644
--- a/charts/best-practices-dockerfile/pols/check-allow-untrusted-flag.yaml
+++ b/charts/best-practices-dockerfile/pols/check-allow-untrusted-flag.yaml
@@ -6,6 +6,7 @@ metadata:
 policies.kyverno.io/title: Check for untrusted flag in Dockerfile
 policies.kyverno.io/category: Dockerfile Best Practices
 policies.kyverno.io/severity: medium
+ policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-untrust-flag/"
 policies.kyverno.io/description: >-
 This policy ensures that Dockerfile do not contain the '--allow-untrusted' flag.
 spec:
diff --git a/charts/best-practices-dockerfile/pols/check-apt-command-force-yes.yaml b/charts/best-practices-dockerfile/pols/check-apt-command-force-yes.yaml
new file mode 100644
index 00000000..0cd4e3d2
--- /dev/null
+++ b/charts/best-practices-dockerfile/pols/check-apt-command-force-yes.yaml
@@ -0,0 +1,33 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: check-apt-command-force-yes
+ annotations:
+ policies.kyverno.io/title: Check for overidding of safety checks in apt-get command
+ policies.kyverno.io/category: Dockerfile Best Practices
+ policies.kyverno.io/severity: medium
+ policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-apt-command-force-yes/"
+ policies.kyverno.io/description: >-
+ The --force-yes option in apt-get is used to override some safety checks
+ and prompts, allowing the installation or upgrade of packages even if
+ they require additional user confirmation or if they conflict with other
+ packages. This can potentially lead to system instability or unexpected
+ behavior, as it bypasses certain safeguards put in place to ensure the stability
+ and consistency of the system.
+spec:
+ rules:
+ - name: check-apt-command-force-yes
+ match:
+ all:
+ - ($analyzer.resource.type): dockerfile
+ - (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true
+ assert:
+ all:
+ - message: refrain from using the '--force-yes' option with `apt-get` as it bypasses important package validation checks and can potentially compromise the stability and security of your system.
+ check:
+ ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+ ((starts_with(@, 'apt-get ') || contains(@, ' apt-get ')) && contains(@, ' --force-yes')): false
+ - message: refrain from using the '--force-yes' option with `apt` as it bypasses important package validation checks and can potentially compromise the stability and security of your system.
+ check:
+ ~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
+ ((starts_with(@, 'apt ') || contains(@, ' apt ')) && contains(@, ' --force-yes')): false
\ No newline at end of file
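Review bot: The two `check` blocks on the last lines only see `--force-yes` when it sits inside a single shell-form string: `CmdLine[][]` flattens every element into its own string and `contains(@, ' --force-yes')` needs the leading space, so a `RUN ["apt-get", "install", "--force-yes", "pkg"]` line would pass both assertions if the analyzer emits exec form as one element per argument (the flattening suggests it does — verify against a sample). Iterating over the joined command instead, `~.(Stages[].Commands[?Name=='RUN'].join(' ', CmdLine)):` with the inner condition unchanged, covers both forms with the same two rules; the `match` precondition would take the same treatment. The description frames this as a stability issue only, but as I recall apt-get(8) documents `--force-yes` as a deprecated umbrella for `--allow-unauthenticated` and the other `--allow-*` overrides, so I would add `This flag also implies --allow-unauthenticated, so unsigned packages may be installed.` to the description and weigh the severity against check-unauthentication-install. Minor: the title reads `overidding` for `overriding`.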
diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-curl.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-curl.yaml
index 00884167..e7d4198d 100644
--- a/charts/best-practices-dockerfile/pols/check-certificate-validation-curl.yaml
+++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-curl.yaml
@@ -6,6 +6,7 @@ metadata:
 policies.kyverno.io/title: Check for certificate validation using curl in the Dockerfile
 policies.kyverno.io/category: Dockerfile Best Practices
 policies.kyverno.io/severity: medium
+ policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-certificate-validation-curl/"
 policies.kyverno.io/description: >-
 This policy checks whether certificate validation is disabled in the Dockerfile using --insecure option when running the curl command
 spec:
diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-git-env-var.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-git-env-var.yaml
new file mode 100644
index 00000000..4ff6fced
--- /dev/null
+++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-git-env-var.yaml
@@ -0,0 +1,25 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: check-certificate-validation-git-env-var
+ annotations:
+ policies.kyverno.io/title: Check for certificate validation in the Dockerfile using Node.js environment variable
+ policies.kyverno.io/category: Dockerfile Best Practices
+ policies.kyverno.io/severity: medium
+ policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-certificate-validation-git-env-var/"
+ policies.kyverno.io/description: >-
+ To control SSL certificate validation in Git operations within a Docker container,
+ you can use the GIT_SSL_NO_VERIFY environment variable. Setting this variable to true
+ or 1 tells Git to bypass SSL certificate validation.
+spec:
+ rules:
+ - name: check-certificate-validation-git-env-var
+ match:
+ all:
+ - ($analyzer.resource.type): dockerfile
+ - (Stages[].Commands[?Name=='ENV'] | length(@) > `0`): true
+ assert:
+ any:
+ - message: Ensure certificate validation is enabled by using `GIT_SSL_NO_VERIFY` env with value set to '0' or 'false'
+ check:
+ (Stages[].Commands[].Env[?Key=='GIT_SSL_NO_VERIFY' && (Value=='1' || Value=='true')][] | length(@) > `0`): false
\ No newline at end of file
diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-nodejs-env-var.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-nodejs-env-var.yaml
index 8c5b3b8e..1f8fbf60 100644
--- a/charts/best-practices-dockerfile/pols/check-certificate-validation-nodejs-env-var.yaml
+++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-nodejs-env-var.yaml
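Review bot: The `check` on the last line flags only `Value=='1' || Value=='true'`, but Git reads `GIT_SSL_NO_VERIFY` through its boolean parser, so `yes`, `on`, `True`, `TRUE` or any non-zero integer also disable verification and slip past this rule as written. Inverting the test is safer: replace the `(Value=='1' || Value=='true')` filter with a negated `contains()` against a JMESPath literal list of the explicit false spellings (`0`, `false`, `no`, `off`, empty), so that anything else fails closed; case handling depends on which functions the analyzer's JMESPath exposes, so verify that. The message should recommend not setting the variable at all rather than `'0' or 'false'`, since an absent variable is the secure default. The title on line 6 still says `Node.js environment variable`, copied from the sibling policy; it should read `Git environment variable`. The `ENV` precondition leaves `ARG GIT_SSL_NO_VERIFY=1` and `RUN GIT_SSL_NO_VERIFY=1 git clone …` out of scope — worth a sentence in the description if that is intentional.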
@@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Check for certificate validation in the Dockerfile using Node.js environment variable policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-certificate-validation-nodejs-env-var/" policies.kyverno.io/description: >- NODE_TLS_REJECT_UNAUTHORIZED is an environment variable used in Node.js to control TLS certificate verification behavior. This policy checks whether diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-pip3.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-pip3.yaml index a7e6c59e..f156d4d0 100644 --- a/charts/best-practices-dockerfile/pols/check-certificate-validation-pip3.yaml +++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-pip3.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Check for certificate validation using pip3 in the Dockerfile policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-certificate-validation-pip3/" policies.kyverno.io/description: >- This policy checks whether certificate validation is disabled in the Dockerfile using --trusted-host option when running the pip3 command spec: diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-python-env-var.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-python-env-var.yaml index 96206d13..57f79aa0 100644 --- a/charts/best-practices-dockerfile/pols/check-certificate-validation-python-env-var.yaml +++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-python-env-var.yaml 
@@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Check for certificate validation in the Dockerfile using Python environment variable policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-certificate-validation-python-env-var/" policies.kyverno.io/description: >- The PYTHONHTTPSVERIFY environment variable is used in Python to control certificate verification when making HTTPS requests. This policy checks @@ -23,4 +24,3 @@ spec: - message: Ensure certificate validation is enabled by using `PYTHONHTTPSVERIFY` env with value set to `1` check: (Stages[].Commands[].Env[?Key=='PYTHONHTTPSVERIFY' && Value=='1'][] | length(@) > `0`): true - \ No newline at end of file diff --git a/charts/best-practices-dockerfile/pols/check-certificate-validation-wget.yaml b/charts/best-practices-dockerfile/pols/check-certificate-validation-wget.yaml index f5ab4c7a..7061ad0a 100644 --- a/charts/best-practices-dockerfile/pols/check-certificate-validation-wget.yaml +++ b/charts/best-practices-dockerfile/pols/check-certificate-validation-wget.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Check for certificate validation using wget in the Dockerfile policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-certificate-validation-wget/" policies.kyverno.io/description: >- This policy checks whether certificate validation is disabled in the Dockerfile using --no-check-certificate option when running the wget command spec: diff --git a/charts/best-practices-dockerfile/pols/check-label-maintainer.yaml b/charts/best-practices-dockerfile/pols/check-label-maintainer.yaml new file mode 100644 index 00000000..36be93b3 --- /dev/null +++ b/charts/best-practices-dockerfile/pols/check-label-maintainer.yaml 
@@ -0,0 +1,27 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: check-label-maintainer
+ annotations:
+ policies.kyverno.io/title: Validating LABEL maintainer instruction in Dockerfile
+ policies.kyverno.io/category: Dockerfile Best Practices
+ policies.kyverno.io/severity: medium
+ policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-label-maintainer/"
+ policies.kyverno.io/description: >-
+ MAINTAINER instruction is deprecated for the Dockerfile. Instead, you can use the
+ LABEL instruction to provide the maintainer name in the Dockerfile. This policy checks
+ if LABEL instruction has been specified with maintainer name.
+spec:
+ rules:
+ - assert:
+ all:
+ - check:
+ (Stages[].Commands[?Name=='MAINTAINER'][] | length(@) > `0`): false
+ message: MAINTAINER instruction is deprecated, use LABELS instruction to mention maintainer name
+ - check:
+ (Stages[].Commands[].Labels[?Key=='maintainer' || Key=='owner' || Key=='author'][] | length(@) > `0`): true
+ message: Use the LABELS instruction to set the MAINTAINER name
+ name: dockerfile-allow-label-maintainer-instruction
+ match:
+ all:
+ - ($analyzer.resource.type): dockerfile
\ No newline at end of file
diff --git a/charts/best-practices-dockerfile/pols/check-last-user.yaml b/charts/best-practices-dockerfile/pols/check-last-user.yaml
index c8bbf16b..e0e8efda 100644
--- a/charts/best-practices-dockerfile/pols/check-last-user.yaml
+++ b/charts/best-practices-dockerfile/pols/check-last-user.yaml
@@ -6,6 +6,7 @@ metadata:
 policies.kyverno.io/title: Check last USER
 policies.kyverno.io/category: Dockerfile Best Practices
 policies.kyverno.io/severity: medium
+ policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-last-user/"
 policies.kyverno.io/description: >-
 This policy validates that the last USER is not root.
 spec:
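Review bot: The second `check` accepts only the bare keys `maintainer`, `owner` and `author`, so a Dockerfile that follows the OCI image-spec convention with `LABEL org.opencontainers.image.authors=...` fails this rule even though it records the maintainer in the standard place; I would add `Key=='org.opencontainers.image.authors'` to the filter and reconsider `owner`/`author`, which are not conventions I recognise. Both messages say `LABELS instruction`; the Dockerfile instruction is `LABEL`, and the first message could name the replacement directly: `MAINTAINER is deprecated; use LABEL maintainer="..." (or org.opencontainers.image.authors) instead`. Severity `medium` puts a missing metadata label on par with the TLS-bypass checks in this set; `low` seems more proportionate since this has no direct security impact. The rule's `name` and `match` come after `assert`, unlike every other policy in the chart, which orders `name`, `match`, `assert`.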
diff --git a/charts/best-practices-dockerfile/pols/check-missing-signature-options.yaml b/charts/best-practices-dockerfile/pols/check-missing-signature-options.yaml index 54637cad..84eefba3 100644 --- a/charts/best-practices-dockerfile/pols/check-missing-signature-options.yaml +++ b/charts/best-practices-dockerfile/pols/check-missing-signature-options.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: check for missing signature options via rpm policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-missing-signature-options/" policies.kyverno.io/description: >- This policy ensures that packages with untrusted or missing signatures are not used by rpm via the ‘–nodigest’, ‘–nosignature’, ‘–noverify’, or diff --git a/charts/best-practices-dockerfile/pols/check-nogpgcheck.yaml b/charts/best-practices-dockerfile/pols/check-nogpgcheck.yaml index d4bb450e..490209c8 100644 --- a/charts/best-practices-dockerfile/pols/check-nogpgcheck.yaml +++ b/charts/best-practices-dockerfile/pols/check-nogpgcheck.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Check for GPG signature when using yum/dnf/tdnf in the Dockerfile policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-nogpgcheck/" policies.kyverno.io/description: >- GPG signature checking is a security feature that verifies the authenticity and integrity of packages before they are diff --git a/charts/best-practices-dockerfile/pols/check-npm-config-strict-ssl.yaml b/charts/best-practices-dockerfile/pols/check-npm-config-strict-ssl.yaml index faff2f1a..f304d5b4 100644 --- a/charts/best-practices-dockerfile/pols/check-npm-config-strict-ssl.yaml +++ b/charts/best-practices-dockerfile/pols/check-npm-config-strict-ssl.yaml 
@@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Check for certificate validation in the Dockerfile for npm using `NPM_CONFIG_STRICT_SSL` environemt variable policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-npm-config-strict-ssl/" policies.kyverno.io/description: >- The NPM_CONFIG_STRICT_SSL environment variable is used to control strict SSL certificate validation behavior in npm. This policy ensures that certificate diff --git a/charts/best-practices-dockerfile/pols/check-unauthentication-install.yaml b/charts/best-practices-dockerfile/pols/check-unauthentication-install.yaml index 9b703cda..02c0d474 100644 --- a/charts/best-practices-dockerfile/pols/check-unauthentication-install.yaml +++ b/charts/best-practices-dockerfile/pols/check-unauthentication-install.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Check for unauthenticated flag in Dockerfile policies.kyverno.io/category: Dockerfile Best Practices policies.kyverno.io/severity: medium + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-unauthentication/" policies.kyverno.io/description: >- This policy ensures that Dockerfile do not contain the '--allow-unauthenticated' flag. spec: diff --git a/charts/best-practices-dockerfile/pols/detect-multiple-instructions.yaml b/charts/best-practices-dockerfile/pols/detect-multiple-instructions.yaml index 1c1bd3a9..18ef12a8 100644 --- a/charts/best-practices-dockerfile/pols/detect-multiple-instructions.yaml +++ b/charts/best-practices-dockerfile/pols/detect-multiple-instructions.yaml 
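Review bot: The new remediation URL for check-unauthentication-install ends in `check-unauthentication/`, while the policy and file are named `check-unauthentication-install` and every other link in this commit uses the policy name as its slug; unless the docs site really publishes the shorter path, this is a dead link and the annotation defeats its purpose. If the slug is not intentional: `policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/check-unauthentication-install/"`. The same deviation appears in check-allow-untrusted-flag (`check-untrust-flag/`), so both are worth checking against the published docs.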
@@ -6,6 +6,7 @@ metadata:
 policies.kyverno.io/title: Detect Multiple Instructions in Single Line
 policies.kyverno.io/category: Dockerfile Best Practices
 policies.kyverno.io/severity: medium
+ policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/detect-multiple-instructions/"
 policies.kyverno.io/description: >-
 This policy ensures that Dockerfile Container Image Should Be Built with Minimal Cached Layers
 spec:
diff --git a/charts/best-practices-dockerfile/pols/disallow-sudo-operations.yaml b/charts/best-practices-dockerfile/pols/disallow-sudo-operations.yaml
index c8df1493..4f8c374b 100644
--- a/charts/best-practices-dockerfile/pols/disallow-sudo-operations.yaml
+++ b/charts/best-practices-dockerfile/pols/disallow-sudo-operations.yaml
@@ -6,6 +6,7 @@ metadata:
 policies.kyverno.io/title: Check for sudo operation existence
 policies.kyverno.io/category: Dockerfile Best Practices
 policies.kyverno.io/severity: medium
+ policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/disallow-sudo-operations/"
 policies.kyverno.io/description: >-
 Using sudo within a Dockerfile is not recommended to avoid privilege escalation.
 spec:
diff --git a/charts/best-practices-dockerfile/pols/prefer-copy-over-add.yaml b/charts/best-practices-dockerfile/pols/prefer-copy-over-add.yaml
index a6d83802..40329fa8 100644
--- a/charts/best-practices-dockerfile/pols/prefer-copy-over-add.yaml
+++ b/charts/best-practices-dockerfile/pols/prefer-copy-over-add.yaml
@@ -6,6 +6,7 @@ metadata:
 policies.kyverno.io/title: Prefer COPY over ADD in Dockerfile
 policies.kyverno.io/category: Dockerfile Best Practices
 policies.kyverno.io/severity: medium
+ policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/prefer-copy-over-add/"
 policies.kyverno.io/description: >-
 This policy ensures that COPY instructions are used instead of ADD instructions in Dockerfiles.
 spec:
diff --git a/charts/best-practices-dockerfile/pols/validate-base-image-tag.yaml b/charts/best-practices-dockerfile/pols/validate-base-image-tag.yaml
index 68d3f58a..4c746a39 100644
--- a/charts/best-practices-dockerfile/pols/validate-base-image-tag.yaml
+++ b/charts/best-practices-dockerfile/pols/validate-base-image-tag.yaml
@@ -6,6 +6,7 @@ metadata:
 policies.kyverno.io/title: Validate base image tag
 policies.kyverno.io/category: Dockerfile Best Practices
 policies.kyverno.io/severity: medium
+ policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/validate-base-image-tag/"
 policies.kyverno.io/description: >-
 This policy checks whether the base image tag is defined with a specific version or digest in the Dockerfile.
 spec:
diff --git a/charts/best-practices-dockerfile/pols/validate-expose-port-22.yaml b/charts/best-practices-dockerfile/pols/validate-expose-port-22.yaml
index 935c7460..393cd0cf 100644
--- a/charts/best-practices-dockerfile/pols/validate-expose-port-22.yaml
+++ b/charts/best-practices-dockerfile/pols/validate-expose-port-22.yaml
@@ -6,6 +6,7 @@ metadata:
 policies.kyverno.io/title: Validating Exposed Port 22 in Dockerfile
 policies.kyverno.io/category: Dockerfile Best Practices
 policies.kyverno.io/severity: medium
+ policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/validate-expose-port-22/"
 policies.kyverno.io/description: >-
 This policy checks whether Dockerfiles exposes port 22.
 spec:
diff --git a/charts/best-practices-dockerfile/pols/validate-healthcheck-instruction.yaml b/charts/best-practices-dockerfile/pols/validate-healthcheck-instruction.yaml
index fd884132..5f8c42ac 100644
--- a/charts/best-practices-dockerfile/pols/validate-healthcheck-instruction.yaml
+++ b/charts/best-practices-dockerfile/pols/validate-healthcheck-instruction.yaml
@@ -6,6 +6,7 @@ metadata:
 policies.kyverno.io/title: Validate Healthcheck Instruction
 policies.kyverno.io/category: Dockerfile Best Practices
 policies.kyverno.io/severity: medium
+ policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/validate-healthcheck-instruction/"
 policies.kyverno.io/description: >-
 This policy checks if the HEALTHCHECK instruction is defined in the Dockerfile.
 spec:
diff --git a/charts/best-practices-dockerfile/pols/validate-user-instruction.yaml b/charts/best-practices-dockerfile/pols/validate-user-instruction.yaml
index 589e061a..8ed37b69 100644
--- a/charts/best-practices-dockerfile/pols/validate-user-instruction.yaml
+++ b/charts/best-practices-dockerfile/pols/validate-user-instruction.yaml
@@ -6,6 +6,7 @@ metadata:
 policies.kyverno.io/title: Validate USER instruction in Dockerfile
 policies.kyverno.io/category: Dockerfile Best Practices
 policies.kyverno.io/severity: medium
+ policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/dockerfile_best_practices/validate-user-instruction/"
 policies.kyverno.io/description: >-
 This policy checks if the Dockerfile contains a USER instruction. If the USER instruction is not present, the policy fails.
 spec:
diff --git a/dockerfile-best-practices/check-certificate-validation-python-env-var/check-certificate-validation-python-env-var.yaml b/dockerfile-best-practices/check-certificate-validation-python-env-var/check-certificate-validation-python-env-var.yaml
index 1f924d29..57f79aa0 100644
--- a/dockerfile-best-practices/check-certificate-validation-python-env-var/check-certificate-validation-python-env-var.yaml
+++ b/dockerfile-best-practices/check-certificate-validation-python-env-var/check-certificate-validation-python-env-var.yaml
@@ -24,4 +24,3 @@ spec:
 - message: Ensure certificate validation is enabled by using `PYTHONHTTPSVERIFY` env with value set to `1`
 check:
 (Stages[].Commands[].Env[?Key=='PYTHONHTTPSVERIFY' && Value=='1'][] | length(@) > `0`): true
-
\ No newline at end of file