diff --git a/charts/test-krish-globalps/Chart.yaml b/charts/test-krish-globalps/Chart.yaml index 070b247f..e9e085d4 100644 --- a/charts/test-krish-globalps/Chart.yaml +++ b/charts/test-krish-globalps/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: test-krish description: Pod Security Standards (baseline) policy set type: application -version: 0.6.10 +version: 0.6.11 appVersion: 0.1.0 keywords: - kubernetes diff --git a/charts/test-krish-globalps/pols/disallow-capabilities.yaml b/charts/test-krish-globalps/pols/disallow-capabilities.yaml new file mode 100644 index 00000000..35d48f47 --- /dev/null +++ b/charts/test-krish-globalps/pols/disallow-capabilities.yaml @@ -0,0 +1,46 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-capabilities + annotations: + policies.kyverno.io/title: Disallow Capabilities + policies.kyverno.io/category: Pod Security Standards (Baseline) + policies.kyverno.io/severity: medium + policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kubernetes-version: "1.22-1.23" + policies.kyverno.io/subject: Pod + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-capabilities/" + policies.kyverno.io/description: >- + Adding capabilities beyond those listed in the policy must be disallowed. +spec: + validationFailureAction: Audit + background: true + rules: + - name: adding-capabilities + match: + any: + - resources: + kinds: + - Pod + validate: + message: >- + Adding capabilities beyond those listed in the policy rule is disallowed. + deny: + conditions: + all: + - key: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].securityContext.capabilities.add[] }}" + operator: AnyNotIn + value: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT diff --git a/charts/test-krish-globalps/pols/disallow-host-namespaces.yaml b/charts/test-krish-globalps/pols/disallow-host-namespaces.yaml new file mode 100644 index 00000000..4d75e3ce --- /dev/null +++ b/charts/test-krish-globalps/pols/disallow-host-namespaces.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-namespaces + annotations: + policies.kyverno.io/title: Disallow Host Namespaces + policies.kyverno.io/category: Pod Security Standards (Baseline) + policies.kyverno.io/severity: medium + kyverno.io/kubernetes-version: "1.22-1.23" + policies.kyverno.io/subject: Pod + policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-namespaces/" + policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/baseline/disallow-host-namespaces/remediate-disallow-host-namespaces.yaml" + policies.kyverno.io/description: >- + Host namespaces (Process ID namespace, Inter-Process Communication namespace, and + network namespace) allow access to shared information and can be used to elevate + privileges. Pods should not be allowed access to host namespaces. This policy ensures + fields which make use of these host namespaces are unset or set to `false`. +spec: + validationFailureAction: Audit + background: true + rules: + - name: host-namespaces + match: + any: + - resources: + kinds: + - Pod + validate: + message: >- + Sharing the host namespaces is disallowed. + pattern: + spec: + =(hostPID): "false" + =(hostIPC): "false" + =(hostNetwork): "false"