add tetrate istio policies
anusha94 committed Feb 25, 2025
1 parent 2385bb2 commit cf7b472
Showing 9 changed files with 336 additions and 0 deletions.
43 changes: 43 additions & 0 deletions tetrate/tis0001/restrict-duplicate-peerauthentication.yaml
@@ -0,0 +1,43 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Security
policies.kyverno.io/description: When multiple PeerAuthentication objects exist, they must have unique spec.selector.matchLabels to avoid conflicts in authentication policies.
policies.kyverno.io/severity: medium
policies.kyverno.io/title: Detect Duplicate PeerAuthentication
name: detect-duplicate-peer-authentication
spec:
background: true
rules:
- context:
- apiCall:
jmesPath: items
urlPath: /apis/security.istio.io/v1beta1/namespaces/{{request.namespace}}/peerauthentications
name: peerAuthList
match:
any:
- resources:
kinds:
- PeerAuthentication
name: detect-duplicate-peer-authentication
preconditions:
all:
- key: '{{ peerAuthList | length(@) }}'
operator: GreaterThan
value: 0
- key: "{{ request.operation || 'BACKGROUND' }}"
operator: NotEquals
value: DELETE
validate:
deny:
conditions:
any:
- key: "{{ request.object.spec.selector.matchLabels || 'null' }}"
operator: Equals
value: "null"
- key: "{{ request.object.spec.selector.matchLabels.app }}"
operator: AnyIn
value: "{{ peerAuthList[].spec.selector.matchLabels.app }}"
message: When multiple PeerAuthentication objects exist, they must have unique spec.selector.matchLabels
validationFailureAction: Enforce
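Review bot: The AnyIn check in the second deny condition compares the object's own `app` label against `peerAuthList`, and that list (built by the apiCall in the context) is not filtered to exclude the object under evaluation, so on UPDATE and in background scans a PeerAuthentication matches itself and every existing, compliant object is reported or denied. Filter the list in the context before comparing, e.g. `jmesPath: "items[?metadata.name != '{{request.object.metadata.name}}']"`, so only the other objects in the namespace take part. The first deny condition also rejects any PeerAuthentication without `spec.selector.matchLabels`, which blocks the common namespace-wide (selector-less) mTLS policy; if that is intended the description annotation should say so, otherwise the condition should let selector-less objects through. The same two issues are in restrict-duplicate-requestauthentication.yaml and restrict-duplicate-telemetry.yaml. Note also that the apiCall only works if Kyverno's admission and background controllers hold list permission on these Istio resources, which this commit does not add.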
43 changes: 43 additions & 0 deletions tetrate/tis0001/restrict-duplicate-requestauthentication.yaml
@@ -0,0 +1,43 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Security
policies.kyverno.io/description: When multiple RequestAuthentication objects exist, they must have unique spec.selector.matchLabels to avoid conflicts in authentication policies.
policies.kyverno.io/severity: medium
policies.kyverno.io/title: Detect Duplicate RequestAuthentication
name: detect-duplicate-request-authentication
spec:
background: true
rules:
- context:
- apiCall:
jmesPath: items
urlPath: /apis/security.istio.io/v1beta1/namespaces/{{request.namespace}}/requestauthentications
name: requestAuthList
match:
any:
- resources:
kinds:
- RequestAuthentication
name: detect-duplicate-request-authentication
preconditions:
all:
- key: '{{ requestAuthList | length(@) }}'
operator: GreaterThan
value: 0
- key: "{{ request.operation || 'BACKGROUND' }}"
operator: NotEquals
value: DELETE
validate:
deny:
conditions:
any:
- key: "{{ request.object.spec.selector.matchLabels || 'null' }}"
operator: Equals
value: "null"
- key: "{{ request.object.spec.selector.matchLabels.app }}"
operator: AnyIn
value: "{{ requestAuthList[].spec.selector.matchLabels.app }}"
message: When multiple RequestAuthentication objects exist, they must have unique spec.selector.matchLabels
validationFailureAction: Enforce
43 changes: 43 additions & 0 deletions tetrate/tis0001/restrict-duplicate-telemetry.yaml
@@ -0,0 +1,43 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Security
policies.kyverno.io/description: When multiple Telemetry objects exist, they must have unique spec.selector.matchLabels to avoid conflicts in authentication policies.
policies.kyverno.io/severity: medium
policies.kyverno.io/title: Detect Duplicate Telemetry
name: detect-duplicate-telemetry
spec:
background: true
rules:
- context:
- apiCall:
jmesPath: items
urlPath: /apis/telemetry.istio.io/v1alpha1/namespaces/{{request.namespace}}/telemetries
name: telemetryList
match:
any:
- resources:
kinds:
- Telemetry
name: detect-duplicate-telemetry
preconditions:
all:
- key: '{{ telemetryList | length(@) }}'
operator: GreaterThan
value: 0
- key: "{{ request.operation || 'BACKGROUND' }}"
operator: NotEquals
value: DELETE
validate:
deny:
conditions:
any:
- key: "{{ request.object.spec.selector.matchLabels || 'null' }}"
operator: Equals
value: "null"
- key: "{{ request.object.spec.selector.matchLabels.app }}"
operator: AnyIn
value: "{{ telemetryList[].spec.selector.matchLabels.app }}"
message: When multiple Telemetry objects exist, they must have unique spec.selector.matchLabels
validationFailureAction: Enforce
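Review bot: The description annotation at the top of the hunk is copied from the authentication policies and says duplicate Telemetry objects cause "conflicts in authentication policies", which is misleading for a telemetry.istio.io resource. Suggest `policies.kyverno.io/description: When multiple Telemetry objects exist in a namespace, they must have unique spec.selector.matchLabels to avoid conflicting telemetry configuration for the same workloads.`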
32 changes: 32 additions & 0 deletions tetrate/tis0003/validate-peerauthentication-app-exists.yaml
@@ -0,0 +1,32 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Security
policies.kyverno.io/description: This policy ensures that the app specified in PeerAuthentication's selector exists as a Pod in the cluster.
policies.kyverno.io/severity: medium
policies.kyverno.io/title: Validate PeerAuthentication App Exists
name: validate-peer-auth-app-exists
spec:
background: true
rules:
- context:
- apiCall:
jmesPath: items[?metadata.labels.app=='{{request.object.spec.selector.matchLabels.app}}'] | length(@)
urlPath: /api/v1/namespaces/{{request.namespace}}/pods
name: pods
match:
any:
- resources:
kinds:
- PeerAuthentication
name: check-app-exists
validate:
deny:
conditions:
all:
- key: '{{ pods }}'
operator: Equals
value: 0
message: The app '{{request.object.spec.selector.matchLabels.app}}' specified in PeerAuthentication selector must exist as a Pod in the cluster
validationFailureAction: Enforce
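Review bot: The deny at `key: '{{ pods }}'` only counts pods in `request.namespace` (the urlPath in the context is namespaced), yet the description and message both say the app must exist "in the cluster"; change the message to `... specified in PeerAuthentication selector must exist as a Pod in the same namespace` so the check is not read as broader than it is. The jmesPath filter also keys solely on `metadata.labels.app`, so a PeerAuthentication with no selector, or with a selector on another label (for example the `istio` label commonly used for gateways), substitutes a null into the filter and, as far as I can tell, ends up denied rather than skipped; a precondition requiring the `app` label would make that behaviour explicit. Because the action is Enforce and live pods are checked at admission time, applying the policy object before its workload has been scheduled, or while the workload is scaled to zero, is rejected, and with `background: true` such objects are then reported as violations; Audit, or a check against the workload controller's template rather than running pods, would remove the ordering coupling. The same applies to validate-requestauthentication-app-exists.yaml and validate-telemetry-app-exists.yaml.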
32 changes: 32 additions & 0 deletions tetrate/tis0003/validate-requestauthentication-app-exists.yaml
@@ -0,0 +1,32 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Security
policies.kyverno.io/description: This policy ensures that the app specified in RequestAuthentication's selector exists as a Pod in the cluster.
policies.kyverno.io/severity: medium
policies.kyverno.io/title: Validate RequestAuthentication App Exists
name: validate-request-auth-app-exists
spec:
background: true
rules:
- context:
- apiCall:
jmesPath: items[?metadata.labels.app=='{{request.object.spec.selector.matchLabels.app}}'] | length(@)
urlPath: /api/v1/namespaces/{{request.namespace}}/pods
name: pods
match:
any:
- resources:
kinds:
- RequestAuthentication
name: check-app-exists
validate:
deny:
conditions:
all:
- key: '{{ pods }}'
operator: Equals
value: 0
message: The app '{{request.object.spec.selector.matchLabels.app}}' specified in RequestAuthentication selector must exist as a Pod in the cluster
validationFailureAction: Enforce
32 changes: 32 additions & 0 deletions tetrate/tis0003/validate-telemetry-app-exists.yaml
@@ -0,0 +1,32 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Security
policies.kyverno.io/description: This policy ensures that the app specified in Telemetry's selector exists as a Pod in the cluster.
policies.kyverno.io/severity: medium
policies.kyverno.io/title: Validate Telemetry App Exists
name: validate-telemetry-app-exists
spec:
background: true
rules:
- context:
- apiCall:
jmesPath: items[?metadata.labels.app=='{{request.object.spec.selector.matchLabels.app}}'] | length(@)
urlPath: /api/v1/namespaces/{{request.namespace}}/pods
name: pods
match:
any:
- resources:
kinds:
- Telemetry
name: check-app-exists
validate:
deny:
conditions:
all:
- key: '{{ pods }}'
operator: Equals
value: 0
message: The app '{{request.object.spec.selector.matchLabels.app}}' specified in Telemetry selector must exist as a Pod in the cluster
validationFailureAction: Enforce
@@ -0,0 +1,35 @@
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Pod Security
policies.kyverno.io/description: This policy ensures that any namespace specified in the source.namespace field of an AuthorizationPolicy's rules actually exists in the cluster.
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: AuthorizationPolicy, Namespace
policies.kyverno.io/title: Check AuthorizationPolicy Source Namespaces Exist
name: check-authzpolicy-namespace-exists
spec:
background: true
rules:
- context:
- apiCall:
jmesPath: items[].metadata.name
urlPath: /api/v1/namespaces
name: namespaces
match:
any:
- resources:
kinds:
- AuthorizationPolicy
name: validate-source-namespaces
validate:
foreach:
- deny:
conditions:
all:
- key: '{{ element }}'
operator: AnyNotIn
value: '{{ namespaces }}'
list: request.object.spec.rules[].from[].source.namespaces[]
message: The namespace(s) specified in the source namespaces field must exist in the cluster.
validationFailureAction: Enforce
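Review bot: Istio matches `source.namespaces` entries with prefix/suffix wildcards, so a rule using `namespaces: ["*"]` or `["prod-*"]` fails the AnyNotIn check at `key: '{{ element }}'` because no namespace is literally named that way, and a valid AuthorizationPolicy is denied. Add a condition to the same `all:` list that skips wildcard entries, e.g. `- key: "{{ contains(element, '*') }}"` / `operator: Equals` / `value: false`, in the same way the exportTo policies in this commit exempt "." with a NotEquals condition. The `notNamespaces` list of the same `source` block is not checked, so a typo there goes through unnoticed; if that is deliberate the description should say so. This policy uses `kyverno.io/v2beta1` while the tis0001 and tis0003 policies use `kyverno.io/v1`, and `policies.kyverno.io/category: Pod Security` does not describe an AuthorizationPolicy check — both are worth aligning before the set is published.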
@@ -0,0 +1,38 @@
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Other
policies.kyverno.io/description: This policy ensures that any namespace specified in the spec.exportTo field of a ServiceEntry actually exists in the cluster.
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: ServiceEntry, Namespace
policies.kyverno.io/title: Check ServiceEntry ExportTo Namespace Exists
name: check-serviceentry-export-to-namespace-exists
spec:
background: true
rules:
- context:
- apiCall:
jmesPath: items[].metadata.name
urlPath: /api/v1/namespaces
name: namespaces
match:
any:
- resources:
kinds:
- ServiceEntry
name: validate-export-to-namespaces
validate:
foreach:
- deny:
conditions:
all:
- key: '{{ element }}'
operator: NotEquals
value: "."
- key: '{{ element }}'
operator: AnyNotIn
value: '{{ namespaces }}'
list: request.object.spec.exportTo[]
message: The namespace(s) specified in the exportTo field must exist in the cluster.
validationFailureAction: Enforce
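Review bot: The exportTo check at `key: '{{ element }}'` exempts only `"."`, but Istio also reserves `"*"` (export to all namespaces) in `exportTo`, so a ServiceEntry that explicitly sets `exportTo: ["*"]` is denied although it is valid configuration; add a second NotEquals condition for `"*"` next to the one for `"."` (and for the `"~"` no-export value if the Istio version in use supports it). The same gap is in the VirtualService policy that follows. An absent or empty `spec.exportTo` (the Istio default, meaning all namespaces) appears to yield an empty foreach list and pass, which matches Istio semantics but is worth stating in the description so the two behaviours are not read as inconsistent.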
@@ -0,0 +1,38 @@
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Other
policies.kyverno.io/description: This policy ensures that any namespace specified in the spec.exportTo field of a VirtualService actually exists in the cluster.
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: VirtualService, Namespace
policies.kyverno.io/title: Check VirtualService ExportTo Namespace Exists
name: check-virtualservice-export-to-namespace-exists
spec:
background: true
rules:
- context:
- apiCall:
jmesPath: items[].metadata.name
urlPath: /api/v1/namespaces
name: namespaces
match:
any:
- resources:
kinds:
- VirtualService
name: validate-export-to-namespaces
validate:
foreach:
- deny:
conditions:
all:
- key: '{{ element }}'
operator: NotEquals
value: "."
- key: '{{ element }}'
operator: AnyNotIn
value: '{{ namespaces }}'
list: request.object.spec.exportTo[]
message: The namespace(s) specified in the exportTo field must exist in the cluster.
validationFailureAction: Enforce
