Release updates for PSS standard (#70)

* Release updates for PSS standard

- update baseline and restricted profile templates
- remove restrict-host-ports-range policy as it is redundant when
  restrict-host-ports is used

* Fix indentation

charts/pod-security-baseline/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: pss-baseline-policies
 description: Pod Security Standards (baseline) policy set
 type: application
-version: 0.1.1
+version: 0.2.0
 appVersion: 0.1.0
 keywords:
   - kubernetes

charts/pod-security-baseline/templates/disallow-capabilities.yaml

@@ -0,0 +1,49 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-capabilities
+  annotations:
+    policies.kyverno.io/title: Disallow Capabilities
+    policies.kyverno.io/category: Pod Security Standards (Baseline)
+    policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.6.0
+    policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.kyverno.io/subject: Pod
+    policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-capabilities/"
+    policies.kyverno.io/description: >-
+    Adding capabilities beyond those listed in the policy must be disallowed.
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: adding-capabilities
+    match:
+        any:
+        - resources:
+            kinds:
+            - Pod
+    validate:
+    message: >-
+        Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
+        FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
+        are disallowed.
+    deny:
+        conditions:
+        all:
+        - key: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].securityContext.capabilities.add[] }}"
+        operator: AnyNotIn
+        value:
+            - AUDIT_WRITE
+            - CHOWN
+            - DAC_OVERRIDE
+            - FOWNER
+            - FSETID
+            - KILL
+            - MKNOD
+            - NET_BIND_SERVICE
+            - SETFCAP
+            - SETGID
+            - SETPCAP
+            - SETUID
+            - SYS_CHROOT

charts/pod-security-baseline/pols/disallow-host-namespaces.yaml → charts/pod-security-baseline/templates/disallow-host-namespaces.yaml

@@ -9,6 +9,7 @@ metadata:
     kyverno.io/kyverno-version: 1.6.0
     kyverno.io/kubernetes-version: "1.22-1.23"
     policies.kyverno.io/subject: Pod
+    policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-namespaces/"
     policies.kyverno.io/description: >-
       Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
       network namespace) allow access to shared information and can be used to elevate
@@ -21,9 +22,9 @@ spec:
     - name: host-namespaces
       match:
         any:
-        - resources:
-            kinds:
-              - Pod
+          - resources:
+              kinds:
+                - Pod
       validate:
         message: >-
           Sharing the host namespaces is disallowed. The fields spec.hostNetwork,

charts/pod-security-baseline/pols/disallow-host-path.yaml → charts/pod-security-baseline/templates/disallow-host-path.yaml

@@ -9,6 +9,7 @@ metadata:
     policies.kyverno.io/subject: Pod,Volume
     kyverno.io/kyverno-version: 1.6.0
     kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-path/"
     policies.kyverno.io/description: >-
       HostPath volumes let Pods use host directories and volumes in containers.
       Using host resources can be used to access shared data or escalate privileges
@@ -20,9 +21,9 @@ spec:
     - name: host-path
       match:
         any:
-        - resources:
-            kinds:
-              - Pod
+          - resources:
+              kinds:
+                - Pod
       validate:
         message: >-
           HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.

charts/pod-security-baseline/pols/disallow-host-ports.yaml → charts/pod-security-baseline/templates/disallow-host-ports.yaml

@@ -9,20 +9,21 @@ metadata:
     policies.kyverno.io/subject: Pod
     kyverno.io/kyverno-version: 1.6.0
     kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-ports/"
     policies.kyverno.io/description: >-
       Access to host ports allows potential snooping of network traffic and should not be
       allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
-      field is unset or set to `0`. 
+      field is unset or set to `0`.
 spec:
   validationFailureAction: audit
   background: true
   rules:
     - name: host-ports-none
       match:
         any:
-        - resources:
-            kinds:
-              - Pod
+          - resources:
+              kinds:
+                - Pod
       validate:
         message: >-
           Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort

charts/pod-security-baseline/pols/disallow-host-process.yaml → charts/pod-security-baseline/templates/disallow-host-process.yaml

@@ -9,6 +9,7 @@ metadata:
     policies.kyverno.io/subject: Pod
     kyverno.io/kyverno-version: 1.6.0
     kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-process/"
     policies.kyverno.io/description: >-
       Windows pods offer the ability to run HostProcess containers which enables privileged
       access to the Windows node. Privileged access to the host is disallowed in the baseline
@@ -21,9 +22,9 @@ spec:
     - name: host-process-containers
       match:
         any:
-        - resources:
-            kinds:
-              - Pod
+          - resources:
+              kinds:
+                - Pod
       validate:
         message: >-
           HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess,

charts/pod-security-baseline/pols/disallow-privileged-containers.yaml → charts/pod-security-baseline/templates/disallow-privileged-containers.yaml

@@ -9,6 +9,7 @@ metadata:
     policies.kyverno.io/subject: Pod
     kyverno.io/kyverno-version: 1.6.0
     kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-privileged-containers/"
     policies.kyverno.io/description: >-
       Privileged mode disables most security mechanisms and must not be allowed. This policy
       ensures Pods do not call for privileged mode.
@@ -19,9 +20,9 @@ spec:
     - name: privileged-containers
       match:
         any:
-        - resources:
-            kinds:
-              - Pod
+          - resources:
+              kinds:
+                - Pod
       validate:
         message: >-
           Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged

charts/pod-security-baseline/pols/disallow-proc-mount.yaml → charts/pod-security-baseline/templates/disallow-proc-mount.yaml

@@ -9,6 +9,7 @@ metadata:
     policies.kyverno.io/subject: Pod
     kyverno.io/kyverno-version: 1.6.0
     kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-proc-mount/"
     policies.kyverno.io/description: >-
       The default /proc masks are set up to reduce attack surface and should be required. This policy
       ensures nothing but the default procMount can be specified. Note that in order for users
@@ -21,9 +22,9 @@ spec:
     - name: check-proc-mount
       match:
         any:
-        - resources:
-            kinds:
-              - Pod
+          - resources:
+              kinds:
+                - Pod
       validate:
         message: >-
           Changing the proc mount from the default is not allowed. The fields

charts/pod-security-baseline/pols/disallow-selinux.yaml → charts/pod-security-baseline/templates/disallow-selinux.yaml

@@ -9,6 +9,7 @@ metadata:
     policies.kyverno.io/subject: Pod
     kyverno.io/kyverno-version: 1.6.0
     kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-selinux/"
     policies.kyverno.io/description: >-
       SELinux options can be used to escalate privileges and should not be allowed. This policy
       ensures that the `seLinuxOptions` field is undefined.
@@ -19,9 +20,9 @@ spec:
     - name: selinux-type
       match:
         any:
-        - resources:
-            kinds:
-              - Pod
+          - resources:
+              kinds:
+                - Pod
       validate:
         message: >-
           Setting the SELinux type is restricted. The fields
@@ -48,9 +49,9 @@ spec:
     - name: selinux-user-role
       match:
         any:
-        - resources:
-            kinds:
-              - Pod
+          - resources:
+              kinds:
+                - Pod
       validate:
         message: >-
           Setting the SELinux user or role is forbidden. The fields

charts/pod-security-baseline/pols/restrict-apparmor-profiles.yaml → charts/pod-security-baseline/templates/restrict-apparmor-profiles.yaml

@@ -10,6 +10,7 @@ metadata:
     policies.kyverno.io/minversion: 1.3.0
     kyverno.io/kyverno-version: 1.6.0
     kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/restrict-apparmor-profiles/"
     policies.kyverno.io/description: >-
       On supported hosts, the 'runtime/default' AppArmor profile is applied by default.
       The default policy should prevent overriding or disabling the policy, or restrict
@@ -22,9 +23,9 @@ spec:
     - name: app-armor
       match:
         any:
-        - resources:
-            kinds:
-              - Pod
+          - resources:
+              kinds:
+                - Pod
       validate:
         message: >-
           Specifying other AppArmor profiles is disallowed. The annotation

charts/pod-security-baseline/pols/restrict-seccomp.yaml → charts/pod-security-baseline/templates/restrict-seccomp.yaml

@@ -9,6 +9,7 @@ metadata:
     policies.kyverno.io/subject: Pod
     kyverno.io/kyverno-version: 1.6.0
     kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/restrict-seccomp/"
     policies.kyverno.io/description: >-
       The seccomp profile must not be explicitly set to Unconfined. This policy, 
       requiring Kubernetes v1.19 or later, ensures that seccomp is unset or 
@@ -20,9 +21,9 @@ spec:
     - name: check-seccomp
       match:
         any:
-        - resources:
-            kinds:
-              - Pod
+          - resources:
+              kinds:
+                - Pod
       validate:
         message: >-
           Use of custom Seccomp profiles is disallowed. The fields
@@ -35,16 +36,16 @@ spec:
           spec:
             =(securityContext):
               =(seccompProfile):
-                =(type): "RuntimeDefault | Localhost"      
+                =(type): "RuntimeDefault | Localhost"
             =(ephemeralContainers):
-            - =(securityContext):
-                =(seccompProfile):
-                  =(type): "RuntimeDefault | Localhost"
+              - =(securityContext):
+                  =(seccompProfile):
+                    =(type): "RuntimeDefault | Localhost"
             =(initContainers):
-            - =(securityContext):
-                =(seccompProfile):
-                  =(type): "RuntimeDefault | Localhost"
+              - =(securityContext):
+                  =(seccompProfile):
+                    =(type): "RuntimeDefault | Localhost"
             containers:
-            - =(securityContext):
-                =(seccompProfile):
-                  =(type): "RuntimeDefault | Localhost"
+              - =(securityContext):
+                  =(seccompProfile):
+                    =(type): "RuntimeDefault | Localhost"