modified chainsawtests for restrict-seccomp-strict, added remediation…

… yaml for restrict-seccomp-strict and added remediation annotations yamls for disallow-capabilities and require-run-as-non-root-user Signed-off-by: anuddeeph1 <[email protected]>
nirmata · Oct 30, 2024 · e1c7e03 · e1c7e03
1 parent 245f524
commit e1c7e03
Show file tree

Hide file tree

Showing 6 changed files with 144 additions and 0 deletions.
diff --git a/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml b/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml
@@ -9,6 +9,7 @@ metadata:
     policies.kyverno.io/subject: Pod
     kyverno.io/kubernetes-version: "1.22-1.23"
     policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/restricted/require-run-as-non-root-user/"
+    policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/restricted/require-run-as-non-root-user/remediate-require-run-as-non-root-user.yaml"
     policies.kyverno.io/description: >-
       Containers must be required to run as non-root users. This policy ensures that the fields 
       spec.securityContext.runAsUser,

diff --git a/pod-security/restricted/restrict-seccomp-strict/deployment.yaml b/pod-security/restricted/restrict-seccomp-strict/deployment.yaml
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: baddeployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: app
+  template:
+    metadata:
+      labels:
+        app: app
+    spec:
+      containers:
+      - name: container01
+        image: busybox
+        command:
+        - "sleep"
+        - "3600"
+        securityContext:
+          seccompProfile:
+            type: Unconfined 
diff --git a/pod-security/restricted/restrict-seccomp-strict/e2e/chainsaw-test.yaml b/pod-security/restricted/restrict-seccomp-strict/e2e/chainsaw-test.yaml
@@ -10,6 +10,26 @@ spec:
         file: ../restrict-seccomp-strict.yaml
     - assert:
         file: policy-assert.yaml
+    - apply:
+        file: ../remediate-restrict-seccomp-strict.yaml
+    - assert:
+        file: remediation-policy-assert.yaml
+    - apply:
+        file: ../deployment.yaml
+    - sleep:
+        duration: 20s
+    - assert:
+        resource:
+          apiVersion: wgpolicyk8s.io/v1alpha2
+          kind: PolicyReport
+          summary:
+            error: 0
+            fail: 0
+    - delete:
+        ref:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          name: remediate-restrict-seccomp-strict
     - script:
         content: |
           sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-seccomp-strict.yaml | kubectl apply -f - 

diff --git a/pod-security/restricted/restrict-seccomp-strict/e2e/remediation-policy-assert.yaml b/pod-security/restricted/restrict-seccomp-strict/e2e/remediation-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: remediate-restrict-seccomp-strict
+spec:
+  validationFailureAction: Audit
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
diff --git a/pod-security/restricted/restrict-seccomp-strict/remediate-restrict-seccomp-strict.yaml b/pod-security/restricted/restrict-seccomp-strict/remediate-restrict-seccomp-strict.yaml
@@ -0,0 +1,88 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: remediate-restrict-seccomp-strict
+  annotations:
+    annotations:
+    policies.kyverno.io/title: Restrict Seccomp (Strict)
+    policies.kyverno.io/category: Pod Security Standards (Restricted)
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/restricted/restrict-seccomp-strict/"
+    policies.kyverno.io/description: >-
+      The seccomp profile in the Restricted group must not be explicitly set to Unconfined
+      but additionally must also not allow an unset value. This policy, 
+      requiring Kubernetes v1.19 or later, ensures that the fields
+      spec.securityContext.seccompProfile.type,
+      spec.containers[*].securityContext.seccompProfile.type,
+      spec.initContainers[*].securityContext.seccompProfile.type, and
+      spec.ephemeralContainers[*].securityContext.seccompProfile.type
+      is set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this
+      using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
+spec:
+  background: false
+  rules:
+    - name: add-seccomp-runtimedefault-containers
+      match:
+        any:
+          - resources:
+              kinds:
+                - Deployment
+                - StatefulSet
+                - Job
+                - DaemonSet
+      mutate:
+        foreach:
+        - list: "request.object.spec.template.spec.[containers, initContainers, ephemeralContainers][]"
+          order: Descending
+          preconditions:
+            all:
+            - key: "{{ element.securityContext.seccompProfile.type || '' }}"
+              operator: AnyIn
+              value: "Unconfined"          
+          patchStrategicMerge:
+            spec:
+              template:
+                spec:
+                  containers:
+                    - (name): "{{ element.name }}"
+                      securityContext:
+                        seccompProfile:
+                          (type): "Unconfined"
+                          type: "RuntimeDefault"
+                  initContainers:
+                    - (name): "{{ element.name }}"
+                      securityContext:
+                        seccompProfile:
+                          (type): "Unconfined"
+                          type: "RuntimeDefault"
+                  ephemeralContainers:
+                    - (name): "{{ element.name }}"
+                      securityContext:
+                        seccompProfile:
+                          (type): "Unconfined"
+                          type: "RuntimeDefault"
+    - name: add-seccomp-runtimedefault-pod
+      match:
+        any:
+          - resources:
+              kinds:
+                - Deployment
+                - StatefulSet
+                - Job
+                - DaemonSet
+      preconditions:
+        all:
+        - key: "{{ request.object.spec.template.spec.securityContext.seccompProfile.type || '' }}"
+          operator: Equals
+          value: Unconfined
+      mutate:
+        patchStrategicMerge:
+          spec:
+            template:
+              spec:
+                securityContext:
+                  seccompProfile:
+                    (type): "Unconfined"
+                    type: "RuntimeDefault"                  
diff --git a/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml b/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
@@ -9,6 +9,7 @@ metadata:
     policies.kyverno.io/subject: Pod
     kyverno.io/kubernetes-version: "1.22-1.23"
     policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/restricted/restrict-seccomp-strict/"
+    policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/restricted/restrict-seccomp-strict/remediate-restrict-seccomp-strict.yaml"
     policies.kyverno.io/description: >-
       The seccomp profile in the Restricted group must not be explicitly set to Unconfined
       but additionally must also not allow an unset value. This policy,