From 826150ac93a6a764fbe208c5035febea50675e26 Mon Sep 17 00:00:00 2001
From: Ishaan
Date: Fri, 27 Dec 2024 18:17:42 +0000
Subject: [PATCH 1/5] updated policies in alignment with oss

---
 .../pols/require_drop_all.yaml | 15 +++---
 .../pols/restrict-volume-types.yaml | 47 ++++++++++---------
 2 files changed, 34 insertions(+), 28 deletions(-)

diff --git a/charts/best-practices-k8s/pols/require_drop_all.yaml b/charts/best-practices-k8s/pols/require_drop_all.yaml
index be903d65..5dbe44ed 100644
--- a/charts/best-practices-k8s/pols/require_drop_all.yaml
+++ b/charts/best-practices-k8s/pols/require_drop_all.yaml
@@ -7,16 +7,15 @@ metadata:
     policies.kyverno.io/category: Best Practices
     policies.kyverno.io/severity: medium
     policies.kyverno.io/minversion: 1.6.0
-    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/description: >-
       Capabilities permit privileged actions without giving full root access. All
       capabilities should be dropped from a Pod, with only those required added back.
       This policy ensures that all containers explicitly specify the `drop: ["ALL"]`
       ability. Note that this policy also illustrates how to cover drop entries in any
-      case although this may not strictly conform to the Pod Security Standards.
+      case although this may not strictly conform to the Pod Security Standards.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
     - name: require-drop-all
@@ -25,12 +24,14 @@ spec:
         - resources:
             kinds:
               - Pod
-          operations:
-          - CREATE
-          - UPDATE
+      preconditions:
+        all:
+        - key: "{{ request.operation || 'BACKGROUND' }}"
+          operator: NotEquals
+          value: DELETE
       validate:
         message: >-
-          Containers must drop `ALL` capabilities.
+          Containers must drop `ALL` capabilities.
         foreach:
           - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
             deny:
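Review bot: `validationFailureAction: audit` (lowercase) and the removal of `kyverno.io/kyverno-version: 1.10.0` in the first hunk are both undone by patch 2/5 of this same series, so the series passes through an intermediate state that the later commit has to repair. Kyverno's documented spelling of the enum is `Audit`/`Enforce`; the lowercase form is, as far as I recall, still tolerated by the CRD for compatibility, which would be why `audit` did not fail validation here. Squashing patches 1 and 2 would leave the chart history at `validationFailureAction: Audit` throughout, matching the `best-practices/` copy touched in patch 3/5. The `-`/`+` pairs on the description's last line and on the `message` line appear to differ only in trailing whitespace, which the collapsed rendering here cannot show.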
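Review bot: The precondition `{{ request.operation || 'BACKGROUND' }}` NotEquals `DELETE` replaces the explicit `operations: [CREATE, UPDATE]` match in the second hunk, but nothing in the file records why the `|| 'BACKGROUND'` default is needed, so a reader may wonder why the rule does not simply keep the `operations` match. Add a comment above the precondition such as `# request.operation is unset during background scans (background: true), hence the default; DELETE is skipped explicitly`. In effect the new form admits CREATE, UPDATE and background scans while skipping DELETE, so it is presumably wider than the old match by the background case; if that widening is the intent, it belongs in the commit message. The same change is made to `best-practices/require_drop_all/require_drop_all.yaml` in patch 3/5 (hunk `@@ -25,12 +25,14 @@`) and the same comment applies there. The rule's `foreach`/`deny` conditions continue past the end of this hunk.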
diff --git a/charts/pod-security-restricted/pols/restrict-volume-types.yaml b/charts/pod-security-restricted/pols/restrict-volume-types.yaml
index ebaaf231..99243db7 100644
--- a/charts/pod-security-restricted/pols/restrict-volume-types.yaml
+++ b/charts/pod-security-restricted/pols/restrict-volume-types.yaml
@@ -9,38 +9,43 @@ metadata:
     policies.kyverno.io/subject: Pod,Volume
     policies.kyverno.io/minversion: 1.6.0
     kyverno.io/kubernetes-version: "1.22-1.23"
-    kyverno.io/kyverno-version: 1.10.0
-    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/restricted/baseline/restrict-volume-types/"
+    kyverno.io/kyverno-version: 1.6.0
     policies.kyverno.io/description: >-
       In addition to restricting HostPath volumes, the restricted pod security profile
       limits usage of non-core volume types to those defined through PersistentVolumes.
-      This policy blocks any other type of volume other than those in the allow list.
+      This policy blocks any other type of volume other than those in the allow list.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
     - name: restricted-volumes
       match:
         any:
-        - resources:
-            kinds:
-              - Pod
+          - resources:
+              kinds:
+                - Pod
+      preconditions:
+        all:
+        - key: "{{ request.operation || 'BACKGROUND' }}"
+          operator: NotEquals
+          value: DELETE
       validate:
         message: >-
-          Using volume types beyond those listed in the policy rule is disallowed.
+          Only the following types of volumes may be used: configMap, csi, downwardAPI,
+          emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.
         deny:
           conditions:
             all:
-            - key: "{{ request.object.spec.volumes[].keys(@)[] || '' }}"
-              operator: AnyNotIn
-              value:
-              - name
-              - configMap
-              - csi
-              - downwardAPI
-              - emptyDir
-              - ephemeral
-              - persistentVolumeClaim
-              - projected
-              - secret
-              - ""
+              - key: "{{ request.object.spec.volumes[].keys(@)[] || '' }}"
+                operator: AnyNotIn
+                value:
+                  - name
+                  - configMap
+                  - csi
+                  - downwardAPI
+                  - emptyDir
+                  - ephemeral
+                  - persistentVolumeClaim
+                  - projected
+                  - secret
+                  - ''

From 61bf8d0a4b9b3f596474dcd0cd6db7c1837aabf6 Mon Sep 17 00:00:00 2001
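Review bot: The new `message` hard-codes the allow list (configMap, csi, downwardAPI, emptyDir, ephemeral, persistentVolumeClaim, projected, secret) that the `deny` condition's `value:` list also carries, so the two will drift the first time one is edited without the other; a comment above `value:` such as `# keep in sync with the validate.message text above` would at least flag the duplication. Two entries of that `value:` list are not volume types and deserve a one-line comment each so they are not "cleaned up" later: `name` is the per-volume key that `keys(@)` returns alongside the type key, and `''` (formerly `""`, the same empty string) is the fallback produced by `|| ''` when the pod declares no `volumes`. This hunk also drops the `policies.nirmata.io/remediation-docs` annotation and lowers `kyverno.io/kyverno-version` to 1.6.0; the version is raised back to 1.10.0 in patch 2/5, and the annotation removal is not mentioned in the commit message, so if any downstream tooling reads it this is a silent change for chart consumers. The same message/allow-list duplication is introduced for `pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml` in patch 3/5 (hunk `@@ -22,25 +21,31 @@`).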
From: Ishaan
Date: Mon, 30 Dec 2024 10:05:58 +0000
Subject: [PATCH 2/5] updated kyverno version

---
 charts/best-practices-k8s/pols/require_drop_all.yaml | 3 ++-
 .../pod-security-restricted/pols/restrict-volume-types.yaml | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/charts/best-practices-k8s/pols/require_drop_all.yaml b/charts/best-practices-k8s/pols/require_drop_all.yaml
index 5dbe44ed..35d55177 100644
--- a/charts/best-practices-k8s/pols/require_drop_all.yaml
+++ b/charts/best-practices-k8s/pols/require_drop_all.yaml
@@ -7,6 +7,7 @@ metadata:
     policies.kyverno.io/category: Best Practices
     policies.kyverno.io/severity: medium
     policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/description: >-
       Capabilities permit privileged actions without giving full root access. All
@@ -15,7 +16,7 @@ metadata:
       ability. Note that this policy also illustrates how to cover drop entries in any
       case although this may not strictly conform to the Pod Security Standards.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
     - name: require-drop-all
diff --git a/charts/pod-security-restricted/pols/restrict-volume-types.yaml b/charts/pod-security-restricted/pols/restrict-volume-types.yaml
index 99243db7..a888e806 100644
--- a/charts/pod-security-restricted/pols/restrict-volume-types.yaml
+++ b/charts/pod-security-restricted/pols/restrict-volume-types.yaml
@@ -9,13 +9,13 @@ metadata:
     policies.kyverno.io/subject: Pod,Volume
     policies.kyverno.io/minversion: 1.6.0
     kyverno.io/kubernetes-version: "1.22-1.23"
-    kyverno.io/kyverno-version: 1.6.0
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/description: >-
       In addition to restricting HostPath volumes, the restricted pod security profile
       limits usage of non-core volume types to those defined through PersistentVolumes.
       This policy blocks any other type of volume other than those in the allow list.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
     - name: restricted-volumes

From 2590acea7faa9bdc5993578d2eb90dff60dcb0f6 Mon Sep 17 00:00:00 2001
From: Ishaan
Date: Thu, 2 Jan 2025 14:15:30 +0000
Subject: [PATCH 3/5] bumped chart versions

---
 .../require_drop_all/require_drop_all.yaml | 12 ++---
 .../restrict-volume-types.yaml | 45 ++++++++++---------
 2 files changed, 32 insertions(+), 25 deletions(-)

diff --git a/best-practices/require_drop_all/require_drop_all.yaml b/best-practices/require_drop_all/require_drop_all.yaml
index be903d65..35d55177 100644
--- a/best-practices/require_drop_all/require_drop_all.yaml
+++ b/best-practices/require_drop_all/require_drop_all.yaml
@@ -14,7 +14,7 @@ metadata:
       capabilities should be dropped from a Pod, with only those required added back.
       This policy ensures that all containers explicitly specify the `drop: ["ALL"]`
       ability. Note that this policy also illustrates how to cover drop entries in any
-      case although this may not strictly conform to the Pod Security Standards.
+      case although this may not strictly conform to the Pod Security Standards.
 spec:
   validationFailureAction: Audit
   background: true
@@ -25,12 +25,14 @@ spec:
         - resources:
             kinds:
               - Pod
-          operations:
-          - CREATE
-          - UPDATE
+      preconditions:
+        all:
+        - key: "{{ request.operation || 'BACKGROUND' }}"
+          operator: NotEquals
+          value: DELETE
       validate:
         message: >-
-          Containers must drop `ALL` capabilities.
+          Containers must drop `ALL` capabilities.
         foreach:
           - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
             deny:
diff --git a/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml b/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml
index 01c7b29e..8b0f7afd 100644
--- a/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml
+++ b/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml
@@ -9,12 +9,11 @@ metadata:
     policies.kyverno.io/subject: Pod,Volume
     policies.kyverno.io/minversion: 1.6.0
     kyverno.io/kubernetes-version: "1.22-1.23"
-    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/restricted/restrict-volume-types/"
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/description: >-
       In addition to restricting HostPath volumes, the restricted pod security profile
       limits usage of non-core volume types to those defined through PersistentVolumes.
-      This policy blocks any other type of volume other than those in the allow list
-      (configMap, csi, downwardAPI, emptyDir, ephemeral, persistentVolumeClaim, projected, and secret).
+      This policy blocks any other type of volume other than those in the allow list.
 spec:
   validationFailureAction: Audit
   background: true
@@ -22,25 +21,31 @@ spec:
     - name: restricted-volumes
       match:
         any:
-        - resources:
-            kinds:
-              - Pod
+          - resources:
+              kinds:
+                - Pod
+      preconditions:
+        all:
+        - key: "{{ request.operation || 'BACKGROUND' }}"
+          operator: NotEquals
+          value: DELETE
       validate:
         message: >-
-          Using volume types beyond those listed in the policy rule is disallowed.
+          Only the following types of volumes may be used: configMap, csi, downwardAPI,
+          emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.
         deny:
           conditions:
             all:
-            - key: "{{ request.object.spec.volumes[].keys(@)[] || '' }}"
-              operator: AnyNotIn
-              value:
-              - name
-              - configMap
-              - csi
-              - downwardAPI
-              - emptyDir
-              - ephemeral
-              - persistentVolumeClaim
-              - projected
-              - secret
-              - ""
+              - key: "{{ request.object.spec.volumes[].keys(@)[] || '' }}"
+                operator: AnyNotIn
+                value:
+                  - name
+                  - configMap
+                  - csi
+                  - downwardAPI
+                  - emptyDir
+                  - ephemeral
+                  - persistentVolumeClaim
+                  - projected
+                  - secret
+                  - ''
\ No newline at end of file

From 9f652e1da9e913ccfe093c0b9441f307961790ea Mon Sep 17 00:00:00 2001
From: Ishaan
Date: Thu, 2 Jan 2025 14:23:02 +0000
Subject: [PATCH 4/5] bumped to patch versions

---
 charts/best-practices-k8s/Chart.yaml | 2 +-
 charts/pod-security-restricted/Chart.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/charts/best-practices-k8s/Chart.yaml b/charts/best-practices-k8s/Chart.yaml
index 3c143142..2247c98c 100644
--- a/charts/best-practices-k8s/Chart.yaml
+++ b/charts/best-practices-k8s/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubernetes-best-practice-policies
 description: Kubernetes Best Practice policy set
 type: application
-version: 0.3.0-rc1
+version: 0.3.1-rc1
 appVersion: 0.1.0
 keywords:
 - kubernetes
diff --git a/charts/pod-security-restricted/Chart.yaml b/charts/pod-security-restricted/Chart.yaml
index 85288070..ffdcc17d 100644
--- a/charts/pod-security-restricted/Chart.yaml
+++ b/charts/pod-security-restricted/Chart.yaml
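Review bot: The rewritten `pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml` ends without a trailing newline (`\ No newline at end of file` after the final `- ''`), whereas the chart copy of the same policy in patch 1/5 keeps one; add the final newline so yamllint's `new-line-at-end-of-file` check and plain `cat`/`diff` output stay clean. Most of the 25/31 line churn in this hunk is a re-indentation of the `match` and `deny` blocks plus the `""` → `''` swap, neither of which changes the parsed document, and that noise hides the two substantive changes (the `preconditions` block and the new `message`). Putting the re-indent in its own commit, or leaving the original indentation, would make the policy change reviewable on its own.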
@@ -2,7 +2,7 @@ apiVersion: v2
 name: pss-restricted-policies
 description: Pod Security Standards (restricted) policy set
 type: application
-version: 0.4.1
+version: 0.4.2
 appVersion: 0.1.0
 keywords:
 - kubernetes

From 00a73098e5e2e431ab217b7fd9e4d3cff94d2626 Mon Sep 17 00:00:00 2001
From: Ishaan
Date: Thu, 2 Jan 2025 17:38:58 +0000
Subject: [PATCH 5/5] updated chart version

---
 charts/best-practices-k8s/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/best-practices-k8s/Chart.yaml b/charts/best-practices-k8s/Chart.yaml
index 2247c98c..40649efc 100644
--- a/charts/best-practices-k8s/Chart.yaml
+++ b/charts/best-practices-k8s/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubernetes-best-practice-policies
 description: Kubernetes Best Practice policy set
 type: application
-version: 0.3.1-rc1
+version: 0.3.1
 appVersion: 0.1.0
 keywords:
 - kubernetes