diff --git a/pod-security-windows/baseline/disallow-host-network/disallow-host-network.yaml b/pod-security-windows/baseline/disallow-host-network/disallow-host-network.yaml
new file mode 100644
index 00000000..831e2bed
--- /dev/null
+++ b/pod-security-windows/baseline/disallow-host-network/disallow-host-network.yaml
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-host-network
+ annotations:
+ policies.kyverno.io/title: Disallow Host Network
+ policies.kyverno.io/category: Pod Security Standards (Baseline)
+ policies.kyverno.io/severity: medium
+ kyverno.io/kyverno-version: 1.6.0
+ kyverno.io/kubernetes-version: "1.22-1.23"
+ policies.kyverno.io/subject: Pod
+ policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-namespaces/"
+ policies.kyverno.io/description: >-
+ Host namespaces (network namespace) allow access to shared information and can be used to elevate
+ privileges. Pods should not be allowed access to host namespaces. This policy ensures
+ fields which make use of these host namespaces are unset or set to `false`.
+ policies.nirmata.io/remediation: "NA"
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: host-namespaces
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ Sharing the host network namespaces is disallowed.
+ pattern:
+ spec:
+ =(hostNetwork): "false"
diff --git a/pod-security-windows/baseline/disallow-host-network/resource.yaml b/pod-security-windows/baseline/disallow-host-network/resource.yaml
new file mode 100644
index 00000000..11b18bb5
--- /dev/null
+++ b/pod-security-windows/baseline/disallow-host-network/resource.yaml
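Review bot: The description and the remediation-docs annotation are written for host namespaces in general (the link targets `disallow-host-namespaces` and the text says "fields which make use of these host namespaces"), but the pattern anchors only `=(hostNetwork)`, so `hostPID` and `hostIPC` are not checked by this rule. If that omission is deliberate for the Windows variant, the description should say so, e.g. `This policy ensures the spec.hostNetwork field is unset or set to false; hostPID and hostIPC are not covered here.`; otherwise add `=(hostPID): "false"` and `=(hostIPC): "false"` beside the existing line. Either way the title, description and pattern should agree on what is enforced.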
@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bad-windows-deployment
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: windows-app
+ template:
+ metadata:
+ labels:
+ app: windows-app
+ spec:
+ nodeSelector:
+ deploy: windows
+ hostNetwork: true
+ containers:
+ - name: windows-container
+ image: mcr.microsoft.com/windows/servercore:ltsc2019
+ command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"]
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: good-windows-deployment
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: windows-app
+ template:
+ metadata:
+ labels:
+ app: windows-app
+ spec:
+ nodeSelector:
+ deploy: windows
+ hostNetwork: false
+ containers:
+ - name: windows-container
+ image: mcr.microsoft.com/windows/servercore:ltsc2019
+ command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"]
diff --git a/pod-security-windows/baseline/disallow-hostprocess-containers/disallow-hostprocess-containers.yaml b/pod-security-windows/baseline/disallow-hostprocess-containers/disallow-hostprocess-containers.yaml
new file mode 100644
index 00000000..cd4c7d21
--- /dev/null
+++ b/pod-security-windows/baseline/disallow-hostprocess-containers/disallow-hostprocess-containers.yaml
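Review bot: The good-windows-deployment fixture only exercises the explicit `hostNetwork: false` case; because the rule uses an `=(hostNetwork)` equality anchor, the other passing path — the field left unset — is never covered, and that is the shape most real manifests have. A third Deployment identical to good-windows-deployment with the `hostNetwork` line removed would close the gap. The resource.yaml fixtures for disallow-hostprocess-containers and require-run-as-non-root-user in this change have the same shape (only an explicit `false` / `ContainerUser` good case) and would benefit from the same unset variant. The bad and good Deployments in each file also share `matchLabels: app: windows-app`; that is harmless when they are only fed to the policy engine, but distinct labels would avoid overlapping selectors if they are ever applied to a cluster together.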
@@ -0,0 +1,46 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-hostprocess-containers
+ annotations:
+ policies.kyverno.io/title: Disallow HostProcess Containers
+ policies.kyverno.io/category: Pod Security Standards (Baseline)
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.6.0
+ kyverno.io/kubernetes-version: "1.22-1.23"
+ policies.nirmata.io/remediation-docs: "NA"
+ policies.kyverno.io/description: >-
+ Hostprocess mode disables most security mechanisms and must not be allowed. This policy
+ ensures the fields spec.containers[*].securityContext.privileged and spec.initContainers[*].securityContext.windowsOptions.hostProcess must be unset or set to `false`.
+ policies.nirmata.io/remediation: "NA"
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: hostprocess-containers
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ HostProcess mode is disallowed.
+ pattern:
+ spec:
+ =(securityContext):
+ =(windowsOptions):
+ =(hostProcess): "false"
+ =(ephemeralContainers):
+ - =(securityContext):
+ =(windowsOptions):
+ =(hostProcess): "false"
+ =(initContainers):
+ - =(securityContext):
+ =(windowsOptions):
+ =(hostProcess): "false"
+ containers:
+ - =(securityContext):
+ =(windowsOptions):
+ =(hostProcess): "false"
diff --git a/pod-security-windows/baseline/disallow-hostprocess-containers/resource.yaml b/pod-security-windows/baseline/disallow-hostprocess-containers/resource.yaml
new file mode 100644
index 00000000..d4e27093
--- /dev/null
+++ b/pod-security-windows/baseline/disallow-hostprocess-containers/resource.yaml
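Review bot: The description claims the policy checks `spec.containers[*].securityContext.privileged`, which the pattern never references, and names `spec.initContainers[*].securityContext.windowsOptions.hostProcess` as if it were the only hostProcess field checked, while the pattern actually anchors `windowsOptions.hostProcess` at the Pod level and in ephemeralContainers, initContainers and containers. A reader trusting the annotation would believe privileged containers are blocked by this rule when they are not. Suggested wording: `This policy ensures securityContext.windowsOptions.hostProcess is unset or set to false at the Pod level and in every container, initContainer and ephemeralContainer.`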
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bad-windows-deployment
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: windows-app
+ template:
+ metadata:
+ labels:
+ app: windows-app
+ spec:
+ nodeSelector:
+ deploy: windows
+ securityContext:
+ windowsOptions:
+ hostProcess: true
+ containers:
+ - name: windows-container
+ image: mcr.microsoft.com/windows/servercore:ltsc2019
+ command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"]
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: good-windows-deployment
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: windows-app
+ template:
+ metadata:
+ labels:
+ app: windows-app
+ spec:
+ nodeSelector:
+ deploy: windows
+ securityContext:
+ windowsOptions:
+ hostProcess: false
+ containers:
+ - name: windows-container
+ image: mcr.microsoft.com/windows/servercore:ltsc2019
+ command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"]
diff --git a/pod-security-windows/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml b/pod-security-windows/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml
new file mode 100644
index 00000000..73199f0b
--- /dev/null
+++ b/pod-security-windows/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml
@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-run-as-non-root-user
+ annotations:
+ policies.kyverno.io/title: Require Run As Non-Root User
+ policies.kyverno.io/category: Pod Security Standards (Restricted)
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.6.0
+ kyverno.io/kubernetes-version: "1.22-1.23"
+ policies.nirmata.io/remediation-docs: "N/A"
+ policies.kyverno.io/description: >-
+ Containers must be required to run as non-root users. This policy ensures that the fields
+ spec.securityContext.windowsOptions.runAsUserName,
+ spec.containers[*].securityContext.windowsOptions.runAsUserName,
+ spec.initContainers[*].securityContext.windowsOptions.runAsUserName,
+ and is either unset or set to ContainerUser.
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: run-as-non-root-user
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ Running the container as root user is not allowed.
+ pattern:
+ spec:
+ =(securityContext):
+ =(windowsOptions):
+ =(runAsUserName): "ContainerUser"
+ =(initContainers):
+ - =(securityContext):
+ =(windowsOptions):
+ =(runAsUserName): "ContainerUser"
+ containers:
+ - =(securityContext):
+ =(windowsOptions):
+ =(runAsUserName): "ContainerUser"
diff --git a/pod-security-windows/restricted/require-run-as-non-root-user/resource.yaml b/pod-security-windows/restricted/require-run-as-non-root-user/resource.yaml
new file mode 100644
index 00000000..5c7db94e
--- /dev/null
+++ b/pod-security-windows/restricted/require-run-as-non-root-user/resource.yaml
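Review bot: Unlike the disallow-hostprocess-containers and require-run-as-nonroot policies in this change, the pattern here has no `=(ephemeralContainers):` stanza, so an ephemeral container that sets `windowsOptions.runAsUserName` to an administrator account passes this rule; the anchored stanza below, mirroring the initContainers one, closes that gap. The `=(runAsUserName)` anchor also only constrains the field when it is present — an unset field falls back to whatever user the image is built with, which this rule cannot see — so the description should state that limitation rather than present "unset" as a safe state. The description sentence is in any case incomplete: after listing the three fields it says "and is either unset or set to ContainerUser", which should read `are either unset or set to ContainerUser` with the trailing comma after the initContainers field dropped.
```yaml
        spec:
          # … unchanged: pod-level =(securityContext) stanza …
          =(ephemeralContainers):
            - =(securityContext):
                =(windowsOptions):
                  =(runAsUserName): "ContainerUser"
          # … unchanged: =(initContainers) and containers stanzas …
```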
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bad-windows-deployment
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: windows-app
+ template:
+ metadata:
+ labels:
+ app: windows-app
+ spec:
+ nodeSelector:
+ deploy: windows
+ securityContext:
+ windowsOptions:
+ runAsUserName: "ContainerAdministrator"
+ containers:
+ - name: windows-container
+ image: mcr.microsoft.com/windows/servercore:ltsc2019
+ command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"]
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: good-windows-deployment
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: windows-app
+ template:
+ metadata:
+ labels:
+ app: windows-app
+ spec:
+ nodeSelector:
+ deploy: windows
+ securityContext:
+ windowsOptions:
+ runAsUserName: "ContainerUser"
+ containers:
+ - name: windows-container
+ image: mcr.microsoft.com/windows/servercore:ltsc2019
+ command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"]
diff --git a/pod-security-windows/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml b/pod-security-windows/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml
new file mode 100644
index 00000000..4cd69e52
--- /dev/null
+++ b/pod-security-windows/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml
@@ -0,0 +1,56 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-run-as-nonroot
+ annotations:
+ policies.kyverno.io/title: Require runAsNonRoot
+ policies.kyverno.io/category: Pod Security Standards (Restricted)
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.6.0
+ kyverno.io/kubernetes-version: "1.22-1.23"
+ policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/restricted/require-run-as-non-root/"
+ policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/restricted/require-run-as-nonroot/remediate-require-run-as-nonroot.yaml"
+ policies.kyverno.io/description: >-
+ Containers must be required to run as non-root users. This policy ensures either the field
+ spec.securityContext.runAsNonRoot
+ is set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot,
+ spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot
+ is set to `true`. A known issue prevents a policy such as this
+ using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: run-as-non-root
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ Running the container as root is not allowed.
+ anyPattern:
+ - spec:
+ securityContext:
+ runAsNonRoot: "true"
+ =(ephemeralContainers):
+ - =(securityContext):
+ =(runAsNonRoot): "true"
+ =(initContainers):
+ - =(securityContext):
+ =(runAsNonRoot): "true"
+ containers:
+ - =(securityContext):
+ =(runAsNonRoot): "true"
+ - spec:
+ =(ephemeralContainers):
+ - securityContext:
+ runAsNonRoot: "true"
+ =(initContainers):
+ - securityContext:
+ runAsNonRoot: "true"
+ containers:
+ - securityContext:
+ runAsNonRoot: "true"
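Review bot: The `policies.nirmata.io/remediation` annotation points into `pod-security/restricted/require-run-as-nonroot/` while this policy lives under `pod-security-windows/restricted/`; it is the only repository path in this change that crosses between the two trees, so it should be confirmed as intentional reuse of the Linux remediation rather than a copy-paste leftover. The description also warns that an `anyPattern` policy like this one is not persisted properly on Kubernetes 1.23.0-1.23.2, yet `kyverno.io/kubernetes-version` advertises `"1.22-1.23"` without qualification; either narrow the annotation or move the caveat next to it so the two agree. The sibling require-run-as-non-root-user policy in this change carries no `remediation` annotation at all, so the two restricted policies are inconsistent in their metadata.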
diff --git a/pod-security-windows/restricted/require-run-as-nonroot/resource.yaml b/pod-security-windows/restricted/require-run-as-nonroot/resource.yaml
new file mode 100644
index 00000000..632e79ff
--- /dev/null
+++ b/pod-security-windows/restricted/require-run-as-nonroot/resource.yaml
@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bad-windows-deployment
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: windows-app
+ template:
+ metadata:
+ labels:
+ app: windows-app
+ spec:
+ nodeSelector:
+ deploy: windows
+ containers:
+ - name: windows-container
+ image: mcr.microsoft.com/windows/servercore:ltsc2019
+ command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"]
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: good-windows-deployment
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: windows-app
+ template:
+ metadata:
+ labels:
+ app: windows-app
+ spec:
+ nodeSelector:
+ deploy: windows
+ securityContext:
+ runAsNonRoot: true
+ containers:
+ - name: windows-container
+ image: mcr.microsoft.com/windows/servercore:ltsc2019
+ command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"]