pod-security-windows

pod-security-windows/baseline/disallow-host-network/disallow-host-network.yaml

@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-host-network
+  annotations:
+    policies.kyverno.io/title: Disallow Host Network
+    policies.kyverno.io/category: Pod Security Standards (Baseline)
+    policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.6.0
+    kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.kyverno.io/subject: Pod
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-namespaces/"
+    policies.kyverno.io/description: >-
+      Host namespaces (network namespace) allow access to shared information and can be used to elevate
+      privileges. Pods should not be allowed access to host namespaces. This policy ensures
+      fields which make use of these host namespaces are unset or set to `false`.
+    policies.nirmata.io/remediation: "NA"
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: host-namespaces
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        message: >-
+          Sharing the host network namespaces is disallowed.
+        pattern:
+          spec:
+            =(hostNetwork): "false"

pod-security-windows/baseline/disallow-host-network/resource.yaml

@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bad-windows-deployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: windows-app
+  template:
+    metadata:
+      labels:
+        app: windows-app
+    spec:
+      nodeSelector:
+        deploy: windows
+      hostNetwork: true
+      containers:
+      - name: windows-container
+        image: mcr.microsoft.com/windows/servercore:ltsc2019
+        command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"]
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: good-windows-deployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: windows-app
+  template:
+    metadata:
+      labels:
+        app: windows-app
+    spec:
+      nodeSelector:
+        deploy: windows
+      hostNetwork: false
+      containers:
+      - name: windows-container
+        image: mcr.microsoft.com/windows/servercore:ltsc2019
+        command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"]

pod-security-windows/baseline/disallow-hostprocess-containers/disallow-hostprocess-containers.yaml

@@ -0,0 +1,46 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-hostprocess-containers
+  annotations:
+    policies.kyverno.io/title: Disallow HostProcess Containers
+    policies.kyverno.io/category: Pod Security Standards (Baseline)
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    kyverno.io/kyverno-version: 1.6.0
+    kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.nirmata.io/remediation-docs: "NA"
+    policies.kyverno.io/description: >-
+      Hostprocess mode disables most security mechanisms and must not be allowed. This policy
+      ensures the fields spec.containers[*].securityContext.privileged and spec.initContainers[*].securityContext.windowsOptions.hostProcess must be unset or set to `false`.
+    policies.nirmata.io/remediation: "NA"
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: hostprocess-containers
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        message: >-
+          HostProcess mode is disallowed.
+        pattern:
+          spec:
+            =(securityContext):
+              =(windowsOptions):
+                =(hostProcess): "false"
+            =(ephemeralContainers):
+              - =(securityContext):
+                  =(windowsOptions):
+                    =(hostProcess): "false"
+            =(initContainers):
+              - =(securityContext):
+                  =(windowsOptions):
+                    =(hostProcess): "false"
+            containers:
+              - =(securityContext):
+                  =(windowsOptions):
+                    =(hostProcess): "false"

pod-security-windows/baseline/disallow-hostprocess-containers/resource.yaml

@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bad-windows-deployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: windows-app
+  template:
+    metadata:
+      labels:
+        app: windows-app
+    spec:
+      nodeSelector:
+        deploy: windows
+      securityContext:
+        windowsOptions:
+          hostProcess: true
+      containers:
+      - name: windows-container
+        image: mcr.microsoft.com/windows/servercore:ltsc2019
+        command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"]
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: good-windows-deployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: windows-app
+  template:
+    metadata:
+      labels:
+        app: windows-app
+    spec:
+      nodeSelector:
+        deploy: windows
+      securityContext:
+        windowsOptions:
+          hostProcess: false
+      containers:
+      - name: windows-container
+        image: mcr.microsoft.com/windows/servercore:ltsc2019
+        command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"]

pod-security-windows/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml

@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-run-as-non-root-user
+  annotations:
+    policies.kyverno.io/title: Require Run As Non-Root User
+    policies.kyverno.io/category: Pod Security Standards (Restricted)
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    kyverno.io/kyverno-version: 1.6.0
+    kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.nirmata.io/remediation-docs: "N/A"
+    policies.kyverno.io/description: >-
+      Containers must be required to run as non-root users. This policy ensures that the fields 
+      spec.securityContext.windowsOptions.runAsUserName,
+      spec.containers[*].securityContext.windowsOptions.runAsUserName, 
+      spec.initContainers[*].securityContext.windowsOptions.runAsUserName,
+      and  is either unset or set to ContainerUser.
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: run-as-non-root-user
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        message: >-
+          Running the container as root user is not allowed.
+        pattern:
+          spec:
+            =(securityContext):
+              =(windowsOptions):
+                =(runAsUserName): "ContainerUser"
+            =(initContainers):
+              - =(securityContext):
+                  =(windowsOptions):
+                    =(runAsUserName): "ContainerUser"
+            containers:
+              - =(securityContext):
+                  =(windowsOptions):
+                    =(runAsUserName): "ContainerUser"

pod-security-windows/restricted/require-run-as-non-root-user/resource.yaml

@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bad-windows-deployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: windows-app
+  template:
+    metadata:
+      labels:
+        app: windows-app
+    spec:
+      nodeSelector:
+        deploy: windows
+      securityContext:
+        windowsOptions:
+          runAsUserName: "ContainerAdministrator"
+      containers:
+      - name: windows-container
+        image: mcr.microsoft.com/windows/servercore:ltsc2019
+        command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"]
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: good-windows-deployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: windows-app
+  template:
+    metadata:
+      labels:
+        app: windows-app
+    spec:
+      nodeSelector:
+        deploy: windows
+      securityContext:
+        windowsOptions:
+          runAsUserName: "ContainerUser"
+      containers:
+      - name: windows-container
+        image: mcr.microsoft.com/windows/servercore:ltsc2019
+        command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"]

pod-security-windows/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml

@@ -0,0 +1,56 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-run-as-nonroot
+  annotations:
+    policies.kyverno.io/title: Require runAsNonRoot
+    policies.kyverno.io/category: Pod Security Standards (Restricted)
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    kyverno.io/kyverno-version: 1.6.0
+    kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/restricted/require-run-as-non-root/"
+    policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/restricted/require-run-as-nonroot/remediate-require-run-as-nonroot.yaml"
+    policies.kyverno.io/description: >-
+      Containers must be required to run as non-root users. This policy ensures either the field 
+      spec.securityContext.runAsNonRoot
+      is set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot,
+      spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot
+      is set to `true`. A known issue prevents a policy such as this
+      using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: run-as-non-root
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        message: >-
+          Running the container as root is not allowed.
+        anyPattern:
+          - spec:
+              securityContext:
+                runAsNonRoot: "true"
+              =(ephemeralContainers):
+                - =(securityContext):
+                    =(runAsNonRoot): "true"
+              =(initContainers):
+                - =(securityContext):
+                    =(runAsNonRoot): "true"
+              containers:
+                - =(securityContext):
+                    =(runAsNonRoot): "true"
+          - spec:
+              =(ephemeralContainers):
+                - securityContext:
+                    runAsNonRoot: "true"
+              =(initContainers):
+                - securityContext:
+                    runAsNonRoot: "true"
+              containers:
+                - securityContext:
+                    runAsNonRoot: "true"

pod-security-windows/restricted/require-run-as-nonroot/resource.yaml

@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bad-windows-deployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: windows-app
+  template:
+    metadata:
+      labels:
+        app: windows-app
+    spec:
+      nodeSelector:
+        deploy: windows
+      containers:
+      - name: windows-container
+        image: mcr.microsoft.com/windows/servercore:ltsc2019
+        command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"]
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: good-windows-deployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: windows-app
+  template:
+    metadata:
+      labels:
+        app: windows-app
+    spec:
+      nodeSelector:
+        deploy: windows
+      securityContext:
+        runAsNonRoot: true
+      containers:
+      - name: windows-container
+        image: mcr.microsoft.com/windows/servercore:ltsc2019
+        command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"]