feat: add chart for rbac-best-practices in CEL

charts/rbac-best-practices-cel/Chart.yaml

@@ -0,0 +1,14 @@
+apiVersion: v2
+name: rbac-best-practice-cel-policies
+description: Rbac Best Practice CEL policy set
+type: application
+version: 0.1.0
+appVersion: 0.1.0
+keywords:
+  - kubernetes
+  - nirmata
+  - kyverno
+  - policy
+maintainers:
+  - name: Nirmata
+    url: https://nirmata.com/

charts/rbac-best-practices-cel/pols/disable-automount-sa-token.yaml

@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disable-automount-sa-token
+  annotations:
+    policies.kyverno.io/title: Disable automountServiceAccountToken
+    policies.kyverno.io/category: RBAC Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: ServiceAccount
+    policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kubernetes-version: "1.21"
+    policies.kyverno.io/description: >-
+      A new ServiceAccount called `default` is created whenever a new Namespace is created.
+      Pods spawned in that Namespace, unless otherwise set, will be assigned this ServiceAccount.
+      This policy mutates any new `default` ServiceAccounts to disable auto-mounting of the token
+      into Pods obviating the need to do so individually.      
+spec:
+  rules:
+  - name: disable-automountserviceaccounttoken
+    match:
+      any:
+      - resources:
+          kinds:
+          - ServiceAccount
+          names:
+          - default
+    mutate:
+      patchStrategicMerge:
+        automountServiceAccountToken: false

charts/rbac-best-practices-cel/pols/restrict-automount-sa-token.yaml

@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-automount-sa-token
+  annotations:
+    policies.kyverno.io/title: Restrict Auto-Mount of Service Account Tokens
+    policies.kyverno.io/category: RBAC Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod,ServiceAccount
+    policies.kyverno.io/minversion: 1.6.0
+    policies.kyverno.io/description: >-
+      Kubernetes automatically mounts ServiceAccount credentials in each Pod.
+      The ServiceAccount may be assigned roles allowing Pods to access API resources.
+      Blocking this ability is an extension of the least privilege best practice and should
+      be followed if Pods do not need to speak to the API server to function.
+      This policy ensures that mounting of these ServiceAccount tokens is blocked.      
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+  - name: validate-automountServiceAccountToken
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    preconditions:
+      all:
+      - key: "{{ request.\"object\".metadata.labels.\"app.kubernetes.io/part-of\" || '' }}"
+        operator: NotEquals
+        value: policy-reporter
+    validate:
+      message: "Auto-mounting of Service Account tokens is not allowed."
+      pattern:
+        spec:
+          automountServiceAccountToken: "false"

charts/rbac-best-practices-cel/pols/restrict-binding-system-groups.yaml

@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-binding-system-groups
+  annotations:
+    policies.kyverno.io/title: Restrict Binding System Groups in CEL expressions
+    policies.kyverno.io/category: RBAC Best Practices in CEL 
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: RoleBinding, ClusterRoleBinding, RBAC
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kubernetes-version: "1.26"
+    policies.kyverno.io/description: >-
+      Certain system groups exist in Kubernetes which grant permissions that
+      are used for certain system-level functions yet typically never appropriate
+      for other users. This policy prevents creating bindings for system:masters group.      
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+    - name: restrict-masters
+      match:
+        any:
+        - resources:
+            kinds:
+              - RoleBinding
+              - ClusterRoleBinding
+      validate:
+        cel:
+          expressions:
+            - expression: "object.roleRef.name != 'system:masters'"
+              message: "Binding to system:masters is not allowed."
+

charts/rbac-best-practices-cel/pols/restrict-clusterrole-nodesproxy.yaml

@@ -0,0 +1,38 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-clusterrole-nodesproxy
+  annotations:
+    policies.kyverno.io/title: Restrict ClusterRole with Nodes Proxy in CEL expressions
+    policies.kyverno.io/category: RBAC Best Practices in CEL 
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: ClusterRole, RBAC
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kubernetes-version: "1.26"
+    policies.kyverno.io/description: >-
+      A ClusterRole with nodes/proxy resource access allows a user to
+      perform anything the kubelet API allows. It also allows users to bypass
+      the API server and talk directly to the kubelet potentially circumventing
+      audits and admission controllers. See https://blog.aquasec.com/privilege-escalation-kubernetes-rbac
+      for more info. This policy prevents the creation
+      of a ClusterRole if it contains the nodes/proxy resource.       
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+    - name: clusterrole-nodesproxy
+      match:
+        any:
+        - resources:
+            kinds:
+              - ClusterRole
+      validate:
+        cel:
+          expressions:
+            - expression: >-
+                object.rules == null || 
+                !object.rules.exists(rule, 
+                rule.resources.exists(resource, resource == 'nodes/proxy') && 
+                rule.apiGroups.exists(apiGroup, apiGroup == ''))
+              message: "A ClusterRole containing the nodes/proxy resource is not allowed."
+

charts/rbac-best-practices-cel/pols/restrict-escalation-verbs-roles.yaml

@@ -0,0 +1,37 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-escalation-verbs-roles
+  annotations:
+    policies.kyverno.io/title: Restrict Escalation Verbs in Roles in CEL expressions
+    policies.kyverno.io/category: RBAC Best Practices in CEL 
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Role, ClusterRole, RBAC
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kubernetes-version: "1.26"
+    policies.kyverno.io/description: >-
+      The verbs `impersonate`, `bind`, and `escalate` may all potentially lead to
+      privilege escalation and should be tightly controlled. This policy prevents
+      use of these verbs in Role or ClusterRole resources.      
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+    - name: escalate
+      match:
+        any:
+        - resources:
+            kinds:
+              - Role
+              - ClusterRole
+      validate:
+        cel:
+          expressions:
+            - expression: >-
+                object.rules == null || 
+                !object.rules.exists(rule,
+                rule.apiGroups.exists(apiGroup, apiGroup in ['*', 'rbac.authorization.k8s.io']) &&
+                rule.resources.exists(resource, resource in ['*', 'clusterroles', 'roles']) &&
+                rule.verbs.exists(verb, verb in ['*', 'bind', 'escalate', 'impersonate']))
+              message: "Use of verbs `escalate`, `bind`, and `impersonate` are forbidden."
+

charts/rbac-best-practices-cel/pols/restrict-wildcard-resources.yaml

@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-wildcard-resources
+  annotations:
+    policies.kyverno.io/title: Restrict Wildcards in Resources in CEL expressions
+    policies.kyverno.io/category: RBAC Best Practices in CEL 
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: ClusterRole, Role, RBAC
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kubernetes-version: "1.26"
+    policies.kyverno.io/description: >-
+      Wildcards ('*') in resources grants access to all of the resources referenced by
+      the given API group and does not follow the principal of least privilege. As much as possible,
+      avoid such open resources unless scoped to perhaps a custom API group.
+      This policy blocks any Role or ClusterRole that contains a wildcard entry in
+      the resources list found in any rule.      
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+    - name: wildcard-resources
+      match:
+        any:
+        - resources:
+            kinds:
+              - Role
+              - ClusterRole
+      validate:
+        cel:
+          expressions:
+            - expression: "object.rules == null || !object.rules.exists(rule, '*' in rule.resources)"
+              message: "Use of a wildcard ('*') in any resources is forbidden."
+

charts/rbac-best-practices-cel/templates/club-pols.yaml

@@ -0,0 +1,4 @@
+{{ range $path, $_ :=  .Files.Glob  "pols/**.yaml" }}
+{{ $.Files.Get $path }}
+---
+{{ end }}