From f2bcb8bf2f8b75cbe350a1b4e22ef684ae0f2c9c Mon Sep 17 00:00:00 2001
From: Ved Ratan
Date: Fri, 9 Aug 2024 15:36:58 +0530
Subject: [PATCH 1/3] NDEV-19889: exclude the nirmata resources from the policy

Signed-off-by: Ved Ratan
---
 .../restrict-automount-sa-token.yaml | 56 +++++++++++++++++++
 1 file changed, 56 insertions(+)

diff --git a/rbac-best-practices/restrict-automount-sa-token/restrict-automount-sa-token.yaml b/rbac-best-practices/restrict-automount-sa-token/restrict-automount-sa-token.yaml
index 0c8bd6fa..3bd2af54 100644
--- a/rbac-best-practices/restrict-automount-sa-token/restrict-automount-sa-token.yaml
+++ b/rbac-best-practices/restrict-automount-sa-token/restrict-automount-sa-token.yaml
@@ -24,6 +24,62 @@ spec:
 - resources:
 kinds:
 - Pod
+ exclude:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app: nirmata-kube-controller
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app: otel-agent
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: nirmata-kyverno-operator
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: admission-controller
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: cleanup-controller
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: background-controller
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: reports-controller
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ batch.kubernetes.io/job-name: "kyverno-cleanup-admission-reports-*"
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ batch.kubernetes.io/job-name=kyverno: "cleanup-cluster-admission-reports-*"
 preconditions:
 all:
 - key: "{{ request.\"object\".metadata.labels.\"app.kubernetes.io/part-of\" || '' }}"

From 459b4497a7d25c0befa30b2bd817792d8c7a0f1a Mon Sep 17 00:00:00 2001
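Review bot: Every entry in the new `exclude.any` block is keyed solely on a Pod label, so any Pod in any namespace that carries `app: otel-agent`, `app.kubernetes.io/component: admission-controller` or a `job-name`-style value matching `kyverno-cleanup-*` is exempt from the automount check; labels are set by whoever creates the Pod, so the exemption is satisfiable by the very workloads the policy is meant to constrain. Scoping each entry to the namespace(s) where these components actually run closes that gap, e.g. adding `namespaces:` / `- "<kyverno-install-namespace>"` under each `resources:` next to its `selector`. The same block is added to the chart copy in the second patch (hunk after `@@ -24,6 +24,62 @@` in charts/rbac-best-practices/pols/restrict-automount-sa-token.yaml) and extended in the third, so the namespace scoping belongs there as well. The `preconditions` on `app.kubernetes.io/part-of` begin in the trailing context; whether they already narrow this cannot be told from the hunk.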
From: Ved Ratan
Date: Fri, 9 Aug 2024 16:19:37 +0530
Subject: [PATCH 2/3] chore: chart version bump

Signed-off-by: Ved Ratan
---
 charts/rbac-best-practices/Chart.yaml | 2 +-
 .../pols/restrict-automount-sa-token.yaml | 56 ++++++++++++++++++
 .../restrict-automount-sa-token.yaml | 58 +------------------
 3 files changed, 58 insertions(+), 58 deletions(-)

diff --git a/charts/rbac-best-practices/Chart.yaml b/charts/rbac-best-practices/Chart.yaml
index ed4c8274..05d315d4 100644
--- a/charts/rbac-best-practices/Chart.yaml
+++ b/charts/rbac-best-practices/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: rbac-best-practice-policies
 description: Rbac Best Practice policy set
 type: application
-version: 0.2.0
+version: 0.2.1
 appVersion: 0.1.0
 keywords:
 - kubernetes
diff --git a/charts/rbac-best-practices/pols/restrict-automount-sa-token.yaml b/charts/rbac-best-practices/pols/restrict-automount-sa-token.yaml
index 0c8bd6fa..3bd2af54 100644
--- a/charts/rbac-best-practices/pols/restrict-automount-sa-token.yaml
+++ b/charts/rbac-best-practices/pols/restrict-automount-sa-token.yaml
@@ -24,6 +24,62 @@ spec:
 - resources:
 kinds:
 - Pod
+ exclude:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app: nirmata-kube-controller
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app: otel-agent
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: nirmata-kyverno-operator
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: admission-controller
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: cleanup-controller
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: background-controller
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: reports-controller
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ batch.kubernetes.io/job-name: "kyverno-cleanup-admission-reports-*"
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ batch.kubernetes.io/job-name=kyverno: "cleanup-cluster-admission-reports-*"
 preconditions:
 all:
 - key: "{{ request.\"object\".metadata.labels.\"app.kubernetes.io/part-of\" || '' }}"
diff --git a/rbac-best-practices/restrict-automount-sa-token/restrict-automount-sa-token.yaml b/rbac-best-practices/restrict-automount-sa-token/restrict-automount-sa-token.yaml
index 3bd2af54..7b9b5363 100644
--- a/rbac-best-practices/restrict-automount-sa-token/restrict-automount-sa-token.yaml
+++ b/rbac-best-practices/restrict-automount-sa-token/restrict-automount-sa-token.yaml
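Review bot: The exclusion block now exists only in the chart copy: it is added here to charts/rbac-best-practices/pols/restrict-automount-sa-token.yaml while the next file section of the same patch removes the identical block from rbac-best-practices/restrict-automount-sa-token/restrict-automount-sa-token.yaml, so the two copies of the policy no longer agree. If the root copy is the reference the chart is regenerated from, the exemptions would be lost on the next sync; if the divergence is intentional, a one-line comment above `exclude:` such as `# chart-only: exempts Kyverno/Nirmata system pods; not present in the upstream policy copy` would record that. The label-only scoping concern raised on the first patch applies unchanged to this block.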
@@ -24,62 +24,6 @@ spec:
 - resources:
 kinds:
 - Pod
- exclude:
- any:
- - resources:
- kinds:
- - Pod
- selector:
- matchLabels:
- app: nirmata-kube-controller
- - resources:
- kinds:
- - Pod
- selector:
- matchLabels:
- app: otel-agent
- - resources:
- kinds:
- - Pod
- selector:
- matchLabels:
- app.kubernetes.io/name: nirmata-kyverno-operator
- - resources:
- kinds:
- - Pod
- selector:
- matchLabels:
- app.kubernetes.io/component: admission-controller
- - resources:
- kinds:
- - Pod
- selector:
- matchLabels:
- app.kubernetes.io/component: cleanup-controller
- - resources:
- kinds:
- - Pod
- selector:
- matchLabels:
- app.kubernetes.io/component: background-controller
- - resources:
- kinds:
- - Pod
- selector:
- matchLabels:
- app.kubernetes.io/component: reports-controller
- - resources:
- kinds:
- - Pod
- selector:
- matchLabels:
- batch.kubernetes.io/job-name: "kyverno-cleanup-admission-reports-*"
- - resources:
- kinds:
- - Pod
- selector:
- matchLabels:
- batch.kubernetes.io/job-name=kyverno: "cleanup-cluster-admission-reports-*"
 preconditions:
 all:
 - key: "{{ request.\"object\".metadata.labels.\"app.kubernetes.io/part-of\" || '' }}"
@@ -89,4 +33,4 @@ spec:
 message: "Auto-mounting of Service Account tokens is not allowed."
 pattern:
 spec:
- automountServiceAccountToken: "false"
+ automountServiceAccountToken: "false"
\ No newline at end of file

From 74387e8adf3b3a621d73b5ea712e35cc0296c861 Mon Sep 17 00:00:00 2001
From: Ved Ratan
Date: Fri, 9 Aug 2024 19:11:00 +0530
Subject: [PATCH 3/3] chore: excluded jobs and cronjobs

Signed-off-by: Ved Ratan
---
 .../pols/restrict-automount-sa-token.yaml | 22 +++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/charts/rbac-best-practices/pols/restrict-automount-sa-token.yaml b/charts/rbac-best-practices/pols/restrict-automount-sa-token.yaml
index 3bd2af54..a7e557f4 100644
--- a/charts/rbac-best-practices/pols/restrict-automount-sa-token.yaml
+++ b/charts/rbac-best-practices/pols/restrict-automount-sa-token.yaml
@@ -73,13 +73,31 @@ spec:
 - Pod
 selector:
 matchLabels:
- batch.kubernetes.io/job-name: "kyverno-cleanup-admission-reports-*"
+ job-name: "kyverno-cleanup-admission-reports-*"
 - resources:
 kinds:
 - Pod
 selector:
 matchLabels:
- batch.kubernetes.io/job-name=kyverno: "cleanup-cluster-admission-reports-*"
+ job-name: "kyverno-cleanup-cluster-admission-reports-*"
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ job-name: "kyverno-cleanup-ephemeral-reports-*"
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ job-name: "kyverno-cleanup-cluster-ephemeral-reports-*"
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ job-name: "kyverno-cleanup-update-requests-*"
 preconditions:
 all:
 - key: "{{ request.\"object\".metadata.labels.\"app.kubernetes.io/part-of\" || '' }}"
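Review bot: The five `job-name` entries depend on `*` wildcards inside `matchLabels`, which a plain Kubernetes LabelSelector would compare as a literal value; this appears to work only because Kyverno extends `matchLabels` with wildcard matching, and nothing in the file says so. A comment above the first entry, e.g. `# job-name values use Kyverno wildcard matching, not plain k8s label equality; one entry per Kyverno cleanup CronJob`, would keep a later maintainer from "correcting" the globs or assuming a newly added cleanup job is covered automatically. The switch from `batch.kubernetes.io/job-name` to `job-name` also deserves a short why-comment, since (if I recall correctly) `job-name` is the long-standing label and the prefixed one was added later, so the change broadens cluster compatibility rather than being cosmetic. The `exclude:` mapping these entries belong to starts above the hunk.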