diff --git a/rbac-best-practices/restrict-automount-sa-token/e2e/chainsaw-test.yaml b/rbac-best-practices/restrict-automount-sa-token/e2e/chainsaw-test.yaml
index 57baedcb..2bf0406c 100644
--- a/rbac-best-practices/restrict-automount-sa-token/e2e/chainsaw-test.yaml
+++ b/rbac-best-practices/restrict-automount-sa-token/e2e/chainsaw-test.yaml
@@ -22,3 +22,10 @@ spec:
 - check:
 ($error != null): true
 file: bad-resource.yaml
+ # After creating the remediate policy, we can create the bad resources as they will be mutated to become compliant
+ - apply:
+ file: ../remediate-restrict-automount-sa-token.yaml
+ - assert:
+ file: remediation-policy-assert.yaml
+ - apply:
+ file: bad-resource.yaml
\ No newline at end of file
diff --git a/rbac-best-practices/restrict-automount-sa-token/e2e/remediation-policy-assert.yaml b/rbac-best-practices/restrict-automount-sa-token/e2e/remediation-policy-assert.yaml
new file mode 100644
index 00000000..a35f0264
--- /dev/null
+++ b/rbac-best-practices/restrict-automount-sa-token/e2e/remediation-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: remediate-restrict-automount-sa-token
+spec:
+ validationFailureAction: Audit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/rbac-best-practices/restrict-automount-sa-token/remediate-restrict-automount-sa-token.yaml b/rbac-best-practices/restrict-automount-sa-token/remediate-restrict-automount-sa-token.yaml
new file mode 100644
index 00000000..94b49025
--- /dev/null
+++ b/rbac-best-practices/restrict-automount-sa-token/remediate-restrict-automount-sa-token.yaml
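Review bot: The closing `apply` of `bad-resource.yaml` only establishes that admission accepted the Pod; no step checks that `automountServiceAccountToken` was actually set to `false`, so the test also passes whenever admission lets the unmutated Pod through for any other reason. Add an `assert` step after the final apply pointing at a file with the expected post-mutation Pod (e.g. `- assert:` / `file: bad-resource-mutated.yaml`, name constructed), so the remediation itself is what gets verified. The identical hunks in restrict-clusterrole-nodesproxy/e2e/chainsaw-test.yaml and restrict-wildcard-resources/e2e/chainsaw-test.yaml have the same gap, and this file additionally loses its trailing newline. The `spec` steps list these lines extend starts outside the hunk.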
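Review bot: `spec.validationFailureAction: Audit` is asserted in remediation-policy-assert.yaml although `remediate-restrict-automount-sa-token.yaml` never sets that field (it is a mutate-only policy), so the check presumably relies on the Kyverno API default and says nothing about what the policy does. The sibling assert files for restrict-clusterrole-nodesproxy and restrict-wildcard-resources omit it. Drop the two lines `spec:` / `validationFailureAction: Audit` so all three assert files check only the `Ready` condition.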
@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: remediate-restrict-automount-sa-token
+ annotations:
+ policies.kyverno.io/title: Remediate Restrict Auto-Mount of Service Account Tokens
+ policies.kyverno.io/category: RBAC Best Practices
+ policies.kyverno.io/description: >-
+ This policy remediates the restrict-automount-sa-token violation
+spec:
+ background: false
+ rules:
+ - name: remediate-restrict-automount-sa-token
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{ request.\"object\".metadata.labels.\"app.kubernetes.io/part-of\" || '' }}"
+ operator: NotEquals
+ value: policy-reporter
+ mutate:
+ patchStrategicMerge:
+ spec:
+ automountServiceAccountToken: false
+
diff --git a/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/bad-resource.yaml b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/bad-resource.yaml
index 65063c9c..75d53272 100644
--- a/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/bad-resource.yaml
+++ b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/bad-resource.yaml
@@ -18,3 +18,12 @@ rules:
 - apiGroups: [""]
 resources: ["pods", "nodes/proxy"]
 verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: badcr03
+rules:
+- apiGroups: [""]
+ resources: ["nodes/proxy"]
+ verbs: ["get", "watch", "list"]
diff --git a/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/chainsaw-test.yaml b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/chainsaw-test.yaml
index 5d36c2a9..474d09ec 100644
--- a/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/chainsaw-test.yaml
+++ b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/chainsaw-test.yaml
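Review bot: The precondition exempts any Pod carrying `app.kubernetes.io/part-of: policy-reporter`, and a label is set by whoever submits the Pod, so the exemption is self-asserted rather than tied to the namespace or ServiceAccount the reporter actually runs under; an `exclude` on the reporter's namespace, or a precondition on `request.namespace`, would scope it to the intended workload. With `background: false` and no `mutate.targets`, only Pods admitted after the policy is installed are mutated and existing Pods keep their mounted token, which the description `This policy remediates the restrict-automount-sa-token violation` does not convey; the same holds for the nodesproxy and wildcard-resources remediate policies in this commit. Forcing `automountServiceAccountToken: false` cluster-wide also breaks workloads that legitimately need API access (operators, controllers), so the description should say that such workloads must mount a projected token explicitly or be excluded. The empty line 28 at the end of the file will be flagged by yamllint.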
@@ -22,3 +22,10 @@ spec:
 - check:
 ($error != null): true
 file: bad-resource.yaml
+ # After creating the remediate policy, we can create the bad resources as they will be mutated to become compliant
+ - apply:
+ file: ../remediate-restrict-clusterrole-nodesproxy.yaml
+ - assert:
+ file: remediation-policy-assert.yaml
+ - apply:
+ file: bad-resource.yaml
diff --git a/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/remediation-policy-assert.yaml b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/remediation-policy-assert.yaml
new file mode 100644
index 00000000..7fff88f3
--- /dev/null
+++ b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/remediation-policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: remediate-restrict-clusterrole-nodesproxy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/rbac-best-practices/restrict-clusterrole-nodesproxy/remediate-restrict-clusterrole-nodesproxy.yaml b/rbac-best-practices/restrict-clusterrole-nodesproxy/remediate-restrict-clusterrole-nodesproxy.yaml
new file mode 100644
index 00000000..6c062f19
--- /dev/null
+++ b/rbac-best-practices/restrict-clusterrole-nodesproxy/remediate-restrict-clusterrole-nodesproxy.yaml
@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: remediate-restrict-clusterrole-nodesproxy
+ annotations:
+ policies.kyverno.io/title: Remediate Restrict ClusterRole with Nodes Proxy
+ policies.kyverno.io/category: RBAC Best Practices
+ policies.kyverno.io/description: >-
+ This policy remediates the restrict-clusterrole-nodesproxy violation
+spec:
+ background: false
+ rules:
+ - name: remediate-restrict-clusterrole-nodesproxy
+ match:
+ any:
+ - resources:
+ kinds:
+ - ClusterRole
+ mutate:
+ foreach:
+ - list: request.object.rules[]
+ foreach:
+ - list: element.resources
+ preconditions:
+ all:
+ - key: "{{element}}"
+ operator: Equals
+ value: "nodes/proxy"
+ patchesJson6902: |-
+ - path: /rules/{{elementIndex0}}/resources/{{elementIndex1}}
+ op: replace
+ value: ""
+
+
diff --git a/rbac-best-practices/restrict-wildcard-resources/e2e/chainsaw-test.yaml b/rbac-best-practices/restrict-wildcard-resources/e2e/chainsaw-test.yaml
index 188244b5..57c08925 100644
--- a/rbac-best-practices/restrict-wildcard-resources/e2e/chainsaw-test.yaml
+++ b/rbac-best-practices/restrict-wildcard-resources/e2e/chainsaw-test.yaml
@@ -22,3 +22,10 @@ spec:
 - check:
 ($error != null): true
 file: bad-resource.yaml
+ # After creating the remediate policy, we can create the bad resources as they will be mutated to become compliant
+ - apply:
+ file: ../remediate-restrict-wildcard-resources.yaml
+ - assert:
+ file: remediation-policy-assert.yaml
+ - apply:
+ file: bad-resource.yaml
diff --git a/rbac-best-practices/restrict-wildcard-resources/e2e/remediation-policy-assert.yaml b/rbac-best-practices/restrict-wildcard-resources/e2e/remediation-policy-assert.yaml
new file mode 100644
index 00000000..ffed66aa
--- /dev/null
+++ b/rbac-best-practices/restrict-wildcard-resources/e2e/remediation-policy-assert.yaml
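Review bot: The precondition `key: "{{element}}"` / `operator: Equals` / `value: "nodes/proxy"` only catches the literal string, while RBAC also grants the proxy subresource through a `*/proxy` entry or a bare `*`, so a ClusterRole written either way passes through this rule unmutated; whether that is acceptable depends on the validating policy, which is not in this diff. The `value: ""` replacement also leaves behind a rule whose `resources` list holds an empty string (for `badcr03` the result is `resources: [""]`), which RBAC validation appears to accept but which grants nothing and reads like a mistake to the next maintainer; if `replace` was chosen over `remove` to keep `elementIndex1` stable inside the nested foreach, record that above `patchesJson6902`, e.g. `# replace instead of remove so the foreach indices stay valid after each patch`. The same applies to `remediate-restrict-wildcard-resources.yaml` later in this commit. The two empty `+` lines at the end of this file will be flagged by yamllint.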
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: remediate-restrict-wildcard-resources
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/rbac-best-practices/restrict-wildcard-resources/remediate-restrict-wildcard-resources.yaml b/rbac-best-practices/restrict-wildcard-resources/remediate-restrict-wildcard-resources.yaml
new file mode 100644
index 00000000..7c8630cf
--- /dev/null
+++ b/rbac-best-practices/restrict-wildcard-resources/remediate-restrict-wildcard-resources.yaml
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: remediate-restrict-wildcard-resources
+ annotations:
+ policies.kyverno.io/title: Remediate Restrict Wildcard in Resources
+ policies.kyverno.io/category: RBAC Best Practices
+ policies.kyverno.io/description: >-
+ This policy remediates the restrict-wildcard-resources violation
+spec:
+ background: false
+ rules:
+ - name: remediate-restrict-wildcard-resources
+ match:
+ any:
+ - resources:
+ kinds:
+ - Role
+ - ClusterRole
+ mutate:
+ foreach:
+ - list: request.object.rules[]
+ foreach:
+ - list: element.resources
+ preconditions:
+ all:
+ - key: "*"
+ operator: Equals
+ value: "{{element}}"
+ patchesJson6902: |-
+ - path: /rules/{{elementIndex0}}/resources/{{elementIndex1}}
+ op: replace
+ value: ""