NDEV-20544: add remediate policies for RBAC best practices

rbac-best-practices/restrict-automount-sa-token/e2e/chainsaw-test.yaml

@@ -22,3 +22,10 @@ spec:
         - check:
             ($error != null): true
         file: bad-resource.yaml
+    # After creating the remediate policy, we can create the bad resources as they will be mutated to become compliant
+    - apply:
+        file: ../remediate-restrict-automount-sa-token.yaml
+    - assert:
+        file: remediation-policy-assert.yaml
+    - apply:
+        file: bad-resource.yaml

rbac-best-practices/restrict-automount-sa-token/e2e/remediation-policy-assert.yaml

@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: remediate-restrict-automount-sa-token
+spec:
+  validationFailureAction: Audit
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

rbac-best-practices/restrict-automount-sa-token/remediate-restrict-automount-sa-token.yaml

@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: remediate-restrict-automount-sa-token
+  annotations:
+    policies.kyverno.io/title: Remediate Restrict Auto-Mount of Service Account Tokens
+    policies.kyverno.io/category: RBAC Best Practices
+    policies.kyverno.io/description: >-
+      This policy remediates the restrict-automount-sa-token violation
+spec:
+  background: false
+  rules:
+    - name: remediate-restrict-automount-sa-token
+      match:
+        any:
+        - resources:
+            kinds:
+            - Pod
+      preconditions:
+        all:
+        - key: "{{ request.\"object\".metadata.labels.\"app.kubernetes.io/part-of\" || '' }}"
+          operator: NotEquals
+          value: policy-reporter
+      mutate:
+        patchStrategicMerge:
+          spec:
+            automountServiceAccountToken: false
+

rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/bad-resource.yaml

@@ -18,3 +18,12 @@ rules:
 - apiGroups: [""]
   resources: ["pods", "nodes/proxy"]
   verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: badcr03
+rules:
+- apiGroups: [""]
+  resources: ["nodes/proxy"]
+  verbs: ["get", "watch", "list"]

rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/chainsaw-test.yaml

@@ -22,3 +22,10 @@ spec:
         - check:
             ($error != null): true
         file: bad-resource.yaml
+    # After creating the remediate policy, we can create the bad resources as they will be mutated to become compliant
+    - apply:
+        file: ../remediate-restrict-clusterrole-nodesproxy.yaml
+    - assert:
+        file: remediation-policy-assert.yaml
+    - apply:
+        file: bad-resource.yaml

rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/remediation-policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: remediate-restrict-clusterrole-nodesproxy
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

rbac-best-practices/restrict-clusterrole-nodesproxy/remediate-restrict-clusterrole-nodesproxy.yaml

@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: remediate-restrict-clusterrole-nodesproxy
+  annotations:
+    policies.kyverno.io/title: Remediate Restrict ClusterRole with Nodes Proxy
+    policies.kyverno.io/category: RBAC Best Practices
+    policies.kyverno.io/description: >-
+      This policy remediates the restrict-clusterrole-nodesproxy violation
+spec:
+  background: false
+  rules:
+    - name: remediate-restrict-clusterrole-nodesproxy
+      match:
+        any:
+        - resources:
+            kinds:
+              - ClusterRole
+      mutate:
+        foreach: 
+          - list: request.object.rules[]
+            foreach:
+            - list: element.resources
+              preconditions:
+                all:
+                - key: "{{element}}"
+                  operator: Equals
+                  value: "nodes/proxy"
+              patchesJson6902: |-
+                - path: /rules/{{elementIndex0}}/resources/{{elementIndex1}}
+                  op: replace
+                  value: ""
+
+

rbac-best-practices/restrict-wildcard-resources/e2e/chainsaw-test.yaml

@@ -22,3 +22,10 @@ spec:
         - check:
             ($error != null): true
         file: bad-resource.yaml
+    # After creating the remediate policy, we can create the bad resources as they will be mutated to become compliant
+    - apply:
+        file: ../remediate-restrict-wildcard-resources.yaml
+    - assert:
+        file: remediation-policy-assert.yaml
+    - apply:
+        file: bad-resource.yaml

rbac-best-practices/restrict-wildcard-resources/e2e/remediation-policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: remediate-restrict-wildcard-resources
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

rbac-best-practices/restrict-wildcard-resources/remediate-restrict-wildcard-resources.yaml

@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: remediate-restrict-wildcard-resources
+  annotations:
+    policies.kyverno.io/title: Remediate Restrict Wildcard in Resources
+    policies.kyverno.io/category: RBAC Best Practices
+    policies.kyverno.io/description: >-
+      This policy remediates the restrict-wildcard-resources violation
+spec:
+  background: false
+  rules:
+    - name: remediate-restrict-wildcard-resources
+      match:
+        any:
+        - resources:
+            kinds:
+              - Role
+              - ClusterRole
+      mutate:
+        foreach: 
+          - list: request.object.rules[]
+            foreach:
+            - list: element.resources
+              preconditions:
+                all:
+                - key: "*"
+                  operator: Equals
+                  value: "{{element}}"
+              patchesJson6902: |-
+                - path: /rules/{{elementIndex0}}/resources/{{elementIndex1}}
+                  op: replace
+                  value: ""