feat: added helm charts for aws services

.github/workflows/chart-lint.yaml

@@ -23,7 +23,7 @@ jobs:
           version: v3.7.2
       - uses: actions/setup-python@v2
         with:
-          python-version: 3.7
+          python-version: 3.12
       - name: Set up chart-testing
         uses: helm/[email protected]
       - name: Run chart-testing (list-changed)

charts/cloud-controls/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/cloud-controls/Chart.yaml

@@ -0,0 +1,26 @@
+apiVersion: v2
+name: cloud-controls
+description: Cloud Controls Helm Chart
+version: 0.0.1
+keywords:
+  - kubernetes
+  - nirmata
+  - kyverno
+  - policy
+  - cloud-controller
+maintainers:
+  - name: Nirmata
+    url: https://nirmata.com/
+dependencies:
+  - name: aws-ecs-best-practices
+    condition: aws-ecs-best-practices.enabled
+    version: 0.0.1
+    repository: file://charts/ecs
+  - name: aws-eks-best-practices
+    condition: aws-eks-best-practices.enabled
+    version: 0.0.1
+    repository: file://charts/eks
+  - name: aws-lambda-best-practices
+    condition: aws-lambda-best-practices.enabled
+    version: 0.0.1
+    repository: file://charts/lambda

charts/cloud-controls/charts/ecs/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/cloud-controls/charts/ecs/Chart.yaml

@@ -0,0 +1,14 @@
+apiVersion: v2
+name: aws-ecs-best-practices
+description: Aws ECS Best Practices CloudController Policy Set
+type: application
+version: 0.0.1
+keywords:
+  - kubernetes
+  - nirmata
+  - kyverno
+  - policy
+  - cloud-controller
+maintainers:
+  - name: Nirmata
+    url: https://nirmata.com/

charts/cloud-controls/charts/ecs/templates/check-awsvpc-network-mode.yaml

@@ -0,0 +1,40 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkAwsvpcNetworkMode" }}
+{{- $name := "check-awsvpc-network-mode" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+  name: {{ $name }}
+  annotations:
+    policies.kyverno.io/title: Check Awsvpc Network Mode
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      The awsvpc network mode restricts the flow of traffic between different 
+      tasks or between your tasks and other services that run within your Amazon VPC.
+      The awsvpc network mode provides task-level network isolation for tasks 
+      that run on Amazon EC2.
+  labels:
+    app: kyverno
+spec:
+  failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+  scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+  admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+  rules:
+    - name: {{ $name }}
+      identifier: payload.family
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): ECS
+        - (metadata.resource): TaskDefinition
+      assert:
+        all:
+        - message: >- 
+            ECS task definitions are required to use awsvpc network mode.
+          check:
+            payload:
+              networkMode: awsvpc
+{{- end }}
+{{- end }}

charts/cloud-controls/charts/ecs/templates/validate-ecs-container-insights-enabled.yaml

@@ -0,0 +1,39 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "validateEcsContainerInsightsAreEnabled" }}
+{{- $name := "validate-ecs-container-insights-enabled" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+  name: {{ $name }}
+  annotations:
+    policies.kyverno.io/title: Validate ECS Container Insights are Enabled
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      Container Insights enhances the operational visibility of ECS clusters, allowing for proactive issue resolution. 
+      Enabling this feature ensures that diagnostic information is readily available, contributing to a more efficient and reliable containerized environment.
+  labels:
+    app: kyverno
+spec:
+  failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+  scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+  admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+  rules:
+    - name: {{ $name }}
+      identifier: payload.clusterName
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): ECS
+        - (metadata.resource): Cluster
+      assert:
+        all:
+        - message: >- 
+            ECS container insights must be enabled
+          check:
+            payload:
+              ~.(clusterSettings[?name == 'containerInsights'] || settings[?name == 'containerInsights']):
+                value: enabled
+{{- end }}
+{{- end }}

charts/cloud-controls/charts/ecs/templates/validate-ecs-containers-nonprivileged.yaml

@@ -0,0 +1,39 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "validateEcsContainersNonprivileged" }}
+{{- $name := "validate-ecs-containers-nonprivileged" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+  name: {{ $name }}
+  annotations:
+    policies.kyverno.io/title: Validate ECS Containers Are Set to Non-Privileged
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      When privileged is set to true, the container is given elevated permissions on the host container instance (similar to the root user). 
+      This policy checks that the privileged parameter in the container definition is set to false.
+  labels:
+    app: kyverno
+spec:
+  failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+  scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+  admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+  rules:
+    - name: {{ $name }}
+      identifier: payload.family
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): ECS
+        - (metadata.resource): TaskDefinition
+      assert:
+        all:
+        - message: >- 
+            The `privileged` field, if present, should be set to `false`
+          check:
+            payload:
+              ~.(containerDefinitions):
+                  (!!privileged): false
+{{- end }}
+{{- end }}

charts/cloud-controls/charts/ecs/templates/validate-ecs-containers-readonly.yaml

@@ -0,0 +1,40 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "validateEcsContainersReadonly" }}
+{{- $name := "validate-ecs-containers-readonly" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+  name: {{ $name }}
+  annotations:
+    policies.kyverno.io/title: Validate if ECS Containers only have read-only access to its root filesystem
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      When managing containers within AWS ECS, it's crucial to enforce security measures to prevent unauthorized modifications. 
+      One significant aspect is restricting write access to the containers' root filesystem.
+      This policy checks if ECS Containers have read-only access to its root filesystem.
+  labels:
+    app: kyverno
+spec:
+  failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+  scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+  admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+  rules:
+    - name: {{ $name }}
+      identifier: payload.family
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): ECS
+        - (metadata.resource): TaskDefinition
+      assert:
+        all:
+        - message: >- 
+            ECS Containers should have read-only access to its root filesystem
+          check:
+            payload:
+              ~.(containerDefinitions):
+                  readonlyRootFilesystem: true
+{{- end }}
+{{- end }}

charts/cloud-controls/charts/ecs/templates/validate-ecs-task-definition-log-configuration.yaml

@@ -0,0 +1,41 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "validateEcsTaskDefinitionLogConfiguration" }}
+{{- $name := "validate-ecs-task-definition-log-configuration" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+  name: {{ $name }}
+  annotations:
+    policies.kyverno.io/title: Validate ECS Task Definition Log Configuration
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      The LogConfiguration property specifies log configuration options to send to a custom log driver for the container. 
+      Having all logs at a central place simplifies troubleshooting and debugging since you don't have to log into individual instances
+      to access container logs. It also allows integration with monitoring tools to set up metrics and alerts based on log data. 
+      This policy checks if ECS TaskDefinitions and Services have logConfiguration defined. 
+  labels:
+    app: kyverno
+spec:
+  failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+  scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+  admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+  rules:
+    - name: {{ $name }}
+      identifier: payload.family
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): ECS
+        - (metadata.resource): TaskDefinition
+      assert:
+        all:
+        - message: >- 
+            logConfiguration must be set for ECS Task Definition
+          check:
+            payload:
+              ~.(containerDefinitions):
+                  (!logConfiguration): false
+{{- end }}
+{{- end }}

charts/cloud-controls/charts/ecs/templates/validate-ecs-task-definition-memory-hard-limit.yaml

@@ -0,0 +1,42 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "validateEcsTaskDefinitionMemoryHardLimit" }}
+{{- $name := "validate-ecs-task-definition-memory-hard-limit" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+  name: {{ $name }}
+  annotations:
+    policies.kyverno.io/title: Validate ECS Task Definition Memory Hard Limit
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy checks if Amazon Elastic Container Service
+      (ECS) task definitions and tasks have a set memory limit for its container definitions. 
+      If a memory limit is not set for a container, it can consume excessive memory, potentially starving other containers running on the same host. 
+      Therefore, it is crucial to enforce a hard memory limit on each container to prevent resource contention. 
+      If a container exceeds its memory limit, it will be terminated by ECS.
+  labels:
+    app: kyverno
+spec:
+  failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+  scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+  admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+  rules:
+    - name: {{ $name }}
+      identifier: payload.family
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): ECS
+        - (metadata.resource): TaskDefinition
+      assert:
+        all:
+        - message: >- 
+            Memory limit for container definitions should be set in the task definition
+          check:
+            payload:
+              ~.(containerDefinitions):
+                  (!memory): false
+{{- end }}
+{{- end }}

charts/cloud-controls/charts/ecs/templates/validate-ecs-task-definition-nonroot-user.yaml

@@ -0,0 +1,44 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "validateEcsTaskDefinitionNonrootUser" }}
+{{- $name := "validate-ecs-task-definition-nonroot-user" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+  name: {{ $name }}
+  annotations:
+    policies.kyverno.io/title: Validate ECS Task Definition Nonroot User for EC2 Instances
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy checks if ECSTaskDefinitions specify a user for 
+      Amazon Elastic Container Service (Amazon ECS) EC2 launch type 
+      containers to run on. The rule fails if the `user` parameter is not present or is `root`.
+      Running containers as non-root users can help prevent running commands with root privileges 
+      which adds an extra layer of security by limiting the potential damage a compromised container can do. 
+      It also follows the security principle of least privilege, which dictates that applications and processes 
+      should operate with minimum privileges necessary to perform their functions.
+  labels:
+    app: kyverno
+spec:
+  failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+  scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+  admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+  rules:
+    - name: {{ $name }}
+      identifier: payload.family
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): ECS
+        - (metadata.resource): TaskDefinition
+      assert:
+        all:
+        - message: >- 
+            For ECS EC2 containers, `user` parameter should not be unset or be root
+          check:
+            payload:
+              ~.(containerDefinitions):
+                  (user == null || user == 'root' || user == '0' || starts_with(user, '0:') || ends_with(user, ':0')): false
+{{- end }}
+{{- end }}