-
Notifications
You must be signed in to change notification settings - Fork 253
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat:feat: add pod security standards (restricted) in CEL expressions
Signed-off-by: Mariam Fahmy <[email protected]>
- Loading branch information
1 parent
bc28946
commit 655029c
Showing
44 changed files
with
1,326 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -52,6 +52,7 @@ jobs: | |
| - other/res | ||
| - other/s-z | ||
| - pod-security | ||
| - pod-security-cel | ||
| - psa | ||
| - psp-migration | ||
| # - tekton | ||
|
|
||
6 changes: 6 additions & 0 deletions
6
pod-security-cel/restricted/disallow-capabilities-strict/01-assert.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| metadata: | ||
| name: disallow-capabilities-strict | ||
| status: | ||
| ready: true |
5 changes: 5 additions & 0 deletions
5
pod-security-cel/restricted/disallow-capabilities-strict/01-enforce.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| apiVersion: kuttl.dev/v1beta1 | ||
| kind: TestStep | ||
| commands: | ||
| - script: | | ||
| sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-capabilities-strict.yaml | kubectl create -f - |
11 changes: 11 additions & 0 deletions
11
pod-security-cel/restricted/disallow-capabilities-strict/02-manifests.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| apiVersion: kuttl.dev/v1beta1 | ||
| kind: TestStep | ||
| apply: | ||
| - file: ../../../pod-security/restricted/disallow-capabilities-strict/pod-good.yaml | ||
| shouldFail: false | ||
| - file: ../../../pod-security/restricted/disallow-capabilities-strict/pod-bad.yaml | ||
| shouldFail: true | ||
| - file: ../../../pod-security/restricted/disallow-capabilities-strict/podcontroller-good.yaml | ||
| shouldFail: false | ||
| - file: ../../../pod-security/restricted/disallow-capabilities-strict/podcontroller-bad.yaml | ||
| shouldFail: true |
6 changes: 6 additions & 0 deletions
6
pod-security-cel/restricted/disallow-capabilities-strict/99-delete.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| apiVersion: kuttl.dev/v1beta1 | ||
| kind: TestStep | ||
| delete: | ||
| - apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| name: disallow-capabilities-strict |
22 changes: 22 additions & 0 deletions
22
pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| name: disallow-capabilities-strict | ||
| version: 1.0.0 | ||
| displayName: Disallow Capabilities (Strict) in CEL expressions | ||
| description: >- | ||
| Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, all containers must explicitly drop `ALL` capabilities. | ||
| install: |- | ||
| ```shell | ||
| kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml | ||
| ``` | ||
| keywords: | ||
| - kyverno | ||
| - Pod Security Standards (Restricted) | ||
| - CEL Expressions | ||
| readme: | | ||
| Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, all containers must explicitly drop `ALL` capabilities. | ||
| Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ | ||
| annotations: | ||
| kyverno/category: "Pod Security Standards (Restricted)" | ||
| kyverno/kubernetesVersion: "1.26-1.27" | ||
| kyverno/subject: "Pod" | ||
| digest: d142cf9eec35920d83f4ec8642b0718bbf99a3648e06dec086d511e798a6e35d |
78 changes: 78 additions & 0 deletions
78
pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| metadata: | ||
| name: disallow-capabilities-strict | ||
| annotations: | ||
| policies.kyverno.io/title: Disallow Capabilities (Strict) in CEL expressions | ||
| policies.kyverno.io/category: Pod Security Standards (Restricted) | ||
| policies.kyverno.io/severity: medium | ||
| kyverno.io/kyverno-version: 1.11.0 | ||
| kyverno.io/kubernetes-version: "1.26-1.27" | ||
| policies.kyverno.io/subject: Pod | ||
| policies.kyverno.io/description: >- | ||
| Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, | ||
| all containers must explicitly drop `ALL` capabilities. | ||
| spec: | ||
| validationFailureAction: Audit | ||
| background: true | ||
| rules: | ||
| - name: require-drop-all | ||
| match: | ||
| any: | ||
| - resources: | ||
| kinds: | ||
| - Pod | ||
| validate: | ||
| message: >- | ||
| Containers must drop `ALL` capabilities. | ||
| cel: | ||
| expressions: | ||
| - expression: >- | ||
| object.spec.containers.all(container, has(container.securityContext) && | ||
| has(container.securityContext.capabilities) && | ||
| has(container.securityContext.capabilities.drop) && | ||
| container.securityContext.capabilities.drop.exists_one(capability, capability == 'ALL')) | ||
| - expression: >- | ||
| !has(object.spec.initContainers) || | ||
| object.spec.initContainers.all(container, has(container.securityContext) && | ||
| has(container.securityContext.capabilities) && | ||
| has(container.securityContext.capabilities.drop) && | ||
| container.securityContext.capabilities.drop.exists_one(capability, capability == 'ALL')) | ||
| - expression: >- | ||
| !has(object.spec.ephemeralContainers) || | ||
| object.spec.ephemeralContainers.all(container, has(container.securityContext) && | ||
| has(container.securityContext.capabilities) && | ||
| has(container.securityContext.capabilities.drop) && | ||
| container.securityContext.capabilities.drop.exists_one(capability, capability == 'ALL')) | ||
| - name: adding-capabilities-strict | ||
| match: | ||
| any: | ||
| - resources: | ||
| kinds: | ||
| - Pod | ||
| validate: | ||
| message: >- | ||
| Any capabilities added other than NET_BIND_SERVICE are disallowed. | ||
| cel: | ||
| expressions: | ||
| - expression: >- | ||
| object.spec.containers.all(container, !has(container.securityContext) || | ||
| !has(container.securityContext.capabilities) || | ||
| !has(container.securityContext.capabilities.add) || | ||
| ((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE'))) | ||
| - expression: >- | ||
| !has(object.spec.initContainers) || | ||
| object.spec.initContainers.all(container, !has(container.securityContext) || | ||
| !has(container.securityContext.capabilities) || | ||
| !has(container.securityContext.capabilities.add) || | ||
| ((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE'))) | ||
| - expression: >- | ||
| !has(object.spec.ephemeralContainers) || | ||
| object.spec.ephemeralContainers.all(container, !has(container.securityContext) || | ||
| !has(container.securityContext.capabilities) || | ||
| !has(container.securityContext.capabilities.add) || | ||
| ((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE'))) |
177 changes: 177 additions & 0 deletions
177
pod-security-cel/restricted/disallow-capabilities-strict/kyverno-test.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,177 @@ | ||
| apiVersion: cli.kyverno.io/v1alpha1 | ||
| kind: Test | ||
| metadata: | ||
| name: disallow-capabilities-strict | ||
| policies: | ||
| - disallow-capabilities-strict.yaml | ||
| resources: | ||
| - ../../../pod-security/restricted/disallow-capabilities-strict/resource.yaml | ||
| results: | ||
| - kind: CronJob | ||
| policy: disallow-capabilities-strict | ||
| resources: | ||
| - addcap-badcronjob01 | ||
| - addcap-badcronjob02 | ||
| - addcap-badcronjob03 | ||
| - addcap-badcronjob04 | ||
| - addcap-badcronjob05 | ||
| - addcap-badcronjob06 | ||
| - addcap-badcronjob07 | ||
| - addcap-badcronjob08 | ||
| - addcap-badcronjob09 | ||
| - addcap-badcronjob10 | ||
| result: fail | ||
| rule: adding-capabilities-strict | ||
| - kind: Deployment | ||
| policy: disallow-capabilities-strict | ||
| resources: | ||
| - addcap-baddeployment01 | ||
| - addcap-baddeployment02 | ||
| - addcap-baddeployment03 | ||
| - addcap-baddeployment04 | ||
| - addcap-baddeployment05 | ||
| - addcap-baddeployment06 | ||
| - addcap-baddeployment07 | ||
| - addcap-baddeployment08 | ||
| - addcap-baddeployment09 | ||
| - addcap-baddeployment10 | ||
| result: fail | ||
| rule: adding-capabilities-strict | ||
| - kind: Pod | ||
| policy: disallow-capabilities-strict | ||
| resources: | ||
| - addcap-badpod01 | ||
| - addcap-badpod02 | ||
| - addcap-badpod03 | ||
| - addcap-badpod04 | ||
| - addcap-badpod05 | ||
| - addcap-badpod06 | ||
| - addcap-badpod07 | ||
| - addcap-badpod08 | ||
| - addcap-badpod09 | ||
| - addcap-badpod10 | ||
| result: fail | ||
| rule: adding-capabilities-strict | ||
| - kind: CronJob | ||
| policy: disallow-capabilities-strict | ||
| resources: | ||
| - addcap-goodcronjob01 | ||
| - addcap-goodcronjob02 | ||
| - addcap-goodcronjob03 | ||
| - addcap-goodcronjob04 | ||
| - addcap-goodcronjob05 | ||
| - addcap-goodcronjob06 | ||
| - addcap-goodcronjob07 | ||
| - addcap-goodcronjob08 | ||
| - addcap-goodcronjob09 | ||
| - addcap-goodcronjob10 | ||
| result: pass | ||
| rule: adding-capabilities-strict | ||
| - kind: Deployment | ||
| policy: disallow-capabilities-strict | ||
| resources: | ||
| - addcap-gooddeployment01 | ||
| - addcap-gooddeployment02 | ||
| - addcap-gooddeployment03 | ||
| - addcap-gooddeployment04 | ||
| - addcap-gooddeployment05 | ||
| - addcap-gooddeployment06 | ||
| - addcap-gooddeployment07 | ||
| - addcap-gooddeployment08 | ||
| - addcap-gooddeployment09 | ||
| - addcap-gooddeployment10 | ||
| result: pass | ||
| rule: adding-capabilities-strict | ||
| - kind: Pod | ||
| policy: disallow-capabilities-strict | ||
| resources: | ||
| - addcap-goodpod01 | ||
| - addcap-goodpod02 | ||
| - addcap-goodpod03 | ||
| - addcap-goodpod04 | ||
| - addcap-goodpod05 | ||
| - addcap-goodpod06 | ||
| - addcap-goodpod07 | ||
| - addcap-goodpod08 | ||
| - addcap-goodpod09 | ||
| - addcap-goodpod10 | ||
| result: pass | ||
| rule: adding-capabilities-strict | ||
| - kind: CronJob | ||
| policy: disallow-capabilities-strict | ||
| resources: | ||
| - badcronjob01 | ||
| - badcronjob02 | ||
| - badcronjob03 | ||
| - badcronjob04 | ||
| - badcronjob05 | ||
| - badcronjob06 | ||
| - badcronjob07 | ||
| - badcronjob08 | ||
| - badcronjob09 | ||
| - badcronjob10 | ||
| result: fail | ||
| rule: require-drop-all | ||
| - kind: Deployment | ||
| policy: disallow-capabilities-strict | ||
| resources: | ||
| - baddeployment01 | ||
| - baddeployment02 | ||
| - baddeployment03 | ||
| - baddeployment04 | ||
| - baddeployment05 | ||
| - baddeployment06 | ||
| - baddeployment07 | ||
| - baddeployment08 | ||
| - baddeployment09 | ||
| - baddeployment10 | ||
| result: fail | ||
| rule: require-drop-all | ||
| - kind: Pod | ||
| policy: disallow-capabilities-strict | ||
| resources: | ||
| - badpod01 | ||
| - badpod02 | ||
| - badpod03 | ||
| - badpod04 | ||
| - badpod05 | ||
| - badpod06 | ||
| - badpod07 | ||
| - badpod08 | ||
| - badpod09 | ||
| - badpod10 | ||
| result: fail | ||
| rule: require-drop-all | ||
| - kind: CronJob | ||
| policy: disallow-capabilities-strict | ||
| resources: | ||
| - goodcronjob01 | ||
| - goodcronjob02 | ||
| - goodcronjob03 | ||
| - goodcronjob04 | ||
| - goodcronjob05 | ||
| - goodcronjob06 | ||
| result: pass | ||
| rule: require-drop-all | ||
| - kind: Deployment | ||
| policy: disallow-capabilities-strict | ||
| resources: | ||
| - gooddeployment01 | ||
| - gooddeployment02 | ||
| - gooddeployment03 | ||
| - gooddeployment04 | ||
| - gooddeployment05 | ||
| - gooddeployment06 | ||
| result: pass | ||
| rule: require-drop-all | ||
| - kind: Pod | ||
| policy: disallow-capabilities-strict | ||
| resources: | ||
| - goodpod01 | ||
| - goodpod02 | ||
| - goodpod03 | ||
| - goodpod04 | ||
| - goodpod05 | ||
| - goodpod06 | ||
| result: pass | ||
| rule: require-drop-all |
6 changes: 6 additions & 0 deletions
6
pod-security-cel/restricted/disallow-privilege-escalation/01-assert.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| metadata: | ||
| name: disallow-privilege-escalation | ||
| status: | ||
| ready: true |
6 changes: 6 additions & 0 deletions
6
pod-security-cel/restricted/disallow-privilege-escalation/01-enforce.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| apiVersion: kuttl.dev/v1beta1 | ||
| kind: TestStep | ||
| commands: | ||
| - script: | | ||
| sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-privilege-escalation.yaml | kubectl create -f - | ||
11 changes: 11 additions & 0 deletions
11
pod-security-cel/restricted/disallow-privilege-escalation/02-manifests.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| apiVersion: kuttl.dev/v1beta1 | ||
| kind: TestStep | ||
| apply: | ||
| - file: ../../../pod-security/restricted/disallow-privilege-escalation/pod-good.yaml | ||
| shouldFail: false | ||
| - file: ../../../pod-security/restricted/disallow-privilege-escalation/pod-bad.yaml | ||
| shouldFail: true | ||
| - file: ../../../pod-security/restricted/disallow-privilege-escalation/podcontroller-good.yaml | ||
| shouldFail: false | ||
| - file: ../../../pod-security/restricted/disallow-privilege-escalation/podcontroller-bad.yaml | ||
| shouldFail: true |
6 changes: 6 additions & 0 deletions
6
pod-security-cel/restricted/disallow-privilege-escalation/99-delete.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| apiVersion: kuttl.dev/v1beta1 | ||
| kind: TestStep | ||
| delete: | ||
| - apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| name: disallow-privilege-escalation |
22 changes: 22 additions & 0 deletions
22
pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| name: disallow-privilege-escalation | ||
| version: 1.0.0 | ||
| displayName: Disallow Privilege Escalation in CEL expressions | ||
| description: >- | ||
| Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to `false`. | ||
| install: |- | ||
| ```shell | ||
| kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml | ||
| ``` | ||
| keywords: | ||
| - kyverno | ||
| - Pod Security Standards (Restricted) | ||
| - CEL Expressions | ||
| readme: | | ||
| Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to `false`. | ||
| Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ | ||
| annotations: | ||
| kyverno/category: "Pod Security Standards (Restricted)" | ||
| kyverno/kubernetesVersion: "1.26-1.27" | ||
| kyverno/subject: "Pod" | ||
| digest: 1a2674ff3aa5516b0b416ec91bea68d748050a6d21d46bedaffd21a8f69a1df7 |
Oops, something went wrong.