From 655029c3a358bcd489c57a2dd346381c73767b69 Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Mon, 2 Oct 2023 16:25:49 +0300 Subject: [PATCH] feat:feat: add pod security standards (restricted) in CEL expressions Signed-off-by: Mariam Fahmy --- .github/workflows/test.yml | 1 + .../01-assert.yaml | 6 + .../01-enforce.yaml | 5 + .../02-manifests.yaml | 11 ++ .../99-delete.yaml | 6 + .../artifacthub-pkg.yml | 22 +++ .../disallow-capabilities-strict.yaml | 78 ++++++++ .../kyverno-test.yaml | 177 ++++++++++++++++++ .../01-assert.yaml | 6 + .../01-enforce.yaml | 6 + .../02-manifests.yaml | 11 ++ .../99-delete.yaml | 6 + .../artifacthub-pkg.yml | 22 +++ .../disallow-privilege-escalation.yaml | 50 +++++ .../kyverno-test.yaml | 72 +++++++ .../restricted/kustomization.yaml | 7 + .../01-assert.yaml | 6 + .../01-enforce.yaml | 5 + .../02-manifests.yaml | 11 ++ .../99-delete.yaml | 6 + .../artifacthub-pkg.yml | 22 +++ .../kyverno-test.yaml | 87 +++++++++ .../require-run-as-non-root-user.yaml | 53 ++++++ .../require-run-as-nonroot/01-assert.yaml | 6 + .../require-run-as-nonroot/01-enforce.yaml | 5 + .../require-run-as-nonroot/02-manifests.yaml | 11 ++ .../require-run-as-nonroot/99-delete.yaml | 6 + .../artifacthub-pkg.yml | 22 +++ .../require-run-as-nonroot/kyverno-test.yaml | 114 +++++++++++ .../require-run-as-nonroot.yaml | 59 ++++++ .../restrict-seccomp-strict/01-assert.yaml | 6 + .../restrict-seccomp-strict/01-enforce.yaml | 5 + .../restrict-seccomp-strict/02-manifests.yaml | 11 ++ .../restrict-seccomp-strict/99-delete.yaml | 6 + .../artifacthub-pkg.yml | 22 +++ .../restrict-seccomp-strict/kyverno-test.yaml | 90 +++++++++ .../restrict-seccomp-strict.yaml | 66 +++++++ .../restrict-volume-types/01-assert.yaml | 6 + .../restrict-volume-types/01-enforce.yaml | 7 + .../restrict-volume-types/02-manifests.yaml | 11 ++ .../restrict-volume-types/99-delete.yaml | 8 + .../restrict-volume-types/artifacthub-pkg.yml | 22 +++ .../restrict-volume-types/kyverno-test.yaml | 126 +++++++++++++ .../restrict-volume-types.yaml | 41 ++++ 44 files changed, 1326 insertions(+) create mode 100644 pod-security-cel/restricted/disallow-capabilities-strict/01-assert.yaml create mode 100644 pod-security-cel/restricted/disallow-capabilities-strict/01-enforce.yaml create mode 100644 pod-security-cel/restricted/disallow-capabilities-strict/02-manifests.yaml create mode 100644 pod-security-cel/restricted/disallow-capabilities-strict/99-delete.yaml create mode 100644 pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml create mode 100644 pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml create mode 100644 pod-security-cel/restricted/disallow-capabilities-strict/kyverno-test.yaml create mode 100644 pod-security-cel/restricted/disallow-privilege-escalation/01-assert.yaml create mode 100644 pod-security-cel/restricted/disallow-privilege-escalation/01-enforce.yaml create mode 100644 pod-security-cel/restricted/disallow-privilege-escalation/02-manifests.yaml create mode 100644 pod-security-cel/restricted/disallow-privilege-escalation/99-delete.yaml create mode 100644 pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml create mode 100644 pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml create mode 100644 pod-security-cel/restricted/disallow-privilege-escalation/kyverno-test.yaml create mode 100644 pod-security-cel/restricted/kustomization.yaml create mode 100644 pod-security-cel/restricted/require-run-as-non-root-user/01-assert.yaml create mode 100644 pod-security-cel/restricted/require-run-as-non-root-user/01-enforce.yaml create mode 100644 pod-security-cel/restricted/require-run-as-non-root-user/02-manifests.yaml create mode 100644 pod-security-cel/restricted/require-run-as-non-root-user/99-delete.yaml create mode 100644 pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml create mode 100644 pod-security-cel/restricted/require-run-as-non-root-user/kyverno-test.yaml create mode 100644 pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml create mode 100644 pod-security-cel/restricted/require-run-as-nonroot/01-assert.yaml create mode 100644 pod-security-cel/restricted/require-run-as-nonroot/01-enforce.yaml create mode 100644 pod-security-cel/restricted/require-run-as-nonroot/02-manifests.yaml create mode 100644 pod-security-cel/restricted/require-run-as-nonroot/99-delete.yaml create mode 100644 pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml create mode 100644 pod-security-cel/restricted/require-run-as-nonroot/kyverno-test.yaml create mode 100644 pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml create mode 100644 pod-security-cel/restricted/restrict-seccomp-strict/01-assert.yaml create mode 100644 pod-security-cel/restricted/restrict-seccomp-strict/01-enforce.yaml create mode 100644 pod-security-cel/restricted/restrict-seccomp-strict/02-manifests.yaml create mode 100644 pod-security-cel/restricted/restrict-seccomp-strict/99-delete.yaml create mode 100644 pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml create mode 100644 pod-security-cel/restricted/restrict-seccomp-strict/kyverno-test.yaml create mode 100644 pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml create mode 100644 pod-security-cel/restricted/restrict-volume-types/01-assert.yaml create mode 100644 pod-security-cel/restricted/restrict-volume-types/01-enforce.yaml create mode 100644 pod-security-cel/restricted/restrict-volume-types/02-manifests.yaml create mode 100644 pod-security-cel/restricted/restrict-volume-types/99-delete.yaml create mode 100644 pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml create mode 100644 pod-security-cel/restricted/restrict-volume-types/kyverno-test.yaml create mode 100644 pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 77d6d2851..5a38aa886 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -52,6 +52,7 @@ jobs: - other/res - other/s-z - pod-security + - pod-security-cel - psa - psp-migration # - tekton diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/01-assert.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/01-assert.yaml new file mode 100644 index 000000000..a7bd6b8fa --- /dev/null +++ b/pod-security-cel/restricted/disallow-capabilities-strict/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-capabilities-strict +status: + ready: true diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/01-enforce.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/01-enforce.yaml new file mode 100644 index 000000000..e0031c719 --- /dev/null +++ b/pod-security-cel/restricted/disallow-capabilities-strict/01-enforce.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-capabilities-strict.yaml | kubectl create -f - diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/02-manifests.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/02-manifests.yaml new file mode 100644 index 000000000..2c7fa9c29 --- /dev/null +++ b/pod-security-cel/restricted/disallow-capabilities-strict/02-manifests.yaml @@ -0,0 +1,11 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: ../../../pod-security/restricted/disallow-capabilities-strict/pod-good.yaml + shouldFail: false +- file: ../../../pod-security/restricted/disallow-capabilities-strict/pod-bad.yaml + shouldFail: true +- file: ../../../pod-security/restricted/disallow-capabilities-strict/podcontroller-good.yaml + shouldFail: false +- file: ../../../pod-security/restricted/disallow-capabilities-strict/podcontroller-bad.yaml + shouldFail: true diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/99-delete.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/99-delete.yaml new file mode 100644 index 000000000..9bc30b556 --- /dev/null +++ b/pod-security-cel/restricted/disallow-capabilities-strict/99-delete.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +delete: +- apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-capabilities-strict diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml new file mode 100644 index 000000000..570193093 --- /dev/null +++ b/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +name: disallow-capabilities-strict +version: 1.0.0 +displayName: Disallow Capabilities (Strict) in CEL expressions +description: >- + Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, all containers must explicitly drop `ALL` capabilities. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml + ``` +keywords: + - kyverno + - Pod Security Standards (Restricted) + - CEL Expressions +readme: | + Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, all containers must explicitly drop `ALL` capabilities. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Pod Security Standards (Restricted)" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "Pod" +digest: d142cf9eec35920d83f4ec8642b0718bbf99a3648e06dec086d511e798a6e35d diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml new file mode 100644 index 000000000..279605f7d --- /dev/null +++ b/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml @@ -0,0 +1,78 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-capabilities-strict + annotations: + policies.kyverno.io/title: Disallow Capabilities (Strict) in CEL expressions + policies.kyverno.io/category: Pod Security Standards (Restricted) + policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" + policies.kyverno.io/subject: Pod + policies.kyverno.io/description: >- + Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, + all containers must explicitly drop `ALL` capabilities. +spec: + validationFailureAction: Audit + background: true + rules: + - name: require-drop-all + match: + any: + - resources: + kinds: + - Pod + validate: + message: >- + Containers must drop `ALL` capabilities. + cel: + expressions: + - expression: >- + object.spec.containers.all(container, has(container.securityContext) && + has(container.securityContext.capabilities) && + has(container.securityContext.capabilities.drop) && + container.securityContext.capabilities.drop.exists_one(capability, capability == 'ALL')) + + - expression: >- + !has(object.spec.initContainers) || + object.spec.initContainers.all(container, has(container.securityContext) && + has(container.securityContext.capabilities) && + has(container.securityContext.capabilities.drop) && + container.securityContext.capabilities.drop.exists_one(capability, capability == 'ALL')) + + - expression: >- + !has(object.spec.ephemeralContainers) || + object.spec.ephemeralContainers.all(container, has(container.securityContext) && + has(container.securityContext.capabilities) && + has(container.securityContext.capabilities.drop) && + container.securityContext.capabilities.drop.exists_one(capability, capability == 'ALL')) + - name: adding-capabilities-strict + match: + any: + - resources: + kinds: + - Pod + validate: + message: >- + Any capabilities added other than NET_BIND_SERVICE are disallowed. + cel: + expressions: + - expression: >- + object.spec.containers.all(container, !has(container.securityContext) || + !has(container.securityContext.capabilities) || + !has(container.securityContext.capabilities.add) || + ((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE'))) + + - expression: >- + !has(object.spec.initContainers) || + object.spec.initContainers.all(container, !has(container.securityContext) || + !has(container.securityContext.capabilities) || + !has(container.securityContext.capabilities.add) || + ((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE'))) + + - expression: >- + !has(object.spec.ephemeralContainers) || + object.spec.ephemeralContainers.all(container, !has(container.securityContext) || + !has(container.securityContext.capabilities) || + !has(container.securityContext.capabilities.add) || + ((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE'))) diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/kyverno-test.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/kyverno-test.yaml new file mode 100644 index 000000000..cd48af523 --- /dev/null +++ b/pod-security-cel/restricted/disallow-capabilities-strict/kyverno-test.yaml @@ -0,0 +1,177 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-capabilities-strict +policies: +- disallow-capabilities-strict.yaml +resources: +- ../../../pod-security/restricted/disallow-capabilities-strict/resource.yaml +results: +- kind: CronJob + policy: disallow-capabilities-strict + resources: + - addcap-badcronjob01 + - addcap-badcronjob02 + - addcap-badcronjob03 + - addcap-badcronjob04 + - addcap-badcronjob05 + - addcap-badcronjob06 + - addcap-badcronjob07 + - addcap-badcronjob08 + - addcap-badcronjob09 + - addcap-badcronjob10 + result: fail + rule: adding-capabilities-strict +- kind: Deployment + policy: disallow-capabilities-strict + resources: + - addcap-baddeployment01 + - addcap-baddeployment02 + - addcap-baddeployment03 + - addcap-baddeployment04 + - addcap-baddeployment05 + - addcap-baddeployment06 + - addcap-baddeployment07 + - addcap-baddeployment08 + - addcap-baddeployment09 + - addcap-baddeployment10 + result: fail + rule: adding-capabilities-strict +- kind: Pod + policy: disallow-capabilities-strict + resources: + - addcap-badpod01 + - addcap-badpod02 + - addcap-badpod03 + - addcap-badpod04 + - addcap-badpod05 + - addcap-badpod06 + - addcap-badpod07 + - addcap-badpod08 + - addcap-badpod09 + - addcap-badpod10 + result: fail + rule: adding-capabilities-strict +- kind: CronJob + policy: disallow-capabilities-strict + resources: + - addcap-goodcronjob01 + - addcap-goodcronjob02 + - addcap-goodcronjob03 + - addcap-goodcronjob04 + - addcap-goodcronjob05 + - addcap-goodcronjob06 + - addcap-goodcronjob07 + - addcap-goodcronjob08 + - addcap-goodcronjob09 + - addcap-goodcronjob10 + result: pass + rule: adding-capabilities-strict +- kind: Deployment + policy: disallow-capabilities-strict + resources: + - addcap-gooddeployment01 + - addcap-gooddeployment02 + - addcap-gooddeployment03 + - addcap-gooddeployment04 + - addcap-gooddeployment05 + - addcap-gooddeployment06 + - addcap-gooddeployment07 + - addcap-gooddeployment08 + - addcap-gooddeployment09 + - addcap-gooddeployment10 + result: pass + rule: adding-capabilities-strict +- kind: Pod + policy: disallow-capabilities-strict + resources: + - addcap-goodpod01 + - addcap-goodpod02 + - addcap-goodpod03 + - addcap-goodpod04 + - addcap-goodpod05 + - addcap-goodpod06 + - addcap-goodpod07 + - addcap-goodpod08 + - addcap-goodpod09 + - addcap-goodpod10 + result: pass + rule: adding-capabilities-strict +- kind: CronJob + policy: disallow-capabilities-strict + resources: + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 + - badcronjob07 + - badcronjob08 + - badcronjob09 + - badcronjob10 + result: fail + rule: require-drop-all +- kind: Deployment + policy: disallow-capabilities-strict + resources: + - baddeployment01 + - baddeployment02 + - baddeployment03 + - baddeployment04 + - baddeployment05 + - baddeployment06 + - baddeployment07 + - baddeployment08 + - baddeployment09 + - baddeployment10 + result: fail + rule: require-drop-all +- kind: Pod + policy: disallow-capabilities-strict + resources: + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 + - badpod07 + - badpod08 + - badpod09 + - badpod10 + result: fail + rule: require-drop-all +- kind: CronJob + policy: disallow-capabilities-strict + resources: + - goodcronjob01 + - goodcronjob02 + - goodcronjob03 + - goodcronjob04 + - goodcronjob05 + - goodcronjob06 + result: pass + rule: require-drop-all +- kind: Deployment + policy: disallow-capabilities-strict + resources: + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 + result: pass + rule: require-drop-all +- kind: Pod + policy: disallow-capabilities-strict + resources: + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + - goodpod06 + result: pass + rule: require-drop-all diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/01-assert.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/01-assert.yaml new file mode 100644 index 000000000..30a5747c2 --- /dev/null +++ b/pod-security-cel/restricted/disallow-privilege-escalation/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-privilege-escalation +status: + ready: true diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/01-enforce.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/01-enforce.yaml new file mode 100644 index 000000000..a92c92339 --- /dev/null +++ b/pod-security-cel/restricted/disallow-privilege-escalation/01-enforce.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-privilege-escalation.yaml | kubectl create -f - + \ No newline at end of file diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/02-manifests.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/02-manifests.yaml new file mode 100644 index 000000000..4f9c0cdd5 --- /dev/null +++ b/pod-security-cel/restricted/disallow-privilege-escalation/02-manifests.yaml @@ -0,0 +1,11 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: ../../../pod-security/restricted/disallow-privilege-escalation/pod-good.yaml + shouldFail: false +- file: ../../../pod-security/restricted/disallow-privilege-escalation/pod-bad.yaml + shouldFail: true +- file: ../../../pod-security/restricted/disallow-privilege-escalation/podcontroller-good.yaml + shouldFail: false +- file: ../../../pod-security/restricted/disallow-privilege-escalation/podcontroller-bad.yaml + shouldFail: true diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/99-delete.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/99-delete.yaml new file mode 100644 index 000000000..d298864ad --- /dev/null +++ b/pod-security-cel/restricted/disallow-privilege-escalation/99-delete.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +delete: +- apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-privilege-escalation diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml new file mode 100644 index 000000000..7e17fc43b --- /dev/null +++ b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +name: disallow-privilege-escalation +version: 1.0.0 +displayName: Disallow Privilege Escalation in CEL expressions +description: >- + Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to `false`. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml + ``` +keywords: + - kyverno + - Pod Security Standards (Restricted) + - CEL Expressions +readme: | + Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to `false`. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Pod Security Standards (Restricted)" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "Pod" +digest: 1a2674ff3aa5516b0b416ec91bea68d748050a6d21d46bedaffd21a8f69a1df7 diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml new file mode 100644 index 000000000..cf6001d89 --- /dev/null +++ b/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml @@ -0,0 +1,50 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-privilege-escalation + annotations: + policies.kyverno.io/title: Disallow Privilege Escalation in CEL + policies.kyverno.io/category: Pod Security Standards (Restricted) + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Pod + kyverno.io/kyverno-version: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" + policies.kyverno.io/description: >- + Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. + This policy ensures the `allowPrivilegeEscalation` field is set to `false`. +spec: + validationFailureAction: Audit + background: true + rules: + - name: privilege-escalation + match: + any: + - resources: + kinds: + - Pod + validate: + message: >- + Privilege escalation is disallowed. The fields + spec.containers[*].securityContext.allowPrivilegeEscalation, + spec.initContainers[*].securityContext.allowPrivilegeEscalation, + and spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation + must be set to `false`. + cel: + expressions: + - expression: >- + object.spec.containers.all(container, has(container.securityContext) && + has(container.securityContext.allowPrivilegeEscalation) && + container.securityContext.allowPrivilegeEscalation == false) + + - expression: >- + !has(object.spec.initContainers) || + object.spec.initContainers.all(container, has(container.securityContext) && + has(container.securityContext.allowPrivilegeEscalation) && + container.securityContext.allowPrivilegeEscalation == false) + + - expression: >- + !has(object.spec.ephemeralContainers) || + object.spec.ephemeralContainers.all(container, has(container.securityContext) && + has(container.securityContext.allowPrivilegeEscalation) && + container.securityContext.allowPrivilegeEscalation == false) + \ No newline at end of file diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/kyverno-test.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/kyverno-test.yaml new file mode 100644 index 000000000..d258659db --- /dev/null +++ b/pod-security-cel/restricted/disallow-privilege-escalation/kyverno-test.yaml @@ -0,0 +1,72 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-privilege-escalation +policies: +- disallow-privilege-escalation.yaml +resources: +- ../../../pod-security/restricted/disallow-privilege-escalation/resource.yaml +results: +- kind: CronJob + policy: disallow-privilege-escalation + resources: + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 + result: fail + rule: privilege-escalation +- kind: Deployment + policy: disallow-privilege-escalation + resources: + - baddeployment01 + - baddeployment02 + - baddeployment03 + - baddeployment04 + - baddeployment05 + - baddeployment06 + result: fail + rule: privilege-escalation +- kind: Pod + policy: disallow-privilege-escalation + resources: + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 + result: fail + rule: privilege-escalation +- kind: CronJob + policy: disallow-privilege-escalation + resources: + - goodcronjob01 + - goodcronjob02 + - goodcronjob03 + - goodcronjob04 + - goodcronjob05 + result: pass + rule: privilege-escalation +- kind: Deployment + policy: disallow-privilege-escalation + resources: + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + result: pass + rule: privilege-escalation +- kind: Pod + policy: disallow-privilege-escalation + resources: + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + result: pass + rule: privilege-escalation diff --git a/pod-security-cel/restricted/kustomization.yaml b/pod-security-cel/restricted/kustomization.yaml new file mode 100644 index 000000000..6725535b9 --- /dev/null +++ b/pod-security-cel/restricted/kustomization.yaml @@ -0,0 +1,7 @@ +resources: + - disallow-capabilities-strict/disallow-capabilities-strict.yaml + - disallow-privilege-escalation/disallow-privilege-escalation.yaml + - require-run-as-non-root-user/require-run-as-non-root-user.yaml + - require-run-as-nonroot/require-run-as-nonroot.yaml + - restrict-seccomp-strict/restrict-seccomp-strict.yaml + - restrict-volume-types/restrict-volume-types.yaml diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/01-assert.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/01-assert.yaml new file mode 100644 index 000000000..3a15a8755 --- /dev/null +++ b/pod-security-cel/restricted/require-run-as-non-root-user/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-run-as-non-root-user +status: + ready: true diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/01-enforce.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/01-enforce.yaml new file mode 100644 index 000000000..6b209b3db --- /dev/null +++ b/pod-security-cel/restricted/require-run-as-non-root-user/01-enforce.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' require-run-as-non-root-user.yaml | kubectl create -f - diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/02-manifests.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/02-manifests.yaml new file mode 100644 index 000000000..698d27655 --- /dev/null +++ b/pod-security-cel/restricted/require-run-as-non-root-user/02-manifests.yaml @@ -0,0 +1,11 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: ../../../pod-security/restricted/require-run-as-non-root-user/pod-good.yaml + shouldFail: false +- file: ../../../pod-security/restricted/require-run-as-non-root-user/pod-bad.yaml + shouldFail: true +- file: ../../../pod-security/restricted/require-run-as-non-root-user/podcontroller-good.yaml + shouldFail: false +- file: ../../../pod-security/restricted/require-run-as-non-root-user/podcontroller-bad.yaml + shouldFail: true diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/99-delete.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/99-delete.yaml new file mode 100644 index 000000000..aed8d3f0b --- /dev/null +++ b/pod-security-cel/restricted/require-run-as-non-root-user/99-delete.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +delete: +- apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-run-as-non-root-user diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml b/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml new file mode 100644 index 000000000..13eed5cf0 --- /dev/null +++ b/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +name: require-run-as-non-root-user +version: 1.0.0 +displayName: Require Run As Non-Root User in CEL expressions +description: >- + Containers must be required to run as non-root users. This policy ensures `runAsUser` is either unset or set to a number greater than zero. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml + ``` +keywords: + - kyverno + - Pod Security Standards (Restricted) + - CEL Expressions +readme: | + Containers must be required to run as non-root users. This policy ensures `runAsUser` is either unset or set to a number greater than zero. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Pod Security Standards (Restricted)" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "Pod" +digest: d4bdf4d03257fff0dc438a14a0ff3df8b8f4bc02fec15c2d69c602421281811d diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/kyverno-test.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/kyverno-test.yaml new file mode 100644 index 000000000..5f78b269d --- /dev/null +++ b/pod-security-cel/restricted/require-run-as-non-root-user/kyverno-test.yaml @@ -0,0 +1,87 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-run-as-non-root-user +policies: +- require-run-as-non-root-user.yaml +resources: +- ../../../pod-security/restricted/require-run-as-non-root-user/resource.yaml +results: +- kind: CronJob + policy: require-run-as-non-root-user + resources: + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 + result: fail + rule: run-as-non-root-user +- kind: Deployment + policy: require-run-as-non-root-user + resources: + - baddeployment01 + - baddeployment02 + - baddeployment03 + - baddeployment04 + - baddeployment05 + - baddeployment06 + result: fail + rule: run-as-non-root-user +- kind: Pod + policy: require-run-as-non-root-user + resources: + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 + result: fail + rule: run-as-non-root-user +- kind: CronJob + policy: require-run-as-non-root-user + resources: + - goodcronjob01 + - goodcronjob02 + - goodcronjob03 + - goodcronjob04 + - goodcronjob05 + - goodcronjob06 + - goodcronjob07 + - goodcronjob08 + - goodcronjob09 + - goodcronjob10 + result: pass + rule: run-as-non-root-user +- kind: Deployment + policy: require-run-as-non-root-user + resources: + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 + - gooddeployment07 + - gooddeployment08 + - gooddeployment09 + - gooddeployment10 + result: pass + rule: run-as-non-root-user +- kind: Pod + policy: require-run-as-non-root-user + resources: + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + - goodpod06 + - goodpod07 + - goodpod08 + - goodpod09 + - goodpod10 + result: pass + rule: run-as-non-root-user diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml new file mode 100644 index 000000000..02500dcd7 --- /dev/null +++ b/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml @@ -0,0 +1,53 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-run-as-non-root-user + annotations: + policies.kyverno.io/title: Require Run As Non-Root User in CEL + policies.kyverno.io/category: Pod Security Standards (Restricted) + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Pod + kyverno.io/kyverno-version: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" + policies.kyverno.io/description: >- + Containers must be required to run as non-root users. This policy ensures + `runAsUser` is either unset or set to a number greater than zero. +spec: + validationFailureAction: Audit + background: true + rules: + - name: run-as-non-root-user + match: + any: + - resources: + kinds: + - Pod + validate: + message: >- + Running as root is not allowed. The fields spec.securityContext.runAsUser, + spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser, + and spec.ephemeralContainers[*].securityContext.runAsUser must be unset or + set to a number greater than zero. + cel: + expressions: + - expression: >- + !has(object.spec.securityContext) || + !has(object.spec.securityContext.runAsUser) || + object.spec.securityContext.runAsUser > 0 + + - expression: >- + object.spec.containers.all(container, !has(container.securityContext) || + !has(container.securityContext.runAsUser) || + container.securityContext.runAsUser > 0) + + - expression: >- + !has(object.spec.initContainers) || + object.spec.initContainers.all(container, !has(container.securityContext) || + !has(container.securityContext.runAsUser) || + container.securityContext.runAsUser > 0) + + - expression: >- + !has(object.spec.ephemeralContainers) || + object.spec.ephemeralContainers.all(container, !has(container.securityContext) || + !has(container.securityContext.runAsUser) || + container.securityContext.runAsUser > 0) diff --git a/pod-security-cel/restricted/require-run-as-nonroot/01-assert.yaml b/pod-security-cel/restricted/require-run-as-nonroot/01-assert.yaml new file mode 100644 index 000000000..d97abc312 --- /dev/null +++ b/pod-security-cel/restricted/require-run-as-nonroot/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-run-as-nonroot +status: + ready: true diff --git a/pod-security-cel/restricted/require-run-as-nonroot/01-enforce.yaml b/pod-security-cel/restricted/require-run-as-nonroot/01-enforce.yaml new file mode 100644 index 000000000..05ab09701 --- /dev/null +++ b/pod-security-cel/restricted/require-run-as-nonroot/01-enforce.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' require-run-as-nonroot.yaml | kubectl create -f - diff --git a/pod-security-cel/restricted/require-run-as-nonroot/02-manifests.yaml b/pod-security-cel/restricted/require-run-as-nonroot/02-manifests.yaml new file mode 100644 index 000000000..bcda526e6 --- /dev/null +++ b/pod-security-cel/restricted/require-run-as-nonroot/02-manifests.yaml @@ -0,0 +1,11 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: ../../../pod-security/restricted/require-run-as-nonroot/pod-good.yaml + shouldFail: false +- file: ../../../pod-security/restricted/require-run-as-nonroot/pod-bad.yaml + shouldFail: true +- file: ../../../pod-security/restricted/require-run-as-nonroot/podcontroller-good.yaml + shouldFail: false +- file: ../../../pod-security/restricted/require-run-as-nonroot/podcontroller-bad.yaml + shouldFail: true diff --git a/pod-security-cel/restricted/require-run-as-nonroot/99-delete.yaml b/pod-security-cel/restricted/require-run-as-nonroot/99-delete.yaml new file mode 100644 index 000000000..13c14c6f6 --- /dev/null +++ b/pod-security-cel/restricted/require-run-as-nonroot/99-delete.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +delete: +- apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-run-as-nonroot diff --git a/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml b/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml new file mode 100644 index 000000000..375147dcb --- /dev/null +++ b/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +name: require-run-as-nonroot +version: 1.0.0 +displayName: Require runAsNonRoot in CEL expressions +description: >- + Containers must be required to run as non-root users. This policy ensures `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml + ``` +keywords: + - kyverno + - Pod Security Standards (Restricted) + - CEL Expressions +readme: | + Containers must be required to run as non-root users. This policy ensures `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Pod Security Standards (Restricted)" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "Pod" +digest: b5e14351175bff55c6856c5d4251808b23144bf6f05be0c5a6b24439879a6913 diff --git a/pod-security-cel/restricted/require-run-as-nonroot/kyverno-test.yaml b/pod-security-cel/restricted/require-run-as-nonroot/kyverno-test.yaml new file mode 100644 index 000000000..861745f3d --- /dev/null +++ b/pod-security-cel/restricted/require-run-as-nonroot/kyverno-test.yaml @@ -0,0 +1,114 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-run-as-nonroot +policies: +- require-run-as-nonroot.yaml +resources: +- ../../../pod-security/restricted/require-run-as-nonroot/resource.yaml +results: +- kind: CronJob + policy: require-run-as-nonroot + resources: + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 + - badcronjob07 + - badcronjob08 + - badcronjob09 + - badcronjob10 + - badcronjob11 + - badcronjob12 + - badcronjob13 + - badcronjob14 + - badcronjob15 + result: fail + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - baddeployment01 + - baddeployment02 + - baddeployment03 + - baddeployment04 + - baddeployment05 + - baddeployment06 + - baddeployment07 + - baddeployment08 + - baddeployment09 + - baddeployment10 + - baddeployment11 + - baddeployment12 + - baddeployment13 + - baddeployment14 + - baddeployment15 + result: fail + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 + - badpod07 + - badpod08 + - badpod09 + - badpod10 + - badpod11 + - badpod12 + - badpod13 + - badpod14 + - badpod15 + result: fail + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - goodcronjob01 + - goodcronjob02 + - goodcronjob03 + - goodcronjob04 + - goodcronjob05 + - goodcronjob06 + - goodcronjob07 + - goodcronjob08 + - goodcronjob09 + - goodcronjob10 + result: pass + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 + - gooddeployment07 + - gooddeployment08 + - gooddeployment09 + - gooddeployment10 + result: pass + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + - goodpod06 + - goodpod07 + - goodpod08 + - goodpod09 + - goodpod10 + result: pass + rule: run-as-non-root diff --git a/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml b/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml new file mode 100644 index 000000000..c7c38a801 --- /dev/null +++ b/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml @@ -0,0 +1,59 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-run-as-nonroot + annotations: + policies.kyverno.io/title: Require runAsNonRoot in CEL expressions + policies.kyverno.io/category: Pod Security Standards (Restricted) + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Pod + kyverno.io/kyverno-version: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" + policies.kyverno.io/description: >- + Containers must be required to run as non-root users. This policy ensures + `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this + using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. +spec: + validationFailureAction: Audit + background: true + rules: + - name: run-as-non-root + match: + any: + - resources: + kinds: + - Pod + validate: + message: >- + Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot + must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, + spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot + must be set to `true`. + cel: + expressions: + - expression: >- + (!has(object.spec.securityContext) || + !has(object.spec.securityContext.runAsNonRoot) || + object.spec.securityContext.runAsNonRoot == true) + && + (object.spec.containers.all(container, !has(container.securityContext) || + !has(container.securityContext.runAsNonRoot) || + container.securityContext.runAsNonRoot == true)) + && + (!has(object.spec.initContainers) || + object.spec.initContainers.all(container, !has(container.securityContext) || + !has(container.securityContext.runAsNonRoot) || + container.securityContext.runAsNonRoot == true)) + && + (!has(object.spec.ephemeralContainers) || + object.spec.ephemeralContainers.all(container, !has(container.securityContext) || + !has(container.securityContext.runAsNonRoot) || + container.securityContext.runAsNonRoot == true)) + + - expression: >- + has(object.spec.securityContext) || + (object.spec.containers.all(container, has(container.securityContext) && has(container.securityContext.runAsNonRoot)) + && + (!has(object.spec.initContainers) || object.spec.initContainers.all(container, has(container.securityContext) && has(container.securityContext.runAsNonRoot))) + && + (!has(object.spec.ephemeralContainers) || object.spec.ephemeralContainers.all(container, has(container.securityContext) && has(container.securityContext.runAsNonRoot)))) diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/01-assert.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/01-assert.yaml new file mode 100644 index 000000000..db4a4dc3a --- /dev/null +++ b/pod-security-cel/restricted/restrict-seccomp-strict/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-seccomp-strict +status: + ready: true diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/01-enforce.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/01-enforce.yaml new file mode 100644 index 000000000..826f02c88 --- /dev/null +++ b/pod-security-cel/restricted/restrict-seccomp-strict/01-enforce.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' restrict-seccomp-strict.yaml | kubectl create -f - diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/02-manifests.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/02-manifests.yaml new file mode 100644 index 000000000..70d0917ac --- /dev/null +++ b/pod-security-cel/restricted/restrict-seccomp-strict/02-manifests.yaml @@ -0,0 +1,11 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: ../../../pod-security/restricted/restrict-seccomp-strict/pod-good.yaml + shouldFail: false +- file: ../../../pod-security/restricted/restrict-seccomp-strict/pod-bad.yaml + shouldFail: true +- file: ../../../pod-security/restricted/restrict-seccomp-strict/podcontroller-good.yaml + shouldFail: false +- file: ../../../pod-security/restricted/restrict-seccomp-strict/podcontroller-bad.yaml + shouldFail: true diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/99-delete.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/99-delete.yaml new file mode 100644 index 000000000..7ca3c4cd0 --- /dev/null +++ b/pod-security-cel/restricted/restrict-seccomp-strict/99-delete.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +delete: +- apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-seccomp-strict diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml b/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml new file mode 100644 index 000000000..c8140bd0d --- /dev/null +++ b/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +name: restrict-seccomp-strict +version: 1.0.0 +displayName: Restrict Seccomp (Strict) in CEL expressions +description: >- + The seccomp profile in the Restricted group must not be explicitly set to Unconfined but additionally must also not allow an unset value. This policy, requiring Kubernetes v1.19 or later, ensures that seccomp is set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml + ``` +keywords: + - kyverno + - Pod Security Standards (Restricted) + - CEL Expressions +readme: | + The seccomp profile in the Restricted group must not be explicitly set to Unconfined but additionally must also not allow an unset value. This policy, requiring Kubernetes v1.19 or later, ensures that seccomp is set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Pod Security Standards (Restricted)" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "Pod" +digest: 4cf3da92894bc484aa353e38983fe6641b91a43d70b56fa16ce76bb22a04a7d6 diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/kyverno-test.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/kyverno-test.yaml new file mode 100644 index 000000000..4f0fbe7ac --- /dev/null +++ b/pod-security-cel/restricted/restrict-seccomp-strict/kyverno-test.yaml @@ -0,0 +1,90 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-seccomp-strict +policies: +- restrict-seccomp-strict.yaml +resources: +- ../../../pod-security/restricted/restrict-seccomp-strict/resource.yaml +results: +- kind: CronJob + policy: restrict-seccomp-strict + resources: + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 + - badcronjob07 + result: fail + rule: check-seccomp-strict +- kind: Deployment + policy: restrict-seccomp-strict + resources: + - baddeployment01 + - baddeployment02 + - baddeployment03 + - baddeployment04 + - baddeployment05 + - baddeployment06 + - baddeployment07 + result: fail + rule: check-seccomp-strict +- kind: Pod + policy: restrict-seccomp-strict + resources: + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 + - badpod07 + result: fail + rule: check-seccomp-strict +- kind: CronJob + policy: restrict-seccomp-strict + resources: + - goodcronjob01 + - goodcronjob02 + - goodcronjob03 + - goodcronjob04 + - goodcronjob05 + - goodcronjob06 + - goodcronjob07 + - goodcronjob08 + - goodcronjob09 + - goodcronjob10 + result: pass + rule: check-seccomp-strict +- kind: Deployment + policy: restrict-seccomp-strict + resources: + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 + - gooddeployment07 + - gooddeployment08 + - gooddeployment09 + - gooddeployment10 + result: pass + rule: check-seccomp-strict +- kind: Pod + policy: restrict-seccomp-strict + resources: + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + - goodpod06 + - goodpod07 + - goodpod08 + - goodpod09 + - goodpod10 + result: pass + rule: check-seccomp-strict diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml new file mode 100644 index 000000000..9a0293db0 --- /dev/null +++ b/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml @@ -0,0 +1,66 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-seccomp-strict + annotations: + policies.kyverno.io/title: Restrict Seccomp (Strict) in CEL + policies.kyverno.io/category: Pod Security Standards (Restricted) + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Pod + kyverno.io/kyverno-version: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" + policies.kyverno.io/description: >- + The seccomp profile in the Restricted group must not be explicitly set to Unconfined + but additionally must also not allow an unset value. This policy, + requiring Kubernetes v1.19 or later, ensures that seccomp is + set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this + using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. +spec: + background: true + validationFailureAction: Audit + rules: + - name: check-seccomp-strict + match: + any: + - resources: + kinds: + - Pod + validate: + message: >- + Use of custom Seccomp profiles is disallowed. The fields + spec.securityContext.seccompProfile.type, + spec.containers[*].securityContext.seccompProfile.type, + spec.initContainers[*].securityContext.seccompProfile.type, and + spec.ephemeralContainers[*].securityContext.seccompProfile.type + must be set to `RuntimeDefault` or `Localhost`. + cel: + expressions: + - expression: >- + !has(object.spec.securityContext) || + !has(object.spec.securityContext.seccompProfile) || + !has(object.spec.securityContext.seccompProfile.type) || + object.spec.securityContext.seccompProfile.type == 'RuntimeDefault' || + object.spec.securityContext.seccompProfile.type == 'Localhost' + + - expression: >- + object.spec.containers.all(container, !has(container.securityContext) || + !has(container.securityContext.seccompProfile) || + !has(container.securityContext.seccompProfile.type) || + container.securityContext.seccompProfile.type == 'RuntimeDefault' || + container.securityContext.seccompProfile.type == 'Localhost') + + - expression: >- + !has(object.spec.initContainers) || + object.spec.initContainers.all(container, !has(container.securityContext) || + !has(container.securityContext.seccompProfile) || + !has(container.securityContext.seccompProfile.type) || + container.securityContext.seccompProfile.type == 'RuntimeDefault' || + container.securityContext.seccompProfile.type == 'Localhost') + + - expression: >- + !has(object.spec.ephemeralContainers) || + object.spec.ephemeralContainers.all(container, !has(container.securityContext) || + !has(container.securityContext.seccompProfile) || + !has(container.securityContext.seccompProfile.type) || + container.securityContext.seccompProfile.type == 'RuntimeDefault' || + container.securityContext.seccompProfile.type == 'Localhost') diff --git a/pod-security-cel/restricted/restrict-volume-types/01-assert.yaml b/pod-security-cel/restricted/restrict-volume-types/01-assert.yaml new file mode 100644 index 000000000..417239b4b --- /dev/null +++ b/pod-security-cel/restricted/restrict-volume-types/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-volume-types +status: + ready: true diff --git a/pod-security-cel/restricted/restrict-volume-types/01-enforce.yaml b/pod-security-cel/restricted/restrict-volume-types/01-enforce.yaml new file mode 100644 index 000000000..fd2e32e7d --- /dev/null +++ b/pod-security-cel/restricted/restrict-volume-types/01-enforce.yaml @@ -0,0 +1,7 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' restrict-volume-types.yaml | kubectl create -f - +apply: +- ../../../pod-security/restricted/restrict-volume-types/ns.yaml diff --git a/pod-security-cel/restricted/restrict-volume-types/02-manifests.yaml b/pod-security-cel/restricted/restrict-volume-types/02-manifests.yaml new file mode 100644 index 000000000..897e4dffd --- /dev/null +++ b/pod-security-cel/restricted/restrict-volume-types/02-manifests.yaml @@ -0,0 +1,11 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: ../../../pod-security/restricted/restrict-volume-types/pod-good.yaml + shouldFail: false +- file: ../../../pod-security/restricted/restrict-volume-types/pod-bad.yaml + shouldFail: true +- file: ../../../pod-security/restricted/restrict-volume-types/podcontroller-good.yaml + shouldFail: false +- file: ../../../pod-security/restricted/restrict-volume-types/podcontroller-bad.yaml + shouldFail: true \ No newline at end of file diff --git a/pod-security-cel/restricted/restrict-volume-types/99-delete.yaml b/pod-security-cel/restricted/restrict-volume-types/99-delete.yaml new file mode 100644 index 000000000..c9e317204 --- /dev/null +++ b/pod-security-cel/restricted/restrict-volume-types/99-delete.yaml @@ -0,0 +1,8 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +delete: +- apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-volume-types +commands: +- command: kubectl delete all --all --force --grace-period=0 -n restrict-voltypes-ns diff --git a/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml b/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml new file mode 100644 index 000000000..0dd35d251 --- /dev/null +++ b/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +name: restrict-volume-types +version: 1.0.0 +displayName: Restrict Volume Types in CEL expressions +description: >- + In addition to restricting HostPath volumes, the restricted pod security profile limits usage of non-core volume types to those defined through PersistentVolumes. This policy blocks any other type of volume other than those in the allow list. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml + ``` +keywords: + - kyverno + - Pod Security Standards (Restricted) + - CEL Expressions +readme: | + In addition to restricting HostPath volumes, the restricted pod security profile limits usage of non-core volume types to those defined through PersistentVolumes. This policy blocks any other type of volume other than those in the allow list. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Pod Security Standards (Restricted)" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "Pod,Volume" +digest: 71ffcf5c417c3c71cfe6e1a1f9a36884683b876bf6ed3f5b9201d69547526583 diff --git a/pod-security-cel/restricted/restrict-volume-types/kyverno-test.yaml b/pod-security-cel/restricted/restrict-volume-types/kyverno-test.yaml new file mode 100644 index 000000000..56e535f97 --- /dev/null +++ b/pod-security-cel/restricted/restrict-volume-types/kyverno-test.yaml @@ -0,0 +1,126 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-volume-types +policies: +- restrict-volume-types.yaml +resources: +- ../../../pod-security/restricted/restrict-volume-types/resource.yaml +results: +- kind: CronJob + policy: restrict-volume-types + resources: + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 + - badcronjob07 + - badcronjob08 + - badcronjob09 + - badcronjob10 + - badcronjob11 + - badcronjob12 + - badcronjob13 + - badcronjob14 + - badcronjob15 + - badcronjob16 + - badcronjob17 + - badcronjob18 + - badcronjob19 + - badcronjob20 + result: fail + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - baddeployment01 + - baddeployment02 + - baddeployment03 + - baddeployment04 + - baddeployment05 + - baddeployment06 + - baddeployment07 + - baddeployment08 + - baddeployment09 + - baddeployment10 + - baddeployment11 + - baddeployment12 + - baddeployment13 + - baddeployment14 + - baddeployment15 + - baddeployment16 + - baddeployment17 + - baddeployment18 + - baddeployment19 + - baddeployment20 + result: fail + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 + - badpod07 + - badpod08 + - badpod09 + - badpod10 + - badpod11 + - badpod12 + - badpod13 + - badpod14 + - badpod15 + - badpod16 + - badpod17 + - badpod18 + - badpod19 + - badpod20 + result: fail + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - goodcronjob01 + - goodcronjob02 + - goodcronjob03 + - goodcronjob04 + - goodcronjob05 + - goodcronjob06 + - goodcronjob07 + - goodcronjob08 + - goodcronjob09 + result: pass + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 + - gooddeployment07 + - gooddeployment08 + - gooddeployment09 + result: pass + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + - goodpod06 + - goodpod07 + - goodpod08 + - goodpod09 + result: pass + rule: restricted-volumes diff --git a/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml b/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml new file mode 100644 index 000000000..a7e1c645a --- /dev/null +++ b/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml @@ -0,0 +1,41 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-volume-types + annotations: + policies.kyverno.io/title: Restrict Volume Types in CEL + policies.kyverno.io/category: Pod Security Standards (Restricted) + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Pod,Volume + kyverno.io/kubernetes-version: "1.26-1.27" + kyverno.io/kyverno-version: 1.11.0 + policies.kyverno.io/description: >- + In addition to restricting HostPath volumes, the restricted pod security profile + limits usage of non-core volume types to those defined through PersistentVolumes. + This policy blocks any other type of volume other than those in the allow list. +spec: + validationFailureAction: Audit + background: true + rules: + - name: restricted-volumes + match: + any: + - resources: + kinds: + - Pod + validate: + message: >- + Only the following types of volumes may be used: configMap, csi, downwardAPI, + emptyDir, ephemeral, persistentVolumeClaim, projected, and secret. + cel: + expressions: + - expression: >- + !has(object.spec.volumes) || + object.spec.volumes.all(vol, has(vol.configMap) || + has(vol.csi) || + has(vol.downwardAPI) || + has(vol.emptyDir) || + has(vol.ephemeral) || + has(vol.persistentVolumeClaim) || + has(vol.projected) || + has(vol.secret))