Proof of concept

common/istio-cni-1-16/kustomization.yaml

@@ -0,0 +1,47 @@
+#We have to add this as profile to the current istio instalation way and clean up a lot of deprecated stuff...
+
+#### Kubernetes 1.24+
+# install full cni enabled standalone istio
+#ISTIO_TAG=1.16.4
+#curl -L https://github.com/istio/istio/releases/download/${ISTIO_TAG}/istio-${ISTIO_TAG}-linux-amd64.tar.gz -o istio.tar.gz
+#tar xzf istio.tar.gz
+#istio-${ISTIO_TAG}/bin/istioctl manifest generate --set values.pilot.autoscaleMin=1 --set values.gateways.istio-ingressgateway.autoscaleMin=1 --set components.cni.enabled=true --set components.cni.namespace=kube-system --set components.cni.tag=${ISTIO_TAG} --set values.global.proxy.resources.requests.cpu=10m --set tag=${ISTIO_TAG} > istio.yaml
+#rm -rf istio-${ISTIO_TAG} istio.tar.gz
+
+# sadly there is a bug such that the busybox image is not configurable in a proper way
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- namespace.yaml
+- istio.yaml
+
+patchesStrategicMerge:
+# Pentest enahncement: check port 15010 & 8080 in istiod: According to https://istio.io/latest/docs/ops/best-practices/security/#control-plane port 15010 is not that problematic (only resource discovery). Other parts of the documentation also say | 15010 | GRPC | XDS and CA services (Plaintext, only for secure networks) | We have a secure network layer and only XDS is served. Port 8080 is not listed in the service and even if it would be somehow reachable by IP it only "offers read access". Nevertheless we set ENABLE_DEBUG_ON_HTTP=false do disable it entirely.
+- |-
+  apiVersion: apps/v1
+  kind: Deployment
+  metadata:
+    name: istiod
+    namespace: istio-system
+  spec:
+    template:
+      spec:
+        containers:
+        - name: discovery
+          env:
+          - name: ENABLE_DEBUG_ON_HTTP
+            value: 'false'
+# https://github.com/kubeflow/manifests/issues/2285
+- |-
+  apiVersion: v1
+  kind: Service
+  metadata:
+    name: istio-ingressgateway
+    namespace: istio-system
+  spec:
+    type: ClusterIP
+
+
+

common/istio-cni-1-16/namespace.yaml

@@ -0,0 +1,6 @@
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: istio-system
+  labels:
+    istio-injection: disabled

common/podsecuritypolicies/kustomization.yaml

@@ -0,0 +1,9 @@
+# REMOVED IN KUBERNTES 1.25 https://kubernetes.io/docs/concepts/security/pod-security-policy/
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- restricted/kubeflow-restricted-usernamespace-clusterrole.yaml
+- restricted/kubeflow-restricted-psp.yaml
+- restricted/kubeflow-restricted-clusterrole.yaml
+- restricted/kubeflow-restricted-clusterrole-rolebinding.yaml
+

common/podsecuritypolicies/restricted/kubeflow-restricted-clusterrole-rolebinding.yaml

@@ -0,0 +1,29 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    kubernetes.io/description: Restrictive PSP
+  name: kubeflow-restricted-clusterrole-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubeflow-restricted-clusterrole
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:serviceaccounts:istio-system
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:serviceaccounts:cert-manager
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:serviceaccounts:knative-serving
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:serviceaccounts:knative-eventing
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:serviceaccounts:auth
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:serviceaccounts:kubeflow

common/podsecuritypolicies/restricted/kubeflow-restricted-clusterrole.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubeflow-restricted-clusterrole
+rules:
+- apiGroups:
+  - policy
+  resourceNames:
+  - kubeflow-restricted-psp
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+

common/podsecuritypolicies/restricted/kubeflow-restricted-psp.yaml

@@ -0,0 +1,50 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: kubeflow-restricted-psp
+spec:
+  priority: 1
+  privileged: false
+  allowPrivilegedContainer: false
+  allowPrivilegeEscalation: false
+  #readOnlyRootFilesystem: false
+  hostPID: false
+  hostIPC: false
+  hostNetwork: false
+  hostPorts: []
+  allowHostPorts: false
+  allowHostDirVolumePlugin: false
+  allowHostIPC: false
+  allowHostPID: false
+  allowHostNetwork: false
+  allowedCapabilities: []
+  defaultAddCapabilities: []
+  requiredDropCapabilities:
+  - ALL
+  fsGroup:
+    rule: RunAsAny
+  runAsGroup:
+    ranges:
+    - max: 65535
+      min: 0
+    rule: MustRunAs
+  runAsUser:
+    ranges:
+    - max: 65535
+      min: 1000
+    rule: MustRunAs
+    #rule: MustRunAsNonRoot
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    ranges:
+    - max: 65535
+      min: 1
+    rule: MustRunAs
+  volumes:
+  - configMap
+  - downwardAPI
+  - emptyDir
+  - persistentVolumeClaim
+  - projected
+  - secret

common/podsecuritypolicies/restricted/kubeflow-restricted-usernamespace-clusterrole-.yaml

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
+    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
+  name: kubeflow-psp
+rules:
+- apiGroups:
+  - policy
+  resourceNames:
+  - kubeflow-restricted-psp
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use

common/podsecuritystandards/kustomization.yaml

@@ -0,0 +1,5 @@
+TODO add the label `pod-security.kubernetes.io/enforce=restricted`
+to the namespace yamls of kubeflow,auth,cert-manager,istio-system,knative-serving,knative-eventing
+https://kubernetes.io/docs/tutorials/security/ns-level-pss/
+We also have to add this label to the profile controller.
+The profile contoller should take the laber from an environment variable to make it configurable