diff --git a/catalog/dockerfile/dockerfile-deny-expose-22.yaml b/catalog/dockerfile/dockerfile-deny-expose-22.yaml
new file mode 100644
index 00000000..2e54cb2e
--- /dev/null
+++ b/catalog/dockerfile/dockerfile-deny-expose-22.yaml
@@ -0,0 +1,18 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: dockerfile-deny-expose-port-22
+ labels:
+ dockerfile.tags.kyverno.io: 'dockerfile'
+ annotations:
+ title.policy.kyverno.io: Dockerfile expose port 22 not allowed
+ description.policy.kyverno.io: This Policy ensures that port 22 is not exposed in Dockerfile.
+spec:
+ rules:
+ - name: check-port-exposure
+ assert:
+ all:
+ - message: "Port 22 exposure is not allowed"
+ check:
+ ~.(Stages[].Commands[?Name=='EXPOSE'][]):
+ (contains(Ports, '22') || contains(Ports, '22/TCP')): false
\ No newline at end of file
diff --git a/catalog/dockerfile/dockerfile-deny-latest-image.yaml b/catalog/dockerfile/dockerfile-deny-latest-image.yaml
new file mode 100644
index 00000000..c5c687bb
--- /dev/null
+++ b/catalog/dockerfile/dockerfile-deny-latest-image.yaml
@@ -0,0 +1,18 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: dockerfile-deny-latest-image-tag
+ labels:
+ dockerfile.tags.kyverno.io: 'dockerfile'
+ annotations:
+ title.policy.kyverno.io: Dockerfile latest image tag not allowed
+ description.policy.kyverno.io: This Policy ensures that no image uses the latest tag in Dockerfile.
+spec:
+ rules:
+ - name: check-latest-tag
+ assert:
+ all:
+ - message: "Latest tag is not allowed"
+ check:
+ ~.(Stages[].From.Image):
+ (contains(@, ':latest')): false
\ No newline at end of file
diff --git a/catalog/dockerfile/dockerfile-disallow-apt.yaml b/catalog/dockerfile/dockerfile-disallow-apt.yaml
new file mode 100644
index 00000000..456e6384
--- /dev/null
+++ b/catalog/dockerfile/dockerfile-disallow-apt.yaml
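Review bot: The EXPOSE check in dockerfile-deny-expose-22.yaml compares `Ports` entries against the uppercase literal `'22/TCP'`, while the documented Dockerfile spelling is lowercase (`EXPOSE 22/tcp`); JMESPath `contains` is case-sensitive, so if the parser keeps the string as written that form is not caught. Assuming `Ports` is the list of strings the rule treats it as, a safer last line is `(contains(Ports, '22') || contains(Ports, '22/tcp') || contains(Ports, '22/TCP')): false`, and ranges such as `22-23` or a variable like `EXPOSE $SSH_PORT` still pass, which is worth a line in the description. The annotation should also say that EXPOSE is only image metadata — a container can still serve port 22 without it — so this policy is a hygiene signal rather than a network control.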
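Review bot: `contains(@, ':latest')` in dockerfile-deny-latest-image.yaml only catches an explicit tag; `FROM ubuntu` with no tag resolves to `:latest` at build time and passes this check, which undercuts the policy's stated goal. `(contains(@, ':latest') || !contains(@, ':')): false` closes that gap, but the second clause also flags `FROM scratch` and stage references by alias (`FROM builder`), which carry no tag by design, and lets `host:5000/img` through because of the port colon — the description should state this trade-off rather than leave it implicit. This assumes `Stages[].From.Image` holds the raw reference string; if the parser exposes the tag as its own field, matching on that field is cleaner.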
@@ -0,0 +1,18 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: dockerfile-disallow-apt
+ labels:
+ dockerfile.tags.kyverno.io: 'dockerfile'
+ annotations:
+ title.policy.kyverno.io: Ensure apt is not used in Dockerfile
+ description.policy.kyverno.io: This Policy ensures that apt isnt used but apt-get can be used as apt interface is less stable than apt-get and so this preferred.
+spec:
+ rules:
+ - name: dockerfile-disallow-apt
+ assert:
+ any:
+ - message: "apt not allowed"
+ check:
+ ~.(Stages[].Commands[].CmdLine[]):
+ (contains(@, 'apt ')) : false
diff --git a/catalog/dockerfile/dockerfile-disallow-last-user-root.yaml b/catalog/dockerfile/dockerfile-disallow-last-user-root.yaml
new file mode 100644
index 00000000..3075ad5a
--- /dev/null
+++ b/catalog/dockerfile/dockerfile-disallow-last-user-root.yaml
@@ -0,0 +1,17 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: dockerfile-disallow-last-user-root
+ labels:
+ dockerfile.tags.kyverno.io: 'dockerfile'
+ annotations:
+ title.policy.kyverno.io: Dockerfile last user is not allowed to be root
+ description.policy.kyverno.io: This Policy ensures that last user in Dockerfile is not root.
+spec:
+ rules:
+ - name: check-disallow-last-user-root
+ assert:
+ all:
+ - message: "Last user root not allowed"
+ check:
+ ((Stages[].Commands[?Name == 'USER'][])[-1].User == 'root'): false
\ No newline at end of file
diff --git a/catalog/dockerfile/dockerfile-disallow-sudo.yaml b/catalog/dockerfile/dockerfile-disallow-sudo.yaml
new file mode 100644
index 00000000..84202dd7
--- /dev/null
+++ b/catalog/dockerfile/dockerfile-disallow-sudo.yaml
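Review bot: `assert: any:` in dockerfile-disallow-apt.yaml is inconsistent with the `all:` used by the other four policies in this commit; with a single assertion the two are equivalent, but the semantics diverge silently the moment a second check is added, so `all:` is the safer default. The substring `'apt '` also misses the exec form `RUN ["apt", "install", "x"]`, where each `CmdLine` element is a single word, and matches unrelated words that happen to end in `apt` followed by a space; `(contains(@, 'apt ') || @ == 'apt'): false` closes the first gap. The description's `isnt` and `so this preferred` should read `isn't` and `so this is preferred`.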
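Review bot: The check in dockerfile-disallow-last-user-root.yaml passes when a Dockerfile has no USER instruction at all: `[-1]` over an empty list yields null, `null == 'root'` is false, and the resulting container still runs as root by default. It also flattens USER across every stage, so `USER app` in a build stage followed by a final stage without USER passes although the final image runs as root; scoping to the last stage, `Stages[-1].Commands[?Name == 'USER'][]`, is closer to the intent, with the caveat that a non-default `--target` is not considered. Finally `root` is not the only spelling — `USER 0`, `USER 0:0` and `USER root:root` name the same account — so a presence assertion (a `length(...)` comparison against a JMESPath number literal, expected `true`) plus a membership test of the last `User` against a deny-list of `root`, `0`, `root:root`, `0:0` (expected `false`) would replace the single equality; both should be run through kyverno-json's policy tests before merging.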
@@ -0,0 +1,18 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: dockerfile-disallow-sudo
+ labels:
+ dockerfile.tags.kyverno.io: 'dockerfile'
+ annotations:
+ title.policy.kyverno.io: Ensure sudo is not used in Dockerfile
+ description.policy.kyverno.io: This Policy ensures that sudo isn’t used.
+spec:
+ rules:
+ - name: dockerfile-disallow-sudo
+ assert:
+ all:
+ - message: "sudo not allowed"
+ check:
+ ~.(Stages[].Commands[].CmdLine[]):
+ (contains(@, 'sudo')) : false
\ No newline at end of file
diff --git a/website/docs/catalog/policies/dockerfile/dockerfile-deny-expose-22.md b/website/docs/catalog/policies/dockerfile/dockerfile-deny-expose-22.md
new file mode 100644
index 00000000..6e975dc4
--- /dev/null
+++ b/website/docs/catalog/policies/dockerfile/dockerfile-deny-expose-22.md
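Review bot: `contains(@, 'sudo')` in dockerfile-disallow-sudo.yaml is a bare substring test over the whole command line, so hardening steps such as `RUN apt-get purge -y sudo` or an edit to `/etc/sudoers` fail the policy, while other privilege wrappers such as `su -c` or `doas` pass. JMESPath has no regex, but `(@ == 'sudo' || starts_with(@, 'sudo ') || contains(@, ' sudo ')): false` limits the match to sudo invoked as a command, covering exec form (one word per `CmdLine` element) and shell form, at the cost of missing `&&sudo` written without spaces. The description should state what is and is not covered, and `isn’t` uses a curly apostrophe that is worth normalizing to plain ASCII for consistency with the other policies.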
@@ -0,0 +1,51 @@
+---
+tags:
+- dockerfile
+---
+# Dockerfile expose port 22 not allowed
+
+## Description
+
+This Policy ensures that port 22 is not exposed in Dockerfile.
+
+## Install
+
+### In cluster
+
+```bash
+kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-expose-22.yaml
+```
+
+### Download locally
+
+```bash
+curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-expose-22.yaml
+```
+
+## Manifest
+
+[Original policy](https://github.com/kyverno/kyverno-json/blob/main/catalog/dockerfile/dockerfile-deny-expose-22.yaml)
+[Raw](https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-expose-22.yaml)
+
+```yaml
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ annotations:
+ description.policy.kyverno.io: This Policy ensures that port 22 is not exposed
+ in Dockerfile.
+ title.policy.kyverno.io: Dockerfile expose port 22 not allowed
+ creationTimestamp: null
+ labels:
+ dockerfile.tags.kyverno.io: dockerfile
+ name: dockerfile-deny-expose-port-22
+spec:
+ rules:
+ - assert:
+ all:
+ - check:
+ ~.(Stages[].Commands[?Name=='EXPOSE'][]):
+ (contains(Ports, '22') || contains(Ports, '22/TCP')): false
+ message: Port 22 exposure is not allowed
+ name: check-port-exposure
+```
diff --git a/website/docs/catalog/policies/dockerfile/dockerfile-deny-latest-image.md b/website/docs/catalog/policies/dockerfile/dockerfile-deny-latest-image.md
new file mode 100644
index 00000000..5c28dfdb
--- /dev/null
+++ b/website/docs/catalog/policies/dockerfile/dockerfile-deny-latest-image.md
@@ -0,0 +1,51 @@
+---
+tags:
+- dockerfile
+---
+# Dockerfile latest image tag not allowed
+
+## Description
+
+This Policy ensures that no image uses the latest tag in Dockerfile.
+
+## Install
+
+### In cluster
+
+```bash
+kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-latest-image.yaml
+```
+
+### Download locally
+
+```bash
+curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-latest-image.yaml
+```
+
+## Manifest
+
+[Original policy](https://github.com/kyverno/kyverno-json/blob/main/catalog/dockerfile/dockerfile-deny-latest-image.yaml)
+[Raw](https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-latest-image.yaml)
+
+```yaml
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ annotations:
+ description.policy.kyverno.io: This Policy ensures that no image uses the latest
+ tag in Dockerfile.
+ title.policy.kyverno.io: Dockerfile latest image tag not allowed
+ creationTimestamp: null
+ labels:
+ dockerfile.tags.kyverno.io: dockerfile
+ name: dockerfile-deny-latest-image-tag
+spec:
+ rules:
+ - assert:
+ all:
+ - check:
+ ~.(Stages[].From.Image):
+ (contains(@, ':latest')): false
+ message: Latest tag is not allowed
+ name: check-latest-tag
+```
diff --git a/website/docs/catalog/policies/dockerfile/dockerfile-disallow-apt.md b/website/docs/catalog/policies/dockerfile/dockerfile-disallow-apt.md
new file mode 100644
index 00000000..7ea19026
--- /dev/null
+++ b/website/docs/catalog/policies/dockerfile/dockerfile-disallow-apt.md
@@ -0,0 +1,51 @@
+---
+tags:
+- dockerfile
+---
+# Ensure apt is not used in Dockerfile
+
+## Description
+
+This Policy ensures that apt isnt used but apt-get can be used as apt interface is less stable than apt-get and so this preferred.
+
+## Install
+
+### In cluster
+
+```bash
+kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-apt.yaml
+```
+
+### Download locally
+
+```bash
+curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-apt.yaml
+```
+
+## Manifest
+
+[Original policy](https://github.com/kyverno/kyverno-json/blob/main/catalog/dockerfile/dockerfile-disallow-apt.yaml)
+[Raw](https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-apt.yaml)
+
+```yaml
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ annotations:
+ description.policy.kyverno.io: This Policy ensures that apt isnt used but apt-get
+ can be used as apt interface is less stable than apt-get and so this preferred.
+ title.policy.kyverno.io: Ensure apt is not used in Dockerfile
+ creationTimestamp: null
+ labels:
+ dockerfile.tags.kyverno.io: dockerfile
+ name: dockerfile-disallow-apt
+spec:
+ rules:
+ - assert:
+ any:
+ - check:
+ ~.(Stages[].Commands[].CmdLine[]):
+ (contains(@, 'apt ')): false
+ message: apt not allowed
+ name: dockerfile-disallow-apt
+```
diff --git a/website/docs/catalog/policies/dockerfile/dockerfile-disallow-last-user-root.md b/website/docs/catalog/policies/dockerfile/dockerfile-disallow-last-user-root.md
new file mode 100644
index 00000000..282ec380
--- /dev/null
+++ b/website/docs/catalog/policies/dockerfile/dockerfile-disallow-last-user-root.md
@@ -0,0 +1,50 @@
+---
+tags:
+- dockerfile
+---
+# Dockerfile last user is not allowed to be root
+
+## Description
+
+This Policy ensures that last user in Dockerfile is not root.
+
+## Install
+
+### In cluster
+
+```bash
+kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-last-user-root.yaml
+```
+
+### Download locally
+
+```bash
+curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-last-user-root.yaml
+```
+
+## Manifest
+
+[Original policy](https://github.com/kyverno/kyverno-json/blob/main/catalog/dockerfile/dockerfile-disallow-last-user-root.yaml)
+[Raw](https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-last-user-root.yaml)
+
+```yaml
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ annotations:
+ description.policy.kyverno.io: This Policy ensures that last user in Dockerfile
+ is not root.
+ title.policy.kyverno.io: Dockerfile last user is not allowed to be root
+ creationTimestamp: null
+ labels:
+ dockerfile.tags.kyverno.io: dockerfile
+ name: dockerfile-disallow-last-user-root
+spec:
+ rules:
+ - assert:
+ all:
+ - check:
+ ((Stages[].Commands[?Name == 'USER'][])[-1].User == 'root'): false
+ message: Last user root not allowed
+ name: check-disallow-last-user-root
+```
diff --git a/website/docs/catalog/policies/dockerfile/dockerfile-disallow-sudo.md b/website/docs/catalog/policies/dockerfile/dockerfile-disallow-sudo.md
new file mode 100644
index 00000000..c3c1f774
--- /dev/null
+++ b/website/docs/catalog/policies/dockerfile/dockerfile-disallow-sudo.md
@@ -0,0 +1,50 @@
+---
+tags:
+- dockerfile
+---
+# Ensure sudo is not used in Dockerfile
+
+## Description
+
+This Policy ensures that sudo isn’t used.
+
+## Install
+
+### In cluster
+
+```bash
+kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-sudo.yaml
+```
+
+### Download locally
+
+```bash
+curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-sudo.yaml
+```
+
+## Manifest
+
+[Original policy](https://github.com/kyverno/kyverno-json/blob/main/catalog/dockerfile/dockerfile-disallow-sudo.yaml)
+[Raw](https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-sudo.yaml)
+
+```yaml
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ annotations:
+ description.policy.kyverno.io: This Policy ensures that sudo isn’t used.
+ title.policy.kyverno.io: Ensure sudo is not used in Dockerfile
+ creationTimestamp: null
+ labels:
+ dockerfile.tags.kyverno.io: dockerfile
+ name: dockerfile-disallow-sudo
+spec:
+ rules:
+ - assert:
+ all:
+ - check:
+ ~.(Stages[].Commands[].CmdLine[]):
+ (contains(@, 'sudo')): false
+ message: sudo not allowed
+ name: dockerfile-disallow-sudo
+```
diff --git a/website/mkdocs.yaml b/website/mkdocs.yaml
index f0108272..a56192db 100644
--- a/website/mkdocs.yaml
+++ b/website/mkdocs.yaml
@@ -39,6 +39,11 @@ nav:
 - Policies:
 - catalog/index.md
 - All:
+ - catalog/policies/dockerfile/dockerfile-deny-expose-22.md
+ - catalog/policies/dockerfile/dockerfile-deny-latest-image.md
+ - catalog/policies/dockerfile/dockerfile-disallow-apt.md
+ - catalog/policies/dockerfile/dockerfile-disallow-last-user-root.md
+ - catalog/policies/dockerfile/dockerfile-disallow-sudo.md
 - catalog/policies/ecs/ecs-cluster-enable-logging.md
 - catalog/policies/ecs/ecs-cluster-required-container-insights.md
 - catalog/policies/ecs/ecs-service-public-ip.md