Commit
Add policy Restrict Cluster Role CSR (#1077)
* Added policy for restricting clusterroles for CSRs, along with unit tests, chainsaw tests and artifacthub-pkg.yaml

Signed-off-by: nsagark <[email protected]>

* updated the policy with annotations and validation failure action

Signed-off-by: nsagark <[email protected]>

* updated the sha256sum on the artifacthub-pkg.yaml

Signed-off-by: nsagark <[email protected]>

* Update other/restrict-clusterrole-csr/artifacthub-pkg.yaml

Signed-off-by: Chip Zoller <[email protected]>

* Update other/restrict-clusterrole-csr/artifacthub-pkg.yaml

Signed-off-by: Chip Zoller <[email protected]>

* Update other/restrict-clusterrole-csr/artifacthub-pkg.yaml

Signed-off-by: Chip Zoller <[email protected]>

---------

Signed-off-by: nsagark <[email protected]>
Signed-off-by: Chip Zoller <[email protected]>
Co-authored-by: Chip Zoller <[email protected]>
nsagark and chipzoller authored Aug 2, 2024
1 parent 18f71ab commit 3c6044b
Showing 8 changed files with 190 additions and 0 deletions.
@@ -0,0 +1,6 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-clusterrole-csr
status:
ready: true
29 changes: 29 additions & 0 deletions other/restrict-clusterrole-csr/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,29 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
name: restrict-clusterrole-csr
spec:
steps:
- name: step-01
try:
- apply:
file: ../restrict-clusterrole-csr.yaml
- patch:
resource:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-clusterrole-csr
spec:
validationFailureAction: Enforce
- assert:
file: chainsaw-step-01-assert-1.yaml
- name: step-02
try:
- apply:
file: non-violating-clusterrole.yaml
- apply:
expect:
- check:
($error != null): true
file: violating-clusterrole.yaml
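Review bot: step-02 never exercises the wildcard branch of the policy: both rules carry a second condition `contains(element.verbs[], '*')`, yet neither fixture grants `verbs: ["*"]`. Add a third ClusterRole with `verbs: ["*"]` on `certificatesigningrequests/approval` and on `signers` and expect it to be rejected, otherwise a regression in that condition goes unnoticed. Also, `($error != null): true` only proves the apply failed; a `check` that the error text contains the rule name or the policy message would pin the failure to this policy rather than, say, a malformed manifest.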
@@ -0,0 +1,11 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: non-violating-clusterrole
rules:
- apiGroups: [""]
resources: ["certificatesigningrequests/approval"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["signers"]
verbs: ["get", "list"]
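Review bot: `apiGroups: [""]` does not reflect where these resources live; `certificatesigningrequests` (with its `approval` subresource) and `signers` belong to the `certificates.k8s.io` API group, so a rule in the core group grants nothing on real CSRs. The test still passes because the policy filter only inspects `resources`, but the fixture should read `apiGroups: ["certificates.k8s.io"]` so it represents the RBAC an administrator would actually write and the test reflects a realistic allowed role.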
@@ -0,0 +1,11 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: violating-clusterrole
rules:
- apiGroups: [""]
resources: ["certificatesigningrequests/approval"]
verbs: ["update", "approve"]
- apiGroups: [""]
resources: ["signers"]
verbs: ["approve"]
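Review bot: the `approve` verb on `certificatesigningrequests/approval` is not what the API server checks for approval (that is `update` on the subresource; `approve` applies to `signers`), so only `update` is doing any work in the first rule of this fixture. Since the policy message names both `update` and `patch`, add a fixture (or a second rule entry here) that uses `patch` alone so both forbidden verbs are covered, and use `apiGroups: ["certificates.k8s.io"]`, the group these resources actually belong to, rather than `""`.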
33 changes: 33 additions & 0 deletions other/restrict-clusterrole-csr/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,33 @@
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
name: restrict-clusterrole-csr
policies:
- ../restrict-clusterrole-csr.yaml
resources:
- resource.yaml
results:
- kind: ClusterRole
policy: restrict-clusterrole-csr
resources:
- violating-clusterrole
result: fail
rule: certificatesigningrequests-update-prevention
- kind: ClusterRole
policy: restrict-clusterrole-csr
resources:
- violating-clusterrole
result: fail
rule: signers-approve-prevention
- kind: ClusterRole
policy: restrict-clusterrole-csr
resources:
- non-violating-clusterrole
result: pass
rule: certificatesigningrequests-update-prevention
- kind: ClusterRole
policy: restrict-clusterrole-csr
resources:
- non-violating-clusterrole
result: pass
rule: signers-approve-prevention
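Review bot: the results only cover the two fixtures in resource.yaml; there is no entry for a ClusterRole with no CSR-related rules at all, so the behaviour of the `foreach` over an empty filtered list (pass or skip) is not pinned. Add an unrelated ClusterRole (for example one granting only `get` on `pods`) and record the result the CLI reports, so that a later change to the JMESPath filter that starts erroring on such roles is caught here rather than in background scans on a live cluster.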
24 changes: 24 additions & 0 deletions other/restrict-clusterrole-csr/.kyverno-test/resource.yaml
@@ -0,0 +1,24 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: violating-clusterrole
rules:
- apiGroups: [""]
resources: ["certificatesigningrequests/approval"]
verbs: ["update", "approve"]
- apiGroups: [""]
resources: ["signers"]
verbs: ["approve"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: non-violating-clusterrole
rules:
- apiGroups: [""]
resources: ["certificatesigningrequests/approval"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["signers"]
verbs: ["get", "list"]

21 changes: 21 additions & 0 deletions other/restrict-clusterrole-csr/artifacthub-pkg.yaml
@@ -0,0 +1,21 @@
name: restrict-clusterrole-csr
version: 1.0.0
displayName: Restrict Clusterrole for Certificate Signing Requests (CSR's)
createdAt: "2024-07-17T20:30:05.000Z"
description: >-
ClusterRoles that grant permissions to approve CertificateSigningRequests should be minimized to reduce powerful identities in the cluster. Approving CertificateSigningRequests allows one to issue new credentials for any user or group. As such, ClusterRoles that grant permissions to approve CertificateSigningRequests are granting cluster admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that if compromised could take over the entire cluster. For more information, refer to https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized.
install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/restrict-clusterrole-csr/restrict-clusterrole-csr.yaml
```
keywords:
- kyverno
- Other
readme: |
ClusterRoles that grant permissions to approve CertificateSigningRequests should be minimized to reduce powerful identities in the cluster. Approving CertificateSigningRequests allows one to issue new credentials for any user or group. As such, ClusterRoles that grant permissions to approve CertificateSigningRequests are granting cluster admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that if compromised could take over the entire cluster. For more information, refer to https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized.
Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
annotations:
kyverno/category: "Other"
kyverno/subject: "ClusterRole"
digest: c36b162b694005bbdf84f61f70c86b7ddbaf2dd9d428023c132570df7fd18854
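Review bot: `displayName` uses `CSR's` for the plural; `CSRs` is the conventional form. Separately, `digest` is the sha256 of restrict-clusterrole-csr.yaml and has to be regenerated whenever that file changes (the commit history of this PR already shows one such update), so any further edits to the policy prompted by review need a matching digest bump here or the Artifact Hub listing will be stale.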
55 changes: 55 additions & 0 deletions other/restrict-clusterrole-csr/restrict-clusterrole-csr.yaml
@@ -0,0 +1,55 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-clusterrole-csr
annotations:
policies.kyverno.io/title: Restrict Cluster Role CSR
policies.kyverno.io/category: Other
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: ClusterRole
kyverno.io/kyverno-version: 1.11.5
kyverno.io/kubernetes-version: "1.27"
policies.kyverno.io/description: >-
ClusterRoles that grant permissions to approve CertificateSigningRequests should be minimized to reduce powerful identities in the cluster. Approving CertificateSigningRequests allows one to issue new credentials for any user or group. As such, ClusterRoles that grant permissions to approve CertificateSigningRequests are granting cluster admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that if compromised could take over the entire cluster. For more information, refer to https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized.
spec:
validationFailureAction: Audit
background: true
rules:
- name: certificatesigningrequests-update-prevention
match:
any:
- resources:
kinds:
- ClusterRole
validate:
message: "Use of verbs `update` and `patch` are forbidden for certificatesigningrequests/approval."
foreach:
- list: "request.object.rules[?resources.contains(@,'certificatesigningrequests/approval')]"
deny:
conditions:
any:
- key: ["update", "patch"]
operator: AnyIn
value: "{{ element.verbs[] }}"
- key: "{{ contains(element.verbs[], '*') }}"
operator: Equals
value: true
- name: signers-approve-prevention
match:
any:
- resources:
kinds:
- ClusterRole
validate:
message: "Use of verbs `approve` are forbidden for signers."
foreach:
- list: "request.object.rules[?resources.contains(@,'signers')]"
deny:
conditions:
any:
- key: ["approve"]
operator: AnyIn
value: "{{ element.verbs[] }}"
- key: "{{ contains(element.verbs[], '*') }}"
operator: Equals
value: true
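Review bot: the `foreach` list filters `request.object.rules[?resources.contains(@,'certificatesigningrequests/approval')]` and `rules[?resources.contains(@,'signers')]` assume every rule has a `resources` field, but RBAC rules that use `nonResourceURLs` (the built-in `system:discovery` ClusterRole, for instance) omit it, and with `background: true` this policy is evaluated against every existing ClusterRole. Verify that `contains` on a missing `resources` does not turn the rule into an error for such roles, or guard the filter, e.g. `rules[?resources && contains(resources, 'certificatesigningrequests/approval')]`. Two further gaps worth stating in the description if they are intentional: the filter ignores `apiGroups`, so it flags the resource in any group rather than only `certificates.k8s.io`, and a rule with `resources: ["*"]` is never matched, so a wildcard-resource role with `verbs: ["*"]` passes both rules. Minor: the second message reads "Use of verbs `approve` are forbidden"; "Use of the verb `approve` is forbidden for signers." is correct.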
