-
Notifications
You must be signed in to change notification settings - Fork 249
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add policy Restrict Cluster Role CSR (#1077)
* Added policy for restricting clusterroles for CSR's, along with unit tests, chainsaw tests and artifacthub-pkg.yaml Signed-off-by: nsagark <[email protected]> * updated the policy with annotations and validation failure action Signed-off-by: nsagark <[email protected]> * updated the sha256sum on the artifacthub-pkg.yaml Signed-off-by: nsagark <[email protected]> * Update other/restrict-clusterrole-csr/artifacthub-pkg.yaml Signed-off-by: Chip Zoller <[email protected]> * Update other/restrict-clusterrole-csr/artifacthub-pkg.yaml Signed-off-by: Chip Zoller <[email protected]> * Update other/restrict-clusterrole-csr/artifacthub-pkg.yaml Signed-off-by: Chip Zoller <[email protected]> --------- Signed-off-by: nsagark <[email protected]> Signed-off-by: Chip Zoller <[email protected]> Co-authored-by: Chip Zoller <[email protected]>
- Loading branch information
1 parent
18f71ab
commit 3c6044b
Showing
8 changed files
with
190 additions
and
0 deletions.
There are no files selected for viewing
6 changes: 6 additions & 0 deletions
6
other/restrict-clusterrole-csr/.chainsaw-test/chainsaw-step-01-assert-1.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: restrict-clusterrole-csr | ||
status: | ||
ready: true |
29 changes: 29 additions & 0 deletions
29
other/restrict-clusterrole-csr/.chainsaw-test/chainsaw-test.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
apiVersion: chainsaw.kyverno.io/v1alpha1 | ||
kind: Test | ||
metadata: | ||
name: restrict-clusterrole-csr | ||
spec: | ||
steps: | ||
- name: step-01 | ||
try: | ||
- apply: | ||
file: ../restrict-clusterrole-csr.yaml | ||
- patch: | ||
resource: | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: restrict-clusterrole-csr | ||
spec: | ||
validationFailureAction: Enforce | ||
- assert: | ||
file: chainsaw-step-01-assert-1.yaml | ||
- name: step-02 | ||
try: | ||
- apply: | ||
file: non-violating-clusterrole.yaml | ||
- apply: | ||
expect: | ||
- check: | ||
($error != null): true | ||
file: violating-clusterrole.yaml |
11 changes: 11 additions & 0 deletions
11
other/restrict-clusterrole-csr/.chainsaw-test/non-violating-clusterrole.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: non-violating-clusterrole | ||
rules: | ||
- apiGroups: [""] | ||
resources: ["certificatesigningrequests/approval"] | ||
verbs: ["get", "list"] | ||
- apiGroups: [""] | ||
resources: ["signers"] | ||
verbs: ["get", "list"] |
11 changes: 11 additions & 0 deletions
11
other/restrict-clusterrole-csr/.chainsaw-test/violating-clusterrole.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: violating-clusterrole | ||
rules: | ||
- apiGroups: [""] | ||
resources: ["certificatesigningrequests/approval"] | ||
verbs: ["update", "approve"] | ||
- apiGroups: [""] | ||
resources: ["signers"] | ||
verbs: ["approve"] |
33 changes: 33 additions & 0 deletions
33
other/restrict-clusterrole-csr/.kyverno-test/kyverno-test.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
apiVersion: cli.kyverno.io/v1alpha1 | ||
kind: Test | ||
metadata: | ||
name: restrict-clusterrole-csr | ||
policies: | ||
- ../restrict-clusterrole-csr.yaml | ||
resources: | ||
- resource.yaml | ||
results: | ||
- kind: ClusterRole | ||
policy: restrict-clusterrole-csr | ||
resources: | ||
- violating-clusterrole | ||
result: fail | ||
rule: certificatesigningrequests-update-prevention | ||
- kind: ClusterRole | ||
policy: restrict-clusterrole-csr | ||
resources: | ||
- violating-clusterrole | ||
result: fail | ||
rule: signers-approve-prevention | ||
- kind: ClusterRole | ||
policy: restrict-clusterrole-csr | ||
resources: | ||
- non-violating-clusterrole | ||
result: pass | ||
rule: certificatesigningrequests-update-prevention | ||
- kind: ClusterRole | ||
policy: restrict-clusterrole-csr | ||
resources: | ||
- non-violating-clusterrole | ||
result: pass | ||
rule: signers-approve-prevention |
24 changes: 24 additions & 0 deletions
24
other/restrict-clusterrole-csr/.kyverno-test/resource.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: violating-clusterrole | ||
rules: | ||
- apiGroups: [""] | ||
resources: ["certificatesigningrequests/approval"] | ||
verbs: ["update", "approve"] | ||
- apiGroups: [""] | ||
resources: ["signers"] | ||
verbs: ["approve"] | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: non-violating-clusterrole | ||
rules: | ||
- apiGroups: [""] | ||
resources: ["certificatesigningrequests/approval"] | ||
verbs: ["get", "list"] | ||
- apiGroups: [""] | ||
resources: ["signers"] | ||
verbs: ["get", "list"] | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
name: restrict-clusterrole-csr | ||
version: 1.0.0 | ||
displayName: Restrict Clusterrole for Certificate Signing Requests (CSR's) | ||
createdAt: "2024-07-17T20:30:05.000Z" | ||
description: >- | ||
ClusterRoles that grant permissions to approve CertificateSigningRequests should be minimized to reduce powerful identities in the cluster. Approving CertificateSigningRequests allows one to issue new credentials for any user or group. As such, ClusterRoles that grant permissions to approve CertificateSigningRequests are granting cluster admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that if compromised could take over the entire cluster. For more information, refer to https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized. | ||
install: |- | ||
```shell | ||
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/restrict-clusterrole-csr/restrict-clusterrole-csr.yaml | ||
``` | ||
keywords: | ||
- kyverno | ||
- Other | ||
readme: | | ||
ClusterRoles that grant permissions to approve CertificateSigningRequests should be minimized to reduce powerful identities in the cluster. Approving CertificateSigningRequests allows one to issue new credentials for any user or group. As such, ClusterRoles that grant permissions to approve CertificateSigningRequests are granting cluster admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that if compromised could take over the entire cluster. For more information, refer to https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized. | ||
Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ | ||
annotations: | ||
kyverno/category: "Other" | ||
kyverno/subject: "ClusterRole" | ||
digest: c36b162b694005bbdf84f61f70c86b7ddbaf2dd9d428023c132570df7fd18854 |
55 changes: 55 additions & 0 deletions
55
other/restrict-clusterrole-csr/restrict-clusterrole-csr.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: restrict-clusterrole-csr | ||
annotations: | ||
policies.kyverno.io/title: Restrict Cluster Role CSR | ||
policies.kyverno.io/category: Other | ||
policies.kyverno.io/severity: medium | ||
policies.kyverno.io/subject: ClusterRole | ||
kyverno.io/kyverno-version: 1.11.5 | ||
kyverno.io/kubernetes-version: "1.27" | ||
policies.kyverno.io/description: >- | ||
ClusterRoles that grant permissions to approve CertificateSigningRequests should be minimized to reduce powerful identities in the cluster. Approving CertificateSigningRequests allows one to issue new credentials for any user or group. As such, ClusterRoles that grant permissions to approve CertificateSigningRequests are granting cluster admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that if compromised could take over the entire cluster. For more information, refer to https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized. | ||
spec: | ||
validationFailureAction: Audit | ||
background: true | ||
rules: | ||
- name: certificatesigningrequests-update-prevention | ||
match: | ||
any: | ||
- resources: | ||
kinds: | ||
- ClusterRole | ||
validate: | ||
message: "Use of verbs `update` and `patch` are forbidden for certificatesigningrequests/approval." | ||
foreach: | ||
- list: "request.object.rules[?resources.contains(@,'certificatesigningrequests/approval')]" | ||
deny: | ||
conditions: | ||
any: | ||
- key: ["update", "patch"] | ||
operator: AnyIn | ||
value: "{{ element.verbs[] }}" | ||
- key: "{{ contains(element.verbs[], '*') }}" | ||
operator: Equals | ||
value: true | ||
- name: signers-approve-prevention | ||
match: | ||
any: | ||
- resources: | ||
kinds: | ||
- ClusterRole | ||
validate: | ||
message: "Use of verbs `approve` are forbidden for signers." | ||
foreach: | ||
- list: "request.object.rules[?resources.contains(@,'signers')]" | ||
deny: | ||
conditions: | ||
any: | ||
- key: ["approve"] | ||
operator: AnyIn | ||
value: "{{ element.verbs[] }}" | ||
- key: "{{ contains(element.verbs[], '*') }}" | ||
operator: Equals | ||
value: true |