Add policy Restrict Clusterrole for Mutating and Validating Admission…

… Webhooks (#1068)

* Adding files for restrict-clusterrole-mutating-validating-admission-webhooks policy

Signed-off-by: nsagark <[email protected]>

* Updated the policy and the artifacthub-pkg.yml

Signed-off-by: nsagark <[email protected]>

* added the missing annotations and updated the artifacthub-pkg.yml

Signed-off-by: nsagark <[email protected]>

* Updated the digest in the artifacthub-pkg.yml

Signed-off-by: nsagark <[email protected]>

* Updated the digest in the artifacthub-pkg.yml

Signed-off-by: nsagark <[email protected]>

---------

Signed-off-by: nsagark <[email protected]>
Co-authored-by: Chip Zoller <[email protected]>

other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/chainsaw-step-01-assert-1.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-clusterrole-mutating-validating-admission-webhooks
+status:
+  ready: true

other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,31 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: restrict-clusterrole-mutating-validating-admission-webhooks
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../restrict-clusterrole-mutating-validating-admission-webhooks.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: restrict-clusterrole-mutating-validating-admission-webhooks
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: chainsaw-step-01-assert-1.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: non-violating-clusterrole.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: violating-clusterrole.yaml

other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/non-violating-clusterrole.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: non-violating-clusterrole
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+  verbs: ["get", "list", "watch"]

other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/violating-clusterrole.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: violating-clusterrole
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+  verbs: ["create", "update", "patch"]

other/restrict-clusterrole-mutating-validating-admission-webhooks/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,21 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: restrict-clusterrole-mutating-validating-admission-webhooks
+policies:
+- ../restrict-clusterrole-mutating-validating-admission-webhooks.yaml
+resources:
+- resource.yaml
+results:
+- kind: ClusterRole
+  policy: restrict-clusterrole-mutating-validating-admission-webhooks
+  resources:
+  - non-violating-clusterrole
+  result: pass
+  rule: restrict-clusterrole
+- kind: ClusterRole
+  policy: restrict-clusterrole-mutating-validating-admission-webhooks
+  resources:
+  - violating-clusterrole
+  result: fail
+  rule: restrict-clusterrole

other/restrict-clusterrole-mutating-validating-admission-webhooks/.kyverno-test/resource.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: non-violating-clusterrole
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: violating-clusterrole
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+  verbs: ["create", "update", "patch"]
+

other/restrict-clusterrole-mutating-validating-admission-webhooks/artifacthub-pkg.yml

@@ -0,0 +1,21 @@
+name: restrict-clusterrole-mutating-validating-admission-webhooks
+version: 1.0.0
+displayName: Restrict Clusterrole for Mutating and Validating Admission Webhooks
+createdAt: "2024-05-19T20:30:05.000Z"
+description: >-
+  ClusterRoles that grant write permissions over admission webhook should be minimized to reduce powerful identities in the cluster. This policy checks to ensure write permissions are not provided to admission webhooks.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/restrict-clusterrole-mutating-validating-admission-webhooks/restrict-clusterrole-mutating-validating-admission-webhooks.yaml
+  ```
+keywords:
+- kyverno
+- Other
+readme: |
+  ClusterRoles that grant write permissions over admission webhook should be minimized to reduce powerful identities in the cluster. This policy checks to ensure write permissions are not provided to admission webhooks.
+
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Other"
+  kyverno/subject: "ClusterRole"
+digest: 3ebafd2ea6b0db34271461525d00cb97805c3ba8a97e928db056bb6e65dbf01b

other/restrict-clusterrole-mutating-validating-admission-webhooks/restrict-clusterrole-mutating-validating-admission-webhooks.yaml

@@ -0,0 +1,50 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-clusterrole-mutating-validating-admission-webhooks
+  annotations:
+    policies.kyverno.io/title: Restrict Clusterrole for Mutating and Validating Admission Webhooks
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.10.7
+    kyverno.io/kubernetes-version: "1.27"
+    policies.kyverno.io/subject: ClusterRole
+    policies.kyverno.io/description: >-
+      ClusterRoles that grant write permissions over admission webhook should be minimized to reduce powerful identities in the cluster. This policy checks to ensure write permissions are not provided to admission webhooks.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+  - name: restrict-clusterrole
+    match:
+      any:
+      - resources:
+          kinds:
+          - ClusterRole
+    validate:
+      message: "Use of verbs `create`, `update`, and `patch` are forbidden for mutating and validating admission webhooks"
+      foreach:
+      - list: "request.object.rules[]"
+        deny:
+          conditions:
+            all:
+            - key: "{{ element.apiGroups || '' }}"
+              operator: AnyIn
+              value:
+              - admissionregistration.k8s.io
+            - key: "{{ element.resources || '' }}"
+              operator: AnyIn
+              value:
+              - mutatingwebhookconfigurations
+              - validatingwebhookconfigurations
+            any:
+            - key: "{{ element.verbs }}"
+              operator: AnyIn
+              value:
+              - create
+              - update
+              - patch
+            - key: "{{ contains(element.verbs[], '*') }}"
+              operator: Equals
+              value: true
+