Merge branch 'main' into miscellaneous-policies-cel-part-4

best-practices-cel/check-deprecated-apis/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,27 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: check-deprecated-apis
+policies:
+- ../check-deprecated-apis.yaml
+resources:
+- resource.yaml
+results:
+- kind: CronJob
+  policy: check-deprecated-apis
+  resources:
+  - bad-cronjob
+  result: fail
+  rule: validate-v1-25-removals
+- kind: CronJob
+  policy: check-deprecated-apis
+  resources:
+  - good-cronjob
+  result: skip
+  rule: validate-v1-25-removals
+- kind: FlowSchema
+  policy: check-deprecated-apis
+  resources:
+  - bad-flowschema
+  result: fail
+  rule: validate-v1-29-removals

best-practices-cel/check-deprecated-apis/.kyverno-test/resource.yaml

@@ -0,0 +1,52 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: bad-cronjob
+spec:
+  schedule: "* * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: hello
+            image: busybox:1.28
+            imagePullPolicy: IfNotPresent
+            command:
+            - /bin/sh
+            - -c
+            - date; echo Hello from the Kubernetes cluster
+          restartPolicy: OnFailure
+
+---
+
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: good-cronjob
+spec:
+  schedule: "* * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: hello
+            image: busybox:1.28
+            imagePullPolicy: IfNotPresent
+            command:
+            - /bin/sh
+            - -c
+            - date; echo Hello from the Kubernetes cluster
+          restartPolicy: OnFailure
+
+---
+apiVersion: flowcontrol.apiserver.k8s.io/v1beta2
+kind: FlowSchema
+metadata:
+  name: bad-flowschema
+spec:
+  matchingPrecedence: 1000
+  priorityLevelConfiguration:
+    name: exempt
+

best-practices-cel/check-deprecated-apis/artifacthub-pkg.yml

@@ -0,0 +1,23 @@
+name: check-deprecated-apis-cel
+version: 1.0.0
+displayName: Check deprecated APIs in CEL expressions
+description: >-
+  Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. PodSecurityPolicy is removed in v1.25 so therefore the validate-v1-25-removals rule may not completely work on 1.25+. 
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml
+  ```
+keywords:
+  - kyverno
+  - Best Practices
+  - CEL Expressions
+readme: |
+  Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. PodSecurityPolicy is removed in v1.25 so therefore the validate-v1-25-removals rule may not completely work on 1.25+. 
+  
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Best Practices in CEL"
+  kyverno/kubernetesVersion: "1.26-1.27"
+  kyverno/subject: "Kubernetes APIs"
+digest: da368de7982e748983a14198e8f8ef46d455023e8938031444f832919fabba6e
+createdAt: "2024-05-31T09:44:23Z"

best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml

@@ -0,0 +1,95 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-deprecated-apis
+  annotations:
+    policies.kyverno.io/title: Check deprecated APIs in CEL expressions
+    policies.kyverno.io/category: Best Practices in CEL 
+    policies.kyverno.io/subject: Kubernetes APIs
+    kyverno.io/kyverno-version: 1.12.1
+    kyverno.io/kubernetes-version: "1.26-1.27"
+    policies.kyverno.io/description: >-
+      Kubernetes APIs are sometimes deprecated and removed after a few releases.
+      As a best practice, older API versions should be replaced with newer versions.
+      This policy validates for APIs that are deprecated or scheduled for removal.
+      Note that checking for some of these resources may require modifying the Kyverno
+      ConfigMap to remove filters. PodSecurityPolicy is removed in v1.25
+      so therefore the validate-v1-25-removals rule may not completely work on 1.25+.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+  - name: validate-v1-25-removals
+    match:
+      any:
+      - resources:
+          # NOTE: PodSecurityPolicy is completely removed in 1.25.
+          kinds:
+          - batch/*/CronJob
+          - discovery.k8s.io/*/EndpointSlice
+          - events.k8s.io/*/Event
+          - policy/*/PodDisruptionBudget
+          - policy/*/PodSecurityPolicy
+          - node.k8s.io/*/RuntimeClass
+    celPreconditions:
+      - name: "allowed-api-versions"
+        expression: "object.apiVersion in ['batch/v1beta1', 'discovery.k8s.io/v1beta1', 'events.k8s.io/v1beta1', 'policy/v1beta1', 'node.k8s.io/v1beta1']"
+    validate:
+      cel:
+        expressions:
+          - expression: "false"
+            messageExpression: >-
+              object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.25.
+              See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/'
+  - name: validate-v1-26-removals
+    match:
+      any:
+      - resources:
+          kinds:
+          - flowcontrol.apiserver.k8s.io/*/FlowSchema
+          - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
+          - autoscaling/*/HorizontalPodAutoscaler
+    celPreconditions:
+      - name: "allowed-api-versions"
+        expression: "object.apiVersion in ['flowcontrol.apiserver.k8s.io/v1beta1', 'autoscaling/v2beta2']"
+    validate:
+      cel:
+        expressions:
+          - expression: "false"
+            messageExpression: >-
+              object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.26.
+              See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/'
+  - name: validate-v1-27-removals
+    match:
+      any:
+      - resources:
+          kinds:
+          - storage.k8s.io/*/CSIStorageCapacity
+    celPreconditions:
+      - name: "allowed-api-versions"
+        expression: "object.apiVersion in ['storage.k8s.io/v1beta1']"
+    validate:
+      cel:
+        expressions:
+          - expression: "false"
+            messageExpression: >-
+              object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.27.
+              See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/'
+  - name: validate-v1-29-removals
+    match:
+      any:
+      - resources:
+          kinds:
+          - flowcontrol.apiserver.k8s.io/*/FlowSchema
+          - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
+    celPreconditions:
+      - name: "object.apiVersion"
+        expression: "object.apiVersion in ['flowcontrol.apiserver.k8s.io/v1beta2']"
+    validate:
+      cel:
+        expressions:
+          - expression: "false"
+            messageExpression: >-
+              object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.29.
+              See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/'
+  

best-practices/require-pod-requests-limits/artifacthub-pkg.yml

@@ -19,4 +19,4 @@ readme: |
 annotations:
   kyverno/category: "Best Practices, EKS Best Practices"
   kyverno/subject: "Pod"
-digest: 6fba669ac94197333cb28249ab01deb6461cc6f909645b721fe66bef78d674ec
+digest: bc2fa8b9aed1893274a8bc60abd34fdbe5fbc25d032b7be74214cc1496b77ce1

best-practices/require-pod-requests-limits/require-pod-requests-limits.yaml

@@ -16,7 +16,7 @@ metadata:
       This policy validates that all containers have something specified for memory and CPU
       requests and memory limits.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: validate-resources
@@ -26,10 +26,24 @@ spec:
           kinds:
           - Pod
     validate:
-      message: "CPU and memory resource requests and limits are required."
+      message: "CPU and memory resource requests and memory limits are required for containers."
       pattern:
         spec:
           containers:
+          - resources:
+              requests:
+                memory: "?*"
+                cpu: "?*"
+              limits:
+                memory: "?*"
+          =(initContainers):
+          - resources:
+              requests:
+                memory: "?*"
+                cpu: "?*"
+              limits:
+                memory: "?*"
+          =(ephemeralContainers):
           - resources:
               requests:
                 memory: "?*"

other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/chainsaw-step-01-assert-1.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-clusterrole-mutating-validating-admission-webhooks
+status:
+  ready: true

other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,31 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: restrict-clusterrole-mutating-validating-admission-webhooks
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../restrict-clusterrole-mutating-validating-admission-webhooks.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: restrict-clusterrole-mutating-validating-admission-webhooks
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: chainsaw-step-01-assert-1.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: non-violating-clusterrole.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: violating-clusterrole.yaml

other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/non-violating-clusterrole.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: non-violating-clusterrole
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+  verbs: ["get", "list", "watch"]

other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/violating-clusterrole.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: violating-clusterrole
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+  verbs: ["create", "update", "patch"]

other/restrict-clusterrole-mutating-validating-admission-webhooks/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,21 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: restrict-clusterrole-mutating-validating-admission-webhooks
+policies:
+- ../restrict-clusterrole-mutating-validating-admission-webhooks.yaml
+resources:
+- resource.yaml
+results:
+- kind: ClusterRole
+  policy: restrict-clusterrole-mutating-validating-admission-webhooks
+  resources:
+  - non-violating-clusterrole
+  result: pass
+  rule: restrict-clusterrole
+- kind: ClusterRole
+  policy: restrict-clusterrole-mutating-validating-admission-webhooks
+  resources:
+  - violating-clusterrole
+  result: fail
+  rule: restrict-clusterrole

other/restrict-clusterrole-mutating-validating-admission-webhooks/.kyverno-test/resource.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: non-violating-clusterrole
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: violating-clusterrole
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+  verbs: ["create", "update", "patch"]
+

other/restrict-clusterrole-mutating-validating-admission-webhooks/artifacthub-pkg.yml

@@ -0,0 +1,21 @@
+name: restrict-clusterrole-mutating-validating-admission-webhooks
+version: 1.0.0
+displayName: Restrict Clusterrole for Mutating and Validating Admission Webhooks
+createdAt: "2024-05-19T20:30:05.000Z"
+description: >-
+  ClusterRoles that grant write permissions over admission webhook should be minimized to reduce powerful identities in the cluster. This policy checks to ensure write permissions are not provided to admission webhooks.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/restrict-clusterrole-mutating-validating-admission-webhooks/restrict-clusterrole-mutating-validating-admission-webhooks.yaml
+  ```
+keywords:
+- kyverno
+- Other
+readme: |
+  ClusterRoles that grant write permissions over admission webhook should be minimized to reduce powerful identities in the cluster. This policy checks to ensure write permissions are not provided to admission webhooks.
+
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Other"
+  kyverno/subject: "ClusterRole"
+digest: 3ebafd2ea6b0db34271461525d00cb97805c3ba8a97e928db056bb6e65dbf01b