diff --git a/best-practices-cel/check-deprecated-apis/.kyverno-test/kyverno-test.yaml b/best-practices-cel/check-deprecated-apis/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..7b7f6b6b4 --- /dev/null +++ b/best-practices-cel/check-deprecated-apis/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,27 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: check-deprecated-apis +policies: +- ../check-deprecated-apis.yaml +resources: +- resource.yaml +results: +- kind: CronJob + policy: check-deprecated-apis + resources: + - bad-cronjob + result: fail + rule: validate-v1-25-removals +- kind: CronJob + policy: check-deprecated-apis + resources: + - good-cronjob + result: skip + rule: validate-v1-25-removals +- kind: FlowSchema + policy: check-deprecated-apis + resources: + - bad-flowschema + result: fail + rule: validate-v1-29-removals diff --git a/best-practices-cel/check-deprecated-apis/.kyverno-test/resource.yaml b/best-practices-cel/check-deprecated-apis/.kyverno-test/resource.yaml new file mode 100644 index 000000000..c62c18ee1 --- /dev/null +++ b/best-practices-cel/check-deprecated-apis/.kyverno-test/resource.yaml 
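Review bot: The expected results cover only validate-v1-25-removals and validate-v1-29-removals; validate-v1-26-removals and validate-v1-27-removals have no resource in resource.yaml and no entry in this file, and there is no current-version FlowSchema to show that the v1-29 rule reports `skip` the way good-cronjob does for the v1-25 rule. Adding a `flowcontrol.apiserver.k8s.io/v1beta1` FlowSchema (expected `result: fail` on `validate-v1-26-removals`), a `storage.k8s.io/v1beta1` CSIStorageCapacity (expected `result: fail` on `validate-v1-27-removals`) and a `flowcontrol.apiserver.k8s.io/v1` FlowSchema (expected `result: skip` on `validate-v1-29-removals`) would give every rule a positive and a negative case. The fixture in the next hunk also ends with a whitespace-only line and no trailing newline, which yamllint will flag.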
@@ -0,0 +1,52 @@ +apiVersion: batch/v1beta1 +kind: CronJob +metadata: + name: bad-cronjob +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: hello + image: busybox:1.28 + imagePullPolicy: IfNotPresent + command: + - /bin/sh + - -c + - date; echo Hello from the Kubernetes cluster + restartPolicy: OnFailure + +--- + +apiVersion: batch/v1 +kind: CronJob +metadata: + name: good-cronjob +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: hello + image: busybox:1.28 + imagePullPolicy: IfNotPresent + command: + - /bin/sh + - -c + - date; echo Hello from the Kubernetes cluster + restartPolicy: OnFailure + +--- +apiVersion: flowcontrol.apiserver.k8s.io/v1beta2 +kind: FlowSchema +metadata: + name: bad-flowschema +spec: + matchingPrecedence: 1000 + priorityLevelConfiguration: + name: exempt + \ No newline at end of file diff --git a/best-practices-cel/check-deprecated-apis/artifacthub-pkg.yml b/best-practices-cel/check-deprecated-apis/artifacthub-pkg.yml new file mode 100644 index 000000000..1c20b08fa --- /dev/null +++ b/best-practices-cel/check-deprecated-apis/artifacthub-pkg.yml 
@@ -0,0 +1,23 @@ +name: check-deprecated-apis-cel +version: 1.0.0 +displayName: Check deprecated APIs in CEL expressions +description: >- + Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. PodSecurityPolicy is removed in v1.25 so therefore the validate-v1-25-removals rule may not completely work on 1.25+. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml + ``` +keywords: + - kyverno + - Best Practices + - CEL Expressions +readme: | + Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. PodSecurityPolicy is removed in v1.25 so therefore the validate-v1-25-removals rule may not completely work on 1.25+. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Best Practices in CEL" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "Kubernetes APIs" +digest: da368de7982e748983a14198e8f8ef46d455023e8938031444f832919fabba6e +createdAt: "2024-05-31T09:44:23Z" diff --git a/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml b/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml new file mode 100644 index 000000000..f01488b1e --- /dev/null +++ b/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml 
@@ -0,0 +1,95 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-deprecated-apis + annotations: + policies.kyverno.io/title: Check deprecated APIs in CEL expressions + policies.kyverno.io/category: Best Practices in CEL + policies.kyverno.io/subject: Kubernetes APIs + kyverno.io/kyverno-version: 1.12.1 + kyverno.io/kubernetes-version: "1.26-1.27" + policies.kyverno.io/description: >- + Kubernetes APIs are sometimes deprecated and removed after a few releases. + As a best practice, older API versions should be replaced with newer versions. + This policy validates for APIs that are deprecated or scheduled for removal. + Note that checking for some of these resources may require modifying the Kyverno + ConfigMap to remove filters. PodSecurityPolicy is removed in v1.25 + so therefore the validate-v1-25-removals rule may not completely work on 1.25+. +spec: + validationFailureAction: Audit + background: true + rules: + - name: validate-v1-25-removals + match: + any: + - resources: + # NOTE: PodSecurityPolicy is completely removed in 1.25. + kinds: + - batch/*/CronJob + - discovery.k8s.io/*/EndpointSlice + - events.k8s.io/*/Event + - policy/*/PodDisruptionBudget + - policy/*/PodSecurityPolicy + - node.k8s.io/*/RuntimeClass + celPreconditions: + - name: "allowed-api-versions" + expression: "object.apiVersion in ['batch/v1beta1', 'discovery.k8s.io/v1beta1', 'events.k8s.io/v1beta1', 'policy/v1beta1', 'node.k8s.io/v1beta1']" + validate: + cel: + expressions: + - expression: "false" + messageExpression: >- + object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.25. 
+ See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/' + - name: validate-v1-26-removals + match: + any: + - resources: + kinds: + - flowcontrol.apiserver.k8s.io/*/FlowSchema + - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration + - autoscaling/*/HorizontalPodAutoscaler + celPreconditions: + - name: "allowed-api-versions" + expression: "object.apiVersion in ['flowcontrol.apiserver.k8s.io/v1beta1', 'autoscaling/v2beta2']" + validate: + cel: + expressions: + - expression: "false" + messageExpression: >- + object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.26. + See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/' + - name: validate-v1-27-removals + match: + any: + - resources: + kinds: + - storage.k8s.io/*/CSIStorageCapacity + celPreconditions: + - name: "allowed-api-versions" + expression: "object.apiVersion in ['storage.k8s.io/v1beta1']" + validate: + cel: + expressions: + - expression: "false" + messageExpression: >- + object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.27. + See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/' + - name: validate-v1-29-removals + match: + any: + - resources: + kinds: + - flowcontrol.apiserver.k8s.io/*/FlowSchema + - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration + celPreconditions: + - name: "object.apiVersion" + expression: "object.apiVersion in ['flowcontrol.apiserver.k8s.io/v1beta2']" + validate: + cel: + expressions: + - expression: "false" + messageExpression: >- + object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.29. + See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/' + diff --git a/best-practices/require-pod-requests-limits/artifacthub-pkg.yml b/best-practices/require-pod-requests-limits/artifacthub-pkg.yml index d5dec6926..c09dc9d67 100644 --- a/best-practices/require-pod-requests-limits/artifacthub-pkg.yml 
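Review bot: The celPreconditions entry in validate-v1-29-removals is named `object.apiVersion`, while the three rules above it name theirs `allowed-api-versions`; the name is only a label, so `- name: "allowed-api-versions"` keeps the four rules consistent and stops the name from reading like an expression. The `kyverno.io/kubernetes-version: "1.26-1.27"` annotation in metadata also does not cover the v1.29 removals that the last rule checks. One caveat is worth a sentence in the description, hedged because it depends on the cluster: once a cluster has reached the removal version the API server refuses the old apiVersion before admission runs, so these rules presumably only fire on older clusters, in background scans of stored objects, or when the policy is run against manifests with the Kyverno CLI.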
+++ b/best-practices/require-pod-requests-limits/artifacthub-pkg.yml @@ -19,4 +19,4 @@ readme: | annotations: kyverno/category: "Best Practices, EKS Best Practices" kyverno/subject: "Pod" -digest: 6fba669ac94197333cb28249ab01deb6461cc6f909645b721fe66bef78d674ec +digest: bc2fa8b9aed1893274a8bc60abd34fdbe5fbc25d032b7be74214cc1496b77ce1 diff --git a/best-practices/require-pod-requests-limits/require-pod-requests-limits.yaml b/best-practices/require-pod-requests-limits/require-pod-requests-limits.yaml index 652e46f85..b36c4b8de 100644 --- a/best-practices/require-pod-requests-limits/require-pod-requests-limits.yaml +++ b/best-practices/require-pod-requests-limits/require-pod-requests-limits.yaml @@ -16,7 +16,7 @@ metadata: This policy validates that all containers have something specified for memory and CPU requests and memory limits. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: validate-resources @@ -26,10 +26,24 @@ spec: kinds: - Pod validate: - message: "CPU and memory resource requests and limits are required." + message: "CPU and memory resource requests and memory limits are required for containers." pattern: spec: containers: + - resources: + requests: + memory: "?*" + cpu: "?*" + limits: + memory: "?*" + =(initContainers): + - resources: + requests: + memory: "?*" + cpu: "?*" + limits: + memory: "?*" + =(ephemeralContainers): - resources: requests: memory: "?*" diff --git a/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100644 index 000000000..5f5432cb0 --- /dev/null +++ b/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/chainsaw-step-01-assert-1.yaml 
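Review bot: The new `=(ephemeralContainers)` block requires `resources.requests` and `resources.limits` on ephemeral containers, but the Pod API does not accept `resources` on an ephemeral container (the EphemeralContainer reference documents the field as not allowed), so no pod carrying one can satisfy this pattern. In Audit mode that makes every pod with a debug container an unavoidable report violation, and in Enforce mode it would block ephemeral-container injection outright if Kyverno evaluates the rule for that subresource. I would remove the `=(ephemeralContainers):` line and the seven pattern lines under it, keeping `containers` and the new `=(initContainers)` block, which looks correct and now matches the reworded message. Note that the hunk's trailing context lines (`- resources:`, `requests:`, `memory: "?*"`) are what now sits under `=(ephemeralContainers)`, and the rest of that pattern is outside the hunk.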
@@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-clusterrole-mutating-validating-admission-webhooks +status: + ready: true diff --git a/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/chainsaw-test.yaml b/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/chainsaw-test.yaml new file mode 100644 index 000000000..c834989ea --- /dev/null +++ b/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,31 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: restrict-clusterrole-mutating-validating-admission-webhooks +spec: + steps: + - name: step-01 + try: + - apply: + file: ../restrict-clusterrole-mutating-validating-admission-webhooks.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: restrict-clusterrole-mutating-validating-admission-webhooks + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: non-violating-clusterrole.yaml + - apply: + expect: + - check: + ($error != null): true + file: violating-clusterrole.yaml diff --git a/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/non-violating-clusterrole.yaml b/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/non-violating-clusterrole.yaml new file mode 100644 index 000000000..442ff536e --- /dev/null +++ b/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/non-violating-clusterrole.yaml 
@@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: non-violating-clusterrole +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] + verbs: ["get", "list", "watch"] diff --git a/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/violating-clusterrole.yaml b/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/violating-clusterrole.yaml new file mode 100644 index 000000000..42991b97a --- /dev/null +++ b/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/violating-clusterrole.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: violating-clusterrole +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] + verbs: ["create", "update", "patch"] diff --git a/other/restrict-clusterrole-mutating-validating-admission-webhooks/.kyverno-test/kyverno-test.yaml b/other/restrict-clusterrole-mutating-validating-admission-webhooks/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..9049cfb16 --- /dev/null +++ b/other/restrict-clusterrole-mutating-validating-admission-webhooks/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,21 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-clusterrole-mutating-validating-admission-webhooks +policies: +- ../restrict-clusterrole-mutating-validating-admission-webhooks.yaml +resources: +- resource.yaml +results: +- kind: ClusterRole + policy: restrict-clusterrole-mutating-validating-admission-webhooks + resources: + - non-violating-clusterrole + result: pass + rule: restrict-clusterrole +- kind: ClusterRole + policy: restrict-clusterrole-mutating-validating-admission-webhooks + resources: + - violating-clusterrole + result: fail + rule: restrict-clusterrole diff --git a/other/restrict-clusterrole-mutating-validating-admission-webhooks/.kyverno-test/resource.yaml b/other/restrict-clusterrole-mutating-validating-admission-webhooks/.kyverno-test/resource.yaml new file mode 100644 index 000000000..07fc9bfd9 --- /dev/null +++ b/other/restrict-clusterrole-mutating-validating-admission-webhooks/.kyverno-test/resource.yaml @@ -0,0 +1,25 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: non-violating-clusterrole +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: violating-clusterrole +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] + verbs: ["create", "update", "patch"] + diff --git a/other/restrict-clusterrole-mutating-validating-admission-webhooks/artifacthub-pkg.yml b/other/restrict-clusterrole-mutating-validating-admission-webhooks/artifacthub-pkg.yml new file mode 100644 index 000000000..0f21b043c --- /dev/null 
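Review bot: The two fixtures exercise only the literal-verb path of the deny; the policy's second `any` condition, `contains(element.verbs[], '*')`, has no test, so a regression there would go unnoticed. A third ClusterRole in resource.yaml with `verbs: ["*"]` on the same webhook resources, plus a matching `result: fail` entry for `rule: restrict-clusterrole` here, covers it. The resource.yaml hunk on this line also ends with an extra blank line after the last rule.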
+++ b/other/restrict-clusterrole-mutating-validating-admission-webhooks/artifacthub-pkg.yml @@ -0,0 +1,21 @@ +name: restrict-clusterrole-mutating-validating-admission-webhooks +version: 1.0.0 +displayName: Restrict Clusterrole for Mutating and Validating Admission Webhooks +createdAt: "2024-05-19T20:30:05.000Z" +description: >- + ClusterRoles that grant write permissions over admission webhook should be minimized to reduce powerful identities in the cluster. This policy checks to ensure write permissions are not provided to admission webhooks. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/restrict-clusterrole-mutating-validating-admission-webhooks/restrict-clusterrole-mutating-validating-admission-webhooks.yaml + ``` +keywords: +- kyverno +- Other +readme: | + ClusterRoles that grant write permissions over admission webhook should be minimized to reduce powerful identities in the cluster. This policy checks to ensure write permissions are not provided to admission webhooks. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other" + kyverno/subject: "ClusterRole" +digest: 3ebafd2ea6b0db34271461525d00cb97805c3ba8a97e928db056bb6e65dbf01b diff --git a/other/restrict-clusterrole-mutating-validating-admission-webhooks/restrict-clusterrole-mutating-validating-admission-webhooks.yaml b/other/restrict-clusterrole-mutating-validating-admission-webhooks/restrict-clusterrole-mutating-validating-admission-webhooks.yaml new file mode 100644 index 000000000..f30b96e79 --- /dev/null +++ b/other/restrict-clusterrole-mutating-validating-admission-webhooks/restrict-clusterrole-mutating-validating-admission-webhooks.yaml 
@@ -0,0 +1,50 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-clusterrole-mutating-validating-admission-webhooks
+ annotations:
+ policies.kyverno.io/title: Restrict Clusterrole for Mutating and Validating Admission Webhooks
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/severity: medium
+ kyverno.io/kyverno-version: 1.10.7
+ kyverno.io/kubernetes-version: "1.27"
+ policies.kyverno.io/subject: ClusterRole
+ policies.kyverno.io/description: >-
+ ClusterRoles that grant write permissions over admission webhook should be minimized to reduce powerful identities in the cluster. This policy checks to ensure write permissions are not provided to admission webhooks.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: restrict-clusterrole
+ match:
+ any:
+ - resources:
+ kinds:
+ - ClusterRole
+ validate:
+ message: "Use of verbs `create`, `update`, and `patch` are forbidden for mutating and validating admission webhooks"
+ foreach:
+ - list: "request.object.rules[]"
+ deny:
+ conditions:
+ all:
+ - key: "{{ element.apiGroups || '' }}"
+ operator: AnyIn
+ value:
+ - admissionregistration.k8s.io
+ - key: "{{ element.resources || '' }}"
+ operator: AnyIn
+ value:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ any:
+ - key: "{{ element.verbs }}"
+ operator: AnyIn
+ value:
+ - create
+ - update
+ - patch
+ - key: "{{ contains(element.verbs[], '*') }}"
+ operator: Equals
+ value: true
+
diff --git a/windows-security/require-run-as-containeruser/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/windows-security/require-run-as-containeruser/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 000000000..9fb95c569
--- /dev/null
+++ b/windows-security/require-run-as-containeruser/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-run-as-containeruser
+status:
+ ready: true
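Review bot: The `all` block compares `element.apiGroups` and `element.resources` against literal names only, so a rule written as `apiGroups: ["*"]` or `resources: ["*"]` — which grants exactly the same write access to the webhook configurations — passes both conditions and is never denied (unless Kyverno expands a `*` on the key side of `AnyIn`, which I do not believe it does; the existing verbs condition already special-cases `*` for that reason). The verb list also stops at `create`/`update`/`patch`, yet `delete` and `deletecollection` on a ValidatingWebhookConfiguration remove an admission control entirely and are at least as sensitive. I would express the group and resource checks with `contains()` so wildcards are covered, keep the `|| ''` null guard for nonResourceURLs-only rules, and extend the verb list; the `message` should then mention `delete` as well. The rewritten conditions below replace the two `all` entries and the first `any` entry; the wildcard-verb condition stays as is.
```yaml
            conditions:
              all:
              - key: "{{ contains(element.apiGroups || '', 'admissionregistration.k8s.io') || contains(element.apiGroups || '', '*') }}"
                operator: Equals
                value: true
              - key: "{{ contains(element.resources || '', 'mutatingwebhookconfigurations') || contains(element.resources || '', 'validatingwebhookconfigurations') || contains(element.resources || '', '*') }}"
                operator: Equals
                value: true
              any:
              - key: "{{ element.verbs }}"
                operator: AnyIn
                value:
                - create
                - update
                - patch
                - delete
                - deletecollection
              # … unchanged: the contains(element.verbs[], '*') condition …
```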
diff --git a/windows-security/require-run-as-containeruser/.chainsaw-test/chainsaw-test.yaml b/windows-security/require-run-as-containeruser/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..93d87ea58 --- /dev/null +++ b/windows-security/require-run-as-containeruser/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,37 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-run-as-containeruser +spec: + steps: + - name: step-01 + try: + - apply: + file: ../require-run-as-containeruser.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: require-run-as-containeruser + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml diff --git a/windows-security/require-run-as-containeruser/.chainsaw-test/pod-bad.yaml b/windows-security/require-run-as-containeruser/.chainsaw-test/pod-bad.yaml new file mode 100644 index 000000000..bbade42c8 --- /dev/null +++ b/windows-security/require-run-as-containeruser/.chainsaw-test/pod-bad.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad-windows-pod +spec: + nodeSelector: + kubernetes.io/arch: amd64 + kubernetes.io/os: windows + securityContext: + windowsOptions: + hostProcess: true + runAsUserName: "NT AUTHORITY\\Local service" + hostNetwork: true + containers: + - name: windows-container + image: mcr.microsoft.com/windows/servercore:ltsc2019 + command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"] 
diff --git a/windows-security/require-run-as-containeruser/.chainsaw-test/pod-good.yaml b/windows-security/require-run-as-containeruser/.chainsaw-test/pod-good.yaml new file mode 100644 index 000000000..75c040c16 --- /dev/null +++ b/windows-security/require-run-as-containeruser/.chainsaw-test/pod-good.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: good-windows-pod +spec: + nodeSelector: + kubernetes.io/arch: amd64 + kubernetes.io/os: windows + securityContext: + runAsNonRoot: true + windowsOptions: + hostProcess: false + runAsUserName: "ContainerUser" + hostNetwork: false + containers: + - name: windows-container + image: mcr.microsoft.com/windows/servercore:ltsc2019 + command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"] diff --git a/windows-security/require-run-as-containeruser/.chainsaw-test/podcontroller-bad.yaml b/windows-security/require-run-as-containeruser/.chainsaw-test/podcontroller-bad.yaml new file mode 100644 index 000000000..97b454eaa --- /dev/null +++ b/windows-security/require-run-as-containeruser/.chainsaw-test/podcontroller-bad.yaml @@ -0,0 +1,26 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bad-windows-deployment +spec: + replicas: 1 + selector: + matchLabels: + app: windows-app + template: + metadata: + labels: + app: windows-app + spec: + nodeSelector: + kubernetes.io/arch: amd64 + kubernetes.io/os: windows + securityContext: + windowsOptions: + hostProcess: true + runAsUserName: "NT AUTHORITY\\Local service" + hostNetwork: true + containers: + - name: windows-container + image: mcr.microsoft.com/windows/servercore:ltsc2019 + command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"] diff --git a/windows-security/require-run-as-containeruser/.chainsaw-test/podcontroller-good.yaml b/windows-security/require-run-as-containeruser/.chainsaw-test/podcontroller-good.yaml new file mode 100644 index 000000000..5d8bbf602 --- /dev/null 
+++ b/windows-security/require-run-as-containeruser/.chainsaw-test/podcontroller-good.yaml @@ -0,0 +1,27 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: good-windows-deployment +spec: + replicas: 1 + selector: + matchLabels: + app: windows-app + template: + metadata: + labels: + app: windows-app + spec: + nodeSelector: + kubernetes.io/arch: amd64 + kubernetes.io/os: windows + securityContext: + runAsNonRoot: true + windowsOptions: + hostProcess: false + runAsUserName: "ContainerUser" + hostNetwork: false + containers: + - name: windows-container + image: mcr.microsoft.com/windows/servercore:ltsc2019 + command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"] diff --git a/windows-security/require-run-as-containeruser/artifacthub-pkg.yml b/windows-security/require-run-as-containeruser/artifacthub-pkg.yml new file mode 100644 index 000000000..d11205de7 --- /dev/null +++ b/windows-security/require-run-as-containeruser/artifacthub-pkg.yml 
@@ -0,0 +1,23 @@ +name: require-run-as-containeruser +version: 1.0.0 +displayName: Require runAsContainerUser (Windows) +createdAt: "2024-05-21T09:05:16.000Z" +description: >- + Containers must be required to run as ContainerUser. This policy ensures that the fields spec.securityContext.windowsOptions.runAsUserName, spec.containers[*].securityContext.windowsOptions.runAsUserName, spec.initContainers[*].securityContext.windowsOptions.runAsUserName is either unset or set to ContainerUser. + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/windows-security/require-run-as-containeruser/require-run-as-containeruser.yaml + ``` +keywords: + - kyverno + - Windows Security +readme: | + Containers must be required to run as ContainerUser. This policy ensures that the fields spec.securityContext.windowsOptions.runAsUserName, spec.containers[*].securityContext.windowsOptions.runAsUserName, spec.initContainers[*].securityContext.windowsOptions.runAsUserName is either unset or set to ContainerUser. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Windows Security" + kyverno/kubernetesVersion: "1.22-1.28" + kyverno/subject: "Pod" +digest: e51c72783f9c92d0ba3337d8e41bb5383b7ce15f583d7e1732ef75d7c1acd811 diff --git a/windows-security/require-run-as-containeruser/require-run-as-containeruser.yaml b/windows-security/require-run-as-containeruser/require-run-as-containeruser.yaml new file mode 100644 index 000000000..547bb2a34 --- /dev/null +++ b/windows-security/require-run-as-containeruser/require-run-as-containeruser.yaml 
@@ -0,0 +1,43 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-run-as-containeruser
+ annotations:
+ policies.kyverno.io/title: Require Run As ContainerUser (Windows)
+ policies.kyverno.io/category: Windows Security
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.6.0
+ kyverno.io/kubernetes-version: "1.22-1.28"
+ policies.kyverno.io/description: >-
+ Containers must be required to run as ContainerUser. This policy ensures that the fields
+ spec.securityContext.windowsOptions.runAsUserName,
+ spec.containers[*].securityContext.windowsOptions.runAsUserName,
+ spec.initContainers[*].securityContext.windowsOptions.runAsUserName,
+ and is either unset or set to ContainerUser.
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: require-run-as-containeruser
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ Running the container as ContainerAdministrator,NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE is not allowed.
+ pattern:
+ spec:
+ =(securityContext):
+ =(windowsOptions):
+ =(runAsUserName): "ContainerUser"
+ =(initContainers):
+ - =(securityContext):
+ =(windowsOptions):
+ =(runAsUserName): "ContainerUser"
+ containers:
+ - =(securityContext):
+ =(windowsOptions):
+ =(runAsUserName): "ContainerUser"
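Review bot: `validationFailureAction: audit` is lowercase here while this same commit normalizes the value to `Audit` in require-pod-requests-limits.yaml and the chainsaw test patches in `Enforce`; write `validationFailureAction: Audit` so the new policy follows the convention the commit itself establishes. The pattern covers `containers` and `=(initContainers)` but not `=(ephemeralContainers)`, which do accept a `securityContext` in the Pod API, so a debug container could run as ContainerAdministrator without tripping the rule; adding the same three-line `=(securityContext)` pattern under an `=(ephemeralContainers):` entry closes that, though whether it is evaluated for the `pods/ephemeralcontainers` subresource depends on how the match is configured. Two documentation nits in the hunk: the description ends `...runAsUserName, and is either unset or set to ContainerUser.` (stray `and` after the last field), and the message lacks a space after `ContainerAdministrator,`. The file ends with this hunk, so nothing of the rule lies outside it.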