From 720bc924d454042bd312c84626859201335dca21 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Tue, 21 May 2024 15:38:28 +0000
Subject: [PATCH 01/43] copy prevent-linkerd-pod-injection-override
Signed-off-by: Chandan-DK
---
 .../.chainsaw-test/bad-pod.yaml | 10 +++
 .../.chainsaw-test/bad-podcontrollers.yaml | 42 ++++++++++
 .../chainsaw-step-01-assert-1.yaml | 6 ++
 .../.chainsaw-test/chainsaw-test.yaml | 38 +++++++++
 .../.chainsaw-test/good-pod.yaml | 20 +++++
 .../.chainsaw-test/good-podcontrollers.yaml | 80 +++++++++++++++++++
 .../artifacthub-pkg.yml | 21 +++++
 ...revent-linkerd-pod-injection-override.yaml | 30 +++++++
 8 files changed, 247 insertions(+)
 create mode 100644 linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-pod.yaml
 create mode 100644 linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-podcontrollers.yaml
 create mode 100755 linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-step-01-assert-1.yaml
 create mode 100755 linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-test.yaml
 create mode 100644 linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-pod.yaml
 create mode 100644 linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml
 create mode 100644 linkerd-cel/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml
 create mode 100644 linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml
diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-pod.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-pod.yaml
new file mode 100644
index 000000000..2ffa3ce71
--- /dev/null
+++ b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-pod.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ linkerd.io/inject: disabled
+ name: badpod01
+spec:
+ containers:
+ - image: busybox:1.35
+ name: busybox
\ No newline at end of file
diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-podcontrollers.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-podcontrollers.yaml
new file mode 100644
index 000000000..0ef55981b
--- /dev/null
+++ b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-podcontrollers.yaml
@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: baddeploy01
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ template:
+ metadata:
+ labels:
+ app: busybox
+ annotations:
+ linkerd.io/inject: disabled
+ spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: badcronjob01
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ annotations:
+ linkerd.io/inject: disabled
+ spec:
+ containers:
+ - name: hello
+ image: busybox:1.35
+ command:
+ - "sleep"
+ - "3600"
+ restartPolicy: OnFailure
\ No newline at end of file
diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 000000000..2d21edf25
--- /dev/null
+++ b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: prevent-linkerd-pod-injection-override
+status:
+ ready: true
diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-test.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..e08af48c0
--- /dev/null
+++ b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,38 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: prevent-linkerd-pod-injection-override
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../prevent-linkerd-pod-injection-override.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: prevent-linkerd-pod-injection-override
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: good-pod.yaml
+ - apply:
+ file: good-podcontrollers.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-pod.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-podcontrollers.yaml
diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-pod.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-pod.yaml
new file mode 100644
index 000000000..826bd837a
--- /dev/null
+++ b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-pod.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ linkerd.io/inject: enabled
+ name: goodpod01
+spec:
+ containers:
+ - image: busybox:1.35
+ name: busybox
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod02
+spec:
+ containers:
+ - image: busybox:1.35
+ name: busybox
+ resources: {}
\ No newline at end of file
diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml
new file mode 100644
index 000000000..119385e9d
--- /dev/null
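Review bot: The good-pod.yaml hunk covers a Pod with `linkerd.io/inject: enabled` (goodpod01) and a Pod with no annotations at all (goodpod02), but not a Pod whose annotations map exists without the `linkerd.io/inject` key, which is the branch the policy has to accept explicitly (the `=(annotations)` anchor here, and the `'linkerd.io/inject' in ...` disjunct once the rule is converted to CEL). The port-skipping fixtures later in this series use `foo: bar` for exactly that case, so a third document with `metadata:` / `  annotations:` / `    foo: bar` named goodpod03 would close the gap for this policy too. The `kind: Pod` / `result: pass` entry in the kyverno-test results should then list it as well.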
+++ b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml
@@ -0,0 +1,80 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: gooddeploy01
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: gooddeploy02
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ template:
+ metadata:
+ labels:
+ app: busybox
+ annotations:
+ linkerd.io/inject: enabled
+ spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: goodcronjob01
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: hello
+ image: busybox:1.35
+ command:
+ - "sleep"
+ - "3600"
+ restartPolicy: OnFailure
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: goodcronjob02
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ annotations:
+ linkerd.io/inject: enabled
+ spec:
+ containers:
+ - name: hello
+ image: busybox:1.35
+ command:
+ - "sleep"
+ - "3600"
+ restartPolicy: OnFailure
\ No newline at end of file
diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml b/linkerd-cel/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml
new file mode 100644
index 000000000..05cdd4338
--- /dev/null
+++ b/linkerd-cel/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml
@@ -0,0 +1,21 @@
+name: prevent-linkerd-pod-injection-override
+version: 1.0.0
+displayName: Prevent Linkerd Pod Injection Override
+createdAt: "2023-04-10T20:19:58.000Z"
+description: >-
+ Setting the annotation on a Pod (or its controller) `linkerd.io/inject` to `disabled` may effectively disable mesh participation for that workload reducing security and visibility. This policy prevents setting the annotation `linkerd.io/inject` to `disabled` for Pods.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/linkerd/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml
+ ```
+keywords:
+ - kyverno
+ - Linkerd
+readme: |
+ Setting the annotation on a Pod (or its controller) `linkerd.io/inject` to `disabled` may effectively disable mesh participation for that workload reducing security and visibility. This policy prevents setting the annotation `linkerd.io/inject` to `disabled` for Pods.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Linkerd"
+ kyverno/subject: "Pod"
+digest: f53f4954cf983e1ffd47faf03c76fa07ca01cc2a3d3ac2118c5f77f12e6abbf7
diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml
new file mode 100644
index 000000000..8b608b408
--- /dev/null
+++ b/linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: prevent-linkerd-pod-injection-override
+ annotations:
+ policies.kyverno.io/title: Prevent Linkerd Pod Injection Override
+ policies.kyverno.io/category: Linkerd
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ Setting the annotation on a Pod (or its controller) `linkerd.io/inject` to
+ `disabled` may effectively disable mesh participation for that workload reducing
+ security and visibility. This policy prevents setting the annotation `linkerd.io/inject`
+ to `disabled` for Pods.
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: pod-injection-override
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Pods may not disable sidecar injection."
+ pattern:
+ metadata:
+ =(annotations):
+ =(linkerd.io/inject): "!disabled"
\ No newline at end of file
From 4f6ca0c359d235ffec5ff428f9fe40f701f72483 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Tue, 21 May 2024 15:44:03 +0000
Subject: [PATCH 02/43] add kyverno tests for prevent-linkerd-pod-injection-override
Signed-off-by: Chandan-DK
---
 .../.kyverno-test/kyverno-test.yaml | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 linkerd-cel/prevent-linkerd-pod-injection-override/.kyverno-test/kyverno-test.yaml
diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/.kyverno-test/kyverno-test.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..123a46aa0
--- /dev/null
+++ b/linkerd-cel/prevent-linkerd-pod-injection-override/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,51 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: prevent-linkerd-pod-injection-override
+policies:
+- ../prevent-linkerd-pod-injection-override.yaml
+resources:
+- ../.chainsaw-test/bad-pod.yaml
+- ../.chainsaw-test/bad-podcontrollers.yaml
+- ../.chainsaw-test/good-pod.yaml
+- ../.chainsaw-test/good-podcontrollers.yaml
+results:
+- policy: prevent-linkerd-pod-injection-override
+ rule: pod-injection-override
+ kind: Pod
+ resources:
+ - badpod01
+ result: fail
+- policy: prevent-linkerd-pod-injection-override
+ rule: pod-injection-override
+ kind: Deployment
+ resources:
+ - baddeploy01
+ result: fail
+- policy: prevent-linkerd-pod-injection-override
+ rule: pod-injection-override
+ kind: CronJob
+ resources:
+ - badcronjob01
+ result: fail
+- policy: prevent-linkerd-pod-injection-override
+ rule: pod-injection-override
+ kind: Pod
+ resources:
+ - goodpod01
+ - goodpod02
+ result: pass
+- policy: prevent-linkerd-pod-injection-override
+ rule: pod-injection-override
+ kind: Deployment
+ resources:
+ - gooddeploy01
+ - gooddeploy02
+ result: pass
+- policy: prevent-linkerd-pod-injection-override
+ rule: pod-injection-override
+ kind: CronJob
+ resources:
+ - goodcronjob01
+ - goodcronjob02
+ result: pass
\ No newline at end of file
From a74d10bd2f1923179a2ec6f07e874693be87489c Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Tue, 21 May 2024 15:44:26 +0000
Subject: [PATCH 03/43] convert prevent-linkerd-pod-injection-override
Signed-off-by: Chandan-DK
---
 .../artifacthub-pkg.yml | 14 ++++++++------
 ...prevent-linkerd-pod-injection-override.yaml | 18 ++++++++++--------
 2 files changed, 18 insertions(+), 14 deletions(-)
diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml b/linkerd-cel/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml
index 05cdd4338..e63c777ef 100644
--- a/linkerd-cel/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml
+++ b/linkerd-cel/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml
@@ -1,21 +1,23 @@
-name: prevent-linkerd-pod-injection-override
+name: prevent-linkerd-pod-injection-override-cel
 version: 1.0.0
-displayName: Prevent Linkerd Pod Injection Override
-createdAt: "2023-04-10T20:19:58.000Z"
+displayName: Prevent Linkerd Pod Injection Override in CEL expressions
 description: >-
 Setting the annotation on a Pod (or its controller) `linkerd.io/inject` to `disabled` may effectively disable mesh participation for that workload reducing security and visibility. This policy prevents setting the annotation `linkerd.io/inject` to `disabled` for Pods.
 install: |-
 ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/linkerd/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml
 ```
 keywords:
 - kyverno
 - Linkerd
+ - CEL Expressions
 readme: |
 Setting the annotation on a Pod (or its controller) `linkerd.io/inject` to `disabled` may effectively disable mesh participation for that workload reducing security and visibility. This policy prevents setting the annotation `linkerd.io/inject` to `disabled` for Pods.
 Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
 annotations:
- kyverno/category: "Linkerd"
+ kyverno/category: "Linkerd in CEL"
+ kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
-digest: f53f4954cf983e1ffd47faf03c76fa07ca01cc2a3d3ac2118c5f77f12e6abbf7
+digest: 476cc06454697ad17e472b7dd2c1c68542e06793961acef71ca97bf7113f7d21
+createdAt: "2024-05-21T15:39:18Z"
diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml
index 8b608b408..541389977 100644
--- a/linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml
+++ b/linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml
@@ -3,17 +3,19 @@ kind: ClusterPolicy
 metadata:
 name: prevent-linkerd-pod-injection-override
 annotations:
- policies.kyverno.io/title: Prevent Linkerd Pod Injection Override
- policies.kyverno.io/category: Linkerd
+ policies.kyverno.io/title: Prevent Linkerd Pod Injection Override in CEL expressions
+ policies.kyverno.io/category: Linkerd in CEL
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
 policies.kyverno.io/description: >-
 Setting the annotation on a Pod (or its controller) `linkerd.io/inject` to
 `disabled` may effectively disable mesh participation for that workload reducing
 security and visibility. This policy prevents setting the annotation `linkerd.io/inject`
 to `disabled` for Pods.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: pod-injection-override
@@ -23,8 +25,8 @@ spec:
 kinds:
 - Pod
 validate:
- message: "Pods may not disable sidecar injection."
- pattern:
- metadata:
- =(annotations):
- =(linkerd.io/inject): "!disabled"
\ No newline at end of file
+ cel:
+ expressions:
+ - expression: "!has(object.metadata.annotations) || !('linkerd.io/inject' in object.metadata.annotations) || object.metadata.annotations['linkerd.io/inject'] != 'disabled'"
+ message: "Pods may not disable sidecar injection."
+
From dcd4ac5a5f06abf49df4204f14aa68da3df126b2 Mon Sep 17 00:00:00 2001
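Review bot: The `- expression:` line in the second hunk assumes `object.metadata` is always present, which holds for a Pod but, judging by the PATCH 04 message (`no such key: metadata` in the CEL tests), not for the autogenerated controller variants of this rule when a pod template omits `metadata`; that commit fixes the fixture rather than the rule, so a Deployment or CronJob created without `template.metadata` would presumably still hit the same evaluation error instead of a clean pass. A leading guard is a no-op for Pods and lets the rewritten path short-circuit: `- expression: "!has(object.metadata) || !has(object.metadata.annotations) || !('linkerd.io/inject' in object.metadata.annotations) || object.metadata.annotations['linkerd.io/inject'] != 'disabled'"`. In the first hunk, `kyverno.io/kyverno-version: 1.11.0` is left unquoted while the kubernetes-version annotation is quoted; `"1.11.0"` keeps the two consistent.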
From: Chandan-DK
Date: Tue, 21 May 2024 15:45:42 +0000
Subject: [PATCH 04/43] add metadata section to template
This is done in order to avoid no such key: metadata error in the kyverno tests for the cel policy
Signed-off-by: Chandan-DK
---
 .../.chainsaw-test/good-podcontrollers.yaml | 3 +++
 .../.chainsaw-test/good-podcontrollers.yaml | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml
index 119385e9d..876c42be2 100644
--- a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml
+++ b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml
@@ -49,6 +49,9 @@ spec:
 jobTemplate:
 spec:
 template:
+ metadata:
+ labels:
+ app: busybox
 spec:
 containers:
 - name: hello
diff --git a/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml b/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml
index 119385e9d..876c42be2 100644
--- a/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml
+++ b/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml
@@ -49,6 +49,9 @@ spec:
 jobTemplate:
 spec:
 template:
+ metadata:
+ labels:
+ app: busybox
 spec:
 containers:
 - name: hello
From 6ac7addbb0360bad7f49eb572516ed9ece531cee Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Tue, 21 May 2024 15:53:05 +0000
Subject: [PATCH 05/43] add kyverno tests for prevent-linkerd-pod-injection-override in regular policy
Signed-off-by: Chandan-DK
---
 .../.kyverno-test/kyverno-test.yaml | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 linkerd/prevent-linkerd-pod-injection-override/.kyverno-test/kyverno-test.yaml
diff --git a/linkerd/prevent-linkerd-pod-injection-override/.kyverno-test/kyverno-test.yaml b/linkerd/prevent-linkerd-pod-injection-override/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..123a46aa0
--- /dev/null
+++ b/linkerd/prevent-linkerd-pod-injection-override/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,51 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: prevent-linkerd-pod-injection-override
+policies:
+- ../prevent-linkerd-pod-injection-override.yaml
+resources:
+- ../.chainsaw-test/bad-pod.yaml
+- ../.chainsaw-test/bad-podcontrollers.yaml
+- ../.chainsaw-test/good-pod.yaml
+- ../.chainsaw-test/good-podcontrollers.yaml
+results:
+- policy: prevent-linkerd-pod-injection-override
+ rule: pod-injection-override
+ kind: Pod
+ resources:
+ - badpod01
+ result: fail
+- policy: prevent-linkerd-pod-injection-override
+ rule: pod-injection-override
+ kind: Deployment
+ resources:
+ - baddeploy01
+ result: fail
+- policy: prevent-linkerd-pod-injection-override
+ rule: pod-injection-override
+ kind: CronJob
+ resources:
+ - badcronjob01
+ result: fail
+- policy: prevent-linkerd-pod-injection-override
+ rule: pod-injection-override
+ kind: Pod
+ resources:
+ - goodpod01
+ - goodpod02
+ result: pass
+- policy: prevent-linkerd-pod-injection-override
+ rule: pod-injection-override
+ kind: Deployment
+ resources:
+ - gooddeploy01
+ - gooddeploy02
+ result: pass
+- policy: prevent-linkerd-pod-injection-override
+ rule: pod-injection-override
+ kind: CronJob
+ resources:
+ - goodcronjob01
+ - goodcronjob02
+ result: pass
\ No newline at end of file
From 51af20709c1c64379ad0928d49df7a7652cc5918 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Tue, 21 May 2024 15:57:26 +0000
Subject: [PATCH 06/43] copy prevent-linkerd-port-skipping
Signed-off-by: Chandan-DK
---
 .../.chainsaw-test/bad-pod.yaml | 36 +++++
 .../.chainsaw-test/bad-podcontrollers.yaml | 136 ++++++++++++++++++
 .../chainsaw-step-01-assert-1.yaml | 6 +
 .../.chainsaw-test/chainsaw-test.yaml | 38 +++++
 .../.chainsaw-test/good-pod.yaml | 20 +++
 .../.chainsaw-test/good-podcontrollers.yaml | 80 +++++++++++
 .../artifacthub-pkg.yml | 21 +++
 .../prevent-linkerd-port-skipping.yaml | 31 ++++
 8 files changed, 368 insertions(+)
 create mode 100644 linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml
 create mode 100644 linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml
 create mode 100755 linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-step-01-assert-1.yaml
 create mode 100755 linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-test.yaml
 create mode 100644 linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-pod.yaml
 create mode 100644 linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml
 create mode 100644 linkerd-cel/prevent-linkerd-port-skipping/artifacthub-pkg.yml
 create mode 100644 linkerd-cel/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml
diff --git a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml
new file mode 100644
index 000000000..730df5cbc
--- /dev/null
+++ b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ foo: bar
+ config.linkerd.io/skip-inbound-ports: true
+ name: badpod01
+spec:
+ containers:
+ - image: busybox:1.35
+ name: busybox
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ config.linkerd.io/skip-outbound-ports: true
+ foo: bar
+ name: badpod02
+spec:
+ containers:
+ - image: busybox:1.35
+ name: busybox
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ foo: bar
+ config.linkerd.io/skip-outbound-ports: true
+ config.linkerd.io/skip-inbound-ports: true
+ name: badpod03
+spec:
+ containers:
+ - image: busybox:1.35
+ name: busybox
\ No newline at end of file
diff --git a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml
new file mode 100644
index 000000000..f414b7893
--- /dev/null
+++ b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml
@@ -0,0 +1,136 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: baddeploy01
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ template:
+ metadata:
+ labels:
+ app: busybox
+ annotations:
+ foo: bar
+ config.linkerd.io/skip-inbound-ports: true
+ spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: baddeploy02
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ template:
+ metadata:
+ labels:
+ app: busybox
+ annotations:
+ config.linkerd.io/skip-outbound-ports: true
+ foo: bar
+ spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: baddeploy03
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ template:
+ metadata:
+ labels:
+ app: busybox
+ annotations:
+ foo: bar
+ config.linkerd.io/skip-inbound-ports: true
+ config.linkerd.io/skip-outbound-ports: true
+ spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: badcronjob01
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ annotations:
+ config.linkerd.io/skip-outbound-ports: true
+ foo: bar
+ spec:
+ containers:
+ - name: hello
+ image: busybox:1.35
+ command:
+ - "sleep"
+ - "3600"
+ restartPolicy: OnFailure
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: badcronjob02
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ annotations:
+ foo: bar
+ config.linkerd.io/skip-inbound-ports: true
+ spec:
+ containers:
+ - name: hello
+ image: busybox:1.35
+ command:
+ - "sleep"
+ - "3600"
+ restartPolicy: OnFailure
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: badcronjob03
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ annotations:
+ foo: bar
+ config.linkerd.io/skip-outbound-ports: true
+ config.linkerd.io/skip-inbound-ports: true
+ spec:
+ containers:
+ - name: hello
+ image: busybox:1.35
+ command:
+ - "sleep"
+ - "3600"
+ restartPolicy: OnFailure
\ No newline at end of file
diff --git a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 000000000..538df5440
--- /dev/null
+++ b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: prevent-linkerd-port-skipping
+status:
+ ready: true
diff --git a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-test.yaml b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..57e85e207
--- /dev/null
+++ b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,38 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: prevent-linkerd-port-skipping
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../prevent-linkerd-port-skipping.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: prevent-linkerd-port-skipping
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: good-pod.yaml
+ - apply:
+ file: good-podcontrollers.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-pod.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-podcontrollers.yaml
diff --git a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-pod.yaml b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-pod.yaml
new file mode 100644
index 000000000..feddec893
--- /dev/null
+++ b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-pod.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod01
+spec:
+ containers:
+ - image: busybox:1.35
+ name: busybox
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ foo: bar
+ name: goodpod02
+spec:
+ containers:
+ - image: busybox:1.35
+ name: busybox
+ resources: {}
\ No newline at end of file
diff --git a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml
new file mode 100644
index 000000000..d1605961a
--- /dev/null
+++ b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml
@@ -0,0 +1,80 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: gooddeploy01
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: gooddeploy02
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ template:
+ metadata:
+ labels:
+ app: busybox
+ annotations:
+ foo: bar
+ spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: goodcronjob01
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: hello
+ image: busybox:1.35
+ command:
+ - "sleep"
+ - "3600"
+ restartPolicy: OnFailure
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: goodcronjob02
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ annotations:
+ foo: bar
+ spec:
+ containers:
+ - name: hello
+ image: busybox:1.35
+ command:
+ - "sleep"
+ - "3600"
+ restartPolicy: OnFailure
\ No newline at end of file
diff --git a/linkerd-cel/prevent-linkerd-port-skipping/artifacthub-pkg.yml b/linkerd-cel/prevent-linkerd-port-skipping/artifacthub-pkg.yml
new file mode 100644
index 000000000..5fffbddde
--- /dev/null
+++ b/linkerd-cel/prevent-linkerd-port-skipping/artifacthub-pkg.yml
@@ -0,0 +1,21 @@
+name: prevent-linkerd-port-skipping
+version: 1.0.0
+displayName: Prevent Linkerd Port Skipping
+createdAt: "2023-04-10T20:19:58.000Z"
+description: >-
+ Linkerd has the ability to skip inbound and outbound ports assigned to Pods, exempting them from mTLS. This can be important in some narrow use cases but generally should be avoided. This policy prevents Pods from setting the annotations `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports`.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/linkerd/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml
+ ```
+keywords:
+ - kyverno
+ - Linkerd
+readme: |
+ Linkerd has the ability to skip inbound and outbound ports assigned to Pods, exempting them from mTLS. This can be important in some narrow use cases but generally should be avoided. This policy prevents Pods from setting the annotations `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports`.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Linkerd"
+ kyverno/subject: "Pod"
+digest: eb06dd1a5965de97c84c7ca4f46d77a3d231600340a6f6f6f3369331d5fc0edc
diff --git a/linkerd-cel/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml b/linkerd-cel/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml
new file mode 100644
index 000000000..7505e1f52
--- /dev/null
+++ b/linkerd-cel/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml
@@ -0,0 +1,31 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: prevent-linkerd-port-skipping + annotations: + policies.kyverno.io/title: Prevent Linkerd Port Skipping + policies.kyverno.io/category: Linkerd + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Pod + policies.kyverno.io/description: >- + Linkerd has the ability to skip inbound and outbound ports assigned to Pods, exempting + them from mTLS. This can be important in some narrow use cases but + generally should be avoided. This policy prevents Pods from setting + the annotations `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports`. +spec: + validationFailureAction: audit + background: true + rules: + - name: pod-prevent-port-skipping + match: + any: + - resources: + kinds: + - Pod + validate: + message: "Pods may not skip ports. The annotations `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports` must not be set." + pattern: + metadata: + =(annotations): + X(config.linkerd.io/skip-inbound-ports): "null" + X(config.linkerd.io/skip-outbound-ports): "null" \ No newline at end of file From 66b483fac423800849b8f7e25e8b6486bdfcc7e1 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Tue, 21 May 2024 16:01:23 +0000 Subject: [PATCH 07/43] correct invalid chainsaw test resources to remove errors Signed-off-by: Chandan-DK --- .../.chainsaw-test/bad-pod.yaml | 8 ++++---- .../.chainsaw-test/bad-podcontrollers.yaml | 16 ++++++++-------- .../.chainsaw-test/good-podcontrollers.yaml | 3 +++ .../.chainsaw-test/bad-pod.yaml | 8 ++++---- .../.chainsaw-test/bad-podcontrollers.yaml | 16 ++++++++-------- .../.chainsaw-test/good-podcontrollers.yaml | 3 +++ 6 files changed, 30 insertions(+), 24 deletions(-) diff --git a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml index 730df5cbc..1d3b1cbc3 100644 
--- a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml +++ b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml @@ -3,7 +3,7 @@ kind: Pod metadata: annotations: foo: bar - config.linkerd.io/skip-inbound-ports: true + config.linkerd.io/skip-inbound-ports: "true" name: badpod01 spec: containers: @@ -14,7 +14,7 @@ apiVersion: v1 kind: Pod metadata: annotations: - config.linkerd.io/skip-outbound-ports: true + config.linkerd.io/skip-outbound-ports: "true" foo: bar name: badpod02 spec: @@ -27,8 +27,8 @@ kind: Pod metadata: annotations: foo: bar - config.linkerd.io/skip-outbound-ports: true - config.linkerd.io/skip-inbound-ports: true + config.linkerd.io/skip-outbound-ports: "true" + config.linkerd.io/skip-inbound-ports: "true" name: badpod03 spec: containers: diff --git a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml index f414b7893..3d4093257 100644 --- a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml +++ b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml @@ -15,7 +15,7 @@ spec: app: busybox annotations: foo: bar - config.linkerd.io/skip-inbound-ports: true + config.linkerd.io/skip-inbound-ports: "true" spec: containers: - name: busybox @@ -37,7 +37,7 @@ spec: labels: app: busybox annotations: - config.linkerd.io/skip-outbound-ports: true + config.linkerd.io/skip-outbound-ports: "true" foo: bar spec: containers: @@ -61,8 +61,8 @@ spec: app: busybox annotations: foo: bar - config.linkerd.io/skip-inbound-ports: true - config.linkerd.io/skip-outbound-ports: true + config.linkerd.io/skip-inbound-ports: "true" + config.linkerd.io/skip-outbound-ports: "true" spec: containers: - name: busybox 
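Review bot: Quoting the values is the right fix, since annotation values must be strings, but `"true"` is not a value Linkerd accepts for `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports`, which take a comma-separated list of ports or port ranges. The policy under test only checks that the key is present, so the fixtures still fail as intended; a realistic value such as `config.linkerd.io/skip-inbound-ports: "8080"` would make them read as what an operator would actually set and keep the fixture meaningful if the rule is ever tightened to inspect the value. The same applies to every hunk in bad-pod.yaml and bad-podcontrollers.yaml under both linkerd-cel/ and linkerd/ in this commit.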
@@ -79,7 +79,7 @@ spec: template: metadata: annotations: - config.linkerd.io/skip-outbound-ports: true + config.linkerd.io/skip-outbound-ports: "true" foo: bar spec: containers: @@ -102,7 +102,7 @@ spec: metadata: annotations: foo: bar - config.linkerd.io/skip-inbound-ports: true + config.linkerd.io/skip-inbound-ports: "true" spec: containers: - name: hello @@ -124,8 +124,8 @@ spec: metadata: annotations: foo: bar - config.linkerd.io/skip-outbound-ports: true - config.linkerd.io/skip-inbound-ports: true + config.linkerd.io/skip-outbound-ports: "true" + config.linkerd.io/skip-inbound-ports: "true" spec: containers: - name: hello diff --git a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml index d1605961a..e8c4c6706 100644 --- a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml +++ b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml @@ -49,6 +49,9 @@ spec: jobTemplate: spec: template: + metadata: + labels: + app: busybox spec: containers: - name: hello diff --git a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml index 730df5cbc..1d3b1cbc3 100644 --- a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml +++ b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml @@ -3,7 +3,7 @@ kind: Pod metadata: annotations: foo: bar - config.linkerd.io/skip-inbound-ports: true + config.linkerd.io/skip-inbound-ports: "true" name: badpod01 spec: containers: @@ -14,7 +14,7 @@ apiVersion: v1 kind: Pod metadata: annotations: - config.linkerd.io/skip-outbound-ports: true + config.linkerd.io/skip-outbound-ports: "true" foo: bar name: badpod02 spec: 
@@ -27,8 +27,8 @@ kind: Pod metadata: annotations: foo: bar - config.linkerd.io/skip-outbound-ports: true - config.linkerd.io/skip-inbound-ports: true + config.linkerd.io/skip-outbound-ports: "true" + config.linkerd.io/skip-inbound-ports: "true" name: badpod03 spec: containers: diff --git a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml index f414b7893..3d4093257 100644 --- a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml +++ b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml @@ -15,7 +15,7 @@ spec: app: busybox annotations: foo: bar - config.linkerd.io/skip-inbound-ports: true + config.linkerd.io/skip-inbound-ports: "true" spec: containers: - name: busybox @@ -37,7 +37,7 @@ spec: labels: app: busybox annotations: - config.linkerd.io/skip-outbound-ports: true + config.linkerd.io/skip-outbound-ports: "true" foo: bar spec: containers: @@ -61,8 +61,8 @@ spec: app: busybox annotations: foo: bar - config.linkerd.io/skip-inbound-ports: true - config.linkerd.io/skip-outbound-ports: true + config.linkerd.io/skip-inbound-ports: "true" + config.linkerd.io/skip-outbound-ports: "true" spec: containers: - name: busybox @@ -79,7 +79,7 @@ spec: template: metadata: annotations: - config.linkerd.io/skip-outbound-ports: true + config.linkerd.io/skip-outbound-ports: "true" foo: bar spec: containers: @@ -102,7 +102,7 @@ spec: metadata: annotations: foo: bar - config.linkerd.io/skip-inbound-ports: true + config.linkerd.io/skip-inbound-ports: "true" spec: containers: - name: hello @@ -124,8 +124,8 @@ spec: metadata: annotations: foo: bar - config.linkerd.io/skip-outbound-ports: true - config.linkerd.io/skip-inbound-ports: true + config.linkerd.io/skip-outbound-ports: "true" + config.linkerd.io/skip-inbound-ports: "true" spec: containers: - name: hello 
diff --git a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml index d1605961a..e8c4c6706 100644 --- a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml +++ b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml @@ -49,6 +49,9 @@ spec: jobTemplate: spec: template: + metadata: + labels: + app: busybox spec: containers: - name: hello From 562b82deea0a33412862a788900e129e4a6921ff Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Tue, 21 May 2024 16:02:28 +0000 Subject: [PATCH 08/43] add kyverno tests Signed-off-by: Chandan-DK --- .../.kyverno-test/kyverno-test.yaml | 58 +++++++++++++++++++ .../.kyverno-test/kyverno-test.yaml | 58 +++++++++++++++++++ 2 files changed, 116 insertions(+) create mode 100644 linkerd-cel/prevent-linkerd-port-skipping/.kyverno-test/kyverno-test.yaml create mode 100644 linkerd/prevent-linkerd-port-skipping/.kyverno-test/kyverno-test.yaml diff --git a/linkerd-cel/prevent-linkerd-port-skipping/.kyverno-test/kyverno-test.yaml b/linkerd-cel/prevent-linkerd-port-skipping/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..3eef768b6 --- /dev/null +++ b/linkerd-cel/prevent-linkerd-port-skipping/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,58 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: prevent-linkerd-port-skipping +policies: +- ../prevent-linkerd-port-skipping.yaml +resources: +- ../.chainsaw-test/bad-pod.yaml +- ../.chainsaw-test/bad-podcontrollers.yaml +- ../.chainsaw-test/good-pod.yaml +- ../.chainsaw-test/good-podcontrollers.yaml +results: +- policy: prevent-linkerd-port-skipping + rule: pod-prevent-port-skipping + kind: Pod + resources: + - badpod01 + - badpod02 + - badpod03 + result: fail +- policy: prevent-linkerd-port-skipping + rule: pod-prevent-port-skipping + kind: Deployment + resources: + - baddeploy01 + - baddeploy02 + - baddeploy03 + result: fail +- policy: prevent-linkerd-port-skipping + rule: pod-prevent-port-skipping + kind: CronJob + resources: + - badcronjob01 + - badcronjob02 + - badcronjob03 + result: fail +- policy: prevent-linkerd-port-skipping + rule: pod-prevent-port-skipping + kind: Pod + resources: + - goodpod01 + - goodpod02 + result: pass +- policy: prevent-linkerd-port-skipping + rule: pod-prevent-port-skipping + kind: Deployment + resources: + - gooddeploy01 + - gooddeploy02 + result: pass +- policy: prevent-linkerd-port-skipping + rule: pod-prevent-port-skipping + kind: CronJob + resources: + - goodcronjob01 + - goodcronjob02 + result: pass + diff --git a/linkerd/prevent-linkerd-port-skipping/.kyverno-test/kyverno-test.yaml b/linkerd/prevent-linkerd-port-skipping/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..3eef768b6 --- /dev/null +++ b/linkerd/prevent-linkerd-port-skipping/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,58 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: prevent-linkerd-port-skipping +policies: +- ../prevent-linkerd-port-skipping.yaml +resources: +- ../.chainsaw-test/bad-pod.yaml +- ../.chainsaw-test/bad-podcontrollers.yaml +- ../.chainsaw-test/good-pod.yaml +- ../.chainsaw-test/good-podcontrollers.yaml +results: +- policy: prevent-linkerd-port-skipping + rule: pod-prevent-port-skipping + kind: Pod + resources: + - badpod01 + - badpod02 + - badpod03 + result: fail +- policy: prevent-linkerd-port-skipping + rule: pod-prevent-port-skipping + kind: Deployment + resources: + - baddeploy01 + - baddeploy02 + - baddeploy03 + result: fail +- policy: prevent-linkerd-port-skipping + rule: pod-prevent-port-skipping + kind: CronJob + resources: + - badcronjob01 + - badcronjob02 + - badcronjob03 + result: fail +- policy: prevent-linkerd-port-skipping + rule: pod-prevent-port-skipping + kind: Pod + resources: + - goodpod01 + - goodpod02 + result: pass +- policy: prevent-linkerd-port-skipping + rule: pod-prevent-port-skipping + kind: Deployment + resources: + - gooddeploy01 + - gooddeploy02 + result: pass +- policy: prevent-linkerd-port-skipping + rule: pod-prevent-port-skipping + kind: CronJob + resources: + - goodcronjob01 + - goodcronjob02 + result: pass + From a14f7f83b1f6920fbfd033e0f5877e5fd3000e54 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Tue, 21 May 2024 16:03:05 +0000 Subject: [PATCH 09/43] convert prevent-linkerd-port-skipping Signed-off-by: Chandan-DK --- .../artifacthub-pkg.yml | 14 +++++++------ .../prevent-linkerd-port-skipping.yaml | 21 +++++++++++-------- 2 files changed, 20 insertions(+), 15 deletions(-) diff --git a/linkerd-cel/prevent-linkerd-port-skipping/artifacthub-pkg.yml b/linkerd-cel/prevent-linkerd-port-skipping/artifacthub-pkg.yml index 5fffbddde..94f8d61a4 100644 --- a/linkerd-cel/prevent-linkerd-port-skipping/artifacthub-pkg.yml +++ b/linkerd-cel/prevent-linkerd-port-skipping/artifacthub-pkg.yml 
@@ -1,21 +1,23 @@ -name: prevent-linkerd-port-skipping +name: prevent-linkerd-port-skipping-cel version: 1.0.0 -displayName: Prevent Linkerd Port Skipping -createdAt: "2023-04-10T20:19:58.000Z" +displayName: Prevent Linkerd Port Skipping in CEL expressions description: >- Linkerd has the ability to skip inbound and outbound ports assigned to Pods, exempting them from mTLS. This can be important in some narrow use cases but generally should be avoided. This policy prevents Pods from setting the annotations `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports`. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/linkerd/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/linkerd-cel/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml ``` keywords: - kyverno - Linkerd + - CEL Expressions readme: | Linkerd has the ability to skip inbound and outbound ports assigned to Pods, exempting them from mTLS. This can be important in some narrow use cases but generally should be avoided. This policy prevents Pods from setting the annotations `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports`. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Linkerd" + kyverno/category: "Linkerd in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: eb06dd1a5965de97c84c7ca4f46d77a3d231600340a6f6f6f3369331d5fc0edc +digest: dc036c443dcf910e37381f963ee0c0059c636aeea980c13c7408795c207d25c2 +createdAt: "2024-05-21T15:57:57Z" diff --git a/linkerd-cel/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml b/linkerd-cel/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml index 7505e1f52..feacf400a 100644 
--- a/linkerd-cel/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml +++ b/linkerd-cel/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml @@ -3,17 +3,19 @@ kind: ClusterPolicy metadata: name: prevent-linkerd-port-skipping annotations: - policies.kyverno.io/title: Prevent Linkerd Port Skipping - policies.kyverno.io/category: Linkerd + policies.kyverno.io/title: Prevent Linkerd Port Skipping in CEL expressions + policies.kyverno.io/category: Linkerd in CEL policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/description: >- Linkerd has the ability to skip inbound and outbound ports assigned to Pods, exempting them from mTLS. This can be important in some narrow use cases but generally should be avoided. This policy prevents Pods from setting the annotations `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports`. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: pod-prevent-port-skipping @@ -23,9 +25,10 @@ spec: kinds: - Pod validate: - message: "Pods may not skip ports. The annotations `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports` must not be set." - pattern: - metadata: - =(annotations): - X(config.linkerd.io/skip-inbound-ports): "null" - X(config.linkerd.io/skip-outbound-ports): "null" \ No newline at end of file + cel: + expressions: + - expression: >- + !has(object.metadata.annotations) || + (!('config.linkerd.io/skip-inbound-ports' in object.metadata.annotations) && !('config.linkerd.io/skip-outbound-ports' in object.metadata.annotations)) + message: "Pods may not skip ports. The annotations `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports` must not be set." + From d7003edefda9a70f44cb9b3b515f720fe9205c8b Mon Sep 17 00:00:00 2001 
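Review bot: The new expression inspects only `object.metadata.annotations`, yet the kyverno-test added earlier in this series expects `baddeploy0x` and `badcronjob0x` to fail, so the conversion appears to depend on Kyverno auto-generating the pod-controller variants of a `validate.cel` rule at the declared `minversion: 1.11.0`; worth confirming that both the CLI and the admission path apply autogen to CEL rules before trusting those results. Presence-only matching is preserved from the pattern version, so an annotation set to an empty string is still rejected, which is the safer behaviour. One documentation suggestion: "exempting them from mTLS" in `policies.kyverno.io/description` understates the effect, since skipped ports bypass the proxy entirely and therefore also lose Linkerd authorization policy and per-port metrics, which is the stronger reason to keep this rule and would help operators weigh exception requests.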
From: Chandan-DK Date: Tue, 21 May 2024 16:05:23 +0000 Subject: [PATCH 10/43] copy require-linkerd-mesh-injection Signed-off-by: Chandan-DK --- .../.chainsaw-test/bad-ns.yaml | 19 ++++++++++++ .../chainsaw-step-01-assert-1.yaml | 6 ++++ .../.chainsaw-test/chainsaw-test.yaml | 31 +++++++++++++++++++ .../.chainsaw-test/good-ns.yaml | 15 +++++++++ .../artifacthub-pkg.yml | 21 +++++++++++++ .../require-linkerd-mesh-injection.yaml | 29 +++++++++++++++++ 6 files changed, 121 insertions(+) create mode 100644 linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/bad-ns.yaml create mode 100755 linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-test.yaml create mode 100644 linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/good-ns.yaml create mode 100644 linkerd-cel/require-linkerd-mesh-injection/artifacthub-pkg.yml create mode 100644 linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml diff --git a/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/bad-ns.yaml b/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/bad-ns.yaml new file mode 100644 index 000000000..211682121 --- /dev/null +++ b/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/bad-ns.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Namespace +metadata: + annotations: + foo: bar + linkerd.io/inject: disabled + name: ld-meshinj-badns01 +--- +apiVersion: v1 +kind: Namespace +metadata: + annotations: + foo: bar + name: ld-meshinj-badns02 +--- +apiVersion: v1 +kind: Namespace +metadata: + name: ld-meshinj-badns03 \ No newline at end of file diff --git a/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..0a6966bd9 --- /dev/null 
+++ b/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-linkerd-mesh-injection +status: + ready: true diff --git a/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-test.yaml b/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..8c5b31e2a --- /dev/null +++ b/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,31 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: require-linkerd-mesh-injection +spec: + steps: + - name: step-01 + try: + - apply: + file: ../require-linkerd-mesh-injection.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: require-linkerd-mesh-injection + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: good-ns.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-ns.yaml diff --git a/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/good-ns.yaml b/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/good-ns.yaml new file mode 100644 index 000000000..649948782 --- /dev/null +++ b/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/good-ns.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Namespace +metadata: + annotations: + foo: bar + linkerd.io/inject: enabled + name: ld-meshinj-goodns01 +--- +apiVersion: v1 +kind: Namespace +metadata: + annotations: + linkerd.io/inject: enabled + foo: bar + name: ld-meshinj-goodns02 \ No newline at end of file 
diff --git a/linkerd-cel/require-linkerd-mesh-injection/artifacthub-pkg.yml b/linkerd-cel/require-linkerd-mesh-injection/artifacthub-pkg.yml new file mode 100644 index 000000000..3a4b5a7c3 --- /dev/null +++ b/linkerd-cel/require-linkerd-mesh-injection/artifacthub-pkg.yml @@ -0,0 +1,21 @@ +name: require-linkerd-mesh-injection +version: 1.0.0 +displayName: Require Linkerd Mesh Injection +createdAt: "2023-04-10T20:19:58.000Z" +description: >- + Sidecar proxy injection in Linkerd may be handled at the Namespace level by setting the annotation `linkerd.io/inject` to `enabled`. This policy enforces that all Namespaces contain the annotation `linkerd.io/inject` set to `enabled`. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/linkerd/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml + ``` +keywords: + - kyverno + - Linkerd +readme: | + Sidecar proxy injection in Linkerd may be handled at the Namespace level by setting the annotation `linkerd.io/inject` to `enabled`. This policy enforces that all Namespaces contain the annotation `linkerd.io/inject` set to `enabled`. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Linkerd" + kyverno/subject: "Namespace, Annotation" +digest: 284e774c36aae48ee175b4388c792d073897fd6e5df3645ce65682d441a35877 diff --git a/linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml b/linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml new file mode 100644 index 000000000..9026c2f11 --- /dev/null +++ b/linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml 
@@ -0,0 +1,29 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-linkerd-mesh-injection + annotations: + policies.kyverno.io/title: Require Linkerd Mesh Injection + policies.kyverno.io/category: Linkerd + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Namespace, Annotation + policies.kyverno.io/description: >- + Sidecar proxy injection in Linkerd may be handled at the Namespace level by + setting the annotation `linkerd.io/inject` to `enabled`. This policy enforces that + all Namespaces contain the annotation `linkerd.io/inject` set to `enabled`. +spec: + validationFailureAction: audit + background: true + rules: + - name: require-mesh-annotation + match: + any: + - resources: + kinds: + - Namespace + validate: + message: "All Namespaces must set the annotation `linkerd.io/inject` to `enabled`." + pattern: + metadata: + annotations: + linkerd.io/inject: enabled \ No newline at end of file From a7ffe1ea458d1e801c8f859d5b8c76d44f82be86 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Tue, 21 May 2024 16:08:18 +0000 Subject: [PATCH 11/43] add kyverno tests for require-linkerd-mesh-injection Signed-off-by: Chandan-DK --- .../.kyverno-test/kyverno-test.yaml | 26 +++++++++++++++++++ .../.kyverno-test/kyverno-test.yaml | 26 +++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 linkerd-cel/require-linkerd-mesh-injection/.kyverno-test/kyverno-test.yaml create mode 100644 linkerd/require-linkerd-mesh-injection/.kyverno-test/kyverno-test.yaml diff --git a/linkerd-cel/require-linkerd-mesh-injection/.kyverno-test/kyverno-test.yaml b/linkerd-cel/require-linkerd-mesh-injection/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..8c009f0b0 --- /dev/null +++ b/linkerd-cel/require-linkerd-mesh-injection/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,26 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-linkerd-mesh-injection +policies: +- ../require-linkerd-mesh-injection.yaml +resources: +- ../.chainsaw-test/bad-ns.yaml +- ../.chainsaw-test/good-ns.yaml +results: +- policy: require-linkerd-mesh-injection + rule: require-mesh-annotation + kind: Namespace + resources: + - ld-meshinj-badns01 + - ld-meshinj-badns02 + - ld-meshinj-badns03 + result: fail +- policy: require-linkerd-mesh-injection + rule: require-mesh-annotation + kind: Namespace + resources: + - ld-meshinj-goodns01 + - ld-meshinj-goodns02 + result: pass + diff --git a/linkerd/require-linkerd-mesh-injection/.kyverno-test/kyverno-test.yaml b/linkerd/require-linkerd-mesh-injection/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..8c009f0b0 --- /dev/null +++ b/linkerd/require-linkerd-mesh-injection/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,26 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-linkerd-mesh-injection +policies: +- ../require-linkerd-mesh-injection.yaml +resources: +- ../.chainsaw-test/bad-ns.yaml +- ../.chainsaw-test/good-ns.yaml +results: +- policy: require-linkerd-mesh-injection + rule: require-mesh-annotation + kind: Namespace + resources: + - ld-meshinj-badns01 + - ld-meshinj-badns02 + - ld-meshinj-badns03 + result: fail +- policy: require-linkerd-mesh-injection + rule: require-mesh-annotation + kind: Namespace + resources: + - ld-meshinj-goodns01 + - ld-meshinj-goodns02 + result: pass + From 7acd0661ac6bad0b066ae0e4b8b24da36e7a72a9 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Tue, 21 May 2024 16:08:50 +0000 Subject: [PATCH 12/43] convert require-linkerd-mesh-injection Signed-off-by: Chandan-DK --- .../artifacthub-pkg.yml | 14 ++++++++------ .../require-linkerd-mesh-injection.yaml | 18 ++++++++++-------- 2 files changed, 18 insertions(+), 14 deletions(-) 
diff --git a/linkerd-cel/require-linkerd-mesh-injection/artifacthub-pkg.yml b/linkerd-cel/require-linkerd-mesh-injection/artifacthub-pkg.yml index 3a4b5a7c3..a36662ab7 100644 --- a/linkerd-cel/require-linkerd-mesh-injection/artifacthub-pkg.yml +++ b/linkerd-cel/require-linkerd-mesh-injection/artifacthub-pkg.yml @@ -1,21 +1,23 @@ -name: require-linkerd-mesh-injection +name: require-linkerd-mesh-injection-cel version: 1.0.0 -displayName: Require Linkerd Mesh Injection -createdAt: "2023-04-10T20:19:58.000Z" +displayName: Require Linkerd Mesh Injection in CEL expressions description: >- Sidecar proxy injection in Linkerd may be handled at the Namespace level by setting the annotation `linkerd.io/inject` to `enabled`. This policy enforces that all Namespaces contain the annotation `linkerd.io/inject` set to `enabled`. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/linkerd/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml ``` keywords: - kyverno - Linkerd + - CEL Expressions readme: | Sidecar proxy injection in Linkerd may be handled at the Namespace level by setting the annotation `linkerd.io/inject` to `enabled`. This policy enforces that all Namespaces contain the annotation `linkerd.io/inject` set to `enabled`. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Linkerd" + kyverno/category: "Linkerd in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Namespace, Annotation" -digest: 284e774c36aae48ee175b4388c792d073897fd6e5df3645ce65682d441a35877 +digest: 5a3664baf5c416d009d7eefe0f45da0efb856928beb0cc299e1416de48810959 +createdAt: "2024-05-21T16:06:15Z" 
diff --git a/linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml b/linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml index 9026c2f11..b4ba323f1 100644 --- a/linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml +++ b/linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml @@ -3,16 +3,18 @@ kind: ClusterPolicy metadata: name: require-linkerd-mesh-injection annotations: - policies.kyverno.io/title: Require Linkerd Mesh Injection - policies.kyverno.io/category: Linkerd + policies.kyverno.io/title: Require Linkerd Mesh Injection in CEL expressions + policies.kyverno.io/category: Linkerd in CEL policies.kyverno.io/severity: medium policies.kyverno.io/subject: Namespace, Annotation + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/description: >- Sidecar proxy injection in Linkerd may be handled at the Namespace level by setting the annotation `linkerd.io/inject` to `enabled`. This policy enforces that all Namespaces contain the annotation `linkerd.io/inject` set to `enabled`. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: require-mesh-annotation @@ -22,8 +24,8 @@ spec: kinds: - Namespace validate: - message: "All Namespaces must set the annotation `linkerd.io/inject` to `enabled`." - pattern: - metadata: - annotations: - linkerd.io/inject: enabled \ No newline at end of file + cel: + expressions: + - expression: "has(object.metadata.annotations) && 'linkerd.io/inject' in object.metadata.annotations && object.metadata.annotations['linkerd.io/inject'] == 'enabled'" + message: "All Namespaces must set the annotation `linkerd.io/inject` to `enabled`." + From 63a28e7cb28629b3ffd154b024ce93b063971516 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Tue, 21 May 2024 16:13:40 +0000 Subject: [PATCH 13/43] copy disallow-ingress-nginx-custom-snippets 
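Review bot: The expression accepts only `enabled`, so a Namespace annotated `linkerd.io/inject: ingress`, a value Linkerd also accepts for ingress-mode proxies, is reported as a violation; this matches the pattern rule it replaces, but it is worth deciding whether that is intended, since clusters running ingress-mode workloads will otherwise need an exclude for those Namespaces. If ingress mode should pass, the tail of the expression becomes `object.metadata.annotations['linkerd.io/inject'] in ['enabled', 'ingress']`. The `has(...)` guard ahead of the `in` test is needed and should stay, because evaluating a missing `annotations` map would error the rule rather than return false.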
Signed-off-by: Chandan-DK --- .../.chainsaw-test/chainsaw-test.yaml | 30 +++++++ .../.chainsaw-test/cm-bad.yaml | 6 ++ .../.chainsaw-test/cm-good.yaml | 18 +++++ .../.chainsaw-test/ig-bad.yaml | 63 +++++++++++++++ .../.chainsaw-test/ig-good.yaml | 50 ++++++++++++ .../.chainsaw-test/policy-ready.yaml | 6 ++ .../.kyverno-test/kyverno-test.yaml | 35 ++++++++ .../.kyverno-test/resources.yaml | 81 +++++++++++++++++++ .../artifacthub-pkg.yml | 23 ++++++ ...isallow-ingress-nginx-custom-snippets.yaml | 43 ++++++++++ 10 files changed, 355 insertions(+) create mode 100755 nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/chainsaw-test.yaml create mode 100644 nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/cm-bad.yaml create mode 100644 nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/cm-good.yaml create mode 100644 nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/ig-bad.yaml create mode 100644 nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/ig-good.yaml create mode 100644 nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/policy-ready.yaml create mode 100644 nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.kyverno-test/kyverno-test.yaml create mode 100644 nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.kyverno-test/resources.yaml create mode 100644 nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml create mode 100644 nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/chainsaw-test.yaml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..f8d331033 --- /dev/null +++ b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/chainsaw-test.yaml 
@@ -0,0 +1,30 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disallow-ingress-nginx-custom-snippets +spec: + steps: + - name: step-01 + try: + - apply: + file: ../disallow-ingress-nginx-custom-snippets.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: cm-good.yaml + - apply: + file: ig-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: cm-bad.yaml + - apply: + expect: + - check: + ($error != null): true + file: ig-bad.yaml diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/cm-bad.yaml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/cm-bad.yaml new file mode 100644 index 000000000..177ac0678 --- /dev/null +++ b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/cm-bad.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +data: + allow-snippet-annotations: "true" +kind: ConfigMap +metadata: + name: config-map-true diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/cm-good.yaml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/cm-good.yaml new file mode 100644 index 000000000..6ec1541ac --- /dev/null +++ b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/cm-good.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +data: + allow-snippet-annotations: "false" +kind: ConfigMap +metadata: + name: config-map-false +--- +apiVersion: v1 +data: + random: "someval" +kind: ConfigMap +metadata: + name: config-map-other +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-map-empty \ No newline at end of file 
diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/ig-bad.yaml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/ig-bad.yaml new file mode 100644 index 000000000..82c289e7c --- /dev/null +++ b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/ig-bad.yaml @@ -0,0 +1,63 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: cafe-ingress-with-snippets + annotations: + foo: bar + nginx.org/server-snippet: | + location / { + return 302 /coffee; + } + nginx.org/location-snippet: | + add_header my-test-header test-value; +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /tea + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 + - path: /coffee + pathType: Prefix + backend: + service: + name: coffee-svc + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: cafe-ingress + annotations: + nginx.org/server-snippet: | + location / { + return 302 /coffee; + } + nginx.org/location-snippet: | + add_header my-test-header test-value; + foo: bar +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /tea + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 + - path: /coffee + pathType: Prefix + backend: + service: + name: coffee-svc + port: + number: 80 \ No newline at end of file diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/ig-good.yaml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/ig-good.yaml new file mode 100644 index 000000000..37a7cec08 --- /dev/null +++ b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/ig-good.yaml 
@@ -0,0 +1,50 @@ + +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: cafe-ingress-with-snippets + annotations: + foo: bar +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /tea + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 + - path: /coffee + pathType: Prefix + backend: + service: + name: coffee-svc + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: cafe-ingress +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /tea + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 + - path: /coffee + pathType: Prefix + backend: + service: + name: coffee-svc + port: + number: 80 \ No newline at end of file diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/policy-ready.yaml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/policy-ready.yaml new file mode 100644 index 000000000..8419e2c67 --- /dev/null +++ b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-ingress-nginx-custom-snippets +status: + ready: true \ No newline at end of file diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.kyverno-test/kyverno-test.yaml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..d668087bf --- /dev/null +++ b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,35 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow_nginx_custom_snippets +policies: +- ../disallow-ingress-nginx-custom-snippets.yaml +resources: +- resources.yaml +results: +- kind: ConfigMap + policy: disallow-ingress-nginx-custom-snippets + resources: + - config-map-true + result: fail + rule: check-config-map +- kind: ConfigMap + policy: disallow-ingress-nginx-custom-snippets + resources: + - config-map-false + - config-map-other + - config-map-empty + result: pass + rule: check-config-map +- kind: Ingress + policy: disallow-ingress-nginx-custom-snippets + resources: + - cafe-ingress-with-snippets + result: fail + rule: check-ingress-annotations +- kind: Ingress + policy: disallow-ingress-nginx-custom-snippets + resources: + - cafe-ingress + result: pass + rule: check-ingress-annotations diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.kyverno-test/resources.yaml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.kyverno-test/resources.yaml new file mode 100644 index 000000000..062f1f953 --- /dev/null +++ b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.kyverno-test/resources.yaml 
@@ -0,0 +1,81 @@ +--- +apiVersion: v1 +data: + allow-snippet-annotations: "false" +kind: ConfigMap +metadata: + name: config-map-false +--- +apiVersion: v1 +data: + allow-snippet-annotations: "true" +kind: ConfigMap +metadata: + name: config-map-true +--- +apiVersion: v1 +data: + random: "someval" +kind: ConfigMap +metadata: + name: config-map-other +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-map-empty +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: cafe-ingress-with-snippets + annotations: + nginx.org/server-snippet: | + location / { + return 302 /coffee; + } + nginx.org/location-snippet: | + add_header my-test-header test-value; +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /tea + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 + - path: /coffee + pathType: Prefix + backend: + service: + name: coffee-svc + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: cafe-ingress +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /tea + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 + - path: /coffee + pathType: Prefix + backend: + service: + name: coffee-svc + port: + number: 80 \ No newline at end of file diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml new file mode 100644 index 000000000..e6fb8f915 --- /dev/null +++ b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml 
@@ -0,0 +1,23 @@ +name: disallow-ingress-nginx-custom-snippets +version: 1.0.0 +displayName: Disallow Custom Snippets +createdAt: "2023-04-10T20:23:06.000Z" +description: >- + Users that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster (CVE-2021-25742). This policy disables allow-snippet-annotations in the ingress-nginx configuration and blocks *-snippet annotations on an Ingress. See: https://github.com/kubernetes/ingress-nginx/issues/7837 +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/nginx-ingress/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml + ``` +keywords: + - kyverno + - Security + - NGINX Ingress +readme: | + Users that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster (CVE-2021-25742). This policy disables allow-snippet-annotations in the ingress-nginx configuration and blocks *-snippet annotations on an Ingress. See: https://github.com/kubernetes/ingress-nginx/issues/7837 + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Security, NGINX Ingress" + kyverno/kubernetesVersion: "1.23" + kyverno/subject: "ConfigMap, Ingress" +digest: f82c858055d25ed42fa4ec3104c73e59eb17411d06ee65eb78f6063497785e57 diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml new file mode 100644 index 000000000..84f3d0dd3 --- /dev/null +++ b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml 
@@ -0,0 +1,43 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-ingress-nginx-custom-snippets + annotations: + policies.kyverno.io/title: Disallow Custom Snippets + policies.kyverno.io/category: Security, NGINX Ingress + policies.kyverno.io/subject: ConfigMap, Ingress + policies.kyverno.io/minversion: "1.6.0" + kyverno.io/kyverno-version: "1.6.0" + kyverno.io/kubernetes-version: "1.23" + policies.kyverno.io/description: >- + Users that can create or update ingress objects can use the custom snippets + feature to obtain all secrets in the cluster (CVE-2021-25742). This policy + disables allow-snippet-annotations in the ingress-nginx configuration and + blocks *-snippet annotations on an Ingress. + See: https://github.com/kubernetes/ingress-nginx/issues/7837 +spec: + validationFailureAction: enforce + rules: + - name: check-config-map + match: + any: + - resources: + kinds: + - ConfigMap + validate: + message: "ingress-nginx allow-snippet-annotations must be set to false" + pattern: + =(data): + =(allow-snippet-annotations) : "false" + - name: check-ingress-annotations + match: + any: + - resources: + kinds: + - networking.k8s.io/v1/Ingress + validate: + message: "ingress-nginx custom snippets are not allowed" + pattern: + metadata: + =(annotations): + X(*-snippet): "?*" From 7cffb72e2f87c2391057d3c05f4f6fa0dd97d9d9 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Tue, 21 May 2024 16:16:55 +0000 Subject: [PATCH 14/43] convert disallow-ingress-nginx-custom-snippets Signed-off-by: Chandan-DK --- .../artifacthub-pkg.yml | 15 +++++----- ...isallow-ingress-nginx-custom-snippets.yaml | 30 +++++++++---------- 2 files changed, 23 insertions(+), 22 deletions(-) diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml index e6fb8f915..dc8d4db5c 100644 --- a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml 
+++ b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml 
@@ -1,23 +1,24 @@ -name: disallow-ingress-nginx-custom-snippets +name: disallow-ingress-nginx-custom-snippets-cel version: 1.0.0 -displayName: Disallow Custom Snippets -createdAt: "2023-04-10T20:23:06.000Z" +displayName: Disallow Custom Snippets in CEL expressions description: >- Users that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster (CVE-2021-25742). This policy disables allow-snippet-annotations in the ingress-nginx configuration and blocks *-snippet annotations on an Ingress. See: https://github.com/kubernetes/ingress-nginx/issues/7837 install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/nginx-ingress/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml ``` keywords: - kyverno - Security - NGINX Ingress + - CEL Expressions readme: | Users that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster (CVE-2021-25742). This policy disables allow-snippet-annotations in the ingress-nginx configuration and blocks *-snippet annotations on an Ingress. See: https://github.com/kubernetes/ingress-nginx/issues/7837 Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Security, NGINX Ingress" - kyverno/kubernetesVersion: "1.23" + kyverno/category: "Security, NGINX Ingress in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "ConfigMap, Ingress" -digest: f82c858055d25ed42fa4ec3104c73e59eb17411d06ee65eb78f6063497785e57 +digest: 685157a8a5012fd37f515b0e090203d0b508ff969c3298b278405063771c0b8a +createdAt: "2024-05-21T16:14:12Z" 
diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml index 84f3d0dd3..a6e29d4d2 100644 --- a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml +++ b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml @@ -3,12 +3,12 @@ kind: ClusterPolicy metadata: name: disallow-ingress-nginx-custom-snippets annotations: - policies.kyverno.io/title: Disallow Custom Snippets - policies.kyverno.io/category: Security, NGINX Ingress + policies.kyverno.io/title: Disallow Custom Snippets in CEL expressions + policies.kyverno.io/category: Security, NGINX Ingress in CEL policies.kyverno.io/subject: ConfigMap, Ingress - policies.kyverno.io/minversion: "1.6.0" - kyverno.io/kyverno-version: "1.6.0" - kyverno.io/kubernetes-version: "1.23" + policies.kyverno.io/minversion: "1.11.0" + kyverno.io/kyverno-version: "1.11.0" + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/description: >- Users that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster (CVE-2021-25742). This policy @@ -16,7 +16,7 @@ metadata: blocks *-snippet annotations on an Ingress. See: https://github.com/kubernetes/ingress-nginx/issues/7837 spec: - validationFailureAction: enforce + validationFailureAction: Enforce rules: - name: check-config-map match: 
@@ -25,10 +25,10 @@ spec: kinds: - ConfigMap validate: - message: "ingress-nginx allow-snippet-annotations must be set to false" - pattern: - =(data): - =(allow-snippet-annotations) : "false" + cel: + expressions: + - expression: "!has(object.data) || !('allow-snippet-annotations' in object.data) || object.data['allow-snippet-annotations'] == 'false'" + message: "ingress-nginx allow-snippet-annotations must be set to false" - name: check-ingress-annotations match: any: @@ -36,8 +36,8 @@ spec: kinds: - networking.k8s.io/v1/Ingress validate: - message: "ingress-nginx custom snippets are not allowed" - pattern: - metadata: - =(annotations): - X(*-snippet): "?*" + cel: + expressions: + - expression: "!has(object.metadata.annotations) || !object.metadata.annotations.exists(annotation, annotation.endsWith('-snippet'))" + message: "ingress-nginx custom snippets are not allowed" + From 9321063209a7cba09b4c11171bd583e43cd2da55 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 06:35:04 +0000 Subject: [PATCH 15/43] copy restrict-annotations 
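Review bot: The `check-config-map` expression in the first hunk passes a ConfigMap that omits `allow-snippet-annotations` entirely (`!('allow-snippet-annotations' in object.data)`), which faithfully mirrors the optional `=(allow-snippet-annotations)` anchor it replaces but means the rule only rejects an explicit `"true"`; on ingress-nginx releases whose built-in default for that key is true (older releases, I believe before v1.9 — worth confirming against the version in use), an unset key still leaves snippets enabled. Actually disabling the setting, as the description claims, would require narrowing the match to the controller's own ConfigMap (by namespace and name) and then requiring the key to be present and equal to `'false'`, which is a behavior change and would invalidate the `config-map-other`/`config-map-empty` pass expectations; if that is out of scope, the description could instead say the policy blocks enabling the setting, e.g. `blocks setting allow-snippet-annotations to anything other than "false"`. The `check-ingress-annotations` expression in the second hunk is sound and slightly stricter than the old `X(*-snippet): "?*"` pattern, since it also rejects an empty-valued `*-snippet` annotation, which is the safer direction.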
Signed-off-by: Chandan-DK --- .../.chainsaw-test/chainsaw-test.yaml | 23 +++ .../.chainsaw-test/ig-bad.yaml | 129 +++++++++++++ .../.chainsaw-test/ig-good.yaml | 49 +++++ .../.chainsaw-test/policy-ready.yaml | 6 + .../.kyverno-test/kyverno-test.yaml | 26 +++ .../.kyverno-test/resources.yaml | 180 ++++++++++++++++++ .../restrict-annotations/artifacthub-pkg.yml | 23 +++ .../restrict-annotations.yaml | 48 +++++ 8 files changed, 484 insertions(+) create mode 100755 nginx-ingress-cel/restrict-annotations/.chainsaw-test/chainsaw-test.yaml create mode 100644 nginx-ingress-cel/restrict-annotations/.chainsaw-test/ig-bad.yaml create mode 100644 nginx-ingress-cel/restrict-annotations/.chainsaw-test/ig-good.yaml create mode 100644 nginx-ingress-cel/restrict-annotations/.chainsaw-test/policy-ready.yaml create mode 100644 nginx-ingress-cel/restrict-annotations/.kyverno-test/kyverno-test.yaml create mode 100644 nginx-ingress-cel/restrict-annotations/.kyverno-test/resources.yaml create mode 100644 nginx-ingress-cel/restrict-annotations/artifacthub-pkg.yml create mode 100644 nginx-ingress-cel/restrict-annotations/restrict-annotations.yaml diff --git a/nginx-ingress-cel/restrict-annotations/.chainsaw-test/chainsaw-test.yaml b/nginx-ingress-cel/restrict-annotations/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..587740382 --- /dev/null +++ b/nginx-ingress-cel/restrict-annotations/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,23 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: restrict-annotations +spec: + steps: + - name: step-01 + try: + - apply: + file: ../restrict-annotations.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: ig-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: ig-bad.yaml 
diff --git a/nginx-ingress-cel/restrict-annotations/.chainsaw-test/ig-bad.yaml b/nginx-ingress-cel/restrict-annotations/.chainsaw-test/ig-bad.yaml new file mode 100644 index 000000000..fd98e54ca --- /dev/null +++ b/nginx-ingress-cel/restrict-annotations/.chainsaw-test/ig-bad.yaml 
@@ -0,0 +1,129 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: cafe-ingress-with-snippets + annotations: + nginx.org/bad: "alias; " +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /tea + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 + - path: /coffee + pathType: Prefix + backend: + service: + name: coffee-svc + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: cafe-ingress-with-snippets + annotations: + nginx.org/bad: " root ;" +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /tea + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 + - path: /coffee + pathType: Prefix + backend: + service: + name: coffee-svc + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: etc-passwd + annotations: + nginx.org/bad: "/etc/passwd" +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /tea + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 + - path: /coffee + pathType: Prefix + backend: + service: + name: coffee-svc + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: var-run-secrets + annotations: + nginx.org/bad: "/var/run/secrets" +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /tea + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 + - path: /coffee + pathType: Prefix + backend: + service: + name: coffee-svc + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: lua + annotations: + nginx.org/bad: "*! _by_lua 8010-191091" +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /tea + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 + - path: /coffee + pathType: Prefix + backend: + service: + name: coffee-svc + port: + number: 80 \ No newline at end of file 
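Review bot: The first two Ingress documents in ig-bad.yaml both use `name: cafe-ingress-with-snippets`, so the second would be an update of the first if either were ever admitted, and neither name says which blocklist term it exercises; the sibling `.kyverno-test/resources.yaml` already names the same fixtures `alias` and `root`. Renaming them to `name: alias` and `name: root` keeps the two harnesses aligned and makes a failing case identifiable from chainsaw output. The fixtures also cover only `/etc/passwd` from the policy's `/etc/(passwd|shadow|group|nginx|ingress-controller)` alternation; one more document using another alternative from that group would exercise the rest of the regex without a new document shape.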
diff --git a/nginx-ingress-cel/restrict-annotations/.chainsaw-test/ig-good.yaml b/nginx-ingress-cel/restrict-annotations/.chainsaw-test/ig-good.yaml new file mode 100644 index 000000000..1f0b3a8ec --- /dev/null +++ b/nginx-ingress-cel/restrict-annotations/.chainsaw-test/ig-good.yaml @@ -0,0 +1,49 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: cafe-ingress-with-snippets + annotations: + nginx.org/good: "value" +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /tea + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 + - path: /coffee + pathType: Prefix + backend: + service: + name: coffee-svc + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: cafe-ingress +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /tea + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 + - path: /coffee + pathType: Prefix + backend: + service: + name: coffee-svc + port: + number: 80 \ No newline at end of file diff --git a/nginx-ingress-cel/restrict-annotations/.chainsaw-test/policy-ready.yaml b/nginx-ingress-cel/restrict-annotations/.chainsaw-test/policy-ready.yaml new file mode 100644 index 000000000..3e2289190 --- /dev/null +++ b/nginx-ingress-cel/restrict-annotations/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-annotations +status: + ready: true \ No newline at end of file diff --git a/nginx-ingress-cel/restrict-annotations/.kyverno-test/kyverno-test.yaml b/nginx-ingress-cel/restrict-annotations/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..231768b29 --- /dev/null +++ b/nginx-ingress-cel/restrict-annotations/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,26 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-annotations +policies: +- ../restrict-annotations.yaml +resources: +- resources.yaml +results: +- kind: Ingress + policy: restrict-annotations + resources: + - alias + - root + - etc-passwd + - var-run-secrets + - lua + result: fail + rule: check-ingress +- kind: Ingress + policy: restrict-annotations + resources: + - no-annotations + - good-annotations + result: pass + rule: check-ingress diff --git a/nginx-ingress-cel/restrict-annotations/.kyverno-test/resources.yaml b/nginx-ingress-cel/restrict-annotations/.kyverno-test/resources.yaml new file mode 100644 index 000000000..ed12c4972 --- /dev/null +++ b/nginx-ingress-cel/restrict-annotations/.kyverno-test/resources.yaml 
@@ -0,0 +1,180 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: no-annotations +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /tea + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 + - path: /coffee + pathType: Prefix + backend: + service: + name: coffee-svc + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: good-annotations + annotations: + nginx.org/good: "value" +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /tea + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 + - path: /coffee + pathType: Prefix + backend: + service: + name: coffee-svc + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: alias + annotations: + nginx.org/bad: "alias; " +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /tea + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 + - path: /coffee + pathType: Prefix + backend: + service: + name: coffee-svc + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: root + annotations: + nginx.org/bad: " root ;" +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /tea + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 + - path: /coffee + pathType: Prefix + backend: + service: + name: coffee-svc + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: etc-passwd + annotations: + nginx.org/bad: "/etc/passwd" +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /tea + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 + - path: /coffee + pathType: Prefix + backend: + service: + name: coffee-svc + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: var-run-secrets + annotations: + nginx.org/bad: 
"/var/run/secrets" +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /tea + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 + - path: /coffee + pathType: Prefix + backend: + service: + name: coffee-svc + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: lua + annotations: + nginx.org/bad: "*! _by_lua 8010-191091" +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /tea + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 + - path: /coffee + pathType: Prefix + backend: + service: + name: coffee-svc + port: + number: 80 \ No newline at end of file diff --git a/nginx-ingress-cel/restrict-annotations/artifacthub-pkg.yml b/nginx-ingress-cel/restrict-annotations/artifacthub-pkg.yml new file mode 100644 index 000000000..f5d3f217b --- /dev/null +++ b/nginx-ingress-cel/restrict-annotations/artifacthub-pkg.yml 
@@ -0,0 +1,23 @@ +name: restrict-annotations +version: 1.0.0 +displayName: Restrict NGINX Ingress annotation values +createdAt: "2023-04-10T20:23:06.000Z" +description: >- + This policy mitigates CVE-2021-25746 by restricting `metadata.annotations` to safe values. See: https://github.com/kubernetes/ingress-nginx/blame/main/internal/ingress/inspector/rules.go. This issue has been fixed in NGINX Ingress v1.2.0. For NGINX Ingress version 1.0.5+ the "annotation-value-word-blocklist" configuration setting is also recommended. Please refer to the CVE for details. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/nginx-ingress/restrict-annotations/restrict-annotations.yaml + ``` +keywords: + - kyverno + - Security + - NGINX Ingress +readme: | + This policy mitigates CVE-2021-25746 by restricting `metadata.annotations` to safe values. See: https://github.com/kubernetes/ingress-nginx/blame/main/internal/ingress/inspector/rules.go. This issue has been fixed in NGINX Ingress v1.2.0. For NGINX Ingress version 1.0.5+ the "annotation-value-word-blocklist" configuration setting is also recommended. Please refer to the CVE for details. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Security, NGINX Ingress" + kyverno/kubernetesVersion: "1.23" + kyverno/subject: "Ingress" +digest: 6618fb9e85f16298c93bea7acde1bd85f18457056733a861d73e555f8b935a1d diff --git a/nginx-ingress-cel/restrict-annotations/restrict-annotations.yaml b/nginx-ingress-cel/restrict-annotations/restrict-annotations.yaml new file mode 100644 index 000000000..091737f32 --- /dev/null +++ b/nginx-ingress-cel/restrict-annotations/restrict-annotations.yaml 
@@ -0,0 +1,48 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-annotations + annotations: + policies.kyverno.io/title: Restrict NGINX Ingress annotation values + policies.kyverno.io/category: Security, NGINX Ingress + policies.kyverno.io/severity: high + policies.kyverno.io/subject: Ingress + policies.kyverno.io/minversion: "1.6.0" + kyverno.io/kyverno-version: "1.6.0" + kyverno.io/kubernetes-version: "1.23" + policies.kyverno.io/description: >- + This policy mitigates CVE-2021-25746 by restricting `metadata.annotations` to safe values. + See: https://github.com/kubernetes/ingress-nginx/blame/main/internal/ingress/inspector/rules.go. + This issue has been fixed in NGINX Ingress v1.2.0. For NGINX Ingress version 1.0.5+ the + "annotation-value-word-blocklist" configuration setting is also recommended. + Please refer to the CVE for details. +spec: + validationFailureAction: enforce + rules: + - name: check-ingress + match: + any: + - resources: + kinds: + - networking.k8s.io/v1/Ingress + validate: + message: "spec.rules[].http.paths[].path value is not allowed" + deny: + conditions: + any: + - key: "{{request.object.metadata.annotations.values(@)[].regex_match('\\s*alias\\s*.*;', @)}}" + operator: AnyIn + value: [true] + - key: "{{request.object.metadata.annotations.values(@)[].regex_match('\\s*root\\s*.*;', @)}}" + operator: AnyIn + value: [true] + - key: "{{request.object.metadata.annotations.values(@)[].regex_match('/etc/(passwd|shadow|group|nginx|ingress-controller)', @)}}" + operator: AnyIn + value: [true] + - key: "{{request.object.metadata.annotations.values(@)[].regex_match('/var/run/secrets', @)}}" + operator: AnyIn + value: [true] + - key: "{{request.object.metadata.annotations.values(@)[].regex_match('.*_by_lua.*', @)}}" + operator: AnyIn + value: [true] + From afc2feabc46f01663eba3190af4fd0e69b281048 Mon Sep 17 00:00:00 2001 
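Review bot: The `validate.message` in `check-ingress` reads `spec.rules[].http.paths[].path value is not allowed`, but every deny condition in the rule inspects `request.object.metadata.annotations` values, so a user whose Ingress is rejected is pointed at the wrong field. Suggest `message: "metadata.annotations value is not allowed"` (the follow-up conversion commit may already reword it, but its rule hunk is outside this view). The message is copied verbatim from the pre-existing policy, so this is inherited rather than introduced here, but a new directory is a good point to fix it.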
From: Chandan-DK Date: Wed, 22 May 2024 06:48:11 +0000 Subject: [PATCH 16/43] convert restrict-annotations Signed-off-by: Chandan-DK --- .../restrict-annotations/artifacthub-pkg.yml | 15 ++++--- .../restrict-annotations.yaml | 43 ++++++++----------- 2 files changed, 26 insertions(+), 32 deletions(-) diff --git a/nginx-ingress-cel/restrict-annotations/artifacthub-pkg.yml b/nginx-ingress-cel/restrict-annotations/artifacthub-pkg.yml index f5d3f217b..25e747867 100644 --- a/nginx-ingress-cel/restrict-annotations/artifacthub-pkg.yml +++ b/nginx-ingress-cel/restrict-annotations/artifacthub-pkg.yml 
@@ -1,23 +1,24 @@ -name: restrict-annotations +name: restrict-annotations-cel version: 1.0.0 -displayName: Restrict NGINX Ingress annotation values -createdAt: "2023-04-10T20:23:06.000Z" +displayName: Restrict NGINX Ingress annotation values in CEL expressions description: >- This policy mitigates CVE-2021-25746 by restricting `metadata.annotations` to safe values. See: https://github.com/kubernetes/ingress-nginx/blame/main/internal/ingress/inspector/rules.go. This issue has been fixed in NGINX Ingress v1.2.0. For NGINX Ingress version 1.0.5+ the "annotation-value-word-blocklist" configuration setting is also recommended. Please refer to the CVE for details. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/nginx-ingress/restrict-annotations/restrict-annotations.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/nginx-ingress-cel/restrict-annotations/restrict-annotations.yaml ``` keywords: - kyverno - Security - NGINX Ingress + - CEL Expressions readme: | This policy mitigates CVE-2021-25746 by restricting `metadata.annotations` to safe values. See: https://github.com/kubernetes/ingress-nginx/blame/main/internal/ingress/inspector/rules.go. This issue has been fixed in NGINX Ingress v1.2.0. For NGINX Ingress version 1.0.5+ the "annotation-value-word-blocklist" configuration setting is also recommended. Please refer to the CVE for details. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Security, NGINX Ingress" - kyverno/kubernetesVersion: "1.23" + kyverno/category: "Security, NGINX Ingress in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Ingress" -digest: 6618fb9e85f16298c93bea7acde1bd85f18457056733a861d73e555f8b935a1d +digest: e48069a57eb0323df1ae0d02599603a3b9888faf5c1299ff330b8cf4208a6168 +createdAt: "2024-05-22T06:47:38Z" 
diff --git a/nginx-ingress-cel/restrict-annotations/restrict-annotations.yaml b/nginx-ingress-cel/restrict-annotations/restrict-annotations.yaml index 091737f32..332d55ac4 100644 --- a/nginx-ingress-cel/restrict-annotations/restrict-annotations.yaml +++ b/nginx-ingress-cel/restrict-annotations/restrict-annotations.yaml @@ -3,13 +3,13 @@ kind: ClusterPolicy metadata: name: restrict-annotations annotations: - policies.kyverno.io/title: Restrict NGINX Ingress annotation values - policies.kyverno.io/category: Security, NGINX Ingress + policies.kyverno.io/title: Restrict NGINX Ingress annotation values in CEL expressions + policies.kyverno.io/category: Security, NGINX Ingress in CEL policies.kyverno.io/severity: high policies.kyverno.io/subject: Ingress - policies.kyverno.io/minversion: "1.6.0" - kyverno.io/kyverno-version: "1.6.0" - kyverno.io/kubernetes-version: "1.23" + policies.kyverno.io/minversion: "1.11.0" + kyverno.io/kyverno-version: "1.11.0" + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/description: >- This policy mitigates CVE-2021-25746 by restricting `metadata.annotations` to safe values. See: https://github.com/kubernetes/ingress-nginx/blame/main/internal/ingress/inspector/rules.go. @@ -17,7 +17,7 @@ metadata: "annotation-value-word-blocklist" configuration setting is also recommended. Please refer to the CVE for details. spec: - validationFailureAction: enforce + validationFailureAction: Enforce rules: - name: check-ingress match: 
@@ -26,23 +26,16 @@ spec: kinds: - networking.k8s.io/v1/Ingress validate: - message: "spec.rules[].http.paths[].path value is not allowed" - deny: - conditions: - any: - - key: "{{request.object.metadata.annotations.values(@)[].regex_match('\\s*alias\\s*.*;', @)}}" - operator: AnyIn - value: [true] - - key: "{{request.object.metadata.annotations.values(@)[].regex_match('\\s*root\\s*.*;', @)}}" - operator: AnyIn - value: [true] - - key: "{{request.object.metadata.annotations.values(@)[].regex_match('/etc/(passwd|shadow|group|nginx|ingress-controller)', @)}}" - operator: AnyIn - value: [true] - - key: "{{request.object.metadata.annotations.values(@)[].regex_match('/var/run/secrets', @)}}" - operator: AnyIn - value: [true] - - key: "{{request.object.metadata.annotations.values(@)[].regex_match('.*_by_lua.*', @)}}" - operator: AnyIn - value: [true] + cel: + expressions: + - expression: >- + !has(object.metadata.annotations) || + ( + !object.metadata.annotations.exists(annotation, object.metadata.annotations[annotation].matches('\\s*alias\\s*.*;')) && + !object.metadata.annotations.exists(annotation, object.metadata.annotations[annotation].matches('\\s*root\\s*.*;')) && + !object.metadata.annotations.exists(annotation, object.metadata.annotations[annotation].matches('/etc/(passwd|shadow|group|nginx|ingress-controller)')) && + !object.metadata.annotations.exists(annotation, object.metadata.annotations[annotation].matches('/var/run/secrets')) && + !object.metadata.annotations.exists(annotation, object.metadata.annotations[annotation].matches('.*_by_lua.*')) + ) + message: "spec.rules[].http.paths[].path value is not allowed" From abd6ab40c8e2a1f13b3df1908009372b301338f9 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 06:53:00 +0000 Subject: [PATCH 17/43] copy restrict-ingress-paths 
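Review bot: The `message` kept under the new `cel` block, `spec.rules[].http.paths[].path value is not allowed`, describes the sibling restrict-ingress-paths policy rather than the annotation values this expression actually checks, so a rejected Ingress points the user at the wrong field; something like `message: "metadata.annotations contains a disallowed value (alias/root directive, sensitive file path, or *_by_lua)"` would match the five checks. The mismatch was already present on the removed `deny` side, so this is a pre-existing defect the conversion carries over rather than one it introduces. As a point of style, the five `exists` calls each re-walk the same map and repeat the `object.metadata.annotations[annotation]` lookup; because `matches` is an unanchored RE2 search, a single alternation such as `!object.metadata.annotations.exists(k, object.metadata.annotations[k].matches('\\s*alias\\s*.*;|\\s*root\\s*.*;|/etc/(passwd|shadow|group|nginx|ingress-controller)|/var/run/secrets|.*_by_lua.*'))` is equivalent and easier to extend when a new blocked directive is added.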
Signed-off-by: Chandan-DK --- .../.chainsaw-test/chainsaw-test.yaml | 23 +++++ .../.chainsaw-test/ig-bad.yaml | 68 ++++++++++++++ .../.chainsaw-test/ig-good.yaml | 23 +++++ .../.chainsaw-test/policy-ready.yaml | 6 ++ .../.kyverno-test/kyverno-test.yaml | 24 +++++ .../.kyverno-test/resources.yaml | 92 +++++++++++++++++++ .../artifacthub-pkg.yml | 23 +++++ .../restrict-ingress-paths.yaml | 45 +++++++++ 8 files changed, 304 insertions(+) create mode 100755 nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/chainsaw-test.yaml create mode 100644 nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/ig-bad.yaml create mode 100644 nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/ig-good.yaml create mode 100644 nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/policy-ready.yaml create mode 100644 nginx-ingress-cel/restrict-ingress-paths/.kyverno-test/kyverno-test.yaml create mode 100644 nginx-ingress-cel/restrict-ingress-paths/.kyverno-test/resources.yaml create mode 100644 nginx-ingress-cel/restrict-ingress-paths/artifacthub-pkg.yml create mode 100644 nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths.yaml diff --git a/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/chainsaw-test.yaml b/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..1a716aa8c --- /dev/null +++ b/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,23 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: restrict-ingress-paths +spec: + steps: + - name: step-01 + try: + - apply: + file: ../restrict-ingress-paths.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: ig-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: ig-bad.yaml 
diff --git a/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/ig-bad.yaml b/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/ig-bad.yaml new file mode 100644 index 000000000..b3d09bddb --- /dev/null +++ b/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/ig-bad.yaml @@ -0,0 +1,68 @@ + +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: bad-path-root +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /root + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: bad-path-secrets +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /var/run/secrets + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: bad-path-etc +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /etc/kubernetes/admin.conf + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: bad-path-serviceaccount +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /var/run/kubernetes/serviceaccount + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 \ No newline at end of file diff --git a/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/ig-good.yaml b/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/ig-good.yaml new file mode 100644 index 000000000..a0d35da2b --- /dev/null +++ b/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/ig-good.yaml 
@@ -0,0 +1,23 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: good-paths +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /tea + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 + - path: /coffee + pathType: Prefix + backend: + service: + name: coffee-svc + port: + number: 80 \ No newline at end of file diff --git a/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/policy-ready.yaml b/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/policy-ready.yaml new file mode 100644 index 000000000..d172b2aef --- /dev/null +++ b/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-ingress-paths +status: + ready: true \ No newline at end of file diff --git a/nginx-ingress-cel/restrict-ingress-paths/.kyverno-test/kyverno-test.yaml b/nginx-ingress-cel/restrict-ingress-paths/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..c57aa2a7e --- /dev/null +++ b/nginx-ingress-cel/restrict-ingress-paths/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,24 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-annotations +policies: +- ../restrict-ingress-paths.yaml +resources: +- resources.yaml +results: +- kind: Ingress + policy: restrict-ingress-paths + resources: + - bad-path-root + - bad-path-etc + - bad-path-serviceaccount + - bad-path-secrets + result: fail + rule: check-paths +- kind: Ingress + policy: restrict-ingress-paths + resources: + - good-paths + result: pass + rule: check-paths diff --git a/nginx-ingress-cel/restrict-ingress-paths/.kyverno-test/resources.yaml b/nginx-ingress-cel/restrict-ingress-paths/.kyverno-test/resources.yaml new file mode 100644 index 000000000..849b672e9 --- /dev/null +++ b/nginx-ingress-cel/restrict-ingress-paths/.kyverno-test/resources.yaml 
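Review bot: In the new `.kyverno-test/kyverno-test.yaml`, `metadata.name` is `restrict-annotations`, the sibling policy's name, while `policies` and both `results` entries refer to `restrict-ingress-paths`; the CLI does not cross-check this field against the policy, so the test still runs but is mislabelled in its output and harder to find when it fails. Change it to `name: restrict-ingress-paths`. The value was presumably inherited from the non-CEL directory this was copied from, so the original nginx-ingress test likely carries the same label and could be fixed in the same pass.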
@@ -0,0 +1,92 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: good-paths +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /tea + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 + - path: /coffee + pathType: Prefix + backend: + service: + name: coffee-svc + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: bad-path-root +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /root + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: bad-path-secrets +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /var/run/secrets + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: bad-path-etc +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /etc/kubernetes/admin.conf + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: bad-path-serviceaccount +spec: + rules: + - host: cafe.example.com + http: + paths: + - path: /var/run/kubernetes/serviceaccount + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 \ No newline at end of file diff --git a/nginx-ingress-cel/restrict-ingress-paths/artifacthub-pkg.yml b/nginx-ingress-cel/restrict-ingress-paths/artifacthub-pkg.yml new file mode 100644 index 000000000..ce23817b0 --- /dev/null +++ b/nginx-ingress-cel/restrict-ingress-paths/artifacthub-pkg.yml 
@@ -0,0 +1,23 @@ +name: restrict-ingress-paths +version: 1.0.0 +displayName: Restrict NGINX Ingress path values +createdAt: "2023-04-10T20:23:06.000Z" +description: >- + This policy mitigates CVE-2021-25745 by restricting `spec.rules[].http.paths[].path` to safe values. Additional paths can be added as required. This issue has been fixed in NGINX Ingress v1.2.0. Please refer to the CVE for details. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/nginx-ingress/restrict-ingress-paths/restrict-ingress-paths.yaml + ``` +keywords: + - kyverno + - Security + - NGINX Ingress +readme: | + This policy mitigates CVE-2021-25745 by restricting `spec.rules[].http.paths[].path` to safe values. Additional paths can be added as required. This issue has been fixed in NGINX Ingress v1.2.0. Please refer to the CVE for details. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Security, NGINX Ingress" + kyverno/kubernetesVersion: "1.23" + kyverno/subject: "Ingress" +digest: ab86ab56e2f637eb204896effe8bde24dc297efa7dd7557bbb497f01b364518e diff --git a/nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths.yaml b/nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths.yaml new file mode 100644 index 000000000..c4d9d5353 --- /dev/null +++ b/nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths.yaml 
@@ -0,0 +1,45 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-ingress-paths + annotations: + policies.kyverno.io/title: Restrict NGINX Ingress path values + policies.kyverno.io/category: Security, NGINX Ingress + policies.kyverno.io/severity: high + policies.kyverno.io/subject: Ingress + policies.kyverno.io/minversion: "1.6.0" + kyverno.io/kyverno-version: "1.6.0" + kyverno.io/kubernetes-version: "1.23" + policies.kyverno.io/description: >- + This policy mitigates CVE-2021-25745 by restricting `spec.rules[].http.paths[].path` to safe values. + Additional paths can be added as required. This issue has been fixed in NGINX Ingress v1.2.0. + Please refer to the CVE for details. +spec: + validationFailureAction: enforce + rules: + - name: check-paths + match: + any: + - resources: + kinds: + - networking.k8s.io/v1/Ingress + validate: + message: "spec.rules[].http.paths[].path value is not allowed" + deny: + conditions: + any: + - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/etc') }}" + operator: AnyIn + value: [true] + - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/var/run/secrets') }}" + operator: AnyIn + value: [true] + - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/root') }}" + operator: AnyIn + value: [true] + - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/var/run/kubernetes/serviceaccount') }}" + operator: AnyIn + value: [true] + - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/etc/kubernetes/admin.conf') }}" + operator: AnyIn + value: [true] From 0e01161f814394730e62833859aa00078400c45b Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 07:14:46 +0000 Subject: [PATCH 18/43] add kyverno test for one more failing condition 
Signed-off-by: Chandan-DK --- .../.chainsaw-test/ig-bad.yaml | 19 ++++++++++++++++++- .../.kyverno-test/kyverno-test.yaml | 1 + .../.kyverno-test/resources.yaml | 19 ++++++++++++++++++- .../.chainsaw-test/ig-bad.yaml | 19 ++++++++++++++++++- .../.kyverno-test/kyverno-test.yaml | 1 + .../.kyverno-test/resources.yaml | 19 ++++++++++++++++++- 6 files changed, 74 insertions(+), 4 deletions(-) diff --git a/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/ig-bad.yaml b/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/ig-bad.yaml index b3d09bddb..b3874294d 100644 --- a/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/ig-bad.yaml +++ b/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/ig-bad.yaml @@ -36,7 +36,7 @@ spec: apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: bad-path-etc + name: bad-path-etc-kubernetes spec: rules: - host: cafe.example.com @@ -64,5 +64,22 @@ spec: backend: service: name: tea-svc + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: bad-path-etc +spec: + rules: + - host: example.com + http: + paths: + - path: /etc/config + pathType: Prefix + backend: + service: + name: nginx-service port: number: 80 \ No newline at end of file diff --git a/nginx-ingress-cel/restrict-ingress-paths/.kyverno-test/kyverno-test.yaml b/nginx-ingress-cel/restrict-ingress-paths/.kyverno-test/kyverno-test.yaml index c57aa2a7e..bde8a7d90 100644 --- a/nginx-ingress-cel/restrict-ingress-paths/.kyverno-test/kyverno-test.yaml +++ b/nginx-ingress-cel/restrict-ingress-paths/.kyverno-test/kyverno-test.yaml @@ -12,6 +12,7 @@ results: resources: - bad-path-root - bad-path-etc + - bad-path-etc-kubernetes - bad-path-serviceaccount - bad-path-secrets result: fail diff --git a/nginx-ingress-cel/restrict-ingress-paths/.kyverno-test/resources.yaml b/nginx-ingress-cel/restrict-ingress-paths/.kyverno-test/resources.yaml index 849b672e9..f413946e8 100644 
--- a/nginx-ingress-cel/restrict-ingress-paths/.kyverno-test/resources.yaml +++ b/nginx-ingress-cel/restrict-ingress-paths/.kyverno-test/resources.yaml @@ -60,7 +60,7 @@ spec: apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: bad-path-etc + name: bad-path-etc-kubernetes spec: rules: - host: cafe.example.com @@ -88,5 +88,22 @@ spec: backend: service: name: tea-svc + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: bad-path-etc +spec: + rules: + - host: example.com + http: + paths: + - path: /etc/config + pathType: Prefix + backend: + service: + name: nginx-service port: number: 80 \ No newline at end of file diff --git a/nginx-ingress/restrict-ingress-paths/.chainsaw-test/ig-bad.yaml b/nginx-ingress/restrict-ingress-paths/.chainsaw-test/ig-bad.yaml index b3d09bddb..b3874294d 100644 --- a/nginx-ingress/restrict-ingress-paths/.chainsaw-test/ig-bad.yaml +++ b/nginx-ingress/restrict-ingress-paths/.chainsaw-test/ig-bad.yaml @@ -36,7 +36,7 @@ spec: apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: bad-path-etc + name: bad-path-etc-kubernetes spec: rules: - host: cafe.example.com @@ -64,5 +64,22 @@ spec: backend: service: name: tea-svc + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: bad-path-etc +spec: + rules: + - host: example.com + http: + paths: + - path: /etc/config + pathType: Prefix + backend: + service: + name: nginx-service port: number: 80 \ No newline at end of file diff --git a/nginx-ingress/restrict-ingress-paths/.kyverno-test/kyverno-test.yaml b/nginx-ingress/restrict-ingress-paths/.kyverno-test/kyverno-test.yaml index c57aa2a7e..bde8a7d90 100644 --- a/nginx-ingress/restrict-ingress-paths/.kyverno-test/kyverno-test.yaml +++ b/nginx-ingress/restrict-ingress-paths/.kyverno-test/kyverno-test.yaml 
@@ -12,6 +12,7 @@ results: resources: - bad-path-root - bad-path-etc + - bad-path-etc-kubernetes - bad-path-serviceaccount - bad-path-secrets result: fail diff --git a/nginx-ingress/restrict-ingress-paths/.kyverno-test/resources.yaml b/nginx-ingress/restrict-ingress-paths/.kyverno-test/resources.yaml index 849b672e9..f413946e8 100644 --- a/nginx-ingress/restrict-ingress-paths/.kyverno-test/resources.yaml +++ b/nginx-ingress/restrict-ingress-paths/.kyverno-test/resources.yaml @@ -60,7 +60,7 @@ spec: apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: bad-path-etc + name: bad-path-etc-kubernetes spec: rules: - host: cafe.example.com @@ -88,5 +88,22 @@ spec: backend: service: name: tea-svc + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: bad-path-etc +spec: + rules: + - host: example.com + http: + paths: + - path: /etc/config + pathType: Prefix + backend: + service: + name: nginx-service port: number: 80 \ No newline at end of file From 2788e16f186827481c7fb10ca90ba9a09b7439cb Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 07:15:00 +0000 Subject: [PATCH 19/43] convert restrict-ingress-paths Signed-off-by: Chandan-DK --- .../artifacthub-pkg.yml | 15 +++---- .../restrict-ingress-paths.yaml | 42 ++++++++----------- 2 files changed, 25 insertions(+), 32 deletions(-) diff --git a/nginx-ingress-cel/restrict-ingress-paths/artifacthub-pkg.yml b/nginx-ingress-cel/restrict-ingress-paths/artifacthub-pkg.yml index ce23817b0..47570847c 100644 --- a/nginx-ingress-cel/restrict-ingress-paths/artifacthub-pkg.yml +++ b/nginx-ingress-cel/restrict-ingress-paths/artifacthub-pkg.yml 
@@ -1,23 +1,24 @@ -name: restrict-ingress-paths +name: restrict-ingress-paths-cel version: 1.0.0 -displayName: Restrict NGINX Ingress path values -createdAt: "2023-04-10T20:23:06.000Z" +displayName: Restrict NGINX Ingress path values in CEL expressions description: >- This policy mitigates CVE-2021-25745 by restricting `spec.rules[].http.paths[].path` to safe values. Additional paths can be added as required. This issue has been fixed in NGINX Ingress v1.2.0. Please refer to the CVE for details. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/nginx-ingress/restrict-ingress-paths/restrict-ingress-paths.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths.yaml ``` keywords: - kyverno - Security - NGINX Ingress + - CEL Expressions readme: | This policy mitigates CVE-2021-25745 by restricting `spec.rules[].http.paths[].path` to safe values. Additional paths can be added as required. This issue has been fixed in NGINX Ingress v1.2.0. Please refer to the CVE for details. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Security, NGINX Ingress" - kyverno/kubernetesVersion: "1.23" + kyverno/category: "Security, NGINX Ingress in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Ingress" -digest: ab86ab56e2f637eb204896effe8bde24dc297efa7dd7557bbb497f01b364518e +digest: 3f2da9a82f334fe75c271cd4d5181d65b91a6e3688d173385364c375f34fd617 +createdAt: "2024-05-22T07:13:08Z" diff --git a/nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths.yaml b/nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths.yaml index c4d9d5353..8973101a5 100644 --- a/nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths.yaml +++ b/nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths.yaml 
@@ -3,19 +3,19 @@ kind: ClusterPolicy metadata: name: restrict-ingress-paths annotations: - policies.kyverno.io/title: Restrict NGINX Ingress path values - policies.kyverno.io/category: Security, NGINX Ingress + policies.kyverno.io/title: Restrict NGINX Ingress path values in CEL expressions + policies.kyverno.io/category: Security, NGINX Ingress in CEL policies.kyverno.io/severity: high policies.kyverno.io/subject: Ingress - policies.kyverno.io/minversion: "1.6.0" - kyverno.io/kyverno-version: "1.6.0" - kyverno.io/kubernetes-version: "1.23" + policies.kyverno.io/minversion: "1.11.0" + kyverno.io/kyverno-version: "1.11.0" + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/description: >- This policy mitigates CVE-2021-25745 by restricting `spec.rules[].http.paths[].path` to safe values. Additional paths can be added as required. This issue has been fixed in NGINX Ingress v1.2.0. Please refer to the CVE for details. spec: - validationFailureAction: enforce + validationFailureAction: Enforce rules: - name: check-paths match: 
@@ -24,22 +24,14 @@ spec: kinds: - networking.k8s.io/v1/Ingress validate: - message: "spec.rules[].http.paths[].path value is not allowed" - deny: - conditions: - any: - - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/etc') }}" - operator: AnyIn - value: [true] - - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/var/run/secrets') }}" - operator: AnyIn - value: [true] - - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/root') }}" - operator: AnyIn - value: [true] - - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/var/run/kubernetes/serviceaccount') }}" - operator: AnyIn - value: [true] - - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/etc/kubernetes/admin.conf') }}" - operator: AnyIn - value: [true] + cel: + expressions: + - expression: >- + !has(object.spec.rules) || + object.spec.rules.all(rule, !has(rule.http) || !has(rule.http.paths) || + rule.http.paths.all(p, + !p.path.contains('/etc') && !p.path.contains('/var/run/secrets') && + !p.path.contains('/root') && !p.path.contains('/var/run/kubernetes/serviceaccount') && + !p.path.contains('/etc/kubernetes/admin.conf'))) + message: "spec.rules[].http.paths[].path value is not allowed" + From 5d7f1459e623b0dc45d2388870fbf0d5247508f4 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 07:17:21 +0000 Subject: [PATCH 20/43] copy check-routes 
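Review bot: Inside `rule.http.paths.all(p, ...)` the new expression dereferences `p.path` unconditionally, but `path` is an optional field of an HTTPIngressPath, so an entry that sets only `pathType` and `backend` makes the expression evaluate to an error instead of a verdict, which is a different (and noisier) outcome than the field-presence guards used for `rule.http` and `rule.http.paths`. Guard it the same way: `rule.http.paths.all(p, !has(p.path) || (!p.path.contains('/etc') && ... && !p.path.contains('/etc/kubernetes/admin.conf')))`. Separately, `!p.path.contains('/etc/kubernetes/admin.conf')` is implied by `!p.path.contains('/etc')`, as it already was on the removed JMESPath side, and `contains` is a substring test, so paths such as `/rooted` or `/etcetera` are also denied; that is the existing behaviour, but a short comment on the expression saying the match is deliberately substring-based would save the next reader from treating it as a bug.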
Signed-off-by: Chandan-DK --- .../.chainsaw-test/chainsaw-test.yaml | 23 ++++++ .../.chainsaw-test/policy-ready.yaml | 6 ++ .../.chainsaw-test/route-bad.yaml | 12 +++ .../.chainsaw-test/route-good.yaml | 66 ++++++++++++++++ .../.kyverno-test/kyverno-test.yaml | 23 ++++++ .../check-routes/.kyverno-test/resources.yaml | 78 +++++++++++++++++++ .../check-routes/artifacthub-pkg.yml | 22 ++++++ openshift-cel/check-routes/check-routes.yaml | 39 ++++++++++ 8 files changed, 269 insertions(+) create mode 100755 openshift-cel/check-routes/.chainsaw-test/chainsaw-test.yaml create mode 100644 openshift-cel/check-routes/.chainsaw-test/policy-ready.yaml create mode 100644 openshift-cel/check-routes/.chainsaw-test/route-bad.yaml create mode 100644 openshift-cel/check-routes/.chainsaw-test/route-good.yaml create mode 100644 openshift-cel/check-routes/.kyverno-test/kyverno-test.yaml create mode 100644 openshift-cel/check-routes/.kyverno-test/resources.yaml create mode 100644 openshift-cel/check-routes/artifacthub-pkg.yml create mode 100644 openshift-cel/check-routes/check-routes.yaml diff --git a/openshift-cel/check-routes/.chainsaw-test/chainsaw-test.yaml b/openshift-cel/check-routes/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..14b19b50c --- /dev/null +++ b/openshift-cel/check-routes/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,23 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: check-routes +spec: + steps: + - name: step-01 + try: + - apply: + file: ../check-routes.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: route-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: route-bad.yaml 
diff --git a/openshift-cel/check-routes/.chainsaw-test/policy-ready.yaml b/openshift-cel/check-routes/.chainsaw-test/policy-ready.yaml new file mode 100644 index 000000000..7620a92af --- /dev/null +++ b/openshift-cel/check-routes/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-routes +status: + ready: true \ No newline at end of file diff --git a/openshift-cel/check-routes/.chainsaw-test/route-bad.yaml b/openshift-cel/check-routes/.chainsaw-test/route-bad.yaml new file mode 100644 index 000000000..9411e209e --- /dev/null +++ b/openshift-cel/check-routes/.chainsaw-test/route-bad.yaml @@ -0,0 +1,12 @@ +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: hello-openshift-http +spec: + host: hello-openshift-hello-openshift.mydomain + port: + targetPort: 8080 + to: + kind: Service + name: hello-openshift +--- \ No newline at end of file diff --git a/openshift-cel/check-routes/.chainsaw-test/route-good.yaml b/openshift-cel/check-routes/.chainsaw-test/route-good.yaml new file mode 100644 index 000000000..c9ee97efe --- /dev/null +++ b/openshift-cel/check-routes/.chainsaw-test/route-good.yaml 
@@ -0,0 +1,66 @@ +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: frontend +spec: + host: www.example.com + to: + kind: Service + name: frontend + tls: + termination: reencrypt + key: |- + -----BEGIN PRIVATE KEY----- + [...] + -----END PRIVATE KEY----- + certificate: |- + -----BEGIN CERTIFICATE----- + [...] + -----END CERTIFICATE----- + caCertificate: |- + -----BEGIN CERTIFICATE----- + [...] + -----END CERTIFICATE----- + destinationCACertificate: |- + -----BEGIN CERTIFICATE----- + [...] + -----END CERTIFICATE----- +--- +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: frontend-edge +spec: + host: www.example.com + to: + kind: Service + name: frontend + tls: + termination: edge + key: |- + -----BEGIN PRIVATE KEY----- + [...] + -----END PRIVATE KEY----- + certificate: |- + -----BEGIN CERTIFICATE----- + [...] + -----END CERTIFICATE----- + caCertificate: |- + -----BEGIN CERTIFICATE----- + [...] + -----END CERTIFICATE----- +--- +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: route-passthrough-secured +spec: + host: www.example.com + port: + targetPort: 8080 + tls: + termination: passthrough + insecureEdgeTerminationPolicy: None + to: + kind: Service + name: frontend diff --git a/openshift-cel/check-routes/.kyverno-test/kyverno-test.yaml b/openshift-cel/check-routes/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..caf9d781b --- /dev/null +++ b/openshift-cel/check-routes/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,23 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: check-routes +policies: +- ../check-routes.yaml +resources: +- resources.yaml +results: +- kind: Route + policy: check-routes + resources: + - hello-openshift-http + result: fail + rule: require-tls-routes +- kind: Route + policy: check-routes + resources: + - frontend + - frontend-edge + - route-passthrough-secured + result: pass + rule: require-tls-routes 
diff --git a/openshift-cel/check-routes/.kyverno-test/resources.yaml b/openshift-cel/check-routes/.kyverno-test/resources.yaml new file mode 100644 index 000000000..dd21c42b5 --- /dev/null +++ b/openshift-cel/check-routes/.kyverno-test/resources.yaml @@ -0,0 +1,78 @@ +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: hello-openshift-http +spec: + host: hello-openshift-hello-openshift.mydomain + port: + targetPort: 8080 + to: + kind: Service + name: hello-openshift +--- +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: frontend +spec: + host: www.example.com + to: + kind: Service + name: frontend + tls: + termination: reencrypt + key: |- + -----BEGIN PRIVATE KEY----- + [...] + -----END PRIVATE KEY----- + certificate: |- + -----BEGIN CERTIFICATE----- + [...] + -----END CERTIFICATE----- + caCertificate: |- + -----BEGIN CERTIFICATE----- + [...] + -----END CERTIFICATE----- + destinationCACertificate: |- + -----BEGIN CERTIFICATE----- + [...] + -----END CERTIFICATE----- +--- +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: frontend-edge +spec: + host: www.example.com + to: + kind: Service + name: frontend + tls: + termination: edge + key: |- + -----BEGIN PRIVATE KEY----- + [...] + -----END PRIVATE KEY----- + certificate: |- + -----BEGIN CERTIFICATE----- + [...] + -----END CERTIFICATE----- + caCertificate: |- + -----BEGIN CERTIFICATE----- + [...] + -----END CERTIFICATE----- +--- +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: route-passthrough-secured +spec: + host: www.example.com + port: + targetPort: 8080 + tls: + termination: passthrough + insecureEdgeTerminationPolicy: None + to: + kind: Service + name: frontend diff --git a/openshift-cel/check-routes/artifacthub-pkg.yml b/openshift-cel/check-routes/artifacthub-pkg.yml new file mode 100644 index 000000000..4667c9650 --- /dev/null +++ b/openshift-cel/check-routes/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: check-routes +version: 1.0.0 +displayName: Require TLS routes in OpenShift +createdAt: "2023-04-10T20:26:05.000Z" +description: >- + HTTP traffic is not encrypted and hence insecure. This policy prevents configuration of OpenShift HTTP routes. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/openshift/check-routes/check-routes.yaml + ``` +keywords: + - kyverno + - OpenShift +readme: | + HTTP traffic is not encrypted and hence insecure. This policy prevents configuration of OpenShift HTTP routes. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "OpenShift" + kyverno/kubernetesVersion: "1.20" + kyverno/subject: "Route" +digest: a06ecd563e1cff566a0e9913e8f06275b802a190ed3d5d86f7cdf28b73ad4589 diff --git a/openshift-cel/check-routes/check-routes.yaml b/openshift-cel/check-routes/check-routes.yaml new file mode 100644 index 000000000..7b2291fd3 --- /dev/null +++ b/openshift-cel/check-routes/check-routes.yaml 
@@ -0,0 +1,39 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-routes + annotations: + policies.kyverno.io/title: Require TLS routes in OpenShift + policies.kyverno.io/category: OpenShift + policies.kyverno.io/severity: high + kyverno.io/kyverno-version: 1.6.0 + policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kubernetes-version: "1.20" + policies.kyverno.io/subject: Route + policies.kyverno.io/description: |- + HTTP traffic is not encrypted and hence insecure. This policy prevents configuration of OpenShift HTTP routes. +spec: + validationFailureAction: enforce + background: true + rules: + - name: require-tls-routes + match: + any: + - resources: + kinds: + - route.openshift.io/v1/Route + preconditions: + all: + - key: "{{ request.operation || 'BACKGROUND' }}" + operator: NotEquals + value: ["DELETE"] + validate: + message: >- + HTTP routes are not allowed. Configure TLS for secure routes. + deny: + conditions: + all: + - key: "{{ keys(request.object.spec) | contains(@, 'tls') }}" + operator: Equals + value: false + From bc9172fc60595459fe6a5689309a5fd09fb0f6ed Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 07:21:41 +0000 Subject: [PATCH 21/43] convert check-routes Signed-off-by: Chandan-DK --- .../check-routes/artifacthub-pkg.yml | 15 +++++----- openshift-cel/check-routes/check-routes.yaml | 30 +++++++------------ 2 files changed, 19 insertions(+), 26 deletions(-) diff --git a/openshift-cel/check-routes/artifacthub-pkg.yml b/openshift-cel/check-routes/artifacthub-pkg.yml index 4667c9650..999bafd55 100644 --- a/openshift-cel/check-routes/artifacthub-pkg.yml +++ b/openshift-cel/check-routes/artifacthub-pkg.yml 
@@ -1,22 +1,23 @@ -name: check-routes +name: check-routes-cel version: 1.0.0 -displayName: Require TLS routes in OpenShift -createdAt: "2023-04-10T20:26:05.000Z" +displayName: Require TLS routes in OpenShift in CEL expressions description: >- HTTP traffic is not encrypted and hence insecure. This policy prevents configuration of OpenShift HTTP routes. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/openshift/check-routes/check-routes.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/openshift-cel/check-routes/check-routes.yaml ``` keywords: - kyverno - OpenShift + - CEL Expressions readme: | HTTP traffic is not encrypted and hence insecure. This policy prevents configuration of OpenShift HTTP routes. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "OpenShift" - kyverno/kubernetesVersion: "1.20" + kyverno/category: "OpenShift in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Route" -digest: a06ecd563e1cff566a0e9913e8f06275b802a190ed3d5d86f7cdf28b73ad4589 +digest: 8751755ca5082672ff48dd147957593c467cf510169d93f9bc9e1264f359ba59 +createdAt: "2024-05-22T07:21:10Z" diff --git a/openshift-cel/check-routes/check-routes.yaml b/openshift-cel/check-routes/check-routes.yaml index 7b2291fd3..501cbde55 100644 --- a/openshift-cel/check-routes/check-routes.yaml +++ b/openshift-cel/check-routes/check-routes.yaml 
@@ -3,17 +3,17 @@ kind: ClusterPolicy metadata: name: check-routes annotations: - policies.kyverno.io/title: Require TLS routes in OpenShift - policies.kyverno.io/category: OpenShift + policies.kyverno.io/title: Require TLS routes in OpenShift in CEL expressions + policies.kyverno.io/category: OpenShift in CEL expressions policies.kyverno.io/severity: high - kyverno.io/kyverno-version: 1.6.0 - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.20" + kyverno.io/kyverno-version: 1.11.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/subject: Route policies.kyverno.io/description: |- HTTP traffic is not encrypted and hence insecure. This policy prevents configuration of OpenShift HTTP routes. spec: - validationFailureAction: enforce + validationFailureAction: Enforce background: true rules: - name: require-tls-routes @@ -22,18 +22,10 @@ spec: - resources: kinds: - route.openshift.io/v1/Route - preconditions: - all: - - key: "{{ request.operation || 'BACKGROUND' }}" - operator: NotEquals - value: ["DELETE"] validate: - message: >- - HTTP routes are not allowed. Configure TLS for secure routes. - deny: - conditions: - all: - - key: "{{ keys(request.object.spec) | contains(@, 'tls') }}" - operator: Equals - value: false + cel: + expressions: + - expression: "has(object.spec.tls)" + message: >- + HTTP routes are not allowed. Configure TLS for secure routes. From 07e3081e260887e65d04e65de53b73aca31358b3 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 07:23:06 +0000 Subject: [PATCH 22/43] copy disallow-deprecated-apis/ 
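Review bot: `has(object.spec.tls)` in the second hunk is also satisfied by an edge or reencrypt route that sets `tls.insecureEdgeTerminationPolicy: Allow`, which still serves plaintext HTTP on the same host, so the rule's stated goal (no HTTP routes) is not fully met; this mirrors the JMESPath original, which only tested for the `tls` key, so it is a pre-existing gap rather than a regression of the conversion. If the policy is meant to close it, the expression could be `has(object.spec.tls) && has(object.spec.tls.termination) && (!has(object.spec.tls.insecureEdgeTerminationPolicy) || object.spec.tls.insecureEdgeTerminationPolicy != 'Allow')`, with a matching fail case added to the test fixtures. The conversion also removes the `request.operation NotEquals DELETE` precondition without a replacement; if Kyverno evaluates this rule on DELETE, `object` is null and the expression cannot be evaluated, which under the `Enforce` action set in the first hunk would likely reject the deletion. Adding `operations:` / `- CREATE` / `- UPDATE` under `match.any[0].resources` makes the intended scope explicit regardless of the engine default.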
Signed-off-by: Chandan-DK --- .../.kyverno-test/kyverno-test.yaml | 33 +++++++ .../.kyverno-test/resources.yaml | 89 +++++++++++++++++++ .../artifacthub-pkg.yml | 22 +++++ .../disallow-deprecated-apis.yaml | 35 ++++++++ 4 files changed, 179 insertions(+) create mode 100644 openshift-cel/disallow-deprecated-apis/.kyverno-test/kyverno-test.yaml create mode 100644 openshift-cel/disallow-deprecated-apis/.kyverno-test/resources.yaml create mode 100644 openshift-cel/disallow-deprecated-apis/artifacthub-pkg.yml create mode 100644 openshift-cel/disallow-deprecated-apis/disallow-deprecated-apis.yaml diff --git a/openshift-cel/disallow-deprecated-apis/.kyverno-test/kyverno-test.yaml b/openshift-cel/disallow-deprecated-apis/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..8d17d1927 --- /dev/null +++ b/openshift-cel/disallow-deprecated-apis/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,33 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: check-routes +policies: +- ../disallow-deprecated-apis.yaml +resources: +- resources.yaml +results: +- kind: ClusterRole + policy: disallow-deprecated-apis + resources: + - openshift-cluster-role-deprecated + result: fail + rule: check-deprecated-apis +- kind: ClusterRoleBinding + policy: disallow-deprecated-apis + resources: + - openshift-cluster-role-binding-deprecated + result: fail + rule: check-deprecated-apis +- kind: Role + policy: disallow-deprecated-apis + resources: + - openshift-role-deprecated + result: fail + rule: check-deprecated-apis +- kind: RoleBinding + policy: disallow-deprecated-apis + resources: + - openshift-role-binding-deprecated + result: fail + rule: check-deprecated-apis diff --git a/openshift-cel/disallow-deprecated-apis/.kyverno-test/resources.yaml b/openshift-cel/disallow-deprecated-apis/.kyverno-test/resources.yaml new file mode 100644 index 000000000..5f37e352a --- /dev/null +++ b/openshift-cel/disallow-deprecated-apis/.kyverno-test/resources.yaml 
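Review bot: The test's `metadata.name` is `check-routes`, carried over from the previous policy, while the policy under test is `disallow-deprecated-apis`; it should read `name: disallow-deprecated-apis` so CLI output and reports are attributable to the right policy. The results list covers only the four deprecated `authorization.openshift.io/v1` fixtures, so the `rbac.authorization.k8s.io/v1` resources in resources.yaml are never asserted on; adding entries with `result: skip` for them (e.g. `openshift-cluster-role-valid`) would pin down that the match block does not reach onto the supported API group.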
@@ -0,0 +1,89 @@ +apiVersion: authorization.openshift.io/v1 +kind: ClusterRole +metadata: + name: openshift-cluster-role-deprecated +spec: +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "watch", "list"] +--- +apiVersion: authorization.openshift.io/v1 +kind: ClusterRoleBinding +metadata: + name: openshift-cluster-role-binding-deprecated +subjects: +- kind: User + name: jane # "name" is case sensitive + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: openshift-cluster-role-deprecated + apiGroup: authorization.openshift.io/v1 +--- +apiVersion: authorization.openshift.io/v1 +kind: Role +metadata: + name: openshift-role-deprecated +spec: +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "watch", "list"] +--- +apiVersion: authorization.openshift.io/v1 +kind: RoleBinding +metadata: + name: openshift-role-binding-deprecated + namespace: default +subjects: +- kind: User + name: jane # "name" is case sensitive + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: openshift-role-deprecated + apiGroup: authorization.openshift.io/v1 +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: openshift-cluster-role-valid +spec: +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: openshift-cluster-role-binding +subjects: +- kind: User + name: jane # "name" is case sensitive + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: openshift-cluster-role + apiGroup: rbac.authorization.k8s.io/v1 +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: openshift-role +spec: +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: openshift-role-binding + namespace: default +subjects: +- kind: User + name: jane # "name" is case sensitive + apiGroup: 
rbac.authorization.k8s.io +roleRef: + kind: Role + name: openshift-role + apiGroup: rbac.authorization.k8s.io/v1 diff --git a/openshift-cel/disallow-deprecated-apis/artifacthub-pkg.yml b/openshift-cel/disallow-deprecated-apis/artifacthub-pkg.yml new file mode 100644 index 000000000..361b1c27a --- /dev/null +++ b/openshift-cel/disallow-deprecated-apis/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +name: disallow-deprecated-apis +version: 1.0.0 +displayName: Disallow deprecated APIs +createdAt: "2023-04-10T20:26:05.000Z" +description: >- + OpenShift APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/openshift/disallow-deprecated-apis/disallow-deprecated-apis.yaml + ``` +keywords: + - kyverno + - OpenShift +readme: | + OpenShift APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "OpenShift" + kyverno/kubernetesVersion: "1.20" + kyverno/subject: "ClusterRole,ClusterRoleBinding,Role,RoleBinding,RBAC" +digest: 4632053b784cb8ea4e0959679a3418c429e6a97875c8acea31c62bda9e8c9f8e diff --git a/openshift-cel/disallow-deprecated-apis/disallow-deprecated-apis.yaml b/openshift-cel/disallow-deprecated-apis/disallow-deprecated-apis.yaml new file mode 100644 index 000000000..8ad9a7876 
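Review bot: The Role and ClusterRole fixtures place their rules under `spec:` rather than `rules:`, every `roleRef.apiGroup` carries a version suffix (`rbac.authorization.k8s.io/v1`, `authorization.openshift.io/v1`) where the field takes a bare group, and `openshift-cluster-role-binding` references a role (`openshift-cluster-role`) that is not defined in the file. None of this changes the CLI outcome, because the policy denies on kind and API group alone, but it means the fixtures are not valid objects and could not be reused in a cluster-backed chainsaw test. Replacing `spec:` with `rules:` and `apiGroup: rbac.authorization.k8s.io/v1` with `apiGroup: rbac.authorization.k8s.io` (likewise for the OpenShift group) would make them realistic.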
--- /dev/null +++ b/openshift-cel/disallow-deprecated-apis/disallow-deprecated-apis.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-deprecated-apis + annotations: + policies.kyverno.io/title: Disallow deprecated APIs + policies.kyverno.io/category: OpenShift + policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.6.0 + policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kubernetes-version: "1.20" + policies.kyverno.io/subject: ClusterRole,ClusterRoleBinding,Role,RoleBinding,RBAC + policies.kyverno.io/description: >- + OpenShift APIs are sometimes deprecated and removed after a few releases. + As a best practice, older API versions should be replaced with newer versions. + This policy validates for APIs that are deprecated or scheduled for removal. + Note that checking for some of these resources may require modifying the Kyverno + ConfigMap to remove filters. +spec: + validationFailureAction: enforce + background: true + rules: + - name: check-deprecated-apis + match: + any: + - resources: + kinds: + - authorization.openshift.io/v1/ClusterRole + - authorization.openshift.io/v1/ClusterRoleBinding + - authorization.openshift.io/v1/Role + - authorization.openshift.io/v1/RoleBinding + validate: + message: >- + {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated. + deny: {} From 6d334db539a62c1a7be5c17d349fc6937598bbb7 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 07:37:20 +0000 Subject: [PATCH 23/43] convert disallow-deprecated-apis Signed-off-by: Chandan-DK --- .../artifacthub-pkg.yml | 15 ++++++------- .../disallow-deprecated-apis.yaml | 21 +++++++++++-------- 2 files changed, 20 insertions(+), 16 deletions(-) diff --git a/openshift-cel/disallow-deprecated-apis/artifacthub-pkg.yml b/openshift-cel/disallow-deprecated-apis/artifacthub-pkg.yml index 361b1c27a..94781fcdf 100644 --- a/openshift-cel/disallow-deprecated-apis/artifacthub-pkg.yml 
+++ b/openshift-cel/disallow-deprecated-apis/artifacthub-pkg.yml @@ -1,22 +1,23 @@ -name: disallow-deprecated-apis +name: disallow-deprecated-apis-cel version: 1.0.0 -displayName: Disallow deprecated APIs -createdAt: "2023-04-10T20:26:05.000Z" +displayName: Disallow deprecated APIs in CEL expressions description: >- OpenShift APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/openshift/disallow-deprecated-apis/disallow-deprecated-apis.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/openshift-cel/disallow-deprecated-apis/disallow-deprecated-apis.yaml ``` keywords: - kyverno - OpenShift + - CEL Expressions readme: | OpenShift APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "OpenShift" - kyverno/kubernetesVersion: "1.20" + kyverno/category: "OpenShift in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "ClusterRole,ClusterRoleBinding,Role,RoleBinding,RBAC" -digest: 4632053b784cb8ea4e0959679a3418c429e6a97875c8acea31c62bda9e8c9f8e +digest: ee8485a8dc4c9c55047564ae1c8c8d608c9e8008de3aee7638c89f906ce07e29 +createdAt: "2024-05-22T07:36:55Z" 
diff --git a/openshift-cel/disallow-deprecated-apis/disallow-deprecated-apis.yaml b/openshift-cel/disallow-deprecated-apis/disallow-deprecated-apis.yaml index 8ad9a7876..d7052be24 100644 --- a/openshift-cel/disallow-deprecated-apis/disallow-deprecated-apis.yaml +++ b/openshift-cel/disallow-deprecated-apis/disallow-deprecated-apis.yaml @@ -3,12 +3,12 @@ kind: ClusterPolicy metadata: name: disallow-deprecated-apis annotations: - policies.kyverno.io/title: Disallow deprecated APIs - policies.kyverno.io/category: OpenShift + policies.kyverno.io/title: Disallow deprecated APIs in CEL expressions + policies.kyverno.io/category: OpenShift in CEL policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.6.0 - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.20" + kyverno.io/kyverno-version: 1.11.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/subject: ClusterRole,ClusterRoleBinding,Role,RoleBinding,RBAC policies.kyverno.io/description: >- OpenShift APIs are sometimes deprecated and removed after a few releases. @@ -17,7 +17,7 @@ metadata: Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. spec: - validationFailureAction: enforce + validationFailureAction: Enforce background: true rules: - name: check-deprecated-apis @@ -30,6 +30,9 @@ spec: - authorization.openshift.io/v1/Role - authorization.openshift.io/v1/RoleBinding validate: - message: >- - {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated. - deny: {} + cel: + expressions: + - expression: "false" + messageExpression: >- + object.apiVersion + '/' + object.kind + ' is deprecated.' + From 9616cffd6c3c6bc2ac51f71a81b9276542648158 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 07:39:00 +0000 Subject: [PATCH 24/43] copy disallow-default-tlsoptions 
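Review bot: `expression: "false"` in the third hunk denies every matched request unconditionally, and because the match block has no `operations` filter this would include DELETE if Kyverno evaluates the rule there, which would stop teams from removing the very deprecated objects the policy exists to phase out; on DELETE `object` is also null, so the `messageExpression` (`object.apiVersion + '/' + object.kind + ...`) cannot be evaluated. The JMESPath original (`deny: {}` with no precondition) had the same exposure, so this is pre-existing, but the conversion is the natural place to scope it by adding `operations:` / `- CREATE` / `- UPDATE` under `match.any[0].resources`.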
Signed-off-by: Chandan-DK --- .../chainsaw-step-00-assert-1.yaml | 12 +++ .../chainsaw-step-01-assert-1.yaml | 6 ++ .../chainsaw-step-03-apply-1.yaml | 11 +++ .../chainsaw-step-03-apply-2.yaml | 12 +++ .../.chainsaw-test/chainsaw-test.yaml | 87 +++++++++++++++++++ .../.chainsaw-test/tlsoption.yaml | 21 +++++ .../.kyverno-test/kyverno-test.yaml | 15 ++++ .../.kyverno-test/resource.yaml | 22 +++++ .../artifacthub-pkg.yml | 22 +++++ .../disallow-default-tlsoptions.yaml | 34 ++++++++ 10 files changed, 242 insertions(+) create mode 100755 traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-00-assert-1.yaml create mode 100755 traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-03-apply-1.yaml create mode 100755 traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-03-apply-2.yaml create mode 100755 traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-test.yaml create mode 100644 traefik-cel/disallow-default-tlsoptions/.chainsaw-test/tlsoption.yaml create mode 100644 traefik-cel/disallow-default-tlsoptions/.kyverno-test/kyverno-test.yaml create mode 100644 traefik-cel/disallow-default-tlsoptions/.kyverno-test/resource.yaml create mode 100644 traefik-cel/disallow-default-tlsoptions/artifacthub-pkg.yml create mode 100644 traefik-cel/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml diff --git a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-00-assert-1.yaml b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-00-assert-1.yaml new file mode 100755 index 000000000..086d560e0 --- /dev/null +++ b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-00-assert-1.yaml 
@@ -0,0 +1,12 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tlsoptions.traefik.containo.us +spec: {} +status: + acceptedNames: + kind: TLSOption + plural: tlsoptions + singular: tlsoption + storedVersions: + - v1alpha1 diff --git a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..f3e37c449 --- /dev/null +++ b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-default-tlsoptions +status: + ready: true diff --git a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-03-apply-1.yaml b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-03-apply-1.yaml new file mode 100755 index 000000000..28edd3a9a --- /dev/null +++ b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-03-apply-1.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: tlsoptions-creator +rules: +- apiGroups: + - traefik.containo.us + resources: + - tlsoptions + verbs: + - create diff --git a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-03-apply-2.yaml b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-03-apply-2.yaml new file mode 100755 index 000000000..ffcdb7691 --- /dev/null +++ b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-03-apply-2.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: tlsoptions-creator:tlsoptionsuser +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: tlsoptions-creator +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: User + name: tlsoptionsuser 
diff --git a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-test.yaml b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..647f5fd21 --- /dev/null +++ b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-test.yaml 
@@ -0,0 +1,87 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disallow-default-tlsoptions +spec: + steps: + - name: step-00 + try: + - assert: + file: chainsaw-step-00-assert-1.yaml + - name: step-01 + try: + - apply: + file: ../disallow-default-tlsoptions.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: disallow-default-tlsoptions + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - script: + content: | + #!/bin/bash + set -eu + export USERNAME=tlsoptionsuser + export CA=ca.crt + #### Get CA certificate from kubeconfig assuming it's the first in the list. + kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 --decode > ./ca.crt + #### Set CLUSTER_SERVER from kubeconfig assuming it's the first in the list. + CLUSTER_SERVER="$(kubectl config view --raw -o jsonpath='{.clusters[0].cluster.server}')" + #### Set CLUSTER from kubeconfig assuming it's the first in the list. 
+ CLUSTER="$(kubectl config view --raw -o jsonpath='{.clusters[0].name}')" + #### Generate private key + openssl genrsa -out $USERNAME.key 2048 + #### Create CSR + openssl req -new -key $USERNAME.key -out $USERNAME.csr -subj "/O=testorg/CN=$USERNAME" + #### Send CSR to kube-apiserver for approval + cat < $USERNAME.crt + #### + #### Create the credential object and output the new kubeconfig file + kubectl config set-credentials $USERNAME --client-certificate=$USERNAME.crt --client-key=$USERNAME.key --embed-certs + #### Set the context + kubectl config set-context $USERNAME-context --user=$USERNAME --cluster=$CLUSTER + # Delete CSR + kubectl delete csr $USERNAME + - name: step-03 + try: + - apply: + file: chainsaw-step-03-apply-1.yaml + - apply: + file: chainsaw-step-03-apply-2.yaml + - name: step-04 + try: + - script: + content: if kubectl create --context=tlsoptionsuser-context -f tlsoption.yaml; + then exit 1; else exit 0; fi + - script: + content: kubectl create -f tlsoption.yaml + - name: step-99 + try: + - script: + content: | + kubectl delete -f tlsoption.yaml + kubectl config unset users.tlsoptionsuser + kubectl config unset contexts.tlsoptionsuser-context diff --git a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/tlsoption.yaml b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/tlsoption.yaml new file mode 100644 index 000000000..c38aa643f --- /dev/null +++ b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/tlsoption.yaml @@ -0,0 +1,21 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: TLSOption +metadata: + name: default +spec: + minVersion: VersionTLS12 + maxVersion: VersionTLS13 + curvePreferences: + - CurveP521 + - CurveP384 + cipherSuites: + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_RSA_WITH_AES_256_GCM_SHA384 + clientAuth: + secretNames: + - secret-ca1 + - secret-ca2 + clientAuthType: VerifyClientCertIfGiven + sniStrict: true + alpnProtocols: + - foobar \ No newline at end of file 
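Review bot: The step-02 script writes `tlsoptionsuser.key`, `tlsoptionsuser.csr`, `tlsoptionsuser.crt` and `ca.crt` into the working directory and embeds the signed credential into the live kubeconfig, but step-99 only deletes the CSR object, the user and the context; it should also run `rm -f tlsoptionsuser.key tlsoptionsuser.csr tlsoptionsuser.crt ca.crt` so a signed client key does not outlive the test. Step-99 is an ordinary `try:` step, so if step-04 fails the kubeconfig edits and key files are left behind; chainsaw's `finally:`/`cleanup:` blocks (if supported by the pinned version) run regardless of outcome and are the better home for these commands. The CSR submission line (`cat < $USERNAME.crt`) appears garbled in this rendering, so the approval and certificate-retrieval commands cannot be reviewed here. Finally, `set -eu` without `-o pipefail` means a failing `kubectl config view` in the CA-extraction pipeline is masked by `base64`, silently producing an empty `ca.crt`.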
diff --git a/traefik-cel/disallow-default-tlsoptions/.kyverno-test/kyverno-test.yaml b/traefik-cel/disallow-default-tlsoptions/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..445c7aaa5 --- /dev/null +++ b/traefik-cel/disallow-default-tlsoptions/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,15 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-default-tlsoptions +policies: +- ../disallow-default-tlsoptions.yaml +resources: +- resource.yaml +results: +- kind: TLSOption + policy: disallow-default-tlsoptions + resources: + - default + result: fail + rule: disallow-default-tlsoptions diff --git a/traefik-cel/disallow-default-tlsoptions/.kyverno-test/resource.yaml b/traefik-cel/disallow-default-tlsoptions/.kyverno-test/resource.yaml new file mode 100644 index 000000000..b7de0f06a --- /dev/null +++ b/traefik-cel/disallow-default-tlsoptions/.kyverno-test/resource.yaml @@ -0,0 +1,22 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: TLSOption +metadata: + name: default + namespace: default +spec: + minVersion: VersionTLS12 + maxVersion: VersionTLS13 + curvePreferences: + - CurveP521 + - CurveP384 + cipherSuites: + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_RSA_WITH_AES_256_GCM_SHA384 + clientAuth: + secretNames: + - secret-ca1 + - secret-ca2 + clientAuthType: VerifyClientCertIfGiven + sniStrict: true + alpnProtocols: + - foobar \ No newline at end of file diff --git a/traefik-cel/disallow-default-tlsoptions/artifacthub-pkg.yml b/traefik-cel/disallow-default-tlsoptions/artifacthub-pkg.yml new file mode 100644 index 000000000..b517b015d --- /dev/null +++ b/traefik-cel/disallow-default-tlsoptions/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: disallow-default-tlsoptions +version: 1.0.0 +displayName: Disallow Default TLSOptions +createdAt: "2023-04-10T23:25:55.000Z" +description: >- + The TLSOption CustomResource sets cluster-wide TLS configuration options for Traefik when none are specified in a TLS router. Since this can take effect for all Ingress resources, creating the `default` TLSOption is a restricted operation. This policy ensures that only a cluster-admin can create the `default` TLSOption resource. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/traefik/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml + ``` +keywords: + - kyverno + - Traefik +readme: | + The TLSOption CustomResource sets cluster-wide TLS configuration options for Traefik when none are specified in a TLS router. Since this can take effect for all Ingress resources, creating the `default` TLSOption is a restricted operation. This policy ensures that only a cluster-admin can create the `default` TLSOption resource. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Traefik" + kyverno/kubernetesVersion: "1.21" + kyverno/subject: "TLSOption" +digest: 59fb6372a65f74a9857938fa4bd798b7a09f4ccc0514449c17ef61c735d24121 diff --git a/traefik-cel/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml b/traefik-cel/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml new file mode 100644 index 000000000..b3bccd254 --- /dev/null +++ b/traefik-cel/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml 
@@ -0,0 +1,34 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-default-tlsoptions + annotations: + policies.kyverno.io/title: Disallow Default TLSOptions + policies.kyverno.io/category: Traefik + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: TLSOption + kyverno.io/kyverno-version: 1.6.0 + kyverno.io/kubernetes-version: "1.21" + policies.kyverno.io/description: >- + The TLSOption CustomResource sets cluster-wide TLS configuration options for Traefik when + none are specified in a TLS router. Since this can take effect for all Ingress resources, + creating the `default` TLSOption is a restricted operation. This policy ensures that + only a cluster-admin can create the `default` TLSOption resource. +spec: + validationFailureAction: audit + background: false + rules: + - name: disallow-default-tlsoptions + match: + any: + - resources: + names: + - default + kinds: + - TLSOption + exclude: + clusterRoles: + - cluster-admin + validate: + message: "Only cluster administrators are allowed to set default TLSOptions." + deny: {} From 63d317e9a2d41b6f94bcd04374e58bf836bd9128 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 07:44:09 +0000 Subject: [PATCH 25/43] convert disallow-default-tlsoptions Signed-off-by: Chandan-DK --- .../artifacthub-pkg.yml | 15 ++++++++------- .../disallow-default-tlsoptions.yaml | 17 ++++++++++------- 2 files changed, 18 insertions(+), 14 deletions(-) diff --git a/traefik-cel/disallow-default-tlsoptions/artifacthub-pkg.yml b/traefik-cel/disallow-default-tlsoptions/artifacthub-pkg.yml index b517b015d..bc588570b 100644 --- a/traefik-cel/disallow-default-tlsoptions/artifacthub-pkg.yml +++ b/traefik-cel/disallow-default-tlsoptions/artifacthub-pkg.yml 
@@ -1,22 +1,23 @@ -name: disallow-default-tlsoptions +name: disallow-default-tlsoptions-cel version: 1.0.0 -displayName: Disallow Default TLSOptions -createdAt: "2023-04-10T23:25:55.000Z" +displayName: Disallow Default TLSOptions in CEL expressions description: >- The TLSOption CustomResource sets cluster-wide TLS configuration options for Traefik when none are specified in a TLS router. Since this can take effect for all Ingress resources, creating the `default` TLSOption is a restricted operation. This policy ensures that only a cluster-admin can create the `default` TLSOption resource. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/traefik/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/traefik-cel/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml ``` keywords: - kyverno - Traefik + - CEL Expressions readme: | The TLSOption CustomResource sets cluster-wide TLS configuration options for Traefik when none are specified in a TLS router. Since this can take effect for all Ingress resources, creating the `default` TLSOption is a restricted operation. This policy ensures that only a cluster-admin can create the `default` TLSOption resource. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Traefik" - kyverno/kubernetesVersion: "1.21" + kyverno/category: "Traefik in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "TLSOption" -digest: 59fb6372a65f74a9857938fa4bd798b7a09f4ccc0514449c17ef61c735d24121 +digest: ddb6b4d4f7a09720499c6ad306b4ee73999003d0fde7d2feb35cb6b19d0c73df +createdAt: "2024-05-22T07:43:46Z" diff --git a/traefik-cel/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml b/traefik-cel/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml index b3bccd254..d09b5ad55 100644 
--- a/traefik-cel/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml +++ b/traefik-cel/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml @@ -3,19 +3,19 @@ kind: ClusterPolicy metadata: name: disallow-default-tlsoptions annotations: - policies.kyverno.io/title: Disallow Default TLSOptions - policies.kyverno.io/category: Traefik + policies.kyverno.io/title: Disallow Default TLSOptions in CEL expressions + policies.kyverno.io/category: Traefik in CEL policies.kyverno.io/severity: medium policies.kyverno.io/subject: TLSOption - kyverno.io/kyverno-version: 1.6.0 - kyverno.io/kubernetes-version: "1.21" + kyverno.io/kyverno-version: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/description: >- The TLSOption CustomResource sets cluster-wide TLS configuration options for Traefik when none are specified in a TLS router. Since this can take effect for all Ingress resources, creating the `default` TLSOption is a restricted operation. This policy ensures that only a cluster-admin can create the `default` TLSOption resource. spec: - validationFailureAction: audit + validationFailureAction: Audit background: false rules: - name: disallow-default-tlsoptions @@ -30,5 +30,8 @@ spec: clusterRoles: - cluster-admin validate: - message: "Only cluster administrators are allowed to set default TLSOptions." - deny: {} + cel: + expressions: + - expression: "false" + message: "Only cluster administrators are allowed to set default TLSOptions." + From 4dd272db5153c2748edb75399a26cacf622f75ec Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 08:25:44 +0000 Subject: [PATCH 26/43] copy add-psa-namespace-reporting 
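Review bot: With `expression: "false"` the rule is an unconditional deny, so everything that decides who may create the `default` TLSOption now lives in the match/exclude block above the hunk (`exclude.clusterRoles: [cluster-admin]`, visible here only as context) and nothing in the rule says so. A comment on the expression such as `# Always false: the allow path for cluster-admin comes from exclude.clusterRoles above` would keep the next editor from treating the expression as the place to add conditions. Because the exclusion is keyed on the requester's ClusterRoles it is only meaningful at admission time, which is consistent with `background: false` in the first hunk; if the tests for this policy do not exercise a cluster-admin creating the resource, that is the case most worth adding. The second hunk also appends an empty `+` line at end of file, which the deny-privileged-profile conversion later in this series does not.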
Signed-off-by: Chandan-DK --- .../.chainsaw-test/chainsaw-test.yaml | 31 +++++++++++++++ .../namespace-with-psa-labels.yaml | 6 +++ .../namespace-without-psa-labels.yaml | 4 ++ .../.chainsaw-test/policy-ready.yaml | 9 +++++ .../.kyverno-test/kyverno-test.yaml | 22 +++++++++++ .../namespace-with-psa-labels.yaml | 6 +++ .../namespace-without-psa-labels.yaml | 4 ++ .../add-psa-namespace-reporting.yaml | 39 +++++++++++++++++++ .../artifacthub-pkg.yml | 23 +++++++++++ 9 files changed, 144 insertions(+) create mode 100644 psa-cel/add-psa-namespace-reporting/.chainsaw-test/chainsaw-test.yaml create mode 100644 psa-cel/add-psa-namespace-reporting/.chainsaw-test/namespace-with-psa-labels.yaml create mode 100644 psa-cel/add-psa-namespace-reporting/.chainsaw-test/namespace-without-psa-labels.yaml create mode 100644 psa-cel/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml create mode 100644 psa-cel/add-psa-namespace-reporting/.kyverno-test/kyverno-test.yaml create mode 100644 psa-cel/add-psa-namespace-reporting/.kyverno-test/namespace-with-psa-labels.yaml create mode 100644 psa-cel/add-psa-namespace-reporting/.kyverno-test/namespace-without-psa-labels.yaml create mode 100644 psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml create mode 100644 psa-cel/add-psa-namespace-reporting/artifacthub-pkg.yml diff --git a/psa-cel/add-psa-namespace-reporting/.chainsaw-test/chainsaw-test.yaml b/psa-cel/add-psa-namespace-reporting/.chainsaw-test/chainsaw-test.yaml new file mode 100644 index 000000000..ed3b2044c --- /dev/null +++ b/psa-cel/add-psa-namespace-reporting/.chainsaw-test/chainsaw-test.yaml 
@@ -0,0 +1,31 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: add-psa-namespace-reporting +spec: + steps: + - name: apply-policy + try: + - apply: + file: ../add-psa-namespace-reporting.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: add-psa-namespace-reporting + spec: + validationFailureAction: Enforce + - assert: + file: policy-ready.yaml + - name: apply-policy-test + try: + - apply: + file: namespace-with-psa-labels.yaml + - apply: + expect: + - check: + ($error != null): true + file: namespace-without-psa-labels.yaml diff --git a/psa-cel/add-psa-namespace-reporting/.chainsaw-test/namespace-with-psa-labels.yaml b/psa-cel/add-psa-namespace-reporting/.chainsaw-test/namespace-with-psa-labels.yaml new file mode 100644 index 000000000..e94a09e9a --- /dev/null +++ b/psa-cel/add-psa-namespace-reporting/.chainsaw-test/namespace-with-psa-labels.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test + labels: + pod-security.kubernetes.io/enforce: "privileged" \ No newline at end of file diff --git a/psa-cel/add-psa-namespace-reporting/.chainsaw-test/namespace-without-psa-labels.yaml b/psa-cel/add-psa-namespace-reporting/.chainsaw-test/namespace-without-psa-labels.yaml new file mode 100644 index 000000000..7956df12c --- /dev/null +++ b/psa-cel/add-psa-namespace-reporting/.chainsaw-test/namespace-without-psa-labels.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-fail \ No newline at end of file diff --git a/psa-cel/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml b/psa-cel/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml new file mode 100644 index 000000000..cfb6ab67a --- /dev/null +++ b/psa-cel/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml 
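Review bot: The fixture Namespaces are named `test` and `test-fail`, which are generic enough to collide with a pre-existing Namespace on a shared test cluster, turning the first `apply` into an update of someone else's object. The other fixtures in this series prefix names with the policy under test (`deny-privileged-bad-ns01`), so `add-psa-ns-with-labels` / `add-psa-ns-without-labels` would follow that convention; the same names appear in the kyverno-test.yaml and resource files added by this commit and would need the same rename. The test also relies on Chainsaw's implicit cleanup of applied resources rather than an explicit `finally`, which is fine if intended but worth a one-line comment on the step.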
@@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-psa-namespace-reporting +status: + ready: true + + + diff --git a/psa-cel/add-psa-namespace-reporting/.kyverno-test/kyverno-test.yaml b/psa-cel/add-psa-namespace-reporting/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..513ac0fe8 --- /dev/null +++ b/psa-cel/add-psa-namespace-reporting/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,22 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: add-psa-namespace-reporting-tests +policies: +- ../add-psa-namespace-reporting.yaml +resources: +- namespace-with-psa-labels.yaml +- namespace-without-psa-labels.yaml +results: + - kind: Namespace + policy: add-psa-namespace-reporting + resources: + - test + rule: check-namespace-labels + result: pass + - kind: Namespace + policy: add-psa-namespace-reporting + resources: + - test-fail + rule: check-namespace-labels + result: fail \ No newline at end of file diff --git a/psa-cel/add-psa-namespace-reporting/.kyverno-test/namespace-with-psa-labels.yaml b/psa-cel/add-psa-namespace-reporting/.kyverno-test/namespace-with-psa-labels.yaml new file mode 100644 index 000000000..e94a09e9a --- /dev/null +++ b/psa-cel/add-psa-namespace-reporting/.kyverno-test/namespace-with-psa-labels.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test + labels: + pod-security.kubernetes.io/enforce: "privileged" \ No newline at end of file diff --git a/psa-cel/add-psa-namespace-reporting/.kyverno-test/namespace-without-psa-labels.yaml b/psa-cel/add-psa-namespace-reporting/.kyverno-test/namespace-without-psa-labels.yaml new file mode 100644 index 000000000..7956df12c --- /dev/null +++ b/psa-cel/add-psa-namespace-reporting/.kyverno-test/namespace-without-psa-labels.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-fail \ No newline at end of file 
diff --git a/psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml b/psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml new file mode 100644 index 000000000..15b830f10 --- /dev/null +++ b/psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml @@ -0,0 +1,39 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-psa-namespace-reporting + annotations: + policies.kyverno.io/title: Add PSA Namespace Reporting + policies.kyverno.io/category: Pod Security Admission, EKS Best Practices + policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.7.1 + policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kubernetes-version: "1.24" + policies.kyverno.io/subject: Namespace + policies.kyverno.io/description: >- + This policy is valuable as it ensures that all namespaces within a Kubernetes + cluster are labeled with Pod Security Admission (PSA) labels, which are crucial + for defining security levels and ensuring that pods within a namespace operate + under the defined Pod Security Standard (PSS). By enforcing namespace labeling, + This policy audits namespaces to verify the presence of PSA labels. + If a namespace is found without the required labels, it generates and maintain + and ClusterPolicy Report in default namespace. + This helps administrators identify namespaces that do not comply with the + organization's security practices and take appropriate action to rectify the + situation. +spec: + validationFailureAction: audit + background: true + rules: + - name: check-namespace-labels + match: + any: + - resources: + kinds: + - Namespace + validate: + message: This Namespace is missing a PSA label. + pattern: + metadata: + labels: + pod-security.kubernetes.io/*: "?*" \ No newline at end of file diff --git a/psa-cel/add-psa-namespace-reporting/artifacthub-pkg.yml b/psa-cel/add-psa-namespace-reporting/artifacthub-pkg.yml new file mode 100644 index 000000000..00f936a11 --- /dev/null 
+++ b/psa-cel/add-psa-namespace-reporting/artifacthub-pkg.yml 
@@ -0,0 +1,23 @@ +name: add-psa-namespace-reporting +version: 1.0.0 +displayName: Add PSA Namespace Reporting +createdAt: "2024-01-04T16:10:04.000Z" +description: >- + This policy is valuable as it ensures that all namespaces within a Kubernetes cluster are labeled with Pod Security Admission (PSA) labels, which are crucial for defining security levels and ensuring that pods within a namespace operate under the defined Pod Security Standard (PSS). By enforcing namespace labeling, This policy audits namespaces to verify the presence of PSA labels. If a namespace is found without the required labels, it generates and maintain and ClusterPolicy Report in default namespace. This helps administrators identify namespaces that do not comply with the organization's security practices and take appropriate action to rectify the situation. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/psa/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml + ``` +keywords: + - kyverno + - Pod Security Admission + - EKS Best Practices +readme: | + This policy is valuable as it ensures that all namespaces within a Kubernetes cluster are labeled with Pod Security Admission (PSA) labels, which are crucial for defining security levels and ensuring that pods within a namespace operate under the defined Pod Security Standard (PSS). By enforcing namespace labeling, This policy audits namespaces to verify the presence of PSA labels. If a namespace is found without the required labels, it generates and maintain and ClusterPolicy Report in default namespace. This helps administrators identify namespaces that do not comply with the organization's security practices and take appropriate action to rectify the situation. 
+ + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Pod Security Admission, EKS Best Practices" + kyverno/kubernetesVersion: "1.24" + kyverno/subject: "Namespace" +digest: 9f900e576158a5cff2e07404794add182859bfc6d881682af3490381abe6b434 From f83665c6d1c59dc7dcd52fae9c76841e2abad6e7 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 08:30:57 +0000 Subject: [PATCH 27/43] convert add-psa-namespace-reporting Signed-off-by: Chandan-DK --- .../add-psa-namespace-reporting.yaml | 22 +++++++++---------- .../artifacthub-pkg.yml | 15 +++++++------ 2 files changed, 19 insertions(+), 18 deletions(-) diff --git a/psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml b/psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml index 15b830f10..a40250716 100644 --- a/psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml +++ b/psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml @@ -3,12 +3,12 @@ kind: ClusterPolicy metadata: name: add-psa-namespace-reporting annotations: - policies.kyverno.io/title: Add PSA Namespace Reporting - policies.kyverno.io/category: Pod Security Admission, EKS Best Practices + policies.kyverno.io/title: Add PSA Namespace Reporting in CEL expressions + policies.kyverno.io/category: Pod Security Admission, EKS Best Practices in CEL policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.7.1 - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.24" + kyverno.io/kyverno-version: 1.11.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/subject: Namespace policies.kyverno.io/description: >- This policy is valuable as it ensures that all namespaces within a Kubernetes 
@@ -22,7 +22,7 @@ metadata: organization's security practices and take appropriate action to rectify the situation. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: check-namespace-labels @@ -32,8 +32,8 @@ spec: kinds: - Namespace validate: - message: This Namespace is missing a PSA label. - pattern: - metadata: - labels: - pod-security.kubernetes.io/*: "?*" \ No newline at end of file + cel: + expressions: + - expression: "has(object.metadata.labels) && object.metadata.labels.exists(label, label.startsWith('pod-security.kubernetes.io/') && object.metadata.labels[label] != '')" + message: This Namespace is missing a PSA label. + diff --git a/psa-cel/add-psa-namespace-reporting/artifacthub-pkg.yml b/psa-cel/add-psa-namespace-reporting/artifacthub-pkg.yml index 00f936a11..20bcf0620 100644 --- a/psa-cel/add-psa-namespace-reporting/artifacthub-pkg.yml +++ b/psa-cel/add-psa-namespace-reporting/artifacthub-pkg.yml 
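Review bot: The new expression passes a Namespace that carries any label under the `pod-security.kubernetes.io/` prefix, so a Namespace with only `pod-security.kubernetes.io/warn` or `.../audit` set is reported as compliant even though no level is enforced. That mirrors the wildcard of the replaced `pod-security.kubernetes.io/*: "?*"` pattern, but it is weaker than the description's "operate under the defined Pod Security Standard" and deserves a comment, e.g. `# Any PSA label (enforce, audit or warn) satisfies the check, matching the original pattern`. If enforcement is the intent, the stricter form is `"has(object.metadata.labels) && 'pod-security.kubernetes.io/enforce' in object.metadata.labels && object.metadata.labels['pod-security.kubernetes.io/enforce'] != ''"`. The rule keeps `background: true` (context line), so confirm that CEL validate subrules are evaluated in background scans for the targeted Kyverno version, since this policy exists to produce reports rather than to block admission.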
@@ -1,23 +1,24 @@ -name: add-psa-namespace-reporting +name: add-psa-namespace-reporting-cel version: 1.0.0 -displayName: Add PSA Namespace Reporting -createdAt: "2024-01-04T16:10:04.000Z" +displayName: Add PSA Namespace Reporting in CEL expressions description: >- This policy is valuable as it ensures that all namespaces within a Kubernetes cluster are labeled with Pod Security Admission (PSA) labels, which are crucial for defining security levels and ensuring that pods within a namespace operate under the defined Pod Security Standard (PSS). By enforcing namespace labeling, This policy audits namespaces to verify the presence of PSA labels. If a namespace is found without the required labels, it generates and maintain and ClusterPolicy Report in default namespace. This helps administrators identify namespaces that do not comply with the organization's security practices and take appropriate action to rectify the situation. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/psa/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml ``` keywords: - kyverno - Pod Security Admission - EKS Best Practices + - CEL Expressions readme: | This policy is valuable as it ensures that all namespaces within a Kubernetes cluster are labeled with Pod Security Admission (PSA) labels, which are crucial for defining security levels and ensuring that pods within a namespace operate under the defined Pod Security Standard (PSS). By enforcing namespace labeling, This policy audits namespaces to verify the presence of PSA labels. If a namespace is found without the required labels, it generates and maintain and ClusterPolicy Report in default namespace. 
This helps administrators identify namespaces that do not comply with the organization's security practices and take appropriate action to rectify the situation. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Pod Security Admission, EKS Best Practices" - kyverno/kubernetesVersion: "1.24" + kyverno/category: "Pod Security Admission, EKS Best Practices in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Namespace" -digest: 9f900e576158a5cff2e07404794add182859bfc6d881682af3490381abe6b434 +digest: 4d5be89c79c008b87f6d9f0400a4b336c8a55fa84170608f1d7e3df3f4e21eba +createdAt: "2024-05-22T08:30:28Z" From 184576bd19ab6688bf8362ad98f6499eb0a1d168 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 08:31:24 +0000 Subject: [PATCH 28/43] copy deny-privileged-profile 
Signed-off-by: Chandan-DK --- .../chainsaw-step-01-assert-1.yaml | 6 ++ .../chainsaw-step-03-apply-1.yaml | 11 +++ .../chainsaw-step-03-apply-2.yaml | 12 +++ .../.chainsaw-test/chainsaw-test.yaml | 98 +++++++++++++++++++ .../.chainsaw-test/ns-bad.yaml | 14 +++ .../.chainsaw-test/ns-good.yaml | 18 ++++ .../artifacthub-pkg.yml | 22 +++++ .../deny-privileged-profile.yaml | 42 ++++++++ 8 files changed, 223 insertions(+) create mode 100755 psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-step-03-apply-1.yaml create mode 100755 psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-step-03-apply-2.yaml create mode 100755 psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-test.yaml create mode 100644 psa-cel/deny-privileged-profile/.chainsaw-test/ns-bad.yaml create mode 100644 psa-cel/deny-privileged-profile/.chainsaw-test/ns-good.yaml create mode 100644 psa-cel/deny-privileged-profile/artifacthub-pkg.yml create mode 100644 psa-cel/deny-privileged-profile/deny-privileged-profile.yaml diff --git a/psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..93dfa2f2d --- /dev/null +++ b/psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: deny-privileged-profile +status: + ready: true diff --git a/psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-step-03-apply-1.yaml b/psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-step-03-apply-1.yaml new file mode 100755 index 000000000..f39afe9fc --- /dev/null +++ b/psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-step-03-apply-1.yaml 
@@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ns-deleter +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - create diff --git a/psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-step-03-apply-2.yaml b/psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-step-03-apply-2.yaml new file mode 100755 index 000000000..1f3cc8101 --- /dev/null +++ b/psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-step-03-apply-2.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ns-deleter:denyprivilegeduser +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ns-deleter +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: User + name: denyprivilegeduser diff --git a/psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-test.yaml b/psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..0b6b37692 --- /dev/null +++ b/psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-test.yaml 
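Review bot: The ClusterRole is named `ns-deleter` but its only rule grants `create` on `namespaces`, so the name misdescribes the permission the test user receives; the binding in the second hunk (`ns-deleter:denyprivilegeduser`) carries the same name. Renaming both to something like `ns-creator` would make a later RBAC audit of the test cluster read correctly. Keeping the grant to the single `create` verb is the right scope for what the test exercises.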
@@ -0,0 +1,98 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: deny-privileged-profile +spec: + steps: + - name: step-01 + try: + - apply: + file: ../deny-privileged-profile.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: deny-privileged-profile + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - script: + content: | + #!/bin/bash + set -eu + cp $KUBECONFIG temp + export KUBECONFIG=./temp + export USERNAME=denyprivilegeduser + export CA=ca.crt + #### Get CA certificate from kubeconfig assuming it's the first in the list. + kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 --decode > ./ca.crt + #### Set CLUSTER_SERVER from kubeconfig assuming it's the first in the list. + CLUSTER_SERVER="$(kubectl config view --raw -o jsonpath='{.clusters[0].cluster.server}')" + #### Set CLUSTER from kubeconfig assuming it's the first in the list. 
+ CLUSTER="$(kubectl config view --raw -o jsonpath='{.clusters[0].name}')" + #### Generate private key + openssl genrsa -out $USERNAME.key 2048 + #### Create CSR + openssl req -new -key $USERNAME.key -out $USERNAME.csr -subj "/O=testorg/CN=$USERNAME" + #### Send CSR to kube-apiserver for approval + cat < $USERNAME.crt + #### + #### Create the credential object and output the new kubeconfig file + kubectl config set-credentials $USERNAME --client-certificate=$USERNAME.crt --client-key=$USERNAME.key --embed-certs + #### Set the context + kubectl config set-context $USERNAME-context --user=$USERNAME --cluster=$CLUSTER + # Delete CSR + kubectl delete csr $USERNAME + - apply: + file: chainsaw-step-03-apply-1.yaml + - apply: + file: chainsaw-step-03-apply-2.yaml + - script: + content: | + #!/bin/bash + set -eu + export KUBECONFIG=./temp + kubectl --context=denyprivilegeduser-context create -f ns-good.yaml + - script: + content: | + #!/bin/bash + set -eu + export KUBECONFIG=./temp + if kubectl --context=denyprivilegeduser-context create -f ns-bad.yaml; then exit 1; else exit 0; fi + - sleep: + duration: 5s + finally: + - script: + content: kubectl delete -f ns-good.yaml --ignore-not-found + - script: + content: kubectl delete -f ns-bad.yaml --ignore-not-found + - script: + content: | + set -e + rm ./temp + - name: step-05 + try: + - apply: + file: ns-good.yaml + - apply: + file: ns-bad.yaml diff --git a/psa-cel/deny-privileged-profile/.chainsaw-test/ns-bad.yaml b/psa-cel/deny-privileged-profile/.chainsaw-test/ns-bad.yaml new file mode 100644 index 000000000..21f29bb8b --- /dev/null +++ b/psa-cel/deny-privileged-profile/.chainsaw-test/ns-bad.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + pod-security.kubernetes.io/enforce: privileged + name: deny-privileged-bad-ns01 +--- +apiVersion: v1 +kind: Namespace +metadata: + labels: + pod-security.kubernetes.io/enforce: privileged + foo: bar + name: deny-privileged-bad-ns02 \ No newline at end of file 
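Review bot: The step-02 script generates a client key (`openssl genrsa -out $USERNAME.key 2048`), a CSR, a signed certificate and `ca.crt` in the working directory, but the `finally` block only removes `./temp`, so a private key that was bound to a ClusterRole on the test cluster is left on disk after the run. Adding `rm -f ./denyprivilegeduser.key ./denyprivilegeduser.crt ./denyprivilegeduser.csr ./ca.crt` to that cleanup script (or writing all of them into a temporary directory) would close that. As rendered here the line `cat < $USERNAME.crt` would fail under `set -eu` because the certificate does not exist yet; this looks like a rendering artifact of a heredoc that creates the CSR object and extracts the issued certificate, so confirm it against the raw file. Unquoted expansions such as `cp $KUBECONFIG temp` break on paths containing spaces; `cp "$KUBECONFIG" temp` is the safer form.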
diff --git a/psa-cel/deny-privileged-profile/.chainsaw-test/ns-good.yaml b/psa-cel/deny-privileged-profile/.chainsaw-test/ns-good.yaml new file mode 100644 index 000000000..f760fac2c --- /dev/null +++ b/psa-cel/deny-privileged-profile/.chainsaw-test/ns-good.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + pod-security.kubernetes.io/enforce: baseline + name: deny-privileged-good-ns01 +--- +apiVersion: v1 +kind: Namespace +metadata: + labels: + foo: bar + name: deny-privileged-good-ns02 +--- +apiVersion: v1 +kind: Namespace +metadata: + name: deny-privileged-good-ns03 \ No newline at end of file diff --git a/psa-cel/deny-privileged-profile/artifacthub-pkg.yml b/psa-cel/deny-privileged-profile/artifacthub-pkg.yml new file mode 100644 index 000000000..f9742ec5f --- /dev/null +++ b/psa-cel/deny-privileged-profile/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: deny-privileged-profile +version: 1.0.0 +displayName: Deny Privileged Profile +createdAt: "2023-04-10T23:21:22.000Z" +description: >- + When Pod Security Admission (PSA) is enforced at the cluster level via an AdmissionConfiguration file which defines a default level at baseline or restricted, setting of a label at the `privileged` profile will effectively cause unrestricted workloads in that Namespace, overriding the cluster default. This may effectively represent a circumvention attempt and should be closely controlled. This policy ensures that only those holding the cluster-admin ClusterRole may create Namespaces which assign the label `pod-security.kubernetes.io/enforce=privileged`. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/psa/deny-privileged-profile/deny-privileged-profile.yaml + ``` +keywords: + - kyverno + - Pod Security Admission +readme: | + When Pod Security Admission (PSA) is enforced at the cluster level via an AdmissionConfiguration file which defines a default level at baseline or restricted, setting of a label at the `privileged` profile will effectively cause unrestricted workloads in that Namespace, overriding the cluster default. This may effectively represent a circumvention attempt and should be closely controlled. This policy ensures that only those holding the cluster-admin ClusterRole may create Namespaces which assign the label `pod-security.kubernetes.io/enforce=privileged`. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Pod Security Admission" + kyverno/kubernetesVersion: "1.24" + kyverno/subject: "Namespace" +digest: e417c381e1aa9fd3778b37c09cfdccb87b0de20ee16ac4034496283f4fa859ac 
diff --git a/psa-cel/deny-privileged-profile/deny-privileged-profile.yaml b/psa-cel/deny-privileged-profile/deny-privileged-profile.yaml new file mode 100644 index 000000000..a7f108555 --- /dev/null +++ b/psa-cel/deny-privileged-profile/deny-privileged-profile.yaml @@ -0,0 +1,42 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: deny-privileged-profile + annotations: + policies.kyverno.io/title: Deny Privileged Profile + policies.kyverno.io/category: Pod Security Admission + policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.7.1 + policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kubernetes-version: "1.24" + policies.kyverno.io/subject: Namespace + policies.kyverno.io/description: >- + When Pod Security Admission (PSA) is enforced at the cluster level + via an AdmissionConfiguration file which defines a default level at + baseline or restricted, setting of a label at the `privileged` profile + will effectively cause unrestricted workloads in that Namespace, overriding + the cluster default. This may effectively represent a circumvention attempt + and should be closely controlled. This policy ensures that only those holding + the cluster-admin ClusterRole may create Namespaces which assign the label + `pod-security.kubernetes.io/enforce=privileged`. +spec: + validationFailureAction: audit + background: false + rules: + - name: check-privileged + match: + any: + - resources: + kinds: + - Namespace + selector: + matchLabels: + pod-security.kubernetes.io/enforce: privileged + exclude: + any: + - clusterRoles: + - cluster-admin + validate: + message: Only cluster-admins may create Namespaces that allow setting the privileged level. + deny: {} + From 03609a06b62f5072db77a7a487310ba440df89ed Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 08:36:27 +0000 Subject: [PATCH 29/43] convert deny-privileged-profile 
Signed-off-by: Chandan-DK --- .../artifacthub-pkg.yml | 15 ++++++++------- .../deny-privileged-profile.yaml | 18 ++++++++++-------- 2 files changed, 18 insertions(+), 15 deletions(-) diff --git a/psa-cel/deny-privileged-profile/artifacthub-pkg.yml b/psa-cel/deny-privileged-profile/artifacthub-pkg.yml index f9742ec5f..0a78df882 100644 --- a/psa-cel/deny-privileged-profile/artifacthub-pkg.yml +++ b/psa-cel/deny-privileged-profile/artifacthub-pkg.yml 
@@ -1,22 +1,23 @@ -name: deny-privileged-profile +name: deny-privileged-profile-cel version: 1.0.0 -displayName: Deny Privileged Profile -createdAt: "2023-04-10T23:21:22.000Z" +displayName: Deny Privileged Profile in CEL expressions description: >- When Pod Security Admission (PSA) is enforced at the cluster level via an AdmissionConfiguration file which defines a default level at baseline or restricted, setting of a label at the `privileged` profile will effectively cause unrestricted workloads in that Namespace, overriding the cluster default. This may effectively represent a circumvention attempt and should be closely controlled. This policy ensures that only those holding the cluster-admin ClusterRole may create Namespaces which assign the label `pod-security.kubernetes.io/enforce=privileged`. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/psa/deny-privileged-profile/deny-privileged-profile.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/psa-cel/deny-privileged-profile/deny-privileged-profile.yaml ``` keywords: - kyverno - Pod Security Admission + - CEL Expressions readme: | When Pod Security Admission (PSA) is enforced at the cluster level via an AdmissionConfiguration file which defines a default level at baseline or restricted, setting of a label at the `privileged` profile will effectively cause unrestricted workloads in that Namespace, overriding the cluster default. This may effectively represent a circumvention attempt and should be closely controlled. This policy ensures that only those holding the cluster-admin ClusterRole may create Namespaces which assign the label `pod-security.kubernetes.io/enforce=privileged`. 
Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Pod Security Admission" - kyverno/kubernetesVersion: "1.24" + kyverno/category: "Pod Security Admission in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Namespace" -digest: e417c381e1aa9fd3778b37c09cfdccb87b0de20ee16ac4034496283f4fa859ac +digest: a8eb6c291f91e8ebd2535712413432e0659f2839c0929334e5f69a883506d85a +createdAt: "2024-05-22T08:35:47Z" diff --git a/psa-cel/deny-privileged-profile/deny-privileged-profile.yaml b/psa-cel/deny-privileged-profile/deny-privileged-profile.yaml index a7f108555..f01dddfee 100644 --- a/psa-cel/deny-privileged-profile/deny-privileged-profile.yaml +++ b/psa-cel/deny-privileged-profile/deny-privileged-profile.yaml @@ -3,12 +3,12 @@ kind: ClusterPolicy metadata: name: deny-privileged-profile annotations: - policies.kyverno.io/title: Deny Privileged Profile - policies.kyverno.io/category: Pod Security Admission + policies.kyverno.io/title: Deny Privileged Profile in CEL expressions + policies.kyverno.io/category: Pod Security Admission in CEL expressions policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.7.1 - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.24" + kyverno.io/kyverno-version: 1.11.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/subject: Namespace policies.kyverno.io/description: >- When Pod Security Admission (PSA) is enforced at the cluster level @@ -20,7 +20,7 @@ metadata: the cluster-admin ClusterRole may create Namespaces which assign the label `pod-security.kubernetes.io/enforce=privileged`. spec: - validationFailureAction: audit + validationFailureAction: Audit background: false rules: - name: check-privileged 
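Review bot: The category annotation in this hunk is `Pod Security Admission in CEL expressions`, while the artifacthub-pkg.yml in the same commit uses `Pod Security Admission in CEL` and the other conversions in this series (`Traefik in CEL`, `Pod Security Admission, EKS Best Practices in CEL`) use the shorter suffix; categories drive grouping on the catalog side, so the odd one out would land in its own bucket. `policies.kyverno.io/category: Pod Security Admission in CEL` aligns it with the rest. The enclosing annotations block starts above the hunk.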
@@ -37,6 +37,8 @@ spec: - clusterRoles: - cluster-admin validate: - message: Only cluster-admins may create Namespaces that allow setting the privileged level. - deny: {} + cel: + expressions: + - expression: "false" + message: Only cluster-admins may create Namespaces that allow setting the privileged level. From f3a3ca926c437a522d9f7db802528ff7dd64f9ec Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 08:57:03 +0000 Subject: [PATCH 30/43] add kyverno tests for deny-privileged-profile Signed-off-by: Chandan-DK --- .../.kyverno-test/kyverno-test.yaml | 16 ++++++++++++++++ .../.kyverno-test/kyverno-test.yaml | 16 ++++++++++++++++ 2 files changed, 32 insertions(+) create mode 100644 psa-cel/deny-privileged-profile/.kyverno-test/kyverno-test.yaml create mode 100644 psa/deny-privileged-profile/.kyverno-test/kyverno-test.yaml diff --git a/psa-cel/deny-privileged-profile/.kyverno-test/kyverno-test.yaml b/psa-cel/deny-privileged-profile/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..6d26b1d82 --- /dev/null +++ b/psa-cel/deny-privileged-profile/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,16 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: deny-privileged-profile +policies: +- ../deny-privileged-profile.yaml +resources: +- ../.chainsaw-test/ns-bad.yaml +results: +- policy: deny-privileged-profile + rule: check-privileged + kind: Namespace + resources: + - deny-privileged-bad-ns01 + - deny-privileged-bad-ns02 + result: fail \ No newline at end of file diff --git a/psa/deny-privileged-profile/.kyverno-test/kyverno-test.yaml b/psa/deny-privileged-profile/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..6d26b1d82 --- /dev/null +++ b/psa/deny-privileged-profile/.kyverno-test/kyverno-test.yaml 
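Review bot: The new CEL rule `expression: "false"` denies every request that reaches it, so the whole decision now rests on the rule's match/exclude block, which starts outside this hunk (only the `clusterRoles: - cluster-admin` context lines are visible). That is equivalent to the removed `deny: {}`, but a reader of the CEL branch will look for a condition that is not there; a comment above the expression such as `# Always deny: the rule's match/exclude (cluster-admin exempt) does the filtering` would make the intent explicit. Because the exemption depends on the requester's ClusterRoles, `background: false` from the earlier hunk has to stay as it is.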
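Review bot: The new CLI test asserts only `result: fail` for the two bad Namespaces, so it cannot detect a regression in which the policy stops matching or starts denying compliant Namespaces; the same file is added again for `psa/deny-privileged-profile` in the next hunk. With an always-false CEL expression the match selector is the only thing under test, so a compliant Namespace fixture with an expected `pass` (or `skip` if it falls outside the match) would pin the other side; whether a suitable good-namespace file already exists next to `ns-bad.yaml` is not visible here. The cluster-admin exemption is also unexercised, which in the CLI would need a userInfo/values file.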
@@ -0,0 +1,16 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: deny-privileged-profile +policies: +- ../deny-privileged-profile.yaml +resources: +- ../.chainsaw-test/ns-bad.yaml +results: +- policy: deny-privileged-profile + rule: check-privileged + kind: Namespace + resources: + - deny-privileged-bad-ns01 + - deny-privileged-bad-ns02 + result: fail \ No newline at end of file From 2815aa547bef316fc1404d8e2b3531e071131526 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 09:32:21 +0000 Subject: [PATCH 31/43] copy disallow-jenkins-pipeline-strategy Signed-off-by: Chandan-DK --- .../.kyverno-test/kyverno-test.yaml | 23 ++++++++++ .../.kyverno-test/resources.yaml | 43 +++++++++++++++++++ .../artifacthub-pkg.yml | 22 ++++++++++ .../disallow-jenkins-pipeline-strategy.yaml | 34 +++++++++++++++ 4 files changed, 122 insertions(+) create mode 100644 openshift-cel/disallow-jenkins-pipeline-strategy/.kyverno-test/kyverno-test.yaml create mode 100644 openshift-cel/disallow-jenkins-pipeline-strategy/.kyverno-test/resources.yaml create mode 100644 openshift-cel/disallow-jenkins-pipeline-strategy/artifacthub-pkg.yml create mode 100644 openshift-cel/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml diff --git a/openshift-cel/disallow-jenkins-pipeline-strategy/.kyverno-test/kyverno-test.yaml b/openshift-cel/disallow-jenkins-pipeline-strategy/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..4aadc467a --- /dev/null +++ b/openshift-cel/disallow-jenkins-pipeline-strategy/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,23 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: check-policy +policies: +- ../disallow-jenkins-pipeline-strategy.yaml +resources: +- resources.yaml +results: +- kind: BuildConfig + policy: disallow-jenkins-pipeline-strategy + resources: + - sample-jenkins-pipeline + - sample-jenkins-pipeline-new + result: fail + rule: check-build-strategy +- kind: BuildConfig + policy: disallow-jenkins-pipeline-strategy + resources: + - sample-pipeline-no-jenkins + - sample-pipeline-no-jenkins-new + result: pass + rule: check-build-strategy diff --git a/openshift-cel/disallow-jenkins-pipeline-strategy/.kyverno-test/resources.yaml b/openshift-cel/disallow-jenkins-pipeline-strategy/.kyverno-test/resources.yaml new file mode 100644 index 000000000..335e2e20d --- /dev/null +++ b/openshift-cel/disallow-jenkins-pipeline-strategy/.kyverno-test/resources.yaml @@ -0,0 +1,43 @@ +kind: "BuildConfig" +apiVersion: "v1" +metadata: + name: "sample-jenkins-pipeline" +spec: + source: + git: + uri: "https://github.com/openshift/ruby-hello-world" + strategy: + jenkinsPipelineStrategy: + jenkinsfilePath: some/repo/dir/filename +--- +kind: "BuildConfig" +apiVersion: "v1" +metadata: + name: "sample-pipeline-no-jenkins" +spec: + source: + git: + uri: "https://github.com/openshift/ruby-hello-world" + strategy: {} +--- +kind: "BuildConfig" +apiVersion: "build.openshift.io/v1" +metadata: + name: "sample-jenkins-pipeline-new" +spec: + source: + git: + uri: "https://github.com/openshift/ruby-hello-world" + strategy: + jenkinsPipelineStrategy: + jenkinsfilePath: some/repo/dir/filename +--- +kind: "BuildConfig" +apiVersion: "build.openshift.io/v1" +metadata: + name: "sample-pipeline-no-jenkins-new" +spec: + source: + git: + uri: "https://github.com/openshift/ruby-hello-world" + strategy: {} 
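Review bot: The Test's `metadata.name: check-policy` is a generic placeholder that does not identify what is being tested, and the `.kyverno-test/kyverno-test.yaml` copied later in this series for `disallow-security-context-constraint-anyuid` carries `name: check-routes`, a leftover from an unrelated policy. Naming each Test after its policy, e.g. `name: disallow-jenkins-pipeline-strategy`, keeps CLI output and failures attributable. Since these are copied fixtures, the rename may belong in the follow-up conversion commits rather than here.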
diff --git a/openshift-cel/disallow-jenkins-pipeline-strategy/artifacthub-pkg.yml b/openshift-cel/disallow-jenkins-pipeline-strategy/artifacthub-pkg.yml new file mode 100644 index 000000000..427d0f45a --- /dev/null +++ b/openshift-cel/disallow-jenkins-pipeline-strategy/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +name: disallow-jenkins-pipeline-strategy +version: 1.0.0 +displayName: Disallow OpenShift Jenkins Pipeline Build Strategy +createdAt: "2023-04-10T20:26:05.000Z" +description: >- + The Jenkins Pipeline Build Strategy has been deprecated. This policy prevents its use. Use OpenShift Pipelines instead. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/openshift/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml + ``` +keywords: + - kyverno + - OpenShift +readme: | + The Jenkins Pipeline Build Strategy has been deprecated. This policy prevents its use. Use OpenShift Pipelines instead. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "OpenShift" + kyverno/kubernetesVersion: "1.20" + kyverno/subject: "BuildConfig" +digest: 54d8b6ca2d8a3bb07ef0e84375717f230aa1bbee36d2df8fda5563d8b828da64 diff --git a/openshift-cel/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml b/openshift-cel/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml new file mode 100644 index 000000000..e4b6396d4 --- /dev/null +++ b/openshift-cel/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml 
@@ -0,0 +1,34 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-jenkins-pipeline-strategy + annotations: + policies.kyverno.io/title: Disallow OpenShift Jenkins Pipeline Build Strategy + policies.kyverno.io/category: OpenShift + policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.6.0 + policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kubernetes-version: "1.20" + policies.kyverno.io/subject: BuildConfig + policies.kyverno.io/description: >- + The Jenkins Pipeline Build Strategy has been deprecated. This policy prevents its use. Use OpenShift Pipelines instead. +spec: + validationFailureAction: enforce + background: true + rules: + - name: check-build-strategy + match: + any: + - resources: + kinds: + - v1/BuildConfig + - build.openshift.io/v1/BuildConfig + validate: + message: >- + Jenkins Pipeline Build Strategy has been deprecated and is not allowed + deny: + conditions: + all: + - key: "{{ keys(request.object.spec.strategy) | contains(@, 'jenkinsPipelineStrategy') }}" + operator: Equals + value: true From a7d95dd8ca3c50482d357066c81747e137ebeb46 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 09:41:09 +0000 Subject: [PATCH 32/43] convert disallow-jenkins-pipeline-strategy Signed-off-by: Chandan-DK --- .../artifacthub-pkg.yml | 15 ++++++----- .../disallow-jenkins-pipeline-strategy.yaml | 26 +++++++++---------- 2 files changed, 20 insertions(+), 21 deletions(-) diff --git a/openshift-cel/disallow-jenkins-pipeline-strategy/artifacthub-pkg.yml b/openshift-cel/disallow-jenkins-pipeline-strategy/artifacthub-pkg.yml index 427d0f45a..f90fc3074 100644 --- a/openshift-cel/disallow-jenkins-pipeline-strategy/artifacthub-pkg.yml +++ b/openshift-cel/disallow-jenkins-pipeline-strategy/artifacthub-pkg.yml 
@@ -1,22 +1,23 @@ -name: disallow-jenkins-pipeline-strategy +name: disallow-jenkins-pipeline-strategy-cel version: 1.0.0 -displayName: Disallow OpenShift Jenkins Pipeline Build Strategy -createdAt: "2023-04-10T20:26:05.000Z" +displayName: Disallow OpenShift Jenkins Pipeline Build Strategy in CEL expressions description: >- The Jenkins Pipeline Build Strategy has been deprecated. This policy prevents its use. Use OpenShift Pipelines instead. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/openshift/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/openshift-cel/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml ``` keywords: - kyverno - OpenShift + - CEL Expressions readme: | The Jenkins Pipeline Build Strategy has been deprecated. This policy prevents its use. Use OpenShift Pipelines instead. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "OpenShift" - kyverno/kubernetesVersion: "1.20" + kyverno/category: "OpenShift in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "BuildConfig" -digest: 54d8b6ca2d8a3bb07ef0e84375717f230aa1bbee36d2df8fda5563d8b828da64 +digest: 39929037e267c6d7698695d11f084bf402cf54a21e89b95e1fc5843a5cfda240 +createdAt: "2024-05-22T09:40:45Z" diff --git a/openshift-cel/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml b/openshift-cel/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml index e4b6396d4..c756fcb04 100644 --- a/openshift-cel/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml +++ b/openshift-cel/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml 
@@ -3,17 +3,17 @@ kind: ClusterPolicy metadata: name: disallow-jenkins-pipeline-strategy annotations: - policies.kyverno.io/title: Disallow OpenShift Jenkins Pipeline Build Strategy - policies.kyverno.io/category: OpenShift + policies.kyverno.io/title: Disallow OpenShift Jenkins Pipeline Build Strategy in CEL expressions + policies.kyverno.io/category: OpenShift in CEL policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.6.0 - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.20" + kyverno.io/kyverno-version: 1.11.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/subject: BuildConfig policies.kyverno.io/description: >- The Jenkins Pipeline Build Strategy has been deprecated. This policy prevents its use. Use OpenShift Pipelines instead. spec: - validationFailureAction: enforce + validationFailureAction: Enforce background: true rules: - name: check-build-strategy @@ -24,11 +24,9 @@ spec: - v1/BuildConfig - build.openshift.io/v1/BuildConfig validate: - message: >- - Jenkins Pipeline Build Strategy has been deprecated and is not allowed - deny: - conditions: - all: - - key: "{{ keys(request.object.spec.strategy) | contains(@, 'jenkinsPipelineStrategy') }}" - operator: Equals - value: true + cel: + expressions: + - expression: "!has(object.spec.strategy.jenkinsPipelineStrategy)" + message: >- + Jenkins Pipeline Build Strategy has been deprecated and is not allowed + From ca7ed5929aa3004bc37c687b5f0535cc2bcb1fce Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 09:42:26 +0000 Subject: [PATCH 33/43] copy disallow-security-context-constraint-anyuid 
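Review bot: `!has(object.spec.strategy.jenkinsPipelineStrategy)` in the second hunk requires `object.spec.strategy` to be present: CEL's `has()` only tests the last path element, so a BuildConfig without `spec.strategy` turns the expression into an evaluation error instead of `true`. The removed `keys(request.object.spec.strategy)` had the same dependency and BuildConfig presumably always carries `strategy`, but the guard is cheap: `- expression: "!has(object.spec.strategy) || !has(object.spec.strategy.jenkinsPipelineStrategy)"`. A `pass` fixture with no `strategy` key at all would then be worth adding beside the existing `strategy: {}` cases. The hunk also appends a trailing blank line after the message, which most YAML linters flag.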
Signed-off-by: Chandan-DK --- .../.chainsaw-test/chainsaw-test.yaml | 44 +++++ .../.chainsaw-test/clusterroles-bad.yaml | 34 ++++ .../.chainsaw-test/clusterroles-good.yaml | 8 + .../.chainsaw-test/crb-bad.yaml | 12 ++ .../.chainsaw-test/crb-good.yaml | 12 ++ .../.chainsaw-test/policy-ready.yaml | 6 + .../.chainsaw-test/rb-bad.yaml | 12 ++ .../.chainsaw-test/rb-good.yaml | 12 ++ .../.chainsaw-test/roles-bad.yaml | 35 ++++ .../.chainsaw-test/roles-good.yaml | 8 + .../.kyverno-test/kyverno-test.yaml | 59 +++++++ .../.kyverno-test/resources.yaml | 154 ++++++++++++++++++ .../artifacthub-pkg.yml | 22 +++ ...ow-security-context-constraint-anyuid.yaml | 55 +++++++ 14 files changed, 473 insertions(+) create mode 100755 openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/chainsaw-test.yaml create mode 100644 openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/clusterroles-bad.yaml create mode 100644 openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/clusterroles-good.yaml create mode 100644 openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/crb-bad.yaml create mode 100644 openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/crb-good.yaml create mode 100644 openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/policy-ready.yaml create mode 100644 openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/rb-bad.yaml create mode 100644 openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/rb-good.yaml create mode 100644 openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/roles-bad.yaml create mode 100644 openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/roles-good.yaml create mode 100644 openshift-cel/disallow-security-context-constraint-anyuid/.kyverno-test/kyverno-test.yaml create mode 100644 
openshift-cel/disallow-security-context-constraint-anyuid/.kyverno-test/resources.yaml create mode 100644 openshift-cel/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml create mode 100644 openshift-cel/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/chainsaw-test.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..2b8304268 --- /dev/null +++ b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,44 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disallow-security-context-constraint-anyuid +spec: + steps: + - name: step-01 + try: + - apply: + file: ../disallow-security-context-constraint-anyuid.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: roles-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: roles-bad.yaml + - apply: + file: clusterroles-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: clusterroles-bad.yaml + - apply: + file: rb-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: rb-bad.yaml + - apply: + file: crb-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: crb-bad.yaml diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/clusterroles-bad.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/clusterroles-bad.yaml new file mode 100644 index 000000000..8c5bdbd84 --- /dev/null +++ b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/clusterroles-bad.yaml 
@@ -0,0 +1,34 @@ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: crole-bad01 +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +- apiGroups: + - security.openshift.io + resourceNames: + - anyuid + resources: + - securitycontextconstraints + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: crole-bad02 +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +- apiGroups: + - security.openshift.io + resourceNames: + - anyuid + resources: + - securitycontextconstraints + verbs: + - "*" diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/clusterroles-good.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/clusterroles-good.yaml new file mode 100644 index 000000000..e03d3c81d --- /dev/null +++ b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/clusterroles-good.yaml @@ -0,0 +1,8 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: crole-good01 +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] \ No newline at end of file diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/crb-bad.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/crb-bad.yaml new file mode 100644 index 000000000..a3ccd78f9 --- /dev/null +++ b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/crb-bad.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: clusterrolebinding-bad01 +subjects: +- kind: Group + name: manager + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: ClusterRole + name: system:openshift:scc:anyuid + apiGroup: rbac.authorization.k8s.io \ No newline at end of file 
diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/crb-good.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/crb-good.yaml new file mode 100644 index 000000000..b49a62cbf --- /dev/null +++ b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/crb-good.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: clusterrolebinding-good01 +subjects: +- kind: Group + name: manager + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: ClusterRole + name: view + apiGroup: rbac.authorization.k8s.io diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/policy-ready.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/policy-ready.yaml new file mode 100644 index 000000000..ed6d92cb9 --- /dev/null +++ b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-security-context-constraint-anyuid +status: + ready: true \ No newline at end of file diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/rb-bad.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/rb-bad.yaml new file mode 100644 index 000000000..378129584 --- /dev/null +++ b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/rb-bad.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: rolebinding-bad01 +subjects: +- kind: User + name: dave + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: ClusterRole + name: system:openshift:scc:anyuid + apiGroup: rbac.authorization.k8s.io \ No newline at end of file 
diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/rb-good.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/rb-good.yaml new file mode 100644 index 000000000..811d5d7c2 --- /dev/null +++ b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/rb-good.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: rolebinding-good01 +subjects: +- kind: User + name: dave + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: ClusterRole + name: view + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/roles-bad.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/roles-bad.yaml new file mode 100644 index 000000000..984b8cf8b --- /dev/null +++ b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/roles-bad.yaml @@ -0,0 +1,35 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: pod-role-bad01 +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "watch", "list"] +- apiGroups: + - security.openshift.io + resourceNames: + - anyuid + resources: + - securitycontextconstraints + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + namespace: default + name: pod-role-bad02 +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "watch", "list"] +- apiGroups: + - security.openshift.io + resourceNames: + - anyuid + resources: + - securitycontextconstraints + verbs: + - "*" +--- \ No newline at end of file diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/roles-good.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/roles-good.yaml new file mode 100644 index 000000000..34c8d7a54 --- /dev/null 
+++ b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/roles-good.yaml @@ -0,0 +1,8 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: good-role01 +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "watch", "list"] \ No newline at end of file diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/.kyverno-test/kyverno-test.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..36c55e3bf --- /dev/null +++ b/openshift-cel/disallow-security-context-constraint-anyuid/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,59 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: check-routes +policies: +- ../disallow-security-context-constraint-anyuid.yaml +resources: +- resources.yaml +results: +- kind: ClusterRole + policy: disallow-security-context-constraint-anyuid + resources: + - secret-reader-anyuid-use + - secret-reader-anyuid-all + result: fail + rule: check-security-context-constraint +- kind: Role + policy: disallow-security-context-constraint-anyuid + resources: + - pod-role-anyuid-use + - pod-role-anyuid-all + result: fail + rule: check-security-context-constraint +- kind: ClusterRole + policy: disallow-security-context-constraint-anyuid + resources: + - secret-reader + result: pass + rule: check-security-context-constraint +- kind: Role + policy: disallow-security-context-constraint-anyuid + resources: + - pod-role + result: pass + rule: check-security-context-constraint +- kind: ClusterRoleBinding + policy: disallow-security-context-constraint-anyuid + resources: + - clusterrolebinding-anyuid + result: fail + rule: check-security-context-roleref +- kind: RoleBinding + policy: disallow-security-context-constraint-anyuid + resources: + - rolebinding-anyuid + result: fail + rule: check-security-context-roleref +- kind: ClusterRoleBinding + policy: disallow-security-context-constraint-anyuid + resources: + - clusterrolebinding-test + result: pass + rule: check-security-context-roleref +- kind: RoleBinding + policy: disallow-security-context-constraint-anyuid + resources: + - rolebinding-test + result: pass + rule: check-security-context-roleref diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/.kyverno-test/resources.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/.kyverno-test/resources.yaml new file mode 100644 index 000000000..0ce3f58be --- /dev/null +++ b/openshift-cel/disallow-security-context-constraint-anyuid/.kyverno-test/resources.yaml 
@@ -0,0 +1,154 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + namespace: default + name: pod-role-anyuid-use +rules: +- apiGroups: [""] # "" indicates the core API group + resources: ["pods"] + verbs: ["get", "watch", "list"] +- apiGroups: + - security.openshift.io + resourceNames: + - anyuid + resources: + - securitycontextconstraints + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + namespace: default + name: pod-role +rules: +- apiGroups: [""] # "" indicates the core API group + resources: ["pods"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + namespace: default + name: pod-role-anyuid-all +rules: +- apiGroups: [""] # "" indicates the core API group + resources: ["pods"] + verbs: ["get", "watch", "list"] +- apiGroups: + - security.openshift.io + resourceNames: + - anyuid + resources: + - securitycontextconstraints + verbs: + - "*" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + # "namespace" omitted since ClusterRoles are not namespaced + name: secret-reader-anyuid-use +rules: +- apiGroups: [""] + # + # at the HTTP level, the name of the resource for accessing Secret + # objects is "secrets" + resources: ["secrets"] + verbs: ["get", "watch", "list"] +- apiGroups: + - security.openshift.io + resourceNames: + - anyuid + resources: + - securitycontextconstraints + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + # "namespace" omitted since ClusterRoles are not namespaced + name: secret-reader +rules: +- apiGroups: [""] + # + # at the HTTP level, the name of the resource for accessing Secret + # objects is "secrets" + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + # "namespace" omitted since ClusterRoles are not namespaced + name: secret-reader-anyuid-all +rules: +- apiGroups: [""] + 
# + # at the HTTP level, the name of the resource for accessing Secret + # objects is "secrets" + resources: ["secrets"] + verbs: ["get", "watch", "list"] +- apiGroups: + - security.openshift.io + resourceNames: + - anyuid + resources: + - securitycontextconstraints + verbs: + - "*" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: rolebinding-anyuid + namespace: development +subjects: +- kind: User + name: dave # Name is case sensitive + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: ClusterRole + name: system:openshift:scc:anyuid + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: clusterrolebinding-anyuid +subjects: +- kind: Group + name: manager # Name is case sensitive + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: ClusterRole + name: system:openshift:scc:anyuid + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: rolebinding-test + namespace: development +subjects: +- kind: User + name: dave # Name is case sensitive + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: ClusterRole + name: view + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: clusterrolebinding-test +subjects: +- kind: Group + name: manager # Name is case sensitive + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: ClusterRole + name: view + apiGroup: rbac.authorization.k8s.io diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml b/openshift-cel/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml new file mode 100644 index 000000000..57032ac9b --- /dev/null +++ b/openshift-cel/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: disallow-security-context-constraint-anyuid +version: 1.0.0 +displayName: Disallow use of the SecurityContextConstraint (SCC) anyuid +createdAt: "2023-04-10T20:26:05.000Z" +description: >- + Disallow the use of the SecurityContextConstraint (SCC) anyuid which allows a pod to run with the UID as declared in the image instead of a random UID +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/openshift/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml + ``` +keywords: + - kyverno + - Security +readme: | + Disallow the use of the SecurityContextConstraint (SCC) anyuid which allows a pod to run with the UID as declared in the image instead of a random UID + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Security" + kyverno/kubernetesVersion: "1.20" + kyverno/subject: "Role,ClusterRole,RBAC" +digest: 91f366a8916454b5922e91d99af42db7be144d64bfcab98a6223843fa4e2d9b5 diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml new file mode 100644 index 000000000..c444ed66f --- /dev/null +++ b/openshift-cel/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml 
@@ -0,0 +1,55 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-security-context-constraint-anyuid + annotations: + policies.kyverno.io/title: Disallow use of the SecurityContextConstraint (SCC) anyuid + policies.kyverno.io/category: Security + policies.kyverno.io/severity: high + kyverno.io/kyverno-version: 1.6.0 + policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kubernetes-version: "1.20" + policies.kyverno.io/subject: Role,ClusterRole,RBAC + policies.kyverno.io/description: >- + Disallow the use of the SecurityContextConstraint (SCC) anyuid which allows a pod to run with the UID as declared in the image instead of a random UID +spec: + validationFailureAction: enforce + background: true + rules: + - name: check-security-context-constraint + match: + any: + - resources: + kinds: + - ClusterRole + - Role + validate: + message: >- + Use of the SecurityContextConstraint (SCC) anyuid is not allowed + foreach: + - list: request.object.rules[] + deny: + conditions: + all: + - key: anyuid + operator: AnyIn + value: "{{element.resourceNames[]}}" + - key: "{{ element.verbs[] | contains(@, 'use') || contains(@, '*') }}" + operator: Equals + value: true + - name: check-security-context-roleref + match: + any: + - resources: + kinds: + - ClusterRoleBinding + - RoleBinding + validate: + message: >- + Use of the SecurityContextConstraint (SCC) anyuid is not allowed + deny: + conditions: + all: + - key: system:openshift:scc:anyuid + operator: Equals + value: "{{request.object.roleRef.name}}" From 6512fba524d73277afe6b3785798706687416158 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 09:54:13 +0000 Subject: [PATCH 34/43] convert disallow-security-context-constraint-anyuid Signed-off-by: Chandan-DK --- .../artifacthub-pkg.yml | 15 +++--- ...ow-security-context-constraint-anyuid.yaml | 46 ++++++++----------- 2 files changed, 26 insertions(+), 35 deletions(-) 
diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml b/openshift-cel/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml index 57032ac9b..caae67edc 100644 --- a/openshift-cel/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml +++ b/openshift-cel/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml @@ -1,22 +1,23 @@ -name: disallow-security-context-constraint-anyuid +name: disallow-security-context-constraint-anyuid-cel version: 1.0.0 -displayName: Disallow use of the SecurityContextConstraint (SCC) anyuid -createdAt: "2023-04-10T20:26:05.000Z" +displayName: Disallow use of the SecurityContextConstraint (SCC) anyuid in CEL expressions description: >- Disallow the use of the SecurityContextConstraint (SCC) anyuid which allows a pod to run with the UID as declared in the image instead of a random UID install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/openshift/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/openshift-cel/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml ``` keywords: - kyverno - Security + - CEL Expressions readme: | Disallow the use of the SecurityContextConstraint (SCC) anyuid which allows a pod to run with the UID as declared in the image instead of a random UID Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Security" - kyverno/kubernetesVersion: "1.20" + kyverno/category: "Security in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Role,ClusterRole,RBAC" -digest: 91f366a8916454b5922e91d99af42db7be144d64bfcab98a6223843fa4e2d9b5 +digest: 29184dda9ce5c8af8622122a5ffb9c41da0937ba0c25de978248ccfdb8afdbc9 +createdAt: "2024-05-22T09:53:47Z" 
diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml index c444ed66f..6c94c5318 100644 --- a/openshift-cel/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml +++ b/openshift-cel/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml @@ -3,17 +3,17 @@ kind: ClusterPolicy metadata: name: disallow-security-context-constraint-anyuid annotations: - policies.kyverno.io/title: Disallow use of the SecurityContextConstraint (SCC) anyuid - policies.kyverno.io/category: Security + policies.kyverno.io/title: Disallow use of the SecurityContextConstraint (SCC) anyuid in CEL expressions + policies.kyverno.io/category: Security in CEL policies.kyverno.io/severity: high - kyverno.io/kyverno-version: 1.6.0 - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.20" + kyverno.io/kyverno-version: 1.11.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/subject: Role,ClusterRole,RBAC policies.kyverno.io/description: >- Disallow the use of the SecurityContextConstraint (SCC) anyuid which allows a pod to run with the UID as declared in the image instead of a random UID spec: - validationFailureAction: enforce + validationFailureAction: Enforce background: true rules: - name: check-security-context-constraint 
@@ -23,20 +23,12 @@ spec: kinds: - ClusterRole - Role - validate: - message: >- - Use of the SecurityContextConstraint (SCC) anyuid is not allowed - foreach: - - list: request.object.rules[] - deny: - conditions: - all: - - key: anyuid - operator: AnyIn - value: "{{element.resourceNames[]}}" - - key: "{{ element.verbs[] | contains(@, 'use') || contains(@, '*') }}" - operator: Equals - value: true + validate: + cel: + expressions: + - expression: "!has(object.rules) || !object.rules.exists(rule, 'anyuid' in rule.resourceNames && ('use' in rule.verbs || '*' in rule.verbs))" + message: >- + Use of the SecurityContextConstraint (SCC) anyuid is not allowed - name: check-security-context-roleref match: any: @@ -45,11 +37,9 @@ spec: - ClusterRoleBinding - RoleBinding validate: - message: >- - Use of the SecurityContextConstraint (SCC) anyuid is not allowed - deny: - conditions: - all: - - key: system:openshift:scc:anyuid - operator: Equals - value: "{{request.object.roleRef.name}}" + cel: + expressions: + - expression: "object.roleRef.name != 'system:openshift:scc:anyuid'" + message: >- + Use of the SecurityContextConstraint (SCC) anyuid is not allowed + From 77095fa6a9ea1a1cbafd1b6d76136c6ced71dd6c Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 09:55:40 +0000 Subject: [PATCH 35/43] copy openshift-cel/disallow-self-provisioner-binding 
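Review bot: The new expression dereferences `rule.resourceNames` without a `has()` guard, although `resourceNames` is optional on a PolicyRule and absent on most rules; if the CEL environment reports a missing field as an evaluation error (as Kubernetes' ValidatingAdmissionPolicy does), an ordinary Role or ClusterRole could be rejected with an evaluation error rather than evaluated, whereas the JMESPath `element.resourceNames[]` form tolerated the missing field. Guard it: `- expression: "!has(object.rules) || !object.rules.exists(rule, has(rule.resourceNames) && 'anyuid' in rule.resourceNames && ('use' in rule.verbs || '*' in rule.verbs))"`. Separately, a rule granting `use` on securitycontextconstraints with no `resourceNames` at all is not flagged by either version, so if that narrower scope is intentional it is worth stating in `policies.kyverno.io/description`. The rule's `name` and `match` block open outside this hunk.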
Signed-off-by: Chandan-DK --- .../chainsaw-step-02-apply-1.yaml | 14 +++++ .../.chainsaw-test/chainsaw-test.yaml | 32 +++++++++++ .../.chainsaw-test/crb-bad-roleref.yaml | 32 +++++++++++ .../.chainsaw-test/crb-bad-sub-update.yaml | 14 +++++ .../.chainsaw-test/crb-good.yaml | 12 ++++ .../.chainsaw-test/policy-ready.yaml | 6 ++ .../.kyverno-test/kyverno-test.yaml | 29 ++++++++++ .../.kyverno-test/resources.yaml | 56 +++++++++++++++++++ .../.kyverno-test/values.yaml | 10 ++++ .../artifacthub-pkg.yml | 22 ++++++++ .../disallow-self-provisioner-binding.yaml | 56 +++++++++++++++++++ 11 files changed, 283 insertions(+) create mode 100755 openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/chainsaw-step-02-apply-1.yaml create mode 100755 openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/chainsaw-test.yaml create mode 100644 openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb-bad-roleref.yaml create mode 100644 openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb-bad-sub-update.yaml create mode 100644 openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb-good.yaml create mode 100644 openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/policy-ready.yaml create mode 100644 openshift-cel/disallow-self-provisioner-binding/.kyverno-test/kyverno-test.yaml create mode 100644 openshift-cel/disallow-self-provisioner-binding/.kyverno-test/resources.yaml create mode 100644 openshift-cel/disallow-self-provisioner-binding/.kyverno-test/values.yaml create mode 100644 openshift-cel/disallow-self-provisioner-binding/artifacthub-pkg.yml create mode 100644 openshift-cel/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml diff --git a/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/chainsaw-step-02-apply-1.yaml b/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/chainsaw-step-02-apply-1.yaml new file mode 100755 index 000000000..68def7523 --- /dev/null 
+++ b/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/chainsaw-step-02-apply-1.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + name: self-provisioners +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: self-provisioner +subjects: +- kind: ServiceAccount + name: test-kyverno + namespace: test-kyverno diff --git a/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/chainsaw-test.yaml b/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..46151df5c --- /dev/null +++ b/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,32 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disallow-self-provisioner-binding +spec: + steps: + - name: step-01 + try: + - apply: + file: ../disallow-self-provisioner-binding.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: chainsaw-step-02-apply-1.yaml + - name: step-03 + try: + - apply: + file: crb-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: crb-bad-roleref.yaml + - apply: + expect: + - check: + ($error != null): true + file: crb-bad-sub-update.yaml diff --git a/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb-bad-roleref.yaml b/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb-bad-roleref.yaml new file mode 100644 index 000000000..7529e6f96 --- /dev/null +++ b/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb-bad-roleref.yaml 
@@ -0,0 +1,32 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + name: self-provisioners-crb-bad01 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: self-provisioner +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: group-test +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:authenticated:oauth +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + name: self-provisioners-crb-bad02 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: self-provisioner +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: group-test \ No newline at end of file diff --git a/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb-bad-sub-update.yaml b/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb-bad-sub-update.yaml new file mode 100644 index 000000000..c95dce7a9 --- /dev/null +++ b/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb-bad-sub-update.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + name: self-provisioners +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: self-provisioner +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: group-test \ No newline at end of file diff --git a/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb-good.yaml b/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb-good.yaml new file mode 100644 index 000000000..caf2c9bfc --- /dev/null +++ b/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb-good.yaml 
@@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: system:openshift:scc:privileged +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:openshift:scc:privileged +subjects: + - kind: ServiceAccount + name: test-kyverno + namespace: test-kyverno \ No newline at end of file diff --git a/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/policy-ready.yaml b/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/policy-ready.yaml new file mode 100644 index 000000000..d6f5a4f24 --- /dev/null +++ b/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-self-provisioner-binding +status: + ready: true \ No newline at end of file diff --git a/openshift-cel/disallow-self-provisioner-binding/.kyverno-test/kyverno-test.yaml b/openshift-cel/disallow-self-provisioner-binding/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..82b12eb14 --- /dev/null +++ b/openshift-cel/disallow-self-provisioner-binding/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,29 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: check-routes +policies: +- ../disallow-self-provisioner-binding.yaml +resources: +- resources.yaml +results: +- kind: ClusterRoleBinding + policy: disallow-self-provisioner-binding + resources: + - self-provisioners + result: fail + rule: check-self-provisioner-binding-no-subject +- kind: ClusterRoleBinding + policy: disallow-self-provisioner-binding + resources: + - self-provisioners-custom + - self-provisioners-custom-test + result: fail + rule: check-self-provisioner-binding-with-subject +- kind: ClusterRoleBinding + policy: disallow-self-provisioner-binding + resources: + - system:openshift:scc:privileged + result: pass + rule: check-self-provisioner-binding-with-subject +variables: values.yaml 
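Review bot: The kyverno-test's `metadata.name: check-routes` looks carried over from another policy's test and does not describe this one; the chainsaw test added in the same commit is named `disallow-self-provisioner-binding`. `name: disallow-self-provisioner-binding` would keep the two test definitions aligned and make CLI output searchable by policy.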
diff --git a/openshift-cel/disallow-self-provisioner-binding/.kyverno-test/resources.yaml b/openshift-cel/disallow-self-provisioner-binding/.kyverno-test/resources.yaml new file mode 100644 index 000000000..e9ab76851 --- /dev/null +++ b/openshift-cel/disallow-self-provisioner-binding/.kyverno-test/resources.yaml @@ -0,0 +1,56 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + name: self-provisioners-custom +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: self-provisioner +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: group-test +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:authenticated:oauth +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + name: self-provisioners +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: self-provisioner +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + name: self-provisioners-custom-test +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: self-provisioner +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: group-test +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: system:openshift:scc:privileged +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:openshift:scc:privileged +subjects: + - kind: ServiceAccount + name: test-kyverno + namespace: test-kyverno diff --git a/openshift-cel/disallow-self-provisioner-binding/.kyverno-test/values.yaml b/openshift-cel/disallow-self-provisioner-binding/.kyverno-test/values.yaml new file mode 100644 index 000000000..1a0f122b0 --- /dev/null 
+++ b/openshift-cel/disallow-self-provisioner-binding/.kyverno-test/values.yaml @@ -0,0 +1,10 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values +policies: +- name: disallow-self-provisioner-binding + resources: + - name: self-provisioners + values: + request.operation: UPDATE + rules: + - name: check-self-provisioner-binding-no-subject diff --git a/openshift-cel/disallow-self-provisioner-binding/artifacthub-pkg.yml b/openshift-cel/disallow-self-provisioner-binding/artifacthub-pkg.yml new file mode 100644 index 000000000..e973625d7 --- /dev/null +++ b/openshift-cel/disallow-self-provisioner-binding/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +name: disallow-self-provisioner-binding +version: 1.0.0 +displayName: Disallow binding to self-provisioner cluster role in OpenShift +createdAt: "2023-04-10T20:26:05.000Z" +description: >- + This policy prevents binding to the self-provisioners role for strict control of OpenShift project creation. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/openshift/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml + ``` +keywords: + - kyverno + - OpenShift +readme: | + This policy prevents binding to the self-provisioners role for strict control of OpenShift project creation. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "OpenShift" + kyverno/kubernetesVersion: "1.20" + kyverno/subject: "ClusterRoleBinding, RBAC" +digest: 1a105716e9a5d2653a6fc6eea9f46c2fa384c00586b9c4148027370e687edfc5 diff --git a/openshift-cel/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml b/openshift-cel/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml new file mode 100644 index 000000000..d8c7a968b --- /dev/null +++ b/openshift-cel/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml 
@@ -0,0 +1,56 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-self-provisioner-binding + annotations: + policies.kyverno.io/title: Disallow binding to self-provisioner cluster role in OpenShift + policies.kyverno.io/category: OpenShift + policies.kyverno.io/severity: high + kyverno.io/kyverno-version: 1.6.0 + policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kubernetes-version: "1.20" + policies.kyverno.io/subject: ClusterRoleBinding, RBAC + policies.kyverno.io/description: >- + This policy prevents binding to the self-provisioners role for strict control of OpenShift project creation. +spec: + validationFailureAction: enforce + background: true + rules: + - name: check-self-provisioner-binding-no-subject + match: + any: + - resources: + kinds: + - ClusterRoleBinding + preconditions: + all: + - key: "{{request.object.metadata.name}}" + operator: Equals + value: self-provisioners + - key: "{{request.operation || 'BACKGROUND'}}" + operator: Equals + value: UPDATE + validate: + message: >- + Modifying the self-provisioners ClusterRoleBinding is not allowed. + deny: {} + - name: check-self-provisioner-binding-with-subject + match: + any: + - resources: + kinds: + - ClusterRoleBinding + preconditions: + all: + - key: "{{request.object.metadata.name || ''}}" + operator: NotEquals + value: self-provisioners + validate: + message: >- + Binding to the self-provisioners cluster role is not allowed. + deny: + conditions: + all: + - key: self-provisioner + operator: AnyIn + value: "{{request.object.roleRef.name}}" From 5c66f1fd67e463a4eaeebcdd0c0c12369afbe632 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 10:07:09 +0000 Subject: [PATCH 36/43] convert disallow-self-provisioner-binding Signed-off-by: Chandan-DK --- .../artifacthub-pkg.yml | 15 +++--- .../disallow-self-provisioner-binding.yaml | 54 +++++++++---------- 2 files changed, 32 insertions(+), 37 deletions(-) 
diff --git a/openshift-cel/disallow-self-provisioner-binding/artifacthub-pkg.yml b/openshift-cel/disallow-self-provisioner-binding/artifacthub-pkg.yml index e973625d7..69bc640ec 100644 --- a/openshift-cel/disallow-self-provisioner-binding/artifacthub-pkg.yml +++ b/openshift-cel/disallow-self-provisioner-binding/artifacthub-pkg.yml @@ -1,22 +1,23 @@ -name: disallow-self-provisioner-binding +name: disallow-self-provisioner-binding-cel version: 1.0.0 -displayName: Disallow binding to self-provisioner cluster role in OpenShift -createdAt: "2023-04-10T20:26:05.000Z" +displayName: Disallow binding to self-provisioner cluster role in OpenShift in CEL expressions description: >- This policy prevents binding to the self-provisioners role for strict control of OpenShift project creation. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/openshift/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/openshift-cel/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml ``` keywords: - kyverno - OpenShift + - CEL Expressions readme: | This policy prevents binding to the self-provisioners role for strict control of OpenShift project creation. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "OpenShift" - kyverno/kubernetesVersion: "1.20" + kyverno/category: "OpenShift in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "ClusterRoleBinding, RBAC" -digest: 1a105716e9a5d2653a6fc6eea9f46c2fa384c00586b9c4148027370e687edfc5 +digest: edd8b8f0ef18613eaed1e263c1d0140222d9dc28917e33ed843f087d98a27e99 +createdAt: "2024-05-22T10:06:31Z" 
diff --git a/openshift-cel/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml b/openshift-cel/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml index d8c7a968b..81276431a 100644 --- a/openshift-cel/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml +++ b/openshift-cel/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml @@ -3,17 +3,16 @@ kind: ClusterPolicy metadata: name: disallow-self-provisioner-binding annotations: - policies.kyverno.io/title: Disallow binding to self-provisioner cluster role in OpenShift - policies.kyverno.io/category: OpenShift + policies.kyverno.io/title: Disallow binding to self-provisioner cluster role in OpenShift in CEL expressions + policies.kyverno.io/category: OpenShift in CEL policies.kyverno.io/severity: high - kyverno.io/kyverno-version: 1.6.0 - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.20" + kyverno.io/kyverno-version: 1.12.1 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/subject: ClusterRoleBinding, RBAC policies.kyverno.io/description: >- This policy prevents binding to the self-provisioners role for strict control of OpenShift project creation. spec: - validationFailureAction: enforce + validationFailureAction: Enforce background: true rules: - name: check-self-provisioner-binding-no-subject 
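Review bot: `policies.kyverno.io/minversion` is removed here rather than updated, while the sibling conversions in this series (`disallow-security-context-constraint-anyuid`, `enforce-etcd-encryption`) set both `kyverno.io/kyverno-version` and `policies.kyverno.io/minversion` to `1.11.0`. If `1.12.1` is deliberate — `celPreconditions` may need a newer release than `validate.cel` does — record it as `policies.kyverno.io/minversion: 1.12.1` so the published policy still states the minimum supported version; otherwise align the two annotations with the siblings.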
@@ -22,35 +21,30 @@ spec: - resources: kinds: - ClusterRoleBinding - preconditions: - all: - - key: "{{request.object.metadata.name}}" - operator: Equals - value: self-provisioners - - key: "{{request.operation || 'BACKGROUND'}}" - operator: Equals - value: UPDATE + celPreconditions: + - name: "name-should-be-self-provisioners" + expression: "object.metadata.name == 'self-provisioners'" + - name: "operation-should-be-update" + expression: "request.operation == 'UPDATE'" validate: - message: >- - Modifying the self-provisioners ClusterRoleBinding is not allowed. - deny: {} + cel: + expressions: + - expression: "false" + message: >- + Modifying the self-provisioners ClusterRoleBinding is not allowed. - name: check-self-provisioner-binding-with-subject match: any: - resources: kinds: - ClusterRoleBinding - preconditions: - all: - - key: "{{request.object.metadata.name || ''}}" - operator: NotEquals - value: self-provisioners + celPreconditions: + - name: "name-should-not-be-self-provisioners" + expression: "object.metadata.name != 'self-provisioners'" validate: - message: >- - Binding to the self-provisioners cluster role is not allowed. - deny: - conditions: - all: - - key: self-provisioner - operator: AnyIn - value: "{{request.object.roleRef.name}}" + cel: + expressions: + - expression: "object.roleRef.name != 'self-provisioner'" + message: >- + Binding to the self-provisioners cluster role is not allowed. + From 07f18b6a3dc28874594705803e6bda341538019a Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 10:13:38 +0000 Subject: [PATCH 37/43] copy enforce-etcd-encryption 
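Review bot: The first rule's precondition `request.operation == 'UPDATE'` loses the fallback the JMESPath version carried (`request.operation || 'BACKGROUND'`) while the policy keeps `background: true`; if `request` is not populated during background scans — presumably why the old fallback existed — the precondition would raise an evaluation error on the existing `self-provisioners` ClusterRoleBinding instead of evaluating to false, and that surfaces as an error entry in policy reports rather than a clean skip. Either confirm that Kyverno's CEL environment provides `request.operation` in background mode and note that next to the precondition, or guard it with a form that tolerates an absent request, e.g. `expression: "has(request.operation) && request.operation == 'UPDATE'"` if `has()` is accepted on the `request` variable. The rule's `name` and `match` open in the preceding hunk.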
Signed-off-by: Chandan-DK --- .../.kyverno-test/kyverno-test.yaml | 21 ++++++++++++ .../.kyverno-test/resources.yaml | 16 +++++++++ .../artifacthub-pkg.yml | 22 +++++++++++++ .../enforce-etcd-encryption.yaml | 33 +++++++++++++++++++ 4 files changed, 92 insertions(+) create mode 100644 openshift-cel/enforce-etcd-encryption/.kyverno-test/kyverno-test.yaml create mode 100644 openshift-cel/enforce-etcd-encryption/.kyverno-test/resources.yaml create mode 100644 openshift-cel/enforce-etcd-encryption/artifacthub-pkg.yml create mode 100644 openshift-cel/enforce-etcd-encryption/enforce-etcd-encryption.yaml diff --git a/openshift-cel/enforce-etcd-encryption/.kyverno-test/kyverno-test.yaml b/openshift-cel/enforce-etcd-encryption/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..2cf4b765d --- /dev/null +++ b/openshift-cel/enforce-etcd-encryption/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,21 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: check-policy +policies: +- ../enforce-etcd-encryption.yaml +resources: +- resources.yaml +results: +- kind: APIServer + policy: enforce-etcd-encryption + resources: + - cluster-no-encryption + result: fail + rule: check-etcd-encryption +- kind: APIServer + policy: enforce-etcd-encryption + resources: + - cluster-with-encryption + result: pass + rule: check-etcd-encryption diff --git a/openshift-cel/enforce-etcd-encryption/.kyverno-test/resources.yaml b/openshift-cel/enforce-etcd-encryption/.kyverno-test/resources.yaml new file mode 100644 index 000000000..442468ad2 --- /dev/null +++ b/openshift-cel/enforce-etcd-encryption/.kyverno-test/resources.yaml 
@@ -0,0 +1,16 @@ +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: + annotations: + release.openshift.io/create-only: "true" + name: cluster-no-encryption +spec: {} +--- +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: + annotations: + release.openshift.io/create-only: "true" + name: cluster-with-encryption +spec: + encryption: {} diff --git a/openshift-cel/enforce-etcd-encryption/artifacthub-pkg.yml b/openshift-cel/enforce-etcd-encryption/artifacthub-pkg.yml new file mode 100644 index 000000000..25e08a873 --- /dev/null +++ b/openshift-cel/enforce-etcd-encryption/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +name: enforce-etcd-encryption +version: 1.0.0 +displayName: Enforce etcd encryption in OpenShift +createdAt: "2023-04-10T20:26:05.000Z" +description: >- + Encryption at rest is a security best practice. This policy ensures encryption is enabled for etcd in OpenShift clusters. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/openshift/enforce-etcd-encryption/enforce-etcd-encryption.yaml + ``` +keywords: + - kyverno + - OpenShift +readme: | + Encryption at rest is a security best practice. This policy ensures encryption is enabled for etcd in OpenShift clusters. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "OpenShift" + kyverno/kubernetesVersion: "1.20" + kyverno/subject: "APIServer" +digest: 52b34f10d90e6c15782ef1b861c42f0f16618ee7093fc7763fa24758e78c64b3 diff --git a/openshift-cel/enforce-etcd-encryption/enforce-etcd-encryption.yaml b/openshift-cel/enforce-etcd-encryption/enforce-etcd-encryption.yaml new file mode 100644 index 000000000..e80628525 --- /dev/null +++ b/openshift-cel/enforce-etcd-encryption/enforce-etcd-encryption.yaml 
@@ -0,0 +1,33 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: enforce-etcd-encryption + annotations: + policies.kyverno.io/title: Enforce etcd encryption in OpenShift + policies.kyverno.io/category: OpenShift + policies.kyverno.io/severity: high + kyverno.io/kyverno-version: 1.6.0 + policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kubernetes-version: "1.20" + policies.kyverno.io/subject: APIServer + policies.kyverno.io/description: >- + Encryption at rest is a security best practice. This policy ensures encryption is enabled for etcd in OpenShift clusters. +spec: + validationFailureAction: enforce + background: true + rules: + - name: check-etcd-encryption + match: + any: + - resources: + kinds: + - config.openshift.io/v1/APIServer + validate: + message: >- + Encryption should be enabled for etcd + deny: + conditions: + all: + - key: "{{ keys(request.object.spec) | contains(@, 'encryption') }}" + operator: NotEquals + value: true From 4343afc9e837a3d2359eb08da92aff89ce0ce48e Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 10:15:54 +0000 Subject: [PATCH 38/43] convert enforce-etcd-encryption Signed-off-by: Chandan-DK --- .../artifacthub-pkg.yml | 15 ++++++------ .../enforce-etcd-encryption.yaml | 24 +++++++++---------- 2 files changed, 19 insertions(+), 20 deletions(-) diff --git a/openshift-cel/enforce-etcd-encryption/artifacthub-pkg.yml b/openshift-cel/enforce-etcd-encryption/artifacthub-pkg.yml index 25e08a873..20519c0c5 100644 --- a/openshift-cel/enforce-etcd-encryption/artifacthub-pkg.yml +++ b/openshift-cel/enforce-etcd-encryption/artifacthub-pkg.yml 
@@ -1,22 +1,23 @@ -name: enforce-etcd-encryption +name: enforce-etcd-encryption-cel version: 1.0.0 -displayName: Enforce etcd encryption in OpenShift -createdAt: "2023-04-10T20:26:05.000Z" +displayName: Enforce etcd encryption in OpenShift in CEL expressions description: >- Encryption at rest is a security best practice. This policy ensures encryption is enabled for etcd in OpenShift clusters. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/openshift/enforce-etcd-encryption/enforce-etcd-encryption.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/openshift-cel/enforce-etcd-encryption/enforce-etcd-encryption.yaml ``` keywords: - kyverno - OpenShift + - CEL Expressions readme: | Encryption at rest is a security best practice. This policy ensures encryption is enabled for etcd in OpenShift clusters. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "OpenShift" - kyverno/kubernetesVersion: "1.20" + kyverno/category: "OpenShift in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "APIServer" -digest: 52b34f10d90e6c15782ef1b861c42f0f16618ee7093fc7763fa24758e78c64b3 +digest: f258866754397716663fab6771d2fc6b7c3a2dcf1af99c7034dbed51a776b9d0 +createdAt: "2024-05-22T10:15:24Z" diff --git a/openshift-cel/enforce-etcd-encryption/enforce-etcd-encryption.yaml b/openshift-cel/enforce-etcd-encryption/enforce-etcd-encryption.yaml index e80628525..210c3764d 100644 --- a/openshift-cel/enforce-etcd-encryption/enforce-etcd-encryption.yaml +++ b/openshift-cel/enforce-etcd-encryption/enforce-etcd-encryption.yaml 
@@ -3,17 +3,17 @@ kind: ClusterPolicy metadata: name: enforce-etcd-encryption annotations: - policies.kyverno.io/title: Enforce etcd encryption in OpenShift + policies.kyverno.io/title: Enforce etcd encryption in OpenShift in CEL expressions policies.kyverno.io/category: OpenShift policies.kyverno.io/severity: high - kyverno.io/kyverno-version: 1.6.0 - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.20" + kyverno.io/kyverno-version: 1.11.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/subject: APIServer policies.kyverno.io/description: >- Encryption at rest is a security best practice. This policy ensures encryption is enabled for etcd in OpenShift clusters. spec: - validationFailureAction: enforce + validationFailureAction: Enforce background: true rules: - name: check-etcd-encryption @@ -23,11 +23,9 @@ spec: kinds: - config.openshift.io/v1/APIServer validate: - message: >- - Encryption should be enabled for etcd - deny: - conditions: - all: - - key: "{{ keys(request.object.spec) | contains(@, 'encryption') }}" - operator: NotEquals - value: true + cel: + expressions: + - expression: "has(object.spec.encryption)" + message: >- + Encryption should be enabled for etcd + From 5c9058e949dba10ec19cb4e3fe6bd70282bfdfc4 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 11:01:04 +0000 Subject: [PATCH 39/43] add CI tests for cel policies Signed-off-by: Chandan-DK --- .github/workflows/test.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 0e806fa5d..e5d9d195d 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -44,8 +44,11 @@ jobs: - ^kubeops$ - ^kubevirt$ - ^linkerd$ + - ^linkerd-cel$ - ^nginx-ingress$ + - ^nginx-ingress-cel$ - ^openshift$ + - ^openshift-cel$ - ^other$/^a - ^other-cel$/^a - ^other$/^[b-d] 
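Review bot: `policies.kyverno.io/category: OpenShift` is left unchanged in this hunk, whereas the companion `artifacthub-pkg.yml` change in the same commit sets `kyverno/category: "OpenShift in CEL"` and the `disallow-self-provisioner-binding` conversion set `policies.kyverno.io/category: OpenShift in CEL`; the policy would be listed under a different category than its package metadata declares. `policies.kyverno.io/category: OpenShift in CEL` keeps the three consistent.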
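Review bot: `has(object.spec.encryption)` only checks that the key exists, so an APIServer with `spec.encryption.type: identity` — the OpenShift setting that explicitly leaves etcd unencrypted — passes a policy named enforce-etcd-encryption, and the `cluster-with-encryption` fixture with `encryption: {}` passes for the same reason. The behavior is inherited from the JMESPath `keys(...)` check, but the CEL form makes the stronger check cheap: `- expression: "has(object.spec.encryption) && has(object.spec.encryption.type) && object.spec.encryption.type != 'identity'"`. The pass fixture in `.kyverno-test/resources.yaml` would then need a concrete `type` value. The rule's `name` and `match` open outside this hunk.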
@@ -60,9 +63,11 @@ jobs: - ^pod-security$ - ^pod-security-cel$ - ^psa$ + - ^psa-cel$ - ^psp-migration$ # - ^tekton # - ^traefik + # - ^traefik-cel # - ^velero runs-on: ubuntu-latest name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }} From bb83cb3605d5b0594b797dce34a8e8f7ae8e3d09 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 11:10:31 +0000 Subject: [PATCH 40/43] remove comments for CI tests Signed-off-by: Chandan-DK --- .github/workflows/test.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e5d9d195d..79ec326f1 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -65,10 +65,10 @@ jobs: - ^psa$ - ^psa-cel$ - ^psp-migration$ - # - ^tekton - # - ^traefik - # - ^traefik-cel - # - ^velero + - ^tekton$ + - ^traefik$ + - ^traefik-cel$ + - ^velero$ runs-on: ubuntu-latest name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }} steps: From edf8a4527fb5f7e64edbabd130d1b90af3b98631 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 22 May 2024 11:29:52 +0000 Subject: [PATCH 41/43] rename files for clarity 
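Review bot: Besides `^traefik-cel$`, the patch-40 hunk also enables `^tekton$`, `^traefik$` and `^velero$`, which the commit title ("remove comments for CI tests") does not mention; these suites were presumably commented out for a reason (the traefik-cel test, renamed in a later commit, asserts a CRD before anything else, which suggests extra CRDs must be installed), so enabling them may fail on the current test cluster. Either keep those three commented until their prerequisites are confirmed, or state in the commit message why they can run now. The `tests` matrix list begins above the hunk.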
Signed-off-by: Chandan-DK --- .../.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-02-apply-1.yaml => crb.yaml} | 0 .../.chainsaw-test/chainsaw-test.yaml | 6 +++--- .../{chainsaw-step-03-apply-1.yaml => cr.yaml} | 0 .../{chainsaw-step-03-apply-2.yaml => crb.yaml} | 0 .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../.chainsaw-test/chainsaw-test.yaml | 8 ++++---- .../{chainsaw-step-03-apply-1.yaml => cr.yaml} | 0 .../{chainsaw-step-03-apply-2.yaml => crb.yaml} | 0 .../{chainsaw-step-00-assert-1.yaml => crd-assert.yaml} | 0 .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 17 files changed, 11 insertions(+), 11 deletions(-) rename linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/{chainsaw-step-02-apply-1.yaml => crb.yaml} (100%) rename psa-cel/deny-privileged-profile/.chainsaw-test/{chainsaw-step-03-apply-1.yaml => cr.yaml} (100%) rename psa-cel/deny-privileged-profile/.chainsaw-test/{chainsaw-step-03-apply-2.yaml => crb.yaml} (100%) rename psa-cel/deny-privileged-profile/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename traefik-cel/disallow-default-tlsoptions/.chainsaw-test/{chainsaw-step-03-apply-1.yaml => cr.yaml} (100%) rename 
traefik-cel/disallow-default-tlsoptions/.chainsaw-test/{chainsaw-step-03-apply-2.yaml => crb.yaml} (100%) rename traefik-cel/disallow-default-tlsoptions/.chainsaw-test/{chainsaw-step-00-assert-1.yaml => crd-assert.yaml} (100%) rename traefik-cel/disallow-default-tlsoptions/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-test.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-test.yaml index e08af48c0..9051a94fb 100755 --- a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-test.yaml +++ b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-test.yaml @@ -19,7 +19,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/policy-ready.yaml similarity index 100% rename from linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/policy-ready.yaml diff --git a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-test.yaml b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-test.yaml index 57e85e207..c85c17614 100755 --- a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-test.yaml +++ b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-test.yaml @@ -19,7 +19,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: 
diff --git a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/policy-ready.yaml similarity index 100% rename from linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/policy-ready.yaml diff --git a/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-test.yaml b/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-test.yaml index 8c5b31e2a..84d387eca 100755 --- a/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-test.yaml +++ b/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-test.yaml @@ -19,7 +19,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: diff --git a/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/policy-ready.yaml similarity index 100% rename from linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/policy-ready.yaml diff --git a/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/chainsaw-test.yaml b/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/chainsaw-test.yaml index 46151df5c..e20df0cb9 100755 --- a/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/chainsaw-test.yaml +++ b/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/chainsaw-test.yaml @@ -15,7 +15,7 @@ spec: - name: step-02 try: - apply: - file: chainsaw-step-02-apply-1.yaml + file: crb.yaml - name: step-03 try: - apply: 
diff --git a/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/chainsaw-step-02-apply-1.yaml b/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb.yaml similarity index 100% rename from openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/chainsaw-step-02-apply-1.yaml rename to openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb.yaml diff --git a/psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-test.yaml b/psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-test.yaml index 0b6b37692..3a62388b2 100755 --- a/psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-test.yaml +++ b/psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-test.yaml @@ -19,7 +19,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - script: @@ -64,9 +64,9 @@ spec: # Delete CSR kubectl delete csr $USERNAME - apply: - file: chainsaw-step-03-apply-1.yaml + file: cr.yaml - apply: - file: chainsaw-step-03-apply-2.yaml + file: crb.yaml - script: content: | #!/bin/bash diff --git a/psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-step-03-apply-1.yaml b/psa-cel/deny-privileged-profile/.chainsaw-test/cr.yaml similarity index 100% rename from psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-step-03-apply-1.yaml rename to psa-cel/deny-privileged-profile/.chainsaw-test/cr.yaml diff --git a/psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-step-03-apply-2.yaml b/psa-cel/deny-privileged-profile/.chainsaw-test/crb.yaml similarity index 100% rename from psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-step-03-apply-2.yaml rename to psa-cel/deny-privileged-profile/.chainsaw-test/crb.yaml 
diff --git a/psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/psa-cel/deny-privileged-profile/.chainsaw-test/policy-ready.yaml similarity index 100% rename from psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to psa-cel/deny-privileged-profile/.chainsaw-test/policy-ready.yaml diff --git a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-test.yaml b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-test.yaml index 647f5fd21..82d8a6f91 100755 --- a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-test.yaml +++ b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-test.yaml @@ -9,7 +9,7 @@ spec: - name: step-00 try: - assert: - file: chainsaw-step-00-assert-1.yaml + file: crd-assert.yaml - name: step-01 try: - apply: @@ -23,7 +23,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - script: @@ -68,9 +68,9 @@ spec: - name: step-03 try: - apply: - file: chainsaw-step-03-apply-1.yaml + file: cr.yaml - apply: - file: chainsaw-step-03-apply-2.yaml + file: crb.yaml - name: step-04 try: - script: diff --git a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-03-apply-1.yaml b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/cr.yaml similarity index 100% rename from traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-03-apply-1.yaml rename to traefik-cel/disallow-default-tlsoptions/.chainsaw-test/cr.yaml diff --git a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-03-apply-2.yaml b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/crb.yaml similarity index 100% rename from traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-03-apply-2.yaml rename to traefik-cel/disallow-default-tlsoptions/.chainsaw-test/crb.yaml 
diff --git a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-00-assert-1.yaml b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/crd-assert.yaml similarity index 100% rename from traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-00-assert-1.yaml rename to traefik-cel/disallow-default-tlsoptions/.chainsaw-test/crd-assert.yaml diff --git a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/policy-ready.yaml similarity index 100% rename from traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to traefik-cel/disallow-default-tlsoptions/.chainsaw-test/policy-ready.yaml From cbd81f50bbc1b0911f8b06343fd8d3ba76cc6d0f Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Tue, 9 Jul 2024 15:47:35 +0000 Subject: [PATCH 42/43] specify CREATE and UPDATE operations explicitly 
Signed-off-by: Chandan-DK --- .../artifacthub-pkg.yml | 1 - .../artifacthub-pkg.yml | 2 +- .../prevent-linkerd-pod-injection-override.yaml | 3 +++ .../prevent-linkerd-port-skipping/artifacthub-pkg.yml | 2 +- .../prevent-linkerd-port-skipping.yaml | 3 +++ .../require-linkerd-mesh-injection/artifacthub-pkg.yml | 2 +- .../require-linkerd-mesh-injection.yaml | 3 +++ .../artifacthub-pkg.yml | 2 +- .../disallow-ingress-nginx-custom-snippets.yaml | 10 ++++++++-- .../restrict-annotations/artifacthub-pkg.yml | 2 +- .../restrict-annotations/restrict-annotations.yaml | 3 +++ .../restrict-ingress-paths/artifacthub-pkg.yml | 2 +- .../restrict-ingress-paths/restrict-ingress-paths.yaml | 3 +++ openshift-cel/check-routes/artifacthub-pkg.yml | 2 +- openshift-cel/check-routes/check-routes.yaml | 3 +++ .../disallow-deprecated-apis/artifacthub-pkg.yml | 2 +- .../disallow-deprecated-apis.yaml | 3 +++ .../artifacthub-pkg.yml | 2 +- .../disallow-jenkins-pipeline-strategy.yaml | 3 +++ .../artifacthub-pkg.yml | 2 +- .../disallow-security-context-constraint-anyuid.yaml | 6 ++++++ .../enforce-etcd-encryption/artifacthub-pkg.yml | 2 +- .../enforce-etcd-encryption.yaml | 3 +++ .../add-psa-namespace-reporting.yaml | 3 +++ .../add-psa-namespace-reporting/artifacthub-pkg.yml | 2 +- 25 files changed, 56 insertions(+), 15 deletions(-) diff --git a/kasten/kasten-generate-policy-by-preset-label/artifacthub-pkg.yml b/kasten/kasten-generate-policy-by-preset-label/artifacthub-pkg.yml index 52a146446..3a0f687fc 100644 --- a/kasten/kasten-generate-policy-by-preset-label/artifacthub-pkg.yml +++ b/kasten/kasten-generate-policy-by-preset-label/artifacthub-pkg.yml 
@@ -8,7 +8,6 @@ description: >- Use with "kasten-validate-ns-by-preset-label" policy to require "dataprotection" labeling on new namespaces. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/kasten-generate-policy-by-preset-label/create-kasten-policies-clusterrole.yaml kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/kasten-generate-policy-by-preset-label/kasten-generate-policy-by-preset-label.yaml ``` keywords: diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml b/linkerd-cel/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml index e63c777ef..41668ea02 100644 --- a/linkerd-cel/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml +++ b/linkerd-cel/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Linkerd in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 476cc06454697ad17e472b7dd2c1c68542e06793961acef71ca97bf7113f7d21 +digest: 795a7d5ae06f9720bdbcc00ced965d1f7a28540c965628a47abc5621fb8d0033 createdAt: "2024-05-21T15:39:18Z" diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml index 541389977..cbed7f953 100644 --- a/linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml +++ b/linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml @@ -24,6 +24,9 @@ spec: - resources: kinds: - Pod + operations: + - CREATE + - UPDATE validate: cel: expressions: diff --git a/linkerd-cel/prevent-linkerd-port-skipping/artifacthub-pkg.yml b/linkerd-cel/prevent-linkerd-port-skipping/artifacthub-pkg.yml index 94f8d61a4..4ab092a6c 100644 --- a/linkerd-cel/prevent-linkerd-port-skipping/artifacthub-pkg.yml 
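Review bot: The install hunk in kasten-generate-policy-by-preset-label/artifacthub-pkg.yml drops the `kubectl apply -f .../create-kasten-policies-clusterrole.yaml` line, which is unrelated to the commit subject ("specify CREATE and UPDATE operations explicitly") and, if that ClusterRole is what grants Kyverno's background controller the permissions to generate the Kasten policies, leaves users who follow the install snippet without the required RBAC. If the manifest was removed elsewhere, say so in the description; otherwise restore the line and move this change to its own commit.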
+++ b/linkerd-cel/prevent-linkerd-port-skipping/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Linkerd in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: dc036c443dcf910e37381f963ee0c0059c636aeea980c13c7408795c207d25c2 +digest: bb047cee4e04c6939ccbdafe386dc0a84ea7e7242fe476a67ab6daf93dbec98f createdAt: "2024-05-21T15:57:57Z" diff --git a/linkerd-cel/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml b/linkerd-cel/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml index feacf400a..d95aca938 100644 --- a/linkerd-cel/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml +++ b/linkerd-cel/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml @@ -24,6 +24,9 @@ spec: - resources: kinds: - Pod + operations: + - CREATE + - UPDATE validate: cel: expressions: diff --git a/linkerd-cel/require-linkerd-mesh-injection/artifacthub-pkg.yml b/linkerd-cel/require-linkerd-mesh-injection/artifacthub-pkg.yml index a36662ab7..647ab852c 100644 --- a/linkerd-cel/require-linkerd-mesh-injection/artifacthub-pkg.yml +++ b/linkerd-cel/require-linkerd-mesh-injection/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Linkerd in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Namespace, Annotation" -digest: 5a3664baf5c416d009d7eefe0f45da0efb856928beb0cc299e1416de48810959 +digest: 54785b725fde31418dffca17c8b9eb619c64db8351743d370b5f628e5235fd93 createdAt: "2024-05-21T16:06:15Z" diff --git a/linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml b/linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml index b4ba323f1..d05c38ec6 100644 --- a/linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml +++ b/linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml @@ -23,6 +23,9 @@ spec: - resources: kinds: - Namespace + operations: + - CREATE + - UPDATE validate: cel: expressions: 
diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml index dc8d4db5c..1aa414fe7 100644 --- a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml +++ b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml @@ -20,5 +20,5 @@ annotations: kyverno/category: "Security, NGINX Ingress in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "ConfigMap, Ingress" -digest: 685157a8a5012fd37f515b0e090203d0b508ff969c3298b278405063771c0b8a +digest: aaf1d6d140eb40ced231f9b1c1e58c76eb89c1974def85df5f0152b72b8d398b createdAt: "2024-05-21T16:14:12Z" diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml index a6e29d4d2..e7a098251 100644 --- a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml +++ b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml @@ -23,7 +23,10 @@ spec: any: - resources: kinds: - - ConfigMap + - ConfigMap + operations: + - CREATE + - UPDATE validate: cel: expressions: @@ -34,7 +37,10 @@ spec: any: - resources: kinds: - - networking.k8s.io/v1/Ingress + - networking.k8s.io/v1/Ingress + operations: + - CREATE + - UPDATE validate: cel: expressions: diff --git a/nginx-ingress-cel/restrict-annotations/artifacthub-pkg.yml b/nginx-ingress-cel/restrict-annotations/artifacthub-pkg.yml index 25e747867..f56be90e7 100644 --- a/nginx-ingress-cel/restrict-annotations/artifacthub-pkg.yml +++ b/nginx-ingress-cel/restrict-annotations/artifacthub-pkg.yml 
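Review bot: In both hunks of disallow-ingress-nginx-custom-snippets.yaml the existing `- ConfigMap` and `- networking.k8s.io/v1/Ingress` entries are removed and re-added with text that differs only in whitespace, so the functional change (adding `operations`) is mixed with an apparent re-indentation of the `kinds` sequence; the sibling policies in this commit (restrict-annotations, restrict-ingress-paths) add `operations` without touching their `kinds` line. Keep the original indentation of the `kinds` entries here, or make the re-indent a separate style commit, so the diff shows only the intended change. Both rules' `match` blocks begin above their hunks.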
@@ -20,5 +20,5 @@ annotations: kyverno/category: "Security, NGINX Ingress in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Ingress" -digest: e48069a57eb0323df1ae0d02599603a3b9888faf5c1299ff330b8cf4208a6168 +digest: 1d65f2c381b323065215afcbc0c0dfaf42b5a3485c4b90ad8dd5035a6f331914 createdAt: "2024-05-22T06:47:38Z" diff --git a/nginx-ingress-cel/restrict-annotations/restrict-annotations.yaml b/nginx-ingress-cel/restrict-annotations/restrict-annotations.yaml index 332d55ac4..cf61a4ac9 100644 --- a/nginx-ingress-cel/restrict-annotations/restrict-annotations.yaml +++ b/nginx-ingress-cel/restrict-annotations/restrict-annotations.yaml @@ -25,6 +25,9 @@ spec: - resources: kinds: - networking.k8s.io/v1/Ingress + operations: + - CREATE + - UPDATE validate: cel: expressions: diff --git a/nginx-ingress-cel/restrict-ingress-paths/artifacthub-pkg.yml b/nginx-ingress-cel/restrict-ingress-paths/artifacthub-pkg.yml index 47570847c..6dc7c651c 100644 --- a/nginx-ingress-cel/restrict-ingress-paths/artifacthub-pkg.yml +++ b/nginx-ingress-cel/restrict-ingress-paths/artifacthub-pkg.yml @@ -20,5 +20,5 @@ annotations: kyverno/category: "Security, NGINX Ingress in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Ingress" -digest: 3f2da9a82f334fe75c271cd4d5181d65b91a6e3688d173385364c375f34fd617 +digest: 1c95fe0afc73a2e5e30376d7594d98b4e58cfd21378e3ea10035742eb960220f createdAt: "2024-05-22T07:13:08Z" diff --git a/nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths.yaml b/nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths.yaml index 8973101a5..efabf6062 100644 --- a/nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths.yaml +++ b/nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths.yaml @@ -23,6 +23,9 @@ spec: - resources: kinds: - networking.k8s.io/v1/Ingress + operations: + - CREATE + - UPDATE validate: cel: expressions: 
diff --git a/openshift-cel/check-routes/artifacthub-pkg.yml b/openshift-cel/check-routes/artifacthub-pkg.yml index 999bafd55..2eb85d6da 100644 --- a/openshift-cel/check-routes/artifacthub-pkg.yml +++ b/openshift-cel/check-routes/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "OpenShift in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Route" -digest: 8751755ca5082672ff48dd147957593c467cf510169d93f9bc9e1264f359ba59 +digest: ac5ffb379d599adbf5ec0f2b08c76539b696645f6dee7a05f4b9a75b939243f8 createdAt: "2024-05-22T07:21:10Z" diff --git a/openshift-cel/check-routes/check-routes.yaml b/openshift-cel/check-routes/check-routes.yaml index 501cbde55..7ec6e0d43 100644 --- a/openshift-cel/check-routes/check-routes.yaml +++ b/openshift-cel/check-routes/check-routes.yaml @@ -22,6 +22,9 @@ spec: - resources: kinds: - route.openshift.io/v1/Route + operations: + - CREATE + - UPDATE validate: cel: expressions: diff --git a/openshift-cel/disallow-deprecated-apis/artifacthub-pkg.yml b/openshift-cel/disallow-deprecated-apis/artifacthub-pkg.yml index 94781fcdf..7cf0c78f2 100644 --- a/openshift-cel/disallow-deprecated-apis/artifacthub-pkg.yml +++ b/openshift-cel/disallow-deprecated-apis/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "OpenShift in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "ClusterRole,ClusterRoleBinding,Role,RoleBinding,RBAC" -digest: ee8485a8dc4c9c55047564ae1c8c8d608c9e8008de3aee7638c89f906ce07e29 +digest: 8ca91e6472908c67621b07b800023ff5e93383dbd9fd2d0f90879506cec45dd7 createdAt: "2024-05-22T07:36:55Z" diff --git a/openshift-cel/disallow-deprecated-apis/disallow-deprecated-apis.yaml b/openshift-cel/disallow-deprecated-apis/disallow-deprecated-apis.yaml index d7052be24..984f03178 100644 --- a/openshift-cel/disallow-deprecated-apis/disallow-deprecated-apis.yaml +++ b/openshift-cel/disallow-deprecated-apis/disallow-deprecated-apis.yaml 
@@ -29,6 +29,9 @@ spec: - authorization.openshift.io/v1/ClusterRoleBinding - authorization.openshift.io/v1/Role - authorization.openshift.io/v1/RoleBinding + operations: + - CREATE + - UPDATE validate: cel: expressions: diff --git a/openshift-cel/disallow-jenkins-pipeline-strategy/artifacthub-pkg.yml b/openshift-cel/disallow-jenkins-pipeline-strategy/artifacthub-pkg.yml index f90fc3074..10065d31e 100644 --- a/openshift-cel/disallow-jenkins-pipeline-strategy/artifacthub-pkg.yml +++ b/openshift-cel/disallow-jenkins-pipeline-strategy/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "OpenShift in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "BuildConfig" -digest: 39929037e267c6d7698695d11f084bf402cf54a21e89b95e1fc5843a5cfda240 +digest: f38131a30e03d633c0745ae181e83c75ae94a180d1e0402a8cba26ccf8088f81 createdAt: "2024-05-22T09:40:45Z" diff --git a/openshift-cel/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml b/openshift-cel/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml index c756fcb04..2857aa488 100644 --- a/openshift-cel/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml +++ b/openshift-cel/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml @@ -23,6 +23,9 @@ spec: kinds: - v1/BuildConfig - build.openshift.io/v1/BuildConfig + operations: + - CREATE + - UPDATE validate: cel: expressions: diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml b/openshift-cel/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml index caae67edc..69839fe57 100644 --- a/openshift-cel/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml +++ b/openshift-cel/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml 
@@ -19,5 +19,5 @@ annotations: kyverno/category: "Security in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Role,ClusterRole,RBAC" -digest: 29184dda9ce5c8af8622122a5ffb9c41da0937ba0c25de978248ccfdb8afdbc9 +digest: a12e5cbb7ee88722774bf06d5c086804b4e3151811088be926470b12b8920cf0 createdAt: "2024-05-22T09:53:47Z" diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml index 6c94c5318..d37d4c72d 100644 --- a/openshift-cel/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml +++ b/openshift-cel/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml @@ -23,6 +23,9 @@ spec: kinds: - ClusterRole - Role + operations: + - CREATE + - UPDATE validate: cel: expressions: @@ -36,6 +39,9 @@ spec: kinds: - ClusterRoleBinding - RoleBinding + operations: + - CREATE + - UPDATE validate: cel: expressions: diff --git a/openshift-cel/enforce-etcd-encryption/artifacthub-pkg.yml b/openshift-cel/enforce-etcd-encryption/artifacthub-pkg.yml index 20519c0c5..a5198a02d 100644 --- a/openshift-cel/enforce-etcd-encryption/artifacthub-pkg.yml +++ b/openshift-cel/enforce-etcd-encryption/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "OpenShift in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "APIServer" -digest: f258866754397716663fab6771d2fc6b7c3a2dcf1af99c7034dbed51a776b9d0 +digest: 293113b4abad7fea2e4d805bc63dc23c8fad9658424353644e501ac5b0abd592 createdAt: "2024-05-22T10:15:24Z" diff --git a/openshift-cel/enforce-etcd-encryption/enforce-etcd-encryption.yaml b/openshift-cel/enforce-etcd-encryption/enforce-etcd-encryption.yaml index 210c3764d..045402624 100644 --- a/openshift-cel/enforce-etcd-encryption/enforce-etcd-encryption.yaml 
+++ b/openshift-cel/enforce-etcd-encryption/enforce-etcd-encryption.yaml @@ -22,6 +22,9 @@ spec: - resources: kinds: - config.openshift.io/v1/APIServer + operations: + - CREATE + - UPDATE validate: cel: expressions: diff --git a/psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml b/psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml index a40250716..94f57bfd2 100644 --- a/psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml +++ b/psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml @@ -31,6 +31,9 @@ spec: - resources: kinds: - Namespace + operations: + - CREATE + - UPDATE validate: cel: expressions: diff --git a/psa-cel/add-psa-namespace-reporting/artifacthub-pkg.yml b/psa-cel/add-psa-namespace-reporting/artifacthub-pkg.yml index 20bcf0620..0f68883ae 100644 --- a/psa-cel/add-psa-namespace-reporting/artifacthub-pkg.yml +++ b/psa-cel/add-psa-namespace-reporting/artifacthub-pkg.yml @@ -20,5 +20,5 @@ annotations: kyverno/category: "Pod Security Admission, EKS Best Practices in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Namespace" -digest: 4d5be89c79c008b87f6d9f0400a4b336c8a55fa84170608f1d7e3df3f4e21eba +digest: d624eddc7d55bcdb3129ccb57f6e7d840b6eda6cf57134ce7385b89a92ea8686 createdAt: "2024-05-22T08:30:28Z" From 18cd5510952bda314e5db4bca42c4c36b0539d88 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Tue, 9 Jul 2024 16:53:19 +0000 Subject: [PATCH 43/43] remove disallow-self-provisioner-binding as it gives errors that needs further investigation 
Signed-off-by: Chandan-DK --- .../.chainsaw-test/chainsaw-test.yaml | 32 ----------- .../.chainsaw-test/crb-bad-roleref.yaml | 32 ----------- .../.chainsaw-test/crb-bad-sub-update.yaml | 14 ----- .../.chainsaw-test/crb-good.yaml | 12 ---- .../.chainsaw-test/crb.yaml | 14 ----- .../.chainsaw-test/policy-ready.yaml | 6 -- .../.kyverno-test/kyverno-test.yaml | 29 ---------- .../.kyverno-test/resources.yaml | 56 ------------------- .../.kyverno-test/values.yaml | 10 ---- .../artifacthub-pkg.yml | 23 -------- .../disallow-self-provisioner-binding.yaml | 50 ----------------- 11 files changed, 278 deletions(-) delete mode 100755 openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/chainsaw-test.yaml delete mode 100644 openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb-bad-roleref.yaml delete mode 100644 openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb-bad-sub-update.yaml delete mode 100644 openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb-good.yaml delete mode 100755 openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb.yaml delete mode 100644 openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/policy-ready.yaml delete mode 100644 openshift-cel/disallow-self-provisioner-binding/.kyverno-test/kyverno-test.yaml delete mode 100644 openshift-cel/disallow-self-provisioner-binding/.kyverno-test/resources.yaml delete mode 100644 openshift-cel/disallow-self-provisioner-binding/.kyverno-test/values.yaml delete mode 100644 openshift-cel/disallow-self-provisioner-binding/artifacthub-pkg.yml delete mode 100644 openshift-cel/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml diff --git a/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/chainsaw-test.yaml b/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index e20df0cb9..000000000 
--- a/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: disallow-self-provisioner-binding -spec: - steps: - - name: step-01 - try: - - apply: - file: ../disallow-self-provisioner-binding.yaml - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: crb.yaml - - name: step-03 - try: - - apply: - file: crb-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: crb-bad-roleref.yaml - - apply: - expect: - - check: - ($error != null): true - file: crb-bad-sub-update.yaml diff --git a/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb-bad-roleref.yaml b/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb-bad-roleref.yaml deleted file mode 100644 index 7529e6f96..000000000 --- a/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb-bad-roleref.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - name: self-provisioners-crb-bad01 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: self-provisioner -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: group-test -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:authenticated:oauth ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - name: self-provisioners-crb-bad02 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: self-provisioner -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: group-test \ No newline at end of file diff --git a/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb-bad-sub-update.yaml b/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb-bad-sub-update.yaml deleted file mode 100644 index c95dce7a9..000000000 --- a/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb-bad-sub-update.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - name: self-provisioners -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: self-provisioner -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: group-test \ No newline at end of file diff --git a/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb-good.yaml b/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb-good.yaml deleted file mode 100644 index caf2c9bfc..000000000 --- a/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb-good.yaml +++ /dev/null 
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: system:openshift:scc:privileged
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:openshift:scc:privileged
-subjects:
- - kind: ServiceAccount
- name: test-kyverno
- namespace: test-kyverno
\ No newline at end of file
diff --git a/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb.yaml b/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb.yaml
deleted file mode 100755
index 68def7523..000000000
--- a/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/crb.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- annotations:
- rbac.authorization.kubernetes.io/autoupdate: "true"
- name: self-provisioners
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: self-provisioner
-subjects:
-- kind: ServiceAccount
- name: test-kyverno
- namespace: test-kyverno
diff --git a/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/policy-ready.yaml b/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/policy-ready.yaml
deleted file mode 100644
index d6f5a4f24..000000000
--- a/openshift-cel/disallow-self-provisioner-binding/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: disallow-self-provisioner-binding
-status:
- ready: true
\ No newline at end of file
diff --git a/openshift-cel/disallow-self-provisioner-binding/.kyverno-test/kyverno-test.yaml b/openshift-cel/disallow-self-provisioner-binding/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 82b12eb14..000000000
--- a/openshift-cel/disallow-self-provisioner-binding/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: check-routes
-policies:
-- ../disallow-self-provisioner-binding.yaml
-resources:
-- resources.yaml
-results:
-- kind: ClusterRoleBinding
- policy: disallow-self-provisioner-binding
- resources:
- - self-provisioners
- result: fail
- rule: check-self-provisioner-binding-no-subject
-- kind: ClusterRoleBinding
- policy: disallow-self-provisioner-binding
- resources:
- - self-provisioners-custom
- - self-provisioners-custom-test
- result: fail
- rule: check-self-provisioner-binding-with-subject
-- kind: ClusterRoleBinding
- policy: disallow-self-provisioner-binding
- resources:
- - system:openshift:scc:privileged
- result: pass
- rule: check-self-provisioner-binding-with-subject
-variables: values.yaml
diff --git a/openshift-cel/disallow-self-provisioner-binding/.kyverno-test/resources.yaml b/openshift-cel/disallow-self-provisioner-binding/.kyverno-test/resources.yaml
deleted file mode 100644
index e9ab76851..000000000
--- a/openshift-cel/disallow-self-provisioner-binding/.kyverno-test/resources.yaml
+++ /dev/null
@@ -1,56 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- annotations:
- rbac.authorization.kubernetes.io/autoupdate: "true"
- name: self-provisioners-custom
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: self-provisioner
-subjects:
-- apiGroup: rbac.authorization.k8s.io
- kind: Group
- name: group-test
-- apiGroup: rbac.authorization.k8s.io
- kind: Group
- name: system:authenticated:oauth
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- annotations:
- rbac.authorization.kubernetes.io/autoupdate: "true"
- name: self-provisioners
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: self-provisioner
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- annotations:
- rbac.authorization.kubernetes.io/autoupdate: "true"
- name: self-provisioners-custom-test
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: self-provisioner
-subjects:
-- apiGroup: rbac.authorization.k8s.io
- kind: Group
- name: group-test
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: system:openshift:scc:privileged
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:openshift:scc:privileged
-subjects:
- - kind: ServiceAccount
- name: test-kyverno
- namespace: test-kyverno
diff --git a/openshift-cel/disallow-self-provisioner-binding/.kyverno-test/values.yaml b/openshift-cel/disallow-self-provisioner-binding/.kyverno-test/values.yaml
deleted file mode 100644
index 1a0f122b0..000000000
--- a/openshift-cel/disallow-self-provisioner-binding/.kyverno-test/values.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Values
-policies:
-- name: disallow-self-provisioner-binding
- resources:
- - name: self-provisioners
- values:
- request.operation: UPDATE
- rules:
- - name: check-self-provisioner-binding-no-subject
diff --git a/openshift-cel/disallow-self-provisioner-binding/artifacthub-pkg.yml b/openshift-cel/disallow-self-provisioner-binding/artifacthub-pkg.yml
deleted file mode 100644
index 69bc640ec..000000000
--- a/openshift-cel/disallow-self-provisioner-binding/artifacthub-pkg.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: disallow-self-provisioner-binding-cel
-version: 1.0.0
-displayName: Disallow binding to self-provisioner cluster role in OpenShift in CEL expressions
-description: >-
- This policy prevents binding to the self-provisioners role for strict control of OpenShift project creation.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/openshift-cel/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml
- ```
-keywords:
- - kyverno
- - OpenShift
- - CEL Expressions
-readme: |
- This policy prevents binding to the self-provisioners role for strict control of OpenShift project creation.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "OpenShift in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "ClusterRoleBinding, RBAC"
-digest: edd8b8f0ef18613eaed1e263c1d0140222d9dc28917e33ed843f087d98a27e99
-createdAt: "2024-05-22T10:06:31Z"
diff --git a/openshift-cel/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml b/openshift-cel/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml
deleted file mode 100644
index 81276431a..000000000
--- a/openshift-cel/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: disallow-self-provisioner-binding
- annotations:
- policies.kyverno.io/title: Disallow binding to self-provisioner cluster role in OpenShift in CEL expressions
- policies.kyverno.io/category: OpenShift in CEL
- policies.kyverno.io/severity: high
- kyverno.io/kyverno-version: 1.12.1
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/subject: ClusterRoleBinding, RBAC
- policies.kyverno.io/description: >-
- This policy prevents binding to the self-provisioners role for strict control of OpenShift project creation.
-spec:
- validationFailureAction: Enforce
- background: true
- rules:
- - name: check-self-provisioner-binding-no-subject
- match:
- any:
- - resources:
- kinds:
- - ClusterRoleBinding
- celPreconditions:
- - name: "name-should-be-self-provisioners"
- expression: "object.metadata.name == 'self-provisioners'"
- - name: "operation-should-be-update"
- expression: "request.operation == 'UPDATE'"
- validate:
- cel:
- expressions:
- - expression: "false"
- message: >-
- Modifying the self-provisioners ClusterRoleBinding is not allowed.
- - name: check-self-provisioner-binding-with-subject
- match:
- any:
- - resources:
- kinds:
- - ClusterRoleBinding
- celPreconditions:
- - name: "name-should-not-be-self-provisioners"
- expression: "object.metadata.name != 'self-provisioners'"
- validate:
- cel:
- expressions:
- - expression: "object.roleRef.name != 'self-provisioner'"
- message: >-
- Binding to the self-provisioners cluster role is not allowed.
-