Add policy Restrict Cluster Role CSR #1077

Merged: 8 commits, Aug 2, 2024
@@ -0,0 +1,6 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-clusterrole-csr
status:
ready: true
29 changes: 29 additions & 0 deletions other/restrict-clusterrole-csr/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,29 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
name: restrict-clusterrole-csr
spec:
steps:
- name: step-01
try:
- apply:
file: ../restrict-clusterrole-csr.yaml
- patch:
resource:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-clusterrole-csr
spec:
validationFailureAction: Enforce
- assert:
file: chainsaw-step-01-assert-1.yaml
- name: step-02
try:
- apply:
file: non-violating-clusterrole.yaml
- apply:
expect:
- check:
($error != null): true
file: violating-clusterrole.yaml
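Review bot: step-02 exercises only the explicit-verb branch of each rule; `violating-clusterrole.yaml` carries `update` and `approve`, so the second deny condition in both rules (`contains(element.verbs[], '*')`) is never hit by this test. Add a third fixture with `verbs: ["*"]` on `certificatesigningrequests/approval` and on `signers` and apply it with the same `expect` / `($error != null): true` check, so a regression in the wildcard branch is caught here rather than in a cluster.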
@@ -0,0 +1,11 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: non-violating-clusterrole
rules:
- apiGroups: [""]
resources: ["certificatesigningrequests/approval"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["signers"]
verbs: ["get", "list"]
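Review bot: `apiGroups: [""]` is the core API group, but `certificatesigningrequests` and `signers` live in `certificates.k8s.io`, so this fixture describes a grant the API server would never honour. The policy does not filter on `apiGroups`, so the test outcome is unchanged, but fixtures should look like real RBAC; change both entries to `apiGroups: ["certificates.k8s.io"]`.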
@@ -0,0 +1,11 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: violating-clusterrole
rules:
- apiGroups: [""]
resources: ["certificatesigningrequests/approval"]
verbs: ["update", "approve"]
- apiGroups: [""]
resources: ["signers"]
verbs: ["approve"]
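Review bot: `approve` on `certificatesigningrequests/approval` (the first rule's verbs) is not a verb the API server evaluates for that subresource; the real approval path is `update` on `certificatesigningrequests/approval` together with `approve` on `signers`, usually narrowed with `resourceNames`. The fixture still trips the policy because of `update`, but it would document the actual threat more faithfully as `verbs: ["update"]` here and `verbs: ["approve"]` on `signers`, in the `certificates.k8s.io` group.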
33 changes: 33 additions & 0 deletions other/restrict-clusterrole-csr/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,33 @@
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
name: restrict-clusterrole-csr
policies:
- ../restrict-clusterrole-csr.yaml
resources:
- resource.yaml
results:
- kind: ClusterRole
policy: restrict-clusterrole-csr
resources:
- violating-clusterrole
result: fail
rule: certificatesigningrequests-update-prevention
- kind: ClusterRole
policy: restrict-clusterrole-csr
resources:
- violating-clusterrole
result: fail
rule: signers-approve-prevention
- kind: ClusterRole
policy: restrict-clusterrole-csr
resources:
- non-violating-clusterrole
result: pass
rule: certificatesigningrequests-update-prevention
- kind: ClusterRole
policy: restrict-clusterrole-csr
resources:
- non-violating-clusterrole
result: pass
rule: signers-approve-prevention
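Review bot: the four `results` entries cover only `update` and `approve`; there is no fixture with `patch` on `certificatesigningrequests/approval` and none with `verbs: ["*"]`, so the `AnyIn` over `["update", "patch"]` and the wildcard `contains` condition go untested by the CLI run. Add a ClusterRole with `verbs: ["patch"]` (expected `fail` for `certificatesigningrequests-update-prevention`) and one with `verbs: ["*"]` on both resources (expected `fail` for both rules) to `resource.yaml` and list them here.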
24 changes: 24 additions & 0 deletions other/restrict-clusterrole-csr/.kyverno-test/resource.yaml
@@ -0,0 +1,24 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: violating-clusterrole
rules:
- apiGroups: [""]
resources: ["certificatesigningrequests/approval"]
verbs: ["update", "approve"]
- apiGroups: [""]
resources: ["signers"]
verbs: ["approve"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: non-violating-clusterrole
rules:
- apiGroups: [""]
resources: ["certificatesigningrequests/approval"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["signers"]
verbs: ["get", "list"]
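Review bot: `non-violating-clusterrole` grants `get`/`list` on `certificatesigningrequests/approval`, a subresource that only accepts `update`, so the negative case does not model a role anyone would actually bind. A more useful negative fixture is `get`, `list`, `watch` on the parent resource `certificatesigningrequests` (and read verbs on `signers`): that is what an auditing role needs, and it confirms that `resources.contains(@,'certificatesigningrequests/approval')` matches the subresource string exactly and does not over-match the parent resource.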

22 changes: 22 additions & 0 deletions other/restrict-clusterrole-csr/artifacthub-pkg.yaml
@@ -0,0 +1,22 @@
name: restrict-clusterrole-csr
version: 1.0.0
displayName: Restrict Clusterrole for Certificate Signing Requests (CSR's)
createdAt: "2024-07-17T20:30:05.000Z"
description: >-
ClusterRoles that grant permissions to approve CertificateSigningRequests should be minimized to reduce powerful identities in the cluster. Approving CertificateSigningRequests allows one to issue new credentials for any user or group. As such, ClusterRoles that grant permissions to approve CertificateSigningRequests are granting cluster admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that if compromised could take over the entire cluster. For more information, refer to
https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized.
install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/restrict-clusterrole-csr/restrict-clusterrole-csr.yaml
```
keywords:
- kyverno
- Other
readme: |
ClusterRoles that grant permissions to approve CertificateSigningRequests should be minimized to reduce powerful identities in the cluster. Approving CertificateSigningRequests allows one to issue new credentials for any user or group. As such, ClusterRoles that grant permissions to approve CertificateSigningRequests are granting cluster admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that if compromised could take over the entire cluster. For more information, refer to https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized.

Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
annotations:
kyverno/category: "Other"
kyverno/subject: "ClusterRole"
digest: c36b162b694005bbdf84f61f70c86b7ddbaf2dd9d428023c132570df7fd18854
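Review bot: `displayName` reads `Restrict Clusterrole for Certificate Signing Requests (CSR's)` while the policy's `policies.kyverno.io/title` is `Restrict Cluster Role CSR`; use one title in both places, and drop the apostrophe in `CSR's` (plural, not possessive). The description also says the policy targets permissions to approve CSRs, whereas the rules actually block `update`/`patch` on `certificatesigningrequests/approval` and any `*` verb; one sentence stating that would tell an operator reading the Artifact Hub listing why a patch-only role gets flagged.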
55 changes: 55 additions & 0 deletions other/restrict-clusterrole-csr/restrict-clusterrole-csr.yaml
@@ -0,0 +1,55 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-clusterrole-csr
annotations:
policies.kyverno.io/title: Restrict Cluster Role CSR
policies.kyverno.io/category: Other
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: ClusterRole
kyverno.io/kyverno-version: 1.11.5
kyverno.io/kubernetes-version: "1.27"
policies.kyverno.io/description: >-
ClusterRoles that grant permissions to approve CertificateSigningRequests should be minimized to reduce powerful identities in the cluster. Approving CertificateSigningRequests allows one to issue new credentials for any user or group. As such, ClusterRoles that grant permissions to approve CertificateSigningRequests are granting cluster admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that if compromised could take over the entire cluster. For more information, refer to https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized.
spec:
validationFailureAction: Audit
background: true
rules:
- name: certificatesigningrequests-update-prevention
match:
any:
- resources:
kinds:
- ClusterRole
validate:
message: "Use of verbs `update` and `patch` are forbidden for certificatesigningrequests/approval."
foreach:
- list: "request.object.rules[?resources.contains(@,'certificatesigningrequests/approval')]"
deny:
conditions:
any:
- key: ["update", "patch"]
operator: AnyIn
value: "{{ element.verbs[] }}"
- key: "{{ contains(element.verbs[], '*') }}"
operator: Equals
value: true
- name: signers-approve-prevention
match:
any:
- resources:
kinds:
- ClusterRole
validate:
message: "Use of verbs `approve` are forbidden for signers."
foreach:
- list: "request.object.rules[?resources.contains(@,'signers')]"
deny:
conditions:
any:
- key: ["approve"]
operator: AnyIn
value: "{{ element.verbs[] }}"
- key: "{{ contains(element.verbs[], '*') }}"
operator: Equals
value: true
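Review bot: both rules can be bypassed by a ClusterRole that uses a resource wildcard: `resources: ["*"]` (or `resources: ["*/approval"]`, which RBAC also accepts) with `verbs: ["*"]` or `update` grants CSR approval, yet `resources.contains(@,'certificatesigningrequests/approval')` and `resources.contains(@,'signers')` evaluate false, the `foreach` list is empty, and the rule passes. Extend each `list` filter with an `||` branch for `contains(resources, '*')` (and `contains(resources, '*/approval')` on the first rule); if the policy is meant to be group-aware, also check `apiGroups` for `certificates.k8s.io` or `*`. Two smaller points: the messages should read "Use of verbs `update` and `patch` is forbidden" and "Use of verb `approve` is forbidden for signers", and `severity: medium` sits oddly under a description that equates this permission with cluster-admin; `high` matches the text.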