From b20f5d66466c35e56f252d549d0a4411191e8a88 Mon Sep 17 00:00:00 2001
From: krishbajaj1609
Date: Thu, 6 Jun 2024 11:15:00 +0530
Subject: [PATCH] feature/global-policy-set : upgrade version for test
---
 charts/test-krish-globalps/Chart.yaml | 2 +-
 .../pols/disallow-capabilities.yaml | 46 +++++++++++++++++++
 .../pols/disallow-host-namespaces.yaml | 35 ++++++++++++++
 .../pols/disallow-host-path.yaml | 33 +++++++++++++
 .../pols/disallow-host-ports.yaml | 40 ++++++++++++++++
 .../pols/disallow-host-process.yaml | 44 ++++++++++++++++++
 6 files changed, 199 insertions(+), 1 deletion(-)
 create mode 100644 charts/test-krish-globalps/pols/disallow-capabilities.yaml
 create mode 100644 charts/test-krish-globalps/pols/disallow-host-namespaces.yaml
 create mode 100644 charts/test-krish-globalps/pols/disallow-host-path.yaml
 create mode 100644 charts/test-krish-globalps/pols/disallow-host-ports.yaml
 create mode 100644 charts/test-krish-globalps/pols/disallow-host-process.yaml
diff --git a/charts/test-krish-globalps/Chart.yaml b/charts/test-krish-globalps/Chart.yaml
index 89eb8dea..6cea6585 100644
--- a/charts/test-krish-globalps/Chart.yaml
+++ b/charts/test-krish-globalps/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: test-krish
 description: Pod Security Standards (baseline) policy set
 type: application
-version: 0.6.17
+version: 0.6.18
 appVersion: 0.1.0
 keywords:
 - kubernetes
diff --git a/charts/test-krish-globalps/pols/disallow-capabilities.yaml b/charts/test-krish-globalps/pols/disallow-capabilities.yaml
new file mode 100644
index 00000000..35d48f47
--- /dev/null
+++ b/charts/test-krish-globalps/pols/disallow-capabilities.yaml
@@ -0,0 +1,46 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-capabilities
+  annotations:
+    policies.kyverno.io/title: Disallow Capabilities
+    policies.kyverno.io/category: Pod Security Standards (Baseline)
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.kyverno.io/subject: Pod
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-capabilities/"
+    policies.kyverno.io/description: >-
+      Adding capabilities beyond those listed in the policy must be disallowed.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+    - name: adding-capabilities
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        message: >-
+          Adding capabilities beyond those listed in the policy rule is disallowed.
+        deny:
+          conditions:
+            all:
+              - key: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].securityContext.capabilities.add[] }}"
+                operator: AnyNotIn
+                value:
+                  - AUDIT_WRITE
+                  - CHOWN
+                  - DAC_OVERRIDE
+                  - FOWNER
+                  - FSETID
+                  - KILL
+                  - MKNOD
+                  - NET_BIND_SERVICE
+                  - SETFCAP
+                  - SETGID
+                  - SETPCAP
+                  - SETUID
+                  - SYS_CHROOT
diff --git a/charts/test-krish-globalps/pols/disallow-host-namespaces.yaml b/charts/test-krish-globalps/pols/disallow-host-namespaces.yaml
new file mode 100644
index 00000000..4d75e3ce
--- /dev/null
+++ b/charts/test-krish-globalps/pols/disallow-host-namespaces.yaml
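Review bot: Every rule in this policy set is shipped with `validationFailureAction: Audit`, so a Pod that adds a capability outside the allow-list under `value:` is only reported as a violation and is never rejected at admission; the four policies added after this one (disallow-host-namespaces, disallow-host-path, disallow-host-ports, disallow-host-process) carry the same setting. If the chart is meant to enforce the PSS baseline rather than observe it, the field should be `validationFailureAction: Enforce`, or exposed as a value so the consumer decides; if Audit is deliberate for this test chart, a comment above the field stating that would stop the next reader from assuming the controls block anything. The deny condition itself, `AnyNotIn` over `capabilities.add[]` across ephemeral, init and regular containers, matches the baseline allow-list, so the control logic looks right. As a smaller consistency point, this file is the only one of the five without a `policies.nirmata.io/remediation` annotation next to `remediation-docs`.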
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-host-namespaces
+  annotations:
+    policies.kyverno.io/title: Disallow Host Namespaces
+    policies.kyverno.io/category: Pod Security Standards (Baseline)
+    policies.kyverno.io/severity: medium
+    kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.kyverno.io/subject: Pod
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-namespaces/"
+    policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/baseline/disallow-host-namespaces/remediate-disallow-host-namespaces.yaml"
+    policies.kyverno.io/description: >-
+      Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
+      network namespace) allow access to shared information and can be used to elevate
+      privileges. Pods should not be allowed access to host namespaces. This policy ensures
+      fields which make use of these host namespaces are unset or set to `false`.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+    - name: host-namespaces
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        message: >-
+          Sharing the host namespaces is disallowed.
+        pattern:
+          spec:
+            =(hostPID): "false"
+            =(hostIPC): "false"
+            =(hostNetwork): "false"
diff --git a/charts/test-krish-globalps/pols/disallow-host-path.yaml b/charts/test-krish-globalps/pols/disallow-host-path.yaml
new file mode 100644
index 00000000..85ef354e
--- /dev/null
+++ b/charts/test-krish-globalps/pols/disallow-host-path.yaml
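Review bot: The `policies.kyverno.io/minversion` annotation is missing from this policy's `annotations:` block, while disallow-capabilities in the same commit declares `1.6.0`; disallow-host-path, disallow-host-ports and disallow-host-process omit it as well. The annotation is what lets an operator check the Kyverno release before installing the set, so the four files should carry it with the version these `=(...)` patterns were verified against, e.g. `policies.kyverno.io/minversion: "<minimum-kyverno-version>"` (placeholder; use the tested version). The `pattern:` itself is the standard baseline check, so no change to the rule is suggested.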
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-host-path
+  annotations:
+    policies.kyverno.io/title: Disallow hostPath
+    policies.kyverno.io/category: Pod Security Standards (Baseline)
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod,Volume
+    kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-path/"
+    policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/baseline/disallow-host-path/remediate-disallow-host-path.yaml"
+    policies.kyverno.io/description: >-
+      HostPath volumes let Pods use host directories and volumes in containers.
+      Using host resources can be used to access shared data or escalate privileges
+      and should not be allowed. This policy ensures no hostPath volumes are in use.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+    - name: host-path
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        message: >-
+          HostPath volumes are forbidden.
+        pattern:
+          spec:
+            =(volumes):
+              - X(hostPath): "null"
diff --git a/charts/test-krish-globalps/pols/disallow-host-ports.yaml b/charts/test-krish-globalps/pols/disallow-host-ports.yaml
new file mode 100644
index 00000000..b007f6eb
--- /dev/null
+++ b/charts/test-krish-globalps/pols/disallow-host-ports.yaml
@@ -0,0 +1,40 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-host-ports
+  annotations:
+    policies.kyverno.io/title: Disallow hostPorts
+    policies.kyverno.io/category: Pod Security Standards (Baseline)
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-ports/"
+    policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/baseline/disallow-host-ports/remediate-disallow-host-ports.yaml"
+    policies.kyverno.io/description: >-
+      Access to host ports allows potential snooping of network traffic and should not be
+      allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
+      field is unset or set to `0`.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+    - name: host-ports-none
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        message: >-
+          Use of host ports is disallowed.
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - =(ports):
+                  - =(hostPort): 0
+            =(initContainers):
+              - =(ports):
+                  - =(hostPort): 0
+            containers:
+              - =(ports):
+                  - =(hostPort): 0
diff --git a/charts/test-krish-globalps/pols/disallow-host-process.yaml b/charts/test-krish-globalps/pols/disallow-host-process.yaml
new file mode 100644
index 00000000..b67b39b5
--- /dev/null
+++ b/charts/test-krish-globalps/pols/disallow-host-process.yaml
@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-host-process
+  annotations:
+    policies.kyverno.io/title: Disallow hostProcess
+    policies.kyverno.io/category: Pod Security Standards (Baseline)
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-process/"
+    policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/baseline/disallow-host-process/remediate-disallow-host-process.yaml"
+    policies.kyverno.io/description: >-
+      Windows pods offer the ability to run HostProcess containers which enables privileged
+      access to the Windows node. Privileged access to the host is disallowed in the baseline
+      policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures
+      the `hostProcess` field, if present, is set to `false`.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+    - name: host-process-containers
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        message: >-
+          HostProcess containers are disallowed.
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - =(securityContext):
+                  =(windowsOptions):
+                    =(hostProcess): "false"
+            =(initContainers):
+              - =(securityContext):
+                  =(windowsOptions):
+                    =(hostProcess): "false"
+            containers:
+              - =(securityContext):
+                  =(windowsOptions):
+                    =(hostProcess): "false"