diff --git a/pod-security/mutate/set-privilege-escalation/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/mutate/set-privilege-escalation/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..adb952ebf --- /dev/null +++ b/pod-security/mutate/set-privilege-escalation/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: set-privilege-escalation +status: + ready: true diff --git a/pod-security/mutate/set-privilege-escalation/.chainsaw-test/chainsaw-test.yaml b/pod-security/mutate/set-privilege-escalation/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..8c93c6136 --- /dev/null +++ b/pod-security/mutate/set-privilege-escalation/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,28 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: set-privilege-escalation +spec: + steps: + - name: step-01 + try: + - apply: + file: ../set-privilege-escalation.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: set-privilege-escalation + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: pod-bad.yaml + - assert: + file: pod-bad-assert.yaml diff --git a/pod-security/mutate/set-privilege-escalation/.chainsaw-test/pod-bad-assert.yaml b/pod-security/mutate/set-privilege-escalation/.chainsaw-test/pod-bad-assert.yaml new file mode 100644 index 000000000..251ab2290 --- /dev/null +++ b/pod-security/mutate/set-privilege-escalation/.chainsaw-test/pod-bad-assert.yaml 
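Review bot: The `patch` entry in step-01 of chainsaw-test.yaml sets `validationFailureAction: Enforce` on a policy that contains only `mutate` rules; as far as I can tell that field governs validate rules only, so the patch changes nothing about what step-02 exercises and looks like a leftover from the validate-policy test template. Either drop the `patch` entry (the `apply` followed by the `assert` on `status.ready` is sufficient) or keep it with a comment such as `# no-op for mutate rules; kept for parity with the validate tests`. The identical step appears in the set-run-as-non-root chainsaw-test.yaml later in this diff.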
@@ -0,0 +1,80 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: busybox:1.35 + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: busybox:1.35 + - name: container02 + image: busybox:1.35 + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: busybox:1.35 + securityContext: + allowPrivilegeEscalation: false + - name: container02 + image: busybox:1.35 + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + containers: + - name: container01 + image: busybox:1.35 + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + - name: initcontainer02 + image: busybox:1.35 + securityContext: + allowPrivilegeEscalation: false + containers: + - name: container01 + image: busybox:1.35 + securityContext: + allowPrivilegeEscalation: false +--- \ No newline at end of file diff --git a/pod-security/mutate/set-privilege-escalation/.chainsaw-test/pod-bad.yaml b/pod-security/mutate/set-privilege-escalation/.chainsaw-test/pod-bad.yaml new file mode 100644 index 000000000..28ce245f0 --- /dev/null +++ b/pod-security/mutate/set-privilege-escalation/.chainsaw-test/pod-bad.yaml 
@@ -0,0 +1,80 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: busybox:1.35 + securityContext: + allowPrivilegeEscalation: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: busybox:1.35 + - name: container02 + image: busybox:1.35 + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: busybox:1.35 + securityContext: + allowPrivilegeEscalation: true + - name: container02 + image: busybox:1.35 + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + containers: + - name: container01 + image: busybox:1.35 + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + - name: initcontainer02 + image: busybox:1.35 + securityContext: + allowPrivilegeEscalation: true + containers: + - name: container01 + image: busybox:1.35 + securityContext: + allowPrivilegeEscalation: false +--- \ No newline at end of file diff --git a/pod-security/mutate/set-privilege-escalation/.kyverno-test/kyverno-test.yaml b/pod-security/mutate/set-privilege-escalation/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..671b32a21 --- /dev/null +++ b/pod-security/mutate/set-privilege-escalation/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,45 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: set-privilege-escalation +policies: +- ../set-privilege-escalation.yaml +resources: +- resource.yaml +results: +- policy: set-privilege-escalation + rule: set-containers-privilege-escalation-to-false + kind: Pod + resource: badpod01 + patchedResource: patched-resource-01.yaml + result: skip +- policy: set-privilege-escalation + rule: set-containers-privilege-escalation-to-false + kind: Pod + resource: badpod02 + patchedResource: patched-resource-02.yaml + result: pass +- policy: set-privilege-escalation + rule: set-containers-privilege-escalation-to-false + kind: Pod + resource: badpod03 + patchedResource: patched-resource-03.yaml + result: skip +- policy: set-privilege-escalation + rule: set-containers-privilege-escalation-to-false + kind: Pod + resource: badpod04 + patchedResource: patched-resource-04.yaml + result: pass +- policy: set-privilege-escalation + rule: set-containers-privilege-escalation-to-false + kind: Pod + resource: badpod05 + patchedResource: patched-resource-05.yaml + result: skip +- policy: set-privilege-escalation + rule: set-initContainers-privilege-escalation-to-false + kind: Pod + resource: badpod06 + patchedResource: patched-resource-06.yaml + result: pass \ No newline at end of file diff --git a/pod-security/mutate/set-privilege-escalation/.kyverno-test/patched-resource-01.yaml b/pod-security/mutate/set-privilege-escalation/.kyverno-test/patched-resource-01.yaml new file mode 100644 index 000000000..35b52596d --- /dev/null +++ b/pod-security/mutate/set-privilege-escalation/.kyverno-test/patched-resource-01.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: dummyimagename 
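Review bot: The `results` list in kyverno-test.yaml has no entry for `set-ephemeralContainers-privilege-escalation-to-false`, and none of the six pods in resource.yaml carries `ephemeralContainers`, so the third rule of the policy is never exercised by the CLI test. The CLI evaluates the resource as given, so an `ephemeralContainers` entry with `allowPrivilegeEscalation: true` in resource.yaml should reach that rule (confirm against the CLI docs); adding a badpod07 with such an entry plus a `result: pass` line for the rule would close the gap. Each pod is also asserted against only one rule (badpod05 against the containers rule, badpod06 against the initContainers rule), so adding the complementary `result: skip` entries would pin the fact that each rule leaves the other list alone. The same coverage gap is present in the set-run-as-non-root kyverno-test.yaml later in this diff.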
diff --git a/pod-security/mutate/set-privilege-escalation/.kyverno-test/patched-resource-02.yaml b/pod-security/mutate/set-privilege-escalation/.kyverno-test/patched-resource-02.yaml new file mode 100644 index 000000000..968e5107d --- /dev/null +++ b/pod-security/mutate/set-privilege-escalation/.kyverno-test/patched-resource-02.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: dummyimagename + securityContext: + allowPrivilegeEscalation: false diff --git a/pod-security/mutate/set-privilege-escalation/.kyverno-test/patched-resource-03.yaml b/pod-security/mutate/set-privilege-escalation/.kyverno-test/patched-resource-03.yaml new file mode 100644 index 000000000..761888642 --- /dev/null +++ b/pod-security/mutate/set-privilege-escalation/.kyverno-test/patched-resource-03.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename + securityContext: + allowPrivilegeEscalation: false diff --git a/pod-security/mutate/set-privilege-escalation/.kyverno-test/patched-resource-04.yaml b/pod-security/mutate/set-privilege-escalation/.kyverno-test/patched-resource-04.yaml new file mode 100644 index 000000000..9fac8e48c --- /dev/null +++ b/pod-security/mutate/set-privilege-escalation/.kyverno-test/patched-resource-04.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: dummyimagename + securityContext: + allowPrivilegeEscalation: false + - name: container02 + image: dummyimagename + securityContext: + allowPrivilegeEscalation: false diff --git a/pod-security/mutate/set-privilege-escalation/.kyverno-test/patched-resource-05.yaml b/pod-security/mutate/set-privilege-escalation/.kyverno-test/patched-resource-05.yaml new file mode 100644 index 000000000..f962ed58b --- /dev/null 
+++ b/pod-security/mutate/set-privilege-escalation/.kyverno-test/patched-resource-05.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename + securityContext: + allowPrivilegeEscalation: false diff --git a/pod-security/mutate/set-privilege-escalation/.kyverno-test/patched-resource-06.yaml b/pod-security/mutate/set-privilege-escalation/.kyverno-test/patched-resource-06.yaml new file mode 100644 index 000000000..af681d749 --- /dev/null +++ b/pod-security/mutate/set-privilege-escalation/.kyverno-test/patched-resource-06.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + securityContext: + allowPrivilegeEscalation: false + containers: + - name: container01 + image: dummyimagename + securityContext: + allowPrivilegeEscalation: false diff --git a/pod-security/mutate/set-privilege-escalation/.kyverno-test/resource.yaml b/pod-security/mutate/set-privilege-escalation/.kyverno-test/resource.yaml new file mode 100644 index 000000000..57fbd49cf --- /dev/null +++ b/pod-security/mutate/set-privilege-escalation/.kyverno-test/resource.yaml 
@@ -0,0 +1,81 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: dummyimagename + securityContext: + allowPrivilegeEscalation: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: dummyimagename + securityContext: + allowPrivilegeEscalation: true + - name: container02 + image: dummyimagename + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + securityContext: + allowPrivilegeEscalation: true + containers: + - name: container01 + image: dummyimagename + securityContext: + allowPrivilegeEscalation: false diff --git a/pod-security/mutate/set-privilege-escalation/artifacthub-pkg.yml b/pod-security/mutate/set-privilege-escalation/artifacthub-pkg.yml new file mode 100644 index 000000000..5935321c4 --- /dev/null +++ b/pod-security/mutate/set-privilege-escalation/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: set-privilege-escalation +version: 1.0.0 +displayName: Set Privilege Escalation +createdAt: "2024-08-09T00:00:00.000Z" +description: >- + Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to `false`. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security/mutate/set-privilege-escalation/set-privilege-escalation.yaml + ``` +keywords: + - kyverno + - Pod Security Standards (Mutate) +readme: | + Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to `false`. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Pod Security Standards (Mutate)" + kyverno/kubernetesVersion: "1.22-1.30" + kyverno/subject: "Pod" +digest: a07e6c733be3eab862d5f7c7d1fc1d8e79b4251d465bb2ad4dc15b9550a5f695 diff --git a/pod-security/mutate/set-privilege-escalation/set-privilege-escalation.yaml b/pod-security/mutate/set-privilege-escalation/set-privilege-escalation.yaml new file mode 100644 index 000000000..6560df0e0 --- /dev/null +++ b/pod-security/mutate/set-privilege-escalation/set-privilege-escalation.yaml 
@@ -0,0 +1,87 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: set-privilege-escalation
+ annotations:
+ policies.kyverno.io/title: Set Privilege Escalation
+ policies.kyverno.io/category: Pod Security Standards (Mutate)
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.6.0
+ kyverno.io/kubernetes-version: "1.22-1.30"
+ policies.kyverno.io/description: >-
+ Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
+ This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: set-containers-privilege-escalation-to-false
+ match:
+ all:
+ - resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{ type(request.object.spec.containers) }}"
+ operator: Equals
+ value: "array"
+ mutate:
+ foreach:
+ - list: "request.object.spec.containers"
+ preconditions:
+ all:
+ - key: "{{ element.securityContext.allowPrivilegeEscalation || '' }}"
+ operator: Equals
+ value: true
+ patchesJson6902: |-
+ - path: /spec/containers/{{elementIndex}}/securityContext/allowPrivilegeEscalation
+ op: replace
+ value: false
+ - name: set-initContainers-privilege-escalation-to-false
+ match:
+ all:
+ - resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{ type(request.object.spec.initContainers) }}"
+ operator: Equals
+ value: "array"
+ mutate:
+ foreach:
+ - list: "request.object.spec.initContainers"
+ preconditions:
+ all:
+ - key: "{{ element.securityContext.allowPrivilegeEscalation || '' }}"
+ operator: Equals
+ value: true
+ patchesJson6902: |-
+ - path: /spec/initContainers/{{elementIndex}}/securityContext/allowPrivilegeEscalation
+ op: replace
+ value: false
+ - name: set-ephemeralContainers-privilege-escalation-to-false
+ match:
+ all:
+ - resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{ type(request.object.spec.ephemeralContainers) }}"
+ operator: 
Equals
+ value: "array"
+ mutate:
+ foreach:
+ - list: "request.object.spec.ephemeralContainers"
+ preconditions:
+ all:
+ - key: "{{ element.securityContext.allowPrivilegeEscalation || '' }}"
+ operator: Equals
+ value: true
+ patchesJson6902: |-
+ - path: /spec/ephemeralContainers/{{elementIndex}}/securityContext/allowPrivilegeEscalation
+ op: replace
+ value: false
diff --git a/pod-security/mutate/set-run-as-non-root/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/mutate/set-run-as-non-root/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 000000000..f6fd84a62
--- /dev/null
+++ b/pod-security/mutate/set-run-as-non-root/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: set-run-as-non-root
+status:
+ ready: true
diff --git a/pod-security/mutate/set-run-as-non-root/.chainsaw-test/chainsaw-test.yaml b/pod-security/mutate/set-run-as-non-root/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..d9bd7b0be
--- /dev/null
+++ b/pod-security/mutate/set-run-as-non-root/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,28 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: set-run-as-non-root
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../set-run-as-non-root.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: set-run-as-non-root
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pod-bad.yaml
+ - assert:
+ file: pod-bad-assert.yaml
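Review bot: The foreach precondition `{{ element.securityContext.allowPrivilegeEscalation || '' }}` Equals `true` (used in all three rules of set-privilege-escalation.yaml) only matches containers that explicitly set the field to `true`; a container that omits the field keeps the Kubernetes default, which allows escalation, and the test fixtures pin this (badpod01 and container01 of badpod03 are expected to come back untouched with `result: skip`). The description, however, claims the policy "ensures the `allowPrivilegeEscalation` field is set to `false`", which PSS Restricted reads as "explicitly false", so operators will assume more coverage than they get. Using `op: replace` is what forces the precondition, since a JSON 6902 replace on a missing path fails. Either narrow the description to `This policy sets allowPrivilegeEscalation to false on containers that explicitly set it to true; containers that omit the field are left unchanged.`, or add a companion rule that fills in the absent case with a strategic-merge add-if-absent anchor, roughly as below for `containers` (and likewise for `initContainers`; confirm the anchor behaviour against the Kyverno mutate docs). The same omit-the-field gap exists in set-run-as-non-root.yaml at the end of this diff, where `to_string` of an unset `runAsNonRoot` never equals `"false"`.
```yaml
  rules:
  # … unchanged: the three existing replace rules …
  - name: add-containers-privilege-escalation-false
    match:
      all:
      - resources:
          kinds:
          - Pod
    mutate:
      patchStrategicMerge:
        spec:
          containers:
          - (name): "*"
            securityContext:
              +(allowPrivilegeEscalation): false
```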
diff --git a/pod-security/mutate/set-run-as-non-root/.chainsaw-test/pod-bad-assert.yaml b/pod-security/mutate/set-run-as-non-root/.chainsaw-test/pod-bad-assert.yaml new file mode 100644 index 000000000..6cf8d6652 --- /dev/null +++ b/pod-security/mutate/set-run-as-non-root/.chainsaw-test/pod-bad-assert.yaml 
@@ -0,0 +1,224 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: busybox:1.35 + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: busybox:1.35 + securityContext: + runAsNonRoot: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: busybox:1.35 + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + containers: + - name: container01 + image: busybox:1.35 + - name: container02 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + containers: + - name: container01 + image: busybox:1.35 + - name: container02 + image: busybox:1.35 + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod07 +spec: + containers: + - name: container01 + image: busybox:1.35 + - name: container02 + image: busybox:1.35 + securityContext: + runAsNonRoot: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod08 +spec: + containers: + - name: container01 + image: busybox:1.35 + - name: container02 + image: busybox:1.35 + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod09 +spec: + containers: + - name: container01 + image: busybox:1.35 + securityContext: + runAsNonRoot: true + - name: container02 + image: busybox:1.35 + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod10 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + securityContext: + runAsNonRoot: true + containers: + - name: 
container01 + image: busybox:1.35 + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod11 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + containers: + - name: container01 + image: busybox:1.35 + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod12 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + securityContext: + runAsNonRoot: true + containers: + - name: container01 + image: busybox:1.35 + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod13 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + - name: initcontainer02 + image: busybox:1.35 + containers: + - name: container01 + image: busybox:1.35 + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod14 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + - name: initcontainer02 + image: busybox:1.35 + securityContext: + runAsNonRoot: true + containers: + - name: container01 + image: busybox:1.35 + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod15 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + - name: initcontainer02 + image: busybox:1.35 + containers: + - name: container01 + image: busybox:1.35 + securityContext: + runAsNonRoot: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod16 +spec: + containers: + - name: container01 + image: busybox:1.35 + securityContext: + allowPrivilegeEscalation: false +--- \ No newline at end of file diff --git a/pod-security/mutate/set-run-as-non-root/.chainsaw-test/pod-bad.yaml b/pod-security/mutate/set-run-as-non-root/.chainsaw-test/pod-bad.yaml new file mode 100644 index 000000000..8af6f9567 --- /dev/null 
+++ b/pod-security/mutate/set-run-as-non-root/.chainsaw-test/pod-bad.yaml 
@@ -0,0 +1,224 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: busybox:1.35 + securityContext: + runAsNonRoot: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: busybox:1.35 + securityContext: + runAsNonRoot: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: busybox:1.35 + securityContext: + runAsNonRoot: false + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + containers: + - name: container01 + image: busybox:1.35 + - name: container02 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + containers: + - name: container01 + image: busybox:1.35 + - name: container02 + image: busybox:1.35 + securityContext: + runAsNonRoot: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod07 +spec: + containers: + - name: container01 + image: busybox:1.35 + - name: container02 + image: busybox:1.35 + securityContext: + runAsNonRoot: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod08 +spec: + containers: + - name: container01 + image: busybox:1.35 + - name: container02 + image: busybox:1.35 + securityContext: + runAsNonRoot: false + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod09 +spec: + containers: + - name: container01 + image: busybox:1.35 + securityContext: + runAsNonRoot: true + - name: container02 + image: busybox:1.35 + securityContext: + runAsNonRoot: false + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod10 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + securityContext: + runAsNonRoot: false + containers: + - 
name: container01 + image: busybox:1.35 + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod11 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + containers: + - name: container01 + image: busybox:1.35 + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod12 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + securityContext: + runAsNonRoot: false + containers: + - name: container01 + image: busybox:1.35 + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod13 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + - name: initcontainer02 + image: busybox:1.35 + containers: + - name: container01 + image: busybox:1.35 + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod14 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + - name: initcontainer02 + image: busybox:1.35 + securityContext: + runAsNonRoot: false + containers: + - name: container01 + image: busybox:1.35 + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod15 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + - name: initcontainer02 + image: busybox:1.35 + containers: + - name: container01 + image: busybox:1.35 + securityContext: + runAsNonRoot: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod16 +spec: + containers: + - name: container01 + image: busybox:1.35 + securityContext: + allowPrivilegeEscalation: false +--- \ No newline at end of file diff --git a/pod-security/mutate/set-run-as-non-root/.kyverno-test/kyverno-test.yaml b/pod-security/mutate/set-run-as-non-root/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..e4b1ca404 --- /dev/null 
+++ b/pod-security/mutate/set-run-as-non-root/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,45 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: set-run-as-non-root +policies: +- ../set-run-as-non-root.yaml +resources: +- resource.yaml +results: +- policy: set-run-as-non-root + rule: set-containers-run-as-non-root-to-true + kind: Pod + resource: badpod01 + patchedResource: patched-resource-01.yaml + result: skip +- policy: set-run-as-non-root + rule: set-containers-run-as-non-root-to-true + kind: Pod + resource: badpod02 + patchedResource: patched-resource-02.yaml + result: pass +- policy: set-run-as-non-root + rule: set-containers-run-as-non-root-to-true + kind: Pod + resource: badpod03 + patchedResource: patched-resource-03.yaml + result: skip +- policy: set-run-as-non-root + rule: set-containers-run-as-non-root-to-true + kind: Pod + resource: badpod04 + patchedResource: patched-resource-04.yaml + result: pass +- policy: set-run-as-non-root + rule: set-containers-run-as-non-root-to-true + kind: Pod + resource: badpod05 + patchedResource: patched-resource-05.yaml + result: skip +- policy: set-run-as-non-root + rule: set-initContainers-run-as-non-root-to-true + kind: Pod + resource: badpod06 + patchedResource: patched-resource-06.yaml + result: pass \ No newline at end of file diff --git a/pod-security/mutate/set-run-as-non-root/.kyverno-test/patched-resource-01.yaml b/pod-security/mutate/set-run-as-non-root/.kyverno-test/patched-resource-01.yaml new file mode 100644 index 000000000..35b52596d --- /dev/null +++ b/pod-security/mutate/set-run-as-non-root/.kyverno-test/patched-resource-01.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: dummyimagename diff --git a/pod-security/mutate/set-run-as-non-root/.kyverno-test/patched-resource-02.yaml b/pod-security/mutate/set-run-as-non-root/.kyverno-test/patched-resource-02.yaml new file mode 100644 index 000000000..6f9ee418d 
--- /dev/null +++ b/pod-security/mutate/set-run-as-non-root/.kyverno-test/patched-resource-02.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: dummyimagename + securityContext: + runAsNonRoot: true diff --git a/pod-security/mutate/set-run-as-non-root/.kyverno-test/patched-resource-03.yaml b/pod-security/mutate/set-run-as-non-root/.kyverno-test/patched-resource-03.yaml new file mode 100644 index 000000000..b51ee69e7 --- /dev/null +++ b/pod-security/mutate/set-run-as-non-root/.kyverno-test/patched-resource-03.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename + securityContext: + runAsNonRoot: true diff --git a/pod-security/mutate/set-run-as-non-root/.kyverno-test/patched-resource-04.yaml b/pod-security/mutate/set-run-as-non-root/.kyverno-test/patched-resource-04.yaml new file mode 100644 index 000000000..6fcb91732 --- /dev/null +++ b/pod-security/mutate/set-run-as-non-root/.kyverno-test/patched-resource-04.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: dummyimagename + securityContext: + runAsNonRoot: true + - name: container02 + image: dummyimagename + securityContext: + runAsNonRoot: true diff --git a/pod-security/mutate/set-run-as-non-root/.kyverno-test/patched-resource-05.yaml b/pod-security/mutate/set-run-as-non-root/.kyverno-test/patched-resource-05.yaml new file mode 100644 index 000000000..6a5f8d9a8 --- /dev/null +++ b/pod-security/mutate/set-run-as-non-root/.kyverno-test/patched-resource-05.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename + securityContext: + runAsNonRoot: true 
diff --git a/pod-security/mutate/set-run-as-non-root/.kyverno-test/patched-resource-06.yaml b/pod-security/mutate/set-run-as-non-root/.kyverno-test/patched-resource-06.yaml new file mode 100644 index 000000000..779affe56 --- /dev/null +++ b/pod-security/mutate/set-run-as-non-root/.kyverno-test/patched-resource-06.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + securityContext: + runAsNonRoot: true + containers: + - name: container01 + image: dummyimagename + securityContext: + runAsNonRoot: true diff --git a/pod-security/mutate/set-run-as-non-root/.kyverno-test/resource.yaml b/pod-security/mutate/set-run-as-non-root/.kyverno-test/resource.yaml new file mode 100644 index 000000000..32977ed54 --- /dev/null +++ b/pod-security/mutate/set-run-as-non-root/.kyverno-test/resource.yaml 
@@ -0,0 +1,81 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: dummyimagename + securityContext: + runAsNonRoot: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: dummyimagename + securityContext: + runAsNonRoot: false + - name: container02 + image: dummyimagename + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + securityContext: + runAsNonRoot: false + containers: + - name: container01 + image: dummyimagename + securityContext: + runAsNonRoot: true diff --git a/pod-security/mutate/set-run-as-non-root/artifacthub-pkg.yml b/pod-security/mutate/set-run-as-non-root/artifacthub-pkg.yml new file mode 100644 index 000000000..70e988a5d --- /dev/null +++ b/pod-security/mutate/set-run-as-non-root/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: set-run-as-non-root +version: 1.0.0 +displayName: Set runAsNonRoot +createdAt: "2024-08-09T00:00:00.000Z" +description: >- + Containers must be required to run as non-root users. This policy ensures `runAsNonRoot` is set to `true`. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security/mutate/set-run-as-non-root/set-run-as-non-root.yaml + ``` +keywords: + - kyverno + - Pod Security Standards (Mutate) +readme: | + Containers must be required to run as non-root users. This policy ensures `runAsNonRoot` is set to `true`. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Pod Security Standards (Mutate)" + kyverno/kubernetesVersion: "1.22-1.30" + kyverno/subject: "Pod" +digest: 1c7b74b40da4378308fea087a5a30ae51f1ca46ae117c7c44aa846e70dd70d72 diff --git a/pod-security/mutate/set-run-as-non-root/set-run-as-non-root.yaml b/pod-security/mutate/set-run-as-non-root/set-run-as-non-root.yaml new file mode 100644 index 000000000..4ee387f01 --- /dev/null +++ b/pod-security/mutate/set-run-as-non-root/set-run-as-non-root.yaml 
@@ -0,0 +1,87 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: set-run-as-non-root
+ annotations:
+ policies.kyverno.io/title: Set runAsNonRoot
+ policies.kyverno.io/category: Pod Security Standards (Mutate)
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.6.0
+ kyverno.io/kubernetes-version: "1.22-1.30"
+ policies.kyverno.io/description: >-
+ Containers must be required to run as non-root users. This policy ensures
+ `runAsNonRoot` is set to `true`.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: set-containers-run-as-non-root-to-true
+ match:
+ all:
+ - resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{ type(request.object.spec.containers) }}"
+ operator: Equals
+ value: "array"
+ mutate:
+ foreach:
+ - list: "request.object.spec.containers"
+ preconditions:
+ all:
+ - key: "{{ to_string(element.securityContext.runAsNonRoot) }}"
+ operator: Equals
+ value: "false"
+ patchesJson6902: |-
+ - path: /spec/containers/{{elementIndex}}/securityContext/runAsNonRoot
+ op: replace
+ value: true
+ - name: set-initContainers-run-as-non-root-to-true
+ match:
+ all:
+ - resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{ type(request.object.spec.initContainers) }}"
+ operator: Equals
+ value: "array"
+ mutate:
+ foreach:
+ - list: "request.object.spec.initContainers"
+ preconditions:
+ all:
+ - key: "{{ to_string(element.securityContext.runAsNonRoot) }}"
+ operator: Equals
+ value: "false"
+ patchesJson6902: |-
+ - path: /spec/initContainers/{{elementIndex}}/securityContext/runAsNonRoot
+ op: replace
+ value: true
+ - name: set-ephemeralContainers-run-as-non-root-to-true
+ match:
+ all:
+ - resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{ type(request.object.spec.ephemeralContainers) }}"
+ operator: Equals
+ value: "array"
+ mutate:
+ foreach:
+ - list: "request.object.spec.ephemeralContainers"
+ preconditions:
+ all:
+ - key: 
"{{ to_string(element.securityContext.runAsNonRoot) }}"
+ operator: Equals
+ value: "false"
+ patchesJson6902: |-
+ - path: /spec/ephemeralContainers/{{elementIndex}}/securityContext/runAsNonRoot
+ op: replace
+ value: true
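Review bot: All three rules in set-run-as-non-root.yaml inspect only the container-level `element.securityContext.runAsNonRoot`; a pod-level `spec.securityContext.runAsNonRoot: false` is never patched, and every container that does not set its own value inherits it, so a Pod can still be admitted running as root after this policy has acted. The chainsaw fixtures appear to rely on exactly that (indentation is lost in this view, but pod-bad-assert.yaml expects a second `runAsNonRoot: false` to survive on badpod11, and badpod03, badpod07 and badpod15 look like the same pod-level case). A fourth rule at pod level, below, closes the hole with the same precondition style the file already uses; the affected assert fixtures would then need their expected value flipped to `true`. If the pod-level field is intentionally out of scope, the description should say so, e.g. `This policy sets container-level runAsNonRoot to true where it is explicitly false; the pod-level securityContext is not changed.`
```yaml
  # … unchanged: the three existing container-level rules …
  - name: set-pod-run-as-non-root-to-true
    match:
      all:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{ to_string(request.object.spec.securityContext.runAsNonRoot) }}"
        operator: Equals
        value: "false"
    mutate:
      patchesJson6902: |-
        - path: /spec/securityContext/runAsNonRoot
          op: replace
          value: true
```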