Render policies (#1001)
render policies

Signed-off-by: Chip Zoller <[email protected]>
chipzoller authored Nov 8, 2023
1 parent bc05bcb commit 1c4f8b3
Showing 10 changed files with 402 additions and 7 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -70,4 +70,18 @@ spec:
=(volumes):
- =(hostPath):
path: "!/var/run/crio.sock"
- name: validate-dockerd-sock-mount
match:
any:
- resources:
kinds:
- Pod
validate:
message: "Use of the Docker CRI socket is not allowed."
pattern:
spec:
=(volumes):
- =(hostPath):
path: "!/var/run/cri-dockerd.sock"

```
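Review bot: the new validate-dockerd-sock-mount rule is an exact-string check on `path`, so it only covers a hostPath whose `path` is literally `/var/run/cri-dockerd.sock`; that is the same scope as the crio rule above it, but the rendered policy text should say so, since a reader may assume the rule covers any mount that exposes the socket. Two smaller points: the message "Use of the Docker CRI socket is not allowed." would be clearer as "cri-dockerd socket", matching the path it checks, and the blank line before the closing fence is trailing whitespace inside the code block.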
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ spec:
kinds:
- PolicyException
generate:
apiVersion: kyverno.io/v2alpha1
apiVersion: kyverno.io/v2beta1
kind: ClusterCleanupPolicy
name: polex-{{ request.namespace }}-{{ request.object.metadata.name }}-{{ random('[0-9a-z]{8}') }}
synchronize: false
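Review bot: changing the generated ClusterCleanupPolicy from `kyverno.io/v2alpha1` to `kyverno.io/v2beta1` raises the minimum Kyverno release this generate rule works on, but the hunk does not touch the policy's `policies.kyverno.io/minversion` annotation or the front matter `version`; those should be checked and bumped in the same change, otherwise the rendered page advertises support for a version on which the generated resource would be rejected by the API server.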
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,9 @@ spec:
value:
- CREATE
- UPDATE
- key: "{{ request.object.spec.replicas || `1` }}"
operator: GreaterThan
value: 0
context:
- name: minavailable
apiCall:
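Review bot: the new precondition key `{{ request.object.spec.replicas || `1` }}` defaults an omitted `spec.replicas` to 1, which matches the Kubernetes default for that field, and because numbers are truthy in JMESPath an explicit `replicas: 0` still evaluates to 0 and correctly fails `GreaterThan 0`, skipping the rule for scaled-to-zero workloads. The `||` fallback is easy to misread as also applying to 0, so a one-line comment in the policy stating the intent would help. Also confirm that the rule's `match` block (outside this hunk) does not include kinds without `spec.replicas`, since the fallback would treat those as single-replica.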
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -43,8 +43,8 @@ spec:
validate:
message: "Binding to system:anonymous is not allowed."
pattern:
roleRef:
name: "!system:anonymous"
subjects:
- name: "!system:anonymous"
- name: restrict-unauthenticated
match:
any:
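Review bot: moving the `!system:anonymous` check from `roleRef.name` to `subjects[].name` is the right fix: `roleRef` names the Role or ClusterRole being granted, while `subjects` holds the identities being bound, so the previous pattern could never have matched a binding that granted a role to the anonymous user. One follow-up: `subjects` is optional on RoleBinding and ClusterRoleBinding, and a Kyverno pattern fails when a field named in the pattern is absent from the resource, so writing `=(subjects):` (conditional anchor) would avoid rejecting bindings that carry no subjects at all with a misleading "Binding to system:anonymous is not allowed." message.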
Expand All @@ -55,8 +55,8 @@ spec:
validate:
message: "Binding to system:unauthenticated is not allowed."
pattern:
roleRef:
name: "!system:unauthenticated"
subjects:
- name: "!system:unauthenticated"
- name: restrict-masters
match:
any:
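Review bot: matching on `name` alone without a `kind` is correct for `system:unauthenticated`, since it is a well-known Group and the name is what identifies it in a binding. The pattern as written requires the `subjects` list to exist, however; a RoleBinding or ClusterRoleBinding created without subjects would fail this rule with "Binding to system:unauthenticated is not allowed.", which is not what happened. Using `=(subjects):` so the element check applies only when the list is present would remove that false positive.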
Expand All @@ -67,7 +67,8 @@ spec:
validate:
message: "Binding to system:masters is not allowed."
pattern:
roleRef:
name: "!system:masters"
subjects:
- name: "!system:masters"


```
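Review bot: the hunk header `-67,7 +67,8` shows one net added line, and that line is the second of the two blank lines before the closing fence, i.e. trailing whitespace inside the code block rather than policy content; drop it. The move from `roleRef.name` to `subjects[].name` for `system:masters` is correct for the same reason as the anonymous and unauthenticated rules above it, and here too a `=(subjects):` conditional anchor would keep bindings without subjects from failing the rule.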
Original file line number Diff line number Diff line change
@@ -0,0 +1,77 @@
---
title: "Disallow Capabilities in CEL expressions"
category: Pod Security Standards (Baseline) in CEL
version: 1.11.0
subject: Pod
policyType: "validate"
description: >
Adding capabilities beyond those listed in the policy must be disallowed.
---

## Policy Definition
<a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml" target="-blank">/pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml</a>

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-capabilities
annotations:
policies.kyverno.io/title: Disallow Capabilities in CEL expressions
policies.kyverno.io/category: Pod Security Standards (Baseline) in CEL
policies.kyverno.io/severity: medium
policies.kyverno.io/minversion: 1.11.0
kyverno.io/kubernetes-version: "1.26-1.27"
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Adding capabilities beyond those listed in the policy must be disallowed.
spec:
validationFailureAction: Audit
background: true
rules:
- name: adding-capabilities
match:
any:
- resources:
kinds:
- Pod
validate:
cel:
expressions:
- expression: >-
object.spec.containers.all(container,
!has(container.securityContext) ||
!has(container.securityContext.capabilities) ||
!has(container.securityContext.capabilities.add) ||
container.securityContext.capabilities.add.all(capability,
['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability)))
message: >-
Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
are disallowed.
- expression: >-
!has(object.spec.initContainers) ||
object.spec.initContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.capabilities) ||
!has(container.securityContext.capabilities.add) ||
container.securityContext.capabilities.add.all(capability,
['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability)))
message: >-
Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
are disallowed.
- expression: >-
!has(object.spec.ephemeralContainers) ||
object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.capabilities) ||
!has(container.securityContext.capabilities.add) ||
container.securityContext.capabilities.add.all(capability,
['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability)))
message: >-
Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
are disallowed.
```
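Review bot: the policy definition link has `target="-blank"` where `target="_blank"` is meant, and the raw URL contains a doubled slash (`main//pod-security-cel`); both come from the rendered page header and the fix belongs in the render template rather than in this file. On the policy itself: the front matter description says "beyond those listed in the policy" without naming the list, so a reader of the rendered page has to reach the CEL to learn that the allowed set is the PSS baseline capability list; consider stating that in the description as the messages already do. The 13-entry list is also repeated verbatim in all three expressions, so any future edit must be made in three places; a comment noting that they must stay in sync would help maintainers.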
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
---
title: "Disallow Host Namespaces in CEL expressions"
category: Pod Security Standards (Baseline) in CEL
version: 1.11.0
subject: Pod
policyType: "validate"
description: >
Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are unset or set to `false`.
---

## Policy Definition
<a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml" target="-blank">/pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml</a>

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-host-namespaces
annotations:
policies.kyverno.io/title: Disallow Host Namespaces in CEL expressions
policies.kyverno.io/category: Pod Security Standards (Baseline) in CEL
policies.kyverno.io/severity: medium
policies.kyverno.io/minversion: 1.11.0
kyverno.io/kubernetes-version: "1.26-1.27"
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
network namespace) allow access to shared information and can be used to elevate
privileges. Pods should not be allowed access to host namespaces. This policy ensures
fields which make use of these host namespaces are unset or set to `false`.
spec:
validationFailureAction: Audit
background: true
rules:
- name: host-namespaces
match:
any:
- resources:
kinds:
- Pod
validate:
cel:
expressions:
- expression: >-
(!has(object.spec.hostNetwork) || object.spec.hostNetwork == false) &&
(!has(object.spec.hostIPC) || object.spec.hostIPC == false) &&
(!has(object.spec.hostPID) || object.spec.hostPID == false)
message: >-
Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
spec.hostIPC, and spec.hostPID must be unset or set to `false`.
```
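Review bot: the single expression covering `hostNetwork`, `hostIPC` and `hostPID` with `(!has(x) || x == false)` is correct and reads clearly. The one thing the rendered page should state explicitly is that the policy ships with `validationFailureAction: Audit`, so as written it only reports host-namespace use; given that the description calls out host namespaces as a privilege-escalation path, readers should be told to switch to `Enforce` to actually block it.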
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
---
title: "Disallow hostPath in CEL expressions"
category: Pod Security Standards (Baseline) in CEL
version: 1.11.0
subject: Pod,Volume
policyType: "validate"
description: >
HostPath volumes let Pods use host directories and volumes in containers. Using host resources can be used to access shared data or escalate privileges and should not be allowed. This policy ensures no hostPath volumes are in use.
---

## Policy Definition
<a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/baseline/disallow-host-path/disallow-host-path.yaml" target="-blank">/pod-security-cel/baseline/disallow-host-path/disallow-host-path.yaml</a>

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-host-path
annotations:
policies.kyverno.io/title: Disallow hostPath in CEL expressions
policies.kyverno.io/category: Pod Security Standards (Baseline) in CEL
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod,Volume
policies.kyverno.io/minversion: 1.11.0
kyverno.io/kubernetes-version: "1.26-1.27"
policies.kyverno.io/description: >-
HostPath volumes let Pods use host directories and volumes in containers.
Using host resources can be used to access shared data or escalate privileges
and should not be allowed. This policy ensures no hostPath volumes are in use.
spec:
validationFailureAction: Audit
background: true
rules:
- name: host-path
match:
any:
- resources:
kinds:
- Pod
validate:
cel:
expressions:
- expression: "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))"
message: "HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset"

```
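Review bot: the blank line before the closing fence is trailing whitespace inside the code block and should be dropped. Two consistency points against the other new files in this change: the annotation order here places `policies.kyverno.io/subject` before `minversion`, whereas the capabilities and host-namespaces files put `minversion` first, and the message "The field spec.volumes[*].hostPath must be unset" lacks the terminating period the other messages have. The expression `!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))` itself is correct.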
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
---
title: "Disallow hostPorts Range (Alternate) in CEL expressions"
category: Pod Security Standards (Baseline) in CEL
version: 1.11.0
subject: Pod
policyType: "validate"
description: >
Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. This policy ensures the `hostPort` field is set to one in the designated list.
---

## Policy Definition
<a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml" target="-blank">/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml</a>

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-host-ports-range
annotations:
policies.kyverno.io/title: Disallow hostPorts Range (Alternate) in CEL expressions
policies.kyverno.io/category: Pod Security Standards (Baseline) in CEL
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/minversion: 1.11.0
kyverno.io/kubernetes-version: "1.26-1.27"
policies.kyverno.io/description: >-
Access to host ports allows potential snooping of network traffic and should not be
allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
field is set to one in the designated list.
spec:
validationFailureAction: Audit
background: true
rules:
- name: host-port-range
match:
any:
- resources:
kinds:
- Pod
validate:
cel:
expressions:
- expression: >-
object.spec.containers.all(container, !has(container.ports) ||
container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000)))
message: >-
The only permitted hostPorts are in the range 5000-6000.
- expression: >-
!has(object.spec.initContainers) ||
object.spec.initContainers.all(container, !has(container.ports) ||
container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000)))
message: >-
The only permitted hostPorts are in the range 5000-6000.
- expression: >-
!has(object.spec.ephemeralContainers) ||
object.spec.ephemeralContainers.all(container, !has(container.ports) ||
container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000)))
message: >-
The only permitted hostPorts are in the range 5000-6000.
```
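Review bot: the front matter and annotation descriptions say the policy "ensures the `hostPort` field is set to one in the designated list", but the expressions implement a range check (`port.hostPort >= 5000 && port.hostPort <= 6000`), not a list; the description should say "range" and make clear that 5000-6000 is a sample range the user is expected to edit, since it is hardcoded in all three expressions and the three messages. For consistency with the disallow-host-ports policy added in this same change, which explicitly accepts `port.hostPort == 0` as equivalent to unset, consider accepting 0 here as well so that an explicit `hostPort: 0` does not fail the range check.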
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
---
title: "Disallow hostPorts in CEL expressions"
category: Pod Security Standards (Baseline) in CEL
version: 1.11.0
subject: Pod
policyType: "validate"
description: >
Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. This policy ensures the `hostPort` field is unset or set to `0`.
---

## Policy Definition
<a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml" target="-blank">/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml</a>

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-host-ports
annotations:
policies.kyverno.io/title: Disallow hostPorts in CEL expressions
policies.kyverno.io/category: Pod Security Standards (Baseline) in CEL
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/minversion: 1.11.0
kyverno.io/kubernetes-version: "1.26-1.27"
policies.kyverno.io/description: >-
Access to host ports allows potential snooping of network traffic and should not be
allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
field is unset or set to `0`.
spec:
validationFailureAction: Audit
background: true
rules:
- name: host-ports-none
match:
any:
- resources:
kinds:
- Pod
validate:
cel:
expressions:
- expression: >-
object.spec.containers.all(container, !has(container.ports) ||
container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
message: >-
Use of host ports is disallowed. The field spec.containers[*].ports[*].hostPort
must either be unset or set to `0`.
- expression: >-
!has(object.spec.initContainers) ||
object.spec.initContainers.all(container, !has(container.ports) ||
container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
message: >-
Use of host ports is disallowed. The field spec.initContainers[*].ports[*].hostPort
must either be unset or set to `0`.
- expression: >-
!has(object.spec.ephemeralContainers) ||
object.spec.ephemeralContainers.all(container, !has(container.ports) ||
container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
message: >-
Use of host ports is disallowed. The field spec.ephemeralContainers[*].ports[*].hostPort
must either be unset or set to `0`.
```
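Review bot: the three messages each name the exact field path (`spec.containers[*]`, `spec.initContainers[*]`, `spec.ephemeralContainers[*]`), which makes violations easy to act on; the front matter description, by contrast, only mentions "the `hostPort` field" generically and could say that init and ephemeral containers are covered as well. Minor: the `kyverno.io/kubernetes-version: "1.26-1.27"` annotation and `policies.kyverno.io/minversion: 1.11.0` are the same across all the new CEL files, so if they are meant to express the versions on which CEL validation was tested, a sentence on the rendered page saying so would help.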