Render policies (#1003)
render

Signed-off-by: Chip Zoller <[email protected]>
chipzoller authored Nov 8, 2023
1 parent 1c4f8b3 commit 30fb101
Showing 5 changed files with 415 additions and 0 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
---
title: "Disallow Privileged Containers in CEL expressions"
category: Pod Security Standards (Baseline) in CEL
version:
subject: Pod
policyType: "validate"
description: >
Privileged mode disables most security mechanisms and must not be allowed. This policy ensures Pods do not call for privileged mode.
---

## Policy Definition
<a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml" target="-blank">/pod-security-cel/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml</a>

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-privileged-containers
annotations:
policies.kyverno.io/title: Disallow Privileged Containers in CEL expressions
policies.kyverno.io/category: Pod Security Standards (Baseline) in CEL
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.11.0
kyverno.io/kubernetes-version: "1.26-1.27"
policies.kyverno.io/description: >-
Privileged mode disables most security mechanisms and must not be allowed. This policy
ensures Pods do not call for privileged mode.
spec:
validationFailureAction: Audit
background: true
rules:
- name: privileged-containers
match:
any:
- resources:
kinds:
- Pod
validate:
cel:
expressions:
- expression: >-
object.spec.containers.all(container, !has(container.securityContext) ||
!has(container.securityContext.privileged) ||
container.securityContext.privileged == false)
message: >-
Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
must be unset or set to `false`.
- expression: >-
!has(object.spec.initContainers) ||
object.spec.initContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.privileged) ||
container.securityContext.privileged == false)
message: >-
Privileged mode is disallowed. The fields spec.initContainers[*].securityContext.privileged
must be unset or set to `false`.
- expression: >-
!has(object.spec.ephemeralContainers) ||
object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.privileged) ||
container.securityContext.privileged == false)
message: >-
Privileged mode is disallowed. The fields spec.ephemeralContainers[*].securityContext.privileged
must be unset or set to `false`.
```
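Review bot: the Policy Definition anchor uses `target="-blank"`, which is not the `_blank` keyword; a browser treats `-blank` as an ordinary browsing-context name, so the link opens in a reused named window instead of a fresh tab. Suggest `target="_blank"` (with `rel="noopener noreferrer"`, since the link leaves the site); the same typo recurs in the other three files of this commit. The href also carries a doubled slash (`main//pod-security-cel/...`) that should be collapsed, and the front-matter `version:` key is left empty; either fill it from the `kyverno.io/kyverno-version: 1.11.0` annotation or drop the key.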
@@ -0,0 +1,70 @@
---
title: "Disallow procMount in CEL expressions"
category: Pod Security Standards (Baseline) in CEL
version:
subject: Pod
policyType: "validate"
description: >
The default /proc masks are set up to reduce attack surface and should be required. This policy ensures nothing but the default procMount can be specified. Note that in order for users to deviate from the `Default` procMount requires setting a feature gate at the API server.
---

## Policy Definition
<a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/baseline/disallow-proc-mount/disallow-proc-mount.yaml" target="-blank">/pod-security-cel/baseline/disallow-proc-mount/disallow-proc-mount.yaml</a>

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-proc-mount
annotations:
policies.kyverno.io/title: Disallow procMount in CEL expressions
policies.kyverno.io/category: Pod Security Standards (Baseline) in CEL
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.11.0
kyverno.io/kubernetes-version: "1.26-1.27"
policies.kyverno.io/description: >-
The default /proc masks are set up to reduce attack surface and should be required. This policy
ensures nothing but the default procMount can be specified. Note that in order for users
to deviate from the `Default` procMount requires setting a feature gate at the API
server.
spec:
validationFailureAction: Audit
background: true
rules:
- name: check-proc-mount
match:
any:
- resources:
kinds:
- Pod
validate:
cel:
expressions:
- expression: >-
object.spec.containers.all(container, !has(container.securityContext) ||
!has(container.securityContext.procMount) ||
container.securityContext.procMount == 'Default')
message: >-
Changing the proc mount from the default is not allowed. The field
spec.containers[*].securityContext.procMount must be unset or set to `Default`.
- expression: >-
!has(object.spec.initContainers) ||
object.spec.initContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.procMount) ||
container.securityContext.procMount == 'Default')
message: >-
Changing the proc mount from the default is not allowed. The field
spec.initContainers[*].securityContext.procMount must be unset or set to `Default`.
- expression: >-
!has(object.spec.ephemeralContainers) ||
object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.procMount) ||
container.securityContext.procMount == 'Default')
message: >-
Changing the proc mount from the default is not allowed. The field
spec.ephemeralContainers[*].securityContext.procMount must be unset or set to `Default`.
```
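Review bot: the sentence "Note that in order for users to deviate from the `Default` procMount requires setting a feature gate at the API server" (in both the front-matter `description` and the `policies.kyverno.io/description` annotation) has no grammatical subject; suggest "Note that deviating from the `Default` procMount requires setting a feature gate at the API server." As in the first file, `target="-blank"` should be `target="_blank"`, the href has a doubled slash, and `version:` is empty.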
@@ -0,0 +1,130 @@
---
title: "Disallow SELinux in CEL expressions"
category: Pod Security Standards (Baseline) in CEL
version:
subject: Pod
policyType: "validate"
description: >
SELinux options can be used to escalate privileges and should not be allowed. This policy ensures that the `seLinuxOptions` field is undefined.
---

## Policy Definition
<a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/baseline/disallow-selinux/disallow-selinux.yaml" target="-blank">/pod-security-cel/baseline/disallow-selinux/disallow-selinux.yaml</a>

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-selinux
annotations:
policies.kyverno.io/title: Disallow SELinux in CEL expressions
policies.kyverno.io/category: Pod Security Standards (Baseline) in CEL
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.11.0
kyverno.io/kubernetes-version: "1.26-1.27"
policies.kyverno.io/description: >-
SELinux options can be used to escalate privileges and should not be allowed. This policy
ensures that the `seLinuxOptions` field is undefined.
spec:
validationFailureAction: Audit
background: true
rules:
- name: selinux-type
match:
any:
- resources:
kinds:
- Pod
validate:
cel:
expressions:
- expression: >-
!has(object.spec.securityContext) ||
!has(object.spec.securityContext.seLinuxOptions) ||
!has(object.spec.securityContext.seLinuxOptions.type) ||
object.spec.securityContext.seLinuxOptions.type == 'container_t' ||
object.spec.securityContext.seLinuxOptions.type == 'container_init_t' ||
object.spec.securityContext.seLinuxOptions.type == 'container_kvm_t'
message: >-
Setting the SELinux type is restricted. The field spec.securityContext.seLinuxOptions.type
must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).
- expression: >-
object.spec.containers.all(container, !has(container.securityContext) ||
!has(container.securityContext.seLinuxOptions) ||
!has(container.securityContext.seLinuxOptions.type) ||
container.securityContext.seLinuxOptions.type == 'container_t' ||
container.securityContext.seLinuxOptions.type == 'container_init_t' ||
container.securityContext.seLinuxOptions.type == 'container_kvm_t')
message: >-
Setting the SELinux type is restricted. The field spec.containers[*].securityContext.seLinuxOptions.type
must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).
- expression: >-
!has(object.spec.initContainers) ||
object.spec.initContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.seLinuxOptions) ||
!has(container.securityContext.seLinuxOptions.type) ||
container.securityContext.seLinuxOptions.type == 'container_t' ||
container.securityContext.seLinuxOptions.type == 'container_init_t' ||
container.securityContext.seLinuxOptions.type == 'container_kvm_t')
message: >-
Setting the SELinux type is restricted. The field spec.initContainers[*].securityContext.seLinuxOptions.type
must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).
- expression: >-
!has(object.spec.ephemeralContainers) ||
object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.seLinuxOptions) ||
!has(container.securityContext.seLinuxOptions.type) ||
container.securityContext.seLinuxOptions.type == 'container_t' ||
container.securityContext.seLinuxOptions.type == 'container_init_t' ||
container.securityContext.seLinuxOptions.type == 'container_kvm_t')
message: >-
Setting the SELinux type is restricted. The field spec.ephemeralContainers[*].securityContext.seLinuxOptions.type
must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).
- name: selinux-user-role
match:
any:
- resources:
kinds:
- Pod
validate:
cel:
expressions:
- expression: >-
!has(object.spec.securityContext) ||
!has(object.spec.securityContext.seLinuxOptions) ||
(!has(object.spec.securityContext.seLinuxOptions.user) && !has(object.spec.securityContext.seLinuxOptions.role))
message: >-
Setting the SELinux user or role is forbidden. The fields
spec.securityContext.seLinuxOptions.user and spec.securityContext.seLinuxOptions.role must be unset.
- expression: >-
object.spec.containers.all(container, !has(container.securityContext) ||
!has(container.securityContext.seLinuxOptions) ||
(!has(container.securityContext.seLinuxOptions.user) && !has(container.securityContext.seLinuxOptions.role)))
message: >-
Setting the SELinux user or role is forbidden. The fields
spec.containers[*].securityContext.seLinuxOptions.user and spec.containers[*].securityContext.seLinuxOptions.role must be unset.
- expression: >-
!has(object.spec.initContainers) ||
object.spec.initContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.seLinuxOptions) ||
(!has(container.securityContext.seLinuxOptions.user) && !has(container.securityContext.seLinuxOptions.role)))
message: >-
Setting the SELinux user or role is forbidden. The fields
spec.initContainers[*].securityContext.seLinuxOptions.user and spec.initContainers[*].securityContext.seLinuxOptions.role must be unset.
- expression: >-
!has(object.spec.ephemeralContainers) ||
object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.seLinuxOptions) ||
(!has(container.securityContext.seLinuxOptions.user) && !has(container.securityContext.seLinuxOptions.role)))
message: >-
Setting the SELinux user or role is forbidden. The fields
spec.ephemeralContainers[*].securityContext.seLinuxOptions.user and spec.ephemeralContainers[*].securityContext.seLinuxOptions.role must be unset.
```
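Review bot: the description (front matter and annotation) says the policy "ensures that the `seLinuxOptions` field is undefined", but the rules do not enforce that: `selinux-type` permits `seLinuxOptions.type` to be `container_t`, `container_init_t` or `container_kvm_t`, `selinux-user-role` forbids only `user` and `role`, and `seLinuxOptions.level` is not checked at all (which matches the Baseline standard, so the rules look right and the text is what needs changing). Suggest rewording to "ensures that `seLinuxOptions.type` is unset or one of the allowed values and that `seLinuxOptions.user` and `seLinuxOptions.role` are unset." The `target="-blank"`, doubled-slash and empty `version:` issues from the first file apply here too.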
@@ -0,0 +1,85 @@
---
title: "Restrict Seccomp in CEL expressions"
category: Pod Security Standards (Baseline) in CEL
version:
subject: Pod
policyType: "validate"
description: >
The seccomp profile must not be explicitly set to Unconfined. This policy, requiring Kubernetes v1.19 or later, ensures that seccomp is unset or set to `RuntimeDefault` or `Localhost`.
---

## Policy Definition
<a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/baseline/restrict-seccomp/restrict-seccomp.yaml" target="-blank">/pod-security-cel/baseline/restrict-seccomp/restrict-seccomp.yaml</a>

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-seccomp
annotations:
policies.kyverno.io/title: Restrict Seccomp in CEL expressions
policies.kyverno.io/category: Pod Security Standards (Baseline) in CEL
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.11.0
kyverno.io/kubernetes-version: "1.26-1.27"
policies.kyverno.io/description: >-
The seccomp profile must not be explicitly set to Unconfined. This policy,
requiring Kubernetes v1.19 or later, ensures that seccomp is unset or
set to `RuntimeDefault` or `Localhost`.
spec:
background: true
validationFailureAction: Audit
rules:
- name: check-seccomp
match:
any:
- resources:
kinds:
- Pod
validate:
cel:
expressions:
- expression: >-
!has(object.spec.securityContext) ||
!has(object.spec.securityContext.seccompProfile) ||
!has(object.spec.securityContext.seccompProfile.type) ||
object.spec.securityContext.seccompProfile.type == 'RuntimeDefault' ||
object.spec.securityContext.seccompProfile.type == 'Localhost'
message: >-
Use of custom Seccomp profiles is disallowed. The field
spec.securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`.
- expression: >-
object.spec.containers.all(container, !has(container.securityContext) ||
!has(container.securityContext.seccompProfile) ||
!has(container.securityContext.seccompProfile.type) ||
container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
container.securityContext.seccompProfile.type == 'Localhost')
message: >-
Use of custom Seccomp profiles is disallowed. The field
spec.containers[*].securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`.
- expression: >-
!has(object.spec.initContainers) ||
object.spec.initContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.seccompProfile) ||
!has(container.securityContext.seccompProfile.type) ||
container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
container.securityContext.seccompProfile.type == 'Localhost')
message: >-
Use of custom Seccomp profiles is disallowed. The field
spec.initContainers[*].securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`.
- expression: >-
!has(object.spec.ephemeralContainers) ||
object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.seccompProfile) ||
!has(container.securityContext.seccompProfile.type) ||
container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
container.securityContext.seccompProfile.type == 'Localhost')
message: >-
Use of custom Seccomp profiles is disallowed. The field
spec.ephemeralContainers[*].securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`.
```
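Review bot: all four `message` strings open with "Use of custom Seccomp profiles is disallowed", which contradicts the description and the expressions themselves: `Localhost`, a custom profile loaded from the node, is explicitly allowed, and only `Unconfined` (plus any unrecognised value) is rejected. Suggest "Use of the Unconfined seccomp profile is disallowed." as the lead sentence, keeping the second sentence as it is. Minor: `background: true` and `validationFailureAction: Audit` are in the opposite order from the other three policies in this commit, and the `target="-blank"` and empty `version:` points from the first file apply here as well.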

0 comments on commit 30fb101
