Signed-off-by: Rita Zhang <[email protected]>
Showing
13 changed files
with
447 additions
and
115 deletions.
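--- a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/README.md
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/README.md
@@ -0,0 +1,36 @@
+# Forbidden Sysctls security context policy
+
+The forbidden sysctls constraint allows one to limit the set of kernel parameters that can be modified by pods. This is accomplished by specifying a combination of allowed and forbidden sysctls using either of two parameters: `allowedSysctls` and `forbiddenSysctls`.
+
+## Parameters
+
+`allowedSysctls`: A list of explicitly allowed sysctls. Any sysctl not in this list will be considered forbidden. '*' and trailing wildcards are supported. If unspecified, no limitations are made by this parameter.
+
+`forbiddenSysctls`: A list of explicitly denied sysctls. Any sysctl in this list will be considered forbidden. '*' and trailing wildcards are supported. If unspecified, no limitations are made by this parameter.
+
+## Examples
+
+```yaml
+parameters:
+allowedSysctls: ['*']
+forbiddenSysctls:
+- kernel.msg*
+- net.core.somaxconn
+```
+```yaml
+parameters:
+allowedSysctls:
+- kernel.shm_rmid_forced
+- net.ipv4.ip_local_port_range
+- net.ipv4.tcp_syncookies
+- net.ipv4.ping_group_range
+forbiddenSysctls: []
+```
+*Note*: `forbiddenSysctls` takes precedence, such that an explicitly forbidden sysctl is still forbidden even if it appears in `allowedSysctls` as well. However in practice, such overlap between the rules should be avoided.
+
+## References
+
+* [Using sysctls in a Kubernetes Cluster](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/)
+* [Kubernetes API Reference - Sysctl](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#sysctl-v1-core)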
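--- a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/artifacthub-pkg.yml
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.2.0
+name: k8spspforbiddensysctls
+displayName: Forbidden Sysctls
+createdAt: "2024-05-10T05:44:00Z"
+description: Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
+digest: 53ce322a6055a6badb700f675cbb262a2f9e37390655460ee8a3370c39a99a80
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/forbidden-sysctls
+keywords:
+- gatekeeper
+- open-policy-agent
+- policies
+readme: |-
+# Forbidden Sysctls
+Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
+install: |-
+### Usage
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/template.yaml
+```
+provider:
+name: Gatekeeper Library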
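--- a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/kustomization.yaml
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+- template.yaml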
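--- a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint.yaml
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint.yaml
@@ -0,0 +1,15 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPForbiddenSysctls
+metadata:
+name: psp-forbidden-sysctls
+spec:
+match:
+kinds:
+- apiGroups: [""]
+kinds: ["Pod"]
+parameters:
+forbiddenSysctls:
+# - "*" # * may be used to forbid all sysctls
+- kernel.*
+allowedSysctls:
+- "*" # allows all sysctls. allowedSysctls is optional.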
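--- a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/example_allowed.yaml
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/example_allowed.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: nginx-forbidden-sysctls-disallowed
+labels:
+app: nginx-forbidden-sysctls
+spec:
+containers:
+- name: nginx
+image: nginx
+securityContext:
+sysctls:
+- name: net.core.somaxconn
+value: "1024"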
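Review bot: The allowed-pod fixture is named `nginx-forbidden-sysctls-disallowed` (the `metadata.name` line), the same name as the pod in example_disallowed.yaml, which looks like a copy-paste slip. The template's `messageExpression` and both Rego `sprintf` calls print `object.metadata.name`, so identically named fixtures make a failing suite run harder to read. Renaming it, e.g. `name: nginx-forbidden-sysctls-allowed`, keeps the two samples distinguishable without changing what the case exercises.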
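--- a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/example_disallowed.yaml
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/example_disallowed.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: nginx-forbidden-sysctls-disallowed
+labels:
+app: nginx-forbidden-sysctls
+spec:
+containers:
+- name: nginx
+image: nginx
+securityContext:
+sysctls:
+- name: kernel.msgmax
+value: "65536"
+- name: net.core.somaxconn
+value: "1024"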
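--- a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/update.yaml
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/update.yaml
@@ -0,0 +1,21 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+operation: "UPDATE"
+object:
+apiVersion: v1
+kind: Pod
+metadata:
+name: nginx-forbidden-sysctls-disallowed
+labels:
+app: nginx-forbidden-sysctls
+spec:
+containers:
+- name: nginx
+image: nginx
+securityContext:
+sysctls:
+- name: kernel.msgmax
+value: "65536"
+- name: net.core.somaxconn
+value: "1024"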
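--- a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/suite.yaml
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/suite.yaml
@@ -0,0 +1,21 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+name: forbidden-sysctls
+tests:
+- name: forbidden-sysctls
+template: template.yaml
+constraint: samples/psp-forbidden-sysctls/constraint.yaml
+cases:
+- name: example-disallowed
+object: samples/psp-forbidden-sysctls/example_disallowed.yaml
+assertions:
+- violations: yes
+- name: example-allowed
+object: samples/psp-forbidden-sysctls/example_allowed.yaml
+assertions:
+- violations: no
+- name: update
+object: samples/psp-forbidden-sysctls/update.yaml
+assertions:
+- violations: no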
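Review bot: All three cases run against constraint.yaml, which sets `allowedSysctls: ["*"]`, so the allow-list branch of the template (the `allowedSysctls` CEL variable and the Rego `not allowed_sysctl(sysctl)` rule) is never exercised with a concrete list and a divergence between the two engines on that path would go unnoticed. A second `tests` entry with its own constraint listing a concrete name without `*`, e.g. `allowedSysctls: [net.ipv4.tcp_syncookies]`, and an object setting `net.core.somaxconn` asserting `violations: yes` would cover it; a matching object asserting `violations: no` would pin the positive side as well.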
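--- a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/template.yaml
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/template.yaml
@@ -0,0 +1,121 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+name: k8spspforbiddensysctls
+annotations:
+metadata.gatekeeper.sh/title: "Forbidden Sysctls"
+metadata.gatekeeper.sh/version: 1.2.0
+description: >-
+Controls the `sysctl` profile used by containers. Corresponds to the
+`allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy.
+When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden.
+The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter.
+For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
+spec:
+crd:
+spec:
+names:
+kind: K8sPSPForbiddenSysctls
+validation:
+# Schema for the `parameters` field
+openAPIV3Schema:
+type: object
+description: >-
+Controls the `sysctl` profile used by containers. Corresponds to the
+`allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy.
+When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden.
+The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter.
+For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
+properties:
+allowedSysctls:
+type: array
+description: "An allow-list of sysctls. `*` allows all sysctls not listed in the `forbiddenSysctls` parameter."
+items:
+type: string
+forbiddenSysctls:
+type: array
+description: "A disallow-list of sysctls. `*` forbids all sysctls."
+items:
+type: string
+targets:
+- target: admission.k8s.gatekeeper.sh
+code:
+- engine: K8sNativeValidation
+source:
+variables:
+- name: sysctls
+expression: '!has(object.spec.securityContext) ? [] : !has(object.spec.securityContext.sysctls) ? [] : object.spec.securityContext.sysctls'
+- name: forbiddenSysctls
+expression: |
+!has(variables.params.forbiddenSysctls) ? [] :
+variables.sysctls.filter(sysctl,
+variables.params.forbiddenSysctls.exists(forbiddenSysctl, sysctl.name == forbiddenSysctl || (forbiddenSysctl.endsWith("*") && string(sysctl.name).matches("^" + string(forbiddenSysctl).replace("*", ".*") + "$"))))
+- name: allowedSysctls
+expression: |
+!has(variables.params.allowedSysctls) ? [] :
+variables.sysctls.filter(sysctl,
+variables.params.allowedSysctls.exists(allowedSysctl, sysctl.name == allowedSysctl || (allowedSysctl == "*") || (string(sysctl.name).matches("^" + allowedSysctl + "$"))))
+validations:
+- expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.sysctls) == 0 || size(variables.forbiddenSysctls) == 0 && (size(variables.allowedSysctls) == 0 || size(variables.allowedSysctls) == size(variables.sysctls))'
+messageExpression: '"The sysctl is not allowed for pod: " + object.metadata.name + ", forbidden: " + variables.forbiddenSysctls.map(c, c.name).join(", ") + ", allowed: " + variables.allowedSysctls.map(c, c.name).join(", ") '
+- engine: Rego
+source:
+rego: |
+package k8spspforbiddensysctls
+import data.lib.exclude_update.is_update
+# Block if forbidden
+violation[{"msg": msg, "details": {}}] {
+# spec.securityContext.sysctls field is immutable.
+not is_update(input.review)
+sysctl := input.review.object.spec.securityContext.sysctls[_].name
+forbidden_sysctl(sysctl)
+msg := sprintf("The sysctl %v is not allowed, pod: %v. Forbidden sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.forbiddenSysctls])
+}
+# Block if not explicitly allowed
+violation[{"msg": msg, "details": {}}] {
+not is_update(input.review)
+sysctl := input.review.object.spec.securityContext.sysctls[_].name
+not allowed_sysctl(sysctl)
+msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls])
+}
+# * may be used to forbid all sysctls
+forbidden_sysctl(_) {
+input.parameters.forbiddenSysctls[_] == "*"
+}
+forbidden_sysctl(sysctl) {
+input.parameters.forbiddenSysctls[_] == sysctl
+}
+forbidden_sysctl(sysctl) {
+forbidden := input.parameters.forbiddenSysctls[_]
+endswith(forbidden, "*")
+startswith(sysctl, trim_suffix(forbidden, "*"))
+}
+# * may be used to allow all sysctls
+allowed_sysctl(_) {
+input.parameters.allowedSysctls[_] == "*"
+}
+allowed_sysctl(sysctl) {
+input.parameters.allowedSysctls[_] == sysctl
+}
+allowed_sysctl(sysctl) {
+allowed := input.parameters.allowedSysctls[_]
+endswith(allowed, "*")
+startswith(sysctl, trim_suffix(allowed, "*"))
+}
+libs:
+- |
+package lib.exclude_update
+is_update(review) {
+review.operation == "UPDATE"
+}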
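Review bot: The K8sNativeValidation `validations` expression admits a pod whenever `size(variables.allowedSysctls) == 0`, but that variable is empty both when the `allowedSysctls` parameter is unset and when it is set and none of the pod's sysctls match it, so a pod whose sysctls all fall outside an explicit allow-list passes the CEL engine while the Rego engine's second `violation` rule (`not allowed_sysctl(sysctl)`) rejects it. Testing the parameter instead of the filtered list, `(!has(variables.params.allowedSysctls) || size(variables.allowedSysctls) == size(variables.sysctls))`, restores the deny-by-default allow-list semantics the README and the schema description state. The engines also disagree in the other direction: the Rego `allowed_sysctl` rules are undefined when `allowedSysctls` is omitted, so every sysctl then raises the "not explicitly allowed" violation, which contradicts the README's "If unspecified, no limitations are made" wording and needs either a guard on the parameter in the Rego or a README correction. Separately, the CEL wildcard checks build regexes from unescaped names (`replace("*", ".*")` on the forbidden side, the raw pattern on the allowed side), so the dots in sysctl names match any character and the match is looser than the Rego `startswith`/`trim_suffix` prefix check; a `startsWith` on the pattern with its trailing `*` removed would keep the two engines aligned.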