kyverno/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml

{{- $name := "disallow-capabilities-strict" }}
{{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
{{- include "kyverno-policies.supportedKyvernoCheck" (dict "top" . "ver" ">= 1.6.0-0") }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: {{ $name }}
  annotations:
    policies.kyverno.io/title: Disallow Capabilities (Strict)
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    {{- if .Values.podSecuritySeverity }}
    policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
    {{- end }}
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition,
      all containers must explicitly drop `ALL` capabilities.
spec:
  validationFailureAction: {{ .Values.validationFailureAction }}
  background: true
  rules:
    - name: require-drop-all
      match:
        any:
        - resources:
            kinds:
              - Pod
      {{- with merge (index .Values "policyExclude" "require-drop-all") (index .Values "policyExclude" $name) }}
      exclude:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      preconditions:
        all:
        - key: "{{`{{ request.operation }}`}}"
          operator: NotEquals
          value: DELETE
      validate:
        message: >-
          Containers must drop `ALL` capabilities.
        foreach:
          - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
            deny:
              conditions:
                all:
                - key: ALL
                  operator: AnyNotIn
                  value: "{{`{{ element.securityContext.capabilities.drop || '' }}`}}"
    - name: adding-capabilities-strict
      match:
        any:
        - resources:
            kinds:
              - Pod
      {{- with merge (index .Values "policyExclude" "adding-capabilities-strict") (index .Values "policyExclude" $name) }}
      exclude:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      preconditions:
        all:
        - key: "{{`{{ request.operation }}`}}"
          operator: NotEquals
          value: DELETE
      validate:
        message: >-
          Any capabilities added other than NET_BIND_SERVICE are disallowed.
        foreach:
          - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
            deny:
              conditions:
                all:
                - key: "{{`{{ element.securityContext.capabilities.add[] || '' }}`}}"
                  operator: AnyNotIn
                  value:
                  - NET_BIND_SERVICE
                  - ''
{{- end }}
Update kyverno-policies chart with latest pod-security policies (#3126) * Update kyverno-policies chart with latest pod-security policies Fixes #3063 Fixes #2277 Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update README to have better example Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use chart testing during e2e to test against ci values Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix e2e tests for Helm chart Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix Kyverno chart testing to actually test values, and fix networkpolicy template Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update README for exclusion Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Allow adding 'other' policies via Helm Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update Chart.yaml for kyverno-policies Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Bump minimum Kubernetes version in charts Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update kyverno-policies chart readme Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use version that should catch all pre-releases Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use version that should catch all pre-releases (part 2) Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use same logic to get git tag by using Makefile target for updating Helm values Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com> 2022-02-04 01:47:36 -05:00			`{{- $name := "disallow-capabilities-strict" }}`
			`{{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}`
			`{{- include "kyverno-policies.supportedKyvernoCheck" (dict "top" . "ver" ">= 1.6.0-0") }}`
			`apiVersion: kyverno.io/v1`
			`kind: ClusterPolicy`
			`metadata:`
			`name: {{ $name }}`
			`annotations:`
			`policies.kyverno.io/title: Disallow Capabilities (Strict)`
			`policies.kyverno.io/category: Pod Security Standards (Restricted)`
			`{{- if .Values.podSecuritySeverity }}`
			`policies.kyverno.io/severity: {{ .Values.podSecuritySeverity \| quote }}`
			`{{- end }}`
			`policies.kyverno.io/minversion: 1.6.0`
			`kyverno.io/kyverno-version: 1.6.0`
			`kyverno.io/kubernetes-version: "1.22-1.23"`
			`policies.kyverno.io/subject: Pod`
			`policies.kyverno.io/description: >-`
			Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition,
			all containers must explicitly drop `ALL` capabilities.
			`spec:`
			`validationFailureAction: {{ .Values.validationFailureAction }}`
			`background: true`
			`rules:`
			`- name: require-drop-all`
			`match:`
			`any:`
			`- resources:`
			`kinds:`
			`- Pod`
			`{{- with merge (index .Values "policyExclude" "require-drop-all") (index .Values "policyExclude" $name) }}`
			`exclude:`
			`{{- toYaml . \| nindent 8 }}`
			`{{- end }}`
			`preconditions:`
			`all:`
			- key: "{{`{{ request.operation }}`}}"
			`operator: NotEquals`
			`value: DELETE`
			`validate:`
			`message: >-`
			Containers must drop `ALL` capabilities.
			`foreach:`
			`- list: request.object.spec.[ephemeralContainers, initContainers, containers][]`
			`deny:`
			`conditions:`
			`all:`
			`- key: ALL`
			`operator: AnyNotIn`
			value: "{{`{{ element.securityContext.capabilities.drop \|\| '' }}`}}"
			`- name: adding-capabilities-strict`
			`match:`
			`any:`
			`- resources:`
			`kinds:`
			`- Pod`
			`{{- with merge (index .Values "policyExclude" "adding-capabilities-strict") (index .Values "policyExclude" $name) }}`
			`exclude:`
			`{{- toYaml . \| nindent 8 }}`
			`{{- end }}`
			`preconditions:`
			`all:`
			- key: "{{`{{ request.operation }}`}}"
			`operator: NotEquals`
			`value: DELETE`
			`validate:`
			`message: >-`
			`Any capabilities added other than NET_BIND_SERVICE are disallowed.`
			`foreach:`
			`- list: request.object.spec.[ephemeralContainers, initContainers, containers][]`
			`deny:`
			`conditions:`
			`all:`
			- key: "{{`{{ element.securityContext.capabilities.add[] \|\| '' }}`}}"
			`operator: AnyNotIn`
			`value:`
			`- NET_BIND_SERVICE`
			`- ''`
			`{{- end }}`