diff --git a/charts/kyverno-policies/README.md b/charts/kyverno-policies/README.md
index 3c0552bb42..d7113e8555 100644
--- a/charts/kyverno-policies/README.md
+++ b/charts/kyverno-policies/README.md
@@ -70,6 +70,7 @@ The command removes all the Kubernetes components associated with the chart and
 | validationFailureAction | string | `"audit"` | Validation failure action (`audit`, `enforce`). For more info https://kyverno.io/docs/writing-policies/validate. |
 | validationFailureActionOverrides | object | `{"all":[]}` | Define validationFailureActionOverrides for specific policies. The overrides for `all` will apply to all policies. |
 | policyExclude | object | `{}` | Exclude resources from individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. |
+| policyPreconditions | object | `{}` | Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map. |
 | nameOverride | string | `nil` | Name override. |
 | customLabels | object | `{}` | Additional labels. |
 | background | bool | `true` | Policies background mode |
diff --git a/charts/kyverno-policies/ci/test-preconditions.yaml b/charts/kyverno-policies/ci/test-preconditions.yaml
new file mode 100644
index 0000000000..082d7c8fac
--- /dev/null
+++ b/charts/kyverno-policies/ci/test-preconditions.yaml
@@ -0,0 +1,14 @@
+podSecurityStandard: restricted
+includeOtherPolicies:
+- require-non-root-groups
+policyPreconditions:
+  require-run-as-non-root-user:
+    any:
+    - key: "{{ request.object.metadata.name }}"
+      operator: NotEquals
+      value: "dcgm-exporter*"
+  adding-capabilities-strict:
+    any:
+    - key: "{{ request.object.metadata.name }}"
+      operator: NotEquals
+      value: "dcgm-exporter*"
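Review bot: The new ci values file only renders rule-keyed `any` entries; a policy-keyed entry (e.g. `disallow-capabilities-strict:`) and the combination of a rule-keyed and a policy-keyed entry for the same policy, which is the case the `merge` calls in the multi-rule templates exist for, are never exercised. Adding a policy-keyed entry next to `adding-capabilities-strict`, such as `disallow-capabilities-strict: {all: [{key: "{{ request.operation }}", operator: NotEquals, value: DELETE}]}` (constructed example), would cover the merge path and would also keep the DELETE guard that this commit drops from that policy's rules. The policy key for the first entry is `require-run-as-non-root-user`, which is a single-rule policy, so it only covers the plain `index` path.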
diff --git a/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml b/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
index b9ce12e263..7395b70b89 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
@@ -34,6 +34,10 @@ spec:
       exclude:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with index .Values "policyPreconditions" $name }}
+      preconditions:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       validate:
         message: >-
           Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
index 220639c41f..6210b59d2d 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
@@ -35,6 +35,10 @@ spec:
       exclude:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with index .Values "policyPreconditions" $name }}
+      preconditions:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       validate:
         message: >-
           Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
index c9b30e4d51..4a3f270542 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
@@ -34,6 +34,10 @@ spec:
       exclude:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with index .Values "policyPreconditions" $name }}
+      preconditions:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       validate:
         message: >-
           HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.
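Review bot: The four-line `{{- with index .Values "policyPreconditions" $name }}` … `{{- end }}` block added in disallow-capabilities.yaml is pasted verbatim into every other single-rule template in this commit, and the multi-rule templates carry a `merge` variant of it; a named template defined once in the chart and invoked with the rule key would keep the sixteen copies from drifting the next time the lookup changes. The `policyExclude` block directly above follows the same copy pattern, so this is a style choice rather than a defect, but the commit doubles the amount of duplicated lookup logic. If the duplication stays, the three lines between `preconditions:` and `{{- end }}` should at least match the existing `exclude:` block's indentation exactly, which is what the `nindent 8` depends on.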
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
index d2ee1a3dcb..48afcc71f3 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
@@ -34,6 +34,10 @@ spec:
       exclude:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with index .Values "policyPreconditions" $name }}
+      preconditions:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       validate:
         message: >-
           Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
index af59f3b48e..b71547aab5 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
@@ -35,6 +35,10 @@ spec:
       exclude:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with index .Values "policyPreconditions" $name }}
+      preconditions:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       validate:
         message: >-
           HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess,
diff --git a/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml b/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
index cb62797603..c21b1e1777 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
@@ -33,6 +33,10 @@ spec:
       exclude:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with index .Values "policyPreconditions" $name }}
+      preconditions:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       validate:
         message: >-
           Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
diff --git a/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml b/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
index 20d686bab2..7336eca151 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
@@ -35,6 +35,10 @@ spec:
       exclude:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with index .Values "policyPreconditions" $name }}
+      preconditions:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       validate:
         message: >-
           Changing the proc mount from the default is not allowed. The fields
diff --git a/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml b/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
index ccd065cb0d..dfb3e64871 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
@@ -33,6 +33,10 @@ spec:
       exclude:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with merge (index .Values "policyPreconditions" "selinux-type") (index .Values "policyPreconditions" $name) }}
+      preconditions:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       validate:
         message: >-
           Setting the SELinux type is restricted. The fields
@@ -66,6 +70,10 @@ spec:
       exclude:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with merge (index .Values "policyPreconditions" "selinux-user-role") (index .Values "policyPreconditions" $name) }}
+      preconditions:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       validate:
         message: >-
           Setting the SELinux user or role is forbidden. The fields
diff --git a/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml b/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
index 60fed1d2b7..e3fc774812 100644
--- a/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
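Review bot: `merge (index .Values "policyPreconditions" "selinux-type") (index .Values "policyPreconditions" $name)` in the disallow-selinux hunks (and the same construct in the require-non-root-groups and disallow-capabilities-strict hunks) is a deep merge in which the first argument wins per key and lists are not concatenated, so a rule-keyed entry and a policy-keyed entry that both carry an `any` (or `all`) list silently drop the policy-level list rather than combining the conditions; that precedence is not documented anywhere in the commit. As far as I can tell Helm's `merge` also writes the result back into its first argument, i.e. into the map held in `.Values`, which is harmless today because nothing else reads those entries afterwards but is surprising in a template. Merging into a fresh map keeps the same precedence without mutating `.Values`: `{{- with merge (dict) (index .Values "policyPreconditions" "selinux-type") (index .Values "policyPreconditions" $name) }}`, and the values.yaml comment should state that rule-level entries take precedence over policy-level ones for the same key.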
@@ -36,6 +36,10 @@ spec:
       exclude:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with index .Values "policyPreconditions" $name }}
+      preconditions:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       validate:
         message: >-
           Specifying other AppArmor profiles is disallowed. The annotation
diff --git a/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml b/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
index a991bfb831..e593b000a0 100644
--- a/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
@@ -34,6 +34,10 @@ spec:
       exclude:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with index .Values "policyPreconditions" $name }}
+      preconditions:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       validate:
         message: >-
           Use of custom Seccomp profiles is disallowed. The fields
diff --git a/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml b/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
index 7932aded6f..8ade370fbb 100644
--- a/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
@@ -37,6 +37,10 @@ spec:
       exclude:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with index .Values "policyPreconditions" $name }}
+      preconditions:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       validate:
         message: >-
           Setting additional sysctls above the allowed type is disallowed.
diff --git a/charts/kyverno-policies/templates/other/require-non-root-groups.yaml b/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
index 717c7e16ff..3aceadf45e 100644
--- a/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
+++ b/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
@@ -35,6 +35,10 @@ spec:
       exclude:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with merge (index .Values "policyPreconditions" "check-runasgroup") (index .Values "policyPreconditions" $name) }}
+      preconditions:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       validate:
         message: >-
           Running with root group IDs is disallowed. The fields
@@ -75,6 +79,10 @@ spec:
       exclude:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with merge (index .Values "policyPreconditions" "check-supplementalgroups") (index .Values "policyPreconditions" $name) }}
+      preconditions:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       validate:
         message: >-
           Containers cannot run with a root primary or supplementary GID. The field
diff --git a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
index 8db59d8d67..39e13a4635 100644
--- a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
+++ b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
@@ -35,11 +35,10 @@ spec:
       exclude:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with merge (index .Values "policyPreconditions" "require-drop-all") (index .Values "policyPreconditions" $name) }}
       preconditions:
-        all:
-        - key: "{{`{{ request.operation }}`}}"
-          operator: NotEquals
-          value: DELETE
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       validate:
         message: >-
           Containers must drop `ALL` capabilities.
@@ -61,11 +60,10 @@ spec:
       exclude:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with merge (index .Values "policyPreconditions" "adding-capabilities-strict") (index .Values "policyPreconditions" $name) }}
       preconditions:
-        all:
-        - key: "{{`{{ request.operation }}`}}"
-          operator: NotEquals
-          value: DELETE
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       validate:
         message: >-
           Any capabilities added other than NET_BIND_SERVICE are disallowed.
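Review bot: Both disallow-capabilities-strict hunks delete the hard-coded `all: [request.operation NotEquals DELETE]` precondition and replace it with a block that only renders when `policyPreconditions` supplies something; with the chart's default `policyPreconditions: {}` both `index` lookups return nil, the `with` is skipped, and the `require-drop-all` and `adding-capabilities-strict` rules are rendered without the DELETE guard they had before this commit, for every existing user and regardless of whether they ever set the new value. The other templates in this commit never had that guard, so they are unaffected; this one changes the rendered ClusterPolicy rather than merely adding an option. Keeping the old guard as the lowest-precedence layer of the merge preserves the current output and still lets values override or extend it: `{{- $onDelete := dict "all" (list (dict "key" "{{ request.operation }}" "operator" "NotEquals" "value" "DELETE")) }}` followed by `{{- with merge (dict) (index .Values "policyPreconditions" "require-drop-all") (index .Values "policyPreconditions" $name) $onDelete }}`, with the same change using `"adding-capabilities-strict"` in the second hunk. If dropping the guard is intended, the commit message and the values.yaml comment should say so, because a user enabling `enforce` will see a behaviour change on DELETE requests they did not configure.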
diff --git a/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml b/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
index 5ea694886a..b95bf4acb0 100644
--- a/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
+++ b/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
@@ -33,6 +33,10 @@ spec:
       exclude:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with index .Values "policyPreconditions" $name }}
+      preconditions:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       validate:
         message: >-
           Privilege escalation is disallowed. The fields
diff --git a/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml b/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
index 89f331d694..b2b23e2e88 100644
--- a/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
+++ b/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
@@ -33,6 +33,10 @@ spec:
       exclude:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with index .Values "policyPreconditions" $name }}
+      preconditions:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       validate:
         message: >-
           Running as root is not allowed. The fields spec.securityContext.runAsUser,
diff --git a/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml b/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
index 9006b9216e..d632652665 100644
--- a/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
+++ b/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
@@ -34,6 +34,10 @@ spec:
       exclude:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with index .Values "policyPreconditions" $name }}
+      preconditions:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       validate:
         message: >-
           Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot
diff --git a/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml b/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
index df03d73838..fb67c664fd 100644
--- a/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
+++ b/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
@@ -36,6 +36,10 @@ spec:
       exclude:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with index .Values "policyPreconditions" $name }}
+      preconditions:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       validate:
         message: >-
           Use of custom Seccomp profiles is disallowed. The fields
diff --git a/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml b/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
index 7cf3c71dbb..c5b05764c9 100644
--- a/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
+++ b/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
@@ -36,6 +36,10 @@ spec:
       exclude:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with index .Values "policyPreconditions" $name }}
+      preconditions:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       validate:
         message: >-
           Only the following types of volumes may be used: configMap, csi, downwardAPI,
diff --git a/charts/kyverno-policies/values.yaml b/charts/kyverno-policies/values.yaml
index 1f4df4d84d..c778ad63c1 100644
--- a/charts/kyverno-policies/values.yaml
+++ b/charts/kyverno-policies/values.yaml
@@ -48,6 +48,21 @@ policyExclude: {}
   #       - Pod
   #       namespaces:
   #       - kube-system
+# -- Add preconditions to individual policies.
+# Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map.
+policyPreconditions: {}
+  # # Exclude resources from individual policies
+  # require-run-as-non-root-user:
+  #   any:
+  #   - key: "{{ request.object.metadata.name }}"
+  #     operator: NotEquals
+  #     value: "dcgm-exporter*"
+  # # Policies with multiple rules can have individual rules excluded
+  # adding-capabilities-strict:
+  #   any:
+  #   - key: "{{ request.object.metadata.name }}"
+  #     operator: NotEquals
+  #     value: "dcgm-exporter*"
 # -- Name override.
 nameOverride:
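Review bot: The `# --` doc comment on `policyPreconditions` says rules "can have individual rules excluded", which is the `policyExclude` sentence copied unchanged; preconditions do not exclude anything, they add conditions under which a rule is evaluated, and the same wrong sentence has been carried into the README table row, which looks like helm-docs output from this comment. Suggested wording: `# -- Add preconditions to individual policies.` / `# Policies with multiple rules can have preconditions added to a single rule by using the name of the rule as the key in the `policyPreconditions` map; an entry keyed by the policy name applies to every rule of that policy, and for the same key a rule-level entry takes precedence over the policy-level one.` The two inline example comments (`# # Exclude resources from individual policies` and `# # Policies with multiple rules can have individual rules excluded`) have the same problem and a doubled `# #`; they should read `# Add preconditions to individual policies` and `# Policies with multiple rules can target a single rule by its name`. Regenerating the README after the comment is fixed removes the need to touch the table by hand.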