From 9930ba249df1995547241f6a9af0dd2822b384dc Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Fri, 1 Nov 2019 13:31:08 -0700
Subject: [PATCH 1/3] add policy and test case
---
 pkg/testrunner/testrunner_test.go | 4 +++
 samples/DisallowDockerSockMount.md | 35 +++++++++++++++++++
 .../disallow_docker_sock_mount.yaml | 23 ++++++++++++
 .../resources/disallow_docker_sock_mount.yaml | 15 ++++++++
 ...o_validate_disallow_docker_sock_mount.yaml | 18 ++++++++++
 5 files changed, 95 insertions(+)
 create mode 100644 samples/DisallowDockerSockMount.md
 create mode 100644 samples/best_practices/disallow_docker_sock_mount.yaml
 create mode 100644 test/resources/disallow_docker_sock_mount.yaml
 create mode 100644 test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml
diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index 588d13c1b2..7cc0045f9f 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -115,3 +115,7 @@ func Test_validate_disallow_host_filesystem_fail(t *testing.T) {
 func Test_validate_disallow_host_filesystem_pass(t *testing.T) {
 testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml")
 }
+
+func Test_validate_disallow_docker_sock_mount(t *testing.T) {
+ testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml")
+}
diff --git a/samples/DisallowDockerSockMount.md b/samples/DisallowDockerSockMount.md
new file mode 100644
index 0000000000..542e11b462
--- /dev/null
+++ b/samples/DisallowDockerSockMount.md
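Review bot: Only the rejecting scenario is wired up for the new policy; the neighbouring policies in this file carry both a `_fail` and a `_pass` test (see `Test_validate_disallow_host_filesystem_pass` in the context), and without a passing case nothing confirms that the policy's `=(volumes)`/`=(hostPath)` conditional anchors admit a Pod that has no volumes or a `hostPath` pointing elsewhere instead of rejecting every Pod. Consider adding `Test_validate_disallow_docker_sock_mount_pass` pointing at a companion scenario file; no such scenario or resource YAML is part of this series. The same hunk is re-sent in PATCH 2/3.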
@@ -0,0 +1,35 @@
+# Disallow Docker socket bind mount
+
+The Docker socket bind mount allows access to the
+Docker daemon on the node. This access can be used for privilege escalation and
+to manage containers outside of Kubernetes, and hence should not be allowed.
+
+## Policy YAML
+
+[disallow_docker_sock_mount.yaml](best_practices/disallow_docker_sock_mount.yaml)
+
+````yaml
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: disallow-docker-sock-mount
+ annotations:
+ policies.kyverno.io/category: Security
+ policies.kyverno.io/description: The Docker socket bind mount allows access to the
+ Docker daemon on the node. This access can be used for privilege escalation and
+ to manage containers outside of Kubernetes, and hence should not be allowed.
+spec:
+ rules:
+ - name: validate-docker-sock-mount
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Use of the Docker Unix socket is not allowed"
+ pattern:
+ spec:
+ (volume):
+ (hostPath):
+ path: "!/var/run/docker.sock"
+````
diff --git a/samples/best_practices/disallow_docker_sock_mount.yaml b/samples/best_practices/disallow_docker_sock_mount.yaml
new file mode 100644
index 0000000000..70053f187c
--- /dev/null
+++ b/samples/best_practices/disallow_docker_sock_mount.yaml
@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: disallow-docker-sock-mount
+ annotations:
+ policies.kyverno.io/category: Security
+ policies.kyverno.io/description: The Docker socket bind mount allows access to the
+ Docker daemon on the node. This access can be used for privilege escalation and
+ to manage containers outside of Kubernetes, and hence should not be allowed.
+spec:
+ rules:
+ - name: validate-docker-sock-mount
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Use of the Docker Unix socket is not allowed"
+ pattern:
+ spec:
+ =(volumes):
+ =(hostPath):
+ path: "!/var/run/docker.sock"
\ No newline at end of file
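Review bot: The rule's `path: "!/var/run/docker.sock"` is a string comparison against one literal, so it blocks the exact spelling rather than the socket: on hosts where `/var/run` is a link to `/run`, a `hostPath` of `/run/docker.sock`, the same path with a trailing slash, or a mount of a parent directory such as `/var/run` reaches the same daemon and passes validation. Either document in the description that this policy is a defense-in-depth complement to the bind-mount policy already listed in the README (`DisallowHostFS.md`) rather than a standalone control, or cover the known aliases of the socket with an additional rule (or `anyPattern`, if this Kyverno version supports it). The same file is added again unchanged in PATCH 2/3.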
diff --git a/test/resources/disallow_docker_sock_mount.yaml b/test/resources/disallow_docker_sock_mount.yaml
new file mode 100644
index 0000000000..1be907f21d
--- /dev/null
+++ b/test/resources/disallow_docker_sock_mount.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod-with-docker-sock-mount
+spec:
+ containers:
+ - name: myshell
+ image: "ubuntu:18.04"
+ command:
+ - /bin/sleep
+ - "300"
+ volumes:
+ - name: dockersock
+ hostPath:
+ path: /var/run/docker.sock
diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml
new file mode 100644
index 0000000000..c8cc01c409
--- /dev/null
+++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml
@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+ policy: samples/best_practices/disallow_docker_sock_mount.yaml
+ resource: test/resources/disallow_docker_sock_mount.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: disallow-docker-sock-mount
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: pod-with-docker-sock-mount
+ rules:
+ - name: validate-docker-sock-mount
+ type: Validation
+ message: Validation rule 'validate-docker-sock-mount' failed at '/spec/volumes/' for resource Pod//pod-with-docker-sock-mount. Use of the Docker Unix socket is not allowed
+ success: false
\ No newline at end of file
From 1323a9a81e4f78e4d4bcf9f3fa89b77aea17cf97 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Fri, 1 Nov 2019 13:31:08 -0700
Subject: [PATCH 2/3] add policy and test case
---
 pkg/testrunner/testrunner_test.go | 5 ++-
 samples/DisallowDockerSockMount.md | 35 +++++++++++++++++++
 .../disallow_docker_sock_mount.yaml | 23 ++++++++++++
 .../resources/disallow_docker_sock_mount.yaml | 15 ++++++++
 ...o_validate_disallow_docker_sock_mount.yaml | 18 ++++++++++
 5 files changed, 95 insertions(+), 1 deletion(-)
 create mode 100644 samples/DisallowDockerSockMount.md
 create mode 100644 samples/best_practices/disallow_docker_sock_mount.yaml
 create mode 100644 test/resources/disallow_docker_sock_mount.yaml
 create mode 100644 test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml
diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index c16d42083a..6842c2c705 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -115,7 +115,10 @@ func Test_validate_disallow_host_filesystem_fail(t *testing.T) {
 func Test_validate_disallow_host_filesystem_pass(t *testing.T) {
 testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml")
 }
-
 func Test_validate_disallow_new_capabilities(t *testing.T) {
 testScenario(t, "/test/scenarios/samples/best_practices/scenario_validate_disallow_new_capabilities.yaml")
 }
+
+func Test_validate_disallow_docker_sock_mount(t *testing.T) {
+ testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml")
+}
diff --git a/samples/DisallowDockerSockMount.md b/samples/DisallowDockerSockMount.md
new file mode 100644
index 0000000000..542e11b462
--- /dev/null
+++ b/samples/DisallowDockerSockMount.md
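Review bot: The single removed line in this hunk is, going by the hunk counts (`-115,7 +115,10` with one deletion in the diffstat), the blank line that separated `Test_validate_disallow_host_filesystem_pass` from `Test_validate_disallow_new_capabilities`, so on the new side those two functions sit back to back while the new test below does get its blank separator. Restore the empty line before `func Test_validate_disallow_new_capabilities` to keep the file's spacing uniform; the deletion appears unrelated to what the commit message describes. The point raised on the PATCH 1/3 version of this hunk, that no passing scenario exercises the policy, applies here as well.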
@@ -0,0 +1,35 @@
+# Disallow Docker socket bind mount
+
+The Docker socket bind mount allows access to the
+Docker daemon on the node. This access can be used for privilege escalation and
+to manage containers outside of Kubernetes, and hence should not be allowed.
+
+## Policy YAML
+
+[disallow_docker_sock_mount.yaml](best_practices/disallow_docker_sock_mount.yaml)
+
+````yaml
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: disallow-docker-sock-mount
+ annotations:
+ policies.kyverno.io/category: Security
+ policies.kyverno.io/description: The Docker socket bind mount allows access to the
+ Docker daemon on the node. This access can be used for privilege escalation and
+ to manage containers outside of Kubernetes, and hence should not be allowed.
+spec:
+ rules:
+ - name: validate-docker-sock-mount
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Use of the Docker Unix socket is not allowed"
+ pattern:
+ spec:
+ (volume):
+ (hostPath):
+ path: "!/var/run/docker.sock"
+````
diff --git a/samples/best_practices/disallow_docker_sock_mount.yaml b/samples/best_practices/disallow_docker_sock_mount.yaml
new file mode 100644
index 0000000000..70053f187c
--- /dev/null
+++ b/samples/best_practices/disallow_docker_sock_mount.yaml
@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: disallow-docker-sock-mount
+ annotations:
+ policies.kyverno.io/category: Security
+ policies.kyverno.io/description: The Docker socket bind mount allows access to the
+ Docker daemon on the node. This access can be used for privilege escalation and
+ to manage containers outside of Kubernetes, and hence should not be allowed.
+spec:
+ rules:
+ - name: validate-docker-sock-mount
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Use of the Docker Unix socket is not allowed"
+ pattern:
+ spec:
+ =(volumes):
+ =(hostPath):
+ path: "!/var/run/docker.sock"
\ No newline at end of file
diff --git a/test/resources/disallow_docker_sock_mount.yaml b/test/resources/disallow_docker_sock_mount.yaml
new file mode 100644
index 0000000000..1be907f21d
--- /dev/null
+++ b/test/resources/disallow_docker_sock_mount.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod-with-docker-sock-mount
+spec:
+ containers:
+ - name: myshell
+ image: "ubuntu:18.04"
+ command:
+ - /bin/sleep
+ - "300"
+ volumes:
+ - name: dockersock
+ hostPath:
+ path: /var/run/docker.sock
diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml
new file mode 100644
index 0000000000..c8cc01c409
--- /dev/null
+++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml
@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+ policy: samples/best_practices/disallow_docker_sock_mount.yaml
+ resource: test/resources/disallow_docker_sock_mount.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: disallow-docker-sock-mount
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: pod-with-docker-sock-mount
+ rules:
+ - name: validate-docker-sock-mount
+ type: Validation
+ message: Validation rule 'validate-docker-sock-mount' failed at '/spec/volumes/' for resource Pod//pod-with-docker-sock-mount. Use of the Docker Unix socket is not allowed
+ success: false
\ No newline at end of file
From 53aceab929ae95e9c821c5a6d3e325f066f7be21 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Fri, 1 Nov 2019 15:23:42 -0700
Subject: [PATCH 3/3] update README.md and markdown
---
 samples/DisallowDockerSockMount.md | 4 ++--
 samples/README.md | 27 ++++++++++++++-------------
 2 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/samples/DisallowDockerSockMount.md b/samples/DisallowDockerSockMount.md
index 542e11b462..330772a40f 100644
--- a/samples/DisallowDockerSockMount.md
+++ b/samples/DisallowDockerSockMount.md
@@ -29,7 +29,7 @@ spec:
 message: "Use of the Docker Unix socket is not allowed"
 pattern:
 spec:
- (volume):
- (hostPath):
+ =(volumes):
+ =(hostPath):
 path: "!/var/run/docker.sock"
 ````
diff --git a/samples/README.md b/samples/README.md
index af19e1b491..e48921df3c 100644
--- a/samples/README.md
+++ b/samples/README.md
@@ -41,25 +41,26 @@ These policies are highly recommended.
 3. [Disallow new capabilities](DisallowNewCapabilities.md)
 4. [Require Read-only root filesystem](RequireReadOnlyFS.md)
 5. [Disallow use of bind mounts (`hostPath` volumes)](DisallowHostFS.md)
-6. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md)
-7. [Disallow `hostPID` and `hostIPC`](DisallowHostPIDIPC.md)
-8. [Disallow unknown image registries](DisallowUnknownRegistries.md)
-8. [Disallow latest image tag](DisallowLatestTag.md)
-10. [Disallow use of default namespace](DisallowDefaultNamespace.md)
-11. [Require namespace limits and quotas](RequireNSLimitsQuotas.md)
-12. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
-13. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
-14. [Default deny all ingress traffic](DefaultDenyAllIngress.md)
+6. [Disallow docker socket bind mount](DisallowDockerSockMount.md)
+7. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md)
+8. [Disallow `hostPID` and `hostIPC`](DisallowHostPIDIPC.md)
+9. [Disallow unknown image registries](DisallowUnknownRegistries.md)
+10. [Disallow latest image tag](DisallowLatestTag.md)
+11. [Disallow use of default namespace](DisallowDefaultNamespace.md)
+12. [Require namespace limits and quotas](RequireNSLimitsQuotas.md)
+13. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
+14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
+15. [Default deny all ingress traffic](DefaultDenyAllIngress.md)
 ## Additional Policies
 The policies provide additional best practices and are worthy of close consideration. These policies may require workload specific changes.
-15. [Limit use of `NodePort` services](LimitNodePort.md)
-16. [Limit automount of Service Account credentials](DisallowAutomountSACredentials.md)
-17. [Configure Linux Capabilities](AssignLinuxCapabilities.md)
-18. [Limit Kernel parameter access](ConfigureKernelParmeters.md)
+16. 
[Limit use of `NodePort` services](LimitNodePort.md)
+17. [Limit automount of Service Account credentials](DisallowAutomountSACredentials.md)
+18. [Configure Linux Capabilities](AssignLinuxCapabilities.md)
+19. [Limit Kernel parameter access](ConfigureKernelParmeters.md)