Merge pull request #436 from nirmata/411_no_docker_sock_mount

411 no docker sock mount

pkg/testrunner/testrunner_test.go

@@ -115,7 +115,10 @@ func Test_validate_disallow_host_filesystem_fail(t *testing.T) {
 func Test_validate_disallow_host_filesystem_pass(t *testing.T) {
 	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml")
 }
-
 func Test_validate_disallow_new_capabilities(t *testing.T) {
 	testScenario(t, "/test/scenarios/samples/best_practices/scenario_validate_disallow_new_capabilities.yaml")
 }
+
+func Test_validate_disallow_docker_sock_mount(t *testing.T) {
+	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml")
+}

samples/DisallowDockerSockMount.md

@@ -0,0 +1,35 @@
+# Disallow Docker socket bind mount
+
+The Docker socket bind mount allows access to the 
+Docker daemon on the node. This access can be used for privilege escalation and 
+to manage containers outside of Kubernetes, and hence should not be allowed.  
+
+## Policy YAML 
+
+[disallow_docker_sock_mount.yaml](best_practices/disallow_docker_sock_mount.yaml) 
+
+````yaml
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: disallow-docker-sock-mount
+  annotations:
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/description: The Docker socket bind mount allows access to the 
+      Docker daemon on the node. This access can be used for privilege escalation and 
+      to manage containers outside of Kubernetes, and hence should not be allowed.  
+spec:
+  rules:
+  - name: validate-docker-sock-mount
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Use of the Docker Unix socket is not allowed"
+      pattern:
+        spec:
+          =(volumes):
+            =(hostPath):
+              path: "!/var/run/docker.sock"
+````

samples/README.md

@@ -41,25 +41,26 @@ These policies are highly recommended.
 3. [Disallow new capabilities](DisallowNewCapabilities.md)
 4. [Require Read-only root filesystem](RequireReadOnlyFS.md)
 5. [Disallow use of bind mounts (`hostPath` volumes)](DisallowHostFS.md)
-6. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md)
+6. [Disallow docker socket bind mount](DisallowDockerSockMount.md)
-7. [Disallow `hostPID` and `hostIPC`](DisallowHostPIDIPC.md)
+7. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md)
-8. [Disallow unknown image registries](DisallowUnknownRegistries.md)
+8. [Disallow `hostPID` and `hostIPC`](DisallowHostPIDIPC.md)
-8. [Disallow latest image tag](DisallowLatestTag.md)
+9. [Disallow unknown image registries](DisallowUnknownRegistries.md)
-10. [Disallow use of default namespace](DisallowDefaultNamespace.md)
+10. [Disallow latest image tag](DisallowLatestTag.md)
-11. [Require namespace limits and quotas](RequireNSLimitsQuotas.md)
+11. [Disallow use of default namespace](DisallowDefaultNamespace.md)
-12. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
+12. [Require namespace limits and quotas](RequireNSLimitsQuotas.md)
-13. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
+13. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
-14. [Default deny all ingress traffic](DefaultDenyAllIngress.md)
+14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
+15. [Default deny all ingress traffic](DefaultDenyAllIngress.md)
 
 
 ## Additional Policies
 
 The policies provide additional best practices and are worthy of close consideration. These policies may require workload specific changes. 
 
-15. [Limit use of `NodePort` services](LimitNodePort.md)
+16. [Limit use of `NodePort` services](LimitNodePort.md)
-16. [Limit automount of Service Account credentials](DisallowAutomountSACredentials.md)
+17. [Limit automount of Service Account credentials](DisallowAutomountSACredentials.md)
-17. [Configure Linux Capabilities](AssignLinuxCapabilities.md)
+18. [Configure Linux Capabilities](AssignLinuxCapabilities.md)
-18. [Limit Kernel parameter access](ConfigureKernelParmeters.md)
+19. [Limit Kernel parameter access](ConfigureKernelParmeters.md)
 
 
 

samples/best_practices/disallow_docker_sock_mount.yaml

@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: disallow-docker-sock-mount
+  annotations:
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/description: The Docker socket bind mount allows access to the 
+      Docker daemon on the node. This access can be used for privilege escalation and 
+      to manage containers outside of Kubernetes, and hence should not be allowed.  
+spec:
+  rules:
+  - name: validate-docker-sock-mount
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Use of the Docker Unix socket is not allowed"
+      pattern:
+        spec:
+          =(volumes):
+            =(hostPath):
+              path: "!/var/run/docker.sock"

test/resources/disallow_docker_sock_mount.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod-with-docker-sock-mount
+spec:
+  containers:
+   - name: myshell
+     image: "ubuntu:18.04"
+     command:
+       - /bin/sleep
+       - "300"
+  volumes:
+  - name: dockersock
+    hostPath:
+      path: /var/run/docker.sock

test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml

@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+  policy: samples/best_practices/disallow_docker_sock_mount.yaml
+  resource: test/resources/disallow_docker_sock_mount.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: disallow-docker-sock-mount
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: pod-with-docker-sock-mount
+      rules:
+        - name: validate-docker-sock-mount
+          type: Validation
+          message: Validation rule 'validate-docker-sock-mount' failed at '/spec/volumes/' for resource Pod//pod-with-docker-sock-mount. Use of the Docker Unix socket is not allowed
+          success: false