Merge pull request #434 from nirmata/410_no_new_capabilities

410 no new capabilities

pkg/testrunner/testrunner_test.go

@@ -115,3 +115,7 @@ func Test_validate_disallow_host_filesystem_fail(t *testing.T) {
 func Test_validate_disallow_host_filesystem_pass(t *testing.T) {
 	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml")
 }
+
+func Test_validate_disallow_new_capabilities(t *testing.T) {
+	testScenario(t, "/test/scenarios/samples/best_practices/scenario_validate_disallow_new_capabilities.yaml")
+}

samples/DisallowNewCapabilities.md

@@ -0,0 +1,45 @@
+# Disallow new capabilities
+
+Linux allows defining fine-grained permissions using
+capabilities. With Kubernetes, it is possible to add capabilities that escalate the
+level of kernel access and allow other potentially dangerous behaviors. This policy 
+enforces that pods cannot add new capabilities. Other policies can be used to set 
+default capabilities. 
+
+## Policy YAML
+
+[disallow_new_capabilities.yaml](best_practices/disallow_new_capabilities.yaml)
+
+````yaml
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: validate-new-capabilities
+  annotations:
+    policies.kyverno.io/category: Security Context
+    policies.kyverno.io/description: Linux allows defining fine-grained permissions using
+      capabilities. With Kubernetes, it is possible to add capabilities that escalate the
+      level of kernel access and allow other potentially dangerous behaviors. This policy 
+      enforces that pods cannot add new capabilities. Other policies can be used to set 
+      default capabilities. 
+spec:
+  rules:
+  - name: deny-new-capabilities
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Capabilities cannot be added"
+      anyPattern:
+      - spec:
+        =(securityContext):
+          =(capabilities):
+            X(add): null
+      - spec:
+          containers:
+          - name: "*"
+            =(securityContext):
+              =(capabilities):
+                X(add): null
+````

samples/README.md

@@ -38,27 +38,28 @@ These policies are highly recommended.
 
 1. [Run as non-root user](RunAsNonRootUser.md)
 2. [Disable privileged containers and disallow privilege escalation](DisablePrivilegedContainers.md)
-3. [Require Read-only root filesystem](RequireReadOnlyFS.md)
-4. [Disallow use of bind mounts (`hostPath` volumes)](DisallowHostFS.md)
-5. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md)
-6. [Disallow `hostPID` and `hostIPC`](DisallowHostPIDIPC.md)
-7. [Disallow unknown image registries](DisallowUnknownRegistries.md)
+3. [Disallow new capabilities](DisallowNewCapabilities.md)
+4. [Require Read-only root filesystem](RequireReadOnlyFS.md)
+5. [Disallow use of bind mounts (`hostPath` volumes)](DisallowHostFS.md)
+6. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md)
+7. [Disallow `hostPID` and `hostIPC`](DisallowHostPIDIPC.md)
+8. [Disallow unknown image registries](DisallowUnknownRegistries.md)
 8. [Disallow latest image tag](DisallowLatestTag.md)
-9. [Disallow use of default namespace](DisallowDefaultNamespace.md)
-10. [Require namespace limits and quotas](RequireNSLimitsQuotas.md)
-11. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
-12. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
-13. [Default deny all ingress traffic](DefaultDenyAllIngress.md)
+10. [Disallow use of default namespace](DisallowDefaultNamespace.md)
+11. [Require namespace limits and quotas](RequireNSLimitsQuotas.md)
+12. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
+13. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
+14. [Default deny all ingress traffic](DefaultDenyAllIngress.md)
 
 
 ## Additional Policies
 
 The policies provide additional best practices and are worthy of close consideration. These policies may require workload specific changes. 
 
-14. [Limit use of `NodePort` services](LimitNodePort.md)
-15. [Limit automount of Service Account credentials](DisallowAutomountSACredentials.md)
-16. [Configure Linux Capabilities](AssignLinuxCapabilities.md)
-17. [Limit Kernel parameter access](ConfigureKernelParmeters.md)
+15. [Limit use of `NodePort` services](LimitNodePort.md)
+16. [Limit automount of Service Account credentials](DisallowAutomountSACredentials.md)
+17. [Configure Linux Capabilities](AssignLinuxCapabilities.md)
+18. [Limit Kernel parameter access](ConfigureKernelParmeters.md)
 
 
 

samples/best_practices/disallow_new_capabilities.yaml

@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: validate-new-capabilities
+  annotations:
+    policies.kyverno.io/category: Security Context
+    policies.kyverno.io/description: Linux allows defining fine-grained permissions using
+      capabilities. With Kubernetes, it is possible to add capabilities that escalate the
+      level of kernel access and allow other potentially dangerous behaviors. This policy 
+      enforces that pods cannot add new capabilities. Other policies can be used to set 
+      default capabilities. 
+spec:
+  rules:
+  - name: deny-new-capabilities
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Capabilities cannot be added"
+      anyPattern:
+      - spec:
+        =(securityContext):
+          =(capabilities):
+            X(add): null
+      - spec:
+          containers:
+          - name: "*"
+            =(securityContext):
+              =(capabilities):
+                X(add): null

test/resources/disallow_new_capabilities.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: add-new-capabilities
+spec:
+ containers:
+   - name: add-new-capabilities
+     image: "ubuntu:18.04"
+     command:
+       - /bin/sleep
+       - "300"
+     securityContext:
+       capabilities:
+         add:
+           - NET_ADMIN

test/scenarios/samples/best_practices/scenario_validate_disallow_new_capabilities.yaml

@@ -0,0 +1,18 @@
+# file path relative to project root
+input:  
+  policy: samples/best_practices/disallow_new_capabilities.yaml
+  resource: test/resources/disallow_new_capabilities.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: validate-new-capabilities
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: "add-new-capabilities"
+      rules:
+        - name: deny-new-capabilities
+          type: Validation
+          message: Validation rule 'deny-new-capabilities' failed to validate patterns defined in anyPattern. Capabilities cannot be added; anyPattern[0] failed at path /spec/; anyPattern[1] failed at path /spec/containers/0/securityContext/capabilities/add/
+          success: false