add disallow_sysctl and move policies

pkg/testrunner/testrunner_test.go

@@ -68,10 +68,6 @@ func Test_validate_disallow_default_serviceaccount(t *testing.T) {
 	testScenario(t, "test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml")
 }
 
-func Test_validate_fsgroup(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/more/scenario_validate_fsgroup.yaml")
-}
-
 func Test_validate_selinux_context(t *testing.T) {
 	testScenario(t, "test/scenarios/other/scenario_validate_selinux_context.yaml")
 }
@@ -80,14 +76,6 @@ func Test_validate_proc_mount(t *testing.T) {
 	testScenario(t, "test/scenarios/other/scenario_validate_default_proc_mount.yaml")
 }
 
-func Test_validate_container_capabilities(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/more/scenario_validate_container_capabilities.yaml")
-}
-
-func Test_validate_disallow_sysctl(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/more/scenario_validate_sysctl_configs.yaml")
-}
-
 func Test_validate_volume_whitelist(t *testing.T) {
 	testScenario(t, "test/scenarios/other/scenario_validate_volume_whiltelist.yaml")
 }
@@ -116,8 +104,12 @@ func Test_validate_disallow_new_capabilities(t *testing.T) {
 	testScenario(t, "/test/scenarios/samples/best_practices/disallow_new_capabilities.yaml")
 }
 
+func Test_validate_disallow_sysctls(t *testing.T) {
+	testScenario(t, "/test/scenarios/samples/best_practices/disallow_new_capabilities.yaml")
+}
+
 func Test_validate_disallow_docker_sock_mount(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/best_practices/disallow_docker_sock_mount.yaml")
+	testScenario(t, "test/scenarios/samples/best_practices/disallow_sysctls.yaml")
 }
 
 func Test_validate_disallow_helm_tiller(t *testing.T) {

samples/ConfigureKernelParmeters.md

@@ -1,34 +0,0 @@
-# Configure kernel parameters
-
-The Sysctl interface allows to modify kernel parameters at runtime and in the pod can be specified under `securityContext.sysctls`. If kernel parameters in the pod are to be modified, should be handled cautiously, and policy with rules restricting these options will be helpful. We can control minimum and maximum port that a network connection can use as its source(local) port by checking net.ipv4.ip_local_port_range
-
-## Policy YAML
-
-[policy_validate_sysctl_configs.yaml](more/policy_validate_sysctl_configs.yaml)
-
-````yaml
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: validate-allow-portrange-with-sysctl
-spec:
-  rules:
-  - name: allow-portrange-with-sysctl
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "Allowed port range is from 1024 to 65535"
-      pattern:
-        spec:
-          securityContext:
-            sysctls: 
-            - name: net.ipv4.ip_local_port_range
-              value: "1024 65535"
-````
-
-
-## Additional Information
-
-* [List of supported namespaced sysctl interfaces](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/) 

samples/DisallowSysctls.md

@@ -0,0 +1,32 @@
+# Disallow changes to kernel parameters
+
+The Sysctl interface allows modifications to kernel parameters at runtime. In a Kubernetes pod these parameters can be specified under `securityContext.sysctls`. Kernel parameter modifications can be used for exploits and should be restricted.
+
+## Additional Information
+
+* [List of supported namespaced sysctl interfaces](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/) 
+
+
+## Policy YAML
+
+[disallow_sysctl.yaml](best_practices/disallow_sysctl.yaml)
+
+````yaml
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: disallow-sysctls
+spec:
+  rules:
+  - name: validate-sysctls
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Changes to kernel paramaters are not allowed"
+      pattern:
+        spec:
+          securityContext:
+            X(sysctls): null
+````

samples/README.md

@@ -39,7 +39,7 @@ These policies are highly recommended.
 1. [Disallow root user](DisallowRootUser.md)
 2. [Disallow privileged containers](DisallowPrivilegedContainers.md)
 3. [Disallow new capabilities](DisallowNewCapabilities.md)
-4. [Require read-only root filesystem](RequireReadOnlyRootFS.md)
+4. [Disallow kernel parameter changes](DisallowSysctls.md)
 5. [Disallow use of bind mounts (`hostPath` volumes)](DisallowHostFS.md)
 6. [Disallow docker socket bind mount](DisallowDockerSockMount.md)
 7. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md)
@@ -47,11 +47,12 @@ These policies are highly recommended.
 9. [Disallow use of default namespace](DisallowDefaultNamespace.md)
 10. [Disallow latest image tag](DisallowLatestTag.md)
 11. [Disallow Helm Tiller](DisallowHelmTiller.md)
-12. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
-13. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
-14. [Add default network policy](DefaultDenyAllIngress.md)
-15. [Add namespace resource quotas](AddNamespaceResourceQuota.md)
-16. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](AddSafeToEvict.md)
+12. [Require read-only root filesystem](RequireReadOnlyRootFS.md)
+13. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
+14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
+15. [Add default network policy](DefaultDenyAllIngress.md)
+16. [Add namespace resource quotas](AddNamespaceResourceQuota.md)
+17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](AddSafeToEvict.md)
 
 ## Additional Policies
 
@@ -60,6 +61,4 @@ The policies provide additional best practices and are worthy of close considera
 17. [Restrict image registries](RestrictImageRegistries.md)
 18. [Restrict `NodePort` services](RestrictNodePort.md)
 19. [Restrict auto-mount of service account credentials](RestrictAutomountSAToken.md)
-20. [Restrict Linux Capabilities](RestrictLinuxCapabilities.md)
-21. [Restrict kernel parameter access](ConfigureKernelParmeters.md)
-22. [Restrict ingress classes](KnownIngressClass.md)
+20. [Restrict ingress classes](KnownIngressClass.md)

samples/RestrictLinuxCapabilities.md

@@ -1,36 +0,0 @@
-# Restrict Linux capabilities
-
-Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled or disabled by listing them in `securityContext.capabilites`. A best practice is to limit the allowed capabilities to a minimal required set for each pod.
-
-## Additional Information
-
-* [List of linux capabilities](https://github.com/torvalds/linux/blob/master/include/uapi/linux/capability.h)
-
-
-## Policy YAML
-
-[restrict_capabilities.yaml](more/restrict_capabilities.yaml)
-
-````yaml
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: restrict-capabilities
-spec:
-  rules:
-  - name: validate-container-capablities
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "Allow select linux capabilities"
-      pattern:
-        spec:
-          containers:
-          - securityContext:
-              capabilities:
-                add: ["NET_ADMIN"]
-
-````
-

samples/best_practices/disallow_sysctl.yaml

@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: disallow-sysctls
+  annotations:
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/description: The Sysctl interface allows modifications to kernel parameters 
+      at runtime. In a Kubernetes pod these parameters can be specified under `securityContext.sysctls`. 
+      Kernel parameter modifications can be used for exploits and should be restricted.
+spec:
+  rules:
+  - name: validate-sysctls
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Changes to kernel paramaters are not allowed"
+      pattern:
+        spec:
+          securityContext:
+            X(sysctls): null

test/scenarios/samples/best_practices/disallow_sysctls.yaml

@@ -0,0 +1,18 @@
+
+# file path relative to project root
+input:
+  policy: samples/best_practices/disallow_sysctls.yaml
+  resource: test/resources/resource_validate_sysctl_configs.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: disallow-sysctls
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: nginx
+      rules:
+        - name: validate-sysctls
+          type: Validation
+          success: false

test/scenarios/samples/more/scenario_validate_container_capabilities.yaml

@@ -1,19 +0,0 @@
-
-# file path relative to project root
-input:
-  policy: samples/more/policy_validate_container_capabilities.yaml
-  resource: test/resources/resource_validate_container_capabilities.yaml
-expected:
-  validation:
-    policyresponse:
-      policy: validate-container-capablities
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: add-capabilities
-      rules:
-        - name: validate-container-capablities
-          type: Validation
-          message: "Validation error: Allow certain linux capability\nValidation rule 'validate-container-capablities' failed at path '/spec/containers/0/securityContext/capabilities/add/0/'."
-          success: false

test/scenarios/samples/more/scenario_validate_fsgroup.yaml

@@ -1,27 +0,0 @@
-
-# file path relative to project root
-input:
-  policy: samples/more/policy_validate_user_group_fsgroup_id.yaml
-  resource: test/resources/resource_validate_fsgroup.yaml
-expected:
-  validation:
-    policyresponse:
-      policy: validate-userid-groupid-fsgroup
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: fsgroup-demo
-      rules:
-        - name: validate-userid
-          type: Validation
-          message: Validation rule 'validate-userid' succeeded.
-          success: true
-        - name: validate-groupid
-          type: Validation
-          message: Validation rule 'validate-groupid' succeeded.
-          success: true
-        - name: validate-fsgroup
-          type: Validation
-          message: Validation rule 'validate-fsgroup' succeeded.
-          success: true

test/scenarios/samples/more/scenario_validate_sysctl_configs.yaml

@@ -1,19 +0,0 @@
-
-# file path relative to project root
-input:
-  policy: samples/more/policy_validate_sysctl_configs.yaml
-  resource: test/resources/resource_validate_sysctl_configs.yaml
-expected:
-  validation:
-    policyresponse:
-      policy: validate-allow-portrange-with-sysctl
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: nginx
-      rules:
-        - name: allow-portrange-with-sysctl
-          type: Validation
-          message: "Validation error: Allowed port range is from 1024 to 65535\nValidation rule 'allow-portrange-with-sysctl' failed at path '/spec/securityContext/sysctls/0/value/'."
-          success: false