add disallow Helm tiller

2024-12-15 17:51:20 +00:00 · 2019-11-03 18:19:06 -08:00 · 2019-11-03 18:19:06 -08:00 · 41afefbe8e
commit 41afefbe8e
parent 3b1143c934
6 changed files with 80 additions and 1 deletions
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@ -122,3 +122,7 @@ func Test_validate_disallow_new_capabilities(t *testing.T) {
 func Test_validate_disallow_docker_sock_mount(t *testing.T) {
 	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml")
 }
+
+func Test_validate_disallow_helm_tiller(t *testing.T) {
+	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_helm_tiller.yaml")
+}
--- a/samples/DisallowHelmTiller.md
+++ b/samples/DisallowHelmTiller.md
@ -0,0 +1,30 @@
+# Disallow Helm Tiller
+
+Tiller has known security challenges. It requires adminstrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilge escalation as restricted users can impact other users.
+
+## Policy YAML 
+
+````yaml
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: disallow-helm-tiller
+  annotations:
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/description: 
+spec:
+  rules:
+  - name: validate-helm-tiller
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Helm Tiller is not allowed"  
+      pattern:
+        spec:
+          containers:
+          - name: "*"
+            image: "!*tiller*"
+
+````
--- a/samples/README.md
+++ b/samples/README.md
@ -51,7 +51,7 @@ These policies are highly recommended.
 13. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
 14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
 15. [Default deny all ingress traffic](DefaultDenyAllIngress.md)
-
+16. [Disallow Helm Tiller](DisallowHelmTiller.md)

 ## Additional Policies

--- a/samples/best_practices/disallow_helm_tiller.yaml
+++ b/samples/best_practices/disallow_helm_tiller.yaml
@ -0,0 +1,21 @@
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: disallow-helm-tiller
+  annotations:
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/description: 
+spec:
+  rules:
+  - name: validate-helm-tiller
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Helm Tiller is not allowed"  
+      pattern:
+        spec:
+          containers:
+          - name: "*"
+            image: "!*tiller*"
--- a/test/resources/disallow_helm_tiller.yaml
+++ b/test/resources/disallow_helm_tiller.yaml
@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-helm-tiller
+spec:
+  containers:
+  - name: helm-tiller
+    image: docker.io/tiller:latest
--- a/test/scenarios/samples/best_practices/scenario_validate_disallow_helm_tiller.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_helm_tiller.yaml
@ -0,0 +1,16 @@
+# file paths are relative to project root
+input:
+  policy: samples/best_practices/disallow_helm_tiller.yaml
+  resource: test/resources/disallow_helm_tiller.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: disallow-helm-tiller
+      resource:
+        kind: Pod
+        name: pod-helm-tiller
+      rules:
+        - name: validate-helm-tiller
+          type: Validation
+          message: "Validation rule 'validate-helm-tiller' failed at '/spec/containers/0/image/' for resource Pod//pod-helm-tiller. Helm Tiller is not allowed."
+          success: false