From 48f0d90dd106f504951e44d86b7325beac8d9d0e Mon Sep 17 00:00:00 2001
From: treydock <treydock@gmail.com>
Date: Thu, 18 Feb 2021 14:50:35 -0500
Subject: [PATCH] Allow some helm policies to be excluded (#1611)

* Allow some helm policies to be excluded

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Make Helm security policies opt-in when podSecurityStandard=custom

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
---
 charts/kyverno/README.md | 3 ++-
 charts/kyverno/templates/_helpers.tpl | 22 +++++++++++++++++++
 .../default/disallow-adding-capabilities.yaml | 5 +++--
 .../default/disallow-host-namespaces.yaml | 5 +++--
 .../policies/default/disallow-host-path.yaml | 5 +++--
 .../policies/default/disallow-host-ports.yaml | 5 +++--
 .../disallow-privileged-containers.yaml | 5 +++--
 .../policies/default/disallow-proc-mount.yaml | 5 +++--
 .../policies/default/disallow-selinux.yaml | 5 +++--
 .../default/restrict-apparmor-profiles.yaml | 5 +++--
 .../policies/default/restrict-sysctls.yaml | 5 +++--
 .../restricted/deny-privilege-escalation.yaml | 5 +++--
 .../restricted/require-non-root-groups.yaml | 5 +++--
 .../restricted/require-run-as-nonroot.yaml | 5 +++--
 .../policies/restricted/restrict-seccomp.yaml | 5 +++--
 .../restricted/restrict-volume-types.yaml | 5 +++--
 charts/kyverno/values.yaml | 4 +++-
 17 files changed, 69 insertions(+), 30 deletions(-)

diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index f1cc22d1f9..07fb94d74e 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -101,7 +101,8 @@ Parameter | Description | Default
 `service.type` | type of service | `ClusterIP`
 `tolerations` | list of node taints to tolerate | `[]`
 `securityContext` | security context configuration | `{}`
-`podSecurityStandard` | set desired pod security level `privileged`, `default`, `restricted`. Set to `restricted` for maximum security for your cluster. See: https://kyverno.io/policies/pod-security/ | `default`
+`podSecurityStandard` | set desired pod security level `privileged`, `default`, `restricted`, `custom`. Set to `restricted` for maximum security for your cluster. See: https://kyverno.io/policies/pod-security/ | `default`
+`podSecurityPolicies` | Policies to include when `podSecurityStandard` is set to `custom` | `[]`
 `validationFailureAction` | set to get response in failed validation check. Supported values- `audit`, `enforce`. See: https://kyverno.io/docs/writing-policies/validate/ | `audit`
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
diff --git a/charts/kyverno/templates/_helpers.tpl b/charts/kyverno/templates/_helpers.tpl
index 7a4108f600..9deb537961 100644
--- a/charts/kyverno/templates/_helpers.tpl
+++ b/charts/kyverno/templates/_helpers.tpl
@@ -70,3 +70,25 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{ default "default" .Values.rbac.serviceAccount.name }}
 {{- end -}}
 {{- end -}}
+
+{{/* Set if a default policy is managed */}}
+{{- define "kyverno.podSecurityDefault" -}}
+{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
+{{- true }}
+{{- else if and (eq .Values.podSecurityStandard "custom") (has .name .Values.podSecurityPolicies) }}
+{{- true }}
+{{- else -}}
+{{- false }}
+{{- end -}}
+{{- end -}}
+
+{{/* Set if a restricted policy is managed */}}
+{{- define "kyverno.podSecurityRestricted" -}}
+{{- if eq .Values.podSecurityStandard "restricted" }}
+{{- true }}
+{{- else if and (eq .Values.podSecurityStandard "custom") (has .name .Values.podSecurityPolicies) }}
+{{- true }}
+{{- else -}}
+{{- false }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno/templates/policies/default/disallow-adding-capabilities.yaml b/charts/kyverno/templates/policies/default/disallow-adding-capabilities.yaml
index 147b48fdca..802f1adf98 100644
--- a/charts/kyverno/templates/policies/default/disallow-adding-capabilities.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-adding-capabilities.yaml
@@ -1,8 +1,9 @@
-{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
+{{ $name := "disallow-add-capabilities" -}}
+{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: disallow-add-capabilities
+  name: {{ $name }}
   annotations:
     policies.kyverno.io/category: Pod Security Standards (Default)
     policies.kyverno.io/description: >-
diff --git a/charts/kyverno/templates/policies/default/disallow-host-namespaces.yaml b/charts/kyverno/templates/policies/default/disallow-host-namespaces.yaml
index 53bda87217..b99076ffeb 100644
--- a/charts/kyverno/templates/policies/default/disallow-host-namespaces.yaml
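Review bot: Both new helpers reach the `{{- else -}}` / `{{- false }}` branch for any `podSecurityStandard` value they do not recognise, so a misspelling such as `restriced` renders no ClusterPolicy at all and the release installs cleanly with the whole pod-security baseline missing, which is exactly the fail-open this opt-in design should refuse. Reject unsupported values at render time at the top of each helper (or in one small helper both call), e.g. `{{- if not (has .Values.podSecurityStandard (list "privileged" "default" "restricted" "custom")) }}{{- fail (printf "unsupported podSecurityStandard %q" .Values.podSecurityStandard) }}{{- end }}`. The `custom` branch is duplicated verbatim between `kyverno.podSecurityDefault` and `kyverno.podSecurityRestricted`; a shared helper for it would keep the two in step when the list handling changes. Documenting in the `{{/* ... */}}` comments that `.name` must be the policy's `metadata.name` and that the template is expected to be called with the root context merged in would also help the next template author.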
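Review bot: The `$name` value users must now type into `podSecurityPolicies` differs from the template filename in three of the policy hunks — `disallow-adding-capabilities.yaml` registers `disallow-add-capabilities`, `disallow-proc-mount.yaml` registers `require-default-proc-mount` and `require-run-as-nonroot.yaml` registers `require-run-as-non-root` — and an entry matching no policy is silently dropped by `has` rather than reported, so a `custom` list assembled from filenames quietly omits those controls. Either document the exact accepted names next to `podSecurityPolicies` or validate the list in a helper that calls `fail` for an entry no template claims. Separately, the assignment is written `{{ $name := "..." -}}` here but `{{- $name := "..." }}` in the disallow-host-ports, disallow-privileged-containers, disallow-proc-mount and disallow-selinux hunks; both render identically because the following `{{- if` trims the newline, but one form should be used across all fourteen files. These points apply equally to the remaining policy hunks from disallow-host-namespaces through restrict-volume-types.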
+++ b/charts/kyverno/templates/policies/default/disallow-host-namespaces.yaml
@@ -1,8 +1,9 @@
-{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
+{{ $name := "disallow-host-namespaces" -}}
+{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: disallow-host-namespaces
+  name: {{ $name }}
   annotations:
     policies.kyverno.io/category: Pod Security Standards (Default)
     policies.kyverno.io/description: >-
diff --git a/charts/kyverno/templates/policies/default/disallow-host-path.yaml b/charts/kyverno/templates/policies/default/disallow-host-path.yaml
index c85a2c2787..f0ae2f13ab 100644
--- a/charts/kyverno/templates/policies/default/disallow-host-path.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-host-path.yaml
@@ -1,8 +1,9 @@
-{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
+{{ $name := "disallow-host-path" -}}
+{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: disallow-host-path
+  name: {{ $name }}
   annotations:
     policies.kyverno.io/category: Pod Security Standards (Default)
     policies.kyverno.io/description: >-
diff --git a/charts/kyverno/templates/policies/default/disallow-host-ports.yaml b/charts/kyverno/templates/policies/default/disallow-host-ports.yaml
index b8cef57300..ac71ce3cc6 100644
--- a/charts/kyverno/templates/policies/default/disallow-host-ports.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-host-ports.yaml
@@ -1,8 +1,9 @@
-{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
+{{- $name := "disallow-host-ports" }}
+{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: disallow-host-ports
+  name: {{ $name }}
   annotations:
     policies.kyverno.io/category: Pod Security Standards (Default)
     policies.kyverno.io/description: >-
diff --git a/charts/kyverno/templates/policies/default/disallow-privileged-containers.yaml b/charts/kyverno/templates/policies/default/disallow-privileged-containers.yaml
index 1326b7074f..80e7c7eb30 100644
--- a/charts/kyverno/templates/policies/default/disallow-privileged-containers.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-privileged-containers.yaml
@@ -1,8 +1,9 @@
-{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
+{{- $name := "disallow-privileged-containers" }}
+{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: disallow-privileged-containers
+  name: {{ $name }}
   annotations:
     policies.kyverno.io/category: Pod Security Standards (Default)
     policies.kyverno.io/description: >-
diff --git a/charts/kyverno/templates/policies/default/disallow-proc-mount.yaml b/charts/kyverno/templates/policies/default/disallow-proc-mount.yaml
index b2bd8eedbc..0a0589ea30 100644
--- a/charts/kyverno/templates/policies/default/disallow-proc-mount.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-proc-mount.yaml
@@ -1,8 +1,9 @@
-{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
+{{- $name := "require-default-proc-mount" }}
+{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: require-default-proc-mount
+  name: {{ $name }}
   annotations:
     policies.kyverno.io/category: Pod Security Standards (Default)
     policies.kyverno.io/description: >-
diff --git a/charts/kyverno/templates/policies/default/disallow-selinux.yaml b/charts/kyverno/templates/policies/default/disallow-selinux.yaml
index e063504c39..ab9eab833f 100644
--- a/charts/kyverno/templates/policies/default/disallow-selinux.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-selinux.yaml
@@ -1,8 +1,9 @@
-{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
+{{- $name := "disallow-selinux" }}
+{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: disallow-selinux
+  name: {{ $name }}
   annotations:
     policies.kyverno.io/title: Disallow SELinux
     policies.kyverno.io/category: Pod Security Standards (Default)
diff --git a/charts/kyverno/templates/policies/default/restrict-apparmor-profiles.yaml b/charts/kyverno/templates/policies/default/restrict-apparmor-profiles.yaml
index 2bbc7a0eaf..792adc36e7 100644
--- a/charts/kyverno/templates/policies/default/restrict-apparmor-profiles.yaml
+++ b/charts/kyverno/templates/policies/default/restrict-apparmor-profiles.yaml
@@ -1,8 +1,9 @@
-{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
+{{ $name := "restrict-apparmor-profiles" -}}
+{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: restrict-apparmor-profiles
+  name: {{ $name }}
   annotations:
     policies.kyverno.io/title: Restrict AppArmor
     policies.kyverno.io/category: Pod Security Standards (Default)
diff --git a/charts/kyverno/templates/policies/default/restrict-sysctls.yaml b/charts/kyverno/templates/policies/default/restrict-sysctls.yaml
index 6571c3d202..ab3d2d7e92 100644
--- a/charts/kyverno/templates/policies/default/restrict-sysctls.yaml
+++ b/charts/kyverno/templates/policies/default/restrict-sysctls.yaml
@@ -1,8 +1,9 @@
-{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
+{{ $name := "restrict-sysctls" -}}
+{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: restrict-sysctls
+  name: {{ $name }}
   annotations:
     policies.kyverno.io/category: Pod Security Standards (Default)
     policies.kyverno.io/description: >-
diff --git a/charts/kyverno/templates/policies/restricted/deny-privilege-escalation.yaml b/charts/kyverno/templates/policies/restricted/deny-privilege-escalation.yaml
index c12d89e58f..9177b2f1a1 100644
--- a/charts/kyverno/templates/policies/restricted/deny-privilege-escalation.yaml
+++ b/charts/kyverno/templates/policies/restricted/deny-privilege-escalation.yaml
@@ -1,8 +1,9 @@
-{{- if eq .Values.podSecurityStandard "restricted" }}
+{{ $name := "deny-privilege-escalation" -}}
+{{- if eq (include "kyverno.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: deny-privilege-escalation
+  name: {{ $name }}
   annotations:
     policies.kyverno.io/category: Pod Security Standards (Restricted)
     policies.kyverno.io/description: >-
diff --git a/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml b/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml
index 572f33b430..2fd0cc121e 100644
--- a/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml
+++ b/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml
@@ -1,8 +1,9 @@
-{{- if eq .Values.podSecurityStandard "restricted" }}
+{{ $name := "require-non-root-groups" -}}
+{{- if eq (include "kyverno.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: require-non-root-groups
+  name: {{ $name }}
   annotations:
     policies.kyverno.io/category: Pod Security Standards (Restricted)
     policies.kyverno.io/description: >-
diff --git a/charts/kyverno/templates/policies/restricted/require-run-as-nonroot.yaml b/charts/kyverno/templates/policies/restricted/require-run-as-nonroot.yaml
index cd84fc7cf4..0d6eaba155 100644
--- a/charts/kyverno/templates/policies/restricted/require-run-as-nonroot.yaml
+++ b/charts/kyverno/templates/policies/restricted/require-run-as-nonroot.yaml
@@ -1,8 +1,9 @@
-{{- if eq .Values.podSecurityStandard "restricted" }}
+{{ $name := "require-run-as-non-root" -}}
+{{- if eq (include "kyverno.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: require-run-as-non-root
+  name: {{ $name }}
   annotations:
     policies.kyverno.io/category: Pod Security Standards (Restricted)
     policies.kyverno.io/description: Containers must be required to run as non-root users.
diff --git a/charts/kyverno/templates/policies/restricted/restrict-seccomp.yaml b/charts/kyverno/templates/policies/restricted/restrict-seccomp.yaml
index 513d382d96..5b96246ab1 100644
--- a/charts/kyverno/templates/policies/restricted/restrict-seccomp.yaml
+++ b/charts/kyverno/templates/policies/restricted/restrict-seccomp.yaml
@@ -1,8 +1,9 @@
-{{- if eq .Values.podSecurityStandard "restricted" }}
+{{ $name := "restrict-seccomp" -}}
+{{- if eq (include "kyverno.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: restrict-seccomp
+  name: {{ $name }}
   annotations:
     policies.kyverno.io/title: Restrict Seccomp
     policies.kyverno.io/category: Pod Security Standards (Restricted)
diff --git a/charts/kyverno/templates/policies/restricted/restrict-volume-types.yaml b/charts/kyverno/templates/policies/restricted/restrict-volume-types.yaml
index a5d64421ac..8ef906a5bb 100644
--- a/charts/kyverno/templates/policies/restricted/restrict-volume-types.yaml
+++ b/charts/kyverno/templates/policies/restricted/restrict-volume-types.yaml
@@ -1,8 +1,9 @@
-{{- if eq .Values.podSecurityStandard "restricted" }}
+{{ $name := "restrict-volume-types" -}}
+{{- if eq (include "kyverno.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: restrict-volume-types
+  name: {{ $name }}
   annotations:
     policies.kyverno.io/category: Pod Security Standards (Restricted)
     policies.kyverno.io/description: >-
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index 34bbca4132..a868132b48 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -1,9 +1,11 @@
 nameOverride:
 fullnameOverride:
 namespace:
-# Supported- default/restricted/privileged
+# Supported- default/restricted/privileged/custom
 # For more info- https://kyverno.io/policies/pod-security
 podSecurityStandard: default
+# Policies to include when podSecurityStandard is custom
+podSecurityPolicies: []
 # Supported values- `audit`, `enforce`
 # For more info- https://kyverno.io/docs/writing-policies/validate/
 validationFailureAction: audit
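Review bot: The new comment above `podSecurityPolicies: []` does not say what an entry is, and because the templates compare entries against each policy's `metadata.name` rather than its template filename (for example `require-run-as-non-root`, not `require-run-as-nonroot`), a reader of values.yaml has no way to know which strings will take effect. Expand the comment to something like `# Policies to include when podSecurityStandard is custom; entries are ClusterPolicy metadata.name values, e.g. disallow-privileged-containers, require-run-as-non-root` or point at where the accepted names are listed. It is also worth stating in the comment that the list is only consulted when `podSecurityStandard` is `custom`, which is how the helper branches added in _helpers.tpl behave but is not visible from this file.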