diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 7d7c63e49b..84b0b14610 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -111,10 +111,7 @@ jobs:
- name: Update chart values
run: |
- sed -i -e "s|nameOverride:.*|nameOverride: kyverno|g" charts/kyverno/values.yaml
- sed -i -e "s|fullnameOverride:.*|fullnameOverride: kyverno|g" charts/kyverno/values.yaml
- sed -i -e "s|namespace:.*|namespace: kyverno|g" charts/kyverno/values.yaml
- sed -i -e "s|tag:.*|tag: $(git describe --tag)|" charts/kyverno/values.yaml
+ make helm-test-values
cat charts/kyverno/values.yaml
- name: Run chart-testing (install)
@@ -125,7 +122,7 @@ jobs:
- name: Run chart-testing (policies)
run: |
helm install kyverno charts/kyverno -n kyverno
- ct install --target-branch=main --namespace=kyverno --charts charts/kyverno-policies
+ ct install --target-branch=main --namespace=kyverno --charts charts/kyverno-policies
- name: Debug failure
if: failure()
diff --git a/Makefile b/Makefile
index 87267a8de2..b42f029e71 100644
--- a/Makefile
+++ b/Makefile
@@ -251,6 +251,12 @@ test-e2e-local:
kill $!
$(eval export E2E="")
+helm-test-values:
+ sed -i -e "s|nameOverride:.*|nameOverride: kyverno|g" charts/kyverno/values.yaml
+ sed -i -e "s|fullnameOverride:.*|fullnameOverride: kyverno|g" charts/kyverno/values.yaml
+ sed -i -e "s|namespace:.*|namespace: kyverno|g" charts/kyverno/values.yaml
+ sed -i -e "s|tag:.*|tag: $(GIT_VERSION_DEV)|" charts/kyverno/values.yaml
+
# godownloader create downloading script for kyverno-cli
godownloader:
godownloader .goreleaser.yml --repo kyverno/kyverno -o ./scripts/install-cli.sh --source="raw"
diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml
index 226be33552..58f8ad64be 100644
--- a/charts/kyverno-policies/Chart.yaml
+++ b/charts/kyverno-policies/Chart.yaml
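Review bot: `make helm-test-values` changes which image tag is written into values.yaml: the removed step used `$(git describe --tag)`, while the new Makefile target writes `$(GIT_VERSION_DEV)`, a variable that is not defined anywhere in this diff. Confirm it is defined in the Makefile and resolves to the same tag the e2e job builds and loads its images under; if it differs, `helm install kyverno charts/kyverno -n kyverno` in the policies step will reference a tag that does not exist in the test cluster and the failure will surface two steps later. The second hunk of this file changes only whitespace on the `ct install` line, which is fine but should be mentioned in the commit message so reviewers do not look for a semantic change.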
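Review bot: `helm-test-values` produces no file of that name and should be declared `.PHONY: helm-test-values`; otherwise a stray `helm-test-values` file in the repo root turns the target into a silent no-op and the e2e job would test the unmodified chart values. The recipe rewrites a tracked file in place, which is easy to trip over locally, so a comment above the target such as `# helm-test-values: rewrites charts/kyverno/values.yaml in place for the e2e job; leaves the tracked file modified` would help, matching the style of the `# godownloader ...` comment below. `GIT_VERSION_DEV` is referenced here but defined outside this hunk.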
@@ -3,18 +3,18 @@ name: kyverno-policies
version: v2.2.0-rc2
appVersion: v1.6.0-rc2
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
-description: Kubernetes Native Policy Management Policies
+description: Kubernetes Pod Security Standards implemented as Kyverno policies
keywords:
- kubernetes
- nirmata
- policy agent
- validating webhook
- admissions controller
-home: https://kyverno.io/
+home: https://kyverno.io/policies/
sources:
- - https://github.com/kyverno/kyverno
+ - https://github.com/kyverno/policies
maintainers:
- name: Nirmata
url: https://kyverno.io/
engine: gotpl
-kubeVersion: ">=1.10.0-0"
+kubeVersion: ">=1.16.0-0"
diff --git a/charts/kyverno-policies/README.md b/charts/kyverno-policies/README.md
index 62b37412e8..964dfb18a4 100644
--- a/charts/kyverno-policies/README.md
+++ b/charts/kyverno-policies/README.md
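Review bot: `version: v2.2.0-rc2` is untouched (a context line here) although this commit deletes every policy under `templates/default/`, ships a new `templates/baseline/` set, renames `disallow-add-capabilities` to `disallow-capabilities` and raises `kubeVersion` to `>=1.16.0-0`. If `v2.2.0-rc2` has already been published to the chart repository, the same version would now resolve to different content, and Helm clients cache charts by version, so a bump to the next rc looks necessary; if it has not been published this is fine and a one-line remark in the commit message would settle it. The `description`, `home` and `sources` changes are consistent with the new README.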
@@ -1,6 +1,41 @@
# Kyverno Policies
-## TL;DR
+## About
+
+This chart contains Kyverno's implementation of the Kubernetes Pod Security Standards (PSS) as documented at https://kubernetes.io/docs/concepts/security/pod-security-standards/ and are a Helm packaged version of those found at https://github.com/kyverno/policies/tree/main/pod-security. The goal of the PSS controls is to provide a good starting point for general Kubernetes cluster operational security. These controls are broken down into two categories, Baseline and Restricted. Baseline policies implement the most basic of Pod security controls while Restricted implements more strict controls. Restricted is cumulative and encompasses those listed in Baseline.
+
+The following policies are included in each profile.
+
+**Baseline**
+
+* disallow-capabilities
+* disallow-host-namespaces
+* disallow-host-path
+* disallow-host-ports
+* disallow-host-process
+* disallow-privileged-containers
+* disallow-proc-mount
+* disallow-selinux
+* restrict-apparmor-profiles
+* restrict-seccomp
+* restrict-sysctls
+
+**Restricted**
+
+* disallow-capabilities-strict
+* disallow-privilege-escalation
+* require-run-as-non-root-user
+* require-run-as-nonroot
+* restrict-seccomp-strict
+* restrict-volume-types
+
+An additional policy "require-non-root-groups" is included in an `other` group as this was previously included in the official PSS controls but since removed.
+
+For the latest version of these PSS policies, always refer to the kyverno/policies repo at https://github.com/kyverno/policies/tree/main/pod-security.
+
+## TL;DR Instructions
+
+These PSS policies presently have a minimum requirement of Kyverno 1.6.0.
```console
## Add the Kyverno Helm repository
@@ -26,9 +61,11 @@ The following table lists the configurable parameters of the kyverno chart and t
| Parameter | Description | Default |
| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `includeOtherPolicies` | Additional policies to include from `other` directory | `[]` |
| `podSecurityStandard` | set desired pod security level `privileged`, `baseline`, `restricted`, `custom`. Set to `restricted` for maximum security for your cluster. See: https://kyverno.io/policies/pod-security/ | `baseline` |
| `podSecuritySeverity` | set desired pod security severity `low`, `medium`, `high`. Used severity level in PolicyReportResults for the selected pod security policies. | `medium` |
| `podSecurityPolicies` | Policies to include when `podSecurityStandard` is set to `custom` | `[]` |
+| `policyExclude` | Exclude resources from individual policies | `{}` |
| `validationFailureAction` | set to get response in failed validation check. Supported values are `audit` and `enforce`. See: https://kyverno.io/docs/writing-policies/validate/ | `audit` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
diff --git a/charts/kyverno-policies/ci/test-rule-values.yaml b/charts/kyverno-policies/ci/test-rule-values.yaml
new file mode 100644
index 0000000000..34b26cdb86
--- /dev/null
+++ b/charts/kyverno-policies/ci/test-rule-values.yaml
@@ -0,0 +1,25 @@
+podSecurityStandard: restricted
+includeOtherPolicies:
+- require-non-root-groups
+policyExclude:
+ disallow-host-path:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ namespaces:
+ - fluent
+ require-non-root-groups:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ namespaces:
+ - fluent
+ check-runasgroup:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ namespaces:
+ - kube-system
diff --git a/charts/kyverno-policies/ci/test-values.yaml b/charts/kyverno-policies/ci/test-values.yaml
new file mode 100644
index 0000000000..9788cebfe0
--- /dev/null
+++ b/charts/kyverno-policies/ci/test-values.yaml
@@ -0,0 +1,18 @@
+podSecurityStandard: restricted
+includeOtherPolicies:
+- require-non-root-groups
+policyExclude:
+ disallow-host-path:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ namespaces:
+ - fluent
+ require-non-root-groups:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ namespaces:
+ - fluent
diff --git a/charts/kyverno-policies/templates/_helpers.tpl b/charts/kyverno-policies/templates/_helpers.tpl
index cde1a7d5c9..5ec06ce086 100644
--- a/charts/kyverno-policies/templates/_helpers.tpl
+++ b/charts/kyverno-policies/templates/_helpers.tpl
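Review bot: `check-runasgroup:` under `policyExclude` is keyed by what looks like a rule name rather than a policy name, unlike the `disallow-host-path` and `require-non-root-groups` entries above it; the template that would consume it is not in this diff, so confirm it is looked up the way `disallow-selinux` looks up `selinux-type` (`merge (index .Values "policyExclude" "<rule>") (index .Values "policyExclude" $name)`), otherwise this entry is silently ignored and the fixture tests nothing. These two files are currently the only description of the `policyExclude` shape; a leading comment such as `# keys are policy names (or rule names for multi-rule policies); values are Kyverno exclude blocks` would make that explicit. Note that excluding namespace `fluent` from `disallow-host-path` grants hostPath mounts to every Pod in that namespace rather than to one workload, which is fine for a test fixture but is the semantics the README row for `policyExclude` should spell out.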
@@ -44,3 +44,35 @@ helm.sh/chart: {{ template "kyverno-policies.chart" . }}
{{- false }}
{{- end -}}
{{- end -}}
+
+{{/* Set if a other policies are managed */}}
+{{- define "kyverno-policies.podSecurityOther" -}}
+{{- if has .name .Values.includeOtherPolicies }}
+{{- true }}
+{{- else -}}
+{{- false }}
+{{- end -}}
+{{- end -}}
+
+{{/* Get deployed Kyverno version from Kubernetes */}}
+{{- define "kyverno-policies.kyvernoVersion" -}}
+{{- $version := "" -}}
+{{- with (lookup "apps/v1" "Deployment" .Release.Namespace "kyverno") -}}
+ {{- with (first .spec.template.spec.containers) -}}
+ {{- $imageTag := (split ":" .image)._1 -}}
+ {{- $version = trimPrefix "v" $imageTag -}}
+ {{- end -}}
+{{- end -}}
+{{ $version }}
+{{- end -}}
+
+{{/* Fail if deployed Kyverno does not match */}}
+{{- define "kyverno-policies.supportedKyvernoCheck" -}}
+{{- $supportedKyverno := index . "ver" -}}
+{{- $top := index . "top" }}
+{{- if (include "kyverno-policies.kyvernoVersion" $top) -}}
+ {{- if not ( semverCompare $supportedKyverno (include "kyverno-policies.kyvernoVersion" $top) ) -}}
+ {{- fail (printf "Kyverno version is too low, expected %s" $supportedKyverno) -}}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml b/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
new file mode 100644
index 0000000000..f8923f2364
--- /dev/null
+++ b/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
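Review bot: `kyverno-policies.kyvernoVersion` derives the version from `(split ":" .image)._1`, which is wrong for an image pulled through a registry with a port (`registry.example:5000/kyverno/kyverno:v1.6.0` yields `5000/kyverno/kyverno`), for a digest reference (`...@sha256:<digest>`), and for an image with no tag at all (`_1` is then absent and `trimPrefix` errors); in the first two cases `semverCompare` aborts the render with a misleading "Kyverno version is too low" message. The check is also skipped silently whenever `lookup` returns nothing — `helm template`, `--dry-run`, a Deployment not named `kyverno` or living outside `.Release.Namespace`, or missing RBAC — so the helper's comment should state that, e.g. `{{/* Returns "" when the Deployment cannot be looked up; callers treat "" as unknown, not as a failure */}}`. Taking the last `:` segment and only accepting a semver-looking tag removes the false failures while keeping the unknown case as is. Separately, `Set if a other policies are managed` reads awkwardly; `Returns "true" when .name is listed in .Values.includeOtherPolicies` says what the helper does.

```gotemplate
{{- with (lookup "apps/v1" "Deployment" .Release.Namespace "kyverno") -}}
  {{- with (first .spec.template.spec.containers) -}}
    {{- /* last ":" segment, so a registry port in the image reference is not mistaken for the tag */ -}}
    {{- $imageTag := last (splitList ":" .image) -}}
    {{- /* only a semver-looking tag is usable by semverCompare; digests and untagged images leave $version "" */ -}}
    {{- if regexMatch "^v?[0-9]+[.][0-9]+[.][0-9]+" $imageTag -}}
      {{- $version = trimPrefix "v" $imageTag -}}
    {{- end -}}
  {{- end -}}
{{- end -}}
```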
@@ -0,0 +1,58 @@
+{{- $name := "disallow-capabilities" }}
+{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
+{{- include "kyverno-policies.supportedKyvernoCheck" (dict "top" . "ver" ">= 1.6.0-0") }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Disallow Capabilities
+ policies.kyverno.io/category: Pod Security Standards (Baseline)
+ {{- if .Values.podSecuritySeverity }}
+ policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
+ {{- end }}
+ kyverno.io/kyverno-version: 1.6.0
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kubernetes-version: "1.22-1.23"
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ Adding capabilities beyond those listed in the policy must be disallowed.
+spec:
+ validationFailureAction: {{ .Values.validationFailureAction }}
+ background: true
+ rules:
+ - name: adding-capabilities
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ {{- with index .Values "policyExclude" $name }}
+ exclude:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ validate:
+ message: >-
+ Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
+ FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
+ are disallowed.
+ deny:
+ conditions:
+ all:
+ - key: "{{`{{ request.object.spec.[ephemeralContainers, initContainers, containers][].securityContext.capabilities.add[] }}`}}"
+ operator: AnyNotIn
+ value:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+{{- end }}
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
new file mode 100644
index 0000000000..bfb4053b72
--- /dev/null
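Review bot: `policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}` drops the `| quote` that the deleted `templates/default/` versions of these policies had; annotation values must be strings, so a value like `"1"` or `yes` in values.yaml now renders as an int or bool and the ClusterPolicy is rejected by the API server. Restore `policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}` here and in every other new baseline template in this commit (disallow-host-namespaces, disallow-host-path, disallow-host-ports, disallow-host-process, disallow-privileged-containers, disallow-proc-mount, disallow-selinux, restrict-apparmor-profiles, restrict-seccomp, restrict-sysctls). This is also the only template that calls `kyverno-policies.supportedKyvernoCheck`, while the README states Kyverno 1.6.0 as the minimum for the whole chart; if the intent is that only the `deny` condition here needs 1.6, say so in a template comment next to the include, otherwise the check belongs in one shared place or in each template.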
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
@@ -0,0 +1,44 @@
+{{- $name := "disallow-host-namespaces" }}
+{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Disallow Host Namespaces
+ policies.kyverno.io/category: Pod Security Standards (Baseline)
+ {{- if .Values.podSecuritySeverity }}
+ policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
+ {{- end }}
+ kyverno.io/kyverno-version: 1.6.0
+ kyverno.io/kubernetes-version: "1.22-1.23"
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
+ network namespace) allow access to shared information and can be used to elevate
+ privileges. Pods should not be allowed access to host namespaces. This policy ensures
+ fields which make use of these host namespaces are unset or set to `false`.
+spec:
+ validationFailureAction: {{ .Values.validationFailureAction }}
+ background: true
+ rules:
+ - name: host-namespaces
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ {{- with index .Values "policyExclude" $name }}
+ exclude:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ validate:
+ message: >-
+ Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
+ spec.hostIPC, and spec.hostPID must be unset or set to `false`.
+ pattern:
+ spec:
+ =(hostPID): "false"
+ =(hostIPC): "false"
+ =(hostNetwork): "false"
+{{- end }}
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
new file mode 100644
index 0000000000..d16219fcac
--- /dev/null
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
@@ -0,0 +1,41 @@
+{{- $name := "disallow-host-path" }}
+{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Disallow hostPath
+ policies.kyverno.io/category: Pod Security Standards (Baseline)
+ {{- if .Values.podSecuritySeverity }}
+ policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
+ {{- end }}
+ policies.kyverno.io/subject: Pod,Volume
+ kyverno.io/kyverno-version: 1.6.0
+ kyverno.io/kubernetes-version: "1.22-1.23"
+ policies.kyverno.io/description: >-
+ HostPath volumes let Pods use host directories and volumes in containers.
+ Using host resources can be used to access shared data or escalate privileges
+ and should not be allowed. This policy ensures no hostPath volumes are in use.
+spec:
+ validationFailureAction: {{ .Values.validationFailureAction }}
+ background: true
+ rules:
+ - name: host-path
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ {{- with index .Values "policyExclude" $name }}
+ exclude:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ validate:
+ message: >-
+ HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.
+ pattern:
+ spec:
+ =(volumes):
+ - X(hostPath): "null"
+{{- end }}
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
new file mode 100644
index 0000000000..a91b7a275e
--- /dev/null
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
@@ -0,0 +1,50 @@
+{{- $name := "disallow-host-ports" }}
+{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Disallow hostPorts
+ policies.kyverno.io/category: Pod Security Standards (Baseline)
+ {{- if .Values.podSecuritySeverity }}
+ policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
+ {{- end }}
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.6.0
+ kyverno.io/kubernetes-version: "1.22-1.23"
+ policies.kyverno.io/description: >-
+ Access to host ports allows potential snooping of network traffic and should not be
+ allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
+ field is unset or set to `0`.
+spec:
+ validationFailureAction: {{ .Values.validationFailureAction }}
+ background: true
+ rules:
+ - name: host-ports-none
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ {{- with index .Values "policyExclude" $name }}
+ exclude:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ validate:
+ message: >-
+ Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
+ , spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort
+ must either be unset or set to `0`.
+ pattern:
+ spec:
+ =(ephemeralContainers):
+ - =(ports):
+ - =(hostPort): 0
+ =(initContainers):
+ - =(ports):
+ - =(hostPort): 0
+ containers:
+ - =(ports):
+ - =(hostPort): 0
+{{- end }}
\ No newline at end of file
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
new file mode 100644
index 0000000000..7f834fb229
--- /dev/null
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
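Review bot: the folded `message` starts its second line with `, spec.initContainers[*]...`, so the rendered string reads `spec.containers[*].ports[*].hostPort , spec.initContainers` with a space before the comma; move it to the end of the first line: `Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort,`. The file is also the only new template without a trailing newline (`\ No newline at end of file`), which most editors and `yamllint` flag; add one for consistency with its siblings.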
@@ -0,0 +1,55 @@
+{{- $name := "disallow-host-process" }}
+{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Disallow hostProcess
+ policies.kyverno.io/category: Pod Security Standards (Baseline)
+ {{- if .Values.podSecuritySeverity }}
+ policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
+ {{- end }}
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.6.0
+ kyverno.io/kubernetes-version: "1.22-1.23"
+ policies.kyverno.io/description: >-
+ Windows pods offer the ability to run HostProcess containers which enables privileged
+ access to the Windows node. Privileged access to the host is disallowed in the baseline
+ policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures
+ the `hostProcess` field, if present, is set to `false`.
+spec:
+ validationFailureAction: {{ .Values.validationFailureAction }}
+ background: true
+ rules:
+ - name: host-process-containers
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ {{- with index .Values "policyExclude" $name }}
+ exclude:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ validate:
+ message: >-
+ HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess,
+ spec.containers[*].securityContext.windowsOptions.hostProcess, spec.initContainers[*].securityContext.windowsOptions.hostProcess,
+ and spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess must either be undefined
+ or set to `false`.
+ pattern:
+ spec:
+ =(ephemeralContainers):
+ - =(securityContext):
+ =(windowsOptions):
+ =(hostProcess): "false"
+ =(initContainers):
+ - =(securityContext):
+ =(windowsOptions):
+ =(hostProcess): "false"
+ containers:
+ - =(securityContext):
+ =(windowsOptions):
+ =(hostProcess): "false"
+{{- end }}
diff --git a/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml b/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
new file mode 100644
index 0000000000..539e05ea17
--- /dev/null
+++ b/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
@@ -0,0 +1,48 @@
+{{- $name := "disallow-privileged-containers" }}
+{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Disallow Privileged Containers
+ policies.kyverno.io/category: Pod Security Standards (Baseline)
+ {{- if .Values.podSecuritySeverity }}
+ policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
+ {{- end }}
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.6.0
+ kyverno.io/kubernetes-version: "1.22-1.23"
+ policies.kyverno.io/description: >-
+ Privileged mode disables most security mechanisms and must not be allowed. This policy
+ ensures Pods do not call for privileged mode.
+spec:
+ validationFailureAction: {{ .Values.validationFailureAction }}
+ background: true
+ rules:
+ - name: privileged-containers
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ {{- with index .Values "policyExclude" $name }}
+ exclude:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ validate:
+ message: >-
+ Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
+ and spec.initContainers[*].securityContext.privileged must be unset or set to `false`.
+ pattern:
+ spec:
+ =(ephemeralContainers):
+ - =(securityContext):
+ =(privileged): "false"
+ =(initContainers):
+ - =(securityContext):
+ =(privileged): "false"
+ containers:
+ - =(securityContext):
+ =(privileged): "false"
+{{- end }}
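Review bot: the `message` names only `spec.containers[*].securityContext.privileged` and `spec.initContainers[*].securityContext.privileged`, while the `pattern` below also enforces `=(ephemeralContainers)`; a user whose ephemeral debug container is rejected is told about two fields that are not the one at fault. Add `spec.ephemeralContainers[*].securityContext.privileged` to the list in the message, as disallow-host-process and disallow-proc-mount already do for their three container arrays.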
diff --git a/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml b/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
new file mode 100644
index 0000000000..2978933308
--- /dev/null
+++ b/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
@@ -0,0 +1,52 @@
+{{- $name := "disallow-proc-mount" }}
+{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Disallow procMount
+ policies.kyverno.io/category: Pod Security Standards (Baseline)
+ {{- if .Values.podSecuritySeverity }}
+ policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
+ {{- end }}
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.6.0
+ kyverno.io/kubernetes-version: "1.22-1.23"
+ policies.kyverno.io/description: >-
+ The default /proc masks are set up to reduce attack surface and should be required. This policy
+ ensures nothing but the default procMount can be specified. Note that in order for users
+ to deviate from the `Default` procMount requires setting a feature gate at the API
+ server.
+spec:
+ validationFailureAction: {{ .Values.validationFailureAction }}
+ background: true
+ rules:
+ - name: check-proc-mount
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ {{- with index .Values "policyExclude" $name }}
+ exclude:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ validate:
+ message: >-
+ Changing the proc mount from the default is not allowed. The fields
+ spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount,
+ and spec.ephemeralContainers[*].securityContext.procMount must be unset or
+ set to `Default`.
+ pattern:
+ spec:
+ =(ephemeralContainers):
+ - =(securityContext):
+ =(procMount): "Default"
+ =(initContainers):
+ - =(securityContext):
+ =(procMount): "Default"
+ containers:
+ - =(securityContext):
+ =(procMount): "Default"
+{{- end }}
diff --git a/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml b/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
new file mode 100644
index 0000000000..77332903a5
--- /dev/null
+++ b/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml 
@@ -0,0 +1,95 @@
+{{- $name := "disallow-selinux" }}
+{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Disallow SELinux
+ policies.kyverno.io/category: Pod Security Standards (Baseline)
+ {{- if .Values.podSecuritySeverity }}
+ policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
+ {{- end }}
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.6.0
+ kyverno.io/kubernetes-version: "1.22-1.23"
+ policies.kyverno.io/description: >-
+ SELinux options can be used to escalate privileges and should not be allowed. This policy
+ ensures that the `seLinuxOptions` field is undefined.
+spec:
+ validationFailureAction: {{ .Values.validationFailureAction }}
+ background: true
+ rules:
+ - name: selinux-type
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ {{- with merge (index .Values "policyExclude" "selinux-type") (index .Values "policyExclude" $name) }}
+ exclude:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ validate:
+ message: >-
+ Setting the SELinux type is restricted. The fields
+ spec.securityContext.seLinuxOptions.type, spec.containers[*].securityContext.seLinuxOptions.type,
+ , spec.initContainers[*].securityContext.seLinuxOptions, and spec.ephemeralContainers[*].securityContext.seLinuxOptions.type
+ must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).
+ pattern:
+ spec:
+ =(securityContext):
+ =(seLinuxOptions):
+ =(type): "container_t | container_init_t | container_kvm_t"
+ =(ephemeralContainers):
+ - =(securityContext):
+ =(seLinuxOptions):
+ =(type): "container_t | container_init_t | container_kvm_t"
+ =(initContainers):
+ - =(securityContext):
+ =(seLinuxOptions):
+ =(type): "container_t | container_init_t | container_kvm_t"
+ containers:
+ - =(securityContext):
+ =(seLinuxOptions):
+ =(type): "container_t | container_init_t | container_kvm_t"
+ - name: selinux-user-role
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ {{- with merge (index .Values "policyExclude" "selinux-user-role") (index .Values "policyExclude" $name) }}
+ exclude:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ validate:
+ message: >-
+ Setting the SELinux user or role is forbidden. The fields
+ spec.securityContext.seLinuxOptions.user, spec.securityContext.seLinuxOptions.role,
+ spec.containers[*].securityContext.seLinuxOptions.user, spec.containers[*].securityContext.seLinuxOptions.role,
+ spec.initContainers[*].securityContext.seLinuxOptions.user, spec.initContainers[*].securityContext.seLinuxOptions.role,
+ spec.ephemeralContainers[*].securityContext.seLinuxOptions.user, and spec.ephemeralContainers[*].securityContext.seLinuxOptions.role
+ must be unset.
+ pattern:
+ spec:
+ =(securityContext):
+ =(seLinuxOptions):
+ X(user): "null"
+ X(role): "null"
+ =(ephemeralContainers):
+ - =(securityContext):
+ =(seLinuxOptions):
+ X(user): "null"
+ X(role): "null"
+ =(initContainers):
+ - =(securityContext):
+ =(seLinuxOptions):
+ X(user): "null"
+ X(role): "null"
+ containers:
+ - =(securityContext):
+ =(seLinuxOptions):
+ X(user): "null"
+ X(role): "null"
+{{- end }}
diff --git a/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml b/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
new file mode 100644
index 0000000000..43b9d1a171
--- /dev/null
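Review bot: `merge (index .Values "policyExclude" "selinux-type") (index .Values "policyExclude" $name)` is, as far as I can tell from Sprig's `merge` semantics, a map merge that keeps the first argument's keys and writes into that first map in place; when both the rule-level `selinux-type` entry and the policy-level `disallow-selinux` entry define `any:`, the rule-level list wins outright and the policy-level exclusions are dropped rather than appended, and the mutated `selinux-type` map is what any later lookup sees. That is reasonable behaviour but not what "exclude resources from individual policies" in the README suggests, so add a template comment above each `with merge ...`, e.g. `{{- /* rule-level policyExclude (selinux-type) overrides the policy-level entry; exclude lists are not concatenated */ -}}`, and a sentence on the `policyExclude` README row. The `selinux-type` message also starts a line with a stray comma (`, spec.initContainers[*]...`) and omits `.type` on the initContainers path although the pattern checks `=(type)`; change it to `spec.initContainers[*].securityContext.seLinuxOptions.type`. The `description` says `seLinuxOptions` must be undefined, while the first rule allows three values for `type`; the description should say that the type is restricted to an allowed set and user/role must be unset.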
+++ b/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
@@ -0,0 +1,45 @@
+{{- $name := "restrict-apparmor-profiles" }}
+{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Restrict AppArmor
+ policies.kyverno.io/category: Pod Security Standards (Baseline)
+ {{- if .Values.podSecuritySeverity }}
+ policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
+ {{- end }}
+ policies.kyverno.io/subject: Pod, Annotation
+ policies.kyverno.io/minversion: 1.3.0
+ kyverno.io/kyverno-version: 1.6.0
+ kyverno.io/kubernetes-version: "1.22-1.23"
+ policies.kyverno.io/description: >-
+ On supported hosts, the 'runtime/default' AppArmor profile is applied by default.
+ The default policy should prevent overriding or disabling the policy, or restrict
+ overrides to an allowed set of profiles. This policy ensures Pods do not
+ specify any other AppArmor profiles than `runtime/default` or `localhost/*`.
+spec:
+ validationFailureAction: {{ .Values.validationFailureAction }}
+ background: true
+ rules:
+ - name: app-armor
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ {{- with index .Values "policyExclude" $name }}
+ exclude:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ validate:
+ message: >-
+ Specifying other AppArmor profiles is disallowed. The annotation
+ `container.apparmor.security.beta.kubernetes.io` if defined
+ must not be set to anything other than `runtime/default` or `localhost/*`.
+ pattern:
+ =(metadata):
+ =(annotations):
+ =(container.apparmor.security.beta.kubernetes.io/*): "runtime/default | localhost/*"
+{{- end }}
diff --git a/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml b/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
new file mode 100644
index 0000000000..bab2e57c46
--- /dev/null
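Review bot: `policies.kyverno.io/minversion: 1.3.0` contradicts the `kyverno.io/kyverno-version: 1.6.0` annotation on the next line and the chart-wide Kyverno 1.6.0 minimum stated in the README; the other new templates either omit `minversion` or set it to `1.6.0` (disallow-capabilities). Drop the line or change it to `policies.kyverno.io/minversion: 1.6.0` so the published metadata agrees with itself. The `message` also refers to the annotation as `container.apparmor.security.beta.kubernetes.io` while the pattern matches `container.apparmor.security.beta.kubernetes.io/*`; writing `container.apparmor.security.beta.kubernetes.io/<container-name>` in the message tells users which key is being checked.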
+++ b/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
@@ -0,0 +1,59 @@
+{{- $name := "restrict-seccomp" }}
+{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Restrict Seccomp
+ policies.kyverno.io/category: Pod Security Standards (Baseline)
+ {{- if .Values.podSecuritySeverity }}
+ policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
+ {{- end }}
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.6.0
+ kyverno.io/kubernetes-version: "1.22-1.23"
+ policies.kyverno.io/description: >-
+ The seccomp profile must not be explicitly set to Unconfined. This policy,
+ requiring Kubernetes v1.19 or later, ensures that seccomp is unset or
+ set to `RuntimeDefault` or `Localhost`.
+spec:
+ background: true
+ validationFailureAction: {{ .Values.validationFailureAction }}
+ rules:
+ - name: check-seccomp
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ {{- with index .Values "policyExclude" $name }}
+ exclude:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ validate:
+ message: >-
+ Use of custom Seccomp profiles is disallowed. The fields
+ spec.securityContext.seccompProfile.type,
+ spec.containers[*].securityContext.seccompProfile.type,
+ spec.initContainers[*].securityContext.seccompProfile.type, and
+ spec.ephemeralContainers[*].securityContext.seccompProfile.type
+ must be unset or set to `RuntimeDefault` or `Localhost`.
+ pattern:
+ spec:
+ =(securityContext):
+ =(seccompProfile):
+ =(type): "RuntimeDefault | Localhost"
+ =(ephemeralContainers):
+ - =(securityContext):
+ =(seccompProfile):
+ =(type): "RuntimeDefault | Localhost"
+ =(initContainers):
+ - =(securityContext):
+ =(seccompProfile):
+ =(type): "RuntimeDefault | Localhost"
+ containers:
+ - =(securityContext):
+ =(seccompProfile):
+ =(type): "RuntimeDefault | Localhost"
+{{- end }}
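Review bot: `background: true` is written before `validationFailureAction` here, whereas every other template in this commit puts `validationFailureAction` first; Kubernetes does not care, but the inconsistency makes the eleven files harder to diff against each other, so swap the two lines. The description states the policy requires Kubernetes v1.19 or later, but Chart.yaml's `kubeVersion` is only raised to `>=1.16.0-0` in this commit; on 1.16–1.18 the `seccompProfile` field the pattern checks does not exist and the rule can never match, which either deserves a comment in this template, e.g. `{{- /* seccompProfile exists from Kubernetes 1.19; on older clusters this rule never matches and gives no protection */ -}}`, or a `kubeVersion` bump in Chart.yaml.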
diff --git a/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml b/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
new file mode 100644
index 0000000000..fcf36d598b
--- /dev/null
+++ b/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
@@ -0,0 +1,49 @@
+{{- $name := "restrict-sysctls" }}
+{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Restrict sysctls
+ policies.kyverno.io/category: Pod Security Standards (Baseline)
+ {{- if .Values.podSecuritySeverity }}
+ policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
+ {{- end }}
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.6.0
+ kyverno.io/kubernetes-version: "1.22-1.23"
+ policies.kyverno.io/description: >-
+ Sysctls can disable security mechanisms or affect all containers on a
+ host, and should be disallowed except for an allowed "safe" subset. A
+ sysctl is considered safe if it is namespaced in the container or the
+ Pod, and it is isolated from other Pods or processes on the same Node.
+ This policy ensures that only those "safe" subsets can be specified in
+ a Pod.
+spec:
+ validationFailureAction: {{ .Values.validationFailureAction }}
+ background: true
+ rules:
+ - name: check-sysctls
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ {{- with index .Values "policyExclude" $name }}
+ exclude:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ validate:
+ message: >-
+ Setting additional sysctls above the allowed type is disallowed.
+ The field spec.securityContext.sysctls must be unset or not use any other names
+ than kernel.shm_rmid_forced, net.ipv4.ip_local_port_range,
+ net.ipv4.ip_unprivileged_port_start, net.ipv4.tcp_syncookies and
+ net.ipv4.ping_group_range.
+ pattern:
+ spec:
+ =(securityContext):
+ =(sysctls):
+ - =(name): "kernel.shm_rmid_forced | net.ipv4.ip_local_port_range | net.ipv4.ip_unprivileged_port_start | net.ipv4.tcp_syncookies | net.ipv4.ping_group_range"
+{{- end }}
diff --git a/charts/kyverno-policies/templates/default/disallow-adding-capabilities.yaml b/charts/kyverno-policies/templates/default/disallow-adding-capabilities.yaml deleted file mode 100644 index 1405f91e68..0000000000 --- a/charts/kyverno-policies/templates/default/disallow-adding-capabilities.yaml +++ /dev/null @@ -1,41 +0,0 @@ -{{- $name := "disallow-add-capabilities" }} -{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: {{ $name }} - annotations: - policies.kyverno.io/category: Pod Security Standards (Default) - {{- if .Values.podSecuritySeverity }} - policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }} - {{- end }} - policies.kyverno.io/description: >- - Capabilities permit privileged actions without giving full root access. - Adding capabilities beyond the default set must not be allowed. - labels: {{ include "kyverno-policies.labels" . | nindent 4 }} - app: kyverno -spec: - validationFailureAction: {{ .Values.validationFailureAction }} - background: true - rules: - - name: capabilities - match: - resources: - kinds: - - Pod - validate: - message: >- - Adding of additional capabilities beyond the default set is not allowed. - The fields spec.containers[*].securityContext.capabilities.add and - spec.initContainers[*].securityContext.capabilities.add must be empty. - pattern: - spec: - containers: - - =(securityContext): - =(capabilities): - X(add): null - =(initContainers): - - =(securityContext): - =(capabilities): - X(add): null -{{- end -}} diff --git a/charts/kyverno-policies/templates/default/disallow-host-namespaces.yaml b/charts/kyverno-policies/templates/default/disallow-host-namespaces.yaml deleted file mode 100644 index 44af945405..0000000000 --- a/charts/kyverno-policies/templates/default/disallow-host-namespaces.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -{{- $name := "disallow-host-namespaces" }} -{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: {{ $name }} - annotations: - policies.kyverno.io/category: Pod Security Standards (Default) - {{- if .Values.podSecuritySeverity }} - policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }} - {{- end }} - policies.kyverno.io/description: >- - Host namespaces (Process ID namespace, Inter-Process Communication namespace, and - network namespace) allow access to shared information and can be used to elevate - privileges. Pods should not be allowed access to host namespaces. - labels: {{ include "kyverno-policies.labels" . | nindent 4 }} - app: kyverno -spec: - validationFailureAction: {{ .Values.validationFailureAction }} - background: true - rules: - - name: host-namespaces - match: - resources: - kinds: - - Pod - validate: - message: >- - Sharing the host namespaces is disallowed. The fields spec.hostNetwork, - spec.hostIPC, and spec.hostPID must not be set to true. - pattern: - spec: - =(hostPID): "false" - =(hostIPC): "false" - =(hostNetwork): "false" -{{- end -}} diff --git a/charts/kyverno-policies/templates/default/disallow-host-path.yaml b/charts/kyverno-policies/templates/default/disallow-host-path.yaml deleted file mode 100644 index b09aa068d9..0000000000 --- a/charts/kyverno-policies/templates/default/disallow-host-path.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -{{- $name := "disallow-host-path" }} -{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: {{ $name }} - annotations: - policies.kyverno.io/category: Pod Security Standards (Default) - {{- if .Values.podSecuritySeverity }} - policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }} - {{- end }} - policies.kyverno.io/description: >- - HostPath volumes let pods use host directories and volumes in containers. - Using host resources can be used to access shared data or escalate privileges - and should not be allowed. - labels: {{ include "kyverno-policies.labels" . | nindent 4 }} - app: kyverno -spec: - validationFailureAction: {{ .Values.validationFailureAction }} - background: true - rules: - - name: host-path - match: - resources: - kinds: - - Pod - validate: - message: >- - HostPath volumes are forbidden. The fields spec.volumes[*].hostPath must not be set. - pattern: - spec: - =(volumes): - - X(hostPath): "null" -{{- end -}} diff --git a/charts/kyverno-policies/templates/default/disallow-host-ports.yaml b/charts/kyverno-policies/templates/default/disallow-host-ports.yaml deleted file mode 100644 index 3df228294b..0000000000 --- a/charts/kyverno-policies/templates/default/disallow-host-ports.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -{{- $name := "disallow-host-ports" }} -{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: {{ $name }} - annotations: - policies.kyverno.io/category: Pod Security Standards (Default) - {{- if .Values.podSecuritySeverity }} - policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }} - {{- end }} - policies.kyverno.io/description: >- - Access to host ports allows potential snooping of network traffic and should not be - allowed, or at minimum restricted to a known list. - labels: {{ include "kyverno-policies.labels" . | nindent 4 }} - app: kyverno -spec: - validationFailureAction: {{ .Values.validationFailureAction }} - background: true - rules: - - name: host-ports - match: - resources: - kinds: - - Pod - validate: - message: >- - Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort - and spec.initContainers[*].ports[*].hostPort must be empty. - pattern: - spec: - =(initContainers): - - =(ports): - - X(hostPort): 0 - containers: - - =(ports): - - X(hostPort): 0 -{{- end -}} diff --git a/charts/kyverno-policies/templates/default/disallow-privileged-containers.yaml b/charts/kyverno-policies/templates/default/disallow-privileged-containers.yaml deleted file mode 100644 index cd7de1016f..0000000000 --- a/charts/kyverno-policies/templates/default/disallow-privileged-containers.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -{{- $name := "disallow-privileged-containers" }} -{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: {{ $name }} - annotations: - policies.kyverno.io/category: Pod Security Standards (Default) - {{- if .Values.podSecuritySeverity }} - policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }} - {{- end }} - policies.kyverno.io/description: >- - Privileged mode disables most security mechanisms and must not be allowed. - labels: {{ include "kyverno-policies.labels" . | nindent 4 }} - app: kyverno -spec: - validationFailureAction: {{ .Values.validationFailureAction }} - background: true - rules: - - name: priviledged-containers - match: - resources: - kinds: - - Pod - validate: - message: >- - Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged - and spec.initContainers[*].securityContext.privileged must not be set to true. - pattern: - spec: - =(initContainers): - - =(securityContext): - =(privileged): "false" - containers: - - =(securityContext): - =(privileged): "false" -{{- end -}} diff --git a/charts/kyverno-policies/templates/default/disallow-proc-mount.yaml b/charts/kyverno-policies/templates/default/disallow-proc-mount.yaml deleted file mode 100644 index 36dbc276e2..0000000000 --- a/charts/kyverno-policies/templates/default/disallow-proc-mount.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -{{- $name := "require-default-proc-mount" }} -{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: {{ $name }} - annotations: - policies.kyverno.io/category: Pod Security Standards (Default) - {{- if .Values.podSecuritySeverity }} - policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }} - {{- end }} - policies.kyverno.io/description: >- - The default /proc masks are set up to reduce attack surface and should be required. - labels: {{ include "kyverno-policies.labels" . | nindent 4 }} - app: kyverno -spec: - validationFailureAction: {{ .Values.validationFailureAction }} - background: true - rules: - - name: check-proc-mount - match: - resources: - kinds: - - Pod - validate: - message: >- - Changing the proc mount from the default is not allowed. The fields - spec.containers[*].securityContext.procMount and - spec.initContainers[*].securityContext.procMount must not be changed - from `Default`. - pattern: - spec: - =(initContainers): - - =(securityContext): - =(procMount): "Default" - containers: - - =(securityContext): - =(procMount): "Default" -{{- end -}} diff --git a/charts/kyverno-policies/templates/default/disallow-selinux.yaml b/charts/kyverno-policies/templates/default/disallow-selinux.yaml deleted file mode 100644 index 6a20a7d283..0000000000 --- a/charts/kyverno-policies/templates/default/disallow-selinux.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -{{- $name := "disallow-selinux" }} -{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: {{ $name }} - annotations: - policies.kyverno.io/title: Disallow SELinux - policies.kyverno.io/category: Pod Security Standards (Default) - {{- if .Values.podSecuritySeverity }} - policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }} - {{- end }} - policies.kyverno.io/description: >- - SELinux options can be used to escalate privileges and should not be allowed. - labels: {{ include "kyverno-policies.labels" . | nindent 4 }} - app: kyverno -spec: - validationFailureAction: {{ .Values.validationFailureAction }} - background: true - rules: - - name: seLinux - match: - resources: - kinds: - - Pod - validate: - message: >- - Setting custom SELinux options is disallowed. The fields - spec.securityContext.seLinuxOptions, spec.containers[*].securityContext.seLinuxOptions, - and spec.initContainers[*].securityContext.seLinuxOptions must be empty. - pattern: - spec: - =(securityContext): - X(seLinuxOptions): "null" - =(initContainers): - - =(securityContext): - X(seLinuxOptions): "null" - containers: - - =(securityContext): - X(seLinuxOptions): "null" -{{- end -}} diff --git a/charts/kyverno-policies/templates/default/restrict-apparmor-profiles.yaml b/charts/kyverno-policies/templates/default/restrict-apparmor-profiles.yaml deleted file mode 100644 index 105f37d9de..0000000000 --- a/charts/kyverno-policies/templates/default/restrict-apparmor-profiles.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -{{- $name := "restrict-apparmor-profiles" }} -{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: {{ $name }} - annotations: - policies.kyverno.io/title: Restrict AppArmor - policies.kyverno.io/category: Pod Security Standards (Default) - {{- if .Values.podSecuritySeverity }} - policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }} - {{- end }} - policies.kyverno.io/description: >- - On supported hosts, the 'runtime/default' AppArmor profile is applied by default. - The default policy should prevent overriding or disabling the policy, or restrict - overrides to an allowed set of profiles. - labels: {{ include "kyverno-policies.labels" . | nindent 4 }} - app: kyverno -spec: - validationFailureAction: {{ .Values.validationFailureAction }} - background: true - rules: - - name: app-armor - match: - resources: - kinds: - - Pod - validate: - message: >- - Specifying other AppArmor profiles is disallowed. The annotation - container.apparmor.security.beta.kubernetes.io must not be defined, - or must not be set to anything other than `runtime/default`. - pattern: - metadata: - =(annotations): - =(container.apparmor.security.beta.kubernetes.io/*): "runtime/default" -{{- end -}} diff --git a/charts/kyverno-policies/templates/default/restrict-sysctls.yaml b/charts/kyverno-policies/templates/default/restrict-sysctls.yaml deleted file mode 100644 index 7988c76d8a..0000000000 --- a/charts/kyverno-policies/templates/default/restrict-sysctls.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -{{- $name := "restrict-sysctls" }} -{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: {{ $name }} - annotations: - policies.kyverno.io/category: Pod Security Standards (Default) - {{- if .Values.podSecuritySeverity }} - policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }} - {{- end }} - policies.kyverno.io/description: >- - Sysctls can disable security mechanisms or affect all containers on a - host, and should be disallowed except for an allowed "safe" subset. A - sysctl is considered safe if it is namespaced in the container or the - Pod, and it is isolated from other Pods or processes on the same Node. - labels: {{ include "kyverno-policies.labels" . | nindent 4 }} - app: kyverno -spec: - validationFailureAction: {{ .Values.validationFailureAction }} - background: true - rules: - - name: sysctls - match: - resources: - kinds: - - Pod - validate: - message: >- - Setting additional sysctls above the allowed type is disallowed. - The field spec.securityContext.sysctls must not use any other names - than 'kernel.shm_rmid_forced', 'net.ipv4.ip_local_port_range', - 'net.ipv4.tcp_syncookies' and 'net.ipv4.ping_group_range'. - pattern: - spec: - =(securityContext): - =(sysctls): - - name: "kernel.shm_rmid_forced | net.ipv4.ip_local_port_range | net.ipv4.tcp_syncookies | net.ipv4.ping_group_range" - value: "?*" -{{- end -}} diff --git a/charts/kyverno-policies/templates/other/require-non-root-groups.yaml b/charts/kyverno-policies/templates/other/require-non-root-groups.yaml new file mode 100644 index 0000000000..b1c776c652 --- /dev/null +++ b/charts/kyverno-policies/templates/other/require-non-root-groups.yaml 
@@ -0,0 +1,102 @@ +{{- $name := "require-non-root-groups" }} +{{- if eq (include "kyverno-policies.podSecurityOther" (merge (dict "name" $name) .)) "true" }} +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: {{ $name }} + annotations: + policies.kyverno.io/category: Sample + {{- if .Values.podSecuritySeverity }} + policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }} + {{- end }} + policies.kyverno.io/minversion: 1.3.6 + kyverno.io/kyverno-version: 1.6.0 + kyverno.io/kubernetes-version: "1.22-1.23" + policies.kyverno.io/subject: Pod + policies.kyverno.io/description: >- + Containers should be forbidden from running with a root primary or supplementary GID. + This policy ensures the `runAsGroup`, `supplementalGroups`, and `fsGroup` fields are set to a number + greater than zero (i.e., non root). A known issue prevents a policy such as this + using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. +spec: + validationFailureAction: {{ .Values.validationFailureAction }} + background: true + rules: + - name: check-runasgroup + match: + any: + - resources: + kinds: + - Pod + {{- with merge (index .Values "policyExclude" "check-runasgroup") (index .Values "policyExclude" $name) }} + exclude: + {{- toYaml . | nindent 8 }} + {{- end }} + validate: + message: >- + Running with root group IDs is disallowed. The fields + spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup, + spec.initContainers[*].securityContext.runAsGroup, and + spec.ephemeralContainers[*].securityContext.runAsGroup must be + set to a value greater than zero. 
+ anyPattern: + - spec: + securityContext: + runAsGroup: ">0" + =(ephemeralContainers): + - =(securityContext): + =(runAsGroup): ">0" + =(initContainers): + - =(securityContext): + =(runAsGroup): ">0" + containers: + - =(securityContext): + =(runAsGroup): ">0" + - spec: + =(ephemeralContainers): + - securityContext: + runAsGroup: ">0" + =(initContainers): + - securityContext: + runAsGroup: ">0" + containers: + - securityContext: + runAsGroup: ">0" + - name: check-supplementalgroups + match: + any: + - resources: + kinds: + - Pod + {{- with merge (index .Values "policyExclude" "check-supplementalgroups") (index .Values "policyExclude" $name) }} + exclude: + {{- toYaml . | nindent 8 }} + {{- end }} + validate: + message: >- + Containers cannot run with a root primary or supplementary GID. The field + spec.securityContext.supplementalGroups must be unset or + set to a value greater than zero. + pattern: + spec: + =(securityContext): + =(supplementalGroups): ">0" + - name: check-fsgroup + match: + any: + - resources: + kinds: + - Pod + {{- with merge (index .Values "policyExclude" "check-fsgroup") (index .Values "policyExclude" $name) }} + exclude: + {{- toYaml . | nindent 8 }} + {{- end }} + validate: + message: >- + Containers cannot run with a root primary or supplementary GID. The field + spec.securityContext.fsGroup must be unset or set to a value greater than zero. + pattern: + spec: + =(securityContext): + =(fsGroup): ">0" +{{- end }} diff --git a/charts/kyverno-policies/templates/restricted/deny-privilege-escalation.yaml b/charts/kyverno-policies/templates/restricted/deny-privilege-escalation.yaml deleted file mode 100644 index ace894f3aa..0000000000 --- a/charts/kyverno-policies/templates/restricted/deny-privilege-escalation.yaml +++ /dev/null 
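Review bot: The `exclude` lookups use `merge (index .Values "policyExclude" "check-runasgroup") (index .Values "policyExclude" $name)`, and sprig's `merge` writes into its first argument as far as I recall, so whenever a rule-level exclusion map is supplied it is mutated inside `.Values` to also carry the policy-level keys. That is harmless for these three rules today but becomes surprising if one of those maps is reused elsewhere; merging into a fresh dict avoids it: `{{- with merge (dict) (index .Values "policyExclude" "check-runasgroup") (index .Values "policyExclude" $name) }}` (same for `check-supplementalgroups` and `check-fsgroup`). Since the rule names are now part of the values interface as exclusion keys, a one-line comment above each rule noting `# rule name doubles as a policyExclude key` would help chart users find them.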
@@ -1,39 +0,0 @@ -{{- $name := "deny-privilege-escalation" }} -{{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }} -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: {{ $name }} - annotations: - policies.kyverno.io/category: Pod Security Standards (Restricted) - {{- if .Values.podSecuritySeverity }} - policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }} - {{- end }} - policies.kyverno.io/description: >- - Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. - labels: {{ include "kyverno-policies.labels" . | nindent 4 }} - app: kyverno -spec: - background: true - validationFailureAction: {{ .Values.validationFailureAction }} - rules: - - name: deny-privilege-escalation - match: - resources: - kinds: - - Pod - validate: - message: >- - Privilege escalation is disallowed. The fields - spec.containers[*].securityContext.allowPrivilegeEscalation, and - spec.initContainers[*].securityContext.allowPrivilegeEscalation must - be undefined or set to `false`. - pattern: - spec: - =(initContainers): - - =(securityContext): - =(allowPrivilegeEscalation): "false" - containers: - - =(securityContext): - =(allowPrivilegeEscalation): "false" -{{- end -}} diff --git a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml new file mode 100644 index 0000000000..6655b071eb --- /dev/null +++ b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml 
@@ -0,0 +1,79 @@ +{{- $name := "disallow-capabilities-strict" }} +{{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }} +{{- include "kyverno-policies.supportedKyvernoCheck" (dict "top" . "ver" ">= 1.6.0-0") }} +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: {{ $name }} + annotations: + policies.kyverno.io/title: Disallow Capabilities (Strict) + policies.kyverno.io/category: Pod Security Standards (Restricted) + {{- if .Values.podSecuritySeverity }} + policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }} + {{- end }} + policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kyverno-version: 1.6.0 + kyverno.io/kubernetes-version: "1.22-1.23" + policies.kyverno.io/subject: Pod + policies.kyverno.io/description: >- + Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, + all containers must explicitly drop `ALL` capabilities. +spec: + validationFailureAction: {{ .Values.validationFailureAction }} + background: true + rules: + - name: require-drop-all + match: + any: + - resources: + kinds: + - Pod + {{- with merge (index .Values "policyExclude" "require-drop-all") (index .Values "policyExclude" $name) }} + exclude: + {{- toYaml . | nindent 8 }} + {{- end }} + preconditions: + all: + - key: "{{`{{ request.operation }}`}}" + operator: NotEquals + value: DELETE + validate: + message: >- + Containers must drop `ALL` capabilities. + foreach: + - list: request.object.spec.[ephemeralContainers, initContainers, containers][] + deny: + conditions: + all: + - key: ALL + operator: AnyNotIn + value: "{{`{{ element.securityContext.capabilities.drop || '' }}`}}" + - name: adding-capabilities-strict + match: + any: + - resources: + kinds: + - Pod + {{- with merge (index .Values "policyExclude" "adding-capabilities-strict") (index .Values "policyExclude" $name) }} + exclude: + {{- toYaml . 
| nindent 8 }} + {{- end }} + preconditions: + all: + - key: "{{`{{ request.operation }}`}}" + operator: NotEquals + value: DELETE + validate: + message: >- + Any capabilities added other than NET_BIND_SERVICE are disallowed. + foreach: + - list: request.object.spec.[ephemeralContainers, initContainers, containers][] + deny: + conditions: + all: + - key: "{{`{{ element.securityContext.capabilities.add[] || '' }}`}}" + operator: AnyNotIn + value: + - NET_BIND_SERVICE + - '' +{{- end }} diff --git a/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml b/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml new file mode 100644 index 0000000000..264b5df41b --- /dev/null +++ b/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml 
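Review bot: The `|| ''` defaults in the two `deny` conditions carry the fail-closed/fail-open decisions of this policy and should be commented, because a reader has to reason through JMESPath falsiness to see why one rule denies on absence and the other allows it. In `require-drop-all`, an absent `capabilities.drop` becomes `''`, so `ALL` is "not in" it and the pod is denied; in `adding-capabilities-strict`, an absent `add` becomes `''`, which is the only reason `''` appears in the allowed values. Suggested comments: `# absent drop list defaults to '' so ALL is never "in" it: fail closed` above the first `key`, and `# absent add list defaults to '', hence '' in the allow list below` above the second. The comparison is exact-string, so `drop: [all]` in lower case would be rejected; that appears consistent with the Restricted profile but is worth stating in the message.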
@@ -0,0 +1,51 @@ +{{- $name := "disallow-privilege-escalation" }} +{{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }} +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: {{ $name }} + annotations: + policies.kyverno.io/title: Disallow Privilege Escalation + policies.kyverno.io/category: Pod Security Standards (Restricted) + {{- if .Values.podSecuritySeverity }} + policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }} + {{- end }} + policies.kyverno.io/subject: Pod + kyverno.io/kyverno-version: 1.6.0 + kyverno.io/kubernetes-version: "1.22-1.23" + policies.kyverno.io/description: >- + Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. + This policy ensures the `allowPrivilegeEscalation` field is set to `false`. +spec: + validationFailureAction: {{ .Values.validationFailureAction }} + background: true + rules: + - name: privilege-escalation + match: + any: + - resources: + kinds: + - Pod + {{- with index .Values "policyExclude" $name }} + exclude: + {{- toYaml . | nindent 8 }} + {{- end }} + validate: + message: >- + Privilege escalation is disallowed. The fields + spec.containers[*].securityContext.allowPrivilegeEscalation, + spec.initContainers[*].securityContext.allowPrivilegeEscalation, + and spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation + must be set to `false`. + pattern: + spec: + =(ephemeralContainers): + - securityContext: + allowPrivilegeEscalation: "false" + =(initContainers): + - securityContext: + allowPrivilegeEscalation: "false" + containers: + - securityContext: + allowPrivilegeEscalation: "false" +{{- end }} diff --git a/charts/kyverno-policies/templates/restricted/require-non-root-groups.yaml b/charts/kyverno-policies/templates/restricted/require-non-root-groups.yaml deleted file mode 100644 index 81958fe392..0000000000 
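Review bot: The pattern makes `securityContext.allowPrivilegeEscalation: "false"` mandatory for `ephemeralContainers` as well as the other two lists, so in Enforce mode an ephemeral container that carries no `securityContext` (which is how debug containers are typically injected, as far as I recall) is rejected. That matches the Restricted profile, but it is the kind of operational surprise a chart comment should call out; suggest `# ephemeral containers must also set the field explicitly; use policyExclude for debug workflows` above `=(ephemeralContainers):`. The message already says "must be set to `false`", which is accurate for the new non-anchored pattern.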
--- a/charts/kyverno-policies/templates/restricted/require-non-root-groups.yaml +++ /dev/null @@ -1,67 +0,0 @@ -{{- $name := "require-non-root-groups" }} -{{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }} -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: {{ $name }} - annotations: - policies.kyverno.io/category: Pod Security Standards (Restricted) - {{- if .Values.podSecuritySeverity }} - policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }} - {{- end }} - policies.kyverno.io/description: >- - Containers should be forbidden from running with a root primary or supplementary GID. - labels: {{ include "kyverno-policies.labels" . | nindent 4 }} - app: kyverno -spec: - background: true - validationFailureAction: {{ .Values.validationFailureAction }} - rules: - - name: check-runasgroup - match: - resources: - kinds: - - Pod - validate: - message: >- - Running with root group IDs is disallowed. The fields - spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup, - and spec.initContainers[*].securityContext.runAsGroup must be empty - or greater than zero. - pattern: - spec: - =(securityContext): - =(runAsGroup): ">0" - =(initContainers): - - =(securityContext): - =(runAsGroup): ">0" - containers: - - =(securityContext): - =(runAsGroup): ">0" - - name: check-supplementalGroups - match: - resources: - kinds: - - Pod - validate: - message: >- - Adding of supplemental group IDs is not allowed. The field - spec.securityContext.supplementalGroups must not be defined. - pattern: - spec: - =(securityContext): - =(supplementalGroups): ">0" - - name: check-fsGroup - match: - resources: - kinds: - - Pod - validate: - message: >- - Changing to root group ID is disallowed. The field - spec.securityContext.fsGroup must be empty or greater than zero. - pattern: - spec: - =(securityContext): - =(fsGroup): ">0" -{{- end -}} 
diff --git a/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml b/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml new file mode 100644 index 0000000000..2ceba4feaf --- /dev/null +++ b/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml 
@@ -0,0 +1,52 @@ +{{- $name := "require-run-as-non-root-user" }} +{{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }} +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: {{ $name }} + annotations: + policies.kyverno.io/title: Require Run As Non-Root User + policies.kyverno.io/category: Pod Security Standards (Restricted) + {{- if .Values.podSecuritySeverity }} + policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }} + {{- end }} + policies.kyverno.io/subject: Pod + kyverno.io/kyverno-version: 1.6.0 + kyverno.io/kubernetes-version: "1.22-1.23" + policies.kyverno.io/description: >- + Containers must be required to run as non-root users. This policy ensures + `runAsUser` is either unset or set to a number greater than zero. +spec: + validationFailureAction: {{ .Values.validationFailureAction }} + background: true + rules: + - name: run-as-non-root-user + match: + any: + - resources: + kinds: + - Pod + {{- with index .Values "policyExclude" $name }} + exclude: + {{- toYaml . | nindent 8 }} + {{- end }} + validate: + message: >- + Running as root is not allowed. The fields spec.securityContext.runAsUser, + spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser, + and spec.ephemeralContainers[*].securityContext.runAsUser must be unset or + set to a number greater than zero. + pattern: + spec: + =(securityContext): + =(runAsUser): ">0" + =(ephemeralContainers): + - =(securityContext): + =(runAsUser): ">0" + =(initContainers): + - =(securityContext): + =(runAsUser): ">0" + containers: + - =(securityContext): + =(runAsUser): ">0" +{{- end }} diff --git a/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml b/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml index 8982e91df1..f64acdad2f 100644 --- a/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml 
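Review bot: Every `runAsUser` in the pattern is anchored (`=(runAsUser): ">0"`), so a Pod that sets no `runAsUser` anywhere passes and the image's default user, possibly UID 0, is what runs; on its own this policy only blocks an explicit UID 0. That is what the Restricted profile specifies, but the message "Running as root is not allowed" overstates it, and an operator could enable this policy without `require-run-as-nonroot` and believe root is blocked. Suggest rewording the message to `Setting runAsUser to 0 is not allowed. The fields ... must be unset or set to a number greater than zero.` and adding to the description that it must be paired with the `require-run-as-nonroot` policy to reject images that default to root.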
+++ b/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml 
@@ -1,46 +1,63 @@ -{{- $name := "require-run-as-non-root" }} +{{- $name := "require-run-as-nonroot" }} {{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }} apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: {{ $name }} annotations: + policies.kyverno.io/title: Require runAsNonRoot policies.kyverno.io/category: Pod Security Standards (Restricted) {{- if .Values.podSecuritySeverity }} policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }} {{- end }} - policies.kyverno.io/description: Containers must be required to run as non-root users. - labels: {{ include "kyverno-policies.labels" . | nindent 4 }} - app: kyverno + policies.kyverno.io/subject: Pod + kyverno.io/kyverno-version: 1.6.0 + kyverno.io/kubernetes-version: "1.22-1.23" + policies.kyverno.io/description: >- + Containers must be required to run as non-root users. This policy ensures + `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this + using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. spec: - background: true validationFailureAction: {{ .Values.validationFailureAction }} + background: true rules: - - name: check-containers - match: - resources: - kinds: - - Pod - validate: - message: >- - Running as root is not allowed. The fields spec.securityContext.runAsNonRoot, - spec.containers[*].securityContext.runAsNonRoot, and - spec.initContainers[*].securityContext.runAsNonRoot must be `true`. - anyPattern: - - spec: - securityContext: - runAsNonRoot: true - containers: - - =(securityContext): - =(runAsNonRoot): true - =(initContainers): - - =(securityContext): - =(runAsNonRoot): true - - spec: - containers: - - securityContext: + - name: run-as-non-root + match: + any: + - resources: + kinds: + - Pod + {{- with index .Values "policyExclude" $name }} + exclude: + {{- toYaml . | nindent 8 }} + {{- end }} + validate: + message: >- + Running as root is not allowed. 
Either the field spec.securityContext.runAsNonRoot + must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, + spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot + must be set to `true`. + anyPattern: + - spec: + securityContext: runAsNonRoot: true - =(initContainers): - - securityContext: - runAsNonRoot: true -{{- end -}} + =(ephemeralContainers): + - =(securityContext): + =(runAsNonRoot): true + =(initContainers): + - =(securityContext): + =(runAsNonRoot): true + containers: + - =(securityContext): + =(runAsNonRoot): true + - spec: + =(ephemeralContainers): + - securityContext: + runAsNonRoot: true + =(initContainers): + - securityContext: + runAsNonRoot: true + containers: + - securityContext: + runAsNonRoot: true +{{- end }} diff --git a/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml b/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml new file mode 100644 index 0000000000..e6962ec1bc --- /dev/null +++ b/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml 
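Review bot: Renaming `$name` from `require-run-as-non-root` to `require-run-as-nonroot` changes the key used by `index .Values "policyExclude" $name` (and presumably the enable lookup inside `kyverno-policies.podSecurityRestricted`), so a values file that excludes or disables the old name keeps rendering without error while its exclusion silently stops applying. The ClusterPolicy `metadata.name` changes too, so an upgrade deletes the old object and creates the new one, which is fine but worth a NOTES/README line. A cheap render-time guard would turn the silent drop into a hard failure: `{{- if index .Values "policyExclude" "require-run-as-non-root" }}{{ fail "policyExclude.require-run-as-non-root was renamed to require-run-as-nonroot" }}{{ end }}` placed before the `ClusterPolicy` header.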
@@ -0,0 +1,74 @@ +{{- $name := "restrict-seccomp-strict" }} +{{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }} +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: {{ $name }} + annotations: + policies.kyverno.io/title: Restrict Seccomp (Strict) + policies.kyverno.io/category: Pod Security Standards (Restricted) + {{- if .Values.podSecuritySeverity }} + policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }} + {{- end }} + policies.kyverno.io/subject: Pod + kyverno.io/kyverno-version: 1.6.0 + kyverno.io/kubernetes-version: "1.22-1.23" + policies.kyverno.io/description: >- + The seccomp profile in the Restricted group must not be explicitly set to Unconfined + but additionally must also not allow an unset value. This policy, + requiring Kubernetes v1.19 or later, ensures that seccomp is + set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this + using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. +spec: + background: true + validationFailureAction: {{ .Values.validationFailureAction }} + rules: + - name: check-seccomp-strict + match: + any: + - resources: + kinds: + - Pod + {{- with index .Values "policyExclude" $name }} + exclude: + {{- toYaml . | nindent 8 }} + {{- end }} + validate: + message: >- + Use of custom Seccomp profiles is disallowed. The fields + spec.securityContext.seccompProfile.type, + spec.containers[*].securityContext.seccompProfile.type, + spec.initContainers[*].securityContext.seccompProfile.type, and + spec.ephemeralContainers[*].securityContext.seccompProfile.type + must be set to `RuntimeDefault` or `Localhost`. 
+ anyPattern: + - spec: + securityContext: + seccompProfile: + type: "RuntimeDefault | Localhost" + =(ephemeralContainers): + - =(securityContext): + =(seccompProfile): + =(type): "RuntimeDefault | Localhost" + =(initContainers): + - =(securityContext): + =(seccompProfile): + =(type): "RuntimeDefault | Localhost" + containers: + - =(securityContext): + =(seccompProfile): + =(type): "RuntimeDefault | Localhost" + - spec: + =(ephemeralContainers): + - securityContext: + seccompProfile: + type: "RuntimeDefault | Localhost" + =(initContainers): + - securityContext: + seccompProfile: + type: "RuntimeDefault | Localhost" + containers: + - securityContext: + seccompProfile: + type: "RuntimeDefault | Localhost" +{{- end }} diff --git a/charts/kyverno-policies/templates/restricted/restrict-seccomp.yaml b/charts/kyverno-policies/templates/restricted/restrict-seccomp.yaml deleted file mode 100644 index bfe9085308..0000000000 --- a/charts/kyverno-policies/templates/restricted/restrict-seccomp.yaml +++ /dev/null 
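Review bot: `type: "RuntimeDefault | Localhost"` accepts `Localhost` without constraining `localhostProfile`, so any profile file present on the node satisfies the policy, including a permissive one. That mirrors the Restricted profile and is not a defect, but operators who do not curate node-side seccomp profiles should know the policy does not vouch for their content; suggest `# Localhost is accepted for any localhostProfile path; add a localhostProfile pattern if node profiles are not curated` above the first `seccompProfile:` in the pattern. The description's "requiring Kubernetes v1.19 or later" sits beside `kyverno.io/kubernetes-version: "1.22-1.23"`; stating which one is the tested range would avoid the apparent contradiction.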
@@ -1,47 +0,0 @@
-{{- $name := "restrict-seccomp" }}
-{{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: {{ $name }}
- annotations:
- policies.kyverno.io/title: Restrict Seccomp
- policies.kyverno.io/category: Pod Security Standards (Restricted)
- {{- if .Values.podSecuritySeverity }}
- policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
- {{- end }}
- policies.kyverno.io/description: >-
- The runtime default seccomp profile must be required, or only specific
- additional profiles should be allowed.
- labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
- app: kyverno
-spec:
- background: true
- validationFailureAction: {{ .Values.validationFailureAction }}
- rules:
- - name: seccomp
- match:
- resources:
- kinds:
- - Pod
- validate:
- message: >-
- Use of custom Seccomp profiles is disallowed. The fields
- spec.securityContext.seccompProfile.type,
- spec.containers[*].securityContext.seccompProfile.type, and
- spec.initContainers[*].securityContext.seccompProfile.type
- must be unset or set to `runtime/default`.
- pattern:
- spec:
- =(securityContext):
- =(seccompProfile):
- =(type): "runtime/default"
- =(initContainers):
- - =(securityContext):
- =(seccompProfile):
- =(type): "runtime/default"
- containers:
- - =(securityContext):
- =(seccompProfile):
- =(type): "runtime/default"
-{{- end -}}
diff --git a/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml b/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
index abb0c55a41..9352f281b7 100644
--- a/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
+++ b/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
@@ -1,281 +1,56 @@ {{- $name := "restrict-volume-types" }} {{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }} +{{- include "kyverno-policies.supportedKyvernoCheck" (dict "top" . "ver" ">= 1.6.0-0") }} apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: {{ $name }} annotations: + policies.kyverno.io/title: Restrict Volume Types policies.kyverno.io/category: Pod Security Standards (Restricted) {{- if .Values.podSecuritySeverity }} policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }} {{- end }} + policies.kyverno.io/subject: Pod,Volume + policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kubernetes-version: "1.22-1.23" + kyverno.io/kyverno-version: 1.6.0 policies.kyverno.io/description: >- In addition to restricting HostPath volumes, the restricted pod security profile limits usage of non-core volume types to those defined through PersistentVolumes. - labels: {{ include "kyverno-policies.labels" . | nindent 4 }} - app: kyverno + This policy blocks any other type of volume other than those in the allow list. spec: - background: true validationFailureAction: {{ .Values.validationFailureAction }} + background: true rules: - - name: restricted-vol-gcePersistentDisk - match: - resources: - kinds: - - Pod - validate: - message: >- - Use of the gcePersistentDisk type volume is disallowed. - The fields spec.volumes[*].gcePersistentDisk must not be set. - pattern: - spec: - =(volumes): - - X(gcePersistentDisk): "null" - - name: restricted-vol-awsElasticBlockStore - match: - resources: - kinds: - - Pod - validate: - message: >- - Use of the awsElasticBlockStore type volume is disallowed. - The fields spec.volumes[*].awsElasticBlockStore must not be set. - pattern: - spec: - =(volumes): - - X(awsElasticBlockStore): "null" - - name: restricted-vol-gitRepo - match: - resources: - kinds: - - Pod - validate: - message: >- - Use of the gitRepo type volume is disallowed. 
- The fields spec.volumes[*].gitRepo must not be set.
- pattern:
- spec:
- =(volumes):
- - X(gitRepo): "null"
- - name: restricted-vol-nfs
- match:
- resources:
- kinds:
- - Pod
- validate:
- message: >-
- Use of the nfs type volume is disallowed.
- The fields spec.volumes[*].nfs must not be set.
- pattern:
- spec:
- =(volumes):
- - X(nfs): "null"
- - name: restricted-vol-iscsi
- match:
- resources:
- kinds:
- - Pod
- validate:
- message: >-
- Use of the iscsi type volume is disallowed.
- The fields spec.volumes[*].iscsi must not be set.
- pattern:
- spec:
- =(volumes):
- - X(iscsi): "null"
- - name: restricted-vol-glusterfs
- match:
- resources:
- kinds:
- - Pod
- validate:
- message: >-
- Use of the glusterfs type volume is disallowed.
- The fields spec.volumes[*].glusterfs must not be set.
- pattern:
- spec:
- =(volumes):
- - X(glusterfs): "null"
- - name: restricted-vol-rbd
- match:
- resources:
- kinds:
- - Pod
- validate:
- message: >-
- Use of the rbd type volume is disallowed.
- The fields spec.volumes[*].rbd must not be set.
- pattern:
- spec:
- =(volumes):
- - X(rbd): "null"
- - name: restricted-vol-flexVolume
- match:
- resources:
- kinds:
- - Pod
- validate:
- message: >-
- Use of the flexVolume type volume is disallowed.
- The fields spec.volumes[*].flexVolume must not be set.
- pattern:
- spec:
- =(volumes):
- - X(flexVolume): "null"
- - name: restricted-vol-cinder
- match:
- resources:
- kinds:
- - Pod
- validate:
- message: >-
- Use of the cinder type volume is disallowed.
- The fields spec.volumes[*].cinder must not be set.
- pattern:
- spec:
- =(volumes):
- - X(cinder): "null"
- - name: restricted-vol-cephfs
- match:
- resources:
- kinds:
- - Pod
- validate:
- message: >-
- Use of the cephfs type volume is disallowed.
- The fields spec.volumes[*].cephfs must not be set.
- pattern:
- spec:
- =(volumes):
- - X(cephfs): "null"
- - name: restricted-vol-flocker
- match:
- resources:
- kinds:
- - Pod
- validate:
- message: >-
- Use of the flocker type volume is disallowed.
- The fields spec.volumes[*].flocker must not be set.
- pattern:
- spec:
- =(volumes):
- - X(flocker): "null"
- - name: restricted-vol-fc
- match:
- resources:
- kinds:
- - Pod
- validate:
- message: >-
- Use of the fc type volume is disallowed.
- The fields spec.volumes[*].fc must not be set.
- pattern:
- spec:
- =(volumes):
- - X(fc): "null"
- - name: restricted-vol-azureFile
- match:
- resources:
- kinds:
- - Pod
- validate:
- message: >-
- Use of the azureFile type volume is disallowed.
- The fields spec.volumes[*].azureFile must not be set.
- pattern:
- spec:
- =(volumes):
- - X(azureFile): "null"
- - name: restricted-vol-vsphereVolume
- match:
- resources:
- kinds:
- - Pod
- validate:
- message: >-
- Use of the vsphereVolume type volume is disallowed.
- The fields spec.volumes[*].vsphereVolume must not be set.
- pattern:
- spec:
- =(volumes):
- - X(vsphereVolume): "null"
- - name: restricted-vol-quobyte
- match:
- resources:
- kinds:
- - Pod
- validate:
- message: >-
- Use of the quobyte type volume is disallowed.
- The fields spec.volumes[*].quobyte must not be set.
- pattern:
- spec:
- =(volumes):
- - X(quobyte): "null"
- - name: restricted-vol-azureDisk
- match:
- resources:
- kinds:
- - Pod
- validate:
- message: >-
- Use of the azureDisk type volume is disallowed.
- The fields spec.volumes[*].azureDisk must not be set.
- pattern:
- spec:
- =(volumes):
- - X(azureDisk): "null"
- - name: restricted-vol-portworxVolume
- match:
- resources:
- kinds:
- - Pod
- validate:
- message: >-
- Use of the portworxVolume type volume is disallowed.
- The fields spec.volumes[*].portworxVolume must not be set.
- pattern:
- spec:
- =(volumes):
- - X(portworxVolume): "null"
- - name: restricted-vol-scaleIO
- match:
- resources:
- kinds:
- - Pod
- validate:
- message: >-
- Use of the scaleIO type volume is disallowed.
- The fields spec.volumes[*].scaleIO must not be set.
- pattern:
- spec:
- =(volumes):
- - X(scaleIO): "null"
- - name: restricted-vol-storageos
- match:
- resources:
- kinds:
- - Pod
- validate:
- message: >-
- Use of the storageos type volume is disallowed.
- The fields spec.volumes[*].storageos must not be set.
- pattern:
- spec:
- =(volumes):
- - X(storageos): "null"
- - name: restricted-vol-csi
- match:
- resources:
- kinds:
- - Pod
- validate:
- message: >-
- Use of the csi type volume is disallowed.
- The fields spec.volumes[*].csi must not be set.
- pattern:
- spec:
- =(volumes):
- - X(csi): "null"
-{{- end -}}
+ - name: restricted-volumes
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ {{- with index .Values "policyExclude" $name }}
+ exclude:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ validate:
+ message: >-
+ Only the following types of volumes may be used: configMap, csi, downwardAPI,
+ emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.
+ deny:
+ conditions:
+ all:
+ - key: "{{`{{ request.object.spec.volumes[].keys(@)[] || '' }}`}}"
+ operator: AnyNotIn
+ value:
+ - name
+ - configMap
+ - csi
+ - downwardAPI
+ - emptyDir
+ - ephemeral
+ - persistentVolumeClaim
+ - projected
+ - secret
+ - ''
+{{- end }}
diff --git a/charts/kyverno-policies/values.yaml b/charts/kyverno-policies/values.yaml
index 2398e66cbe..9269cfdada 100644
--- a/charts/kyverno-policies/values.yaml
+++ b/charts/kyverno-policies/values.yaml
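Review bot: The `value` allow list under `deny.conditions.all` contains two entries that are not volume types, `name` (a key of every `spec.volumes[]` entry, so the `keys(@)[]` projection always emits it) and `''` (the `|| ''` fallback for Pods with no volumes), and removing either as "not a volume type" would deny every Pod with volumes or every Pod without them. A template comment directly above `value:` would protect that, e.g. `{{- /* 'name' is on every volume entry and '' is the no-volumes fallback of the key expression; both must stay */ }}`. The same allow list is restated in prose in `validate.message`, so the two have to be edited together; a short comment saying so would help the next maintainer. The new description line `This policy blocks any other type of volume other than those in the allow list.` is doubly negated and reads better as `This policy blocks any volume type not in the allow list.`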
@@ -5,9 +5,35 @@ podSecurityStandard: baseline podSecuritySeverity: medium # Policies to include when podSecurityStandard is custom podSecurityPolicies: [] +# Additional policies to include from "other" +# Example: +# includeOtherPolicies: +# - require-non-root-groups +includeOtherPolicies: [] # Supported values- `audit`, `enforce` # For more info- https://kyverno.io/docs/writing-policies/validate/ validationFailureAction: audit +# Exclude resources from individual policies +# Eg: +# policyExclude: +# disallow-host-path: +# any: +# - resources: +# kinds: +# - Pod +# namespaces: +# - fluent +# +# Policies with multiple rules can have individual rules excluded: +# policyExclude: +# adding-capabilities-strict: +# any: +# - resources: +# kinds: +# - Pod +# namespaces: +# - kube-system +policyExclude: {} nameOverride: # -- Additional labels diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml index d877db9be1..a24fedcb85 100644 --- a/charts/kyverno/Chart.yaml +++ b/charts/kyverno/Chart.yaml @@ -17,4 +17,4 @@ maintainers: - name: Nirmata url: https://kyverno.io/ engine: gotpl -kubeVersion: ">=1.10.0-0" +kubeVersion: ">=1.16.0-0" diff --git a/charts/kyverno/ci/test-networkpolicy.yaml b/charts/kyverno/ci/networkpolicy-values.yaml similarity index 100% rename from charts/kyverno/ci/test-networkpolicy.yaml rename to charts/kyverno/ci/networkpolicy-values.yaml diff --git a/charts/kyverno/templates/networkpolicy.yaml b/charts/kyverno/templates/networkpolicy.yaml index edfbf20086..0f3c8e46e8 100644 --- a/charts/kyverno/templates/networkpolicy.yaml +++ b/charts/kyverno/templates/networkpolicy.yaml @@ -50,6 +50,6 @@ spec: port: {{ .Values.metricsService.port }} {{- end }} {{- else }} - ingress: {} + ingress: [] {{- end }} {{- end }}
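Review bot: The second `policyExclude` example, introduced by `# Policies with multiple rules can have individual rules excluded:`, has exactly the same shape as the first (keyed by the policy name `adding-capabilities-strict` with an `any`/`resources` block), so it does not show how an individual rule would be addressed. The templates visible in this diff look the exclusion up with `index .Values "policyExclude" $name`, i.e. by policy name, and splice it into a single rule; if some multi-rule templates key by rule name instead, the example should use a rule name as the key, otherwise the sentence should be reworded to `# Exclusions apply to every rule of the named policy` or dropped. Since `policyExclude` is spliced verbatim into `match`/`exclude`, a one-line reminder that an over-broad exclusion (for example a bare `kinds: [Pod]` with no namespace filter) disables the policy entirely would be worth adding to the same comment block.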
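Review bot: `ingress: []` in the `else` branch is an empty rule list, and if the `policyTypes` of this NetworkPolicy (outside the hunk) includes `Ingress`, that denies all inbound traffic to the selected pods, including the API server's calls to the Kyverno admission webhook; if that is the intent it deserves a template comment such as `{{- /* no ingress rules: with Ingress in policyTypes all inbound traffic is denied */ }}`, otherwise the branch should emit no `ingress` key at all. The previous `{}` was a mapping where the API expects a list, which suggests this branch was not being rendered by chart-testing; the renamed `ci/networkpolicy-values.yaml` should cover the `else` case so a schema slip like this is caught at install time. The enclosing `{{- if }}` starts outside the hunk.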