diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index 6842c2c705..09df29a465 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -122,3 +122,7 @@ func Test_validate_disallow_new_capabilities(t *testing.T) {
 func Test_validate_disallow_docker_sock_mount(t *testing.T) {
 	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml")
 }
+
+func Test_validate_disallow_helm_tiller(t *testing.T) {
+	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_helm_tiller.yaml")
+}
diff --git a/samples/DisallowHelmTiller.md b/samples/DisallowHelmTiller.md
new file mode 100644
index 0000000000..424ac67c6f
--- /dev/null
+++ b/samples/DisallowHelmTiller.md
@@ -0,0 +1,30 @@
+# Disallow Helm Tiller
+
+Tiller has known security challenges. It requires adminstrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilge escalation as restricted users can impact other users.
+
+## Policy YAML
+
+````yaml
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: disallow-helm-tiller
+  annotations:
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/description:
+spec:
+  rules:
+  - name: validate-helm-tiller
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Helm Tiller is not allowed"
+      pattern:
+        spec:
+          containers:
+          - name: "*"
+            image: "!*tiller*"
+
+````
\ No newline at end of file
diff --git a/samples/README.md b/samples/README.md
index e48921df3c..5f13e4bcf3 100644
--- a/samples/README.md
+++ b/samples/README.md
@@ -51,7 +51,7 @@ These policies are highly recommended.
 13. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
 14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
 15. [Default deny all ingress traffic](DefaultDenyAllIngress.md)
-
+16. [Disallow Helm Tiller](DisallowHelmTiller.md)
 ## Additional Policies
diff --git a/samples/best_practices/disallow_helm_tiller.yaml b/samples/best_practices/disallow_helm_tiller.yaml
new file mode 100644
index 0000000000..b1186389a0
--- /dev/null
+++ b/samples/best_practices/disallow_helm_tiller.yaml
@@ -0,0 +1,21 @@
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: disallow-helm-tiller
+  annotations:
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/description:
+spec:
+  rules:
+  - name: validate-helm-tiller
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Helm Tiller is not allowed"
+      pattern:
+        spec:
+          containers:
+          - name: "*"
+            image: "!*tiller*"
diff --git a/test/resources/disallow_helm_tiller.yaml b/test/resources/disallow_helm_tiller.yaml
new file mode 100644
index 0000000000..5fb1683b32
--- /dev/null
+++ b/test/resources/disallow_helm_tiller.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-helm-tiller
+spec:
+  containers:
+  - name: helm-tiller
+    image: docker.io/tiller:latest
diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_helm_tiller.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_helm_tiller.yaml
new file mode 100644
index 0000000000..52fbedbf7f
--- /dev/null
+++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_helm_tiller.yaml
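Review bot: The pattern in `samples/best_practices/disallow_helm_tiller.yaml` constrains only `spec.containers`, so a Pod that runs the same image from `spec.initContainers` is not rejected, and the `test/resources/disallow_helm_tiller.yaml` fixture exercises only the `containers` path. A parallel entry under the pattern's `spec` — `initContainers:` / `- name: "*"` / `image: "!*tiller*"` — closes that gap; since a plain pattern key in Kyverno requires the field to be present, it would need the optional-field anchor (`=(initContainers)`) if this API version supports it, which should be verified against the pattern-matching docs. The `policies.kyverno.io/description:` annotation is left empty and should carry the one-line rationale the sample markdown gives, e.g. `policies.kyverno.io/description: Tiller requires administrative privileges and is shared by all authenticated users; Pods running a Tiller image are not allowed.` It is also worth stating in that description that matching on the image string is a naming heuristic rather than a guarantee, so operators know to pair the policy with RBAC restrictions on what Tiller would need.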
@@ -0,0 +1,16 @@
+# file paths are relative to project root
+input:
+  policy: samples/best_practices/disallow_helm_tiller.yaml
+  resource: test/resources/disallow_helm_tiller.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: disallow-helm-tiller
+      resource:
+        kind: Pod
+        name: pod-helm-tiller
+      rules:
+      - name: validate-helm-tiller
+        type: Validation
+        message: "Validation rule 'validate-helm-tiller' failed at '/spec/containers/0/image/' for resource Pod//pod-helm-tiller. Helm Tiller is not allowed."
+        success: false
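Review bot: The scenario asserts only the failing case; there is no companion scenario in which a compliant Pod (no `tiller` substring in any image) passes with `success: true`, so a regression that made the rule reject every Pod would still leave this test green. A second scenario file with a plain image fixture and a matching `Test_validate_...` entry in `pkg/testrunner/testrunner_test.go` would pin both directions. The expected `message` is tied to the exact path `/spec/containers/0/image/`, which is correct for the single-container fixture as written but will need updating if that fixture gains containers.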