From b04626a5f879afd053ff016bcb64e621ea1279d5 Mon Sep 17 00:00:00 2001
From: Raj Babu Das
Date: Wed, 10 Feb 2021 03:33:52 +0530
Subject: [PATCH] Adding default policies for restricted mode and adding notes to helm install (#1556)
* Adding default policies for restricted mode, taking validationFailureAction from values.yaml and adding notes on helm install
Signed-off-by: Raj Das
* Adding emoji
Signed-off-by: Raj Das
* Update NOTES.txt
* minor fix
Signed-off-by: Raj Das
* adding to readme
Signed-off-by: Raj Das
---
 charts/kyverno/README.md | 1 +
 charts/kyverno/templates/NOTES.txt | 8 ++++++++
 .../policies/default/disallow-adding-capabilities.yaml | 4 ++--
 .../policies/default/disallow-host-namespaces.yaml | 4 ++--
 .../templates/policies/default/disallow-host-path.yaml | 4 ++--
 .../templates/policies/default/disallow-host-ports.yaml | 4 ++--
 .../policies/default/disallow-privileged-containers.yaml | 4 ++--
 .../templates/policies/default/disallow-proc-mount.yaml | 4 ++--
 .../templates/policies/default/disallow-selinux.yaml | 4 ++--
 .../policies/default/restrict-apparmor-profiles.yaml | 4 ++--
 .../templates/policies/default/restrict-sysctls.yaml | 4 ++--
 .../policies/restricted/deny-privilege-escalation.yaml | 2 +-
 .../policies/restricted/require-non-root-groups.yaml | 2 +-
 .../policies/restricted/require-run-as-nonroot.yaml | 2 +-
 .../templates/policies/restricted/restrict-seccomp.yaml | 2 +-
 .../policies/restricted/restrict-volume-types.yaml | 2 +-
 charts/kyverno/values.yaml | 3 +++
 17 files changed, 35 insertions(+), 23 deletions(-)
 create mode 100644 charts/kyverno/templates/NOTES.txt
diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index 641997f3c6..f1cc22d1f9 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -102,6 +102,7 @@ Parameter | Description | Default
 `tolerations` | list of node taints to tolerate | `[]`
 `securityContext` | security context configuration | `{}`
 `podSecurityStandard` | set desired pod security level `privileged`, `default`, `restricted`. Set to `restricted` for maximum security for your cluster. See: https://kyverno.io/policies/pod-security/ | `default`
+`validationFailureAction` | set to get response in failed validation check. Supported values- `audit`, `enforce`. See: https://kyverno.io/docs/writing-policies/validate/ | `audit`
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
diff --git a/charts/kyverno/templates/NOTES.txt b/charts/kyverno/templates/NOTES.txt
new file mode 100644
index 0000000000..9acc7b61b5
--- /dev/null
+++ b/charts/kyverno/templates/NOTES.txt
@@ -0,0 +1,8 @@
+Thank you for installing {{ .Chart.Name }} 😀
+
+Your release is named {{ .Release.Name }}.
+
+We have installed the "default" profile of Pod Security Standards and set them in audit mode.
+
+Visit https://kyverno.io/policies/ to find more sample policies.
+
diff --git a/charts/kyverno/templates/policies/default/disallow-adding-capabilities.yaml b/charts/kyverno/templates/policies/default/disallow-adding-capabilities.yaml
index 0127a8e0a9..147b48fdca 100644
--- a/charts/kyverno/templates/policies/default/disallow-adding-capabilities.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-adding-capabilities.yaml
@@ -1,4 +1,4 @@
-{{- if eq .Values.podSecurityStandard "default" }}
+{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
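Review bot: The fifth added line of NOTES.txt hard-codes `"default"` and `audit`, while this same commit makes both the profile and the failure action configurable through `.Values.podSecurityStandard` and `.Values.validationFailureAction`, so an operator who installs with `--set validationFailureAction=enforce` or `--set podSecurityStandard=restricted` is told the wrong thing about what is now active in the cluster. Render the values instead: `We have installed the "{{ .Values.podSecurityStandard }}" profile of Pod Security Standards and set them in {{ .Values.validationFailureAction }} mode.` Since the policy templates in this commit are only emitted for `default` and `restricted`, the sentence is also misleading for `privileged`; wrapping it in `{{- if ne .Values.podSecurityStandard "privileged" }}` … `{{- end }}` would keep the note truthful there as well.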
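Review bot: The new condition on the added first line still emits nothing, without any error, when `podSecurityStandard` holds a value outside `privileged`/`default`/`restricted` (a typo such as `restrict`, or a different case), which turns a misconfiguration into a silently fail-open security control; the same guard is repeated in disallow-host-namespaces, disallow-host-path, disallow-host-ports, disallow-privileged-containers, disallow-proc-mount, disallow-selinux, restrict-apparmor-profiles and restrict-sysctls. Validate the value once, in a shared helper or at the top of one of these templates: `{{- if not (has .Values.podSecurityStandard (list "privileged" "default" "restricted")) }}{{ fail "podSecurityStandard must be one of privileged, default, restricted" }}{{- end }}`. The same membership test would also replace the nine duplicated `or (eq …) (eq …)` expressions, e.g. `{{- if has .Values.podSecurityStandard (list "default" "restricted") }}`.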
@@ -9,7 +9,7 @@ metadata:
 Capabilities permit privileged actions without giving full root access. Adding capabilities beyond the default set must not be allowed.
 spec:
- validationFailureAction: audit
+ validationFailureAction: {{ .Values.validationFailureAction }}
 background: true
 rules:
 - name: capabilities
diff --git a/charts/kyverno/templates/policies/default/disallow-host-namespaces.yaml b/charts/kyverno/templates/policies/default/disallow-host-namespaces.yaml
index 79b0861917..53bda87217 100644
--- a/charts/kyverno/templates/policies/default/disallow-host-namespaces.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-host-namespaces.yaml
@@ -1,4 +1,4 @@
-{{- if eq .Values.podSecurityStandard "default" }}
+{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
@@ -10,7 +10,7 @@ metadata:
 network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces.
 spec:
- validationFailureAction: audit
+ validationFailureAction: {{ .Values.validationFailureAction }}
 background: true
 rules:
 - name: host-namespaces
diff --git a/charts/kyverno/templates/policies/default/disallow-host-path.yaml b/charts/kyverno/templates/policies/default/disallow-host-path.yaml
index 92cec7443f..c85a2c2787 100644
--- a/charts/kyverno/templates/policies/default/disallow-host-path.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-host-path.yaml
@@ -1,4 +1,4 @@
-{{- if eq .Values.podSecurityStandard "default" }}
+{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
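Review bot: `{{ .Values.validationFailureAction }}` on the added line is substituted without quoting or validation, so `--set validationFailureAction=` renders `validationFailureAction:` (YAML null) and any other unsupported value is only caught when the API server rejects the ClusterPolicy, not at template time; the identical line appears in the other thirteen policy templates of this commit, from disallow-host-namespaces through restrict-volume-types. A single named template in the chart's helpers file (placeholder name `kyverno.validationFailureAction`) that tests `has .Values.validationFailureAction (list "audit" "enforce")`, calls `fail` otherwise and emits the value would put the check in one place, after which each policy reads `validationFailureAction: {{ include "kyverno.validationFailureAction" . }}`. A `values.schema.json` with an `enum` for this key would give the same guarantee at `helm install` and `helm lint` time.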
@@ -10,7 +10,7 @@ metadata:
 Using host resources can be used to access shared data or escalate privileges and should not be allowed.
 spec:
- validationFailureAction: audit
+ validationFailureAction: {{ .Values.validationFailureAction }}
 background: true
 rules:
 - name: host-path
diff --git a/charts/kyverno/templates/policies/default/disallow-host-ports.yaml b/charts/kyverno/templates/policies/default/disallow-host-ports.yaml
index dabcb2730e..b8cef57300 100644
--- a/charts/kyverno/templates/policies/default/disallow-host-ports.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-host-ports.yaml
@@ -1,4 +1,4 @@
-{{- if eq .Values.podSecurityStandard "default" }}
+{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
@@ -9,7 +9,7 @@ metadata:
 Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list.
 spec:
- validationFailureAction: audit
+ validationFailureAction: {{ .Values.validationFailureAction }}
 background: true
 rules:
 - name: host-ports
diff --git a/charts/kyverno/templates/policies/default/disallow-privileged-containers.yaml b/charts/kyverno/templates/policies/default/disallow-privileged-containers.yaml
index 96545eacd6..1326b7074f 100644
--- a/charts/kyverno/templates/policies/default/disallow-privileged-containers.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-privileged-containers.yaml
@@ -1,4 +1,4 @@
-{{- if eq .Values.podSecurityStandard "default" }}
+{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
@@ -8,7 +8,7 @@ metadata:
 policies.kyverno.io/description: >-
 Privileged mode disables most security mechanisms and must not be allowed.
 spec:
- validationFailureAction: audit
+ validationFailureAction: {{ .Values.validationFailureAction }}
 background: true
 rules:
 - name: priviledged-containers
diff --git a/charts/kyverno/templates/policies/default/disallow-proc-mount.yaml b/charts/kyverno/templates/policies/default/disallow-proc-mount.yaml
index 142c328405..b2bd8eedbc 100644
--- a/charts/kyverno/templates/policies/default/disallow-proc-mount.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-proc-mount.yaml
@@ -1,4 +1,4 @@
-{{- if eq .Values.podSecurityStandard "default" }}
+{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
@@ -8,7 +8,7 @@ metadata:
 policies.kyverno.io/description: >-
 The default /proc masks are set up to reduce attack surface and should be required.
 spec:
- validationFailureAction: audit
+ validationFailureAction: {{ .Values.validationFailureAction }}
 background: true
 rules:
 - name: check-proc-mount
diff --git a/charts/kyverno/templates/policies/default/disallow-selinux.yaml b/charts/kyverno/templates/policies/default/disallow-selinux.yaml
index d288481ce8..e063504c39 100644
--- a/charts/kyverno/templates/policies/default/disallow-selinux.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-selinux.yaml
@@ -1,4 +1,4 @@
-{{- if eq .Values.podSecurityStandard "default" }}
+{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
@@ -9,7 +9,7 @@ metadata:
 policies.kyverno.io/description: >-
 SELinux options can be used to escalate privileges and should not be allowed.
 spec:
- validationFailureAction: audit
+ validationFailureAction: {{ .Values.validationFailureAction }}
 background: true
 rules:
 - name: seLinux
diff --git a/charts/kyverno/templates/policies/default/restrict-apparmor-profiles.yaml b/charts/kyverno/templates/policies/default/restrict-apparmor-profiles.yaml
index f8c6389702..2bbc7a0eaf 100644
--- a/charts/kyverno/templates/policies/default/restrict-apparmor-profiles.yaml
+++ b/charts/kyverno/templates/policies/default/restrict-apparmor-profiles.yaml
@@ -1,4 +1,4 @@
-{{- if eq .Values.podSecurityStandard "default" }}
+{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
@@ -11,7 +11,7 @@ metadata:
 The default policy should prevent overriding or disabling the policy, or restrict overrides to an allowed set of profiles.
 spec:
- validationFailureAction: audit
+ validationFailureAction: {{ .Values.validationFailureAction }}
 background: true
 rules:
 - name: app-armor
diff --git a/charts/kyverno/templates/policies/default/restrict-sysctls.yaml b/charts/kyverno/templates/policies/default/restrict-sysctls.yaml
index 2d5589a399..6571c3d202 100644
--- a/charts/kyverno/templates/policies/default/restrict-sysctls.yaml
+++ b/charts/kyverno/templates/policies/default/restrict-sysctls.yaml
@@ -1,4 +1,4 @@
-{{- if eq .Values.podSecurityStandard "default" }}
+{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
@@ -11,7 +11,7 @@ metadata:
 sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.
 spec:
- validationFailureAction: audit
+ validationFailureAction: {{ .Values.validationFailureAction }}
 background: true
 rules:
 - name: sysctls
diff --git a/charts/kyverno/templates/policies/restricted/deny-privilege-escalation.yaml b/charts/kyverno/templates/policies/restricted/deny-privilege-escalation.yaml
index 99266c44e7..c12d89e58f 100644
--- a/charts/kyverno/templates/policies/restricted/deny-privilege-escalation.yaml
+++ b/charts/kyverno/templates/policies/restricted/deny-privilege-escalation.yaml
@@ -9,7 +9,7 @@ metadata:
 Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
 spec:
 background: true
- validationFailureAction: audit
+ validationFailureAction: {{ .Values.validationFailureAction }}
 rules:
 - name: deny-privilege-escalation
 match:
diff --git a/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml b/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml
index f7c53bf607..572f33b430 100644
--- a/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml
+++ b/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml
@@ -9,7 +9,7 @@ metadata:
 Containers should be forbidden from running with a root primary or supplementary GID.
 spec:
 background: true
- validationFailureAction: audit
+ validationFailureAction: {{ .Values.validationFailureAction }}
 rules:
 - name: check-runasgroup
 match:
diff --git a/charts/kyverno/templates/policies/restricted/require-run-as-nonroot.yaml b/charts/kyverno/templates/policies/restricted/require-run-as-nonroot.yaml
index 21b870cdec..cd84fc7cf4 100644
--- a/charts/kyverno/templates/policies/restricted/require-run-as-nonroot.yaml
+++ b/charts/kyverno/templates/policies/restricted/require-run-as-nonroot.yaml
@@ -8,7 +8,7 @@ metadata:
 policies.kyverno.io/description: Containers must be required to run as non-root users.
 spec:
 background: true
- validationFailureAction: audit
+ validationFailureAction: {{ .Values.validationFailureAction }}
 rules:
 - name: check-containers
 match:
diff --git a/charts/kyverno/templates/policies/restricted/restrict-seccomp.yaml b/charts/kyverno/templates/policies/restricted/restrict-seccomp.yaml
index 9af9849bd9..513d382d96 100644
--- a/charts/kyverno/templates/policies/restricted/restrict-seccomp.yaml
+++ b/charts/kyverno/templates/policies/restricted/restrict-seccomp.yaml
@@ -11,7 +11,7 @@ metadata:
 additional profiles should be allowed.
 spec:
 background: true
- validationFailureAction: audit
+ validationFailureAction: {{ .Values.validationFailureAction }}
 rules:
 - name: seccomp
 match:
diff --git a/charts/kyverno/templates/policies/restricted/restrict-volume-types.yaml b/charts/kyverno/templates/policies/restricted/restrict-volume-types.yaml
index 2c6b80d74e..a5d64421ac 100644
--- a/charts/kyverno/templates/policies/restricted/restrict-volume-types.yaml
+++ b/charts/kyverno/templates/policies/restricted/restrict-volume-types.yaml
@@ -10,7 +10,7 @@ metadata:
 limits usage of non-core volume types to those defined through PersistentVolumes.
 spec:
 background: true
- validationFailureAction: audit
+ validationFailureAction: {{ .Values.validationFailureAction }}
 rules:
 - name: restricted-vol-gcePersistentDisk
 match:
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index a3a3b8f13e..34bbca4132 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -4,6 +4,9 @@ namespace:
 # Supported- default/restricted/privileged
 # For more info- https://kyverno.io/policies/pod-security
 podSecurityStandard: default
+# Supported values- `audit`, `enforce`
+# For more info- https://kyverno.io/docs/writing-policies/validate/
+validationFailureAction: audit
 rbac:
 create: true
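Review bot: The two added comment lines above `validationFailureAction: audit` name the accepted values but not their effect, and `enforce` is the consequential one: every policy in this commit is rendered with the same action, so switching an existing cluster straight to `enforce` turns fourteen audit-only checks into admission rejections at once and can block workloads that `audit` merely reported. A comment such as `# audit: record violations in policy reports only; enforce: reject non-compliant resources at admission (review the audit reports before switching)` would make that visible where the value is set. It would also help to state next to `podSecurityStandard` that, as far as the templates in this commit show, `privileged` renders no policies at all.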