From bb3e7d9ddc1c08a11045eff9c4e9aad4983d5985 Mon Sep 17 00:00:00 2001 From: Matthias Weilinger Date: Mon, 2 Dec 2024 04:50:26 +0100 Subject: [PATCH] add allowExistingViolations option in policy chart (#11656) Until now it was not possible to set allowExistingViolations for the predefined policies in the policies chart. By default it should be set to `true`, identical to how it is set up in the CRDs. Not only does this now allow users to set the config according to their needs, but it also solves a problem with ArgoCD: as the CRDs set it to true but the template does not explicitly declare the field, ArgoCD falls into a constant sync loop trying to remove the field. Signed-off-by: ProbstenHias Co-authored-by: Vishal Choudhary --- charts/kyverno-policies/README.md | 1 + .../templates/baseline/disallow-capabilities.yaml | 1 + .../templates/baseline/disallow-host-namespaces.yaml | 1 + .../templates/baseline/disallow-host-path.yaml | 1 + .../templates/baseline/disallow-host-ports.yaml | 1 + .../templates/baseline/disallow-host-process.yaml | 1 + .../templates/baseline/disallow-privileged-containers.yaml | 1 + .../templates/baseline/disallow-proc-mount.yaml | 1 + .../kyverno-policies/templates/baseline/disallow-selinux.yaml | 2 ++ .../templates/baseline/restrict-apparmor-profiles.yaml | 1 + .../kyverno-policies/templates/baseline/restrict-seccomp.yaml | 1 + .../kyverno-policies/templates/baseline/restrict-sysctls.yaml | 1 + .../templates/other/require-non-root-groups.yaml | 3 +++ .../templates/restricted/disallow-capabilities-strict.yaml | 2 ++ .../templates/restricted/disallow-privilege-escalation.yaml | 1 + .../templates/restricted/require-run-as-non-root-user.yaml | 1 + .../templates/restricted/require-run-as-nonroot.yaml | 1 + .../templates/restricted/restrict-seccomp-strict.yaml | 1 + .../templates/restricted/restrict-volume-types.yaml | 1 + charts/kyverno-policies/values.yaml | 4 ++++ 20 files changed, 27 insertions(+)
diff --git a/charts/kyverno-policies/README.md b/charts/kyverno-policies/README.md index 313e0da5c1..f002891a3b 100644 --- a/charts/kyverno-policies/README.md +++ b/charts/kyverno-policies/README.md @@ -84,6 +84,7 @@ The command removes all the Kubernetes components associated with the chart and | validationFailureAction | string | `"Audit"` | Validation failure action (`Audit`, `Enforce`). For more info https://kyverno.io/docs/writing-policies/validate. | | validationFailureActionByPolicy | object | `{}` | Define validationFailureActionByPolicy for specific policies. Override the defined `validationFailureAction` with a individual validationFailureAction for individual Policies. | | validationFailureActionOverrides | object | `{"all":[]}` | Define validationFailureActionOverrides for specific policies. The overrides for `all` will apply to all policies. | +| validationAllowExistingViolations | bool | `true` | Validate already existing resources. For more info https://kyverno.io/docs/writing-policies/validate. | | policyExclude | object | `{}` | Exclude resources from individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. | | policyPreconditions | object | `{}` | Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map. | | autogenControllers | string | `""` | Customize the target Pod controllers for the auto-generated rules. (Eg. `none`, `Deployment`, `DaemonSet,Deployment,StatefulSet`) For more info https://kyverno.io/docs/writing-policies/autogen/. | diff --git a/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml b/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml index e6b2c53239..505517c2a9 100644 --- a/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml 
+++ b/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml @@ -68,6 +68,7 @@ spec: {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} failureActionOverrides: {{ toYaml . | nindent 8 }} {{- end }} + allowExistingViolations: {{ .Values.validationAllowExistingViolations }} message: >- Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml index da0bb51a1d..972df72b4e 100644 --- a/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml +++ b/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml @@ -52,6 +52,7 @@ spec: {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} failureActionOverrides: {{ toYaml . | nindent 8 }} {{- end }} + allowExistingViolations: {{ .Values.validationAllowExistingViolations }} message: >- Sharing the host namespaces is disallowed. The fields spec.hostNetwork, spec.hostIPC, and spec.hostPID must be unset or set to `false`. diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml index e670fd2461..a62c7fadb4 100644 --- a/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml +++ b/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml 
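Review bot: The added `allowExistingViolations: {{ .Values.validationAllowExistingViolations }}` line is rendered unconditionally with no type check, so a values override of `null` or an empty string renders `allowExistingViolations:` (a YAML null), which the ClusterPolicy CRD will presumably reject since the field is a boolean, and the commit's own ArgoCD motivation depends on the rendered value always being a concrete bool. A render-time guard placed just before the line, `{{- if not (kindIs "bool" .Values.validationAllowExistingViolations) }}{{ fail "validationAllowExistingViolations must be a boolean" }}{{- end }}`, would surface the mistake at `helm template` time rather than at admission. Unlike `failureAction`, which these same rules let operators tune per policy through `validationFailureActionByPolicy` and `validationFailureActionOverrides`, this value has no per-policy override, so a single rule cannot be tightened to `false` while the rest keep the CRD default; if that asymmetry is intentional it is worth stating in the values.yaml comment. The identical line is added in every other template hunk of this patch (disallow-host-namespaces through restrict-volume-types, including the second rules in disallow-selinux, require-non-root-groups and disallow-capabilities-strict), so the same guard applies there. The enclosing rule block starts outside the hunk.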
@@ -51,6 +51,7 @@ spec: {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} failureActionOverrides: {{ toYaml . | nindent 8 }} {{- end }} + allowExistingViolations: {{ .Values.validationAllowExistingViolations }} message: >- HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset. pattern: diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml index 203fe67dcd..44a9c6c817 100644 --- a/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml +++ b/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml @@ -51,6 +51,7 @@ spec: {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} failureActionOverrides: {{ toYaml . | nindent 8 }} {{- end }} + allowExistingViolations: {{ .Values.validationAllowExistingViolations }} message: >- Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort , spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml index 2d845acbef..3625ec66d4 100644 --- a/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml +++ b/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml 
@@ -52,6 +52,7 @@ spec: {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} failureActionOverrides: {{ toYaml . | nindent 8 }} {{- end }} + allowExistingViolations: {{ .Values.validationAllowExistingViolations }} message: >- HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess, spec.containers[*].securityContext.windowsOptions.hostProcess, spec.initContainers[*].securityContext.windowsOptions.hostProcess, diff --git a/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml b/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml index 4a96d0f3d7..2de16774a8 100644 --- a/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml +++ b/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml @@ -50,6 +50,7 @@ spec: {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} failureActionOverrides: {{ toYaml . | nindent 8 }} {{- end }} + allowExistingViolations: {{ .Values.validationAllowExistingViolations }} message: >- Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged and spec.initContainers[*].securityContext.privileged must be unset or set to `false`. diff --git a/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml b/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml index ada3a6f29a..181f4677b6 100644 --- a/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml +++ b/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml 
@@ -52,6 +52,7 @@ spec: {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} failureActionOverrides: {{ toYaml . | nindent 8 }} {{- end }} + allowExistingViolations: {{ .Values.validationAllowExistingViolations }} message: >- Changing the proc mount from the default is not allowed. The fields spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount, diff --git a/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml b/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml index 1a5d10c5b7..7378998a86 100644 --- a/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml +++ b/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml @@ -50,6 +50,7 @@ spec: {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} failureActionOverrides: {{ toYaml . | nindent 8 }} {{- end }} + allowExistingViolations: {{ .Values.validationAllowExistingViolations }} message: >- Setting the SELinux type is restricted. The fields spec.securityContext.seLinuxOptions.type, spec.containers[*].securityContext.seLinuxOptions.type, @@ -98,6 +99,7 @@ spec: {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} failureActionOverrides: {{ toYaml . | nindent 8 }} {{- end }} + allowExistingViolations: {{ .Values.validationAllowExistingViolations }} message: >- Setting the SELinux user or role is forbidden. The fields spec.securityContext.seLinuxOptions.user, spec.securityContext.seLinuxOptions.role, diff --git a/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml b/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml index 39540da08d..4aa1034216 100644 
--- a/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml +++ b/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml @@ -53,6 +53,7 @@ spec: {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} failureActionOverrides: {{ toYaml . | nindent 8 }} {{- end }} + allowExistingViolations: {{ .Values.validationAllowExistingViolations }} message: >- Specifying other AppArmor profiles is disallowed. The annotation `container.apparmor.security.beta.kubernetes.io` if defined diff --git a/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml b/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml index 2f3a501018..4cb3f48fdf 100644 --- a/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml +++ b/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml @@ -51,6 +51,7 @@ spec: {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} failureActionOverrides: {{ toYaml . | nindent 8 }} {{- end }} + allowExistingViolations: {{ .Values.validationAllowExistingViolations }} message: >- Use of custom Seccomp profiles is disallowed. The fields spec.securityContext.seccompProfile.type, diff --git a/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml b/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml index 70694def34..a269ddbd8a 100644 --- a/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml +++ b/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml 
@@ -54,6 +54,7 @@ spec: {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} failureActionOverrides: {{ toYaml . | nindent 8 }} {{- end }} + allowExistingViolations: {{ .Values.validationAllowExistingViolations }} message: >- Setting additional sysctls above the allowed type is disallowed. The field spec.securityContext.sysctls must be unset or not use any other names diff --git a/charts/kyverno-policies/templates/other/require-non-root-groups.yaml b/charts/kyverno-policies/templates/other/require-non-root-groups.yaml index afaea52269..77e7324f6f 100644 --- a/charts/kyverno-policies/templates/other/require-non-root-groups.yaml +++ b/charts/kyverno-policies/templates/other/require-non-root-groups.yaml @@ -52,6 +52,7 @@ spec: {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} failureActionOverrides: {{ toYaml . | nindent 8 }} {{- end }} + allowExistingViolations: {{ .Values.validationAllowExistingViolations }} message: >- Running with root group IDs is disallowed. The fields spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup, @@ -107,6 +108,7 @@ spec: {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} failureActionOverrides: {{ toYaml . | nindent 8 }} {{- end }} + allowExistingViolations: {{ .Values.validationAllowExistingViolations }} message: >- Containers cannot run with a root primary or supplementary GID. The field spec.securityContext.supplementalGroups must be unset or 
@@ -137,6 +139,7 @@ spec: {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} failureActionOverrides: {{ toYaml . | nindent 8 }} {{- end }} + allowExistingViolations: {{ .Values.validationAllowExistingViolations }} message: >- Containers cannot run with a root primary or supplementary GID. The field spec.securityContext.fsGroup must be unset or set to a value greater than zero. diff --git a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml index e1667d408e..a26cc8649a 100644 --- a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml +++ b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml @@ -69,6 +69,7 @@ spec: {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} failureActionOverrides: {{ toYaml . | nindent 8 }} {{- end }} + allowExistingViolations: {{ .Values.validationAllowExistingViolations }} message: >- Containers must drop `ALL` capabilities. foreach: @@ -122,6 +123,7 @@ spec: {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} failureActionOverrides: {{ toYaml . | nindent 8 }} {{- end }} + allowExistingViolations: {{ .Values.validationAllowExistingViolations }} message: >- Any capabilities added other than NET_BIND_SERVICE are disallowed. foreach: diff --git a/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml b/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml index 4e57bfbb85..6c89d28dc7 100644 --- a/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml 
+++ b/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml @@ -50,6 +50,7 @@ spec: {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} failureActionOverrides: {{ toYaml . | nindent 8 }} {{- end }} + allowExistingViolations: {{ .Values.validationAllowExistingViolations }} message: >- Privilege escalation is disallowed. The fields spec.containers[*].securityContext.allowPrivilegeEscalation, diff --git a/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml b/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml index 3e4719cf14..b116bd6897 100644 --- a/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml +++ b/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml @@ -50,6 +50,7 @@ spec: {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} failureActionOverrides: {{ toYaml . | nindent 8 }} {{- end }} + allowExistingViolations: {{ .Values.validationAllowExistingViolations }} message: >- Running as root is not allowed. The fields spec.securityContext.runAsUser, spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser, diff --git a/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml b/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml index 545cfbc831..50b1fe9019 100644 --- a/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml +++ b/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml 
@@ -51,6 +51,7 @@ spec: {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} failureActionOverrides: {{ toYaml . | nindent 8 }} {{- end }} + allowExistingViolations: {{ .Values.validationAllowExistingViolations }} message: >- Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, diff --git a/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml b/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml index 5e27e293a4..149f5cad73 100644 --- a/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml +++ b/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml @@ -53,6 +53,7 @@ spec: {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} failureActionOverrides: {{ toYaml . | nindent 8 }} {{- end }} + allowExistingViolations: {{ .Values.validationAllowExistingViolations }} message: >- Use of custom Seccomp profiles is disallowed. The fields spec.securityContext.seccompProfile.type, diff --git a/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml b/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml index d5f524ee32..d511312114 100644 --- a/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml +++ b/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml 
@@ -70,6 +70,7 @@ spec: {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} failureActionOverrides: {{ toYaml . | nindent 8 }} {{- end }} + allowExistingViolations: {{ .Values.validationAllowExistingViolations }} message: >- Only the following types of volumes may be used: configMap, csi, downwardAPI, emptyDir, ephemeral, persistentVolumeClaim, projected, and secret. diff --git a/charts/kyverno-policies/values.yaml b/charts/kyverno-policies/values.yaml index 47b548aafd..a0e15c6ed9 100644 --- a/charts/kyverno-policies/values.yaml +++ b/charts/kyverno-policies/values.yaml @@ -55,6 +55,10 @@ validationFailureActionOverrides: # namespaces: # - fluent +# -- Validate already existing resources. +# For more info https://kyverno.io/docs/writing-policies/validate. +validationAllowExistingViolations: true + # -- Exclude resources from individual policies. # Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. policyExclude: {}
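Review bot: The comment `# -- Validate already existing resources.` on the new `validationAllowExistingViolations` key does not describe what the field does, and it is copied verbatim into the README table: as I read the Kyverno field, `allowExistingViolations` governs whether an update to a resource that already violates a rule is still admitted, not whether existing resources get validated. Suggest replacing the first comment line with `# -- Allow resources that already violate a rule to keep violating it on update (Kyverno CRD default). Set to false to also block updates to pre-existing violating resources.`. Keeping the default at `true` matches the CRD and should change no enforcement behaviour for existing installs, whereas `false` tightens enforcement for every policy in the chart at once, since the templates provide no per-policy override for this value.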