diff --git a/security/kyverno-policies/allow-capabilities-for-litmus-experiments-which-uses-runtime-api.yaml b/security/kyverno-policies/allow-capabilities-for-litmus-experiments-which-uses-runtime-api.yaml
new file mode 100644
index 0000000..16e3495
--- /dev/null
+++ b/security/kyverno-policies/allow-capabilities-for-litmus-experiments-which-uses-runtime-api.yaml
@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: allow-add-capabilities
+ annotations:
+ policies.kyverno.io/category: Pod Security Standards
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ Provides a list of capabilities that are allowed to be added to a container.
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: capabilities
+ match:
+ resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ # applicable for experiments which uses container runtime apis
+ app.kubernetes.io/runtime-api-usage: "true"
+ validate:
+ message: >-
+ The provided capabilities are not allowed at securityContext.capabilities.add
+ pattern:
+ spec:
+ containers:
+ - =(securityContext):
+ =(capabilities):
+ # allow only NET_ADMIN and SYS_ADMIN capabilities
+ =(add):
+ - "NET_ADMIN | SYS_ADMIN"
diff --git a/security/kyverno-policies/allow-host-namespaces-for-litmus-experiments-which-uses-runtime-api.yaml b/security/kyverno-policies/allow-host-namespaces-for-litmus-experiments-which-uses-runtime-api.yaml
new file mode 100644
index 0000000..af752a8
--- /dev/null
+++ b/security/kyverno-policies/allow-host-namespaces-for-litmus-experiments-which-uses-runtime-api.yaml
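Review bot: The capabilities allowlist is applied only under `spec.containers`, so an `initContainers` entry on a labelled pod can add any capability (for example `SYS_MODULE`) and still pass; the same `containers`-only pattern is used in allow-privilege-escalation and allow-privileged-containers. The `=()` anchors make every level optional, which is right for an allowlist, but the list of container slots is not optional: add a parallel `=(initContainers)` block with the same pattern, and consider `ephemeralContainers` too — those arrive through a pod subresource, so whether this Pod-kind match sees them depends on the Kyverno version in use and should be verified. Putting the allowed set in one place (a comment above `pattern`) would also keep the three policies from drifting when the list changes.
```yaml
      pattern:
        spec:
          # … unchanged: containers block …
          =(initContainers):
            - =(securityContext):
                =(capabilities):
                  =(add):
                    - "NET_ADMIN | SYS_ADMIN"
```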
@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: allow-host-namespaces
+ annotations:
+ policies.kyverno.io/category: Pod Security Standards
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
+ network namespace) allow access to shared information and can be used to elevate
+ privileges. Pods should allowed access to host namespaces.
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: host-namespaces
+ match:
+ resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ # applicable for experiments which usage container runtime apis
+ app.kubernetes.io/runtime-api-usage: "true"
+ validate:
+ message: >-
+ The spec.hostNetwork should be false, spec.hostIPC should be false, and spec.hostPID should be true.
+ pattern:
+ spec:
+ =(hostPID): "true"
+ =(hostIPC): "false"
+ =(hostNetwork): "false"
+ 
\ No newline at end of file
diff --git a/security/kyverno-policies/allow-host-paths-for-litmus-experiments-which-uses-hostPaths.yaml b/security/kyverno-policies/allow-host-paths-for-litmus-experiments-which-uses-hostPaths.yaml
new file mode 100644
index 0000000..8b70685
--- /dev/null
+++ b/security/kyverno-policies/allow-host-paths-for-litmus-experiments-which-uses-hostPaths.yaml
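Review bot: `=(hostPID): "true"` pins the field to the permissive value, so a labelled pod that explicitly sets `hostPID: false` is reported in audit mode and rejected once the kustomization flips these policies to enforce — the stricter setting fails the check. Kyverno's equality anchor means "if present, must equal this", so it cannot express "may be true"; the same construction appears in allow-privilege-escalation (`=(allowPrivilegeEscalation): true`) and allow-privileged-containers (`=(privileged): true`), where an explicit `false` is likewise rejected. Either drop the `hostPID` line so only `=(hostIPC): false` and `=(hostNetwork): false` are asserted, or use the alternation form this commit already uses for paths and capabilities, `=(hostPID): "true | false"`, after confirming the pinned Kyverno version matches string alternations against boolean fields. The booleans are also quoted here but bare in the two sibling policies; pick one form.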
@@ -0,0 +1,71 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: allow-host-path
+ annotations:
+ policies.kyverno.io/category: Pod Security Standards
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ HostPath volumes let Pods use host directories and volumes in containers.
+ Using host resources can be used to access shared data or escalate privileges
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: check socket host-path
+ match:
+ resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ # applicable for experiments which usage container runtime apis
+ app.kubernetes.io/runtime-api-usage: "true"
+ validate:
+ message: >-
+ Hostpath is restricted to use only specific path. It can be set at spec.volumes[*].hostPath.
+ pattern:
+ spec:
+ =(volumes):
+ # substitutes this path with an appropriate socket path
+ # ex: '/var/run/docker.sock', '/run/containerd/containerd.sock', '/run/crio/crio.sock'
+ - =(hostPath):
+ path: "/var/run/docker.sock"
+ - name: check container host-path
+ match:
+ resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ # applicable for experiments which needs container path
+ app.kubernetes.io/host-path-usage: "true"
+ validate:
+ message: >-
+ Hostpath is restricted to use only specific path. It can be set at spec.volumes[*].hostPath.
+ pattern:
+ spec:
+ =(volumes):
+ # substitutes this path with an appropriate container path
+ # ex: '/var/lib/docker/containers', '/var/lib/containerd/io.containerd.runtime.v1.linux/k8s.io', '/var/lib/containers/storage/overlay/'
+ - =(hostPath):
+ path: "/var/lib/docker/containers"
+ - name: check service-kill host-path
+ match:
+ resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ # applicable for service-kill experiments
+ app.kubernetes.io/service-kill: "true"
+ validate:
+ message: >-
+ Hostpath is restricted to use only specific path. It can be set at spec.volumes[*].hostPath.
+ pattern:
+ spec:
+ =(volumes):
+ - =(hostPath):
+ path: "/ | /var/run"
+ 
\ No newline at end of file
diff --git a/security/kyverno-policies/allow-privilege-escalation-for-litmus-experiments-which-uses-runtime-api.yaml b/security/kyverno-policies/allow-privilege-escalation-for-litmus-experiments-which-uses-runtime-api.yaml
new file mode 100644
index 0000000..feed615
--- /dev/null
+++ b/security/kyverno-policies/allow-privilege-escalation-for-litmus-experiments-which-uses-runtime-api.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: allow-privileged-escalation
+ annotations:
+ policies.kyverno.io/category: Pod Security Standards
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ Privilege escalation, such as via set-user-ID or set-group-ID file mode, should be allowed.
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: priviledged-escalation
+ match:
+ resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ # applicable for experiments which usage container runtime apis
+ app.kubernetes.io/runtime-api-usage: "true"
+ validate:
+ message: >-
+ allowPrivilegeEscalation should be set to true. It can be defined at spec.containers[*].securityContext.allowPrivilegeEscalation
+ pattern:
+ spec:
+ containers:
+ - =(securityContext):
+ =(allowPrivilegeEscalation): true
\ No newline at end of file
diff --git a/security/kyverno-policies/allow-privileged-containers-for-litmus-experiments-which-uses-runtime-api.yaml b/security/kyverno-policies/allow-privileged-containers-for-litmus-experiments-which-uses-runtime-api.yaml
new file mode 100644
index 0000000..6b18596
--- /dev/null
+++ b/security/kyverno-policies/allow-privileged-containers-for-litmus-experiments-which-uses-runtime-api.yaml
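Review bot: The service-kill rule accepts `hostPath.path: "/ | /var/run"`, and `/` is the whole node filesystem; nothing in this pattern constrains `hostPath.type` or `readOnly` on the matching `volumeMounts`, so under enforce a pod carrying that label may obtain a writable mount of the host root. If the experiment genuinely needs `/`, record why in a comment beside the path and consider pairing the rule with a pattern on `containers[*].volumeMounts[*]` requiring `=(readOnly): true` for these pods, or narrow the path the way the other two rules do. The two comments telling the operator to "substitute this path" describe a manual edit, so it is worth stating in a comment at the top of the file that the shipped defaults are Docker-specific and the containerd/CRI-O alternatives listed in the examples must replace them on those runtimes. All three rules also share an identical `message`, so audit reports cannot tell which allowlist was violated; name the label or path in each, e.g. `hostPath for service-kill experiments must be / or /var/run`.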
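Review bot: The rule name `priviledged-escalation` (and `priviledged-containers` in allow-privileged-containers) misspells "privileged"; rule names surface in PolicyReport results and admission-denial messages, so correct them before operators start grepping for them: `- name: privileged-escalation`. The `metadata.name` `allow-privileged-escalation` also differs from the file and kustomization entry `allow-privilege-escalation`; aligning them keeps `kubectl get policy` output matching the repository layout. The description reads "should be allowed", yet a validate rule can only assert, not grant; a short comment above `pattern` stating that this rule is meant to be paired with a baseline policy that excludes labelled pods would make the intent clear to the next maintainer — assuming that pairing exists, which this commit does not show.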
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: allow-privileged-containers
+ annotations:
+ policies.kyverno.io/category: Pod Security Standards
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ Privileged policies only allow the litmus containers to use privileged mode.
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: priviledged-containers
+ match:
+ resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ # applicable for experiments which usage container runtime apis
+ app.kubernetes.io/runtime-api-usage: "true"
+ validate:
+ message: >-
+ It should be run in privileged mode. It can be defined at spec.containers[*].securityContext.privileged.
+ pattern:
+ spec:
+ containers:
+ - =(securityContext):
+ =(privileged): true
\ No newline at end of file
diff --git a/security/kyverno-policies/allow-user-groups-for-litmus-experiments.yaml b/security/kyverno-policies/allow-user-groups-for-litmus-experiments.yaml
new file mode 100644
index 0000000..a248e34
--- /dev/null
+++ b/security/kyverno-policies/allow-user-groups-for-litmus-experiments.yaml
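Review bot: The description says only "the litmus containers" may run privileged, but the match is a plain label, `app.kubernetes.io/runtime-api-usage: "true"`, which any author who can create pods in the namespace can set; the same selector scopes the capabilities, host-namespace, host-path and privilege-escalation policies. If these "allow" policies are deployed alongside a restrictive baseline that excludes the same label, the label becomes an opt-out from the baseline rather than an identity check. Tighten the match to what actually identifies a litmus experiment — the namespace, the `serviceAccountName`, or the controller that creates the job — or document in a comment above `match` that label-based scoping is relied on and why that is acceptable in this deployment.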
@@ -0,0 +1,63 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: require-user-groups
+ annotations:
+ policies.kyverno.io/category: Pod Security Standards
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ Containers should allow to run with a root primary or supplementary GID.
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: allow users
+ match:
+ resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: experiment-job
+ validate:
+ message: >-
+ Running the user IDs are allowed.
+ pattern:
+ spec:
+ =(securityContext):
+ =(runAsUser): '>=0'
+ containers:
+ - =(securityContext):
+ =(runAsUser): ">=0"
+ - name: allow supplementary groups
+ match:
+ resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: experiment-job
+ validate:
+ message: >-
+ Adding of supplemental group IDs is allowed.
+ pattern:
+ spec:
+ =(securityContext):
+ =(supplementalGroups):
+ - ">=0"
+ - name: allow gs groups
+ match:
+ resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: experiment-job
+ validate:
+ message: >-
+ Changing to root group ID is allowed.
+ pattern:
+ spec:
+ =(securityContext):
+ =(fsGroup): ">=0"
\ No newline at end of file
diff --git a/security/kyverno-policies/kustomization.yaml b/security/kyverno-policies/kustomization.yaml
new file mode 100644
index 0000000..cf8cb17
--- /dev/null
+++ b/security/kyverno-policies/kustomization.yaml
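Review bot: Every value checked here is `'>=0'` behind an optional `=()` anchor, and Kubernetes already rejects negative `runAsUser`, `fsGroup` and `supplementalGroups`, so none of the three rules can ever fail — the policy produces no audit signal and no enforcement. If the intent is simply to permit any UID/GID for experiment jobs, the policy is a no-op and can be dropped; if the intent is to require these fields to be set explicitly, remove the `=()` anchors on the leaf keys (`runAsUser: ">=0"`) so absence is reported. Separately, `metadata.name` is `require-user-groups` while the file and its description say "allow", the rule name `allow gs groups` looks like a typo for `fs groups`, and the first rule mixes `'>=0'` and `">=0"`; one spelling and one quoting style would help.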
@@ -0,0 +1,14 @@
+resources:
+ - allow-capabilities-for-litmus-experiments-which-uses-runtime-api.yaml
+ - allow-host-namespaces-for-litmus-experiments-which-uses-runtime-api.yaml
+ - allow-privileged-containers-for-litmus-experiments-which-uses-runtime-api.yaml
+ - allow-privilege-escalation-for-litmus-experiments-which-uses-runtime-api.yaml
+ - allow-host-paths-for-litmus-experiments-which-uses-hostPaths.yaml
+ - allow-user-groups-for-litmus-experiments.yaml
+patches:
+ - patch: |-
+ - op: replace
+ path: /spec/validationFailureAction
+ value: enforce
+ target:
+ kind: Policy
diff --git a/pod-security-policy/psp-litmus.yaml b/security/pod-security-policy/psp-litmus.yaml
similarity index 100%
rename from pod-security-policy/psp-litmus.yaml
rename to security/pod-security-policy/psp-litmus.yaml
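Review bot: The patch flips every `kind: Policy` to `enforce`, but all six resources are namespaced `Policy` objects, so they only govern pods in whichever namespace this kustomization is applied to; experiments scheduled elsewhere are neither audited nor enforced. State the intended target namespace in a comment at the top of the file (or set `namespace:` in the kustomization) so the scope is explicit, and note that a `ClusterPolicy` would be the alternative if experiments span namespaces. The file also omits the conventional `apiVersion: kustomize.config.k8s.io/v1beta1` / `kind: Kustomization` header; adding it avoids relying on kustomize's defaulting.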