ivanch/litmus-hub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore(kyverno): Adding kyverno pod security policies for litmus pods (#504)

Browse Source 
* chore(kyverno): Adding security policies

Signed-off-by: shubham chaudhary <shubham@chaosnative.com>

* chore(kyverno): updating policies

Signed-off-by: shubham chaudhary <shubham@chaosnative.com>

* chore(kyverno): updating policies

Signed-off-by: shubham chaudhary <shubham@chaosnative.com>

* chore(kyverno): changed the file names

Signed-off-by: shubham chaudhary <shubham@chaosnative.com>
This commit is contained in:
Shubham Chaudhary
2021-10-13 16:00:11 +05:30
committed by GitHub
parent aff27bc0ee
commit 14c472265f
8 changed files with 278 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
security/kyverno-policies/allow-capabilities-for-litmus-experiments-which-uses-runtime-api.yaml Normal file
View File

@@ -0,0 +1,34 @@
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: allow-add-capabilities
annotations:
policies.kyverno.io/category: Pod Security Standards
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Provides a list of capabilities that are allowed to be added to a container.
spec:
validationFailureAction: audit
background: true
rules:
- name: capabilities
match:
resources:
kinds:
- Pod
selector:
matchLabels:
# applicable for experiments which uses container runtime apis
app.kubernetes.io/runtime-api-usage: "true"
validate:
message: >-
The provided capabilities are not allowed at securityContext.capabilities.add
pattern:
spec:
containers:
- =(securityContext):
=(capabilities):
# allow only NET_ADMIN and SYS_ADMIN capabilities
=(add):
- "NET_ADMIN | SYS_ADMIN"

34
security/kyverno-policies/allow-host-namespaces-for-litmus-experiments-which-uses-runtime-api.yaml Normal file
View File

@@ -0,0 +1,34 @@
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: allow-host-namespaces
annotations:
policies.kyverno.io/category: Pod Security Standards
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
network namespace) allow access to shared information and can be used to elevate
privileges. Pods should allowed access to host namespaces.
spec:
validationFailureAction: audit
background: true
rules:
- name: host-namespaces
match:
resources:
kinds:
- Pod
selector:
matchLabels:
# applicable for experiments which usage container runtime apis
app.kubernetes.io/runtime-api-usage: "true"
validate:
message: >-
The spec.hostNetwork should be false, spec.hostIPC should be false, and spec.hostPID should be true.
pattern:
spec:
=(hostPID): "true"
=(hostIPC): "false"
=(hostNetwork): "false"

71
security/kyverno-policies/allow-host-paths-for-litmus-experiments-which-uses-hostPaths.yaml Normal file
View File

@@ -0,0 +1,71 @@
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: allow-host-path
annotations:
policies.kyverno.io/category: Pod Security Standards
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
HostPath volumes let Pods use host directories and volumes in containers.
Using host resources can be used to access shared data or escalate privileges
spec:
validationFailureAction: audit
background: true
rules:
- name: check socket host-path
match:
resources:
kinds:
- Pod
selector:
matchLabels:
# applicable for experiments which usage container runtime apis
app.kubernetes.io/runtime-api-usage: "true"
validate:
message: >-
Hostpath is restricted to use only specific path. It can be set at spec.volumes[*].hostPath.
pattern:
spec:
=(volumes):
# substitutes this path with an appropriate socket path
# ex: '/var/run/docker.sock', '/run/containerd/containerd.sock', '/run/crio/crio.sock'
- =(hostPath):
path: "/var/run/docker.sock"
- name: check container host-path
match:
resources:
kinds:
- Pod
selector:
matchLabels:
# applicable for experiments which needs container path
app.kubernetes.io/host-path-usage: "true"
validate:
message: >-
Hostpath is restricted to use only specific path. It can be set at spec.volumes[*].hostPath.
pattern:
spec:
=(volumes):
# substitutes this path with an appropriate container path
# ex: '/var/lib/docker/containers', '/var/lib/containerd/io.containerd.runtime.v1.linux/k8s.io', '/var/lib/containers/storage/overlay/'
- =(hostPath):
path: "/var/lib/docker/containers"
- name: check service-kill host-path
match:
resources:
kinds:
- Pod
selector:
matchLabels:
# applicable for service-kill experiments
app.kubernetes.io/service-kill: "true"
validate:
message: >-
Hostpath is restricted to use only specific path. It can be set at spec.volumes[*].hostPath.
pattern:
spec:
=(volumes):
- =(hostPath):
path: "/ | /var/run"

31
security/kyverno-policies/allow-privilege-escalation-for-litmus-experiments-which-uses-runtime-api.yaml Normal file
View File

@@ -0,0 +1,31 @@
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: allow-privileged-escalation
annotations:
policies.kyverno.io/category: Pod Security Standards
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Privilege escalation, such as via set-user-ID or set-group-ID file mode, should be allowed.
spec:
validationFailureAction: audit
background: true
rules:
- name: priviledged-escalation
match:
resources:
kinds:
- Pod
selector:
matchLabels:
# applicable for experiments which usage container runtime apis
app.kubernetes.io/runtime-api-usage: "true"
validate:
message: >-
allowPrivilegeEscalation should be set to true. It can be defined at spec.containers[*].securityContext.allowPrivilegeEscalation
pattern:
spec:
containers:
- =(securityContext):
=(allowPrivilegeEscalation): true

31
security/kyverno-policies/allow-privileged-containers-for-litmus-experiments-which-uses-runtime-api.yaml Normal file
View File

@@ -0,0 +1,31 @@
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: allow-privileged-containers
annotations:
policies.kyverno.io/category: Pod Security Standards
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Privileged policies only allow the litmus containers to use privileged mode.
spec:
validationFailureAction: audit
background: true
rules:
- name: priviledged-containers
match:
resources:
kinds:
- Pod
selector:
matchLabels:
# applicable for experiments which usage container runtime apis
app.kubernetes.io/runtime-api-usage: "true"
validate:
message: >-
It should be run in privileged mode. It can be defined at spec.containers[*].securityContext.privileged.
pattern:
spec:
containers:
- =(securityContext):
=(privileged): true

63
security/kyverno-policies/allow-user-groups-for-litmus-experiments.yaml Normal file
View File

@@ -0,0 +1,63 @@
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: require-user-groups
annotations:
policies.kyverno.io/category: Pod Security Standards
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Containers should allow to run with a root primary or supplementary GID.
spec:
validationFailureAction: audit
background: true
rules:
- name: allow users
match:
resources:
kinds:
- Pod
selector:
matchLabels:
app.kubernetes.io/component: experiment-job
validate:
message: >-
Running the user IDs are allowed.
pattern:
spec:
=(securityContext):
=(runAsUser): '>=0'
containers:
- =(securityContext):
=(runAsUser): ">=0"
- name: allow supplementary groups
match:
resources:
kinds:
- Pod
selector:
matchLabels:
app.kubernetes.io/component: experiment-job
validate:
message: >-
Adding of supplemental group IDs is allowed.
pattern:
spec:
=(securityContext):
=(supplementalGroups):
- ">=0"
- name: allow gs groups
match:
resources:
kinds:
- Pod
selector:
matchLabels:
app.kubernetes.io/component: experiment-job
validate:
message: >-
Changing to root group ID is allowed.
pattern:
spec:
=(securityContext):
=(fsGroup): ">=0"

14
security/kyverno-policies/kustomization.yaml Normal file
View File

@@ -0,0 +1,14 @@
resources:
- allow-capabilities-for-litmus-experiments-which-uses-runtime-api.yaml
- allow-host-namespaces-for-litmus-experiments-which-uses-runtime-api.yaml
- allow-privileged-containers-for-litmus-experiments-which-uses-runtime-api.yaml
- allow-privilege-escalation-for-litmus-experiments-which-uses-runtime-api.yaml
- allow-host-paths-for-litmus-experiments-which-uses-hostPaths.yaml
- allow-user-groups-for-litmus-experiments.yaml
patches:
- patch: |-
- op: replace
path: /spec/validationFailureAction
value: enforce
target:
kind: Policy

48
security/pod-security-policy/psp-litmus.yaml Normal file
View File

@@ -0,0 +1,48 @@
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: litmus
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
privileged: true
# Required to prevent escalations to root.
allowPrivilegeEscalation: true
# Allow core volume types.
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
# Assume that persistentVolumes set up by the cluster admin are safe to use.
- 'persistentVolumeClaim'
allowedHostPaths:
# substitutes this path with an appropriate socket path
# ex: '/var/run/docker.sock', '/run/containerd/containerd.sock', '/run/crio/crio.sock'
- pathPrefix: "/var/run/docker.sock"
# substitutes this path with an appropriate container path
# ex: '/var/lib/docker/containers', '/var/lib/containerd/io.containerd.runtime.v1.linux/k8s.io', '/var/lib/containers/storage/overlay/'
- pathPrefix: "/var/lib/docker/containers"
allowedCapabilities:
- "NET_ADMIN"
- "SYS_ADMIN"
hostNetwork: false
hostIPC: false
hostPID: true
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false