chore(kyverno): Adding kyverno pod security policies for litmus pods (#504)

* chore(kyverno): Adding security policies Signed-off-by: shubham chaudhary <shubham@chaosnative.com> * chore(kyverno): updating policies Signed-off-by: shubham chaudhary <shubham@chaosnative.com> * chore(kyverno): updating policies Signed-off-by: shubham chaudhary <shubham@chaosnative.com> * chore(kyverno): changed the file names Signed-off-by: shubham chaudhary <shubham@chaosnative.com>
2021-10-13 16:00:11 +05:30
parent aff27bc0ee
commit 14c472265f
8 changed files with 278 additions and 0 deletions
--- a/security/kyverno-policies/allow-capabilities-for-litmus-experiments-which-uses-runtime-api.yaml
+++ b/security/kyverno-policies/allow-capabilities-for-litmus-experiments-which-uses-runtime-api.yaml
@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: allow-add-capabilities
+  annotations:
+    policies.kyverno.io/category: Pod Security Standards
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      Provides a list of capabilities that are allowed to be added to a container.
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: capabilities
+      match:
+        resources:
+          kinds:
+            - Pod
+          selector:
+            matchLabels:
+              # applicable for experiments which uses container runtime apis
+              app.kubernetes.io/runtime-api-usage: "true"
+      validate:
+        message: >-
+          The provided capabilities are not allowed at securityContext.capabilities.add     
+        pattern:
+          spec:
+            containers:
+              - =(securityContext):
+                  =(capabilities):
+                    # allow only NET_ADMIN and SYS_ADMIN capabilities
+                    =(add):
+                      - "NET_ADMIN | SYS_ADMIN"
--- a/security/kyverno-policies/allow-host-namespaces-for-litmus-experiments-which-uses-runtime-api.yaml
+++ b/security/kyverno-policies/allow-host-namespaces-for-litmus-experiments-which-uses-runtime-api.yaml
@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: allow-host-namespaces
+  annotations:
+    policies.kyverno.io/category: Pod Security Standards
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
+      network namespace) allow access to shared information and can be used to elevate
+      privileges. Pods should  allowed access to host namespaces.      
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: host-namespaces
+      match:
+        resources:
+          kinds:
+            - Pod
+          selector:
+            matchLabels:
+              # applicable for experiments which usage container runtime apis
+              app.kubernetes.io/runtime-api-usage: "true" 
+      validate:
+        message: >-
+          The spec.hostNetwork should be false, spec.hostIPC should be false, and spec.hostPID should be true.          
+        pattern:
+          spec:
+            =(hostPID): "true"
+            =(hostIPC): "false"
+            =(hostNetwork): "false"
+            
--- a/security/kyverno-policies/allow-host-paths-for-litmus-experiments-which-uses-hostPaths.yaml
+++ b/security/kyverno-policies/allow-host-paths-for-litmus-experiments-which-uses-hostPaths.yaml
@@ -0,0 +1,71 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: allow-host-path
+  annotations:
+    policies.kyverno.io/category: Pod Security Standards
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      HostPath volumes let Pods use host directories and volumes in containers.
+      Using host resources can be used to access shared data or escalate privileges
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: check socket host-path
+      match:
+        resources:
+          kinds:
+            - Pod
+          selector:
+            matchLabels:
+              # applicable for experiments which usage container runtime apis
+              app.kubernetes.io/runtime-api-usage: "true" 
+      validate:
+        message: >-
+          Hostpath is restricted to use only specific path. It can be set at spec.volumes[*].hostPath.
+        pattern:
+          spec:
+            =(volumes):
+            # substitutes this path with an appropriate socket path
+            # ex: '/var/run/docker.sock', '/run/containerd/containerd.sock', '/run/crio/crio.sock'
+            - =(hostPath):
+                path: "/var/run/docker.sock"     
+    - name: check container host-path
+      match:
+        resources:
+          kinds:
+            - Pod
+          selector:
+            matchLabels:
+              # applicable for experiments which needs container path
+              app.kubernetes.io/host-path-usage: "true" 
+      validate:
+        message: >-
+          Hostpath is restricted to use only specific path. It can be set at spec.volumes[*].hostPath.
+        pattern:
+          spec:
+            =(volumes):
+             # substitutes this path with an appropriate container path
+             # ex: '/var/lib/docker/containers', '/var/lib/containerd/io.containerd.runtime.v1.linux/k8s.io', '/var/lib/containers/storage/overlay/'
+            - =(hostPath):
+                path: "/var/lib/docker/containers"
+    - name: check service-kill host-path
+      match:
+        resources:
+          kinds:
+            - Pod
+          selector:
+            matchLabels:
+              # applicable for service-kill experiments
+              app.kubernetes.io/service-kill: "true" 
+      validate:
+        message: >-
+          Hostpath is restricted to use only specific path. It can be set at spec.volumes[*].hostPath.
+        pattern:
+          spec:
+            =(volumes):
+            - =(hostPath):
+                path: "/ | /var/run"
+    
--- a/security/kyverno-policies/allow-privilege-escalation-for-litmus-experiments-which-uses-runtime-api.yaml
+++ b/security/kyverno-policies/allow-privilege-escalation-for-litmus-experiments-which-uses-runtime-api.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: allow-privileged-escalation
+  annotations:
+    policies.kyverno.io/category: Pod Security Standards
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      Privilege escalation, such as via set-user-ID or set-group-ID file mode, should be allowed.
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: priviledged-escalation
+      match:
+        resources:
+          kinds:
+            - Pod
+          selector:
+            matchLabels:
+              # applicable for experiments which usage container runtime apis
+              app.kubernetes.io/runtime-api-usage: "true"
+      validate:
+        message: >-
+          allowPrivilegeEscalation should be set to true. It can be defined at spec.containers[*].securityContext.allowPrivilegeEscalation
+        pattern:
+          spec:
+            containers:
+              - =(securityContext):
+                  =(allowPrivilegeEscalation): true
--- a/security/kyverno-policies/allow-privileged-containers-for-litmus-experiments-which-uses-runtime-api.yaml
+++ b/security/kyverno-policies/allow-privileged-containers-for-litmus-experiments-which-uses-runtime-api.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: allow-privileged-containers
+  annotations:
+    policies.kyverno.io/category: Pod Security Standards
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      Privileged policies only allow the litmus containers to use privileged mode.
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: priviledged-containers
+      match:
+        resources:
+          kinds:
+            - Pod
+          selector:
+            matchLabels:
+              # applicable for experiments which usage container runtime apis
+              app.kubernetes.io/runtime-api-usage: "true"
+      validate:
+        message: >-
+          It should be run in privileged mode. It can be defined at spec.containers[*].securityContext.privileged.
+        pattern:
+          spec:
+            containers:
+              - =(securityContext):
+                  =(privileged): true
--- a/security/kyverno-policies/allow-user-groups-for-litmus-experiments.yaml
+++ b/security/kyverno-policies/allow-user-groups-for-litmus-experiments.yaml
@@ -0,0 +1,63 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: require-user-groups
+  annotations:
+    policies.kyverno.io/category: Pod Security Standards
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      Containers should allow to run with a root primary or supplementary GID.
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: allow users
+      match:
+        resources:
+          kinds:
+            - Pod
+          selector:
+            matchLabels:
+              app.kubernetes.io/component: experiment-job
+      validate:
+        message: >-
+          Running the user IDs are allowed.
+        pattern:
+          spec:
+            =(securityContext):
+              =(runAsUser): '>=0'
+            containers:
+            - =(securityContext):
+                =(runAsUser): ">=0"
+    - name: allow supplementary groups 
+      match:
+        resources:
+          kinds:
+            - Pod
+          selector:
+            matchLabels:
+              app.kubernetes.io/component: experiment-job
+      validate:
+        message: >-
+           Adding of supplemental group IDs is allowed.
+        pattern:
+          spec:
+             =(securityContext):
+               =(supplementalGroups):
+               - ">=0"
+    - name: allow gs groups
+      match:
+        resources:
+          kinds:
+            - Pod
+          selector:
+            matchLabels:
+              app.kubernetes.io/component: experiment-job
+      validate:
+        message: >-
+          Changing to root group ID is allowed.
+        pattern:
+           spec:
+             =(securityContext):
+               =(fsGroup): ">=0"
--- a/security/kyverno-policies/kustomization.yaml
+++ b/security/kyverno-policies/kustomization.yaml
@@ -0,0 +1,14 @@
+resources:
+  - allow-capabilities-for-litmus-experiments-which-uses-runtime-api.yaml
+  - allow-host-namespaces-for-litmus-experiments-which-uses-runtime-api.yaml
+  - allow-privileged-containers-for-litmus-experiments-which-uses-runtime-api.yaml
+  - allow-privilege-escalation-for-litmus-experiments-which-uses-runtime-api.yaml
+  - allow-host-paths-for-litmus-experiments-which-uses-hostPaths.yaml
+  - allow-user-groups-for-litmus-experiments.yaml
+patches:
+  - patch: |-
+      - op: replace
+        path: /spec/validationFailureAction
+        value: enforce
+    target:
+      kind: Policy