-
Notifications
You must be signed in to change notification settings - Fork 240
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'main' into simplify-cel-sysctls-policy
- Loading branch information
Showing
8 changed files
with
190 additions
and
0 deletions.
There are no files selected for viewing
6 changes: 6 additions & 0 deletions
6
other/restrict-clusterrole-csr/.chainsaw-test/chainsaw-step-01-assert-1.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| metadata: | ||
| name: restrict-clusterrole-csr | ||
| status: | ||
| ready: true |
29 changes: 29 additions & 0 deletions
29
other/restrict-clusterrole-csr/.chainsaw-test/chainsaw-test.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| apiVersion: chainsaw.kyverno.io/v1alpha1 | ||
| kind: Test | ||
| metadata: | ||
| name: restrict-clusterrole-csr | ||
| spec: | ||
| steps: | ||
| - name: step-01 | ||
| try: | ||
| - apply: | ||
| file: ../restrict-clusterrole-csr.yaml | ||
| - patch: | ||
| resource: | ||
| apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| metadata: | ||
| name: restrict-clusterrole-csr | ||
| spec: | ||
| validationFailureAction: Enforce | ||
| - assert: | ||
| file: chainsaw-step-01-assert-1.yaml | ||
| - name: step-02 | ||
| try: | ||
| - apply: | ||
| file: non-violating-clusterrole.yaml | ||
| - apply: | ||
| expect: | ||
| - check: | ||
| ($error != null): true | ||
| file: violating-clusterrole.yaml |
11 changes: 11 additions & 0 deletions
11
other/restrict-clusterrole-csr/.chainsaw-test/non-violating-clusterrole.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: ClusterRole | ||
| metadata: | ||
| name: non-violating-clusterrole | ||
| rules: | ||
| - apiGroups: [""] | ||
| resources: ["certificatesigningrequests/approval"] | ||
| verbs: ["get", "list"] | ||
| - apiGroups: [""] | ||
| resources: ["signers"] | ||
| verbs: ["get", "list"] |
11 changes: 11 additions & 0 deletions
11
other/restrict-clusterrole-csr/.chainsaw-test/violating-clusterrole.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: ClusterRole | ||
| metadata: | ||
| name: violating-clusterrole | ||
| rules: | ||
| - apiGroups: [""] | ||
| resources: ["certificatesigningrequests/approval"] | ||
| verbs: ["update", "approve"] | ||
| - apiGroups: [""] | ||
| resources: ["signers"] | ||
| verbs: ["approve"] |
33 changes: 33 additions & 0 deletions
33
other/restrict-clusterrole-csr/.kyverno-test/kyverno-test.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| apiVersion: cli.kyverno.io/v1alpha1 | ||
| kind: Test | ||
| metadata: | ||
| name: restrict-clusterrole-csr | ||
| policies: | ||
| - ../restrict-clusterrole-csr.yaml | ||
| resources: | ||
| - resource.yaml | ||
| results: | ||
| - kind: ClusterRole | ||
| policy: restrict-clusterrole-csr | ||
| resources: | ||
| - violating-clusterrole | ||
| result: fail | ||
| rule: certificatesigningrequests-update-prevention | ||
| - kind: ClusterRole | ||
| policy: restrict-clusterrole-csr | ||
| resources: | ||
| - violating-clusterrole | ||
| result: fail | ||
| rule: signers-approve-prevention | ||
| - kind: ClusterRole | ||
| policy: restrict-clusterrole-csr | ||
| resources: | ||
| - non-violating-clusterrole | ||
| result: pass | ||
| rule: certificatesigningrequests-update-prevention | ||
| - kind: ClusterRole | ||
| policy: restrict-clusterrole-csr | ||
| resources: | ||
| - non-violating-clusterrole | ||
| result: pass | ||
| rule: signers-approve-prevention |
24 changes: 24 additions & 0 deletions
24
other/restrict-clusterrole-csr/.kyverno-test/resource.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: ClusterRole | ||
| metadata: | ||
| name: violating-clusterrole | ||
| rules: | ||
| - apiGroups: [""] | ||
| resources: ["certificatesigningrequests/approval"] | ||
| verbs: ["update", "approve"] | ||
| - apiGroups: [""] | ||
| resources: ["signers"] | ||
| verbs: ["approve"] | ||
| --- | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: ClusterRole | ||
| metadata: | ||
| name: non-violating-clusterrole | ||
| rules: | ||
| - apiGroups: [""] | ||
| resources: ["certificatesigningrequests/approval"] | ||
| verbs: ["get", "list"] | ||
| - apiGroups: [""] | ||
| resources: ["signers"] | ||
| verbs: ["get", "list"] | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| name: restrict-clusterrole-csr | ||
| version: 1.0.0 | ||
| displayName: Restrict Clusterrole for Certificate Signing Requests (CSR's) | ||
| createdAt: "2024-07-17T20:30:05.000Z" | ||
| description: >- | ||
| ClusterRoles that grant permissions to approve CertificateSigningRequests should be minimized to reduce powerful identities in the cluster. Approving CertificateSigningRequests allows one to issue new credentials for any user or group. As such, ClusterRoles that grant permissions to approve CertificateSigningRequests are granting cluster admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that if compromised could take over the entire cluster. For more information, refer to https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized. | ||
| install: |- | ||
| ```shell | ||
| kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/restrict-clusterrole-csr/restrict-clusterrole-csr.yaml | ||
| ``` | ||
| keywords: | ||
| - kyverno | ||
| - Other | ||
| readme: | | ||
| ClusterRoles that grant permissions to approve CertificateSigningRequests should be minimized to reduce powerful identities in the cluster. Approving CertificateSigningRequests allows one to issue new credentials for any user or group. As such, ClusterRoles that grant permissions to approve CertificateSigningRequests are granting cluster admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that if compromised could take over the entire cluster. For more information, refer to https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized. | ||
| Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ | ||
| annotations: | ||
| kyverno/category: "Other" | ||
| kyverno/subject: "ClusterRole" | ||
| digest: c36b162b694005bbdf84f61f70c86b7ddbaf2dd9d428023c132570df7fd18854 |
55 changes: 55 additions & 0 deletions
55
other/restrict-clusterrole-csr/restrict-clusterrole-csr.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| metadata: | ||
| name: restrict-clusterrole-csr | ||
| annotations: | ||
| policies.kyverno.io/title: Restrict Cluster Role CSR | ||
| policies.kyverno.io/category: Other | ||
| policies.kyverno.io/severity: medium | ||
| policies.kyverno.io/subject: ClusterRole | ||
| kyverno.io/kyverno-version: 1.11.5 | ||
| kyverno.io/kubernetes-version: "1.27" | ||
| policies.kyverno.io/description: >- | ||
| ClusterRoles that grant permissions to approve CertificateSigningRequests should be minimized to reduce powerful identities in the cluster. Approving CertificateSigningRequests allows one to issue new credentials for any user or group. As such, ClusterRoles that grant permissions to approve CertificateSigningRequests are granting cluster admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that if compromised could take over the entire cluster. For more information, refer to https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized. | ||
| spec: | ||
| validationFailureAction: Audit | ||
| background: true | ||
| rules: | ||
| - name: certificatesigningrequests-update-prevention | ||
| match: | ||
| any: | ||
| - resources: | ||
| kinds: | ||
| - ClusterRole | ||
| validate: | ||
| message: "Use of verbs `update` and `patch` are forbidden for certificatesigningrequests/approval." | ||
| foreach: | ||
| - list: "request.object.rules[?resources.contains(@,'certificatesigningrequests/approval')]" | ||
| deny: | ||
| conditions: | ||
| any: | ||
| - key: ["update", "patch"] | ||
| operator: AnyIn | ||
| value: "{{ element.verbs[] }}" | ||
| - key: "{{ contains(element.verbs[], '*') }}" | ||
| operator: Equals | ||
| value: true | ||
| - name: signers-approve-prevention | ||
| match: | ||
| any: | ||
| - resources: | ||
| kinds: | ||
| - ClusterRole | ||
| validate: | ||
| message: "Use of verbs `approve` are forbidden for signers." | ||
| foreach: | ||
| - list: "request.object.rules[?resources.contains(@,'signers')]" | ||
| deny: | ||
| conditions: | ||
| any: | ||
| - key: ["approve"] | ||
| operator: AnyIn | ||
| value: "{{ element.verbs[] }}" | ||
| - key: "{{ contains(element.verbs[], '*') }}" | ||
| operator: Equals | ||
| value: true |