From 3c6044b524526cbf7ef8989441923b42a0dda9e6 Mon Sep 17 00:00:00 2001 From: nsagark <90008930+nsagark@users.noreply.github.com> Date: Fri, 2 Aug 2024 11:19:58 -0400 Subject: [PATCH] Add policy Restrict Cluster Role CSR (#1077) * Added policy for restricting clusterroles for CSR's, along with unit tests, chainsaw tests and artifacthub-pkg.yaml Signed-off-by: nsagark * updated the policy with annotations and validation failure action Signed-off-by: nsagark * updated the sha256sum on the artifacthub-pkg.yaml Signed-off-by: nsagark * Update other/restrict-clusterrole-csr/artifacthub-pkg.yaml Signed-off-by: Chip Zoller * Update other/restrict-clusterrole-csr/artifacthub-pkg.yaml Signed-off-by: Chip Zoller * Update other/restrict-clusterrole-csr/artifacthub-pkg.yaml Signed-off-by: Chip Zoller --------- Signed-off-by: nsagark Signed-off-by: Chip Zoller Co-authored-by: Chip Zoller --- .../chainsaw-step-01-assert-1.yaml | 6 ++ .../.chainsaw-test/chainsaw-test.yaml | 29 ++++++++++ .../non-violating-clusterrole.yaml | 11 ++++ .../.chainsaw-test/violating-clusterrole.yaml | 11 ++++ .../.kyverno-test/kyverno-test.yaml | 33 +++++++++++ .../.kyverno-test/resource.yaml | 24 ++++++++ .../artifacthub-pkg.yaml | 21 +++++++ .../restrict-clusterrole-csr.yaml | 55 +++++++++++++++++++ 8 files changed, 190 insertions(+) create mode 100644 other/restrict-clusterrole-csr/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100644 other/restrict-clusterrole-csr/.chainsaw-test/chainsaw-test.yaml create mode 100644 other/restrict-clusterrole-csr/.chainsaw-test/non-violating-clusterrole.yaml create mode 100644 other/restrict-clusterrole-csr/.chainsaw-test/violating-clusterrole.yaml create mode 100644 other/restrict-clusterrole-csr/.kyverno-test/kyverno-test.yaml create mode 100644 other/restrict-clusterrole-csr/.kyverno-test/resource.yaml create mode 100644 other/restrict-clusterrole-csr/artifacthub-pkg.yaml create mode 100644 other/restrict-clusterrole-csr/restrict-clusterrole-csr.yaml 
diff --git a/other/restrict-clusterrole-csr/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-clusterrole-csr/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100644
index 000000000..2e1ce717b
--- /dev/null
+++ b/other/restrict-clusterrole-csr/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-clusterrole-csr
+status:
+ ready: true
diff --git a/other/restrict-clusterrole-csr/.chainsaw-test/chainsaw-test.yaml b/other/restrict-clusterrole-csr/.chainsaw-test/chainsaw-test.yaml
new file mode 100644
index 000000000..794763357
--- /dev/null
+++ b/other/restrict-clusterrole-csr/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,29 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: restrict-clusterrole-csr
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../restrict-clusterrole-csr.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: restrict-clusterrole-csr
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: non-violating-clusterrole.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: violating-clusterrole.yaml
diff --git a/other/restrict-clusterrole-csr/.chainsaw-test/non-violating-clusterrole.yaml b/other/restrict-clusterrole-csr/.chainsaw-test/non-violating-clusterrole.yaml
new file mode 100644
index 000000000..65d495b73
--- /dev/null
+++ b/other/restrict-clusterrole-csr/.chainsaw-test/non-violating-clusterrole.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: non-violating-clusterrole
+rules:
+- apiGroups: [""]
+ resources: ["certificatesigningrequests/approval"]
+ verbs: ["get", "list"]
+- apiGroups: [""]
+ resources: ["signers"]
+ verbs: ["get", "list"]
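Review bot: The fixture's `apiGroups: [""]` does not match where these resources actually live; `certificatesigningrequests` and `signers` are served from the `certificates.k8s.io` group, so a ClusterRole written this way would not grant CSR approval in a real cluster. The policy's foreach filters never inspect apiGroups, which is why the test still behaves as expected, but the fixture no longer models the CSR-approver role the policy is meant to catch. Use `apiGroups: ["certificates.k8s.io"]` in both rules here; the same applies to the violating-clusterrole.yaml hunk and to both documents in .kyverno-test/resource.yaml.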
diff --git a/other/restrict-clusterrole-csr/.chainsaw-test/violating-clusterrole.yaml b/other/restrict-clusterrole-csr/.chainsaw-test/violating-clusterrole.yaml
new file mode 100644
index 000000000..21ab8b7e9
--- /dev/null
+++ b/other/restrict-clusterrole-csr/.chainsaw-test/violating-clusterrole.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: violating-clusterrole
+rules:
+- apiGroups: [""]
+ resources: ["certificatesigningrequests/approval"]
+ verbs: ["update", "approve"]
+- apiGroups: [""]
+ resources: ["signers"]
+ verbs: ["approve"]
diff --git a/other/restrict-clusterrole-csr/.kyverno-test/kyverno-test.yaml b/other/restrict-clusterrole-csr/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..80f06220e
--- /dev/null
+++ b/other/restrict-clusterrole-csr/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,33 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: restrict-clusterrole-csr
+policies:
+- ../restrict-clusterrole-csr.yaml
+resources:
+- resource.yaml
+results:
+- kind: ClusterRole
+ policy: restrict-clusterrole-csr
+ resources:
+ - violating-clusterrole
+ result: fail
+ rule: certificatesigningrequests-update-prevention
+- kind: ClusterRole
+ policy: restrict-clusterrole-csr
+ resources:
+ - violating-clusterrole
+ result: fail
+ rule: signers-approve-prevention
+- kind: ClusterRole
+ policy: restrict-clusterrole-csr
+ resources:
+ - non-violating-clusterrole
+ result: pass
+ rule: certificatesigningrequests-update-prevention
+- kind: ClusterRole
+ policy: restrict-clusterrole-csr
+ resources:
+ - non-violating-clusterrole
+ result: pass
+ rule: signers-approve-prevention
diff --git a/other/restrict-clusterrole-csr/.kyverno-test/resource.yaml b/other/restrict-clusterrole-csr/.kyverno-test/resource.yaml
new file mode 100644
index 000000000..d7f755d18
--- /dev/null
+++ b/other/restrict-clusterrole-csr/.kyverno-test/resource.yaml
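Review bot: Neither fixture exercises the policy's second deny condition, the `contains(element.verbs[], '*')` branch, so a regression there would go unnoticed; every `result: fail` entry in this test is driven by the literal `update`/`approve` verbs. Add a third ClusterRole to resource.yaml with `verbs: ["*"]` on `certificatesigningrequests/approval` and on `signers`, plus two `result: fail` entries for it, one per rule. A fixture using `resources: ["*"]` would also be worth adding so the expected outcome for wildcard resources is stated explicitly instead of left implicit.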
@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: violating-clusterrole
+rules:
+- apiGroups: [""]
+ resources: ["certificatesigningrequests/approval"]
+ verbs: ["update", "approve"]
+- apiGroups: [""]
+ resources: ["signers"]
+ verbs: ["approve"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: non-violating-clusterrole
+rules:
+- apiGroups: [""]
+ resources: ["certificatesigningrequests/approval"]
+ verbs: ["get", "list"]
+- apiGroups: [""]
+ resources: ["signers"]
+ verbs: ["get", "list"]
+
diff --git a/other/restrict-clusterrole-csr/artifacthub-pkg.yaml b/other/restrict-clusterrole-csr/artifacthub-pkg.yaml
new file mode 100644
index 000000000..1dfb22271
--- /dev/null
+++ b/other/restrict-clusterrole-csr/artifacthub-pkg.yaml
@@ -0,0 +1,21 @@
+name: restrict-clusterrole-csr
+version: 1.0.0
+displayName: Restrict Clusterrole for Certificate Signing Requests (CSR's)
+createdAt: "2024-07-17T20:30:05.000Z"
+description: >-
+ ClusterRoles that grant permissions to approve CertificateSigningRequests should be minimized to reduce powerful identities in the cluster. Approving CertificateSigningRequests allows one to issue new credentials for any user or group. As such, ClusterRoles that grant permissions to approve CertificateSigningRequests are granting cluster admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that if compromised could take over the entire cluster. For more information, refer to https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/restrict-clusterrole-csr/restrict-clusterrole-csr.yaml
+ ```
+keywords:
+- kyverno
+- Other
+readme: |
+ ClusterRoles that grant permissions to approve CertificateSigningRequests should be minimized to reduce powerful identities in the cluster. Approving CertificateSigningRequests allows one to issue new credentials for any user or group. As such, ClusterRoles that grant permissions to approve CertificateSigningRequests are granting cluster admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that if compromised could take over the entire cluster. For more information, refer to https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Other"
+ kyverno/subject: "ClusterRole"
+digest: c36b162b694005bbdf84f61f70c86b7ddbaf2dd9d428023c132570df7fd18854
diff --git a/other/restrict-clusterrole-csr/restrict-clusterrole-csr.yaml b/other/restrict-clusterrole-csr/restrict-clusterrole-csr.yaml
new file mode 100644
index 000000000..d0686c63b
--- /dev/null
+++ b/other/restrict-clusterrole-csr/restrict-clusterrole-csr.yaml
@@ -0,0 +1,55 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-clusterrole-csr
+ annotations:
+ policies.kyverno.io/title: Restrict Cluster Role CSR
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: ClusterRole
+ kyverno.io/kyverno-version: 1.11.5
+ kyverno.io/kubernetes-version: "1.27"
+ policies.kyverno.io/description: >-
+ ClusterRoles that grant permissions to approve CertificateSigningRequests should be minimized to reduce powerful identities in the cluster. Approving CertificateSigningRequests allows one to issue new credentials for any user or group. As such, ClusterRoles that grant permissions to approve CertificateSigningRequests are granting cluster admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that if compromised could take over the entire cluster. For more information, refer to https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: certificatesigningrequests-update-prevention
+ match:
+ any:
+ - resources:
+ kinds:
+ - ClusterRole
+ validate:
+ message: "Use of verbs `update` and `patch` are forbidden for certificatesigningrequests/approval."
+ foreach:
+ - list: "request.object.rules[?resources.contains(@,'certificatesigningrequests/approval')]"
+ deny:
+ conditions:
+ any:
+ - key: ["update", "patch"]
+ operator: AnyIn
+ value: "{{ element.verbs[] }}"
+ - key: "{{ contains(element.verbs[], '*') }}"
+ operator: Equals
+ value: true
+ - name: signers-approve-prevention
+ match:
+ any:
+ - resources:
+ kinds:
+ - ClusterRole
+ validate:
+ message: "Use of verbs `approve` are forbidden for signers."
+ foreach:
+ - list: "request.object.rules[?resources.contains(@,'signers')]"
+ deny:
+ conditions:
+ any:
+ - key: ["approve"]
+ operator: AnyIn
+ value: "{{ element.verbs[] }}"
+ - key: "{{ contains(element.verbs[], '*') }}"
+ operator: Equals
+ value: true
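Review bot: Both foreach lists match the resource name literally (`resources.contains(@,'certificatesigningrequests/approval')` in the first rule and `resources.contains(@,'signers')` here), so a rule granting `resources: ["*"]` with `update` or `approve` verbs — which in RBAC covers every resource and subresource — is never iterated and passes both rules, even though the wildcard-verb case is already handled by the second deny condition. Extend each list to include the resource wildcard, e.g. `list: "request.object.rules[?resources.contains(@,'certificatesigningrequests/approval') || resources.contains(@,'*')]"` and the equivalent for `signers`. Because `apiGroups` is not inspected, that broader filter would also flag wildcard-resource rules in unrelated API groups; gating the filter on `apiGroups` containing `certificates.k8s.io` or `*` keeps Audit noise down, though the current fixtures (which use `apiGroups: [""]`) would then have to be updated to match. The two `message` strings read better as `... is forbidden ...`, a wording nit only.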