Merge branch 'kyverno:main' into simplify-cel-sysctls-policy

.github/workflows/test.yml

@@ -57,9 +57,12 @@ jobs:
           - ^pod-security$
           - ^psa$
           - ^psp-migration$
+          - ^psp-migration-cel$
           - ^tekton$
+          - ^tekton-cel$
           - ^traefik$
           - ^velero$
+          - ^velero-cel$
     runs-on: ubuntu-latest
     name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }}
     steps:
@@ -72,4 +75,4 @@ jobs:
       - name: Run Tests
         uses: ./.github/actions/run-tests
         with:
-          tests: ${{ matrix.tests }}
+          tests: ${{ matrix.tests }}

README.md

@@ -37,7 +37,7 @@ Anyone and everyone is welcome to write and contribute Kyverno policies! We have
 
 * Use dashes for folder name and policy name instead of underscores.
 
-* When updating a policy already in the library, calculate the new sha256 sum of the changed policy and update the `artifacthub-pkg.yml` file's `digest` field with this value. This is to ensure Artifact Hub picks up the changes once merged.
+* When updating a policy already in the library, calculate the new sha256 sum of the changed policy and update the `artifacthub-pkg.yml` file's `digest` field with this value. This is to ensure Artifact Hub picks up the changes once merged. Note that because of validation checks in Kyverno's CI processes, it expects the digest to have been generated on a Linux system. Due to the differences of control characters, a digest generated from a Windows system may be different from that generated in Linux.
 
 Once your policy is written within these guidelines and tested, please open a standard PR against the `main` branch of kyverno/policies. In order for a policy to make it to the website's [policies page](https://kyverno.io/policies/), it must first be committed to the `main` branch in this repo. Following that, an administrator will render these policies to produce Markdown files in a second PR. You do not need to worry about this process, however.
 

other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/chainsaw-step-01-assert-1.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-clusterrole-mutating-validating-admission-webhooks
+status:
+  ready: true

other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,31 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: restrict-clusterrole-mutating-validating-admission-webhooks
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../restrict-clusterrole-mutating-validating-admission-webhooks.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: restrict-clusterrole-mutating-validating-admission-webhooks
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: chainsaw-step-01-assert-1.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: non-violating-clusterrole.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: violating-clusterrole.yaml

other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/non-violating-clusterrole.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: non-violating-clusterrole
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+  verbs: ["get", "list", "watch"]

other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/violating-clusterrole.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: violating-clusterrole
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+  verbs: ["create", "update", "patch"]

other/restrict-clusterrole-mutating-validating-admission-webhooks/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,21 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: restrict-clusterrole-mutating-validating-admission-webhooks
+policies:
+- ../restrict-clusterrole-mutating-validating-admission-webhooks.yaml
+resources:
+- resource.yaml
+results:
+- kind: ClusterRole
+  policy: restrict-clusterrole-mutating-validating-admission-webhooks
+  resources:
+  - non-violating-clusterrole
+  result: pass
+  rule: restrict-clusterrole
+- kind: ClusterRole
+  policy: restrict-clusterrole-mutating-validating-admission-webhooks
+  resources:
+  - violating-clusterrole
+  result: fail
+  rule: restrict-clusterrole

other/restrict-clusterrole-mutating-validating-admission-webhooks/.kyverno-test/resource.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: non-violating-clusterrole
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: violating-clusterrole
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+  verbs: ["create", "update", "patch"]
+

other/restrict-clusterrole-mutating-validating-admission-webhooks/artifacthub-pkg.yml

@@ -0,0 +1,21 @@
+name: restrict-clusterrole-mutating-validating-admission-webhooks
+version: 1.0.0
+displayName: Restrict Clusterrole for Mutating and Validating Admission Webhooks
+createdAt: "2024-05-19T20:30:05.000Z"
+description: >-
+  ClusterRoles that grant write permissions over admission webhook should be minimized to reduce powerful identities in the cluster. This policy checks to ensure write permissions are not provided to admission webhooks.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/restrict-clusterrole-mutating-validating-admission-webhooks/restrict-clusterrole-mutating-validating-admission-webhooks.yaml
+  ```
+keywords:
+- kyverno
+- Other
+readme: |
+  ClusterRoles that grant write permissions over admission webhook should be minimized to reduce powerful identities in the cluster. This policy checks to ensure write permissions are not provided to admission webhooks.
+
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Other"
+  kyverno/subject: "ClusterRole"
+digest: 3ebafd2ea6b0db34271461525d00cb97805c3ba8a97e928db056bb6e65dbf01b

other/restrict-clusterrole-mutating-validating-admission-webhooks/restrict-clusterrole-mutating-validating-admission-webhooks.yaml

@@ -0,0 +1,50 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-clusterrole-mutating-validating-admission-webhooks
+  annotations:
+    policies.kyverno.io/title: Restrict Clusterrole for Mutating and Validating Admission Webhooks
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.10.7
+    kyverno.io/kubernetes-version: "1.27"
+    policies.kyverno.io/subject: ClusterRole
+    policies.kyverno.io/description: >-
+      ClusterRoles that grant write permissions over admission webhook should be minimized to reduce powerful identities in the cluster. This policy checks to ensure write permissions are not provided to admission webhooks.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+  - name: restrict-clusterrole
+    match:
+      any:
+      - resources:
+          kinds:
+          - ClusterRole
+    validate:
+      message: "Use of verbs `create`, `update`, and `patch` are forbidden for mutating and validating admission webhooks"
+      foreach:
+      - list: "request.object.rules[]"
+        deny:
+          conditions:
+            all:
+            - key: "{{ element.apiGroups || '' }}"
+              operator: AnyIn
+              value:
+              - admissionregistration.k8s.io
+            - key: "{{ element.resources || '' }}"
+              operator: AnyIn
+              value:
+              - mutatingwebhookconfigurations
+              - validatingwebhookconfigurations
+            any:
+            - key: "{{ element.verbs }}"
+              operator: AnyIn
+              value:
+              - create
+              - update
+              - patch
+            - key: "{{ contains(element.verbs[], '*') }}"
+              operator: Equals
+              value: true
+

psp-migration-cel/check-supplemental-groups/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,38 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: check-supplemental-groups
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../check-supplemental-groups.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: psp-check-supplemental-groups
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: policy-ready.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: pod-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: pod-bad.yaml
+    - apply:
+        file: podcontroller-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: podcontroller-bad.yaml

psp-migration-cel/check-supplemental-groups/.chainsaw-test/pod-bad.yaml

@@ -0,0 +1,55 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod01
+spec:
+  securityContext:
+    supplementalGroups:
+    - 120
+    - 230
+    - 550
+  containers:
+  - name: busybox01
+    image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod02
+spec:
+  securityContext:
+    supplementalGroups: 
+    - 1000
+    - 120
+  containers:
+  - name: busybox01
+    image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod03
+spec:
+  securityContext:
+    runAsGroup: 0
+    supplementalGroups:
+    - 580
+    - 0
+  containers:
+  - name: busybox01
+    image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod04
+spec:
+  securityContext:
+    supplementalGroups:
+    - 100
+    - 601
+    - 600
+    runAsGroup: 0
+  containers:
+  - name: busybox01
+    image: busybox:1.35

psp-migration-cel/check-supplemental-groups/.chainsaw-test/pod-good.yaml

@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod01
+spec:
+  containers:
+  - name: busybox01
+    image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod02
+spec:
+  securityContext:
+    supplementalGroups: 
+    - 150
+    - 100
+    - 500
+  containers:
+  - name: busybox01
+    image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod03
+spec:
+  securityContext:
+    supplementalGroups:
+    - 550
+    - 600
+    - 120
+  containers:
+  - name: busybox01
+    image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod04
+spec:
+  securityContext:
+    runAsGroup: 0
+  containers:
+  - name: busybox01
+    image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod05
+spec:
+  securityContext:
+    supplementalGroups: 
+    - 600
+    runAsGroup: 0
+  containers:
+  - name: busybox01
+    image: busybox:1.35