diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/bad-clusterrolebinding.yaml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/bad-clusterrolebinding.yaml
new file mode 100644
index 000000000..8057ff6b8
--- /dev/null
+++ b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/bad-clusterrolebinding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: bad-clusterrolebinding
+subjects:
+- kind: Group
+  name: system:unauthenticated
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/bad-rolebinding.yaml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/bad-rolebinding.yaml
new file mode 100644
index 000000000..f3f44e53b
--- /dev/null
+++ b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/bad-rolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: bad-rolebinding
+  namespace: default
+subjects:
+- kind: Group
+  name: system:authenticated
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100644
index 000000000..90fd6e264
--- /dev/null
+++ b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,5 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: secrets-not-from-env-vars-cve-2024-3177
+  ready: true
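Review bot: The readiness assert in chainsaw-step-01-assert-1.yaml names the ClusterPolicy `secrets-not-from-env-vars-cve-2024-3177`, which is a different policy from the one this directory adds, so step-01 waits on a resource this test never creates; the name should be `restrict-clusteradmin-rolebindings-gcp-2024-003`. The hunk is also only five lines, so `ready: true` ends up under `metadata` (or at top level) rather than under `status:`, and as far as I recall Kyverno reports policy readiness in `status.ready`; the assert should carry a `status:` line with `  ready: true` beneath it. The two bad-*.yaml fixtures themselves look right for this policy: each binds cluster-admin to one of the wildcard groups the rule denies, one via ClusterRoleBinding and one via a namespaced RoleBinding.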
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/chainsaw-test.yaml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/chainsaw-test.yaml
new file mode 100644
index 000000000..0c0e46434
--- /dev/null
+++ b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,29 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: secrets-not-from-env-vars-cve-2024-3177
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../secrets-not-from-env-vars-cve-2024-3177.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: secrets-not-from-env-vars-cve-2024-3177
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: chainsaw-step-01-assert-1.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: good-pod.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: bad-pod.yaml
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/good-clusterrolebinding.yaml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/good-clusterrolebinding.yaml
new file mode 100644
index 000000000..14d35b8d2
--- /dev/null
+++ b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/good-clusterrolebinding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: good-clusterrolebinding
+subjects:
+- kind: User
+  name: jane.doe
+roleRef:
+  kind: ClusterRole
+  name: view
+  apiGroup: rbac.authorization.k8s.io
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/good-rolebinding.yaml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/good-rolebinding.yaml
new file mode 100644
index 000000000..291827b14
--- /dev/null
+++ b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/good-rolebinding.yaml
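Review bot: chainsaw-test.yaml still drives a different policy: step-01 applies `../secrets-not-from-env-vars-cve-2024-3177.yaml` and patches a ClusterPolicy of that name, and step-02 applies `good-pod.yaml` and `bad-pod.yaml`, none of which exist in this directory (the fixtures added here are good-/bad-clusterrolebinding.yaml and good-/bad-rolebinding.yaml). As written the test cannot pass, and more importantly it never exercises the cluster-admin rule, so the policy ships without any working regression check. The apply and patch targets should name `restrict-clusteradmin-rolebindings-gcp-2024-003`, and step-02 should apply both good fixtures and expect an admission error for each bad fixture, along these lines:

```yaml
metadata:
  name: restrict-clusteradmin-rolebindings-gcp-2024-003
spec:
  steps:
  - name: step-01
    try:
    - apply:
        file: ../restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
    - patch:
        resource:
          apiVersion: kyverno.io/v1
          kind: ClusterPolicy
          metadata:
            name: restrict-clusteradmin-rolebindings-gcp-2024-003
          spec:
            validationFailureAction: Enforce
    # … unchanged: assert on chainsaw-step-01-assert-1.yaml …
  - name: step-02
    try:
    - apply:
        file: good-clusterrolebinding.yaml
    - apply:
        file: good-rolebinding.yaml
    - apply:
        expect:
        - check:
            ($error != null): true
        file: bad-clusterrolebinding.yaml
    - apply:
        expect:
        - check:
            ($error != null): true
        file: bad-rolebinding.yaml
```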
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: good-rolebinding
+  namespace: default
+subjects:
+- kind: User
+  name: john.doe
+roleRef:
+  kind: Role
+  name: admin
+  apiGroup: rbac.authorization.k8s.io
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/artifacthub-pkg.yml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/artifacthub-pkg.yml
new file mode 100644
index 000000000..a5dc728f0
--- /dev/null
+++ b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/artifacthub-pkg.yml
@@ -0,0 +1,19 @@
+name: restrict-clusteradmin-rolebindings-gcp-2024-003
+version: 1.0.0
+displayName: Restrict ClusterAdmin RoleBindings (GCP-2024-003)
+createdAt: "2023-04-10T20:30:03.000Z"
+description: >-
+  The cluster-admin ClusterRole allows any action to be performed on any resource in the cluster and its granting should be heavily restricted. This policy prevents binding to the cluster-admin ClusterRole in RoleBinding or ClusterRoleBinding resources to the system:authenticated, system:unauthenticated, and system:anonymous subjects.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
+  ```
+keywords:
+  - kyverno
+  - Security
+readme: |
+  The cluster-admin ClusterRole allows any action to be performed on any resource in the cluster and its granting should be heavily restricted. This policy prevents binding to the cluster-admin ClusterRole in RoleBinding or ClusterRoleBinding resources to the system:authenticated, system:unauthenticated, and system:anonymous subjects.
+annotations:
+  kyverno/category: "Security"
+  kyverno/subject: "RoleBinding, ClusterRoleBinding"
+digest: 9220d6071d8faccd37995e3fdf7b8db036b0e499268eb38993587016a0c1120e
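Review bot: good-rolebinding.yaml uses `kind: Role` with `name: admin`; `admin` is one of the built-in ClusterRoles, and no namespaced Role of that name is created by the test, so the fixture is admitted only because RBAC does not require the referenced role to exist. It passes the policy simply because `roleRef.name` is not cluster-admin, which the other good fixture already covers; `kind: ClusterRole` would make it a realistic allowed binding. More valuable would be a third allowed fixture that binds cluster-admin to a named User or ServiceAccount, since that is the case separating this rule (deny only the three wildcard subjects) from a blanket ban on cluster-admin bindings, and neither good fixture currently exercises it.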
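Review bot: artifacthub-pkg.yml sets `createdAt: "2023-04-10T20:30:03.000Z"` for a package tied to a 2024 bulletin (GCP-2024-003), which looks carried over from whichever policy this was copied from rather than the date this policy was added. The `digest` line also has to be regenerated from the final policy file once the policy YAML settles; if the first-condition or Audit/Enforce changes raised on the policy land, the current value will no longer match and the repository's digest check is likely to fail.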
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
new file mode 100644
index 000000000..d3500c4c7
--- /dev/null
+++ b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
@@ -0,0 +1,39 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-clusteradmin-rolebindings-gcp-2024-003
+  annotations:
+    policies.kyverno.io/title: Restrict ClusterAdmin RoleBindings (GCP-2024-003)
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: RoleBinding, ClusterRoleBinding
+    kyverno.io/kubernetes-version: 1.27
+    kyverno.io/kyverno-version: 1.10
+    policies.kyverno.io/description: >-
+      The cluster-admin ClusterRole allows any action to be performed on any resource in the cluster and its granting should be heavily restricted. This policy prevents binding to the cluster-admin ClusterRole in RoleBinding or ClusterRoleBinding resources to the system:authenticated, system:unauthenticated, and system:anonymous subjects.
+
+      Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+spec:
+  validationFailureAction: Audit
+  rules:
+    - name: validate-restricted-cluster-admin-bindings
+      match:
+        any:
+        - resources:
+            kinds:
+              - ClusterRoleBinding
+              - RoleBinding
+      validate:
+        message: "Binding ClusterRole 'cluster-admin' is restricted, system:authenticated, system:unauthenticated and system:anonymous are not allowed. GCP-2024-003"
+        deny:
+          conditions:
+            all:
+            - key: "{{ request.object.subjects[].name }}"
+              operator: AnyIn
+              value:
+              - system:authenticated
+              - system:unauthenticated
+              - system:anonymous
+            - key: "{{ request.object.roleRef.name }}"
+              operator: Equals
+              value: "cluster-admin"
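Review bot: The first deny condition, `key: "{{ request.object.subjects[].name }}"`, has no fallback for a binding that omits `subjects` altogether, which RBAC allows; the JMESPath then resolves to null and, as far as I know, Kyverno reports a variable-substitution failure for that rule instead of evaluating it, so a legitimate subject-less binding errors rather than passing. A default such as `key: "{{ request.object.subjects[].name || '' }}"` keeps the rule evaluating, since AnyIn of an empty key against the list is simply false. The policy also ships with `validationFailureAction: Audit` while its description says it "prevents" the binding; in Audit mode it only reports, so for a rule this narrow either default to Enforce or reword the description to say it reports in Audit and denies in Enforce. Lastly `roleRef.kind` is not checked, so a namespaced Role that happens to be named cluster-admin is denied too; that is fail-safe, but if precision matters add a third condition with `key: "{{ request.object.roleRef.kind }}"`, `operator: Equals`, `value: ClusterRole`.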