update the bypass condition

devtron-labs · Dec 2, 2024 · f3702b3 · f3702b3
1 parent efb5ed0
commit f3702b3
Show file tree

Hide file tree

Showing 8 changed files with 69 additions and 11 deletions.
diff --git a/charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml b/charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml
@@ -21,6 +21,7 @@ spec:
       - clusterroles
       scope: '*'
   validations:
+  {{- if and .Values.bypassLabel.key .Values.bypassLabel.value }}
   - expression: "(has(object.metadata.labels) && object.metadata.labels.exists(l, l == '{{ .Values.bypassLabel.key }}') && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}') || !has(object.rules) || object.rules.all(rule,
       !(rule.apiGroups.exists(g, g == '*') &&
         rule.resources.exists(r, r == '*') &&
@@ -29,6 +30,16 @@ spec:
         rule.verbs.exists(v, v == '*'))
     )"
     message: "Creation of ClusterRole with admin access is denied, set label {{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }} to allow."
+  {{- else }}
+  - expression: "!has(object.rules) || object.rules.all(rule,
+      !(rule.apiGroups.exists(g, g == '*') &&
+        rule.resources.exists(r, r == '*') &&
+        rule.verbs.exists(v, v == '*')) &&
+      !(rule.nonResourceURLs.exists(u, u == '*') &&
+        rule.verbs.exists(v, v == '*'))"
+    message: "Creation of ClusterRole with admin access is denied"
+  {{- end }}
+
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding

diff --git a/...k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml b/...k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml
@@ -21,8 +21,13 @@ spec:
       - clusterrolebindings
       scope: '*'
   validations:
+    {{- if and .Values.bypassLabel.key .Values.bypassLabel.value }}
     - expression: "(has(object.metadata.labels) && object.metadata.labels.exists(l, l == '{{ .Values.bypassLabel.key }}') && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}') || !(object.roleRef.apiGroup == 'rbac.authorization.k8s.io' && object.roleRef.kind == 'ClusterRole' && object.roleRef.name == 'cluster-admin')"
       message: "Binding to the cluster-admin ClusterRole is bypassed by security policy, set label {{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }} allow"
+    {{- else }}
+    - expression: "!(object.roleRef.apiGroup == 'rbac.authorization.k8s.io' && object.roleRef.kind == 'ClusterRole' && object.roleRef.name == 'cluster-admin')"
+      message: "Binding to the cluster-admin ClusterRole is not allowed"
+    {{- end }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
@@ -35,4 +40,3 @@ spec:
   - {{ . }}
   {{- end }}
 {{- end }}
-
diff --git a/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml b/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml
@@ -35,6 +35,7 @@ spec:
         {{- end }}
         scope: Namespaced
   validations:
+    {{- if and .Values.bypassLabel.key .Values.bypassLabel.value }}
     - expression: |-
         (has(object.metadata.labels) && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}') 
         has(object.spec.template) ?
@@ -55,6 +56,27 @@ spec:
           )
         )
       message: "Resource limits exceed the maximum allowed: CPU <= {{ $maxCPU }} and memory <= {{ $maxMemory }}, set label {{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }} to allow"
+    {{- else }}
+    - expression: |-
+        has(object.spec.template) ?
+        (
+          !has(object.spec.template.spec.containers[0].resources.limits) || (
+            (!has(object.spec.template.spec.containers[0].resources.limits.cpu) ||
+             quantity(object.spec.template.spec.containers[0].resources.limits.cpu).compareTo(quantity('{{ $maxCPU }}')) <= 0) &&
+            (!has(object.spec.template.spec.containers[0].resources.limits.memory) ||
+             quantity(object.spec.template.spec.containers[0].resources.limits.memory).compareTo(quantity('{{ $maxMemory }}')) <= 0)
+          )
+        ) :
+        (
+          !has(object.spec.containers[0].resources.limits) || (
+            (!has(object.spec.containers[0].resources.limits.cpu) ||
+             quantity(object.spec.containers[0].resources.limits.cpu).compareTo(quantity('{{ $maxCPU }}')) <= 0) &&
+            (!has(object.spec.containers[0].resources.limits.memory) ||
+             quantity(object.spec.containers[0].resources.limits.memory).compareTo(quantity('{{ $maxMemory }}')) <= 0)
+          )
+        )
+      message: "Resource limits exceed the maximum allowed: CPU <= {{ $maxCPU }} and memory <= {{ $maxMemory }}."
+    {{- end }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding

diff --git a/charts/k8s-shield/templates/restrict-loadbalance-creation-policy.yaml b/charts/k8s-shield/templates/restrict-loadbalance-creation-policy.yaml
@@ -28,8 +28,13 @@ spec:
       - services
       scope: Namespaced
   validations:
+  {{- if and .Values.bypassLabel.key .Values.bypassLabel.value }}
   - expression: "object.spec.type == 'LoadBalancer' && has(object.metadata.labels) && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}'"
     message: "Creation of Services with type LoadBalancer is not allowed, set label {{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }} to allow."
+  {{- else }}
+    - expression: "object.spec.type == 'LoadBalancer'"
+      message: Creation of Services with type LoadBalancer is not allowed.
+  {{- end }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding

diff --git a/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml b/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml
@@ -23,9 +23,14 @@ spec:
       scope: Namespaced
       resources: ["persistentvolumeclaims"]
   validations:
+  {{- if and .Values.bypassLabel.key .Values.bypassLabel.value }}
     - expression: "has(object.metadata.labels) && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}'"
       message: " Creation of PersistentVolumeClaims is not allowed,set label {{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }} to allow" 
----
+  {{- else }}
+    - expression: false
+      message: Creation of PersistentVolumeClaims is not allowed.
+  {{- end }}
+---  
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
 metadata:

diff --git a/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml b/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml
@@ -2,7 +2,7 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
-  name: {{ include "k8s-shield.fullname" . }}-restrict-without-readiness-liveness
+  name: {{ .Chart.Name }}-restrict-without-readiness-liveness
 spec:
   failurePolicy: Fail
   matchConstraints:
@@ -31,21 +31,27 @@ spec:
         {{- end }}
         scope: Namespaced
   validations:
+  {{- if and .Values.bypassLabel.key .Values.bypassLabel.value }}
     - expression: >
         (has(object.metadata.labels) &&
          object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}') ||
         object.spec.template.spec.containers.all(container,
           has(container.readinessProbe) &&
           has(container.livenessProbe)
         )
-      message: "Deployments without readiness and liveness probes are only allowed for '{{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }}'. " 
+      message: "Deployments without readiness and liveness probes are only allowed for '{{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }}'."
+  {{- else }}
+    - expression: object.spec.template.spec.containers.all(container,
+        has(container.readinessProbe) && has(container.livenessProbe))
+      message: "Deployments without readiness and liveness probes are not allowed"
+  {{- end }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
 metadata:
-  name: {{ include "k8s-shield.fullname" . }}-restrict-without-readiness-liveness
+  name: {{ .Chart.Name }}-restrict-without-readiness-liveness
 spec:
-  policyName: {{ include "k8s-shield.fullname" . }}-restrict-without-readiness-liveness
+  policyName: {{ .Chart.Name }}-restrict-without-readiness-liveness
   validationActions:
   {{- range $.Values.readinessAndLivenessPolicy.validationActions }}
   - {{ . }}

diff --git a/charts/k8s-shield/templates/restrict-without-resource-policy.yaml b/charts/k8s-shield/templates/restrict-without-resource-policy.yaml
@@ -32,8 +32,13 @@ spec:
       {{- end }}
       scope: Namespaced
   validations:
+  {{- if and .Values.bypassLabel.key .Values.bypassLabel.value }}
     - expression: "(has(object.metadata.labels) && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}') || object.spec.template.spec.containers.all(c, has(c.resources) && has(c.resources.requests) && has(c.resources.limits) && has(c.resources.requests.cpu) && has(c.resources.requests.memory) && has(c.resources.limits.cpu) && has(c.resources.limits.memory))"
       message: "All Containers without CPU and memory's requests and limits are only allowed for '{{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }}'."
+  {{- else }}
+    - expression: "object.spec.template.spec.containers.all(c, has(c.resources) && has(c.resources.requests) && has(c.resources.limits) && has(c.resources.requests.cpu) && has(c.resources.requests.memory) && has(c.resources.limits.cpu) && has(c.resources.limits.memory))"
+      message: "All Containers without CPU and memory's requests and limits are not allowed."
+  {{- end }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding

diff --git a/charts/k8s-shield/values.yaml b/charts/k8s-shield/values.yaml
@@ -1,12 +1,12 @@
-# bypassLabel defines a label with a key-value pair to bypass certain restrictions.
+#bypassLabel defines a label with a key-value pair that allows the user to apply policies without any restrictions. 
 bypassLabel:
-  key: businessUnit
-  value: finance
+  key: 
+  value: 
 
 # pvcCreationPolicy controls the creation of Persistent Volume Claims (PVCs).
 # If enabled, it restricts PVC creation in specified namespaces.
 pvcCreationPolicy:
-  enabled: true  # If true, the policy prevents PVC creation in specified namespaces.
+  enabled: false  # If true, the policy prevents PVC creation in specified namespaces.
   namespaces:     # List of namespaces where the policy applies.
     - devtroncd
     - argo
@@ -101,7 +101,7 @@ cLusterRoleBindingCreation:
 # readinessAndLivenessPolicy ensures that readiness and liveness probes are defined for containers.
 # This ensures that pods are only considered healthy when they pass the defined probes.
 readinessAndLivenessPolicy:
-  enabled: false  # If true, this policy ensures readiness and liveness probes are defined.
+  enabled: true  # If true, this policy ensures readiness and liveness probes are defined.
   namespaces:     # List of namespaces where the policy applies.
     - devtroncd
     - argo