From 1b67f2cab148a851dffc8779c6b19d20b24253d4 Mon Sep 17 00:00:00 2001
From: Neha Sharma
Date: Tue, 9 Jul 2024 18:59:21 +0530
Subject: [PATCH 01/22] add validatingAdmissionPolicyChart
---
 charts/policychart/.helmignore | 23 ++
 charts/policychart/Chart.yaml | 6 +
 charts/policychart/templates/_helpers.tpl | 16 ++
 charts/policychart/templates/bindings.yaml | 130 +++++++++
 charts/policychart/templates/policies.yaml | 301 +++++++++++++++++++++
 charts/policychart/values.yaml | 41 +++
 6 files changed, 517 insertions(+)
 create mode 100644 charts/policychart/.helmignore
 create mode 100644 charts/policychart/Chart.yaml
 create mode 100644 charts/policychart/templates/_helpers.tpl
 create mode 100644 charts/policychart/templates/bindings.yaml
 create mode 100644 charts/policychart/templates/policies.yaml
 create mode 100644 charts/policychart/values.yaml
diff --git a/charts/policychart/.helmignore b/charts/policychart/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/charts/policychart/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/policychart/Chart.yaml b/charts/policychart/Chart.yaml
new file mode 100644
index 00000000..ce3ee468
--- /dev/null
+++ b/charts/policychart/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+appVersion: 1.0.0
+description: A Helm chart for Kubernetes admission policies
+name: policychart
+type: application
+version: 0.1.0
diff --git a/charts/policychart/templates/_helpers.tpl b/charts/policychart/templates/_helpers.tpl
new file mode 100644
index 00000000..8c899887
--- /dev/null
+++ b/charts/policychart/templates/_helpers.tpl
@@ -0,0 +1,16 @@
+{{- define "policychart.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "policychart.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/policychart/templates/bindings.yaml b/charts/policychart/templates/bindings.yaml
new file mode 100644
index 00000000..87bc93ca
--- /dev/null
+++ b/charts/policychart/templates/bindings.yaml
@@ -0,0 +1,130 @@ +{{- if $.Values.pvcCreationPolicy.enabled }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: {{ include "policychart.fullname" . }}-deny-pv-pvc-creation-binding +spec: + matchResources: + matchPolicy: Equivalent + namespaceSelector: {} + objectSelector: {} + policyName: {{ include "policychart.fullname" . }}-deny-pv-pvc-creation + validationActions: + - Deny +{{- end }} +{{- if $.Values.namespaceDeletionPolicy.enabled }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: {{ include "policychart.fullname" . }}-deny-namespace-deletion-binding +spec: + matchResources: + matchPolicy: Equivalent + namespaceSelector: {} + objectSelector: {} + policyName: {{ include "policychart.fullname" . }}-deny-namespace-deletion + validationActions: + - Deny +{{- end }} +{{- if $.Values.loadBalancerPolicy.enabled }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: {{ include "policychart.fullname" . }}-deny-loadbalancer-services-binding +spec: + matchResources: + matchPolicy: Equivalent + namespaceSelector: {} + objectSelector: {} + policyName: {{ include "policychart.fullname" . }}-deny-loadbalancer-services + validationActions: + - Deny +{{- end }} +{{- if $.Values.roleCreationPolicy.enabled }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: {{ include "policychart.fullname" . }}-deny-role-creation-binding +spec: + matchResources: + matchPolicy: Equivalent + namespaceSelector: {} + objectSelector: {} + policyName: {{ include "policychart.fullname" . }}-deny-role-creation + validationActions: + - Deny +{{- end }} + +{{- if $.Values.podSecurityPolicy.enabled }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: {{ include "policychart.fullname" . 
}}-pod-security-policy-binding +spec: + matchResources: + matchPolicy: Equivalent + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: policy-test + objectSelector: {} + policyName: {{ include "policychart.fullname" . }}-pod-security-policy + validationActions: + - Deny +{{- end }} + +{{- if $.Values.appDeletionPolicy.enabled }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: {{ include "policychart.fullname" . }}-prevent-app-deletion-binding +spec: + matchResources: + matchPolicy: Equivalent + namespaceSelector: {} + objectSelector: {} + policyName: {{ include "policychart.fullname" . }}-prevent-app-deletion + validationActions: + - Deny +{{- end }} +{{- if $.Values.withoutResourcesPolicy.enabled }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: {{ include "policychart.fullname" . }}-require-pod-resources-binding +spec: + matchResources: + matchPolicy: Equivalent + namespaceSelector: {} + objectSelector: {} + policyName: {{ include "policychart.fullname" . }}-require-pod-resources + validationActions: + - Deny +{{- end }} +{{- if $.Values.withoutResourcesPolicy.policies.restrictResourceLimitsresourcesPolicy.enabled }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: {{ include "policychart.fullname" . }}-restrict-resource-limits-binding +spec: + policyName: {{ include "policychart.fullname" . }}-restrict-resource-limits + validationActions: + - Deny +{{- end }} +{{- if $.Values.labelPolicy.enabled }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: {{ include "policychart.fullname" . }}-require-business-unit-label-binding +spec: + policyName: {{ include "policychart.fullname" . }}-require-business-unit-label + validationActions: + - Deny +{{- end }} 
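Review bot: The last binding's `policyName` is `{{ include "policychart.fullname" . }}-require-business-unit-label`, but the policy that policies.yaml creates under `labelPolicy.enabled` is named `...-require-labels`, so this binding points at a policy that never exists and, as far as I can tell, the label rule is simply not enforced; change it to `policyName: {{ include "policychart.fullname" . }}-require-labels` or rename the policy. Separately, the pod-security binding hard-codes `kubernetes.io/metadata.name: policy-test` in its `namespaceSelector`, which confines that policy to a single namespace called policy-test — this reads as leftover test scoping and should come from values like the other policies do. Both documents are removed again in PATCH 02/22, so whichever file carries these policies next needs the same fixes.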
diff --git a/charts/policychart/templates/policies.yaml b/charts/policychart/templates/policies.yaml
new file mode 100644
index 00000000..b5c9b486
--- /dev/null
+++ b/charts/policychart/templates/policies.yaml
@@ -0,0 +1,301 @@ +{{- if $.Values.pvcCreationPolicy.enabled }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: {{ include "policychart.fullname" . }}-deny-pv-pvc-creation +spec: + failurePolicy: Fail + matchConstraints: + matchPolicy: Equivalent + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + {{- range .Values.pvcCreationPolicy.namespaces }} + - {{ . | quote }} + {{- end }} + objectSelector: {} + resourceRules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - persistentvolumeclaims + scope: Namespaced + validations: + - expression: "false" + message: Creation of PersistentVolumeClaims is not allowed. +{{- end }} +{{- if $.Values.namespaceDeletionPolicy.enabled }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: {{ include "policychart.fullname" . }}-deny-namespace-deletion +spec: + failurePolicy: Fail + matchConstraints: + matchPolicy: Equivalent + namespaceSelector: {} + objectSelector: {} + resourceRules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - DELETE + resourceNames: + - devtroncd + - argocd + resources: + - namespaces + scope: "*" + validations: + - expression: "false" + message: Deletion of namespace is not allowed. +{{- end }} +{{- if $.Values.loadBalancerPolicy.enabled }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: {{ include "policychart.fullname" . }}-deny-loadbalancer-services +spec: + failurePolicy: Fail + matchConstraints: + matchPolicy: Equivalent + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + {{- range .Values.loadBalancerPolicy.namespaces }} + - {{ . 
| quote }} + {{- end }} + objectSelector: {} + resourceRules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - services + scope: Namespaced + validations: + - expression: object.spec.type != 'LoadBalancer' + message: Creation of Services with type LoadBalancer is not allowed. +{{- end }} +{{- if $.Values.roleCreationPolicy.enabled }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: {{ include "policychart.fullname" . }}-deny-role-creation +spec: + failurePolicy: Fail + matchConstraints: + matchPolicy: Equivalent + namespaceSelector: {} + objectSelector: {} + resourceRules: + - apiGroups: + - rbac.authorization.k8s.io + apiVersions: + - v1 + operations: + - CREATE + resources: + - clusterroles + - roles + scope: '*' + validations: + - expression: "false" + message: Creation of ClusterRole and Role is not allowed. +{{- end }} +{{- if $.Values.podSecurityPolicy.enabled }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: {{ include "policychart.fullname" . 
}}-pod-security-policy +spec: + failurePolicy: Fail + matchConstraints: + matchPolicy: Equivalent + namespaceSelector: {} + objectSelector: {} + resourceRules: + - apiGroups: + - apps + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - deployments + scope: '*' + validations: + - expression: object.spec.template.spec.containers.all(c, has(c.securityContext) + && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot) + message: all containers must set runAsNonRoot to true + - expression: object.spec.template.spec.containers.all(c, has(c.securityContext) + && has(c.securityContext.readOnlyRootFilesystem) && c.securityContext.readOnlyRootFilesystem) + message: all containers must set readOnlyRootFilesystem to true + - expression: object.spec.template.spec.containers.all(c, !has(c.securityContext) + || !has(c.securityContext.allowPrivilegeEscalation) || !c.securityContext.allowPrivilegeEscalation) + message: all containers must NOT set allowPrivilegeEscalation to true + - expression: object.spec.template.spec.containers.all(c, !has(c.securityContext) + || !has(c.securityContext.privileged) || !c.securityContext.privileged) + message: all containers must NOT set privileged to true +{{- end }} +{{- if $.Values.appDeletionPolicy.enabled }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: {{ include "policychart.fullname" . }}-prevent-app-deletion +spec: + failurePolicy: Fail + matchConstraints: + matchPolicy: Equivalent + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + {{- range .Values.appDeletionPolicy.namespaces }} + - {{ . | quote }} + {{- end }} + objectSelector: {} + resourceRules: + - apiGroups: + - argoproj.io + apiVersions: + - v1alpha1 + operations: + - DELETE + resources: + - applications + scope: Namespaced + validations: + - expression: "false" + message: Deletion of application is not allowed. 
+{{- end }} +{{- if $.Values.withoutResourcesPolicy.enabled }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: {{ include "policychart.fullname" . }}-require-pod-resources +spec: + failurePolicy: Fail + matchConstraints: + matchPolicy: Equivalent + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + {{- range .Values.withoutResourcesPolicy.namespaces }} + - {{ . | quote }} + {{- end }} + resourceRules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - pods + scope: Namespaced + validations: + - expression: "object.spec.containers.all(c, has(c.resources) && has(c.resources.requests) && has(c.resources.limits) && has(c.resources.requests.cpu) && has(c.resources.requests.memory) && has(c.resources.limits.cpu) && has(c.resources.limits.memory))" + message: "All containers in the pod must have both CPU and memory requests and limits specified." +{{- end }} +{{- if $.Values.withoutResourcesPolicy.policies.restrictResourceLimitsresourcesPolicy.enabled }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: {{ include "policychart.fullname" . }}-restrict-resource-limits +spec: + failurePolicy: Fail + matchConstraints: + matchPolicy: Equivalent + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + {{- range .Values.withoutResourcesPolicy.policies.restrictResourceLimitsresourcesPolicy.namespaces }} + - {{ . 
| quote }} + {{- end }} + objectSelector: {} + resourceRules: + - apiGroups: + - apps + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - deployments + - statefulsets + scope: Namespaced + validations: + - expression: |- + !has(object.spec.template.spec.containers[0].resources.limits) || ( + (!has(object.spec.template.spec.containers[0].resources.limits.cpu) || + quantity(object.spec.template.spec.containers[0].resources.limits.cpu).compareTo(quantity('1000m')) <= 0) && + (!has(object.spec.template.spec.containers[0].resources.limits.memory) || + quantity(object.spec.template.spec.containers[0].resources.limits.memory).compareTo(quantity('2Gi')) <= 0) + ) + message: "Resource limits exceed the maximum allowed. CPU must be <= 1 and memory must be <= 2Gi." +{{- end }} +{{- if $.Values.labelPolicy.enabled }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: {{ include "policychart.fullname" . }}-require-labels +spec: + failurePolicy: Fail + matchConstraints: + matchPolicy: Equivalent + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + {{- range .Values.labelPolicy.labels }} + - {{ . | quote }} + {{- end }} + objectSelector: {} + resourceRules: + - apiGroups: + - apps + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - deployments + - statefulsets + scope: Namespaced + validations: + - expression: object.metadata.labels !=null && size(object.metadata.labels) > 0 + message: "At least one label is required for all Deployments and StatefulSets." +{{- end }} + diff --git a/charts/policychart/values.yaml b/charts/policychart/values.yaml new file mode 100644 index 00000000..5b3385d1 --- /dev/null +++ b/charts/policychart/values.yaml 
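Review bot: The `restrict-resource-limits` validation inspects only `containers[0]`, so a Deployment or StatefulSet whose second container carries the oversized limits passes untouched, and `initContainers` are never examined; iterate over every container with `.all(c, ...)` as the pod-security policy in this same hunk already does (rewrite below). The `require-labels` policy ranges over `.Values.labelPolicy.labels` as namespace names in its `namespaceSelector` and then only asserts `size(object.metadata.labels) > 0`, so it neither targets the intended namespaces nor requires the business-unit key — something like `has(object.metadata.labels) && 'LABEL_KEY' in object.metadata.labels` (key taken from values) expresses the stated intent, and the unguarded `object.metadata.labels !=null` may surface a CEL no-such-key error when labels are absent, please confirm. The LoadBalancer rule matches only CREATE, so an UPDATE that changes `spec.type` is never evaluated; add `- UPDATE` to its operations — the same rule reappears in deny_loadbalancer_creation.yaml in PATCH 02/22.
```yaml
      validations:
        - expression: |-
            object.spec.template.spec.containers.all(c,
              !has(c.resources.limits) || (
                (!has(c.resources.limits.cpu) ||
                 quantity(c.resources.limits.cpu).compareTo(quantity('1000m')) <= 0) &&
                (!has(c.resources.limits.memory) ||
                 quantity(c.resources.limits.memory).compareTo(quantity('2Gi')) <= 0)))
          message: "Resource limits exceed the maximum allowed. CPU must be <= 1 and memory must be <= 2Gi."
```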
@@ -0,0 +1,41 @@
+pvcCreationPolicy:
+ enabled: false
+ namespaces:
+ - devtroncd
+ - argo
+namespaceDeletionPolicy:
+ enabled: false
+ namespaces:
+ - devtroncd
+ - argo
+loadBalancerPolicy:
+ enabled: false
+ namespaces:
+ - devtroncd
+ - argo
+roleCreationPolicy:
+ enabled: false
+
+podSecurityPolicy:
+ enabled: false
+
+appDeletionPolicy:
+ enabled: false
+ namespaces:
+ - devtroncd
+ - argocd
+withoutResourcesPolicy:
+ enabled: false
+ namespaces:
+ - devtroncd
+ - argo
+ policies:
+ restrictResourceLimitsresourcesPolicy:
+ enabled: false
+ namespaces:
+ - devtroncd
+ - argo
+labelPolicy:
+ enabled: false
+ labels:
+ - bussiness-unit
From b26ff8af6b93336c6fe85c073f92b55b420fe59d Mon Sep 17 00:00:00 2001
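Review bot: `appDeletionPolicy.namespaces` lists `argocd` while every other policy lists `argo`; the templates select on `kubernetes.io/metadata.name` exactly, so whichever spelling is wrong leaves that namespace outside the PVC, LoadBalancer and resource policies (or outside the app-deletion policy). Please confirm the real namespace name and use a single value throughout. `labelPolicy.labels` also carries a typo (`bussiness-unit`), and because policies.yaml ranges over this list as namespace names rather than label keys, the value currently selects a namespace, not a label.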
From: Neha Sharma
Date: Thu, 11 Jul 2024 18:08:02 +0530
Subject: [PATCH 02/22] add validatingAdmissionPolicyChart
---
 charts/policychart/Chart.yaml | 5 +
 charts/policychart/templates/bindings.yaml | 130 --------
 .../templates/deny_appliaction_deletion.yaml | 46 +++
 .../templates/deny_cluster_creation.yaml | 39 +++
 .../templates/deny_loadbalancer_creation.yaml | 46 +++
 .../templates/deny_namespace_deletion.yaml | 43 +++
 .../templates/deny_pvc_creation.yaml | 45 +++
 charts/policychart/templates/policies.yaml | 301 ------------------
 .../templates/resources_not_define.yaml | 45 +++
 .../templates/restrict_resource.yaml | 49 +++
 charts/policychart/values.yaml | 24 +-
 11 files changed, 326 insertions(+), 447 deletions(-)
 delete mode 100644 charts/policychart/templates/bindings.yaml
 create mode 100644 charts/policychart/templates/deny_appliaction_deletion.yaml
 create mode 100644 charts/policychart/templates/deny_cluster_creation.yaml
 create mode 100644 charts/policychart/templates/deny_loadbalancer_creation.yaml
 create mode 100644 charts/policychart/templates/deny_namespace_deletion.yaml
 create mode 100644 charts/policychart/templates/deny_pvc_creation.yaml
 delete mode 100644 charts/policychart/templates/policies.yaml
 create mode 100644 charts/policychart/templates/resources_not_define.yaml
 create mode 100644 charts/policychart/templates/restrict_resource.yaml
diff --git a/charts/policychart/Chart.yaml b/charts/policychart/Chart.yaml
index ce3ee468..6ef01eb6 100644
--- a/charts/policychart/Chart.yaml
+++ b/charts/policychart/Chart.yaml
@@ -1,6 +1,11 @@
 apiVersion: v2
 appVersion: 1.0.0
 description: A Helm chart for Kubernetes admission policies
+maintainers:
+- email: devops@devtron.ai
+ name: Devtron Devops Team
+- email: neha.sharma@devtron.ai
+ name: Neha Sharma
 name: policychart
 type: application
 version: 0.1.0
diff --git a/charts/policychart/templates/bindings.yaml b/charts/policychart/templates/bindings.yaml
deleted file mode 100644
index 87bc93ca..00000000
--- a/charts/policychart/templates/bindings.yaml
+++ /dev/null
@@ -1,130 +0,0 @@ -{{- if $.Values.pvcCreationPolicy.enabled }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: {{ include "policychart.fullname" . }}-deny-pv-pvc-creation-binding -spec: - matchResources: - matchPolicy: Equivalent - namespaceSelector: {} - objectSelector: {} - policyName: {{ include "policychart.fullname" . }}-deny-pv-pvc-creation - validationActions: - - Deny -{{- end }} -{{- if $.Values.namespaceDeletionPolicy.enabled }} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: {{ include "policychart.fullname" . }}-deny-namespace-deletion-binding -spec: - matchResources: - matchPolicy: Equivalent - namespaceSelector: {} - objectSelector: {} - policyName: {{ include "policychart.fullname" . }}-deny-namespace-deletion - validationActions: - - Deny -{{- end }} -{{- if $.Values.loadBalancerPolicy.enabled }} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: {{ include "policychart.fullname" . }}-deny-loadbalancer-services-binding -spec: - matchResources: - matchPolicy: Equivalent - namespaceSelector: {} - objectSelector: {} - policyName: {{ include "policychart.fullname" . }}-deny-loadbalancer-services - validationActions: - - Deny -{{- end }} -{{- if $.Values.roleCreationPolicy.enabled }} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: {{ include "policychart.fullname" . }}-deny-role-creation-binding -spec: - matchResources: - matchPolicy: Equivalent - namespaceSelector: {} - objectSelector: {} - policyName: {{ include "policychart.fullname" . }}-deny-role-creation - validationActions: - - Deny -{{- end }} - -{{- if $.Values.podSecurityPolicy.enabled }} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: {{ include "policychart.fullname" . 
}}-pod-security-policy-binding -spec: - matchResources: - matchPolicy: Equivalent - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: policy-test - objectSelector: {} - policyName: {{ include "policychart.fullname" . }}-pod-security-policy - validationActions: - - Deny -{{- end }} - -{{- if $.Values.appDeletionPolicy.enabled }} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: {{ include "policychart.fullname" . }}-prevent-app-deletion-binding -spec: - matchResources: - matchPolicy: Equivalent - namespaceSelector: {} - objectSelector: {} - policyName: {{ include "policychart.fullname" . }}-prevent-app-deletion - validationActions: - - Deny -{{- end }} -{{- if $.Values.withoutResourcesPolicy.enabled }} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: {{ include "policychart.fullname" . }}-require-pod-resources-binding -spec: - matchResources: - matchPolicy: Equivalent - namespaceSelector: {} - objectSelector: {} - policyName: {{ include "policychart.fullname" . }}-require-pod-resources - validationActions: - - Deny -{{- end }} -{{- if $.Values.withoutResourcesPolicy.policies.restrictResourceLimitsresourcesPolicy.enabled }} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: {{ include "policychart.fullname" . }}-restrict-resource-limits-binding -spec: - policyName: {{ include "policychart.fullname" . }}-restrict-resource-limits - validationActions: - - Deny -{{- end }} -{{- if $.Values.labelPolicy.enabled }} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: {{ include "policychart.fullname" . }}-require-business-unit-label-binding -spec: - policyName: {{ include "policychart.fullname" . }}-require-business-unit-label - validationActions: - - Deny -{{- end }} 
diff --git a/charts/policychart/templates/deny_appliaction_deletion.yaml b/charts/policychart/templates/deny_appliaction_deletion.yaml
new file mode 100644
index 00000000..f2657b98
--- /dev/null
+++ b/charts/policychart/templates/deny_appliaction_deletion.yaml
@@ -0,0 +1,46 @@
+{{- if $.Values.appDeletionPolicy.enabled }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: {{ include "policychart.fullname" . }}-prevent-app-deletion
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ matchPolicy: Equivalent
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values:
+ {{- range .Values.appDeletionPolicy.namespaces }}
+ - {{ . | quote }}
+ {{- end }}
+ objectSelector: {}
+ resourceRules:
+ - apiGroups:
+ - argoproj.io
+ apiVersions:
+ - v1alpha1
+ operations:
+ - DELETE
+ resources:
+ - applications
+ scope: Namespaced
+ validations:
+ - expression: "false"
+ message: Deletion of application is not allowed.
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: {{ include "policychart.fullname" . }}-prevent-app-deletion-binding
+spec:
+ matchResources:
+ matchPolicy: Equivalent
+ namespaceSelector: {}
+ objectSelector: {}
+ policyName: {{ include "policychart.fullname" . }}-prevent-app-deletion
+ validationActions:
+ - Deny
+{{- end }}
+
diff --git a/charts/policychart/templates/deny_cluster_creation.yaml b/charts/policychart/templates/deny_cluster_creation.yaml
new file mode 100644
index 00000000..99d74ffb
--- /dev/null
+++ b/charts/policychart/templates/deny_cluster_creation.yaml
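Review bot: The file name `deny_appliaction_deletion.yaml` misspells "application"; Helm does not care, but the typo will follow the file into every later reference. Every binding in this commit — here and in deny_cluster_creation.yaml, deny_loadbalancer_creation.yaml, deny_namespace_deletion.yaml and deny_pvc_creation.yaml — uses `validationActions` with `Deny` alone; adding `Audit` next to `Deny` also records each violation as an annotation on the API audit event, which gives operators a trail of what was blocked without changing enforcement: `validationActions:` / `- Deny` / `- Audit`. The file also ends with an extra blank `+` line after `{{- end }}` that its siblings do not have.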
@@ -0,0 +1,39 @@
+{{- if $.Values.roleCreationPolicy.enabled }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: {{ include "policychart.fullname" . }}-deny-role-creation
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ matchPolicy: Equivalent
+ namespaceSelector: {}
+ objectSelector: {}
+ resourceRules:
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ resources:
+ - clusterroles
+ - roles
+ scope: '*'
+ validations:
+ - expression: "false"
+ message: Creation of ClusterRole and Role is not allowed.
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: {{ include "policychart.fullname" . }}-deny-role-creation-binding
+spec:
+ matchResources:
+ matchPolicy: Equivalent
+ namespaceSelector: {}
+ objectSelector: {}
+ policyName: {{ include "policychart.fullname" . }}-deny-role-creation
+ validationActions:
+ - Deny
+{{- end }}
diff --git a/charts/policychart/templates/deny_loadbalancer_creation.yaml b/charts/policychart/templates/deny_loadbalancer_creation.yaml
new file mode 100644
index 00000000..34fcccbb
--- /dev/null
+++ b/charts/policychart/templates/deny_loadbalancer_creation.yaml
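Review bot: The file is named `deny_cluster_creation.yaml` but it defines `...-deny-role-creation`, which with `scope: '*'`, an empty `namespaceSelector` and `expression: "false"` rejects the creation of every Role and ClusterRole cluster-wide; unlike the PVC and LoadBalancer policies it takes no `namespaces` list from values, so with `failurePolicy: Fail` it will also stop the cluster's own controllers and any Helm release that ships RBAC, plausibly including Devtron's own. Consider driving it from a `roleCreationPolicy.namespaces` value the way the sibling policies do, and renaming the file to match what it contains. If the goal is to freeze RBAC in those namespaces, note that `rolebindings`/`clusterrolebindings` and the UPDATE operation are not covered, so existing roles can still be edited or bound — document that limitation in the template header or extend the resourceRules.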
@@ -0,0 +1,46 @@
+{{- if $.Values.loadBalancerPolicy.enabled }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: {{ include "policychart.fullname" . }}-deny-loadbalancer-services
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ matchPolicy: Equivalent
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values:
+ {{- range .Values.loadBalancerPolicy.namespaces }}
+ - {{ . | quote }}
+ {{- end }}
+ objectSelector: {}
+ resourceRules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ resources:
+ - services
+ scope: Namespaced
+ validations:
+ - expression: object.spec.type != 'LoadBalancer'
+ message: Creation of Services with type LoadBalancer is not allowed.
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: {{ include "policychart.fullname" . }}-deny-loadbalancer-services-binding
+spec:
+ matchResources:
+ matchPolicy: Equivalent
+ namespaceSelector: {}
+ objectSelector: {}
+ policyName: {{ include "policychart.fullname" . }}-deny-loadbalancer-services
+ validationActions:
+ - Deny
+{{- end }}
diff --git a/charts/policychart/templates/deny_namespace_deletion.yaml b/charts/policychart/templates/deny_namespace_deletion.yaml
new file mode 100644
index 00000000..a0f8ba83
--- /dev/null
+++ b/charts/policychart/templates/deny_namespace_deletion.yaml
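Review bot: This template emits a leading `---` immediately after the opening `{{- if ... }}`, whereas deny_pvc_creation.yaml and deny_appliaction_deletion.yaml start straight at `apiVersion:`; deny_namespace_deletion.yaml has the same leading separator. Helm tolerates the empty leading document, but since each file is a self-contained `if` block the separator is never needed to split it from a previous document, so the chart should settle on one form — dropping the `+---` line here and in deny_namespace_deletion.yaml is the smaller change.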
@@ -0,0 +1,43 @@
+{{- if $.Values.namespaceDeletionPolicy.enabled }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: {{ include "policychart.fullname" . }}-deny-namespace-deletion
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ matchPolicy: Equivalent
+ namespaceSelector: {}
+ objectSelector: {}
+ resourceRules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - DELETE
+ resourceNames:
+ {{- range $.Values.namespaceDeletionPolicy.namespaces }}
+ - {{ . }}
+ {{- end }}
+ resources:
+ - namespaces
+ scope: "*"
+ validations:
+ - expression: "false"
+ message: Deletion of namespace is not allowed.
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: {{ include "policychart.fullname" . }}-deny-namespace-deletion-binding
+spec:
+ matchResources:
+ matchPolicy: Equivalent
+ namespaceSelector: {}
+ objectSelector: {}
+ policyName: {{ include "policychart.fullname" . }}-deny-namespace-deletion
+ validationActions:
+ - Deny
+{{- end }}
diff --git a/charts/policychart/templates/deny_pvc_creation.yaml b/charts/policychart/templates/deny_pvc_creation.yaml
new file mode 100644
index 00000000..580e70a6
--- /dev/null
+++ b/charts/policychart/templates/deny_pvc_creation.yaml
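Review bot: `resourceNames` renders each namespace as `- {{ . }}` without `| quote`, while every other template in this commit uses `- {{ . | quote }}`; a namespace value that YAML would retype (a purely numeric name, or one that reads as a boolean such as `on`) would be rendered as a non-string and fail validation, so use `- {{ . | quote }}` here too. The range also reads `$.Values` where the siblings read `.Values` — equivalent at top level, but worth aligning. Moving the list out of the hard-coded `devtroncd`/`argocd` pair from PATCH 01/22 into values means the `argo` vs `argocd` spelling in values.yaml now decides which namespace this policy protects, so that value needs confirming.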
@@ -0,0 +1,45 @@
+{{- if $.Values.pvcCreationPolicy.enabled }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: {{ include "policychart.fullname" . }}-deny-pv-pvc-creation
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ matchPolicy: Equivalent
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values:
+ {{- range .Values.pvcCreationPolicy.namespaces }}
+ - {{ . | quote }}
+ {{- end }}
+ objectSelector: {}
+ resourceRules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ resources:
+ - persistentvolumeclaims
+ scope: Namespaced
+ validations:
+ - expression: "false"
+ message: Creation of PersistentVolumeClaims is not allowed.
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: {{ include "policychart.fullname" . }}-deny-pv-pvc-creation-binding
+spec:
+ matchResources:
+ matchPolicy: Equivalent
+ namespaceSelector: {}
+ objectSelector: {}
+ policyName: {{ include "policychart.fullname" . }}-deny-pv-pvc-creation
+ validationActions:
+ - Deny
+{{- end }}
diff --git a/charts/policychart/templates/policies.yaml b/charts/policychart/templates/policies.yaml
deleted file mode 100644
index b5c9b486..00000000
--- a/charts/policychart/templates/policies.yaml
+++ /dev/null
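Review bot: The policy is named `...-deny-pv-pvc-creation` but its single resourceRule covers `persistentvolumeclaims` only and the message speaks only of PersistentVolumeClaims, so the "pv" in the name promises coverage the rule does not provide. Either drop `pv` from the name (and the binding name that derives from it) or add a rule for `persistentvolumes`; if you add one, keep in mind that PersistentVolumes are cluster-scoped, so as far as I recall the `kubernetes.io/metadata.name` namespaceSelector would not narrow that rule the way it narrows the PVC one. The binding's own `namespaceSelector: {}` is fine because the namespace restriction lives in the policy's matchConstraints.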
@@ -1,301 +0,0 @@ -{{- if $.Values.pvcCreationPolicy.enabled }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: {{ include "policychart.fullname" . }}-deny-pv-pvc-creation -spec: - failurePolicy: Fail - matchConstraints: - matchPolicy: Equivalent - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: In - values: - {{- range .Values.pvcCreationPolicy.namespaces }} - - {{ . | quote }} - {{- end }} - objectSelector: {} - resourceRules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - CREATE - resources: - - persistentvolumeclaims - scope: Namespaced - validations: - - expression: "false" - message: Creation of PersistentVolumeClaims is not allowed. -{{- end }} -{{- if $.Values.namespaceDeletionPolicy.enabled }} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: {{ include "policychart.fullname" . }}-deny-namespace-deletion -spec: - failurePolicy: Fail - matchConstraints: - matchPolicy: Equivalent - namespaceSelector: {} - objectSelector: {} - resourceRules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - DELETE - resourceNames: - - devtroncd - - argocd - resources: - - namespaces - scope: "*" - validations: - - expression: "false" - message: Deletion of namespace is not allowed. -{{- end }} -{{- if $.Values.loadBalancerPolicy.enabled }} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: {{ include "policychart.fullname" . }}-deny-loadbalancer-services -spec: - failurePolicy: Fail - matchConstraints: - matchPolicy: Equivalent - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: In - values: - {{- range .Values.loadBalancerPolicy.namespaces }} - - {{ . 
| quote }} - {{- end }} - objectSelector: {} - resourceRules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - CREATE - resources: - - services - scope: Namespaced - validations: - - expression: object.spec.type != 'LoadBalancer' - message: Creation of Services with type LoadBalancer is not allowed. -{{- end }} -{{- if $.Values.roleCreationPolicy.enabled }} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: {{ include "policychart.fullname" . }}-deny-role-creation -spec: - failurePolicy: Fail - matchConstraints: - matchPolicy: Equivalent - namespaceSelector: {} - objectSelector: {} - resourceRules: - - apiGroups: - - rbac.authorization.k8s.io - apiVersions: - - v1 - operations: - - CREATE - resources: - - clusterroles - - roles - scope: '*' - validations: - - expression: "false" - message: Creation of ClusterRole and Role is not allowed. -{{- end }} -{{- if $.Values.podSecurityPolicy.enabled }} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: {{ include "policychart.fullname" . 
}}-pod-security-policy -spec: - failurePolicy: Fail - matchConstraints: - matchPolicy: Equivalent - namespaceSelector: {} - objectSelector: {} - resourceRules: - - apiGroups: - - apps - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - deployments - scope: '*' - validations: - - expression: object.spec.template.spec.containers.all(c, has(c.securityContext) - && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot) - message: all containers must set runAsNonRoot to true - - expression: object.spec.template.spec.containers.all(c, has(c.securityContext) - && has(c.securityContext.readOnlyRootFilesystem) && c.securityContext.readOnlyRootFilesystem) - message: all containers must set readOnlyRootFilesystem to true - - expression: object.spec.template.spec.containers.all(c, !has(c.securityContext) - || !has(c.securityContext.allowPrivilegeEscalation) || !c.securityContext.allowPrivilegeEscalation) - message: all containers must NOT set allowPrivilegeEscalation to true - - expression: object.spec.template.spec.containers.all(c, !has(c.securityContext) - || !has(c.securityContext.privileged) || !c.securityContext.privileged) - message: all containers must NOT set privileged to true -{{- end }} -{{- if $.Values.appDeletionPolicy.enabled }} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: {{ include "policychart.fullname" . }}-prevent-app-deletion -spec: - failurePolicy: Fail - matchConstraints: - matchPolicy: Equivalent - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: In - values: - {{- range .Values.appDeletionPolicy.namespaces }} - - {{ . | quote }} - {{- end }} - objectSelector: {} - resourceRules: - - apiGroups: - - argoproj.io - apiVersions: - - v1alpha1 - operations: - - DELETE - resources: - - applications - scope: Namespaced - validations: - - expression: "false" - message: Deletion of application is not allowed. 
-{{- end }} -{{- if $.Values.withoutResourcesPolicy.enabled }} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: {{ include "policychart.fullname" . }}-require-pod-resources -spec: - failurePolicy: Fail - matchConstraints: - matchPolicy: Equivalent - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: In - values: - {{- range .Values.withoutResourcesPolicy.namespaces }} - - {{ . | quote }} - {{- end }} - resourceRules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - pods - scope: Namespaced - validations: - - expression: "object.spec.containers.all(c, has(c.resources) && has(c.resources.requests) && has(c.resources.limits) && has(c.resources.requests.cpu) && has(c.resources.requests.memory) && has(c.resources.limits.cpu) && has(c.resources.limits.memory))" - message: "All containers in the pod must have both CPU and memory requests and limits specified." -{{- end }} -{{- if $.Values.withoutResourcesPolicy.policies.restrictResourceLimitsresourcesPolicy.enabled }} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: {{ include "policychart.fullname" . }}-restrict-resource-limits -spec: - failurePolicy: Fail - matchConstraints: - matchPolicy: Equivalent - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: In - values: - {{- range .Values.withoutResourcesPolicy.policies.restrictResourceLimitsresourcesPolicy.namespaces }} - - {{ . 
| quote }} - {{- end }} - objectSelector: {} - resourceRules: - - apiGroups: - - apps - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - deployments - - statefulsets - scope: Namespaced - validations: - - expression: |- - !has(object.spec.template.spec.containers[0].resources.limits) || ( - (!has(object.spec.template.spec.containers[0].resources.limits.cpu) || - quantity(object.spec.template.spec.containers[0].resources.limits.cpu).compareTo(quantity('1000m')) <= 0) && - (!has(object.spec.template.spec.containers[0].resources.limits.memory) || - quantity(object.spec.template.spec.containers[0].resources.limits.memory).compareTo(quantity('2Gi')) <= 0) - ) - message: "Resource limits exceed the maximum allowed. CPU must be <= 1 and memory must be <= 2Gi." -{{- end }} -{{- if $.Values.labelPolicy.enabled }} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: {{ include "policychart.fullname" . }}-require-labels -spec: - failurePolicy: Fail - matchConstraints: - matchPolicy: Equivalent - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: In - values: - {{- range .Values.labelPolicy.labels }} - - {{ . | quote }} - {{- end }} - objectSelector: {} - resourceRules: - - apiGroups: - - apps - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - deployments - - statefulsets - scope: Namespaced - validations: - - expression: object.metadata.labels !=null && size(object.metadata.labels) > 0 - message: "At least one label is required for all Deployments and StatefulSets." -{{- end }} - diff --git a/charts/policychart/templates/resources_not_define.yaml b/charts/policychart/templates/resources_not_define.yaml new file mode 100644 index 00000000..c8ec3361 --- /dev/null +++ b/charts/policychart/templates/resources_not_define.yaml 
@@ -0,0 +1,45 @@ +{{- if $.Values.withoutResourcesPolicy.enabled }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: {{ include "policychart.fullname" . }}-require-pod-resources +spec: + failurePolicy: Fail + matchConstraints: + matchPolicy: Equivalent + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + {{- range .Values.withoutResourcesPolicy.namespaces }} + - {{ . | quote }} + {{- end }} + resourceRules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - pods + scope: Namespaced + validations: + - expression: "object.spec.containers.all(c, has(c.resources) && has(c.resources.requests) && has(c.resources.limits) && has(c.resources.requests.cpu) && has(c.resources.requests.memory) && has(c.resources.limits.cpu) && has(c.resources.limits.memory))" + message: "All containers in the pod must have both CPU and memory requests and limits specified." +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: {{ include "policychart.fullname" . }}-require-pod-resources-binding +spec: + matchResources: + matchPolicy: Equivalent + namespaceSelector: {} + objectSelector: {} + policyName: {{ include "policychart.fullname" . }}-require-pod-resources + validationActions: + - Deny +{{- end }} diff --git a/charts/policychart/templates/restrict_resource.yaml b/charts/policychart/templates/restrict_resource.yaml new file mode 100644 index 00000000..be1161b4 --- /dev/null +++ b/charts/policychart/templates/restrict_resource.yaml 
@@ -0,0 +1,49 @@ +{{- if $.Values.withoutResourcesPolicy.policies.restrictResourceLimitsresourcesPolicy.enabled }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: {{ include "policychart.fullname" . }}-restrict-resource-limits +spec: + failurePolicy: Fail + matchConstraints: + matchPolicy: Equivalent + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + {{- range .Values.withoutResourcesPolicy.policies.restrictResourceLimitsresourcesPolicy.namespaces }} + - {{ . | quote }} + {{- end }} + objectSelector: {} + resourceRules: + - apiGroups: + - apps + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - deployments + - statefulsets + scope: Namespaced + validations: + - expression: |- + !has(object.spec.template.spec.containers[0].resources.limits) || ( + (!has(object.spec.template.spec.containers[0].resources.limits.cpu) || + quantity(object.spec.template.spec.containers[0].resources.limits.cpu).compareTo(quantity('1000m')) <= 0) && + (!has(object.spec.template.spec.containers[0].resources.limits.memory) || + quantity(object.spec.template.spec.containers[0].resources.limits.memory).compareTo(quantity('2Gi')) <= 0) + ) + message: "Resource limits exceed the maximum allowed. CPU must be <= 1 and memory must be <= 2Gi." +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: {{ include "policychart.fullname" . }}-restrict-resource-limits-binding +spec: + policyName: {{ include "policychart.fullname" . }}-restrict-resource-limits + validationActions: + - Deny +{{- end }} diff --git a/charts/policychart/values.yaml b/charts/policychart/values.yaml index 5b3385d1..985e5cb5 100644 --- a/charts/policychart/values.yaml +++ b/charts/policychart/values.yaml 
@@ -4,38 +4,30 @@ pvcCreationPolicy: - devtroncd - argo namespaceDeletionPolicy: - enabled: false + enabled: true namespaces: - devtroncd - argo loadBalancerPolicy: - enabled: false + enabled: true namespaces: - devtroncd - argo -roleCreationPolicy: - enabled: false - -podSecurityPolicy: - enabled: false - appDeletionPolicy: - enabled: false + enabled: true namespaces: - devtroncd - - argocd + - argo withoutResourcesPolicy: - enabled: false + enabled: true namespaces: - devtroncd - argo policies: restrictResourceLimitsresourcesPolicy: - enabled: false + enabled: true namespaces: - devtroncd - argo -labelPolicy: - enabled: false - labels: - - bussiness-unit +roleCreationPolicy: + enabled: true From b56b97d26a229f0fdd3ee6b7592a528e741254fe Mon Sep 17 00:00:00 2001 
From: Neha Sharma Date: Sun, 28 Jul 2024 22:53:49 +0530 Subject: [PATCH 03/22] add validatingAdmissionPolicyChart --- charts/k8s-shield/.helmignore | 23 +++++++ charts/k8s-shield/Chart.yaml | 12 ++++ charts/k8s-shield/templates/_helpers.tpl | 16 +++++ .../templates/deny_appliaction_deletion.yaml | 46 +++++++++++++ .../templates/deny_cluster_creation.yaml | 39 +++++++++++ .../templates/deny_loadbalancer_creation.yaml | 46 +++++++++++++ .../templates/deny_namespace_deletion.yaml | 43 +++++++++++++ .../templates/deny_pvc_creation.yaml | 45 +++++++++++++ .../templates/pod_security_policy.yaml | 62 ++++++++++++++++++ .../templates/resources_not_define.yaml | 45 +++++++++++++ .../templates/restrict_resource.yaml | 64 +++++++++++++++++++ .../templates/restrict_without_probes.yaml | 36 +++++++++++ charts/k8s-shield/values.yaml | 54 ++++++++++++++++ 13 files changed, 531 insertions(+) create mode 100644 charts/k8s-shield/.helmignore create mode 100644 charts/k8s-shield/Chart.yaml create mode 100644 charts/k8s-shield/templates/_helpers.tpl create mode 100644 charts/k8s-shield/templates/deny_appliaction_deletion.yaml create mode 100644 charts/k8s-shield/templates/deny_cluster_creation.yaml create mode 100644 charts/k8s-shield/templates/deny_loadbalancer_creation.yaml create mode 100644 charts/k8s-shield/templates/deny_namespace_deletion.yaml create mode 100644 charts/k8s-shield/templates/deny_pvc_creation.yaml create mode 100644 charts/k8s-shield/templates/pod_security_policy.yaml create mode 100644 charts/k8s-shield/templates/resources_not_define.yaml create mode 100644 charts/k8s-shield/templates/restrict_resource.yaml create mode 100644 charts/k8s-shield/templates/restrict_without_probes.yaml create mode 100644 charts/k8s-shield/values.yaml diff --git a/charts/k8s-shield/.helmignore b/charts/k8s-shield/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/charts/k8s-shield/.helmignore 
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/k8s-shield/Chart.yaml b/charts/k8s-shield/Chart.yaml new file mode 100644 index 00000000..cb5fb6eb --- /dev/null +++ b/charts/k8s-shield/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.0.0 +description: A Helm chart for Kubernetes admission policies +name: policychart +type: application +version: 0.1.0 +icon: https://s3-ap-southeast-1.amazonaws.com/devtron.ai/images/Devtron_K8s_Shield.png +maintainers: +- email: devops@devtron.ai + name: Devtron Devops Team +- email: neha.sharma@devtron.ai + name: Neha Sharma diff --git a/charts/k8s-shield/templates/_helpers.tpl b/charts/k8s-shield/templates/_helpers.tpl new file mode 100644 index 00000000..8c899887 --- /dev/null +++ b/charts/k8s-shield/templates/_helpers.tpl @@ -0,0 +1,16 @@ +{{- define "policychart.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{- define "policychart.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/k8s-shield/templates/deny_appliaction_deletion.yaml b/charts/k8s-shield/templates/deny_appliaction_deletion.yaml new file mode 100644 index 00000000..f2657b98 --- /dev/null +++ b/charts/k8s-shield/templates/deny_appliaction_deletion.yaml 
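Review bot: The new Chart.yaml under charts/k8s-shield still declares `name: policychart`, so the packaged chart and every `policychart.fullname`-derived policy name carry the old chart name while the directory says k8s-shield; as far as I recall `helm lint` reports a directory/chart-name mismatch as an error. Change it to `name: k8s-shield` and rename the `policychart.*` defines in the _helpers.tpl hunk on this same line to match, or at least make the two agree before the chart is published. The .helmignore hunk that shares this line is boilerplate and needs nothing.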
@@ -0,0 +1,46 @@ +{{- if $.Values.appDeletionPolicy.enabled }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: {{ include "policychart.fullname" . }}-prevent-app-deletion +spec: + failurePolicy: Fail + matchConstraints: + matchPolicy: Equivalent + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + {{- range .Values.appDeletionPolicy.namespaces }} + - {{ . | quote }} + {{- end }} + objectSelector: {} + resourceRules: + - apiGroups: + - argoproj.io + apiVersions: + - v1alpha1 + operations: + - DELETE + resources: + - applications + scope: Namespaced + validations: + - expression: "false" + message: Deletion of application is not allowed. +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: {{ include "policychart.fullname" . }}-prevent-app-deletion-binding +spec: + matchResources: + matchPolicy: Equivalent + namespaceSelector: {} + objectSelector: {} + policyName: {{ include "policychart.fullname" . }}-prevent-app-deletion + validationActions: + - Deny +{{- end }} + diff --git a/charts/k8s-shield/templates/deny_cluster_creation.yaml b/charts/k8s-shield/templates/deny_cluster_creation.yaml new file mode 100644 index 00000000..74aa4000 --- /dev/null +++ b/charts/k8s-shield/templates/deny_cluster_creation.yaml 
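Review bot: The file name `deny_appliaction_deletion.yaml` is misspelled; rename it to `deny_application_deletion.yaml` before anything starts referencing it. On substance, the policy denies every DELETE of `argoproj.io/v1alpha1` Applications in the listed namespaces with no exemption, so if Argo CD's own controller prunes child Applications (app-of-apps) that will also be denied and surface as sync errors; if that is intended, say so in a comment, otherwise add a `matchConditions` entry that exempts `request.userInfo.username` for the Argo CD controller service account. The `matchResources` block on the binding only repeats empty selectors and can be dropped.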
@@ -0,0 +1,39 @@ +{{- if $.Values.denyRoleCreationPolicy.enabled }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: {{ include "policychart.fullname" . }}-deny-role-creation +spec: + failurePolicy: Fail + matchConstraints: + matchPolicy: Equivalent + namespaceSelector: {} + objectSelector: {} + resourceRules: + - apiGroups: + - rbac.authorization.k8s.io + apiVersions: + - v1 + operations: + - CREATE + resources: + - clusterroles + - roles + scope: '*' + validations: + - expression: "false" + message: Creation of ClusterRole and Role is not allowed. +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: {{ include "policychart.fullname" . }}-deny-role-creation-binding +spec: + matchResources: + matchPolicy: Equivalent + namespaceSelector: {} + objectSelector: {} + policyName: {{ include "policychart.fullname" . }}-deny-role-creation + validationActions: + - Deny +{{- end }} diff --git a/charts/k8s-shield/templates/deny_loadbalancer_creation.yaml b/charts/k8s-shield/templates/deny_loadbalancer_creation.yaml new file mode 100644 index 00000000..5b92fb21 --- /dev/null +++ b/charts/k8s-shield/templates/deny_loadbalancer_creation.yaml 
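Review bot: As a privilege-escalation guard this policy is incomplete: it matches only CREATE of `roles`/`clusterroles`, so a subject with RBAC write access can still UPDATE/PATCH an existing Role to add verbs, or create a RoleBinding/ClusterRoleBinding to an existing `cluster-admin`, and neither is seen. Add `- UPDATE` under `operations` and `- rolebindings` / `- clusterrolebindings` under `resources`, or state in a comment that the intent is only to freeze the set of role objects. It is also cluster-wide (`scope: '*'`, empty selectors) with `failurePolicy: Fail` and no exemption, so any operator or Helm release that ships RBAC — quite possibly upgrades of this installer's own components — will be denied; a `matchConditions` entry on `request.userInfo` for trusted service accounts would bound the blast radius. The file name `deny_cluster_creation.yaml` does not describe a role-creation policy.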
@@ -0,0 +1,46 @@ +{{- if $.Values.denyloadBalancerCreationPolicy.enabled}} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: {{ include "policychart.fullname" . }}-deny-loadbalancer-services +spec: + failurePolicy: Fail + matchConstraints: + matchPolicy: Equivalent + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + {{- range .Values.denyloadBalancerCreationPolicy.namespaces }} + - {{ . | quote }} + {{- end }} + objectSelector: {} + resourceRules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - services + scope: Namespaced + validations: + - expression: object.spec.type != 'LoadBalancer' + message: Creation of Services with type LoadBalancer is not allowed. +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: {{ include "policychart.fullname" . }}-deny-loadbalancer-services-binding +spec: + matchResources: + matchPolicy: Equivalent + namespaceSelector: {} + objectSelector: {} + policyName: {{ include "policychart.fullname" . }}-deny-loadbalancer-services + validationActions: + - Deny +{{- end }} diff --git a/charts/k8s-shield/templates/deny_namespace_deletion.yaml b/charts/k8s-shield/templates/deny_namespace_deletion.yaml new file mode 100644 index 00000000..a0f8ba83 --- /dev/null +++ b/charts/k8s-shield/templates/deny_namespace_deletion.yaml 
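Review bot: Only `CREATE` is matched, so a Service admitted as ClusterIP can later be patched to `type: LoadBalancer` and the policy never sees it; `spec.type` is mutable. Add `- UPDATE` under `operations` — the expression `object.spec.type != 'LoadBalancer'` already works unchanged for updates. The `---` placed directly after `{{- if ... }}` emits a leading document separator that the other templates in this commit do not; harmless, but worth aligning.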
@@ -0,0 +1,43 @@ +{{- if $.Values.namespaceDeletionPolicy.enabled }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: {{ include "policychart.fullname" . }}-deny-namespace-deletion +spec: + failurePolicy: Fail + matchConstraints: + matchPolicy: Equivalent + namespaceSelector: {} + objectSelector: {} + resourceRules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - DELETE + resourceNames: + {{- range $.Values.namespaceDeletionPolicy.namespaces }} + - {{ . }} + {{- end }} + resources: + - namespaces + scope: "*" + validations: + - expression: "false" + message: Deletion of namespace is not allowed. +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: {{ include "policychart.fullname" . }}-deny-namespace-deletion-binding +spec: + matchResources: + matchPolicy: Equivalent + namespaceSelector: {} + objectSelector: {} + policyName: {{ include "policychart.fullname" . }}-deny-namespace-deletion + validationActions: + - Deny +{{- end }} diff --git a/charts/k8s-shield/templates/deny_pvc_creation.yaml b/charts/k8s-shield/templates/deny_pvc_creation.yaml new file mode 100644 index 00000000..ffb9479f --- /dev/null +++ b/charts/k8s-shield/templates/deny_pvc_creation.yaml 
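Review bot: The `resourceNames` entries are rendered with `{{ . }}` while every other template in this commit quotes list values with `{{ . | quote }}`; a namespace literally named `on`, `no` or `yes` is a valid DNS label that a YAML 1.1 parser turns into a boolean, so use `- {{ . | quote }}` here too. Same remark on the leading `---` after the `{{- if }}` as in the LoadBalancer template. Note the policy protects only the Namespace object itself; deleting the workloads inside it remains possible, which is probably fine but should be stated in the values.yaml comment.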
@@ -0,0 +1,45 @@ +{{- if $.Values.denyPvcCreationPolicy.enabled }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: {{ include "policychart.fullname" . }}-deny-pv-pvc-creation +spec: + failurePolicy: Fail + matchConstraints: + matchPolicy: Equivalent + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + {{- range .Values.denyPvcCreationPolicy.namespaces }} + - {{ . | quote }} + {{- end }} + objectSelector: {} + resourceRules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - persistentvolumeclaims + scope: Namespaced + validations: + - expression: "false" + message: Creation of PersistentVolumeClaims is not allowed. +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: {{ include "policychart.fullname" . }}-deny-pv-pvc-creation-binding +spec: + matchResources: + matchPolicy: Equivalent + namespaceSelector: {} + objectSelector: {} + policyName: {{ include "policychart.fullname" . }}-deny-pv-pvc-creation + validationActions: + - Deny +{{- end }} diff --git a/charts/k8s-shield/templates/pod_security_policy.yaml b/charts/k8s-shield/templates/pod_security_policy.yaml new file mode 100644 index 00000000..eb0894cd --- /dev/null +++ b/charts/k8s-shield/templates/pod_security_policy.yaml 
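Review bot: The policy and binding are named `deny-pv-pvc-creation`, but the rule only matches `persistentvolumeclaims`; PersistentVolumes are cluster-scoped, so the `namespaceSelector` could not cover them anyway. Either rename to `deny-pvc-creation` to match the file name, or add a second resourceRule with `scope: Cluster` for `persistentvolumes` if PVs are meant to be blocked as well. The `matchResources` block on the binding is redundant with the policy's own constraints and can be dropped.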
@@ -0,0 +1,62 @@ +{{- if .Values.podSecurityPolicy.enabled }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "{{ include "policychart.fullname" . }}-pod-security-policy" +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - "" + - apps + - batch + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - pods + - deployments + - replicasets + - daemonsets + - statefulsets + - jobs + - cronjobs + scope: '*' + validations: + - expression: "object.kind != 'Pod' || object.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == {{ .Values.podSecurityPolicy.runAsNonRoot }})" + message: "All containers must set runAsNonRoot to {{ .Values.podSecurityPolicy.runAsNonRoot }}" + - expression: "object.kind != 'Pod' || object.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.readOnlyRootFilesystem) && c.securityContext.readOnlyRootFilesystem == {{ .Values.podSecurityPolicy.readOnlyRootFilesystem }})" + message: "All containers must set readOnlyRootFilesystem to {{ .Values.podSecurityPolicy.readOnlyRootFilesystem }}" + - expression: "object.kind != 'Pod' || object.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.allowPrivilegeEscalation) || c.securityContext.allowPrivilegeEscalation == {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }})" + message: "All containers must set allowPrivilegeEscalation to {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }}" + - expression: "object.kind != 'Pod' || object.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.privileged) || c.securityContext.privileged == {{ .Values.podSecurityPolicy.privileged }})" + message: "All containers must set privileged to {{ .Values.podSecurityPolicy.privileged }}" + - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || 
object.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == {{ .Values.podSecurityPolicy.runAsNonRoot }})" + message: "All workload containers must set runAsNonRoot to {{ .Values.podSecurityPolicy.runAsNonRoot }}" + - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.readOnlyRootFilesystem) && c.securityContext.readOnlyRootFilesystem == {{ .Values.podSecurityPolicy.readOnlyRootFilesystem }})" + message: "All workload containers must set readOnlyRootFilesystem to {{ .Values.podSecurityPolicy.readOnlyRootFilesystem }}" + - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.allowPrivilegeEscalation) || c.securityContext.allowPrivilegeEscalation == {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }})" + message: "All workload containers must set allowPrivilegeEscalation to {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }}" + - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.privileged) || c.securityContext.privileged == {{ .Values.podSecurityPolicy.privileged }})" + message: "All workload containers must set privileged to {{ .Values.podSecurityPolicy.privileged }}" + - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == {{ .Values.podSecurityPolicy.runAsNonRoot }})" + message: "All CronJob containers must set runAsNonRoot to {{ .Values.podSecurityPolicy.runAsNonRoot }}" + - 
expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.readOnlyRootFilesystem) && c.securityContext.readOnlyRootFilesystem == {{ .Values.podSecurityPolicy.readOnlyRootFilesystem }})" + message: "All CronJob containers must set readOnlyRootFilesystem to {{ .Values.podSecurityPolicy.readOnlyRootFilesystem }}" + - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.allowPrivilegeEscalation) || c.securityContext.allowPrivilegeEscalation == {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }})" + message: "All CronJob containers must set allowPrivilegeEscalation to {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }}" + - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.privileged) || c.securityContext.privileged == {{ .Values.podSecurityPolicy.privileged }})" + message: "All CronJob containers must set privileged to {{ .Values.podSecurityPolicy.privileged }}" +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: {{ include "policychart.fullname" . }}-pod-security-policy-binding +spec: + policyName: {{ include "policychart.fullname" . }}-pod-security-policy + validationActions: + - Deny +{{- end }} diff --git a/charts/k8s-shield/templates/resources_not_define.yaml b/charts/k8s-shield/templates/resources_not_define.yaml new file mode 100644 index 00000000..e630b6fe --- /dev/null +++ b/charts/k8s-shield/templates/resources_not_define.yaml 
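Review bot: The `allowPrivilegeEscalation` validations accept the field being absent (`!has(c.securityContext) || !has(c.securityContext.allowPrivilegeEscalation) || ...`), but the API server does not default that field and the runtime default is to allow escalation, so a container that simply omits it passes while still able to gain privileges; the restricted Pod Security Standard requires an explicit `false`. When the configured value is `false`, require presence instead: `has(c.securityContext) && has(c.securityContext.allowPrivilegeEscalation) && !c.securityContext.allowPrivilegeEscalation`. All twelve expressions inspect only `containers`; `initContainers` (and `ephemeralContainers` on pods) are never checked, so a privileged init container is admitted — evaluate each `.all(c, ...)` over the combined list, e.g. `(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []))`. Finally, this policy has no `namespaceSelector` and `scope: '*'`, so with `failurePolicy: Fail` it also governs kube-system, where CNI and kube-proxy DaemonSets legitimately run privileged and would be denied on their next update; give it the same namespace list as the other policies or a `matchConditions` exclusion for system namespaces.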
@@ -0,0 +1,45 @@ +{{- if $.Values.restrictWithoutResourcesPolicy.enabled }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: {{ include "policychart.fullname" . }}-require-pod-resources +spec: + failurePolicy: Fail + matchConstraints: + matchPolicy: Equivalent + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + {{- range .Values.restrictWithoutResourcesPolicy.namespaces }} + - {{ . | quote }} + {{- end }} + resourceRules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - pods + scope: Namespaced + validations: + - expression: "object.spec.containers.all(c, has(c.resources) && has(c.resources.requests) && has(c.resources.limits) && has(c.resources.requests.cpu) && has(c.resources.requests.memory) && has(c.resources.limits.cpu) && has(c.resources.limits.memory))" + message: "All containers in the pod must have both CPU and memory requests and limits specified." +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: {{ include "policychart.fullname" . }}-require-pod-resources-binding +spec: + matchResources: + matchPolicy: Equivalent + namespaceSelector: {} + objectSelector: {} + policyName: {{ include "policychart.fullname" . }}-require-pod-resources + validationActions: + - Deny +{{- end }} diff --git a/charts/k8s-shield/templates/restrict_resource.yaml b/charts/k8s-shield/templates/restrict_resource.yaml new file mode 100644 index 00000000..a7081da6 --- /dev/null +++ b/charts/k8s-shield/templates/restrict_resource.yaml 
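Review bot: The expression walks only `object.spec.containers`, so an init container without requests or limits is admitted even though it consumes quota and node capacity while it runs; extend the check with `&& (!has(object.spec.initContainers) || object.spec.initContainers.all(c, ...))` using the same per-container predicate. Since pod `resources` are immutable after creation (apart from in-place resize on newer clusters), matching `UPDATE` adds little here, though it is harmless. The `matchResources` block on the binding duplicates the policy's own constraints and can go.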
@@ -0,0 +1,64 @@ +{{- if .Values.restrictWithoutResourcesPolicy.policies.restrictResourceLimitsPolicy.enabled }} +{{- $maxCPU := .Values.restrictWithoutResourcesPolicy.policies.restrictResourceLimitsPolicy.maxCPULimit | default "1000m" }} +{{- $maxMemory := .Values.restrictWithoutResourcesPolicy.policies.restrictResourceLimitsPolicy.maxMemoryLimit | default "2Gi" }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: {{ include "policychart.fullname" . }}-restrict-resource-limits +spec: + failurePolicy: Fail + matchConstraints: + matchPolicy: Equivalent + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + {{- range .Values.restrictWithoutResourcesPolicy.policies.restrictResourceLimitsPolicy.namespaces }} + - {{ . | quote }} + {{- end }} + objectSelector: {} + resourceRules: + - apiGroups: + - "" + - apps + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - pods + - deployments + - statefulsets + scope: Namespaced + validations: + - expression: |- + has(object.spec.template) ? 
+ ( + !has(object.spec.template.spec.containers[0].resources.limits) || ( + (!has(object.spec.template.spec.containers[0].resources.limits.cpu) || + quantity(object.spec.template.spec.containers[0].resources.limits.cpu).compareTo(quantity('{{ $maxCPULimit }}')) <= 0) && + (!has(object.spec.template.spec.containers[0].resources.limits.memory) || + quantity(object.spec.template.spec.containers[0].resources.limits.memory).compareTo(quantity('{{ $maxMemoryLimit }}')) <= 0) + ) + ) : + ( + !has(object.spec.containers[0].resources.limits) || ( + (!has(object.spec.containers[0].resources.limits.cpu) || + quantity(object.spec.containers[0].resources.limits.cpu).compareTo(quantity('{{ $maxCPULimit }}')) <= 0) && + (!has(object.spec.containers[0].resources.limits.memory) || + quantity(object.spec.containers[0].resources.limits.memory).compareTo(quantity('{{ $maxMemoryLimit }}')) <= 0) + ) + ) + message: "Resource limits exceed the maximum allowed. CPU must be <= {{ $maxCPULimit }} and memory must be <= {{ $maxMemoryLimit }}." +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: {{ include "policychart.fullname" . }}-restrict-resource-limits-binding +spec: + policyName: {{ include "policychart.fullname" . }}-restrict-resource-limits + validationActions: + - Deny +{{- end }} diff --git a/charts/k8s-shield/templates/restrict_without_probes.yaml b/charts/k8s-shield/templates/restrict_without_probes.yaml new file mode 100644 index 00000000..2d646787 --- /dev/null +++ b/charts/k8s-shield/templates/restrict_without_probes.yaml 
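Review bot: The template declares `$maxCPU` and `$maxMemory` but the expression and message reference `$maxCPULimit` and `$maxMemoryLimit`, which are never defined; Go's text/template rejects an undefined variable at parse time, so as far as I can tell `helm template`/`helm install` of this chart fails outright, regardless of the `enabled` flag. Rename the two declarations to `{{- $maxCPULimit := ... | default "1000m" }}` and `{{- $maxMemoryLimit := ... | default "2Gi" }}`. Separately, both branches look only at `containers[0]`, so every container after the first may carry arbitrary limits; the rewrite below applies the bound to all containers of either a Pod or a pod template (init containers are still not covered).
```yaml
  validations:
  - expression: |-
      (has(object.spec.template) ? object.spec.template.spec.containers : object.spec.containers).all(c,
        !has(c.resources) || !has(c.resources.limits) || (
          (!has(c.resources.limits.cpu) ||
            quantity(c.resources.limits.cpu).compareTo(quantity('{{ $maxCPULimit }}')) <= 0) &&
          (!has(c.resources.limits.memory) ||
            quantity(c.resources.limits.memory).compareTo(quantity('{{ $maxMemoryLimit }}')) <= 0)
        )
      )
    # … unchanged: message …
```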
@@ -0,0 +1,36 @@ +{{- if $.Values.withoutReadinessandLivenessProbe.enabled }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: {{ include "policychart.fullname" . }}-require-probes-policy +spec: + failurePolicy: Fail + matchConstraints: + matchPolicy: Equivalent + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + {{- range .Values.withoutReadinessandLivenessProbe.namespaces }} + - {{ . | quote }} + {{- end }} + resourceRules: + - apiGroups: [""] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["pods"] + scope: Namespaced + validations: + - expression: "object.spec.containers.all(c, has(c.readinessProbe) && has(c.livenessProbe))" + message: "All containers in the pod must have both a readiness probe and a liveness probe defined." +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: {{ include "policychart.fullname" . }}-require-probes-policy-binding +spec: + policyName: {{ include "policychart.fullname" . }}-require-probes-policy + validationActions: + - Deny +{{- end }} diff --git a/charts/k8s-shield/values.yaml b/charts/k8s-shield/values.yaml new file mode 100644 index 00000000..ac7dadb1 --- /dev/null +++ b/charts/k8s-shield/values.yaml 
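Review bot: Every Pod created in the listed namespaces must carry both probes, with no exemption for pods that cannot sensibly have them; if the `argo` namespace runs Argo Workflows or CronJobs, their batch pods (which have no probes) would be denied under `failurePolicy: Fail`, which I would confirm before shipping this enabled by default. A `matchConditions` entry on the policy such as `- name: skip-batch-pods` / `expression: "!has(object.metadata.ownerReferences) || !object.metadata.ownerReferences.exists(o, o.kind in ['Job', 'Workflow'])"` keeps the check for long-running workloads only. Inspecting only `containers` is correct here, since init containers cannot declare probes.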
@@ -0,0 +1,54 @@ +denyPvcCreationPolicy: + # This policy prevents the creation of Persistent Volume Claims (PVCs) in the specified namespaces. + enabled: true + namespaces: + - devtroncd + - argo +namespaceDeletionPolicy: + # This policy ristrict the deletion of namespaces to prevent. + enabled: true + namespaces: + - devtroncd + - argo +denyloadBalancerCreationPolicy: + # This policy blocks the creation of LoadBalancer type services in the specified namespaces. + enabled: true + namespaces: + - devtroncd + - argo +appDeletionPolicy: + # This policy prevents the deletion of applications within the specified namespaces. + enabled: true + namespaces: + - devtroncd + - argo +restrictWithoutResourcesPolicy: + # This policy ensures that deployments specify resource limits and requests, enforcing resource constraints on all pods. + enabled: true + namespaces: + - devtroncd + - argo + policies: + restrictResourceLimitsPolicy: + # This sub-policy enforces the restriction on resource limits and requests. If maxCPU and maxMemory are not defined, they default to 1000m and 2Gi respectively. + enabled: true + namespaces: + - devtroncd + - argo + maxCPULimit: "1000m" + maxMemoryLimit: "2Gi" +denyRoleCreationPolicy: + # This policy prohibits the creation of new roles within the cluster. + enabled: true +withoutReadinessandLivenessProbe: +# Policy for ensuring readiness and liveness probes are defined for containers + enabled: true + namespaces: + - devtroncd + - argo +podSecurityPolicy: + enabled: true # Enable/disable the Pod Security Policy + runAsNonRoot: true # Allow run as non-root user for better security + readOnlyRootFilesystem: true # allow root filesystem read-only to prevent runtime modifications + allowPrivilegeEscalation: false # Prevent processes from gaining more privileges than their parent + privileged: false # Disable privileged mode to limit container capabilities on the host From d13245fa682264d022137de71cca503de52cac05 Mon Sep 17 00:00:00 2001 
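Review bot: Every policy ships `enabled: true`, including `denyRoleCreationPolicy` and `podSecurityPolicy`, whose templates have no namespace scope; a default install therefore denies Role/ClusterRole creation and root/privileged containers cluster-wide, kube-system included, and will break operators and Helm releases that manage RBAC. Make the cluster-wide policies opt-in (`enabled: false`) or give them a namespace list like the others, and say in their comments that they apply to the whole cluster. Also: `runAsNonRoot: true # Allow run as non-root user` should read `# Require containers to run as non-root`, `ristrict` → `restrict`, the comment under `withoutReadinessandLivenessProbe` is not indented with its key, and the `restrictResourceLimitsPolicy` comment names `maxCPU`/`maxMemory` while the keys are `maxCPULimit`/`maxMemoryLimit`.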
From: Neha Sharma Date: Tue, 30 Jul 2024 01:15:46 +0530 Subject: [PATCH 04/22] add validatingAdmissionPolicyChart --- charts/k8s-shield/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/k8s-shield/Chart.yaml b/charts/k8s-shield/Chart.yaml index cb5fb6eb..aee580f6 100644 --- a/charts/k8s-shield/Chart.yaml +++ b/charts/k8s-shield/Chart.yaml @@ -4,7 +4,7 @@ description: A Helm chart for Kubernetes admission policies name: policychart type: application version: 0.1.0 -icon: https://s3-ap-southeast-1.amazonaws.com/devtron.ai/images/Devtron_K8s_Shield.png +icon: https://cdn.devtron.ai/images/Devtron_K8s_Shield.png maintainers: - email: devops@devtron.ai name: Devtron Devops Team From 15afb59b7aff3cbf0dd7b8b21f0c194b471e4e69 Mon Sep 17 00:00:00 2001 
From: Neha Sharma Date: Tue, 30 Jul 2024 01:17:35 +0530 Subject: [PATCH 05/22] remove validatingAdmissionPolicyChart --- charts/policychart/.helmignore | 23 --------- charts/policychart/Chart.yaml | 11 ----- charts/policychart/templates/_helpers.tpl | 16 ------ .../templates/deny_appliaction_deletion.yaml | 46 ----------------- .../templates/deny_cluster_creation.yaml | 39 --------------- .../templates/deny_loadbalancer_creation.yaml | 46 ----------------- .../templates/deny_namespace_deletion.yaml | 43 ---------------- .../templates/deny_pvc_creation.yaml | 45 ----------------- .../templates/resources_not_define.yaml | 45 ----------------- .../templates/restrict_resource.yaml | 49 ------------------- charts/policychart/values.yaml | 33 ------------- 11 files changed, 396 deletions(-) delete mode 100644 charts/policychart/.helmignore delete mode 100644 charts/policychart/Chart.yaml delete mode 100644 charts/policychart/templates/_helpers.tpl delete mode 100644 charts/policychart/templates/deny_appliaction_deletion.yaml delete mode 100644 charts/policychart/templates/deny_cluster_creation.yaml delete mode 100644 charts/policychart/templates/deny_loadbalancer_creation.yaml delete mode 100644 charts/policychart/templates/deny_namespace_deletion.yaml delete mode 100644 charts/policychart/templates/deny_pvc_creation.yaml delete mode 100644 charts/policychart/templates/resources_not_define.yaml delete mode 100644 charts/policychart/templates/restrict_resource.yaml delete mode 100644 charts/policychart/values.yaml diff --git a/charts/policychart/.helmignore b/charts/policychart/.helmignore deleted file mode 100644 index 0e8a0eb3..00000000 --- a/charts/policychart/.helmignore +++ /dev/null 
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/charts/policychart/Chart.yaml b/charts/policychart/Chart.yaml
deleted file mode 100644
index 6ef01eb6..00000000
--- a/charts/policychart/Chart.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v2
-appVersion: 1.0.0
-description: A Helm chart for Kubernetes admission policies
-maintainers:
-- email: devops@devtron.ai
- name: Devtron Devops Team
-- email: neha.sharma@devtron.ai
- name: Neha Sharma
-name: policychart
-type: application
-version: 0.1.0
diff --git a/charts/policychart/templates/_helpers.tpl b/charts/policychart/templates/_helpers.tpl
deleted file mode 100644
index 8c899887..00000000
--- a/charts/policychart/templates/_helpers.tpl
+++ /dev/null
@@ -1,16 +0,0 @@
-{{- define "policychart.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{- define "policychart.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/charts/policychart/templates/deny_appliaction_deletion.yaml b/charts/policychart/templates/deny_appliaction_deletion.yaml
deleted file mode 100644
index f2657b98..00000000
--- a/charts/policychart/templates/deny_appliaction_deletion.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-{{- if $.Values.appDeletionPolicy.enabled }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicy
-metadata:
- name: {{ include "policychart.fullname" . }}-prevent-app-deletion
-spec:
- failurePolicy: Fail
- matchConstraints:
- matchPolicy: Equivalent
- namespaceSelector:
- matchExpressions:
- - key: kubernetes.io/metadata.name
- operator: In
- values:
- {{- range .Values.appDeletionPolicy.namespaces }}
- - {{ . | quote }}
- {{- end }}
- objectSelector: {}
- resourceRules:
- - apiGroups:
- - argoproj.io
- apiVersions:
- - v1alpha1
- operations:
- - DELETE
- resources:
- - applications
- scope: Namespaced
- validations:
- - expression: "false"
- message: Deletion of application is not allowed.
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicyBinding
-metadata:
- name: {{ include "policychart.fullname" . }}-prevent-app-deletion-binding
-spec:
- matchResources:
- matchPolicy: Equivalent
- namespaceSelector: {}
- objectSelector: {}
- policyName: {{ include "policychart.fullname" . }}-prevent-app-deletion
- validationActions:
- - Deny
-{{- end }}
-
diff --git a/charts/policychart/templates/deny_cluster_creation.yaml b/charts/policychart/templates/deny_cluster_creation.yaml
deleted file mode 100644
index 99d74ffb..00000000
--- a/charts/policychart/templates/deny_cluster_creation.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-{{- if $.Values.roleCreationPolicy.enabled }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicy
-metadata:
- name: {{ include "policychart.fullname" . }}-deny-role-creation
-spec:
- failurePolicy: Fail
- matchConstraints:
- matchPolicy: Equivalent
- namespaceSelector: {}
- objectSelector: {}
- resourceRules:
- - apiGroups:
- - rbac.authorization.k8s.io
- apiVersions:
- - v1
- operations:
- - CREATE
- resources:
- - clusterroles
- - roles
- scope: '*'
- validations:
- - expression: "false"
- message: Creation of ClusterRole and Role is not allowed.
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicyBinding
-metadata:
- name: {{ include "policychart.fullname" . }}-deny-role-creation-binding
-spec:
- matchResources:
- matchPolicy: Equivalent
- namespaceSelector: {}
- objectSelector: {}
- policyName: {{ include "policychart.fullname" . }}-deny-role-creation
- validationActions:
- - Deny
-{{- end }}
diff --git a/charts/policychart/templates/deny_loadbalancer_creation.yaml b/charts/policychart/templates/deny_loadbalancer_creation.yaml
deleted file mode 100644
index 34fcccbb..00000000
--- a/charts/policychart/templates/deny_loadbalancer_creation.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-{{- if $.Values.loadBalancerPolicy.enabled }}
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicy
-metadata:
- name: {{ include "policychart.fullname" . }}-deny-loadbalancer-services
-spec:
- failurePolicy: Fail
- matchConstraints:
- matchPolicy: Equivalent
- namespaceSelector:
- matchExpressions:
- - key: kubernetes.io/metadata.name
- operator: In
- values:
- {{- range .Values.loadBalancerPolicy.namespaces }}
- - {{ . | quote }}
- {{- end }}
- objectSelector: {}
- resourceRules:
- - apiGroups:
- - ""
- apiVersions:
- - v1
- operations:
- - CREATE
- resources:
- - services
- scope: Namespaced
- validations:
- - expression: object.spec.type != 'LoadBalancer'
- message: Creation of Services with type LoadBalancer is not allowed.
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicyBinding
-metadata:
- name: {{ include "policychart.fullname" . }}-deny-loadbalancer-services-binding
-spec:
- matchResources:
- matchPolicy: Equivalent
- namespaceSelector: {}
- objectSelector: {}
- policyName: {{ include "policychart.fullname" . }}-deny-loadbalancer-services
- validationActions:
- - Deny
-{{- end }}
diff --git a/charts/policychart/templates/deny_namespace_deletion.yaml b/charts/policychart/templates/deny_namespace_deletion.yaml
deleted file mode 100644
index a0f8ba83..00000000
--- a/charts/policychart/templates/deny_namespace_deletion.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-{{- if $.Values.namespaceDeletionPolicy.enabled }}
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicy
-metadata:
- name: {{ include "policychart.fullname" . }}-deny-namespace-deletion
-spec:
- failurePolicy: Fail
- matchConstraints:
- matchPolicy: Equivalent
- namespaceSelector: {}
- objectSelector: {}
- resourceRules:
- - apiGroups:
- - ""
- apiVersions:
- - v1
- operations:
- - DELETE
- resourceNames:
- {{- range $.Values.namespaceDeletionPolicy.namespaces }}
- - {{ . }}
- {{- end }}
- resources:
- - namespaces
- scope: "*"
- validations:
- - expression: "false"
- message: Deletion of namespace is not allowed.
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicyBinding
-metadata:
- name: {{ include "policychart.fullname" . }}-deny-namespace-deletion-binding
-spec:
- matchResources:
- matchPolicy: Equivalent
- namespaceSelector: {}
- objectSelector: {}
- policyName: {{ include "policychart.fullname" . }}-deny-namespace-deletion
- validationActions:
- - Deny
-{{- end }}
diff --git a/charts/policychart/templates/deny_pvc_creation.yaml b/charts/policychart/templates/deny_pvc_creation.yaml
deleted file mode 100644
index 580e70a6..00000000
--- a/charts/policychart/templates/deny_pvc_creation.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-{{- if $.Values.pvcCreationPolicy.enabled }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicy
-metadata:
- name: {{ include "policychart.fullname" . }}-deny-pv-pvc-creation
-spec:
- failurePolicy: Fail
- matchConstraints:
- matchPolicy: Equivalent
- namespaceSelector:
- matchExpressions:
- - key: kubernetes.io/metadata.name
- operator: In
- values:
- {{- range .Values.pvcCreationPolicy.namespaces }}
- - {{ . | quote }}
- {{- end }}
- objectSelector: {}
- resourceRules:
- - apiGroups:
- - ""
- apiVersions:
- - v1
- operations:
- - CREATE
- resources:
- - persistentvolumeclaims
- scope: Namespaced
- validations:
- - expression: "false"
- message: Creation of PersistentVolumeClaims is not allowed.
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicyBinding
-metadata:
- name: {{ include "policychart.fullname" . }}-deny-pv-pvc-creation-binding
-spec:
- matchResources:
- matchPolicy: Equivalent
- namespaceSelector: {}
- objectSelector: {}
- policyName: {{ include "policychart.fullname" . }}-deny-pv-pvc-creation
- validationActions:
- - Deny
-{{- end }}
diff --git a/charts/policychart/templates/resources_not_define.yaml b/charts/policychart/templates/resources_not_define.yaml
deleted file mode 100644
index c8ec3361..00000000
--- a/charts/policychart/templates/resources_not_define.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-{{- if $.Values.withoutResourcesPolicy.enabled }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicy
-metadata:
- name: {{ include "policychart.fullname" . }}-require-pod-resources
-spec:
- failurePolicy: Fail
- matchConstraints:
- matchPolicy: Equivalent
- namespaceSelector:
- matchExpressions:
- - key: kubernetes.io/metadata.name
- operator: In
- values:
- {{- range .Values.withoutResourcesPolicy.namespaces }}
- - {{ . | quote }}
- {{- end }}
- resourceRules:
- - apiGroups:
- - ""
- apiVersions:
- - v1
- operations:
- - CREATE
- - UPDATE
- resources:
- - pods
- scope: Namespaced
- validations:
- - expression: "object.spec.containers.all(c, has(c.resources) && has(c.resources.requests) && has(c.resources.limits) && has(c.resources.requests.cpu) && has(c.resources.requests.memory) && has(c.resources.limits.cpu) && has(c.resources.limits.memory))"
- message: "All containers in the pod must have both CPU and memory requests and limits specified."
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicyBinding
-metadata:
- name: {{ include "policychart.fullname" . }}-require-pod-resources-binding
-spec:
- matchResources:
- matchPolicy: Equivalent
- namespaceSelector: {}
- objectSelector: {}
- policyName: {{ include "policychart.fullname" . }}-require-pod-resources
- validationActions:
- - Deny
-{{- end }}
diff --git a/charts/policychart/templates/restrict_resource.yaml b/charts/policychart/templates/restrict_resource.yaml
deleted file mode 100644
index be1161b4..00000000
--- a/charts/policychart/templates/restrict_resource.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-{{- if $.Values.withoutResourcesPolicy.policies.restrictResourceLimitsresourcesPolicy.enabled }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicy
-metadata:
- name: {{ include "policychart.fullname" . }}-restrict-resource-limits
-spec:
- failurePolicy: Fail
- matchConstraints:
- matchPolicy: Equivalent
- namespaceSelector:
- matchExpressions:
- - key: kubernetes.io/metadata.name
- operator: In
- values:
- {{- range .Values.withoutResourcesPolicy.policies.restrictResourceLimitsresourcesPolicy.namespaces }}
- - {{ . | quote }}
- {{- end }}
- objectSelector: {}
- resourceRules:
- - apiGroups:
- - apps
- apiVersions:
- - v1
- operations:
- - CREATE
- - UPDATE
- resources:
- - deployments
- - statefulsets
- scope: Namespaced
- validations:
- - expression: |-
- !has(object.spec.template.spec.containers[0].resources.limits) || (
- (!has(object.spec.template.spec.containers[0].resources.limits.cpu) ||
- quantity(object.spec.template.spec.containers[0].resources.limits.cpu).compareTo(quantity('1000m')) <= 0) &&
- (!has(object.spec.template.spec.containers[0].resources.limits.memory) ||
- quantity(object.spec.template.spec.containers[0].resources.limits.memory).compareTo(quantity('2Gi')) <= 0)
- )
- message: "Resource limits exceed the maximum allowed. CPU must be <= 1 and memory must be <= 2Gi."
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicyBinding
-metadata:
- name: {{ include "policychart.fullname" . }}-restrict-resource-limits-binding
-spec:
- policyName: {{ include "policychart.fullname" . }}-restrict-resource-limits
- validationActions:
- - Deny
-{{- end }}
diff --git a/charts/policychart/values.yaml b/charts/policychart/values.yaml
deleted file mode 100644
index 985e5cb5..00000000
--- a/charts/policychart/values.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-pvcCreationPolicy:
- enabled: false
- namespaces:
- - devtroncd
- - argo
-namespaceDeletionPolicy:
- enabled: true
- namespaces:
- - devtroncd
- - argo
-loadBalancerPolicy:
- enabled: true
- namespaces:
- - devtroncd
- - argo
-appDeletionPolicy:
- enabled: true
- namespaces:
- - devtroncd
- - argo
-withoutResourcesPolicy:
- enabled: true
- namespaces:
- - devtroncd
- - argo
- policies:
- restrictResourceLimitsresourcesPolicy:
- enabled: true
- namespaces:
- - devtroncd
- - argo
-roleCreationPolicy:
- enabled: true
From 7e9f9f68c8fe1467fc02cfd20ea55bbc2f43f03d Mon Sep 17 00:00:00 2001
From: Neha Sharma
Date: Wed, 31 Jul 2024 18:51:16 +0530
Subject: [PATCH 06/22] update the policy chart
---
 charts/k8s-shield/Chart.yaml | 1 -
 .../templates/deny_appliaction_deletion.yaml | 4 +-
 .../templates/deny_cluster_creation.yaml | 20 ++++--
 .../templates/deny_cluster_role_binding.yaml | 40 ++++++++++++
 .../templates/deny_loadbalancer_creation.yaml | 4 +-
 .../templates/deny_namespace_deletion.yaml | 4 +-
 .../templates/deny_pvc_creation.yaml | 4 +-
 charts/k8s-shield/templates/podSecurityPolicy | 62 ++++++++++++++++++
 .../templates/resources_not_define.yaml | 8 ++-
 .../templates/restrict_resource.yaml | 23 ++++---
 .../templates/restrict_without_probes.yaml | 4 +-
 charts/k8s-shield/values.yaml | 65 +++++++++++++------
 12 files changed, 195 insertions(+), 44 deletions(-)
 create mode 100644 charts/k8s-shield/templates/deny_cluster_role_binding.yaml
 create mode 100644 charts/k8s-shield/templates/podSecurityPolicy
diff --git a/charts/k8s-shield/Chart.yaml b/charts/k8s-shield/Chart.yaml
index aee580f6..328d149b 100644
--- a/charts/k8s-shield/Chart.yaml
+++ b/charts/k8s-shield/Chart.yaml
@@ -4,7 +4,6 @@ description: A Helm chart for Kubernetes admission policies
 name: policychart
 type: application
 version: 0.1.0
-icon: https://cdn.devtron.ai/images/Devtron_K8s_Shield.png
 maintainers:
 - email: devops@devtron.ai
 name: Devtron Devops Team
diff --git a/charts/k8s-shield/templates/deny_appliaction_deletion.yaml b/charts/k8s-shield/templates/deny_appliaction_deletion.yaml
index f2657b98..0bc9c1ed 100644
--- a/charts/k8s-shield/templates/deny_appliaction_deletion.yaml
+++ b/charts/k8s-shield/templates/deny_appliaction_deletion.yaml
@@ -41,6 +41,8 @@ spec:
 objectSelector: {}
 policyName: {{ include "policychart.fullname" . }}-prevent-app-deletion
 validationActions:
- - Deny
+ {{- range .Values.denyPvcCreationPolicy.validationActions }}
+ - {{ . }}
+ {{- end }}
 {{- end }}
diff --git a/charts/k8s-shield/templates/deny_cluster_creation.yaml b/charts/k8s-shield/templates/deny_cluster_creation.yaml
index 74aa4000..51ca4f65 100644
--- a/charts/k8s-shield/templates/deny_cluster_creation.yaml
+++ b/charts/k8s-shield/templates/deny_cluster_creation.yaml
@@ -1,4 +1,4 @@
-{{- if $.Values.denyRoleCreationPolicy.enabled }}
+{{- if $.Values.denyAdminClusterRoleCreation.enabled }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
@@ -13,16 +13,22 @@ spec:
 - apiGroups:
 - rbac.authorization.k8s.io
 apiVersions:
- - v1
+ - "*"
 operations:
 - CREATE
+ - UPDATE
 resources:
 - clusterroles
- - roles
 scope: '*'
 validations:
- - expression: "false"
- message: Creation of ClusterRole and Role is not allowed.
+ - expression: "!has(object.rules) || object.rules.all(rule,
+ !(rule.apiGroups.exists(g, g == '*') &&
+ rule.resources.exists(r, r == '*') &&
+ rule.verbs.exists(v, v == '*')) &&
+ !(rule.nonResourceURLs.exists(u, u == '*') &&
+ rule.verbs.exists(v, v == '*'))
+ )"
+ message: Deny Creation of ClusterRole with admin access
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
@@ -35,5 +41,7 @@ spec:
 objectSelector: {}
 policyName: {{ include "policychart.fullname" . }}-deny-role-creation
 validationActions:
- - Deny
+ {{- range .Values.denyPvcCreationPolicy.validationActions }}
+ - {{ . }}
+ {{- end }}
 {{- end }}
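Review bot: The binding now ranges over `.Values.denyPvcCreationPolicy.validationActions` although this template is gated by `appDeletionPolicy`, so the `appDeletionPolicy.validationActions` list this commit adds to values.yaml is never read, and switching the PVC policy to `Warn` would silently downgrade application-deletion enforcement as well. The same copied key appears in deny_cluster_creation.yaml, deny_cluster_role_binding.yaml, deny_loadbalancer_creation.yaml, deny_namespace_deletion.yaml, resources_not_define.yaml, restrict_resource.yaml and restrict_without_probes.yaml, while podSecurityPolicy hard-codes `- Deny` and ignores its own `podSecurityPolicy.validationActions`. Each binding should range over its own policy's key, here `{{- range .Values.appDeletionPolicy.validationActions }}`. The enclosing `{{- if }}` block and the binding's metadata begin before this hunk.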
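Review bot: The new CEL expression dereferences `rule.nonResourceURLs`, `rule.apiGroups` and `rule.resources` without `has()` guards; all three are optional PolicyRule fields, and in Kubernetes CEL reading an unset field is an evaluation error rather than an empty list, which under `failurePolicy: Fail` surfaces as a denial. An ordinary resource rule has no `nonResourceURLs`, so as written the policy would appear to reject most ClusterRole creates and updates rather than only wildcard ones (worth confirming on a cluster before merging). Guarding each optional list keeps the intent — rules granting `*` verbs on `*` resources in `*` groups, or `*` verbs on `*` non-resource URLs, are refused — and `rule.verbs` is required so it needs no guard. The policy and binding names still read `deny-role-creation` although the rule now matches only `clusterroles`; only the validation message reflects the new scope.
```yaml
      - expression: "!has(object.rules) || object.rules.all(rule,
          !(has(rule.apiGroups) && rule.apiGroups.exists(g, g == '*') &&
            has(rule.resources) && rule.resources.exists(r, r == '*') &&
            rule.verbs.exists(v, v == '*')) &&
          !(has(rule.nonResourceURLs) && rule.nonResourceURLs.exists(u, u == '*') &&
            rule.verbs.exists(v, v == '*')))"
        message: Deny Creation of ClusterRole with admin access
```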
diff --git a/charts/k8s-shield/templates/deny_cluster_role_binding.yaml b/charts/k8s-shield/templates/deny_cluster_role_binding.yaml
new file mode 100644
index 00000000..a4adce64
--- /dev/null
+++ b/charts/k8s-shield/templates/deny_cluster_role_binding.yaml
@@ -0,0 +1,40 @@
+{{- if $.Values.denyCLusterRoleBindingCreation.enabled }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: {{ include "policychart.fullname" . }}restrict-cluster-admin-binding
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ matchPolicy: Equivalent
+ namespaceSelector: {}
+ objectSelector: {}
+ resourceRules:
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ apiVersions:
+ - "*"
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - clusterrolebindings
+ scope: '*'
+ validations:
+ - expression: "!(object.roleRef.apiGroup == 'rbac.authorization.k8s.io' &&
+ object.roleRef.kind == 'ClusterRole' &&
+ object.roleRef.name == 'cluster-admin')"
+ message: "Binding to the cluster-admin ClusterRole is not allowed due to security policy."
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: {{ include "policychart.fullname" . }}restrict-cluster-admin-binding-policy
+spec:
+ policyName: {{ include "policychart.fullname" . }}restrict-cluster-admin-binding
+ validationActions:
+ {{- range .Values.denyPvcCreationPolicy.validationActions }}
+ - {{ . }}
+ {{- end }}
+{{- end }}
+
diff --git a/charts/k8s-shield/templates/deny_loadbalancer_creation.yaml b/charts/k8s-shield/templates/deny_loadbalancer_creation.yaml
index 5b92fb21..0deb3281 100644
--- a/charts/k8s-shield/templates/deny_loadbalancer_creation.yaml
+++ b/charts/k8s-shield/templates/deny_loadbalancer_creation.yaml
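Review bot: The three `{{ include "policychart.fullname" . }}restrict-cluster-admin-binding` names lack the `-` separator every other template puts between the fullname and its suffix, so the rendered name runs the release fullname straight into `restrict-cluster-admin-binding`; the binding is also the only one in the chart named `…-policy` rather than `…-binding`. `name: {{ include "policychart.fullname" . }}-restrict-cluster-admin-binding` for the policy, the same prefix in `policyName`, and `…-restrict-cluster-admin-binding-binding` for the binding keep it consistent. The rule matches only `clusterrolebindings`, so a namespaced RoleBinding whose roleRef is the `cluster-admin` ClusterRole is not covered by this policy; if that is intended, a comment in values.yaml beside `denyCLusterRoleBindingCreation` should say so, and that key's stray capital `L` is worth fixing before anything else depends on it.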
@@ -42,5 +42,7 @@ spec:
 objectSelector: {}
 policyName: {{ include "policychart.fullname" . }}-deny-loadbalancer-services
 validationActions:
- - Deny
+ {{- range .Values.denyPvcCreationPolicy.validationActions }}
+ - {{ . }}
+ {{- end }}
 {{- end }}
diff --git a/charts/k8s-shield/templates/deny_namespace_deletion.yaml b/charts/k8s-shield/templates/deny_namespace_deletion.yaml
index a0f8ba83..0610bb13 100644
--- a/charts/k8s-shield/templates/deny_namespace_deletion.yaml
+++ b/charts/k8s-shield/templates/deny_namespace_deletion.yaml
@@ -39,5 +39,7 @@ spec:
 objectSelector: {}
 policyName: {{ include "policychart.fullname" . }}-deny-namespace-deletion
 validationActions:
- - Deny
+ {{- range .Values.denyPvcCreationPolicy.validationActions }}
+ - {{ . }}
+ {{- end }}
 {{- end }}
diff --git a/charts/k8s-shield/templates/deny_pvc_creation.yaml b/charts/k8s-shield/templates/deny_pvc_creation.yaml
index ffb9479f..104c2762 100644
--- a/charts/k8s-shield/templates/deny_pvc_creation.yaml
+++ b/charts/k8s-shield/templates/deny_pvc_creation.yaml
@@ -41,5 +41,7 @@ spec:
 objectSelector: {}
 policyName: {{ include "policychart.fullname" . }}-deny-pv-pvc-creation
 validationActions:
- - Deny
+ {{- range .Values.denyPvcCreationPolicy.validationActions }}
+ - {{ . }}
+ {{- end }}
 {{- end }}
diff --git a/charts/k8s-shield/templates/podSecurityPolicy b/charts/k8s-shield/templates/podSecurityPolicy
new file mode 100644
index 00000000..ae9334b6
--- /dev/null
+++ b/charts/k8s-shield/templates/podSecurityPolicy
@@ -0,0 +1,62 @@
+{{- if .Values.podSecurityPolicy.enabled }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: "{{ include "policychart.fullname" . }}-pod-security-policy"
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups:
+ - ""
+ - apps
+ - batch
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - pods
+ - deployments
+ - replicasets
+ - daemonsets
+ - statefulsets
+ - jobs
+ - cronjobs
+ scope: '*'
+ validations:
+ - expression: "object.kind != 'Pod' || object.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == {{ .Values.podSecurityPolicy.allowrunAsNonRoot }})"
+ message: "All containers must set runAsNonRoot to {{ .Values.podSecurityPolicy.allowrunAsNonRoot }}"
+ - expression: "object.kind != 'Pod' || object.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.readOnlyRootFilesystem) && c.securityContext.readOnlyRootFilesystem == {{ .Values.podSecurityPolicy.allowreadOnlyRootFilesystem }})"
+ message: "All containers must set readOnlyRootFilesystem to {{ .Values.podSecurityPolicy.allowreadOnlyRootFilesystem }}"
+ - expression: "object.kind != 'Pod' || object.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.allowPrivilegeEscalation) || c.securityContext.allowPrivilegeEscalation == {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }})"
+ message: "All containers must set allowPrivilegeEscalation to {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }}"
+ - expression: "object.kind != 'Pod' || object.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.privileged) || c.securityContext.privileged == {{ .Values.podSecurityPolicy.allowprivileged }})"
+ message: "All containers must set privileged to {{ .Values.podSecurityPolicy.allowprivileged }}"
+ - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == {{ .Values.podSecurityPolicy.allowrunAsNonRoot }})"
+ message: "All workload containers must set runAsNonRoot to {{ .Values.podSecurityPolicy.allowrunAsNonRoot }}"
+ - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.readOnlyRootFilesystem) && c.securityContext.readOnlyRootFilesystem == {{ .Values.podSecurityPolicy.allowreadOnlyRootFilesystem }})"
+ message: "All workload containers must set readOnlyRootFilesystem to {{ .Values.podSecurityPolicy.allowreadOnlyRootFilesystem }}"
+ - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.allowPrivilegeEscalation) || c.securityContext.allowPrivilegeEscalation == {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }})"
+ message: "All workload containers must set allowPrivilegeEscalation to {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }}"
+ - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.privileged) || c.securityContext.privileged == {{ .Values.podSecurityPolicy.allowprivileged }})"
+ message: "All workload containers must set privileged to {{ .Values.podSecurityPolicy.allowprivileged }}"
+ - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == {{ .Values.podSecurityPolicy.allowrunAsNonRoot }})"
+ message: "All CronJob containers must set runAsNonRoot to {{ .Values.podSecurityPolicy.allowrunAsNonRoot }}"
+ - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.readOnlyRootFilesystem) && c.securityContext.readOnlyRootFilesystem == {{ .Values.podSecurityPolicy.allowreadOnlyRootFilesystem }})"
+ message: "All CronJob containers must set readOnlyRootFilesystem to {{ .Values.podSecurityPolicy.allowreadOnlyRootFilesystem }}"
+ - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.allowPrivilegeEscalation) || c.securityContext.allowPrivilegeEscalation == {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }})"
+ message: "All CronJob containers must set allowPrivilegeEscalation to {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }}"
+ - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.privileged) || c.securityContext.privileged == {{ .Values.podSecurityPolicy.allowprivileged }})"
+ message: "All CronJob containers must set privileged to {{ .Values.podSecurityPolicy.allowprivileged }}"
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: {{ include "policychart.fullname" . }}-pod-security-policy-binding
+spec:
+ policyName: {{ include "policychart.fullname" . }}-pod-security-policy
+ validationActions:
+ - Deny
+{{- end }}
diff --git a/charts/k8s-shield/templates/resources_not_define.yaml b/charts/k8s-shield/templates/resources_not_define.yaml
index e630b6fe..96aa8fe8 100644
--- a/charts/k8s-shield/templates/resources_not_define.yaml
+++ b/charts/k8s-shield/templates/resources_not_define.yaml
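Review bot: This policy has no `namespaceSelector` and uses `scope: '*'`, so unlike every other template it applies to every namespace including `kube-system`, and with `failurePolicy: Fail` any system pod or controller-managed workload that does not set `runAsNonRoot` and `readOnlyRootFilesystem` explicitly on each container is rejected on its next CREATE or UPDATE; values.yaml has no `podSecurityPolicy.namespaces` list to scope it the way the other policies are scoped. The runAsNonRoot checks also ignore the pod-level `spec.securityContext.runAsNonRoot`, which Kubernetes applies to every container that does not override it, so pods configured correctly at pod level are denied, and `initContainers`/`ephemeralContainers` are never inspected, so a privileged init container passes. Separately, `!has(c.securityContext.allowPrivilegeEscalation) ||` accepts the field being absent, which Kubernetes treats as escalation allowed, so when `allowPrivilegeEscalation: false` is the intent the policy should require the field to be present as it already does for `runAsNonRoot`. A minimal version of the first two fixes is below (the `namespaces` list is a new values key); the file also lacks the `.yaml` extension its siblings use, which Helm tolerates but linters keyed on extension will skip.
```yaml
  matchConstraints:
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: In
          values:
            {{- range .Values.podSecurityPolicy.namespaces }}
            - {{ . | quote }}
            {{- end }}
    # … unchanged: resourceRules …
  validations:
    - expression: "object.kind != 'Pod' || object.spec.containers.all(c, (has(c.securityContext) && has(c.securityContext.runAsNonRoot)) ? c.securityContext.runAsNonRoot == {{ .Values.podSecurityPolicy.allowrunAsNonRoot }} : (has(object.spec.securityContext) && has(object.spec.securityContext.runAsNonRoot) && object.spec.securityContext.runAsNonRoot == {{ .Values.podSecurityPolicy.allowrunAsNonRoot }}))"
      message: "All containers must set runAsNonRoot to {{ .Values.podSecurityPolicy.allowrunAsNonRoot }}"
    # … unchanged: remaining validations, with the same pod-level fallback applied to the template and jobTemplate variants …
```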
@@ -1,4 +1,4 @@
-{{- if $.Values.restrictWithoutResourcesPolicy.enabled }}
+{{- if $.Values.resourcePolicies.denyWithoutResource.enabled }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
@@ -12,7 +12,7 @@ spec:
 - key: kubernetes.io/metadata.name
 operator: In
 values:
- {{- range .Values.restrictWithoutResourcesPolicy.namespaces }}
+ {{- range .Values.resourcePolicies.denyWithoutResource.namespaces }}
 - {{ . | quote }}
 {{- end }}
 resourceRules:
@@ -41,5 +41,7 @@ spec:
 objectSelector: {}
 policyName: {{ include "policychart.fullname" . }}-require-pod-resources
 validationActions:
- - Deny
+ {{- range .Values.denyPvcCreationPolicy.validationActions }}
+ - {{ . }}
+ {{- end }}
 {{- end }}
diff --git a/charts/k8s-shield/templates/restrict_resource.yaml b/charts/k8s-shield/templates/restrict_resource.yaml
index a7081da6..f4907307 100644
--- a/charts/k8s-shield/templates/restrict_resource.yaml
+++ b/charts/k8s-shield/templates/restrict_resource.yaml
@@ -1,6 +1,6 @@
-{{- if .Values.restrictWithoutResourcesPolicy.policies.restrictResourceLimitsPolicy.enabled }}
-{{- $maxCPU := .Values.restrictWithoutResourcesPolicy.policies.restrictResourceLimitsPolicy.maxCPULimit | default "1000m" }}
-{{- $maxMemory := .Values.restrictWithoutResourcesPolicy.policies.restrictResourceLimitsPolicy.maxMemoryLimit | default "2Gi" }}
+{{- if .Values.resourcePolicies.limitResourcePolicy.enabled }}
+{{- $maxCPU := .Values.resourcePolicies.limitResourcePolicy.maxCPULimit | default "1000m" }}
+{{- $maxMemory := .Values.resourcePolicies.limitResourcePolicy.maxMemoryLimit | default "2Gi" }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
@@ -14,7 +14,7 @@ spec:
 - key: kubernetes.io/metadata.name
 operator: In
 values:
- {{- range .Values.restrictWithoutResourcesPolicy.policies.restrictResourceLimitsPolicy.namespaces }}
+ {{- range .Values.resourcePolicies.limitResourcePolicy.namespaces }}
 - {{ . | quote }}
 {{- end }}
 objectSelector: {}
@@ -38,20 +38,20 @@ spec:
 (
 !has(object.spec.template.spec.containers[0].resources.limits) || (
 (!has(object.spec.template.spec.containers[0].resources.limits.cpu) ||
- quantity(object.spec.template.spec.containers[0].resources.limits.cpu).compareTo(quantity('{{ $maxCPULimit }}')) <= 0) &&
+ quantity(object.spec.template.spec.containers[0].resources.limits.cpu).compareTo(quantity('{{ $maxCPU }}')) <= 0) &&
 (!has(object.spec.template.spec.containers[0].resources.limits.memory) ||
- quantity(object.spec.template.spec.containers[0].resources.limits.memory).compareTo(quantity('{{ $maxMemoryLimit }}')) <= 0)
+ quantity(object.spec.template.spec.containers[0].resources.limits.memory).compareTo(quantity('{{ $maxMemory }}')) <= 0)
 ) ) : (
 !has(object.spec.containers[0].resources.limits) || (
 (!has(object.spec.containers[0].resources.limits.cpu) ||
- quantity(object.spec.containers[0].resources.limits.cpu).compareTo(quantity('{{ $maxCPULimit }}')) <= 0) &&
+ quantity(object.spec.containers[0].resources.limits.cpu).compareTo(quantity('{{ $maxCPU }}')) <= 0) &&
 (!has(object.spec.containers[0].resources.limits.memory) ||
- quantity(object.spec.containers[0].resources.limits.memory).compareTo(quantity('{{ $maxMemoryLimit }}')) <= 0)
+ quantity(object.spec.containers[0].resources.limits.memory).compareTo(quantity('{{ $maxMemory }}')) <= 0)
 ) )
- message: "Resource limits exceed the maximum allowed. CPU must be <= {{ $maxCPULimit }} and memory must be <= {{ $maxMemoryLimit }}."
+ message: "Resource limits exceed the maximum allowed. CPU must be <= {{ $maxCPU }} and memory must be <= {{ $maxMemory }}."
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
@@ -60,5 +60,8 @@ metadata:
 spec:
 policyName: {{ include "policychart.fullname" . }}-restrict-resource-limits
 validationActions:
- - Deny
+ {{- range .Values.denyPvcCreationPolicy.validationActions }}
+ - {{ . }}
+ {{- end }}
 {{- end }}
+
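Review bot: Both branches still read only `containers[0]`, so a second container or a sidecar can carry limits above `$maxCPU`/`$maxMemory` without tripping the policy, and a container with no `resources` block makes `has(...resources.limits)` fail on the intermediate field (`has()` only tests the last segment); `initContainers` are not examined either. The rename from `$maxCPULimit`/`$maxMemoryLimit` repairs the undefined template variables but leaves this untouched. Iterating with `containers.all(c, …)` as resources_not_define.yaml already does closes the gap; the Pod branch is shown below and the `spec.template.spec` branch is the same with that prefix. The ternary that selects between the two branches starts before this hunk.
```yaml
    ) : (
      object.spec.containers.all(c,
        !has(c.resources) || !has(c.resources.limits) || (
          (!has(c.resources.limits.cpu) ||
           quantity(c.resources.limits.cpu).compareTo(quantity('{{ $maxCPU }}')) <= 0) &&
          (!has(c.resources.limits.memory) ||
           quantity(c.resources.limits.memory).compareTo(quantity('{{ $maxMemory }}')) <= 0)
        )
      )
    )
```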
diff --git a/charts/k8s-shield/templates/restrict_without_probes.yaml b/charts/k8s-shield/templates/restrict_without_probes.yaml
index 2d646787..a9ecc7d9 100644
--- a/charts/k8s-shield/templates/restrict_without_probes.yaml
+++ b/charts/k8s-shield/templates/restrict_without_probes.yaml
@@ -32,5 +32,7 @@ metadata:
 spec:
 policyName: {{ include "policychart.fullname" . }}-require-probes-policy
 validationActions:
- - Deny
+ {{- range .Values.denyPvcCreationPolicy.validationActions }}
+ - {{ . }}
+ {{- end }}
 {{- end }}
diff --git a/charts/k8s-shield/values.yaml b/charts/k8s-shield/values.yaml
index ac7dadb1..e82af06c 100644
--- a/charts/k8s-shield/values.yaml
+++ b/charts/k8s-shield/values.yaml
@@ -4,51 +4,78 @@ denyPvcCreationPolicy:
 namespaces:
 - devtroncd
 - argo
+ validationActions: #By default value is DENY
+ - Deny
 namespaceDeletionPolicy:
 # This policy ristrict the deletion of namespaces to prevent.
 enabled: true
 namespaces:
 - devtroncd
 - argo
+ validationActions: #By default value is DENY
+ - Deny
 denyloadBalancerCreationPolicy:
 # This policy blocks the creation of LoadBalancer type services in the specified namespaces.
 enabled: true
 namespaces:
 - devtroncd
 - argo
+ validationActions: #By default value is DENY
+ - Deny
 appDeletionPolicy:
 # This policy prevents the deletion of applications within the specified namespaces.
 enabled: true
 namespaces:
 - devtroncd
 - argo
-restrictWithoutResourcesPolicy:
- # This policy ensures that deployments specify resource limits and requests, enforcing resource constraints on all pods.
- enabled: true
- namespaces:
- - devtroncd
- - argo
- policies:
- restrictResourceLimitsPolicy:
- # This sub-policy enforces the restriction on resource limits and requests. If maxCPU and maxMemory are not defined, they default to 1000m and 2Gi respectively.
- enabled: true
- namespaces:
- - devtroncd
- - argo
- maxCPULimit: "1000m"
- maxMemoryLimit: "2Gi"
-denyRoleCreationPolicy:
+ validationActions: #By default value is DENY
+ - Deny
+resourcePolicies: # This policy ensures that deployments specify resource limits and requests, enforcing resource constraints on all pods.
+ denyWithoutResource:
+ enabled: true
+ namespaces:
+ - devtroncd
+ - argo
+ validationActions: #By default value is DENY
+ - Deny
+ limitResourcePolicy: # This sub-policy enforces the restriction on resource limits and requests. If maxCPU and maxMemory are not defined, they default to 1000m and 2Gi respectively.
+ enabled: true
+ namespaces:
+ - devtroncd
+ - argo
+ maxCPULimit: "1000m"
+ maxMemoryLimit: "2Gi"
+ validationActions: #By default value is DENY
+ - Deny
+adminRoleCreation:
 # This policy prohibits the creation of new roles within the cluster.
 enabled: true
+ validationActions: #By default value is DENY
+ - Deny
+denyAdminClusterRoleCreation:
+ # This policy prohibits the creation of new roles and cluster-role within the cluster.
+ enabled: true
+ validationActions: #By default value is DENY
+ - Deny
+denyCLusterRoleBindingCreation:
+ # This policy prohibits the creation of clusterRoleBinding with the cluster-admin access
+ enabled: true
+ validationActions: #By default value is DENY
+ - Deny
 withoutReadinessandLivenessProbe:
 # Policy for ensuring readiness and liveness probes are defined for containers
 enabled: true
 namespaces:
 - devtroncd
 - argo
+ validationActions: #By default value is DENY
+ - Deny
 podSecurityPolicy:
 enabled: true # Enable/disable the Pod Security Policy
- runAsNonRoot: true # Allow run as non-root user for better security
- readOnlyRootFilesystem: true # allow root filesystem read-only to prevent runtime modifications
+ allowrunAsNonRoot: true # Allow run as non-root user for better security
+ allowreadOnlyRootFilesystem: true # allow root filesystem read-only to prevent runtime modifications
 allowPrivilegeEscalation: false # Prevent processes from gaining more privileges than their parent
- privileged: false # Disable privileged mode to limit container capabilities on the host
+ allowprivileged: false # Disable privileged mode to limit container capabilities on the host
+ validationActions: #By default value is DENY
+ - Deny
+ 
From f6c710b0b5b8c7ef09d6efc2f2b22c5e559517cc Mon Sep 17 00:00:00 2001
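Review bot: The inline comments added as `validationActions: #By default value is DENY` break the file's own comment style (the existing inline comments use two spaces and `# …`, which is also what yamllint's `comments` rule checks); `validationActions:  # Default is Deny` would be consistent. Two new identifiers look mistyped: `denyCLusterRoleBindingCreation` (capital L), and the context comment `ristrict` just above; since the template files reference these keys verbatim, renaming later is a breaking values change, so it is cheaper to fix now. The comment under `denyAdminClusterRoleCreation` says the policy prohibits "new roles and cluster-role", but the corresponding template matches only `clusterroles`; either narrow the comment or extend the policy to `roles`.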
From: Neha Sharma Date: Wed, 31 Jul 2024 20:19:55 +0530 Subject: [PATCH 07/22] update the policy chart --- .../container-security-context-policy.yaml | 63 +++++++++++++++++ .../pod-security-context-policy.yaml | 62 +++++++++++++++++ .../templates/podSecurityPolicy.yaml | 0 ...ct-admin-cluster-role-creation-policy.yaml | 47 +++++++++++++ .../restrict-application-deletion-policy.yaml | 48 +++++++++++++ ...ng-with-cluster-admin-creation-policy.yaml | 40 +++++++++++ .../restrict-limit-resource-policy.yaml | 67 +++++++++++++++++++ .../restrict-loadbalance-creation.yaml | 48 +++++++++++++ .../restrict-namespace-deletion-policy.yaml | 45 +++++++++++++ .../restrict-pvc-creation-policy.yaml | 47 +++++++++++++ ...ict-without-readiness-liveness-policy.yaml | 38 +++++++++++ .../restrict-without-resource-policy.yaml | 47 +++++++++++++ charts/k8s-shield/values.yaml | 13 ++-- 13 files changed, 560 insertions(+), 5 deletions(-) create mode 100644 charts/k8s-shield/templates/container-security-context-policy.yaml create mode 100644 charts/k8s-shield/templates/pod-security-context-policy.yaml create mode 100644 charts/k8s-shield/templates/podSecurityPolicy.yaml create mode 100644 charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml create mode 100644 charts/k8s-shield/templates/restrict-application-deletion-policy.yaml create mode 100644 charts/k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml create mode 100644 charts/k8s-shield/templates/restrict-limit-resource-policy.yaml create mode 100644 charts/k8s-shield/templates/restrict-loadbalance-creation.yaml create mode 100644 charts/k8s-shield/templates/restrict-namespace-deletion-policy.yaml create mode 100644 charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml create mode 100644 charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml create mode 100644 charts/k8s-shield/templates/restrict-without-resource-policy.yaml 
diff --git a/charts/k8s-shield/templates/container-security-context-policy.yaml b/charts/k8s-shield/templates/container-security-context-policy.yaml
new file mode 100644
index 00000000..7ecb94cd
--- /dev/null
+++ b/charts/k8s-shield/templates/container-security-context-policy.yaml
@@ -0,0 +1,63 @@
+{{- if .Values.containerSecurityPolicy.enabled }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: "{{ include "policychart.fullname" . }}-container-security-policy"
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups:
+ - ""
+ - apps
+ - batch
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - pods
+ - deployments
+ - replicasets
+ - daemonsets
+ - statefulsets
+ - jobs
+ - cronjobs
+ scope: '*'
+ validations:
+ - expression: "object.kind != 'Pod' || object.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == {{ .Values.containerSecurityPolicy.allowrunAsNonRoot }})"
+ message: "All containers must set runAsNonRoot to {{ .Values.containerSecurityPolicy.allowrunAsNonRoot }}"
+ - expression: "object.kind != 'Pod' || object.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.readOnlyRootFilesystem) && c.securityContext.readOnlyRootFilesystem == {{ .Values.containerSecurityPolicy.allowreadOnlyRootFilesystem }})"
+ message: "All containers must set readOnlyRootFilesystem to {{ .Values.containerSecurityPolicy.allowreadOnlyRootFilesystem }}"
+ - expression: "object.kind != 'Pod' || object.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.allowPrivilegeEscalation) || c.securityContext.allowPrivilegeEscalation == {{ .Values.containerSecurityPolicy.allowPrivilegeEscalation }})"
+ message: "All containers must set allowPrivilegeEscalation to {{ .Values.containerSecurityPolicy.allowPrivilegeEscalation }}"
+ - expression: "object.kind != 'Pod' || object.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.privileged) || c.securityContext.privileged == {{ .Values.containerSecurityPolicy.allowprivileged }})"
+ message: "All containers must set privileged to {{ .Values.containerSecurityPolicy.allowprivileged }}"
+ - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == {{ .Values.containerSecurityPolicy.allowrunAsNonRoot }})"
+ message: "All workload containers must set runAsNonRoot to {{ .Values.containerSecurityPolicy.allowrunAsNonRoot }}"
+ - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.readOnlyRootFilesystem) && c.securityContext.readOnlyRootFilesystem == {{ .Values.containerSecurityPolicy.allowreadOnlyRootFilesystem }})"
+ message: "All workload containers must set readOnlyRootFilesystem to {{ .Values.containerSecurityPolicy.allowreadOnlyRootFilesystem }}"
+ - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.allowPrivilegeEscalation) || c.securityContext.allowPrivilegeEscalation == {{ .Values.containerSecurityPolicy.allowPrivilegeEscalation }})"
+ message: "All workload containers must set allowPrivilegeEscalation to {{ .Values.containerSecurityPolicy.allowPrivilegeEscalation }}"
+ - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.privileged) || c.securityContext.privileged == {{ .Values.containerSecurityPolicy.allowprivileged }})"
+ message: "All workload containers must set privileged to {{ .Values.containerSecurityPolicy.allowprivileged }}"
+ - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == {{ .Values.containerSecurityPolicy.allowrunAsNonRoot }})"
+ message: "All CronJob containers must set runAsNonRoot to {{ .Values.containerSecurityPolicy.allowrunAsNonRoot }}"
+ - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.readOnlyRootFilesystem) && c.securityContext.readOnlyRootFilesystem == {{ .Values.containerSecurityPolicy.allowreadOnlyRootFilesystem }})"
+ message: "All CronJob containers must set readOnlyRootFilesystem to {{ .Values.containerSecurityPolicy.allowreadOnlyRootFilesystem }}"
+ - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.allowPrivilegeEscalation) || c.securityContext.allowPrivilegeEscalation == {{ .Values.containerSecurityPolicy.allowPrivilegeEscalation }})"
+ message: "All CronJob containers must set allowPrivilegeEscalation to {{ .Values.containerSecurityPolicy.allowPrivilegeEscalation }}"
+ - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.privileged) || c.securityContext.privileged == {{ .Values.containerSecurityPolicy.allowprivileged }})"
+ message: "All CronJob containers must set privileged to {{ .Values.containerSecurityPolicy.allowprivileged }}"
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: {{ include "policychart.fullname" . }}-container-security-policy-binding
+spec:
+ policyName: {{ include "policychart.fullname" . }}-container-security-policy
+ validationActions:
+ - Deny
+{{- end }}
+ 
diff --git a/charts/k8s-shield/templates/pod-security-context-policy.yaml b/charts/k8s-shield/templates/pod-security-context-policy.yaml
new file mode 100644
index 00000000..ae9334b6
--- /dev/null
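Review bot: The `allowPrivilegeEscalation` and `privileged` validations pass when the field is absent (`!has(c.securityContext) || !has(c.securityContext.allowPrivilegeEscalation) || …`), whereas the `runAsNonRoot`/`readOnlyRootFilesystem` ones require it to be set; an omitted `allowPrivilegeEscalation` leaves `no_new_privs` unset, so a container satisfies this policy while escalation is still possible, and the Pod Security "restricted" profile requires the field to be explicitly `false`. If the values are meant to be enforced, require presence the same way as the first two checks: `has(c.securityContext) && has(c.securityContext.allowPrivilegeEscalation) && c.securityContext.allowPrivilegeEscalation == {{ .Values.containerSecurityPolicy.allowPrivilegeEscalation }}`. The policy also has no `namespaceSelector` and `scope: '*'`, so with `failurePolicy: Fail` it applies to `kube-system` and other infrastructure namespaces whose pods commonly must run as root; every other policy in this chart scopes itself to `.Values.*.namespaces`, and this one should at least exempt system namespaces. Finally, the binding hardcodes `- Deny` although values.yaml declares `containerSecurityPolicy.validationActions`. All three points apply verbatim to the pod-security-context-policy hunk that follows.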
+++ b/charts/k8s-shield/templates/pod-security-context-policy.yaml 
@@ -0,0 +1,62 @@
+{{- if .Values.podSecurityPolicy.enabled }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: "{{ include "policychart.fullname" . }}-pod-security-policy"
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups:
+ - ""
+ - apps
+ - batch
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - pods
+ - deployments
+ - replicasets
+ - daemonsets
+ - statefulsets
+ - jobs
+ - cronjobs
+ scope: '*'
+ validations:
+ - expression: "object.kind != 'Pod' || object.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == {{ .Values.podSecurityPolicy.allowrunAsNonRoot }})"
+ message: "All containers must set runAsNonRoot to {{ .Values.podSecurityPolicy.allowrunAsNonRoot }}"
+ - expression: "object.kind != 'Pod' || object.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.readOnlyRootFilesystem) && c.securityContext.readOnlyRootFilesystem == {{ .Values.podSecurityPolicy.allowreadOnlyRootFilesystem }})"
+ message: "All containers must set readOnlyRootFilesystem to {{ .Values.podSecurityPolicy.allowreadOnlyRootFilesystem }}"
+ - expression: "object.kind != 'Pod' || object.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.allowPrivilegeEscalation) || c.securityContext.allowPrivilegeEscalation == {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }})"
+ message: "All containers must set allowPrivilegeEscalation to {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }}"
+ - expression: "object.kind != 'Pod' || object.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.privileged) || c.securityContext.privileged == {{ .Values.podSecurityPolicy.allowprivileged }})"
+ message: "All containers must set privileged to {{ .Values.podSecurityPolicy.allowprivileged }}"
+ - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == {{ .Values.podSecurityPolicy.allowrunAsNonRoot }})"
+ message: "All workload containers must set runAsNonRoot to {{ .Values.podSecurityPolicy.allowrunAsNonRoot }}"
+ - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.readOnlyRootFilesystem) && c.securityContext.readOnlyRootFilesystem == {{ .Values.podSecurityPolicy.allowreadOnlyRootFilesystem }})"
+ message: "All workload containers must set readOnlyRootFilesystem to {{ .Values.podSecurityPolicy.allowreadOnlyRootFilesystem }}"
+ - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.allowPrivilegeEscalation) || c.securityContext.allowPrivilegeEscalation == {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }})"
+ message: "All workload containers must set allowPrivilegeEscalation to {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }}"
+ - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.privileged) || c.securityContext.privileged == {{ .Values.podSecurityPolicy.allowprivileged }})"
+ message: "All workload containers must set privileged to {{ .Values.podSecurityPolicy.allowprivileged }}"
+ - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == {{ .Values.podSecurityPolicy.allowrunAsNonRoot }})"
+ message: "All CronJob containers must set runAsNonRoot to {{ .Values.podSecurityPolicy.allowrunAsNonRoot }}"
+ - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.readOnlyRootFilesystem) && c.securityContext.readOnlyRootFilesystem == {{ .Values.podSecurityPolicy.allowreadOnlyRootFilesystem }})"
+ message: "All CronJob containers must set readOnlyRootFilesystem to {{ .Values.podSecurityPolicy.allowreadOnlyRootFilesystem }}"
+ - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.allowPrivilegeEscalation) || c.securityContext.allowPrivilegeEscalation == {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }})"
+ message: "All CronJob containers must set allowPrivilegeEscalation to {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }}"
+ - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.privileged) || c.securityContext.privileged == {{ .Values.podSecurityPolicy.allowprivileged }})"
+ message: "All CronJob containers must set privileged to {{ .Values.podSecurityPolicy.allowprivileged }}"
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: {{ include "policychart.fullname" . }}-pod-security-policy-binding
+spec:
+ policyName: {{ include "policychart.fullname" . }}-pod-security-policy
+ validationActions:
+ - Deny
+{{- end }}
diff --git a/charts/k8s-shield/templates/podSecurityPolicy.yaml b/charts/k8s-shield/templates/podSecurityPolicy.yaml
new file mode 100644
index 00000000..e69de29b
diff --git a/charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml b/charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml
new file mode 100644
index 00000000..51ca4f65
--- /dev/null
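Review bot: Despite its name, this policy never reads the pod-level `object.spec.securityContext`; all twelve expressions are a verbatim copy of the container-security-context policy with `.Values.podSecurityPolicy.*` substituted, so the two policies test the same per-container fields twice. Because both bindings are `Deny` and both value blocks default to `enabled: true`, any divergence between `podSecurityPolicy` and `containerSecurityPolicy` values (one requiring `runAsNonRoot == true`, the other `false`) rejects every matching workload, since a boolean cannot satisfy both. Either make this file check pod-level settings (e.g. `has(object.spec.securityContext) && object.spec.securityContext.runAsNonRoot == …`) or drop one of the two value blocks and policies. An empty `podSecurityPolicy.yaml` is also created in this commit and looks like a leftover.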
+++ b/charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml
@@ -0,0 +1,47 @@
+{{- if $.Values.denyAdminClusterRoleCreation.enabled }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: {{ include "policychart.fullname" . }}-deny-role-creation
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ matchPolicy: Equivalent
+ namespaceSelector: {}
+ objectSelector: {}
+ resourceRules:
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ apiVersions:
+ - "*"
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - clusterroles
+ scope: '*'
+ validations:
+ - expression: "!has(object.rules) || object.rules.all(rule,
+ !(rule.apiGroups.exists(g, g == '*') &&
+ rule.resources.exists(r, r == '*') &&
+ rule.verbs.exists(v, v == '*')) &&
+ !(rule.nonResourceURLs.exists(u, u == '*') &&
+ rule.verbs.exists(v, v == '*'))
+ )"
+ message: Deny Creation of ClusterRole with admin access
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: {{ include "policychart.fullname" . }}-deny-role-creation-binding
+spec:
+ matchResources:
+ matchPolicy: Equivalent
+ namespaceSelector: {}
+ objectSelector: {}
+ policyName: {{ include "policychart.fullname" . }}-deny-role-creation
+ validationActions:
+ {{- range .Values.denyPvcCreationPolicy.validationActions }}
+ - {{ . }}
+ {{- end }}
+{{- end }}
diff --git a/charts/k8s-shield/templates/restrict-application-deletion-policy.yaml b/charts/k8s-shield/templates/restrict-application-deletion-policy.yaml
new file mode 100644
index 00000000..0bc9c1ed
--- /dev/null
+++ b/charts/k8s-shield/templates/restrict-application-deletion-policy.yaml
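Review bot: `rule.nonResourceURLs.exists(…)` is evaluated for every rule, but `nonResourceURLs` (like `apiGroups` and `resources`) is optional on a PolicyRule, and as far as I can tell Kubernetes' CEL environment reports access to an absent field as an evaluation error; with `failurePolicy: Fail` that error denies the request, so every ordinary ClusterRole whose rules carry only resource fields would be rejected. Guard each optional list with `has()` before calling `exists` on it, as sketched below. The policy name `-deny-role-creation` and the values comment talk about roles, yet only `clusterroles` is matched; either add `roles` (the `scope: '*'` already permits it) or rename the policy to match what it does.
```yaml
  validations:
    - expression: "!has(object.rules) || object.rules.all(rule,
        !(has(rule.apiGroups) && rule.apiGroups.exists(g, g == '*') &&
          has(rule.resources) && rule.resources.exists(r, r == '*') &&
          rule.verbs.exists(v, v == '*')) &&
        !(has(rule.nonResourceURLs) && rule.nonResourceURLs.exists(u, u == '*') &&
          rule.verbs.exists(v, v == '*'))
        )"
      message: Deny Creation of ClusterRole with admin access
# … unchanged: binding …
```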
@@ -0,0 +1,48 @@
+{{- if $.Values.appDeletionPolicy.enabled }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: {{ include "policychart.fullname" . }}-prevent-app-deletion
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ matchPolicy: Equivalent
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values:
+ {{- range .Values.appDeletionPolicy.namespaces }}
+ - {{ . | quote }}
+ {{- end }}
+ objectSelector: {}
+ resourceRules:
+ - apiGroups:
+ - argoproj.io
+ apiVersions:
+ - v1alpha1
+ operations:
+ - DELETE
+ resources:
+ - applications
+ scope: Namespaced
+ validations:
+ - expression: "false"
+ message: Deletion of application is not allowed.
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: {{ include "policychart.fullname" . }}-prevent-app-deletion-binding
+spec:
+ matchResources:
+ matchPolicy: Equivalent
+ namespaceSelector: {}
+ objectSelector: {}
+ policyName: {{ include "policychart.fullname" . }}-prevent-app-deletion
+ validationActions:
+ {{- range .Values.denyPvcCreationPolicy.validationActions }}
+ - {{ . }}
+ {{- end }}
+{{- end }}
+ 
diff --git a/charts/k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml b/charts/k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml
new file mode 100644
index 00000000..a4adce64
--- /dev/null
+++ b/charts/k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml
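Review bot: `expression: "false"` denies every DELETE of an Argo Application in the listed namespaces with no exemption, so the only sanctioned way to remove one is to disable the policy or edit the binding; if an operational path is wanted, a `matchConditions` entry on the policy that excludes a named break-glass user or service account via `request.userInfo` is the idiomatic place for it, and the values comment should say which it is. The binding's `matchResources` block (`matchPolicy`, two empty selectors) only restates defaults already set in the policy's `matchConstraints` and can be dropped, as the probes and limit-resource bindings do. Both remarks apply equally to the namespace-deletion and PVC-creation hunks that follow.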
@@ -0,0 +1,40 @@
+{{- if $.Values.denyCLusterRoleBindingCreation.enabled }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: {{ include "policychart.fullname" . }}restrict-cluster-admin-binding
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ matchPolicy: Equivalent
+ namespaceSelector: {}
+ objectSelector: {}
+ resourceRules:
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ apiVersions:
+ - "*"
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - clusterrolebindings
+ scope: '*'
+ validations:
+ - expression: "!(object.roleRef.apiGroup == 'rbac.authorization.k8s.io' &&
+ object.roleRef.kind == 'ClusterRole' &&
+ object.roleRef.name == 'cluster-admin')"
+ message: "Binding to the cluster-admin ClusterRole is not allowed due to security policy."
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: {{ include "policychart.fullname" . }}restrict-cluster-admin-binding-policy
+spec:
+ policyName: {{ include "policychart.fullname" . }}restrict-cluster-admin-binding
+ validationActions:
+ {{- range .Values.denyPvcCreationPolicy.validationActions }}
+ - {{ . }}
+ {{- end }}
+{{- end }}
+ 
diff --git a/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml b/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml
new file mode 100644
index 00000000..f4907307
--- /dev/null
+++ b/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml
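Review bot: All three resource names in this file lack the `-` separator after the fullname helper (`{{ include "policychart.fullname" . }}restrict-cluster-admin-binding`), so a release named `k8s-shield` renders `k8s-shieldrestrict-cluster-admin-binding`; write `{{ include "policychart.fullname" . }}-restrict-cluster-admin-binding` and, for the binding object, follow the `-binding` suffix convention of the other files instead of `-binding-policy`. The policy matches only `clusterrolebindings`; a namespaced RoleBinding whose `roleRef` is the `cluster-admin` ClusterRole is not covered, which should be stated in the values comment if it is intentional or added as a second resource (`rolebindings`) if not.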
@@ -0,0 +1,67 @@
+{{- if .Values.resourcePolicies.limitResourcePolicy.enabled }}
+{{- $maxCPU := .Values.resourcePolicies.limitResourcePolicy.maxCPULimit | default "1000m" }}
+{{- $maxMemory := .Values.resourcePolicies.limitResourcePolicy.maxMemoryLimit | default "2Gi" }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: {{ include "policychart.fullname" . }}-restrict-resource-limits
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ matchPolicy: Equivalent
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values:
+ {{- range .Values.resourcePolicies.limitResourcePolicy.namespaces }}
+ - {{ . | quote }}
+ {{- end }}
+ objectSelector: {}
+ resourceRules:
+ - apiGroups:
+ - ""
+ - apps
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - pods
+ - deployments
+ - statefulsets
+ scope: Namespaced
+ validations:
+ - expression: |-
+ has(object.spec.template) ?
+ (
+ !has(object.spec.template.spec.containers[0].resources.limits) || (
+ (!has(object.spec.template.spec.containers[0].resources.limits.cpu) ||
+ quantity(object.spec.template.spec.containers[0].resources.limits.cpu).compareTo(quantity('{{ $maxCPU }}')) <= 0) &&
+ (!has(object.spec.template.spec.containers[0].resources.limits.memory) ||
+ quantity(object.spec.template.spec.containers[0].resources.limits.memory).compareTo(quantity('{{ $maxMemory }}')) <= 0)
+ )
+ ) :
+ (
+ !has(object.spec.containers[0].resources.limits) || (
+ (!has(object.spec.containers[0].resources.limits.cpu) ||
+ quantity(object.spec.containers[0].resources.limits.cpu).compareTo(quantity('{{ $maxCPU }}')) <= 0) &&
+ (!has(object.spec.containers[0].resources.limits.memory) ||
+ quantity(object.spec.containers[0].resources.limits.memory).compareTo(quantity('{{ $maxMemory }}')) <= 0)
+ )
+ )
+ message: "Resource limits exceed the maximum allowed. CPU must be <= {{ $maxCPU }} and memory must be <= {{ $maxMemory }}."
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: {{ include "policychart.fullname" . }}-restrict-resource-limits-binding
+spec:
+ policyName: {{ include "policychart.fullname" . }}-restrict-resource-limits
+ validationActions:
+ {{- range .Values.denyPvcCreationPolicy.validationActions }}
+ - {{ . }}
+ {{- end }}
+{{- end }}
+ 
diff --git a/charts/k8s-shield/templates/restrict-loadbalance-creation.yaml b/charts/k8s-shield/templates/restrict-loadbalance-creation.yaml
new file mode 100644
index 00000000..0deb3281
--- /dev/null
+++ b/charts/k8s-shield/templates/restrict-loadbalance-creation.yaml
@@ -0,0 +1,48 @@
+{{- if $.Values.denyloadBalancerCreationPolicy.enabled}}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: {{ include "policychart.fullname" . }}-deny-loadbalancer-services
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ matchPolicy: Equivalent
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values:
+ {{- range .Values.denyloadBalancerCreationPolicy.namespaces }}
+ - {{ . | quote }}
+ {{- end }}
+ objectSelector: {}
+ resourceRules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ resources:
+ - services
+ scope: Namespaced
+ validations:
+ - expression: object.spec.type != 'LoadBalancer'
+ message: Creation of Services with type LoadBalancer is not allowed.
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: {{ include "policychart.fullname" . }}-deny-loadbalancer-services-binding
+spec:
+ matchResources:
+ matchPolicy: Equivalent
+ namespaceSelector: {}
+ objectSelector: {}
+ policyName: {{ include "policychart.fullname" . }}-deny-loadbalancer-services
+ validationActions:
+ {{- range .Values.denyPvcCreationPolicy.validationActions }}
+ - {{ . }}
+ {{- end }}
+{{- end }}
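Review bot: The validation inspects only `containers[0]`, so a second container (or any initContainer) can carry limits above `{{ $maxCPU }}`/`{{ $maxMemory }}` and still be admitted, while the message claims a general cap. Iterating with `.all(c, …)` over the container list removes the index and makes the check hold for every container; a sketch is below, keeping the `has(object.spec.template)` branch because the policy matches both Pods and templated workloads, and `initContainers` can be folded in the same way. I would also add a short comment above `validations:` stating that a container with no `limits` at all is accepted here by design (the without-resource policy is what requires them), since `!has(c.resources.limits) ||` reads like an oversight otherwise.
```yaml
  validations:
    - expression: |-
        (has(object.spec.template) ? object.spec.template.spec.containers : object.spec.containers).all(c,
          !has(c.resources.limits) || (
            (!has(c.resources.limits.cpu) ||
              quantity(c.resources.limits.cpu).compareTo(quantity('{{ $maxCPU }}')) <= 0) &&
            (!has(c.resources.limits.memory) ||
              quantity(c.resources.limits.memory).compareTo(quantity('{{ $maxMemory }}')) <= 0)
          )
        )
      message: "Resource limits exceed the maximum allowed. CPU must be <= {{ $maxCPU }} and memory must be <= {{ $maxMemory }}."
# … unchanged: binding …
```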
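Review bot: `operations` lists only `CREATE`, so an existing ClusterIP Service patched to `type: LoadBalancer` is admitted; the other policies in this chart match `CREATE` and `UPDATE`, and `object.spec.type != 'LoadBalancer'` is already correct for updates, so add `- UPDATE` under `operations:`. The `---` directly after `{{- if … }}` emits an empty leading document that the other templates avoid; harmless, but inconsistent, and the namespace-deletion file does the same. The missing space in `{{- if $.Values.denyloadBalancerCreationPolicy.enabled}}` is likewise a style nit against the rest of the chart.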
diff --git a/charts/k8s-shield/templates/restrict-namespace-deletion-policy.yaml b/charts/k8s-shield/templates/restrict-namespace-deletion-policy.yaml
new file mode 100644
index 00000000..0610bb13
--- /dev/null
+++ b/charts/k8s-shield/templates/restrict-namespace-deletion-policy.yaml
@@ -0,0 +1,45 @@
+{{- if $.Values.namespaceDeletionPolicy.enabled }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: {{ include "policychart.fullname" . }}-deny-namespace-deletion
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ matchPolicy: Equivalent
+ namespaceSelector: {}
+ objectSelector: {}
+ resourceRules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - DELETE
+ resourceNames:
+ {{- range $.Values.namespaceDeletionPolicy.namespaces }}
+ - {{ . }}
+ {{- end }}
+ resources:
+ - namespaces
+ scope: "*"
+ validations:
+ - expression: "false"
+ message: Deletion of namespace is not allowed.
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: {{ include "policychart.fullname" . }}-deny-namespace-deletion-binding
+spec:
+ matchResources:
+ matchPolicy: Equivalent
+ namespaceSelector: {}
+ objectSelector: {}
+ policyName: {{ include "policychart.fullname" . }}-deny-namespace-deletion
+ validationActions:
+ {{- range .Values.denyPvcCreationPolicy.validationActions }}
+ - {{ . }}
+ {{- end }}
+{{- end }}
diff --git a/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml b/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml
new file mode 100644
index 00000000..104c2762
--- /dev/null
+++ b/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml
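Review bot: `resourceNames` items are emitted as `- {{ . }}` while every other template quotes list values (`- {{ . | quote }}`); namespace names are DNS labels today so this is a consistency point, but quoting protects against YAML re-typing if a value like `on` or `1e3` ever lands in `namespaceDeletionPolicy.namespaces`. This is also the only policy that selects by `resourceNames` rather than `namespaceSelector`, which is correct because the Namespace object itself is the thing being deleted; a one-line comment above `resourceNames:` saying so would save the next reader a detour.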
@@ -0,0 +1,47 @@
+{{- if $.Values.denyPvcCreationPolicy.enabled }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: {{ include "policychart.fullname" . }}-deny-pv-pvc-creation
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ matchPolicy: Equivalent
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values:
+ {{- range .Values.denyPvcCreationPolicy.namespaces }}
+ - {{ . | quote }}
+ {{- end }}
+ objectSelector: {}
+ resourceRules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ resources:
+ - persistentvolumeclaims
+ scope: Namespaced
+ validations:
+ - expression: "false"
+ message: Creation of PersistentVolumeClaims is not allowed.
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: {{ include "policychart.fullname" . }}-deny-pv-pvc-creation-binding
+spec:
+ matchResources:
+ matchPolicy: Equivalent
+ namespaceSelector: {}
+ objectSelector: {}
+ policyName: {{ include "policychart.fullname" . }}-deny-pv-pvc-creation
+ validationActions:
+ {{- range .Values.denyPvcCreationPolicy.validationActions }}
+ - {{ . }}
+ {{- end }}
+{{- end }}
diff --git a/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml b/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml
new file mode 100644
index 00000000..a9ecc7d9
--- /dev/null
+++ b/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml
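Review bot: The names `-deny-pv-pvc-creation` and `-deny-pv-pvc-creation-binding` promise PersistentVolume coverage, but `resources` lists only `persistentvolumeclaims`, and `scope: Namespaced` would exclude cluster-scoped PVs in any case; either rename to `-deny-pvc-creation` or add a separate cluster-scoped rule for `persistentvolumes`. The message `Creation of PersistentVolumeClaims is not allowed.` is accurate as written and can stay.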
@@ -0,0 +1,38 @@
+{{- if $.Values.withoutReadinessandLivenessProbe.enabled }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: {{ include "policychart.fullname" . }}-require-probes-policy
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ matchPolicy: Equivalent
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values:
+ {{- range .Values.withoutReadinessandLivenessProbe.namespaces }}
+ - {{ . | quote }}
+ {{- end }}
+ resourceRules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["pods"]
+ scope: Namespaced
+ validations:
+ - expression: "object.spec.containers.all(c, has(c.readinessProbe) && has(c.livenessProbe))"
+ message: "All containers in the pod must have both a readiness probe and a liveness probe defined."
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: {{ include "policychart.fullname" . }}-require-probes-policy-binding
+spec:
+ policyName: {{ include "policychart.fullname" . }}-require-probes-policy
+ validationActions:
+ {{- range .Values.denyPvcCreationPolicy.validationActions }}
+ - {{ . }}
+ {{- end }}
+{{- end }}
diff --git a/charts/k8s-shield/templates/restrict-without-resource-policy.yaml b/charts/k8s-shield/templates/restrict-without-resource-policy.yaml
new file mode 100644
index 00000000..96aa8fe8
--- /dev/null
+++ b/charts/k8s-shield/templates/restrict-without-resource-policy.yaml
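Review bot: `resourceRules` uses flow style (`apiGroups: [""]`, `resources: ["pods"]`) while every other template in this chart uses block sequences; block style would match the rest. Because only `pods` is matched, a Deployment whose template lacks probes is admitted and its ReplicaSet then fails to create pods, which surfaces only in controller events; the security-context policies match the workload kinds too, and this policy (and the without-resource one in the next hunk) would give earlier, clearer feedback by adding `deployments`, `statefulsets` and `daemonsets` under `apps` with a `has(object.spec.template)` branch in the expression, as the limit-resource policy already does.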
@@ -0,0 +1,47 @@
+{{- if $.Values.resourcePolicies.denyWithoutResource.enabled }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: {{ include "policychart.fullname" . }}-require-pod-resources
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ matchPolicy: Equivalent
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values:
+ {{- range .Values.resourcePolicies.denyWithoutResource.namespaces }}
+ - {{ . | quote }}
+ {{- end }}
+ resourceRules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - pods
+ scope: Namespaced
+ validations:
+ - expression: "object.spec.containers.all(c, has(c.resources) && has(c.resources.requests) && has(c.resources.limits) && has(c.resources.requests.cpu) && has(c.resources.requests.memory) && has(c.resources.limits.cpu) && has(c.resources.limits.memory))"
+ message: "All containers in the pod must have both CPU and memory requests and limits specified."
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: {{ include "policychart.fullname" . }}-require-pod-resources-binding
+spec:
+ matchResources:
+ matchPolicy: Equivalent
+ namespaceSelector: {}
+ objectSelector: {}
+ policyName: {{ include "policychart.fullname" . }}-require-pod-resources
+ validationActions:
+ {{- range .Values.denyPvcCreationPolicy.validationActions }}
+ - {{ . }}
+ {{- end }}
+{{- end }}
diff --git a/charts/k8s-shield/values.yaml b/charts/k8s-shield/values.yaml
index e82af06c..02f6ae16 100644
--- a/charts/k8s-shield/values.yaml
+++ b/charts/k8s-shield/values.yaml
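Review bot: The expression checks `object.spec.containers` only; `initContainers` also need requests and limits for scheduling and ResourceQuota accounting, so a pod whose init container has no `resources` passes this policy while still being unbounded. One way to fold them in without touching the per-container test is `(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : [])).all(c, has(c.resources) && …)`. The `matchResources` block on the binding restates policy defaults and could be dropped for consistency with the probes binding.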
@@ -47,11 +47,6 @@ resourcePolicies: # This policy ensures that deployments specify resource lim
 maxMemoryLimit: "2Gi"
 validationActions: #By default value is DENY
 - Deny
-adminRoleCreation:
- # This policy prohibits the creation of new roles within the cluster.
- enabled: true
- validationActions: #By default value is DENY
- - Deny
 denyAdminClusterRoleCreation:
 # This policy prohibits the creation of new roles and cluster-role within the cluster.
 enabled: true
@@ -78,4 +73,12 @@ podSecurityPolicy:
 allowprivileged: false # Disable privileged mode to limit container capabilities on the host
 validationActions: #By default value is DENY
 - Deny
+containerSecurityPolicy:
+ enabled: true # Enable/disable the container Security Policy
+ allowrunAsNonRoot: true # Allow run as non-root user for better security
+ allowreadOnlyRootFilesystem: true # allow root filesystem read-only to prevent runtime modifications
+ allowPrivilegeEscalation: false # Prevent processes from gaining more privileges than their parent
+ allowprivileged: false # Disable privileged mode to limit container capabilities on the host
+ validationActions: #By default value is DENY
+ - Deny
From 6369d68c10b01f403608dd1af21c2b1fd21ecfb1 Mon Sep 17 00:00:00 2001
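Review bot: The new `containerSecurityPolicy` block duplicates `podSecurityPolicy` key for key, and its comments describe `allowrunAsNonRoot: true` as "Allow run as non-root", whereas the pod-security template elsewhere in this series compares `c.securityContext.runAsNonRoot == {{ .Values.podSecurityPolicy.allowrunAsNonRoot }}`, i.e. the value is the setting the policy requires, not a permission it grants. None of the templates visible in this series reads `containerSecurityPolicy`, so it is unclear what consumes it; if a later commit adds the template, name it in a comment here, otherwise drop the block so the chart has one source of truth for container hardening. Reword the comments to state the enforced value, e.g. `allowrunAsNonRoot: true  # Required value of securityContext.runAsNonRoot on every container`, and put a space after `#` in `#By default value is DENY` so yamllint's comments rule passes.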
From: Neha Sharma Date: Wed, 31 Jul 2024 20:55:32 +0530 Subject: [PATCH 08/22] update the policy chart --- .../templates/deny_appliaction_deletion.yaml | 48 ------------- .../templates/deny_cluster_creation.yaml | 47 ------------- .../templates/deny_cluster_role_binding.yaml | 40 ----------- .../templates/deny_loadbalancer_creation.yaml | 48 ------------- .../templates/deny_namespace_deletion.yaml | 45 ------------- .../templates/deny_pvc_creation.yaml | 47 ------------- charts/k8s-shield/templates/podSecurityPolicy | 62 ----------------- .../templates/podSecurityPolicy.yaml | 0 .../templates/pod_security_policy.yaml | 62 ----------------- .../templates/resources_not_define.yaml | 47 ------------- .../templates/restrict_resource.yaml | 67 ------------------- .../templates/restrict_without_probes.yaml | 38 ----------- 12 files changed, 551 deletions(-) delete mode 100644 charts/k8s-shield/templates/deny_appliaction_deletion.yaml delete mode 100644 charts/k8s-shield/templates/deny_cluster_creation.yaml delete mode 100644 charts/k8s-shield/templates/deny_cluster_role_binding.yaml delete mode 100644 charts/k8s-shield/templates/deny_loadbalancer_creation.yaml delete mode 100644 charts/k8s-shield/templates/deny_namespace_deletion.yaml delete mode 100644 charts/k8s-shield/templates/deny_pvc_creation.yaml delete mode 100644 charts/k8s-shield/templates/podSecurityPolicy delete mode 100644 charts/k8s-shield/templates/podSecurityPolicy.yaml delete mode 100644 charts/k8s-shield/templates/pod_security_policy.yaml delete mode 100644 charts/k8s-shield/templates/resources_not_define.yaml delete mode 100644 charts/k8s-shield/templates/restrict_resource.yaml delete mode 100644 charts/k8s-shield/templates/restrict_without_probes.yaml diff --git a/charts/k8s-shield/templates/deny_appliaction_deletion.yaml b/charts/k8s-shield/templates/deny_appliaction_deletion.yaml deleted file mode 100644 index 0bc9c1ed..00000000 
--- a/charts/k8s-shield/templates/deny_appliaction_deletion.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-{{- if $.Values.appDeletionPolicy.enabled }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicy
-metadata:
- name: {{ include "policychart.fullname" . }}-prevent-app-deletion
-spec:
- failurePolicy: Fail
- matchConstraints:
- matchPolicy: Equivalent
- namespaceSelector:
- matchExpressions:
- - key: kubernetes.io/metadata.name
- operator: In
- values:
- {{- range .Values.appDeletionPolicy.namespaces }}
- - {{ . | quote }}
- {{- end }}
- objectSelector: {}
- resourceRules:
- - apiGroups:
- - argoproj.io
- apiVersions:
- - v1alpha1
- operations:
- - DELETE
- resources:
- - applications
- scope: Namespaced
- validations:
- - expression: "false"
- message: Deletion of application is not allowed.
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicyBinding
-metadata:
- name: {{ include "policychart.fullname" . }}-prevent-app-deletion-binding
-spec:
- matchResources:
- matchPolicy: Equivalent
- namespaceSelector: {}
- objectSelector: {}
- policyName: {{ include "policychart.fullname" . }}-prevent-app-deletion
- validationActions:
- {{- range .Values.denyPvcCreationPolicy.validationActions }}
- - {{ . }}
- {{- end }}
-{{- end }}
-
diff --git a/charts/k8s-shield/templates/deny_cluster_creation.yaml b/charts/k8s-shield/templates/deny_cluster_creation.yaml
deleted file mode 100644
index 51ca4f65..00000000
--- a/charts/k8s-shield/templates/deny_cluster_creation.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-{{- if $.Values.denyAdminClusterRoleCreation.enabled }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicy
-metadata:
- name: {{ include "policychart.fullname" . }}-deny-role-creation
-spec:
- failurePolicy: Fail
- matchConstraints:
- matchPolicy: Equivalent
- namespaceSelector: {}
- objectSelector: {}
- resourceRules:
- - apiGroups:
- - rbac.authorization.k8s.io
- apiVersions:
- - "*"
- operations:
- - CREATE
- - UPDATE
- resources:
- - clusterroles
- scope: '*'
- validations:
- - expression: "!has(object.rules) || object.rules.all(rule,
- !(rule.apiGroups.exists(g, g == '*') &&
- rule.resources.exists(r, r == '*') &&
- rule.verbs.exists(v, v == '*')) &&
- !(rule.nonResourceURLs.exists(u, u == '*') &&
- rule.verbs.exists(v, v == '*'))
- )"
- message: Deny Creation of ClusterRole with admin access
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicyBinding
-metadata:
- name: {{ include "policychart.fullname" . }}-deny-role-creation-binding
-spec:
- matchResources:
- matchPolicy: Equivalent
- namespaceSelector: {}
- objectSelector: {}
- policyName: {{ include "policychart.fullname" . }}-deny-role-creation
- validationActions:
- {{- range .Values.denyPvcCreationPolicy.validationActions }}
- - {{ . }}
- {{- end }}
-{{- end }}
diff --git a/charts/k8s-shield/templates/deny_cluster_role_binding.yaml b/charts/k8s-shield/templates/deny_cluster_role_binding.yaml
deleted file mode 100644
index a4adce64..00000000
--- a/charts/k8s-shield/templates/deny_cluster_role_binding.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-{{- if $.Values.denyCLusterRoleBindingCreation.enabled }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicy
-metadata:
- name: {{ include "policychart.fullname" . }}restrict-cluster-admin-binding
-spec:
- failurePolicy: Fail
- matchConstraints:
- matchPolicy: Equivalent
- namespaceSelector: {}
- objectSelector: {}
- resourceRules:
- - apiGroups:
- - rbac.authorization.k8s.io
- apiVersions:
- - "*"
- operations:
- - CREATE
- - UPDATE
- resources:
- - clusterrolebindings
- scope: '*'
- validations:
- - expression: "!(object.roleRef.apiGroup == 'rbac.authorization.k8s.io' &&
- object.roleRef.kind == 'ClusterRole' &&
- object.roleRef.name == 'cluster-admin')"
- message: "Binding to the cluster-admin ClusterRole is not allowed due to security policy."
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicyBinding
-metadata:
- name: {{ include "policychart.fullname" . }}restrict-cluster-admin-binding-policy
-spec:
- policyName: {{ include "policychart.fullname" . }}restrict-cluster-admin-binding
- validationActions:
- {{- range .Values.denyPvcCreationPolicy.validationActions }}
- - {{ . }}
- {{- end }}
-{{- end }}
-
diff --git a/charts/k8s-shield/templates/deny_loadbalancer_creation.yaml b/charts/k8s-shield/templates/deny_loadbalancer_creation.yaml
deleted file mode 100644
index 0deb3281..00000000
--- a/charts/k8s-shield/templates/deny_loadbalancer_creation.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-{{- if $.Values.denyloadBalancerCreationPolicy.enabled}}
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicy
-metadata:
- name: {{ include "policychart.fullname" . }}-deny-loadbalancer-services
-spec:
- failurePolicy: Fail
- matchConstraints:
- matchPolicy: Equivalent
- namespaceSelector:
- matchExpressions:
- - key: kubernetes.io/metadata.name
- operator: In
- values:
- {{- range .Values.denyloadBalancerCreationPolicy.namespaces }}
- - {{ . | quote }}
- {{- end }}
- objectSelector: {}
- resourceRules:
- - apiGroups:
- - ""
- apiVersions:
- - v1
- operations:
- - CREATE
- resources:
- - services
- scope: Namespaced
- validations:
- - expression: object.spec.type != 'LoadBalancer'
- message: Creation of Services with type LoadBalancer is not allowed.
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicyBinding
-metadata:
- name: {{ include "policychart.fullname" . }}-deny-loadbalancer-services-binding
-spec:
- matchResources:
- matchPolicy: Equivalent
- namespaceSelector: {}
- objectSelector: {}
- policyName: {{ include "policychart.fullname" . }}-deny-loadbalancer-services
- validationActions:
- {{- range .Values.denyPvcCreationPolicy.validationActions }}
- - {{ . }}
- {{- end }}
-{{- end }}
diff --git a/charts/k8s-shield/templates/deny_namespace_deletion.yaml b/charts/k8s-shield/templates/deny_namespace_deletion.yaml
deleted file mode 100644
index 0610bb13..00000000
--- a/charts/k8s-shield/templates/deny_namespace_deletion.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-{{- if $.Values.namespaceDeletionPolicy.enabled }}
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicy
-metadata:
- name: {{ include "policychart.fullname" . }}-deny-namespace-deletion
-spec:
- failurePolicy: Fail
- matchConstraints:
- matchPolicy: Equivalent
- namespaceSelector: {}
- objectSelector: {}
- resourceRules:
- - apiGroups:
- - ""
- apiVersions:
- - v1
- operations:
- - DELETE
- resourceNames:
- {{- range $.Values.namespaceDeletionPolicy.namespaces }}
- - {{ . }}
- {{- end }}
- resources:
- - namespaces
- scope: "*"
- validations:
- - expression: "false"
- message: Deletion of namespace is not allowed.
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicyBinding
-metadata:
- name: {{ include "policychart.fullname" . }}-deny-namespace-deletion-binding
-spec:
- matchResources:
- matchPolicy: Equivalent
- namespaceSelector: {}
- objectSelector: {}
- policyName: {{ include "policychart.fullname" . }}-deny-namespace-deletion
- validationActions:
- {{- range .Values.denyPvcCreationPolicy.validationActions }}
- - {{ . }}
- {{- end }}
-{{- end }}
diff --git a/charts/k8s-shield/templates/deny_pvc_creation.yaml b/charts/k8s-shield/templates/deny_pvc_creation.yaml
deleted file mode 100644
index 104c2762..00000000
--- a/charts/k8s-shield/templates/deny_pvc_creation.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-{{- if $.Values.denyPvcCreationPolicy.enabled }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicy
-metadata:
- name: {{ include "policychart.fullname" . }}-deny-pv-pvc-creation
-spec:
- failurePolicy: Fail
- matchConstraints:
- matchPolicy: Equivalent
- namespaceSelector:
- matchExpressions:
- - key: kubernetes.io/metadata.name
- operator: In
- values:
- {{- range .Values.denyPvcCreationPolicy.namespaces }}
- - {{ . | quote }}
- {{- end }}
- objectSelector: {}
- resourceRules:
- - apiGroups:
- - ""
- apiVersions:
- - v1
- operations:
- - CREATE
- resources:
- - persistentvolumeclaims
- scope: Namespaced
- validations:
- - expression: "false"
- message: Creation of PersistentVolumeClaims is not allowed.
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicyBinding
-metadata:
- name: {{ include "policychart.fullname" . }}-deny-pv-pvc-creation-binding
-spec:
- matchResources:
- matchPolicy: Equivalent
- namespaceSelector: {}
- objectSelector: {}
- policyName: {{ include "policychart.fullname" . }}-deny-pv-pvc-creation
- validationActions:
- {{- range .Values.denyPvcCreationPolicy.validationActions }}
- - {{ . }}
- {{- end }}
-{{- end }}
diff --git a/charts/k8s-shield/templates/podSecurityPolicy b/charts/k8s-shield/templates/podSecurityPolicy
deleted file mode 100644
index ae9334b6..00000000
--- a/charts/k8s-shield/templates/podSecurityPolicy
+++ /dev/null
@@ -1,62 +0,0 @@ -{{- if .Values.podSecurityPolicy.enabled }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "{{ include "policychart.fullname" . }}-pod-security-policy" -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - "" - - apps - - batch - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - pods - - deployments - - replicasets - - daemonsets - - statefulsets - - jobs - - cronjobs - scope: '*' - validations: - - expression: "object.kind != 'Pod' || object.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == {{ .Values.podSecurityPolicy.allowrunAsNonRoot }})" - message: "All containers must set runAsNonRoot to {{ .Values.podSecurityPolicy.allowrunAsNonRoot }}" - - expression: "object.kind != 'Pod' || object.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.readOnlyRootFilesystem) && c.securityContext.readOnlyRootFilesystem == {{ .Values.podSecurityPolicy.allowreadOnlyRootFilesystem }})" - message: "All containers must set readOnlyRootFilesystem to {{ .Values.podSecurityPolicy.allowreadOnlyRootFilesystem }}" - - expression: "object.kind != 'Pod' || object.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.allowPrivilegeEscalation) || c.securityContext.allowPrivilegeEscalation == {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }})" - message: "All containers must set allowPrivilegeEscalation to {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }}" - - expression: "object.kind != 'Pod' || object.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.privileged) || c.securityContext.privileged == {{ .Values.podSecurityPolicy.allowprivileged }})" - message: "All containers must set privileged to {{ .Values.podSecurityPolicy.allowprivileged }}" - - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 
'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == {{ .Values.podSecurityPolicy.allowrunAsNonRoot }})" - message: "All workload containers must set runAsNonRoot to {{ .Values.podSecurityPolicy.allowrunAsNonRoot }}" - - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.readOnlyRootFilesystem) && c.securityContext.readOnlyRootFilesystem == {{ .Values.podSecurityPolicy.allowreadOnlyRootFilesystem }})" - message: "All workload containers must set readOnlyRootFilesystem to {{ .Values.podSecurityPolicy.allowreadOnlyRootFilesystem }}" - - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.allowPrivilegeEscalation) || c.securityContext.allowPrivilegeEscalation == {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }})" - message: "All workload containers must set allowPrivilegeEscalation to {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }}" - - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.privileged) || c.securityContext.privileged == {{ .Values.podSecurityPolicy.allowprivileged }})" - message: "All workload containers must set privileged to {{ .Values.podSecurityPolicy.allowprivileged }}" - - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == {{ .Values.podSecurityPolicy.allowrunAsNonRoot }})" - message: "All CronJob containers 
must set runAsNonRoot to {{ .Values.podSecurityPolicy.allowrunAsNonRoot }}" - - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.readOnlyRootFilesystem) && c.securityContext.readOnlyRootFilesystem == {{ .Values.podSecurityPolicy.allowreadOnlyRootFilesystem }})" - message: "All CronJob containers must set readOnlyRootFilesystem to {{ .Values.podSecurityPolicy.allowreadOnlyRootFilesystem }}" - - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.allowPrivilegeEscalation) || c.securityContext.allowPrivilegeEscalation == {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }})" - message: "All CronJob containers must set allowPrivilegeEscalation to {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }}" - - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.privileged) || c.securityContext.privileged == {{ .Values.podSecurityPolicy.allowprivileged }})" - message: "All CronJob containers must set privileged to {{ .Values.podSecurityPolicy.allowprivileged }}" ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: {{ include "policychart.fullname" . }}-pod-security-policy-binding -spec: - policyName: {{ include "policychart.fullname" . }}-pod-security-policy - validationActions: - - Deny -{{- end }} diff --git a/charts/k8s-shield/templates/podSecurityPolicy.yaml b/charts/k8s-shield/templates/podSecurityPolicy.yaml deleted file mode 100644 index e69de29b..00000000 diff --git a/charts/k8s-shield/templates/pod_security_policy.yaml b/charts/k8s-shield/templates/pod_security_policy.yaml deleted file mode 100644 index eb0894cd..00000000 --- a/charts/k8s-shield/templates/pod_security_policy.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -{{- if .Values.podSecurityPolicy.enabled }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "{{ include "policychart.fullname" . }}-pod-security-policy" -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - "" - - apps - - batch - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - pods - - deployments - - replicasets - - daemonsets - - statefulsets - - jobs - - cronjobs - scope: '*' - validations: - - expression: "object.kind != 'Pod' || object.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == {{ .Values.podSecurityPolicy.runAsNonRoot }})" - message: "All containers must set runAsNonRoot to {{ .Values.podSecurityPolicy.runAsNonRoot }}" - - expression: "object.kind != 'Pod' || object.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.readOnlyRootFilesystem) && c.securityContext.readOnlyRootFilesystem == {{ .Values.podSecurityPolicy.readOnlyRootFilesystem }})" - message: "All containers must set readOnlyRootFilesystem to {{ .Values.podSecurityPolicy.readOnlyRootFilesystem }}" - - expression: "object.kind != 'Pod' || object.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.allowPrivilegeEscalation) || c.securityContext.allowPrivilegeEscalation == {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }})" - message: "All containers must set allowPrivilegeEscalation to {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }}" - - expression: "object.kind != 'Pod' || object.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.privileged) || c.securityContext.privileged == {{ .Values.podSecurityPolicy.privileged }})" - message: "All containers must set privileged to {{ .Values.podSecurityPolicy.privileged }}" - - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || 
object.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == {{ .Values.podSecurityPolicy.runAsNonRoot }})" - message: "All workload containers must set runAsNonRoot to {{ .Values.podSecurityPolicy.runAsNonRoot }}" - - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.readOnlyRootFilesystem) && c.securityContext.readOnlyRootFilesystem == {{ .Values.podSecurityPolicy.readOnlyRootFilesystem }})" - message: "All workload containers must set readOnlyRootFilesystem to {{ .Values.podSecurityPolicy.readOnlyRootFilesystem }}" - - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.allowPrivilegeEscalation) || c.securityContext.allowPrivilegeEscalation == {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }})" - message: "All workload containers must set allowPrivilegeEscalation to {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }}" - - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.privileged) || c.securityContext.privileged == {{ .Values.podSecurityPolicy.privileged }})" - message: "All workload containers must set privileged to {{ .Values.podSecurityPolicy.privileged }}" - - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == {{ .Values.podSecurityPolicy.runAsNonRoot }})" - message: "All CronJob containers must set runAsNonRoot to {{ .Values.podSecurityPolicy.runAsNonRoot }}" - - 
expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.readOnlyRootFilesystem) && c.securityContext.readOnlyRootFilesystem == {{ .Values.podSecurityPolicy.readOnlyRootFilesystem }})" - message: "All CronJob containers must set readOnlyRootFilesystem to {{ .Values.podSecurityPolicy.readOnlyRootFilesystem }}" - - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.allowPrivilegeEscalation) || c.securityContext.allowPrivilegeEscalation == {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }})" - message: "All CronJob containers must set allowPrivilegeEscalation to {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }}" - - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.privileged) || c.securityContext.privileged == {{ .Values.podSecurityPolicy.privileged }})" - message: "All CronJob containers must set privileged to {{ .Values.podSecurityPolicy.privileged }}" ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: {{ include "policychart.fullname" . }}-pod-security-policy-binding -spec: - policyName: {{ include "policychart.fullname" . }}-pod-security-policy - validationActions: - - Deny -{{- end }} diff --git a/charts/k8s-shield/templates/resources_not_define.yaml b/charts/k8s-shield/templates/resources_not_define.yaml deleted file mode 100644 index 96aa8fe8..00000000 --- a/charts/k8s-shield/templates/resources_not_define.yaml +++ /dev/null 
@@ -1,47 +0,0 @@
-{{- if $.Values.resourcePolicies.denyWithoutResource.enabled }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicy
-metadata:
- name: {{ include "policychart.fullname" . }}-require-pod-resources
-spec:
- failurePolicy: Fail
- matchConstraints:
- matchPolicy: Equivalent
- namespaceSelector:
- matchExpressions:
- - key: kubernetes.io/metadata.name
- operator: In
- values:
- {{- range .Values.resourcePolicies.denyWithoutResource.namespaces }}
- - {{ . | quote }}
- {{- end }}
- resourceRules:
- - apiGroups:
- - ""
- apiVersions:
- - v1
- operations:
- - CREATE
- - UPDATE
- resources:
- - pods
- scope: Namespaced
- validations:
- - expression: "object.spec.containers.all(c, has(c.resources) && has(c.resources.requests) && has(c.resources.limits) && has(c.resources.requests.cpu) && has(c.resources.requests.memory) && has(c.resources.limits.cpu) && has(c.resources.limits.memory))"
- message: "All containers in the pod must have both CPU and memory requests and limits specified."
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicyBinding
-metadata:
- name: {{ include "policychart.fullname" . }}-require-pod-resources-binding
-spec:
- matchResources:
- matchPolicy: Equivalent
- namespaceSelector: {}
- objectSelector: {}
- policyName: {{ include "policychart.fullname" . }}-require-pod-resources
- validationActions:
- {{- range .Values.denyPvcCreationPolicy.validationActions }}
- - {{ . }}
- {{- end }}
-{{- end }}
diff --git a/charts/k8s-shield/templates/restrict_resource.yaml b/charts/k8s-shield/templates/restrict_resource.yaml
deleted file mode 100644
index f4907307..00000000
--- a/charts/k8s-shield/templates/restrict_resource.yaml
+++ /dev/null
@@ -1,67 +0,0 @@
-{{- if .Values.resourcePolicies.limitResourcePolicy.enabled }}
-{{- $maxCPU := .Values.resourcePolicies.limitResourcePolicy.maxCPULimit | default "1000m" }}
-{{- $maxMemory := .Values.resourcePolicies.limitResourcePolicy.maxMemoryLimit | default "2Gi" }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicy
-metadata:
- name: {{ include "policychart.fullname" . }}-restrict-resource-limits
-spec:
- failurePolicy: Fail
- matchConstraints:
- matchPolicy: Equivalent
- namespaceSelector:
- matchExpressions:
- - key: kubernetes.io/metadata.name
- operator: In
- values:
- {{- range .Values.resourcePolicies.limitResourcePolicy.namespaces }}
- - {{ . | quote }}
- {{- end }}
- objectSelector: {}
- resourceRules:
- - apiGroups:
- - ""
- - apps
- apiVersions:
- - v1
- operations:
- - CREATE
- - UPDATE
- resources:
- - pods
- - deployments
- - statefulsets
- scope: Namespaced
- validations:
- - expression: |-
- has(object.spec.template) ?
- (
- !has(object.spec.template.spec.containers[0].resources.limits) || (
- (!has(object.spec.template.spec.containers[0].resources.limits.cpu) ||
- quantity(object.spec.template.spec.containers[0].resources.limits.cpu).compareTo(quantity('{{ $maxCPU }}')) <= 0) &&
- (!has(object.spec.template.spec.containers[0].resources.limits.memory) ||
- quantity(object.spec.template.spec.containers[0].resources.limits.memory).compareTo(quantity('{{ $maxMemory }}')) <= 0)
- )
- ) :
- (
- !has(object.spec.containers[0].resources.limits) || (
- (!has(object.spec.containers[0].resources.limits.cpu) ||
- quantity(object.spec.containers[0].resources.limits.cpu).compareTo(quantity('{{ $maxCPU }}')) <= 0) &&
- (!has(object.spec.containers[0].resources.limits.memory) ||
- quantity(object.spec.containers[0].resources.limits.memory).compareTo(quantity('{{ $maxMemory }}')) <= 0)
- )
- )
- message: "Resource limits exceed the maximum allowed. CPU must be <= {{ $maxCPU }} and memory must be <= {{ $maxMemory }}."
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicyBinding
-metadata:
- name: {{ include "policychart.fullname" . }}-restrict-resource-limits-binding
-spec:
- policyName: {{ include "policychart.fullname" . }}-restrict-resource-limits
- validationActions:
- {{- range .Values.denyPvcCreationPolicy.validationActions }}
- - {{ . }}
- {{- end }}
-{{- end }}
-
diff --git a/charts/k8s-shield/templates/restrict_without_probes.yaml b/charts/k8s-shield/templates/restrict_without_probes.yaml
deleted file mode 100644
index a9ecc7d9..00000000
--- a/charts/k8s-shield/templates/restrict_without_probes.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-{{- if $.Values.withoutReadinessandLivenessProbe.enabled }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicy
-metadata:
- name: {{ include "policychart.fullname" . }}-require-probes-policy
-spec:
- failurePolicy: Fail
- matchConstraints:
- matchPolicy: Equivalent
- namespaceSelector:
- matchExpressions:
- - key: kubernetes.io/metadata.name
- operator: In
- values:
- {{- range .Values.withoutReadinessandLivenessProbe.namespaces }}
- - {{ . | quote }}
- {{- end }}
- resourceRules:
- - apiGroups: [""]
- apiVersions: ["v1"]
- operations: ["CREATE", "UPDATE"]
- resources: ["pods"]
- scope: Namespaced
- validations:
- - expression: "object.spec.containers.all(c, has(c.readinessProbe) && has(c.livenessProbe))"
- message: "All containers in the pod must have both a readiness probe and a liveness probe defined."
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicyBinding
-metadata:
- name: {{ include "policychart.fullname" . }}-require-probes-policy-binding
-spec:
- policyName: {{ include "policychart.fullname" . }}-require-probes-policy
- validationActions:
- {{- range .Values.denyPvcCreationPolicy.validationActions }}
- - {{ . }}
- {{- end }}
-{{- end }}
From cfdd147711e827fa8a015917534617f862ce5ed5 Mon Sep 17 00:00:00 2001
From: Neha Sharma
Date: Thu, 1 Aug 2024 13:28:08 +0530
Subject: [PATCH 09/22] update validatingAdmissionPolicyChart
---
.../restrict-admin-cluster-role-creation-policy.yaml | 6 +++---
...ster-rolebinding-with-cluster-admin-creation-policy.yaml | 6 +++---
.../k8s-shield/templates/restrict-loadbalance-creation.yaml | 6 +++---
.../k8s-shield/templates/restrict-pvc-creation-policy.yaml | 6 +++---
.../restrict-without-readiness-liveness-policy.yaml | 6 +++---
.../templates/restrict-without-resource-policy.yaml | 6 +++---
6 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml b/charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml
index 51ca4f65..3478c147 100644
--- a/charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml
+++ b/charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml
@@ -2,7 +2,7 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
- name: {{ include "policychart.fullname" . }}-deny-role-creation
+ name: {{ include "policychart.fullname" . }}-deny-admin-cluster-role-creation
 spec:
 failurePolicy: Fail
 matchConstraints:
@@ -33,13 +33,13 @@ spec:
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
 metadata:
- name: {{ include "policychart.fullname" . }}-deny-role-creation-binding
+ name: {{ include "policychart.fullname" . }}-deny-admin-cluster-role-creation-binding
 spec:
 matchResources:
 matchPolicy: Equivalent
 namespaceSelector: {}
 objectSelector: {}
- policyName: {{ include "policychart.fullname" . }}-deny-role-creation
+ policyName: {{ include "policychart.fullname" . }}-deny-admin-cluster-role-creation
 validationActions:
 {{- range .Values.denyPvcCreationPolicy.validationActions }}
 - {{ . }}
diff --git a/charts/k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml b/charts/k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml
index a4adce64..6c3c5170 100644
--- a/charts/k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml
+++ b/charts/k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml
@@ -2,7 +2,7 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
- name: {{ include "policychart.fullname" . }}restrict-cluster-admin-binding
+ name: {{ include "policychart.fullname" . }}-restrict-cluster-role-binding-creation
 spec:
 failurePolicy: Fail
 matchConstraints:
@@ -29,9 +29,9 @@ spec:
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
 metadata:
- name: {{ include "policychart.fullname" . }}restrict-cluster-admin-binding-policy
+ name: {{ include "policychart.fullname" . }}-restrict-cluster-role-binding-creation-binding
 spec:
- policyName: {{ include "policychart.fullname" . }}restrict-cluster-admin-binding
+ policyName: {{ include "policychart.fullname" . }}-restrict-cluster-role-binding-creation
 validationActions:
 {{- range .Values.denyPvcCreationPolicy.validationActions }}
 - {{ . }}
diff --git a/charts/k8s-shield/templates/restrict-loadbalance-creation.yaml b/charts/k8s-shield/templates/restrict-loadbalance-creation.yaml
index 0deb3281..4b26c07e 100644
--- a/charts/k8s-shield/templates/restrict-loadbalance-creation.yaml
+++ b/charts/k8s-shield/templates/restrict-loadbalance-creation.yaml
@@ -3,7 +3,7 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
- name: {{ include "policychart.fullname" . }}-deny-loadbalancer-services
+ name: {{ include "policychart.fullname" . }}-deny-loadbalancer-creation
 spec:
 failurePolicy: Fail
 matchConstraints:
@@ -34,13 +34,13 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: - name: {{ include "policychart.fullname" . }}-deny-loadbalancer-services-binding + name: {{ include "policychart.fullname" . }}-deny-loadbalancer-creation-binding spec: matchResources: matchPolicy: Equivalent namespaceSelector: {} objectSelector: {} - policyName: {{ include "policychart.fullname" . }}-deny-loadbalancer-services + policyName: {{ include "policychart.fullname" . }}-deny-loadbalancer-creation validationActions: {{- range .Values.denyPvcCreationPolicy.validationActions }} - {{ . }} diff --git a/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml b/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml index 104c2762..517d0bd9 100644 --- a/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml +++ b/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml @@ -2,7 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: - name: {{ include "policychart.fullname" . }}-deny-pv-pvc-creation + name: {{ include "policychart.fullname" . }}-deny-pvc-creation spec: failurePolicy: Fail matchConstraints: @@ -33,13 +33,13 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: - name: {{ include "policychart.fullname" . }}-deny-pv-pvc-creation-binding + name: {{ include "policychart.fullname" . }}-deny-pvc-creation-binding spec: matchResources: matchPolicy: Equivalent namespaceSelector: {} objectSelector: {} - policyName: {{ include "policychart.fullname" . }}-deny-pv-pvc-creation + policyName: {{ include "policychart.fullname" . }}-deny-pvc-creation validationActions: {{- range .Values.denyPvcCreationPolicy.validationActions }} - {{ . }} diff --git a/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml b/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml index a9ecc7d9..09d1c845 100644 
--- a/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml +++ b/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml @@ -2,7 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: - name: {{ include "policychart.fullname" . }}-require-probes-policy + name: {{ include "policychart.fullname" . }}-deny-without-readiness-liveness spec: failurePolicy: Fail matchConstraints: @@ -28,9 +28,9 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: - name: {{ include "policychart.fullname" . }}-require-probes-policy-binding + name: {{ include "policychart.fullname" . }}-deny-without-readiness-liveness spec: - policyName: {{ include "policychart.fullname" . }}-require-probes-policy + policyName: {{ include "policychart.fullname" . }}-deny-without-readiness-liveness validationActions: {{- range .Values.denyPvcCreationPolicy.validationActions }} - {{ . }} diff --git a/charts/k8s-shield/templates/restrict-without-resource-policy.yaml b/charts/k8s-shield/templates/restrict-without-resource-policy.yaml index 96aa8fe8..35d03cd5 100644 --- a/charts/k8s-shield/templates/restrict-without-resource-policy.yaml +++ b/charts/k8s-shield/templates/restrict-without-resource-policy.yaml @@ -2,7 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: - name: {{ include "policychart.fullname" . }}-require-pod-resources + name: {{ include "policychart.fullname" . }}-deny-without-resources spec: failurePolicy: Fail matchConstraints: 
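Review bot: The ValidatingAdmissionPolicyBinding in the second hunk is renamed to `{{ include "policychart.fullname" . }}-deny-without-readiness-liveness`, which is exactly the string the `policyName` line below it references, while every other binding renamed in this patch keeps a `-binding` suffix. Different kinds do not collide in the API, but the shared name breaks the chart's convention and makes the binding indistinguishable from its policy in listings and logs. Use `name: {{ include "policychart.fullname" . }}-deny-without-readiness-liveness-binding` to match the other templates.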
@@ -33,13 +33,13 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: - name: {{ include "policychart.fullname" . }}-require-pod-resources-binding + name: {{ include "policychart.fullname" . }}-deny-without-resources-binding spec: matchResources: matchPolicy: Equivalent namespaceSelector: {} objectSelector: {} - policyName: {{ include "policychart.fullname" . }}-require-pod-resources + policyName: {{ include "policychart.fullname" . }}-deny-without-resources validationActions: {{- range .Values.denyPvcCreationPolicy.validationActions }} - {{ . }} From 3c4cbad48901fd3e53a4cc29de48be375704a623 Mon Sep 17 00:00:00 2001 From: Neha Sharma Date: Thu, 1 Aug 2024 19:22:28 +0530 Subject: [PATCH 10/22] update the policy chart --- .../templates/container-security-context-policy.yaml | 4 +++- .../templates/pod-security-context-policy.yaml | 4 +++- .../restrict-admin-cluster-role-creation-policy.yaml | 4 ++-- .../restrict-application-deletion-policy.yaml | 2 +- ...rolebinding-with-cluster-admin-creation-policy.yaml | 4 ++-- .../templates/restrict-limit-resource-policy.yaml | 2 +- .../templates/restrict-loadbalance-creation.yaml | 6 +++--- .../templates/restrict-namespace-deletion-policy.yaml | 2 +- .../templates/restrict-pvc-creation-policy.yaml | 6 +++--- .../restrict-without-readiness-liveness-policy.yaml | 2 +- .../templates/restrict-without-resource-policy.yaml | 6 +++--- charts/k8s-shield/values.yaml | 10 +++++----- 12 files changed, 28 insertions(+), 24 deletions(-) diff --git a/charts/k8s-shield/templates/container-security-context-policy.yaml b/charts/k8s-shield/templates/container-security-context-policy.yaml index 7ecb94cd..1f1fb789 100644 --- a/charts/k8s-shield/templates/container-security-context-policy.yaml +++ b/charts/k8s-shield/templates/container-security-context-policy.yaml 
@@ -58,6 +58,8 @@ metadata: spec: policyName: {{ include "policychart.fullname" . }}-container-security-policy validationActions: - - Deny + {{- range .Values.containerSecurityPolicy.validationActions }} + - {{ . }} + {{- end }} {{- end }} diff --git a/charts/k8s-shield/templates/pod-security-context-policy.yaml b/charts/k8s-shield/templates/pod-security-context-policy.yaml index ae9334b6..0ed24c38 100644 --- a/charts/k8s-shield/templates/pod-security-context-policy.yaml +++ b/charts/k8s-shield/templates/pod-security-context-policy.yaml @@ -58,5 +58,7 @@ metadata: spec: policyName: {{ include "policychart.fullname" . }}-pod-security-policy validationActions: - - Deny + {{- range .Values.podSecurityPolicy.validationActions }} + - {{ . }} + {{- end }} {{- end }} diff --git a/charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml b/charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml index 3478c147..046458a7 100644 --- a/charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml +++ b/charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml @@ -1,4 +1,4 @@ -{{- if $.Values.denyAdminClusterRoleCreation.enabled }} +{{- if $.Values.adminClusterRoleCreation.enabled }} apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: @@ -41,7 +41,7 @@ spec: objectSelector: {} policyName: {{ include "policychart.fullname" . }}-deny-admin-cluster-role-creation validationActions: - {{- range .Values.denyPvcCreationPolicy.validationActions }} + {{- range .Values.adminClusterRoleCreation.validationActions }} - {{ . }} {{- end }} {{- end }} diff --git a/charts/k8s-shield/templates/restrict-application-deletion-policy.yaml b/charts/k8s-shield/templates/restrict-application-deletion-policy.yaml index 0bc9c1ed..ad5104dd 100644 --- a/charts/k8s-shield/templates/restrict-application-deletion-policy.yaml +++ b/charts/k8s-shield/templates/restrict-application-deletion-policy.yaml 
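Review bot: Replacing the hard-coded `- Deny` with a `range` leaves no fallback: a user who overrides `containerSecurityPolicy.validationActions` with `[]` or null gets a bare `validationActions:` rendered, and the binding will be rejected since the API requires at least one action. Consider `{{- range .Values.containerSecurityPolicy.validationActions | default (list "Deny") }}` so the documented default survives an empty override. The pod-security-context hunk that follows has the same shape and would benefit from the same guard. The enclosing template begins outside the hunk.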
@@ -41,7 +41,7 @@ spec: objectSelector: {} policyName: {{ include "policychart.fullname" . }}-prevent-app-deletion validationActions: - {{- range .Values.denyPvcCreationPolicy.validationActions }} + {{- range .Values.appDeletionPolicy.validationActions }} - {{ . }} {{- end }} {{- end }} diff --git a/charts/k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml b/charts/k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml index 6c3c5170..dabe2968 100644 --- a/charts/k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml +++ b/charts/k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml @@ -1,4 +1,4 @@ -{{- if $.Values.denyCLusterRoleBindingCreation.enabled }} +{{- if $.Values.cLusterRoleBindingCreation.enabled }} apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: @@ -33,7 +33,7 @@ metadata: spec: policyName: {{ include "policychart.fullname" . }}-restrict-cluster-role-binding-creation validationActions: - {{- range .Values.denyPvcCreationPolicy.validationActions }} + {{- range .Values.cLusterRoleBindingCreation.validationActions }} - {{ . }} {{- end }} {{- end }} diff --git a/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml b/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml index f4907307..97c53aaa 100644 --- a/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml +++ b/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml @@ -60,7 +60,7 @@ metadata: spec: policyName: {{ include "policychart.fullname" . }}-restrict-resource-limits validationActions: - {{- range .Values.denyPvcCreationPolicy.validationActions }} + {{- range .Values.resourcePolicies.limitResourcePolicy.validationActions }} - {{ . }} {{- end }} {{- end }} 
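Review bot: The new values key `cLusterRoleBindingCreation` carries a stray capital L inside an otherwise camelCase name, and `resourcePolicies.WithoutResource` (the restrict-without-resource template hunk and the values.yaml hunks below) starts with a capital; both read as typos beside `adminClusterRoleCreation`, `pvcCreationPolicy` and `loadBalancerCreationPolicy`. Since this commit already renames every key, it is the cheapest moment to settle on `clusterRoleBindingCreation` and `resourcePolicies.withoutResource` before users pin the spelling in their own values files. That would change the `{{- if $.Values.cLusterRoleBindingCreation.enabled }}` line and the matching `range` in this hunk.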
diff --git a/charts/k8s-shield/templates/restrict-loadbalance-creation.yaml b/charts/k8s-shield/templates/restrict-loadbalance-creation.yaml index 4b26c07e..810dd33c 100644 --- a/charts/k8s-shield/templates/restrict-loadbalance-creation.yaml +++ b/charts/k8s-shield/templates/restrict-loadbalance-creation.yaml @@ -1,4 +1,4 @@ -{{- if $.Values.denyloadBalancerCreationPolicy.enabled}} +{{- if $.Values.loadBalancerCreationPolicy.enabled}} --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy @@ -13,7 +13,7 @@ spec: - key: kubernetes.io/metadata.name operator: In values: - {{- range .Values.denyloadBalancerCreationPolicy.namespaces }} + {{- range .Values.loadBalancerCreationPolicy.namespaces }} - {{ . | quote }} {{- end }} objectSelector: {} @@ -42,7 +42,7 @@ spec: objectSelector: {} policyName: {{ include "policychart.fullname" . }}-deny-loadbalancer-creation validationActions: - {{- range .Values.denyPvcCreationPolicy.validationActions }} + {{- range .Values.loadBalancerCreationPolicy.validationActions }} - {{ . }} {{- end }} {{- end }} diff --git a/charts/k8s-shield/templates/restrict-namespace-deletion-policy.yaml b/charts/k8s-shield/templates/restrict-namespace-deletion-policy.yaml index 0610bb13..251e56ad 100644 --- a/charts/k8s-shield/templates/restrict-namespace-deletion-policy.yaml +++ b/charts/k8s-shield/templates/restrict-namespace-deletion-policy.yaml @@ -39,7 +39,7 @@ spec: objectSelector: {} policyName: {{ include "policychart.fullname" . }}-deny-namespace-deletion validationActions: - {{- range .Values.denyPvcCreationPolicy.validationActions }} + {{- range .Values.namespaceDeletionPolicy.validationActions }} - {{ . }} {{- end }} {{- end }} diff --git a/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml b/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml index 517d0bd9..1be6f2f2 100644 --- a/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml 
+++ b/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml @@ -1,4 +1,4 @@ -{{- if $.Values.denyPvcCreationPolicy.enabled }} +{{- if $.Values.pvcCreationPolicy.enabled }} apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: @@ -12,7 +12,7 @@ spec: - key: kubernetes.io/metadata.name operator: In values: - {{- range .Values.denyPvcCreationPolicy.namespaces }} + {{- range .Values.pvcCreationPolicy.namespaces }} - {{ . | quote }} {{- end }} objectSelector: {} @@ -41,7 +41,7 @@ spec: objectSelector: {} policyName: {{ include "policychart.fullname" . }}-deny-pvc-creation validationActions: - {{- range .Values.denyPvcCreationPolicy.validationActions }} + {{- range .Values.pvcCreationPolicy.validationActions }} - {{ . }} {{- end }} {{- end }} diff --git a/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml b/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml index 09d1c845..ade381df 100644 --- a/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml +++ b/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml @@ -32,7 +32,7 @@ metadata: spec: policyName: {{ include "policychart.fullname" . }}-deny-without-readiness-liveness validationActions: - {{- range .Values.denyPvcCreationPolicy.validationActions }} + {{- range .Values.withoutReadinessandLivenessProbe.validationActions }} - {{ . }} {{- end }} {{- end }} diff --git a/charts/k8s-shield/templates/restrict-without-resource-policy.yaml b/charts/k8s-shield/templates/restrict-without-resource-policy.yaml index 35d03cd5..3b5c06b1 100644 --- a/charts/k8s-shield/templates/restrict-without-resource-policy.yaml +++ b/charts/k8s-shield/templates/restrict-without-resource-policy.yaml 
@@ -1,4 +1,4 @@ -{{- if $.Values.resourcePolicies.denyWithoutResource.enabled }} +{{- if $.Values.resourcePolicies.WithoutResource.enabled }} apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: @@ -12,7 +12,7 @@ spec: - key: kubernetes.io/metadata.name operator: In values: - {{- range .Values.resourcePolicies.denyWithoutResource.namespaces }} + {{- range .Values.resourcePolicies.WithoutResource.namespaces }} - {{ . | quote }} {{- end }} resourceRules: @@ -41,7 +41,7 @@ spec: objectSelector: {} policyName: {{ include "policychart.fullname" . }}-deny-without-resources validationActions: - {{- range .Values.denyPvcCreationPolicy.validationActions }} + {{- range .Values.resourcePolicies.WithoutResource.validationActions }} - {{ . }} {{- end }} {{- end }} diff --git a/charts/k8s-shield/values.yaml b/charts/k8s-shield/values.yaml index 02f6ae16..3a801a99 100644 --- a/charts/k8s-shield/values.yaml +++ b/charts/k8s-shield/values.yaml @@ -1,4 +1,4 @@ -denyPvcCreationPolicy: +pvcCreationPolicy: # This policy prevents the creation of Persistent Volume Claims (PVCs) in the specified namespaces. enabled: true namespaces: @@ -14,7 +14,7 @@ namespaceDeletionPolicy: - argo validationActions: #By default value is DENY - Deny -denyloadBalancerCreationPolicy: +loadBalancerCreationPolicy: # This policy blocks the creation of LoadBalancer type services in the specified namespaces. enabled: true namespaces: @@ -31,7 +31,7 @@ appDeletionPolicy: validationActions: #By default value is DENY - Deny resourcePolicies: # This policy ensures that deployments specify resource limits and requests, enforcing resource constraints on all pods. - denyWithoutResource: + WithoutResource: enabled: true namespaces: - devtroncd 
@@ -47,12 +47,12 @@ resourcePolicies: # This policy ensures that deployments specify resource lim maxMemoryLimit: "2Gi" validationActions: #By default value is DENY - Deny -denyAdminClusterRoleCreation: +adminClusterRoleCreation: # This policy prohibits the creation of new roles and cluster-role within the cluster. enabled: true validationActions: #By default value is DENY - Deny -denyCLusterRoleBindingCreation: +cLusterRoleBindingCreation: # This policy prohibits the creation of clusterRoleBinding with the cluster-admin access enabled: true validationActions: #By default value is DENY From ecd42c386f010bf798fe036d6187b09233842c23 Mon Sep 17 00:00:00 2001 From: Neha Sharma Date: Fri, 2 Aug 2024 16:01:29 +0530 Subject: [PATCH 11/22] update the policy chart --- .../restrict-without-readiness-liveness-policy.yaml | 6 +++--- charts/k8s-shield/values.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml b/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml index ade381df..91571c86 100644 --- a/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml +++ b/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml @@ -1,4 +1,4 @@ -{{- if $.Values.withoutReadinessandLivenessProbe.enabled }} +{{- if $.Values.readinessAndLivenessPolicy.enabled }} apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: @@ -12,7 +12,7 @@ spec: - key: kubernetes.io/metadata.name operator: In values: - {{- range .Values.withoutReadinessandLivenessProbe.namespaces }} + {{- range .Values.readinessAndLivenessPolicy.namespaces }} - {{ . | quote }} {{- end }} resourceRules: 
@@ -32,7 +32,7 @@ metadata: spec: policyName: {{ include "policychart.fullname" . }}-deny-without-readiness-liveness validationActions: - {{- range .Values.withoutReadinessandLivenessProbe.validationActions }} + {{- range .Values.readinessAndLivenessPolicy.validationActions }} - {{ . }} {{- end }} {{- end }} diff --git a/charts/k8s-shield/values.yaml b/charts/k8s-shield/values.yaml index 3a801a99..455e6fa7 100644 --- a/charts/k8s-shield/values.yaml +++ b/charts/k8s-shield/values.yaml @@ -57,7 +57,7 @@ cLusterRoleBindingCreation: enabled: true validationActions: #By default value is DENY - Deny -withoutReadinessandLivenessProbe: +readinessAndLivenessPolicy: # Policy for ensuring readiness and liveness probes are defined for containers enabled: true namespaces: From 1bce28ac0cad659ee3a9dd7ecff930b2ea0c615d Mon Sep 17 00:00:00 2001 From: Neha Sharma Date: Fri, 2 Aug 2024 16:03:38 +0530 Subject: [PATCH 12/22] update the policy chart --- charts/k8s-shield/Chart.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/charts/k8s-shield/Chart.yaml b/charts/k8s-shield/Chart.yaml index 328d149b..135a4c78 100644 --- a/charts/k8s-shield/Chart.yaml +++ b/charts/k8s-shield/Chart.yaml @@ -7,5 +7,4 @@ version: 0.1.0 maintainers: - email: devops@devtron.ai name: Devtron Devops Team -- email: neha.sharma@devtron.ai - name: Neha Sharma + From f23eb2da513d0663eac45effb346aa2eb7bcd926 Mon Sep 17 00:00:00 2001 From: Neha Sharma Date: Thu, 5 Sep 2024 16:41:25 +0530 Subject: [PATCH 13/22] update the changes --- charts/k8s-shield/Chart.yaml | 7 ++ .../container-security-context-policy.yaml | 16 ++--- .../pod-security-context-policy.yaml | 16 ++--- .../restrict-limit-resource-policy.yaml | 55 +++++++-------- .../restrict-pvc-creation-policy.yaml | 4 +- ...ict-without-readiness-liveness-policy.yaml | 20 ++++-- .../restrict-without-resource-policy.yaml | 20 +++--- charts/k8s-shield/values.yaml | 69 +++++++++++++++---- 8 files changed, 131 insertions(+), 76 deletions(-) 
diff --git a/charts/k8s-shield/Chart.yaml b/charts/k8s-shield/Chart.yaml index 135a4c78..62bb21e6 100644 --- a/charts/k8s-shield/Chart.yaml +++ b/charts/k8s-shield/Chart.yaml @@ -8,3 +8,10 @@ maintainers: - email: devops@devtron.ai name: Devtron Devops Team + + + + + + + \ No newline at end of file diff --git a/charts/k8s-shield/templates/container-security-context-policy.yaml b/charts/k8s-shield/templates/container-security-context-policy.yaml index 1f1fb789..3e735933 100644 --- a/charts/k8s-shield/templates/container-security-context-policy.yaml +++ b/charts/k8s-shield/templates/container-security-context-policy.yaml @@ -11,19 +11,17 @@ spec: - "" - apps - batch + - rollout.k8s.io apiVersions: - v1 operations: - - CREATE - - UPDATE + {{- range $.Values.resourcePolicies.WithoutResource.operations }} + - {{ . | quote }} + {{- end }} resources: - - pods - - deployments - - replicasets - - daemonsets - - statefulsets - - jobs - - cronjobs + {{- range $.Values.resourcePolicies.WithoutResource.resources }} + - {{ . | quote }} + {{- end }} scope: '*' validations: - expression: "object.kind != 'Pod' || object.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == {{ .Values.containerSecurityPolicy.allowrunAsNonRoot }})" diff --git a/charts/k8s-shield/templates/pod-security-context-policy.yaml b/charts/k8s-shield/templates/pod-security-context-policy.yaml index 0ed24c38..2a472291 100644 --- a/charts/k8s-shield/templates/pod-security-context-policy.yaml +++ b/charts/k8s-shield/templates/pod-security-context-policy.yaml 
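Review bot: The container-security-context policy now takes its `operations` and `resources` from `$.Values.resourcePolicies.WithoutResource`, not from `$.Values.containerSecurityPolicy`, even though values.yaml in this same commit adds `operations:`/`resources:` lists under `containerSecurityPolicy` that are therefore never read, and tuning the resource policy silently reshapes the security policy. The two `range` lines should be `{{- range $.Values.containerSecurityPolicy.operations }}` and `{{- range $.Values.containerSecurityPolicy.resources }}`; the pod-security-context hunk that follows has the same copy-paste and should read `$.Values.podSecurityPolicy.*`. Separately, the added API group `rollout.k8s.io` does not match the group this series uses for Argo Rollouts elsewhere (`argoproj.io` in restrict-limit-resource-policy and restrict-without-readiness-liveness-policy), and with `apiVersions: - v1` a Rollout (served as `argoproj.io/v1alpha1`, to my knowledge) would still not match. The same group string appears in the restrict-without-resource hunk.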
@@ -11,19 +11,17 @@ spec: - "" - apps - batch + - rollout.k8s.io apiVersions: - v1 operations: - - CREATE - - UPDATE + {{- range $.Values.resourcePolicies.WithoutResource.operations }} + - {{ . | quote }} + {{- end }} resources: - - pods - - deployments - - replicasets - - daemonsets - - statefulsets - - jobs - - cronjobs + {{- range $.Values.resourcePolicies.WithoutResource.resources }} + - {{ . | quote }} + {{- end }} scope: '*' validations: - expression: "object.kind != 'Pod' || object.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == {{ .Values.podSecurityPolicy.allowrunAsNonRoot }})" diff --git a/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml b/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml index 97c53aaa..e0118435 100644 --- a/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml +++ b/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml 
@@ -20,38 +20,40 @@ spec: objectSelector: {} resourceRules: - apiGroups: - - "" - - apps + - "" + - apps + - argoproj.io apiVersions: - - v1 + - v1 operations: - - CREATE - - UPDATE + {{- range .Values.resourcePolicies.limitResourcePolicy.operations }} + - {{ . | quote }} + {{- end }} resources: - - pods - - deployments - - statefulsets + {{- range .Values.resourcePolicies.limitResourcePolicy.resources }} + - {{ . | quote }} + {{- end }} scope: Namespaced validations: - - expression: |- - has(object.spec.template) ? - ( - !has(object.spec.template.spec.containers[0].resources.limits) || ( - (!has(object.spec.template.spec.containers[0].resources.limits.cpu) || - quantity(object.spec.template.spec.containers[0].resources.limits.cpu).compareTo(quantity('{{ $maxCPU }}')) <= 0) && - (!has(object.spec.template.spec.containers[0].resources.limits.memory) || - quantity(object.spec.template.spec.containers[0].resources.limits.memory).compareTo(quantity('{{ $maxMemory }}')) <= 0) + - expression: |- + has(object.spec.template) ? 
+ ( + !has(object.spec.template.spec.containers[0].resources.limits) || ( + (!has(object.spec.template.spec.containers[0].resources.limits.cpu) || + quantity(object.spec.template.spec.containers[0].resources.limits.cpu).compareTo(quantity('{{ $maxCPU }}')) <= 0) && + (!has(object.spec.template.spec.containers[0].resources.limits.memory) || + quantity(object.spec.template.spec.containers[0].resources.limits.memory).compareTo(quantity('{{ $maxMemory }}')) <= 0) + ) + ) : + ( + !has(object.spec.containers[0].resources.limits) || ( + (!has(object.spec.containers[0].resources.limits.cpu) || + quantity(object.spec.containers[0].resources.limits.cpu).compareTo(quantity('{{ $maxCPU }}')) <= 0) && + (!has(object.spec.containers[0].resources.limits.memory) || + quantity(object.spec.containers[0].resources.limits.memory).compareTo(quantity('{{ $maxMemory }}')) <= 0) + ) ) - ) : - ( - !has(object.spec.containers[0].resources.limits) || ( - (!has(object.spec.containers[0].resources.limits.cpu) || - quantity(object.spec.containers[0].resources.limits.cpu).compareTo(quantity('{{ $maxCPU }}')) <= 0) && - (!has(object.spec.containers[0].resources.limits.memory) || - quantity(object.spec.containers[0].resources.limits.memory).compareTo(quantity('{{ $maxMemory }}')) <= 0) - ) - ) - message: "Resource limits exceed the maximum allowed. CPU must be <= {{ $maxCPU }} and memory must be <= {{ $maxMemory }}." + message: "Resource limits exceed the maximum allowed. CPU must be <= {{ $maxCPU }} and memory must be <= {{ $maxMemory }}." --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding @@ -64,4 +66,3 @@ spec: - {{ . }} {{- end }} {{- end }} - diff --git a/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml b/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml index 1be6f2f2..1589ff3a 100644 --- a/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml +++ b/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml 
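Review bot: The re-indented CEL expression still inspects only `containers[0]`, so any second container whose CPU or memory limit exceeds `$maxCPU`/`$maxMemory` passes admission unchecked; since this hunk already rewrites every line of the expression, it is the right place to iterate with `.all(c, …)` over whichever container list exists. The rewrite below keeps the `has(object.spec.template)` dispatch and the `quantity(...).compareTo(...)` comparisons and adds a `has(c.resources)` guard so a container without a `resources` block does not error the policy. `$maxCPU` and `$maxMemory` are defined outside the hunk. Note also that `argoproj.io` is added to `apiGroups` while `apiVersions` stays `- v1`; Rollouts are served at `v1alpha1` as far as I know, so a `- v1alpha1` entry or a separate rule is needed for them to match.
```yaml
  validations:
    - expression: |-
        (has(object.spec.template) ? object.spec.template.spec.containers : object.spec.containers).all(c,
          !has(c.resources) || !has(c.resources.limits) || (
            (!has(c.resources.limits.cpu) ||
             quantity(c.resources.limits.cpu).compareTo(quantity('{{ $maxCPU }}')) <= 0) &&
            (!has(c.resources.limits.memory) ||
             quantity(c.resources.limits.memory).compareTo(quantity('{{ $maxMemory }}')) <= 0)
          )
        )
      # … unchanged: message …
```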
@@ -23,8 +23,7 @@ spec: - v1 operations: - CREATE - resources: - - persistentvolumeclaims + - UPDATE scope: Namespaced validations: - expression: "false" @@ -45,3 +44,4 @@ spec: - {{ . }} {{- end }} {{- end }} + diff --git a/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml b/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml index 91571c86..93b7589c 100644 --- a/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml +++ b/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml @@ -12,18 +12,24 @@ spec: - key: kubernetes.io/metadata.name operator: In values: - {{- range .Values.readinessAndLivenessPolicy.namespaces }} + {{- range $.Values.readinessAndLivenessPolicy.namespaces }} - {{ . | quote }} {{- end }} resourceRules: - - apiGroups: [""] + - apiGroups: ["apps,argoproj.io"] apiVersions: ["v1"] - operations: ["CREATE", "UPDATE"] - resources: ["pods"] + operations: + {{- range $.Values.readinessAndLivenessPolicy.operations }} + - {{ . | quote }} + {{- end }} + resources: + {{- range $.Values.readinessAndLivenessPolicy.resources }} + - {{ . | quote }} + {{- end }} scope: Namespaced validations: - - expression: "object.spec.containers.all(c, has(c.readinessProbe) && has(c.livenessProbe))" - message: "All containers in the pod must have both a readiness probe and a liveness probe defined." + - expression: "object.spec.template.spec.containers.all(c, has(c.readinessProbe) && has(c.livenessProbe))" + message: "All containers in the deployment must have both a readiness probe and a liveness probe defined." --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding 
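Review bot: The hunk removes the rule's `resources:` list together with `- persistentvolumeclaims` while adding `- UPDATE` under `operations`, so the `resourceRules` entry no longer names any resource; the API server requires a non-empty `resources` list on a rule, so I expect the policy to be rejected on apply. It looks like an indentation slip: keep `- UPDATE` under `operations:` and restore `resources:` / `- persistentvolumeclaims` beneath it. Also, with the `expression: "false"` context line, adding UPDATE denies every PVC modification in the selected namespaces (volume expansion, controller-set annotations), not just creation; confirm that is intended and say so in the policy message. The namespace selector is outside the hunk.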
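Review bot: `apiGroups: ["apps,argoproj.io"]` is a one-element list whose only member is the literal string `apps,argoproj.io`; no API group has that name, so the rule matches nothing and the policy becomes silently inert. It should be `apiGroups: ["apps", "argoproj.io"]`. As elsewhere in this commit, `apiVersions: ["v1"]` will not cover Argo Rollouts (served at `v1alpha1` as far as I know), so add that version or split the rule per group. The new expression also moves to `object.spec.template.spec.containers`, which suits the values-side `resources` list (deployments, statefulsets, rollouts) but will error if `pods` is ever added to that list.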
@@ -32,7 +38,7 @@ metadata: spec: policyName: {{ include "policychart.fullname" . }}-deny-without-readiness-liveness validationActions: - {{- range .Values.readinessAndLivenessPolicy.validationActions }} + {{- range $.Values.readinessAndLivenessPolicy.validationActions }} - {{ . }} {{- end }} {{- end }} diff --git a/charts/k8s-shield/templates/restrict-without-resource-policy.yaml b/charts/k8s-shield/templates/restrict-without-resource-policy.yaml index 3b5c06b1..931e2809 100644 --- a/charts/k8s-shield/templates/restrict-without-resource-policy.yaml +++ b/charts/k8s-shield/templates/restrict-without-resource-policy.yaml 
@@ -12,23 +12,27 @@ spec: - key: kubernetes.io/metadata.name operator: In values: - {{- range .Values.resourcePolicies.WithoutResource.namespaces }} + {{- range $.Values.resourcePolicies.WithoutResource.namespaces }} - {{ . | quote }} {{- end }} resourceRules: - apiGroups: - - "" + - apps + - rollout.k8s.io # Add apiGroup for rollouts if using Argo Rollouts apiVersions: - v1 operations: - - CREATE - - UPDATE + {{- range $.Values.resourcePolicies.WithoutResource.operations }} + - {{ . | quote }} + {{- end }} resources: - - pods + {{- range $.Values.resourcePolicies.WithoutResource.resources }} + - {{ . | quote }} + {{- end }} scope: Namespaced validations: - - expression: "object.spec.containers.all(c, has(c.resources) && has(c.resources.requests) && has(c.resources.limits) && has(c.resources.requests.cpu) && has(c.resources.requests.memory) && has(c.resources.limits.cpu) && has(c.resources.limits.memory))" - message: "All containers in the pod must have both CPU and memory requests and limits specified." + - expression: "object.spec.template.spec.containers.all(c, has(c.resources) && has(c.resources.requests) && has(c.resources.limits) && has(c.resources.requests.cpu) && has(c.resources.requests.memory) && has(c.resources.limits.cpu) && has(c.resources.limits.memory))" + message: "All containers must have both CPU and memory requests and limits specified." --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding @@ -41,7 +45,7 @@ spec: objectSelector: {} policyName: {{ include "policychart.fullname" . }}-deny-without-resources validationActions: - {{- range .Values.resourcePolicies.WithoutResource.validationActions }} + {{- range $.Values.resourcePolicies.WithoutResource.validationActions }} - {{ . }} {{- end }} {{- end }} diff --git a/charts/k8s-shield/values.yaml b/charts/k8s-shield/values.yaml index 455e6fa7..0e8ef51f 100644 --- a/charts/k8s-shield/values.yaml +++ b/charts/k8s-shield/values.yaml 
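Review bot: The rule drops the core API group `""` and the new expression reads `object.spec.template.spec.containers`, yet `resourcePolicies.WithoutResource.resources` in this commit's values.yaml still lists `pods`; without `""` the `pods` entry matches nothing, and if it did match, `object.spec.template` would be absent and the expression would error. Either remove `pods` from that list (and say so in the `# By default values` comment) or keep `""` and dispatch on `has(object.spec.template)` as restrict-limit-resource-policy does. `rollout.k8s.io` here carries the same group/version concern raised on the container-security-context hunk.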
@@ -1,6 +1,6 @@ pvcCreationPolicy: # This policy prevents the creation of Persistent Volume Claims (PVCs) in the specified namespaces. - enabled: true + enabled: false namespaces: - devtroncd - argo @@ -8,7 +8,7 @@ pvcCreationPolicy: - Deny namespaceDeletionPolicy: # This policy ristrict the deletion of namespaces to prevent. - enabled: true + enabled: false namespaces: - devtroncd - argo @@ -16,7 +16,7 @@ namespaceDeletionPolicy: - Deny loadBalancerCreationPolicy: # This policy blocks the creation of LoadBalancer type services in the specified namespaces. - enabled: true + enabled: false namespaces: - devtroncd - argo @@ -24,7 +24,7 @@ loadBalancerCreationPolicy: - Deny appDeletionPolicy: # This policy prevents the deletion of applications within the specified namespaces. - enabled: true + enabled: false namespaces: - devtroncd - argo 
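Review bot: Every policy in these hunks now defaults to `enabled: false`, so a plain install of the chart creates no admission policy at all, while the `# This policy prevents …` comments still describe each policy in the present tense as if it were active. A one-line note at the top of values.yaml, e.g. `# All policies are opt-in: set <policy>.enabled: true to install one.`, would make the new default explicit to anyone reading the file. `limitResourcePolicy` is left at `enabled: true` in the following hunk; confirm that asymmetry is deliberate.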
@@ -32,53 +32,94 @@ appDeletionPolicy: - Deny resourcePolicies: # This policy ensures that deployments specify resource limits and requests, enforcing resource constraints on all pods. WithoutResource: - enabled: true + enabled: false namespaces: - devtroncd - argo validationActions: #By default value is DENY - Deny + operations: + - CREATE + - UPDATE + resources: # By default values + - pods + - deployments + - statefulsets + - rollouts limitResourcePolicy: # This sub-policy enforces the restriction on resource limits and requests. If maxCPU and maxMemory are not defined, they default to 1000m and 2Gi respectively. enabled: true namespaces: - devtroncd - argo + operations: + - CREATE + - UPDATE + resources: # By default values + - pods + - deployments + - statefulsets + - rollouts maxCPULimit: "1000m" maxMemoryLimit: "2Gi" validationActions: #By default value is DENY - Deny adminClusterRoleCreation: # This policy prohibits the creation of new roles and cluster-role within the cluster. - enabled: true + enabled: false validationActions: #By default value is DENY - Deny cLusterRoleBindingCreation: # This policy prohibits the creation of clusterRoleBinding with the cluster-admin access - enabled: true + enabled: false validationActions: #By default value is DENY - Deny readinessAndLivenessPolicy: # Policy for ensuring readiness and liveness probes are defined for containers - enabled: true + enabled: false namespaces: - devtroncd - argo + operations: + - CREATE + - UPDATE + resources: + - deployments + - statefulsets + - rollouts validationActions: #By default value is DENY - Deny podSecurityPolicy: - enabled: true # Enable/disable the Pod Security Policy - allowrunAsNonRoot: true # Allow run as non-root user for better security - allowreadOnlyRootFilesystem: true # allow root filesystem read-only to prevent runtime modifications + enabled: false # Enable/disable the Pod Security Policy + allowrunAsNonRoot: false # Allow run as non-root user for better security + 
allowreadOnlyRootFilesystem: false # allow root filesystem read-only to prevent runtime modifications allowPrivilegeEscalation: false # Prevent processes from gaining more privileges than their parent allowprivileged: false # Disable privileged mode to limit container capabilities on the host validationActions: #By default value is DENY - Deny + operations: + - CREATE + - UPDATE + resources: # By default values + - pods + - deployments + - statefulsets + - rollouts + - cronjobs containerSecurityPolicy: - enabled: true # Enable/disable the container Security Policy - allowrunAsNonRoot: true # Allow run as non-root user for better security - allowreadOnlyRootFilesystem: true # allow root filesystem read-only to prevent runtime modifications + enabled: false # Enable/disable the container Security Policy + allowrunAsNonRoot: false # Allow run as non-root user for better security + allowreadOnlyRootFilesystem: false # allow root filesystem read-only to prevent runtime modifications allowPrivilegeEscalation: false # Prevent processes from gaining more privileges than their parent allowprivileged: false # Disable privileged mode to limit container capabilities on the host validationActions: #By default value is DENY - Deny + operations: + - CREATE + - UPDATE + resources: # By default values + - pods + - deployments + - statefulsets + - rollouts + - cronjobs From 60dc04db927ce91fe6ec58265196c0da015a198b Mon Sep 17 00:00:00 2001 From: Neha Sharma Date: Tue, 1 Oct 2024 10:57:26 +0530 Subject: [PATCH 14/22] upadte the changes --- .../container-security-context-policy.yaml | 7 +++--- .../pod-security-context-policy.yaml | 7 +++--- .../restrict-limit-resource-policy.yaml | 6 ++--- ...ict-without-readiness-liveness-policy.yaml | 5 ++++- .../restrict-without-resource-policy.yaml | 5 +++-- charts/k8s-shield/values.yaml | 22 +++++++++++++++++++ 6 files changed, 38 insertions(+), 14 deletions(-) 
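Review bot: Flipping `allowrunAsNonRoot` and `allowreadOnlyRootFilesystem` to `false` does not relax enforcement, because the security-context expressions compare with equality (`c.securityContext.runAsNonRoot == {{ .Values.containerSecurityPolicy.allowrunAsNonRoot }}`), so with these defaults an operator who sets `enabled: true` makes the policy require `runAsNonRoot: false` and `readOnlyRootFilesystem: false` on every container — i.e. it mandates root with a writable root filesystem, the opposite of what the inline comments ("Allow run as non-root user for better security") describe. The safe default is to keep both values `true`, or to gate the check on the flag rather than compare against it. At minimum the comment should state the semantics: `allowrunAsNonRoot: true  # Compared with ==: every container must set securityContext.runAsNonRoot to exactly this value; false REQUIRES root`. The same applies to `podSecurityPolicy` further up in this hunk.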
diff --git a/charts/k8s-shield/templates/container-security-context-policy.yaml b/charts/k8s-shield/templates/container-security-context-policy.yaml index 3e735933..e19501fd 100644 --- a/charts/k8s-shield/templates/container-security-context-policy.yaml +++ b/charts/k8s-shield/templates/container-security-context-policy.yaml @@ -8,10 +8,9 @@ spec: matchConstraints: resourceRules: - apiGroups: - - "" - - apps - - batch - - rollout.k8s.io + {{- range $.Values.resourcePolicies.WithoutResource.apiGroups }} + - {{ . | quote }} + {{- end }} apiVersions: - v1 operations: diff --git a/charts/k8s-shield/templates/pod-security-context-policy.yaml b/charts/k8s-shield/templates/pod-security-context-policy.yaml index 2a472291..b32641bb 100644 --- a/charts/k8s-shield/templates/pod-security-context-policy.yaml +++ b/charts/k8s-shield/templates/pod-security-context-policy.yaml @@ -8,10 +8,9 @@ spec: matchConstraints: resourceRules: - apiGroups: - - "" - - apps - - batch - - rollout.k8s.io + {{- range $.Values.resourcePolicies.WithoutResource.apiGroups }} + - {{ . | quote }} + {{- end }} apiVersions: - v1 operations: diff --git a/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml b/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml index e0118435..6f160ef4 100644 --- a/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml +++ b/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml @@ -20,9 +20,9 @@ spec: objectSelector: {} resourceRules: - apiGroups: - - "" - - apps - - argoproj.io + {{- range $.Values.resourcePolicies.WithoutResource.apiGroups }} + - {{ . | quote }} + {{- end }} apiVersions: - v1 operations: diff --git a/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml b/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml index 93b7589c..67cb317b 100644 --- a/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml 
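Review bot: The container-security-context policy now takes its `apiGroups` from `$.Values.resourcePolicies.WithoutResource.apiGroups`, which this commit defines as `apps` and `rollout.k8s.io`, so the previously matched `""` and `batch` groups disappear and the policy silently stops evaluating core-group Pods and batch Jobs/CronJobs — the very kinds its `object.kind == 'Pod'` / `'CronJob'` validations exist for. The values file gains a `containerSecurityPolicy.apiGroups` list with the right groups, but no template reads it. The range should be `{{- range $.Values.containerSecurityPolicy.apiGroups }}`, and the sibling hunks in pod-security-context-policy.yaml and restrict-limit-resource-policy.yaml have the same cross-wiring (they should read `podSecurityPolicy.apiGroups` and `limitResourcePolicy.apiGroups`, the latter losing `""` and `argoproj.io` as written). A `helm template` diff of the rendered `resourceRules` before and after this commit would have caught the regression.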
+++ b/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml @@ -16,7 +16,10 @@ spec: - {{ . | quote }} {{- end }} resourceRules: - - apiGroups: ["apps,argoproj.io"] + - apiGroups: + {{- range $.Values.resourcePolicies.WithoutResource.apiGroups }} + - {{ . | quote }} + {{- end }} apiVersions: ["v1"] operations: {{- range $.Values.readinessAndLivenessPolicy.operations }} diff --git a/charts/k8s-shield/templates/restrict-without-resource-policy.yaml b/charts/k8s-shield/templates/restrict-without-resource-policy.yaml index 931e2809..32b05d05 100644 --- a/charts/k8s-shield/templates/restrict-without-resource-policy.yaml +++ b/charts/k8s-shield/templates/restrict-without-resource-policy.yaml @@ -17,8 +17,9 @@ spec: {{- end }} resourceRules: - apiGroups: - - apps - - rollout.k8s.io # Add apiGroup for rollouts if using Argo Rollouts + {{- range $.Values.resourcePolicies.WithoutResource.apiGroups }} + - {{ . | quote }} + {{- end }} apiVersions: - v1 operations: diff --git a/charts/k8s-shield/values.yaml b/charts/k8s-shield/values.yaml index 0e8ef51f..5522e062 100644 --- a/charts/k8s-shield/values.yaml +++ b/charts/k8s-shield/values.yaml @@ -46,8 +46,15 @@ resourcePolicies: # This policy ensures that deployments specify resource lim - deployments - statefulsets - rollouts + apiGroups: + - apps + - rollout.k8s.io limitResourcePolicy: # This sub-policy enforces the restriction on resource limits and requests. If maxCPU and maxMemory are not defined, they default to 1000m and 2Gi respectively. enabled: true + apiGroups: + - "" + - apps + - argoproj.io namespaces: - devtroncd - argo @@ -86,8 +93,12 @@ readinessAndLivenessPolicy: - deployments - statefulsets - rollouts + apiGroups: + - apps + - argoproj.io validationActions: #By default value is DENY - Deny + podSecurityPolicy: enabled: false # Enable/disable the Pod Security Policy allowrunAsNonRoot: false # Allow run as non-root user for better security 
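Review bot: The readiness/liveness policy replaces the broken single-string `["apps,argoproj.io"]` with a range over `$.Values.resourcePolicies.WithoutResource.apiGroups`, but that list (`apps`, `rollout.k8s.io`) is a different policy's configuration and does not contain the `argoproj.io` group that `readinessAndLivenessPolicy.apiGroups` in the values hunk below defines, so Argo Rollouts still will not be matched. The range should be `{{- range $.Values.readinessAndLivenessPolicy.apiGroups }}` so that the per-policy list this commit adds is actually consumed. The rest of this file's `resourceRules` and its validations are outside the hunk.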
@@ -105,6 +116,11 @@ podSecurityPolicy: - statefulsets - rollouts - cronjobs + apiGroups: + - "" + - apps + - batch + - rollout.k8s.io containerSecurityPolicy: enabled: false # Enable/disable the container Security Policy allowrunAsNonRoot: false # Allow run as non-root user for better security @@ -122,4 +138,10 @@ containerSecurityPolicy: - statefulsets - rollouts - cronjobs + apiGroups: + - "" + - apps + - batch + - rollout.k8s.io + From 8c346f25031bd39ac18e01e6d92768de8c6fcb97 Mon Sep 17 00:00:00 2001 From: Neha Sharma Date: Thu, 28 Nov 2024 11:51:06 +0530 Subject: [PATCH 15/22] add bypass labeles --- .../container-security-context-policy.yaml | 6 ++++++ .../templates/pod-security-context-policy.yaml | 2 +- ...ict-admin-cluster-role-creation-policy.yaml | 4 ++-- ...ing-with-cluster-admin-creation-policy.yaml | 6 ++---- .../restrict-limit-resource-policy.yaml | 6 ++++-- .../restrict-loadbalance-creation.yaml | 4 ++-- .../restrict-pvc-creation-policy.yaml | 18 +++++++----------- ...rict-without-readiness-liveness-policy.yaml | 10 ++++++++-- .../restrict-without-resource-policy.yaml | 4 ++-- charts/k8s-shield/values.yaml | 7 +++++-- 10 files changed, 39 insertions(+), 28 deletions(-) diff --git a/charts/k8s-shield/templates/container-security-context-policy.yaml b/charts/k8s-shield/templates/container-security-context-policy.yaml index e19501fd..bb152c53 100644 --- a/charts/k8s-shield/templates/container-security-context-policy.yaml +++ b/charts/k8s-shield/templates/container-security-context-policy.yaml 
@@ -23,6 +23,8 @@ spec: {{- end }} scope: '*' validations: + - expression: "object.kind != 'Pod' || has(object.metadata.labels) && object.metadata.labels['business-unit'] == 'finance'" + message: "Pods must have a 'business-unit: finance' label" - expression: "object.kind != 'Pod' || object.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == {{ .Values.containerSecurityPolicy.allowrunAsNonRoot }})" message: "All containers must set runAsNonRoot to {{ .Values.containerSecurityPolicy.allowrunAsNonRoot }}" - expression: "object.kind != 'Pod' || object.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.readOnlyRootFilesystem) && c.securityContext.readOnlyRootFilesystem == {{ .Values.containerSecurityPolicy.allowreadOnlyRootFilesystem }})" 
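Review bot: The new first validation is a hard requirement, not a bypass: `object.kind != 'Pod' || has(labels) && labels['business-unit'] == 'finance'` denies every Pod that lacks a `business-unit: finance` label, and with `scope: '*'` and `failurePolicy: Fail` (visible at the top of this file in the later patch) that blocks all unlabeled Pods across whatever namespaces the binding matches once the policy is enabled. The key is also hard-coded as `business-unit`, whereas the `bypassLabel.key` this same commit introduces is `businessUnit`, so the two mechanisms cannot agree. If the intent was an opt-out, the label test belongs OR'ed into each securityContext validation, e.g. `"(has(object.metadata.labels) && '{{ .Values.bypassLabel.key }}' in object.metadata.labels && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}') || object.kind != 'Pod' || …"`. Note too that indexing `labels['business-unit']` on a Pod that has labels but not that key is a CEL missing-key error, which surfaces as a deny with an evaluation-error message rather than the friendly one; the `in` guard above avoids that. The same three issues apply to the workload and CronJob hunks that follow.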
@@ -31,6 +33,8 @@ spec: message: "All containers must set allowPrivilegeEscalation to {{ .Values.containerSecurityPolicy.allowPrivilegeEscalation }}" - expression: "object.kind != 'Pod' || object.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.privileged) || c.securityContext.privileged == {{ .Values.containerSecurityPolicy.allowprivileged }})" message: "All containers must set privileged to {{ .Values.containerSecurityPolicy.allowprivileged }}" + - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || has(object.metadata.labels) && object.metadata.labels['business-unit'] == 'finance'" + message: "Workload resources must have a 'business-unit: finance' label" - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == {{ .Values.containerSecurityPolicy.allowrunAsNonRoot }})" message: "All workload containers must set runAsNonRoot to {{ .Values.containerSecurityPolicy.allowrunAsNonRoot }}" - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.readOnlyRootFilesystem) && c.securityContext.readOnlyRootFilesystem == {{ .Values.containerSecurityPolicy.allowreadOnlyRootFilesystem }})" 
@@ -39,6 +43,8 @@ spec: message: "All workload containers must set allowPrivilegeEscalation to {{ .Values.containerSecurityPolicy.allowPrivilegeEscalation }}" - expression: "['Deployment', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.privileged) || c.securityContext.privileged == {{ .Values.containerSecurityPolicy.allowprivileged }})" message: "All workload containers must set privileged to {{ .Values.containerSecurityPolicy.allowprivileged }}" + - expression: "object.kind != 'CronJob' || has(object.metadata.labels) && object.metadata.labels['business-unit'] == 'finance'" + message: "CronJobs must have a 'business-unit: finance' label" - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == {{ .Values.containerSecurityPolicy.allowrunAsNonRoot }})" message: "All CronJob containers must set runAsNonRoot to {{ .Values.containerSecurityPolicy.allowrunAsNonRoot }}" - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.readOnlyRootFilesystem) && c.securityContext.readOnlyRootFilesystem == {{ .Values.containerSecurityPolicy.allowreadOnlyRootFilesystem }})" diff --git a/charts/k8s-shield/templates/pod-security-context-policy.yaml b/charts/k8s-shield/templates/pod-security-context-policy.yaml index b32641bb..0f02c26e 100644 --- a/charts/k8s-shield/templates/pod-security-context-policy.yaml +++ b/charts/k8s-shield/templates/pod-security-context-policy.yaml @@ -58,4 +58,4 @@ spec: {{- range .Values.podSecurityPolicy.validationActions }} - {{ . }} {{- end }} -{{- end }} +{{- end }} \ No newline at end of file 
diff --git a/charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml b/charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml index 046458a7..a615b4c2 100644 --- a/charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml +++ b/charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml @@ -21,14 +21,14 @@ spec: - clusterroles scope: '*' validations: - - expression: "!has(object.rules) || object.rules.all(rule, + - expression: "(has(object.metadata.labels) && object.metadata.labels.exists(l, l == '{{ .Values.bypassLabel.key }}') && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}') || !has(object.rules) || object.rules.all(rule, !(rule.apiGroups.exists(g, g == '*') && rule.resources.exists(r, r == '*') && rule.verbs.exists(v, v == '*')) && !(rule.nonResourceURLs.exists(u, u == '*') && rule.verbs.exists(v, v == '*')) )" - message: Deny Creation of ClusterRole with admin access + message: "Creation of ClusterRole with admin access is denied, set label {{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }} to allow." --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding diff --git a/charts/k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml b/charts/k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml index dabe2968..51ce1fbc 100644 --- a/charts/k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml +++ b/charts/k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml 
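Review bot: The bypass added to the ClusterRole validation is controlled by the requester: anyone permitted to create ClusterRoles can put `businessUnit: finance` in `metadata.labels` of the object they submit and the wildcard-rule check is skipped, so a control meant to stop cluster-admin-equivalent roles becomes advisory. A bypass should key on something the caller cannot forge — the identity in `request.userInfo` — for example a `matchConditions` entry such as `expression: "!('platform-admins' in request.userInfo.groups)"` (group name illustrative; make it a value), with the object label at most as a secondary, audited signal. If the label route is kept, pair it with an `Audit` validation action so every bypassed creation is recorded. Minor: `labels.exists(l, l == key)` iterates map keys and works, but `'{{ .Values.bypassLabel.key }}' in object.metadata.labels` is the idiomatic and cheaper CEL form.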
@@ -21,10 +21,8 @@ spec: - clusterrolebindings scope: '*' validations: - - expression: "!(object.roleRef.apiGroup == 'rbac.authorization.k8s.io' && - object.roleRef.kind == 'ClusterRole' && - object.roleRef.name == 'cluster-admin')" - message: "Binding to the cluster-admin ClusterRole is not allowed due to security policy." + - expression: "(has(object.metadata.labels) && object.metadata.labels.exists(l, l == '{{ .Values.bypassLabel.key }}') && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}') || !(object.roleRef.apiGroup == 'rbac.authorization.k8s.io' && object.roleRef.kind == 'ClusterRole' && object.roleRef.name == 'cluster-admin')" + message: "Binding to the cluster-admin ClusterRole is bypassed by security policy, set label {{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }} allow" --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding diff --git a/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml b/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml index 6f160ef4..dc2d3e70 100644 --- a/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml +++ b/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml @@ -36,6 +36,7 @@ spec: scope: Namespaced validations: - expression: |- + (has(object.metadata.labels) && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}') has(object.spec.template) ? ( !has(object.spec.template.spec.containers[0].resources.limits) || ( 
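Review bot: Allowing a `cluster-admin` ClusterRoleBinding to pass because the binding itself carries `businessUnit: finance` gives the bypass to whoever is creating the binding, which is the principal this policy is supposed to constrain; the check should be on `request.userInfo` (username or groups) rather than on a label the requester writes. The new message also reads as if the action succeeded — "is bypassed by security policy … allow" — and is emitted only on denial; `message: "Binding to the cluster-admin ClusterRole is denied; set label {{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }} to allow."` states what happened. Consider `Audit` alongside `Deny` so bypassed bindings leave an audit-log trail.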
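Review bot: The bypass line inserted at the top of the `|-` expression in restrict-limit-resource-policy.yaml is not joined to what follows: `(has(object.metadata.labels) && …)` is immediately followed on the next line by `has(object.spec.template) ? (`, with no operator between them, so the CEL expression no longer parses and the policy will fail to compile (under `failurePolicy: Fail` that, as far as I recall, rejects every request the binding matches). The fix is to end the added line with the disjunction: `(has(object.metadata.labels) && '{{ .Values.bypassLabel.key }}' in object.metadata.labels && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}') ||`. The `in` guard also avoids a missing-key evaluation error on objects that have labels but not this one. The remainder of the expression and the ternary it opens are outside this hunk.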
@@ -53,12 +54,13 @@ spec: quantity(object.spec.containers[0].resources.limits.memory).compareTo(quantity('{{ $maxMemory }}')) <= 0) ) ) - message: "Resource limits exceed the maximum allowed. CPU must be <= {{ $maxCPU }} and memory must be <= {{ $maxMemory }}." + message: "Resource limits exceed the maximum allowed: CPU <= {{ $maxCPU }} and memory <= {{ $maxMemory }}, set label {{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }} to allow" --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: - name: {{ include "policychart.fullname" . }}-restrict-resource-limits-binding + name: {{ include "policychart.fullname" + . }}-restrict-resource-limits-binding spec: policyName: {{ include "policychart.fullname" . }}-restrict-resource-limits validationActions: diff --git a/charts/k8s-shield/templates/restrict-loadbalance-creation.yaml b/charts/k8s-shield/templates/restrict-loadbalance-creation.yaml index 810dd33c..171ac832 100644 --- a/charts/k8s-shield/templates/restrict-loadbalance-creation.yaml +++ b/charts/k8s-shield/templates/restrict-loadbalance-creation.yaml @@ -28,8 +28,8 @@ spec: - services scope: Namespaced validations: - - expression: object.spec.type != 'LoadBalancer' - message: Creation of Services with type LoadBalancer is not allowed. + - expression: "object.spec.type == 'LoadBalancer' && has(object.metadata.labels) && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}'" + message: "Creation of Services with type LoadBalancer is not allowed, set label {{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }} to allow." --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding diff --git a/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml b/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml index 1589ff3a..f2f08131 100644 --- a/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml 
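Review bot: The rewritten LoadBalancer validation is inverted: `object.spec.type == 'LoadBalancer' && has(labels) && labels[…] == …` is true only for a labelled LoadBalancer Service, so every ClusterIP, NodePort or ExternalName Service in the matched namespaces is now denied on CREATE/UPDATE with a message about LoadBalancers, and an unlabelled LoadBalancer is denied as intended only by accident. The condition should be the allowed cases: `expression: "object.spec.type != 'LoadBalancer' || (has(object.metadata.labels) && '{{ .Values.bypassLabel.key }}' in object.metadata.labels && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}')"`. A rendered-policy test creating a plain ClusterIP Service in one of the listed namespaces would have caught this.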
+++ b/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml @@ -17,17 +17,14 @@ spec: {{- end }} objectSelector: {} resourceRules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - CREATE - - UPDATE + - apiGroups: [""] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] scope: Namespaced + resources: ["persistentvolumeclaims"] validations: - - expression: "false" - message: Creation of PersistentVolumeClaims is not allowed. + - expression: "has(object.metadata.labels) && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}'" + message: " Creation of PersistentVolumeClaims is not allowed,set label {{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }} to allow" --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding @@ -43,5 +40,4 @@ spec: {{- range .Values.pvcCreationPolicy.validationActions }} - {{ . }} {{- end }} -{{- end }} - +{{- end }} \ No newline at end of file diff --git a/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml b/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml index 67cb317b..a25addf1 100644 --- a/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml +++ b/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml 
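Review bot: Adding `resources: ["persistentvolumeclaims"]` makes this rule match for the first time, and the new expression denies every matched PVC that lacks the bypass label — including UPDATE, which is still in `operations`. Any pre-existing PVC in the listed namespaces that has no `businessUnit: finance` label will now fail updates, and as far as I know controller-driven changes such as finalizer or annotation edits arrive as UPDATEs, so this can wedge existing volumes rather than just block new ones; restricting the rule to CREATE, or comparing against `oldObject` so existing objects are grandfathered, avoids that. Indexing `labels['{{ .Values.bypassLabel.key }}']` when the key is absent is also a CEL missing-key error, so guard it with `'{{ .Values.bypassLabel.key }}' in object.metadata.labels &&`. The binding that follows is partly outside this hunk.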
@@ -31,8 +31,14 @@ spec: {{- end }} scope: Namespaced validations: - - expression: "object.spec.template.spec.containers.all(c, has(c.readinessProbe) && has(c.livenessProbe))" - message: "All containers in the deployment must have both a readiness probe and a liveness probe defined." + - expression: > + (has(object.metadata.labels) && + object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}') || + object.spec.template.spec.containers.all(container, + has(container.readinessProbe) && + has(container.livenessProbe) + ) + message: "Deployments without readiness and liveness probes are only allowed for '{{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }}'. " --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding diff --git a/charts/k8s-shield/templates/restrict-without-resource-policy.yaml b/charts/k8s-shield/templates/restrict-without-resource-policy.yaml index 32b05d05..17519dc9 100644 --- a/charts/k8s-shield/templates/restrict-without-resource-policy.yaml +++ b/charts/k8s-shield/templates/restrict-without-resource-policy.yaml 
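Review bot: `object.metadata.labels['{{ .Values.bypassLabel.key }}']` is evaluated whenever the object has any labels at all, and CEL raises a missing-key error when this particular key is absent; under `failurePolicy: Fail` the request is still denied, but with an evaluation-error text instead of the message below, which makes the policy look broken to users. Add the membership test before the index: `'{{ .Values.bypassLabel.key }}' in object.metadata.labels &&`. The message also says "Deployments" while this policy's `resources` list in values covers statefulsets and rollouts too; `"Workloads without readiness and liveness probes are only allowed with label '{{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }}'."` is accurate for all of them. The binding after the `---` continues beyond this hunk.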
@@ -32,8 +32,8 @@ spec: {{- end }} scope: Namespaced validations: - - expression: "object.spec.template.spec.containers.all(c, has(c.resources) && has(c.resources.requests) && has(c.resources.limits) && has(c.resources.requests.cpu) && has(c.resources.requests.memory) && has(c.resources.limits.cpu) && has(c.resources.limits.memory))" - message: "All containers must have both CPU and memory requests and limits specified." + - expression: "(has(object.metadata.labels) && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}') || object.spec.template.spec.containers.all(c, has(c.resources) && has(c.resources.requests) && has(c.resources.limits) && has(c.resources.requests.cpu) && has(c.resources.requests.memory) && has(c.resources.limits.cpu) && has(c.resources.limits.memory))" + message: "All Containers without CPU and memory's requests and limits are only allowed for '{{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }}'." --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding diff --git a/charts/k8s-shield/values.yaml b/charts/k8s-shield/values.yaml index 5522e062..f25b88d5 100644 --- a/charts/k8s-shield/values.yaml +++ b/charts/k8s-shield/values.yaml @@ -1,6 +1,9 @@ +bypassLabel: + key : businessUnit + value: finance pvcCreationPolicy: # This policy prevents the creation of Persistent Volume Claims (PVCs) in the specified namespaces. - enabled: false + enabled: true namespaces: - devtroncd - argo @@ -50,7 +53,7 @@ resourcePolicies: # This policy ensures that deployments specify resource lim - apps - rollout.k8s.io limitResourcePolicy: # This sub-policy enforces the restriction on resource limits and requests. If maxCPU and maxMemory are not defined, they default to 1000m and 2Gi respectively. - enabled: true + enabled: false apiGroups: - "" - apps From 4befc0966839db19f5200a31e5b26d0ede4d0269 Mon Sep 17 00:00:00 2001 
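Review bot: The resource-requirement check only walks `spec.template.spec.containers`, so init containers — which can be long-running with `restartPolicy: Always` and consume node resources just the same — are never required to declare requests or limits, leaving a straightforward way around the policy. Append the same predicate over init containers: `&& (!has(object.spec.template.spec.initContainers) || object.spec.template.spec.initContainers.all(c, has(c.resources) && has(c.resources.requests) && has(c.resources.limits) && has(c.resources.requests.cpu) && has(c.resources.requests.memory) && has(c.resources.limits.cpu) && has(c.resources.limits.memory)))`. As in the other policies, guard the label index with `'{{ .Values.bypassLabel.key }}' in object.metadata.labels &&` so a labelled object without this key yields the intended message rather than a CEL missing-key error. The `values.yaml` hunk after this one also writes `key : businessUnit` with a space before the colon; it parses, but the later patch normalises it.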
From: Neha Sharma Date: Fri, 29 Nov 2024 15:58:13 +0530 Subject: [PATCH 16/22] update the chart name --- charts/k8s-shield/Chart.yaml | 12 +- .../container-security-context-policy.yaml | 6 +- .../pod-security-context-policy.yaml | 8 +- ...restrict-loadbalance-creation-policy.yaml} | 6 +- .../restrict-namespace-deletion-policy.yaml | 6 +- .../restrict-pvc-creation-policy.yaml | 8 +- ...ict-without-readiness-liveness-policy.yaml | 6 +- .../restrict-without-resource-policy.yaml | 6 +- charts/k8s-shield/values.yaml | 154 ++++++++++-------- 9 files changed, 113 insertions(+), 99 deletions(-) rename charts/k8s-shield/templates/{restrict-loadbalance-creation.yaml => restrict-loadbalance-creation-policy.yaml} (84%) diff --git a/charts/k8s-shield/Chart.yaml b/charts/k8s-shield/Chart.yaml index 62bb21e6..1d37c001 100644 --- a/charts/k8s-shield/Chart.yaml +++ b/charts/k8s-shield/Chart.yaml @@ -1,17 +1,11 @@ apiVersion: v2 appVersion: 1.0.0 description: A Helm chart for Kubernetes admission policies -name: policychart +name: k8s-shield type: application version: 0.1.0 maintainers: - email: devops@devtron.ai name: Devtron Devops Team - - - - - - - - \ No newline at end of file +- email: neha.sharma@devtron.ai + name: Neha Sharma diff --git a/charts/k8s-shield/templates/container-security-context-policy.yaml b/charts/k8s-shield/templates/container-security-context-policy.yaml index bb152c53..b36af705 100644 --- a/charts/k8s-shield/templates/container-security-context-policy.yaml +++ b/charts/k8s-shield/templates/container-security-context-policy.yaml @@ -2,7 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: - name: "{{ include "policychart.fullname" . }}-container-security-policy" + name: "{{ include "policychart.fullname" . }}-container-security" spec: failurePolicy: Fail matchConstraints: 
@@ -57,9 +57,9 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: - name: {{ include "policychart.fullname" . }}-container-security-policy-binding + name: {{ include "policychart.fullname" . }}-container-security-binding spec: - policyName: {{ include "policychart.fullname" . }}-container-security-policy + policyName: {{ include "policychart.fullname" . }}-container-security validationActions: {{- range .Values.containerSecurityPolicy.validationActions }} - {{ . }} diff --git a/charts/k8s-shield/templates/pod-security-context-policy.yaml b/charts/k8s-shield/templates/pod-security-context-policy.yaml index 0f02c26e..1f814c6d 100644 --- a/charts/k8s-shield/templates/pod-security-context-policy.yaml +++ b/charts/k8s-shield/templates/pod-security-context-policy.yaml @@ -2,7 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: - name: "{{ include "policychart.fullname" . }}-pod-security-policy" + name: "{{ include "policychart.fullname" . }}-pod-security" spec: failurePolicy: Fail matchConstraints: @@ -51,11 +51,11 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: - name: {{ include "policychart.fullname" . }}-pod-security-policy-binding + name: {{ include "policychart.fullname" . }}-pod-security-binding spec: - policyName: {{ include "policychart.fullname" . }}-pod-security-policy + policyName: {{ include "policychart.fullname" . }}-pod-security validationActions: {{- range .Values.podSecurityPolicy.validationActions }} - {{ . }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} 
diff --git a/charts/k8s-shield/templates/restrict-loadbalance-creation.yaml b/charts/k8s-shield/templates/restrict-loadbalance-creation-policy.yaml similarity index 84% rename from charts/k8s-shield/templates/restrict-loadbalance-creation.yaml rename to charts/k8s-shield/templates/restrict-loadbalance-creation-policy.yaml index 171ac832..5331b463 100644 --- a/charts/k8s-shield/templates/restrict-loadbalance-creation.yaml +++ b/charts/k8s-shield/templates/restrict-loadbalance-creation-policy.yaml @@ -3,7 +3,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: - name: {{ include "policychart.fullname" . }}-deny-loadbalancer-creation + name: {{ include "policychart.fullname" . }}-restrict-loadbalancer-creation spec: failurePolicy: Fail matchConstraints: @@ -34,13 +34,13 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: - name: {{ include "policychart.fullname" . }}-deny-loadbalancer-creation-binding + name: {{ include "policychart.fullname" . }}-restrict-loadbalancer-creation-binding spec: matchResources: matchPolicy: Equivalent namespaceSelector: {} objectSelector: {} - policyName: {{ include "policychart.fullname" . }}-deny-loadbalancer-creation + policyName: {{ include "policychart.fullname" . }}-restrict-loadbalancer-creation validationActions: {{- range .Values.loadBalancerCreationPolicy.validationActions }} - {{ . }} diff --git a/charts/k8s-shield/templates/restrict-namespace-deletion-policy.yaml b/charts/k8s-shield/templates/restrict-namespace-deletion-policy.yaml index 251e56ad..ceb7bfb3 100644 --- a/charts/k8s-shield/templates/restrict-namespace-deletion-policy.yaml +++ b/charts/k8s-shield/templates/restrict-namespace-deletion-policy.yaml 
@@ -3,7 +3,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: - name: {{ include "policychart.fullname" . }}-deny-namespace-deletion + name: {{ include "policychart.fullname" . }}-restrict-namespace-deletion spec: failurePolicy: Fail matchConstraints: @@ -31,13 +31,13 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: - name: {{ include "policychart.fullname" . }}-deny-namespace-deletion-binding + name: {{ include "policychart.fullname" . }}-restrict-namespace-deletion-binding spec: matchResources: matchPolicy: Equivalent namespaceSelector: {} objectSelector: {} - policyName: {{ include "policychart.fullname" . }}-deny-namespace-deletion + policyName: {{ include "policychart.fullname" . }}-restrict-namespace-deletion validationActions: {{- range .Values.namespaceDeletionPolicy.validationActions }} - {{ . }} diff --git a/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml b/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml index f2f08131..d2d5f856 100644 --- a/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml +++ b/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml @@ -2,7 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: - name: {{ include "policychart.fullname" . }}-deny-pvc-creation + name: {{ include "policychart.fullname" . }}-restrict-pvc-creation spec: failurePolicy: Fail matchConstraints: 
@@ -29,15 +29,15 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: - name: {{ include "policychart.fullname" . }}-deny-pvc-creation-binding + name: {{ include "policychart.fullname" . }}-restrict-pvc-creation-binding spec: matchResources: matchPolicy: Equivalent namespaceSelector: {} objectSelector: {} - policyName: {{ include "policychart.fullname" . }}-deny-pvc-creation + policyName: {{ include "policychart.fullname" . }}-restrict-pvc-creation validationActions: {{- range .Values.pvcCreationPolicy.validationActions }} - {{ . }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml b/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml index a25addf1..afac8e57 100644 --- a/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml +++ b/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml @@ -2,7 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: - name: {{ include "policychart.fullname" . }}-deny-without-readiness-liveness + name: {{ include "policychart.fullname" . }}-restrict-without-readiness-liveness spec: failurePolicy: Fail matchConstraints: @@ -43,9 +43,9 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: - name: {{ include "policychart.fullname" . }}-deny-without-readiness-liveness + name: {{ include "policychart.fullname" . }}-restrict-without-readiness-liveness spec: - policyName: {{ include "policychart.fullname" . }}-deny-without-readiness-liveness + policyName: {{ include "policychart.fullname" . }}-restrict-without-readiness-liveness validationActions: {{- range $.Values.readinessAndLivenessPolicy.validationActions }} - {{ . }} 
diff --git a/charts/k8s-shield/templates/restrict-without-resource-policy.yaml b/charts/k8s-shield/templates/restrict-without-resource-policy.yaml index 17519dc9..5c91c1c5 100644 --- a/charts/k8s-shield/templates/restrict-without-resource-policy.yaml +++ b/charts/k8s-shield/templates/restrict-without-resource-policy.yaml @@ -2,7 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: - name: {{ include "policychart.fullname" . }}-deny-without-resources + name: {{ include "policychart.fullname" . }}-restrict-without-resources spec: failurePolicy: Fail matchConstraints: @@ -38,13 +38,13 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: - name: {{ include "policychart.fullname" . }}-deny-without-resources-binding + name: {{ include "policychart.fullname" . }}-restrict-without-resources-binding spec: matchResources: matchPolicy: Equivalent namespaceSelector: {} objectSelector: {} - policyName: {{ include "policychart.fullname" . }}-deny-without-resources + policyName: {{ include "policychart.fullname" . }}-restrict-without-resources validationActions: {{- range $.Values.resourcePolicies.WithoutResource.validationActions }} - {{ . }} diff --git a/charts/k8s-shield/values.yaml b/charts/k8s-shield/values.yaml index f25b88d5..f02fd260 100644 --- a/charts/k8s-shield/values.yaml +++ b/charts/k8s-shield/values.yaml 
@@ -1,150 +1,170 @@ +# bypassLabel defines a label with a key-value pair to bypass certain restrictions. bypassLabel: - key : businessUnit + key: businessUnit value: finance + +# pvcCreationPolicy controls the creation of Persistent Volume Claims (PVCs). +# If enabled, it restricts PVC creation in specified namespaces. pvcCreationPolicy: - # This policy prevents the creation of Persistent Volume Claims (PVCs) in the specified namespaces. - enabled: true - namespaces: + enabled: true # If true, the policy prevents PVC creation in specified namespaces. + namespaces: # List of namespaces where the policy applies. - devtroncd - argo - validationActions: #By default value is DENY + validationActions: - Deny + +# namespaceDeletionPolicy restricts the deletion of namespaces. +# When enabled, it prevents deletion of namespaces in specified namespaces. namespaceDeletionPolicy: - # This policy ristrict the deletion of namespaces to prevent. - enabled: false - namespaces: + enabled: false # If true, this policy restricts the deletion of namespaces. + namespaces: # List of namespaces where the policy applies. - devtroncd - argo - validationActions: #By default value is DENY + validationActions: - Deny + +# loadBalancerCreationPolicy restricts the creation of LoadBalancer type services. +# This policy prevents creating LoadBalancer services in the specified namespaces. loadBalancerCreationPolicy: - # This policy blocks the creation of LoadBalancer type services in the specified namespaces. - enabled: false - namespaces: + enabled: false # If true, the policy blocks creation of LoadBalancer type services. + namespaces: # List of namespaces where the policy applies. - devtroncd - argo - validationActions: #By default value is DENY + validationActions: - Deny + +# appDeletionPolicy prevents the deletion of applications within specified namespaces. +# If enabled, applications cannot be deleted in the listed namespaces. 
appDeletionPolicy: - # This policy prevents the deletion of applications within the specified namespaces. - enabled: false - namespaces: + enabled: false # If true, this policy restricts application deletion. + namespaces: # List of namespaces where the policy applies. - devtroncd - argo - validationActions: #By default value is DENY + validationActions: - Deny -resourcePolicies: # This policy ensures that deployments specify resource limits and requests, enforcing resource constraints on all pods. + +# resourcePolicies enforce the specification of resource requests and limits for deployments, statefulsets, etc. +# The policy ensures resource constraints on all pods in the specified namespaces. +resourcePolicies: WithoutResource: - enabled: false - namespaces: + enabled: false # If true, this policy enforces that deployments have resource requests and limits. + namespaces: # List of namespaces where the policy applies. - devtroncd - argo - validationActions: #By default value is DENY + validationActions: - Deny - operations: + operations: - CREATE - UPDATE - resources: # By default values + resources: - pods - deployments - statefulsets - rollouts - apiGroups: + apiGroups: - apps - rollout.k8s.io - limitResourcePolicy: # This sub-policy enforces the restriction on resource limits and requests. If maxCPU and maxMemory are not defined, they default to 1000m and 2Gi respectively. - enabled: false - apiGroups: - - "" + + limitResourcePolicy: + enabled: false # If true, this sub-policy enforces resource limits for deployments. + apiGroups: # API groups where the policy applies. + - "" - apps - argoproj.io - namespaces: + namespaces: - devtroncd - argo - operations: + operations: - CREATE - UPDATE - resources: # By default values + resources: - pods - deployments - statefulsets - rollouts - maxCPULimit: "1000m" - maxMemoryLimit: "2Gi" - validationActions: #By default value is DENY + maxCPULimit: "1000m" # Maximum CPU limit if not specified. Default is 1000m. 
+ maxMemoryLimit: "2Gi" # Maximum memory limit if not specified. Default is 2Gi. + validationActions: - Deny + +# adminClusterRoleCreation prevents the creation of new roles and cluster roles with admin access in the cluster. adminClusterRoleCreation: - # This policy prohibits the creation of new roles and cluster-role within the cluster. - enabled: false - validationActions: #By default value is DENY - - Deny + enabled: false # If true, this policy prevents creation of new roles and cluster roles. + validationActions: + +# cLusterRoleBindingCreation prevents the creation of clusterRoleBindings with cluster-admin access. cLusterRoleBindingCreation: - # This policy prohibits the creation of clusterRoleBinding with the cluster-admin access - enabled: false - validationActions: #By default value is DENY + enabled: false # If true, this policy prevents creation of clusterRoleBindings with admin access. + validationActions: # Defines the actions when the policy is violated. Default is DENY. - Deny + +# readinessAndLivenessPolicy ensures that readiness and liveness probes are defined for containers. +# This ensures that pods are only considered healthy when they pass the defined probes. readinessAndLivenessPolicy: -# Policy for ensuring readiness and liveness probes are defined for containers - enabled: false - namespaces: + enabled: false # If true, this policy ensures readiness and liveness probes are defined. + namespaces: # List of namespaces where the policy applies. - devtroncd - argo - operations: + operations: - CREATE - UPDATE - resources: + resources: - deployments - statefulsets - rollouts - apiGroups: + apiGroups: - apps - argoproj.io - validationActions: #By default value is DENY + validationActions: - Deny +# podSecurityPolicy ensures that security-related best practices are followed for Pods. +# For example, it restricts the use of privileged containers and ensures read-only file systems. 
podSecurityPolicy: - enabled: false # Enable/disable the Pod Security Policy - allowrunAsNonRoot: false # Allow run as non-root user for better security - allowreadOnlyRootFilesystem: false # allow root filesystem read-only to prevent runtime modifications - allowPrivilegeEscalation: false # Prevent processes from gaining more privileges than their parent - allowprivileged: false # Disable privileged mode to limit container capabilities on the host - validationActions: #By default value is DENY + enabled: false # If true, the Pod Security Policy is enabled. + allowrunAsNonRoot: false # Prevent containers from running as root. + allowreadOnlyRootFilesystem: false # Ensure the root filesystem is not writable. + allowPrivilegeEscalation: false # Prevent processes from gaining more privileges than their parent. + allowprivileged: false # Disables privileged mode for containers. + validationActions: # Defines the actions when the policy is violated. Default is DENY. - Deny - operations: + operations: - CREATE - UPDATE - resources: # By default values + resources: - pods - deployments - statefulsets - rollouts - cronjobs - apiGroups: + apiGroups: - "" - apps - batch - rollout.k8s.io + +# containerSecurityPolicy defines security best practices for containers within Pods. +# It ensures that containers adhere to security policies for non-root execution, file system access, and privilege escalation. containerSecurityPolicy: - enabled: false # Enable/disable the container Security Policy - allowrunAsNonRoot: false # Allow run as non-root user for better security - allowreadOnlyRootFilesystem: false # allow root filesystem read-only to prevent runtime modifications - allowPrivilegeEscalation: false # Prevent processes from gaining more privileges than their parent - allowprivileged: false # Disable privileged mode to limit container capabilities on the host - validationActions: #By default value is DENY + enabled: false # If true, the container security policy is enabled. 
+ allowrunAsNonRoot: false # Prevent containers from running as root. + allowreadOnlyRootFilesystem: false # Ensure the root filesystem is not writable. + allowPrivilegeEscalation: false # Prevent processes from gaining more privileges than their parent. + allowprivileged: false # Disable privileged mode to limit container capabilities on the host. + validationActions: # Defines the actions when the policy is violated. Default is DENY. - Deny - operations: + operations: - CREATE - UPDATE - resources: # By default values + resources: - pods - deployments - statefulsets - rollouts - cronjobs - apiGroups: + apiGroups: - "" - apps - batch - rollout.k8s.io - From efb5ed00d57cb2b604ad29526911e8ca7d617f7e Mon Sep 17 00:00:00 2001 From: Neha Sharma Date: Fri, 29 Nov 2024 16:07:48 +0530 Subject: [PATCH 17/22] update the chart name --- charts/k8s-shield/templates/_helpers.tpl | 4 ++-- .../templates/container-security-context-policy.yaml | 6 +++--- .../k8s-shield/templates/pod-security-context-policy.yaml | 6 +++--- .../restrict-admin-cluster-role-creation-policy.yaml | 6 +++--- .../templates/restrict-application-deletion-policy.yaml | 6 +++--- ...ster-rolebinding-with-cluster-admin-creation-policy.yaml | 6 +++--- .../templates/restrict-limit-resource-policy.yaml | 6 +++--- .../templates/restrict-loadbalance-creation-policy.yaml | 6 +++--- .../templates/restrict-namespace-deletion-policy.yaml | 6 +++--- .../k8s-shield/templates/restrict-pvc-creation-policy.yaml | 6 +++--- .../restrict-without-readiness-liveness-policy.yaml | 6 +++--- .../templates/restrict-without-resource-policy.yaml | 6 +++--- 12 files changed, 35 insertions(+), 35 deletions(-) diff --git a/charts/k8s-shield/templates/_helpers.tpl b/charts/k8s-shield/templates/_helpers.tpl index 8c899887..fd2ec1af 100644 --- a/charts/k8s-shield/templates/_helpers.tpl +++ b/charts/k8s-shield/templates/_helpers.tpl 
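Review bot: `adminClusterRoleCreation.validationActions:` is left with no entries on the new side (the `- Deny` item was removed and not re-added), so once `enabled: true` the binding template's `range` renders an empty `validationActions`, which I believe the API server rejects as a required, non-empty field; restore `- Deny` under it as every other stanza has. The `WithoutResource`, `podSecurityPolicy` and `containerSecurityPolicy` stanzas list the API group `rollout.k8s.io` for `rollouts`, while `limitResourcePolicy` and `readinessAndLivenessPolicy` use `argoproj.io` for the same resource; the group is part of the match rule, so a wrong group silently leaves Rollouts unpoliced — pick one and verify it against the installed CRD. The inline comment `allowrunAsNonRoot: false # Prevent containers from running as root.` reads as the opposite of the key name; say what each value does once checked against the template (not in this hunk), e.g. `# false: workloads must run as non-root; true: running as root is permitted`.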
@@ -1,8 +1,8 @@ -{{- define "policychart.name" -}} +{{- define "k8s-shield.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} -{{- define "policychart.fullname" -}} +{{- define "k8s-shield.fullname" -}} {{- if .Values.fullnameOverride }} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} {{- else }} diff --git a/charts/k8s-shield/templates/container-security-context-policy.yaml b/charts/k8s-shield/templates/container-security-context-policy.yaml index b36af705..28cf3cb4 100644 --- a/charts/k8s-shield/templates/container-security-context-policy.yaml +++ b/charts/k8s-shield/templates/container-security-context-policy.yaml @@ -2,7 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: - name: "{{ include "policychart.fullname" . }}-container-security" + name: "{{ include "k8s-shield.fullname" . }}-container-security" spec: failurePolicy: Fail matchConstraints: @@ -57,9 +57,9 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: - name: {{ include "policychart.fullname" . }}-container-security-binding + name: {{ include "k8s-shield.fullname" . }}-container-security-binding spec: - policyName: {{ include "policychart.fullname" . }}-container-security + policyName: {{ include "k8s-shield.fullname" . }}-container-security validationActions: {{- range .Values.containerSecurityPolicy.validationActions }} - {{ . }} diff --git a/charts/k8s-shield/templates/pod-security-context-policy.yaml b/charts/k8s-shield/templates/pod-security-context-policy.yaml index 1f814c6d..89261d09 100644 --- a/charts/k8s-shield/templates/pod-security-context-policy.yaml +++ b/charts/k8s-shield/templates/pod-security-context-policy.yaml 
@@ -2,7 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: - name: "{{ include "policychart.fullname" . }}-pod-security" + name: "{{ include "k8s-shield.fullname" . }}-pod-security" spec: failurePolicy: Fail matchConstraints: @@ -51,9 +51,9 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: - name: {{ include "policychart.fullname" . }}-pod-security-binding + name: {{ include "k8s-shield.fullname" . }}-pod-security-binding spec: - policyName: {{ include "policychart.fullname" . }}-pod-security + policyName: {{ include "k8s-shield.fullname" . }}-pod-security validationActions: {{- range .Values.podSecurityPolicy.validationActions }} - {{ . }} diff --git a/charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml b/charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml index a615b4c2..029c4014 100644 --- a/charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml +++ b/charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml @@ -2,7 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: - name: {{ include "policychart.fullname" . }}-deny-admin-cluster-role-creation + name: {{ include "k8s-shield.fullname" . }}-deny-admin-cluster-role-creation spec: failurePolicy: Fail matchConstraints: 
@@ -33,13 +33,13 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: - name: {{ include "policychart.fullname" . }}-deny-admin-cluster-role-creation-binding + name: {{ include "k8s-shield.fullname" . }}-deny-admin-cluster-role-creation-binding spec: matchResources: matchPolicy: Equivalent namespaceSelector: {} objectSelector: {} - policyName: {{ include "policychart.fullname" . }}-deny-admin-cluster-role-creation + policyName: {{ include "k8s-shield.fullname" . }}-deny-admin-cluster-role-creation validationActions: {{- range .Values.adminClusterRoleCreation.validationActions }} - {{ . }} diff --git a/charts/k8s-shield/templates/restrict-application-deletion-policy.yaml b/charts/k8s-shield/templates/restrict-application-deletion-policy.yaml index ad5104dd..2eb17c75 100644 --- a/charts/k8s-shield/templates/restrict-application-deletion-policy.yaml +++ b/charts/k8s-shield/templates/restrict-application-deletion-policy.yaml @@ -2,7 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: - name: {{ include "policychart.fullname" . }}-prevent-app-deletion + name: {{ include "k8s-shield.fullname" . }}-prevent-app-deletion spec: failurePolicy: Fail matchConstraints: @@ -33,13 +33,13 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: - name: {{ include "policychart.fullname" . }}-prevent-app-deletion-binding + name: {{ include "k8s-shield.fullname" . }}-prevent-app-deletion-binding spec: matchResources: matchPolicy: Equivalent namespaceSelector: {} objectSelector: {} - policyName: {{ include "policychart.fullname" . }}-prevent-app-deletion + policyName: {{ include "k8s-shield.fullname" . }}-prevent-app-deletion validationActions: {{- range .Values.appDeletionPolicy.validationActions }} - {{ . }} 
diff --git a/charts/k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml b/charts/k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml index 51ce1fbc..ddc129e8 100644 --- a/charts/k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml +++ b/charts/k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml @@ -2,7 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: - name: {{ include "policychart.fullname" . }}-restrict-cluster-role-binding-creation + name: {{ include "k8s-shield.fullname" . }}-restrict-cluster-role-binding-creation spec: failurePolicy: Fail matchConstraints: @@ -27,9 +27,9 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: - name: {{ include "policychart.fullname" . }}-restrict-cluster-role-binding-creation-binding + name: {{ include "k8s-shield.fullname" . }}-restrict-cluster-role-binding-creation-binding spec: - policyName: {{ include "policychart.fullname" . }}-restrict-cluster-role-binding-creation + policyName: {{ include "k8s-shield.fullname" . }}-restrict-cluster-role-binding-creation validationActions: {{- range .Values.cLusterRoleBindingCreation.validationActions }} - {{ . }} diff --git a/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml b/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml index dc2d3e70..085cc6cd 100644 --- a/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml +++ b/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml @@ -4,7 +4,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: - name: {{ include "policychart.fullname" . }}-restrict-resource-limits + name: {{ include "k8s-shield.fullname" . }}-restrict-resource-limits spec: failurePolicy: Fail matchConstraints: 
@@ -59,10 +59,10 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: - name: {{ include "policychart.fullname" + name: {{ include "k8s-shield.fullname" . }}-restrict-resource-limits-binding spec: - policyName: {{ include "policychart.fullname" . }}-restrict-resource-limits + policyName: {{ include "k8s-shield.fullname" . }}-restrict-resource-limits validationActions: {{- range .Values.resourcePolicies.limitResourcePolicy.validationActions }} - {{ . }} diff --git a/charts/k8s-shield/templates/restrict-loadbalance-creation-policy.yaml b/charts/k8s-shield/templates/restrict-loadbalance-creation-policy.yaml index 5331b463..1a81b00d 100644 --- a/charts/k8s-shield/templates/restrict-loadbalance-creation-policy.yaml +++ b/charts/k8s-shield/templates/restrict-loadbalance-creation-policy.yaml @@ -3,7 +3,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: - name: {{ include "policychart.fullname" . }}-restrict-loadbalancer-creation + name: {{ include "k8s-shield.fullname" . }}-restrict-loadbalancer-creation spec: failurePolicy: Fail matchConstraints: @@ -34,13 +34,13 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: - name: {{ include "policychart.fullname" . }}-restrict-loadbalancer-creation-binding + name: {{ include "k8s-shield.fullname" . }}-restrict-loadbalancer-creation-binding spec: matchResources: matchPolicy: Equivalent namespaceSelector: {} objectSelector: {} - policyName: {{ include "policychart.fullname" . }}-restrict-loadbalancer-creation + policyName: {{ include "k8s-shield.fullname" . }}-restrict-loadbalancer-creation validationActions: {{- range .Values.loadBalancerCreationPolicy.validationActions }} - {{ . }} diff --git a/charts/k8s-shield/templates/restrict-namespace-deletion-policy.yaml b/charts/k8s-shield/templates/restrict-namespace-deletion-policy.yaml index ceb7bfb3..3bf3b57c 100644 
--- a/charts/k8s-shield/templates/restrict-namespace-deletion-policy.yaml +++ b/charts/k8s-shield/templates/restrict-namespace-deletion-policy.yaml @@ -3,7 +3,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: - name: {{ include "policychart.fullname" . }}-restrict-namespace-deletion + name: {{ include "k8s-shield.fullname" . }}-restrict-namespace-deletion spec: failurePolicy: Fail matchConstraints: @@ -31,13 +31,13 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: - name: {{ include "policychart.fullname" . }}-restrict-namespace-deletion-binding + name: {{ include "k8s-shield.fullname" . }}-restrict-namespace-deletion-binding spec: matchResources: matchPolicy: Equivalent namespaceSelector: {} objectSelector: {} - policyName: {{ include "policychart.fullname" . }}-restrict-namespace-deletion + policyName: {{ include "k8s-shield.fullname" . }}-restrict-namespace-deletion validationActions: {{- range .Values.namespaceDeletionPolicy.validationActions }} - {{ . }} diff --git a/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml b/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml index d2d5f856..4573710e 100644 --- a/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml +++ b/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml @@ -2,7 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: - name: {{ include "policychart.fullname" . }}-restrict-pvc-creation + name: {{ include "k8s-shield.fullname" . }}-restrict-pvc-creation spec: failurePolicy: Fail matchConstraints: 
@@ -29,13 +29,13 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: - name: {{ include "policychart.fullname" . }}-restrict-pvc-creation-binding + name: {{ include "k8s-shield.fullname" . }}-restrict-pvc-creation-binding spec: matchResources: matchPolicy: Equivalent namespaceSelector: {} objectSelector: {} - policyName: {{ include "policychart.fullname" . }}-restrict-pvc-creation + policyName: {{ include "k8s-shield.fullname" . }}-restrict-pvc-creation validationActions: {{- range .Values.pvcCreationPolicy.validationActions }} - {{ . }} diff --git a/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml b/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml index afac8e57..21f52035 100644 --- a/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml +++ b/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml @@ -2,7 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: - name: {{ include "policychart.fullname" . }}-restrict-without-readiness-liveness + name: {{ include "k8s-shield.fullname" . }}-restrict-without-readiness-liveness spec: failurePolicy: Fail matchConstraints: @@ -43,9 +43,9 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: - name: {{ include "policychart.fullname" . }}-restrict-without-readiness-liveness + name: {{ include "k8s-shield.fullname" . }}-restrict-without-readiness-liveness spec: - policyName: {{ include "policychart.fullname" . }}-restrict-without-readiness-liveness + policyName: {{ include "k8s-shield.fullname" . }}-restrict-without-readiness-liveness validationActions: {{- range $.Values.readinessAndLivenessPolicy.validationActions }} - {{ . }} 
diff --git a/charts/k8s-shield/templates/restrict-without-resource-policy.yaml b/charts/k8s-shield/templates/restrict-without-resource-policy.yaml index 5c91c1c5..a6a7945a 100644 --- a/charts/k8s-shield/templates/restrict-without-resource-policy.yaml +++ b/charts/k8s-shield/templates/restrict-without-resource-policy.yaml @@ -2,7 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: - name: {{ include "policychart.fullname" . }}-restrict-without-resources + name: {{ include "k8s-shield.fullname" . }}-restrict-without-resources spec: failurePolicy: Fail matchConstraints: @@ -38,13 +38,13 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: - name: {{ include "policychart.fullname" . }}-restrict-without-resources-binding + name: {{ include "k8s-shield.fullname" . }}-restrict-without-resources-binding spec: matchResources: matchPolicy: Equivalent namespaceSelector: {} objectSelector: {} - policyName: {{ include "policychart.fullname" . }}-restrict-without-resources + policyName: {{ include "k8s-shield.fullname" . }}-restrict-without-resources validationActions: {{- range $.Values.resourcePolicies.WithoutResource.validationActions }} - {{ . }} From f3702b37f7c142caa3a94ada120793fc70f623df Mon Sep 17 00:00:00 2001 From: Neha Sharma Date: Mon, 2 Dec 2024 11:27:16 +0530 Subject: [PATCH 18/22] update the bypass condition --- ...ct-admin-cluster-role-creation-policy.yaml | 11 ++++++++++ ...ng-with-cluster-admin-creation-policy.yaml | 6 ++++- .../restrict-limit-resource-policy.yaml | 22 +++++++++++++++++++ .../restrict-loadbalance-creation-policy.yaml | 5 +++++ .../restrict-pvc-creation-policy.yaml | 7 +++++- ...ict-without-readiness-liveness-policy.yaml | 14 ++++++++---- .../restrict-without-resource-policy.yaml | 5 +++++ charts/k8s-shield/values.yaml | 10 ++++----- 8 files changed, 69 insertions(+), 11 deletions(-) 
diff --git a/charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml b/charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml index 029c4014..ac35bba7 100644 --- a/charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml +++ b/charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml @@ -21,6 +21,7 @@ spec: - clusterroles scope: '*' validations: + {{- if and .Values.bypassLabel.key .Values.bypassLabel.value }} - expression: "(has(object.metadata.labels) && object.metadata.labels.exists(l, l == '{{ .Values.bypassLabel.key }}') && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}') || !has(object.rules) || object.rules.all(rule, !(rule.apiGroups.exists(g, g == '*') && rule.resources.exists(r, r == '*') && @@ -29,6 +30,16 @@ spec: rule.verbs.exists(v, v == '*')) )" message: "Creation of ClusterRole with admin access is denied, set label {{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }} to allow." + {{- else }} + - expression: "!has(object.rules) || object.rules.all(rule, + !(rule.apiGroups.exists(g, g == '*') && + rule.resources.exists(r, r == '*') && + rule.verbs.exists(v, v == '*')) && + !(rule.nonResourceURLs.exists(u, u == '*') && + rule.verbs.exists(v, v == '*'))" + message: "Creation of ClusterRole with admin access is denied" + {{- end }} + --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding diff --git a/charts/k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml b/charts/k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml index ddc129e8..385553c4 100644 --- a/charts/k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml +++ b/charts/k8s-shield/templates/restrict-cluster-rolebinding-with-cluster-admin-creation-policy.yaml 
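Review bot: The new `else` expression dereferences `rule.nonResourceURLs` without a `has()` guard; that field is optional in a PolicyRule and, in admission CEL, reading an unset field is an evaluation error rather than `false`, so a ClusterRole whose rule uses `verbs: ["*"]` on specific resources (no `nonResourceURLs`) would, I believe, error out and be rejected under `failurePolicy: Fail` instead of being admitted. The same applies to `rule.apiGroups` / `rule.resources` for a rule that only carries `nonResourceURLs`. Guard each optional list with `has()`; the bypass-branch expression above has the same shape and needs the same fix. The values comment says roles and cluster roles are covered, but the match rule visible here lists only `clusterroles`, so namespaced Roles with wildcard rules are not examined.
```yaml
- expression: "!has(object.rules) || object.rules.all(rule,
    !(has(rule.apiGroups) && rule.apiGroups.exists(g, g == '*') &&
      has(rule.resources) && rule.resources.exists(r, r == '*') &&
      rule.verbs.exists(v, v == '*')) &&
    !(has(rule.nonResourceURLs) && rule.nonResourceURLs.exists(u, u == '*') &&
      rule.verbs.exists(v, v == '*')))"
  message: "Creation of ClusterRole with admin access is denied"
```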
@@ -21,8 +21,13 @@ spec: - clusterrolebindings scope: '*' validations: + {{- if and .Values.bypassLabel.key .Values.bypassLabel.value }} - expression: "(has(object.metadata.labels) && object.metadata.labels.exists(l, l == '{{ .Values.bypassLabel.key }}') && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}') || !(object.roleRef.apiGroup == 'rbac.authorization.k8s.io' && object.roleRef.kind == 'ClusterRole' && object.roleRef.name == 'cluster-admin')" message: "Binding to the cluster-admin ClusterRole is bypassed by security policy, set label {{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }} allow" + {{- else }} + - expression: "!(object.roleRef.apiGroup == 'rbac.authorization.k8s.io' && object.roleRef.kind == 'ClusterRole' && object.roleRef.name == 'cluster-admin')" + message: "Binding to the cluster-admin ClusterRole is not allowed" + {{- end }} --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding @@ -35,4 +40,3 @@ spec: - {{ . }} {{- end }} {{- end }} - diff --git a/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml b/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml index 085cc6cd..be22fbbd 100644 --- a/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml +++ b/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml @@ -35,6 +35,7 @@ spec: {{- end }} scope: Namespaced validations: + {{- if and .Values.bypassLabel.key .Values.bypassLabel.value }} - expression: |- (has(object.metadata.labels) && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}') has(object.spec.template) ? 
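Review bot: The bypass-branch message at the top of this hunk, `Binding to the cluster-admin ClusterRole is bypassed by security policy, set label ...: ... allow`, tells the user the opposite of what happened — it is shown when the binding was denied — so change it to `message: "Binding to the cluster-admin ClusterRole is not allowed, set label {{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }} to allow"`. Both branches match only `roleRef.name == 'cluster-admin'`; a ClusterRoleBinding to any other wildcard ClusterRole passes, which deserves a comment on the policy such as `# Only the built-in cluster-admin ClusterRole is checked by name; bindings to other wildcard ClusterRoles are not caught here.` Because the bypass label is set by the same principal that creates the binding, it only guards against accidents, not against a caller who wants cluster-admin; the two-line `else` branch is the actual control.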
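Review bot: The bypass-branch expression that this hunk wraps in `{{- if }}` reads, as printed, `(has(object.metadata.labels) && object.metadata.labels['…'] == '…') has(object.spec.template) ? …` with no `||` between the label clause and the ternary; if that is the real file content the policy fails CEL compilation whenever a bypass key is configured, and the bug is masked today because the default key is empty and the new `else` branch is taken. Please render the chart with a bypass key set and apply it to confirm; the line should end with `== '{{ .Values.bypassLabel.value }}') ||` followed by the ternary. The rest of that expression continues past the hunk.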
@@ -55,6 +56,27 @@ spec: ) ) message: "Resource limits exceed the maximum allowed: CPU <= {{ $maxCPU }} and memory <= {{ $maxMemory }}, set label {{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }} to allow" + {{- else }} + - expression: |- + has(object.spec.template) ? + ( + !has(object.spec.template.spec.containers[0].resources.limits) || ( + (!has(object.spec.template.spec.containers[0].resources.limits.cpu) || + quantity(object.spec.template.spec.containers[0].resources.limits.cpu).compareTo(quantity('{{ $maxCPU }}')) <= 0) && + (!has(object.spec.template.spec.containers[0].resources.limits.memory) || + quantity(object.spec.template.spec.containers[0].resources.limits.memory).compareTo(quantity('{{ $maxMemory }}')) <= 0) + ) + ) : + ( + !has(object.spec.containers[0].resources.limits) || ( + (!has(object.spec.containers[0].resources.limits.cpu) || + quantity(object.spec.containers[0].resources.limits.cpu).compareTo(quantity('{{ $maxCPU }}')) <= 0) && + (!has(object.spec.containers[0].resources.limits.memory) || + quantity(object.spec.containers[0].resources.limits.memory).compareTo(quantity('{{ $maxMemory }}')) <= 0) + ) + ) + message: "Resource limits exceed the maximum allowed: CPU <= {{ $maxCPU }} and memory <= {{ $maxMemory }}." + {{- end }} --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding diff --git a/charts/k8s-shield/templates/restrict-loadbalance-creation-policy.yaml b/charts/k8s-shield/templates/restrict-loadbalance-creation-policy.yaml index 1a81b00d..3ed8f2b2 100644 --- a/charts/k8s-shield/templates/restrict-loadbalance-creation-policy.yaml +++ b/charts/k8s-shield/templates/restrict-loadbalance-creation-policy.yaml 
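Review bot: The new `else` expression inspects only `containers[0]` on both the template and the bare-Pod path, so a second container with limits above `{{ $maxCPU }}` / `{{ $maxMemory }}` is admitted; iterate every container with `.all()` instead (the bypass-branch expression above, which starts outside this hunk, has the same single-container shape). Init containers are not examined by either branch. A container with no `limits` at all passes by design of the `!has(...limits)` clause; that is only sound when `WithoutResource` is enabled alongside, which the values file does not default to, so a comment stating that dependency would help.
```yaml
- expression: |-
    (has(object.spec.template) ? object.spec.template.spec : object.spec).containers.all(c,
      !has(c.resources.limits) || (
        (!has(c.resources.limits.cpu) ||
          quantity(c.resources.limits.cpu).compareTo(quantity('{{ $maxCPU }}')) <= 0) &&
        (!has(c.resources.limits.memory) ||
          quantity(c.resources.limits.memory).compareTo(quantity('{{ $maxMemory }}')) <= 0)
      )
    )
  message: "Resource limits exceed the maximum allowed: CPU <= {{ $maxCPU }} and memory <= {{ $maxMemory }}."
```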
@@ -28,8 +28,13 @@ spec: - services scope: Namespaced validations: + {{- if and .Values.bypassLabel.key .Values.bypassLabel.value }} - expression: "object.spec.type == 'LoadBalancer' && has(object.metadata.labels) && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}'" message: "Creation of Services with type LoadBalancer is not allowed, set label {{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }} to allow." + {{- else }} + - expression: "object.spec.type == 'LoadBalancer'" + message: Creation of Services with type LoadBalancer is not allowed. + {{- end }} --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding diff --git a/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml b/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml index 4573710e..fa317fda 100644 --- a/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml +++ b/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml @@ -23,9 +23,14 @@ spec: scope: Namespaced resources: ["persistentvolumeclaims"] validations: + {{- if and .Values.bypassLabel.key .Values.bypassLabel.value }} - expression: "has(object.metadata.labels) && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}'" message: " Creation of PersistentVolumeClaims is not allowed,set label {{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }} to allow" ---- + {{- else }} + - expression: false + message: Creation of PersistentVolumeClaims is not allowed. + {{- end }} +--- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: diff --git a/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml b/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml index 21f52035..c9081f1c 100644 --- a/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml 
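Review bot: Both branches have the sense of the check inverted: a validation expression must evaluate to true to admit the object, and the new `else` branch `object.spec.type == 'LoadBalancer'` is true exactly for LoadBalancer Services, so those are admitted while every ClusterIP/NodePort Service is denied with "Creation of Services with type LoadBalancer is not allowed"; the bypass branch likewise admits only labelled LoadBalancers and rejects everything else. Unless a `matchConditions` outside this hunk already narrows the policy to LoadBalancers (in which case the `else` branch admits all of them), the lines should be `object.spec.type != 'LoadBalancer'` and `object.spec.type != 'LoadBalancer' || (has(object.metadata.labels) && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}')`. The sibling PVC policy in this same patch (`expression: false`) follows the true-means-allowed convention correctly. Applying a plain ClusterIP Service in a policed namespace is the quickest way to confirm.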
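Review bot: The new `else` branch writes `expression: false` as a bare YAML boolean; the field is a string in the API, so the rendered manifest carries a JSON `false` and I believe the apply is rejected with a type error — quote it as `expression: "false"`. Separately, the bypass-branch expression `has(object.metadata.labels) && object.metadata.labels['…'] == '…'` raises a missing-key evaluation error rather than returning `false` for a PVC that has labels but not the bypass key; under `failurePolicy: Fail` the PVC is still denied, but the user sees the evaluation error instead of the configured hint, so write it as `has(object.metadata.labels) && '{{ .Values.bypassLabel.key }}' in object.metadata.labels && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}'`. The same map-index pattern appears in the LoadBalancer, resource-limit, readiness and without-resource policies in this patch.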
+++ b/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml @@ -2,7 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: - name: {{ include "k8s-shield.fullname" . }}-restrict-without-readiness-liveness + name: {{ .Chart.Name }}-restrict-without-readiness-liveness spec: failurePolicy: Fail matchConstraints: @@ -31,6 +31,7 @@ spec: {{- end }} scope: Namespaced validations: + {{- if and .Values.bypassLabel.key .Values.bypassLabel.value }} - expression: > (has(object.metadata.labels) && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}') || @@ -38,14 +39,19 @@ spec: has(container.readinessProbe) && has(container.livenessProbe) ) - message: "Deployments without readiness and liveness probes are only allowed for '{{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }}'. " + message: "Deployments without readiness and liveness probes are only allowed for '{{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }}'." + {{- else }} + - expression: object.spec.template.spec.containers.all(container, + has(container.readinessProbe) && has(container.livenessProbe)) + message: "Deployments without readiness and liveness probes are not allowed" + {{- end }} --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: - name: {{ include "k8s-shield.fullname" . }}-restrict-without-readiness-liveness + name: {{ .Chart.Name }}-restrict-without-readiness-liveness spec: - policyName: {{ include "k8s-shield.fullname" . }}-restrict-without-readiness-liveness + policyName: {{ .Chart.Name }}-restrict-without-readiness-liveness validationActions: {{- range $.Values.readinessAndLivenessPolicy.validationActions }} - {{ . }} diff --git a/charts/k8s-shield/templates/restrict-without-resource-policy.yaml b/charts/k8s-shield/templates/restrict-without-resource-policy.yaml index a6a7945a..4641fee8 100644 
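Review bot: The policy and binding names in this file move from `{{ include "k8s-shield.fullname" . }}` to `{{ .Chart.Name }}`, while every other template kept the helper after the rename in the previous patch; ValidatingAdmissionPolicy objects are cluster-scoped, so two releases of this chart in one cluster would now collide on the same `<chart-name>-restrict-without-readiness-liveness` object, and `fullnameOverride` stops applying to this one policy. Unless the change is deliberate, restore the three lines to `name: {{ include "k8s-shield.fullname" . }}-restrict-without-readiness-liveness` / `policyName: {{ include "k8s-shield.fullname" . }}-restrict-without-readiness-liveness`. The new `else` expression is an unquoted multi-line plain scalar; it parses today, but writing it with `>-` like the branch above guards against a later edit introducing `: ` or ` #`, which would silently change its meaning.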
--- a/charts/k8s-shield/templates/restrict-without-resource-policy.yaml +++ b/charts/k8s-shield/templates/restrict-without-resource-policy.yaml @@ -32,8 +32,13 @@ spec: {{- end }} scope: Namespaced validations: + {{- if and .Values.bypassLabel.key .Values.bypassLabel.value }} - expression: "(has(object.metadata.labels) && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}') || object.spec.template.spec.containers.all(c, has(c.resources) && has(c.resources.requests) && has(c.resources.limits) && has(c.resources.requests.cpu) && has(c.resources.requests.memory) && has(c.resources.limits.cpu) && has(c.resources.limits.memory))" message: "All Containers without CPU and memory's requests and limits are only allowed for '{{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }}'." + {{- else }} + - expression: "object.spec.template.spec.containers.all(c, has(c.resources) && has(c.resources.requests) && has(c.resources.limits) && has(c.resources.requests.cpu) && has(c.resources.requests.memory) && has(c.resources.limits.cpu) && has(c.resources.limits.memory))" + message: "All Containers without CPU and memory's requests and limits are not allowed." + {{- end }} --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding diff --git a/charts/k8s-shield/values.yaml b/charts/k8s-shield/values.yaml index f02fd260..7ee86dec 100644 --- a/charts/k8s-shield/values.yaml +++ b/charts/k8s-shield/values.yaml 
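Review bot: Both branches reach into `object.spec.template.spec.containers`, yet the values stanza this policy reads (`resourcePolicies.WithoutResource.resources`) lists `pods`, which have no `spec.template`; if a Pod ever matches (today the configured groups `apps`/`rollout.k8s.io` do not include the core group, so none do, which looks accidental), the access raises an evaluation error and under `failurePolicy: Fail` every Pod in the policed namespaces is rejected. Select the pod spec first: `(has(object.spec.template) ? object.spec.template.spec : object.spec).containers.all(c, …)`, as the resource-limit policy in this patch already does with its `has(object.spec.template) ?` ternary. Init containers are not examined by either branch; if the intent is that every container in the workload carries requests and limits, add a guarded `!has(spec.initContainers) || spec.initContainers.all(c, …)` clause.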
@@ -1,12 +1,12 @@ -# bypassLabel defines a label with a key-value pair to bypass certain restrictions. +#bypassLabel defines a label with a key-value pair that allows the user to apply policies without any restrictions. bypassLabel: - key: businessUnit - value: finance + key: + value: # pvcCreationPolicy controls the creation of Persistent Volume Claims (PVCs). # If enabled, it restricts PVC creation in specified namespaces. pvcCreationPolicy: - enabled: true # If true, the policy prevents PVC creation in specified namespaces. + enabled: false # If true, the policy prevents PVC creation in specified namespaces. namespaces: # List of namespaces where the policy applies. - devtroncd - argo @@ -101,7 +101,7 @@ cLusterRoleBindingCreation: # readinessAndLivenessPolicy ensures that readiness and liveness probes are defined for containers. # This ensures that pods are only considered healthy when they pass the defined probes. readinessAndLivenessPolicy: - enabled: false # If true, this policy ensures readiness and liveness probes are defined. + enabled: true # If true, this policy ensures readiness and liveness probes are defined. namespaces: # List of namespaces where the policy applies. - devtroncd - argo From 122b75ba67bd62641274991010d830e5067c4fcb Mon Sep 17 00:00:00 2001 From: Neha Sharma Date: Mon, 2 Dec 2024 11:31:00 +0530 Subject: [PATCH 19/22] update the bypass condition --- charts/k8s-shield/values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/k8s-shield/values.yaml b/charts/k8s-shield/values.yaml index 7ee86dec..2681cb90 100644 --- a/charts/k8s-shield/values.yaml +++ b/charts/k8s-shield/values.yaml @@ -1,7 +1,7 @@ #bypassLabel defines a label with a key-value pair that allows the user to apply policies without any restrictions. bypassLabel: - key: - value: + key: "" + value: "" # pvcCreationPolicy controls the creation of Persistent Volume Claims (PVCs). # If enabled, it restricts PVC creation in specified namespaces. 
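Review bot: The rewritten comment `#bypassLabel defines a label with a key-value pair that allows the user to apply policies without any restrictions.` says the opposite of what the templates do: an object carrying the label is exempted from the checks, it does not "apply policies". It also drops the space after `#` that every other comment in this file has. Suggest `# bypassLabel: objects labelled with this key/value are exempted from the policies in this chart.` followed by `# Anyone allowed to set labels on the object can exempt it, so treat this as an audited opt-out, not a security boundary; leave both empty to disable the bypass.` so operators understand what they are enabling.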
@@ -17,7 +17,7 @@ pvcCreationPolicy: # When enabled, it prevents deletion of namespaces in specified namespaces. namespaceDeletionPolicy: enabled: false # If true, this policy restricts the deletion of namespaces. - namespaces: # List of namespaces where the policy applies. + namespaces: # List of namespaces that you want to protect from deletion - devtroncd - argo validationActions: From 5a19d3dfe157e993e4a2f9234e81032bbbe860ff Mon Sep 17 00:00:00 2001 From: Neha Sharma Date: Mon, 2 Dec 2024 13:22:57 +0530 Subject: [PATCH 20/22] add changes --- .../restrict-application-deletion-policy.yaml | 4 ++ .../restrict-limit-resource-policy.yaml | 4 ++ .../restrict-loadbalance-creation-policy.yaml | 42 ++++++++++--------- .../restrict-pvc-creation-policy.yaml | 4 ++ ...ict-without-readiness-liveness-policy.yaml | 4 ++ .../restrict-without-resource-policy.yaml | 5 +++ charts/k8s-shield/values.yaml | 9 ++-- 7 files changed, 49 insertions(+), 23 deletions(-) diff --git a/charts/k8s-shield/templates/restrict-application-deletion-policy.yaml b/charts/k8s-shield/templates/restrict-application-deletion-policy.yaml index 2eb17c75..b059f999 100644 --- a/charts/k8s-shield/templates/restrict-application-deletion-policy.yaml +++ b/charts/k8s-shield/templates/restrict-application-deletion-policy.yaml @@ -5,6 +5,7 @@ metadata: name: {{ include "k8s-shield.fullname" . }}-prevent-app-deletion spec: failurePolicy: Fail + {{- if and .Values.appDeletionPolicy.namespaces }} matchConstraints: matchPolicy: Equivalent namespaceSelector: @@ -15,6 +16,9 @@ spec: {{- range .Values.appDeletionPolicy.namespaces }} - {{ . | quote }} {{- end }} + {{- else }} + matchConstraints: [] + {{- end }} objectSelector: {} resourceRules: - apiGroups: diff --git a/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml b/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml index be22fbbd..597d5801 100644 --- a/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml 
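Review bot: The new `{{- if and .Values.appDeletionPolicy.namespaces }}` wraps the `matchConstraints:` key itself, and in the `else` branch `matchConstraints: []` is immediately followed by the context lines `objectSelector: {}` and `resourceRules:` at their original (deeper) indentation; YAML does not allow a block mapping after a flow scalar on the same key, so the "no namespaces configured" case presumably fails at render time, and even if it parsed, `matchConstraints` is an object with a required `resourceRules`, not a list. The conditional should cover only the `namespaceSelector:` block and leave `matchConstraints:`, `objectSelector: {}` and `resourceRules:` unconditional, i.e. `matchConstraints:` / `matchPolicy: Equivalent` / `{{- if .Values.appDeletionPolicy.namespaces }}` around the selector alone. The same construct is repeated in the limit-resource, loadbalancer, pvc, readiness-liveness and without-resource hunks on the next four lines. `and` with a single operand is just that operand, so `{{- if .Values.appDeletionPolicy.namespaces }}` reads better.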
+++ b/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml @@ -7,6 +7,7 @@ metadata: name: {{ include "k8s-shield.fullname" . }}-restrict-resource-limits spec: failurePolicy: Fail + {{- if and .Values.resourcePolicies.limitResourcePolicy.namespaces }} matchConstraints: matchPolicy: Equivalent namespaceSelector: @@ -17,6 +18,9 @@ spec: {{- range .Values.resourcePolicies.limitResourcePolicy.namespaces }} - {{ . | quote }} {{- end }} + {{- else }} + matchConstraints: [] + {{- end }} objectSelector: {} resourceRules: - apiGroups: diff --git a/charts/k8s-shield/templates/restrict-loadbalance-creation-policy.yaml b/charts/k8s-shield/templates/restrict-loadbalance-creation-policy.yaml index 3ed8f2b2..d8a533a7 100644 --- a/charts/k8s-shield/templates/restrict-loadbalance-creation-policy.yaml +++ b/charts/k8s-shield/templates/restrict-loadbalance-creation-policy.yaml @@ -1,4 +1,4 @@ -{{- if $.Values.loadBalancerCreationPolicy.enabled}} +{{- if $.Values.loadBalancerCreationPolicy.enabled }} --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy @@ -6,6 +6,7 @@ metadata: name: {{ include "k8s-shield.fullname" . }}-restrict-loadbalancer-creation spec: failurePolicy: Fail + {{- if and .Values.loadBalancerCreationPolicy.namespaces }} matchConstraints: matchPolicy: Equivalent namespaceSelector: 
@@ -13,28 +14,31 @@ spec: - key: kubernetes.io/metadata.name operator: In values: - {{- range .Values.loadBalancerCreationPolicy.namespaces }} - - {{ . | quote }} - {{- end }} - objectSelector: {} - resourceRules: + {{- range .Values.loadBalancerCreationPolicy.namespaces }} + - {{ . | quote }} + {{- end }} + {{- else }} + matchConstraints: [] + {{- end }} + objectSelector: {} + resourceRules: - apiGroups: - - "" + - "" apiVersions: - - v1 + - v1 operations: - - CREATE + - CREATE resources: - - services + - services scope: Namespaced validations: - {{- if and .Values.bypassLabel.key .Values.bypassLabel.value }} - - expression: "object.spec.type == 'LoadBalancer' && has(object.metadata.labels) && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}'" - message: "Creation of Services with type LoadBalancer is not allowed, set label {{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }} to allow." - {{- else }} + {{- if and .Values.bypassLabel.key .Values.bypassLabel.value }} + - expression: "object.spec.type == 'LoadBalancer' && has(object.metadata.labels) && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}'" + message: "Creation of Services with type LoadBalancer is not allowed, set label {{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }} to allow." + {{- else }} - expression: "object.spec.type == 'LoadBalancer'" - message: Creation of Services with type LoadBalancer is not allowed. - {{- end }} + message: "Creation of Services with type LoadBalancer is not allowed." + {{- end }} --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding 
@@ -47,7 +51,7 @@ spec: objectSelector: {} policyName: {{ include "k8s-shield.fullname" . }}-restrict-loadbalancer-creation validationActions: - {{- range .Values.loadBalancerCreationPolicy.validationActions }} - - {{ . }} - {{- end }} + {{- range .Values.loadBalancerCreationPolicy.validationActions }} + - {{ . }} + {{- end }} {{- end }} diff --git a/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml b/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml index fa317fda..1d9aa495 100644 --- a/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml +++ b/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml @@ -5,6 +5,7 @@ metadata: name: {{ include "k8s-shield.fullname" . }}-restrict-pvc-creation spec: failurePolicy: Fail + {{- if and .Values.pvcCreationPolicy.namespaces }} matchConstraints: matchPolicy: Equivalent namespaceSelector: @@ -15,6 +16,9 @@ spec: {{- range .Values.pvcCreationPolicy.namespaces }} - {{ . | quote }} {{- end }} + {{- else }} + matchConstraints: [] + {{- end }} objectSelector: {} resourceRules: - apiGroups: [""] diff --git a/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml b/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml index c9081f1c..0639ee62 100644 --- a/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml +++ b/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml @@ -5,6 +5,7 @@ metadata: name: {{ .Chart.Name }}-restrict-without-readiness-liveness spec: failurePolicy: Fail + {{- if and .Values.readinessAndLivenessPolicy.namespaces }} matchConstraints: matchPolicy: Equivalent namespaceSelector: @@ -15,6 +16,9 @@ spec: {{- range $.Values.readinessAndLivenessPolicy.namespaces }} - {{ . | quote }} {{- end }} + {{- else }} + matchConstraints: [] + {{- end }} resourceRules: - apiGroups: {{- range $.Values.resourcePolicies.WithoutResource.apiGroups }} 
diff --git a/charts/k8s-shield/templates/restrict-without-resource-policy.yaml b/charts/k8s-shield/templates/restrict-without-resource-policy.yaml index 4641fee8..0de97d50 100644 --- a/charts/k8s-shield/templates/restrict-without-resource-policy.yaml +++ b/charts/k8s-shield/templates/restrict-without-resource-policy.yaml @@ -5,6 +5,7 @@ metadata: name: {{ include "k8s-shield.fullname" . }}-restrict-without-resources spec: failurePolicy: Fail + {{- if and .Values.resourcePolicies.WithoutResource.namespaces }} matchConstraints: matchPolicy: Equivalent namespaceSelector: @@ -15,6 +16,9 @@ spec: {{- range $.Values.resourcePolicies.WithoutResource.namespaces }} - {{ . | quote }} {{- end }} + {{- else }} + matchConstraints: [] + {{- end }} resourceRules: - apiGroups: {{- range $.Values.resourcePolicies.WithoutResource.apiGroups }} @@ -55,3 +59,4 @@ spec: - {{ . }} {{- end }} {{- end }} + diff --git a/charts/k8s-shield/values.yaml b/charts/k8s-shield/values.yaml index 2681cb90..3ee03f22 100644 --- a/charts/k8s-shield/values.yaml +++ b/charts/k8s-shield/values.yaml @@ -1,7 +1,7 @@ #bypassLabel defines a label with a key-value pair that allows the user to apply policies without any restrictions. bypassLabel: - key: "" - value: "" + key: "test" + value: "hello" # pvcCreationPolicy controls the creation of Persistent Volume Claims (PVCs). # If enabled, it restricts PVC creation in specified namespaces. @@ -26,7 +26,7 @@ namespaceDeletionPolicy: # loadBalancerCreationPolicy restricts the creation of LoadBalancer type services. # This policy prevents creating LoadBalancer services in the specified namespaces. loadBalancerCreationPolicy: - enabled: false # If true, the policy blocks creation of LoadBalancer type services. + enabled: true # If true, the policy blocks creation of LoadBalancer type services. namespaces: # List of namespaces where the policy applies. - devtroncd - argo 
@@ -91,6 +91,7 @@ resourcePolicies: adminClusterRoleCreation: enabled: false # If true, this policy prevents creation of new roles and cluster roles. validationActions: + - Deny # cLusterRoleBindingCreation prevents the creation of clusterRoleBindings with cluster-admin access. cLusterRoleBindingCreation: @@ -101,7 +102,7 @@ cLusterRoleBindingCreation: # readinessAndLivenessPolicy ensures that readiness and liveness probes are defined for containers. # This ensures that pods are only considered healthy when they pass the defined probes. readinessAndLivenessPolicy: - enabled: true # If true, this policy ensures readiness and liveness probes are defined. + enabled: false # If true, this policy ensures readiness and liveness probes are defined. namespaces: # List of namespaces where the policy applies. - devtroncd - argo From 1bf41fc695aab9dad8b3384c97eb615efcb89d57 Mon Sep 17 00:00:00 2001 From: Neha Sharma Date: Mon, 2 Dec 2024 13:45:01 +0530 Subject: [PATCH 21/22] . --- .../templates/backup-on-azure.yaml | 38 +++++++++++-------- .../templates/backup-on-gcp.yaml | 28 +++++++++----- 2 files changed, 41 insertions(+), 25 deletions(-) diff --git a/charts/devtron-backups/templates/backup-on-azure.yaml b/charts/devtron-backups/templates/backup-on-azure.yaml index 7bb2cbbc..8099e644 100644 --- a/charts/devtron-backups/templates/backup-on-azure.yaml +++ b/charts/devtron-backups/templates/backup-on-azure.yaml 
@@ -33,24 +33,26 @@ spec: - name: postgres-app-backup-cronjob image: {{ .Values.postgres_backup.postgresImage | default "postgres:12" }} volumeMounts: - - mountPath: /tmp + - mountPath: /postgres name: psql-volume env: - name: PGPASSWORD valueFrom: secretKeyRef: key: PG_PASSWORD - name: {{ .Values.postgres_backup.secretName }} + name: {{ .Values.postgres_backup.secretName }} imagePullPolicy: Always args: - /bin/bash - -c - - pg_dumpall -h {{ .Values.postgres_backup.host | default "postgresql-postgresql.devtroncd" }} --exclude-database=clairv4 -p 5432 -U postgres --no-privileges > /tmp/backup.tar; + - set -ex ; pg_dumpall -h {{ .Values.postgres_backup.host | default "postgresql-postgresql.devtroncd" }} --exclude-database=clairv4 -p 5432 -U postgres --no-privileges > /postgres/backup.tar; echo $? ; du -sh /postgres/backup.tar + resources: +{{ toYaml .Values.postgres_backup.resources | indent 13 }} containers: - name: az-cli-for-upload image: {{ .Values.global.AZURE.image | default "quay.io/devtron/k8s-utils:az-cli-ubuntu" }} volumeMounts: - - mountPath: /tmp + - mountPath: /postgres name: psql-volume env: - name: AZURE_BLOB_ACCOUNT_NAME 
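Review bot: The `echo $?` appended after `pg_dumpall ... > /postgres/backup.tar;` can only ever print `0`: with the new `set -ex` a failing dump already aborts the shell before it is reached, so the line gives no information and `du -sh` alone is the useful diagnostic. The new `resources:` key renders `{{ toYaml .Values.postgres_backup.resources | indent 13 }}`, but the diffstat of this commit touches no values file; if `postgres_backup.resources` is not already defined there, the field renders as `null`, which the API server accepts as unset but which hides the knob from users, so add a documented `resources: {}` default to the chart values. The CronJob `spec` this hunk edits starts outside the hunk.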
@@ -74,13 +76,15 @@ spec: name: devtron-azure-backup-secret key: AZURE_BLOB_CONTAINER_FOR_ARGOCD imagePullPolicy: Always + resources: +{{ toYaml .Values.postgres_backup.resources | indent 13 }} args: - /bin/bash - -c - {{- if $.Values.global.AZURE.encryption.enabled }} - - date1=$(date +%Y%m%d-%H%M); gpg -c --batch --passphrase {{ .Values.global.AZURE.encryption.passphrase }} /tmp/backup.tar; rm -rvf /tmp/backup.tar; mv /tmp/backup.tar.gpg /tmp/backup-$date1.tar.gpg; az storage blob upload --account-name $AZURE_BLOB_ACCOUNT_NAME --container-name $AZURE_BLOB_CONTAINER_FOR_POSTGRES --file /tmp/backup-$date1.tar.gpg --account-key $AZURE_ACCOUNT_KEY; + {{- if $.Values.global.AZURE.encryption.enabled }} + - set -ex; date1=$(date +%Y%m%d-%H%M); gpg -c --batch --passphrase {{ .Values.global.AZURE.encryption.passphrase }} /postgres/backup.tar; rm -rvf /postgres/backup.tar; mv /postgres/backup.tar.gpg /postgres/backup-$date1.tar.gpg; az storage blob upload --account-name $AZURE_BLOB_ACCOUNT_NAME --container-name $AZURE_BLOB_CONTAINER_FOR_POSTGRES --file /postgres/backup-$date1.tar.gpg --account-key $AZURE_ACCOUNT_KEY; {{- else }} - - date1=$(date +%Y%m%d-%H%M); mv /tmp/backup.tar /tmp/backup-$date1.tar; az storage blob upload --account-name $AZURE_BLOB_ACCOUNT_NAME --container-name $AZURE_BLOB_CONTAINER_FOR_POSTGRES --file /tmp/backup-$date1.tar --account-key $AZURE_ACCOUNT_KEY; + - set -ex; date1=$(date +%Y%m%d-%H%M); mv /postgres/backup.tar /postgres/backup-$date1.tar; az storage blob upload --account-name $AZURE_BLOB_ACCOUNT_NAME --container-name $AZURE_BLOB_CONTAINER_FOR_POSTGRES --file /postgres/backup-$date1.tar --account-key $AZURE_ACCOUNT_KEY; {{- end }} volumes: - name: psql-volume @@ -96,8 +100,8 @@ apiVersion: batch/v1beta1 {{ end -}} kind: CronJob metadata: - name: argocd-app-backup-cronjob - namespace: devtroncd + name: argocd-app-backup-cronjob + namespace: devtroncd spec: schedule: {{ .Values.global.schedule }} jobTemplate: 
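Review bot: Adding `set -ex` in front of `gpg -c --batch --passphrase {{ .Values.global.AZURE.encryption.passphrase }} ...` and `az storage blob upload ... --account-key $AZURE_ACCOUNT_KEY` makes the shell trace every expanded command to stderr, so the backup passphrase and the storage account key are now written to the container log of every run and to whatever collects those logs. The same trace lands in the argocd upload hunk of this file (`@@ -144,13 +150,15 @@`) and in both GCP hunks (`@@ -66,13 +68,15 @@`, `@@ -129,13 +135,15 @@`), where `echo $gcp_credentials > .../gcp_credentials.json` additionally puts the full service-account key JSON into the trace. Use `set -e` (or `set -eo pipefail`) without `-x`, and prefer sourcing the passphrase from a Secret-backed env var rather than templating it into the pod args, where anyone who can read the CronJob already sees it. The CronJob `spec` this hunk edits starts outside the hunk.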
@@ -108,19 +112,21 @@ spec: - name: argocd-app-backup-job image: {{ .Values.argocd_backup.argocdImage | default "quay.io/argoproj/argocd:v2.4.0" }} volumeMounts: - - mountPath: /cache + - mountPath: /argocd name: argocd-volume env: imagePullPolicy: Always args: - /bin/bash - -c - - {{ .Values.argocd_backup.args | default "argocd admin export -n devtroncd > /cache/backup.yaml" }} + - {{ .Values.argocd_backup.args | default "argocd admin export -n devtroncd > /argocd/backup.yaml" }} + resources: +{{ toYaml .Values.argocd_backup.resources | indent 13 }} containers: - name: az-cli-for-upload image: {{ .Values.global.AZURE.image | default "quay.io/devtron/k8s-utils:az-cli-ubuntu" }} volumeMounts: - - mountPath: /cache + - mountPath: /argocd name: argocd-volume env: - name: AZURE_BLOB_ACCOUNT_NAME 
@@ -144,13 +150,15 @@ spec: name: devtron-azure-backup-secret key: AZURE_BLOB_CONTAINER_FOR_ARGOCD imagePullPolicy: Always + resources: +{{ toYaml .Values.argocd_backup.resources | indent 13 }} args: - /bin/bash - -c {{- if $.Values.global.AZURE.encryption.enabled }} - - date1=$(date +%Y%m%d-%H%M); gpg -c --batch --passphrase {{ .Values.global.AZURE.encryption.passphrase }} /cache/backup.yaml ;rm -rvf /cache/backup.yaml ;mv /cache/backup.yaml.gpg /cache/backup-$date1.yaml.gpg; az storage blob upload --account-name $AZURE_BLOB_ACCOUNT_NAME --container-name $AZURE_BLOB_CONTAINER_FOR_ARGOCD --file /cache/backup-$date1.yaml.gpg --account-key $AZURE_ACCOUNT_KEY; + - set -ex; date1=$(date +%Y%m%d-%H%M); gpg -c --batch --passphrase {{ .Values.global.AZURE.encryption.passphrase }} /argocd/backup.yaml ;rm -rvf /argocd/backup.yaml ;mv /argocd/backup.yaml.gpg /argocd/backup-$date1.yaml.gpg; az storage blob upload --account-name $AZURE_BLOB_ACCOUNT_NAME --container-name $AZURE_BLOB_CONTAINER_FOR_ARGOCD --file /argocd/backup-$date1.yaml.gpg --account-key $AZURE_ACCOUNT_KEY; {{- else }} - - date1=$(date +%Y%m%d-%H%M); mv /cache/backup.yaml /cache/backup-$date1.yaml; az storage blob upload --account-name $AZURE_BLOB_ACCOUNT_NAME --container-name $AZURE_BLOB_CONTAINER_FOR_ARGOCD --file /cache/backup-$date1.yaml --account-key $AZURE_ACCOUNT_KEY; + - set -ex; date1=$(date +%Y%m%d-%H%M); mv /argocd/backup.yaml /argocd/backup-$date1.yaml; az storage blob upload --account-name $AZURE_BLOB_ACCOUNT_NAME --container-name $AZURE_BLOB_CONTAINER_FOR_ARGOCD --file /argocd/backup-$date1.yaml --account-key $AZURE_ACCOUNT_KEY; {{- end }} volumes: - name: argocd-volume @@ -158,4 +166,4 @@ spec: restartPolicy: OnFailure serviceAccountName: {{ .Values.argocd_backup.serviceAccountName }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/devtron-backups/templates/backup-on-gcp.yaml b/charts/devtron-backups/templates/backup-on-gcp.yaml index 7dd5b410..513b2653 100644 
--- a/charts/devtron-backups/templates/backup-on-gcp.yaml +++ b/charts/devtron-backups/templates/backup-on-gcp.yaml @@ -33,7 +33,7 @@ spec: - name: postgres-app-backup-cronjob image: {{ .Values.postgres_backup.postgresImage | default "postgres:12" }} volumeMounts: - - mountPath: /tmp + - mountPath: /postgres name: psql-volume env: - name: PGPASSWORD @@ -45,12 +45,14 @@ spec: args: - /bin/bash - -c - - pg_dumpall -h {{ .Values.postgres_backup.host | default "postgresql-postgresql.devtroncd" }} --exclude-database=clairv4 -p 5432 -U postgres --no-privileges > /tmp/backup.tar; + - set -ex; pg_dumpall -h {{ .Values.postgres_backup.host | default "postgresql-postgresql.devtroncd" }} --exclude-database=clairv4 -p 5432 -U postgres --no-privileges > /postgres/backup.tar; echo $? ; du -sh /postgres/backup.tar + resources: +{{ toYaml .Values.postgres_backup.resources | indent 13 }} containers: - name: gcloud-cli-for-cloud-storage-upload image: {{ .Values.global.GCP.image | default "google/cloud-sdk:alpine" }} volumeMounts: - - mountPath: /tmp + - mountPath: /postgres name: psql-volume env: - name: GCS_BUCKET 
@@ -66,13 +68,15 @@ spec: key: GOOGLE_APPLICATION_CREDENTIALS {{- end }} imagePullPolicy: Always + resources: +{{ toYaml .Values.postgres_backup.resources | indent 13 }} args: - /bin/bash - -c {{- if $.Values.global.GCP.encryption.enabled }} - - echo $gcp_credentials > /tmp/gcp_credentials.json ; gcloud auth activate-service-account --key-file=/tmp/gcp_credentials.json ; date1=$(date +%Y%m%d-%H%M); gpg -c --batch --passphrase {{ .Values.global.GCP.encryption.passphrase }} /tmp/backup.tar; rm -rvf /tmp/backup.tar; mv /tmp/backup.tar.gpg /tmp/backup-$date1.tar.gpg; gsutil cp /tmp/backup-$date1.tar.gpg gs://$GCS_BUCKET/postgres/; + - set -ex; echo $gcp_credentials > /postgres/gcp_credentials.json ; gcloud auth activate-service-account --key-file=/postgres/gcp_credentials.json ; date1=$(date +%Y%m%d-%H%M); gpg -c --batch --passphrase {{ .Values.global.GCP.encryption.passphrase }} /postgres/backup.tar; rm -rvf /postgres/backup.tar; mv /postgres/backup.tar.gpg /postgres/backup-$date1.tar.gpg; gsutil cp /postgres/backup-$date1.tar.gpg gs://$GCS_BUCKET/postgres/; {{- else}} - - echo $gcp_credentials > /tmp/gcp_credentials.json ; gcloud auth activate-service-account --key-file=/tmp/gcp_credentials.json ; date1=$(date +%Y%m%d-%H%M); mv /tmp/backup.tar /tmp/backup-$date1.tar; gsutil cp /tmp/backup-$date1.tar gs://$GCS_BUCKET/postgres/; + - set -ex; echo $gcp_credentials > /postgres/gcp_credentials.json ; gcloud auth activate-service-account --key-file=/postgres/gcp_credentials.json ; date1=$(date +%Y%m%d-%H%M); mv /postgres/backup.tar /postgres/backup-$date1.tar; gsutil cp /postgres/backup-$date1.tar gs://$GCS_BUCKET/postgres/; {{- end }} volumes: - name: psql-volume 
@@ -101,19 +105,21 @@ spec: - name: argocd-app-backup-job image: {{ .Values.argocd_backup.argocdImage | default "quay.io/argoproj/argocd:v2.4.0" }} volumeMounts: - - mountPath: /cache + - mountPath: /argocd name: argocd-volume env: imagePullPolicy: Always args: - /bin/bash - -c - - {{ .Values.argocd_backup.args | default "argocd admin export -n devtroncd > /cache/backup.yaml" }} + - {{ .Values.argocd_backup.args | default "argocd admin export -n devtroncd > /argocd/backup.yaml" }} + resources: +{{ toYaml .Values.argocd_backup.resources | indent 13 }} containers: - name: gcloud-cli-for-cloud-storage-upload image: {{ .Values.global.GCP.image | default "google/cloud-sdk:alpine" }} volumeMounts: - - mountPath: /cache + - mountPath: /argocd name: argocd-volume env: - name: GCS_BUCKET 
@@ -129,13 +135,15 @@ spec: key: GOOGLE_APPLICATION_CREDENTIALS {{- end }} imagePullPolicy: Always + resources: +{{ toYaml .Values.argocd_backup.resources | indent 13 }} args: - /bin/bash - -c {{- if $.Values.global.GCP.encryption.enabled }} - - echo $gcp_credentials > /tmp/gcp_credentials.json ; gcloud auth activate-service-account --key-file=/tmp/gcp_credentials.json ; date1=$(date +%Y%m%d-%H%M); gpg -c --batch --passphrase {{ .Values.global.GCP.encryption.passphrase }} /cache/backup.yaml; rm -rvf /cache/backup.yaml; mv /cache/backup.yaml.gpg /cache/backup-$date1.yaml.gpg; gsutil cp /cache/backup-$date1.yaml.gpg gs://$GCS_BUCKET/argocd/; + - set -ex; echo $gcp_credentials > /argocd/gcp_credentials.json ; gcloud auth activate-service-account --key-file=/argocd/gcp_credentials.json ; date1=$(date +%Y%m%d-%H%M); gpg -c --batch --passphrase {{ .Values.global.GCP.encryption.passphrase }} /argocd/backup.yaml; rm -rvf /argocd/backup.yaml; mv /argocd/backup.yaml.gpg /argocd/backup-$date1.yaml.gpg; gsutil cp /argocd/backup-$date1.yaml.gpg gs://$GCS_BUCKET/argocd/; {{- else}} - - echo $gcp_credentials > /tmp/gcp_credentials.json ; gcloud auth activate-service-account --key-file=/tmp/gcp_credentials.json ; date1=$(date +%Y%m%d-%H%M); mv /cache/backup.yaml /cache/backup-$date1.yaml; gsutil cp /cache/backup-$date1.yaml gs://$GCS_BUCKET/argocd/; + - set -ex; echo $gcp_credentials > /argocd/gcp_credentials.json ; gcloud auth activate-service-account --key-file=/argocd/gcp_credentials.json ; date1=$(date +%Y%m%d-%H%M); mv /argocd/backup.yaml /argocd/backup-$date1.yaml; gsutil cp /argocd/backup-$date1.yaml gs://$GCS_BUCKET/argocd/; {{- end }} volumes: - name: argocd-volume From 6b14380649d744a53d3edde0e0dbf99d3b23f73b Mon Sep 17 00:00:00 2001 
From: Neha Sharma Date: Mon, 2 Dec 2024 16:42:01 +0530 Subject: [PATCH 22/22] update the values.yaml --- .../restrict-application-deletion-policy.yaml | 21 ++++--- .../restrict-limit-resource-policy.yaml | 59 ++++++++++--------- .../restrict-loadbalance-creation-policy.yaml | 2 +- .../restrict-pvc-creation-policy.yaml | 14 ++--- ...ict-without-readiness-liveness-policy.yaml | 17 +++--- .../restrict-without-resource-policy.yaml | 5 +- charts/k8s-shield/values.yaml | 52 ++++++---------- 7 files changed, 78 insertions(+), 92 deletions(-) diff --git a/charts/k8s-shield/templates/restrict-application-deletion-policy.yaml b/charts/k8s-shield/templates/restrict-application-deletion-policy.yaml index b059f999..e702cc4f 100644 --- a/charts/k8s-shield/templates/restrict-application-deletion-policy.yaml +++ b/charts/k8s-shield/templates/restrict-application-deletion-policy.yaml @@ -17,22 +17,22 @@ spec: - {{ . | quote }} {{- end }} {{- else }} - matchConstraints: [] + matchConstraints: {} {{- end }} - objectSelector: {} - resourceRules: + objectSelector: {} + resourceRules: - apiGroups: - - argoproj.io + - argoproj.io apiVersions: - - v1alpha1 + - v1alpha1 operations: - - DELETE + - DELETE resources: - - applications + - applications scope: Namespaced validations: - - expression: "false" - message: Deletion of application is not allowed. + - expression: "false" + message: Deletion of application is not allowed. --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding @@ -48,5 +48,4 @@ spec: {{- range .Values.appDeletionPolicy.validationActions }} - {{ . }} {{- end }} -{{- end }} - +{{- end }} \ No newline at end of file diff --git a/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml b/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml index 597d5801..578e44b7 100644 --- a/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml +++ b/charts/k8s-shield/templates/restrict-limit-resource-policy.yaml 
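Review bot: Replacing `matchConstraints: []` with `matchConstraints: {}` does not repair the structure introduced in the previous commit: with no namespaces configured the policy is rendered with an empty `matchConstraints`, and `resourceRules` either sits under that empty flow mapping (a YAML error) or, after the re-indentation in this hunk, becomes an unknown field of `spec`, so the API server rejects the object either way because `matchConstraints.resourceRules` is required. The fix is to make only the `namespaceSelector:` block conditional and keep `matchConstraints:`/`resourceRules:` unconditional; the limit-resource, loadbalancer, pvc, readiness-liveness and without-resource hunks that follow carry the same `{}` substitution. Also the `- expression: "false"` / `message: Deletion of application is not allowed.` lines were re-indented in this hunk without any other change, which is presumably whitespace-only and could have been split from the functional change.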
@@ -19,48 +19,50 @@ spec: - {{ . | quote }} {{- end }} {{- else }} - matchConstraints: [] + matchConstraints: {} {{- end }} - objectSelector: {} - resourceRules: - - apiGroups: + objectSelector: {} + resourceRules: + - apiGroups: {{- range $.Values.resourcePolicies.WithoutResource.apiGroups }} - {{ . | quote }} {{- end }} - apiVersions: + apiVersions: - v1 - operations: + operations: {{- range .Values.resourcePolicies.limitResourcePolicy.operations }} - {{ . | quote }} {{- end }} - resources: + resources: {{- range .Values.resourcePolicies.limitResourcePolicy.resources }} - {{ . | quote }} {{- end }} - scope: Namespaced + scope: Namespaced validations: - {{- if and .Values.bypassLabel.key .Values.bypassLabel.value }} + {{- if and .Values.bypassLabel.key .Values.bypassLabel.value }} - expression: |- (has(object.metadata.labels) && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}') - has(object.spec.template) ? - ( - !has(object.spec.template.spec.containers[0].resources.limits) || ( - (!has(object.spec.template.spec.containers[0].resources.limits.cpu) || - quantity(object.spec.template.spec.containers[0].resources.limits.cpu).compareTo(quantity('{{ $maxCPU }}')) <= 0) && - (!has(object.spec.template.spec.containers[0].resources.limits.memory) || - quantity(object.spec.template.spec.containers[0].resources.limits.memory).compareTo(quantity('{{ $maxMemory }}')) <= 0) - ) - ) : - ( - !has(object.spec.containers[0].resources.limits) || ( - (!has(object.spec.containers[0].resources.limits.cpu) || - quantity(object.spec.containers[0].resources.limits.cpu).compareTo(quantity('{{ $maxCPU }}')) <= 0) && - (!has(object.spec.containers[0].resources.limits.memory) || - quantity(object.spec.containers[0].resources.limits.memory).compareTo(quantity('{{ $maxMemory }}')) <= 0) + || ( + has(object.spec.template) ? 
+ ( + !has(object.spec.template.spec.containers[0].resources.limits) || ( + (!has(object.spec.template.spec.containers[0].resources.limits.cpu) || + quantity(object.spec.template.spec.containers[0].resources.limits.cpu).compareTo(quantity('{{ $maxCPU }}')) <= 0) && + (!has(object.spec.template.spec.containers[0].resources.limits.memory) || + quantity(object.spec.template.spec.containers[0].resources.limits.memory).compareTo(quantity('{{ $maxMemory }}')) <= 0) + ) + ) : + ( + !has(object.spec.containers[0].resources.limits) || ( + (!has(object.spec.containers[0].resources.limits.cpu) || + quantity(object.spec.containers[0].resources.limits.cpu).compareTo(quantity('{{ $maxCPU }}')) <= 0) && + (!has(object.spec.containers[0].resources.limits.memory) || + quantity(object.spec.containers[0].resources.limits.memory).compareTo(quantity('{{ $maxMemory }}')) <= 0) + ) ) ) message: "Resource limits exceed the maximum allowed: CPU <= {{ $maxCPU }} and memory <= {{ $maxMemory }}, set label {{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }} to allow" - {{- else }} + {{- else }} - expression: |- has(object.spec.template) ? ( @@ -80,17 +82,16 @@ spec: ) ) message: "Resource limits exceed the maximum allowed: CPU <= {{ $maxCPU }} and memory <= {{ $maxMemory }}." - {{- end }} + {{- end }} --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: - name: {{ include "k8s-shield.fullname" - . }}-restrict-resource-limits-binding + name: {{ include "k8s-shield.fullname" . }}-restrict-resource-limits-binding spec: policyName: {{ include "k8s-shield.fullname" . }}-restrict-resource-limits validationActions: {{- range .Values.resourcePolicies.limitResourcePolicy.validationActions }} - {{ . }} {{- end }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/k8s-shield/templates/restrict-loadbalance-creation-policy.yaml b/charts/k8s-shield/templates/restrict-loadbalance-creation-policy.yaml index d8a533a7..5ab89f03 100644 
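Review bot: The `|| (` wrapper fixes the missing operator between the bypass-label test and the `has(object.spec.template) ? ... : ...` ternary, but the rewritten expression still inspects only `containers[0]`, so any sidecar or second container can carry limits above `{{ $maxCPU }}`/`{{ $maxMemory }}` undetected, and initContainers are not examined at all; the sibling policies in this chart already use `containers.all(c, ...)`. It also reads `containers[0].resources.limits` through `has()` without first checking `has(c.resources)`, which for a container with no `resources` stanza presumably yields an evaluation error rather than `true`. Iterating over every container with `.all` keeps the CEL readable and removes the duplicated per-field checks; the same rewrite applies to the `else` branch that starts in the `@@ -80,17 +82,16 @@` hunk below. `$maxCPU`/`$maxMemory` are defined outside this hunk.
```yaml
      - expression: |-
          (has(object.metadata.labels) && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}')
          || (has(object.spec.template) ? object.spec.template.spec.containers : object.spec.containers).all(c,
               !has(c.resources) || !has(c.resources.limits) || (
                 (!has(c.resources.limits.cpu) || quantity(c.resources.limits.cpu).compareTo(quantity('{{ $maxCPU }}')) <= 0) &&
                 (!has(c.resources.limits.memory) || quantity(c.resources.limits.memory).compareTo(quantity('{{ $maxMemory }}')) <= 0)))
        # … unchanged: message line …
```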
--- a/charts/k8s-shield/templates/restrict-loadbalance-creation-policy.yaml +++ b/charts/k8s-shield/templates/restrict-loadbalance-creation-policy.yaml @@ -18,7 +18,7 @@ spec: - {{ . | quote }} {{- end }} {{- else }} - matchConstraints: [] + matchConstraints: {} {{- end }} objectSelector: {} resourceRules: diff --git a/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml b/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml index 1d9aa495..67ee3b3e 100644 --- a/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml +++ b/charts/k8s-shield/templates/restrict-pvc-creation-policy.yaml @@ -17,10 +17,10 @@ spec: - {{ . | quote }} {{- end }} {{- else }} - matchConstraints: [] + matchConstraints: {} {{- end }} - objectSelector: {} - resourceRules: + objectSelector: {} + resourceRules: - apiGroups: [""] apiVersions: ["v1"] operations: ["CREATE", "UPDATE"] @@ -29,10 +29,10 @@ spec: validations: {{- if and .Values.bypassLabel.key .Values.bypassLabel.value }} - expression: "has(object.metadata.labels) && object.metadata.labels['{{ .Values.bypassLabel.key }}'] == '{{ .Values.bypassLabel.value }}'" - message: " Creation of PersistentVolumeClaims is not allowed,set label {{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }} to allow" + message: "Creation of PersistentVolumeClaims is not allowed, set label {{ .Values.bypassLabel.key }}: {{ .Values.bypassLabel.value }} to allow" {{- else }} - - expression: false - message: Creation of PersistentVolumeClaims is not allowed. + - expression: "false" + message: "Creation of PersistentVolumeClaims is not allowed." {{- end }} --- apiVersion: admissionregistration.k8s.io/v1 @@ -49,4 +49,4 @@ spec: {{- range .Values.pvcCreationPolicy.validationActions }} - {{ . }} {{- end }} -{{- end }} +{{- end }} \ No newline at end of file 
diff --git a/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml b/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml index 0639ee62..fef929d3 100644 --- a/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml +++ b/charts/k8s-shield/templates/restrict-without-readiness-liveness-policy.yaml @@ -17,23 +17,24 @@ spec: - {{ . | quote }} {{- end }} {{- else }} - matchConstraints: [] + matchConstraints: {} {{- end }} - resourceRules: - - apiGroups: + objectSelector: {} + resourceRules: + - apiGroups: {{- range $.Values.resourcePolicies.WithoutResource.apiGroups }} - {{ . | quote }} {{- end }} - apiVersions: ["v1"] - operations: + apiVersions: ["v1"] + operations: {{- range $.Values.readinessAndLivenessPolicy.operations }} - {{ . | quote }} {{- end }} - resources: + resources: {{- range $.Values.readinessAndLivenessPolicy.resources }} - {{ . | quote }} {{- end }} - scope: Namespaced + scope: Namespaced validations: {{- if and .Values.bypassLabel.key .Values.bypassLabel.value }} - expression: > @@ -60,4 +61,4 @@ spec: {{- range $.Values.readinessAndLivenessPolicy.validationActions }} - {{ . }} {{- end }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/k8s-shield/templates/restrict-without-resource-policy.yaml b/charts/k8s-shield/templates/restrict-without-resource-policy.yaml index 0de97d50..96d3ed09 100644 --- a/charts/k8s-shield/templates/restrict-without-resource-policy.yaml +++ b/charts/k8s-shield/templates/restrict-without-resource-policy.yaml @@ -17,9 +17,9 @@ spec: - {{ . | quote }} {{- end }} {{- else }} - matchConstraints: [] + matchConstraints: {} {{- end }} - resourceRules: + resourceRules: - apiGroups: {{- range $.Values.resourcePolicies.WithoutResource.apiGroups }} - {{ . | quote }} @@ -59,4 +59,3 @@ spec: - {{ . }} {{- end }} {{- end }} - diff --git a/charts/k8s-shield/values.yaml b/charts/k8s-shield/values.yaml index 3ee03f22..41f7391e 100644 
--- a/charts/k8s-shield/values.yaml +++ b/charts/k8s-shield/values.yaml @@ -1,25 +1,22 @@ #bypassLabel defines a label with a key-value pair that allows the user to apply policies without any restrictions. bypassLabel: - key: "test" - value: "hello" + key: "" + value: "" # pvcCreationPolicy controls the creation of Persistent Volume Claims (PVCs). # If enabled, it restricts PVC creation in specified namespaces. pvcCreationPolicy: - enabled: false # If true, the policy prevents PVC creation in specified namespaces. - namespaces: # List of namespaces where the policy applies. - - devtroncd - - argo + enabled: true # If true, the policy prevents PVC creation in specified namespaces. + namespaces: {} # List of namespaces where the policy applies. validationActions: - Deny # namespaceDeletionPolicy restricts the deletion of namespaces. # When enabled, it prevents deletion of namespaces in specified namespaces. namespaceDeletionPolicy: - enabled: false # If true, this policy restricts the deletion of namespaces. + enabled: true # If true, this policy restricts the deletion of namespaces. namespaces: # List of namespaces that you want to protect from deletion - - devtroncd - - argo + - kube-system validationActions: - Deny 
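Review bot: `namespaces: {} # List of namespaces where the policy applies.` declares a mapping where the comment and the templates' `range` expect a list; Helm will iterate an empty map without complaint, but the first user who follows the comment and writes `- devtroncd` under it gets a type error, so the empty default should be `namespaces: []`. More importantly, this hunk and the two that follow (`@@ -27,19 +24,15 @@` ff. and `@@ -89,23 +78,21 @@`) flip every policy to `enabled: true` with no namespaces, which, combined with the templates' `failurePolicy: Fail`, is presumably meant to enforce cluster-wide on a fresh install: with `bypassLabel` empty the PVC policy's unconditional `expression: "false"` then denies every PersistentVolumeClaim in the cluster, and the readiness/liveness and resource policies apply to workloads in kube-system. Keep the policies opt-in (`enabled: false`) or ship a default namespace exclusion, and say in the comment what an empty list means, e.g. `namespaces: [] # Namespaces the policy applies to; empty means every namespace in the cluster.`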
@@ -27,19 +24,15 @@ namespaceDeletionPolicy: # This policy prevents creating LoadBalancer services in the specified namespaces. loadBalancerCreationPolicy: enabled: true # If true, the policy blocks creation of LoadBalancer type services. - namespaces: # List of namespaces where the policy applies. - - devtroncd - - argo + namespaces: {} # List of namespaces where the policy applies. validationActions: - Deny # appDeletionPolicy prevents the deletion of applications within specified namespaces. # If enabled, applications cannot be deleted in the listed namespaces. appDeletionPolicy: - enabled: false # If true, this policy restricts application deletion. - namespaces: # List of namespaces where the policy applies. - - devtroncd - - argo + enabled: true # If true, this policy restricts application deletion. + namespaces: {} # List of namespaces where the policy applies. validationActions: - Deny
@@ -47,10 +40,8 @@ appDeletionPolicy: # The policy ensures resource constraints on all pods in the specified namespaces. resourcePolicies: WithoutResource: - enabled: false # If true, this policy enforces that deployments have resource requests and limits. - namespaces: # List of namespaces where the policy applies. - - devtroncd - - argo + enabled: true # If true, this policy enforces that deployments have resource requests and limits. + namespaces: {} # List of namespaces where the policy applies. validationActions: - Deny operations:
@@ -66,14 +57,12 @@ resourcePolicies: - rollout.k8s.io limitResourcePolicy: - enabled: false # If true, this sub-policy enforces resource limits for deployments. + enabled: true # If true, this sub-policy enforces resource limits for deployments. apiGroups: # API groups where the policy applies. - "" - apps - argoproj.io - namespaces: - - devtroncd - - argo + namespaces: {} operations: - CREATE - UPDATE
@@ -89,23 +78,21 @@ resourcePolicies: # adminClusterRoleCreation prevents the creation of new roles and cluster roles with admin access in the cluster. adminClusterRoleCreation: - enabled: false # If true, this policy prevents creation of new roles and cluster roles. + enabled: true # If true, this policy prevents creation of new roles and cluster roles. validationActions: - Deny # cLusterRoleBindingCreation prevents the creation of clusterRoleBindings with cluster-admin access. cLusterRoleBindingCreation: - enabled: false # If true, this policy prevents creation of clusterRoleBindings with admin access. + enabled: true # If true, this policy prevents creation of clusterRoleBindings with admin access. validationActions: # Defines the actions when the policy is violated. Default is DENY. - Deny # readinessAndLivenessPolicy ensures that readiness and liveness probes are defined for containers. # This ensures that pods are only considered healthy when they pass the defined probes. readinessAndLivenessPolicy: - enabled: false # If true, this policy ensures readiness and liveness probes are defined. - namespaces: # List of namespaces where the policy applies. - - devtroncd - - argo + enabled: true # If true, this policy ensures readiness and liveness probes are defined. + namespaces: {} # List of namespaces where the policy applies. operations: - CREATE - UPDATE 
@@ -122,7 +109,7 @@ readinessAndLivenessPolicy: # podSecurityPolicy ensures that security-related best practices are followed for Pods. # For example, it restricts the use of privileged containers and ensures read-only file systems. podSecurityPolicy: - enabled: false # If true, the Pod Security Policy is enabled. + enabled: true # If true, the Pod Security Policy is enabled. allowrunAsNonRoot: false # Prevent containers from running as root. allowreadOnlyRootFilesystem: false # Ensure the root filesystem is not writable. allowPrivilegeEscalation: false # Prevent processes from gaining more privileges than their parent.
@@ -147,7 +134,7 @@ podSecurityPolicy: # containerSecurityPolicy defines security best practices for containers within Pods. # It ensures that containers adhere to security policies for non-root execution, file system access, and privilege escalation. containerSecurityPolicy: - enabled: false # If true, the container security policy is enabled. + enabled: true # If true, the container security policy is enabled. allowrunAsNonRoot: false # Prevent containers from running as root. allowreadOnlyRootFilesystem: false # Ensure the root filesystem is not writable. allowPrivilegeEscalation: false # Prevent processes from gaining more privileges than their parent.
@@ -168,4 +155,3 @@ containerSecurityPolicy: - apps - batch - rollout.k8s.io -