-
Notifications
You must be signed in to change notification settings - Fork 13
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: add more validation models about containers and services
Signed-off-by: peefy <[email protected]>
- Loading branch information
Showing
111 changed files
with
2,158 additions
and
0 deletions.
There are no files selected for viewing
Empty file.
Empty file.
Empty file.
Empty file.
Empty file.
Empty file.
Empty file.
Empty file.
Empty file.
Empty file.
Empty file.
Empty file.
Empty file.
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
[package] | ||
name = "readonly-root-fs" | ||
version = "0.0.1" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
schema Params: | ||
|
||
params: Params = option("params") | ||
items = [item | { | ||
if item.kind == "Pod": | ||
spec.containers: [{ | ||
securityContext.readOnlyRootFilesystem = True | ||
} for container in item.spec.containers] | ||
} for item in option("items") or []] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
apiVersion: krm.kcl.dev/v1alpha1 | ||
kind: KCLRun | ||
metadata: | ||
name: readonly-root-fs | ||
annotations: | ||
krm.kcl.dev/version: 0.0.1 | ||
krm.kcl.dev/type: mutation | ||
documentation: >- | ||
Set read only root file system for containers | ||
spec: | ||
source: ./examples/mutation/readonly-root-fs/main.k | ||
--- | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx:1.14.2 | ||
ports: | ||
- containerPort: 80 |
Empty file.
Empty file.
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
[package] | ||
name = "allowed-image-repos" | ||
version = "0.0.1" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
"""Requires container images to begin with a string from the specified list. | ||
|
||
Ref: https://github.com/open-policy-agent/gatekeeper-library/blob/master/src/general/allowedrepos/constraint.tmpl | ||
""" | ||
|
||
# The list of prefixes a container image is allowed to have. | ||
repos: [str] = option("params").repos or [] | ||
|
||
# Define the validation function | ||
validate = lambda item { | ||
containers = [] | ||
if item.kind == "Pod" and repos: | ||
containers = (item.spec.containers or []) + (item.spec.phemeralContainers or []) + (item.spec.initContainers or []) | ||
elif item.kind == "Deployment": | ||
containers = (item.spec.template.spec.containers or []) + (item.spec.template.spec.phemeralContainers or []) + (item.spec.template.spec.initContainers or []) | ||
images: [str] = [c.image for c in containers] | ||
assert all image in images { | ||
all repo in repos { | ||
image.startswith(repo) | ||
} | ||
} if images and repos, """Use of image is disallowed for ${item.kind}: ${item.metadata.name}, valid repos ${repos}""" | ||
item | ||
} | ||
# Validate All resource | ||
items = [validate(i) for i in option("items")] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
apiVersion: krm.kcl.dev/v1alpha1 | ||
kind: KCLRun | ||
metadata: | ||
name: allowed-image-repos | ||
annotations: | ||
krm.kcl.dev/version: 0.0.1 | ||
krm.kcl.dev/type: validation | ||
documentation: >- | ||
Requires container images to begin with a string from the specified list. | ||
Ref: https://github.com/open-policy-agent/gatekeeper-library/blob/master/src/general/allowedrepos/constraint.tmpl | ||
spec: | ||
params: | ||
repos: | ||
- nginx | ||
source: ./examples/validation/allowed-image-repos/main.k | ||
--- | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: my-deploy | ||
labels: | ||
app: kcl | ||
spec: | ||
replicas: 3 | ||
selector: | ||
matchLabels: | ||
app: kcl | ||
template: | ||
metadata: | ||
labels: | ||
app: kcl | ||
spec: | ||
containers: | ||
- name: kcl | ||
image: kcllang/kcl | ||
ports: | ||
- containerPort: 80 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
apiVersion: krm.kcl.dev/v1alpha1 | ||
kind: KCLRun | ||
metadata: | ||
name: allowed-image-repos | ||
annotations: | ||
krm.kcl.dev/version: 0.0.1 | ||
krm.kcl.dev/type: validation | ||
documentation: >- | ||
Requires container images to begin with a string from the specified list. | ||
Ref: https://github.com/open-policy-agent/gatekeeper-library/blob/master/src/general/allowedrepos/constraint.tmpl | ||
spec: | ||
params: | ||
repos: | ||
- nginx | ||
source: ./examples/validation/allowed-image-repos/main.k | ||
--- | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: my-deploy | ||
labels: | ||
app: nginx | ||
spec: | ||
replicas: 3 | ||
selector: | ||
matchLabels: | ||
app: nginx | ||
template: | ||
metadata: | ||
labels: | ||
app: nginx | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx:1.14.2 | ||
ports: | ||
- containerPort: 80 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
[package] | ||
name = "deny-all" | ||
version = "0.0.1" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
assert False if option("items"), "Deny all objects and the input object list is ${option('items')}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
apiVersion: krm.kcl.dev/v1alpha1 | ||
kind: KCLRun | ||
metadata: | ||
name: deny-all | ||
annotations: | ||
krm.kcl.dev/version: 0.0.1 | ||
krm.kcl.dev/type: validation | ||
documentation: >- | ||
Deny all objects if there are input objects. | ||
spec: | ||
source: ./examples/validation/deny-all/main.k | ||
--- | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx:1.14.2 | ||
ports: | ||
- containerPort: 80 | ||
livenessProbe: | ||
exec: | ||
command: | ||
- ps |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
apiVersion: krm.kcl.dev/v1alpha1 | ||
kind: KCLRun | ||
metadata: | ||
name: deny-all | ||
annotations: | ||
krm.kcl.dev/version: 0.0.1 | ||
krm.kcl.dev/type: validation | ||
documentation: >- | ||
Deny all objects if there are input objects. | ||
spec: | ||
source: ./examples/validation/deny-all/main.k |
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
[package] | ||
name = "deny-endpoint-edit-default-role" | ||
version = "0.0.1" |
32 changes: 32 additions & 0 deletions
32
examples/validation/deny-endpoint-edit-default-role/main.k
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
"""Many Kubernetes installations by default have a system:aggregate-to-edit | ||
ClusterRole which does not properly restrict access to editing Endpoints. | ||
This ConstraintTemplate forbids the system:aggregate-to-edit ClusterRole | ||
from granting permission to create/patch/update Endpoints. | ||
|
||
ClusterRole/system:aggregate-to-edit should not allow | ||
Endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice | ||
permissions allow cross-Namespace forwarding, | ||
https://github.com/kubernetes/kubernetes/issues/103675 | ||
|
||
Reference: https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/general/block-endpoint-edit-default-role/template.yaml | ||
""" | ||
|
||
# Define the validation function | ||
validate = lambda item { | ||
if (item?.metadata?.name or "") == "system:aggregate-to-edit": | ||
rules = item.rules or [] | ||
# Check all rules if rules exist | ||
assert all rule in rules { | ||
# Check evrey rule verbs if rule resources exist "endpoints" | ||
all res in rule.resources { | ||
# Check every verbs | ||
all verb in rule.verbs { | ||
verb not in ["create", "patch", "update"] | ||
} if rule.verbs and res == "endpoints" | ||
} if rule.resources | ||
} if rules, "ClusterRole system:aggregate-to-edit should not allow endpoint edit permissions. For k8s version < 1.22, the Cluster Role should be annotated with rbac.authorization.kubernetes.io/autoupdate=false to prevent autoreconciliation back to default permissions for this role." | ||
item | ||
} | ||
|
||
# Validate All resource | ||
items = [validate(i) for i in option("items")] |
116 changes: 116 additions & 0 deletions
116
examples/validation/deny-endpoint-edit-default-role/suite/bad.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,116 @@ | ||
apiVersion: krm.kcl.dev/v1alpha1 | ||
kind: KCLRun | ||
metadata: | ||
name: deny-endpoint-edit-default-role | ||
annotations: | ||
krm.kcl.dev/version: 0.0.1 | ||
krm.kcl.dev/type: validation | ||
documentation: >- | ||
Many Kubernetes installations by default have a system:aggregate-to-edit | ||
ClusterRole which does not properly restrict access to editing Endpoints. | ||
This ConstraintTemplate forbids the system:aggregate-to-edit ClusterRole | ||
from granting permission to create/patch/update Endpoints. | ||
ClusterRole/system:aggregate-to-edit should not allow | ||
Endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice | ||
permissions allow cross-Namespace forwarding, | ||
https://github.com/kubernetes/kubernetes/issues/103675 | ||
Reference: https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/general/block-endpoint-edit-default-role/template.yaml | ||
spec: | ||
source: ./examples/validation/deny-endpoint-edit-default-role/main.k | ||
--- | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx:1.14.2 | ||
ports: | ||
- containerPort: 80 | ||
livenessProbe: | ||
exec: | ||
command: | ||
- ps | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
annotations: | ||
rbac.authorization.kubernetes.io/autoupdate: "true" | ||
creationTimestamp: null | ||
labels: | ||
kubernetes.io/bootstrapping: rbac-defaults | ||
rbac.authorization.k8s.io/aggregate-to-edit: "true" | ||
name: system:aggregate-to-edit | ||
rules: | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- pods/attach | ||
- pods/exec | ||
- pods/portforward | ||
- pods/proxy | ||
- secrets | ||
- services/proxy | ||
verbs: | ||
- get | ||
- list | ||
- watch | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- serviceaccounts | ||
verbs: | ||
- impersonate | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- pods | ||
- pods/attach | ||
- pods/exec | ||
- pods/portforward | ||
- pods/proxy | ||
verbs: | ||
- create | ||
- delete | ||
- deletecollection | ||
- patch | ||
- update | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- configmaps | ||
- persistentvolumeclaims | ||
- replicationcontrollers | ||
- replicationcontrollers/scale | ||
- secrets | ||
- serviceaccounts | ||
- services | ||
- services/proxy | ||
verbs: | ||
- create | ||
- delete | ||
- deletecollection | ||
- patch | ||
- update | ||
- apiGroups: | ||
- apps | ||
resources: | ||
- daemonsets | ||
- deployments | ||
- deployments/rollback | ||
- deployments/scale | ||
- endpoints | ||
- replicasets | ||
- replicasets/scale | ||
- statefulsets | ||
- statefulsets/scale | ||
verbs: | ||
- create | ||
- delete | ||
- deletecollection | ||
- patch | ||
- update |
Oops, something went wrong.