Merge pull request #177 from nirmata/anudeep-remediation-yamls

Anudeep remediation yamls

pod-security/baseline/disallow-capabilities/deployment.yaml

@@ -0,0 +1,25 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: baddeployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: app
+  template:
+    metadata:
+      labels:
+        app: app
+    spec:
+      containers:
+      - name: container01
+        image: busybox
+        command:
+        - "sleep"
+        - "3600"
+        securityContext:
+          capabilities:
+            add:
+            - SYS_ADMIN
+            - NET_RAW

pod-security/baseline/disallow-capabilities/disallow-capabilities.yaml

@@ -10,6 +10,7 @@ metadata:
     kyverno.io/kubernetes-version: "1.22-1.23"
     policies.kyverno.io/subject: Pod
     policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-capabilities/"
+    policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/baseline/disallow-capabilities/remediate-disallow-capabilities.yaml"
     policies.kyverno.io/description: >-
       Any additional capabilities not mentioned in the allowed list, which includes AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT, are prohibited and not permitted.
 spec:

pod-security/baseline/disallow-capabilities/e2e/chainsaw-test.yaml

@@ -10,6 +10,26 @@ spec:
         file: ../disallow-capabilities.yaml
     - assert:
         file: policy-assert.yaml
+    - apply:
+        file: ../remediate-disallow-capabilities.yaml
+    - assert:
+        file: remediation-policy-assert.yaml
+    - apply:
+        file: ../deployment.yaml
+    - sleep:
+        duration: 20s
+    - assert:
+        resource:
+          apiVersion: wgpolicyk8s.io/v1alpha2
+          kind: PolicyReport
+          summary:
+            error: 0
+            fail: 0
+    - delete:
+        ref:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          name: remediate-disallow-capabilities
     - script:
         content: |
           sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-capabilities.yaml | kubectl apply -f - 

pod-security/baseline/disallow-capabilities/e2e/remediation-policy-assert.yaml

@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: remediate-disallow-capabilities
+spec:
+  validationFailureAction: Audit
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

pod-security/baseline/disallow-capabilities/remediate-disallow-capabilities.yaml

@@ -0,0 +1,139 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: remediate-disallow-capabilities
+  annotations:
+    policies.kyverno.io/title: Remediate Capabilities Baseline
+    policies.kyverno.io/category: Pod Security Standards (Baseline)
+    policies.kyverno.io/description: >-
+      This policy remediates the disallow-capabilities baseline policy by automatically removing any unpermitted capabilities.
+spec:
+  background: false
+  rules:
+    - name: remove-unpermitted-capabilities
+      match:
+        resources:
+          kinds:
+            - Deployment
+            - StatefulSet
+            - Job
+            - DaemonSet
+      mutate:
+        foreach:
+          - list: request.object.spec.template.spec.containers[]
+            order: Descending
+            preconditions:
+              all:
+                - key: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
+                  operator: AnyNotIn
+                  value:
+                    - AUDIT_WRITE
+                    - CHOWN
+                    - DAC_OVERRIDE
+                    - FOWNER
+                    - FSETID
+                    - KILL
+                    - MKNOD
+                    - NET_BIND_SERVICE
+                    - SETFCAP
+                    - SETGID
+                    - SETPCAP
+                    - SETUID
+                    - SYS_CHROOT
+            patchesJson6902: |-
+              - op: remove
+                path: /spec/template/spec/containers/{{elementIndex}}/securityContext/capabilities/add
+              - op: add
+                path: /spec/template/spec/containers/{{elementIndex}}/securityContext/capabilities/add
+                value:
+                  - AUDIT_WRITE
+                  - CHOWN
+                  - DAC_OVERRIDE
+                  - FOWNER
+                  - FSETID
+                  - KILL
+                  - MKNOD
+                  - NET_BIND_SERVICE
+                  - SETFCAP
+                  - SETGID
+                  - SETPCAP
+                  - SETUID
+                  - SYS_CHROOT
+          - list: request.object.spec.template.spec.initContainers[]
+            order: Descending
+            preconditions:
+              all:
+                - key: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
+                  operator: AnyNotIn
+                  value:
+                    - AUDIT_WRITE
+                    - CHOWN
+                    - DAC_OVERRIDE
+                    - FOWNER
+                    - FSETID
+                    - KILL
+                    - MKNOD
+                    - NET_BIND_SERVICE
+                    - SETFCAP
+                    - SETGID
+                    - SETPCAP
+                    - SETUID
+                    - SYS_CHROOT
+            patchesJson6902: |-
+              - op: remove
+                path: /spec/template/spec/initContainers/{{elementIndex}}/securityContext/capabilities/add
+              - op: add
+                path: /spec/template/spec/initContainers/{{elementIndex}}/securityContext/capabilities/add
+                value:
+                  - AUDIT_WRITE
+                  - CHOWN
+                  - DAC_OVERRIDE
+                  - FOWNER
+                  - FSETID
+                  - KILL
+                  - MKNOD
+                  - NET_BIND_SERVICE
+                  - SETFCAP
+                  - SETGID
+                  - SETPCAP
+                  - SETUID
+                  - SYS_CHROOT
+          - list: request.object.spec.template.spec.ephemeralContainers[]
+            order: Descending
+            preconditions:
+              all:
+                - key: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
+                  operator: AnyNotIn
+                  value:
+                    - AUDIT_WRITE
+                    - CHOWN
+                    - DAC_OVERRIDE
+                    - FOWNER
+                    - FSETID
+                    - KILL
+                    - MKNOD
+                    - NET_BIND_SERVICE
+                    - SETFCAP
+                    - SETGID
+                    - SETPCAP
+                    - SETUID
+                    - SYS_CHROOT
+            patchesJson6902: |-
+              - op: remove
+                path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext/capabilities/add
+              - op: add
+                path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext/capabilities/add
+                value:
+                  - AUDIT_WRITE
+                  - CHOWN
+                  - DAC_OVERRIDE
+                  - FOWNER
+                  - FSETID
+                  - KILL
+                  - MKNOD
+                  - NET_BIND_SERVICE
+                  - SETFCAP
+                  - SETGID
+                  - SETPCAP
+                  - SETUID
+                  - SYS_CHROOT

pod-security/restricted/require-run-as-non-root-user/deployment.yaml

@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: baddeployment02
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: app
+  template:
+    metadata:
+      labels:
+        app: app
+    spec:
+      securityContext:
+        runAsUser: 0
+      containers:
+      - name: container01
+        image: busybox
+        command:
+        - "sleep"
+        - "3600"
+        securityContext:
+          runAsUser: 0

pod-security/restricted/require-run-as-non-root-user/e2e/chainsaw-test.yaml

@@ -10,6 +10,26 @@ spec:
         file: ../require-run-as-non-root-user.yaml
     - assert:
         file: policy-assert.yaml
+    - apply:
+        file: ../remediate-require-run-as-non-root-user.yaml
+    - assert:
+        file: remediation-policy-assert.yaml
+    - apply:
+        file: ../deployment.yaml
+    - sleep:
+        duration: 20s
+    - assert:
+        resource:
+          apiVersion: wgpolicyk8s.io/v1alpha2
+          kind: PolicyReport
+          summary:
+            error: 0
+            fail: 0
+    - delete:
+        ref:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          name: remediate-require-run-as-non-root-user
     - script:
         content: |
           sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../require-run-as-non-root-user.yaml | kubectl apply -f - 

pod-security/restricted/require-run-as-non-root-user/e2e/remediation-policy-assert.yaml

@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: remediate-require-run-as-non-root-user
+spec:
+  validationFailureAction: Audit
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

pod-security/restricted/require-run-as-non-root-user/remediate-require-run-as-non-root-user.yaml

@@ -0,0 +1,53 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: remediate-require-run-as-non-root-user
+  annotations:
+    policies.kyverno.io/title: Require Run As Non-Root User
+    policies.kyverno.io/category: Pod Security Standards (Restricted)
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    kyverno.io/kyverno-version: 1.6.0
+    kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.kyverno.io/description: >-
+      Containers must be required to run as non-root users. This policy mutates the field
+      spec.securityContext.runAsUser to a value greater than zero,
+      and the fields spec.containers[*].securityContext.runAsUser,
+      spec.initContainers[*].securityContext.runAsUser, and spec.ephemeralContainers[*].securityContext.runAsUser
+      if exists, is set to a non-zero value.
+spec:
+  background: false
+  rules:
+    - name: add-run-as-non-root-user
+      match:
+        any:
+          - resources:
+              kinds:
+                - Deployment
+                - StatefulSet
+                - Job
+                - DaemonSet
+      mutate:
+        foreach:
+        - list: "request.object.spec.template.spec.[containers, initContainers, ephemeralContainers][]"
+          patchStrategicMerge:
+            spec:
+              template:
+                spec:
+                  securityContext:
+                    runAsUser: 1000
+                  containers:
+                    - (name): "{{ element.name }}"
+                      securityContext:
+                        (runAsUser): 0
+                        runAsUser: 1000
+                  initContainers:
+                    - (name): "{{ element.name }}"
+                      securityContext:
+                        (runAsUser): 0
+                        runAsUser: 1000
+                  ephemeralContainers:
+                    - (name): "{{ element.name }}"
+                      securityContext:
+                        (runAsUser): 0
+                        runAsUser: 1000

pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml

@@ -9,6 +9,7 @@ metadata:
     policies.kyverno.io/subject: Pod
     kyverno.io/kubernetes-version: "1.22-1.23"
     policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/restricted/require-run-as-non-root-user/"
+    policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/restricted/require-run-as-non-root-user/remediate-require-run-as-non-root-user.yaml"
     policies.kyverno.io/description: >-
       Containers must be required to run as non-root users. This policy ensures that the fields 
       spec.securityContext.runAsUser,

pod-security/restricted/restrict-seccomp-strict/deployment.yaml

@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: baddeployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: app
+  template:
+    metadata:
+      labels:
+        app: app
+    spec:
+      containers:
+      - name: container01
+        image: busybox
+        command:
+        - "sleep"
+        - "3600"
+        securityContext:
+          seccompProfile:
+            type: Unconfined 

pod-security/restricted/restrict-seccomp-strict/e2e/chainsaw-test.yaml

@@ -10,6 +10,26 @@ spec:
         file: ../restrict-seccomp-strict.yaml
     - assert:
         file: policy-assert.yaml
+    - apply:
+        file: ../remediate-restrict-seccomp-strict.yaml
+    - assert:
+        file: remediation-policy-assert.yaml
+    - apply:
+        file: ../deployment.yaml
+    - sleep:
+        duration: 20s
+    - assert:
+        resource:
+          apiVersion: wgpolicyk8s.io/v1alpha2
+          kind: PolicyReport
+          summary:
+            error: 0
+            fail: 0
+    - delete:
+        ref:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          name: remediate-restrict-seccomp-strict
     - script:
         content: |
           sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-seccomp-strict.yaml | kubectl apply -f -