Merge pull request #180 from mastersans/public-policies

feat: added eks, ecs and lambda policies for cloud-controller

cloud-controller/aws/ecs/check-awsvpc-network-mode.yaml

@@ -0,0 +1,33 @@
+apiVersion: nirmata.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: check-awsvpc-network-mode
+  annotations:
+    policies.kyverno.io/title: Check Awsvpc Network Mode
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      The awsvpc network mode restricts the flow of traffic between different 
+      tasks or between your tasks and other services that run within your Amazon VPC.
+      The awsvpc network mode provides task-level network isolation for tasks 
+      that run on Amazon EC2.
+  labels:
+    app: kyverno
+spec:
+  failureAction: Audit
+  scan: true
+  rules:
+    - name: check-awsvpc-network-mode
+      identifier: payload.family
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): ECS
+        - (metadata.resource): TaskDefinition
+      assert:
+        all:
+        - message: >- 
+            ECS task definitions are required to use awsvpc network mode.
+          check:
+            payload:
+              networkMode: awsvpc

cloud-controller/aws/ecs/validate-ecs-container-insights-enabled.yaml

@@ -0,0 +1,32 @@
+apiVersion: nirmata.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-container-insights-enabled
+  annotations:
+    policies.kyverno.io/title: Validate ECS Container Insights are Enabled
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      Container Insights enhances the operational visibility of ECS clusters, allowing for proactive issue resolution. 
+      Enabling this feature ensures that diagnostic information is readily available, contributing to a more efficient and reliable containerized environment.
+  labels:
+    app: kyverno
+spec:
+  failureAction: Audit
+  scan: true
+  rules:
+    - name: validate-ecs-container-insights-enabled
+      identifier: payload.clusterName
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): ECS
+        - (metadata.resource): Cluster
+      assert:
+        all:
+        - message: >- 
+            ECS container insights must be enabled
+          check:
+            payload:
+              ~.(clusterSettings[?name == 'containerInsights'] || settings[?name == 'containerInsights']):
+                value: enabled

cloud-controller/aws/ecs/validate-ecs-containers-nonprivileged.yaml

@@ -0,0 +1,32 @@
+apiVersion: nirmata.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-containers-nonprivileged
+  annotations:
+    policies.kyverno.io/title: Validate ECS Containers Are Set to Non-Privileged
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      When privileged is set to true, the container is given elevated permissions on the host container instance (similar to the root user). 
+      This policy checks that the privileged parameter in the container definition is set to false.
+  labels:
+    app: kyverno
+spec:
+  failureAction: Audit
+  scan: true
+  rules:
+    - name: validate-ecs-containers-nonprivileged
+      identifier: payload.family
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): ECS
+        - (metadata.resource): TaskDefinition
+      assert:
+        all:
+        - message: >- 
+            The `privileged` field, if present, should be set to `false`
+          check:
+            payload:
+              ~.(containerDefinitions):
+                  (!!privileged): false

cloud-controller/aws/ecs/validate-ecs-containers-readonly.yaml

@@ -0,0 +1,33 @@
+apiVersion: nirmata.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-containers-readonly
+  annotations:
+    policies.kyverno.io/title: Validate if ECS Containers only have read-only access to its root filesystem
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      When managing containers within AWS ECS, it's crucial to enforce security measures to prevent unauthorized modifications. 
+      One significant aspect is restricting write access to the containers' root filesystem.
+      This policy checks if ECS Containers have read-only access to its root filesystem.
+  labels:
+    app: kyverno
+spec:
+  failureAction: Audit
+  scan: true
+  rules:
+    - name: validate-ecs-containers-readonly
+      identifier: payload.family
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): ECS
+        - (metadata.resource): TaskDefinition
+      assert:
+        all:
+        - message: >- 
+            ECS Containers should have read-only access to its root filesystem
+          check:
+            payload:
+              ~.(containerDefinitions):
+                  readonlyRootFilesystem: true

cloud-controller/aws/ecs/validate-ecs-task-definition-log-configuration.yaml

@@ -0,0 +1,34 @@
+apiVersion: nirmata.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-task-definition-log-configuration
+  annotations:
+    policies.kyverno.io/title: Validate ECS Task Definition Log Configuration
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      The LogConfiguration property specifies log configuration options to send to a custom log driver for the container. 
+      Having all logs at a central place simplifies troubleshooting and debugging since you don't have to log into individual instances
+      to access container logs. It also allows integration with monitoring tools to set up metrics and alerts based on log data. 
+      This policy checks if ECS TaskDefinitions and Services have logConfiguration defined. 
+  labels:
+    app: kyverno
+spec:
+  failureAction: Audit
+  scan: true
+  rules:
+    - name: validate-ecs-task-definition-log-configuration
+      identifier: payload.family
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): ECS
+        - (metadata.resource): TaskDefinition
+      assert:
+        all:
+        - message: >- 
+            logConfiguration must be set for ECS Task Definition
+          check:
+            payload:
+              ~.(containerDefinitions):
+                  (!logConfiguration): false

cloud-controller/aws/ecs/validate-ecs-task-definition-memory-hard-limit.yaml

@@ -0,0 +1,35 @@
+apiVersion: nirmata.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-task-definition-memory-hard-limit
+  annotations:
+    policies.kyverno.io/title: Validate ECS Task Definition Memory Hard Limit
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy checks if Amazon Elastic Container Service
+      (ECS) task definitions and tasks have a set memory limit for its container definitions. 
+      If a memory limit is not set for a container, it can consume excessive memory, potentially starving other containers running on the same host. 
+      Therefore, it is crucial to enforce a hard memory limit on each container to prevent resource contention. 
+      If a container exceeds its memory limit, it will be terminated by ECS.
+  labels:
+    app: kyverno
+spec:
+  failureAction: Audit
+  scan: true
+  rules:
+    - name: validate-ecs-task-definition-memory-hard-limit
+      identifier: payload.family
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): ECS
+        - (metadata.resource): TaskDefinition
+      assert:
+        all:
+        - message: >- 
+            Memory limit for container definitions should be set in the task definition
+          check:
+            payload:
+              ~.(containerDefinitions):
+                  (!memory): false

cloud-controller/aws/ecs/validate-ecs-task-definition-nonroot-user.yaml

@@ -0,0 +1,37 @@
+apiVersion: nirmata.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-task-definition-nonroot-user
+  annotations:
+    policies.kyverno.io/title: Validate ECS Task Definition Nonroot User for EC2 Instances
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy checks if ECSTaskDefinitions specify a user for 
+      Amazon Elastic Container Service (Amazon ECS) EC2 launch type 
+      containers to run on. The rule fails if the `user` parameter is not present or is `root`.
+      Running containers as non-root users can help prevent running commands with root privileges 
+      which adds an extra layer of security by limiting the potential damage a compromised container can do. 
+      It also follows the security principle of least privilege, which dictates that applications and processes 
+      should operate with minimum privileges necessary to perform their functions.
+  labels:
+    app: kyverno
+spec:
+  failureAction: Audit
+  scan: true
+  rules:
+    - name: validate-ecs-task-definition-nonroot-user
+      identifier: payload.family
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): ECS
+        - (metadata.resource): TaskDefinition
+      assert:
+        all:
+        - message: >- 
+            For ECS EC2 containers, `user` parameter should not be unset or be root
+          check:
+            payload:
+              ~.(containerDefinitions):
+                  (user == null || user == 'root' || user == '0' || starts_with(user, '0:') || ends_with(user, ':0')): false

cloud-controller/aws/ecs/validate-ecs-task-definition-pid-mode-check.yaml

@@ -0,0 +1,34 @@
+apiVersion: nirmata.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-task-definition-pid-mode-check
+  annotations:
+    policies.kyverno.io/title: Validate ECS Task Definition PID Mode Check
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy ensures that Amazon ECS Task Definitions do not share the host's process namespace with its containers. 
+      If the host's process namespace is shared with containers, it would allow containers to see all of the processes on the host system. 
+      This reduces the benefit of process level isolation between the host and the containers. 
+      These circumstances could lead to unauthorized access to processes on the host itself, including 
+      the ability to manipulate and terminate them. Customers shouldn't share the host's process namespace with containers running on it.
+  labels:
+    app: kyverno
+spec:
+  failureAction: Audit
+  scan: true
+  rules:
+    - name: validate-ecs-task-definition-pid-mode-check
+      identifier: payload.family
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): ECS
+        - (metadata.resource): TaskDefinition
+      assert:
+        all:
+        - message: >- 
+            ECS task definitions containers should not share the host's process namespace
+          check:
+            payload:
+              (pidMode != 'host'): true

cloud-controller/aws/ecs/validate-ecs-task-definition-user-for-host-mode-check.yaml

@@ -0,0 +1,34 @@
+apiVersion: nirmata.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-task-definition-user-for-host-mode-check
+  annotations:
+    policies.kyverno.io/title: Validate ECS Task Definition User for Host Mode
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy ensures that ECS task definitions avoid using the root user for the host network mode when privileged is set to false or is not specified. 
+      In scenarios where tasks employ the `host` network mode, it's crucial to avoid running containers with the root user (UID 0) for enhanced security. 
+      As a recommended security practice, it is recommended to opt for a non-root user.
+  labels:
+    app: kyverno
+spec:
+  failureAction: Audit
+  scan: true
+  rules:
+    - name: validate-ecs-task-definition-user-for-host-mode-check
+      identifier: payload.family
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): ECS
+        - (metadata.resource): TaskDefinition
+      assert:
+        all:
+        - message: >- 
+            User should be set to a non-root user when NetworkMode is set to host and privileged is set to false or not specified
+          check:
+            payload:
+              ~.(containerDefinitions[?!privileged]):
+                  (user == null || user == 'root' || user == '0' || starts_with(user, '0:') || ends_with(user, ':0')): false
+              

cloud-controller/aws/ecs/validate-ecs-task-public-ip.yaml

@@ -0,0 +1,34 @@
+apiVersion: nirmata.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-task-public-ip
+  annotations:
+    policies.kyverno.io/title: Validate ECS Task Public IP
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      ECS tasks with public IP address enabled, are easily reachable from the internet. 
+      This policy validates whether public IP address is enabled on the ECS task
+  labels:
+    app: kyverno
+spec:
+  failureAction: Audit
+  scan: true
+  rules:
+    - name: validate-ecs-task-public-ip
+      identifier: payload.family
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): ECS
+        - (metadata.resource): Service
+      assert:
+        all:
+        - message: >- 
+            Public IP address should not be enabled
+          check:
+            payload:
+              networkConfiguration:
+                    awsvpcConfiguration:
+                        assignPublicIp: DISABLED
+              

cloud-controller/aws/ecs/validate-efs-volume-encryption.yaml

@@ -0,0 +1,33 @@
+apiVersion: nirmata.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-efs-volume-encryption
+  annotations:
+    policies.kyverno.io/title: Validate EFS Volume Encryption
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+     Amazon EFS file systems can be used with Amazon ECS to export file system data across your fleet of container instances. 
+     To ensure encryption is enabled in transit, this policy validates whether `transitEncryption` is set to ENABLED in the task definition.
+  labels:
+    app: kyverno
+spec:
+  failureAction: Audit
+  scan: true
+  rules:
+    - name: validate-efs-volume-encryption
+      identifier: payload.family
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): ECS
+        - (metadata.resource): TaskDefinition
+      assert:
+        all:
+        - message: >- 
+            Transit Encryption should be set to ENABLED for EFS volumes in ECS Task Definitions
+          check:
+            payload:
+              ~.(volumes[?eFSVolumeConfiguration || efsVolumeConfiguration]):
+                    (eFSVolumeConfiguration || efsVolumeConfiguration):
+                        transitEncryption: ENABLED