feature/global-policy-set : upgrade version for test

nirmata · Jun 4, 2024 · 7bfa665 · 7bfa665
1 parent 1782288
commit 7bfa665
Show file tree

Hide file tree

Showing 2 changed files with 120 additions and 0 deletions.
diff --git a/charts/test-krish-globalps/pols/disallow-proc-mount.yaml b/charts/test-krish-globalps/pols/disallow-proc-mount.yaml
@@ -0,0 +1,41 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-proc-mount
+  annotations:
+    policies.kyverno.io/title: Disallow procMount
+    policies.kyverno.io/category: Pod Security Standards (Baseline)
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-proc-mount/"
+    policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/baseline/disallow-proc-mount/remediate-disallow-proc-mount-containers.yaml"
+    policies.kyverno.io/description: >-
+      The default /proc masks are set up to reduce attack surface and should be required. This policy
+      ensures nothing but the default procMount can be specified. Note that in order for users
+      to deviate from the `Default` procMount requires setting a feature gate at the API
+      server.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+    - name: check-proc-mount
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        message: >-
+          Changing the proc mount from the default is not allowed.
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - =(securityContext):
+                  =(procMount): "Default"
+            =(initContainers):
+              - =(securityContext):
+                  =(procMount): "Default"
+            containers:
+              - =(securityContext):
+                  =(procMount): "Default"
diff --git a/charts/test-krish-globalps/pols/disallow-selinux.yaml b/charts/test-krish-globalps/pols/disallow-selinux.yaml
@@ -0,0 +1,79 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-selinux
+  annotations:
+    policies.kyverno.io/title: Disallow SELinux
+    policies.kyverno.io/category: Pod Security Standards (Baseline)
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-selinux/"
+    policies.kyverno.io/description: >-
+      SELinux options can be used to escalate privileges and should not be allowed. This policy
+      ensures that the `seLinuxOptions` field is undefined.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+    - name: selinux-type
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        message: >-
+          Setting the SELinux type is restricted.
+        pattern:
+          spec:
+            =(securityContext):
+              =(seLinuxOptions):
+                =(type): "container_t | container_init_t | container_kvm_t"
+            =(ephemeralContainers):
+              - =(securityContext):
+                  =(seLinuxOptions):
+                    =(type): "container_t | container_init_t | container_kvm_t"
+            =(initContainers):
+              - =(securityContext):
+                  =(seLinuxOptions):
+                    =(type): "container_t | container_init_t | container_kvm_t"
+            containers:
+              - =(securityContext):
+                  =(seLinuxOptions):
+                    =(type): "container_t | container_init_t | container_kvm_t"
+    - name: selinux-user-role
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        message: >-
+          Setting the SELinux user or role is forbidden. The fields
+          spec.securityContext.seLinuxOptions.user, spec.securityContext.seLinuxOptions.role,
+          spec.containers[*].securityContext.seLinuxOptions.user, spec.containers[*].securityContext.seLinuxOptions.role,
+          spec.initContainers[*].securityContext.seLinuxOptions.user, spec.initContainers[*].securityContext.seLinuxOptions.role,
+          spec.ephemeralContainers[*].securityContext.seLinuxOptions.user, and spec.ephemeralContainers[*].securityContext.seLinuxOptions.role
+          must be unset.
+        pattern:
+          spec:
+            =(securityContext):
+              =(seLinuxOptions):
+                X(user): "null"
+                X(role): "null"
+            =(ephemeralContainers):
+              - =(securityContext):
+                  =(seLinuxOptions):
+                    X(user): "null"
+                    X(role): "null"
+            =(initContainers):
+              - =(securityContext):
+                  =(seLinuxOptions):
+                    X(user): "null"
+                    X(role): "null"
+            containers:
+              - =(securityContext):
+                  =(seLinuxOptions):
+                    X(user): "null"
+                    X(role): "null"