fix(kyverno): fixing the kyverno pod security policies (#285)

* update the rules for RunAsRoot/Any * cosmetic updates Signed-off-by: shubham chaudhary <[email protected]>
openebs · Oct 8, 2021 · f9f4b1f · f9f4b1f
1 parent 15ad1cc
commit f9f4b1f
Show file tree

Hide file tree

Showing 7 changed files with 21 additions and 25 deletions.
diff --git a/charts/openebs/Chart.yaml b/charts/openebs/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
-version: 3.0.0
+version: 3.0.1
 name: openebs
-appVersion: 3.0.0
+appVersion: 3.0.1
 description: Containerized Attached Storage for Kubernetes
 icon: https://raw.githubusercontent.com/cncf/artwork/HEAD/projects/openebs/icon/color/openebs-icon-color.png
 home: http://www.openebs.io/

diff --git a/charts/openebs/templates/kyverno/allow-capabilities.yaml b/charts/openebs/templates/kyverno/allow-capabilities.yaml
@@ -8,7 +8,7 @@ metadata:
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/description: >-
-          Provides a list of capabilities that are allowed to be added to a container.
+      Provides a list of capabilities that are allowed to be added to a container.
 spec:
   validationFailureAction: enforce
   background: true

diff --git a/charts/openebs/templates/kyverno/allow-host-ports.yaml b/charts/openebs/templates/kyverno/allow-host-ports.yaml
@@ -22,10 +22,10 @@ spec:
       validate:
         message: >-
           Use of host ports is allowed. The fields spec.containers[*].ports[*].hostPort
-          and spec.initContainers[*].ports[*].hostPort must be empty.          
+          should contain value in range [1,65535).          
         pattern:
           spec:
-            =(hostPort):
-              =(min): ">0"
-              =(max): "<65535"
+            containers:
+            - =(ports):
+              - =(hostPort): ">0 & <65535"
 {{- end }}
diff --git a/charts/openebs/templates/kyverno/allow-privilege-escalation.yaml b/charts/openebs/templates/kyverno/allow-privilege-escalation.yaml
@@ -20,8 +20,8 @@ spec:
             - Pod
       validate:
         message: >-
-          Privilege escalation is allowed. The fields spec.containers[*].securityContext.allowPrivilegeEscalation, 
-          and spec.initContainers[*].securityContext.allowPrivilegeEscalation must be defined or set to `true`.
+          Privilege escalation is allowed. The fields spec.containers[*].securityContext.allowPrivilegeEscalation 
+          must be defined or set to `true`.
         pattern:
           spec:
             containers:

diff --git a/charts/openebs/templates/kyverno/allow-privileged-containers.yaml b/charts/openebs/templates/kyverno/allow-privileged-containers.yaml
@@ -20,8 +20,8 @@ spec:
             - Pod
       validate:
         message: >-
-           Privileged mode is allowed. The fields spec.containers[*].securityContext.privileged
-           and spec.initContainers[*].securityContext.privileged must not set to be false.
+          Privileged mode is allowed. The fields spec.containers[*].securityContext.privileged
+          must be defined or set to true.
         pattern:
           spec:
             containers:

diff --git a/charts/openebs/templates/kyverno/allow-proc-mount.yaml b/charts/openebs/templates/kyverno/allow-proc-mount.yaml
@@ -8,7 +8,7 @@ metadata:
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/description: >-
-            The default /proc masks are set up to reduce attack surface and should be required.
+      The default /proc masks are set up to reduce attack surface and should be required.
 spec:
   validationFailureAction: enforce
   background: true
@@ -21,9 +21,8 @@ spec:
       validate:
         message: >-
           Changing the proc mount from the default is not allowed. The fields
-          spec.containers[*].securityContext.procMount and
-          spec.initContainers[*].securityContext.procMount must not be changed 
-          from `Default`.          
+          spec.containers[*].securityContext.procMount should be defined or set
+          to Default
         pattern:
           spec:
             containers:

diff --git a/charts/openebs/templates/kyverno/require-user-groups.yaml b/charts/openebs/templates/kyverno/require-user-groups.yaml
@@ -13,10 +13,9 @@ spec:
   validationFailureAction: enforce
   background: true
   rules:
-    - name: user-groups
+    - name: check-runasuser
       match:
         resources:
-          name: check-runasuser
           kinds:
             - Pod
       validate:
@@ -25,14 +24,13 @@ spec:
         pattern:
           spec:
             =(securityContext):
-                =(runAsUser): 'RunAsAny'
+              =(runAsUser): ">=0"
             containers:
               - =(securityContext):
-                  =(runAsUser): 'RunAsAny'
-
+                  =(runAsUser): ">=0"
+    - name: check-supplementalGroups
       match:
         resources:
-           name: check-supplementalGroups
            kinds:
             - Pod
       validate:
@@ -42,11 +40,10 @@ spec:
           spec:
              =(securityContext):
                =(supplementalGroups):
-               - 'RunAsAny'
-
+               - ">=0"
+    - name: check-fsGroup
       match:
         resources:
-           name: check-fsGroup
            kinds:
             - Pod
       validate:
@@ -55,5 +52,5 @@ spec:
         pattern:
            spec:
              =(securityContext):
-               =(fsGroup): 'RunAsAny'
+               =(fsGroup): ">=0"
 {{- end }}