From f9f4b1f6893f2525b4f8acd391f66b2a7cb56b0e Mon Sep 17 00:00:00 2001
From: Shubham Chaudhary
Date: Fri, 8 Oct 2021 13:04:00 +0530
Subject: [PATCH] fix(kyverno): fixing the kyverno pod security policies (#285)

* update the rules for RunAsRoot/Any

* cosmetic updates

Signed-off-by: shubham chaudhary
---
 charts/openebs/Chart.yaml | 4 ++--
 .../templates/kyverno/allow-capabilities.yaml | 2 +-
 .../templates/kyverno/allow-host-ports.yaml | 8 ++++----
 .../kyverno/allow-privilege-escalation.yaml | 4 ++--
 .../kyverno/allow-privileged-containers.yaml | 4 ++--
 .../templates/kyverno/allow-proc-mount.yaml | 7 +++----
 .../templates/kyverno/require-user-groups.yaml | 17 +++++++----------
 7 files changed, 21 insertions(+), 25 deletions(-)

diff --git a/charts/openebs/Chart.yaml b/charts/openebs/Chart.yaml
index cbe62a3d..a99d9c62 100644
--- a/charts/openebs/Chart.yaml
+++ b/charts/openebs/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
-version: 3.0.0
+version: 3.0.1
 name: openebs
-appVersion: 3.0.0
+appVersion: 3.0.1
 description: Containerized Attached Storage for Kubernetes
 icon: https://raw.githubusercontent.com/cncf/artwork/HEAD/projects/openebs/icon/color/openebs-icon-color.png
 home: http://www.openebs.io/
diff --git a/charts/openebs/templates/kyverno/allow-capabilities.yaml b/charts/openebs/templates/kyverno/allow-capabilities.yaml
index 75be5d9d..5f112548 100644
--- a/charts/openebs/templates/kyverno/allow-capabilities.yaml
+++ b/charts/openebs/templates/kyverno/allow-capabilities.yaml
@@ -8,7 +8,7 @@ metadata:
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: Pod
 policies.kyverno.io/description: >-
- Provides a list of capabilities that are allowed to be added to a container.
+ Provides a list of capabilities that are allowed to be added to a container.
 spec:
 validationFailureAction: enforce
 background: true
diff --git a/charts/openebs/templates/kyverno/allow-host-ports.yaml b/charts/openebs/templates/kyverno/allow-host-ports.yaml
index 1274c62b..477b5942 100644
--- a/charts/openebs/templates/kyverno/allow-host-ports.yaml
+++ b/charts/openebs/templates/kyverno/allow-host-ports.yaml
@@ -22,10 +22,10 @@ spec:
 validate:
 message: >-
 Use of host ports is allowed. The fields spec.containers[*].ports[*].hostPort
- and spec.initContainers[*].ports[*].hostPort must be empty.
+ should contain value in range [1,65535).
 pattern:
 spec:
- =(hostPort):
- =(min): ">0"
- =(max): "<65535"
+ containers:
+ - =(ports):
+ - =(hostPort): ">0 & <65535"
 {{- end }}
\ No newline at end of file
diff --git a/charts/openebs/templates/kyverno/allow-privilege-escalation.yaml b/charts/openebs/templates/kyverno/allow-privilege-escalation.yaml
index e695af26..323ad651 100644
--- a/charts/openebs/templates/kyverno/allow-privilege-escalation.yaml
+++ b/charts/openebs/templates/kyverno/allow-privilege-escalation.yaml
@@ -20,8 +20,8 @@ spec:
 - Pod
 validate:
 message: >-
- Privilege escalation is allowed. The fields spec.containers[*].securityContext.allowPrivilegeEscalation,
- and spec.initContainers[*].securityContext.allowPrivilegeEscalation must be defined or set to `true`.
+ Privilege escalation is allowed. The fields spec.containers[*].securityContext.allowPrivilegeEscalation
+ must be defined or set to `true`.
 pattern:
 spec:
 containers:
diff --git a/charts/openebs/templates/kyverno/allow-privileged-containers.yaml b/charts/openebs/templates/kyverno/allow-privileged-containers.yaml
index 6e789833..699c9ab7 100644
--- a/charts/openebs/templates/kyverno/allow-privileged-containers.yaml
+++ b/charts/openebs/templates/kyverno/allow-privileged-containers.yaml
@@ -20,8 +20,8 @@ spec:
 - Pod
 validate:
 message: >-
- Privileged mode is allowed. The fields spec.containers[*].securityContext.privileged
- and spec.initContainers[*].securityContext.privileged must not set to be false.
+ Privileged mode is allowed. The fields spec.containers[*].securityContext.privileged
+ must be defined or set to true.
 pattern:
 spec:
 containers:
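Review bot: The rewritten pattern in allow-host-ports.yaml constrains only `spec.containers[*].ports[*].hostPort`; init containers, which the removed message text still named, are no longer validated, so a hostPort declared under `spec.initContainers` passes this rule untouched. A parallel block under `spec:` closes that gap: `initContainers:` / `- =(ports):` / `- =(hostPort): ">0 & <65535"`. Separately, `<65535` rejects port 65535, which is a valid port number; if that exclusion is not deliberate, use `">0 & <=65535"` and state the range as [1,65535] in the message. The message-only hunks in allow-privilege-escalation.yaml, allow-privileged-containers.yaml and allow-proc-mount.yaml drop the initContainers wording in the same way; their patterns begin at the hunk edge (`containers:` is the last visible line), so confirm they either cover initContainers or that the narrowing is intended and documented in each policy's description annotation.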
diff --git a/charts/openebs/templates/kyverno/allow-proc-mount.yaml b/charts/openebs/templates/kyverno/allow-proc-mount.yaml
index ec12c7d0..76a2a001 100644
--- a/charts/openebs/templates/kyverno/allow-proc-mount.yaml
+++ b/charts/openebs/templates/kyverno/allow-proc-mount.yaml
@@ -8,7 +8,7 @@ metadata:
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: Pod
 policies.kyverno.io/description: >-
- The default /proc masks are set up to reduce attack surface and should be required.
+ The default /proc masks are set up to reduce attack surface and should be required.
 spec:
 validationFailureAction: enforce
 background: true
@@ -21,9 +21,8 @@ spec:
 validate:
 message: >-
 Changing the proc mount from the default is not allowed. The fields
- spec.containers[*].securityContext.procMount and
- spec.initContainers[*].securityContext.procMount must not be changed
- from `Default`.
+ spec.containers[*].securityContext.procMount should be defined or set
+ to Default
 pattern:
 spec:
 containers:
diff --git a/charts/openebs/templates/kyverno/require-user-groups.yaml b/charts/openebs/templates/kyverno/require-user-groups.yaml
index 0fda14ea..4683f289 100644
--- a/charts/openebs/templates/kyverno/require-user-groups.yaml
+++ b/charts/openebs/templates/kyverno/require-user-groups.yaml
@@ -13,10 +13,9 @@ spec:
 validationFailureAction: enforce
 background: true
 rules:
- - name: user-groups
+ - name: check-runasuser
 match:
 resources:
- name: check-runasuser
 kinds:
 - Pod
 validate:
@@ -25,14 +24,13 @@ spec:
 pattern:
 spec:
 =(securityContext):
- =(runAsUser): 'RunAsAny'
+ =(runAsUser): ">=0"
 containers:
 - =(securityContext):
- =(runAsUser): 'RunAsAny'
-
+ =(runAsUser): ">=0"
+ - name: check-supplementalGroups
 match:
 resources:
- name: check-supplementalGroups
 kinds:
 - Pod
 validate:
@@ -42,11 +40,10 @@ spec:
 spec:
 =(securityContext):
 =(supplementalGroups):
- - 'RunAsAny'
-
+ - ">=0"
+ - name: check-fsGroup
 match:
 resources:
- name: check-fsGroup
 kinds:
 - Pod
 validate:
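Review bot: In require-user-groups.yaml the replacement patterns `=(runAsUser): ">=0"`, `=(supplementalGroups): - ">=0"` and `=(fsGroup): ">=0"` (the last one in the final hunk on the next line) accept UID/GID 0, so root is permitted by a policy named require-user-groups that runs with `validationFailureAction: enforce`. The commit title frames this as RunAsAny behaviour, and the old `'RunAsAny'` literal would have demanded that exact string as the field value, so the change is a real fix; but the rules now reject only negative IDs, which the Kubernetes API server most likely refuses on its own, so the policy adds little enforcement of its own. State that intent where the rule is read, e.g. a comment above each pattern: `# RunAsAny semantics: any non-negative ID, including root (0), is accepted; use ">0" to require non-root`, and mirror it in the policy's description annotation (outside the hunk). The `=(securityContext)` conditional anchors also appear to skip pods that omit securityContext entirely; confirm that is consistent with the intended RunAsAny semantics.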
@@ -55,5 +52,5 @@ spec:
 pattern:
 spec:
 =(securityContext):
- =(fsGroup): 'RunAsAny'
+ =(fsGroup): ">=0"
 {{- end }}
\ No newline at end of file