From 9a0f78702ce6730b90e8be6ffc3bfa9ce994ec81 Mon Sep 17 00:00:00 2001
From: nataliagranato
Date: Tue, 27 Aug 2024 19:35:21 -0300
Subject: [PATCH] feat: Add Kyverno policies for image verification, disallowing secrets from env vars, and requiring pod probes
---
 kyverno/check-deprecated-apis.yaml | 101 ++++++++++++++++++++
 kyverno/disallow-secrets-from-env-vars.yaml | 44 +++++++++
 kyverno/require-probes.yaml | 44 +++++++++
 kyverno/verify-image.yaml | 33 +++++++
 4 files changed, 222 insertions(+)
 create mode 100644 kyverno/check-deprecated-apis.yaml
 create mode 100644 kyverno/disallow-secrets-from-env-vars.yaml
 create mode 100644 kyverno/require-probes.yaml
 create mode 100644 kyverno/verify-image.yaml
diff --git a/kyverno/check-deprecated-apis.yaml b/kyverno/check-deprecated-apis.yaml
new file mode 100644
index 0000000..e84bc74
--- /dev/null
+++ b/kyverno/check-deprecated-apis.yaml
@@ -0,0 +1,101 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-deprecated-apis
+ annotations:
+ policies.kyverno.io/title: Check deprecated APIs
+ policies.kyverno.io/category: Best Practices
+ policies.kyverno.io/subject: Kubernetes APIs
+ kyverno.io/kyverno-version: 1.7.4
+ policies.kyverno.io/minversion: 1.7.4
+ kyverno.io/kubernetes-version: "1.23"
+ policies.kyverno.io/description: "Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. In the validate-v1-22-removals rule, the Lease kind has been commented out due to a check for this kind having a performance penalty on Kubernetes clusters with many leases. Its enabling should be attended carefully and is not recommended on large clusters. PodSecurityPolicy is removed in v1.25 so therefore the validate-v1-25-removals rule may not completely work on 1.25+. This policy requires Kyverno v1.7.4+ to function properly. "
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: validate-v1-25-removals
+ match:
+ any:
+ - resources:
+ # NOTE: PodSecurityPolicy is completely removed in 1.25.
+ kinds:
+ - batch/*/CronJob
+ - discovery.k8s.io/*/EndpointSlice
+ - events.k8s.io/*/Event
+ - policy/*/PodDisruptionBudget
+ - node.k8s.io/*/RuntimeClass
+ preconditions:
+ all:
+ - key: "{{ request.operation || 'BACKGROUND' }}"
+ operator: NotEquals
+ value: DELETE
+ - key: "{{request.object.apiVersion}}"
+ operator: AnyIn
+ value:
+ - batch/v1beta1
+ - discovery.k8s.io/v1beta1
+ - events.k8s.io/v1beta1
+ - policy/v1beta1
+ - node.k8s.io/v1beta1
+ validate:
+ message: "{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.25. See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/ "
+ deny: {}
+ - name: validate-v1-26-removals
+ match:
+ any:
+ - resources:
+ kinds:
+ - flowcontrol.apiserver.k8s.io/*/FlowSchema
+ - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
+ - autoscaling/*/HorizontalPodAutoscaler
+ preconditions:
+ all:
+ - key: "{{ request.operation || 'BACKGROUND' }}"
+ operator: NotEquals
+ value: DELETE
+ - key: "{{request.object.apiVersion}}"
+ operator: AnyIn
+ value:
+ - flowcontrol.apiserver.k8s.io/v1beta1
+ - autoscaling/v2beta2
+ validate:
+ message: "{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.26. See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/ "
+ deny: {}
+ - name: validate-v1-27-removals
+ match:
+ any:
+ - resources:
+ kinds:
+ - storage.k8s.io/*/CSIStorageCapacity
+ preconditions:
+ all:
+ - key: "{{ request.operation || 'BACKGROUND' }}"
+ operator: NotEquals
+ value: DELETE
+ - key: "{{request.object.apiVersion}}"
+ operator: AnyIn
+ value:
+ - storage.k8s.io/v1beta1
+ validate:
+ message: "{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.27. See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/ "
+ deny: {}
+ - name: validate-v1-29-removals
+ match:
+ any:
+ - resources:
+ kinds:
+ - flowcontrol.apiserver.k8s.io/*/FlowSchema
+ - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
+ preconditions:
+ all:
+ - key: "{{ request.operation || 'BACKGROUND' }}"
+ operator: NotEquals
+ value: DELETE
+ - key: "{{request.object.apiVersion}}"
+ operator: AnyIn
+ value:
+ - flowcontrol.apiserver.k8s.io/v1beta2
+ validate:
+ message: "{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.29. See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/ "
+ deny: {}
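Review bot: The `policies.kyverno.io/description` annotation says that "in the validate-v1-22-removals rule, the Lease kind has been commented out", but this policy only defines `validate-v1-25-removals`, `validate-v1-26-removals`, `validate-v1-27-removals` and `validate-v1-29-removals`, so that sentence describes a rule that is not in the file and should be dropped (the PodSecurityPolicy sentence still matches the `# NOTE` comment in the v1.25 rule). The same annotation is one very long double-quoted scalar ending in a space before the closing quote; writing it as `policies.kyverno.io/description: >-` with the sentences wrapped underneath keeps the value identical at runtime and makes future edits diffable. The description annotations in disallow-secrets-from-env-vars.yaml, require-probes.yaml and verify-image.yaml in this same commit have the same single-line shape and would benefit from the same treatment.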
diff --git a/kyverno/disallow-secrets-from-env-vars.yaml b/kyverno/disallow-secrets-from-env-vars.yaml
new file mode 100644
index 0000000..cc64bd9
--- /dev/null
+++ b/kyverno/disallow-secrets-from-env-vars.yaml
@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: secrets-not-from-env-vars
+ annotations:
+ policies.kyverno.io/title: Disallow Secrets from Env Vars
+ policies.kyverno.io/category: Sample, EKS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod, Secret
+ kyverno.io/kyverno-version: 1.6.0
+ policies.kyverno.io/description: "Secrets used as environment variables containing sensitive information may, if not carefully controlled, be printed in log output which could be visible to unauthorized people and captured in forwarding applications. This policy disallows using Secrets as environment variables. "
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: secrets-not-from-env-vars
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Secrets must be mounted as volumes, not as environment variables."
+ pattern:
+ spec:
+ containers:
+ - name: "*"
+ =(env):
+ - =(valueFrom):
+ X(secretKeyRef): "null"
+ - name: secrets-not-from-envfrom
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Secrets must not come from envFrom statements."
+ pattern:
+ spec:
+ containers:
+ - name: "*"
+ =(envFrom):
+ - X(secretRef): "null"
diff --git a/kyverno/require-probes.yaml b/kyverno/require-probes.yaml
new file mode 100644
index 0000000..8f23f6e
--- /dev/null
+++ b/kyverno/require-probes.yaml
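Review bot: Both rules pattern-match only `spec.containers`, so a Secret pulled in through `valueFrom.secretKeyRef` or `envFrom.secretRef` on an entry in `spec.initContainers` (or `spec.ephemeralContainers`) passes the policy, even though the description's concern about secrets ending up in log output applies to those containers just as much. Adding an `=(initContainers)` and `=(ephemeralContainers)` block with the same anchored pattern to each rule closes that gap; the fence shows the first rule, and the `secrets-not-from-envfrom` rule needs the equivalent blocks with `=(envFrom)` / `X(secretRef)`. Separately, `validationFailureAction: audit` is lowercase here while the other three policies in this commit use `Audit` / `Enforce`; Kyverno accepts either spelling as far as I know, but one form across the set is easier to grep and to flip to `Enforce` later.

```yaml
      pattern:
        spec:
          containers:
            - name: "*"
              =(env):
                - =(valueFrom):
                    X(secretKeyRef): "null"
          =(initContainers):
            - name: "*"
              =(env):
                - =(valueFrom):
                    X(secretKeyRef): "null"
          =(ephemeralContainers):
            - name: "*"
              =(env):
                - =(valueFrom):
                    X(secretKeyRef): "null"
# … unchanged: secrets-not-from-envfrom rule (same initContainers / ephemeralContainers blocks, with =(envFrom) and X(secretRef)) …
```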
@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-pod-probes
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,StatefulSet
+ policies.kyverno.io/title: Require Pod Probes
+ policies.kyverno.io/category: Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: "Liveness and readiness probes need to be configured to correctly manage a Pod's lifecycle during deployments, restarts, and upgrades. For each Pod, a periodic `livenessProbe` is performed by the kubelet to determine if the Pod's containers are running or need to be restarted. A `readinessProbe` is used by Services and Deployments to determine if the Pod is ready to receive network traffic. This policy validates that all containers have one of livenessProbe, readinessProbe, or startupProbe defined. "
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: validate-probes
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{request.operation || 'BACKGROUND'}}"
+ operator: AnyIn
+ value:
+ - CREATE
+ - UPDATE
+ validate:
+ message: "Liveness, readiness, or startup probes are required for all containers."
+ foreach:
+ - list: request.object.spec.containers[]
+ deny:
+ conditions:
+ all:
+ - key: livenessProbe
+ operator: AllNotIn
+ value: "{{ element.keys(@)[] }}"
+ - key: startupProbe
+ operator: AllNotIn
+ value: "{{ element.keys(@)[] }}"
+ - key: readinessProbe
+ operator: AllNotIn
+ value: "{{ element.keys(@)[] }}"
diff --git a/kyverno/verify-image.yaml b/kyverno/verify-image.yaml
new file mode 100644
index 0000000..64a8112
--- /dev/null
+++ b/kyverno/verify-image.yaml
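Review bot: The precondition restricts the rule to `CREATE` and `UPDATE`, yet its key expression defaults `request.operation` to `'BACKGROUND'`, a value the `AnyIn` list does not contain; if background scans are evaluated with that default (the expression is written as though they are), the rule is skipped in background mode and the `background: true` on this policy never yields PolicyReport entries for Pods that already exist. Worth confirming against the Kyverno version in use, and if background results are wanted, either drop the precondition or add `- BACKGROUND` to the `value` list. Also, `pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,StatefulSet` means, as I read the annotation, that no rule is auto-generated for Job or CronJob; a comment such as `# batch workloads are deliberately excluded from autogen: they do not serve traffic` would record whether that is intentional.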
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: verify-image
+ annotations:
+ policies.kyverno.io/title: Verify Image
+ policies.kyverno.io/category: Software Supply Chain Security, Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/minversion: 1.7.0
+ policies.kyverno.io/description: "Using the Cosign project, OCI images may be signed to ensure supply chain security is maintained. Those signatures can be verified before pulling into a cluster. This policy checks the signature of an image repo called ghcr.io/kyverno/test-verify-image to ensure it has been signed by verifying its signature against the provided public key. This policy serves as an illustration for how to configure a similar rule and will require replacing with your image(s) and keys. "
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: verify-image
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "nataliagranato/linuxtips-giropops-senhas*"
+ mutateDigest: true
+ attestors:
+ - entries:
+ - keys:
+ publicKeys: |
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3crhfAq/gDNCOf+q7CnWuL2eDd1n
+ 3JL1NzqXLPBlyDcvB+OzY/c0FxK7hfRxq1/P8NpxzcoJRhnOKhye0QXRWg==
+ -----END PUBLIC KEY-----
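Review bot: The `imageReferences` entry `"nataliagranato/linuxtips-giropops-senhas*"` carries no registry, while Kyverno, as far as I recall, matches verifyImages patterns against the normalized, registry-qualified reference (a Docker Hub image becomes `docker.io/...`); if that holds for the version deployed here, the pattern never matches, the rule verifies nothing, and `Enforce` gives a false sense of a signature gate. Change the entry to `- "docker.io/nataliagranato/linuxtips-giropops-senhas*"` (or list both forms) and confirm with an unsigned tag that admission is actually refused before relying on it. The `policies.kyverno.io/description` annotation still talks about `ghcr.io/kyverno/test-verify-image`, which is the upstream sample image rather than the repository this rule checks; rewrite it to name the real image and the owner of the signing key so operators know which key the cluster trusts. The trailing `*` also matches any repository whose name merely starts with `linuxtips-giropops-senhas`, which is fine only as long as every such repository is signed with this same key.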