Merge pull request #29 from portefaix/add/kyverno-policies

Kyverno policies

.github/workflows/kyverno.yml

@@ -0,0 +1,47 @@
+# Copyright (C) 2021 Nicolas Lamirault <nicolas.lamirault@gmail.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Kyverno / Tests
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - "kyverno/**"
+  pull_request:
+    branches:
+      - master
+    paths:
+      - "kyverno/**"
+
+jobs:
+  kyverno:
+    runs-on: ubuntu-latest
+    name: Run kyverno
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v2
+
+    - name: Validate policies
+      uses: gbaeke/kyverno-cli@v1
+      with:
+        command: |
+          kyverno validate ./kyverno
+
+    - name: Test policies
+      uses: gbaeke/kyverno-cli@v1
+      with:
+        command: |
+          kyverno test ./kyverno

.pre-commit-config.yaml

@@ -28,21 +28,12 @@ repos:
 -   repo: https://github.com/Lucas-C/pre-commit-hooks
     rev: v1.1.10
     hooks:
-    -   id: insert-license
-        files: \.yaml
-        args:
-        - --license-filepath
-        - hack/config/licence.txt
-    -   id: insert-license
-        files: \.yml
-        args:
-        - --license-filepath
-        - hack/config/licence.txt
-    -   id: insert-license
-        files: \.tf
-        args:
-        - --license-filepath
-        - hack/config/licence.txt
+    # Cf: https://github.com/kyverno/kyverno/issues/1845
+    # -   id: insert-license
+    #     files: \.yaml
+    #     args:
+    #     - --license-filepath
+    #     - hack/config/licence.txt
     -   id: insert-license
         files: \.rego
         args:
@@ -60,3 +51,12 @@ repos:
 #     args: ['--policy', 'opa']
   - id: conftest-verify
     args: ['--data', 'opa/lib', '--policy', 'opa']
+- repo: https://github.com/kyverno/pre-commit-hook
+  rev: v1.0.0
+  hooks:
+  - id: kyverno-validate
+    name: Kyverno validate
+    args: [./kyverno]
+    verbose: true
+  # - id: kyverno-test
+  #   args: ["kyverno-policies"]

Makefile

@@ -105,7 +105,7 @@ opa-deps: ## Update dependencies
 
 PHONY: opa-doc
 opa-doc: ## Generate documentation
-	@konstraint doc ./opa
+	@konstraint doc -o opa-policies.md ./opa
 
 PHONY: opa-test
 opa-test: ## Test policies
@@ -114,3 +114,18 @@ opa-test: ## Test policies
 PHONY: opa-fmt
 opa-fmt: ## Format OPA files
 	@opa fmt opa -w
+
+
+# ====================================
+# K Y V E R N O
+# ====================================
+
+##@ Kyverno
+
+.PHONY: kyverno-validate
+kyverno-validate: ## Validate policies
+	@kyverno validate ./kyverno/
+
+.PHONY: kyverno-test
+kyverno-test: ## Test policies
+	@kyverno test ./kyverno/

README.md

@@ -1,18 +1,18 @@
 # Portefaix Policies
 
-[Open Policy Agent](https://www.openpolicyagent.org/) policies for Portefaix project
-
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 [![](https://gitpolicies.com/portefaix-policies/charts/workflows/Release%20Charts/badge.svg?branch=master)](https://gitpolicies.com/portefaix-policies/charts/actions)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/portefaix-policies)](https://artifacthub.io/packages/search?repo=portefaix-policies)
 
-## Usage
-
+Policies for Portefaix project using :
 
+* [Open Policy Agent](https://www.openpolicyagent.org/)
+* [Kyverno](https://kyverno.io/)
 
 ## Documentation
 
-[Policies](https://github.com/nlamirault/portefaix-policies/blob/master/policies.md)
+* [OPA policies](https://github.com/nlamirault/portefaix-policies/blob/master/opa-policies.md)
+* [Kyverno policies](https://github.com/nlamirault/portefaix-policies/blob/master/kyverno-policies.md)
 
 ## Contributing
 

kyverno-policies.md

@@ -0,0 +1,133 @@
+# Policies
+
+## medium
+* [PORTEFAIX-C0001 - Container must not use latest image tag](#portefaix-c0001)
+* [PORTEFAIX-C0002 - Container must set liveness probe](#portefaix-c0002)
+* [PORTEFAIX-C0003 - Container must set readiness probe](#portefaix-c0003)
+* [PORTEFAIX-C0004 - Container must mount secrets as volumes, not enviroment variables](#portefaix-c0004)
+* [PORTEFAIX-C0005 - Container must drop all capabilities](#portefaix-c0005)
+* [PORTEFAIX-C0006 - Container must not allow for privilege escalation](#portefaix-c0006)
+* [PORTEFAIX-C0008 - Container resource constraints must be specified](#portefaix-c0008)
+
+## low
+* [PORTEFAIX-M0001 - Metadata must set recommanded Kubernetes labels](#portefaix-m0001)
+* [PORTEFAIX-M0002 - Metadata should have a8r.io annotations](#portefaix-m0002)
+* [PORTEFAIX-M0003 - Metadata should have portefaix.xyz annotations](#portefaix-m0003)
+
+## high
+* [PORTEFAIX-P0002 - Pod must run without access to the host IPC](#portefaix-p0002)
+* [PORTEFAIX-P0003 - Pod must run without access to the host networking](#portefaix-p0003)
+* [PORTEFAIX-P0004 - Pod must run as non-root](#portefaix-p0004)
+* [PORTEFAIX-P0005 - Pod must run without access to the host PID](#portefaix-p0005)
+
+## PORTEFAIX-P0002 - Pod must run without access to the host IPC
+
+**Category:** Best Practices
+
+**Severity:** high
+
+**Description:** Pods that are allowed to access the host IPC can read memory of the other containers, breaking that security boundary.
+
+## PORTEFAIX-P0003 - Pod must run without access to the host networking
+
+**Category:** Best Practices
+
+**Severity:** high
+
+**Description:** Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter
+
+## PORTEFAIX-P0004 - Pod must run as non-root
+
+**Category:** Best Practices
+
+**Severity:** high
+
+**Description:** Force the running image to run as a non-root user to ensure least privilege
+
+## PORTEFAIX-P0005 - Pod must run without access to the host PID
+
+**Category:** Best Practices
+
+**Severity:** high
+
+**Description:** Sharing the host’s PID namespace allows visibility of processes on the host, potentially leaking information such as environment variables and configuration
+
+## PORTEFAIX-C0001 - Container must not use latest image tag
+
+**Category:** Best Practices
+
+**Severity:** medium
+
+**Description:** The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod.
+
+## PORTEFAIX-C0002 - Container must set liveness probe
+
+**Category:** Best Practices
+
+**Severity:** medium
+
+**Description:** Liveness probe need to be configured to correctly manage a pods lifecycle during deployments, restarts, and upgrades. For each pod, a periodic `livenessProbe` is performed by the kubelet to determine if the pod's containers are running or need to be restarted
+
+## PORTEFAIX-C0003 - Container must set readiness probe
+
+**Category:** Best Practices
+
+**Severity:** medium
+
+**Description:** Readiness probe need to be configured to correctly manage a pods lifecycle during deployments, restarts, and upgrades. For each pod, a `readinessProbe` is used by services and deployments to determine if the pod is ready to receive network traffic.
+
+## PORTEFAIX-C0004 - Container must mount secrets as volumes, not enviroment variables
+
+**Category:** BestPractices
+
+**Severity:** medium
+
+**Description:** Disallow using secrets from environment variables which are visible in resource definitions.
+
+## PORTEFAIX-C0005 - Container must drop all capabilities
+
+**Category:** BestPractices
+
+**Severity:** medium
+
+**Description:** Capabilities permit privileged actions without giving full root access. All capabilities should be dropped from a pod, with only those required added back.
+
+## PORTEFAIX-C0006 - Container must not allow for privilege escalation
+
+**Category:** BestPractices
+
+**Severity:** medium
+
+**Description:** Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
+
+## PORTEFAIX-C0008 - Container resource constraints must be specified
+
+**Category:** BestPractices
+
+**Severity:** medium
+
+**Description:** It is important to limit resources requested and consumed by each pod.
+
+## PORTEFAIX-M0001 - Metadata must set recommanded Kubernetes labels
+
+**Category:** Best Practices
+
+**Severity:** low
+
+**Description:** Metadata must set recommanded Kubernetes labels See: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels
+
+## PORTEFAIX-M0002 - Metadata should have a8r.io annotations
+
+**Category:** Best Practices
+
+**Severity:** low
+
+**Description:** Metadata should have all the expected a8r.io annotations See: https://ambassadorlabs.github.io/k8s-for-humans/
+
+## PORTEFAIX-M0003 - Metadata should have portefaix.xyz annotations
+
+**Category:** Best Practices
+
+**Severity:** low
+
+**Description:** Metadata should have Portefaix annotations

kyverno/C0001-container-image-tag/policy-C0001.yaml

@@ -0,0 +1,51 @@
+# Copyright (C) 2021 Nicolas Lamirault <nicolas.lamirault@gmail.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: portefaix-C0001
+  annotations:
+    policies.kyverno.io/title: Container must not use latest image tag
+    policies.kyverno.io/category: Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      The ':latest' tag is mutable and can lead to unexpected errors if the
+      image changes. A best practice is to use an immutable tag that maps to
+      a specific version of an application pod.
+spec:
+  validationFailureAction: audit
+  rules:
+  - name: require-image-tag
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "An image tag is required."
+      pattern:
+        spec:
+          containers:
+          - image: "*:*"
+  - name: validate-image-tag
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Using a mutable image tag e.g. 'latest' is not allowed."
+      pattern:
+        spec:
+          containers:
+          - image: "!*:latest"

kyverno/C0001-container-image-tag/resource.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myapp-pod-ok
+  labels:
+    app: myapp
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.12
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myapp-pod-ko-1
+  labels:
+    app: myapp
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myapp-pod-ko-2
+  labels:
+    app: myapp
+spec:
+  containers:
+  - name: nginx
+    image: nginx:latest

kyverno/C0001-container-image-tag/test.yaml

@@ -0,0 +1,28 @@
+# Copyright (C) 2021 Nicolas Lamirault <nicolas.lamirault@gmail.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: test-portefaix-C0001
+policies:
+  -  policy-C0001.yaml
+resources:
+  -  resource.yaml
+results:
+  - policy: portefaix-C0001
+    rule: require-image-tag
+    resource: myapp-pod-ko-1
+    status: fail
+  - policy: portefaix-C0001
+    rule: validate-image-tag
+    resource: myapp-pod-ko-2
+    status: fail