Merge pull request #46 from portefaix/feat/refactoring

Refactoring Kyverno policies
portefaix · Apr 28, 2022 · 27b10b0 · 27b10b0
2 parents f91706e + b65f6e4
commit 27b10b0
Show file tree

Hide file tree

Showing 28 changed files with 234 additions and 637 deletions.
diff --git a/hack/scripts/kyverno-doc.sh b/hack/scripts/kyverno-doc.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+# Copyright (C) 2021 Nicolas Lamirault <nicolas.lamirault@gmail.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -euo pipefail
+
+reset_color="\\e[0m"
+color_red="\\e[31m"
+color_green="\\e[32m"
+color_blue="\\e[36m";
+
+function echo_fail { echo -e "${color_red}✖ $*${reset_color}"; }
+function echo_success { echo -e "${color_green}✔ $*${reset_color}"; }
+function echo_info { echo -e "${color_blue}$*${reset_color}"; }
+
+POLICIES_DIR="kyverno"
+DOC="kyverno-policies.md"
+
+STARTFLAG="<!-- BEGIN_POLICIES_DOC -->"
+ENDFLAG="<!-- END_POLICIES_DOC -->"
+
+IFS="
+"
+
+function usage() {
+    echo "usage: $0"
+}
+
+function policy_doc() {
+    local policy=$1
+    local tmpfile=$2
+
+    # echo ${policy}
+    for file in $(ls "${POLICIES_DIR}/${policy}"); do
+        if [[ "${file}" =~ "policy" ]]; then
+            name=$(yq '.metadata.name' < "${POLICIES_DIR}/${policy}/${file}")
+            title=$(yq '.metadata.annotations["policies.kyverno.io/title"]' < "${POLICIES_DIR}/${policy}/${file}")
+            severity=$(yq '.metadata.annotations["policies.kyverno.io/severity"]' < "${POLICIES_DIR}/${policy}/${file}")
+            echo "| [${name} - ${title}](${POLICIES_DIR}/${policy}) | \`${severity}\` |" >> ${tmpfile}
+        fi
+    done
+}
+
+echo_info "[kyverno-policies] Extract documentation"
+
+tmpfile=$(mktemp)
+START=false
+
+while read LINE; do
+    if [ "${START}" == "true" ]; then
+        for policy in $(ls "${POLICIES_DIR}" | sort ); do
+            policy_doc "${policy}" "${tmpfile}"
+        done
+        break
+    elif [ "${LINE}" == "${STARTFLAG}" ]; then
+            START="true"
+            echo "${STARTFLAG}" >> "${tmpfile}"
+            echo "| Policy | Severity |" >> ${tmpfile}
+            echo "|--------|:--------:|" >> ${tmpfile}
+            continue
+    else
+        echo "${LINE}" >> "${tmpfile}"
+    fi
+done < ${DOC}
+
+echo "${ENDFLAG}" >> "${tmpfile}"
+cat "${tmpfile}"
+mv "${tmpfile}" "${DOC}"
diff --git a/kyverno-policies.md b/kyverno-policies.md
@@ -1,136 +1,16 @@
 # Policies
 
-## medium
-
-* [PORTEFAIX-C0001 - Container must not use latest image tag](#portefaix-c0001)
-* [PORTEFAIX-C0002 - Container must set liveness probe](#portefaix-c0002)
-* [PORTEFAIX-C0003 - Container must set readiness probe](#portefaix-c0003)
-* [PORTEFAIX-C0004 - Container must mount secrets as volumes, not enviroment variables](#portefaix-c0004)
-* [PORTEFAIX-C0005 - Container must drop all capabilities](#portefaix-c0005)
-* [PORTEFAIX-C0006 - Container must not allow for privilege escalation](#portefaix-c0006)
-* [PORTEFAIX-C0008 - Container resource constraints must be specified](#portefaix-c0008)
-
-## low
-
-* [PORTEFAIX-M0001 - Metadata must set recommanded Kubernetes labels](#portefaix-m0001)
-* [PORTEFAIX-M0002 - Metadata should have a8r.io annotations](#portefaix-m0002)
-* [PORTEFAIX-M0003 - Metadata should have portefaix.xyz annotations](#portefaix-m0003)
-
-## high
-
-* [PORTEFAIX-P0002 - Pod must run without access to the host IPC](#portefaix-p0002)
-* [PORTEFAIX-P0003 - Pod must run without access to the host networking](#portefaix-p0003)
-* [PORTEFAIX-P0004 - Pod must run as non-root](#portefaix-p0004)
-* [PORTEFAIX-P0005 - Pod must run without access to the host PID](#portefaix-p0005)
-
-## PORTEFAIX-P0002 - Pod must run without access to the host IPC
-
-**Category:** Best Practices
-
-**Severity:** high
-
-**Description:** Pods that are allowed to access the host IPC can read memory of the other containers, breaking that security boundary.
-
-## PORTEFAIX-P0003 - Pod must run without access to the host networking
-
-**Category:** Best Practices
-
-**Severity:** high
-
-**Description:** Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter
-
-## PORTEFAIX-P0004 - Pod must run as non-root
-
-**Category:** Best Practices
-
-**Severity:** high
-
-**Description:** Force the running image to run as a non-root user to ensure least privilege
-
-## PORTEFAIX-P0005 - Pod must run without access to the host PID
-
-**Category:** Best Practices
-
-**Severity:** high
-
-**Description:** Sharing the host’s PID namespace allows visibility of processes on the host, potentially leaking information such as environment variables and configuration
-
-## PORTEFAIX-C0001 - Container must not use latest image tag
-
-**Category:** Best Practices
-
-**Severity:** medium
-
-**Description:** The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod.
-
-## PORTEFAIX-C0002 - Container must set liveness probe
-
-**Category:** Best Practices
-
-**Severity:** medium
-
-**Description:** Liveness probe need to be configured to correctly manage a pods lifecycle during deployments, restarts, and upgrades. For each pod, a periodic `livenessProbe` is performed by the kubelet to determine if the pod's containers are running or need to be restarted
-
-## PORTEFAIX-C0003 - Container must set readiness probe
-
-**Category:** Best Practices
-
-**Severity:** medium
-
-**Description:** Readiness probe need to be configured to correctly manage a pods lifecycle during deployments, restarts, and upgrades. For each pod, a `readinessProbe` is used by services and deployments to determine if the pod is ready to receive network traffic.
-
-## PORTEFAIX-C0004 - Container must mount secrets as volumes, not enviroment variables
-
-**Category:** BestPractices
-
-**Severity:** medium
-
-**Description:** Disallow using secrets from environment variables which are visible in resource definitions.
-
-## PORTEFAIX-C0005 - Container must drop all capabilities
-
-**Category:** BestPractices
-
-**Severity:** medium
-
-**Description:** Capabilities permit privileged actions without giving full root access. All capabilities should be dropped from a pod, with only those required added back.
-
-## PORTEFAIX-C0006 - Container must not allow for privilege escalation
-
-**Category:** BestPractices
-
-**Severity:** medium
-
-**Description:** Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
-
-## PORTEFAIX-C0008 - Container resource constraints must be specified
-
-**Category:** BestPractices
-
-**Severity:** medium
-
-**Description:** It is important to limit resources requested and consumed by each pod.
-
-## PORTEFAIX-M0001 - Metadata must set recommanded Kubernetes labels
-
-**Category:** Best Practices
-
-**Severity:** low
-
-**Description:** Metadata must set recommanded Kubernetes labels See: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels
-
-## PORTEFAIX-M0002 - Metadata should have a8r.io annotations
-
-**Category:** Best Practices
-
-**Severity:** low
-
-**Description:** Metadata should have all the expected a8r.io annotations See: https://ambassadorlabs.github.io/k8s-for-humans/
-
-## PORTEFAIX-M0003 - Metadata should have portefaix.xyz labels
-
-**Category:** Best Practices
-
-**Severity:** low
-
-**Description:** Metadata should have Portefaix labels
+<!-- BEGIN_POLICIES_DOC -->
+| Policy | Severity |
+|--------|:--------:|
+| [portefaix-C0001 - Container must not use latest image tag](kyverno/C0001-container-image-tag) | `medium` |
+| [portefaix-C0002 - Container must set liveness probe](kyverno/C0002-container-liveness-probe) | `medium` |
+| [portefaix-C0003 - Container must set readiness probe](kyverno/C0003-container-readiness-probe) | `medium` |
+| [portefaix-C0004 - Container must mount secrets as volumes, not enviroment variables](kyverno/C0004-container-secret-not-env) | `medium` |
+| [portefaix-C0006 - Container must not allow for privilege escalation](kyverno/C0006-container-escalation) | `medium` |
+| [portefaix-C0008 - Container resource constraints must be specified](kyverno/C0008-container-resources) | `medium` |
+| [portefaix-M0001 - Metadata must set recommanded Kubernetes labels](kyverno/M0001-metadata-labels) | `low` |
+| [portefaix-M0002 - Metadata should have a8r.io annotations](kyverno/M0002-metadata-annotations) | `low` |
+| [portefaix-M0003 - Metadata should have portefaix.xyz labels](kyverno/M0003-metadata-portefaix-labels) | `low` |
+| [portefaix-N0001 - Disallow Default Namespace](kyverno/N0001-namespace-default) | `medium` |
+<!-- END_POLICIES_DOC -->
diff --git a/kyverno/C0001-container-image-tag/test.yaml b/kyverno/C0001-container-image-tag/test.yaml
@@ -21,8 +21,10 @@ results:
   - policy: portefaix-C0001
     rule: require-image-tag
     resource: myapp-pod-ko-1
+    kind: Pod
     status: fail
   - policy: portefaix-C0001
     rule: validate-image-tag
     resource: myapp-pod-ko-2
+    kind: Pod
     status: fail
diff --git a/kyverno/C0002-container-liveness-probe/test.yaml b/kyverno/C0002-container-liveness-probe/test.yaml
@@ -21,8 +21,10 @@ results:
   - policy: portefaix-C0002
     rule: validate-liveness-probe
     resource: myapp-pod-ok
+    kind: Pod
     status: pass
   - policy: portefaix-C0002
     rule: validate-liveness-probe
     resource: myapp-pod-ko
+    kind: Pod
     status: fail
diff --git a/kyverno/C0003-container-readiness-probe/test.yaml b/kyverno/C0003-container-readiness-probe/test.yaml
@@ -21,12 +21,15 @@ results:
   - policy: portefaix-C0003
     rule: validate-readiness-probe
     resource: myapp-pod-ok
+    kind: Pod
     status: pass
   - policy: portefaix-C0003
     rule: validate-readiness-probe
     resource: myapp-pod-ko
+    kind: Pod
     status: fail
   - policy: portefaix-C0003
     rule: validate-readiness-probe
     resource: myapp-pod-ko-2
+    kind: Pod
     status: pass
diff --git a/kyverno/C0004-container-secret-not-env/test.yaml b/kyverno/C0004-container-secret-not-env/test.yaml
@@ -21,16 +21,20 @@ results:
   - policy: portefaix-C0004
     rule: secrets-not-from-env-vars
     resource: myapp-pod-ko-1
+    kind: Pod
     status: fail
   - policy: portefaix-C0004
     rule: secrets-not-from-envfrom
     resource: myapp-pod-ko-2
+    kind: Pod
     status: fail
   - policy: portefaix-C0004
     rule: secrets-not-from-env-vars
     resource: myapp-pod-ok
+    kind: Pod
     status: pass
   - policy: portefaix-C0004
     rule: secrets-not-from-envfrom
     resource: myapp-pod-ok
+    kind: Pod
     status: pass
diff --git a/kyverno/C0005-container-capabilities/resource.yaml b/kyverno/C0005-container-capabilities/resource.yaml
diff --git a/kyverno/C0005-container-capabilities/test.yaml b/kyverno/C0005-container-capabilities/test.yaml
diff --git a/kyverno/C0006-container-escalation/test.yaml b/kyverno/C0006-container-escalation/test.yaml
@@ -21,16 +21,20 @@ results:
   - policy: portefaix-C0006
     rule: deny-privilege-escalation
     resource: myapp-pod-ko-1
+    kind: Pod
     status: fail
   - policy: portefaix-C0006
     rule: deny-privilege-escalation
     resource: myapp-pod-ko-2
+    kind: Pod
     status: fail
   - policy: portefaix-C0006
     rule: deny-privilege-escalation
     resource: myapp-pod-ok-1
+    kind: Pod
     status: pass
   - policy: portefaix-C0006
     rule: deny-privilege-escalation
     resource: myapp-pod-ok-2
+    kind: Pod
     status: pass