.kube-linter.yaml
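---
# kube-linter configuration.
# Checks are an explicit allow-list: built-in defaults are NOT auto-added
# (doNotAutoAddDefaults: true) and addAllBuiltIn is off, so only the checks
# named under `include` run, plus the custom check defined under `customChecks`
# (which is also listed in `include`). Consequence: default checks introduced by
# newer kube-linter releases are not picked up until they are added to `include`.
checks:
  # if doNotAutoAddDefaults is true, default checks are not automatically added.
  doNotAutoAddDefaults: true
  # addAllBuiltIn, if set, adds all built-in checks. This allows users to
  # explicitly opt-out of checks that are not relevant using Exclude.
  # Takes precedence over doNotAutoAddDefaults, if both are set.
  addAllBuiltIn: false
  include:
    # ===========================================================================
    # CONTAINER SECURITY - Privilege & Isolation
    # ===========================================================================
    # Prevents containers from running with excessive privileges that could
    # enable container escapes and node compromise
    - "privileged-container"  # No privileged mode (bypasses all security)
    - "privilege-escalation-container"  # Prevent allowPrivilegeEscalation=true
    - "run-as-non-root"  # Enforce runAsNonRoot (CWE-250)
    - "host-network"  # No host network namespace sharing
    - "host-pid"  # No host PID namespace sharing
    - "host-ipc"  # No host IPC namespace sharing
    - "docker-sock"  # No docker.sock mount (container escape)
    - "sensitive-host-mounts"  # No mounting /, /etc, /sys, /proc, etc.
    - "writable-host-mount"  # Host mounts must be readOnly
    - "no-read-only-root-fs"  # Enforce readOnlyRootFilesystem
    - "drop-net-raw-capability"  # Drop NET_RAW (packet crafting)
    - "unsafe-proc-mount"  # Prevent procMount=Unmasked
    - "unsafe-sysctls"  # Block dangerous sysctls
    # ===========================================================================
    # RBAC & ACCESS CONTROL - CIS Kubernetes Benchmark
    # ===========================================================================
    # Implements CIS Kubernetes Benchmark recommendations for RBAC security
    - "cluster-admin-role-binding"  # CIS 5.1.1: Restrict cluster-admin
    - "access-to-secrets"  # CIS 5.1.2: Limit secret access
    - "wildcard-in-rules"  # CIS 5.1.3: No wildcards in RBAC
    - "access-to-create-pods"  # CIS 5.1.4: Restrict pod creation
    - "no-system-group-binding"  # Custom: No system:* groups (defined under customChecks below)
    # ===========================================================================
    # SECRET MANAGEMENT
    # ===========================================================================
    # Prevents secret exposure through environment variables (visible in logs,
    # crashes, and process listings)
    - "env-var-secret"  # No secrets in env vars (use secretKeyRef)
    - "read-secret-from-env-var"  # CIS 5.4.1: Prefer mounted secrets
    # ===========================================================================
    # SERVICE ACCOUNT SECURITY
    # ===========================================================================
    - "default-service-account"  # Don't use default SA (create dedicated)
    - "non-existent-service-account"  # Validate SA exists
    # ===========================================================================
    # NETWORK SECURITY
    # ===========================================================================
    - "privileged-ports"  # No ports < 1024 (require root)
    - "ssh-port"  # Flag SSH exposure (port 22)
    - "exposed-services"  # No NodePort/LoadBalancer (use Ingress)
    - "non-isolated-pod"  # Require NetworkPolicy
    # ===========================================================================
    # RELIABILITY & AVAILABILITY
    # ===========================================================================
    - "no-liveness-probe"  # Require liveness probes
    - "no-readiness-probe"  # Require readiness probes
    - "unset-cpu-requirements"  # Require CPU requests/limits
    - "unset-memory-requirements"  # Require memory requests/limits
    # ===========================================================================
    # NAMESPACE ISOLATION - CIS Kubernetes Benchmark
    # ===========================================================================
    - "use-namespace"  # CIS 5.7.1, 5.7.4: Don't use default namespace
    # ===========================================================================
    # IMAGE SECURITY
    # ===========================================================================
    - "latest-tag"  # No 'latest' tag (use immutable tags)

# Custom checks referenced from `checks.include` above.
customChecks:
  - name: "no-system-group-binding"
    description: "Ensure ClusterRoleBindings do not target system groups"
    remediation: "Remove references to system groups (e.g., system:authenticated, system:unauthenticated) from ClusterRoleBinding subjects"
    template: "cel-expression"
    scope:
      # Only ClusterRoleBinding objects are inspected; namespaced RoleBindings
      # that bind system:* groups are outside this check's scope.
      objectKinds:
        - ClusterRoleBinding
    params:
      # `has()` guards the optional `subjects` field before it is cast with
      # dyn(). The ternary yields a diagnostic string when any subject is a
      # Group whose name starts with "system:", and an empty string otherwise
      # (`&&` binds tighter than `?:` in CEL, so the whole conjunction is the
      # condition).
      # NOTE(review): presumably the cel-expression template reports a violation
      # on any non-empty result — confirm against kube-linter's template docs.
      check: |
        has(object.subjects) && dyn(object.subjects).exists(s, s.kind == "Group" && s.name.startsWith("system:"))
        ? "ClusterRoleBinding references system group"
        : ""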