Merge pull request #11 from suhasgumma/C-0013

ValidatingAdmissionPolicy for C-0013

Author: slashben

controls/C-0013/policy.yaml

@@ -0,0 +1,194 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "kubescape-c-0013-deny-resources-with-capability-to-run-as-root"
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   [""]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["pods"]
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments","replicasets","daemonsets","statefulsets"]
+    - apiGroups:   ["batch"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["jobs","cronjobs"]
+  validations:
+    - expression: > 
+        object.kind != 'Pod' || object.spec.containers.all(container,
+          (
+            (
+              has(container.securityContext) && 
+              has(container.securityContext.allowPrivilegeEscalation) && 
+              container.securityContext.allowPrivilegeEscalation == false
+            ) ||
+            (
+              (
+                !has(container.securityContext) || !has(container.securityContext.allowPrivilegeEscalation)
+              ) &&
+              (
+                has(object.spec.securityContext) && 
+                has(object.spec.securityContext.allowPrivilegeEscalation) && 
+                object.spec.securityContext.allowPrivilegeEscalation == false
+              )
+            )
+          ) &&
+          (
+            (
+              (
+                has(container.securityContext) && 
+                has(container.securityContext.runAsNonRoot) && 
+                container.securityContext.runAsNonRoot == true
+              ) ||
+              (
+                (
+                  !has(container.securityContext) || !has(container.securityContext.runAsNonRoot)
+                ) &&
+                (
+                  has(object.spec.securityContext) && 
+                  has(object.spec.securityContext.runAsNonRoot) && 
+                  object.spec.securityContext.runAsNonRoot == true
+                )
+              )  
+            ) ||
+            (
+              (
+                has(container.securityContext) && 
+                has(container.securityContext.runAsUser) && 
+                container.securityContext.runAsUser != 0
+              ) ||
+              (
+                (
+                  !has(container.securityContext) || !has(container.securityContext.runAsUser)
+                ) &&
+                (
+                  has(object.spec.securityContext) && 
+                  has(object.spec.securityContext.runAsUser) && 
+                  object.spec.securityContext.runAsUser != 0
+                )
+              )  
+            )
+          )
+        )
+      message: "Pods contains container/s which have the capability to run as root! (see more at https://hub.armosec.io/docs/c-0013)"
+
+    - expression: >
+        ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container,
+          (
+            (
+              has(container.securityContext) && 
+              has(container.securityContext.allowPrivilegeEscalation) && 
+              container.securityContext.allowPrivilegeEscalation == false
+            ) ||
+            (
+              (
+                !has(container.securityContext) || !has(container.securityContext.allowPrivilegeEscalation)
+              ) &&
+              (
+                has(object.spec.template.spec.securityContext) && 
+                has(object.spec.template.spec.securityContext.allowPrivilegeEscalation) && 
+                object.spec.template.spec.securityContext.allowPrivilegeEscalation == false
+              )
+            )
+          ) &&
+          (
+            (
+              (
+                has(container.securityContext) && 
+                has(container.securityContext.runAsNonRoot) && 
+                container.securityContext.runAsNonRoot == true
+              ) ||
+              (
+                (
+                  !has(container.securityContext) || !has(container.securityContext.runAsNonRoot)
+                ) &&
+                (
+                  has(object.spec.template.spec.securityContext) && 
+                  has(object.spec.template.spec.securityContext.runAsNonRoot) && 
+                  object.spec.template.spec.securityContext.runAsNonRoot == true
+                )
+              )  
+            ) ||
+            (
+              (
+                has(container.securityContext) && 
+                has(container.securityContext.runAsUser) && 
+                container.securityContext.runAsUser != 0
+              ) ||
+              (
+                (
+                  !has(container.securityContext) || !has(container.securityContext.runAsUser)
+                ) &&
+                (
+                  has(object.spec.template.spec.securityContext) && 
+                  has(object.spec.template.spec.securityContext.runAsUser) && 
+                  object.spec.template.spec.securityContext.runAsUser != 0
+                )
+              )  
+            )
+          )
+        )
+      message: "Workloads contains container/s which have the capability to run as root! (see more at https://hub.armosec.io/docs/c-0013)"
+
+    - expression: >
+        object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container,
+          (
+            (
+              has(container.securityContext) && 
+              has(container.securityContext.allowPrivilegeEscalation) && 
+              container.securityContext.allowPrivilegeEscalation == false
+            ) ||
+            (
+              (
+                !has(container.securityContext) || !has(container.securityContext.allowPrivilegeEscalation)
+              ) &&
+              (
+                has(object.spec.jobTemplate.spec.securityContext) && 
+                has(object.spec.jobTemplate.spec.securityContext.allowPrivilegeEscalation) && 
+                object.spec.jobTemplate.spec.securityContext.allowPrivilegeEscalation == false
+              )
+            )
+          ) &&
+          (
+            (
+              (
+                has(container.securityContext) && 
+                has(container.securityContext.runAsNonRoot) && 
+                container.securityContext.runAsNonRoot == true
+              ) ||
+              (
+                (
+                  !has(container.securityContext) || !has(container.securityContext.runAsNonRoot)
+                ) &&
+                (
+                  has(object.spec.jobTemplate.spec.securityContext) && 
+                  has(object.spec.jobTemplate.spec.securityContext.runAsNonRoot) && 
+                  object.spec.jobTemplate.spec.securityContext.runAsNonRoot == true
+                )
+              )  
+            ) ||
+            (
+              (
+                has(container.securityContext) && 
+                has(container.securityContext.runAsUser) && 
+                container.securityContext.runAsUser != 0
+              ) ||
+              (
+                (
+                  !has(container.securityContext) || !has(container.securityContext.runAsUser)
+                ) &&
+                (
+                  has(object.spec.jobTemplate.spec.securityContext) && 
+                  has(object.spec.jobTemplate.spec.securityContext.runAsUser) && 
+                  object.spec.jobTemplate.spec.securityContext.runAsUser != 0
+                )
+              )  
+            )
+          )
+        )
+      message: "CronJob contains container/s which have the capability to run as root! (see more at https://hub.armosec.io/docs/c-0013)"

controls/C-0013/tests.json

@@ -0,0 +1,184 @@
+[
+    {
+        "name": "Pod with PodSecurityContext not set and allowPreviligeEscalation not set in atleast one ContainerSecurityContext is blocked",
+        "template": "pod.yaml",
+        "expected": "fail",
+        "field_change_list": [
+        ]
+    },
+    {
+        "name": "Pod with PodSecurityContext not set and ContainerSecurityContext runAsUser is non-zero and allowPreviligeEscalation set to false is allowed",
+        "template": "pod.yaml",
+        "expected": "pass",
+        "field_change_list": [
+            "spec.containers.[0].securityContext.runAsUser=100",
+            "spec.containers.[0].securityContext.allowPrivilegeEscalation=false"
+        ]
+    },
+    {
+        "name": "Pod with PodSecurityContext not set and ContainerSecurityContext runAsNonRoot set to true and allowPreviligeEscalation set to false is allowed",
+        "template": "pod.yaml",
+        "expected": "pass",
+        "field_change_list": [
+            "spec.containers.[0].securityContext.runAsNonRoot=true",
+            "spec.containers.[0].securityContext.allowPrivilegeEscalation=false"
+        ]
+    },
+    {
+        "name": "Pod with PodSecurityContext not set and ContainerSecurityContext runAsUser is non-zero, runAsNonRoot set to true and allowPreviligeEscalation set to false is allowed",
+        "template": "pod.yaml",
+        "expected": "pass",
+        "field_change_list": [
+            "spec.containers.[0].securityContext.runAsNonRoot=true",
+            "spec.containers.[0].securityContext.runAsUser=100",
+            "spec.containers.[0].securityContext.allowPrivilegeEscalation=false"
+        ]
+    },
+    {
+        "name": "Pod with PodSecurityContext not set and ContainerSecurityContext runAsUser is non-zero and allowPreviligeEscalation set to true is denied",
+        "template": "pod.yaml",
+        "expected": "fail",
+        "field_change_list": [
+            "spec.containers.[0].securityContext.runAsUser=100",
+            "spec.containers.[0].securityContext.allowPrivilegeEscalation=true"
+        ]
+    },
+    {
+        "name": "Pod with PodSecurityContext not set and ContainerSecurityContext runAsNonRoot set to true and allowPreviligeEscalation set to true is denied",
+        "template": "pod.yaml",
+        "expected": "fail",
+        "field_change_list": [
+            "spec.containers.[0].securityContext.runAsNonRoot=true",
+            "spec.containers.[0].securityContext.allowPrivilegeEscalation=true"
+        ]
+    },
+    {
+        "name": "Pod with PodSecurityContext not set and ContainerSecurityContext runAsUser is non-zero, runAsNonRoot set to true and allowPreviligeEscalation set to true is denied",
+        "template": "pod.yaml",
+        "expected": "fail",
+        "field_change_list": [
+            "spec.containers.[0].securityContext.runAsNonRoot=true",
+            "spec.containers.[0].securityContext.runAsUser=100",
+            "spec.containers.[0].securityContext.allowPrivilegeEscalation=true"
+        ]
+    },
+    {
+        "name": "Pod with runAsNonRoot set true in PodSecurityContext and runAsNonRoot not set in ContainerSecurityContext and allowPreviligeEscalation set to false is allowed",
+        "template": "pod.yaml",
+        "expected": "pass",
+        "field_change_list": [
+            "spec.securityContext.runAsNonRoot=true",
+            "spec.containers.[0].securityContext.allowPrivilegeEscalation=false"
+        ]
+    },
+    {
+        "name": "Pod with runAsUser set to non-zero value in PodSecurityContext and runAsUser not set in ContainerSecurityContext and allowPreviligeEscalation set to false is allowed",
+        "template": "pod.yaml",
+        "expected": "pass",
+        "field_change_list": [
+            "spec.securityContext.runAsNonRoot=true",
+            "spec.containers.[0].securityContext.allowPrivilegeEscalation=false"
+        ]
+    },
+    {
+        "name": "Pod with runAsNonRoot set true in PodSecurityContext and runAsNonRoot set to false and runAsUser not set in ContainerSecurityContext and allowPreviligeEscalation set to false is denied",
+        "template": "pod.yaml",
+        "expected": "fail",
+        "field_change_list": [
+            "spec.securityContext.runAsNonRoot=true",
+            "spec.containers.[0].securityContext.runAsNonRoot=false",
+            "spec.containers.[0].securityContext.allowPrivilegeEscalation=false"
+        ]
+    },
+    {
+        "name": "Deployment with PodSecurityContext not set and allowPreviligeEscalation not set in atleast one ContainerSecurityContext is blocked",
+        "template": "deployment.yaml",
+        "expected": "fail",
+        "field_change_list": [
+        ]
+    },
+    {
+        "name": "Deployment with PodSecurityContext not set and ContainerSecurityContext runAsUser is non-zero and allowPreviligeEscalation set to false is allowed",
+        "template": "deployment.yaml",
+        "expected": "pass",
+        "field_change_list": [
+            "spec.template.spec.containers.[0].securityContext.runAsUser=100",
+            "spec.template.spec.containers.[0].securityContext.allowPrivilegeEscalation=false"
+        ]
+    },
+    {
+        "name": "Deployment with PodSecurityContext not set and ContainerSecurityContext runAsNonRoot set to true and allowPreviligeEscalation set to false is allowed",
+        "template": "deployment.yaml",
+        "expected": "pass",
+        "field_change_list": [
+            "spec.template.spec.containers.[0].securityContext.runAsNonRoot=true",
+            "spec.template.spec.containers.[0].securityContext.allowPrivilegeEscalation=false"
+        ]
+    },
+    {
+        "name": "Deployment with PodSecurityContext not set and ContainerSecurityContext runAsUser is non-zero, runAsNonRoot set to true and allowPreviligeEscalation set to false is allowed",
+        "template": "deployment.yaml",
+        "expected": "pass",
+        "field_change_list": [
+            "spec.template.spec.containers.[0].securityContext.runAsNonRoot=true",
+            "spec.template.spec.containers.[0].securityContext.runAsUser=100",
+            "spec.template.spec.containers.[0].securityContext.allowPrivilegeEscalation=false"
+        ]
+    },
+    {
+        "name": "Deployment with PodSecurityContext not set and ContainerSecurityContext runAsUser is non-zero and allowPreviligeEscalation set to true is denied",
+        "template": "deployment.yaml",
+        "expected": "fail",
+        "field_change_list": [
+            "spec.template.spec.containers.[0].securityContext.runAsUser=100",
+            "spec.template.spec.containers.[0].securityContext.allowPrivilegeEscalation=true"
+        ]
+    },
+    {
+        "name": "Deployment with PodSecurityContext not set and ContainerSecurityContext runAsNonRoot set to true and allowPreviligeEscalation set to true is denied",
+        "template": "deployment.yaml",
+        "expected": "fail",
+        "field_change_list": [
+            "spec.template.spec.containers.[0].securityContext.runAsNonRoot=true",
+            "spec.template.spec.containers.[0].securityContext.allowPrivilegeEscalation=true"
+        ]
+    },
+    {
+        "name": "Deployment with PodSecurityContext not set and ContainerSecurityContext runAsUser is non-zero, runAsNonRoot set to true and allowPreviligeEscalation set to true is denied",
+        "template": "deployment.yaml",
+        "expected": "fail",
+        "field_change_list": [
+            "spec.template.spec.containers.[0].securityContext.runAsNonRoot=true",
+            "spec.template.spec.containers.[0].securityContext.runAsUser=100",
+            "spec.template.spec.containers.[0].securityContext.allowPrivilegeEscalation=true"
+        ]
+    },
+    {
+        "name": "Deployment with runAsNonRoot set true in PodSecurityContext and runAsNonRoot not set in ContainerSecurityContext and allowPreviligeEscalation set to false is allowed",
+        "template": "deployment.yaml",
+        "expected": "pass",
+        "field_change_list": [
+            "spec.template.spec.securityContext.runAsNonRoot=true",
+            "spec.template.spec.containers.[0].securityContext.allowPrivilegeEscalation=false"
+        ]
+    },
+    {
+        "name": "Deployment with runAsUser set to non-zero value in PodSecurityContext and runAsUser not set in ContainerSecurityContext and allowPreviligeEscalation set to false is allowed",
+        "template": "deployment.yaml",
+        "expected": "pass",
+        "field_change_list": [
+            "spec.template.spec.securityContext.runAsNonRoot=true",
+            "spec.template.spec.containers.[0].securityContext.allowPrivilegeEscalation=false"
+        ]
+    },
+    {
+        "name": "Deployment with runAsNonRoot set true in PodSecurityContext and runAsNonRoot set to false and runAsUser not set in ContainerSecurityContext and allowPreviligeEscalation set to false is denied",
+        "template": "deployment.yaml",
+        "expected": "fail",
+        "field_change_list": [
+            "spec.template.spec.securityContext.runAsNonRoot=true",
+            "spec.template.spec.containers.[0].securityContext.runAsNonRoot=false",
+            "spec.template.spec.containers.[0].securityContext.allowPrivilegeEscalation=false"
+        ]
+    }
+]