Merge pull request #24 from suhasgumma/C-0046

ValidatingAdmissionPolicy for  C-0046

Author: slashben

controls/C-0046/policy.yaml

@@ -0,0 +1,45 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "kubescape-c-0046-deny-resources-with-insecure-capabilities"
+spec:
+  failurePolicy: Fail
+  paramKind:
+    apiVersion: kubescape.io/v1
+    kind: ControlConfiguration
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   [""]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["pods"]
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments","replicasets","daemonsets","statefulsets"]
+    - apiGroups:   ["batch"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["jobs","cronjobs"]
+  validations:
+    - expression: >
+        object.kind != 'Pod' || 
+        object.spec.containers.all(container, params.settings.insecureCapabilities.all(insecureCapability,
+        !has(container.securityContext) || !has(container.securityContext.capabilities) || !has(container.securityContext.capabilities.add) ||
+        container.securityContext.capabilities.add.all(capability, capability != insecureCapability)
+        ))
+      message: "Pod has one or more containers with insecure capabilities! (see more at https://hub.armosec.io/docs/c-0046)"
+    - expression: >
+        ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) ||
+        object.spec.template.spec.containers.all(container, params.settings.insecureCapabilities.all(insecureCapability,
+        !has(container.securityContext) || !has(container.securityContext.capabilities) || !has(container.securityContext.capabilities.add) ||
+        container.securityContext.capabilities.add.all(capability, capability != insecureCapability)
+        ))
+      message: "Workload has one or more containers with insecure capabilities! (see more at https://hub.armosec.io/docs/c-0046)"
+    - expression: >
+        object.kind != 'CronJob' || 
+        object.spec.jobTemplate.spec.containers.all(container, params.settings.insecureCapabilities.all(insecureCapability,
+        !has(container.securityContext) || !has(container.securityContext.capabilities) || !has(container.securityContext.capabilities.add) ||
+        container.securityContext.capabilities.add.all(capability, capability != insecureCapability)
+        ))
+      message: "CronJob has one or more containers with insecure capabilities! (see more at https://hub.armosec.io/docs/c-0046)"

controls/C-0046/tests.json

@@ -0,0 +1,37 @@
+[
+    {
+        "name": "Pod having container with capabilities not set is allowed",
+        "template": "pod.yaml",
+        "expected": "pass",
+        "field_change_list": [    
+        ]
+    },
+    {
+        "name": "Pod having container with NET_RAW capability is blocked",
+        "template": "pod-capabilities.yaml",
+        "expected": "fail",
+        "field_change_list": [    
+        ]
+    },
+    {
+        "name": "Pod having containers with capabilities set but not from insecure capabilities list is allowed",
+        "template": "pod-for-list-items.yaml",
+        "expected": "pass",
+        "field_change_list": [
+        ]
+    },
+    {
+        "name": "Deployment having container with capabilities not set is allowed",
+        "template": "deployment.yaml",
+        "expected": "pass",
+        "field_change_list": [    
+        ]
+    },
+    {
+        "name": "Deployment having container with NET_RAW capability is blocked",
+        "template": "deployment-for-list-items.yaml",
+        "expected": "fail",
+        "field_change_list": [    
+        ]
+    }
+]

test-resources/deployment-for-list-items.yaml

@@ -22,4 +22,5 @@ spec:
         securityContext:
           capabilities:
             add:
-            - SYS_ADM
+            - SYS_ADM
+            - NET_RAW

test-resources/pod-capabilities.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-pod
+  labels:
+    admission-policy-test: abc
+spec:
+  containers:
+  - name: sleep
+    image: alpine
+    command: ["sudo", sh"]
+    args: ["-c", "while true; do sleep 1; done"]
+    securityContext:
+      capabilities:
+        add:
+        - SYS_ADM
+        - NET_RAW