Merge pull request #47 from kubescape/feature/runtime-policies

Adding runtime policies

Author: slashben

runtime-policies/attach/policy.yaml

@@ -0,0 +1,26 @@
+apiVersion: admissionregistration.x-k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: cluster-policy-deny-attach
+spec:
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   [""]
+      apiVersions: ["v1"]
+      operations:  ["CONNECT"]
+      resources:   ["pods/attach"]
+  failurePolicy: Fail
+  validations:
+  - expression: "false"
+    message: "attach is not allowed"
+    reason: "Medium"
+---
+apiVersion: admissionregistration.x-k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: cluster-policy-deny-attach-binding
+spec:
+  policyName: cluster-policy-deny-attach
+  validationActions:
+  - Deny
+  - Audit

runtime-policies/exec/policy.yaml

@@ -0,0 +1,25 @@
+apiVersion: admissionregistration.x-k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: cluster-policy-deny-exec
+spec:
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   [""]
+      apiVersions: ["v1"]
+      operations:  ["CONNECT"]
+      resources:   ["pods/exec"]
+  failurePolicy: Fail
+  validations:
+  - expression: "false"
+    message: "exec is not allowed"
+    reason: "High"
+---
+apiVersion: admissionregistration.x-k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: cluster-policy-deny-exec-binding
+spec:
+  policyName: cluster-policy-deny-exec
+  validationActions:
+  - Audit

runtime-policies/hostmount/policy.yaml

@@ -0,0 +1,40 @@
+apiVersion: admissionregistration.x-k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: cluster-policy-deny-hostMount
+spec:
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   [""]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["pods"]
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments","replicasets","daemonsets","statefulsets"]
+    - apiGroups:   ["batch"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["jobs","cronjobs"]
+  failurePolicy: Fail
+  validations:
+    - expression: "object.kind != 'Pod' || object.spec.volumes.all(vol, !(has(vol.hostPath)))"
+      message: "There are one or more hostPath mounts in the Pod! (see more at https://hub.armosec.io/docs/c-0048)"
+      reason: "Medium"
+    - expression: "['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.volumes.all(vol, !(has(vol.hostPath)))"
+      message: "There are one or more hostPath mounts in the Workload! (see more at https://hub.armosec.io/docs/c-0048)"
+      reason: "Medium"
+    - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.volumes.all(vol, !(has(vol.hostPath)))"
+      message: "There are one or more hostPath mounts in the CronJob! (see more at https://hub.armosec.io/docs/c-0048)"
+      reason: "Medium"
+---
+apiVersion: admissionregistration.x-k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: cluster-policy-deny-hostMount-binding
+spec:
+  policyName: cluster-policy-deny-hostMount
+  validationActions:
+  - Deny
+  - Audit

runtime-policies/insecure-capabilities/policy.yaml

@@ -0,0 +1,80 @@
+apiVersion: kubescape.io/v1
+kind: PolicyConfiguration
+metadata:
+  name: basic-policy-configuration
+settings:
+  insecureCapabilities:
+  - SETPCAP
+  - NET_ADMIN
+  - NET_RAW
+  - SYS_MODULE
+  - SYS_RAWIO
+  - SYS_PTRACE
+  - SYS_ADMIN
+  - SYS_BOOT
+  - MAC_OVERRIDE
+  - MAC_ADMIN
+  - PERFMON
+  - ALL
+  - BPF
+---
+apiVersion: admissionregistration.x-k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: cluster-policy-deny-insecure-capabilities
+spec:
+  failurePolicy: Fail
+  paramKind:
+    apiVersion: kubescape.io/v1
+    kind: PolicyConfiguration
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   [""]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["pods"]
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments","replicasets","daemonsets","statefulsets"]
+    - apiGroups:   ["batch"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["jobs","cronjobs"]
+  validations:
+    - expression: >
+        object.kind != 'Pod' ||
+        object.spec.containers.all(container, params.settings.insecureCapabilities.all(insecureCapability,
+        !has(container.securityContext) || !has(container.securityContext.capabilities) || !has(container.securityContext.capabilities.add) ||
+        container.securityContext.capabilities.add.all(capability, capability != insecureCapability)
+        ))
+      message: "Pod has one or more containers with insecure capabilities! (see more at https://hub.armosec.io/docs/c-0046)"
+      reason: "High"
+    - expression: >
+        ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) ||
+        object.spec.template.spec.containers.all(container, params.settings.insecureCapabilities.all(insecureCapability,
+        !has(container.securityContext) || !has(container.securityContext.capabilities) || !has(container.securityContext.capabilities.add) ||
+        container.securityContext.capabilities.add.all(capability, capability != insecureCapability)
+        ))
+      message: "Workload has one or more containers with insecure capabilities! (see more at https://hub.armosec.io/docs/c-0046)"
+      reason: "High"
+    - expression: >
+        object.kind != 'CronJob' ||
+        object.spec.jobTemplate.spec.containers.all(container, params.settings.insecureCapabilities.all(insecureCapability,
+        !has(container.securityContext) || !has(container.securityContext.capabilities) || !has(container.securityContext.capabilities.add) ||
+        container.securityContext.capabilities.add.all(capability, capability != insecureCapability)
+        ))
+      message: "CronJob has one or more containers with insecure capabilities! (see more at https://hub.armosec.io/docs/c-0046)"
+      reason: "High"
+---
+apiVersion: admissionregistration.x-k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: cluster-policy-deny-insecure-capabilities-binding
+spec:
+  policyName: cluster-policy-deny-insecure-capabilities
+  paramRef:
+    name: basic-policy-configuration
+  validationActions:
+  - Deny
+  - Audit

runtime-policies/portforward/policy.yaml

@@ -0,0 +1,26 @@
+apiVersion: admissionregistration.x-k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: cluster-policy-deny-portforward
+spec:
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   [""]
+      apiVersions: ["v1"]
+      operations:  ["UPDATE", "PATCH", "CONNECT"]
+      resources:   ["pods/portforward"]
+  failurePolicy: Fail
+  validations:
+  - expression: "false"
+    message: "portforward is not allowed"
+    reason: "High"
+---
+apiVersion: admissionregistration.x-k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: cluster-policy-deny-portforward-binding
+spec:
+  policyName: cluster-policy-deny-portforward
+  validationActions:
+  - Deny
+  - Audit

runtime-policies/privileged/policy.yaml

@@ -0,0 +1,58 @@
+apiVersion: admissionregistration.x-k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: cluster-policy-deny-priviliged-flag
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   [""]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["pods"]
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments","replicasets","daemonsets","statefulsets"]
+    - apiGroups:   ["batch"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["jobs","cronjobs"]
+  validations:
+    - expression: >
+        object.kind != 'Pod' || object.spec.containers.all(container,
+        !(has(container.securityContext)) ||
+        (
+          (!(has(container.securityContext.privileged)) || container.securityContext.privileged != true) &&
+          (!(has(container.securityContext.capabilities)) || !(has(container.securityContext.capabilities.add)) ||
+          container.securityContext.capabilities.add.all(cap, cap != 'SYS_ADM')))
+        )
+      message: "Pod has one or more privileged container.(see more at https://hub.armosec.io/docs/c-0057)"
+    - expression: >
+        ['Deployment','ReplicaSet','DaemonSet','StatefulSet', 'Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container,
+        !(has(container.securityContext)) ||
+        (
+          (!(has(container.securityContext.priviliged)) || container.securityContext.privileged != true) &&
+          (!(has(container.securityContext.capabilities)) || !(has(container.securityContext.capabilities.add)) ||
+          container.securityContext.capabilities.add.all(cap, cap != 'SYS_ADM')))
+        )
+      message: "Workloads has one or more privileged container.(see more at https://hub.armosec.io/docs/c-0057)"
+    - expression: >
+        object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(container,
+        !(has(container.securityContext)) ||
+        (
+          (!(has(container.securityContext.priviliged)) || container.securityContext.privileged != true) &&
+          (!(has(container.securityContext.capabilities)) || !(has(container.securityContext.capabilities.add)) ||
+          container.securityContext.capabilities.add.all(cap, cap != 'SYS_ADM')))
+        )
+      message: "CronJob has one or more privileged container.(see more at https://hub.armosec.io/docs/c-0057)"
+---
+apiVersion: admissionregistration.x-k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: cluster-policy-deny-privileged-flag-binding
+spec:
+  policyName: cluster-policy-deny-priviliged-flag
+  validationActions:
+  - Deny
+  - Audit