Merge branch 'main' into fix/volumes

Signed-off-by: Ben Hirschberg <[email protected]>

Author: slashben

.github/workflows/release.yaml

@@ -8,7 +8,6 @@ on:
 
 jobs:
   release:
-    needs: test-all-policies
     runs-on: ubuntu-latest
     outputs:
       upload_url: ${{ steps.create_release.outputs.upload_url }}

ADOPTERS.md

@@ -0,0 +1,5 @@
+# Adopters
+
+The Kubescape project manages this document in the central project repository.
+
+Go to the [centralized ADOPTERS.md](https://github.com/kubescape/project-governance/blob/main/ADOPTERS.md)

CODE_OF_CONDUCT.md

@@ -0,0 +1,5 @@
+# Code of Conduct
+
+The Kubescape project manages this document in the central project repository.
+
+Go to the [centralized CODE_OF_CONDUCT.md](https://github.com/kubescape/project-governance/blob/main/CODE_OF_CONDUCT.md)

COMMUNITY.md

@@ -0,0 +1,5 @@
+# Community
+
+The Kubescape project manages this document in the central project repository.
+
+Go to the [centralized COMMUNITY.md](https://github.com/kubescape/project-governance/blob/main/COMMUNITY.md)

CONTRIBUTING.md

@@ -0,0 +1,5 @@
+# Contributing
+
+The Kubescape project manages this document in the central project repository.
+
+Go to the [centralized CONTRIBUTING.md](https://github.com/kubescape/project-governance/blob/main/CONTRIBUTING.md)

GOVERNANCE.md

@@ -0,0 +1,5 @@
+# Governance
+
+The Kubescape project manages this document in the central project repository.
+
+Go to the [centralized GOVERNANCE.md](https://github.com/kubescape/project-governance/blob/main/GOVERNANCE.md)

MAINTAINERS.md

@@ -0,0 +1,5 @@
+# Maintainers
+
+The Kubescape project manages this document in the central project repository.
+
+Go to the [centralized MAINTAINERS.md](https://github.com/kubescape/project-governance/blob/main/MAINTAINERS.md)

SECURITY.md

@@ -0,0 +1,5 @@
+# Security
+
+The Kubescape project manages this document in the central project repository.
+
+Go to the [centralized SECURITY.md](https://github.com/kubescape/project-governance/blob/main/SECURITY.md)

controls/C-0013/policy.yaml

@@ -0,0 +1,194 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "kubescape-c-0013-deny-resources-with-capability-to-run-as-root"
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   [""]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["pods"]
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments","replicasets","daemonsets","statefulsets"]
+    - apiGroups:   ["batch"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["jobs","cronjobs"]
+  validations:
+    - expression: > 
+        object.kind != 'Pod' || object.spec.containers.all(container,
+          (
+            (
+              has(container.securityContext) && 
+              has(container.securityContext.allowPrivilegeEscalation) && 
+              container.securityContext.allowPrivilegeEscalation == false
+            ) ||
+            (
+              (
+                !has(container.securityContext) || !has(container.securityContext.allowPrivilegeEscalation)
+              ) &&
+              (
+                has(object.spec.securityContext) && 
+                has(object.spec.securityContext.allowPrivilegeEscalation) && 
+                object.spec.securityContext.allowPrivilegeEscalation == false
+              )
+            )
+          ) &&
+          (
+            (
+              (
+                has(container.securityContext) && 
+                has(container.securityContext.runAsNonRoot) && 
+                container.securityContext.runAsNonRoot == true
+              ) ||
+              (
+                (
+                  !has(container.securityContext) || !has(container.securityContext.runAsNonRoot)
+                ) &&
+                (
+                  has(object.spec.securityContext) && 
+                  has(object.spec.securityContext.runAsNonRoot) && 
+                  object.spec.securityContext.runAsNonRoot == true
+                )
+              )  
+            ) ||
+            (
+              (
+                has(container.securityContext) && 
+                has(container.securityContext.runAsUser) && 
+                container.securityContext.runAsUser != 0
+              ) ||
+              (
+                (
+                  !has(container.securityContext) || !has(container.securityContext.runAsUser)
+                ) &&
+                (
+                  has(object.spec.securityContext) && 
+                  has(object.spec.securityContext.runAsUser) && 
+                  object.spec.securityContext.runAsUser != 0
+                )
+              )  
+            )
+          )
+        )
+      message: "Pods contains container/s which have the capability to run as root! (see more at https://hub.armosec.io/docs/c-0013)"
+
+    - expression: >
+        ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container,
+          (
+            (
+              has(container.securityContext) && 
+              has(container.securityContext.allowPrivilegeEscalation) && 
+              container.securityContext.allowPrivilegeEscalation == false
+            ) ||
+            (
+              (
+                !has(container.securityContext) || !has(container.securityContext.allowPrivilegeEscalation)
+              ) &&
+              (
+                has(object.spec.template.spec.securityContext) && 
+                has(object.spec.template.spec.securityContext.allowPrivilegeEscalation) && 
+                object.spec.template.spec.securityContext.allowPrivilegeEscalation == false
+              )
+            )
+          ) &&
+          (
+            (
+              (
+                has(container.securityContext) && 
+                has(container.securityContext.runAsNonRoot) && 
+                container.securityContext.runAsNonRoot == true
+              ) ||
+              (
+                (
+                  !has(container.securityContext) || !has(container.securityContext.runAsNonRoot)
+                ) &&
+                (
+                  has(object.spec.template.spec.securityContext) && 
+                  has(object.spec.template.spec.securityContext.runAsNonRoot) && 
+                  object.spec.template.spec.securityContext.runAsNonRoot == true
+                )
+              )  
+            ) ||
+            (
+              (
+                has(container.securityContext) && 
+                has(container.securityContext.runAsUser) && 
+                container.securityContext.runAsUser != 0
+              ) ||
+              (
+                (
+                  !has(container.securityContext) || !has(container.securityContext.runAsUser)
+                ) &&
+                (
+                  has(object.spec.template.spec.securityContext) && 
+                  has(object.spec.template.spec.securityContext.runAsUser) && 
+                  object.spec.template.spec.securityContext.runAsUser != 0
+                )
+              )  
+            )
+          )
+        )
+      message: "Workloads contains container/s which have the capability to run as root! (see more at https://hub.armosec.io/docs/c-0013)"
+
+    - expression: >
+        object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container,
+          (
+            (
+              has(container.securityContext) && 
+              has(container.securityContext.allowPrivilegeEscalation) && 
+              container.securityContext.allowPrivilegeEscalation == false
+            ) ||
+            (
+              (
+                !has(container.securityContext) || !has(container.securityContext.allowPrivilegeEscalation)
+              ) &&
+              (
+                has(object.spec.jobTemplate.spec.securityContext) && 
+                has(object.spec.jobTemplate.spec.securityContext.allowPrivilegeEscalation) && 
+                object.spec.jobTemplate.spec.securityContext.allowPrivilegeEscalation == false
+              )
+            )
+          ) &&
+          (
+            (
+              (
+                has(container.securityContext) && 
+                has(container.securityContext.runAsNonRoot) && 
+                container.securityContext.runAsNonRoot == true
+              ) ||
+              (
+                (
+                  !has(container.securityContext) || !has(container.securityContext.runAsNonRoot)
+                ) &&
+                (
+                  has(object.spec.jobTemplate.spec.securityContext) && 
+                  has(object.spec.jobTemplate.spec.securityContext.runAsNonRoot) && 
+                  object.spec.jobTemplate.spec.securityContext.runAsNonRoot == true
+                )
+              )  
+            ) ||
+            (
+              (
+                has(container.securityContext) && 
+                has(container.securityContext.runAsUser) && 
+                container.securityContext.runAsUser != 0
+              ) ||
+              (
+                (
+                  !has(container.securityContext) || !has(container.securityContext.runAsUser)
+                ) &&
+                (
+                  has(object.spec.jobTemplate.spec.securityContext) && 
+                  has(object.spec.jobTemplate.spec.securityContext.runAsUser) && 
+                  object.spec.jobTemplate.spec.securityContext.runAsUser != 0
+                )
+              )  
+            )
+          )
+        )
+      message: "CronJob contains container/s which have the capability to run as root! (see more at https://hub.armosec.io/docs/c-0013)"