Merge pull request #17 from slashben/main

Creating a better getting started with the library

Author: slashben

.github/workflows/release.yaml

@@ -36,14 +36,17 @@ jobs:
       upload_url: ${{ steps.create_release.outputs.upload_url }}
     steps:
       - uses: actions/checkout@v3
+      
       - name: Verify release tagged commit is on main
         run: |
           git fetch origin main
           git merge-base --is-ancestor ${GITHUB_REF##*/} origin/main && echo "${GITHUB_REF##*/} is a commit on main!"
+      
       - name: Create release artifacts
         run: |
           mkdir release
           ./scripts/create-release-objects.sh release      
+      
       - name: Create a GitHub release
         id: create_release
         uses: actions/create-release@v1
@@ -54,12 +57,33 @@ jobs:
           release_name: "Release ${{ github.ref_name }}"
           draft: false
           prerelease: false
-      - name: Publish release artifacts
+      
+      - name: Publish policy object artifact
         uses: actions/upload-release-asset@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ steps.create_release.outputs.upload_url }}
           asset_path: release/kubescape-validating-admission-policies.yaml
           asset_name: kubescape-validating-admission-policies.yaml
+          asset_content_type: text/yaml
+      
+      - name: Publish policy configuration CRD artifact
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: configuration/policy-configuration-definition.yaml
+          asset_name: policy-configuration-definition.yaml
+          asset_content_type: text/yaml
+            
+      - name: Publish basic policy configuration 
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: configuration/basic-control-configuration.yaml
+          asset_name: basic-control-configuration.yaml
           asset_content_type: text/yaml

README.md

@@ -4,15 +4,48 @@ This is a library of polcies based on [Kubescape controls](https://hub.armosec.i
 
 ## Using the library
 
-
 *Note: Kubernetes Validating Admission Policy feature is still it is early phase. 
 It has been released as a alphav1 feature in Kubernetes 1.26,
 and you need to enable its feature gate to be able to use it. Therefore it is not yet production ready.*
 
-You can apply policies directly from GitHub, for example to apply control [C-0016](https://hub.armosec.io/docs/c-0016) (deny `allowPrivilegeEscalation` on containers) just run this:
+
+Install latest release of the library:
+```bash
+# Install configuration CRD
+kubectl apply -f https://github.com/kubescape/cel-admission-library/releases/download/latest/policy-configuration-definition.yaml
+# Install basic configuration
+kubectl apply -f https://github.com/kubescape/cel-admission-library/releases/download/latest/basic-control-configuration.yaml
+# Install policies
+kubectl apply -f https://github.com/kubescape/cel-admission-library/releases/download/latest/kubescape-validating-admission-policies.yaml
+```
+
+You're good to start to use it 😎
+
+You can apply policies to objects, for example to apply control [C-0016](https://hub.armosec.io/docs/c-0016) (deny `allowPrivilegeEscalation` on containers) on workloads in namespace with label `policy=enforced` just run this:
+
 ```bash
-kubectl apply -f https://raw.githubusercontent.com/kubescape/cel-admission-library/main/controls/C-0016/policy.yaml
+# Creating a binding
+kubectl apply -f - <<EOT
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: c0016-binding
+spec:
+  policyName: kubescape-c-0016-allow-privilege-escalation
+  paramRef:
+    name: basic-control-configuration
+  matchResources:
+    namespaceSelector:
+      matchLabels:
+        policy: enforced
+EOT
+# Creating a namespace for running the example
+kubectl create namespace policy-example
+kubectl label namespace policy-example policy=enforced
+# The next line should fail
+kubectl -n policy-example run nginx --image=nginx --restart=Never
 ```
+
 ## Testing policies
 
 ### Cluster

configuration/basic-control-configuration.yaml

@@ -0,0 +1,128 @@
+apiVersion: "kubescape.io/v1"
+kind: ControlConfiguration
+metadata:
+  name: basic-control-configuration
+settings:
+  cpuLimitMax: 5
+  cpuLimitMin: 0.5
+  cpuRequestMax: 5
+  cpuRequestMin: 0.1
+  imageRepositoryAllowList:
+  - gcr.io
+  insecureCapabilities:
+  - SETPCAP
+  - NET_ADMIN
+  - NET_RAW
+  - SYS_MODULE
+  - SYS_RAWIO
+  - SYS_PTRACE
+  - SYS_ADMIN
+  - SYS_BOOT
+  - MAC_OVERRIDE
+  - MAC_ADMIN
+  - PERFMON
+  - ALL
+  - BPF
+  k8sRecommendedLabels:
+  - app.kubernetes.io/name
+  - app.kubernetes.io/instance
+  - app.kubernetes.io/version
+  - app.kubernetes.io/component
+  - app.kubernetes.io/part-of
+  - app.kubernetes.io/managed-by
+  - app.kubernetes.io/created-by
+  listOfDangerousArtifacts:
+  - bin/bash
+  - sbin/sh
+  - bin/ksh
+  - bin/tcsh
+  - bin/zsh
+  - usr/bin/scsh
+  - bin/csh
+  - bin/busybox
+  - usr/bin/busybox
+  maxCriticalVulnerabilities:
+  - 5
+  maxHighVulnerabilities:
+  - 10
+  memoryLimitMax: 256
+  memoryLimitMin: 32
+  memoryRequestMax: 256
+  memoryRequestMin: 32
+  publicRegistries:
+  - docker.io
+  - gcr.io
+  - quay.io
+  - registry.hub.docker.com
+  recommendedLabels:
+  - app
+  - tier
+  - phase
+  - version
+  - owner
+  - env
+  sensitiveInterfaces:
+  - nifi
+  - argo-server
+  - weave-scope-app
+  - kubeflow
+  - kubernetes-dashboard
+  - jenkins
+  - prometheus-deployment
+  sensitiveKeyNames:
+  - aws_access_key_id
+  - aws_secret_access_key
+  - azure_batchai_storage_account
+  - azure_batchai_storage_key
+  - azure_batch_account
+  - azure_batch_key
+  - secret
+  - key
+  - password
+  - pwd
+  - token
+  - jwt
+  - bearer
+  - credential
+  sensitiveValues:
+  - BEGIN \w+ PRIVATE KEY
+  - PRIVATE KEY
+  - eyJhbGciO
+  - JWT
+  - Bearer
+  - _key_
+  - _secret_
+  sensitiveValuesAllowed:
+  - ''
+  servicesNames:
+  - nifi-service
+  - argo-server
+  - minio
+  - postgres
+  - workflow-controller-metrics
+  - weave-scope-app
+  - kubernetes-dashboard
+  untrustedRegistries:
+  - docker.io
+  - gcr.io
+  - quay.io
+  - registry.hub.docker.com
+  wlKnownNames:
+  - coredns
+  - kube-proxy
+  - event-exporter-gke
+  - kube-dns
+  - 17-default-backend
+  - metrics-server
+  - ca-audit
+  - ca-dashboard-aggregator
+  - ca-notification-server
+  - ca-ocimage
+  - ca-oracle
+  - ca-posture
+  - ca-rbac
+  - ca-vuln-scan
+  - ca-webhook
+  - ca-websocket
+  - clair-clair
+

configuration/policy-configuration-definition.yaml

@@ -16,13 +16,13 @@ spec:
               type: object
               properties:
                 cpuLimitMax:
-                  type: integer
+                  type: number
                 cpuLimitMin:
-                  type: integer
+                  type: number
                 cpuRequestMax:
-                  type: integer
+                  type: number
                 cpuRequestMin:
-                  type: integer
+                  type: number
                 imageRepositoryAllowList:
                   items:
                     type: string

scripts/create-release-objects.sh

@@ -14,7 +14,7 @@ RELEASE_DIR=$1
 RELEASE_POLICY_YAML_FILE_NAME=$RELEASE_DIR/kubescape-validating-admission-policies.yaml
 
 echo "Creating release policy YAML file $RELEASE_POLICY_YAML_FILE_NAME"
-touch $RELEASE_POLICY_YAML_FILE_NAME
+echo "" > $RELEASE_POLICY_YAML_FILE_NAME
 
 # Loop through all policies and add them to the release YAML file
 for control in $(ls controls); do
@@ -24,8 +24,9 @@ for control in $(ls controls); do
         continue
     fi
     # Copy policy file contents to release YAML file
+    echo controls/$control/policy.yaml
     cat controls/$control/policy.yaml >> $RELEASE_POLICY_YAML_FILE_NAME
-    echo "---" >> $RELEASE_POLICY_YAML_FILE_NAME
+    printf "\n---\n" >> $RELEASE_POLICY_YAML_FILE_NAME
 done
 
 # Delete the last line of the policy file

test-resources/default-control-configuration.yaml

@@ -6,7 +6,7 @@ settings:
   cpuLimitMax: 5
   cpuLimitMin: 1
   cpuRequestMax: 5
-  cpuRequestMin: 1
+  cpuRequestMin: 0.1
   imageRepositoryAllowList:
   - gcr.io
   insecureCapabilities: