
Commit aa6e16e

Promote kyverno policy to block access to signing server in prod
KFLUXINFRA-2676 Signed-off-by: Hugo Arès <hares@redhat.com>
1 parent 1fd139b commit aa6e16e

7 files changed

Lines changed: 422 additions & 0 deletions


Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
apiVersion: kyverno.io/v1
2+
kind: ClusterPolicy
3+
metadata:
4+
name: block-signing-server-access
5+
status:
6+
conditions:
7+
- reason: Succeeded
8+
status: "True"
9+
type: Ready
10+
Lines changed: 284 additions & 0 deletions
@@ -0,0 +1,284 @@
1+
---
2+
apiVersion: chainsaw.kyverno.io/v1alpha1
3+
kind: Test
4+
metadata:
5+
name: egressfirewall-created-in-all-new-ns-but-one
6+
spec:
7+
concurrent: false
8+
description: |
9+
Tests that the ClusterPolicy for generating EgressFirewall is
10+
is creating the EgressFirewall in all new namespaces except in internal-services.
11+
steps:
12+
- name: setup-crd
13+
try:
14+
- apply:
15+
file: resources/mock-egressfirewall-crd.yaml
16+
- assert:
17+
file: resources/mock-egressfirewall-crd.yaml
18+
- name: setup-permissions
19+
try:
20+
- apply:
21+
file: ../kyverno_rbac.yaml
22+
- name: Apply Kyverno ClusterPolicy and assert it exists
23+
try:
24+
- apply:
25+
file: ../block-signing-server-access.yaml
26+
- assert:
27+
file: chainsaw-assert-clusterpolicy.yaml
28+
- name: create-test-namespace
29+
try:
30+
- apply:
31+
resource:
32+
apiVersion: v1
33+
kind: Namespace
34+
metadata:
35+
name: test-ns
36+
- name: verify-egress-firewall-created
37+
try:
38+
- assert:
39+
resource:
40+
apiVersion: k8s.ovn.org/v1
41+
kind: EgressFirewall
42+
metadata:
43+
name: default
44+
namespace: test-ns
45+
spec:
46+
egress:
47+
- to:
48+
dnsName: signserver.devel.redhat.com
49+
type: Deny
50+
- name: create-internal-services-namespace
51+
try:
52+
- apply:
53+
resource:
54+
apiVersion: v1
55+
kind: Namespace
56+
metadata:
57+
name: internal-services
58+
- name: verify-no-egress-firewall-in-internal-services
59+
try:
60+
- delete:
61+
ref:
62+
apiVersion: k8s.ovn.org/v1
63+
kind: EgressFirewall
64+
namespace: internal-services
65+
name: default
66+
expect:
67+
- check:
68+
($error != null): true
69+
---
70+
apiVersion: chainsaw.kyverno.io/v1alpha1
71+
kind: Test
72+
metadata:
73+
name: egressfirewall-created-in-all-existing-ns-but-one
74+
spec:
75+
concurrent: false
76+
description: |
77+
Tests that the ClusterPolicy for generating EgressFirewall is
78+
is creating the EgressFirewall in all existing namespaces except in internal-services.
79+
steps:
80+
- name: setup-crd
81+
try:
82+
- apply:
83+
file: resources/mock-egressfirewall-crd.yaml
84+
- assert:
85+
file: resources/mock-egressfirewall-crd.yaml
86+
- name: setup-permissions
87+
try:
88+
- apply:
89+
file: ../kyverno_rbac.yaml
90+
- name: create-test-namespace
91+
try:
92+
- apply:
93+
resource:
94+
apiVersion: v1
95+
kind: Namespace
96+
metadata:
97+
name: test-ns
98+
- name: create-internal-services-namespace
99+
try:
100+
- apply:
101+
resource:
102+
apiVersion: v1
103+
kind: Namespace
104+
metadata:
105+
name: internal-services
106+
- name: Apply Kyverno ClusterPolicy and assert it exists
107+
try:
108+
- apply:
109+
file: ../block-signing-server-access.yaml
110+
- assert:
111+
file: chainsaw-assert-clusterpolicy.yaml
112+
- name: verify-egress-firewall-created
113+
try:
114+
- assert:
115+
resource:
116+
apiVersion: k8s.ovn.org/v1
117+
kind: EgressFirewall
118+
metadata:
119+
name: default
120+
namespace: test-ns
121+
spec:
122+
egress:
123+
- to:
124+
dnsName: signserver.devel.redhat.com
125+
type: Deny
126+
- name: verify-no-egress-firewall-in-internal-services
127+
try:
128+
- delete:
129+
ref:
130+
apiVersion: k8s.ovn.org/v1
131+
kind: EgressFirewall
132+
namespace: internal-services
133+
name: default
134+
expect:
135+
- check:
136+
($error != null): true
137+
---
138+
apiVersion: chainsaw.kyverno.io/v1alpha1
139+
kind: Test
140+
metadata:
141+
name: egressfirewall-recreated-if-deleted
142+
spec:
143+
concurrent: false
144+
description: |
145+
Tests that the ClusterPolicy for generating EgressFirewall is
146+
is recreating the EgressFirewall if deleted
147+
steps:
148+
- name: setup-crd
149+
try:
150+
- apply:
151+
file: resources/mock-egressfirewall-crd.yaml
152+
- assert:
153+
file: resources/mock-egressfirewall-crd.yaml
154+
- name: setup-permissions
155+
try:
156+
- apply:
157+
file: ../kyverno_rbac.yaml
158+
- name: Apply Kyverno ClusterPolicy and assert it exists
159+
try:
160+
- apply:
161+
file: ../block-signing-server-access.yaml
162+
- assert:
163+
file: chainsaw-assert-clusterpolicy.yaml
164+
- name: create-test-namespace
165+
try:
166+
- apply:
167+
resource:
168+
apiVersion: v1
169+
kind: Namespace
170+
metadata:
171+
name: test-ns
172+
- name: verify-egress-firewall-created
173+
try:
174+
- assert:
175+
resource:
176+
apiVersion: k8s.ovn.org/v1
177+
kind: EgressFirewall
178+
metadata:
179+
name: default
180+
namespace: test-ns
181+
spec:
182+
egress:
183+
- to:
184+
dnsName: signserver.devel.redhat.com
185+
type: Deny
186+
- name: delete-egress-firewall
187+
try:
188+
- delete:
189+
ref:
190+
apiVersion: k8s.ovn.org/v1
191+
kind: EgressFirewall
192+
namespace: test-ns
193+
name: default
194+
- name: verify-egress-firewall-recreated
195+
try:
196+
- assert:
197+
resource:
198+
apiVersion: k8s.ovn.org/v1
199+
kind: EgressFirewall
200+
metadata:
201+
name: default
202+
namespace: test-ns
203+
spec:
204+
egress:
205+
- to:
206+
dnsName: signserver.devel.redhat.com
207+
type: Deny
208+
---
209+
apiVersion: chainsaw.kyverno.io/v1alpha1
210+
kind: Test
211+
metadata:
212+
name: egressfirewall-restored-if-modified
213+
spec:
214+
concurrent: false
215+
description: |
216+
Tests that the ClusterPolicy for generating EgressFirewall
217+
restores the EgressFirewall if it is modified.
218+
steps:
219+
- name: setup-crd
220+
try:
221+
- apply:
222+
file: resources/mock-egressfirewall-crd.yaml
223+
- assert:
224+
file: resources/mock-egressfirewall-crd.yaml
225+
- name: setup-permissions
226+
try:
227+
- apply:
228+
file: ../kyverno_rbac.yaml
229+
- name: Apply Kyverno ClusterPolicy and assert it exists
230+
try:
231+
- apply:
232+
file: ../block-signing-server-access.yaml
233+
- assert:
234+
file: chainsaw-assert-clusterpolicy.yaml
235+
- name: create-test-namespace
236+
try:
237+
- apply:
238+
resource:
239+
apiVersion: v1
240+
kind: Namespace
241+
metadata:
242+
name: test-ns
243+
- name: verify-egress-firewall-created
244+
try:
245+
- assert:
246+
resource:
247+
apiVersion: k8s.ovn.org/v1
248+
kind: EgressFirewall
249+
metadata:
250+
name: default
251+
namespace: test-ns
252+
spec:
253+
egress:
254+
- to:
255+
dnsName: signserver.devel.redhat.com
256+
type: Deny
257+
- name: modify-egress-firewall
258+
try:
259+
- apply:
260+
resource:
261+
apiVersion: k8s.ovn.org/v1
262+
kind: EgressFirewall
263+
metadata:
264+
name: default
265+
namespace: test-ns
266+
spec:
267+
egress:
268+
- to:
269+
dnsName: malicious.example.com
270+
type: Allow
271+
- name: verify-egress-firewall-restored
272+
try:
273+
- assert:
274+
resource:
275+
apiVersion: k8s.ovn.org/v1
276+
kind: EgressFirewall
277+
metadata:
278+
name: default
279+
namespace: test-ns
280+
spec:
281+
egress:
282+
- to:
283+
dnsName: signserver.devel.redhat.com
284+
type: Deny
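Review bot: The `description` block scalars of the first three tests repeat "is" across the line break (`...for generating EgressFirewall is` followed by `is creating the EgressFirewall...`), so each rendered description reads "is is creating"; drop the trailing `is` from the first line of each, as the fourth test's description already does. The `verify-no-egress-firewall-in-internal-services` steps prove absence by issuing a `delete` and expecting `($error != null): true`, which ties the check to delete-on-missing semantics rather than to the resource's absence; Chainsaw's `error` operation states that intent directly and fails if the object exists, so the step can be rewritten as below in both tests that use it. The tests also create the literal `internal-services` namespace without any isolation, which is fine on a disposable test cluster but would collide with a real namespace of that name if the suite were ever pointed at a shared cluster (inferred from the fixed names, not stated on the page).
```yaml
    - name: verify-no-egress-firewall-in-internal-services
      try:
        - error:
            resource:
              apiVersion: k8s.ovn.org/v1
              kind: EgressFirewall
              metadata:
                name: default
                namespace: internal-services
```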
@@ -0,0 +1,47 @@
1+
apiVersion: apiextensions.k8s.io/v1
2+
kind: CustomResourceDefinition
3+
metadata:
4+
name: egressfirewalls.k8s.ovn.org
5+
spec:
6+
group: k8s.ovn.org
7+
names:
8+
kind: EgressFirewall
9+
listKind: EgressFirewallList
10+
plural: egressfirewalls
11+
singular: egressfirewall
12+
shortNames:
13+
- egressfw
14+
scope: Namespaced
15+
versions:
16+
- name: v1
17+
served: true
18+
storage: true
19+
schema:
20+
openAPIV3Schema:
21+
type: object
22+
properties:
23+
spec:
24+
type: object
25+
properties:
26+
egress:
27+
type: array
28+
items:
29+
type: object
30+
properties:
31+
type:
32+
type: string
33+
enum:
34+
- Allow
35+
- Deny
36+
to:
37+
type: object
38+
properties:
39+
cidrSelector:
40+
type: string
41+
dnsName:
42+
type: string
43+
status:
44+
type: object
45+
x-kubernetes-preserve-unknown-fields: true
46+
subresources:
47+
status: {}
Lines changed: 39 additions & 0 deletions
@@ -0,0 +1,39 @@
1+
apiVersion: kyverno.io/v1
2+
kind: ClusterPolicy
3+
metadata:
4+
name: block-signing-server-access
5+
annotations:
6+
policies.kyverno.io/title: Block signing server access
7+
policies.kyverno.io/category: Firewall
8+
policies.kyverno.io/subject: EgressFirewall
9+
policies.kyverno.io/description: >-
10+
This policy automatically generates an EgressFirewall resource in all
11+
namespaces except the 'internal-services' namespace to block access to the signing server.
12+
spec:
13+
background: true
14+
rules:
15+
- name: generate-egress-firewall
16+
match:
17+
any:
18+
- resources:
19+
kinds:
20+
- /v1/Namespace
21+
exclude:
22+
any:
23+
- resources:
24+
namespaces:
25+
- internal-services
26+
skipBackgroundRequests: true
27+
generate:
28+
generateExisting: true
29+
apiVersion: k8s.ovn.org/v1
30+
kind: EgressFirewall
31+
name: default
32+
namespace: "{{request.object.metadata.name}}"
33+
synchronize: true
34+
data:
35+
spec:
36+
egress:
37+
- to:
38+
dnsName: signserver.devel.redhat.com
39+
type: Deny
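Review bot: The `exclude` block's `namespaces: - internal-services` depends on Kyverno matching a cluster-scoped Namespace object by its own name when the `namespaces` filter is used; the chainsaw test exercises that behaviour, but `names:` expresses the intent without relying on that special case, i.e. `exclude: any: - resources: names: - internal-services`. The generated rule denies only `dnsName: signserver.devel.redhat.com`, and an EgressFirewall dnsName entry covers the addresses that name resolves to, so the block is only as complete as the name-to-address mapping; if the server's address range is known, a second Deny entry with `cidrSelector` alongside the dnsName entry makes the policy robust to access by IP or an alternate hostname. OVN-Kubernetes permits one EgressFirewall per namespace and it must be named `default`, so with `synchronize: true` this policy effectively owns every namespace's egress policy; how Kyverno treats a pre-existing, non-generated `default` object differs across versions and is worth confirming and stating in `policies.kyverno.io/description`, e.g. `Namespaces that need their own EgressFirewall must be added to the exclude list.`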
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
apiVersion: kustomize.config.k8s.io/v1beta1
2+
kind: Kustomization
3+
resources:
4+
- block-signing-server-access.yaml
5+
- kyverno_rbac.yaml
