diff --git a/charts/rbac-best-practices-cel/Chart.yaml b/charts/rbac-best-practices-cel/Chart.yaml
new file mode 100644
index 00000000..1ea079f4
--- /dev/null
+++ b/charts/rbac-best-practices-cel/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: rbac-best-practice-cel-policies
+description: Rbac Best Practice CEL policy set
+type: application
+version: 0.1.0
+appVersion: 0.1.0
+keywords:
+ - kubernetes
+ - nirmata
+ - kyverno
+ - policy
+maintainers:
+ - name: Nirmata
+ url: https://nirmata.com/
diff --git a/charts/rbac-best-practices-cel/pols/disable-automount-sa-token.yaml b/charts/rbac-best-practices-cel/pols/disable-automount-sa-token.yaml
new file mode 100644
index 00000000..e5e96313
--- /dev/null
+++ b/charts/rbac-best-practices-cel/pols/disable-automount-sa-token.yaml
@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disable-automount-sa-token
+ annotations:
+ policies.kyverno.io/title: Disable automountServiceAccountToken
+ policies.kyverno.io/category: RBAC Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: ServiceAccount
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kubernetes-version: "1.21"
+ policies.kyverno.io/description: >-
+ A new ServiceAccount called `default` is created whenever a new Namespace is created.
+ Pods spawned in that Namespace, unless otherwise set, will be assigned this ServiceAccount.
+ This policy mutates any new `default` ServiceAccounts to disable auto-mounting of the token
+ into Pods obviating the need to do so individually.
+spec:
+ rules:
+ - name: disable-automountserviceaccounttoken
+ match:
+ any:
+ - resources:
+ kinds:
+ - ServiceAccount
+ names:
+ - default
+ mutate:
+ patchStrategicMerge:
+ automountServiceAccountToken: false
diff --git a/charts/rbac-best-practices-cel/pols/restrict-automount-sa-token.yaml b/charts/rbac-best-practices-cel/pols/restrict-automount-sa-token.yaml
new file mode 100644
index 00000000..0c8bd6fa
--- /dev/null
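Review bot: The `patchStrategicMerge` in disable-automount-sa-token.yaml only reaches `default` ServiceAccounts that pass through admission after the policy is installed; nothing in the rule (no `targets`, no `mutateExistingOnPolicyUpdate`) asks Kyverno to patch the `default` ServiceAccounts that already exist, so, as far as I can tell, existing namespaces keep auto-mounting until their SA is next updated. Either state that limitation in the description or add a mutate-existing rule if retrofitting is the intent. The policy is also the odd one out in a chart named `-cel`: it is a mutate rule carrying `policies.kyverno.io/category: RBAC Best Practices` and `policies.kyverno.io/minversion: 1.6.0`, while the sibling policies use `RBAC Best Practices in CEL` and `1.11.0`; if it is deliberately kept here, aligning the category annotation keeps policy reports grouped consistently.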
+++ b/charts/rbac-best-practices-cel/pols/restrict-automount-sa-token.yaml
@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-automount-sa-token
+ annotations:
+ policies.kyverno.io/title: Restrict Auto-Mount of Service Account Tokens
+ policies.kyverno.io/category: RBAC Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod,ServiceAccount
+ policies.kyverno.io/minversion: 1.6.0
+ policies.kyverno.io/description: >-
+ Kubernetes automatically mounts ServiceAccount credentials in each Pod.
+ The ServiceAccount may be assigned roles allowing Pods to access API resources.
+ Blocking this ability is an extension of the least privilege best practice and should
+ be followed if Pods do not need to speak to the API server to function.
+ This policy ensures that mounting of these ServiceAccount tokens is blocked.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: validate-automountServiceAccountToken
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{ request.\"object\".metadata.labels.\"app.kubernetes.io/part-of\" || '' }}"
+ operator: NotEquals
+ value: policy-reporter
+ validate:
+ message: "Auto-mounting of Service Account tokens is not allowed."
+ pattern:
+ spec:
+ automountServiceAccountToken: "false"
diff --git a/charts/rbac-best-practices-cel/pols/restrict-binding-system-groups.yaml b/charts/rbac-best-practices-cel/pols/restrict-binding-system-groups.yaml
new file mode 100644
index 00000000..b73bc50d
--- /dev/null
+++ b/charts/rbac-best-practices-cel/pols/restrict-binding-system-groups.yaml
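Review bot: The `pattern` at the end of the hunk requires every Pod to carry an explicit `spec.automountServiceAccountToken: "false"`; a Pod that omits the field and relies on its ServiceAccount having `automountServiceAccountToken: false` (exactly what the sibling disable-automount-sa-token policy sets on `default`) is still reported, because the ServiceAccount-level setting is not visible in the Pod spec. Either document that the field must be set on the Pod itself, or resolve the Pod's ServiceAccount via a context lookup and flag only Pods where neither side disables mounting; as written, the description's `ensures that mounting of these ServiceAccount tokens is blocked` overstates what the rule checks. Unlike the other validating policies in this chart this one is not CEL-based and carries `policies.kyverno.io/minversion: 1.6.0` and category `RBAC Best Practices`; if that is intentional, a one-line comment saying so would save the next reader a question.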
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-binding-system-groups
+ annotations:
+ policies.kyverno.io/title: Restrict Binding System Groups in CEL expressions
+ policies.kyverno.io/category: RBAC Best Practices in CEL
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: RoleBinding, ClusterRoleBinding, RBAC
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: "1.26"
+ policies.kyverno.io/description: >-
+ Certain system groups exist in Kubernetes which grant permissions that
+ are used for certain system-level functions yet typically never appropriate
+ for other users. This policy prevents creating bindings for system:masters group.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: restrict-masters
+ match:
+ any:
+ - resources:
+ kinds:
+ - RoleBinding
+ - ClusterRoleBinding
+ validate:
+ cel:
+ expressions:
+ - expression: "object.roleRef.name != 'system:masters'"
+ message: "Binding to system:masters is not allowed."
+
diff --git a/charts/rbac-best-practices-cel/pols/restrict-clusterrole-nodesproxy.yaml b/charts/rbac-best-practices-cel/pols/restrict-clusterrole-nodesproxy.yaml
new file mode 100644
index 00000000..169bade9
--- /dev/null
+++ b/charts/rbac-best-practices-cel/pols/restrict-clusterrole-nodesproxy.yaml
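Review bot: The expression `object.roleRef.name != 'system:masters'` inspects the role being bound, not the subjects, so a RoleBinding or ClusterRoleBinding whose `subjects` list contains `kind: Group, name: system:masters` passes the check, while the title, description and message all say bindings for the system:masters group are what is blocked; `roleRef.name` would only trip on a Role or ClusterRole that happens to be named `system:masters`. Check the subjects instead, keeping the null guard the other policies in this commit use: `object.subjects == null || !object.subjects.exists(subject, subject.name == 'system:masters')`. `subjects` is optional on bindings; if Kyverno's object conversion raises on an absent key rather than yielding null, `!has(object.subjects) || ...` is the safer spelling of the guard.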
@@ -0,0 +1,38 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-clusterrole-nodesproxy
+ annotations:
+ policies.kyverno.io/title: Restrict ClusterRole with Nodes Proxy in CEL expressions
+ policies.kyverno.io/category: RBAC Best Practices in CEL
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: ClusterRole, RBAC
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: "1.26"
+ policies.kyverno.io/description: >-
+ A ClusterRole with nodes/proxy resource access allows a user to
+ perform anything the kubelet API allows. It also allows users to bypass
+ the API server and talk directly to the kubelet potentially circumventing
+ audits and admission controllers. See https://blog.aquasec.com/privilege-escalation-kubernetes-rbac
+ for more info. This policy prevents the creation
+ of a ClusterRole if it contains the nodes/proxy resource.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: clusterrole-nodesproxy
+ match:
+ any:
+ - resources:
+ kinds:
+ - ClusterRole
+ validate:
+ cel:
+ expressions:
+ - expression: >-
+ object.rules == null ||
+ !object.rules.exists(rule,
+ rule.resources.exists(resource, resource == 'nodes/proxy') &&
+ rule.apiGroups.exists(apiGroup, apiGroup == ''))
+ message: "A ClusterRole containing the nodes/proxy resource is not allowed."
+
diff --git a/charts/rbac-best-practices-cel/pols/restrict-escalation-verbs-roles.yaml b/charts/rbac-best-practices-cel/pols/restrict-escalation-verbs-roles.yaml
new file mode 100644
index 00000000..af1ca304
--- /dev/null
+++ b/charts/rbac-best-practices-cel/pols/restrict-escalation-verbs-roles.yaml
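Review bot: The `apiGroup == ''` test on the last line of the expression lets through a rule written as `apiGroups: ['*']` with `resources: ['nodes/proxy']`, which grants the same kubelet access because the wildcard group includes the core group; use `rule.apiGroups.exists(apiGroup, apiGroup in ['', '*'])`, which is how the escalation-verbs policy in this same commit already treats `'*'`. Separately, a ClusterRole rule that uses `nonResourceURLs` carries no `resources` or `apiGroups` key, and in CEL `rule.resources.exists(...)` on a missing map key is an evaluation error rather than `false`; unless Kyverno's `object` conversion is known to tolerate absent keys, guard each rule with `has(rule.resources) && has(rule.apiGroups) && ...` — the same applies to the escalation-verbs and wildcard-resources expressions in the following hunks. With `validationFailureAction: Audit`, evaluation errors are easy to overlook in reports, so this is worth settling before the chart is relied on.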
@@ -0,0 +1,37 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-escalation-verbs-roles
+ annotations:
+ policies.kyverno.io/title: Restrict Escalation Verbs in Roles in CEL expressions
+ policies.kyverno.io/category: RBAC Best Practices in CEL
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Role, ClusterRole, RBAC
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: "1.26"
+ policies.kyverno.io/description: >-
+ The verbs `impersonate`, `bind`, and `escalate` may all potentially lead to
+ privilege escalation and should be tightly controlled. This policy prevents
+ use of these verbs in Role or ClusterRole resources.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: escalate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Role
+ - ClusterRole
+ validate:
+ cel:
+ expressions:
+ - expression: >-
+ object.rules == null ||
+ !object.rules.exists(rule,
+ rule.apiGroups.exists(apiGroup, apiGroup in ['*', 'rbac.authorization.k8s.io']) &&
+ rule.resources.exists(resource, resource in ['*', 'clusterroles', 'roles']) &&
+ rule.verbs.exists(verb, verb in ['*', 'bind', 'escalate', 'impersonate']))
+ message: "Use of verbs `escalate`, `bind`, and `impersonate` are forbidden."
+
diff --git a/charts/rbac-best-practices-cel/pols/restrict-wildcard-resources.yaml b/charts/rbac-best-practices-cel/pols/restrict-wildcard-resources.yaml
new file mode 100644
index 00000000..b22943a4
--- /dev/null
+++ b/charts/rbac-best-practices-cel/pols/restrict-wildcard-resources.yaml
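Review bot: The expression only flags `impersonate` when it appears together with the `rbac.authorization.k8s.io` group and `roles`/`clusterroles` resources, but impersonation is granted on the core-group resources `users`, `groups`, `serviceaccounts` and `uids` (plus `userextras/...` in `authentication.k8s.io`), never on roles, so a rule such as `apiGroups: [""], resources: ["users"], verbs: ["impersonate"]` passes even though the title, description and message all say the verb is forbidden. Add a second entry under `expressions` that scopes `impersonate` to those resources and leave the existing expression to cover `bind`/`escalate`; `validate.cel.expressions` is a list, so each keeps its own message. The description could also say explicitly which resource/group combinations are checked, so a reader does not assume every occurrence of the three verbs is caught.
```yaml
        expressions:
          # … unchanged: existing bind/escalate expression and its message …
          - expression: >-
              object.rules == null ||
              !object.rules.exists(rule,
                rule.apiGroups.exists(apiGroup, apiGroup in ['*', '', 'authentication.k8s.io']) &&
                rule.resources.exists(resource, resource in ['*', 'users', 'groups', 'serviceaccounts', 'uids'] || resource.startsWith('userextras')) &&
                rule.verbs.exists(verb, verb in ['*', 'impersonate']))
            message: "Use of the `impersonate` verb on users, groups, serviceaccounts, uids or userextras is forbidden."
```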
@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-wildcard-resources
+ annotations:
+ policies.kyverno.io/title: Restrict Wildcards in Resources in CEL expressions
+ policies.kyverno.io/category: RBAC Best Practices in CEL
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: ClusterRole, Role, RBAC
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: "1.26"
+ policies.kyverno.io/description: >-
+ Wildcards ('*') in resources grants access to all of the resources referenced by
+ the given API group and does not follow the principal of least privilege. As much as possible,
+ avoid such open resources unless scoped to perhaps a custom API group.
+ This policy blocks any Role or ClusterRole that contains a wildcard entry in
+ the resources list found in any rule.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: wildcard-resources
+ match:
+ any:
+ - resources:
+ kinds:
+ - Role
+ - ClusterRole
+ validate:
+ cel:
+ expressions:
+ - expression: "object.rules == null || !object.rules.exists(rule, '*' in rule.resources)"
+ message: "Use of a wildcard ('*') in any resources is forbidden."
+
diff --git a/charts/rbac-best-practices-cel/templates/club-pols.yaml b/charts/rbac-best-practices-cel/templates/club-pols.yaml
new file mode 100644
index 00000000..c3c51aa7
--- /dev/null
+++ b/charts/rbac-best-practices-cel/templates/club-pols.yaml
@@ -0,0 +1,4 @@
+{{ range $path, $_ := .Files.Glob "pols/**.yaml" }}
+{{ $.Files.Get $path }}
+---
+{{ end }}
diff --git a/charts/rbac-best-practices-cel/values.yaml b/charts/rbac-best-practices-cel/values.yaml
new file mode 100644
index 00000000..e69de29b
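Review bot: `principal of least privilege` in the description annotation should read `principle of least privilege`; this text is surfaced in policy reports, so the typo is user-visible. The file also ends with an added empty line (the trailing `+`), as do the three preceding policy files; harmless to the YAML but worth dropping for tidiness.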
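Review bot: Each policy is inlined with `$.Files.Get $path` and never passed through `tpl`, and `values.yaml` is added empty, so nothing an installer sets in values reaches the policies — in particular the `validationFailureAction: Audit` baked into every validating policy cannot be switched to `Enforce` per release without editing the chart. If that is the intended contract, say so in a comment at the top of `club-pols.yaml` (e.g. `# Policies are embedded verbatim; validationFailureAction is fixed to Audit`); otherwise render with `{{ tpl ($.Files.Get $path) $ }}` and expose a value the policy files can reference. The loop also emits a `---` after the last file, which Helm tolerates but leaves an empty trailing document in the rendered manifest.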