open-policy-agent · nilekhc · Dec 6, 2023 · Mar 20, 2023 · Mar 20, 2023 · Mar 26, 2023
@@ -0,0 +1,22 @@
+version: 1.0.0
+name: k8sdisallowinteractivetty
+displayName: Disallow Interactive TTY Containers
+createdAt: "2023-04-27T21:41:24Z"
+description: Requires that objects have the fields `spec.tty` and `spec.stdin` set to false or unset.
+digest: c462c392ee271922f97e53d084646857dbbc97f496382e9b5c117532ccf3b5bc
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/disallowinteractive
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # Disallow Interactive TTY Containers
+    Requires that objects have the fields `spec.tty` and `spec.stdin` set to false or unset.
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/disallowinteractive/1.0.0/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library
@@ -0,0 +1,2 @@
+resources:
+  - template.yaml
@@ -0,0 +1,9 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sDisallowInteractiveTTY
+metadata:
+  name: no-interactive-tty-containers
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-interactive-tty-allowed
+  labels:
+    app: nginx-interactive-tty
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+    stdin: false
+    tty: false
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-privilege-escalation-disallowed
+  labels:
+    app: nginx-privilege-escalation
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+    stdin: true
+    tty: true
@@ -0,0 +1,17 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: disallowinteractive
+tests:
+- name: disallow-interactive
+  template: template.yaml
+  constraint: samples/no-interactive-containers/constraint.yaml
+  cases:
+  - name: example-allowed
+    object: samples/no-interactive-containers/example_allowed.yaml
+    assertions:
+    - violations: no
+  - name: example-disallowed
+    object: samples/no-interactive-containers/example_disallowed.yaml
+    assertions:
+    - violations: yes
@@ -0,0 +1,88 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8sdisallowinteractivetty
+  annotations:
+    metadata.gatekeeper.sh/title: "Disallow Interactive TTY Containers"
+    metadata.gatekeeper.sh/version: 1.0.0
+    description: >-
+      Requires that objects have the fields `spec.tty` and `spec.stdin` set to false or unset.
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sDisallowInteractiveTTY
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          type: object
+          description: >-
+            Controls use of fields related to gaining an interactive session. Corresponds to the `tty` and
+            `stdin` fields in the Pod `spec.containers`, `spec.ephemeralContainers`, and `spec.initContainers`.
+          properties:
+            exemptImages:
+              description: >-
+                Any container that uses an image that matches an entry in this list will be excluded
+                from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+                It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+                in order to avoid unexpectedly exempting images from an untrusted repository.
+              type: array
+              items:
+                type: string
+  targets:
+  - target: admission.k8s.gatekeeper.sh
+    rego: |
+        package k8sdisallowinteractivetty
+
+        import data.lib.exempt_container.is_exempt
+
+        violation[{"msg": msg, "details": {}}] {
+            c := input_containers[_]
+            not is_exempt(c)
+            input_allow_interactive_fields(c)
+            msg := sprintf("Containers using tty or stdin (%v) are not allowed running image: %v", [c.name, c.image])
+        }
+
+        input_allow_interactive_fields(c) {
+            has_field(c, "stdin")
+            not c.stdin == false
+        }
+        input_allow_interactive_fields(c) {
+            has_field(c, "tty")
+            not c.tty == false
+        }
+        input_containers[c] {
+            c := input.review.object.spec.containers[_]
+        }
+        input_containers[c] {
+            c := input.review.object.spec.ephemeralContainers[_]
+        }
+        input_containers[c] {
+            c := input.review.object.spec.initContainers[_]
+        }
+        # has_field returns whether an object has a field
+        has_field(object, field) = true {
+            object[field]
+        }
+    libs:
+      - |
+        package lib.exempt_container
+
+        is_exempt(container) {
+            exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+            img := container.image
+            exemption := exempt_images[_]
+            _matches_exemption(img, exemption)
+        }
+
+        _matches_exemption(img, exemption) {
+            not endswith(exemption, "*")
+            exemption == img
+        }
+
+        _matches_exemption(img, exemption) {
+            endswith(exemption, "*")
+            prefix := trim_suffix(exemption, "*")
+            startswith(img, prefix)
+        }
@@ -0,0 +1,2 @@
+resources:
+  - template.yaml
@@ -0,0 +1,9 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sDisallowInteractiveTTY
+metadata:
+  name: no-interactive-tty-containers
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-interactive-tty-allowed
+  labels:
+    app: nginx-interactive-tty
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+    stdin: false
+    tty: false
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-privilege-escalation-disallowed
+  labels:
+    app: nginx-privilege-escalation
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+    stdin: true
+    tty: true
@@ -0,0 +1,17 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: disallowinteractive
+tests:
+- name: disallow-interactive
+  template: template.yaml
+  constraint: samples/no-interactive-containers/constraint.yaml
+  cases:
+  - name: example-allowed
+    object: samples/no-interactive-containers/example_allowed.yaml
+    assertions:
+    - violations: no
+  - name: example-disallowed
+    object: samples/no-interactive-containers/example_disallowed.yaml
+    assertions:
+    - violations: yes
@@ -0,0 +1,88 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8sdisallowinteractivetty
+  annotations:
+    metadata.gatekeeper.sh/title: "Disallow Interactive TTY Containers"
+    metadata.gatekeeper.sh/version: 1.0.0
+    description: >-
+      Requires that objects have the fields `spec.tty` and `spec.stdin` set to false or unset.
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sDisallowInteractiveTTY
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          type: object
+          description: >-
+            Controls use of fields related to gaining an interactive session. Corresponds to the `tty` and
+            `stdin` fields in the Pod `spec.containers`, `spec.ephemeralContainers`, and `spec.initContainers`.
+          properties:
+            exemptImages:
+              description: >-
+                Any container that uses an image that matches an entry in this list will be excluded
+                from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+                It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+                in order to avoid unexpectedly exempting images from an untrusted repository.
+              type: array
+              items:
+                type: string
+  targets:
+  - target: admission.k8s.gatekeeper.sh
+    rego: |
+        package k8sdisallowinteractivetty
+
+        import data.lib.exempt_container.is_exempt
+
+        violation[{"msg": msg, "details": {}}] {
+            c := input_containers[_]
+            not is_exempt(c)
+            input_allow_interactive_fields(c)
+            msg := sprintf("Containers using tty or stdin (%v) are not allowed running image: %v", [c.name, c.image])
+        }
+
+        input_allow_interactive_fields(c) {
+            has_field(c, "stdin")
+            not c.stdin == false
+        }
+        input_allow_interactive_fields(c) {
+            has_field(c, "tty")
+            not c.tty == false
+        }
+        input_containers[c] {
+            c := input.review.object.spec.containers[_]
+        }
+        input_containers[c] {
+            c := input.review.object.spec.ephemeralContainers[_]
+        }
+        input_containers[c] {
+            c := input.review.object.spec.initContainers[_]
+        }
+        # has_field returns whether an object has a field
+        has_field(object, field) = true {
+            object[field]
+        }
+    libs:
+      - |
+        package lib.exempt_container
+
+        is_exempt(container) {
+            exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+            img := container.image
+            exemption := exempt_images[_]
+            _matches_exemption(img, exemption)
+        }
+
+        _matches_exemption(img, exemption) {
+            not endswith(exemption, "*")
+            exemption == img
+        }
+
+        _matches_exemption(img, exemption) {
+            endswith(exemption, "*")
+            prefix := trim_suffix(exemption, "*")
+            startswith(img, prefix)
+        }
@@ -10,9 +10,12 @@ resources:
 - containerlimits
 - containerrequests
 - containerresourceratios
-- disallowedrepos
+- containerresources
 - disallowanonymous
+- disallowedrepos
 - disallowedtags
+- disallowinteractive
+- ephemeralstoragelimit
 - externalip
 - horizontalpodautoscaler
 - httpsonly
@@ -26,6 +29,4 @@ resources:
 - uniqueingresshost
 - uniqueserviceselector
 - verifydeprecatedapi
-- containerresources
 - storageclass
-- ephemeralstoragelimit
@@ -0,0 +1,39 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8sdisallowinteractivetty
+  annotations:
+    metadata.gatekeeper.sh/title: "Disallow Interactive TTY Containers"
+    metadata.gatekeeper.sh/version: 1.0.0
+    description: >-
+      Requires that objects have the fields `spec.tty` and `spec.stdin` set to false or unset.
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sDisallowInteractiveTTY
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          type: object
+          description: >-
+            Controls use of fields related to gaining an interactive session. Corresponds to the `tty` and
+            `stdin` fields in the Pod `spec.containers`, `spec.ephemeralContainers`, and `spec.initContainers`.
+          properties:
+            exemptImages:
+              description: >-
+                Any container that uses an image that matches an entry in this list will be excluded
+                from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+                It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+                in order to avoid unexpectedly exempting images from an untrusted repository.
+              type: array
+              items:
+                type: string
+  targets:
+  - target: admission.k8s.gatekeeper.sh
+    rego: |
+{{ file.Read "src/general/disallowinteractive/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
+    libs:
+      - |
+{{ file.Read "src/general/disallowinteractive/lib_exempt_container.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
@@ -0,0 +1,19 @@
+package lib.exempt_container
+
+is_exempt(container) {
+    exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+    img := container.image
+    exemption := exempt_images[_]
+    _matches_exemption(img, exemption)
+}
+
+_matches_exemption(img, exemption) {
+    not endswith(exemption, "*")
+    exemption == img
+}
+
+_matches_exemption(img, exemption) {
+    endswith(exemption, "*")
+    prefix := trim_suffix(exemption, "*")
+    startswith(img, prefix)
+}