Added good practices rbac secrets (#31)

* created good practices folder with added prohibit verbs on secrets policies * added good practices readme and rbac secrets kustomization * fixing README.md * added policy for blocking wildcards on policy rules * added ControllerProhibitNamespace policy to rbac secret good practices * add auto-generated policies doc * avoid clashing policyrules policies * add auto-generated policies doc * add scenario for custom policy library too * removed standard block from bestpractices policies * moved to docs directory * added policy and test for rbac policies * aligning to rego policy test * added target to policies per review comment * Update Policies CRDs REGO code * added test for valid scenarios and better names for policies added * add auto-generated policies doc * add auto-generated datastudio csv * Update Policies CRDs REGO code --------- Co-authored-by: github-actions <github-actions@github.com>
weaveworks · Aug 1, 2023 · 00bf7f1 · 00bf7f1
1 parent 5195177
commit 00bf7f1
Show file tree

Hide file tree

Showing 27 changed files with 1,329 additions and 82 deletions.
diff --git a/README.md b/README.md
@@ -49,6 +49,9 @@ controls:
 ```
 
 ## Testing Policies using OPA Testing Framework
+
+Download it [here](https://www.openpolicyagent.org/docs/latest/#running-opa) 
+
 ```bash
 # test all policies and examples
 opa test examples/ policies/ -v --ignore '*.yml','*.yaml','.md','.csv'

diff --git a/docs/goodpractices.md b/docs/goodpractices.md
@@ -0,0 +1,41 @@
+# Good Practices Policies
+
+Good Practices Policies are created to bundle individual policies to create solutions according to well known practices 
+to provide a baseline security for any weave gitops or kubernetes environment. 
+
+## Getting Started
+
+1. Select the policies to use from [Available Good Practices Policies](#available-good-practices-policies).
+2. Add them via Kustomization to your environment.
+
+An example for deploying RBAC Secrets good practices using this GitRepository as a source is shown below.
+
+```yaml
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: policy-library
+spec:
+  interval: 10m0s
+  url: https://github.com/weaveworks/policy-library.git
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: rbac-secrets-good-practices
+spec:
+  interval: 1m0s
+  sourceRef:
+    kind: GitRepository
+    name: policy-library
+  path: ./goodpractices/kubernetes/rbac/secrets
+  prune: true
+```
+
+In case that you have your own custom Policy Library, add these policies and deploy as usual.
+
+
+## Available Good Practices Policies
+
+- RBAC Secrets: set of policies to harden your Kubernetes Secrets security context according to [Kubernetes Secrets Good Practices](https://kubernetes.io/docs/concepts/security/secrets-good-practices/) 
+and [Kubernetes RBAC Good Practices](https://kubernetes.io/docs/concepts/security/rbac-good-practices) 
diff --git a/goodpractices/kubernetes/rbac/secrets/kustomization.yaml b/goodpractices/kubernetes/rbac/secrets/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../../../policies/RBACProhibitListOnSecrets/policy.yaml
+- ../../../../policies/RBACProhibitWatchOnSecrets/policy.yaml
+- ../../../../policies/RBACProhibitWildcardOnSecrets/policy.yaml
+- ../../../../policies/RBACProhibitWildcardsOnPolicyRuleVerbs/policy.yaml
+- ../../../../policies/RBACProhibitWildcardsOnPolicyRuleResources/policy.yaml
+- ../../../../policies/ControllerProhibitNamespace/policy.yaml
diff --git a/policies/ControllerProhibitNamespace/policy.rego b/policies/ControllerProhibitNamespace/policy.rego
@@ -1,4 +1,4 @@
-package weave.advisor.pods.not_namespace
+package weave.advisor.pods.containers_not_namespace
 
 custom_namespace := input.parameters.custom_namespace
 exclude_label_key := input.parameters.exclude_label_key

diff --git a/policies/ControllerProhibitNamespace/policy.yaml b/policies/ControllerProhibitNamespace/policy.yaml
@@ -10,7 +10,7 @@ spec:
   how_to_solve: "Use a `namespace` that differs from the one specified in the Policy. \n```\nmetadata:\n  namespace: <custom_namespace>\n```\n\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/\n"
   category: weave.categories.organizational-standards
   severity: low
-  targets: {kinds: [Deployment, Job, ReplicationController, ReplicaSet, DaemonSet, StatefulSet, CronJob]}
+  targets: {kinds: [Pod, Deployment, Job, ReplicationController, ReplicaSet, DaemonSet, StatefulSet, CronJob]}
   standards:
     - id: weave.standards.cis-benchmark
       controls:
@@ -33,7 +33,7 @@ spec:
       required: false
       value:
   code: |
-    package weave.advisor.pods.not_namespace
+    package weave.advisor.pods.containers_not_namespace
 
     custom_namespace := input.parameters.custom_namespace
     exclude_label_key := input.parameters.exclude_label_key

diff --git a/policies/ControllerProhibitNamespace/tests/policy_test.rego b/policies/ControllerProhibitNamespace/tests/policy_test.rego
@@ -0,0 +1,214 @@
+package weave.advisor.pods.containers_not_namespace
+
+import data.weave.advisor.pods.containers_not_namespace.violation
+
+test_valid_case {
+  testcase = {
+    "parameters": {
+      "custom_namespace": "flux-system",
+      "exclude_label_key": "",
+      "exclude_label_value": "",
+    },
+    "review": {
+      "object": {
+       "apiVersion": "v1",
+       "kind": "Pod",
+       "metadata": {
+         "name": "pod-execution-escalation",
+         "namespace": "default"
+       },
+       "spec": {
+         "containers": [
+           {
+             "name": "attack-container",
+             "image": "busybox:1.36",
+             "command": [
+               "sleep"
+             ],
+             "args": [
+               "infinity"
+             ]
+           }
+         ]
+       }
+      }
+    }
+  }
+
+  count(violation) == 0 with input as testcase
+}
+
+test_invalid_pod {
+  testcase = {
+    "parameters": {
+      "custom_namespace": "default",
+      "exclude_label_key": "",
+      "exclude_label_value": "",
+    },
+    "review": {
+      "object": {
+       "apiVersion": "v1",
+       "kind": "Pod",
+       "metadata": {
+         "name": "pod-execution-escalation",
+         "namespace": "default"
+       },
+       "spec": {
+         "containers": [
+           {
+             "name": "attack-container",
+             "image": "busybox:1.36",
+             "command": [
+               "sleep"
+             ],
+             "args": [
+               "infinity"
+             ]
+           }
+         ]
+       }
+      }
+    }
+  }
+
+  count(violation) == 1 with input as testcase
+}
+
+test_invalid_deployment {
+  testcase = {
+    "parameters": {
+      "custom_namespace": "default",
+      "exclude_label_key": "",
+      "exclude_label_value": "",
+    },
+    "review": {
+      "object": {
+      "apiVersion": "apps/v1",
+      "kind": "Deployment",
+      "metadata": {
+        "name": "demoservice",
+        "namespace": "default",
+        "labels": {
+          "app.kubernetes.io/name": "demoservice",
+          "app": "demoservice",
+          "owner": "tony"
+        }
+      },
+      "spec": {
+        "replicas": 2,
+        "selector": {
+          "matchLabels": {
+            "app": "demoservice"
+          }
+        },
+        "template": {
+          "metadata": {
+            "labels": {
+              "app": "demoservice"
+            }
+          },
+          "spec": {
+            "containers": [
+              {
+                "name": "demoservice",
+                "command": [
+                  "node",
+                  "app.js"
+                ],
+                "image": "airwavetechio/demoservice:v0.0.2",
+                "env": [
+                  {
+                    "name": "PORT",
+                    "value": "5000"
+                  }
+                ],
+                "ports": [
+                  {
+                    "containerPort": 5000,
+                    "name": "liveness-port"
+                  }
+                ],
+                "livenessProbe": {
+                  "httpGet": {
+                    "path": "/",
+                    "port": "liveness-port"
+                  },
+                  "initialDelaySeconds": 3,
+                  "periodSeconds": 5
+                },
+                "readinessProbe": {
+                  "httpGet": {
+                    "path": "/",
+                    "port": "liveness-port"
+                  },
+                  "initialDelaySeconds": 3,
+                  "periodSeconds": 5
+                },
+                "resources": {
+                  "limits": {
+                    "cpu": "10m",
+                    "memory": "25Mi"
+                  },
+                  "requests": {
+                    "cpu": "10m",
+                    "memory": "25Mi"
+                  }
+                }
+              },
+              {
+                "name": "demoservice",
+                "command": [
+                  "node",
+                  "app.js"
+                ],
+                "image": "airwavetechio/demoservice:v0.0.2",
+                "env": [
+                  {
+                    "name": "PORT",
+                    "value": "5000"
+                  }
+                ],
+                "ports": [
+                  {
+                    "containerPort": 5000,
+                    "name": "liveness-port"
+                  }
+                ],
+                "livenessProbe": {
+                  "httpGet": {
+                    "path": "/",
+                    "port": "liveness-port"
+                  },
+                  "initialDelaySeconds": 3,
+                  "periodSeconds": 5
+                },
+                "readinessProbe": {
+                  "httpGet": {
+                    "path": "/",
+                    "port": "liveness-port"
+                  },
+                  "initialDelaySeconds": 3,
+                  "periodSeconds": 5
+                },
+                "resources": {
+                  "limits": {
+                    "cpu": "10m",
+                    "memory": "25Mi"
+                  },
+                  "requests": {
+                    "cpu": "10m",
+                    "memory": "25Mi"
+                  }
+                }
+              }
+            ],
+            "restartPolicy": "Always"
+          }
+        }
+      }
+     }
+    }
+  }
+
+  count(violation) == 1 with input as testcase
+}
diff --git a/policies/ControllerProhibitNamespace/tests/test.yml b/policies/ControllerProhibitNamespace/tests/test.yml
diff --git a/policies/RBACProhibitListOnSecrets/README.md b/policies/RBACProhibitListOnSecrets/README.md
@@ -0,0 +1,7 @@
+# Policy RBACProhibitListOnSecrets
+
+Policy to reject RBAC roles allowing list on secrets. It is part of [Kubernetes RBAC Good Practices](https://kubernetes.io/docs/concepts/security/rbac-good-practices)
+
+Created out of [RBACProhibitVerbsOnResources](../../examples/RBACProhibitVerbsOnResources)
+
+