Added good practices rbac secrets #31

Merged
merged 19 commits into from
Aug 1, 2023
3 changes: 3 additions & 0 deletions README.md
@@ -49,6 +49,9 @@ controls:
```

## Testing Policies using OPA Testing Framework

Download it [here](https://www.openpolicyagent.org/docs/latest/#running-opa)

```bash
# test all policies and examples
opa test examples/ policies/ -v --ignore '*.yml','*.yaml','.md','.csv'
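Review bot: the last two `--ignore` patterns on the `opa test` line, `'.md'` and `'.csv'`, carry no `*` glob, so each matches only a file whose name is literally `.md` or `.csv`; the README.md files that this PR adds under `policies/` are still picked up by the loader. Make them `'*.md','*.csv'` to match the `'*.yml','*.yaml'` entries on the same line. It would also help to say which OPA version the suite is run against, since the download link only points at "latest".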
41 changes: 41 additions & 0 deletions docs/goodpractices.md
@@ -0,0 +1,41 @@
# Good Practices Policies

Good Practices Policies are created to bundle individual policies to create solutions according to well known practices
to provide a baseline security for any weave gitops or kubernetes environment.

## Getting Started

1. Select the policies to use from [Available Good Practices Policies](#available-good-practices-policies).
2. Add them via Kustomization to your environment.

An example for deploying RBAC Secrets good practices using this GitRepository as a source is shown below.

```yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: policy-library
spec:
interval: 10m0s
url: https://github.com/weaveworks/policy-library.git
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: rbac-secrets-good-practices
spec:
interval: 1m0s
sourceRef:
kind: GitRepository
name: policy-library
path: ./goodpractices/kubernetes/rbac/secrets
prune: true
```

In case that you have your own custom Policy Library, add these policies and deploy as usual.


## Available Good Practices Policies

- RBAC Secrets: set of policies to harden your Kubernetes Secrets security context according to [Kubernetes Secrets Good Practices](https://kubernetes.io/docs/concepts/security/secrets-good-practices/)
and [Kubernetes RBAC Good Practices](https://kubernetes.io/docs/concepts/security/rbac-good-practices)
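Review bot: the Flux example is neither pinned nor scoped. The `GitRepository` for `https://github.com/weaveworks/policy-library.git` has no `spec.ref`, so a consumer follows whatever branch source-controller defaults to and silently receives every future change to the bundled policies; add `ref` with a tag (or at least a branch) and say in the text that the tag should be bumped deliberately. Neither object sets `metadata.namespace`, and the `Kustomization` sets `prune: true` without a note that deleting it will also delete the Policy objects it created. The opening paragraph ("according to well known practices", "baseline security for any weave gitops or kubernetes environment") should state what the bundle actually enforces; the one-line entry under "Available Good Practices Policies" is the only description, and "add these policies and deploy as usual" does not tell a custom-library user which files to copy.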
9 changes: 9 additions & 0 deletions goodpractices/kubernetes/rbac/secrets/kustomization.yaml
@@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../../policies/RBACProhibitListOnSecrets/policy.yaml
- ../../../../policies/RBACProhibitWatchOnSecrets/policy.yaml
- ../../../../policies/RBACProhibitWildcardOnSecrets/policy.yaml
- ../../../../policies/RBACProhibitWildcardsOnPolicyRuleVerbs/policy.yaml
- ../../../../policies/RBACProhibitWildcardsOnPolicyRuleResources/policy.yaml
- ../../../../policies/ControllerProhibitNamespace/policy.yaml
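Review bot: `ControllerProhibitNamespace/policy.yaml` is bundled under `goodpractices/kubernetes/rbac/secrets` next to five RBAC policies, but it is a workload-placement policy (category `weave.categories.organizational-standards`, parameter `custom_namespace`) and nothing in docs/goodpractices.md explains why it belongs to an "RBAC Secrets" bundle or what `custom_namespace` a user is expected to set. Either drop it from this bundle or document the intent (for example, keeping workloads out of the namespace that holds the sensitive secrets) and the parameter that must be supplied for it to do anything useful.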
2 changes: 1 addition & 1 deletion policies/ControllerProhibitNamespace/policy.rego
@@ -1,4 +1,4 @@
package weave.advisor.pods.not_namespace
package weave.advisor.pods.containers_not_namespace

custom_namespace := input.parameters.custom_namespace
exclude_label_key := input.parameters.exclude_label_key
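Review bot: renaming the package from `weave.advisor.pods.not_namespace` to `weave.advisor.pods.containers_not_namespace` breaks anyone who evaluates the policy by its data path (`data.weave.advisor.pods.not_namespace.violation`), and the hunk gives no reason for the change; state the motivation in the commit message or the policy README, and grep the repo for the old name so that policy.rego, the `code:` block in policy.yaml and the tests are all on the new package and cannot drift apart again.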
4 changes: 2 additions & 2 deletions policies/ControllerProhibitNamespace/policy.yaml
@@ -10,7 +10,7 @@ spec:
how_to_solve: "Use a `namespace` that differs from the one specified in the Policy. \n```\nmetadata:\n namespace: <custom_namespace>\n```\n\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/\n"
category: weave.categories.organizational-standards
severity: low
targets: {kinds: [Deployment, Job, ReplicationController, ReplicaSet, DaemonSet, StatefulSet, CronJob]}
targets: {kinds: [Pod, Deployment, Job, ReplicationController, ReplicaSet, DaemonSet, StatefulSet, CronJob]}
standards:
- id: weave.standards.cis-benchmark
controls:
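Review bot: adding `Pod` to `targets.kinds` means a Pod created by a Deployment, ReplicaSet or Job that is already in the list is evaluated a second time at Pod admission, so an exclusion label placed only on the controller object will not exempt the Pod unless it is also carried in the pod template; `how_to_solve` still only shows `metadata.namespace` and should say where the `exclude_label_key` label has to live for each kind. Also `severity: low` and the CIS mapping are untouched; for a policy now shipped as part of a secrets-hardening bundle, check that `low` is still the intended rating.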
@@ -33,7 +33,7 @@ spec:
required: false
value:
code: |
package weave.advisor.pods.not_namespace
package weave.advisor.pods.containers_not_namespace

custom_namespace := input.parameters.custom_namespace
exclude_label_key := input.parameters.exclude_label_key
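Review bot: the `code:` block is a verbatim copy of policy.rego, and this PR had to repeat the same one-line package rename in both files; consider generating policy.yaml from policy.rego, or adding a test that asserts the embedded `code:` and policy.rego are identical, otherwise the next rename will be applied to one copy only.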
214 changes: 214 additions & 0 deletions policies/ControllerProhibitNamespace/tests/policy_test.rego
@@ -0,0 +1,214 @@
package weave.advisor.pods.containers_not_namespace

import data.weave.advisor.pods.containers_not_namespace.violation

test_valid_case {
testcase = {
"parameters": {
"custom_namespace": "flux-system",
"exclude_label_key": "",
"exclude_label_value": "",
},
"review": {
"object": {
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "pod-execution-escalation",
"namespace": "default"
},
"spec": {
"containers": [
{
"name": "attack-container",
"image": "busybox:1.36",
"command": [
"sleep"
],
"args": [
"infinity"
]
}
]
}
}
}
}

count(violation) == 0 with input as testcase
}

test_invalid_pod {
testcase = {
"parameters": {
"custom_namespace": "default",
"exclude_label_key": "",
"exclude_label_value": "",
},
"review": {
"object": {
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "pod-execution-escalation",
"namespace": "default"
},
"spec": {
"containers": [
{
"name": "attack-container",
"image": "busybox:1.36",
"command": [
"sleep"
],
"args": [
"infinity"
]
}
]
}
}
}
}

count(violation) == 1 with input as testcase
}

test_invalid_deployment {
testcase = {
"parameters": {
"custom_namespace": "default",
"exclude_label_key": "",
"exclude_label_value": "",
},
"review": {
"object": {
"apiVersion": "apps/v1",
"kind": "Deployment",
"metadata": {
"name": "demoservice",
"namespace": "default",
"labels": {
"app.kubernetes.io/name": "demoservice",
"app": "demoservice",
"owner": "tony"
}
},
"spec": {
"replicas": 2,
"selector": {
"matchLabels": {
"app": "demoservice"
}
},
"template": {
"metadata": {
"labels": {
"app": "demoservice"
}
},
"spec": {
"containers": [
{
"name": "demoservice",
"command": [
"node",
"app.js"
],
"image": "airwavetechio/demoservice:v0.0.2",
"env": [
{
"name": "PORT",
"value": "5000"
}
],
"ports": [
{
"containerPort": 5000,
"name": "liveness-port"
}
],
"livenessProbe": {
"httpGet": {
"path": "/",
"port": "liveness-port"
},
"initialDelaySeconds": 3,
"periodSeconds": 5
},
"readinessProbe": {
"httpGet": {
"path": "/",
"port": "liveness-port"
},
"initialDelaySeconds": 3,
"periodSeconds": 5
},
"resources": {
"limits": {
"cpu": "10m",
"memory": "25Mi"
},
"requests": {
"cpu": "10m",
"memory": "25Mi"
}
}
},
{
"name": "demoservice",
"command": [
"node",
"app.js"
],
"image": "airwavetechio/demoservice:v0.0.2",
"env": [
{
"name": "PORT",
"value": "5000"
}
],
"ports": [
{
"containerPort": 5000,
"name": "liveness-port"
}
],
"livenessProbe": {
"httpGet": {
"path": "/",
"port": "liveness-port"
},
"initialDelaySeconds": 3,
"periodSeconds": 5
},
"readinessProbe": {
"httpGet": {
"path": "/",
"port": "liveness-port"
},
"initialDelaySeconds": 3,
"periodSeconds": 5
},
"resources": {
"limits": {
"cpu": "10m",
"memory": "25Mi"
},
"requests": {
"cpu": "10m",
"memory": "25Mi"
}
}
}
],
"restartPolicy": "Always"
}
}
}
}
}
}

count(violation) == 1 with input as testcase
}
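Review bot: none of the three cases exercises `exclude_label_key` / `exclude_label_value` (all pass empty strings), and the only passing case is a bare Pod; add a Deployment that sits in `custom_namespace` but carries the exclusion label and expects `count(violation) == 0`, and a Deployment in a different namespace to cover the valid controller path. Smaller points: the Deployment fixture declares two containers both named `demoservice`, which the API server would reject as duplicate container names (harmless for this policy, but a misleading sample); the fixture names `pod-execution-escalation` and `attack-container` say nothing about what a namespace test checks; and `test_valid_case` would be clearer as something like `test_valid_pod_other_namespace`.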
77 changes: 0 additions & 77 deletions policies/ControllerProhibitNamespace/tests/test.yml

This file was deleted.
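Review bot: the 77-line test.yml is deleted with nothing in the PR saying whether every case it held is now covered by the three cases in tests/policy_test.rego; list the mapping in the commit message. Note that the README's `opa test` line carries `--ignore '*.yml'`, so the yml cases were not being executed by that command anyway, which is worth stating as the reason for the removal.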

7 changes: 7 additions & 0 deletions policies/RBACProhibitListOnSecrets/README.md
@@ -0,0 +1,7 @@
# Policy RBACProhibitListOnSecrets

Policy to reject RBAC roles allowing list on secrets. It is part of [Kubernetes RBAC Good Practices](https://kubernetes.io/docs/concepts/security/rbac-good-practices)

Created out of [RBACProhibitVerbsOnResources](../../examples/RBACProhibitVerbsOnResources)

