From 1f5a8d637ece942f3ff977f13c6437dc0a21b9c2 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Thu, 26 Sep 2024 11:42:09 +0000
Subject: [PATCH 1/4] add remediate-restrict-automount-sa-token policy and chainsaw test
Signed-off-by: Chandan-DK
---
 .../e2e/chainsaw-test.yaml | 25 +++++++++++++++++
 .../e2e/remediation-policy-assert.yaml | 11 ++++++++
 ...remediate-restrict-automount-sa-token.yaml | 28 +++++++++++++++++++
 3 files changed, 64 insertions(+)
 create mode 100644 rbac-best-practices/restrict-automount-sa-token/e2e/remediation-policy-assert.yaml
 create mode 100644 rbac-best-practices/restrict-automount-sa-token/remediate-restrict-automount-sa-token.yaml
diff --git a/rbac-best-practices/restrict-automount-sa-token/e2e/chainsaw-test.yaml b/rbac-best-practices/restrict-automount-sa-token/e2e/chainsaw-test.yaml
index 57baedcb..c0359ce8 100644
--- a/rbac-best-practices/restrict-automount-sa-token/e2e/chainsaw-test.yaml
+++ b/rbac-best-practices/restrict-automount-sa-token/e2e/chainsaw-test.yaml
@@ -3,6 +3,7 @@ kind: Test
 metadata:
 name: restrict-automount-sa-token-policy
 spec:
+ namespace: default
 steps:
 - name: test-restrict-automount-sa-token
 try:
@@ -10,6 +11,30 @@ spec:
 file: ../restrict-automount-sa-token.yaml
 - assert:
 file: policy-assert.yaml
+ - apply:
+ file: ../remediate-restrict-automount-sa-token.yaml
+ - assert:
+ file: remediation-policy-assert.yaml
+ - apply:
+ file: bad-resource.yaml
+ - sleep:
+ duration: 20s
+ - assert:
+ resource:
+ apiVersion: wgpolicyk8s.io/v1alpha2
+ kind: PolicyReport
+ summary:
+ error: 0
+ fail: 0
+ pass: 1
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: remediate-restrict-automount-sa-token
+ - script:
+ content: |
+ kubectl delete -f bad-resource.yaml
 - script:
 content: |
 sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-automount-sa-token.yaml | kubectl apply -f -
diff --git a/rbac-best-practices/restrict-automount-sa-token/e2e/remediation-policy-assert.yaml b/rbac-best-practices/restrict-automount-sa-token/e2e/remediation-policy-assert.yaml
new file mode 100644
index 00000000..a35f0264
--- /dev/null
+++ b/rbac-best-practices/restrict-automount-sa-token/e2e/remediation-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: remediate-restrict-automount-sa-token
+spec:
+ validationFailureAction: Audit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/rbac-best-practices/restrict-automount-sa-token/remediate-restrict-automount-sa-token.yaml b/rbac-best-practices/restrict-automount-sa-token/remediate-restrict-automount-sa-token.yaml
new file mode 100644
index 00000000..94b49025
--- /dev/null
+++ b/rbac-best-practices/restrict-automount-sa-token/remediate-restrict-automount-sa-token.yaml
@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: remediate-restrict-automount-sa-token
+ annotations:
+ policies.kyverno.io/title: Remediate Restrict Auto-Mount of Service Account Tokens
+ policies.kyverno.io/category: RBAC Best Practices
+ policies.kyverno.io/description: >-
+ This policy remediates the restrict-automount-sa-token violation
+spec:
+ background: false
+ rules:
+ - name: remediate-restrict-automount-sa-token
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{ request.\"object\".metadata.labels.\"app.kubernetes.io/part-of\" || '' }}"
+ operator: NotEquals
+ value: policy-reporter
+ mutate:
+ patchStrategicMerge:
+ spec:
+ automountServiceAccountToken: false
+
From 02d6a2e38470fbe82b07aa7a0317f17f5188c772 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Thu, 26 Sep 2024 21:34:30 +0000
Subject: [PATCH 2/4] add remediate-restrict-clusterrole-nodesproxy policy, chainsaw test and add badcr03 (Case where the resources array only has nodes/proxy present)
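Review bot: `spec.validationFailureAction: Audit` in remediation-policy-assert.yaml is not a field the new policy sets — the policy in this commit has only a mutate rule — so the assertion presumably holds through the CRD's default value and says nothing about the remediation itself. It is also the only remediation assert in this series that carries a `spec:` stanza; the nodesproxy and wildcard asserts check just the Ready condition. Drop the two `spec:` lines so this file matches the others and the assert is limited to `status.conditions`.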
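Review bot: The only exception in remediate-restrict-automount-sa-token.yaml is the precondition on `app.kubernetes.io/part-of`, a label the Pod author controls, so it is an opt-out rather than an enforced exception; if policy-reporter genuinely needs a token, excluding its namespace under `match`/`exclude` is the more robust boundary. The `patchStrategicMerge` also sets `automountServiceAccountToken: false` unconditionally, overriding a Pod that explicitly asks for `true`; if the intent is only to supply a safe default, Kyverno's add-if-not-present anchor `+(automountServiceAccountToken): false` does that, and if the override is intended the description annotation should say so. A description along the lines of `This policy sets automountServiceAccountToken to false on every matched Pod, including Pods that explicitly set it to true, except Pods labelled app.kubernetes.io/part-of=policy-reporter` would let operators judge which workloads need an exception before enabling it.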
Signed-off-by: Chandan-DK
---
 .../e2e/bad-resource.yaml | 9 +++++
 .../e2e/chainsaw-test.yaml | 7 ++++
 .../e2e/remediation-policy-assert.yaml | 9 +++++
 ...diate-restrict-clusterrole-nodesproxy.yaml | 34 +++++++++++++++++++
 4 files changed, 59 insertions(+)
 create mode 100644 rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/remediation-policy-assert.yaml
 create mode 100644 rbac-best-practices/restrict-clusterrole-nodesproxy/remediate-restrict-clusterrole-nodesproxy.yaml
diff --git a/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/bad-resource.yaml b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/bad-resource.yaml
index 65063c9c..75d53272 100644
--- a/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/bad-resource.yaml
+++ b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/bad-resource.yaml
@@ -18,3 +18,12 @@ rules:
 - apiGroups: [""]
 resources: ["pods", "nodes/proxy"]
 verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: badcr03
+rules:
+- apiGroups: [""]
+ resources: ["nodes/proxy"]
+ verbs: ["get", "watch", "list"]
diff --git a/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/chainsaw-test.yaml b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/chainsaw-test.yaml
index 5d36c2a9..474d09ec 100644
--- a/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/chainsaw-test.yaml
+++ b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/chainsaw-test.yaml
@@ -22,3 +22,10 @@ spec:
 - check:
 ($error != null): true
 file: bad-resource.yaml
+ # After creating the remediate policy, we can create the bad resources as they will be mutated to become compliant
+ - apply:
+ file: ../remediate-restrict-clusterrole-nodesproxy.yaml
+ - assert:
+ file: remediation-policy-assert.yaml
+ - apply:
+ file: bad-resource.yaml
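Review bot: The three new steps in chainsaw-test.yaml only show that bad-resource.yaml is admitted once the remediation policy is Ready; nothing inspects the mutated ClusterRoles, so a patch that produced the wrong shape while still satisfying the Enforce-mode restrict-clusterrole-nodesproxy policy would pass. Add an `assert:` after the final `apply:` that pins the expected result — for the badcr03 added in this commit, the policy's replace-with-empty-string patch should leave `resources: [""]` if it applies as written. The same gap exists in the wildcard chainsaw-test.yaml hunk in PATCH 3 and the automount chainsaw-test.yaml hunk at the end of PATCH 4, where the expected shape is the Pod with `automountServiceAccountToken: false`.
```yaml
    - apply:
        file: bad-resource.yaml
    # Pin the mutated shape, not just admission success (expected values are constructed from the policy's patch)
    - assert:
        resource:
          apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            name: badcr03
          rules:
          - apiGroups: [""]
            resources: [""]
            verbs: ["get", "watch", "list"]
```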
diff --git a/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/remediation-policy-assert.yaml b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/remediation-policy-assert.yaml
new file mode 100644
index 00000000..7fff88f3
--- /dev/null
+++ b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/remediation-policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: remediate-restrict-clusterrole-nodesproxy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/rbac-best-practices/restrict-clusterrole-nodesproxy/remediate-restrict-clusterrole-nodesproxy.yaml b/rbac-best-practices/restrict-clusterrole-nodesproxy/remediate-restrict-clusterrole-nodesproxy.yaml
new file mode 100644
index 00000000..6c062f19
--- /dev/null
+++ b/rbac-best-practices/restrict-clusterrole-nodesproxy/remediate-restrict-clusterrole-nodesproxy.yaml
@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: remediate-restrict-clusterrole-nodesproxy
+ annotations:
+ policies.kyverno.io/title: Remediate Restrict ClusterRole with Nodes Proxy
+ policies.kyverno.io/category: RBAC Best Practices
+ policies.kyverno.io/description: >-
+ This policy remediates the restrict-clusterrole-nodesproxy violation
+spec:
+ background: false
+ rules:
+ - name: remediate-restrict-clusterrole-nodesproxy
+ match:
+ any:
+ - resources:
+ kinds:
+ - ClusterRole
+ mutate:
+ foreach:
+ - list: request.object.rules[]
+ foreach:
+ - list: element.resources
+ preconditions:
+ all:
+ - key: "{{element}}"
+ operator: Equals
+ value: "nodes/proxy"
+ patchesJson6902: |-
+ - path: /rules/{{elementIndex0}}/resources/{{elementIndex1}}
+ op: replace
+ value: ""
+
+
From 1223326f0921980a4a48f46e21408f4448bce9b3 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Thu, 26 Sep 2024 22:26:54 +0000
Subject: [PATCH 3/4] add remediate-restrict-wildcard-resources policy and chainsaw test
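Review bot: remediation-policy-assert.yaml is written without a trailing newline (`\ No newline at end of file`), and the same is true of the wildcard copy in PATCH 3 and of the automount chainsaw-test.yaml after PATCH 4. End each file with a newline so they match the rest of the tree and a later addition does not show up as a change to the last line.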
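Review bot: `op: replace` with `value: ""` in remediate-restrict-clusterrole-nodesproxy.yaml keeps the matched entry as an empty string — badcr03 from this commit ends up with `resources: [""]` — a vestigial entry that should match no request but will read as a typo to whoever inspects the ClusterRole next, and the description annotation does not say that this is how the violation is remediated. If `op: remove` is avoided because `elementIndex1` refers to positions in the original list and removing would shift later indices, record that in a comment above `patchesJson6902:` (not inside the block scalar, where it would become part of the patch), e.g. `# replace rather than remove: elementIndex1 indexes the original resources list, so a remove would shift later entries`. The description should likewise state that `nodes/proxy` entries are blanked rather than deleted; the wildcard remediation in PATCH 3 uses the same patch and needs the same two additions.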
Signed-off-by: Chandan-DK
---
 .../e2e/chainsaw-test.yaml | 7 ++++
 .../e2e/remediation-policy-assert.yaml | 9 +++++
 ...remediate-restrict-wildcard-resources.yaml | 33 +++++++++++++++++++
 3 files changed, 49 insertions(+)
 create mode 100644 rbac-best-practices/restrict-wildcard-resources/e2e/remediation-policy-assert.yaml
 create mode 100644 rbac-best-practices/restrict-wildcard-resources/remediate-restrict-wildcard-resources.yaml
diff --git a/rbac-best-practices/restrict-wildcard-resources/e2e/chainsaw-test.yaml b/rbac-best-practices/restrict-wildcard-resources/e2e/chainsaw-test.yaml
index 188244b5..57c08925 100644
--- a/rbac-best-practices/restrict-wildcard-resources/e2e/chainsaw-test.yaml
+++ b/rbac-best-practices/restrict-wildcard-resources/e2e/chainsaw-test.yaml
@@ -22,3 +22,10 @@ spec:
 - check:
 ($error != null): true
 file: bad-resource.yaml
+ # After creating the remediate policy, we can create the bad resources as they will be mutated to become compliant
+ - apply:
+ file: ../remediate-restrict-wildcard-resources.yaml
+ - assert:
+ file: remediation-policy-assert.yaml
+ - apply:
+ file: bad-resource.yaml
diff --git a/rbac-best-practices/restrict-wildcard-resources/e2e/remediation-policy-assert.yaml b/rbac-best-practices/restrict-wildcard-resources/e2e/remediation-policy-assert.yaml
new file mode 100644
index 00000000..ffed66aa
--- /dev/null
+++ b/rbac-best-practices/restrict-wildcard-resources/e2e/remediation-policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: remediate-restrict-wildcard-resources
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/rbac-best-practices/restrict-wildcard-resources/remediate-restrict-wildcard-resources.yaml b/rbac-best-practices/restrict-wildcard-resources/remediate-restrict-wildcard-resources.yaml
new file mode 100644
index 00000000..7c8630cf
--- /dev/null
+++ b/rbac-best-practices/restrict-wildcard-resources/remediate-restrict-wildcard-resources.yaml
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: remediate-restrict-wildcard-resources
+ annotations:
+ policies.kyverno.io/title: Remediate Restrict Wildcard in Resources
+ policies.kyverno.io/category: RBAC Best Practices
+ policies.kyverno.io/description: >-
+ This policy remediates the restrict-wildcard-resources violation
+spec:
+ background: false
+ rules:
+ - name: remediate-restrict-wildcard-resources
+ match:
+ any:
+ - resources:
+ kinds:
+ - Role
+ - ClusterRole
+ mutate:
+ foreach:
+ - list: request.object.rules[]
+ foreach:
+ - list: element.resources
+ preconditions:
+ all:
+ - key: "*"
+ operator: Equals
+ value: "{{element}}"
+ patchesJson6902: |-
+ - path: /rules/{{elementIndex0}}/resources/{{elementIndex1}}
+ op: replace
+ value: ""
From 23a19cb1cb720beef6babe91f12096d9441ce2f3 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Thu, 26 Sep 2024 23:23:54 +0000
Subject: [PATCH 4/4] simplify restrict-automount-sa-token chainsaw test
Signed-off-by: Chandan-DK
---
 .../e2e/chainsaw-test.yaml | 32 ++++---------------
 1 file changed, 7 insertions(+), 25 deletions(-)
diff --git a/rbac-best-practices/restrict-automount-sa-token/e2e/chainsaw-test.yaml b/rbac-best-practices/restrict-automount-sa-token/e2e/chainsaw-test.yaml
index c0359ce8..2bf0406c 100644
--- a/rbac-best-practices/restrict-automount-sa-token/e2e/chainsaw-test.yaml
+++ b/rbac-best-practices/restrict-automount-sa-token/e2e/chainsaw-test.yaml
@@ -3,7 +3,6 @@ kind: Test
 metadata:
 name: restrict-automount-sa-token-policy
 spec:
- namespace: default
 steps:
 - name: test-restrict-automount-sa-token
 try:
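Review bot: The precondition in remediate-restrict-wildcard-resources.yaml is written the other way round from the nodesproxy policy in PATCH 2 — `key: "*"` / `value: "{{element}}"` here versus `key: "{{element}}"` / `value: "nodes/proxy"` there — and nothing explains why, so a later tidy-up into `value: "*"` is likely. If, as I recall, Kyverno's `Equals` treats the `value` side as a wildcard pattern, that tidy-up would match every resource entry and blank the whole rule, which makes the reversal deliberate and worth a comment above the precondition, e.g. `# element goes in value, not key: Equals applies wildcard matching to value, so value: "*" would match every entry`. The description annotation should also state the effect: a rule whose resources were only `["*"]` becomes `resources: [""]`, which is not expected to match any resource — the safe direction, but a larger change than "remediates the violation" conveys.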
@@ -11,30 +10,6 @@ spec:
 file: ../restrict-automount-sa-token.yaml
 - assert:
 file: policy-assert.yaml
- - apply:
- file: ../remediate-restrict-automount-sa-token.yaml
- - assert:
- file: remediation-policy-assert.yaml
- - apply:
- file: bad-resource.yaml
- - sleep:
- duration: 20s
- - assert:
- resource:
- apiVersion: wgpolicyk8s.io/v1alpha2
- kind: PolicyReport
- summary:
- error: 0
- fail: 0
- pass: 1
- - delete:
- ref:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: remediate-restrict-automount-sa-token
- - script:
- content: |
- kubectl delete -f bad-resource.yaml
 - script:
 content: |
 sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-automount-sa-token.yaml | kubectl apply -f -
@@ -47,3 +22,10 @@ spec:
 - check:
 ($error != null): true
 file: bad-resource.yaml
+ # After creating the remediate policy, we can create the bad resources as they will be mutated to become compliant
+ - apply:
+ file: ../remediate-restrict-automount-sa-token.yaml
+ - assert:
+ file: remediation-policy-assert.yaml
+ - apply:
+ file: bad-resource.yaml
\ No newline at end of file