
feat: introduce Pepr common policies #50

Merged 35 commits into main from common-pepr on Dec 5, 2023

Conversation

@jeff-mccoy (Member) commented Nov 22, 2023

Description

Introduce Pepr Validations to replace Kyverno.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)


@jeff-mccoy jeff-mccoy changed the title feat: Introduce Pepr Common Policies feat: introduce Pepr common policies Nov 24, 2023
@mjnagel (Contributor) left a comment

I think there's definitely more to review here on the actual policy contents but wanted to comment here with an overarching issue on policies not being enforced.

I crafted malicious pods + services that should have been blocked by every single policy. What I found was that only the final policy for pods in networking (hostport) actually blocked the pod. The same was true for services: only the final policy for services in networking (nodeport) blocked the service. It appears as if only the final approve/deny for the pod actually affects the admission. Other policies that the pod violates showed as logs in Pepr, but the pod/svc were still admitted. I did some testing to confirm, and reordering policies in networking.ts changes what is actually enforced (always the last policy). I also modified the index.ts to change the import order and confirmed that the order of the imports has an effect on what is enforced.

TL;DR: the last policy in the last import in index.ts is the only one that gets properly enforced.

Inline review threads (resolved): src/policies/security.ts (2, outdated)
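The failure mode described in the comment above, where several validators run against one request but only the last approve/deny reaches the admission decision, modelled as an added TypeScript example. This is not code from uds-core or Pepr; the `Pod` shape, the three policy names, the `Verdict` type and both aggregator functions are simplifications assumed for the illustration. It contrasts a "last verdict wins" aggregator (whose result changes when the policy list is reordered, as the reviewer observed) with one that rejects on any deny and reports every violation:

```typescript
// Added example, not uds-core or Pepr code. Pod shape, policy names and the
// Verdict type are assumptions made for this illustration.

interface Container {
  name: string;
  securityContext?: { privileged?: boolean };
  ports?: { containerPort: number; hostPort?: number }[];
}

interface Pod {
  metadata: { name: string; namespace: string };
  spec: { hostNetwork?: boolean; containers: Container[] };
}

interface Verdict {
  allowed: boolean;
  reason?: string;
}

interface Policy {
  name: string;
  validate: (pod: Pod) => Verdict;
}

const approve = (): Verdict => ({ allowed: true });
const deny = (reason: string): Verdict => ({ allowed: false, reason });

// Three simplified pod policies, in the order they are evaluated.
const policies: Policy[] = [
  {
    name: "disallow-host-network",
    validate: pod => (pod.spec.hostNetwork ? deny("hostNetwork is not allowed") : approve()),
  },
  {
    name: "disallow-privileged",
    validate: pod =>
      pod.spec.containers.some(c => c.securityContext?.privileged === true)
        ? deny("privileged containers are not allowed")
        : approve(),
  },
  {
    name: "disallow-host-ports",
    validate: pod =>
      pod.spec.containers.some(c => (c.ports ?? []).some(p => p.hostPort !== undefined))
        ? deny("hostPort is not allowed")
        : approve(),
  },
];

// Broken aggregation: every policy overwrites the previous verdict, so the
// admission decision depends only on whichever policy happens to run last.
function lastVerdictWins(pod: Pod, chain: Policy[]): Verdict {
  let verdict: Verdict = approve();
  for (const policy of chain) {
    verdict = policy.validate(pod);
  }
  return verdict;
}

// Correct aggregation: a deny from any policy rejects the request regardless
// of order, and all reasons are collected so the requester sees every violation.
function anyDenyRejects(pod: Pod, chain: Policy[]): Verdict {
  const violations: string[] = [];
  for (const policy of chain) {
    const verdict = policy.validate(pod);
    if (!verdict.allowed) {
      violations.push(`${policy.name}: ${verdict.reason}`);
    }
  }
  return violations.length === 0 ? approve() : deny(violations.join("; "));
}

// Constructed input: violates the first two policies but not the last one.
const maliciousPod: Pod = {
  metadata: { name: "bad-pod", namespace: "default" },
  spec: {
    hostNetwork: true,
    containers: [
      { name: "app", securityContext: { privileged: true }, ports: [{ containerPort: 8080 }] },
    ],
  },
};

// Constructed input: violates nothing.
const cleanPod: Pod = {
  metadata: { name: "good-pod", namespace: "default" },
  spec: { containers: [{ name: "app", ports: [{ containerPort: 8080 }] }] },
};

// Stand-alone run: the broken aggregator admits the malicious pod because the
// last policy (host ports) passes; the correct one denies with both reasons.
console.log("last-wins:", lastVerdictWins(maliciousPod, policies));
console.log("any-deny :", anyDenyRejects(maliciousPod, policies));
console.log("reordered:", lastVerdictWins(maliciousPod, [...policies].reverse()));
```

The point to check in any admission framework is that the combined decision is order-independent: reversing `policies` flips the result of `lastVerdictWins` but never changes what `anyDenyRejects` returns.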
@mjnagel (Contributor) left a comment

Number of nits and a few logic issues. Went through each policy individually to validate they worked as expected.

Inline review threads (resolved): src/policies/security.ts (8, outdated), src/policies/exemptions/storage.ts (outdated), src/policies/exemptions/security.ts
@jeff-mccoy jeff-mccoy marked this pull request as ready for review December 5, 2023 07:53
@jeff-mccoy jeff-mccoy requested a review from a team as a code owner December 5, 2023 07:53
@mjnagel (Contributor) left a comment

Overall LGTM, love the tests. Few small comments with suggestions for your review.

Inline review threads (resolved): package.json, src/policies/README.md (2, one outdated), src/policies/networking.ts (2, outdated)
jeff-mccoy and others added 4 commits December 5, 2023 11:19
Co-authored-by: Micah Nagel <micah.nagel@defenseunicorns.com>
@mjnagel (Contributor) left a comment

:shipit:

@jeff-mccoy jeff-mccoy merged commit 54182b4 into main Dec 5, 2023
5 checks passed
@jeff-mccoy jeff-mccoy deleted the common-pepr branch December 5, 2023 18:13
jeff-mccoy pushed a commit that referenced this pull request Dec 5, 2023
🤖 I have created a release *beep* *boop*
---

## [0.6.0](v0.5.0...v0.6.0) (2023-12-05)

### Features

* introduce Pepr common policies ([#50](#50)) ([54182b4](54182b4))

### Miscellaneous

* conform to latest uds bundle schema ([#52](#52)) ([14dad38](14dad38))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
robmcelvenny pushed a commit to owen-grady/uds-core-slim-dev that referenced this pull request Jun 3, 2024
3 participants