From 22bfe60a8f21fc4e5b13b2705a58b32a55f9c3e1 Mon Sep 17 00:00:00 2001 From: Takumi Yanagawa Date: Tue, 31 Oct 2023 10:59:03 +0900 Subject: [PATCH] Add coommand usage of C2P for Kyverno to readme Signed-off-by: Takumi Yanagawa --- README.md | 97 +- cmd/kyverno/tools/subcommands/kyverno/cmd.go | 13 +- .../tools/subcommands/kyverno/options.go | 8 +- pkg/testdata/kyverno/c2p-config.yaml | 8 + .../kyverno/component-definition.json | 12 +- .../clusterpolicies.kyverno.io.yaml | 174 ++++ .../clusterpolicyreports.wgpolicyk8s.io.yaml | 5 + .../policy-reports/policies.kyverno.io.yaml | 5 + .../policyreports.wgpolicyk8s.io.yaml | 879 ++++++++++++++++++ .../02-setup.yaml | 29 - .../advanced-restrict-image-registries.yaml | 65 -- .../allowed-base-images/02-setup-cm.yaml | 12 + .../allowed-base-images.yaml | 58 ++ 13 files changed, 1256 insertions(+), 109 deletions(-) create mode 100644 pkg/testdata/kyverno/c2p-config.yaml create mode 100644 pkg/testdata/kyverno/policy-reports/clusterpolicies.kyverno.io.yaml create mode 100644 pkg/testdata/kyverno/policy-reports/clusterpolicyreports.wgpolicyk8s.io.yaml create mode 100644 pkg/testdata/kyverno/policy-reports/policies.kyverno.io.yaml create mode 100644 pkg/testdata/kyverno/policy-reports/policyreports.wgpolicyk8s.io.yaml delete mode 100644 pkg/testdata/kyverno/policy-resources/advanced-restrict-image-registries/02-setup.yaml delete mode 100644 pkg/testdata/kyverno/policy-resources/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml create mode 100644 pkg/testdata/kyverno/policy-resources/allowed-base-images/02-setup-cm.yaml create mode 100644 pkg/testdata/kyverno/policy-resources/allowed-base-images/allowed-base-images.yaml diff --git a/README.md b/README.md index 0950b41..c14073e 100644 --- a/README.md +++ b/README.md 
@@ -1,10 +1,103 @@ # compliance-to-policy -Compliance-to-Policy (C2P) provides the framework to bridge the gap between compliance and policy administration. +Compliance-to-Policy (C2P) provides the framework to bridge Compliance administration and Policy administration by [OSCAL](https://pages.nist.gov/OSCAL/). OSCAL (Open Security Controls Assessment Language) is a standardized framework developed by NIST for expressing and automating the assessment and management of security controls in machine-readable format (xml, json, yaml) -## C2P as pipeline task +## Continuous Compliance by C2P https://github.com/IBM/compliance-to-policy/assets/113283236/da3518d0-53de-4bd6-8703-04ce94e9dfba +## Usage of C2P commands + +### C2P for Kyverno +Prepare Kyverno Policy Resources +- You can use [policy-resources for test](/pkg/testdata/kyverno/policy-resources) +- You can load Kyverno Policy Resource from Kyverno Policies (https://github.com/kyverno/policies) + 1. Run `kyverno tools load-policy-resources` command + ``` + $ go run cmd/c2pcli/main.go kyverno tools load-policy-resources --src https://github.com/kyverno/policies --dest /tmp/policies + ``` + ``` + $ tree /tmp/policies + /tmp/policies + ├── add-apparmor-annotations + │ └── add-apparmor-annotations.yaml + ├── add-capabilities + │ └── add-capabilities.yaml + ├── add-castai-removal-disabled + │ └── add-castai-removal-disabled.yaml + ├── add-certificates-volume + │ └── add-certificates-volume.yaml + ├── add-default-resources + ... + ``` + - You can check result.json about what resources are downloaded. + ``` + $ cat /tmp/policies/result.json + + ``` + - There are some policies that depend on context. Please add the context resources manually. result.json contains list of the policies that have context field + ``` + $ jq -r .summary.resourcesHavingContext /tmp/policies/result.json + [ + "allowed-podpriorities", + "allowed-base-images", + "advanced-restrict-image-registries", + ... 
+ "require-linkerd-server" + ] + ``` +#### Convert OSCAL to Kyverno Policy +``` +$ go run cmd/c2pcli/main.go kyverno oscal2policy -c ./pkg/testdata/kyverno/c2p-config.yaml -o /tmp/kyverno-policies +2023-10-31T07:23:56.291+0900 INFO kyverno/c2pcr kyverno/configparser.go:53 Component-definition is loaded from ./pkg/testdata/kyverno/component-definition.json + +$ tree /tmp/kyverno-policies +/tmp/kyverno-policies +└── allowed-base-images + ├── 02-setup-cm.yaml + └── allowed-base-images.yaml +``` + +#### Convert Policy Report to OSCAL Assessment Results +``` +$ go run cmd/c2pcli/main.go kyverno result2oscal -c ./pkg/testdata/kyverno/c2p-config.yaml -o /tmp/assessment-results + +$ tree /tmp/assessment-results +/tmp/assessment-results +└── assessment-results.json +``` + +Reformat in human friendly format (markdown file) since OSCAL is not machine friendly format. +``` +$ go run cmd/c2pcli/main.go kyverno oscal2posture -c ./pkg/testdata/kyverno/c2p-config.yaml --assessment-results /tmp/assessment-results/assessment-results.json -o /tmp/compliance-report.md +``` + +``` +$ head -n 15 /tmp/compliance-report.md +## Catalog + +## Component: Kubernetes +#### Result of control: cm-8.3_smt.a + +Rule ID: allowed-base-images +
Details + + - Subject UUID: 0b1adf1c-f6e2-46af-889e-39255e669655 + - Title: ApiVersion: v1, Kind: Pod, Namespace: argocd, Name: argocd-application-controller-0 + - Result: fail + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` +``` + +### C2P for Open Cluster Management (OCM) +OCM has Policy Governance Framework, where the policy is OCM Policy and the PVP audit result is status of deployed OCM Policy. + +#### Convert OSCAL Component Definition to OCM Policy +TBD +#### Convert OCM Policy Status to OSCAL Assessment Results +TBD + ### Setup pipeline 1. Create two repositories (one is configuration repository that's used for pipeline from OSCAL to Policy and another is evidence repository that's used for pipeline from OCM statuses to Compliance result) - For example, c2p-for-ocm-pipeline01-config and c2p-for-ocm-pipeline01-evidence diff --git a/cmd/kyverno/tools/subcommands/kyverno/cmd.go b/cmd/kyverno/tools/subcommands/kyverno/cmd.go index d6f3476..94e2314 100644 --- a/cmd/kyverno/tools/subcommands/kyverno/cmd.go +++ b/cmd/kyverno/tools/subcommands/kyverno/cmd.go 
@@ -64,19 +64,24 @@ type Result struct { } func Run(options *Options) error { - srcDir, destDir := options.SourceDir, options.DestinationDir + srcUrl, destDir, tempDirPath := options.SourceUrl, options.DestinationDir, options.TempDirPath if _, err := pkg.MakeDir(destDir); err != nil { logger.Error(fmt.Sprintf("Failed to create a destination directory %s", destDir)) return err } - fl := kyverno.NewFileLoader() - - err := fl.LoadFromDirectory(srcDir) + gitUtils := pkg.NewGitUtils(pkg.NewTempDirectory(tempDirPath)) + cloneDir, path, err := gitUtils.GitClone(srcUrl) if err != nil { return err } + srcDir := cloneDir + "/" + path + + fl := kyverno.NewFileLoader() + if err := fl.LoadFromDirectory(srcDir); err != nil { + return err + } inverseMap := map[string][]*policyResourceIndex{} policyResourceIndice := []policyResourceIndex{} diff --git a/cmd/kyverno/tools/subcommands/kyverno/options.go b/cmd/kyverno/tools/subcommands/kyverno/options.go index 583ab13..11ef107 100644 --- a/cmd/kyverno/tools/subcommands/kyverno/options.go +++ b/cmd/kyverno/tools/subcommands/kyverno/options.go @@ -23,8 +23,9 @@ import ( ) type Options struct { - SourceDir string + SourceUrl string DestinationDir string + TempDirPath string } func NewOptions() *Options { @@ -32,8 +33,9 @@ func NewOptions() *Options { } func (o *Options) AddFlags(fs *pflag.FlagSet) { - fs.StringVar(&o.SourceDir, "src", "", "path to a directory of Kyverno policy collection") + fs.StringVar(&o.SourceUrl, "src", "", "url or path to a directory of Kyverno policy collection") fs.StringVar(&o.DestinationDir, "dest", "", "path to a directory for output retrieved Kyverno policies") + fs.StringVar(&o.TempDirPath, "temp-dir", "", "path to temp directory (default: system-defined temporary directory)") } func (o *Options) Complete() error { 
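Review bot: `srcDir := cloneDir + "/" + path` builds the policy directory with a hard-coded separator; `srcDir := filepath.Join(cloneDir, path)` yields an OS-correct, cleaned path and behaves sensibly when `path` is empty. Nothing in this hunk removes the checkout created under `pkg.NewTempDirectory(tempDirPath)` once loading is done, so unless GitUtils cleans up after itself a `defer os.RemoveAll(cloneDir)` placed after the clone error check would stop each run from leaving a full copy of the policy repository in the temp directory. `GitClone` receives only `srcUrl`, so the policies pulled in are whatever the remote's default branch holds at run time; accepting a tag or commit to pin, or at least logging the resolved revision, would make the loaded policy collection reproducible and auditable. Run's body continues past the end of the hunk.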
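Review bot: The new field `SourceUrl` (here and in the `AddFlags` and `Validate` hunks that follow) should be spelled `SourceURL`, since Go keeps initialisms in a consistent case, and `Options` is exported so the rename is cheapest now. The `--src` help text promises `url or path to a directory of Kyverno policy collection`, but `Run` hands the value straight to `GitClone`, so the local-path form only works if GitClone accepts it; either confirm that or narrow the help to the forms actually supported. `TempDirPath` is an exported field with no comment; a one-liner such as `// TempDirPath is where the policy repository is cloned; empty selects the system temp directory.` would state the contract the flag help already implies.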
@@ -41,7 +43,7 @@ func (o *Options) Complete() error { } func (o *Options) Validate() error { - if o.SourceDir == "" { + if o.SourceUrl == "" { return errors.New("--src is required") } if o.DestinationDir == "" { diff --git a/pkg/testdata/kyverno/c2p-config.yaml b/pkg/testdata/kyverno/c2p-config.yaml new file mode 100644 index 0000000..10a0146 --- /dev/null +++ b/pkg/testdata/kyverno/c2p-config.yaml @@ -0,0 +1,8 @@ +compliance: + name: Demo Compliance + componentDefinition: + url: ./pkg/testdata/kyverno/component-definition.json +policyResources: + url: ./pkg/testdata/kyverno/policy-resources +policyResults: + url: ./pkg/testdata/kyverno/policy-reports diff --git a/pkg/testdata/kyverno/component-definition.json b/pkg/testdata/kyverno/component-definition.json index 9aa80b3..86a8dd2 100644 --- a/pkg/testdata/kyverno/component-definition.json +++ b/pkg/testdata/kyverno/component-definition.json 
@@ -17,13 +17,13 @@ { "name": "Rule_Id", "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/kubernetes", - "value": "advanced-restrict-image-registries", + "value": "allowed-base-images", "remarks": "rule_set_0" }, { "name": "Rule_Description", "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/kubernetes", - "value": "In instances where a ClusterPolicy defines all the approved image registries is insufficient, more granular control may be needed to set permitted registries, especially in multi-tenant use cases where some registries may be based on the Namespace. This policy shows an advanced version of the Restrict Image Registries policy which gets a global approved registry from a ConfigMap and, based upon an annotation at the Namespace level, gets the registry approved for that Namespace.", + "value": "Building images which specify a base as their origin is a good start to improving supply chain security, but over time organizations may want to build an allow list of specific base images which are allowed to be used when constructing containers. This policy ensures that a container's base, found in an OCI annotation, is in a cluster-wide allow list.", "remarks": "rule_set_0" } ], @@ -46,7 +46,7 @@ { "name": "Rule_Id", "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/kubernetes", - "value": "advanced-restrict-image-registries" + "value": "allowed-base-images" } ] } 
@@ -65,19 +65,19 @@ { "name": "Rule_Id", "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/kyverno", - "value": "advanced-restrict-image-registries", + "value": "allowed-base-images", "remarks": "rule_set_1" }, { "name": "Check_Id", "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/kyverno", - "value": "advanced-restrict-image-registries", + "value": "allowed-base-images", "remarks": "rule_set_1" }, { "name": "Check_Description", "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/kyverno", - "value": "advanced-restrict-image-registries", + "value": "allowed-base-images", "remarks": "rule_set_1" } ], diff --git a/pkg/testdata/kyverno/policy-reports/clusterpolicies.kyverno.io.yaml b/pkg/testdata/kyverno/policy-reports/clusterpolicies.kyverno.io.yaml new file mode 100644 index 0000000..0ff3611 --- /dev/null +++ b/pkg/testdata/kyverno/policy-reports/clusterpolicies.kyverno.io.yaml 
@@ -0,0 +1,174 @@ +apiVersion: v1 +items: +- apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + annotations: + kyverno.io/kubernetes-version: "1.23" + kyverno.io/kyverno-version: 1.7.0 + policies.kyverno.io/category: Other + policies.kyverno.io/description: Building images which specify a base as their + origin is a good start to improving supply chain security, but over time organizations + may want to build an allow list of specific base images which are allowed + to be used when constructing containers. This policy ensures that a container's + base, found in an OCI annotation, is in a cluster-wide allow list. + policies.kyverno.io/minversion: 1.7.0 + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Pod + policies.kyverno.io/title: Allowed Base Images + creationTimestamp: "2023-10-18T05:41:05Z" + generation: 1 + labels: + app.kubernetes.io/instance: c2p + name: allowed-base-images + resourceVersion: "55817" + uid: 2fe80492-772f-424e-a259-1b5b43f74005 + spec: + background: true + rules: + - context: + - configMap: + name: baseimages + namespace: platform + name: baseimages + match: + any: + - resources: + kinds: + - Pod + name: allowed-base-images + preconditions: + all: + - key: '{{request.operation || ''BACKGROUND''}}' + operator: NotEquals + value: DELETE + validate: + foreach: + - context: + - imageRegistry: + reference: '{{ element.image }}' + name: imageData + - name: basename + variable: + default: "" + jmesPath: imageData.manifest.annotations."org.opencontainers.image.base.name" + deny: + conditions: + all: + - key: '{{ basename }}' + operator: AnyNotIn + value: '{{ baseimages.data.allowedbaseimages }}' + list: request.object.spec.containers + message: This container image's base is not in the approved list or is not + specified. Only pre-approved base images may be used. Please contact the + platform team for assistance. 
+ validationFailureAction: audit + status: + autogen: + rules: + - context: + - configMap: + name: baseimages + namespace: platform + name: baseimages + exclude: + resources: {} + generate: + clone: {} + cloneList: {} + match: + any: + - resources: + kinds: + - DaemonSet + - Deployment + - Job + - StatefulSet + - ReplicaSet + - ReplicationController + resources: {} + mutate: {} + name: autogen-allowed-base-images + preconditions: + all: + - key: '{{request.operation || ''BACKGROUND''}}' + operator: NotEquals + value: DELETE + validate: + foreach: + - context: + - imageRegistry: + reference: '{{ element.image }}' + name: imageData + - name: basename + variable: + default: "" + jmesPath: imageData.manifest.annotations."org.opencontainers.image.base.name" + deny: + conditions: + all: + - key: '{{ basename }}' + operator: AnyNotIn + value: '{{ baseimages.data.allowedbaseimages }}' + list: request.object.spec.template.spec.containers + message: This container image's base is not in the approved list or is not + specified. Only pre-approved base images may be used. Please contact the + platform team for assistance. 
+ - context: + - configMap: + name: baseimages + namespace: platform + name: baseimages + exclude: + resources: {} + generate: + clone: {} + cloneList: {} + match: + any: + - resources: + kinds: + - CronJob + resources: {} + mutate: {} + name: autogen-cronjob-allowed-base-images + preconditions: + all: + - key: '{{request.operation || ''BACKGROUND''}}' + operator: NotEquals + value: DELETE + validate: + foreach: + - context: + - imageRegistry: + reference: '{{ element.image }}' + name: imageData + - name: basename + variable: + default: "" + jmesPath: imageData.manifest.annotations."org.opencontainers.image.base.name" + deny: + conditions: + all: + - key: '{{ basename }}' + operator: AnyNotIn + value: '{{ baseimages.data.allowedbaseimages }}' + list: request.object.spec.jobTemplate.spec.template.spec.containers + message: This container image's base is not in the approved list or is not + specified. Only pre-approved base images may be used. Please contact the + platform team for assistance. + conditions: + - lastTransitionTime: "2023-10-18T05:53:47Z" + message: Ready + reason: Succeeded + status: "True" + type: Ready + ready: true + rulecount: + generate: 0 + mutate: 0 + validate: 1 + verifyimages: 0 +kind: List +metadata: + resourceVersion: "" diff --git a/pkg/testdata/kyverno/policy-reports/clusterpolicyreports.wgpolicyk8s.io.yaml b/pkg/testdata/kyverno/policy-reports/clusterpolicyreports.wgpolicyk8s.io.yaml new file mode 100644 index 0000000..ded9522 --- /dev/null +++ b/pkg/testdata/kyverno/policy-reports/clusterpolicyreports.wgpolicyk8s.io.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +items: [] +kind: List +metadata: + resourceVersion: "" diff --git a/pkg/testdata/kyverno/policy-reports/policies.kyverno.io.yaml b/pkg/testdata/kyverno/policy-reports/policies.kyverno.io.yaml new file mode 100644 index 0000000..ded9522 --- /dev/null +++ b/pkg/testdata/kyverno/policy-reports/policies.kyverno.io.yaml 
@@ -0,0 +1,5 @@ +apiVersion: v1 +items: [] +kind: List +metadata: + resourceVersion: "" diff --git a/pkg/testdata/kyverno/policy-reports/policyreports.wgpolicyk8s.io.yaml b/pkg/testdata/kyverno/policy-reports/policyreports.wgpolicyk8s.io.yaml new file mode 100644 index 0000000..97bbef6 --- /dev/null +++ b/pkg/testdata/kyverno/policy-reports/policyreports.wgpolicyk8s.io.yaml 
@@ -0,0 +1,879 @@ +apiVersion: v1 +items: +- apiVersion: wgpolicyk8s.io/v1alpha2 + kind: PolicyReport + metadata: + creationTimestamp: "2023-10-18T05:41:49Z" + generation: 6 + labels: + app.kubernetes.io/managed-by: kyverno + cpol.kyverno.io/allowed-base-images: "55817" + name: cpol-allowed-base-images + namespace: argocd + resourceVersion: "56336" + uid: f50076f9-c979-4605-addc-050a60688f4a + results: + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: v1 + kind: Pod + name: argocd-application-controller-0 + namespace: argocd + uid: 0b1adf1c-f6e2-46af-889e-39255e669655 + result: fail + rule: allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608494 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: v1 + kind: Pod + name: argocd-server-5985b6cf6f-5cbcw + namespace: argocd + uid: 3c7a83c8-abc9-4041-aafd-16da906f9efc + result: fail + rule: allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608466 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' 
+ policy: allowed-base-images + resources: + - apiVersion: v1 + kind: Pod + name: argocd-repo-server-7ccbc8cb48-f4nxv + namespace: argocd + uid: 4db11e78-ef68-4003-bef7-c24d35a48951 + result: fail + rule: allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608485 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: v1 + kind: Pod + name: argocd-notifications-controller-5557f7bb5b-knkhk + namespace: argocd + uid: 66c9292a-091b-4325-ac28-44080e305f8c + result: fail + rule: allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608481 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: v1 + kind: Pod + name: argocd-redis-b5d6bf5f5-hx2bh + namespace: argocd + uid: 89fc793e-e686-4653-a838-3fe4ac37b1bf + result: fail + rule: allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608471 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' 
+ policy: allowed-base-images + resources: + - apiVersion: v1 + kind: Pod + name: argocd-dex-server-bb76f899c-crpgz + namespace: argocd + uid: e7a4e6fe-7380-4c59-86ad-6a5f1a924e39 + result: fail + rule: allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608482 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: v1 + kind: Pod + name: argocd-applicationset-controller-787bfd9669-64886 + namespace: argocd + uid: fc29d94c-115f-4351-94eb-4839d3e30a78 + result: fail + rule: allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608500 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: apps/v1 + kind: Deployment + name: argocd-server + namespace: argocd + uid: 23d25075-da9c-41aa-a73e-e317770c377d + result: fail + rule: autogen-allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608434 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' 
+ policy: allowed-base-images + resources: + - apiVersion: apps/v1 + kind: ReplicaSet + name: argocd-applicationset-controller-787bfd9669 + namespace: argocd + uid: 247d76c2-b43c-49ec-a501-efdbb9752b67 + result: fail + rule: autogen-allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697607707 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: apps/v1 + kind: ReplicaSet + name: argocd-notifications-controller-5557f7bb5b + namespace: argocd + uid: 25313824-108c-43e4-a6d7-d404702d6e66 + result: fail + rule: autogen-allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697607689 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: apps/v1 + kind: ReplicaSet + name: argocd-dex-server-bb76f899c + namespace: argocd + uid: 2d022b83-c9ab-4b49-be03-95b60dc4ec0f + result: fail + rule: autogen-allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697607690 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' 
+ policy: allowed-base-images + resources: + - apiVersion: apps/v1 + kind: ReplicaSet + name: argocd-redis-b5d6bf5f5 + namespace: argocd + uid: 391726d5-ac35-41b7-bd4f-67ef345b2677 + result: fail + rule: autogen-allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697607695 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: apps/v1 + kind: ReplicaSet + name: argocd-repo-server-7ccbc8cb48 + namespace: argocd + uid: 71ef51a8-67ca-4e57-8d77-24f4206ac841 + result: fail + rule: autogen-allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697607714 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: apps/v1 + kind: ReplicaSet + name: argocd-server-5985b6cf6f + namespace: argocd + uid: 81797cb9-31c0-4872-a958-b167836b6cff + result: fail + rule: autogen-allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697607715 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' 
+ policy: allowed-base-images + resources: + - apiVersion: apps/v1 + kind: ReplicaSet + name: argocd-repo-server-56998dcf9c + namespace: argocd + uid: ca513c3b-2054-4db1-8df3-23ec18b5680d + result: fail + rule: autogen-allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697607709 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: apps/v1 + kind: StatefulSet + name: argocd-application-controller + namespace: argocd + uid: cf61f7f0-cd9a-44f6-ab07-ddc83a31c6de + result: fail + rule: autogen-allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608439 + summary: + error: 0 + fail: 16 + pass: 0 + skip: 0 + warn: 0 +- apiVersion: wgpolicyk8s.io/v1alpha2 + kind: PolicyReport + metadata: + creationTimestamp: "2023-10-18T05:42:11Z" + generation: 5 + labels: + app.kubernetes.io/managed-by: kyverno + cpol.kyverno.io/allowed-base-images: "55817" + name: cpol-allowed-base-images + namespace: kube-system + resourceVersion: "56257" + uid: 4e139043-7067-4b05-b710-6a84d553ccdf + results: + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' 
+ policy: allowed-base-images + resources: + - apiVersion: v1 + kind: Pod + name: etcd-kind-control-plane + namespace: kube-system + uid: 18b1d403-dde5-4b77-97e1-af25f8dd5f97 + result: fail + rule: allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608486 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: v1 + kind: Pod + name: kube-proxy-wsl9b + namespace: kube-system + uid: 1c99caf6-f89a-493e-86cc-654a7987d2c1 + result: fail + rule: allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608463 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: v1 + kind: Pod + name: coredns-5d78c9869d-pwc6s + namespace: kube-system + uid: 4861beaf-4981-4e21-9b62-a65310b3d6af + result: fail + rule: allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608469 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' 
+ policy: allowed-base-images + resources: + - apiVersion: v1 + kind: Pod + name: kindnet-9gpsc + namespace: kube-system + uid: 67b1d4ca-2d17-4c02-983b-cca88998688a + result: fail + rule: allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608473 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: v1 + kind: Pod + name: kube-scheduler-kind-control-plane + namespace: kube-system + uid: 96b4a7a8-69e7-4487-a5fb-55e6cef6d81f + result: fail + rule: allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608474 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: v1 + kind: Pod + name: coredns-5d78c9869d-v4bzh + namespace: kube-system + uid: a1ff9879-6c0c-4199-8b6a-e8002bdb5468 + result: fail + rule: allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608462 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' 
+ policy: allowed-base-images + resources: + - apiVersion: v1 + kind: Pod + name: kube-controller-manager-kind-control-plane + namespace: kube-system + uid: c59c011a-3a47-47bc-8abf-9bab2b228b4f + result: fail + rule: allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608487 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: v1 + kind: Pod + name: kube-apiserver-kind-control-plane + namespace: kube-system + uid: d945abb0-0b11-4e32-b4fa-2dabcc325be0 + result: fail + rule: allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608507 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: apps/v1 + kind: DaemonSet + name: kube-proxy + namespace: kube-system + uid: 3850baa8-0b50-4cee-b3ae-e2ca857bd2f1 + result: fail + rule: autogen-allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608448 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' 
+ policy: allowed-base-images + resources: + - apiVersion: apps/v1 + kind: DaemonSet + name: kindnet + namespace: kube-system + uid: 8c1de00f-7c26-408c-89ae-40c4af347467 + result: fail + rule: autogen-allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608448 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: apps/v1 + kind: ReplicaSet + name: coredns-5d78c9869d + namespace: kube-system + uid: fe901839-d4d0-4614-a83d-f1747cba5905 + result: fail + rule: autogen-allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697607699 + summary: + error: 0 + fail: 11 + pass: 0 + skip: 0 + warn: 0 +- apiVersion: wgpolicyk8s.io/v1alpha2 + kind: PolicyReport + metadata: + creationTimestamp: "2023-10-18T05:41:49Z" + generation: 18 + labels: + app.kubernetes.io/managed-by: kyverno + cpol.kyverno.io/allowed-base-images: "55817" + name: cpol-allowed-base-images + namespace: kyverno + resourceVersion: "66439" + uid: 6fd534bc-f4dd-4d68-abab-0f1492ffbe9d + results: + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' 
+ policy: allowed-base-images + resources: + - apiVersion: v1 + kind: Pod + name: kyverno-cleanup-cluster-admission-reports-28293520-hml9q + namespace: kyverno + uid: 16e915d2-816c-4560-811b-3b68d32f9669 + result: fail + rule: allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697611239 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: v1 + kind: Pod + name: kyverno-cleanup-admission-reports-28293520-4ck6h + namespace: kyverno + uid: 372c612a-5548-4925-9916-ce8c5b070eb6 + result: fail + rule: allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697611239 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: v1 + kind: Pod + name: kyverno-background-controller-74599787cf-69cc2 + namespace: kyverno + uid: 47e9644c-4ec5-4655-a157-be4330c7cad5 + result: fail + rule: allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608477 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' 
+ policy: allowed-base-images + resources: + - apiVersion: v1 + kind: Pod + name: kyverno-admission-controller-7cd788c8dd-gmhzv + namespace: kyverno + uid: 956e9d43-c37c-47fe-8d12-46ffa00cf081 + result: fail + rule: allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608488 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: v1 + kind: Pod + name: kyverno-cleanup-controller-ddf458755-zjdhx + namespace: kyverno + uid: a1035b1f-4555-467a-8c24-f319a5f77387 + result: fail + rule: allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608488 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: v1 + kind: Pod + name: kyverno-reports-controller-7f94855747-t2pbd + namespace: kyverno + uid: e5f132fc-c45f-42e8-8c64-04d1a9b10a94 + result: fail + rule: allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608477 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' 
+ policy: allowed-base-images + resources: + - apiVersion: apps/v1 + kind: ReplicaSet + name: kyverno-cleanup-controller-ddf458755 + namespace: kyverno + uid: 19fe628b-828c-4ac6-b0f8-c74112466334 + result: fail + rule: autogen-allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697607699 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: apps/v1 + kind: Deployment + name: kyverno-cleanup-controller + namespace: kyverno + uid: 9777357f-3598-4ba0-9142-f554601b7544 + result: fail + rule: autogen-allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608435 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: apps/v1 + kind: ReplicaSet + name: kyverno-reports-controller-7f94855747 + namespace: kyverno + uid: 9a97ba34-8310-4a60-a5a6-112f17b2bfe5 + result: fail + rule: autogen-allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697607702 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' 
+ policy: allowed-base-images + resources: + - apiVersion: apps/v1 + kind: ReplicaSet + name: kyverno-background-controller-74599787cf + namespace: kyverno + uid: 9bf6595a-21af-4d05-b054-7db0e37638e8 + result: fail + rule: autogen-allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697607721 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: apps/v1 + kind: ReplicaSet + name: kyverno-admission-controller-7cd788c8dd + namespace: kyverno + uid: f2185ef7-aa43-48cb-abd1-e21fbfb79b0a + result: fail + rule: autogen-allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697607717 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: batch/v1 + kind: CronJob + name: kyverno-cleanup-cluster-admission-reports + namespace: kyverno + uid: 1f7dd3fe-6995-4205-a34e-dabbbe2081f9 + result: fail + rule: autogen-cronjob-allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608454 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' 
+ policy: allowed-base-images + resources: + - apiVersion: batch/v1 + kind: CronJob + name: kyverno-cleanup-admission-reports + namespace: kyverno + uid: 54aecd37-31c1-490f-a963-0079e9e1bc37 + result: fail + rule: autogen-cronjob-allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608452 + summary: + error: 0 + fail: 13 + pass: 0 + skip: 0 + warn: 0 +- apiVersion: wgpolicyk8s.io/v1alpha2 + kind: PolicyReport + metadata: + creationTimestamp: "2023-10-18T05:42:17Z" + generation: 2 + labels: + app.kubernetes.io/managed-by: kyverno + cpol.kyverno.io/allowed-base-images: "55817" + name: cpol-allowed-base-images + namespace: local-path-storage + resourceVersion: "56373" + uid: 32bf44e2-5ed8-4bc7-a4cb-801c7a062f2b + results: + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' + policy: allowed-base-images + resources: + - apiVersion: v1 + kind: Pod + name: local-path-provisioner-6bc4bddd6b-4tbp5 + namespace: local-path-storage + uid: 851841df-c869-4fce-b745-4d2c65f81aa4 + result: fail + rule: allowed-base-images + scored: true + severity: medium + source: kyverno + timestamp: + nanos: 0 + seconds: 1697608504 + - category: Other + message: 'validation failure: This container image''s base is not in the approved + list or is not specified. Only pre-approved base images may be used. Please + contact the platform team for assistance.' 
+ policy: allowed-base-images
+ resources:
+ - apiVersion: apps/v1
+ kind: ReplicaSet
+ name: local-path-provisioner-6bc4bddd6b
+ namespace: local-path-storage
+ uid: bfe41dbc-02cc-4378-bbf8-532a5bc570b6
+ result: fail
+ rule: autogen-allowed-base-images
+ scored: true
+ severity: medium
+ source: kyverno
+ timestamp:
+ nanos: 0
+ seconds: 1697607704
+ summary:
+ error: 0
+ fail: 2
+ pass: 0
+ skip: 0
+ warn: 0
+kind: List
+metadata:
+ resourceVersion: ""
diff --git a/pkg/testdata/kyverno/policy-resources/advanced-restrict-image-registries/02-setup.yaml b/pkg/testdata/kyverno/policy-resources/advanced-restrict-image-registries/02-setup.yaml
deleted file mode 100644
index 5008eb2..0000000
--- a/pkg/testdata/kyverno/policy-resources/advanced-restrict-image-registries/02-setup.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- annotations:
- corp.com/allowed-registries: "img.corp.com/*"
- name: imageregistries-ns01
----
-apiVersion: v1
-kind: Namespace
-metadata:
- annotations:
- corp.com/allowed-registries: "docker.io/*"
- name: imageregistries-ns02
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: clusterregistries
- namespace: imageregistries-ns01
-data:
- registries: "corp.img.io/*"
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: clusterregistries
- namespace: default
-data:
- registries: "ghcr.io/*"
\ No newline at end of file
diff --git a/pkg/testdata/kyverno/policy-resources/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml b/pkg/testdata/kyverno/policy-resources/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml
deleted file mode 100644
index dd8d68c..0000000
--- a/pkg/testdata/kyverno/policy-resources/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml
+++ /dev/null
@@ -1,65 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: advanced-restrict-image-registries
- annotations:
- policies.kyverno.io/title: Advanced Restrict Image Registries
- policies.kyverno.io/category: Other
- policies.kyverno.io/severity: medium
- kyverno.io/kyverno-version: 1.6.0
- policies.kyverno.io/minversion: 1.6.0
- kyverno.io/kubernetes-version: "1.23"
- policies.kyverno.io/subject: Pod
- policies.kyverno.io/description: >-
- In instances where a ClusterPolicy defines all the approved image registries
- is insufficient, more granular control may be needed to set permitted registries,
- especially in multi-tenant use cases where some registries may be based on
- the Namespace. This policy shows an advanced version of the Restrict Image Registries
- policy which gets a global approved registry from a ConfigMap and, based upon an
- annotation at the Namespace level, gets the registry approved for that Namespace.
-spec:
- validationFailureAction: audit
- background: false
- rules:
- - name: validate-corp-registries
- match:
- any:
- - resources:
- kinds:
- - Pod
- context:
- # Get the value of the Namespace annotation called `corp.com/allowed-registries` and store. The value
- # must end with a wildcard. Currently assumes there is only a single registry name in the value.
- - name: nsregistries
- apiCall:
- urlPath: "/api/v1/namespaces/{{request.namespace}}"
- jmesPath: "metadata.annotations.\"corp.com/allowed-registries\" || ''"
- # Get the ConfigMap in the `default` Namespace called `clusterregistries` and store. The value of the key
- # must end with a wildcard. Currently assumes there is only a single registry name in the value.
- - name: clusterregistries
- configMap:
- name: clusterregistries
- namespace: default
- preconditions:
- any:
- - key: "{{request.operation || 'BACKGROUND'}}"
- operator: AnyIn
- value:
- - CREATE
- - UPDATE
- validate:
- message: This Pod names an image that is not from an approved registry.
- foreach:
- # Create a flattened array of all containers in the Pod.
- - list: "request.object.spec.[initContainers, ephemeralContainers, containers][]"
- deny:
- conditions:
- all:
- # Loop over every image and deny the Pod if any image doesn't match either the allowed registry in the
- # cluster ConfigMap or the annotation on the Namespace where the Pod is created.
- - key: "{{element.image}}"
- operator: NotEquals
- value: "{{nsregistries}}"
- - key: "{{element.image}}"
- operator: NotEquals
- value: "{{clusterregistries.data.registries}}"
\ No newline at end of file
diff --git a/pkg/testdata/kyverno/policy-resources/allowed-base-images/02-setup-cm.yaml b/pkg/testdata/kyverno/policy-resources/allowed-base-images/02-setup-cm.yaml
new file mode 100644
index 0000000..62b077a
--- /dev/null
+++ b/pkg/testdata/kyverno/policy-resources/allowed-base-images/02-setup-cm.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: platform
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: platform
+ name: baseimages
+data:
+ allowedbaseimages: "gcr.io/distroless/static:nonroot"
\ No newline at end of file
diff --git a/pkg/testdata/kyverno/policy-resources/allowed-base-images/allowed-base-images.yaml b/pkg/testdata/kyverno/policy-resources/allowed-base-images/allowed-base-images.yaml
new file mode 100644
index 0000000..94bd200
--- /dev/null
+++ b/pkg/testdata/kyverno/policy-resources/allowed-base-images/allowed-base-images.yaml
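Review bot: The allow list in `allowedbaseimages: "gcr.io/distroless/static:nonroot"` is a single entry pinned by a mutable tag, and the sibling policy compares the image's `org.opencontainers.image.base.name` annotation against it as a plain string, so only a base recorded with exactly that tag is accepted and the entry silently tracks whatever `nonroot` points to over time. For a test fixture that is acceptable, but since this file sits next to a README that tells users to copy these resources, a comment above the data key would prevent it being reused unchanged, e.g. `# fixture only: single tag-pinned entry; real allow lists should be maintained by the platform team and prefer digest-pinned bases`. The file also lacks a trailing newline, which the diff records separately.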
@@ -0,0 +1,58 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: allowed-base-images
+ annotations:
+ policies.kyverno.io/title: Allowed Base Images
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/severity: medium
+ kyverno.io/kyverno-version: 1.7.0
+ policies.kyverno.io/minversion: 1.7.0
+ kyverno.io/kubernetes-version: "1.23"
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ Building images which specify a base as their origin is a good start
+ to improving supply chain security, but over time organizations
+ may want to build an allow list of specific base images which
+ are allowed to be used when constructing containers. This policy ensures
+ that a container's base, found in an OCI annotation, is in a cluster-wide
+ allow list.
+spec:
+ validationFailureAction: audit
+ rules:
+ - name: allowed-base-images
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{request.operation || 'BACKGROUND'}}"
+ operator: NotEquals
+ value: DELETE
+ context:
+ - name: baseimages
+ configMap:
+ name: baseimages
+ namespace: platform
+ validate:
+ message: >-
+ This container image's base is not in the approved list or is not specified. Only pre-approved
+ base images may be used. Please contact the platform team for assistance.
+ foreach:
+ - list: "request.object.spec.containers"
+ context:
+ - name: imageData
+ imageRegistry:
+ reference: "{{ element.image }}"
+ - name: basename
+ variable:
+ jmesPath: imageData.manifest.annotations."org.opencontainers.image.base.name"
+ default: ''
+ deny:
+ conditions:
+ all:
+ - key: "{{ basename }}"
+ operator: AnyNotIn
+ value: "{{ baseimages.data.allowedbaseimages }}"
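Review bot: The foreach on `- list: "request.object.spec.containers"` only evaluates regular containers, so an init or ephemeral container built from a non-approved base is never checked by this rule; the fixture this commit deletes (advanced-restrict-image-registries) used the flattened form `- list: "request.object.spec.[initContainers, ephemeralContainers, containers][]"`, which would close the same gap here. If this file is intended to remain a verbatim copy of the upstream kyverno/policies resource, the minimal change is a comment above the list line, e.g. `# NOTE: only spec.containers is evaluated; initContainers and ephemeralContainers are not covered`. Note also that `validationFailureAction: audit` means a failing base is only recorded in a PolicyReport and the Pod is still admitted, which is consistent with the `result: fail` entries in the policy-reports test data but worth a one-line comment so readers of the fixture do not assume enforcement.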