From 24a2307ba3fba8efdb88c8d5c895199d82cdb318 Mon Sep 17 00:00:00 2001 From: suhasgummanirmata Date: Sun, 29 Sep 2024 11:39:55 +0530 Subject: [PATCH 1/2] NDEV-18111: add mutate policy for adding-capabilities-strict rule --- ...emediate-disallow-capabilities-strict.yaml | 102 +++++++++++++++--- 1 file changed, 90 insertions(+), 12 deletions(-) diff --git a/pod-security/restricted/disallow-capabilities-strict/remediate-disallow-capabilities-strict.yaml b/pod-security/restricted/disallow-capabilities-strict/remediate-disallow-capabilities-strict.yaml index 2eb39b6c..14b4e966 100644 --- a/pod-security/restricted/disallow-capabilities-strict/remediate-disallow-capabilities-strict.yaml +++ b/pod-security/restricted/disallow-capabilities-strict/remediate-disallow-capabilities-strict.yaml @@ -29,11 +29,10 @@ spec: value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}" patchesJson6902: |- - op: add - path: /spec/template/spec/containers/{{elementIndex}}/securityContext + path: /spec/template/spec/containers/{{elementIndex}}/securityContext/capabilities value: - capabilities: - drop: - - ALL + drop: + - ALL - list: request.object.spec.template.spec.initContainers[] order: Descending preconditions: @@ -43,11 +42,10 @@ spec: value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}" patchesJson6902: |- - op: add - path: /spec/template/spec/initContainers/{{elementIndex}}/securityContext + path: /spec/template/spec/initContainers/{{elementIndex}}/securityContext/capabilities value: - capabilities: - drop: - - ALL + drop: + - ALL - list: request.object.spec.template.spec.ephemeralContainers[] order: Descending preconditions: 
@@ -57,8 +55,88 @@ spec: value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}" patchesJson6902: |- - op: add - path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext + path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext/capabilities value: - capabilities: - drop: - - ALL + drop: + - ALL + - name: restrict-adding-capabilities-other-than-net-bind-service + match: + resources: + kinds: + - Deployment + - StatefulSet + - Job + - DaemonSet + mutate: + foreach: + - list: request.object.spec.template.spec.containers[] + order: Descending + preconditions: + all: + - key: NET_BIND_RAW + operator: AnyNotIn + value: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}" + patchesJson6902: |- + - op: remove + path: /spec/template/spec/containers/{{elementIndex}}/securityContext/capabilities/add + + - list: request.object.spec.template.spec.containers[] + order: Descending + preconditions: + all: + - key: NET_BIND_RAW + operator: In + value: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}" + patchesJson6902: |- + - op: replace + path: /spec/template/spec/containers/{{elementIndex}}/securityContext/capabilities/add + value: + - NET_BIND_RAW + + - list: request.object.spec.template.spec.initContainers[] + order: Descending + preconditions: + all: + - key: NET_BIND_RAW + operator: AnyNotIn + value: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}" + patchesJson6902: |- + - op: remove + path: /spec/template/spec/initContainers/{{elementIndex}}/securityContext/capabilities/add + + - list: request.object.spec.template.spec.initContainers[] + order: Descending + preconditions: + all: + - key: NET_BIND_RAW + operator: In + value: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}" + patchesJson6902: |- + - op: replace + path: /spec/template/spec/initContainers/{{elementIndex}}/securityContext/capabilities/add + value: + - NET_BIND_RAW 
+ + - list: request.object.spec.template.spec.ephemeralContainers[] + order: Descending + preconditions: + all: + - key: NET_BIND_RAW + operator: AnyNotIn + value: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}" + patchesJson6902: |- + - op: remove + path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext/capabilities/add + + - list: request.object.spec.template.spec.ephemeralContainers[] + order: Descending + preconditions: + all: + - key: NET_BIND_RAW + operator: In + value: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}" + patchesJson6902: |- + - op: replace + path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext/capabilities/add + value: + - NET_BIND_RAW From 4ee47b127327baa883fe7d615d39effb8aecd1a2 Mon Sep 17 00:00:00 2001 From: suhasgummanirmata Date: Tue, 8 Oct 2024 18:28:28 +0530 Subject: [PATCH 2/2] NDEV-18111: replace not supported in kyverno-1.10 --- ...emediate-disallow-capabilities-strict.yaml | 43 ++++++++++++++----- 1 file changed, 32 insertions(+), 11 deletions(-) diff --git a/pod-security/restricted/disallow-capabilities-strict/remediate-disallow-capabilities-strict.yaml b/pod-security/restricted/disallow-capabilities-strict/remediate-disallow-capabilities-strict.yaml index 14b4e966..27b1797e 100644 --- a/pod-security/restricted/disallow-capabilities-strict/remediate-disallow-capabilities-strict.yaml +++ b/pod-security/restricted/disallow-capabilities-strict/remediate-disallow-capabilities-strict.yaml @@ -29,9 +29,8 @@ spec: value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}" patchesJson6902: |- - op: add - path: /spec/template/spec/containers/{{elementIndex}}/securityContext/capabilities + path: /spec/template/spec/containers/{{elementIndex}}/securityContext/capabilities/drop value: - drop: - ALL - list: request.object.spec.template.spec.initContainers[] order: Descending 
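Review bot: `NET_BIND_RAW`, used as the precondition key (`- key: NET_BIND_RAW`) and as the `replace` value (`- NET_BIND_RAW`) throughout the new `restrict-adding-capabilities-other-than-net-bind-service` rule, is not a Linux capability — the kernel defines `NET_RAW` and `NET_BIND_SERVICE`, and the rule name itself refers to the latter. With this literal the `AnyNotIn` precondition is true for every real `add` list, so the first foreach entry for each container type removes the whole list, including a legitimate `NET_BIND_SERVICE`, while the `In` entry that should reduce the list to the single allowed capability can never fire; the remediation is therefore stricter than the validate rule it mirrors and breaks workloads that need to bind low ports. Replace every occurrence in this rule with `NET_BIND_SERVICE` (`- key: NET_BIND_SERVICE` and `- NET_BIND_SERVICE`) across the containers, initContainers and ephemeralContainers entries; the second patch carries the same literal into its `op: add` values at `@@ -84,11 +84,16`, `@@ -108,11 +116,16` and `@@ -132,11 +148,16`, so fix those together.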
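Review bot: The `op: add` now targets `.../securityContext/capabilities/drop`, but the precondition that selects containers (its `key:` line is outside the hunk; the visible value is the container's `drop[]` with an empty-list fallback) also matches containers that have no `securityContext` or `capabilities` object at all, which is the common case this remediation exists for. RFC 6902 §4.1 makes `add` an error when the containing object does not exist, so unless the Kyverno 1.10 patch engine creates missing parent paths on `add`, those containers fail mutation instead of receiving `drop: [ALL]`; this is worth confirming with a test resource whose container has no `securityContext`. The same applies to the initContainers and ephemeralContainers hunks at `@@ -42,9 +41,8` and `@@ -55,10 +53,9`. Once confirmed, record the dependency above `patchesJson6902:`, e.g. `# add relies on the patch engine creating securityContext/capabilities when absent`.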
@@ -42,9 +41,8 @@ spec: value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}" patchesJson6902: |- - op: add - path: /spec/template/spec/initContainers/{{elementIndex}}/securityContext/capabilities + path: /spec/template/spec/initContainers/{{elementIndex}}/securityContext/capabilities/drop value: - drop: - ALL - list: request.object.spec.template.spec.ephemeralContainers[] order: Descending @@ -55,10 +53,9 @@ spec: value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}" patchesJson6902: |- - op: add - path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext/capabilities - value: - drop: - - ALL + path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext/capabilities/drop + value: + - ALL - name: restrict-adding-capabilities-other-than-net-bind-service match: resources: @@ -73,6 +70,9 @@ spec: order: Descending preconditions: all: + - key: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}" + operator: NotEquals + value: [] - key: NET_BIND_RAW operator: AnyNotIn value: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}" @@ -84,11 +84,16 @@ spec: order: Descending preconditions: all: + - key: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}" + operator: NotEquals + value: [] - key: NET_BIND_RAW operator: In value: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}" patchesJson6902: |- - - op: replace + - op: remove + path: /spec/template/spec/containers/{{elementIndex}}/securityContext/capabilities/add + - op: add path: /spec/template/spec/containers/{{elementIndex}}/securityContext/capabilities/add value: - NET_BIND_RAW 
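Review bot: The `NotEquals []` precondition added to this `In` foreach entry appears redundant — `NET_BIND_RAW In add[]` already implies the list is non-empty — so only the `AnyNotIn` entries, where it guards `op: remove` against an absent path, need it; the same redundant guard is added to the `In` entries at `@@ -108,11 +116,16` and `@@ -132,11 +148,16`. Swapping `replace` for a `remove` followed by an `add` at the same path is behaviourally equivalent here because `add` on an object member creates it, but the reason lives only in the commit subject; a comment above `patchesJson6902:` such as `# remove + add instead of replace: replace is not supported on kyverno 1.10` would keep the pair from being "simplified" back. The `match`/`foreach` head of this rule is outside the hunk.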
@@ -97,6 +102,9 @@ spec: order: Descending preconditions: all: + - key: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}" + operator: NotEquals + value: [] - key: NET_BIND_RAW operator: AnyNotIn value: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}" @@ -108,11 +116,16 @@ spec: order: Descending preconditions: all: + - key: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}" + operator: NotEquals + value: [] - key: NET_BIND_RAW operator: In value: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}" patchesJson6902: |- - - op: replace + - op: remove + path: /spec/template/spec/initContainers/{{elementIndex}}/securityContext/capabilities/add + - op: add path: /spec/template/spec/initContainers/{{elementIndex}}/securityContext/capabilities/add value: - NET_BIND_RAW @@ -121,6 +134,9 @@ spec: order: Descending preconditions: all: + - key: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}" + operator: NotEquals + value: [] - key: NET_BIND_RAW operator: AnyNotIn value: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}" @@ -132,11 +148,16 @@ spec: order: Descending preconditions: all: + - key: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}" + operator: NotEquals + value: [] - key: NET_BIND_RAW operator: In value: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}" patchesJson6902: |- - - op: replace + - op: remove + path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext/capabilities/add + - op: add path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext/capabilities/add value: - NET_BIND_RAW