Policy baselines are a set of global deny rules to stay compliant with an organizational security standard. Teleport rules are denied by default, but as users create new roles, a baseline deny policy (policy boundaries) will ensure that insecure rules are never authored.
E.g., rules (all deny):
Never allow users to create a role that allows root access to the dev cluster: (Node.login == root) (Node.labels["env"] == "dev")
Never allow users to create a role that allows a user named contractor to access any node in the prod cluster: (User.name == contractor) (Node.labels["env"] == "prod")
Why
It will let us implement policy boundaries as described here.
Highlight violating rules in the VS Code extension, the predicate deploy command, etc.
How
This can be done by providing default opinionated recommendations (e.g., flagging wildcard assignment) and by letting users define a custom secure baseline.
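As an added example (not code from this page or from Teleport), a toy Go checker that encodes the two deny rules above as conjunctions of attribute equalities and reports which of them a candidate allow rule would breach; the attribute names, the `Role` model and the wildcard handling are assumptions of this sketch, not Teleport's predicate language. Because "*" reaches every deny term, a wildcard assignment surfaces as a breach of every baseline, which is the opinionated check the How section describes.

```go
package main

// Term is one equality check of a deny predicate, e.g. Node.login == "root".
type Term struct{ Attr, Value string }

// Baseline is a global deny rule: a conjunction of terms that must all hold.
type Baseline struct {
	Name  string
	Terms []Term
}

// The two deny rules from the page, written in this toy model.
var Baselines = []Baseline{
	{"no-root-on-dev", []Term{{"Node.login", "root"}, {`Node.labels["env"]`, "dev"}}},
	{"no-contractor-on-prod", []Term{{"User.name", "contractor"}, {`Node.labels["env"]`, "prod"}}},
}

// Role is a candidate allow rule: the values it grants per attribute. "*" is a
// wildcard, and an attribute the role does not mention is also unconstrained.
type Role map[string][]string

// permits reports whether the allow rule covers value for attr.
func (r Role) permits(attr, value string) bool {
	vals, ok := r[attr]
	if !ok {
		return true
	}
	for _, v := range vals {
		if v == "*" || v == value {
			return true
		}
	}
	return false
}

// Violations lists the baselines a role breaches: a breach exists when every
// term of the deny conjunction is reachable under the role's allow rule.
func Violations(r Role, baselines []Baseline) []string {
	var out []string
	for _, b := range baselines {
		breached := true
		for _, t := range b.Terms {
			if !r.permits(t.Attr, t.Value) {
				breached = false
				break
			}
		}
		if breached {
			out = append(out, b.Name)
		}
	}
	return out
}
```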