Closed cybra-northco closed 4 months ago
Thanks for opening your first issue here! Be sure to follow the issue template!
Thank you for catching this. This is my fault for not testing enough scenarios. I have enhanced this policy and think I now cover all the scenarios. Would you please run this policy through its paces and provide your feedback?
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-capabilities
spec:
validationFailureAction: Enforce
background: true
rules:
- name: adding-capabilities-service-mesh
match:
any:
- resources:
kinds:
- Pod
preconditions:
all:
- key: "{{ request.operation || 'BACKGROUND' }}"
operator: NotEquals
value: DELETE
context:
- name: capabilities
variable:
value: ["AUDIT_WRITE","CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","MKNOD","NET_BIND_SERVICE","SETFCAP","SETGID","SETPCAP","SETUID","SYS_CHROOT"]
validate:
message: >-
Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
are disallowed. Service mesh initContainers may additionally add NET_ADMIN and NET_RAW.
foreach:
- list: request.object.spec.initContainers[]
preconditions:
all:
- key: "{{ element.image }}"
operator: AnyIn
value:
- "*/istio/proxyv2*"
- "*/linkerd/proxy-init*"
- key: "{{ element.securityContext.capabilities.add[] || `[]` }}"
operator: AnyNotIn
value:
- NET_ADMIN
- NET_RAW
- "{{ capabilities }}"
deny:
conditions:
all:
- key: "{{ element.securityContext.capabilities.add[] || `[]` }}"
operator: AnyNotIn
value: "{{ capabilities }}"
message: The service mesh initContainer {{ element.name }} is attempting to add forbidden capabilities.
- list: request.object.spec.initContainers[]
preconditions:
all:
- key: "{{ element.image }}"
operator: AnyNotIn
value:
- "*/istio/proxyv2*"
- "*/linkerd/proxy-init*"
deny:
conditions:
all:
- key: "{{ element.securityContext.capabilities.add[] || `[]` }}"
operator: AnyNotIn
value: "{{ capabilities }}"
message: The initContainer {{ element.name }} is attempting to add forbidden capabilities.
- list: request.object.spec.[ephemeralContainers, containers][]
deny:
conditions:
all:
- key: "{{ element.securityContext.capabilities.add[] || `[]` }}"
operator: AnyNotIn
value: "{{ capabilities }}"
message: The container {{ element.name }} is attempting to add forbidden capabilities.
@chipzoller thank you, works as expected!
Fix sent in #1254
Page link
https://kyverno.io/blog/2024/02/04/securing-services-meshes-easier-with-kyverno/#policies-in-kyverno
Description
The policy description implies that:
However the policy definition iterates only on istio and linkerd init containers. If there was another init container defined like this:
then the policy will skip it and will succeed the validation.
Expected behavior
The policy must fail.
Slack discussion
No response