PAAS improvements

* Force security configs for PAAS pods * Validate namespace account is valid for service account
OSC · May 5, 2024 · 81c5e96 · 81c5e96
1 parent ba4603a
commit 81c5e96
Show file tree

Hide file tree

Showing 18 changed files with 266 additions and 143 deletions.
diff --git a/Makefile b/Makefile
@@ -37,7 +37,7 @@ kyverno-copy-policies: $(KYVERNO_POLICIES)
 	done
 
 kyverno-test: $(KYVENOR_CLI) kyverno-copy-policies
-	$(KYVENOR_CLI) test $(KYVERNO_POLICY_TESTS_DIR)
+	$(KYVENOR_CLI) test --detailed-results $(KYVERNO_POLICY_TESTS_DIR)
 
 encrypt-private-values: $(PRIVATE_CHARTS)
 	@for d in $(dir $^); do \

diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kyverno-policies
 description: OSC Kyverno policies deployment
 type: application
-version: 0.27.0
+version: 0.28.0
 appVersion: "v1.11.4"
 maintainers:
   - name: treydock

diff --git a/charts/kyverno-policies/templates/add-service-account.yaml b/charts/kyverno-policies/templates/add-service-account.yaml
@@ -35,41 +35,40 @@ spec:
       configMap:
         name: user-gids-map
         namespace: k8-ldap-configmap
-    mutate:
-      patchStrategicMerge:
-        spec:
-          securityContext:
-            runAsUser: "{{`{{ uidMap.data.\"user-{{ request.object.metadata.labels.\"osc.edu/service-account\" }}\".to_number(@) }}`}}"
-            runAsGroup: "{{`{{ gidMap.data.\"user-{{ request.object.metadata.labels.\"osc.edu/service-account\" }}\".to_number(@) }}`}}"
-            fsGroup: "{{`{{ gidMap.data.\"user-{{ request.object.metadata.labels.\"osc.edu/service-account\" }}\".to_number(@) }}`}}"
-            supplementalGroups: "{{`{{ gidsMap.data.\"user-{{ request.object.metadata.labels.\"osc.edu/service-account\" }}\" | parse_json(@)[*].to_number(@) }}`}}"
-  - name: webservice-service-account-run-as-containers
-    match:
-      any:
-        - resources:
-            kinds:
-            - Pod
-            namespaceSelector:
-              matchExpressions:
-              - key: osc.edu/role
-                operator: In
-                values:
-                - webservice
-    preconditions:
-    - key: "{{`{{ request.object.metadata.labels.\"osc.edu/service-account\" || '' }}`}}"
-      operator: NotEquals
-      value: ""
-    context:
-    - name: uidMap
-      configMap:
-        name: user-uid-map
-        namespace: k8-ldap-configmap
-    - name: gidMap
-      configMap:
-        name: user-gid-map
-        namespace: k8-ldap-configmap
     mutate:
       foreach:
+      - list: "request.object.spec"
+        patchStrategicMerge:
+          spec:
+            securityContext:
+              runAsNonRoot: true
+              runAsUser: "{{`{{ uidMap.data.\"user-{{ request.object.metadata.labels.\"osc.edu/service-account\" }}\".to_number(@) }}`}}"
+              runAsGroup: "{{`{{ gidMap.data.\"user-{{ request.object.metadata.labels.\"osc.edu/service-account\" }}\".to_number(@) }}`}}"
+              fsGroup: "{{`{{ gidMap.data.\"user-{{ request.object.metadata.labels.\"osc.edu/service-account\" }}\".to_number(@) }}`}}"
+              supplementalGroups: "{{`{{ gidsMap.data.\"user-{{ request.object.metadata.labels.\"osc.edu/service-account\" }}\" | parse_json(@)[*].to_number(@) }}`}}"
+      - list: "request.object.spec.[containers, initContainers][]"
+        patchStrategicMerge:
+          spec:
+            containers:
+            - (name): "*"
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                  - ALL
+                seccompProfile:
+                  type: RuntimeDefault
+                privileged: false
+            initContainers:
+            - (name): "*"
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                  - ALL
+                seccompProfile:
+                  type: RuntimeDefault
+                privileged: false
       - list: "request.object.spec.[containers, initContainers][]"
         patchStrategicMerge:
           spec:
@@ -135,10 +134,34 @@ spec:
         patchStrategicMerge:
           spec:
             securityContext:
+              runAsNonRoot: true
               runAsUser: "{{`{{ uidMap.data.\"user-{{ serviceAccount }}\".to_number(@) }}`}}"
               runAsGroup: "{{`{{ gidMap.data.\"user-{{ serviceAccount }}\".to_number(@) }}`}}"
               fsGroup: "{{`{{ gidMap.data.\"user-{{ serviceAccount }}\".to_number(@) }}`}}"
               supplementalGroups: "{{`{{ gidsMap.data.\"user-{{ serviceAccount }}\" | parse_json(@)[*].to_number(@) }}`}}"
+      - list: "request.object.spec.[containers, initContainers][]"
+        patchStrategicMerge:
+          spec:
+            containers:
+            - (name): "*"
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                  - ALL
+                seccompProfile:
+                  type: RuntimeDefault
+                privileged: false
+            initContainers:
+            - (name): "*"
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                  - ALL
+                seccompProfile:
+                  type: RuntimeDefault
+                privileged: false
       - list: "request.object.spec.[containers, initContainers][]"
         patchStrategicMerge:
           spec:

diff --git a/charts/kyverno-policies/templates/namespace-account.yaml b/charts/kyverno-policies/templates/namespace-account.yaml
@@ -21,3 +21,34 @@ spec:
         metadata:
           labels:
             account: "?*"
+  - name: valid-account
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+          selector:
+            matchLabels:
+              {{ include "osc.common.roleKey" . }}: paas
+    preconditions:
+    - key: "{{`{{ request.operation }}`}}"
+      operator: In
+      value: ["CREATE","UPDATE"]
+    - key: "{{`{{ request.object.metadata.labels.account || '' }}`}}"
+      operator: NotEquals
+      value: ""
+    - key: "{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" || '' {{`}}`}}"
+      operator: NotEquals
+      value: ""
+    context:
+    - name: userGroupMap
+      configMap:
+        name: user-groups-map
+        namespace: k8-ldap-configmap
+    validate:
+      message: "{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" {{`}}`}} not authorized to charge against account {{`{{ request.object.metadata.labels.account }}`}}"
+      deny:
+        conditions:
+        - key: "{{`{{ request.object.metadata.labels.account }}`}}"
+          operator: NotIn
+          value: "{{`{{`}} userGroupMap.data.\"user-{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" {{`}}`}}\" {{`}}`}}"
diff --git a/charts/kyverno-policies/templates/pod-service-account-validation.yaml b/charts/kyverno-policies/templates/pod-service-account-validation.yaml
@@ -55,9 +55,10 @@ spec:
     validate:
       message: >-
         Invalid service account UID or GID specified
-      anyPattern:
-      - spec:
+      pattern:
+        spec:
           securityContext:
+            runAsNonRoot: "true"
             runAsUser: "{{`{{`}} uidMap.data.\"user-{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" {{`}}`}}\" {{`}}`}}"
             runAsGroup: "{{`{{`}} gidMap.data.\"user-{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" {{`}}`}}\" {{`}}`}}"
             fsGroup: "{{`{{`}} gidMap.data.\"user-{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" {{`}}`}}\" {{`}}`}}"
@@ -69,15 +70,6 @@ spec:
             - =(securityContext):
                 =(runAsUser): "{{`{{`}} uidMap.data.\"user-{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" {{`}}`}}\" {{`}}`}}"
                 =(runAsGroup): "{{`{{`}} gidMap.data.\"user-{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" {{`}}`}}\" {{`}}`}}"
-      - spec:
-          =(initContainers):
-            - securityContext:
-                runAsUser: "{{`{{`}} uidMap.data.\"user-{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" {{`}}`}}\" {{`}}`}}"
-                runAsGroup: "{{`{{`}} gidMap.data.\"user-{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" {{`}}`}}\" {{`}}`}}"
-          containers:
-            - securityContext:
-                runAsUser: "{{`{{`}} uidMap.data.\"user-{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" {{`}}`}}\" {{`}}`}}"
-                runAsGroup: "{{`{{`}} gidMap.data.\"user-{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" {{`}}`}}\" {{`}}`}}"
   - name: webservice-service-account-authorized-for-groups
     match:
       any:
@@ -147,9 +139,10 @@ spec:
     validate:
       message: >-
         Invalid service account UID or GID specified
-      anyPattern:
-      - spec:
+      pattern:
+        spec:
           securityContext:
+            runAsNonRoot: "true"
             runAsUser: "{{`{{ uidMap.data.\"user-{{ serviceAccount }}\" }}`}}"
             runAsGroup: "{{`{{ gidMap.data.\"user-{{ serviceAccount }}\" }}`}}"
             fsGroup: "{{`{{ gidMap.data.\"user-{{ serviceAccount }}\" }}`}}"
@@ -161,15 +154,6 @@ spec:
             - =(securityContext):
                 =(runAsUser): "{{`{{ uidMap.data.\"user-{{ serviceAccount }}\" }}`}}"
                 =(runAsGroup): "{{`{{ gidMap.data.\"user-{{ serviceAccount }}\" }}`}}"
-      - spec:
-          =(initContainers):
-            - securityContext:
-                runAsUser: "{{`{{ uidMap.data.\"user-{{ serviceAccount }}\" }}`}}"
-                runAsGroup: "{{`{{ gidMap.data.\"user-{{ serviceAccount }}\" }}`}}"
-          containers:
-            - securityContext:
-                runAsUser: "{{`{{ uidMap.data.\"user-{{ serviceAccount }}\" }}`}}"
-                runAsGroup: "{{`{{ gidMap.data.\"user-{{ serviceAccount }}\" }}`}}"
   - name: paas-service-account-authorized-for-groups
     match:
       any:

diff --git a/tests/kyverno-policies/add-service-account/kyverno-test.yaml b/tests/kyverno-policies/add-service-account/kyverno-test.yaml
@@ -32,19 +32,6 @@ results:
       - test-webservice-service-account-skip
     kind: Pod
     result: skip
-  - policy: add-service-account
-    rule: webservice-service-account-run-as-containers
-    resources:
-      - test-webservice-service-account-containers
-    kind: Pod
-    result: skip
-  - policy: add-service-account
-    rule: webservice-service-account-run-as-containers
-    resources:
-      - test-webservice-service-account-mariadb-containers
-    patchedResource: webservice-service-account-mariadb-mutated-containers.yaml
-    kind: Pod
-    result: pass
   - policy: add-service-account
     rule: paas-service-account-run-as
     resources:

diff --git a/tests/kyverno-policies/add-service-account/paas-service-account-mariadb-mutated.yaml b/tests/kyverno-policies/add-service-account/paas-service-account-mariadb-mutated.yaml
@@ -11,14 +11,29 @@ spec:
     - name: mariadb
       image: mariadb:latest
       securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+          - ALL
+        seccompProfile:
+          type: RuntimeDefault
+        privileged: false
         runAsUser: 1000
         runAsGroup: 1001
   initContainers:
     - name: init
       image: busybox
       securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+          - ALL
+        seccompProfile:
+          type: RuntimeDefault
+        privileged: false
         runAsUser: 1000
   securityContext:
+    runAsNonRoot: true
     runAsUser: 1000
     runAsGroup: 1001
     fsGroup: 1001

diff --git a/tests/kyverno-policies/add-service-account/paas-service-account-mutated.yaml b/tests/kyverno-policies/add-service-account/paas-service-account-mutated.yaml
@@ -8,10 +8,27 @@ spec:
   containers:
     - name: nginx
       image: nginx:latest
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+          - ALL
+        seccompProfile:
+          type: RuntimeDefault
+        privileged: false
   initContainers:
     - name: init
       image: busybox
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+          - ALL
+        seccompProfile:
+          type: RuntimeDefault
+        privileged: false
   securityContext:
+    runAsNonRoot: true
     runAsUser: 1000
     runAsGroup: 1001
     fsGroup: 1001

diff --git a/tests/kyverno-policies/add-service-account/resources.yaml b/tests/kyverno-policies/add-service-account/resources.yaml
@@ -26,21 +26,6 @@ spec:
 ---
 apiVersion: v1
 kind: Pod
-metadata:
-  name: test-webservice-service-account-containers
-  namespace: webservice
-  labels:
-    osc.edu/service-account: test
-spec:
-  containers:
-    - name: nginx
-      image: nginx:latest
-  initContainers:
-    - name: init
-      image: busybox
----
-apiVersion: v1
-kind: Pod
 metadata:
   name: test-webservice-service-account-skip
   namespace: user-test
@@ -72,27 +57,6 @@ spec:
 ---
 apiVersion: v1
 kind: Pod
-metadata:
-  name: test-webservice-service-account-mariadb-containers
-  namespace: webservice
-  labels:
-    app.kubernetes.io/name: mariadb
-    osc.edu/service-account: test
-spec:
-  containers:
-    - name: mariadb
-      image: mariadb:latest
-      securityContext:
-        runAsUser: 1001
-        runAsGroup: 0
-  initContainers:
-    - name: init
-      image: busybox
-      securityContext:
-        runAsUser: 65534
----
-apiVersion: v1
-kind: Pod
 metadata:
   name: test-paas-no-service-account-skip
   namespace: paas-invalid

diff --git a/tests/kyverno-policies/add-service-account/variables.yaml b/tests/kyverno-policies/add-service-account/variables.yaml
@@ -6,21 +6,12 @@ policies:
           uidMap.data.user-test: '1000'
           gidMap.data.user-test: '1001'
           gidsMap.data.user-test: '["1001","1002"]'
-      - name: webservice-service-account-run-as-containers
-        values:
-          uidMap.data.user-test: '1000'
-          gidMap.data.user-test: '1001'
       - name: paas-service-account-run-as
         values:
           serviceAccount: test
           uidMap.data.user-test: '1000'
           gidMap.data.user-test: '1001'
           gidsMap.data.user-test: '["1001","1002"]'
-      - name: paas-service-account-run-as-containers
-        values:
-          serviceAccount: test
-          uidMap.data.user-test: '1000'
-          gidMap.data.user-test: '1001'
 namespaceSelector:
   - name: user-test
     labels:

diff --git a/...o-policies/add-service-account/webservice-service-account-mariadb-mutated-containers.yaml b/...o-policies/add-service-account/webservice-service-account-mariadb-mutated-containers.yaml