HELP: Policy is changed when deployed: autogen-* is added somehow #264

JesperBerggren · 2022-02-09T12:49:34Z

JesperBerggren
Feb 9, 2022

Hello everybody!

I'm unsure if it's an error or me not knowing what happens when deploying a policy!
Summary: Where does the autogen-* rules come from? And how do we configure the exclude part to them??

(Among many other policies) I've deployed: disallow-capabilities-strict. It's yaml looks like this:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-capabilities-strict
  annotations:
    policies.kyverno.io/title: Disallow Capabilities (Strict)
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition,
      all containers must explicitly drop `ALL` capabilities.      
spec:
  validationFailureAction: audit
  background: true
  rules:
    - name: require-drop-all
      match:
        any:
        - resources:
            kinds:
              - Pod
      preconditions:
        all:
        - key: "{{ request.operation }}"
          operator: NotEquals
          value: DELETE
      validate:
        message: >-
                    Containers must drop `ALL` capabilities.
        foreach:
          - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
            deny:
              conditions:
                all:
                - key: ALL
                  operator: AnyNotIn
                  value: "{{ element.securityContext.capabilities.drop || '' }}"
    - name: adding-capabilities-strict
      match:
        any:
        - resources:
            kinds:
              - Pod
      preconditions:
        all:
        - key: "{{ request.operation }}"
          operator: NotEquals
          value: DELETE
      validate:
        message: >-
                    Any capabilities added other than NET_BIND_SERVICE are disallowed.
        foreach:
          - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
            deny:
              conditions:
                all:
                - key: "{{ element.securityContext.capabilities.add[] || '' }}"
                  operator: AnyNotIn
                  value:
                  - NET_BIND_SERVICE
                  - ''

It has two rules: require-drop-all and adding-capabilities-strict. Both of them matching kind: Pod.

But when I do a kubectl get clusterpolicy disallow-capabilities-strict -o yaml I get the following yaml configuration:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"annotations":{"kyverno.io/kubernetes-version":"1.22-1.23","kyverno.io/kyverno-version":"1.6.0","policies.kyverno.io/category":"Pod Security Standards (Restricted)","policies.kyverno.io/description":"Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, all containers must explicitly drop `ALL` capabilities.      ","policies.kyverno.io/minversion":"1.6.0","policies.kyverno.io/severity":"medium","policies.kyverno.io/subject":"Pod","policies.kyverno.io/title":"Disallow Capabilities (Strict)"},"name":"disallow-capabilities-strict"},"spec":{"background":true,"rules":[{"match":{"any":[{"resources":{"kinds":["Pod"]}}]},"name":"require-drop-all","preconditions":{"all":[{"key":"{{ request.operation }}","operator":"NotEquals","value":"DELETE"}]},"validate":{"foreach":[{"deny":{"conditions":{"all":[{"key":"ALL","operator":"AnyNotIn","value":"{{ element.securityContext.capabilities.drop || '' }}"}]}},"list":"request.object.spec.[ephemeralContainers, initContainers, containers][]"}],"message":"Containers must drop `ALL` capabilities."}},{"match":{"any":[{"resources":{"kinds":["Pod"]}}]},"name":"adding-capabilities-strict","preconditions":{"all":[{"key":"{{ request.operation }}","operator":"NotEquals","value":"DELETE"}]},"validate":{"foreach":[{"deny":{"conditions":{"all":[{"key":"{{ element.securityContext.capabilities.add[] || '' }}","operator":"AnyNotIn","value":["NET_BIND_SERVICE",""]}]}},"list":"request.object.spec.[ephemeralContainers, initContainers, containers][]"}],"message":"Any capabilities added other than NET_BIND_SERVICE are disallowed."}}],"validationFailureAction":"audit"}}
    kyverno.io/kubernetes-version: 1.22-1.23
    kyverno.io/kyverno-version: 1.6.0
    pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,Job,StatefulSet,CronJob
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    policies.kyverno.io/description: 'Adding capabilities other than `NET_BIND_SERVICE`
      is disallowed. In addition, all containers must explicitly drop `ALL` capabilities.      '
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/title: Disallow Capabilities (Strict)
  creationTimestamp: "2022-02-09T12:27:19Z"
  generation: 2
  name: disallow-capabilities-strict
  resourceVersion: "4502352"
  selfLink: /apis/kyverno.io/v1/clusterpolicies/disallow-capabilities-strict
  uid: 27e581cd-499c-4ad7-b50e-4243d0b46158
spec:
  background: true
  failurePolicy: Fail
  rules:
  - exclude:
      resources: {}
    generate:
      clone: {}
    match:
      any:
      - resources:
          kinds:
          - Pod
      resources: {}
    mutate: {}
    name: require-drop-all
    preconditions:
      all:
      - key: '{{ request.operation }}'
        operator: NotEquals
        value: DELETE
    validate:
      foreach:
      - deny:
          conditions:
            all:
            - key: ALL
              operator: AnyNotIn
              value: '{{ element.securityContext.capabilities.drop || '''' }}'
        list: request.object.spec.[ephemeralContainers, initContainers, containers][]
      message: Containers must drop `ALL` capabilities.
  - exclude:
      resources: {}
    generate:
      clone: {}
    match:
      any:
      - resources:
          kinds:
          - Pod
      resources: {}
    mutate: {}
    name: adding-capabilities-strict
    preconditions:
      all:
      - key: '{{ request.operation }}'
        operator: NotEquals
        value: DELETE
    validate:
      foreach:
      - deny:
          conditions:
            all:
            - key: '{{ element.securityContext.capabilities.add[] || '''' }}'
              operator: AnyNotIn
              value:
              - NET_BIND_SERVICE
              - ""
        list: request.object.spec.[ephemeralContainers, initContainers, containers][]
      message: Any capabilities added other than NET_BIND_SERVICE are disallowed.
  - exclude:
      resources: {}
    generate:
      clone: {}
    match:
      any:
      - resources:
          kinds:
          - DaemonSet
          - Deployment
          - Job
          - StatefulSet
      resources: {}
    mutate: {}
    name: autogen-require-drop-all
    preconditions:
      all:
      - key: '{{ request.operation }}'
        operator: NotEquals
        value: DELETE
    validate:
      foreach:
      - deny:
          conditions:
            all:
            - key: ALL
              operator: AnyNotIn
              value: '{{ element.securityContext.capabilities.drop || '''' }}'
        list: request.object.spec.template.spec.[ephemeralContainers, initContainers,
          containers][]
      message: Containers must drop `ALL` capabilities.
  - exclude:
      resources: {}
    generate:
      clone: {}
    match:
      any:
      - resources:
          kinds:
          - CronJob
      resources: {}
    mutate: {}
    name: autogen-cronjob-require-drop-all
    preconditions:
      all:
      - key: '{{ request.operation }}'
        operator: NotEquals
        value: DELETE
    validate:
      foreach:
      - deny:
          conditions:
            all:
            - key: ALL
              operator: AnyNotIn
              value: '{{ element.securityContext.capabilities.drop || '''' }}'
        list: request.object.spec.jobTemplate.spec.template.spec.[ephemeralContainers,
          initContainers, containers][]
      message: Containers must drop `ALL` capabilities.
  - exclude:
      resources: {}
    generate:
      clone: {}
    match:
      any:
      - resources:
          kinds:
          - DaemonSet
          - Deployment
          - Job
          - StatefulSet
      resources: {}
    mutate: {}
    name: autogen-adding-capabilities-strict
    preconditions:
      all:
      - key: '{{ request.operation }}'
        operator: NotEquals
        value: DELETE
    validate:
      foreach:
      - deny:
          conditions:
            all:
            - key: '{{ element.securityContext.capabilities.add[] || '''' }}'
              operator: AnyNotIn
              value:
              - NET_BIND_SERVICE
              - ""
        list: request.object.spec.template.spec.[ephemeralContainers, initContainers,
          containers][]
      message: Any capabilities added other than NET_BIND_SERVICE are disallowed.
  - exclude:
      resources: {}
    generate:
      clone: {}
    match:
      any:
      - resources:
          kinds:
          - CronJob
      resources: {}
    mutate: {}
    name: autogen-cronjob-adding-capabilities-strict
    preconditions:
      all:
      - key: '{{ request.operation }}'
        operator: NotEquals
        value: DELETE
    validate:
      foreach:
      - deny:
          conditions:
            all:
            - key: '{{ element.securityContext.capabilities.add[] || '''' }}'
              operator: AnyNotIn
              value:
              - NET_BIND_SERVICE
              - ""
        list: request.object.spec.jobTemplate.spec.template.spec.[ephemeralContainers,
          initContainers, containers][]
      message: Any capabilities added other than NET_BIND_SERVICE are disallowed.
  validationFailureAction: audit
status:
  ready: true

As you can see it suddenly has 6 rules, namely require-drop-all, adding-capabilities-strict as well as autogen-require-drop-all, autogen-cronjob-require-drop-all, autogen-adding-capabilities-strict, autogen-cronjob-adding-capabilities-strict.

Where does the autogen-* rules come from? And how do we configure the exclude part to them??

Thanks for your answers! :-)

Best regards
Jesper Berggren

chipzoller · 2022-02-09T12:56:01Z

chipzoller
Feb 9, 2022

https://kyverno.io/docs/writing-policies/autogen/

0 replies

JesperBerggren · 2022-02-09T14:08:53Z

JesperBerggren
Feb 9, 2022
Author

Current summary: There's a difference in applying policies via yaml files and the helm charts.

Thanks @chipzoller, I've seen that and now understands why the autogen rules are created.

I think I know why I was confused...
I'm using the helm charts to install policies and apparently there's difference between adding a policy as a yaml file and via the helm chart.
When adding a policy with a yaml file and making exclude configurations, those configurations are copied to all autogen-* rules.
Meanwhile adding an exclude configuration in the helm chart, that configuration is not copied to all autogen-* rules but only maybe half of them.

Here's what happens:
Yaml file for disallow-capabilities-strict (kubectl apply -f disallow-capabilities-strict.yaml):

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-capabilities-strict
  annotations:
    policies.kyverno.io/title: Disallow Capabilities (Strict)
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition,
      all containers must explicitly drop `ALL` capabilities.      
spec:
  validationFailureAction: audit
  background: true
  rules:
    - name: require-drop-all
      match:
        any:
        - resources:
            kinds:
              - Pod
      exclude:
        any:
        - resources:
            namespaces:
            - digitalpost-aes
            - digitalpost-aesk
            - digitalpost-aesu
            - digitalpost-afu
            - digitalpost-atp
            - digitalpost-aub
            - digitalpost-barsel
            - digitalpost-fk
            - digitalpost-lfm
            - digitalpost-lg
            - digitalpost-udk
            - digitalpost-udkiss
      preconditions:
        all:
        - key: "{{ request.operation }}"
          operator: NotEquals
          value: DELETE
      validate:
        message: >-
                    Containers must drop `ALL` capabilities.
        foreach:
          - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
            deny:
              conditions:
                all:
                - key: ALL
                  operator: AnyNotIn
                  value: "{{ element.securityContext.capabilities.drop || '' }}"
    - name: adding-capabilities-strict
      match:
        any:
        - resources:
            kinds:
              - Pod
      exclude:
        any:
        - resources:
            namespaces:
            - digitalpost-aes
            - digitalpost-aesk
            - digitalpost-aesu
            - digitalpost-afu
            - digitalpost-atp
            - digitalpost-aub
            - digitalpost-barsel
            - digitalpost-fk
            - digitalpost-lfm
            - digitalpost-lg
            - digitalpost-udk
            - digitalpost-udkiss
      preconditions:
        all:
        - key: "{{ request.operation }}"
          operator: NotEquals
          value: DELETE
      validate:
        message: >-
                    Any capabilities added other than NET_BIND_SERVICE are disallowed.
        foreach:
          - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
            deny:
              conditions:
                all:
                - key: "{{ element.securityContext.capabilities.add[] || '' }}"
                  operator: AnyNotIn
                  value:
                  - NET_BIND_SERVICE
                  - ''

This causes the generated policy to be:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"annotations":{"kyverno.io/kubernetes-version":"1.22-1.23","kyverno.io/kyverno-version":"1.6.0","policies.kyverno.io/category":"Pod Security Standards (Restricted)","policies.kyverno.io/description":"Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, all containers must explicitly drop `ALL` capabilities.      ","policies.kyverno.io/minversion":"1.6.0","policies.kyverno.io/severity":"medium","policies.kyverno.io/subject":"Pod","policies.kyverno.io/title":"Disallow Capabilities (Strict)"},"name":"disallow-capabilities-strict"},"spec":{"background":true,"rules":[{"exclude":{"any":[{"resources":{"namespaces":["digitalpost-aes","digitalpost-aesk","digitalpost-aesu","digitalpost-afu","digitalpost-atp","digitalpost-aub","digitalpost-barsel","digitalpost-fk","digitalpost-lfm","digitalpost-lg","digitalpost-udk","digitalpost-udkiss"]}}]},"match":{"any":[{"resources":{"kinds":["Pod"]}}]},"name":"require-drop-all","preconditions":{"all":[{"key":"{{ request.operation }}","operator":"NotEquals","value":"DELETE"}]},"validate":{"foreach":[{"deny":{"conditions":{"all":[{"key":"ALL","operator":"AnyNotIn","value":"{{ element.securityContext.capabilities.drop || '' }}"}]}},"list":"request.object.spec.[ephemeralContainers, initContainers, containers][]"}],"message":"Containers must drop `ALL` capabilities."}},{"exclude":{"any":[{"resources":{"namespaces":["digitalpost-aes","digitalpost-aesk","digitalpost-aesu","digitalpost-afu","digitalpost-atp","digitalpost-aub","digitalpost-barsel","digitalpost-fk","digitalpost-lfm","digitalpost-lg","digitalpost-udk","digitalpost-udkiss"]}}]},"match":{"any":[{"resources":{"kinds":["Pod"]}}]},"name":"adding-capabilities-strict","preconditions":{"all":[{"key":"{{ request.operation }}","operator":"NotEquals","value":"DELETE"}]},"validate":{"foreach":[{"deny":{"conditions":{"all":[{"key":"{{ element.securityContext.capabilities.add[] || '' }}","operator":"AnyNotIn","value":["NET_BIND_SERVICE",""]}]}},"list":"request.object.spec.[ephemeralContainers, initContainers, containers][]"}],"message":"Any capabilities added other than NET_BIND_SERVICE are disallowed."}}],"validationFailureAction":"audit"}}
    kyverno.io/kubernetes-version: 1.22-1.23
    kyverno.io/kyverno-version: 1.6.0
    pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,Job,StatefulSet,CronJob
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    policies.kyverno.io/description: 'Adding capabilities other than `NET_BIND_SERVICE`
      is disallowed. In addition, all containers must explicitly drop `ALL` capabilities.      '
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/title: Disallow Capabilities (Strict)
  creationTimestamp: "2022-02-09T13:43:34Z"
  generation: 2
  name: disallow-capabilities-strict
  resourceVersion: "4525564"
  selfLink: /apis/kyverno.io/v1/clusterpolicies/disallow-capabilities-strict
  uid: 00c410ae-5fe9-4bda-88c0-497f5fa92774
spec:
  background: true
  failurePolicy: Fail
  rules:
  - exclude:
      any:
      - resources:
          namespaces:
          - digitalpost-aes
          - digitalpost-aesk
          - digitalpost-aesu
          - digitalpost-afu
          - digitalpost-atp
          - digitalpost-aub
          - digitalpost-barsel
          - digitalpost-fk
          - digitalpost-lfm
          - digitalpost-lg
          - digitalpost-udk
          - digitalpost-udkiss
      resources: {}
    generate:
      clone: {}
    match:
      any:
      - resources:
          kinds:
          - Pod
      resources: {}
    mutate: {}
    name: require-drop-all
    preconditions:
      all:
      - key: '{{ request.operation }}'
        operator: NotEquals
        value: DELETE
    validate:
      foreach:
      - deny:
          conditions:
            all:
            - key: ALL
              operator: AnyNotIn
              value: '{{ element.securityContext.capabilities.drop || '''' }}'
        list: request.object.spec.[ephemeralContainers, initContainers, containers][]
      message: Containers must drop `ALL` capabilities.
  - exclude:
      any:
      - resources:
          namespaces:
          - digitalpost-aes
          - digitalpost-aesk
          - digitalpost-aesu
          - digitalpost-afu
          - digitalpost-atp
          - digitalpost-aub
          - digitalpost-barsel
          - digitalpost-fk
          - digitalpost-lfm
          - digitalpost-lg
          - digitalpost-udk
          - digitalpost-udkiss
      resources: {}
    generate:
      clone: {}
    match:
      any:
      - resources:
          kinds:
          - Pod
      resources: {}
    mutate: {}
    name: adding-capabilities-strict
    preconditions:
      all:
      - key: '{{ request.operation }}'
        operator: NotEquals
        value: DELETE
    validate:
      foreach:
      - deny:
          conditions:
            all:
            - key: '{{ element.securityContext.capabilities.add[] || '''' }}'
              operator: AnyNotIn
              value:
              - NET_BIND_SERVICE
              - ""
        list: request.object.spec.[ephemeralContainers, initContainers, containers][]
      message: Any capabilities added other than NET_BIND_SERVICE are disallowed.
  - exclude:
      any:
      - resources:
          namespaces:
          - digitalpost-aes
          - digitalpost-aesk
          - digitalpost-aesu
          - digitalpost-afu
          - digitalpost-atp
          - digitalpost-aub
          - digitalpost-barsel
          - digitalpost-fk
          - digitalpost-lfm
          - digitalpost-lg
          - digitalpost-udk
          - digitalpost-udkiss
      resources: {}
    generate:
      clone: {}
    match:
      any:
      - resources:
          kinds:
          - DaemonSet
          - Deployment
          - Job
          - StatefulSet
      resources: {}
    mutate: {}
    name: autogen-require-drop-all
    preconditions:
      all:
      - key: '{{ request.operation }}'
        operator: NotEquals
        value: DELETE
    validate:
      foreach:
      - deny:
          conditions:
            all:
            - key: ALL
              operator: AnyNotIn
              value: '{{ element.securityContext.capabilities.drop || '''' }}'
        list: request.object.spec.template.spec.[ephemeralContainers, initContainers,
          containers][]
      message: Containers must drop `ALL` capabilities.
  - exclude:
      any:
      - resources:
          namespaces:
          - digitalpost-aes
          - digitalpost-aesk
          - digitalpost-aesu
          - digitalpost-afu
          - digitalpost-atp
          - digitalpost-aub
          - digitalpost-barsel
          - digitalpost-fk
          - digitalpost-lfm
          - digitalpost-lg
          - digitalpost-udk
          - digitalpost-udkiss
      resources: {}
    generate:
      clone: {}
    match:
      any:
      - resources:
          kinds:
          - CronJob
      resources: {}
    mutate: {}
    name: autogen-cronjob-require-drop-all
    preconditions:
      all:
      - key: '{{ request.operation }}'
        operator: NotEquals
        value: DELETE
    validate:
      foreach:
      - deny:
          conditions:
            all:
            - key: ALL
              operator: AnyNotIn
              value: '{{ element.securityContext.capabilities.drop || '''' }}'
        list: request.object.spec.jobTemplate.spec.template.spec.[ephemeralContainers,
          initContainers, containers][]
      message: Containers must drop `ALL` capabilities.
  - exclude:
      any:
      - resources:
          namespaces:
          - digitalpost-aes
          - digitalpost-aesk
          - digitalpost-aesu
          - digitalpost-afu
          - digitalpost-atp
          - digitalpost-aub
          - digitalpost-barsel
          - digitalpost-fk
          - digitalpost-lfm
          - digitalpost-lg
          - digitalpost-udk
          - digitalpost-udkiss
      resources: {}
    generate:
      clone: {}
    match:
      any:
      - resources:
          kinds:
          - DaemonSet
          - Deployment
          - Job
          - StatefulSet
      resources: {}
    mutate: {}
    name: autogen-adding-capabilities-strict
    preconditions:
      all:
      - key: '{{ request.operation }}'
        operator: NotEquals
        value: DELETE
    validate:
      foreach:
      - deny:
          conditions:
            all:
            - key: '{{ element.securityContext.capabilities.add[] || '''' }}'
              operator: AnyNotIn
              value:
              - NET_BIND_SERVICE
              - ""
        list: request.object.spec.template.spec.[ephemeralContainers, initContainers,
          containers][]
      message: Any capabilities added other than NET_BIND_SERVICE are disallowed.
  - exclude:
      any:
      - resources:
          namespaces:
          - digitalpost-aes
          - digitalpost-aesk
          - digitalpost-aesu
          - digitalpost-afu
          - digitalpost-atp
          - digitalpost-aub
          - digitalpost-barsel
          - digitalpost-fk
          - digitalpost-lfm
          - digitalpost-lg
          - digitalpost-udk
          - digitalpost-udkiss
      resources: {}
    generate:
      clone: {}
    match:
      any:
      - resources:
          kinds:
          - CronJob
      resources: {}
    mutate: {}
    name: autogen-cronjob-adding-capabilities-strict
    preconditions:
      all:
      - key: '{{ request.operation }}'
        operator: NotEquals
        value: DELETE
    validate:
      foreach:
      - deny:
          conditions:
            all:
            - key: '{{ element.securityContext.capabilities.add[] || '''' }}'
              operator: AnyNotIn
              value:
              - NET_BIND_SERVICE
              - ""
        list: request.object.spec.jobTemplate.spec.template.spec.[ephemeralContainers,
          initContainers, containers][]
      message: Any capabilities added other than NET_BIND_SERVICE are disallowed.
  validationFailureAction: audit
status:
  ready: true

As you can see the excludes are copied to all the autogen-* rules.

On the other hand, if I apply policies via helm (helm install kyverno-policies --namespace kyverno kyverno/kyverno-policies -f ~/kyverno-policies-values.yaml) and the values file contains:

podSecurityStandard: restricted
validationFailureAction: enforce
policyExclude:
  adding-capabilities-strict:
    any:
    - resources:
        namespaces:
        - digitalpost-aes
        - digitalpost-aesk
        - digitalpost-aesu
        - digitalpost-afu
        - digitalpost-atp
        - digitalpost-aub
        - digitalpost-barsel
        - digitalpost-fk
        - digitalpost-lfm
        - digitalpost-lg
        - digitalpost-udk
        - digitalpost-udkiss

That causes the generated policy to be:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    kyverno.io/kubernetes-version: 1.22-1.23
    kyverno.io/kyverno-version: 1.6.0
    meta.helm.sh/release-name: kyverno-policies
    meta.helm.sh/release-namespace: kyverno
    pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,Job,StatefulSet,CronJob
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    policies.kyverno.io/description: Adding capabilities other than `NET_BIND_SERVICE`
      is disallowed. In addition, all containers must explicitly drop `ALL` capabilities.
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/title: Disallow Capabilities (Strict)
  creationTimestamp: "2022-02-09T13:54:19Z"
  generation: 2
  labels:
    app.kubernetes.io/managed-by: Helm
  name: disallow-capabilities-strict
  resourceVersion: "4529508"
  selfLink: /apis/kyverno.io/v1/clusterpolicies/disallow-capabilities-strict
  uid: c272ea73-f058-42d4-b898-5dd4e9b84a38
spec:
  background: true
  failurePolicy: Fail
  rules:
  - exclude:
      resources: {}
    generate:
      clone: {}
    match:
      any:
      - resources:
          kinds:
          - Pod
      resources: {}
    mutate: {}
    name: require-drop-all
    preconditions:
      all:
      - key: '{{ request.operation }}'
        operator: NotEquals
        value: DELETE
    validate:
      foreach:
      - deny:
          conditions:
            all:
            - key: ALL
              operator: AnyNotIn
              value: '{{ element.securityContext.capabilities.drop || '''' }}'
        list: request.object.spec.[ephemeralContainers, initContainers, containers][]
      message: Containers must drop `ALL` capabilities.
  - exclude:
      any:
      - resources:
          namespaces:
          - digitalpost-aes
          - digitalpost-aesk
          - digitalpost-aesu
          - digitalpost-afu
          - digitalpost-atp
          - digitalpost-aub
          - digitalpost-barsel
          - digitalpost-fk
          - digitalpost-lfm
          - digitalpost-lg
          - digitalpost-udk
          - digitalpost-udkiss
      resources: {}
    generate:
      clone: {}
    match:
      any:
      - resources:
          kinds:
          - Pod
      resources: {}
    mutate: {}
    name: adding-capabilities-strict
    preconditions:
      all:
      - key: '{{ request.operation }}'
        operator: NotEquals
        value: DELETE
    validate:
      foreach:
      - deny:
          conditions:
            all:
            - key: '{{ element.securityContext.capabilities.add[] || '''' }}'
              operator: AnyNotIn
              value:
              - NET_BIND_SERVICE
              - ""
        list: request.object.spec.[ephemeralContainers, initContainers, containers][]
      message: Any capabilities added other than NET_BIND_SERVICE are disallowed.
  - exclude:
      resources: {}
    generate:
      clone: {}
    match:
      any:
      - resources:
          kinds:
          - DaemonSet
          - Deployment
          - Job
          - StatefulSet
      resources: {}
    mutate: {}
    name: autogen-require-drop-all
    preconditions:
      all:
      - key: '{{ request.operation }}'
        operator: NotEquals
        value: DELETE
    validate:
      foreach:
      - deny:
          conditions:
            all:
            - key: ALL
              operator: AnyNotIn
              value: '{{ element.securityContext.capabilities.drop || '''' }}'
        list: request.object.spec.template.spec.[ephemeralContainers, initContainers,
          containers][]
      message: Containers must drop `ALL` capabilities.
  - exclude:
      resources: {}
    generate:
      clone: {}
    match:
      any:
      - resources:
          kinds:
          - CronJob
      resources: {}
    mutate: {}
    name: autogen-cronjob-require-drop-all
    preconditions:
      all:
      - key: '{{ request.operation }}'
        operator: NotEquals
        value: DELETE
    validate:
      foreach:
      - deny:
          conditions:
            all:
            - key: ALL
              operator: AnyNotIn
              value: '{{ element.securityContext.capabilities.drop || '''' }}'
        list: request.object.spec.jobTemplate.spec.template.spec.[ephemeralContainers,
          initContainers, containers][]
      message: Containers must drop `ALL` capabilities.
  - exclude:
      any:
      - resources:
          namespaces:
          - digitalpost-aes
          - digitalpost-aesk
          - digitalpost-aesu
          - digitalpost-afu
          - digitalpost-atp
          - digitalpost-aub
          - digitalpost-barsel
          - digitalpost-fk
          - digitalpost-lfm
          - digitalpost-lg
          - digitalpost-udk
          - digitalpost-udkiss
      resources: {}
    generate:
      clone: {}
    match:
      any:
      - resources:
          kinds:
          - DaemonSet
          - Deployment
          - Job
          - StatefulSet
      resources: {}
    mutate: {}
    name: autogen-adding-capabilities-strict
    preconditions:
      all:
      - key: '{{ request.operation }}'
        operator: NotEquals
        value: DELETE
    validate:
      foreach:
      - deny:
          conditions:
            all:
            - key: '{{ element.securityContext.capabilities.add[] || '''' }}'
              operator: AnyNotIn
              value:
              - NET_BIND_SERVICE
              - ""
        list: request.object.spec.template.spec.[ephemeralContainers, initContainers,
          containers][]
      message: Any capabilities added other than NET_BIND_SERVICE are disallowed.
  - exclude:
      any:
      - resources:
          namespaces:
          - digitalpost-aes
          - digitalpost-aesk
          - digitalpost-aesu
          - digitalpost-afu
          - digitalpost-atp
          - digitalpost-aub
          - digitalpost-barsel
          - digitalpost-fk
          - digitalpost-lfm
          - digitalpost-lg
          - digitalpost-udk
          - digitalpost-udkiss
      resources: {}
    generate:
      clone: {}
    match:
      any:
      - resources:
          kinds:
          - CronJob
      resources: {}
    mutate: {}
    name: autogen-cronjob-adding-capabilities-strict
    preconditions:
      all:
      - key: '{{ request.operation }}'
        operator: NotEquals
        value: DELETE
    validate:
      foreach:
      - deny:
          conditions:
            all:
            - key: '{{ element.securityContext.capabilities.add[] || '''' }}'
              operator: AnyNotIn
              value:
              - NET_BIND_SERVICE
              - ""
        list: request.object.spec.jobTemplate.spec.template.spec.[ephemeralContainers,
          initContainers, containers][]
      message: Any capabilities added other than NET_BIND_SERVICE are disallowed.
  validationFailureAction: enforce
status:
  ready: true

As you can see, the exclude is not copied to all rules, which makes this policy fail on deployments in these namespaces.

Should I create an issue instead of this discussion?

Best regards
Jesper Berggren

1 reply

chipzoller Feb 9, 2022

Ah, ok, yes that's a problem. If you would please do create an issue and state this. Thank you!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

HELP: Policy is changed when deployed: autogen-* is added somehow #264

{{title}}

Replies: 2 comments 1 reply

{{title}}

{{title}}

{{title}}

Select a reply

HELP: Policy is changed when deployed: autogen-* is added somehow #264

JesperBerggren Feb 9, 2022

Replies: 2 comments · 1 reply

chipzoller Feb 9, 2022

JesperBerggren Feb 9, 2022 Author

chipzoller Feb 9, 2022

JesperBerggren
Feb 9, 2022

Replies: 2 comments 1 reply

chipzoller
Feb 9, 2022

JesperBerggren
Feb 9, 2022
Author