-
Notifications
You must be signed in to change notification settings - Fork 170
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Revert "temporarily remove policies other than the machine one as the example and test policy to create a base code pr" This reverts commit 08d377d. * extracted shared rego resources to a separate lib * improvement: rego unit test and gator test polishing (#2767) * rego unit test and gator test polishing * lint fix * rego lint fix * adjusted user id related judgement plus match kinds for resources other than pod * added test cases for priv'd ns to cover pull-secret deletion * add new policy for machine config modification (#2879) * add new policy for machine config modification * reformat yaml * revise api group logic * added pod host path policy * dont run guardrails if a standard gatekeeper instance is already started * comment out corresponding gator tests as r/w PV check is temporarily removed * satisfy mega linter * temporarily backoff the standard gatekeeper check * enable standard gatekeeper check with proper test case modifications * comment out non-namespaced resources * add k8s specific namespaces to the priv'd list * update README plus add two SA to allowed list * update Guardrails README * a typo in README * allow policies to enforce on openshift-azure-guardrails namespace * added group support for user validation * update: Guardrail policy scripts and doc updates (#2941) * update generate.sh to support single dir gen * update scripts to support params * update README * added usage print for scripts * change to flexible mode for username, group and SA name validation * update get func to print more debug info * rely solely on userInfo for user authentication * extend audit-interval to slow down the audit run, plus display more violations * roll back a temp change for local test * dont allow updates for machine and machineset * removed MachineSet * unified the constraint filename and resource name to make the config easier * adjust constraint and template name and kind as per convention * update gatekeeper params, affinity and tolerations * log violations * white list more user and group * extend priv'd ns protection to ns itself * add guardrails policy generate entry in makefile * make gator in README lower cased to keep consistent with official doc --------- Co-authored-by: Arris Li <[email protected]>
- Loading branch information
Showing
53 changed files
with
2,556 additions
and
72 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
10 changes: 10 additions & 0 deletions
10
pkg/operator/controllers/guardrails/policies/gkconstraints/aro-machine-config-deny.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
kind: ARODenyMachineConfig | ||
metadata: | ||
name: aro-machine-config-deny | ||
spec: | ||
enforcementAction: {{.Enforcement}} | ||
match: | ||
kinds: | ||
- apiGroups: ["machineconfiguration.openshift.io"] | ||
kinds: ["MachineConfig"] |
10 changes: 10 additions & 0 deletions
10
...perator/controllers/guardrails/policies/gkconstraints/aro-master-toleration-pod-deny.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
kind: ARODenyMasterTolerationTaints | ||
metadata: | ||
name: aro-master-toleration-pod-deny | ||
spec: | ||
enforcementAction: {{.Enforcement}} | ||
match: | ||
kinds: | ||
- apiGroups: [""] | ||
kinds: ["Pod"] |
35 changes: 35 additions & 0 deletions
35
...operator/controllers/guardrails/policies/gkconstraints/aro-privileged-namespace-deny.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
kind: ARODenyPrivilegedNamespace | ||
metadata: | ||
name: aro-privileged-namespace-deny | ||
spec: | ||
enforcementAction: {{.Enforcement}} | ||
match: | ||
kinds: | ||
- apiGroups: [""] | ||
kinds: [ | ||
"Pod", | ||
"Secret", | ||
"Service", | ||
"ServiceAccount", | ||
"ReplicationController", | ||
"ResourceQuota", | ||
"Namespace", | ||
] | ||
- apiGroups: ["apps"] | ||
kinds: ["Deployment", "ReplicaSet", "StatefulSet", "DaemonSet"] | ||
- apiGroups: ["batch"] | ||
kinds: ["Job", "CronJob"] | ||
- apiGroups: ["rbac.authorization.k8s.io"] | ||
kinds: ["Role", "RoleBinding"] | ||
- apiGroups: ["policy"] | ||
kinds: ["PodDisruptionBudget"] | ||
- apiGroups: ["machine.openshift.io"] | ||
kinds: ["Machine"] | ||
# non-namespaced resources | ||
# - apiGroups: [""] | ||
# kinds: ["PersistentVolume", "PersistentVolumeClaim"] | ||
# - apiGroups: ["rbac.authorization.k8s.io"] | ||
# kinds: ["ClusterRole", "ClusterRoleBinding"] | ||
# - apiGroups: ["apiextensions"] | ||
# kinds: ["CustomResourceDefinition"] |
11 changes: 11 additions & 0 deletions
11
pkg/operator/controllers/guardrails/policies/gkconstraints/aro-rw-host-mount-deny.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
kind: ARODenyHostMount | ||
metadata: | ||
name: aro-rw-host-mount-deny | ||
spec: | ||
enforcementAction: {{.Enforcement}} | ||
match: | ||
kinds: | ||
- apiGroups: [""] | ||
# kinds: ["Pod", "PersistentVolume"] | ||
kinds: ["Pod"] # disable PV check as it is not agreed, need revise |
27 changes: 27 additions & 0 deletions
27
...trollers/guardrails/policies/gktemplates-src/aro-deny-host-mount/aro-deny-host-mount.tmpl
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
apiVersion: templates.gatekeeper.sh/v1 | ||
kind: ConstraintTemplate | ||
metadata: | ||
name: arodenyhostmount | ||
annotations: | ||
metadata.gatekeeper.sh/title: "Host Mount" | ||
metadata.gatekeeper.sh/version: 1.0.0 | ||
description: >- | ||
To prevent the creation of non-OpenShift pods with dangerous read/write mounts | ||
spec: | ||
crd: | ||
spec: | ||
names: | ||
kind: ARODenyHostMount | ||
validation: | ||
# Schema for the `parameters` field | ||
openAPIV3Schema: | ||
type: object | ||
description: >- | ||
To prevent the creation of non-OpenShift pods with dangerous read/write mounts | ||
targets: | ||
- target: admission.k8s.gatekeeper.sh | ||
rego: | | ||
{{ file.Read "gktemplates-src/aro-deny-host-mount/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} | ||
libs: | ||
- | | ||
{{ file.Read "gktemplates-src/library/common.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} |
Oops, something went wrong.