Argo diff (#44)

docker-compose/Dockerfile

@@ -2,6 +2,7 @@
 FROM docker.io/argoproj/argocd:v2.6.15@sha256:58ebb4ed23c8db4cd4cc3f954f8d94c4b4e3d9669c0751c484108d22b86d52de as argocd
 FROM zegl/kube-score:v1.19.0@sha256:94137f32ce139dc9fbdbbd380249025e4d378c282ff151a100b981cdeeb923b6 as kube-score
 FROM ghcr.io/yannh/kubeconform:v0.6.7@sha256:0925177fb05b44ce18574076141b5c3d83235e1904d3f952182ac99ddc45762c as kubeconform
+FROM ghcr.io/kyverno/kyverno-cli:v1.12@sha256:229154f8f42326c5a7568b3787887b81ca94f0824400574ffab1dd9d30931f01 AS kyverno
 
 FROM ghcr.io/coopnorge/engineering-docker-images/e0/devtools-golang-v1beta1:latest@sha256:026875885070fa56db08fe23c4a495a82cc86523cc6540a32a360b572a53c011 AS golang-devtools
 
@@ -10,3 +11,4 @@ COPY --from=argocd /usr/local/bin/argocd /usr/local/bin/argocd
 COPY --from=argocd /usr/local/bin/helm /usr/local/bin/helm
 COPY --from=argocd /usr/local/bin/kustomize /usr/local/bin/kustomize
 COPY --from=kubeconform /kubeconform /usr/local/bin/kubeconform
+COPY --from=kyverno /ko-app/kubectl-kyverno /usr/local/bin/kyverno

kyverno-policies/_helpers.tpl

@@ -0,0 +1,84 @@
+{{/* vim: set filetype=mustache: */}}
+{{/* Expand the name of the chart. */}}
+{{- define "kyverno-policies.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/* Create chart name and version as used by the chart label. */}}
+{{- define "kyverno-policies.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/* Helm required labels */}}
+{{- define "kyverno-policies.labels" -}}
+app.kubernetes.io/component: kyverno
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/name: {{ template "kyverno-policies.name" . }}
+app.kubernetes.io/part-of: {{ template "kyverno-policies.name" . }}
+app.kubernetes.io/version: "{{ .Chart.Version | replace "+" "_" }}"
+helm.sh/chart: {{ template "kyverno-policies.chart" . }}
+{{- if .Values.customLabels }}
+{{ toYaml .Values.customLabels }}
+{{- end }}
+{{- end -}}
+
+{{/* Set if a baseline policy is managed */}}
+{{- define "kyverno-policies.podSecurityBaseline" -}}
+{{- if or (eq .Values.podSecurityStandard "baseline") (eq .Values.podSecurityStandard "restricted") }}
+{{- true }}
+{{- else if and (eq .Values.podSecurityStandard "custom") (has .name .Values.podSecurityPolicies) }}
+{{- true }}
+{{- else -}}
+{{- false }}
+{{- end -}}
+{{- end -}}
+
+{{/* Set if a restricted policy is managed */}}
+{{- define "kyverno-policies.podSecurityRestricted" -}}
+{{- if eq .Values.podSecurityStandard "restricted" }}
+{{- true }}
+{{- else if and (eq .Values.podSecurityStandard "custom") (has .name .Values.podSecurityPolicies) }}
+{{- true }}
+{{- else if has .name .Values.includeRestrictedPolicies }}
+{{- true }}
+{{- else -}}
+{{- false }}
+{{- end -}}
+{{- end -}}
+
+{{/* Set if a other policies are managed */}}
+{{- define "kyverno-policies.podSecurityOther" -}}
+{{- if has .name .Values.includeOtherPolicies }}
+{{- true }}
+{{- else -}}
+{{- false }}
+{{- end -}}
+{{- end -}}
+
+{{/* Get deployed Kyverno version from Kubernetes */}}
+{{- define "kyverno-policies.kyvernoVersion" -}}
+{{- $version := "" -}}
+{{- if eq .Values.kyvernoVersion "autodetect" }}
+{{- with (lookup "apps/v1" "Deployment" .Release.Namespace "kyverno") -}}
+  {{- with (first .spec.template.spec.containers) -}}
+    {{- $imageTag := (last (splitList ":" .image)) -}}
+    {{- $version = trimPrefix "v" $imageTag -}}
+  {{- end -}}
+{{- end -}}
+{{ $version }}
+{{- else -}}
+{{ .Values.kyvernoVersion }}
+{{- end -}}
+{{- end -}}
+
+{{/* Fail if deployed Kyverno does not match */}}
+{{- define "kyverno-policies.supportedKyvernoCheck" -}}
+{{- $supportedKyverno := index . "ver" -}}
+{{- $top := index . "top" }}
+{{- if (include "kyverno-policies.kyvernoVersion" $top) -}}
+  {{- if not ( semverCompare $supportedKyverno (include "kyverno-policies.kyvernoVersion" $top) ) -}}
+    {{- fail (printf "Kyverno version is too low, expected %s" $supportedKyverno) -}}
+  {{- end -}}
+{{- end -}}
+{{- end -}}

kyverno-policies/disallow-capabilities.yaml

@@ -0,0 +1,99 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-capabilities
+  annotations:
+    pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,StatefulSet,ReplicaSet,ReplicationController
+    policies.kyverno.io/title: Disallow Capabilities
+    policies.kyverno.io/category: Pod Security Standards (Baseline)
+    policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.6.0
+    policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      Adding capabilities beyond those listed in the policy must be disallowed.
+  labels: 
+    app.kubernetes.io/component: kyverno
+    app.kubernetes.io/instance: release-name
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: kyverno-policies
+    app.kubernetes.io/part-of: kyverno-policies
+    app.kubernetes.io/version: "3.1.3"
+    helm.sh/chart: kyverno-policies-3.1.3
+spec:
+  # validationFailureAction: Audit
+  validationFailureAction: audit
+  background: true
+  failurePolicy: Ignore
+  rules:
+    - name: adding-capabilities
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      exclude:
+        any:
+        - resources:
+            kinds:
+            - Pod
+            namespaces:
+            - datadog
+      preconditions:
+        all:
+        - key: "{{ request.operation || 'BACKGROUND' }}"
+          operator: NotEquals
+          value: DELETE
+      context:
+        - name: capabilities
+          variable:
+            value: ["AUDIT_WRITE","CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","MKNOD","NET_BIND_SERVICE","SETFCAP","SETGID","SETPCAP","SETUID","SYS_CHROOT"]
+      validate:
+        message: >-
+          Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
+          FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
+          are disallowed. Service mesh initContainers may additionally add NET_ADMIN and NET_RAW.          
+        foreach:
+          - list: request.object.spec.initContainers[]
+            preconditions:
+              all:
+              - key: "{{ element.image || '' }}"
+                operator: AnyIn
+                value:
+                - "*/istio/proxyv2*"
+              - key: "{{ element.securityContext.capabilities.add[] || `[]`  }}"
+                operator: AnyNotIn
+                value:
+                  - NET_ADMIN
+                  - NET_RAW
+                  - "{{ capabilities || '' }}"
+            deny:
+              conditions:
+                all:
+                - key: "{{ element.securityContext.capabilities.add[] || `[]`  }}"
+                  operator: AnyNotIn
+                  value: "{{ capabilities || '' }}"
+                  message: The service mesh initContainer {{ element.name }} is attempting to add forbidden capabilities.
+          - list: request.object.spec.initContainers[]
+            preconditions:
+              all:
+              - key: "{{ element.image || '' }}"
+                operator: AnyNotIn
+                value:
+                - "*/istio/proxyv2*"
+            deny:
+              conditions:
+                all:
+                - key: "{{ element.securityContext.capabilities.add[] || `[]`  }}"
+                  operator: AnyNotIn
+                  value: "{{ capabilities || '' }}"
+                  message: The initContainer {{ element.name }} is attempting to add forbidden capabilities.
+          - list: request.object.spec.[ephemeralContainers, containers][]
+            deny:
+              conditions:
+                all:
+                - key: "{{ element.securityContext.capabilities.add[] || `[]`  }}"
+                  operator: AnyNotIn
+                  value: "{{ capabilities || '' }}"
+                  message: The container {{ element.name }} is attempting to add forbidden capabilities.

kyverno-policies/disallow-host-namespaces.yaml

@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-host-namespaces
+  annotations:
+    policies.kyverno.io/title: Disallow Host Namespaces
+    policies.kyverno.io/category: Pod Security Standards (Baseline)
+    policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.6.0
+    kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
+      network namespace) allow access to shared information and can be used to elevate
+      privileges. Pods should not be allowed access to host namespaces. This policy ensures
+      fields which make use of these host namespaces are unset or set to `false`.
+  labels: 
+    app.kubernetes.io/component: kyverno
+    app.kubernetes.io/instance: release-name
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: kyverno-policies
+    app.kubernetes.io/part-of: kyverno-policies
+    app.kubernetes.io/version: "3.1.3"
+    helm.sh/chart: kyverno-policies-3.1.3
+spec:
+  validationFailureAction: Audit
+  background: true
+  failurePolicy: Ignore
+  rules:
+    - name: host-namespaces
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      validate:
+        message: >-
+          Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
+          spec.hostIPC, and spec.hostPID must be unset or set to `false`.
+        pattern:
+          spec:
+            =(hostPID): "false"
+            =(hostIPC): "false"
+            =(hostNetwork): "false"

kyverno-policies/disallow-host-path.yaml

@@ -0,0 +1,54 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-host-path
+  annotations:
+    policies.kyverno.io/title: Disallow hostPath
+    policies.kyverno.io/category: Pod Security Standards (Baseline)
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod,Volume
+    kyverno.io/kyverno-version: 1.6.0
+    kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.kyverno.io/description: >-
+      HostPath volumes let Pods use host directories and volumes in containers.
+      Using host resources can be used to access shared data or escalate privileges
+      and should not be allowed. This policy ensures no hostPath volumes are in use.
+  labels: 
+    app.kubernetes.io/component: kyverno
+    app.kubernetes.io/instance: release-name
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: kyverno-policies
+    app.kubernetes.io/part-of: kyverno-policies
+    app.kubernetes.io/version: "3.1.3"
+    helm.sh/chart: kyverno-policies-3.1.3
+spec:
+  validationFailureAction: Audit
+  validationFailureActionOverrides: 
+    - action: audit
+      namespaces:
+      - '{{ request.object.metadata.name }}'
+  background: true
+  failurePolicy: Ignore
+  rules:
+    - name: host-path
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      exclude:
+        any:
+        - resources:
+            kinds:
+            - Pod
+            namespaces:
+            - datadog
+            - kube-system
+      validate:
+        message: >-
+          HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.          
+        pattern:
+          =(spec):
+            =(volumes):
+            - =(hostPath):
+                path: "/var/run/datadog/"

kyverno-policies/disallow-host-ports.yaml

@@ -0,0 +1,50 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-host-ports
+  annotations:
+    policies.kyverno.io/title: Disallow hostPorts
+    policies.kyverno.io/category: Pod Security Standards (Baseline)
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    kyverno.io/kyverno-version: 1.6.0
+    kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.kyverno.io/description: >-
+      Access to host ports allows potential snooping of network traffic and should not be
+      allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
+      field is unset or set to `0`.
+  labels: 
+    app.kubernetes.io/component: kyverno
+    app.kubernetes.io/instance: release-name
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: kyverno-policies
+    app.kubernetes.io/part-of: kyverno-policies
+    app.kubernetes.io/version: "3.1.3"
+    helm.sh/chart: kyverno-policies-3.1.3
+spec:
+  validationFailureAction: Audit
+  background: true
+  failurePolicy: Ignore
+  rules:
+    - name: host-ports-none
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      validate:
+        message: >-
+          Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
+          , spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort
+          must either be unset or set to `0`.
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - =(ports):
+                  - =(hostPort): 0
+            =(initContainers):
+              - =(ports):
+                  - =(hostPort): 0
+            containers:
+              - =(ports):
+                  - =(hostPort): 0