Merge pull request #22 from suhasgumma/C-0077
ValidatingAdmissionPolicy for C-0077
Showing
6 changed files
with
161 additions
and
0 deletions.
@@ -0,0 +1,61 @@ | ||
apiVersion: admissionregistration.k8s.io/v1alpha1 | ||
kind: ValidatingAdmissionPolicy | ||
metadata: | ||
name: "kubescape-c-0077-deny-resources-without-configured-list-of-k8s-common-labels-not-set" | ||
spec: | ||
failurePolicy: Fail | ||
paramKind: | ||
apiVersion: kubescape.io/v1 | ||
kind: ControlConfiguration | ||
matchConstraints: | ||
resourceRules: | ||
- apiGroups: [""] | ||
apiVersions: ["v1"] | ||
operations: ["CREATE", "UPDATE"] | ||
resources: ["pods"] | ||
- apiGroups: ["apps"] | ||
apiVersions: ["v1"] | ||
operations: ["CREATE", "UPDATE"] | ||
resources: ["deployments","replicasets","daemonsets","statefulsets"] | ||
- apiGroups: ["batch"] | ||
apiVersions: ["v1"] | ||
operations: ["CREATE", "UPDATE"] | ||
resources: ["jobs","cronjobs"] | ||
validations: | ||
- expression: > | ||
object.kind != 'Pod' || | ||
( | ||
has(object.metadata.labels) && | ||
!(object.metadata.labels.all(label, params.settings.k8sRecommendedLabels.all( | ||
labelInList, labelInList != label | ||
))) | ||
) | ||
message: "Pod doesn't have any k8s common label from the configured list! (see more at https://hub.armosec.io/docs/c-0077)" | ||
- expression: > | ||
['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || | ||
( | ||
has(object.metadata.labels) && | ||
!(object.metadata.labels.all(label, params.settings.k8sRecommendedLabels.all( | ||
labelInList, labelInList != label | ||
))) && | ||
has(object.spec.template.metadata) && | ||
has(object.spec.template.metadata.labels) && | ||
!(object.spec.template.metadata.labels.all(label, params.settings.k8sRecommendedLabels.all( | ||
labelInList, labelInList != label | ||
))) | ||
) | ||
message: "Workload or Pod in workload doesn't have any k8s common label from the configured list! (see more at https://hub.armosec.io/docs/c-0077)" | ||
- expression: > | ||
object.kind != 'CronJob' || | ||
( | ||
has(object.metadata.labels) && | ||
!(object.metadata.labels.all(label, params.settings.k8sRecommendedLabels.all( | ||
labelInList, labelInList != label | ||
))) && | ||
has(object.spec.jobTemplate.metadata) && | ||
has(object.spec.jobTemplate.metadata.labels) && | ||
!(object.spec.jobTemplate.metadata.labels.all(label, params.settings.k8sRecommendedLabels.all( | ||
labelInList, labelInList != label | ||
))) | ||
) | ||
message: "CronJob or Pod in workload doesn't have any k8s common label from the configured list! (see more at https://hub.armosec.io/docs/c-0077)" |
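Review bot: The CronJob rule at the end of this hunk checks `spec.jobTemplate.metadata.labels` but never `spec.jobTemplate.spec.template.metadata.labels`, so a CronJob whose pod template carries none of the configured labels is admitted and only the Jobs it later spawns get rejected by the second rule, which the message "CronJob or Pod in workload ..." does not reflect. The Deployment/Job rule validates both the workload and its pod template, so the CronJob rule should mirror it with one more conjunct on the pod template, as below. Separately, every expression dereferences `params.settings.k8sRecommendedLabels` unguarded; if a binding omits `paramRef` or the ControlConfiguration lacks that field, evaluation errors and `failurePolicy: Fail` turns that into a deny of every matched Pod and workload in scope — sound as fail-closed, but worth recording in a comment above `failurePolicy` (e.g. `# Fail closed: a missing/invalid ControlConfiguration rejects every matched object`) or guarding with `has(params.settings.k8sRecommendedLabels)`.
```yaml
# … unchanged: CronJob rule up to the jobTemplate.metadata.labels check …
        ))) &&
        has(object.spec.jobTemplate.spec.template.metadata) &&
        has(object.spec.jobTemplate.spec.template.metadata.labels) &&
        !(object.spec.jobTemplate.spec.template.metadata.labels.all(label, params.settings.k8sRecommendedLabels.all(
          labelInList, labelInList != label
        )))
      )
    message: "CronJob or Pod in workload doesn't have any k8s common label from the configured list! (see more at https://hub.armosec.io/docs/c-0077)"
```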
@@ -0,0 +1,45 @@ | ||
[ | ||
{ | ||
"name": "Pod without one of configured common labels is blocked", | ||
"template": "pod.yaml", | ||
"expected": "fail", | ||
"field_change_list": [ | ||
] | ||
}, | ||
{ | ||
"name": "Pod with label \"app.kubernetes.io/name\" is allowed", | ||
"template": "pod-for-list-items.yaml", | ||
"expected": "pass", | ||
"field_change_list": [ | ||
] | ||
}, | ||
{ | ||
"name": "Deployment and its PodSpec without one of configured common labels is blocked", | ||
"template": "deployment.yaml", | ||
"expected": "fail", | ||
"field_change_list": [ | ||
] | ||
}, | ||
{ | ||
"name": "Deployment with label \"app.kubernetes.io/name\" and its PodSpec without one of configured common labels is blocked", | ||
"template": "deployment-with-common-label-1.yaml", | ||
"expected": "fail", | ||
"field_change_list": [ | ||
] | ||
}, | ||
{ | ||
"name": "Deployment without one of configured common labels and its PodSpec with label \"app.kubernetes.io/name\" is blocked", | ||
"template": "deployment-with-common-label-2.yaml", | ||
"expected": "fail", | ||
"field_change_list": [ | ||
] | ||
}, | ||
{ | ||
"name": "Deployment and PodSpec with label \"app.kubernetes.io/name\" is allowed", | ||
"template": "deployment-for-list-items.yaml", | ||
"expected": "pass", | ||
"field_change_list": [ | ||
] | ||
} | ||
|
||
] |
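Review bot: The case list only exercises Pod and Deployment, while the policy matches ReplicaSet, DaemonSet, StatefulSet, Job and CronJob with separate expressions (the CronJob rule reads `spec.jobTemplate`), so the third rule and the Job branch of the second have no test at all. One `"expected": "fail"` and one `"expected": "pass"` entry per remaining kind, at minimum a CronJob pair, would catch a regression in those branches. All six entries also carry an empty `"field_change_list"`, so each scenario needs its own template file; if the harness applies field changes, the label-placement variants could be derived from `deployment.yaml` instead of two extra fixtures.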
@@ -0,0 +1,26 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: test-deployment | ||
labels: | ||
admission-policy-test: abc | ||
app.kubernetes.io/name: myApp | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: test-deployment | ||
template: | ||
metadata: | ||
labels: | ||
app: test-deployment | ||
spec: | ||
containers: | ||
- name: sleep | ||
image: alpine | ||
command: ["sudo","sh"] | ||
args: ["-c", "while true; do sleep 1; done"] | ||
securityContext: | ||
capabilities: | ||
add: | ||
- SYS_ADM |
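Review bot: This fixture, and the sibling in the next section (the variant with `app.kubernetes.io/name` on the pod template), carry settings unrelated to the label check: `command: ["sudo","sh"]` and `securityContext.capabilities.add: [SYS_ADM]`, presumably inherited from another control's fixture. They obscure what the case actually tests, and `SYS_ADM` is not the Linux capability spelling (`SYS_ADMIN`), so the container would most likely fail to start if the manifest were ever applied rather than only sent through admission. Drop `sudo` from the command and remove the `securityContext` block so a second policy active in the same test cluster cannot reject the fixture for a reason that has nothing to do with C-0077.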
@@ -0,0 +1,26 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: test-deployment | ||
labels: | ||
admission-policy-test: abc | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: test-deployment | ||
template: | ||
metadata: | ||
labels: | ||
app: test-deployment | ||
app.kubernetes.io/name: myApp | ||
spec: | ||
containers: | ||
- name: sleep | ||
image: alpine | ||
command: ["sudo","sh"] | ||
args: ["-c", "while true; do sleep 1; done"] | ||
securityContext: | ||
capabilities: | ||
add: | ||
- SYS_ADM |