diff --git a/kyverno-integration/README.md b/kyverno-integration/README.md
new file mode 100644
index 0000000..346484e
--- /dev/null
+++ b/kyverno-integration/README.md
@@ -0,0 +1,46 @@
+# Kyverno Stack
+
+Implementation of Kyverno for CNOE
+
+## Components
+
+The Stack installs `Kyverno` and optionally `Kyverno Pod Security Policies - Restricted` implementation. By default users should use:
+ - `module/audit` - for testing and understanding of the impact
+ - `module/enforce` - once the proper state of platform is understood and all necessary workload exceptions or violations have been accounted for.
+ - If you chose to enable `Enforce` mode. Exceptions for the following `ref-implementation` components are included, to ensure proper operability:
+ - [ArgoCD](modules/enforce/exceptions/argocd.yaml)
+ - [Crossplane](modules/enforce/exceptions/crossplane.yaml)
+ - [Backstage](modules/enforce/exceptions/backstage.yaml)
+ - [Ingress-Nginx](modules/enforce/exceptions/ingress-nginx.yaml)
+ - [Kind cluster](modules/enforce/exceptions/kind.yaml), this should mainly be needed when testing `ref-implementation` on a `kind` installation
+
+*NOTE* - enabling `Enforce` mode without prior testing will most likely cause issues for NEW workloads, already existing workloads will not be affected immediately, always start with `Audit` unless you are completely sure of the impact enabling blocking policies will have on your platform.
+
+## Installation
+
+You can use and test out this stack without using any policies, using the `ref-implementation` as follows:
+
+```bash
+idpbuilder create --use-path-routing \
+ -p https://github.com/cnoe-io/stacks//ref-implementation \
+ -p https://github.com/cnoe-io/stacks//kyverno-integration
+```
+
+Depending on your use case, install the Kubernetes PSS Policies in `Audit`, implemented in Kyverno as follows:
+
+```bash
+idpbuilder create --use-path-routing \
+ -p https://github.com/cnoe-io/stacks//ref-implementation \
+ -p https://github.com/cnoe-io/stacks//kyverno-integration \
+ -p https://github.com/cnoe-io/stacks//kyverno-integration/modules/audit
+```
+
+If you would like to change to `Enforce` mode:
+
+```bash
+idpbuilder create --use-path-routing \
+ -p https://github.com/cnoe-io/stacks//ref-implementation \
+ -p https://github.com/cnoe-io/stacks//kyverno-integration \
+ -p https://github.com/cnoe-io/stacks//kyverno-integration/modules/enforce
+```
+
diff --git a/kyverno-integration/kyverno.yaml b/kyverno-integration/kyverno.yaml
new file mode 100644
index 0000000..8816923
--- /dev/null
+++ b/kyverno-integration/kyverno.yaml
@@ -0,0 +1,31 @@
+kind: Application
+apiVersion: argoproj.io/v1alpha1
+metadata:
+ name: kyverno
+ namespace: argocd
+spec:
+ project: default
+ source:
+ chart: kyverno
+ repoURL: https://kyverno.github.io/kyverno/
+ targetRevision: 3.2.7
+ helm:
+ releaseName: kyverno
+ valuesObject:
+ kyverno.fullname: kyverno
+ destination:
+ server: "https://kubernetes.default.svc"
+ namespace: kyverno
+ syncPolicy:
+ syncOptions:
+ - Replace=true
+ - CreateNamespace=true
+ automated:
+ selfHeal: true
+ prune: true
+ retry:
+ limit: 30
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m0s
diff --git a/kyverno-integration/modules/audit/kyverno-pss-policies-audit.yaml b/kyverno-integration/modules/audit/kyverno-pss-policies-audit.yaml
new file mode 100644
index 0000000..4d38eb6
--- /dev/null
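Review bot: The `valuesObject` entry `kyverno.fullname: kyverno` in kyverno.yaml is a single literal key named "kyverno.fullname" — unlike `--set`, a values map is not dot-expanded, so the chart will most likely never read it and the setting silently does nothing. If the intent is to control the generated resource names, the conventional Helm value is `fullnameOverride: kyverno` (confirm against the chart's values.yaml before changing). If no override is needed, drop the `valuesObject` block so the Application does not carry a setting that reads as though it has an effect.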
+++ b/kyverno-integration/modules/audit/kyverno-pss-policies-audit.yaml
@@ -0,0 +1,33 @@
+kind: Application
+apiVersion: argoproj.io/v1alpha1
+metadata:
+ name: kyverno-pss-policies-audit
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/kyverno/kyverno
+ targetRevision: 3.2.7
+ path: charts/kyverno-policies
+ helm:
+ releaseName: "kyverno-policies"
+ parameters:
+ - name: "podSecurityStandard"
+ value: restricted
+ - name: "validationFailureAction"
+ value: Audit
+ - name: "podSecuritySeverity"
+ value: High
+ destination:
+ server: "https://kubernetes.default.svc"
+ syncPolicy:
+ syncOptions:
+ - Replace=true
+ automated:
+ selfHeal: true
+ retry:
+ limit: 30
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m0s
diff --git a/kyverno-integration/modules/enforce/exceptions/argocd.yaml b/kyverno-integration/modules/enforce/exceptions/argocd.yaml
new file mode 100644
index 0000000..b10e933
--- /dev/null
+++ b/kyverno-integration/modules/enforce/exceptions/argocd.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: argocd-cnoe-operation
+ namespace: kyverno
+spec:
+ exceptions:
+ - policyName: disallow-privilege-escalation
+ ruleNames:
+ - privilege-escalation
+ - autogen-privilege-escalation
+ - policyName: disallow-capabilities-strict
+ ruleNames:
+ - require-drop-all
+ - autogen-require-drop-all
+ - policyName: require-run-as-nonroot
+ ruleNames:
+ - run-as-non-root
+ - autogen-run-as-non-root
+ - policyName: restrict-seccomp-strict
+ ruleNames:
+ - check-seccomp-strict
+ - autogen-check-seccomp-strict
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ - Deployment
+ - ReplicaSet
+ namespaces:
+ - argocd
+ names:
+ # TODO: this should be more targeted than blanket *
+ - argocd-*
diff --git a/kyverno-integration/modules/enforce/exceptions/backstage.yaml b/kyverno-integration/modules/enforce/exceptions/backstage.yaml
new file mode 100644
index 0000000..5620a0e
--- /dev/null
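Review bot: The `match` block in argocd.yaml exempts every Pod, Deployment and ReplicaSet in the `argocd` namespace whose name matches `argocd-*` from the privilege-escalation, capabilities, non-root and seccomp rules, so any workload created in that namespace with a matching name inherits the exemption; the TODO on the `names` entry already acknowledges this, and backstage.yaml and crossplane.yaml carry the same pattern. A tighter match would key on what the component is rather than what it is called — a `selector` on the chart's own labels or a `subjects` entry for its service account — and limit `ruleNames` to the rules each component actually trips in Audit mode. Separately, the `kinds` list omits StatefulSet although kind.yaml includes it; if any excepted component is deployed that way (ArgoCD's application controller typically is), its autogen-* rules would still be enforced on the controller object.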
+++ b/kyverno-integration/modules/enforce/exceptions/backstage.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: backstage-cnoe-operation
+ namespace: kyverno
+spec:
+ exceptions:
+ - policyName: disallow-privilege-escalation
+ ruleNames:
+ - privilege-escalation
+ - autogen-privilege-escalation
+ - policyName: disallow-capabilities-strict
+ ruleNames:
+ - require-drop-all
+ - autogen-require-drop-all
+ - policyName: require-run-as-nonroot
+ ruleNames:
+ - run-as-non-root
+ - autogen-run-as-non-root
+ - policyName: restrict-seccomp-strict
+ ruleNames:
+ - check-seccomp-strict
+ - autogen-check-seccomp-strict
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ - Deployment
+ - ReplicaSet
+ namespaces:
+ - backstage
+ names:
+ # TODO: this should be more targeted than blanket *
+ - backstage*
diff --git a/kyverno-integration/modules/enforce/exceptions/crossplane.yaml b/kyverno-integration/modules/enforce/exceptions/crossplane.yaml
new file mode 100644
index 0000000..eaacbf3
--- /dev/null
+++ b/kyverno-integration/modules/enforce/exceptions/crossplane.yaml
@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: crossplane-system-cnoe-operation
+ namespace: kyverno
+spec:
+ exceptions:
+ - policyName: disallow-capabilities-strict
+ ruleNames:
+ - require-drop-all
+ - autogen-require-drop-all
+ - policyName: disallow-privilege-escalation
+ ruleNames:
+ - privilege-escalation
+ - autogen-privilege-escalation
+ - policyName: require-run-as-nonroot
+ ruleNames:
+ - run-as-non-root
+ - autogen-run-as-non-root
+ - policyName: restrict-seccomp-strict
+ ruleNames:
+ - check-seccomp-strict
+ - autogen-check-seccomp-strict
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ - Deployment
+ - ReplicaSet
+ namespaces:
+ - crossplane-system
+ names:
+ # TODO: this should be more targeted than blanket *
+ - crossplane*
+ - upbound-provider-*
diff --git a/kyverno-integration/modules/enforce/exceptions/ingress-nginx.yaml b/kyverno-integration/modules/enforce/exceptions/ingress-nginx.yaml
new file mode 100644
index 0000000..24ccaa7
--- /dev/null
+++ b/kyverno-integration/modules/enforce/exceptions/ingress-nginx.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: ingress-nginx-cnoe-operation
+ namespace: kyverno
+spec:
+ exceptions:
+ - policyName: disallow-host-ports
+ ruleNames:
+ - host-ports-none
+ - autogen-host-ports-none
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ - Deployment
+ - ReplicaSet
+ namespaces:
+ - ingress-nginx
+ names:
+ - ingress-nginx*
diff --git a/kyverno-integration/modules/enforce/exceptions/kind.yaml b/kyverno-integration/modules/enforce/exceptions/kind.yaml
new file mode 100644
index 0000000..6bb33ce
--- /dev/null
+++ b/kyverno-integration/modules/enforce/exceptions/kind.yaml
@@ -0,0 +1,66 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: system-cnoe-operation
+ namespace: kyverno
+spec:
+ exceptions:
+ - policyName: disallow-host-path
+ ruleNames:
+ - host-path
+ - autogen-host-path
+ - policyName: disallow-privilege-escalation
+ ruleNames:
+ - privilege-escalation
+ - autogen-privilege-escalation
+ - policyName: disallow-privileged-containers
+ ruleNames:
+ - privileged-containers
+ - autogen-privileged-containers
+ - policyName: disallow-capabilities-strict
+ ruleNames:
+ - require-drop-all
+ - autogen-require-drop-all
+ - adding-capabilities-strict
+ - autogen-adding-capabilities-strict
+ - adding-capabilities
+ - autogen-adding-capabilities
+ - policyName: disallow-capabilities
+ ruleNames:
+ - adding-capabilities
+ - autogen-adding-capabilities
+ - policyName: require-run-as-nonroot
+ ruleNames:
+ - run-as-non-root
+ - autogen-run-as-non-root
+ - policyName: restrict-seccomp-strict
+ ruleNames:
+ - check-seccomp-strict
+ - autogen-check-seccomp-strict
+ - policyName: restrict-volume-types
+ ruleNames:
+ - restricted-volumes
+ - autogen-restricted-volumes
+ - policyName: disallow-host-namespaces
+ ruleNames:
+ - host-namespaces
+ - autogen-host-namespaces
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ - Deployment
+ - ReplicaSet
+ - StatefulSet
+ - DaemonSet
+ namespaces:
+ - kube-system
+ - local-path-storage
+ names:
+ # TODO: this should be more targeted than blanket *
+ - kube-*
+ - kindnet*
+ - local-path*
+ - coredns*
+ - etcd-*
diff --git a/kyverno-integration/modules/enforce/kyverno-pss-exceptions.yaml b/kyverno-integration/modules/enforce/kyverno-pss-exceptions.yaml
new file mode 100644
index 0000000..dce95b4
--- /dev/null
+++ b/kyverno-integration/modules/enforce/kyverno-pss-exceptions.yaml
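Review bot: kind.yaml is applied on every Enforce install, not only on kind clusters: the exceptions Application in kyverno-pss-exceptions.yaml recurses over the whole `exceptions` directory, so the hostPath, privileged-container, host-namespace and capability exemptions for `kube-*`, `etcd-*`, `coredns*`, `kindnet*` and `local-path*` names in `kube-system`/`local-path-storage` stay active on any cluster, while the README describes this file as mainly needed for kind. Consider moving it to a separate opt-in directory, or at least documenting in the file header that it should be removed outside kind. Also, under `disallow-capabilities-strict` the `adding-capabilities` and `autogen-adding-capabilities` rule names appear to belong to the `disallow-capabilities` policy that is listed immediately after; if the strict policy has no rules by those names they are no-ops and should be dropped so the exception states exactly what it exempts.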
@@ -0,0 +1,26 @@
+kind: Application
+apiVersion: argoproj.io/v1alpha1
+metadata:
+ name: kyverno-pss-policies-enforce-exceptions
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: cnoe://exceptions
+ targetRevision: HEAD
+ path: "."
+ directory:
+ recurse: true
+ destination:
+ server: "https://kubernetes.default.svc"
+ syncPolicy:
+ syncOptions:
+ - Replace=true
+ automated:
+ selfHeal: true
+ retry:
+ limit: 30
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m0s
diff --git a/kyverno-integration/modules/enforce/kyverno-pss-policies-enforce.yaml b/kyverno-integration/modules/enforce/kyverno-pss-policies-enforce.yaml
new file mode 100644
index 0000000..8545a51
--- /dev/null
+++ b/kyverno-integration/modules/enforce/kyverno-pss-policies-enforce.yaml
@@ -0,0 +1,33 @@
+kind: Application
+apiVersion: argoproj.io/v1alpha1
+metadata:
+ name: kyverno-pss-policies-enforce
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/kyverno/kyverno
+ targetRevision: HEAD
+ path: charts/kyverno-policies
+ helm:
+ releaseName: "kyverno-policies"
+ parameters:
+ - name: "podSecurityStandard"
+ value: restricted
+ - name: "validationFailureAction"
+ value: Enforce
+ - name: "podSecuritySeverity"
+ value: High
+ destination:
+ server: "https://kubernetes.default.svc"
+ syncPolicy:
+ syncOptions:
+ - Replace=true
+ automated:
+ selfHeal: true
+ retry:
+ limit: 30
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m0s
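Review bot: `targetRevision: HEAD` in kyverno-pss-policies-enforce.yaml pulls `charts/kyverno-policies` from the tip of the upstream default branch, while the Audit counterpart pins `3.2.7`; combined with `automated.selfHeal: true`, any upstream change to the policy set lands in the cluster in blocking mode with no review step, and the enforced policies can drift from the `3.2.7` chart version installed by kyverno.yaml. Pin it to the same revision as the audit Application, `targetRevision: 3.2.7`, and bump both together. Neither policy Application sets `prune`, so a policy removed upstream would remain installed until deleted by hand; `prune: true` as in kyverno.yaml would keep the cluster state in step with the chart.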