diff --git a/charts/portefaix-cel/Chart.yaml b/charts/portefaix-cel/Chart.yaml
index 47cd3663..f1cce5ad 100644
--- a/charts/portefaix-cel/Chart.yaml
+++ b/charts/portefaix-cel/Chart.yaml
@@ -22,15 +22,19 @@ home: https://charts.portefaix.xyz icon: https://raw.githubusercontent.com/kubernetes/kubernetes/master/logo/logo.svg sources: - https://github.com/nlamirault/portefaix-hub/tree/master/charts/portefaix-cel -# kubeVersion: ">=1.30.0-0" type: application keywords: + - vap - cel - policies - portefaix -version: 2.0.0 +version: 2.1.0 appVersion: v1.30.0 +dependencies: +- name: crds + version: "0.0.0" + maintainers: - name: nlamirault email: nicolas.lamirault@gmail.com
diff --git a/charts/portefaix-cel/charts/crds/Chart.yaml b/charts/portefaix-cel/charts/crds/Chart.yaml
new file mode 100644
index 00000000..785d4099
--- /dev/null
+++ b/charts/portefaix-cel/charts/crds/Chart.yaml
@@ -0,0 +1,4 @@
+---
+apiVersion: v2
+name: crds
+version: 0.0.0
\ No newline at end of file
diff --git a/charts/portefaix-cel/charts/crds/templates/policy.portefaix.xyz_registryconfiguration.yaml b/charts/portefaix-cel/charts/crds/templates/policy.portefaix.xyz_registryconfiguration.yaml
new file mode 100644
index 00000000..4839799a
--- /dev/null
+++ b/charts/portefaix-cel/charts/crds/templates/policy.portefaix.xyz_registryconfiguration.yaml
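Review bot: The commented `# kubeVersion: ">=1.30.0-0"` is deleted rather than enabled, while the same commit adds `admissionregistration.k8s.io/v1` ValidatingAdmissionPolicy objects and keeps `appVersion: v1.30.0`; restoring `kubeVersion: ">=1.30.0-0"` lets Helm refuse the install up front instead of failing mid-apply on an older API server. The new `crds` dependency carries no `condition`, so operators who manage CRDs out of band cannot skip the subchart; `condition: crds.enabled` with a matching default in values.yaml is the usual shape, and pinning `"0.0.0"` on both sides is fine for a file-based subchart but worth a one-line comment so nobody tries to resolve it from a repository. As a nit, the new charts/crds/Chart.yaml is added without a trailing newline (see the `\ No newline at end of file` marker).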
@@ -0,0 +1,45 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ admission.kubernetes.io/is-policy-configuration-definition: "true"
+ {{- with .Values.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: registryconfiguration.policy.portefaix.xyz
+spec:
+ group: policy.portefaix.xyz
+ names:
+ kind: RegistryConfiguration
+ plural: registryconfigurations
+ singular: registryconfiguration
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ RegistryConfiguration configures the Portefaix policy concerning public registries and untrusted registries
+ type: object
+ properties:
+ spec:
+ description: |-
+ RegistryConfigurationSpec is a specification of the desired behavior of the
+ Registry Configuration configuration.
+ type: object
+ properties:
+ publicRegistries:
+ description: |-
+ List of authorized public registries
+ items:
+ type: string
+ type: array
+ untrustedRegistries:
+ description: |-
+ List of untrusted registries
+ items:
+ type: string
+ type: array
+ served: true
+ storage: true
+ scope: Cluster
diff --git a/charts/portefaix-cel/templates/_helpers.tpl b/charts/portefaix-cel/templates/_helpers.tpl
index 5b048966..d2e4506d 100644
--- a/charts/portefaix-cel/templates/_helpers.tpl
+++ b/charts/portefaix-cel/templates/_helpers.tpl
@@ -49,7 +49,6 @@ helm.sh/chart: {{ include "portefaix-cel.chart" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
-app.kubernetes.io/component: policy-controller
 app.kubernetes.io/part-of: {{ include "portefaix-cel.name" . }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- if .Values.additionalLabels }}
@@ -66,4 +65,4 @@ Allow the release namespace to be overridden
 {{- else -}}
 {{- .Release.Namespace -}}
 {{- end -}}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
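Review bot: The `openAPIV3Schema` marks nothing as `required`, so a `RegistryConfiguration` with an empty or missing `spec` is accepted by the API server, and a policy that later reads `params.spec.untrustedRegistries` fails at evaluation time (or, under Warn/Audit actions, quietly stops enforcing) instead of the bad parameter object being rejected on write. Adding `required: [spec]` next to the top-level `type: object` and `required: [untrustedRegistries]` under `spec` closes that gap; an `x-kubernetes-validations` rule on the item strings (non-empty, no URL scheme) would be a reasonable follow-up. Because this CRD is shipped under the subchart's `templates/` rather than `crds/`, Helm treats it as a regular resource, which makes it upgradable but also means a CR in the same release is not guaranteed to wait for the CRD to be established; that trade-off deserves a comment at the top of the file.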
diff --git a/charts/portefaix-cel/templates/policy-C0001.yaml b/charts/portefaix-cel/templates/policy-C0001.yaml
index 2720fb8e..66a31dc3 100644
--- a/charts/portefaix-cel/templates/policy-C0001.yaml
+++ b/charts/portefaix-cel/templates/policy-C0001.yaml
@@ -21,6 +21,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 {{- include "portefaix-cel.labels" . | nindent 4 }}
+ app.kubernetes.io/component: policy
 name: c0001.container.portefaix.xyz
 spec:
 matchConstraints:
@@ -51,9 +52,10 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 {{- include "portefaix-cel.labels" . | nindent 4 }}
+ app.kubernetes.io/component: policy
 name: c0001.container.portefaix.xyz
 spec:
 policyName: c0001.container.portefaix.xyz
 validationActions:
 {{- toYaml .Values.policies.c0001.validationActions | nindent 2 }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/portefaix-cel/templates/policy-C0002.yaml b/charts/portefaix-cel/templates/policy-C0002.yaml
index 4803b905..4eaba78a 100644
--- a/charts/portefaix-cel/templates/policy-C0002.yaml
+++ b/charts/portefaix-cel/templates/policy-C0002.yaml
@@ -21,6 +21,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 {{- include "portefaix-cel.labels" . | nindent 4 }}
+ app.kubernetes.io/component: policy
 name: c0002.container.portefaix.xyz
 spec:
 failurePolicy: Fail
@@ -54,9 +55,10 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 {{- include "portefaix-cel.labels" . | nindent 4 }}
+ app.kubernetes.io/component: policy
 name: c0002.container.portefaix.xyz
 spec:
 policyName: c0002.container.portefaix.xyz
 validationActions:
 {{- toYaml .Values.policies.c0002.validationActions | nindent 2 }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/portefaix-cel/templates/policy-C0003.yaml b/charts/portefaix-cel/templates/policy-C0003.yaml
index aa3bbc31..7494c8de 100644
--- a/charts/portefaix-cel/templates/policy-C0003.yaml
+++ b/charts/portefaix-cel/templates/policy-C0003.yaml
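Review bot: The `app.kubernetes.io/component: policy` literal is repeated after the `portefaix-cel.labels` include in every policy-*.yaml hunk (C0001 through N0001 here, and the new P0001), right as the commit removes the component label from the shared helper in _helpers.tpl, so the value now lives in a dozen places instead of one. A dedicated helper, for example `{{- define "portefaix-cel.policyLabels" -}}` that emits the common labels plus the component line, keeps it in one spot and makes the next rename a one-line change. If `.Values.additionalLabels` (which the helper appears to merge, per the _helpers.tpl context) ever carries the same key, the literal line also yields a duplicate key in the rendered manifest, which strict YAML parsers reject. The binding hunk in each file is identical in this respect, so one fix covers both.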
@@ -21,6 +21,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 {{- include "portefaix-cel.labels" . | nindent 4 }}
+ app.kubernetes.io/component: policy
 name: c0003.container.portefaix.xyz
 spec:
 failurePolicy: Fail
@@ -54,9 +55,10 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 {{- include "portefaix-cel.labels" . | nindent 4 }}
+ app.kubernetes.io/component: policy
 name: c0003.container.portefaix.xyz
 spec:
 policyName: c0003.container.portefaix.xyz
 validationActions:
 {{- toYaml .Values.policies.c0003.validationActions | nindent 2 }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/portefaix-cel/templates/policy-C0008.yaml b/charts/portefaix-cel/templates/policy-C0008.yaml
index c4d97179..d1d01e7c 100644
--- a/charts/portefaix-cel/templates/policy-C0008.yaml
+++ b/charts/portefaix-cel/templates/policy-C0008.yaml
@@ -21,6 +21,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 {{- include "portefaix-cel.labels" . | nindent 4 }}
+ app.kubernetes.io/component: policy
 name: c0008.container.portefaix.xyz
 spec:
 failurePolicy: Fail
@@ -77,9 +78,10 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 {{- include "portefaix-cel.labels" . | nindent 4 }}
+ app.kubernetes.io/component: policy
 name: c0008.container.portefaix.xyz
 spec:
 policyName: c0008.container.portefaix.xyz
 validationActions:
 {{- toYaml .Values.policies.c0008.validationActions | nindent 2 }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/portefaix-cel/templates/policy-M0001.yaml b/charts/portefaix-cel/templates/policy-M0001.yaml
index 617ac661..e55e2831 100644
--- a/charts/portefaix-cel/templates/policy-M0001.yaml
+++ b/charts/portefaix-cel/templates/policy-M0001.yaml
@@ -21,6 +21,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 {{- include "portefaix-cel.labels" . | nindent 4 }}
+ app.kubernetes.io/component: policy
 name: m0001.metadata.portefaix.xyz
 spec:
 failurePolicy: Fail
@@ -61,9 +62,10 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 {{- include "portefaix-cel.labels" . | nindent 4 }}
+ app.kubernetes.io/component: policy
 name: m0001.container.portefaix.xyz
 spec:
 policyName: m0001.container.portefaix.xyz
 validationActions:
 {{- toYaml .Values.policies.m0001.validationActions | nindent 2 }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/portefaix-cel/templates/policy-M0002.yaml b/charts/portefaix-cel/templates/policy-M0002.yaml
index ea5a4047..5956e2cb 100644
--- a/charts/portefaix-cel/templates/policy-M0002.yaml
+++ b/charts/portefaix-cel/templates/policy-M0002.yaml
@@ -21,6 +21,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 {{- include "portefaix-cel.labels" . | nindent 4 }}
+ app.kubernetes.io/component: policy
 name: m0002.metadata.portefaix.xyz
 spec:
 failurePolicy: Fail
@@ -60,9 +61,10 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 {{- include "portefaix-cel.labels" . | nindent 4 }}
+ app.kubernetes.io/component: policy
 name: m0002.container.portefaix.xyz
 spec:
 policyName: m0002.container.portefaix.xyz
 validationActions:
 {{- toYaml .Values.policies.m0002.validationActions | nindent 2 }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/portefaix-cel/templates/policy-M0003.yaml b/charts/portefaix-cel/templates/policy-M0003.yaml
index c387edf8..286241b4 100644
--- a/charts/portefaix-cel/templates/policy-M0003.yaml
+++ b/charts/portefaix-cel/templates/policy-M0003.yaml
@@ -21,6 +21,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 {{- include "portefaix-cel.labels" . | nindent 4 }}
+ app.kubernetes.io/component: policy
 name: m0003.metadata.portefaix.xyz
 spec:
 failurePolicy: Fail
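Review bot: The binding in this hunk sets `policyName: m0001.container.portefaix.xyz`, but the policy defined in the first hunk of this file is named `m0001.metadata.portefaix.xyz`; unless a policy by the `container` name exists elsewhere in the chart, the binding references nothing and M0001 is deployed without ever being enforced. The same pattern is visible in policy-M0002.yaml and policy-M0003.yaml (`m000x.metadata` vs `m000x.container`) and in policy-N0001.yaml (`n0001.namespace` vs `n0001.container`), while the C00xx files keep both names aligned. This predates the commit, but since these lines are already being touched, `policyName: m0001.metadata.portefaix.xyz` (and the binding's own `name` to match) is a one-line fix per file; a chart test that renders the templates and asserts every binding's `policyName` matches a rendered policy would catch this class of drift.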
@@ -55,9 +56,10 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 {{- include "portefaix-cel.labels" . | nindent 4 }}
+ app.kubernetes.io/component: policy
 name: m0003.container.portefaix.xyz
 spec:
 policyName: m0003.container.portefaix.xyz
 validationActions:
 {{- toYaml .Values.policies.m0003.validationActions | nindent 2 }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/portefaix-cel/templates/policy-N0001.yaml b/charts/portefaix-cel/templates/policy-N0001.yaml
index 7fd9478b..560276a6 100644
--- a/charts/portefaix-cel/templates/policy-N0001.yaml
+++ b/charts/portefaix-cel/templates/policy-N0001.yaml
@@ -21,6 +21,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 {{- include "portefaix-cel.labels" . | nindent 4 }}
+ app.kubernetes.io/component: policy
 name: n0001.namespace.portefaix.xyz
 spec:
 failurePolicy: Fail
@@ -50,9 +51,10 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 {{- include "portefaix-cel.labels" . | nindent 4 }}
+ app.kubernetes.io/component: policy
 name: n0001.container.portefaix.xyz
 spec:
 policyName: n0001.container.portefaix.xyz
 validationActions:
 {{- toYaml .Values.policies.n0001.validationActions | nindent 2 }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/portefaix-cel/templates/policy-P0001.yaml b/charts/portefaix-cel/templates/policy-P0001.yaml
new file mode 100644
index 00000000..67db740f
--- /dev/null
+++ b/charts/portefaix-cel/templates/policy-P0001.yaml
@@ -0,0 +1,77 @@
+# Copyright (C) Nicolas Lamirault
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{{- if .Values.policies.p0001.enabled }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ {{- include "portefaix-cel.labels" . | nindent 4 }}
+ app.kubernetes.io/component: policy
+ name: p0001.pod.portefaix.xyz
+spec:
+ failurePolicy: Fail
+ paramKind:
+ apiVersion: kubescape.io/v1
+ kind: ControlConfiguration
+ matchConstraints:
+ resourceRules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["pods"]
+ - apiGroups: ["apps"]
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["deployments","replicasets","daemonsets","statefulsets"]
+ - apiGroups: ["batch"]
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["jobs","cronjobs"]
+ validations:
+ - expression: "object.kind != 'Pod' || object.spec.containers.all(container, params.settings.untrustedRegistries.all(registry,!container.image.startsWith(registry)))"
+ message: "Pods uses an image from a forbidden registry"
+ - expression: "['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container, params.settings.untrustedRegistries.all(registry,!container.image.startsWith(registry)))"
+ message: "Workloads uses an image from a forbidden registry"
+ - expression: 
"object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container, params.settings.untrustedRegistries.all(registry,!container.image.startsWith(registry)))"
+ message: "CronJob uses an image from a forbidden registry"
+ auditAnnotations:
+ - key: "container-forbidden-registry"
+ valueExpression: "Trust registry is required"
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ {{- include "portefaix-cel.labels" . | nindent 4 }}
+ app.kubernetes.io/component: policy
+ name: p0001.pod.portefaix.xyz
+spec:
+ policyName: p0001.container.portefaix.xyz
+ validationActions:
+ {{- toYaml .Values.policies.p0001.validationActions | nindent 2 }}
+{{- end }}
+---
+apiVersion: policy.portefaix.xyz/v1
+kind: RegistryConfiguration
+metadata:
+ labels:
+ {{- include "portefaix-cel.labels" . | nindent 4 }}
+ app.kubernetes.io/component: policy
+ name: parameters-p0001
+spec:
+ {{- toYaml .Values.policies.p0001.params | nindent 2 }}
diff --git a/charts/portefaix-cel/values.yaml b/charts/portefaix-cel/values.yaml
index 53209c66..6dc8a31d 100644
--- a/charts/portefaix-cel/values.yaml
+++ b/charts/portefaix-cel/values.yaml
@@ -75,4 +75,16 @@ policies: validationActions: - Warn - Audit -
+ # -- Authorized registry
+ p0001:
+ enabled: true
+ validationActions:
+ - Warn
+ - Audit
+ params:
+ publicRegistries:
+ - ghcr.io
+ - public.ecr.aws
+ - docker.io
+ untrustedRegistries:
+ - quay.io
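Review bot: The binding on the new side points at `policyName: p0001.container.portefaix.xyz` while the policy it sits next to is named `p0001.pod.portefaix.xyz`, and it carries no `paramRef` even though the policy declares `paramKind`, so as written the policy is either never bound or is evaluated with null `params` and, under `failurePolicy: Fail`, rejects every matched workload instead of checking registries. The parameter plumbing is inconsistent as well: `paramKind` names `kubescape.io/v1 ControlConfiguration`, the object rendered at the bottom is `policy.portefaix.xyz/v1 RegistryConfiguration`, and the expressions read `params.settings.untrustedRegistries` where the CRD schema and values put the list under `spec.untrustedRegistries`. The CronJob expression walks `object.spec.jobTemplate.spec.containers`, but a JobTemplateSpec keeps containers under `spec.template.spec`, and none of the three expressions look at `initContainers` or `ephemeralContainers`, so an init container from a listed registry is not flagged. `auditAnnotations[].valueExpression` must be a CEL expression, so the bare sentence should become a string literal, `valueExpression: "'Trust registry is required'"`; and the `RegistryConfiguration` object is rendered after `{{- end }}`, i.e. even when `policies.p0001.enabled` is false, which looks unintended and also makes a disabled policy depend on the crds subchart. A corrected excerpt follows; whether Helm applies the CR before the subchart's CRD is established is worth an install test, since CRDs shipped under `templates/` are not pre-installed the way `crds/` is.
```yaml
spec:
  failurePolicy: Fail
  paramKind:
    apiVersion: policy.portefaix.xyz/v1
    kind: RegistryConfiguration
  # … unchanged: matchConstraints …
  validations:
    - expression: "object.kind != 'Pod' || (object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : [])).all(container, params.spec.untrustedRegistries.all(registry, !container.image.startsWith(registry)))"
      message: "Pod uses an image from a forbidden registry"
    - expression: "['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || (object.spec.template.spec.containers + (has(object.spec.template.spec.initContainers) ? object.spec.template.spec.initContainers : [])).all(container, params.spec.untrustedRegistries.all(registry, !container.image.startsWith(registry)))"
      message: "Workload uses an image from a forbidden registry"
    - expression: "object.kind != 'CronJob' || (object.spec.jobTemplate.spec.template.spec.containers + (has(object.spec.jobTemplate.spec.template.spec.initContainers) ? object.spec.jobTemplate.spec.template.spec.initContainers : [])).all(container, params.spec.untrustedRegistries.all(registry, !container.image.startsWith(registry)))"
      message: "CronJob uses an image from a forbidden registry"
  auditAnnotations:
    - key: "container-forbidden-registry"
      valueExpression: "'Trust registry is required'"
# … unchanged: binding apiVersion, kind and metadata …
spec:
  policyName: p0001.pod.portefaix.xyz
  paramRef:
    name: parameters-p0001
    parameterNotFoundAction: Deny
  validationActions:
    {{- toYaml .Values.policies.p0001.validationActions | nindent 2 }}
# … unchanged: RegistryConfiguration object, now placed before the closing end of the enabled guard …
```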
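Review bot: `params.publicRegistries` is introduced here but nothing in the new policy-P0001.yaml reads it — its CEL expressions consult only `untrustedRegistries` — so the `ghcr.io`/`public.ecr.aws`/`docker.io` list is dead configuration that suggests an allowlist which does not exist. Either drop the key or add the allowlist validation it implies; an allowlist is also the stronger control, since a denylist only catches registries someone thought to name. Note that prefix matching against `docker.io` never matches the common unqualified form (`nginx:1.25`), so an allowlist would have to reject or normalise unqualified references. The `# -- Authorized registry` comment describes the unused key rather than what the policy enforces; `# -- Image registry policy (P0001): images from untrustedRegistries are flagged` would match the behaviour.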