diff --git a/README.md b/README.md index f70542ee..42c90532 100644 --- a/README.md +++ b/README.md @@ -48,6 +48,30 @@ Part of how the operator works is the [skyhook-agent](agent/README.md). Packages └── config.json ``` +## Example Kyverno Policy + +This repository includes an example Kyverno policy that demonstrates how to restrict the images that can be used in Skyhook packages. While this is not a complete policy, it serves as a template that end users can modify to fit their security needs. + +The policy prevents the creation of Skyhook resources that contain packages with restricted image patterns. Specifically, it blocks: +- Images containing 'shellscript:' anywhere in the image name +- Images from Docker Hub (matching 'docker.io/*') + +If you are going to use kyverno make sure to turn on the creation of the skyhook-viewer-role in the values file for the operator. (rbac.createSkyhookViewerRole: true) and then bind kyverno to that role. Example policy: +``` +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno-skyhook-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: skyhook-viewer-role +subjects: +- kind: ServiceAccount + name: kyverno-reports-controller + namespace: kyverno +``` + ## [Skyhook-Operator](operator/README.md) The operator is a kbuernetes operator that monitors cluster events and coordinates the installation and lifecycle of Skyhook packages. diff --git a/kyverno/README.md b/kyverno/README.md new file mode 100644 index 00000000..c6ddbfa7 --- /dev/null +++ b/kyverno/README.md 
@@ -0,0 +1,75 @@ +# Skyhook Kyverno Policies + +This directory contains example [Kyverno](https://kyverno.io/) policies for Skyhook. These policies can be used to enforce security and best practices for Skyhook packages. + +## Prerequisites + +Before applying any policies, you need to have Kyverno installed in your cluster. You can install it using one of the following methods: + +### Helm Installation (Recommended) + +```bash +helm repo add kyverno https://kyverno.github.io/kyverno/ +helm install kyverno kyverno/kyverno -n kyverno --create-namespace +``` + +### Manual Installation + +```bash +kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno/main/definitions/install.yaml +``` + +## Available Policies + +### Restrict Package Images +The `disable_packages.yaml` policy demonstrates how to restrict which container images can be used in Skyhook packages. This is particularly useful for: +- Preventing the use of potentially dangerous images (e.g., those containing shell scripts) +- Enforcing the use of approved container registries +- Maintaining security standards across your cluster + +To apply the policy: + +```bash +kubectl apply -f disable_packages.yaml +``` + +The policy will prevent the creation of Skyhook resources that contain packages with restricted image patterns. Currently, it blocks: +- Images containing 'shellscript' anywhere in the image name +- Images from Docker Hub (matching 'docker.io/*') + +## Testing the Policy + +You can test the policy by trying to create a Skyhook resource with a restricted image. 
For example: + +```yaml +apiVersion: skyhook.nvidia.com/v1alpha1 +kind: Skyhook +metadata: + labels: + app.kubernetes.io/part-of: skyhook-operator + app.kubernetes.io/created-by: skyhook-operator + name: test-scr +spec: + packages: + shellscript: + configMap: + config.sh: |- + #!/bin/bash + echo "hello" + image: shellscript + version: 1.3.2 + + # This will be blocked by the policy +``` + +The creation will be denied with an appropriate error message. + +## Customizing Policies + +The example policies are templates that you can modify to fit your security needs. Common customizations include: +- Adding additional restricted image patterns +- Modifying the validation rules +- Adjusting the failure action (warn vs enforce) + +See the [Kyverno documentation](https://kyverno.io/docs/) for more details on policy customization. + diff --git a/kyverno/disable_packages.yaml b/kyverno/disable_packages.yaml new file mode 100644 index 00000000..a2c33384 --- /dev/null +++ b/kyverno/disable_packages.yaml 
@@ -0,0 +1,38 @@ +# This is an example to show how to restrict the images that can be used in a Skyhook package. +# It is not a complete policy and it is expected end users will alter rules to fit their security needs. +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-skyhook-images + annotations: + policies.kyverno.io/title: Restrict Skyhook Package Images + policies.kyverno.io/category: Security + policies.kyverno.io/severity: medium + policies.kyverno.io/description: >- + This policy prevents the creation of Skyhook resources that contain packages with + restricted image patterns. Specifically, it blocks images containing 'shellscript' + and images coming from docker hub. +spec: + validationFailureAction: Enforce + background: true + rules: + - name: validate-package-images + match: + any: + - resources: + kinds: + - Skyhook + operations: + - CREATE + - UPDATE + validate: + message: "Package image matches restricted pattern. Images containing 'shellscript' or starting with 'docker.io/' are not allowed." + deny: + conditions: + any: + - key: "{{ regex_match('nvcr.io/nvidian/swgpu-baseos/shellscript', '{{request.object.spec.packages.*.image}}' ) }}" + operator: Equals + value: true + - key: "{{ regex_match('docker.io/.*', '{{request.object.spec.packages.*.image}}' ) }}" + operator: Equals + value: true diff --git a/kyverno/skyhook-viewer-binding.yaml b/kyverno/skyhook-viewer-binding.yaml new file mode 100644 index 00000000..3f0ee809 --- /dev/null +++ b/kyverno/skyhook-viewer-binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno-skyhook-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: skyhook-viewer-role +subjects: +- kind: ServiceAccount + name: kyverno-reports-controller + namespace: kyverno \ No newline at end of file
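Review bot: In the README.md hunk, the bullet "Images containing 'shellscript:' anywhere in the image name" (with a colon) does not agree with the kyverno/README.md wording ('shellscript', no colon) or with the policy itself, which matches the literal path `nvcr.io/nvidian/swgpu-baseos/shellscript` rather than any image containing that word; pick one description and use it in all three places. Two smaller points in the same hunk: the `Example policy:` fence has no language tag (the repo's other fences use ```bash / ```yaml, so ```yaml here), and the ClusterRoleBinding is pasted verbatim even though the same patch adds it as `kyverno/skyhook-viewer-binding.yaml`; a link to that file avoids the two copies drifting apart. Since the hunk title is "Example Kyverno Policy" but the block shown is an RBAC binding, consider retitling it "Kyverno integration" or pointing at `kyverno/disable_packages.yaml` for the actual policy.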
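Review bot: In the kyverno/README.md hunk, the "Testing the Policy" example will not be denied by the policy as written: the manifest uses `image: shellscript`, but the rule's first condition is `regex_match('nvcr.io/nvidian/swgpu-baseos/shellscript', ...)`, which requires the full nvcr.io path, and `shellscript` carries no `docker.io/` prefix, so the second condition does not fire either. Either change the example to an image the policy actually rejects or broaden the policy pattern, and state in "The creation will be denied with an appropriate error message." what that message is (the `validate.message` text), so readers can confirm the rejection came from this policy. The manual install command `kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno/main/definitions/install.yaml` tracks the unpinned `main` branch; recommending a tagged release (as the Helm path effectively does) keeps the admission controller from changing underneath a cluster.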
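Review bot: In the disable_packages.yaml hunk, the deny conditions do not implement what the annotation and `message` promise. The description says it "blocks images containing 'shellscript'", yet the first key is `regex_match('nvcr.io/nvidian/swgpu-baseos/shellscript', ...)`, a fixed registry path, so any other image with `shellscript` in its name passes. The second key, `regex_match('docker.io/.*', ...)`, is unanchored with unescaped dots, so it also matches registries such as `notdocker.io/` and `mirror-docker.io/`, while it misses the common case the policy is meant to catch: an unqualified reference like `shellscript` or `ubuntu:22.04` carries no `docker.io/` prefix but is pulled from Docker Hub by default; consider `^(docker\.io/)?[^/]+(/[^/]+)?$` style patterns or, more robustly, an allow-list of approved registries with a deny for everything else. Both keys also pass `{{request.object.spec.packages.*.image}}` (a JMESPath projection over all packages, i.e. a list) into `regex_match`, which expects a single string; a `foreach` over `request.object.spec.packages` with a per-element check, or at least a comment explaining the intended substitution, would make the rule's behaviour predictable. Finally, `validationFailureAction: Enforce` together with `background: true` means existing Skyhook objects are also reported on; the README should mention that so operators are not surprised by report entries after install.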
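Review bot: In the skyhook-viewer-binding.yaml hunk, the file ends without a trailing newline (`\ No newline at end of file`); add one for consistency with the other YAML files. The binding grants `skyhook-viewer-role` only to `kyverno-reports-controller` in namespace `kyverno`; since the policy sets `background: true`, confirm which Kyverno controller performs the background scan of existing Skyhook resources in the installed version and bind that service account as well if it differs, otherwise background reports will silently lack Skyhook results. A comment at the top of the file stating why this binding exists (the policy reads Skyhook objects, which are a custom resource Kyverno is not granted by default) and the Helm value it depends on (`rbac.createSkyhookViewerRole: true`) would keep it self-explanatory when applied on its own.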