add required values and exceptions for pss policies (#383)

* add required values and exceptions for pss policies * update nancy-ingore
giantswarm · Jul 6, 2023 · c3aebd0 · c3aebd0
1 parent eb45e0f
commit c3aebd0
Show file tree

Hide file tree

Showing 5 changed files with 63 additions and 0 deletions.
diff --git a/.nancy-ignore b/.nancy-ignore
@@ -12,3 +12,8 @@ sonatype-2022-0204 until=2024-02-01
 
 sonatype-2022-6522  until=2024-02-01
 CVE-2020-8561   
+
+#pkg:golang/github.com/gin-gonic/gin@v1.7.7(indirect)
+CVE-2023-26125
+CVE-2023-29401
+
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Added required values for pss policies.
+- Added pss exceptions for volumes and ports.
+
 ### Removed
 
 - Stop pushing to `openstack-app-collection`.

diff --git a/helm/etcd-backup-operator/templates/pss-exceptions.yaml b/helm/etcd-backup-operator/templates/pss-exceptions.yaml
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+  name: {{ include "resource.default.name" . }}-exceptions
+  namespace: {{ include "resource.default.namespace" . }}
+spec:
+  exceptions:
+  - policyName: disallow-host-namespaces
+    ruleNames:
+    - host-namespaces 
+    - autogen-host-namespaces
+  - policyName: disallow-host-path
+    ruleNames:
+    - host-path
+    - autogen-host-path
+  - policyName: restrict-volume-types
+    ruleNames:
+    - restricted-volumes
+    - autogen-restricted-volumes
+  - policyName: require-run-as-nonroot 
+    ruleNames:
+    - run-as-non-root 
+    - autogen-run-as-non-root
+  match:
+    any:
+    - resources:
+        kinds:
+        - Deployment
+        - Pod
+        namespaces:
+        - {{ include "resource.default.namespace" . }}
+        names:
+        - {{ include "resource.default.name" . }}*
diff --git a/helm/etcd-backup-operator/values.schema.json b/helm/etcd-backup-operator/values.schema.json
@@ -140,13 +140,29 @@
         "securityContext": {
             "type": "object",
             "properties": {
+                "allowPrivilegeEscalation": {
+                    "type": "boolean",
+                    "default": false
+                },
                 "seccompProfile": {
                     "type": "object",
                     "properties": {
                         "type": {
                             "type": "string"
                         }
                     }
+                },
+                "capabilities":{
+                    "type": "object",
+                    "properties": {
+                        "drop": {
+                            "type": "array",
+                            "items": {
+                                "type": "string"
+                            },
+                            "default": ["ALL"]
+                        }
+                    }
                 }
             }
         },

diff --git a/helm/etcd-backup-operator/values.yaml b/helm/etcd-backup-operator/values.yaml
@@ -56,8 +56,12 @@ podSecurityContext:
 
 # Add seccomp to container security context
 securityContext:
+  allowPrivilegeEscalation: false
   seccompProfile:
     type: RuntimeDefault
+  capabilities:
+    drop:
+    - ALL
 
 # Set a password to enable backup encryption
 etcdBackupEncryptionPassword: ""