open-policy-agent · starlightromero · Sep 7, 2023 · Sep 7, 2023 · Sep 13, 2023
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
@@ -0,0 +1,11 @@
+apiVersion: v1
+description: A Helm chart for Gatekeeper Library Constraint Templates
+name: gatekeeper-library-constraint-templates
+icon: https://open-policy-agent.github.io/gatekeeper/website/img/logo.svg
+keywords:
+  - open policy agent
+version: 1.0.0
+home: https://open-policy-agent.github.io/gatekeeper-library
+sources:
+  - https://github.com/open-policy-agent/gatekeeper-library.git
+appVersion: v1.0.0
@@ -0,0 +1,38 @@
+# Gatekeeper Library Constraint Templates
+
+[Gatekeeper Library](https://open-policy-agent.github.io/gatekeeper-library/website/) is a community-owned library of policies for the [OPA Gatekeeper project](https://open-policy-agent.github.io/gatekeeper/website/docs/). It consists of two main components: `Validation` and `Mutation`.
+
+This chart bootstraps [Gatekeeper Library](https://open-policy-agent.github.io/gatekeeper-library/website/) constraint templates on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Prerequisites
+
+- Kubernetes 1.19+
+- Helm 3.7+
+- Gatekeeper 3.9+
+
+## Get Repository Info
+
+```console
+helm repo add gatekeeper-library starlightromero/gatekeeper-library-crds
+helm repo update
+```
+
+_See [helm repository](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Install Chart
+
+```console
+helm install [RELEASE_NAME] starlightromero/gatekeeper-library-crds
+```
+
+_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
+
+## Uninstall Chart
+
+```console
+helm uninstall [RELEASE_NAME]
+```
+
+This removes all the Kubernetes components associated with the chart and deletes the release.
+
+_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._
@@ -0,0 +1,63 @@
+# https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/allowedrepos/template.yaml
+{{- if .Values.validation.allowedRepos.enabled }}
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8sallowedrepos
+  annotations:
+    metadata.gatekeeper.sh/title: "Allowed Repositories"
+    metadata.gatekeeper.sh/version: 1.0.0
+    meta.helm.sh/release-name: {{ .Release.Name }}
+    meta.helm.sh/release-namespace: {{ .Release.Namespace }}
+    description: >-
+      Requires container images to begin with a string from the specified list.
+{{- if .Values.annotations }}
+    {{ toYaml .Values.annotations | nindent 4 }}
+{{- end }}
+{{- if .Values.labels }}
+  labels:
+    app.kubernetes.io/managed-by: "Helm"
+    {{ toYaml .Values.labels | nindent 4 }}
+{{- end }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sAllowedRepos
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          type: object
+          properties:
+            repos:
+              description: The list of prefixes a container image is allowed to have.
+              type: array
+              items:
+                type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8sallowedrepos
+
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.containers[_]
+          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
+          not any(satisfied)
+          msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+        }
+
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.initContainers[_]
+          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
+          not any(satisfied)
+          msg := sprintf("initContainer <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+        }
+
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.ephemeralContainers[_]
+          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
+          not any(satisfied)
+          msg := sprintf("ephemeralContainer <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+        }
+{{- end }}
@@ -0,0 +1,63 @@
+# https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/block-endpoint-edit-default-role/template.yaml
+{{- if .Values.validation.blockEndpointEditDefaultRole.enabled }}
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8sblockendpointeditdefaultrole
+  annotations:
+    metadata.gatekeeper.sh/title: "Block Endpoint Edit Default Role"
+    metadata.gatekeeper.sh/version: 1.0.0
+    meta.helm.sh/release-name: {{ .Release.Name }}
+    meta.helm.sh/release-namespace: {{ .Release.Namespace }}
+    description: >-
+      Many Kubernetes installations by default have a system:aggregate-to-edit
+      ClusterRole which does not properly restrict access to editing Endpoints.
+      This ConstraintTemplate forbids the system:aggregate-to-edit ClusterRole
+      from granting permission to create/patch/update Endpoints.
+
+      ClusterRole/system:aggregate-to-edit should not allow
+      Endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice
+      permissions allow cross-Namespace forwarding,
+      https://github.com/kubernetes/kubernetes/issues/103675
+{{- if .Values.annotations }}
+    {{ toYaml .Values.annotations | nindent 4 }}
+{{- end }}
+{{- if .Values.labels }}
+  labels:
+    app.kubernetes.io/managed-by: "Helm"
+    {{ toYaml .Values.labels | nindent 4 }}
+{{- end }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sBlockEndpointEditDefaultRole
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8sblockendpointeditdefaultrole
+
+        violation[{"msg": msg}] {
+            input.review.object.metadata.name == "system:aggregate-to-edit"
+            endpointRule(input.review.object.rules[_])
+            msg := "ClusterRole system:aggregate-to-edit should not allow endpoint edit permissions. For k8s version < 1.22, the Cluster Role should be annotated with rbac.authorization.kubernetes.io/autoupdate=false to prevent autoreconciliation back to default permissions for this role."
+        }
+
+        endpointRule(rule) {
+            "endpoints" == rule.resources[_]
+            hasEditVerb(rule.verbs)
+        }
+
+        hasEditVerb(verbs) {
+            "create" == verbs[_]
+        }
+
+        hasEditVerb(verbs) {
+            "patch" == verbs[_]
+        }
+
+        hasEditVerb(verbs) {
+            "update" == verbs[_]
+        }
+{{- end }}
@@ -0,0 +1,40 @@
+# https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/block-loadbalancer-services/template.yaml
+{{- if .Values.validation.blockLoadBalancer.enabled }}
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8sblockloadbalancer
+  annotations:
+    metadata.gatekeeper.sh/title: "Block Services with type LoadBalancer"
+    metadata.gatekeeper.sh/version: 1.0.0
+    meta.helm.sh/release-name: {{ .Release.Name }}
+    meta.helm.sh/release-namespace: {{ .Release.Namespace }}
+    description: >-
+      Disallows all Services with type LoadBalancer.
+
+      https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
+{{- if .Values.annotations }}
+    {{ toYaml .Values.annotations | nindent 4 }}
+{{- end }}
+{{- if .Values.labels }}
+  labels:
+    app.kubernetes.io/managed-by: "Helm"
+    {{ toYaml .Values.labels | nindent 4 }}
+{{- end }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sBlockLoadBalancer
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8sblockloadbalancer
+
+        violation[{"msg": msg}] {
+          input.review.kind.kind == "Service"
+          input.review.object.spec.type == "LoadBalancer"
+          msg := "User is not allowed to create service of type LoadBalancer"
+        }
+{{- end }}
@@ -0,0 +1,40 @@
+# https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/block-nodeport-services/template.yaml
+{{- if .Values.validation.blockNodePort.enabled }}
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8sblocknodeport
+  annotations:
+    metadata.gatekeeper.sh/title: "Block NodePort"
+    metadata.gatekeeper.sh/version: 1.0.0
+    meta.helm.sh/release-name: {{ .Release.Name }}
+    meta.helm.sh/release-namespace: {{ .Release.Namespace }}
+    description: >-
+      Disallows all Services with type NodePort.
+
+      https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
+{{- if .Values.annotations }}
+    {{ toYaml .Values.annotations | nindent 4 }}
+{{- end }}
+{{- if .Values.labels }}
+  labels:
+    app.kubernetes.io/managed-by: "Helm"
+    {{ toYaml .Values.labels | nindent 4 }}
+{{- end }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sBlockNodePort
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8sblocknodeport
+
+        violation[{"msg": msg}] {
+          input.review.kind.kind == "Service"
+          input.review.object.spec.type == "NodePort"
+          msg := "User is not allowed to create service of type NodePort"
+        }
+{{- end }}
@@ -0,0 +1,48 @@
+# https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/block-wildcard-ingress/template.yaml
+{{- if .Values.validation.blockWildcardIngress.enabled }}
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8sblockwildcardingress
+  annotations:
+    metadata.gatekeeper.sh/title: "Block Wildcard Ingress"
+    metadata.gatekeeper.sh/version: 1.0.1
+    meta.helm.sh/release-name: {{ .Release.Name }}
+    meta.helm.sh/release-namespace: {{ .Release.Namespace }}
+    description: >-
+      Users should not be able to create Ingresses with a blank or wildcard (*) hostname since that would enable them to intercept traffic for other services in the cluster, even if they don't have access to those services.
+{{- if .Values.annotations }}
+    {{ toYaml .Values.annotations | nindent 4 }}
+{{- end }}
+{{- if .Values.labels }}
+  labels:
+    app.kubernetes.io/managed-by: "Helm"
+    {{ toYaml .Values.labels | nindent 4 }}
+{{- end }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sBlockWildcardIngress
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package K8sBlockWildcardIngress
+
+        contains_wildcard(hostname) = true {
+          hostname == ""
+        }
+
+        contains_wildcard(hostname) = true {
+          contains(hostname, "*")
+        }
+
+        violation[{"msg": msg}] {
+          input.review.kind.kind == "Ingress"
+          # object.get is required to detect omitted host fields
+          hostname := object.get(input.review.object.spec.rules[_], "host", "")
+          contains_wildcard(hostname)
+          msg := sprintf("Hostname '%v' is not allowed since it counts as a wildcard, which can be used to intercept traffic from other applications.", [hostname])
+        }
+{{- end }}