Merge branch 'twistlock-root' into 'master'

Twistlock Defenders: Kyverno Policy exception for run as non-root Closes platform-one/big-bang/apps/security-tools/twistlock#28 See merge request platform-one/big-bang/bigbang!1653

Merge branch 'twistlock-root' into 'master'
881e6d40 · Micah Nagel · c0d87d3f · 2a04b13f · 881e6d40
Commit 881e6d40 authored 2 years ago by Micah Nagel
--- a/chart/templates/kyverno/policies/values.yaml
+++ b/chart/templates/kyverno/policies/values.yaml
@@ -182,7 +182,7 @@ policies:

  require-non-root-group:
    validationFailureAction: audit
-    {{- if $deployRestic }}
+    {{- if or $deployRestic .Values.twistlock.enabled }}
    exclude:
      any:
      {{- if $deployRestic }}
@@ -193,12 +193,23 @@ policies:
          - velero
          names:
          - restic*
-        {{- end }}
+      {{- end }}
+      {{- if .Values.twistlock.enabled }}
+      # Twistlock Defenders run as root to perform real time scanning on the nodes/cluster, including:
+      # - read logs from `/var/log` to watch for malicious processes
+      # - audit modifications to `/etc/passwd` (watching for suspicious changes)
+      # - access the container runtime socket (observing all running containers on a node)
+      - resources:
+          namespaces:
+          - twistlock
+          names:
+          - twistlock-defender-ds*
+      {{- end }}
    {{- end }}

  require-non-root-user:
    validationFailureAction: audit
-    {{- if $deployRestic }}
+    {{- if or $deployRestic .Values.twistlock.enabled }}
    exclude:
      any:
      {{- if $deployRestic }}
@@ -209,7 +220,19 @@ policies:
          - velero
          names:
          - restic*
-        {{- end }}
+      {{- end }}
+      {{- if .Values.twistlock.enabled }}
+      # Twistlock Defenders run as root to perform real time scanning on the nodes/cluster, including:
+      # - read logs from `/var/log` to watch for malicious processes
+      # - audit modifications to `/etc/passwd` (watching for suspicious changes)
+      # - access the container runtime socket (observing all running containers on a node)
+      - resources:
+          namespaces:
+          - twistlock
+          names:
+          - twistlock-defender-ds*
+      {{- end }}
+
    {{- end }}

  {{- if .Values.twistlock.enabled }}