Compare revisions

Dustin Hilgaertner · Blane Staskiewicz · Blane Staskiewicz · Chris Harden · Robert Massey · Robert Massey
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,22 @@
 Format: [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)

 ---
+## [3.0.4-bb.7] - 2023-11-01
+### Changed
+- Fixed test for ClusterPolicy automountserviceaccounttoken 
+
+## [3.0.4-bb.6] - 2023-10-31
+### Changed
+- Default ClusterPolicy automountserviceaccounttoken to disabled 
+
+## [3.0.4-bb.5] - 2023-10-27
+### Changed
+- Added ClusterPolicy to disable automountserviceaccounttoken on the serviceaccounts and enable on the pods
+
+## [3.0.4-bb.4] - 2023-10-25
+### Changed
+- Removed exceptions for Kyverno Reporter, Gitlab Runners, and Gitlab Shared Secrets (moved to bigbang repo) 
+
 ## [3.0.4-bb.3] - 2023-10-22
 ### Changed
 - ironbank/opensource/kubernetes/kubectl updated from 1.27.3 to v1.28.3 

--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
 # Contributing

+Thanks for contributing to this repository!
+
+If you are coming from `repo1.dso.mil` and have an account at `login.dso.mil` please keep reading. If you are coming from or looking for the [project on Github](https://github.com/DoD-Platform-One) and wanting to make a Pull Request without a `dso.mil` account please see the last bullet [External Github Contributions](https://repo1.dso.mil/big-bang/bigbang/-/blob/master/CONTRIBUTING.md?ref_type=heads#community-contributions-to-dod-platform-one-via-github).
+
 This repository uses the following conventions:

 * [Semantic Versioning](https://semver.org/)
@@ -7,6 +11,7 @@ This repository uses the following conventions:
 * [Conventional Commits](https://www.conventionalcommits.org/)
 * [Policy Naming Guide](./docs/naming.md)
 * Scripted framework for testing.  See the [Testing Documentation](./docs/testing.md) for details.
+* [External Github Contributions](https://repo1.dso.mil/big-bang/bigbang/-/blob/master/CONTRIBUTING.md?ref_type=heads#community-contributions-to-dod-platform-one-via-github)

 Development requires the following tools


--- a/README.md
+++ b/README.md
 # kyverno-policies

-![Version: 3.0.4-bb.3](https://img.shields.io/badge/Version-3.0.4--bb.3-informational?style=flat-square) ![AppVersion: v1.10.3](https://img.shields.io/badge/AppVersion-v1.10.3-informational?style=flat-square)
+![Version: 3.0.4-bb.7](https://img.shields.io/badge/Version-3.0.4--bb.7-informational?style=flat-square) ![AppVersion: v1.10.3](https://img.shields.io/badge/AppVersion-v1.10.3-informational?style=flat-square)

 Collection of Kyverno security and best-practice policies for Kyverno

@@ -72,7 +72,7 @@ helm install kyverno-policies chart/
 | policies.disallow-nodeport-services | object | `{"enabled":true,"validationFailureAction":"Audit"}` | Prevent services of the type NodePort |
 | policies.disallow-pod-exec | object | `{"enabled":false,"validationFailureAction":"Audit"}` | Prevent the use of `exec` or `attach` on pods |
 | policies.disallow-privilege-escalation | object | `{"enabled":true,"validationFailureAction":"Enforce"}` | Prevent privilege escalation on pods |
-| policies.disallow-auto-mount-service-account-token | object | `{"enabled":true,"exclude":{"any":[{"resources":{"kinds":["Pod"],"names":["gitlab-shared-secrets*"],"namespaces":["gitlab"]}},{"resources":{"kinds":["ServiceAccount"],"names":["gitlab-runner"],"namespaces":["gitlab-runner"]}},{"resources":{"kinds":["Pod","Deployment"],"names":["kyverno-reporter*"],"namespaces":["kyverno-reporter"]}}]},"validationFailureAction":"Audit"}` | Prevent Automounting of Kubernetes API Credentials on Pods and Service Accounts |
+| policies.disallow-auto-mount-service-account-token | object | `{"enabled":true,"validationFailureAction":"Audit"}` | Prevent Automounting of Kubernetes API Credentials on Pods and Service Accounts |
 | policies.disallow-privileged-containers | object | `{"enabled":true,"validationFailureAction":"Enforce"}` | Prevent containers that run as privileged |
 | policies.disallow-selinux-options | object | `{"enabled":true,"parameters":{"disallow":["user","role"]},"validationFailureAction":"Enforce"}` | Prevent specified SELinux options from being used on pods. |
 | policies.disallow-selinux-options.parameters.disallow | list | `["user","role"]` | List of selinux options that are not allowed.  Valid values include `level`, `role`, `type`, and `user`. Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards |
@@ -135,6 +135,7 @@ helm install kyverno-policies chart/
 | policies.update-image-registry | object | `{"enabled":false,"parameters":{"update":[]}}` | Updates an existing image registry with a new registry in containers (e.g. proxy) |
 | policies.update-image-registry.parameters.update | list | `[]` | List of registry updates.  `from` contains the registry to replace. `to` contains the new registry to use. |
 | policies.update-token-automount | object | `{"enabled":false}` | Updates automount token on default service accounts to false |
+| policies.update-automountserviceaccounttokens | object | `{"enabled":false}` | TODO: drive a separate policy to disable the default serviceAccounts based on these namespaces |
 | additionalPolicies | object | `{"samplePolicy":{"annotations":{"policies.kyverno.io/category":"Examples","policies.kyverno.io/description":"This sample policy blocks pods from deploying into the 'default' namespace.","policies.kyverno.io/severity":"low","policies.kyverno.io/subject":"Pod","policies.kyverno.io/title":"Sample Policy"},"enabled":false,"kind":"ClusterPolicy","namespace":"","spec":{"rules":[{"match":{"any":[{"resources":{"kinds":["Pods"]}}]},"name":"sample-rule","validate":{"message":"Using 'default' namespace is not allowed.","pattern":{"metadata":{"namespace":"!default"}}}}]}}}` | Adds custom policies.  See https://kyverno.io/docs/writing-policies/. |
 | additionalPolicies.samplePolicy | object | `{"annotations":{"policies.kyverno.io/category":"Examples","policies.kyverno.io/description":"This sample policy blocks pods from deploying into the 'default' namespace.","policies.kyverno.io/severity":"low","policies.kyverno.io/subject":"Pod","policies.kyverno.io/title":"Sample Policy"},"enabled":false,"kind":"ClusterPolicy","namespace":"","spec":{"rules":[{"match":{"any":[{"resources":{"kinds":["Pods"]}}]},"name":"sample-rule","validate":{"message":"Using 'default' namespace is not allowed.","pattern":{"metadata":{"namespace":"!default"}}}}]}}` | Name of the policy.  Addtional policies can be added by adding a key. |
 | additionalPolicies.samplePolicy.enabled | bool | `false` | Controls policy deployment |

--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: kyverno-policies
-version: 3.0.4-bb.3
+version: 3.0.4-bb.7
 appVersion: v1.10.3
 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
 description: Collection of Kyverno security and best-practice policies for Kyverno

--- a/chart/templates/update-automountserviceaccounttokens.yaml
+++ b/chart/templates/update-automountserviceaccounttokens.yaml
+{{- $name := "update-automountserviceaccounttokens" }}
+{{- if and .Values.enabled (dig $name "enabled" false .Values.policies) }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: {{ $name }}
+  annotations:
+    policies.kyverno.io/title: Disable automountServiceAccountToken
+    policies.kyverno.io/category: Other, EKS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: ServiceAccount
+    kyverno.io/kyverno-version: 1.6.0
+    policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kubernetes-version: "1.21"
+    policies.kyverno.io/description: >-
+      By default, Kubernetes automatically provisions a service account when creating a Pod
+      and mounts the account’s secret token within the Pod at runtime. Many containerized
+      applications do not require direct access to the service account as Kubernetes
+      orchestration occurs transparently in the background. If an application is compromised,
+      account tokens in Pods can be gleaned by cyber actors and used to further compromise
+      the cluster. 
+      
+      When an application does not need to access the service account directly,
+      Kubernetes administrators should ensure that Pod specifications disable the secret
+      token being mounted. 
+
+      This policy contains two rules, one that applies to the serviceaccount to disable 
+      automounting the token and another rule that applies to the pod that will 
+      override the serviceaccount setting because the pod truly needs access to the API.
+      
+      NOTE that the default serviceaccount is not included here and must mutated differently
+spec:
+  rules:
+  - name: disables-serviceaccounts
+    match:
+      any:
+      {{- range $v := (dig $name "namespaces" nil .Values.policies) }}
+      - resources:
+          kinds:
+          - ServiceAccount
+          namespaces:
+          - {{ .namespace }}
+          names:
+          {{- range .serviceAccounts }}
+          - {{ . }}
+          {{- end }}
+      {{- end }}
+    mutate:
+      patchStrategicMerge:
+        automountServiceAccountToken: false
+  - name: enable-pods
+    match:
+      any:
+      {{- range $v := (dig $name "namespaces" nil .Values.policies) }}
+      - resources:
+          kinds:
+          - Pod
+          namespaces:
+          - {{ .namespace }}
+          names:
+          {{- range .pods }}
+          - {{ . }}
+          {{- end }}
+      {{- end }}
+    mutate:
+      patchStrategicMerge:
+        spec:
+          automountServiceAccountToken: true
+
+---
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+  name: disable-automountserviceaccounttokens-exceptions
+  namespace: kyverno
+spec:
+  exceptions:
+  - policyName: disallow-auto-mount-service-account-token
+    ruleNames:
+    - automount-pods
+  match:
+    any:
+    {{- range $v := (dig $name "namespaces" nil .Values.policies) }}
+    - resources:
+        kinds:
+        - Pod
+        - Deployment
+        namespaces:
+        - {{ .namespace }}
+        names:
+        {{- range .pods }}
+        - {{ . }}
+        {{- end }}
+    {{- end }}
+{{- end -}}
+
--- a/chart/templates/wait-for-ready/job.yaml
+++ b/chart/templates/wait-for-ready/job.yaml
@@ -42,4 +42,4 @@ spec:
          configMap:
            name: {{ template "kyverno-policies.name" . }}-wait-for-ready
      restartPolicy: Never
-{{- end }}
\ No newline at end of file
+{{- end }}
--- a/chart/tests/manifests/update-automountserviceaccounttokens.yaml
+++ b/chart/tests/manifests/update-automountserviceaccounttokens.yaml
+# Test 1: Default service accounts are mutated
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: update-automountserviceaccounttokens-2
+# namespace: default
+  annotations:
+    kyverno-policies-bbtest/type: mutate
+    kyverno-policies-bbtest/expected: mutate
+    kyverno-policies-bbtest/kind: ServiceAccount
+    kyverno-policies-bbtest/name: update-token-automount-2
+    kyverno-policies-bbtest/namespace: update-automountserviceaccounttokens-2
+    kyverno-policies-bbtest/key: .automountServiceAccountToken
+    kyverno-policies-bbtest/value: "false"
+---
+# Test 2: Non-default service accounts are not mutated
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: false
+metadata:
+  name: update-token-automount-2
+  namespace: update-automountserviceaccounttokens-2
+  annotations:
+    kyverno-policies-bbtest/type: mutate
+    kyverno-policies-bbtest/expected: ignore
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -171,30 +171,6 @@ policies:
  disallow-auto-mount-service-account-token:
    enabled: true
    validationFailureAction: Audit
-    exclude:
-      any:
-      - resources:
-          namespaces:
-          - gitlab
-          kinds:
-          - Pod
-          names:
-          - gitlab-shared-secrets*
-      - resources:
-          namespaces:
-          - gitlab-runner
-          kinds:
-          - ServiceAccount
-          names:
-          - gitlab-runner
-      - resources:
-          namespaces:
-          - kyverno-reporter 
-          kinds:
-          - Pod
-          - Deployment
-          names:
-          - kyverno-reporter*

  # -- Prevent containers that run as privileged
  disallow-privileged-containers:
@@ -529,6 +505,26 @@ policies:
  update-token-automount:
    enabled: false

+  # -- For each namespace provide a list of serviceAccounts to disable automounting their tokens 
+  # -- as volumes on the pods. 
+  # -- List pods to explictly enable mounting the serviceaccount token
+  # -- TODO: drive a separate policy to disable the default serviceAccounts based on these namespaces
+  update-automountserviceaccounttokens:
+    enabled: false
+#   namespaces:
+#     - namespace: istio-system
+#       serviceAccounts:
+#       - istiod
+#       pods:
+#       - istiod-*
+#     - namespace: istio-operator
+#       serviceAccounts:
+#       - istio-operator
+#       pods:
+#       - istiod-* 
+#       - istio-operator-*
+
+
 # -- Adds custom policies.  See https://kyverno.io/docs/writing-policies/.
 additionalPolicies:
  # -- Name of the policy.  Addtional policies can be added by adding a key.
@@ -588,3 +584,5 @@ bbtests:
      - name: "kyverno-policies-bbtest-kube-cache"
        emptyDir: {}
  imagePullSecret: private-registry
+   
+
--- a/tests/test-values.yaml
+++ b/tests/test-values.yaml
@@ -195,3 +195,10 @@ policies:
        to: registry1.dso.mil
  update-token-automount:
    enabled: true
+  update-automountserviceaccounttokens:
+    enabled: true
+    namespaces:
+      - namespace: update-automountserviceaccounttokens-2
+        serviceAccounts:
+        - update-token-automount-2
+
No results found