[Parent Epic] Kyverno Policy Enforcement
Ref: [New epic](https://repo1.dso.mil/groups/big-bang/-/epics/578) replacing this epic.
[P1BIGROCKS-1783](https://jira.il2.dso.mil/browse/P1BIGROCKS-1783)
Replacement for https://repo1.dso.mil/groups/platform-one/big-bang/-/epics/79
Big Bang policies should be set up to follow best practices for Kubernetes clusters.
Documentation of items: https://confluence.il4.dso.mil/display/BB/Kyverno+Policies
## Best Practices References
- [Kubernetes Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/)
- [OPA Gatekeeper Policy Library](https://github.com/open-policy-agent/gatekeeper-library/tree/master/library)
- [Kyverno Policy Library](https://github.com/kyverno/policies)
- [NSA/CISA Kubernetes Hardening Guide](https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF)
- [CIS Kubernetes Benchmark v1.6](https://github.com/cismirror/old-benchmarks-archive/blob/master/CIS_Kubernetes_Benchmark_v1.6.0.pdf)
- [Kubesec Policies](https://kubesec.io/basics/)
- [DoD DevSecOps Enterprise Container Image Creation and Deployment Guide](https://dl.dod.cyber.mil/wp-content/uploads/devsecops/pdf/DevSecOps_Enterprise_Container_Image_Creation_and_Deployment_Guide_2.6-Public-Release.pdf) - Section 3
- [Kubescape Controls](https://hub.armo.cloud/docs/controls)
## Policy Requirements
Each policy should meet the following requirements to be considered complete:
- Policy violations logged to logging stack (EFK or PLG)
- Key policy parameters are controlled by values (e.g. exceptions, allowed/disallowed lists, limits/ranges)
- Description and usage are documented
- Templatized in Kyverno policy repo
- Default values are in line with best practices
- Big Bang overrides values so that the policy can be deployed without violations in any package
- Unit tests validate policy functionality
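As an added illustration of the requirements above (example content written for this page, not a policy taken from the Big Bang or Kyverno policy repos): a rendered Kyverno ClusterPolicy that blocks the mutable `latest` tag, with comments marking which fields a chart would normally source from values, followed by constructed test resources and a Kyverno CLI test manifest that checks one compliant and one violating Pod. The file names, resource names, registry name and the `cli.kyverno.io/v1alpha1` test format are assumptions.

```yaml
# Added example: rendered Kyverno ClusterPolicy (not Big Bang's own policy).
# --- file: disallow-latest-tag.yaml (assumed file name) ---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
  annotations:
    policies.kyverno.io/title: Disallow Latest Tag
    policies.kyverno.io/description: >-
      The ':latest' tag is mutable and can lead to unexpected behaviour if the
      image changes. Use an immutable tag or a digest instead.
spec:
  # "audit" only records violations in policy reports and logs; "enforce"
  # rejects the request. A chart would source this from a value so a package
  # can be rolled out in audit mode first (assumed value name).
  validationFailureAction: enforce
  background: true
  rules:
    - name: require-image-tag
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              # Exception list; a chart would source this from a value.
              namespaces:
                - kube-system
      validate:
        message: "An image tag is required."
        # Caveat: "*:*" only requires a colon somewhere in the image string,
        # so a registry with a port and no tag also matches; require a digest
        # ("*@sha256:*") where a stricter rule is wanted.
        pattern:
          spec:
            containers:
              - image: "*:*"
    - name: validate-image-tag
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
      validate:
        message: "Using a mutable image tag 'latest' is not allowed."
        pattern:
          spec:
            containers:
              - image: "!*:latest"
---
# --- file: resources.yaml (constructed test inputs) ---
apiVersion: v1
kind: Pod
metadata:
  name: pinned-pod
spec:
  containers:
    - name: app
      image: registry.example.invalid/app:1.2.3
---
apiVersion: v1
kind: Pod
metadata:
  name: latest-pod
spec:
  containers:
    - name: app
      image: registry.example.invalid/app:latest
---
# --- file: kyverno-test.yaml (Kyverno CLI test; run `kyverno test .` in the directory) ---
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
  name: disallow-latest-tag
policies:
  - disallow-latest-tag.yaml
resources:
  - resources.yaml
results:
  - policy: disallow-latest-tag
    rule: validate-image-tag
    kind: Pod
    resources:
      - pinned-pod
    result: pass
  - policy: disallow-latest-tag
    rule: validate-image-tag
    kind: Pod
    resources:
      - latest-pod
    result: fail
```

The `validate-image-tag` rule accepts `pinned-pod` and rejects `latest-pod`; in `audit` mode the same outcome appears as a failed result in the namespace's PolicyReport, which is what the logging stack would pick up for the "violations logged" requirement.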
## Priority List
### High
- [x] No `latest` tags
- [x] Allowed repos (limited to Iron Bank)
- [x] [Pod Security Standards (Baseline)](https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline)
  - [x] <s>Host Process</s> (Windows only)
  - [x] Host Namespaces
  - [x] Privileged Containers
  - [x] Host Path Volumes
  - [x] Host Ports
  - [x] AppArmor
  - [x] SELinux
  - [x] Proc Mount
  - [x] Seccomp
  - [x] Sysctls
- [x] Policies related to vulnerabilities (e.g. external IPs, subpath volumes)
- [ ] [Pod Security Standards (Restricted)](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted)
  - [x] Volume Types
  - [x] Privilege Escalation (&134)
  - [x] Run as Non-root (&204)
  - [x] Non-root user (&204)
  - [x] Seccomp (&132)
  - [x] Capabilities (&136)
- [ ] Verify signature of images (if available)
### Medium
- [x] Disallow Pods in Namespaces (e.g. default, bigbang) (&139)
- [ ] Require Istio on Namespace (&137)
- [ ] Disallow Istio pod bypass
- [ ] Disallow additional roles on default service account
- [ ] Disallow tolerations on certain taints
- [ ] Require non-root group (&205)
- [ ] Require CPU and memory limits (&128)
- [x] Restrict hostPaths to specific directories (&126)
- [x] Require read only hostPath (&126)
- [x] Disallow nodeport services (&135)
### Low
- [ ] Disallow exec/attach into Pod
- [ ] Read Only Root Filesystem (&131)
- [ ] Limit CPU and Memory settings to avoid extremely large values (&130)
- [ ] Warn on deprecated APIs
- [ ] Require requests = limits on critical components
- [ ] Restrict UID and Group ID to > 1000 (&127)
- [ ] Turn off token automount for default service accounts
- [ ] Warn when pods don't have probes (&133)