
feat: Add generic Kyverno policy recommendation #328

Merged: 1 commit, Jun 13, 2023

Conversation

@Vyom-Yadav (Contributor) commented Jun 5, 2023

Signed-off-by: Vyom-Yadav jackhammervyom@gmail.com


This PR:

  • Adds a generic Kyverno policy recommendation feature to the karmor CLI.
  • Modifies the text and HTML reports for generic Kyverno policies.
Text Report

$ ./karmor recommend --policy KyvernoPolicy
INFO[0000] Found outdated version of policy-templates    Current Version=v0.1.9
INFO[0000] Downloading latest version [v0.2.2]          
INFO[0002] policy-templates updated                      Updated Version=v0.2.2
local port to be used for port forwarding discovery-engine-59c8bf8f7-sb975: 32877 
INFO[0002] Connected to discovery engine                
created policy out/default-nginx/nginx-restrict-automount-sa-token.yaml ...
created policy out/genericKyvernoPolicies/restrict-deprecated-registry.yaml ...
created policy out/genericKyvernoPolicies/prevent-cr8escape.yaml ...
created policy out/genericKyvernoPolicies/check-kernel-version.yaml ...
created policy out/genericKyvernoPolicies/restrict-ingress-defaultbackend.yaml ...
created policy out/genericKyvernoPolicies/restrict-nginx-ingress-annotations.yaml ...
created policy out/genericKyvernoPolicies/restrict-ingress-paths.yaml ...
created policy out/genericKyvernoPolicies/prevent-naked-pods.yaml ...
created policy out/genericKyvernoPolicies/restrict-wildcard-verbs.yaml ...
created policy out/genericKyvernoPolicies/restrict-wildcard-resources.yaml ...
created policy out/genericKyvernoPolicies/require-requests-limits.yaml ...
created policy out/genericKyvernoPolicies/require-pod-probes.yaml ...
created policy out/genericKyvernoPolicies/drop-cap-net-raw.yaml ...
output report in out/report.txt ...
  Deployment              | accuknox-agents/discovery-engine      
  Container               | accuknox/knoxautopolicy:dev           
  OS                      |                                       
  Arch                    |                                       
  Distro                  |                                       
  Output Directory        | out/accuknox-agents-discovery-engine  
  policy-template version | v0.1.9                                
+--------+------------+----------+--------+------+
| POLICY | SHORT DESC | SEVERITY | ACTION | TAGS |
+--------+------------+----------+--------+------+

  Deployment              | default/nginx      
  Container               | nginx              
  OS                      |                    
  Arch                    |                    
  Distro                  |                    
  Output Directory        | out/default-nginx  
  policy-template version | v0.1.9             
+------------------------------+--------------------------------+----------+--------+---------------------------+
|            POLICY            |           SHORT DESC           | SEVERITY | ACTION |           TAGS            |
+------------------------------+--------------------------------+----------+--------+---------------------------+
| nginx-restrict-automount-sa- | Restrict Auto-Mount of Service | -        | audit  | AUTOMOUNT_SERVICE_ACCOUNT |
| token.yaml                   | Account Tokens                 |          |        |                           |
+------------------------------+--------------------------------+----------+--------+---------------------------+

  Deployment              | kube-system/coredns                     
  Container               | registry.k8s.io/coredns/coredns:v1.9.3  
  OS                      |                                         
  Arch                    |                                         
  Distro                  |                                         
  Output Directory        | out/kube-system-coredns                 
  policy-template version | v0.1.9                                  
+------------------------------+--------------------------------+----------+--------+---------------------------+
|            POLICY            |           SHORT DESC           | SEVERITY | ACTION |           TAGS            |
+------------------------------+--------------------------------+----------+--------+---------------------------+

  Deployment              | kube-system/kubearmor-annotation-manager      
  Container               | gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0     
  OS                      |                                               
  Arch                    |                                               
  Distro                  |                                               
  Output Directory        | out/kube-system-kubearmor-annotation-manager  
  policy-template version | v0.1.9                                        
+------------------------------+--------------------------------+----------+--------+---------------------------+
|            POLICY            |           SHORT DESC           | SEVERITY | ACTION |           TAGS            |
+------------------------------+--------------------------------+----------+--------+---------------------------+

  Deployment              | kube-system/kubearmor-annotation-manager       
  Container               | kubearmor/kubearmor-annotation-manager:latest  
  OS                      |                                                
  Arch                    |                                                
  Distro                  |                                                
  Output Directory        | out/kube-system-kubearmor-annotation-manager   
  policy-template version | v0.1.9                                         
+------------------------------+--------------------------------+----------+--------+---------------------------+
|            POLICY            |           SHORT DESC           | SEVERITY | ACTION |           TAGS            |
+------------------------------+--------------------------------+----------+--------+---------------------------+

  Deployment              | kube-system/kubearmor-host-policy-manager      
  Container               | gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0      
  OS                      |                                                
  Arch                    |                                                
  Distro                  |                                                
  Output Directory        | out/kube-system-kubearmor-host-policy-manager  
  policy-template version | v0.1.9                                         
+------------------------------+--------------------------------+----------+--------+---------------------------+
|            POLICY            |           SHORT DESC           | SEVERITY | ACTION |           TAGS            |
+------------------------------+--------------------------------+----------+--------+---------------------------+

  Deployment              | kube-system/kubearmor-host-policy-manager       
  Container               | kubearmor/kubearmor-host-policy-manager:latest  
  OS                      |                                                 
  Arch                    |                                                 
  Distro                  |                                                 
  Output Directory        | out/kube-system-kubearmor-host-policy-manager   
  policy-template version | v0.1.9                                          
+------------------------------+--------------------------------+----------+--------+---------------------------+
|            POLICY            |           SHORT DESC           | SEVERITY | ACTION |           TAGS            |
+------------------------------+--------------------------------+----------+--------+---------------------------+

  Deployment              | kube-system/kubearmor-policy-manager       
  Container               | gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0  
  OS                      |                                            
  Arch                    |                                            
  Distro                  |                                            
  Output Directory        | out/kube-system-kubearmor-policy-manager   
  policy-template version | v0.1.9                                     
+------------------------------+--------------------------------+----------+--------+---------------------------+
|            POLICY            |           SHORT DESC           | SEVERITY | ACTION |           TAGS            |
+------------------------------+--------------------------------+----------+--------+---------------------------+

  Deployment              | kube-system/kubearmor-policy-manager       
  Container               | kubearmor/kubearmor-policy-manager:latest  
  OS                      |                                            
  Arch                    |                                            
  Distro                  |                                            
  Output Directory        | out/kube-system-kubearmor-policy-manager   
  policy-template version | v0.1.9                                     
+------------------------------+--------------------------------+----------+--------+---------------------------+
|            POLICY            |           SHORT DESC           | SEVERITY | ACTION |           TAGS            |
+------------------------------+--------------------------------+----------+--------+---------------------------+

  Deployment              | kube-system/kubearmor-relay              
  Container               | kubearmor/kubearmor-relay-server:latest  
  OS                      |                                          
  Arch                    |                                          
  Distro                  |                                          
  Output Directory        | out/kube-system-kubearmor-relay          
  policy-template version | v0.1.9                                   
+------------------------------+--------------------------------+----------+--------+---------------------------+
|            POLICY            |           SHORT DESC           | SEVERITY | ACTION |           TAGS            |
+------------------------------+--------------------------------+----------+--------+---------------------------+

  Generic Kyverno Policies  
+-----------------------------------+--------------------------------+----------+---------+---------------------------------+
|              POLICY               |           SHORT DESC           | SEVERITY | ACTION  |              TAGS               |
+-----------------------------------+--------------------------------+----------+---------+---------------------------------+
| restrict-deprecated-registry.yaml | Restrict Deprecated Registry   | -        | Enforce | RESTRICT_DEPRECATED_REGISTRY    |
|                                   |                                |          |         |                                 |
+-----------------------------------+--------------------------------+----------+---------+---------------------------------+
| prevent-cr8escape.yaml            | Prevent cr8escape              | -        | enforce | CVE-2022-0811                   |
|                                   | (CVE-2022-0811)                |          |         |                                 |
+-----------------------------------+--------------------------------+----------+---------+---------------------------------+
| check-kernel-version.yaml         | Check Node for CVE-2022-0185   | -        | audit   | CVE-2022-0185                   |
+-----------------------------------+--------------------------------+----------+---------+---------------------------------+
| restrict-ingress-                 | Restrict Ingress               | -        | audit   | RESTRICT_INGRESS_DEFAULTBACKEND |
| defaultbackend.yaml               | defaultBackend                 |          |         |                                 |
+-----------------------------------+--------------------------------+----------+---------+---------------------------------+
| restrict-nginx-ingress-           | Restrict NGINX Ingress         | -        | enforce | CVE-2021-25746                  |
| annotations.yaml                  | annotation values              |          |         |                                 |
+-----------------------------------+--------------------------------+----------+---------+---------------------------------+
| restrict-ingress-paths.yaml       | Restrict NGINX Ingress path    | -        | enforce | CVE-2021-25745                  |
|                                   | values                         |          |         |                                 |
+-----------------------------------+--------------------------------+----------+---------+---------------------------------+
| prevent-naked-pods.yaml           | Prevent Naked Pods             | -        | audit   | PREVENT_NAKED_PODS              |
+-----------------------------------+--------------------------------+----------+---------+---------------------------------+
| restrict-wildcard-verbs.yaml      | Restrict Wildcard in Verbs     | -        | audit   | RESTRICT_WILDCARD_VERBS         |
+-----------------------------------+--------------------------------+----------+---------+---------------------------------+
| restrict-wildcard-resources.yaml  | Restrict Wildcards in          | -        | audit   | RESTRICT_WILDCARD_RESOURCES     |
|                                   | Resources                      |          |         |                                 |
+-----------------------------------+--------------------------------+----------+---------+---------------------------------+
| require-requests-limits.yaml      | Require Limits and Requests    | -        | audit   | REQUIRE_REQUESTS_LIMITS         |
+-----------------------------------+--------------------------------+----------+---------+---------------------------------+
| require-pod-probes.yaml           | Require Pod Probes             | -        | audit   | REQUIRE_POD_PROBES              |
+-----------------------------------+--------------------------------+----------+---------+---------------------------------+
| drop-cap-net-raw.yaml             | Drop CAP_NET_RAW               | -        | audit   | DROP_CAP_NET_RAW                |
+-----------------------------------+--------------------------------+----------+---------+---------------------------------+


INFO[0003] Connection to discovery engine closed successfully! 

HTML Report

$ ./karmor recommend --policy KyvernoPolicy --report report.html
INFO[0000] Found outdated version of policy-templates    Current Version=v0.1.9
INFO[0000] Downloading latest version [v0.2.2]          
INFO[0002] policy-templates updated                      Updated Version=v0.2.2
local port to be used for port forwarding discovery-engine-59c8bf8f7-sb975: 32801 
INFO[0002] Connected to discovery engine                
created policy out/default-nginx/nginx-restrict-automount-sa-token.yaml ...
created policy out/genericKyvernoPolicies/restrict-deprecated-registry.yaml ...
created policy out/genericKyvernoPolicies/prevent-cr8escape.yaml ...
created policy out/genericKyvernoPolicies/check-kernel-version.yaml ...
created policy out/genericKyvernoPolicies/restrict-ingress-defaultbackend.yaml ...
created policy out/genericKyvernoPolicies/restrict-nginx-ingress-annotations.yaml ...
created policy out/genericKyvernoPolicies/restrict-ingress-paths.yaml ...
created policy out/genericKyvernoPolicies/prevent-naked-pods.yaml ...
created policy out/genericKyvernoPolicies/restrict-wildcard-verbs.yaml ...
created policy out/genericKyvernoPolicies/restrict-wildcard-resources.yaml ...
created policy out/genericKyvernoPolicies/require-requests-limits.yaml ...
created policy out/genericKyvernoPolicies/require-pod-probes.yaml ...
created policy out/genericKyvernoPolicies/drop-cap-net-raw.yaml ...
output report in out/report.html ...
INFO[0004] Connection to discovery engine closed successfully! 

Security Report: https://vyom-yadav.github.io/DiffReport/kubearmor-generic-report/report.html

Directory Structure

vyom at fedora in ~/IdeaProjects/kubearmor-client (recommendGenericKyvernoPolicies) 
$ cd out

vyom at fedora in ~/IdeaProjects/kubearmor-client/out (recommendGenericKyvernoPolicies) 
$ ls
default-nginx  genericKyvernoPolicies  report.html  report.txt

vyom at fedora in ~/IdeaProjects/kubearmor-client/out (recommendGenericKyvernoPolicies) 
$ cd genericKyvernoPolicies 

vyom at fedora in ~/IdeaProjects/kubearmor-client/out/genericKyvernoPolicies (recommendGenericKyvernoPolicies) 
$ ls
check-kernel-version.yaml  prevent-naked-pods.yaml       restrict-deprecated-registry.yaml     restrict-nginx-ingress-annotations.yaml
drop-cap-net-raw.yaml      require-pod-probes.yaml       restrict-ingress-defaultbackend.yaml  restrict-wildcard-resources.yaml
prevent-cr8escape.yaml     require-requests-limits.yaml  restrict-ingress-paths.yaml           restrict-wildcard-verbs.yaml

vyom at fedora in ~/IdeaProjects/kubearmor-client/out/genericKyvernoPolicies (recommendGenericKyvernoPolicies) 
$ cat require-requests-limits.yaml          
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    policies.kyverno.io/category: Best Practices, EKS Best Practices
    policies.kyverno.io/description: As application workloads share cluster resources,
      it is important to limit resources requested and consumed by each Pod. It is
      recommended to require resource requests and limits per Pod, especially for
      memory and CPU. If a Namespace level request or limit is specified, defaults
      will automatically be applied to each Pod based on the LimitRange configuration.
      This policy validates that all containers have something specified for memory
      and CPU requests and memory limits.
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/title: Require Limits and Requests
    recommended-policies.accuknox.com/tags: REQUIRE_REQUESTS_LIMITS
  name: require-requests-limits
spec:
  background: true
  rules:
  - match:
      any:
      - resources:
          kinds:
          - Pod
    name: validate-resources
    validate:
      message: CPU and memory resource requests and limits are required.
      pattern:
        spec:
          containers:
          - resources:
              limits:
                memory: ?*
              requests:
                cpu: ?*
                memory: ?*
  validationFailureAction: audit

Signed-off-by: Vyom-Yadav <jackhammervyom@gmail.com>
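The `require-requests-limits.yaml` policy printed above uses a Kyverno `validate.pattern`, where `?*` means "the field is present and non-empty" and a single-element pattern list must be satisfied by every element of the resource list. The following is an added example written for this page, not code from karmor or Kyverno: it re-implements just that pattern subset in Python so a generated policy can be dry-run against a Pod manifest offline, and it maps `validationFailureAction` to the admission outcome (audit admits and reports, enforce denies). Operators such as `>=` and anchors such as `=(...)` are not covered; the sample Pods and the function names are constructed for the example.

```python
"""Offline dry-run of a Kyverno `validate.pattern` rule against Pod objects.

Added example for this page (not karmor's or Kyverno's code). Assumptions:
  - every key in a pattern map must be present in the resource and match;
  - a one-element pattern list must be matched by every resource list element;
  - string wildcards follow Kyverno's `?` (one char) and `*` (any run), so
    `?*` means "present and non-empty";
  - operators (>=, <, |, !) and anchors are NOT implemented.
"""
from __future__ import annotations

import re
from typing import Any

# Pattern copied from spec.rules[0].validate.pattern of the generated policy.
REQUIRE_REQUESTS_LIMITS_PATTERN: dict[str, Any] = {
    "spec": {
        "containers": [
            {
                "resources": {
                    "limits": {"memory": "?*"},
                    "requests": {"cpu": "?*", "memory": "?*"},
                }
            }
        ]
    }
}


def _wildcard_match(pattern: str, value: Any) -> bool:
    """Kyverno-style wildcard: `?` is one character, `*` is any run (incl. empty)."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, str(value), flags=re.DOTALL) is not None


def pattern_violations(pattern: Any, resource: Any, path: str = "") -> list[str]:
    """Return the JSON-pointer-like locations where `resource` fails `pattern`."""
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return [f"{path or '/'}: expected an object"]
        out: list[str] = []
        for key, sub in pattern.items():
            if key not in resource:
                out.append(f"{path}/{key}: missing")
            else:
                out.extend(pattern_violations(sub, resource[key], f"{path}/{key}"))
        return out
    if isinstance(pattern, list):
        if not isinstance(resource, list):
            return [f"{path or '/'}: expected a list"]
        out = []
        for i, item in enumerate(resource):
            # Every resource element must satisfy the single pattern element.
            out.extend(pattern_violations(pattern[0], item, f"{path}[{i}]"))
        return out
    # Scalar leaf: wildcard comparison on the string form of the value.
    if _wildcard_match(str(pattern), resource):
        return []
    return [f"{path}: {resource!r} does not match {pattern!r}"]


def admission_decision(pattern: Any, resource: Any, action: str) -> tuple[bool, list[str]]:
    """Return (admitted, violations) for validationFailureAction audit|enforce."""
    violations = pattern_violations(pattern, resource)
    if not violations:
        return True, violations
    # audit: admit the request but report the violation; enforce: deny it.
    return action.lower() == "audit", violations


def _pod(*containers: dict[str, Any]) -> dict[str, Any]:
    """Constructed sample Pod object (not taken from any real cluster)."""
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "sample"}, "spec": {"containers": list(containers)}}


COMPLIANT_POD = _pod({"name": "app", "image": "nginx", "resources": {
    "limits": {"memory": "128Mi"}, "requests": {"cpu": "100m", "memory": "64Mi"}}})
NO_LIMITS_POD = _pod({"name": "app", "image": "nginx", "resources": {
    "requests": {"cpu": "100m", "memory": "64Mi"}}})
# Second container (a sidecar) carries no resources block at all.
SIDECAR_POD = _pod(COMPLIANT_POD["spec"]["containers"][0],
                   {"name": "sidecar", "image": "busybox"})

if __name__ == "__main__":
    for name, pod in [("compliant", COMPLIANT_POD), ("no-limits", NO_LIMITS_POD),
                      ("sidecar", SIDECAR_POD)]:
        for action in ("audit", "enforce"):
            admitted, why = admission_decision(REQUIRE_REQUESTS_LIMITS_PATTERN, pod, action)
            print(f"{name:10} {action:7} admitted={admitted} {why}")
```

The important operational point this makes visible is that every generated generic policy in the report above ships with `audit` except the three `enforce` ones, so a Pod that violates `require-requests-limits` is still admitted and only shows up in the PolicyReport; switching the action to `enforce` turns the same violation into a denied request, which is why the sidecar case (one compliant container, one without resources) is worth testing before flipping that field.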
@Vyom-Yadav Vyom-Yadav requested a review from nyrahul June 5, 2023 08:04
@nyrahul nyrahul merged commit 797fb3a into kubearmor:main Jun 13, 2023