Comments (9)
More at:
https://blog.aquasec.com/dns-spoofing-kubernetes-clusters
https://snyk.io/blog/kubernetes-securitycontext-linux-capabilities/
https://www.stackrox.com/post/2020/06/mitigating-kubernetes-cve-2020-10749/
from policies.
Do you think we need a separate policy for this if there's the require drop all policy?
from policies.
Bump
from policies.
@JimBugwadia last attempt before closing
from policies.
I would just add as a separate best practice policy and add an OR check across the two.
The description can clarify that when drop all is not possible, at least dropping net raw is required.
Or we can at least add this as a comment in the existing policy.
pattern:
  spec:
    containers:
    - securityContext:
        capabilities:
          drop: ["ALL" | "CAP_NET_RAW"]
    =(initContainers):
    - =(securityContext):
        (capabilities):
          drop: ["ALL" | "CAP_NET_RAW"]
from policies.
Makes sense. I'll implement this change probably in the existing policy.
from policies.
The expression drop: ["ALL" | "CAP_NET_RAW"]
isn't valid so it's probably just best to make this a separate policy.
from policies.
Proposing this:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: drop-cap-net-raw
  annotations:
    policies.kyverno.io/title: Drop CAP_NET_RAW
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Capabilities permit privileged actions without giving full root access. The
      CAP_NET_RAW capability, enabled by default, allows processes in a container to
      forge packets and bind to any interface potentially leading to MitM attacks.
      This sample ensures that all containers explicitly drop the CAP_NET_RAW
      ability.
spec:
  validationFailureAction: enforce
  rules:
  - name: drop-cap-net-raw
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "The capability CAP_NET_RAW must be explicitly dropped."
      pattern:
        spec:
          containers:
          - securityContext:
              capabilities:
                drop: ["CAP_NET_RAW"]
          =(initContainers):
          - securityContext:
              capabilities:
                drop: ["CAP_NET_RAW"]
Notice that this is slightly different in the anchors for initContainers when compared to the drop all policy. I'm thinking the drop all needs to be modified like this. Agree/disagree?
from policies.
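The semantics the thread settles on (every container must drop CAP_NET_RAW, dropping ALL also satisfies the intent, and initContainers are optional but must comply when present) can be checked offline before a manifest ever reaches the admission webhook. The following is an added example written for this page, not code from the kyverno/policies project and not Kyverno's pattern-matching engine; it generalises the thread slightly by accepting both the `CAP_NET_RAW` and the `NET_RAW` spelling Kubernetes allows, and the two pod manifests at the bottom are constructed samples.

```python
"""Stand-alone checker mirroring the drop-cap-net-raw policy discussed above.

Added example (not kyverno/policies code). It walks a Pod manifest loaded as a
dict and reports every container or initContainer that does not drop NET_RAW.
"""
from typing import Any


def _normalise(cap: str) -> str:
    """Kubernetes accepts capability names with or without the CAP_ prefix,
    so "CAP_NET_RAW" and "NET_RAW" are treated as the same capability
    (assumption that generalises the thread, which matches the literal
    string "CAP_NET_RAW")."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def drops_net_raw(container: dict[str, Any]) -> bool:
    """True if the container's securityContext drops NET_RAW or ALL."""
    ctx = container.get("securityContext") or {}
    caps = ctx.get("capabilities") or {}
    dropped = {_normalise(c) for c in caps.get("drop") or []}
    # Dropping ALL subsumes dropping NET_RAW: this is the OR check proposed
    # in the thread, so a pod already compliant with "drop all" passes here.
    return bool(dropped & {"ALL", "NET_RAW"})


def violations(pod: dict[str, Any]) -> list[str]:
    """Return "<field>/<container name>" for each non-compliant container.

    initContainers corresponds to the =() anchor in the policy: the list may
    be absent, but if present every entry must comply.
    """
    spec = pod.get("spec") or {}
    bad: list[str] = []
    for field in ("containers", "initContainers"):
        for c in spec.get(field) or []:
            if not drops_net_raw(c):
                bad.append(f"{field}/{c.get('name', '<unnamed>')}")
    return bad


# Constructed sample: compliant in both container lists.
COMPLIANT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "ok"},
    "spec": {
        "containers": [{
            "name": "app",
            "image": "example.invalid/app:1.0",
            "securityContext": {"capabilities": {"drop": ["ALL"]}},
        }],
        "initContainers": [{
            "name": "setup",
            "image": "example.invalid/setup:1.0",
            "securityContext": {"capabilities": {"drop": ["CAP_NET_RAW"]}},
        }],
    },
}

# Constructed sample: the app container only adds a capability and the
# initContainer has no securityContext at all, so both keep NET_RAW.
NONCOMPLIANT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "bad"},
    "spec": {
        "containers": [{
            "name": "app",
            "image": "example.invalid/app:1.0",
            "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}},
        }],
        "initContainers": [{
            "name": "setup",
            "image": "example.invalid/setup:1.0",
        }],
    },
}


if __name__ == "__main__":
    for label, pod in (("compliant", COMPLIANT_POD), ("noncompliant", NONCOMPLIANT_POD)):
        print(label, violations(pod) or "ok")
```

Run it on a manifest parsed with any YAML or JSON loader; an empty list means the pod would pass the pattern above, and each entry names the container the admission message would be raised for.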
Went ahead and included it.
from policies.