From e1a2b55fff1a1feaa5d37016a8f71274eb6dde3e Mon Sep 17 00:00:00 2001 From: UncleGedd <42304551+UncleGedd@users.noreply.github.com> Date: Mon, 23 Sep 2024 13:06:35 -0500 Subject: [PATCH 1/8] feat: exposes tls version for dev bundles (#809) --- bundles/k3d-slim-dev/uds-bundle.yaml | 6 ++++++ bundles/k3d-standard/uds-bundle.yaml | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml index c0f6e7586..ac668e934 100644 --- a/bundles/k3d-slim-dev/uds-bundle.yaml +++ b/bundles/k3d-slim-dev/uds-bundle.yaml @@ -46,6 +46,9 @@ packages: - name: ADMIN_TLS_KEY description: "The TLS key for the admin gateway (must be base64 encoded)" path: tls.key + - name: ADMIN_TLS1_2_SUPPORT + description: "Add support for TLS 1.2 on this gateway" + path: tls.supportTLSV1_2 istio-tenant-gateway: uds-istio-config: variables: @@ -55,6 +58,9 @@ packages: - name: TENANT_TLS_KEY description: "The TLS key for the tenant gateway (must be base64 encoded)" path: tls.key + - name: TENANT_TLS1_2_SUPPORT + description: "Add support for TLS 1.2 on this gateway" + path: tls.supportTLSV1_2 gateway: variables: - name: TENANT_SERVICE_PORTS diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml index e9f290a63..769c77869 100644 --- a/bundles/k3d-standard/uds-bundle.yaml +++ b/bundles/k3d-standard/uds-bundle.yaml @@ -86,6 +86,9 @@ packages: - name: ADMIN_TLS_KEY description: "The TLS key for the admin gateway (must be base64 encoded)" path: tls.key + - name: ADMIN_TLS1_2_SUPPORT + description: "Add support for TLS 1.2 on this gateway" + path: tls.supportTLSV1_2 istio-tenant-gateway: uds-istio-config: variables: 
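Review bot: The new `ADMIN_TLS1_2_SUPPORT` variable in bundles/k3d-slim-dev/uds-bundle.yaml is described only as "Add support for TLS 1.2 on this gateway", which tells an operator neither what value the option takes nor that enabling it relaxes the gateway's minimum TLS version; the identical description is reused for `TENANT_TLS1_2_SUPPORT` in the second hunk and for both variables in bundles/k3d-standard/uds-bundle.yaml (whose last hunk continues on the next line). The chart path `tls.supportTLSV1_2` suggests a boolean toggle, but its default is not visible in this patch, so I cannot tell whether an unset variable leaves TLS 1.2 off. Suggest `description: "Enable TLS 1.2 on this gateway for clients that cannot negotiate a newer TLS version (relaxes the default TLS posture; leave unset unless required)"`, and stating the default in the description once it is confirmed.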
@@ -95,6 +98,9 @@ packages: - name: TENANT_TLS_KEY description: "The TLS key for the tenant gateway (must be base64 encoded)" path: tls.key + - name: TENANT_TLS1_2_SUPPORT + description: "Add support for TLS 1.2 on this gateway" + path: tls.supportTLSV1_2 gateway: variables: - name: TENANT_SERVICE_PORTS From b312b7de5fab6b688bf5799b0316d067b86887fa Mon Sep 17 00:00:00 2001 From: Nigel Foucha <73838612+nfoucha@users.noreply.github.com> Date: Mon, 23 Sep 2024 16:00:13 -0400 Subject: [PATCH 2/8] feat: add support for keycloak saml attributes (#806) ## Description Adds SAML fine grained attributes: `saml_assertion_consumer_url_redirect` `saml_single_logout_service_url_post` `saml_single_logout_service_url_redirect` ## Related Issue Fixes #805 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com> --- docs/configuration/uds-operator.md | 3 +++ src/pepr/operator/crd/validators/package-validator.spec.ts | 3 +++ src/pepr/operator/crd/validators/package-validator.ts | 3 +++ 3 files changed, 9 insertions(+) diff --git a/docs/configuration/uds-operator.md b/docs/configuration/uds-operator.md index 6f5d65e78..a054b9c3d 100644 --- a/docs/configuration/uds-operator.md +++ b/docs/configuration/uds-operator.md @@ -220,6 +220,9 @@ The SSO spec supports a subset of the Keycloak attributes for clients, but does - saml.assertion.signature - saml.client.signature - saml_assertion_consumer_url_post +- saml_assertion_consumer_url_redirect +- saml_single_logout_service_url_post +- saml_single_logout_service_url_redirect ## Exemption 
diff --git a/src/pepr/operator/crd/validators/package-validator.spec.ts b/src/pepr/operator/crd/validators/package-validator.spec.ts index cc8cc6ba5..9c5e5ec0d 100644 --- a/src/pepr/operator/crd/validators/package-validator.spec.ts +++ b/src/pepr/operator/crd/validators/package-validator.spec.ts @@ -474,6 +474,9 @@ describe("Test Allowed SSO Client Attributes", () => { "saml.assertion.signature": "false", "saml.client.signature": "false", saml_assertion_consumer_url_post: "https://nexus.uds.dev/saml", + saml_assertion_consumer_url_redirect: "https://nexus.uds.dev/saml", + saml_single_logout_service_url_post: "https://nexus.uds.dev/saml/single-logout", + saml_single_logout_service_url_redirect: "https://nexus.uds.dev/saml/single-logout", }, }, ], diff --git a/src/pepr/operator/crd/validators/package-validator.ts b/src/pepr/operator/crd/validators/package-validator.ts index 4ad6266fc..2a88662c7 100644 --- a/src/pepr/operator/crd/validators/package-validator.ts +++ b/src/pepr/operator/crd/validators/package-validator.ts @@ -117,6 +117,9 @@ export async function validator(req: PeprValidateRequest) { "saml.assertion.signature", "saml.client.signature", "saml_assertion_consumer_url_post", + "saml_assertion_consumer_url_redirect", + "saml_single_logout_service_url_post", + "saml_single_logout_service_url_redirect", ]); for (const client of ssoClients) { From 440e4e1249d94932c36d1964d1ff6166624c8f82 Mon Sep 17 00:00:00 2001 
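Review bot: The three names added to the allowed-attribute set in package-validator.ts (`saml_assertion_consumer_url_redirect`, `saml_single_logout_service_url_post`, `saml_single_logout_service_url_redirect`) are URL-valued — they tell Keycloak where to deliver assertions and logout messages — but the set only vets attribute names, and the `for (const client of ssoClients)` loop at the hunk's end, which presumably inspects the values, continues outside the hunk. If those values are not validated there, consider rejecting anything that is not an absolute `https:` URL at admission time, e.g. `const u = new URL(value); if (u.protocol !== "https:") { /* reject */ }` inside a try/catch so a malformed string is also refused. A short comment above the set such as `// URL-valued SAML attributes; values are validated in the client loop below` would make that contract explicit. The companion hunk in package-validator.spec.ts only adds the new keys to an accepted-client fixture, so a negative case for a malformed value would be worth adding alongside it.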
From: Chance <139784371+UnicornChance@users.noreply.github.com> Date: Mon, 23 Sep 2024 16:02:32 -0600 Subject: [PATCH 3/8] chore: pepr policies doc table (#803) ## Description There is a request for a visual table that maps Kyberno policies to Pepr policies that replace them. - Eliminate non-implemented policies from the table - Relocate doc to ensure it is surfaced on the docs site (docs/ folder) - identify mutations that are done for policies ![Screenshot of the Pepr Policy Doc in the docs](https://github.com/user-attachments/assets/397124de-074f-4870-b4dd-6a8cd4f48e1c) ## Related Issue Fixes #418 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- docs/configuration/pepr-policies.md | 46 +++++++++++++++++++ .../uds-configure-policy-exemptions.md | 2 +- docs/configuration/uds-user-groups.md | 2 +- src/pepr/policies/README.md | 38 +-------------- 4 files changed, 50 insertions(+), 38 deletions(-) create mode 100644 docs/configuration/pepr-policies.md diff --git a/docs/configuration/pepr-policies.md b/docs/configuration/pepr-policies.md new file mode 100644 index 000000000..3738ef878 --- /dev/null +++ b/docs/configuration/pepr-policies.md 
@@ -0,0 +1,46 @@ +--- +title: Pepr Policies +type: docs +weight: 3 +--- + +## Common Pepr Policies for UDS Core + +### Pepr Policy Exemptions {#pepr-policy-exemptions} +These policies are based on the [Kyverno](https://kyverno.io/policies/) policies. + +Exemptions can be specified by a [UDS Exemption CR](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/operator/README.md), using the values from the "Exemption Reference" column below. These take the place of Kyverno Exceptions. + +If a resource is exempted, it will be annotated as `uds-core.pepr.dev/uds-core-policies.: exempted` + +### Pepr Policy Validations + +| Kyverno Policyđź”— | Exemption Referenceđź”— | Policy Description | +| ----------------- | :--------------------: | ------------------ | +| [Disallow Host Namespaces](https://kyverno.io/policies/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces/) | [`DisallowHostNamespaces`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L7-L35) | Subject: **Pod**
Severity: **high**

Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are set to `false`. | +|[Disallow NodePort Services](https://kyverno.io/policies/best-practices/restrict-node-port/restrict-node-port/) | [`DisallowNodePortServices`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L88-L110) | Subject: **Service**
Severity: **medium**

A Kubernetes Service of type NodePort uses a host port to receive traffic from any source. A NetworkPolicy cannot be used to control traffic to host ports. Although NodePort Services can be useful, their use must be limited to Services with additional upstream security checks. This policy validates that any new Services do not use the `NodePort` type. | +|Disallow Privileged [Escalation](https://kyverno.io/policies/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation/) and [Pods](https://kyverno.io/policies/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers/) | [`DisallowPrivileged`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L14-L75) | Subject: **Pod**
Severity: **high**

Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. Privileged mode also disables most security mechanisms and must not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to false and `privileged` is set to false or undefined. | +|[Disallow SELinux Options](https://kyverno.io/policies/pod-security/baseline/disallow-selinux/disallow-selinux/) | [`DisallowSELinuxOptions`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L244-L285) | Subject: **Pod**
Severity: **high**

SELinux options can be used to escalate privileges. This policy ensures that the `seLinuxOptions` specified are not used. | +|[Drop All Capabilities](https://kyverno.io/policies/best-practices/require-drop-all/require-drop-all/) | [`DropAllCapabilities`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L329-L376) | Subject: **Pod**
Severity: **medium**

Capabilities permit privileged actions without giving full root access. All capabilities should be dropped from a Pod, with only those required added back. This policy ensures that all containers explicitly specify `drop: ["ALL"]`. | +|[Require Non-root User](https://kyverno.io/policies/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user/) | [`RequireNonRootUser`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L77-L167) | Subject: **Pod**
Severity: **high**

Following the least privilege principle, containers should not be run as root. This policy ensures containers either have `runAsNonRoot` set to `true` or `runAsUser` > 0. | +|[Restrict Capabilities](https://kyverno.io/policies/pod-security/baseline/disallow-capabilities/disallow-capabilities/) | [`RestrictCapabilities`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L378-L413) | Subject: **Pod**
Severity: **high**

Capabilities permit privileged actions without giving full root access. Adding capabilities beyond the default set must not be allowed. This policy ensures users cannot add additional capabilities beyond the allowed list to a Pod. | +|[Restrict External Names (CVE-2020-8554)](https://kyverno.io/policies/best-practices/restrict-service-external-ips/restrict-service-external-ips/) | [`RestrictExternalNames`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L67-L86) | Subject: **Service**
Severity: **medium**

Service external names can be used for a MITM attack (CVE-2020-8554). External names can be used by an attacker to point back to localhost or internal IP addresses for exploitation. This policy restricts services using external names to a specified list. | +|[Restrict hostPath Volume Writable Paths](https://kyverno.io/policies/other/ensure-readonly-hostpath/ensure-readonly-hostpath/) | [`RestrictHostPathWrite`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/storage.ts#L54-L92) | Subject: **Pod**
Severity: **medium**

hostPath volumes consume the underlying node's file system. If hostPath volumes are not universally disabled, they should be required to be read-only. Pods which are allowed to mount hostPath volumes in read/write mode pose a security risk even if confined to a "safe" file system on the host and may escape those confines. This policy checks containers for hostPath volumes and validates they are explicitly mounted in readOnly mode. | +|[Restrict Host Ports](https://kyverno.io/policies/pod-security/baseline/disallow-host-ports/disallow-host-ports/) | [`RestrictHostPorts`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L37-L65) | Subject: **Pod**
Severity: **high**

Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. This policy ensures only approved ports are defined in container's `hostPort` field. | +|[Restrict Proc Mount](https://kyverno.io/policies/pod-security/baseline/disallow-proc-mount/disallow-proc-mount/) | [`RestrictProcMount`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L169-L198) | Subject: **Pod**
Severity: **high**

The default /proc masks are set up to reduce the attack surface. This policy ensures nothing but the specified procMount can be used. By default only "Default" is allowed. | +|[Restrict Seccomp](https://kyverno.io/policies/pod-security/baseline/restrict-seccomp/restrict-seccomp/) | [`RestrictSeccomp`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L200-L242) | Subject: **Pod**
Severity: **high**

The SecComp profile should not be explicitly set to Unconfined. This policy, requiring Kubernetes v1.19 or later, ensures that the `seccompProfile.Type` is undefined or restricted to the values in the allowed list. By default, this is `RuntimeDefault` or `Localhost`. | +|[Restrict SELinux Type](https://kyverno.io/policies/pod-security/baseline/disallow-selinux/disallow-selinux/) | [`RestrictSELinuxType`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L287-L327) | Subject: **Pod**
Severity: **high**

SELinux options can be used to escalate privileges. This policy ensures that the `seLinuxOptions` type field is undefined or restricted to the allowed list. | +|[Restrict Volume Types](https://kyverno.io/policies/pod-security/restricted/restrict-volume-types/restrict-volume-types/) | [`RestrictVolumeTypes`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/storage.ts#L7-L52) | Subject: **Pod**
Severity: **medium**

Volume types, beyond the core set, should be restricted to limit exposure to potential vulnerabilities in Container Storage Interface (CSI) drivers. In addition, HostPath volumes should not be. | + + +### Pepr Policy Mutations + +{{% alert-note %}} +Mutations can be exempted using the same [Pepr Policy Exemptions](#pepr-policy-exemptions) references as the validations. +{{% /alert-note %}} + +| Pepr Mutationđź”— | Mutated Fields | Mutation Logic | +| --------------- | -------------- | -------------- | +| [Disallow Privilege Escalation](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L14-L75) | `containers[].securityContext.allowPrivilegeEscalation` | Mutates `allowPrivilegeEscalation` to `false` if undefined, unless the container is privileged or `CAP_SYS_ADMIN` is added. | +| [Require Non-root User](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L77-L167) | `securityContext.runAsUser`,
`securityContext.runAsGroup`,
`securityContext.fsGroup`,
`securityContext.runAsNonRoot` | Pods are mutated to ensure workloads do not run as root, mutating `runAsNonRoot: true`. Users can define user, group, and fsGroup IDs to run the pod as by using the `uds/user`, `uds/group`, `uds/fsgroup` pod labels. If not provided these default to `runAsUser: 1000` and `runAsGroup: 1000`. | +| [Drop All Capabilities](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L329-L376) | `containers[].securityContext.capabilities.drop` | Ensures all capabilities are dropped by setting `capabilities.drop` to `["ALL"]` for all containers. | diff --git a/docs/configuration/uds-configure-policy-exemptions.md b/docs/configuration/uds-configure-policy-exemptions.md index a8cfdc48d..2e405cbc1 100644 --- a/docs/configuration/uds-configure-policy-exemptions.md +++ b/docs/configuration/uds-configure-policy-exemptions.md @@ -1,7 +1,7 @@ --- title: Configuring Policy Exemptions type: docs -weight: 3 +weight: 4 --- By default policy exemptions ([UDSExemptions](https://github.com/defenseunicorns/uds-core/blob/uds-docs/src/pepr/operator/crd/generated/exemption-v1alpha1.ts)) are only allowed in a single namespace -- `uds-policy-exemptions`. We recognize this is not a conventional pattern in K8s, but believe it is ideal for UDS for the following reasons: diff --git a/docs/configuration/uds-user-groups.md b/docs/configuration/uds-user-groups.md index 89f66e93c..a654e551a 100644 --- a/docs/configuration/uds-user-groups.md +++ b/docs/configuration/uds-user-groups.md @@ -1,7 +1,7 @@ --- title: User Groups type: docs -weight: 4 +weight: 5 --- UDS Core deploys Keycloak which has some preconfigured groups that applications inherit from SSO and IDP configurations. diff --git a/src/pepr/policies/README.md b/src/pepr/policies/README.md index c129b8edb..8906a12bc 100644 --- a/src/pepr/policies/README.md +++ b/src/pepr/policies/README.md 
@@ -1,36 +1,2 @@ -## Common Pepr Policies for UDS Core - -These policies are based on the [Big Bang](https://p1.dso.mil/services/big-bang) policies created with Kyverno. You can find the source policies [here](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies). - -Exemptions can be specified by a [UDS Exemption CR](../operator/README.md). These take the place of Kyverno Exceptions. - -If a resource is exempted, it will be annotated as `uds-core.pepr.dev/uds-core-policies.: exempted` - -## Current Policies - -| Checkbox | Policy Title and Link | Exemption Reference | Category | Severity | Subject | Description | -| :------: | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------------------------------- | -------- | ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [ ] | [Disallow AutoMount Service Account Tokens](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-auto-mount-service-account-token.yaml) | n/a | Pod Security Standards (Baseline) | high | Pod, ServiceAccount | Auto-mounting of Kubernetes API credentials is not ideal in all circumstances. This policy finds Pods and Service Accounts that automount kubernetes api credentials. 
| -| âś… | [Disallow Host Namespaces](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-host-namespaces.yaml) | DisallowHostNamespaces | Pod Security Standards (Baseline) | high | Pod | Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are set to `false`. | -| âś… | [Disallow NodePort Services](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-nodeport-services.yaml) | DisallowNodePortServices | Best Practices (Security) | medium | Service | A Kubernetes Service of type NodePort uses a host port to receive traffic from any source. A NetworkPolicy cannot be used to control traffic to host ports. Although NodePort Services can be useful, their use must be limited to Services with additional upstream security checks. This policy validates that any new Services do not use the `NodePort` type. | -| âś… | [Disallow Privilege Escalation](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-privilege-escalation.yaml) | DisallowPrivileged | Pod Security Standards (Restricted) | high | Pod | Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. This policy ensures the `allowPrivilegeEscalation` fields are either undefined or set to `false`. | -| âś… | [Disallow Privileged Containers](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-privileged-containers.yaml) | DisallowPrivileged | Pod Security Standards (Baseline) | high | Pod | Privileged mode disables most security mechanisms and must not be allowed. This policy ensures Pods do not call for privileged mode. 
| -| âś… | [Disallow SELinux Options](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-selinux-options.yaml) | DisallowSELinuxOptions | Pod Security Standards (Baseline) | high | Pod | SELinux options can be used to escalate privileges. This policy ensures that the `seLinuxOptions` specified are not used. | -| âś… | [Drop All Capabilities](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/require-drop-all-capabilities.yaml) | DropAllCapabilities | Pod Security Standards (Restricted) | medium | Pod | Capabilities permit privileged actions without giving full root access. All capabilities should be dropped from a Pod, with only those required added back. This policy ensures that all containers explicitly specify `drop: ["ALL"]`. | -| [ ] | [Require Image Signature](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/require-image-signature.yaml) | n/a | Best Practices (Security) | high | Pod | Using the Cosign project, OCI images may be signed to ensure supply chain security is maintained. Those signatures can be verified before pulling into a cluster. This policy checks the signature to ensure it has been signed by verifying its signature against the public key. | -| [ ] | [Require Non-root Group](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/require-non-root-group.yaml) | n/a | Pod Security Standards (Restricted) | high | Pod | Following the least privilege principle, access to the root group ID should be forbidden in containers. This policy ensures containers are running with groups > 0. 
| -| âś… | [Require Non-root User](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/require-non-root-user.yaml) | RequireNonRootUser | Pod Security Standards (Restricted) | high | Pod | Following the least privilege principle, containers should not be run as root. This policy ensures containers either have `runAsNonRoot` set to `true` or `runAsUser` > 0. | -| [ ] | [Restrict AppArmor Profile](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-apparmor.yaml) | n/a | Pod Security Standards (Baseline) | high | Pod | On hosts using Debian Linux distros, AppArmor is used as an access control framework. AppArmor uses the 'runtime/default' profile by default. This policy ensures Pods do not override the AppArmor profile with values outside of the allowed list. | -| âś… | [Restrict Capabilities](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-capabilities.yaml) | RestrictCapabilities | Pod Security Standards (Restricted) | high | Pod | Capabilities permit privileged actions without giving full root access. Adding capabilities beyond the default set must not be allowed. This policy ensures users cannot add additional capabilities beyond the allowed list to a Pod. | -| [ ] | [Restrict External IPs (CVE-2020-8554)](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-external-ips.yaml) | n/a | Vulnerability | medium | Service | Service externalIPs can be used for a MITM attack (CVE-2020-8554). This policy restricts externalIPs to a specified list. | -| âś… | [Restrict External Names (CVE-2020-8554)](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-external-names.yaml) | RestrictExternalNames | Vulnerability | medium | Service | Service external names can be used for a MITM attack (CVE-2020-8554). 
External names can be used by an attacker to point back to localhost or internal IP addresses for exploitation. This policy restricts services using external names to a specified list. | -| [ ] | [Restrict hostPath Volume Mountable Paths](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-path-mount-pv.yaml) | n/a | Best Practices (Security) | medium | PersistentVolume | PersistentVolume using hostPath consume the underlying node's file system. If not universally disabled, they should be restricted to specific host paths to prevent access to sensitive information. This policy ensures that PV hostPath is in the allowed list. | -| [ ] | [Restrict hostPath Volume Mountable Paths](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-path-mount.yaml) | n/a | Best Practices (Security) | medium | Pod | hostPath volumes consume the underlying node's file system. If hostPath volumes are not universally disabled, they should be restricted to specific host paths to prevent access to sensitive information. This policy ensures that hostPath volume paths are in the allowed list. | -| âś… | [Restrict hostPath Volume Writable Paths](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-path-write.yaml) | RestrictHostPathWrite | Best Practices (Security) | medium | Pod | hostPath volumes consume the underlying node's file system. If hostPath volumes are not universally disabled, they should be required to be read-only. Pods which are allowed to mount hostPath volumes in read/write mode pose a security risk even if confined to a "safe" file system on the host and may escape those confines. This policy checks containers for hostPath volumes and validates they are explicitly mounted in readOnly mode. 
| -| âś… | [Restrict Host Ports](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-ports.yaml) | RestrictHostPorts | Pod Security Standards (Baseline) | high | Pod | Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. This policy ensures only approved ports are defined in container's `hostPort` field. | -| [ ] | [Restrict Image Registries](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-image-registries.yaml) | n/a | Best Practices (Security) | high | Pod | Images from unknown, public registries can be of dubious quality and may not be scanned and secured, representing a high degree of risk. Requiring use of known, approved registries helps reduce threat exposure by ensuring image pulls only come from them. This policy validates that all images originate from a registry in the approved list. | -| âś… | [Restrict Proc Mount](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-proc-mount.yaml) | RestrictProcMount | Pod Security Standards (Baseline) | high | Pod | The default /proc masks are set up to reduce the attack surface. This policy ensures nothing but the specified procMount can be used. By default only "Default" is allowed. | -| âś… | [Restrict Seccomp](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-seccomp.yaml) | RestrictSeccomp | Pod Security Standards (Baseline) | high | Pod | The SecComp profile should not be explicitly set to Unconfined. This policy, requiring Kubernetes v1.19 or later, ensures that the `seccompProfile.Type` is undefined or restricted to the values in the allowed list. By default, this is `RuntimeDefault` or `Localhost`. 
| -| âś… | [Restrict SELinux Type](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-selinux-type.yaml) | RestrictSELinuxType | Pod Security Standards (Baseline) | high | Pod | SELinux options can be used to escalate privileges. This policy ensures that the `seLinuxOptions` type field is undefined or restricted to the allowed list. | -| [ ] | [Restrict Sysctls](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-sysctls.yaml) | n/a | Pod Security Standards (Baseline) | high | Pod | Sysctl can disable security mechanisms or affect all containers on a host, and should be restricted to an allowed "safe" subset. A sysctl is considered safe if it is namespaced and is isolated from other Pods and processes on the same Node. This policy ensures that all sysctls are in the allowed list. | -| âś… | [Restrict Volume Types](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-volume-types.yaml) | RestrictVolumeTypes | Pod Security Standards (Restricted) | medium | Pod | Volume types, beyond the core set, should be restricted to limit exposure to potential vulnerabilities in Container Storage Interface (CSI) drivers. In addition, HostPath volumes should not be | +### Pepr Policies +See [pepr-policies.md](../../../docs/configuration/pepr-policies.md) for current Pepr Policies From bc05b0480de6c4abca35f774e7aba769a8c9f76e Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 24 Sep 2024 07:41:24 -0600 Subject: [PATCH 4/8] chore(deps): update pepr to v0.13.1 (#811) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [defenseunicorns/uds-common](https://redirect.github.com/defenseunicorns/uds-common) | patch | `v0.13.0` -> `v0.13.1` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes
defenseunicorns/uds-common (defenseunicorns/uds-common) ### [`v0.13.1`](https://redirect.github.com/defenseunicorns/uds-common/releases/tag/v0.13.1) [Compare Source](https://redirect.github.com/defenseunicorns/uds-common/compare/v0.13.0...v0.13.1) ##### Bug Fixes - allow dependent bundle commands to be run on upgrade tests ([#​241](https://redirect.github.com/defenseunicorns/uds-common/issues/241)) ([093def2](https://redirect.github.com/defenseunicorns/uds-common/commit/093def2f245709084c079aaf529a604d8ca5b6c2)) ##### Miscellaneous - **deps:** update uds common support dependencies ([#​237](https://redirect.github.com/defenseunicorns/uds-common/issues/237)) ([eac2f68](https://redirect.github.com/defenseunicorns/uds-common/commit/eac2f686deacb898a6383fcc73c861293db52b9c)) - modify helm matches to handle git and helm ([#​238](https://redirect.github.com/defenseunicorns/uds-common/issues/238)) ([803d9fe](https://redirect.github.com/defenseunicorns/uds-common/commit/803d9fed89bd890c1203c618a1e3fda1bd495cbd))
--- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- tasks/create.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/create.yaml b/tasks/create.yaml index 3520ecffe..9480a8944 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml @@ -1,5 +1,5 @@ includes: - - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.13.0/tasks/create.yaml + - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.13.1/tasks/create.yaml variables: - name: FLAVOR From 8b10b864efb9822649b4677bcc4c3be1e7510534 Mon Sep 17 00:00:00 2001 From: Chance <139784371+UnicornChance@users.noreply.github.com> Date: Tue, 24 Sep 2024 09:31:40 -0600 Subject: [PATCH 5/8] chore: pepr policy doc (#814) ## Description update pepr policy docs ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --------- Co-authored-by: Micah Nagel --- docs/configuration/pepr-policies.md | 52 +++++++++++++++++------------ 1 file changed, 30 insertions(+), 22 deletions(-) 
diff --git a/docs/configuration/pepr-policies.md b/docs/configuration/pepr-policies.md index 3738ef878..96e127e04 100644 --- a/docs/configuration/pepr-policies.md +++ b/docs/configuration/pepr-policies.md @@ -7,32 +7,12 @@ weight: 3 ## Common Pepr Policies for UDS Core ### Pepr Policy Exemptions {#pepr-policy-exemptions} -These policies are based on the [Kyverno](https://kyverno.io/policies/) policies. +These policies are based on the [Big Bang](https://p1.dso.mil/services/big-bang) policies created with Kyverno. You can find the source policies [here](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies), Policy Names below also have links to the referenced Big Bang policy. -Exemptions can be specified by a [UDS Exemption CR](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/operator/README.md), using the values from the "Exemption Reference" column below. These take the place of Kyverno Exceptions. +Exemptions can be specified by a [UDS Exemption CR](../operator/README.md). These take the place of Kyverno Exceptions. If a resource is exempted, it will be annotated as `uds-core.pepr.dev/uds-core-policies.: exempted` -### Pepr Policy Validations - -| Kyverno Policy🔗 | Exemption Reference🔗 | Policy Description | -| ----------------- | :--------------------: | ------------------ | -| [Disallow Host Namespaces](https://kyverno.io/policies/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces/) | [`DisallowHostNamespaces`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L7-L35) | Subject: **Pod**
Severity: **high**

Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are set to `false`. | -|[Disallow NodePort Services](https://kyverno.io/policies/best-practices/restrict-node-port/restrict-node-port/) | [`DisallowNodePortServices`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L88-L110) | Subject: **Service**
Severity: **medium**

A Kubernetes Service of type NodePort uses a host port to receive traffic from any source. A NetworkPolicy cannot be used to control traffic to host ports. Although NodePort Services can be useful, their use must be limited to Services with additional upstream security checks. This policy validates that any new Services do not use the `NodePort` type. | -|Disallow Privileged [Escalation](https://kyverno.io/policies/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation/) and [Pods](https://kyverno.io/policies/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers/) | [`DisallowPrivileged`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L14-L75) | Subject: **Pod**
Severity: **high**

Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. Privileged mode also disables most security mechanisms and must not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to false and `privileged` is set to false or undefined. | -|[Disallow SELinux Options](https://kyverno.io/policies/pod-security/baseline/disallow-selinux/disallow-selinux/) | [`DisallowSELinuxOptions`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L244-L285) | Subject: **Pod**
Severity: **high**

SELinux options can be used to escalate privileges. This policy ensures that the `seLinuxOptions` specified are not used. | -|[Drop All Capabilities](https://kyverno.io/policies/best-practices/require-drop-all/require-drop-all/) | [`DropAllCapabilities`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L329-L376) | Subject: **Pod**
Severity: **medium**

Capabilities permit privileged actions without giving full root access. All capabilities should be dropped from a Pod, with only those required added back. This policy ensures that all containers explicitly specify `drop: ["ALL"]`. | -|[Require Non-root User](https://kyverno.io/policies/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user/) | [`RequireNonRootUser`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L77-L167) | Subject: **Pod**
Severity: **high**

Following the least privilege principle, containers should not be run as root. This policy ensures containers either have `runAsNonRoot` set to `true` or `runAsUser` > 0. | -|[Restrict Capabilities](https://kyverno.io/policies/pod-security/baseline/disallow-capabilities/disallow-capabilities/) | [`RestrictCapabilities`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L378-L413) | Subject: **Pod**
Severity: **high**

Capabilities permit privileged actions without giving full root access. Adding capabilities beyond the default set must not be allowed. This policy ensures users cannot add additional capabilities beyond the allowed list to a Pod. | -|[Restrict External Names (CVE-2020-8554)](https://kyverno.io/policies/best-practices/restrict-service-external-ips/restrict-service-external-ips/) | [`RestrictExternalNames`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L67-L86) | Subject: **Service**
Severity: **medium**

Service external names can be used for a MITM attack (CVE-2020-8554). External names can be used by an attacker to point back to localhost or internal IP addresses for exploitation. This policy restricts services using external names to a specified list. | -|[Restrict hostPath Volume Writable Paths](https://kyverno.io/policies/other/ensure-readonly-hostpath/ensure-readonly-hostpath/) | [`RestrictHostPathWrite`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/storage.ts#L54-L92) | Subject: **Pod**
Severity: **medium**

hostPath volumes consume the underlying node's file system. If hostPath volumes are not universally disabled, they should be required to be read-only. Pods which are allowed to mount hostPath volumes in read/write mode pose a security risk even if confined to a "safe" file system on the host and may escape those confines. This policy checks containers for hostPath volumes and validates they are explicitly mounted in readOnly mode. | -|[Restrict Host Ports](https://kyverno.io/policies/pod-security/baseline/disallow-host-ports/disallow-host-ports/) | [`RestrictHostPorts`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L37-L65) | Subject: **Pod**
Severity: **high**

Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. This policy ensures only approved ports are defined in container's `hostPort` field. | -|[Restrict Proc Mount](https://kyverno.io/policies/pod-security/baseline/disallow-proc-mount/disallow-proc-mount/) | [`RestrictProcMount`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L169-L198) | Subject: **Pod**
Severity: **high**

The default /proc masks are set up to reduce the attack surface. This policy ensures nothing but the specified procMount can be used. By default only "Default" is allowed. | -|[Restrict Seccomp](https://kyverno.io/policies/pod-security/baseline/restrict-seccomp/restrict-seccomp/) | [`RestrictSeccomp`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L200-L242) | Subject: **Pod**
Severity: **high**

The SecComp profile should not be explicitly set to Unconfined. This policy, requiring Kubernetes v1.19 or later, ensures that the `seccompProfile.Type` is undefined or restricted to the values in the allowed list. By default, this is `RuntimeDefault` or `Localhost`. | -|[Restrict SELinux Type](https://kyverno.io/policies/pod-security/baseline/disallow-selinux/disallow-selinux/) | [`RestrictSELinuxType`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L287-L327) | Subject: **Pod**
Severity: **high**

SELinux options can be used to escalate privileges. This policy ensures that the `seLinuxOptions` type field is undefined or restricted to the allowed list. | -|[Restrict Volume Types](https://kyverno.io/policies/pod-security/restricted/restrict-volume-types/restrict-volume-types/) | [`RestrictVolumeTypes`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/storage.ts#L7-L52) | Subject: **Pod**
Severity: **medium**

Volume types, beyond the core set, should be restricted to limit exposure to potential vulnerabilities in Container Storage Interface (CSI) drivers. In addition, HostPath volumes should not be. | - - ### Pepr Policy Mutations {{% alert-note %}} @@ -44,3 +24,31 @@ Mutations can be exempted using the same [Pepr Policy Exemptions](#pepr-policy-e | [Disallow Privilege Escalation](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L14-L75) | `containers[].securityContext.allowPrivilegeEscalation` | Mutates `allowPrivilegeEscalation` to `false` if undefined, unless the container is privileged or `CAP_SYS_ADMIN` is added. | | [Require Non-root User](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L77-L167) | `securityContext.runAsUser`,
`securityContext.runAsGroup`,
`securityContext.fsGroup`,
`securityContext.runAsNonRoot` | Pods are mutated to ensure workloads do not run as root, mutating `runAsNonRoot: true`. Users can define user, group, and fsGroup IDs to run the pod as by using the `uds/user`, `uds/group`, `uds/fsgroup` pod labels. If not provided these default to `runAsUser: 1000` and `runAsGroup: 1000`. | | [Drop All Capabilities](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L329-L376) | `containers[].securityContext.capabilities.drop` | Ensures all capabilities are dropped by setting `capabilities.drop` to `["ALL"]` for all containers. | + +### Pepr Policy Validations + +| Policy Nameđź”— | Exemption Referenceđź”— | Policy Description | +| ------------- | :-------------------: | ------------------ | +| [Disallow Host Namespaces](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-host-namespaces.yaml) | [`DisallowHostNamespaces`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L7-L35) | Implemented: âś…
Subject: **Pod**
Severity: **high**

Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are set to `false`. | +|[Disallow NodePort Services](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-nodeport-services.yaml) | [`DisallowNodePortServices`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L88-L110) | Implemented: âś…
Subject: **Service**
Severity: **medium**

A Kubernetes Service of type NodePort uses a host port to receive traffic from any source. A NetworkPolicy cannot be used to control traffic to host ports. Although NodePort Services can be useful, their use must be limited to Services with additional upstream security checks. This policy validates that any new Services do not use the `NodePort` type. | +|Disallow Privileged [Escalation](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-privilege-escalation.yaml) and [Pods](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-privileged-containers.yaml) | [`DisallowPrivileged`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L14-L75) | Implemented: âś…
Subject: **Pod**
Severity: **high**

Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. Privileged mode also disables most security mechanisms and must not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to false and `privileged` is set to false or undefined. | +|[Disallow SELinux Options](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-selinux-options.yaml) | [`DisallowSELinuxOptions`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L244-L285) | Implemented: âś…
Subject: **Pod**
Severity: **high**

SELinux options can be used to escalate privileges. This policy ensures that the `seLinuxOptions` specified are not used. | +|[Drop All Capabilities](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/require-drop-all-capabilities.yaml) | [`DropAllCapabilities`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L329-L376) | Implemented: âś…
Subject: **Pod**
Severity: **medium**

Capabilities permit privileged actions without giving full root access. All capabilities should be dropped from a Pod, with only those required added back. This policy ensures that all containers explicitly specify `drop: ["ALL"]`. | +|[Require Non-root User](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/require-non-root-user.yaml) | [`RequireNonRootUser`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L77-L167) | Implemented: âś…
Subject: **Pod**
Severity: **high**

Following the least privilege principle, containers should not be run as root. This policy ensures containers either have `runAsNonRoot` set to `true` or `runAsUser` > 0. | +|[Restrict Capabilities](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-capabilities.yaml) | [`RestrictCapabilities`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L378-L413) | Implemented: âś…
Subject: **Pod**
Severity: **high**

Capabilities permit privileged actions without giving full root access. Adding capabilities beyond the default set must not be allowed. This policy ensures users cannot add additional capabilities beyond the allowed list to a Pod. | +|[Restrict External Names (CVE-2020-8554)](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-external-names.yaml) | [`RestrictExternalNames`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L67-L86) | Implemented: âś…
Subject: **Service**
Severity: **medium**

Service external names can be used for a MITM attack (CVE-2020-8554). External names can be used by an attacker to point back to localhost or internal IP addresses for exploitation. This policy restricts services using external names to a specified list. | +|[Restrict hostPath Volume Writable Paths](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-path-write.yaml) | [`RestrictHostPathWrite`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/storage.ts#L54-L92) | Implemented: âś…
Subject: **Pod**
Severity: **medium**

hostPath volumes consume the underlying node's file system. If hostPath volumes are not universally disabled, they should be required to be read-only. Pods which are allowed to mount hostPath volumes in read/write mode pose a security risk even if confined to a "safe" file system on the host and may escape those confines. This policy checks containers for hostPath volumes and validates they are explicitly mounted in readOnly mode. | +|[Restrict Host Ports](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-ports.yaml) | [`RestrictHostPorts`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L37-L65) | Implemented: âś…
Subject: **Pod**
Severity: **high**

Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. This policy ensures only approved ports are defined in container's `hostPort` field. | +|[Restrict Proc Mount](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-proc-mount.yaml) | [`RestrictProcMount`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L169-L198) | Implemented: âś…
Subject: **Pod**
Severity: **high**

The default /proc masks are set up to reduce the attack surface. This policy ensures nothing but the specified procMount can be used. By default only "Default" is allowed. | +|[Restrict Seccomp](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-seccomp.yaml) | [`RestrictSeccomp`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L200-L242) | Implemented: âś…
Subject: **Pod**
Severity: **high**

The SecComp profile should not be explicitly set to Unconfined. This policy, requiring Kubernetes v1.19 or later, ensures that the `seccompProfile.Type` is undefined or restricted to the values in the allowed list. By default, this is `RuntimeDefault` or `Localhost`. | +|[Restrict SELinux Type](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-selinux-type.yaml) | [`RestrictSELinuxType`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L287-L327) | Implemented: âś…
Subject: **Pod**
Severity: **high**

SELinux options can be used to escalate privileges. This policy ensures that the `seLinuxOptions` type field is undefined or restricted to the allowed list. | +|[Restrict Volume Types](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-volume-types.yaml) | [`RestrictVolumeTypes`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/storage.ts#L7-L52) | Implemented: âś…
Subject: **Pod**
Severity: **medium**

Volume types, beyond the core set, should be restricted to limit exposure to potential vulnerabilities in Container Storage Interface (CSI) drivers. In addition, HostPath volumes should not be. | +|[Restrict Sysctls](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-sysctls.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod**
Severity: **high**

Sysctl can disable security mechanisms or affect all containers on a host, and should be restricted to an allowed "safe" subset. A sysctl is considered safe if it is namespaced and is isolated from other Pods and processes on the same Node. This policy ensures that all sysctls are in the allowed list. +|[Restrict Image Registries](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-image-registries.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod**
Severity: **high**

Images from unknown, public registries can be of dubious quality and may not be scanned and secured, representing a high degree of risk. Requiring use of known, approved registries helps reduce threat exposure by ensuring image pulls only come from them. This policy validates that all images originate from a registry in the approved list.| +|[Restrict hostPath Volume Mountable Paths](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-path-mount-pv.yaml) | Not Implemented | Implemented: ❌
Subject: **PersistentVolume**
Severity: **medium**

PersistentVolume using hostPath consume the underlying node's file system. If not universally disabled, they should be restricted to specific host paths to prevent access to sensitive information. This policy ensures that PV hostPath is in the allowed list. | +|[Restrict hostPath Volume Mountable Paths](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-path-mount.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod**
Severity: **medium**

hostPath volumes consume the underlying node's file system. If hostPath volumes are not universally disabled, they should be restricted to specific host paths to prevent access to sensitive information. This policy ensures that hostPath volume paths are in the allowed list. | +|[Restrict External IPs (CVE-2020-8554)](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-external-ips.yaml) | Not Implemented | Implemented: ❌
Subject: **Service**
Severity: **medium**

Service externalIPs can be used for a MITM attack (CVE-2020-8554). This policy restricts externalIPs to a specified list. | +|[Restrict AppArmor Profile](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-apparmor.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod**
Severity: **high**

On hosts using Debian Linux distros, AppArmor is used as an access control framework. AppArmor uses the 'runtime/default' profile by default. This policy ensures Pods do not override the AppArmor profile with values outside of the allowed list. | +|[Require Image Signature](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/require-image-signature.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod**
Severity: **high**

Using the Cosign project, OCI images may be signed to ensure supply chain security is maintained. Those signatures can be verified before pulling into a cluster. This policy checks the signature to ensure it has been signed by verifying its signature against the public key. | +|[Require Non-root Group](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/require-non-root-group.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod**
Severity: **high**

Following the least privilege principle, access to the root group ID should be forbidden in containers. This policy ensures containers are running with groups > 0. | +|[Disallow AutoMount Service Account Tokens](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-auto-mount-service-account-token.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod, ServiceAccount**
Severity: **high**

Auto-mounting of Kubernetes API credentials is not ideal in all circumstances. This policy finds Pods and Service Accounts that automount kubernetes api credentials. |
From 2ec6ad6cc7d3cdba1efdd752b7d2bfc2012c9f2a Mon Sep 17 00:00:00 2001
From: Rob Ferguson
Date: Tue, 24 Sep 2024 15:50:51 -0500
Subject: [PATCH 6/8] fix: revert test app version to fix CI failures (#815)
## Description
Fix test app by using previous version of httpbin
## Type of change
- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)
## Checklist before merging
- [ ] Test, docs, adr added or updated as needed
- [ ] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed
---------
Co-authored-by: Micah Nagel
---
 src/test/app-admin.yaml | 2 +-
 src/test/app-authservice-tenant.yaml | 2 +-
 src/test/zarf.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/test/app-admin.yaml b/src/test/app-admin.yaml
index 884401949..785438ea6 100644
--- a/src/test/app-admin.yaml
+++ b/src/test/app-admin.yaml
@@ -70,7 +70,7 @@ spec:
 spec:
 serviceAccountName: httpbin
 containers:
- - image: docker.io/kong/httpbin
+ - image: docker.io/kong/httpbin:0.1.0
 imagePullPolicy: IfNotPresent
 name: httpbin
 resources:
diff --git a/src/test/app-authservice-tenant.yaml b/src/test/app-authservice-tenant.yaml
index 094bff22e..04093682b 100644
--- a/src/test/app-authservice-tenant.yaml
+++ b/src/test/app-authservice-tenant.yaml
@@ -70,7 +70,7 @@ spec:
 spec:
 serviceAccountName: httpbin
 containers:
- - image: docker.io/kong/httpbin
+ - image: docker.io/kong/httpbin:0.1.0
 imagePullPolicy: IfNotPresent
 name: httpbin
 resources:
diff --git a/src/test/zarf.yaml b/src/test/zarf.yaml
index b98f98bf7..f350e036e 100644
--- a/src/test/zarf.yaml
+++ b/src/test/zarf.yaml
@@ -18,7 +18,7 @@ components:
 files:
 - "app-authservice-tenant.yaml"
 images:
- - docker.io/kong/httpbin:latest
+ - docker.io/kong/httpbin:0.1.0
 - hashicorp/http-echo:latest
 - name: podinfo
From 34ffc0a22b17489e5b87add6cafc1cc915897936 Mon Sep 17 00:00:00 2001
From: Rob Ferguson
Date: Tue, 24 Sep 2024 16:17:15 -0500
Subject: [PATCH 7/8] fix: ensure istio sidecar is killed if job fails (#813)
## Description
Ensure Istio sidecar is killed if Job pod exits with non-zero exit status. Tested with Jobs (exit code zero and non-zero)
```yaml
apiVersion: batch/v1 kind: Job metadata: name: failing-job namespace: keycloak spec: template: spec: containers: - name: fail-container image: quay.io/keycloak/keycloak:25.0.6 command: ["sh", "-c", "echo 'This will fail'; exit 1"] restartPolicy: Never backoffLimit: 3
---
apiVersion: batch/v1 kind: Job metadata: name: success-job namespace: keycloak spec: template: spec: containers: - name: succeed-container image: quay.io/keycloak/keycloak:25.0.6 command: ["sh", "-c", "echo 'This will succeed'; exit 0"] restartPolicy: Never backoffLimit: 3
```
## Related Issue
Fixes https://github.com/defenseunicorns/uds-core/issues/687
## Type of change
- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)
## Checklist before merging
- [ ] Test, docs, adr added or updated as needed
- [ ] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed
Co-authored-by: Micah Nagel
---
 src/pepr/istio/index.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/pepr/istio/index.ts b/src/pepr/istio/index.ts
index 9ca4b9252..01eb86278 100644
--- a/src/pepr/istio/index.ts
+++ b/src/pepr/istio/index.ts
@@ -47,8 +47,8 @@ When(a.Pod)
 const shouldTerminate = pod.status.containerStatuses
 // Ignore the istio-proxy container
 .filter(c => c.name != "istio-proxy")
- // and if ALL are terminated AND have exit code 0, then shouldTerminate is true
- .every(c => c.state?.terminated && c.state.terminated.exitCode == 0);
+ // and if ALL are terminated then shouldTerminate is true
+ .every(c => c.state?.terminated);
 if (shouldTerminate) {
 // Mark the pod as seen
From df514bd437e5af0bedb11a3da8860c8aeaccc78c Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Tue, 24 Sep 2024 15:52:14 -0600
Subject: [PATCH 8/8] fix: eks iac issues, document storage class pre-reqs (#812)
## Description
EBS impose a 1Gi size limitation on restored PVCs. This adds a short note to pre-reqs about checking CSI limitations. While testing with our EKS IAC I also discovered a few other issues:
- IRSA annotations were not correct
- Config did not properly variablize region
- Config had an unmatched `"` around one of the values
- Gitignore did not exclude terraform/tfstate files that shouldn't be committed
## Related Issue
Fixes https://github.com/defenseunicorns/uds-core/issues/718
## Type of change
- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)
## Checklist before merging
- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed
---
 .github/bundles/uds-bundle.yaml | 4 ++--
 .gitignore | 3 +++
 docs/deployment/prerequisites.md | 4 +++-
 tasks/iac.yaml | 4 ++--
 4 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/uds-bundle.yaml
index 0d9c226a5..ece96b5ec 100644
--- a/.github/bundles/uds-bundle.yaml
+++ b/.github/bundles/uds-bundle.yaml
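Review bot: With the exit-code test removed, `.every(c => c.state?.terminated)` is also true in the window where the kubelet is about to restart a failed container, so under `restartPolicy: OnFailure` (which Jobs permit, and which the PR description only exercises with `Never`) the sidecar can be killed just before the app container comes back up, leaving the restarted container running without its istio-proxy — its traffic is still redirected to the proxy, and the mTLS and authorization policy the sidecar enforces no longer apply to it, unless the proxy itself is restarted. A narrower condition would only treat the pod as finished when no restart can follow, e.g. `.every(c => c.state?.terminated && (c.state.terminated.exitCode == 0 || pod.spec?.restartPolicy === "Never"))`, assuming the pod object carries `spec.restartPolicy` as the Kubernetes API does. Separately, `.every` returns true on an empty list, so a pod whose only container status is istio-proxy is treated as finished; that is pre-existing behaviour, but worth a `length` guard if it is not intended. The enclosing `When(a.Pod)` handler starts before and ends after this hunk.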
@@ -27,7 +27,7 @@ packages:
 path: credentials.useSecret
 - name: VELERO_IRSA_ANNOTATION
 description: "IRSA ARN annotation to use for Velero"
- path: serviceAccount.server.annotations.irsa/role-arn
+ path: serviceAccount.server.annotations.eks\.amazonaws\.com/role-arn
 loki:
 loki:
 values:
@@ -52,4 +52,4 @@ packages:
 path: loki.storage.s3.region
 - name: LOKI_IRSA_ANNOTATION
 description: "The irsa role annotation"
- path: serviceAccount.annotations.irsa/role-arn
+ path: serviceAccount.annotations.eks\.amazonaws\.com/role-arn
diff --git a/.gitignore b/.gitignore
index 218f55004..ad3474a0f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,3 +15,6 @@ tmp-tasks.yaml
 cacert.b64
 run/
 extract-terraform.sh
+**/.terraform*
+cluster-config.yaml
+**.tfstate
diff --git a/docs/deployment/prerequisites.md b/docs/deployment/prerequisites.md
index fdbc2fb3e..ddc8e038e 100644
--- a/docs/deployment/prerequisites.md
+++ b/docs/deployment/prerequisites.md
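Review bot: `**/.terraform*` also matches `.terraform.lock.hcl`, the provider dependency lock file that Terraform recommends committing so provider versions and their checksums stay pinned across machines and CI; only the `.terraform/` working directory should be ignored. Conversely `**.tfstate` (which gitignore reads as `*.tfstate`) does not match `terraform.tfstate.backup`, which holds the same state — and the same secrets — as the file it backs up. Suggest replacing the first and third added lines with `**/.terraform/`, `*.tfstate` and `*.tfstate.*`.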
@@ -45,9 +45,11 @@ Several UDS Core components require persistent volumes that will be provisioned
 ```console
 ❯ kubectl get storageclass
 NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE
-local-path (default) rancher.io/local-path Delete WaitForFirstConsumer false 55s
+local-path (default) rancher.io/local-path Delete WaitForFirstConsumer true 55s
 ```
+It’s generally beneficial if your storage class supports volume expansion (set `allowVolumeExpansion: true`, provided your provisioner allows it). This enables you to resize volumes when needed. Additionally, be mindful of any size restrictions imposed by your provisioner. For instance, EBS volumes have a minimum size of 1Gi, which could lead to unexpected behavior, especially during Velero’s CSI backup and restore process. These constraints may also necessitate adjustments to default PVC sizes, such as Keycloak’s PVCs, which default to 512Mi in `devMode`.
+
 #### Network Policy Support
 The UDS Operator will dynamically provision network policies to secure traffic between components in UDS Core. To ensure these are effective, validate that your CNI supports enforcing network policies. In addition, UDS Core makes use of some CIDR based policies for communication with the KubeAPI server. If you are using Cilium, support for node addressability with CIDR based policies must be enabled with a [feature flag](https://docs.cilium.io/en/stable/security/policy/language/#selecting-nodes-with-cidr-ipblock).
diff --git a/tasks/iac.yaml b/tasks/iac.yaml
index a5d4b8f74..f13e2d4e4 100644
--- a/tasks/iac.yaml
+++ b/tasks/iac.yaml
@@ -25,7 +25,7 @@ tasks:
 metadata:
 name: ${CLUSTER_NAME}
- region: us-west-2
+ region: ${REGION}
 version: "1.30"
 tags:
 PermissionsBoundary: ${PERMISSIONS_BOUNDARY_NAME}
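Review bot: `region: ${REGION}` now depends on a task variable whose declaration is outside this hunk; if `REGION` is not declared with a default, the rendered eksctl config gets an empty `region:` and the error only surfaces when the cluster is created. Worth confirming the declaration exists and that its default agrees with the Loki and Velero bucket region variables used further down the file, so a single-region deployment stays consistent. The surrounding `tasks:` entry extends beyond the hunk.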
@@ -148,7 +148,7 @@ tasks:
 loki_s3_region: ${LOKI_S3_AWS_REGION}
 loki_irsa_annotation: "${LOKI_S3_ROLE_ARN}"
 velero_use_secret: false
- velero_irsa_annotation: ${VELERO_S3_ROLE_ARN}"
+ velero_irsa_annotation: "${VELERO_S3_ROLE_ARN}"
 velero_bucket: ${VELERO_S3_BUCKET}
 velero_bucket_region: ${VELERO_S3_AWS_REGION}
 velero_bucket_provider_url: ""