Stack: Kyverno (#38)

Signed-off-by: Boris 'B' Kurktchiev <[email protected]>

kyverno-integration/README.md

@@ -0,0 +1,46 @@
+# Kyverno Stack
+
+Implementation of Kyverno for CNOE
+
+## Components
+
+The Stack installs `Kyverno` and optionally `Kyverno Pod Security Policies - Restricted` implementation. By default users should use:
+  - `module/audit` - for testing and understanding of the impact
+  - `module/enforce` - once the proper state of platform is understood and all necessary workload exceptions or violations have been accounted for.
+    - If you chose to enable `Enforce` mode. Exceptions for the following `ref-implementation` components are included, to ensure proper operability:
+      - [ArgoCD](modules/enforce/exceptions/argocd.yaml)
+      - [Crossplane](modules/enforce/exceptions/crossplane.yaml)
+      - [Backstage](modules/enforce/exceptions/backstage.yaml)
+      - [Ingress-Nginx](modules/enforce/exceptions/ingress-nginx.yaml)
+      - [Kind cluster](modules/enforce/exceptions/kind.yaml), this should mainly be needed when testing `ref-implementation` on a `kind` installation
+
+*NOTE* - enabling `Enforce` mode without prior testing will most likely cause issues for NEW workloads, already existing workloads will not be affected immediately, always start with `Audit` unless you are completely sure of the impact enabling blocking policies will have on your platform.
+
+## Installation
+
+You can use and test out this stack without using any policies, using the `ref-implementation` as follows:
+
+```bash
+idpbuilder create --use-path-routing \
+  -p https://github.com/cnoe-io/stacks//ref-implementation \
+  -p https://github.com/cnoe-io/stacks//kyverno-integration
+```
+
+Depending on your use case, install the Kubernetes PSS Policies in `Audit`, implemented in Kyverno as follows:
+
+```bash
+idpbuilder create --use-path-routing \
+  -p https://github.com/cnoe-io/stacks//ref-implementation \
+  -p https://github.com/cnoe-io/stacks//kyverno-integration \
+  -p https://github.com/cnoe-io/stacks//kyverno-integration/modules/audit
+```
+
+If you would like to change to `Enforce` mode:
+
+```bash
+idpbuilder create --use-path-routing \
+  -p https://github.com/cnoe-io/stacks//ref-implementation \
+  -p https://github.com/cnoe-io/stacks//kyverno-integration \
+  -p https://github.com/cnoe-io/stacks//kyverno-integration/modules/enforce
+```
+

kyverno-integration/kyverno.yaml

@@ -0,0 +1,31 @@
+kind: Application
+apiVersion: argoproj.io/v1alpha1
+metadata:
+  name: kyverno
+  namespace: argocd
+spec:
+  project: default
+  source:
+    chart: kyverno
+    repoURL: https://kyverno.github.io/kyverno/
+    targetRevision: 3.2.7
+    helm:
+      releaseName: kyverno
+      valuesObject:
+          kyverno.fullname: kyverno
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: kyverno
+  syncPolicy:
+    syncOptions:
+    - Replace=true
+    - CreateNamespace=true
+    automated:
+      selfHeal: true
+      prune: true
+    retry:
+      limit: 30
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s

kyverno-integration/modules/audit/kyverno-pss-policies-audit.yaml

@@ -0,0 +1,33 @@
+kind: Application
+apiVersion: argoproj.io/v1alpha1
+metadata:
+  name: kyverno-pss-policies-audit
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/kyverno/kyverno
+    targetRevision: 3.2.7
+    path: charts/kyverno-policies
+    helm:
+      releaseName: "kyverno-policies"
+      parameters:
+        - name: "podSecurityStandard"
+          value: restricted
+        - name: "validationFailureAction"
+          value: Audit
+        - name: "podSecuritySeverity"
+          value: High
+  destination:
+    server: "https://kubernetes.default.svc"
+  syncPolicy:
+    syncOptions:
+    - Replace=true
+    automated:
+      selfHeal: true
+    retry:
+      limit: 30
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s

kyverno-integration/modules/enforce/exceptions/argocd.yaml

@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+  name: argocd-cnoe-operation
+  namespace: kyverno
+spec:
+  exceptions:
+  - policyName: disallow-privilege-escalation
+    ruleNames:
+    - privilege-escalation
+    - autogen-privilege-escalation
+  - policyName: disallow-capabilities-strict
+    ruleNames:
+    - require-drop-all
+    - autogen-require-drop-all
+  - policyName: require-run-as-nonroot
+    ruleNames:
+    - run-as-non-root
+    - autogen-run-as-non-root
+  - policyName: restrict-seccomp-strict
+    ruleNames:
+    - check-seccomp-strict
+    - autogen-check-seccomp-strict
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        - Deployment
+        - ReplicaSet
+        namespaces:
+        - argocd
+        names:
+        # TODO: this should be more targeted than blanket *
+        - argocd-*

kyverno-integration/modules/enforce/exceptions/backstage.yaml

@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+  name: backstage-cnoe-operation
+  namespace: kyverno
+spec:
+  exceptions:
+  - policyName: disallow-privilege-escalation
+    ruleNames:
+    - privilege-escalation
+    - autogen-privilege-escalation
+  - policyName: disallow-capabilities-strict
+    ruleNames:
+    - require-drop-all
+    - autogen-require-drop-all
+  - policyName: require-run-as-nonroot
+    ruleNames:
+    - run-as-non-root
+    - autogen-run-as-non-root
+  - policyName: restrict-seccomp-strict
+    ruleNames:
+    - check-seccomp-strict
+    - autogen-check-seccomp-strict
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        - Deployment
+        - ReplicaSet
+        namespaces:
+        - backstage
+        names:
+        # TODO: this should be more targeted than blanket *
+        - backstage*

kyverno-integration/modules/enforce/exceptions/crossplane.yaml

@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+  name: crossplane-system-cnoe-operation
+  namespace: kyverno
+spec:
+  exceptions:
+  - policyName: disallow-capabilities-strict
+    ruleNames:
+    - require-drop-all
+    - autogen-require-drop-all
+  - policyName: disallow-privilege-escalation
+    ruleNames:
+    - privilege-escalation
+    - autogen-privilege-escalation
+  - policyName: require-run-as-nonroot
+    ruleNames:
+    - run-as-non-root
+    - autogen-run-as-non-root
+  - policyName: restrict-seccomp-strict
+    ruleNames:
+    - check-seccomp-strict
+    - autogen-check-seccomp-strict
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        - Deployment
+        - ReplicaSet
+        namespaces:
+        - crossplane-system
+        names:
+        # TODO: this should be more targeted than blanket *
+        - crossplane*
+        - upbound-provider-*

kyverno-integration/modules/enforce/exceptions/ingress-nginx.yaml

@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+  name: ingress-nginx-cnoe-operation
+  namespace: kyverno
+spec:
+  exceptions:
+  - policyName: disallow-host-ports
+    ruleNames:
+    - host-ports-none
+    - autogen-host-ports-none
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        - Deployment
+        - ReplicaSet
+        namespaces:
+        - ingress-nginx
+        names:
+        - ingress-nginx*

kyverno-integration/modules/enforce/exceptions/kind.yaml

@@ -0,0 +1,66 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+  name: system-cnoe-operation
+  namespace: kyverno
+spec:
+  exceptions:
+  - policyName: disallow-host-path
+    ruleNames:
+    - host-path
+    - autogen-host-path
+  - policyName: disallow-privilege-escalation
+    ruleNames:
+    - privilege-escalation
+    - autogen-privilege-escalation
+  - policyName: disallow-privileged-containers
+    ruleNames:
+    - privileged-containers
+    - autogen-privileged-containers
+  - policyName: disallow-capabilities-strict
+    ruleNames:
+    - require-drop-all
+    - autogen-require-drop-all
+    - adding-capabilities-strict
+    - autogen-adding-capabilities-strict
+    - adding-capabilities
+    - autogen-adding-capabilities
+  - policyName: disallow-capabilities
+    ruleNames:
+    - adding-capabilities
+    - autogen-adding-capabilities
+  - policyName: require-run-as-nonroot
+    ruleNames:
+    - run-as-non-root
+    - autogen-run-as-non-root
+  - policyName: restrict-seccomp-strict
+    ruleNames:
+    - check-seccomp-strict
+    - autogen-check-seccomp-strict
+  - policyName: restrict-volume-types
+    ruleNames:
+    - restricted-volumes
+    - autogen-restricted-volumes
+  - policyName: disallow-host-namespaces
+    ruleNames:
+    - host-namespaces
+    - autogen-host-namespaces
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        - Deployment
+        - ReplicaSet
+        - StatefulSet
+        - DaemonSet
+        namespaces:
+        - kube-system
+        - local-path-storage
+        names:
+        # TODO: this should be more targeted than blanket *
+        - kube-*
+        - kindnet*
+        - local-path*
+        - coredns*
+        - etcd-*

kyverno-integration/modules/enforce/kyverno-pss-exceptions.yaml

@@ -0,0 +1,26 @@
+kind: Application
+apiVersion: argoproj.io/v1alpha1
+metadata:
+  name: kyverno-pss-policies-enforce-exceptions
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: cnoe://exceptions
+    targetRevision: HEAD
+    path: "."
+    directory:
+      recurse: true
+  destination:
+    server: "https://kubernetes.default.svc"
+  syncPolicy:
+    syncOptions:
+    - Replace=true
+    automated:
+      selfHeal: true
+    retry:
+      limit: 30
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s

kyverno-integration/modules/enforce/kyverno-pss-policies-enforce.yaml

@@ -0,0 +1,33 @@
+kind: Application
+apiVersion: argoproj.io/v1alpha1
+metadata:
+  name: kyverno-pss-policies-enforce
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/kyverno/kyverno
+    targetRevision: HEAD
+    path: charts/kyverno-policies
+    helm:
+      releaseName: "kyverno-policies"
+      parameters:
+        - name: "podSecurityStandard"
+          value: restricted
+        - name: "validationFailureAction"
+          value: Enforce
+        - name: "podSecuritySeverity"
+          value: High
+  destination:
+    server: "https://kubernetes.default.svc"
+  syncPolicy:
+    syncOptions:
+    - Replace=true
+    automated:
+      selfHeal: true
+    retry:
+      limit: 30
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s