From a5f618bc67f0ac7eeda4692f4df5a60d97c68f44 Mon Sep 17 00:00:00 2001
From: Gal Shinder
Date: Sun, 21 Nov 2021 16:19:39 +0200
Subject: [PATCH 1/7] Changed kustomize so that policies could be enforced policies as groups
---
 .../kustomization.yaml | 13 ++++++++++
 .../authorization/kustomization.yaml | 17 ++++++++++++
 .../etcd-security/kustomization.yaml | 7 +++++
 open-policy-agent/kustomization.yaml | 26 +++++--------------
 .../networking/kustomization.yaml | 11 ++++++++
 .../resource-exhaustion/kustomization.yaml | 9 +++++++
 open-policy-agent/storage/kustomization.yaml | 7 +++++
 .../README.md | 0
 .../constraint.yaml | 0
 .../template.yaml | 0
 .../trusted-image-sources/kustomization.yaml | 9 +++++++
 11 files changed, 80 insertions(+), 19 deletions(-)
 create mode 100644 open-policy-agent/authentication-user-management/kustomization.yaml
 create mode 100644 open-policy-agent/authorization/kustomization.yaml
 create mode 100644 open-policy-agent/etcd-security/kustomization.yaml
 create mode 100644 open-policy-agent/networking/kustomization.yaml
 create mode 100644 open-policy-agent/resource-exhaustion/kustomization.yaml
 create mode 100644 open-policy-agent/storage/kustomization.yaml
 rename open-policy-agent/trusted-image-sources/{disallowedtags => disallowed-tags}/README.md (100%)
 rename open-policy-agent/trusted-image-sources/{disallowedtags => disallowed-tags}/constraint.yaml (100%)
 rename open-policy-agent/trusted-image-sources/{disallowedtags => disallowed-tags}/template.yaml (100%)
 create mode 100644 open-policy-agent/trusted-image-sources/kustomization.yaml
diff --git a/open-policy-agent/authentication-user-management/kustomization.yaml b/open-policy-agent/authentication-user-management/kustomization.yaml
new file mode 100644
index 0000000..4872e5a
--- /dev/null
+++ b/open-policy-agent/authentication-user-management/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./delete-kubeadmin/template.yaml
+- ./delete-kubeadmin/constraint.yaml
+- ./shorten-tokens/template.yaml
+- ./shorten-tokens/constraint.yaml
+- ./oauth-secured-identity-providers-only/template.yaml
+- ./oauth-secured-identity-providers-only/constraint.yaml
+- ./disallow-anonymous-users/template.yaml
+- ./disallow-anonymous-users/constraint.yaml
+commonLabels:
+ policy-group: authentication-user-management
\ No newline at end of file
diff --git a/open-policy-agent/authorization/kustomization.yaml b/open-policy-agent/authorization/kustomization.yaml
new file mode 100644
index 0000000..74becb3
--- /dev/null
+++ b/open-policy-agent/authorization/kustomization.yaml
@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./disallow-privileged-scc-usage/template.yaml
+- ./disallow-privileged-scc-usage/constraint.yaml
+- ./prevent-default-serviceaccount-usage/template.yaml
+- ./prevent-default-serviceaccount-usage/constraint.yaml
+- ./disallow-host-network/template.yaml
+- ./disallow-host-network/constraint.yaml
+- ./disallow-host-namespaces/template.yaml
+- ./disallow-host-namespaces/constraint.yaml
+- ./disallow-cluster-admin/template.yaml
+- ./disallow-cluster-admin/constraint.yaml
+- ./disallow-scc-runasany/template.yaml
+- ./disallow-scc-runasany/constraint.yaml
+commonLabels:
+ policy-group: authorization
\ No newline at end of file
diff --git a/open-policy-agent/etcd-security/kustomization.yaml b/open-policy-agent/etcd-security/kustomization.yaml
new file mode 100644
index 0000000..2efaf93
--- /dev/null
+++ b/open-policy-agent/etcd-security/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./verify-etcd-encryption/template.yaml
+- ./verify-etcd-encryption/constraint.yaml
+commonLabels:
+ policy-group: etcd-security
\ No newline at end of file
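Review bot: Each policy's `constraint.yaml` is listed directly after its `template.yaml`, but the Constraint kind is a CRD that Gatekeeper creates only after it has processed the ConstraintTemplate, so applying this group (or the root kustomization that now includes it) to a cluster where the template is not yet installed is likely to fail on every constraint until a second apply or sync. That ordering dependency deserves a comment above the resources list, e.g. `# constraint.yaml depends on the CRD Gatekeeper derives from template.yaml; a first apply or sync may need a retry`, or a sentence for GitOps users in the README. Because these group files pull in the constraints where the previous root kustomization listed templates only, whatever `enforcementAction` each `constraint.yaml` carries becomes live for every consumer of the root; the constraint files are not in this patch, so please confirm they default to `dryrun`. The same applies to the authorization, etcd-security, networking, resource-exhaustion, storage and trusted-image-sources kustomizations in this patch.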
diff --git a/open-policy-agent/kustomization.yaml b/open-policy-agent/kustomization.yaml
index 1ef8bd1..50966c0 100644
--- a/open-policy-agent/kustomization.yaml
+++ b/open-policy-agent/kustomization.yaml
@@ -1,22 +1,10 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ./authentication-user-management/delete-kubeadmin/template.yaml
-- ./authentication-user-management/shorten-tokens/template.yaml
-- ./authentication-user-management/oauth-secured-identity-providers-only/template.yaml
-- ./authorization/disallow-privileged-scc-usage/template.yaml
-- ./authorization/prevent-default-serviceaccount-usage/template.yaml
-- ./etcd-security/verify-etcd-encryption/template.yaml
-- ./networking/block-nodeport-services/template.yaml
-- ./networking/external-ips/template.yaml
-- ./networking/httpsonly/template.yaml
-- ./resource-exhaustion/disallow-self-provisioner/template.yaml
-- ./trusted-image-sources/disallowedtags/template.yaml
-- ./trusted-image-sources/disallowed-registries/template.yaml
-- ./resource-exhaustion/pod-resource-limits/template.yaml
-- ./authorization/disallow-host-network/template.yaml
-- ./authorization/disallow-host-namespaces/template.yaml
-- ./authorization/disallow-cluster-admin/template.yaml
-- ./authorization/disallow-scc-runasany/template.yaml
-- ./authentication/disallow-anonymous-users/template.yaml
-- ./storage/disallow-emptydir/template.yaml
+- ./authentication-user-management
+- ./authorization
+- ./etcd-security
+- ./networking
+- ./resource-exhaustion
+- ./storage
+- ./trusted-image-sources
diff --git a/open-policy-agent/networking/kustomization.yaml b/open-policy-agent/networking/kustomization.yaml
new file mode 100644
index 0000000..2f15fa7
--- /dev/null
+++ b/open-policy-agent/networking/kustomization.yaml
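Review bot: The removed list referenced `./authentication/disallow-anonymous-users/template.yaml`, while the new `authentication-user-management/kustomization.yaml` in this patch references `./disallow-anonymous-users/` under `authentication-user-management`, and the diffstat shows no rename of an `authentication/` directory. One of the two paths must be wrong: either the old entry was already dead or the new group entry will not resolve, and a `kustomize build open-policy-agent` run in CI would settle it (and would also keep the `disallowedtags` to `disallowed-tags` rename in step with the group file). Since the root now delegates entirely to per-group directories, a short comment above the list such as `# one entry per policy group; each directory carries its own kustomization.yaml and policy-group label` would make that layout contract explicit for the next contributor.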
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./block-nodeport-services/template.yaml
+- ./block-nodeport-services/constraint.yaml
+- ./external-ips/template.yaml
+- ./external-ips/constraint.yaml
+- ./httpsonly/template.yaml
+- ./httpsonly/constraint.yaml
+commonLabels:
+ policy-group: networking
\ No newline at end of file
diff --git a/open-policy-agent/resource-exhaustion/kustomization.yaml b/open-policy-agent/resource-exhaustion/kustomization.yaml
new file mode 100644
index 0000000..1b78217
--- /dev/null
+++ b/open-policy-agent/resource-exhaustion/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./disallow-self-provisioner/template.yaml
+- ./disallow-self-provisioner/constraint.yaml
+- ./pod-resource-limits/template.yaml
+- ./pod-resource-limits/constraint.yaml
+commonLabels:
+ policy-group: resource-exhaustion
\ No newline at end of file
diff --git a/open-policy-agent/storage/kustomization.yaml b/open-policy-agent/storage/kustomization.yaml
new file mode 100644
index 0000000..78d1766
--- /dev/null
+++ b/open-policy-agent/storage/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./disallow-emptydir/template.yaml
+- ./disallow-emptydir/constraint.yaml
+commonLabels:
+ policy-group: storage
\ No newline at end of file
diff --git a/open-policy-agent/trusted-image-sources/disallowedtags/README.md b/open-policy-agent/trusted-image-sources/disallowed-tags/README.md
similarity index 100%
rename from open-policy-agent/trusted-image-sources/disallowedtags/README.md
rename to open-policy-agent/trusted-image-sources/disallowed-tags/README.md
diff --git a/open-policy-agent/trusted-image-sources/disallowedtags/constraint.yaml b/open-policy-agent/trusted-image-sources/disallowed-tags/constraint.yaml
similarity index 100%
rename from open-policy-agent/trusted-image-sources/disallowedtags/constraint.yaml
rename to open-policy-agent/trusted-image-sources/disallowed-tags/constraint.yaml
diff --git a/open-policy-agent/trusted-image-sources/disallowedtags/template.yaml b/open-policy-agent/trusted-image-sources/disallowed-tags/template.yaml
similarity index 100%
rename from open-policy-agent/trusted-image-sources/disallowedtags/template.yaml
rename to open-policy-agent/trusted-image-sources/disallowed-tags/template.yaml
diff --git a/open-policy-agent/trusted-image-sources/kustomization.yaml b/open-policy-agent/trusted-image-sources/kustomization.yaml
new file mode 100644
index 0000000..2ba12a3
--- /dev/null
+++ b/open-policy-agent/trusted-image-sources/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./disallowed-registries/template.yaml
+- ./disallowed-registries/constraint.yaml
+- ./disallowed-tags/template.yaml
+- ./disallowed-tags/constraint.yaml
+commonLabels:
+ policy-group: trusted-image-sources
\ No newline at end of file
From 6294185d0501db4cb6cfb494e6b91ff54f7b14f7 Mon Sep 17 00:00:00 2001
From: Gal Shinder
Date: Sun, 21 Nov 2021 16:34:57 +0200
Subject: [PATCH 2/7] Added documentation about using the new kustomize
---
 open-policy-agent/README.md | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/open-policy-agent/README.md b/open-policy-agent/README.md
index 433b144..718bed5 100644
--- a/open-policy-agent/README.md
+++ b/open-policy-agent/README.md
@@ -83,3 +83,31 @@ For example, applying 'kubeadmin' temporary user removal validation policy
 $ oc apply -f https://raw.githubusercontent.com/openshift-4-compliance/openshift-4-compliance-automation/master/open-policy-agent/authentication-user-management/delete-kubeadmin/template.yaml
 $ oc apply -f https://raw.githubusercontent.com/openshift-4-compliance/openshift-4-compliance-automation/master/open-policy-agent/authentication-user-management/delete-kubeadmin/constraint.yaml
 ```
+
+### Using GitOps
+You can choose to enforce specific policy groups by including the Kustomize.yaml at the root of `/open-policy-agent` and adding the following patch
+```
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+-
+
+patchesJson6902:
+- target:
+ labelSelector: policy-group=
+ patch: |-
+ - op: replace
+ path: "/spec/enforcementAction"
+ value: deny
+```
+
+You can also import this as an artifact to your repo instead of adding the code to it using the following Kustomize.yaml
+```
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- https://github.com/openshift-4-compliance/openshift-4-compliance-automation.git//open-policy-agent?ref=
+```
From 7070c77df0c37cb61bba8116d3ecc93de2d3fbcb Mon Sep 17 00:00:00 2001
From: Gal Shinder
Date: Sun, 21 Nov 2021 17:21:49 +0200
Subject: [PATCH 3/7] Added documentation about enforcing specific policies uisng kustomize
---
 open-policy-agent/README.md | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/open-policy-agent/README.md b/open-policy-agent/README.md
index 718bed5..a34e21e 100644
--- a/open-policy-agent/README.md
+++ b/open-policy-agent/README.md
@@ -102,6 +102,23 @@ patchesJson6902: value: deny ``` +You can enforce specific policies by including the Kustomize.yaml at the root of `/open-policy-agent` and adding the following patch +``` +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- + +patchesJson6902: +- target: + name: + patch: |- + - op: replace + path: "/spec/enforcementAction" + value: deny +``` + You can also import this as an artifact to your repo instead of adding the code to it using the following Kustomize.yaml ``` --- @@ -110,4 +127,4 @@ kind: Kustomization resources: - https://github.com/openshift-4-compliance/openshift-4-compliance-automation.git//open-policy-agent?ref= -``` +``` \ No newline at end of file From ca6aa7ccb00f84e289720937af77596781b23a73 Mon Sep 17 00:00:00 2001 From: Gal Shinder Date: Sun, 28 Nov 2021 18:37:21 +0200 Subject: [PATCH 4/7] Added doc for removing or enforcing specific policies or groups of policies --- open-policy-agent/README.md | 63 +++++++++++++++++++++++++++---------- 1 file changed, 46 insertions(+), 17 deletions(-) diff --git a/open-policy-agent/README.md b/open-policy-agent/README.md index a34e21e..246a602 100644 --- a/open-policy-agent/README.md +++ b/open-policy-agent/README.md 
@@ -84,47 +84,76 @@ $ oc apply -f https://raw.githubusercontent.com/openshift-4-compliance/openshift $ oc apply -f https://raw.githubusercontent.com/openshift-4-compliance/openshift-4-compliance-automation/master/open-policy-agent/authentication-user-management/delete-kubeadmin/constraint.yaml ``` -### Using GitOps -You can choose to enforce specific policy groups by including the Kustomize.yaml at the root of `/open-policy-agent` and adding the following patch +## Applying policies using GitOps +You can modify which policies to enforce/dryrun or include at all using kustomize. + +**By default all policies are included as dryrun**. + +### Import this kustomization +#### By extending this project ``` apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- +- +``` + +#### By importing this kustomization to your repo +``` +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- https://github.com/openshift-4-compliance/openshift-4-compliance-automation.git//open-policy-agent?ref= +``` + +### Modify this kustomization +#### Enforce specific policies +``` +... patchesJson6902: - target: - labelSelector: policy-group= + name: patch: |- - op: replace path: "/spec/enforcementAction" value: deny ``` -You can enforce specific policies by including the Kustomize.yaml at the root of `/open-policy-agent` and adding the following patch +#### Enforce a group of policies ``` -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: -- +... patchesJson6902: - target: - name: + labelSelector: policy-group= patch: |- - op: replace path: "/spec/enforcementAction" value: deny ``` +#### Remove specific policies +``` +... 
-You can also import this as an artifact to your repo instead of adding the code to it using the following Kustomize.yaml +patchesStrategicMerge: +- |- + metadata: + name: + $patch: delete ``` ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: -- https://github.com/openshift-4-compliance/openshift-4-compliance-automation.git//open-policy-agent?ref= +#### Remove a group of policies +``` +... + +patchesStrategicMerge: +- |- + metadata: + labels: + policy-group= + $patch: delete ``` \ No newline at end of file From c4baff4f81438aa21049ae7c3671ebe0fafa88df Mon Sep 17 00:00:00 2001 From: Gal Shinder Date: Mon, 29 Nov 2021 23:09:53 +0200 Subject: [PATCH 5/7] Added include all policies and corrected section about removal of policies --- open-policy-agent/README.md | 38 ++++++++++++++++++------------------- 1 file changed, 18 insertions(+), 20 deletions(-) diff --git a/open-policy-agent/README.md b/open-policy-agent/README.md index 246a602..8413562 100644 --- a/open-policy-agent/README.md +++ b/open-policy-agent/README.md @@ -85,9 +85,9 @@ $ oc apply -f https://raw.githubusercontent.com/openshift-4-compliance/openshift ``` ## Applying policies using GitOps -You can modify which policies to enforce/dryrun or include at all using kustomize. +You can modify which policies to enforce using kustomize. -**By default all policies are included as dryrun**. +**By default all policies are included as dryrun. Removal isn't supported, although an alternative is specified [here](https://kubectl.docs.kubernetes.io/faq/kustomize/eschewedfeatures/#removal-directives)**. ### Import this kustomization #### By extending this project @@ -107,6 +107,8 @@ kind: Kustomization resources: - https://github.com/openshift-4-compliance/openshift-4-compliance-automation.git//open-policy-agent?ref= + +... ``` ### Modify this kustomization 
@@ -129,31 +131,27 @@ patchesJson6902: patchesJson6902: - target: + name: .* + group: constraints.gatekeeper.sh + version: v1beta1 labelSelector: policy-group= patch: |- - op: replace path: "/spec/enforcementAction" value: deny ``` -#### Remove specific policies -``` -... - -patchesStrategicMerge: -- |- - metadata: - name: - $patch: delete -``` -#### Remove a group of policies +#### Enforce all policies ``` ... -patchesStrategicMerge: -- |- - metadata: - labels: - policy-group= - $patch: delete -``` \ No newline at end of file +patchesJson6902: +- target: + name: .* + group: constraints.gatekeeper.sh + version: v1beta1 + patch: |- + - op: replace + path: "/spec/enforcementAction" + value: deny +``` From 59f58ac7f95222fe1ea788cb102ed6b31cae18d1 Mon Sep 17 00:00:00 2001 From: Gal Shinder Date: Tue, 30 Nov 2021 00:01:58 +0200 Subject: [PATCH 6/7] Added doc about including policies in dry run as policy groups, clarified the supported ways of using this repo in a gitops scenario --- open-policy-agent/README.md | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/open-policy-agent/README.md b/open-policy-agent/README.md index 8413562..28dfd30 100644 --- a/open-policy-agent/README.md +++ b/open-policy-agent/README.md 
@@ -85,9 +85,13 @@ $ oc apply -f https://raw.githubusercontent.com/openshift-4-compliance/openshift ``` ## Applying policies using GitOps -You can modify which policies to enforce using kustomize. +You can include in `dryrun` mode either all policies or as policy groups. +You can change to `enforce` mode either all policies, as policy groups, or individually. + + +You can't include specific policies in dry run, you can use the alternative workflow suggested at the end of the paragraph in [this link](https://kubectl.docs.kubernetes.io/faq/kustomize/eschewedfeatures/#removal-directives). + -**By default all policies are included as dryrun. Removal isn't supported, although an alternative is specified [here](https://kubectl.docs.kubernetes.io/faq/kustomize/eschewedfeatures/#removal-directives)**. ### Import this kustomization #### By extending this project @@ -96,7 +100,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: +# All policies - +# Specific groups +- +... ``` #### By importing this kustomization to your repo @@ -106,8 +114,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: +# All policies - https://github.com/openshift-4-compliance/openshift-4-compliance-automation.git//open-policy-agent?ref= - +# Specific groups +- https://github.com/openshift-4-compliance/openshift-4-compliance-automation.git//open-policy-agent/policy-folder?ref= ... ``` From 2beaea990887c3c2e1e8e78628e16cae9b267873 Mon Sep 17 00:00:00 2001 From: Gal Shinder Date: Sun, 5 Dec 2021 12:42:23 +0200 Subject: [PATCH 7/7] Fixed phrasing in documentation --- open-policy-agent/README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/open-policy-agent/README.md b/open-policy-agent/README.md index 28dfd30..89484b6 100644 --- a/open-policy-agent/README.md +++ b/open-policy-agent/README.md 
@@ -85,11 +85,11 @@ $ oc apply -f https://raw.githubusercontent.com/openshift-4-compliance/openshift ``` ## Applying policies using GitOps -You can include in `dryrun` mode either all policies or as policy groups. -You can change to `enforce` mode either all policies, as policy groups, or individually. +You can use the `dryrun` enforcement mode in either all policies or in policy groups. +You can use the `deny` enforcement mode in either all policies, in policy groups, or individually. -You can't include specific policies in dry run, you can use the alternative workflow suggested at the end of the paragraph in [this link](https://kubectl.docs.kubernetes.io/faq/kustomize/eschewedfeatures/#removal-directives). +You can't include specific policies in `dryrun` enforcement mode, you can use the alternative workflow suggested at the end of the paragraph in [this link](https://kubectl.docs.kubernetes.io/faq/kustomize/eschewedfeatures/#removal-directives). @@ -128,7 +128,7 @@ resources: patchesJson6902: - target: - name: + name: patch: |- - op: replace path: "/spec/enforcementAction" @@ -144,7 +144,7 @@ patchesJson6902: name: .* group: constraints.gatekeeper.sh version: v1beta1 - labelSelector: policy-group= + labelSelector: policy-group= patch: |- - op: replace path: "/spec/enforcementAction"