From 3b7d0a320a35c41b2f727ca3603444597ce813ed Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Mon, 9 Oct 2023 14:52:06 +0300 Subject: [PATCH 1/2] chore: use v2beta1 in policy exceptions (#779) Signed-off-by: Mariam Fahmy --- .../artifacthub-pkg.yml | 2 +- .../expiration-for-policyexceptions.yaml | 2 +- other/m-q/policy-for-exceptions/policy-bad.yaml | 12 ++++++------ other/m-q/policy-for-exceptions/policy-good.yaml | 8 ++++---- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/other/e-l/expiration-for-policyexceptions/artifacthub-pkg.yml b/other/e-l/expiration-for-policyexceptions/artifacthub-pkg.yml index 673622eff..25031af9c 100644 --- a/other/e-l/expiration-for-policyexceptions/artifacthub-pkg.yml +++ b/other/e-l/expiration-for-policyexceptions/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.24" kyverno/subject: "PolicyException" -digest: d460ec5a86554ec9e47781e23188598fb71b4e574910493757860f2757c801a1 +digest: 47af946fa7dde4c75c13b3edb3f3ff0bf1c2e481f4e6b34dd443f38500c9a438 diff --git a/other/e-l/expiration-for-policyexceptions/expiration-for-policyexceptions.yaml b/other/e-l/expiration-for-policyexceptions/expiration-for-policyexceptions.yaml index cfb98a60e..870237e64 100644 --- a/other/e-l/expiration-for-policyexceptions/expiration-for-policyexceptions.yaml +++ b/other/e-l/expiration-for-policyexceptions/expiration-for-policyexceptions.yaml @@ -27,7 +27,7 @@ spec: kinds: - PolicyException generate: - apiVersion: kyverno.io/v2alpha1 + apiVersion: kyverno.io/v2beta1 kind: ClusterCleanupPolicy name: polex-{{ request.namespace }}-{{ request.object.metadata.name }}-{{ random('[0-9a-z]{8}') }} synchronize: false diff --git a/other/m-q/policy-for-exceptions/policy-bad.yaml b/other/m-q/policy-for-exceptions/policy-bad.yaml index 7bd90db03..1fcad045e 100644 --- a/other/m-q/policy-for-exceptions/policy-bad.yaml +++ b/other/m-q/policy-for-exceptions/policy-bad.yaml 
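Review bot: The apiVersion bumped in this hunk is the one the generate rule writes into the ClusterCleanupPolicy it creates, not a PolicyException as the subject line suggests, so the change is only safe if the ClusterCleanupPolicy CRD is served at `kyverno.io/v2beta1` on every Kyverno release this policy is published for. A generate target whose apiVersion is not served would presumably surface only when the rule fires, not at policy install, so a CLI test for this policy is worth more than an assumption here. If the artifacthub-pkg.yml annotations above the first hunk carry a minimum Kyverno version, it should move to the first release that serves that version; the first hunk only refreshes the digest.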
@@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2alpha1 +apiVersion: kyverno.io/v2beta1 kind: PolicyException metadata: name: badpe01 @@ -12,7 +12,7 @@ spec: - rule02 match: {} --- -apiVersion: kyverno.io/v2alpha1 +apiVersion: kyverno.io/v2beta1 kind: PolicyException metadata: name: badpe02 @@ -33,7 +33,7 @@ spec: namespace: some-ns name: kube-admin --- -apiVersion: kyverno.io/v2alpha1 +apiVersion: kyverno.io/v2beta1 kind: PolicyException metadata: name: badpe03 @@ -54,7 +54,7 @@ spec: namespace: some-ns name: kube-admin --- -apiVersion: kyverno.io/v2alpha1 +apiVersion: kyverno.io/v2beta1 kind: PolicyException metadata: name: badpe04 @@ -77,7 +77,7 @@ spec: namespace: some-ns name: kube-admin --- -apiVersion: kyverno.io/v2alpha1 +apiVersion: kyverno.io/v2beta1 kind: PolicyException metadata: name: badpe05 @@ -96,7 +96,7 @@ spec: namespaces: - policy-exceptions-ns --- -apiVersion: kyverno.io/v2alpha1 +apiVersion: kyverno.io/v2beta1 kind: PolicyException metadata: name: badpe06 diff --git a/other/m-q/policy-for-exceptions/policy-good.yaml b/other/m-q/policy-for-exceptions/policy-good.yaml index ed129fbba..7153eb978 100644 --- a/other/m-q/policy-for-exceptions/policy-good.yaml +++ b/other/m-q/policy-for-exceptions/policy-good.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2alpha1 +apiVersion: kyverno.io/v2beta1 kind: PolicyException metadata: name: goodpe01 @@ -9,7 +9,7 @@ spec: - rule01 match: {} --- -apiVersion: kyverno.io/v2alpha1 +apiVersion: kyverno.io/v2beta1 kind: PolicyException metadata: name: goodpe02 @@ -33,7 +33,7 @@ spec: namespace: some-ns name: kube-admin --- -apiVersion: kyverno.io/v2alpha1 +apiVersion: kyverno.io/v2beta1 kind: PolicyException metadata: name: goodpe03 @@ -58,7 +58,7 @@ spec: namespace: some-ns name: kube-admin --- -apiVersion: kyverno.io/v2alpha1 +apiVersion: kyverno.io/v2beta1 kind: PolicyException metadata: name: goodpe04 From 3a9624e78d9eb629169778b35b1b37ccd5b8ea6b Mon Sep 17 00:00:00 2001 
From: RanganMahesh Date: Thu, 12 Oct 2023 18:01:35 +0530 Subject: [PATCH 2/2] Change roleRef pattern to subjects (#778) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * chore: add script to update artifacthub digest (#769) * chore: add script to update artifacthub digest Signed-off-by: Charles-Edouard Brétéché * fix Signed-off-by: Charles-Edouard Brétéché * script Signed-off-by: Charles-Edouard Brétéché * install Signed-off-by: Charles-Edouard Brétéché * install Signed-off-by: Charles-Edouard Brétéché * fix digest Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Charles-Edouard Brétéché Signed-off-by: Rangan Mahesh * Change roleRef pattern to subjects Changed the roleRef in patterns to subjects as the system groups are defined under subjects and not roleRef Signed-off-by: RanganMahesh Signed-off-by: Rangan Mahesh * Update artifacthub-pkg.yml Recalculated SHA256 and updated Signed-off-by: RanganMahesh Signed-off-by: Rangan Mahesh * Updated files to match new pattern Signed-off-by: Rangan Mahesh * Sign-off commit Signed-off-by: RanganMahesh Signed-off-by: Rangan Mahesh * Fix syntax issue and resolve test casses Signed-off-by: Rangan Mahesh * Update SHA256 digest Signed-off-by: Rangan Mahesh --------- Signed-off-by: Charles-Edouard Brétéché Signed-off-by: Rangan Mahesh Signed-off-by: RanganMahesh Co-authored-by: Charles-Edouard Brétéché --- .../artifacthub-pkg.yml | 2 +- .../crb-bad.yaml | 16 ++++++++------- .../crb-good.yaml | 12 +++++------ .../rb-bad.yaml | 20 ++++++++++--------- .../rb-good.yaml | 4 ++-- .../restrict-binding-system-groups.yaml | 13 ++++++------ 6 files changed, 36 insertions(+), 31 deletions(-) diff --git a/other/res/restrict-binding-system-groups/artifacthub-pkg.yml b/other/res/restrict-binding-system-groups/artifacthub-pkg.yml index aad42a820..8d0396ab8 100644 --- a/other/res/restrict-binding-system-groups/artifacthub-pkg.yml 
+++ b/other/res/restrict-binding-system-groups/artifacthub-pkg.yml @@ -20,4 +20,4 @@ annotations: kyverno/category: "Security, EKS Best Practices" kyverno/kubernetesVersion: "1.23" kyverno/subject: "RoleBinding, ClusterRoleBinding, RBAC" -digest: 8de0c1d6797c8925007a6e12a2911edec500ccf987880a581ddb1906e8bf9b87 +digest: d0336a6276727ee78903d87ca14097913d5983b35566d3f47efbf72aa59f2f4d diff --git a/other/res/restrict-binding-system-groups/crb-bad.yaml b/other/res/restrict-binding-system-groups/crb-bad.yaml index ba7d86ad6..64f050807 100644 --- a/other/res/restrict-binding-system-groups/crb-bad.yaml +++ b/other/res/restrict-binding-system-groups/crb-bad.yaml @@ -4,11 +4,11 @@ metadata: name: badcrb01 subjects: - kind: Group - name: manager + name: "system:anonymous" apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole - name: "system:anonymous" + name: manager apiGroup: rbac.authorization.k8s.io --- apiVersion: rbac.authorization.k8s.io/v1 @@ -18,10 +18,11 @@ metadata: subjects: - kind: ServiceAccount namespace: foo - name: manager + name: "system:unauthenticated" + apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole - name: "system:unauthenticated" + name: manager apiGroup: rbac.authorization.k8s.io --- apiVersion: rbac.authorization.k8s.io/v1 @@ -29,10 +30,11 @@ kind: ClusterRoleBinding metadata: name: badcrb03 subjects: -- kind: ServiceAccount +- kind: Group namespace: foo - name: manager + name: "system:masters" + apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole - name: "system:masters" + name: manager apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/other/res/restrict-binding-system-groups/crb-good.yaml b/other/res/restrict-binding-system-groups/crb-good.yaml index 05a9cf032..85015eee1 100644 --- a/other/res/restrict-binding-system-groups/crb-good.yaml +++ b/other/res/restrict-binding-system-groups/crb-good.yaml 
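Review bot: In the second crb-bad.yaml hunk, badcrb02 keeps `kind: ServiceAccount` but gains `apiGroup: rbac.authorization.k8s.io` and the name `"system:unauthenticated"`; the API server rejects both (a ServiceAccount subject must leave apiGroup empty, and a ServiceAccount name cannot contain a colon), so this fixture is a binding no cluster could admit and the Kyverno CLI test passes only because the pattern looks at `name` alone. Make it a Group like badcrb01 and badcrb03: `- kind: Group` and drop `namespace: foo`, keeping the added apiGroup line. The `namespace: foo` left on the Group subjects of badcrb03 here and of badrb02 and badrb03 in rb-bad.yaml is not meaningful for a Group and suggests a ServiceAccount was intended; the `subjects:` list on each of these starts above its hunk.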
@@ -4,11 +4,11 @@ metadata: name: goodcrb01 subjects: - kind: Group - name: manager + name: secret-reader apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole - name: secret-reader + name: manager apiGroup: rbac.authorization.k8s.io --- apiVersion: rbac.authorization.k8s.io/v1 @@ -18,10 +18,10 @@ metadata: subjects: - kind: ServiceAccount namespace: foo - name: manager + name: foo-reader roleRef: kind: ClusterRole - name: foo-reader + name: manager apiGroup: rbac.authorization.k8s.io --- @@ -32,8 +32,8 @@ metadata: subjects: - kind: ServiceAccount namespace: foo - name: manager + name: "system.foo" roleRef: kind: ClusterRole - name: "system:foo" + name: manager apiGroup: rbac.authorization.k8s.io diff --git a/other/res/restrict-binding-system-groups/rb-bad.yaml b/other/res/restrict-binding-system-groups/rb-bad.yaml index e2d1e2780..8ba04729c 100644 --- a/other/res/restrict-binding-system-groups/rb-bad.yaml +++ b/other/res/restrict-binding-system-groups/rb-bad.yaml @@ -3,12 +3,12 @@ kind: RoleBinding metadata: name: badrb01 subjects: -- kind: User - name: foo +- kind: Group + name: "system:anonymous" apiGroup: rbac.authorization.k8s.io roleRef: kind: Role - name: "system:anonymous" + name: foo apiGroup: rbac.authorization.k8s.io --- apiVersion: rbac.authorization.k8s.io/v1 @@ -16,12 +16,13 @@ kind: RoleBinding metadata: name: badrb02 subjects: -- kind: ServiceAccount - name: foo +- kind: Group + name: "system:unauthenticated" namespace: foo + apiGroup: rbac.authorization.k8s.io roleRef: kind: Role - name: "system:unauthenticated" + name: foo apiGroup: rbac.authorization.k8s.io --- apiVersion: rbac.authorization.k8s.io/v1 @@ -29,10 +30,11 @@ kind: RoleBinding metadata: name: badrb03 subjects: -- kind: ServiceAccount - name: foo +- kind: Group + name: "system:masters" namespace: foo + apiGroup: rbac.authorization.k8s.io roleRef: kind: Role - name: "system:masters" + name: foo apiGroup: rbac.authorization.k8s.io \ No newline at end of file 
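Review bot: In the third crb-good.yaml hunk the subject name becomes `"system.foo"`, while goodrb03 in rb-good.yaml uses `"system:foo"`; the value of this good case is that a `system:`-prefixed name other than the three denied ones is still allowed, and the dot form never exercises that edge, so the policy would accept it even if the negation were wrong. If the dot was chosen because a ServiceAccount name may not contain a colon, switching the subject to `- kind: Group` with `name: "system:foo"` and `apiGroup: rbac.authorization.k8s.io` keeps the fixture both valid and meaningful; otherwise it reads as a typo. The subjects list begins above the hunk.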
diff --git a/other/res/restrict-binding-system-groups/rb-good.yaml b/other/res/restrict-binding-system-groups/rb-good.yaml index f933fc687..d7e02e2ef 100644 --- a/other/res/restrict-binding-system-groups/rb-good.yaml +++ b/other/res/restrict-binding-system-groups/rb-good.yaml @@ -30,9 +30,9 @@ metadata: name: goodrb03 subjects: - kind: Group - name: foo + name: "system:foo" apiGroup: rbac.authorization.k8s.io roleRef: kind: Role - name: "system:foo" + name: foo apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/other/res/restrict-binding-system-groups/restrict-binding-system-groups.yaml b/other/res/restrict-binding-system-groups/restrict-binding-system-groups.yaml index 2ddcced0d..6c81a334b 100644 --- a/other/res/restrict-binding-system-groups/restrict-binding-system-groups.yaml +++ b/other/res/restrict-binding-system-groups/restrict-binding-system-groups.yaml @@ -29,8 +29,8 @@ spec: validate: message: "Binding to system:anonymous is not allowed." pattern: - roleRef: - name: "!system:anonymous" + subjects: + - name: "!system:anonymous" - name: restrict-unauthenticated match: any: @@ -41,8 +41,8 @@ spec: validate: message: "Binding to system:unauthenticated is not allowed." pattern: - roleRef: - name: "!system:unauthenticated" + subjects: + - name: "!system:unauthenticated" - name: restrict-masters match: any: @@ -53,5 +53,6 @@ spec: validate: message: "Binding to system:masters is not allowed." pattern: - roleRef: - name: "!system:masters" + subjects: + - name: "!system:masters" +
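Review bot: The new `subjects:` pattern makes the key mandatory, so a RoleBinding or ClusterRoleBinding created without any subjects (the field is optional) now fails all three rules with a misleading "Binding to … is not allowed" message. Use the conditional anchor `=(subjects):` in place of `subjects:` in the restrict-anonymous, restrict-unauthenticated and restrict-masters hunks so the single-element pattern is applied to every subject only when the list is present. The single-element list is the right shape here, since Kyverno checks each entry of the resource list against it, and matching on `name` regardless of `kind` is correct because `system:anonymous` is a user while the other two are groups. Whether subjects can still be added to an existing binding depends on the `match` blocks above each hunk covering UPDATE as well as CREATE.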