From 6342d43c0a4e64c4a284a357165cacbb49b31f48 Mon Sep 17 00:00:00 2001
From: fast-n-curious
Date: Tue, 6 Aug 2024 22:35:41 -0500
Subject: [PATCH 1/4] Added a policy for deny-default-service-account-bindings
Signed-off-by: fast-n-curious
---
 .../.tests/chainsaw-test.yaml | 13 +++++++
 .../.tests/kyverno-test.yaml | 23 +++++++++++++
 .../.tests/resources.yaml | 31 +++++++++++++++++
 .../artifacthub-pkg.yml | 22 ++++++++++++
 ...deny-default-service-account-bindings.yaml | 34 +++++++++++++++++++
 5 files changed, 123 insertions(+)
 create mode 100644 other/deny-default-service-account-bindings/.tests/chainsaw-test.yaml
 create mode 100644 other/deny-default-service-account-bindings/.tests/kyverno-test.yaml
 create mode 100644 other/deny-default-service-account-bindings/.tests/resources.yaml
 create mode 100644 other/deny-default-service-account-bindings/artifacthub-pkg.yml
 create mode 100644 other/deny-default-service-account-bindings/deny-default-service-account-bindings.yaml
diff --git a/other/deny-default-service-account-bindings/.tests/chainsaw-test.yaml b/other/deny-default-service-account-bindings/.tests/chainsaw-test.yaml
new file mode 100644
index 000000000..43f4bcfe3
--- /dev/null
+++ b/other/deny-default-service-account-bindings/.tests/chainsaw-test.yaml
@@ -0,0 +1,13 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: sample-test
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: kyverno test .
+ check:
+ ($error != null): false
diff --git a/other/deny-default-service-account-bindings/.tests/kyverno-test.yaml b/other/deny-default-service-account-bindings/.tests/kyverno-test.yaml
new file mode 100644
index 000000000..21ce388ea
--- /dev/null
+++ b/other/deny-default-service-account-bindings/.tests/kyverno-test.yaml
@@ -0,0 +1,23 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: kyverno-test.yaml
+policies:
+- ../deny-default-service-account-bindings.yaml
+resources:
+- resources.yaml
+results:
+- kind: RoleBinding
+ policy: deny-default-service-account-bindings
+ resources:
+ - goodpod01
+ - goodpod02
+ result: pass
+ rule: deny-default-service-account-bindings
+- kind: RoleBinding
+ policy: deny-default-service-account-bindings
+ resources:
+ - badpod01
+ - badpod02
+ result: fail
+ rule: deny-default-service-account-bindings
diff --git a/other/deny-default-service-account-bindings/.tests/resources.yaml b/other/deny-default-service-account-bindings/.tests/resources.yaml
new file mode 100644
index 000000000..9f8109ad2
--- /dev/null
+++ b/other/deny-default-service-account-bindings/.tests/resources.yaml
@@ -0,0 +1,31 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: goodpod01
+subjects:
+- kind: ServiceAccount
+ name: custom-service-account01
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: goodpod02
+subjects:
+- kind: ServiceAccount
+ name: custom-service-account02
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: badpod01
+subjects:
+- kind: ServiceAccount
+ name: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: badpod02
+subjects:
+- kind: ServiceAccount
+ name: default
diff --git a/other/deny-default-service-account-bindings/artifacthub-pkg.yml b/other/deny-default-service-account-bindings/artifacthub-pkg.yml
new file mode 100644
index 000000000..0fa256390
--- /dev/null
+++ b/other/deny-default-service-account-bindings/artifacthub-pkg.yml
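Review bot: The four RoleBindings in the resources.yaml hunk only exercise ServiceAccount subjects, so the tests cannot show how the policy treats a binding whose subjects include a `User` or `Group`, nor a `ClusterRoleBinding` even though the policy matches that kind; one passing case of each, with matching entries in kyverno-test.yaml, would pin the intended behaviour. The fixtures also omit `roleRef`, which the API server requires, and the subject `namespace` that ServiceAccount subjects normally carry, so they would not apply to a real cluster as written; the Kyverno CLI does not check this, but a cross-namespace case (a binding that references `default` from another namespace) is worth adding since the pattern only looks at `name`. The names `goodpod01`/`badpod01` describe pods rather than bindings and could be renamed to, e.g., `good-binding01`/`bad-binding01`.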
@@ -0,0 +1,22 @@
+name: deny-force-delete
+version: 1.0.0
+displayName: Deny Force Deletion of Resources
+createdAt: "2024-08-05T10:30:02.000Z"
+description: >-
+ The default service account is automatically mounted into all pods in a namespace unless explicitly overridden. If this account is bound to a Role or ClusterRole that grants extensive permissions, every pod in the namespace using the default service account will inherit these permissions. This setup can lead to unnecessary security risks if a pod is compromised, as an attacker could potentially gain access to other resources within the cluster.For an enhnaced security, using the default service account in RoleBindings is not recommended.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/deny-default-service-account-bindings/deny-default-service-account-bindings.yaml
+ ```
+keywords:
+ - kyverno
+ - Other
+readme: |
+ Using the default service account in RoleBindings is not allowed.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Other"
+ kyverno/kubernetesVersion: "1.28"
+ kyverno/subject: "Pod"
+digest: ca4094718f70c2bfbfad6051ce357a34c5dbb65512dcc118e0897786626aff37
diff --git a/other/deny-default-service-account-bindings/deny-default-service-account-bindings.yaml b/other/deny-default-service-account-bindings/deny-default-service-account-bindings.yaml
new file mode 100644
index 000000000..1a3599487
--- /dev/null
+++ b/other/deny-default-service-account-bindings/deny-default-service-account-bindings.yaml
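Review bot: `name: deny-force-delete` and `displayName: Deny Force Deletion of Resources` at the top of the artifacthub-pkg.yml hunk belong to a different policy; they should read `name: deny-default-service-account-bindings` and `displayName: Deny Binding of Default Service Accounts` (or whatever matches the policy's title annotation). `kyverno/subject: "Pod"` likewise does not describe a policy that matches RoleBinding and ClusterRoleBinding, and the description carries the same `cluster.For an enhnaced` typo that patch 2 fixes only in the policy file. Patches 3 and 4 change the policy's subject and category annotations but leave this file at `"Pod"`/`"Other"`, so the two will disagree unless this file is updated as well. If the `digest` is derived from the policy file, as it appears to be in this repository, it will also be stale after those later edits and needs regenerating.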
@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: deny-default-service-account-bindings
+ annotations:
+ policies.kyverno.io/title: Deny binding of default service accounts
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.11.0
+ policies.kyverno.io/minversion: 1.10.0
+ kyverno.io/kubernetes-version: "1.26"
+ policies.kyverno.io/description: >-
+ The default service account is automatically mounted into all pods in a namespace unless
+ explicitly overridden. If this account is bound to a Role or ClusterRole that grants extensive
+ permissions, every pod in the namespace using the default service account will inherit these
+ permissions. This setup can lead to unnecessary security risks if a pod is compromised, as an
+ attacker could potentially gain access to other resources within the cluster.For an enhnaced
+ security, using the default service account in RoleBindings is not recommended.
+spec:
+ validationFailureAction: enforce
+ background: false
+ rules:
+ - name: deny-default-service-account-bindings
+ match:
+ resources:
+ kinds:
+ - RoleBinding
+ - ClusterRoleBinding
+ validate:
+ message: "Using the default service account in RoleBindings is not allowed."
+ pattern:
+ subjects:
+ - kind: "ServiceAccount"
+ name: "!default"
From 558ad74cdc97715d45b49969d29fc05539f8366a Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Mon, 26 Aug 2024 14:53:22 -0700
Subject: [PATCH 2/4] Update other/deny-default-service-account-bindings/deny-default-service-account-bindings.yaml
Co-authored-by: Chip Zoller
Signed-off-by: Jim Bugwadia
---
 .../deny-default-service-account-bindings.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/other/deny-default-service-account-bindings/deny-default-service-account-bindings.yaml b/other/deny-default-service-account-bindings/deny-default-service-account-bindings.yaml
index 1a3599487..955f2907a 100644
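Review bot: The `pattern` at the end of the policy hunk makes `kind: "ServiceAccount"` a hard requirement on every subject, so a RoleBinding or ClusterRoleBinding whose subjects include a `User` or `Group` would be rejected even though no default service account is involved; a Kyverno conditional anchor restricts the name check to service-account subjects: `- (kind): "ServiceAccount"` followed by `name: "!default"`. Because the rule also matches ClusterRoleBinding, the message should say so, e.g. `message: "Binding the default service account in RoleBindings and ClusterRoleBindings is not allowed."`. As far as I can tell a binding with no `subjects` key at all would also fail this pattern, since the pattern requires the key to exist; if that is not intended, a precondition on `request.object.subjects` should skip such objects. Nothing in the rule depends on request context, so `background: true` would additionally let policy reports surface pre-existing bindings of the default service account.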
--- a/other/deny-default-service-account-bindings/deny-default-service-account-bindings.yaml
+++ b/other/deny-default-service-account-bindings/deny-default-service-account-bindings.yaml
@@ -14,7 +14,7 @@ metadata:
 explicitly overridden. If this account is bound to a Role or ClusterRole that grants extensive
 permissions, every pod in the namespace using the default service account will inherit these
 permissions. This setup can lead to unnecessary security risks if a pod is compromised, as an
- attacker could potentially gain access to other resources within the cluster.For an enhnaced
+ attacker could potentially gain access to other resources within the cluster. For enhanced
 security, using the default service account in RoleBindings is not recommended.
 spec:
 validationFailureAction: enforce
From ecc2889aa4bb9d5408cfd8f3829e850240bf43e1 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Mon, 26 Aug 2024 14:53:34 -0700
Subject: [PATCH 3/4] Update other/deny-default-service-account-bindings/deny-default-service-account-bindings.yaml
Co-authored-by: Chip Zoller
Signed-off-by: Jim Bugwadia
---
 .../deny-default-service-account-bindings.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/other/deny-default-service-account-bindings/deny-default-service-account-bindings.yaml b/other/deny-default-service-account-bindings/deny-default-service-account-bindings.yaml
index 955f2907a..fa1b54403 100644
--- a/other/deny-default-service-account-bindings/deny-default-service-account-bindings.yaml
+++ b/other/deny-default-service-account-bindings/deny-default-service-account-bindings.yaml
@@ -5,7 +5,7 @@ metadata:
 annotations:
 policies.kyverno.io/title: Deny binding of default service accounts
 policies.kyverno.io/category: Other
- policies.kyverno.io/subject: Pod
+ policies.kyverno.io/subject: RoleBinding, ClusterRoleBinding
 kyverno.io/kyverno-version: 1.11.0
 policies.kyverno.io/minversion: 1.10.0
 kyverno.io/kubernetes-version: "1.26"
From bdf682f385992fe305e6b4c61b2a463e0a433824 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Mon, 26 Aug 2024 14:53:44 -0700
Subject: [PATCH 4/4] Update other/deny-default-service-account-bindings/deny-default-service-account-bindings.yaml
Co-authored-by: Chip Zoller
Signed-off-by: Jim Bugwadia
---
 .../deny-default-service-account-bindings.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/other/deny-default-service-account-bindings/deny-default-service-account-bindings.yaml b/other/deny-default-service-account-bindings/deny-default-service-account-bindings.yaml
index fa1b54403..3d9defa54 100644
--- a/other/deny-default-service-account-bindings/deny-default-service-account-bindings.yaml
+++ b/other/deny-default-service-account-bindings/deny-default-service-account-bindings.yaml
@@ -4,7 +4,7 @@ metadata:
 name: deny-default-service-account-bindings
 annotations:
 policies.kyverno.io/title: Deny binding of default service accounts
- policies.kyverno.io/category: Other
+ policies.kyverno.io/category: Security
 policies.kyverno.io/subject: RoleBinding, ClusterRoleBinding
 kyverno.io/kyverno-version: 1.11.0
 policies.kyverno.io/minversion: 1.10.0