Merge pull request #315 from devtron-labs/k8s-shield

fix: add policies

Author: neha130

charts/k8s-shield/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.0.0
+appVersion: 1.1.0
 description: A Helm chart for Kubernetes admission policies
 keywords:
   - Devtron

charts/k8s-shield/Readme.md

@@ -19,7 +19,9 @@ The following sections describe the policies that are defined in the values.yaml
 9. Readiness and Liveness Policy
 10. Pod Security Policy
 11. Container Security Policy
-12. Extra Validating Policy
+12. Deny Namespace Creation
+13. Deny CRDs Deletion
+14. Extra Validating Policy
 
 ## Exclude Label
 
@@ -67,6 +69,13 @@ The ```limitResourcePolicy``` enforces a maximum CPU and memory limit for the sp
 
    The ```containerSecurityPolicy``` defines additional security policies that apply to containers within pods. It ensures that containers adhere to security best practices, including non-root execution and restrictions on filesystem access and privilege escalation.
 
+## Deny Namespace Creation
+
+   The ```Deny Namespace Creation```policy completely denies the creation of new namespaces. This is useful in highly controlled environments where namespace provisioning is managed externally.
+
+## Deny CRDs Deletion
+   The ```Deny CRDs Deletion``` policy blocks deletion of CustomResourceDefinitions (CRDs), which can be critical to the operation of custom applications and controllers.
+
 ## Extra Validating Policy
 
    The ```extraValidatingPolicy``` section allows you to define additional custom validation policies beyond the default set. These policies can be used to enforce specific rules for your Kubernetes resources.

charts/k8s-shield/templates/namespace-policy.yaml

@@ -0,0 +1,59 @@
+{{- if and $.Values.defaultPolicies.create (or $.Values.defaultPolicies.policies.namespaceCreationPolicy $.Values.defaultPolicies.policies.namespaceDeletionPolicy) }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: {{ include "k8s-shield.fullname" . }}-namespace-policy
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    matchPolicy: Equivalent
+    namespaceSelector: {}
+    objectSelector: {}
+    resourceRules:
+      {{- if $.Values.defaultPolicies.policies.namespaceCreationPolicy }}
+      - apiGroups:
+          - ""
+        apiVersions:
+          - v1
+        operations:
+          - CREATE
+        resources:
+          - namespaces
+        scope: "*"
+      {{- end }}
+      {{- if $.Values.defaultPolicies.policies.namespaceDeletionPolicy }}
+      - apiGroups:
+          - ""
+        apiVersions:
+          - v1
+        operations:
+          - DELETE
+        resources:
+          - namespaces
+        {{- if $.Values.policyDefinitions.namespacePolicy.namespaces }}
+        resourceNames:
+          {{- range $.Values.policyDefinitions.namespacePolicy.namespaces }}
+          - {{ . | quote }}
+          {{- end }}
+        {{- end }}
+        scope: "*"
+      {{- end }}
+  validations:
+    - expression: "false"
+      message: "Namespace creation or deletion is not allowed."
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: {{ include "k8s-shield.fullname" . }}-namespace-policy
+spec:
+  matchResources:
+    matchPolicy: Equivalent
+    namespaceSelector: {}
+    objectSelector: {}
+  policyName: {{ include "k8s-shield.fullname" . }}-namespace-policy
+  validationActions:
+    {{- range .Values.policyDefinitions.namespacePolicy.validationActions }}
+    - {{ . }}
+    {{- end }}
+{{- end }}

charts/k8s-shield/templates/restrict-admin-cluster-role-creation-policy.yaml

@@ -36,7 +36,9 @@ spec:
         rule.resources.exists(r, r == '*') &&
         rule.verbs.exists(v, v == '*')) &&
       !(rule.nonResourceURLs.exists(u, u == '*') &&
-        rule.verbs.exists(v, v == '*'))"
+        rule.verbs.exists(v, v == '*'))
+    )"
+
     message: "Creation of ClusterRole with admin access is denied"
   {{- end }}
 

charts/k8s-shield/templates/restrict-application-deletion-policy.yaml

@@ -5,31 +5,29 @@ metadata:
   name: {{ include "k8s-shield.fullname" . }}-prevent-app-deletion
 spec:
   failurePolicy: Fail
-  {{- if and .Values.policyDefinitions.appDeletionPolicy.namespaces }}
   matchConstraints:
     matchPolicy: Equivalent
+    {{- if .Values.policyDefinitions.appDeletionPolicy.namespaces }}
     namespaceSelector:
       matchExpressions:
         - key: kubernetes.io/metadata.name
           operator: In
           values:
-          {{- range .Values.policyDefinitions.appDeletionPolicy.namespaces }}
-          - {{ . | quote }}
-          {{- end }}
-  {{- else }}
-  matchConstraints: {}
-  {{- end }}
+            {{- range .Values.policyDefinitions.appDeletionPolicy.namespaces }}
+            - {{ . | quote }}
+            {{- end }}
+    {{- end }}
+    resourceRules:
+      - apiGroups:
+          - argoproj.io
+        apiVersions:
+          - v1alpha1
+        operations:
+          - DELETE
+        resources:
+          - applications
+        scope: Namespaced
   objectSelector: {}
-  resourceRules:
-    - apiGroups:
-        - argoproj.io
-      apiVersions:
-        - v1alpha1
-      operations:
-        - DELETE
-      resources:
-        - applications
-      scope: Namespaced
   validations:
     - expression: "false"
       message: Deletion of application is not allowed.
@@ -39,13 +37,13 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   name: {{ include "k8s-shield.fullname" . }}-prevent-app-deletion
 spec:
+  policyName: {{ include "k8s-shield.fullname" . }}-prevent-app-deletion
   matchResources:
     matchPolicy: Equivalent
     namespaceSelector: {}
     objectSelector: {}
-  policyName: {{ include "k8s-shield.fullname" . }}-prevent-app-deletion
   validationActions:
-  {{- range .Values.policyDefinitions.appDeletionPolicy.validationActions }}
-  - {{ . }}
-  {{- end }}
+    {{- range .Values.policyDefinitions.appDeletionPolicy.validationActions }}
+    - {{ . }}
+    {{- end }}
 {{- end }}

charts/k8s-shield/templates/restrict-namespace-deletion-policy.yaml renamed to charts/k8s-shield/templates/restrict-crd-deletion-polcy.yaml

@@ -1,8 +1,8 @@
-{{- if and $.Values.defaultPolicies.create $.Values.defaultPolicies.policies.namespaceDeletionPolicy }}
+{{- if and $.Values.defaultPolicies.create $.Values.defaultPolicies.policies.denyCRDDeletion }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
-  name: {{ include "k8s-shield.fullname" . }}-restrict-namespace-deletion
+  name: {{ include "k8s-shield.fullname" . }}-deny-crd-deletion
 spec:
   failurePolicy: Fail
   matchConstraints:
@@ -11,34 +11,31 @@ spec:
     objectSelector: {}
     resourceRules:
       - apiGroups:
-          - ""
+          - apiextensions.k8s.io
         apiVersions:
           - v1
         operations:
           - DELETE
-        resourceNames:
-          {{- range $.Values.policyDefinitions.namespaceDeletionPolicy.namespaces }}
-          - {{ . }}
-          {{- end }}
         resources:
-          - namespaces
+          - customresourcedefinitions
         scope: "*"
   validations:
     - expression: "false"
-      message: Deletion of namespace is not allowed.
+      message: "Deletion of CRDs is not allowed for any user."
+      reason: Invalid
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
 metadata:
-  name: {{ include "k8s-shield.fullname" . }}-restrict-namespace-deletion
+  name: {{ include "k8s-shield.fullname" . }}-deny-crd-deletion
 spec:
+  policyName: {{ include "k8s-shield.fullname" . }}-deny-crd-deletion
   matchResources:
     matchPolicy: Equivalent
     namespaceSelector: {}
     objectSelector: {}
-  policyName: {{ include "k8s-shield.fullname" . }}-restrict-namespace-deletion
   validationActions:
-  {{- range .Values.policyDefinitions.namespaceDeletionPolicy.validationActions }}
-  - {{ . }}
-  {{- end }}
-{{- end }}
+    {{- range $.Values.policyDefinitions.denyCRDDeletion.validationActions }}
+    - {{ . }}
+    {{- end }}
+{{- end }}

charts/k8s-shield/templates/restrict-limit-resource-policy.yaml

@@ -7,39 +7,37 @@ metadata:
   name: {{ include "k8s-shield.fullname" . }}-restrict-resource-limits
 spec:
   failurePolicy: Fail
-  {{- if and .Values.policyDefinitions.resourcePolicies.limitResourcePolicy.namespaces }}
   matchConstraints:
     matchPolicy: Equivalent
+    {{- if .Values.policyDefinitions.resourcePolicies.limitResourcePolicy.namespaces }}
     namespaceSelector:
       matchExpressions:
         - key: kubernetes.io/metadata.name
           operator: In
           values:
-          {{- range .Values.policyDefinitions.resourcePolicies.limitResourcePolicy.namespaces }}
+            {{- range .Values.policyDefinitions.resourcePolicies.limitResourcePolicy.namespaces }}
+            - {{ . | quote }}
+            {{- end }}
+    {{- end }}
+    resourceRules:
+      - apiGroups:
+          {{- range $.Values.policyDefinitions.resourcePolicies.limitResourcePolicy.apiGroups }}
           - {{ . | quote }}
           {{- end }}
-  {{- else }}
-  matchConstraints: {}
-  {{- end }}
+        apiVersions:
+          - v1
+        operations:
+          {{- range .Values.policyDefinitions.resourcePolicies.limitResourcePolicy.operations }}
+          - {{ . | quote }}
+          {{- end }}
+        resources:
+          {{- range .Values.policyDefinitions.resourcePolicies.limitResourcePolicy.resources }}
+          - {{ . | quote }}
+          {{- end }}
+        scope: Namespaced
   objectSelector: {}
-  resourceRules:
-    - apiGroups:
-        {{- range $.Values.policyDefinitions.resourcePolicies.limitResourcePolicy.apiGroups }}
-        - {{ . | quote }}
-        {{- end }}
-      apiVersions:
-        - v1
-      operations:
-        {{- range .Values.policyDefinitions.resourcePolicies.limitResourcePolicy.operations }}
-        - {{ . | quote }}
-        {{- end }}
-      resources:
-        {{- range .Values.policyDefinitions.resourcePolicies.limitResourcePolicy.resources }}
-        - {{ . | quote }}
-        {{- end }}
-      scope: Namespaced
   validations:
-  {{- if and .Values.excludeLabel.key .Values.excludeLabel.value }}
+    {{- if and .Values.excludeLabel.key .Values.excludeLabel.value }}
     - expression: |-
         (has(object.metadata.labels) && object.metadata.labels['{{ .Values.excludeLabel.key }}'] == '{{ .Values.excludeLabel.value }}') 
         || (
@@ -62,7 +60,7 @@ spec:
           )
         )
       message: "Resource limits exceed the maximum allowed: CPU <= {{ $maxCPU }} and memory <= {{ $maxMemory }}, set label {{ .Values.excludeLabel.key }}: {{ .Values.excludeLabel.value }} to allow"
-  {{- else }}
+    {{- else }}
     - expression: |-
         has(object.spec.template) ?
         (
@@ -82,7 +80,7 @@ spec:
           )
         )
       message: "Resource limits exceed the maximum allowed: CPU <= {{ $maxCPU }} and memory <= {{ $maxMemory }}."
-  {{- end }}
+    {{- end }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
@@ -91,7 +89,7 @@ metadata:
 spec:
   policyName: {{ include "k8s-shield.fullname" . }}-restrict-resource-limits
   validationActions:
-  {{- range .Values.policyDefinitions.resourcePolicies.limitResourcePolicy.validationActions }}
-  - {{ . }}
-  {{- end }}
+    {{- range .Values.policyDefinitions.resourcePolicies.limitResourcePolicy.validationActions }}
+    - {{ . }}
+    {{- end }}
 {{- end }}

charts/k8s-shield/templates/restrict-loadbalance-creation-policy.yaml

@@ -5,9 +5,9 @@ metadata:
   name: {{ include "k8s-shield.fullname" . }}-restrict-loadbalancer-creation
 spec:
   failurePolicy: Fail
-  {{- if and .Values.policyDefinitions.loadBalancerCreationPolicy.namespaces }}
   matchConstraints:
     matchPolicy: Equivalent
+    {{- if .Values.policyDefinitions.loadBalancerCreationPolicy.namespaces }}
     namespaceSelector:
       matchExpressions:
         - key: kubernetes.io/metadata.name
@@ -16,20 +16,18 @@ spec:
             {{- range .Values.policyDefinitions.loadBalancerCreationPolicy.namespaces }}
             - {{ . | quote }}
             {{- end }}
-  {{- else }}
-  matchConstraints: {}
-  {{- end }}
+    {{- end }}
+    resourceRules:
+      - apiGroups:
+          - ""
+        apiVersions:
+          - v1
+        operations:
+          - CREATE
+        resources:
+          - services
+        scope: Namespaced
   objectSelector: {}
-  resourceRules:
-    - apiGroups:
-        - ""
-      apiVersions:
-        - v1
-      operations:
-        - CREATE
-      resources:
-        - services
-      scope: Namespaced
   validations:
     {{- if and .Values.excludeLabel.key .Values.excludeLabel.value }}
     - expression: "object.spec.type == 'LoadBalancer' && has(object.metadata.labels) && object.metadata.labels['{{ .Values.excludeLabel.key }}'] == '{{ .Values.excludeLabel.value }}'"
@@ -53,4 +51,4 @@ spec:
     {{- range .Values.policyDefinitions.loadBalancerCreationPolicy.validationActions }}
     - {{ . }}
     {{- end }}
-{{- end }}
+{{- end }}