Add policy Restrict Clusterrole for Mutating and Validating Admission…

… Webhooks (#1068)

* Adding files for restrict-clusterrole-mutating-validating-admission-webhooks policy

Signed-off-by: nsagark <sagar@nirmata.com>

* Updated the policy and the artifacthub-pkg.yml

Signed-off-by: nsagark <sagar@nirmata.com>

* added the missing annotations and updated the artifacthub-pkg.yml

Signed-off-by: nsagark <sagar@nirmata.com>

* Updated the digest in the artifacthub-pkg.yml

Signed-off-by: nsagark <sagar@nirmata.com>

* Updated the digest in the artifacthub-pkg.yml

Signed-off-by: nsagark <sagar@nirmata.com>

---------

Signed-off-by: nsagark <sagar@nirmata.com>
Co-authored-by: Chip Zoller <chipzoller@gmail.com>

other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/chainsaw-step-01-assert-1.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-clusterrole-mutating-validating-admission-webhooks
+status:
+  ready: true

other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,31 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: restrict-clusterrole-mutating-validating-admission-webhooks
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../restrict-clusterrole-mutating-validating-admission-webhooks.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: restrict-clusterrole-mutating-validating-admission-webhooks
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: chainsaw-step-01-assert-1.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: non-violating-clusterrole.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: violating-clusterrole.yaml

other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/non-violating-clusterrole.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: non-violating-clusterrole
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+  verbs: ["get", "list", "watch"]

other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/violating-clusterrole.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: violating-clusterrole
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+  verbs: ["create", "update", "patch"]

other/restrict-clusterrole-mutating-validating-admission-webhooks/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,21 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: restrict-clusterrole-mutating-validating-admission-webhooks
+policies:
+- ../restrict-clusterrole-mutating-validating-admission-webhooks.yaml
+resources:
+- resource.yaml
+results:
+- kind: ClusterRole
+  policy: restrict-clusterrole-mutating-validating-admission-webhooks
+  resources:
+  - non-violating-clusterrole
+  result: pass
+  rule: restrict-clusterrole
+- kind: ClusterRole
+  policy: restrict-clusterrole-mutating-validating-admission-webhooks
+  resources:
+  - violating-clusterrole
+  result: fail
+  rule: restrict-clusterrole

other/restrict-clusterrole-mutating-validating-admission-webhooks/.kyverno-test/resource.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: non-violating-clusterrole
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: violating-clusterrole
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+  verbs: ["create", "update", "patch"]
+

other/restrict-clusterrole-mutating-validating-admission-webhooks/artifacthub-pkg.yml

@@ -0,0 +1,21 @@
+name: restrict-clusterrole-mutating-validating-admission-webhooks
+version: 1.0.0
+displayName: Restrict Clusterrole for Mutating and Validating Admission Webhooks
+createdAt: "2024-05-19T20:30:05.000Z"
+description: >-
+  ClusterRoles that grant write permissions over admission webhook should be minimized to reduce powerful identities in the cluster. This policy checks to ensure write permissions are not provided to admission webhooks.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/restrict-clusterrole-mutating-validating-admission-webhooks/restrict-clusterrole-mutating-validating-admission-webhooks.yaml
+  ```
+keywords:
+- kyverno
+- Other
+readme: |
+  ClusterRoles that grant write permissions over admission webhook should be minimized to reduce powerful identities in the cluster. This policy checks to ensure write permissions are not provided to admission webhooks.
+
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Other"
+  kyverno/subject: "ClusterRole"
+digest: 3ebafd2ea6b0db34271461525d00cb97805c3ba8a97e928db056bb6e65dbf01b

other/restrict-clusterrole-mutating-validating-admission-webhooks/restrict-clusterrole-mutating-validating-admission-webhooks.yaml

@@ -0,0 +1,50 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-clusterrole-mutating-validating-admission-webhooks
+  annotations:
+    policies.kyverno.io/title: Restrict Clusterrole for Mutating and Validating Admission Webhooks
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.10.7
+    kyverno.io/kubernetes-version: "1.27"
+    policies.kyverno.io/subject: ClusterRole
+    policies.kyverno.io/description: >-
+      ClusterRoles that grant write permissions over admission webhook should be minimized to reduce powerful identities in the cluster. This policy checks to ensure write permissions are not provided to admission webhooks.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+  - name: restrict-clusterrole
+    match:
+      any:
+      - resources:
+          kinds:
+          - ClusterRole
+    validate:
+      message: "Use of verbs `create`, `update`, and `patch` are forbidden for mutating and validating admission webhooks"
+      foreach:
+      - list: "request.object.rules[]"
+        deny:
+          conditions:
+            all:
+            - key: "{{ element.apiGroups || '' }}"
+              operator: AnyIn
+              value:
+              - admissionregistration.k8s.io
+            - key: "{{ element.resources || '' }}"
+              operator: AnyIn
+              value:
+              - mutatingwebhookconfigurations
+              - validatingwebhookconfigurations
+            any:
+            - key: "{{ element.verbs }}"
+              operator: AnyIn
+              value:
+              - create
+              - update
+              - patch
+            - key: "{{ contains(element.verbs[], '*') }}"
+              operator: Equals
+              value: true
+