Added disallowed-registries (#136)

* Added disallowed-registries

* Added link to documentation

open-policy-agent/README.md

@@ -71,7 +71,8 @@ Policy  | Description | Prerequisites
 ### Trusted Image Sources
 Policy  | Description | Prerequisites
 ------- | ----------- | -------------
-[disallowedtags](./trusted-image-sources/disallowedtags) | Ensures that images do not contain a pre-defined tag (by default, the policy disables the `latest` tag) | 
+[disallowedtags](./trusted-image-sources/disallowedtags) | Ensures that images do not contain a pre-defined tag (by default, the policy disables the `latest` tag) |
+[disallowed-registries](./trusted-image-sources/disallowedtagsdisallowed-registries) | Requires setting up allowed image sources (registries). Any other image source is disallowed. |
 
 ## Applying Policies
 The policies can be created by applying the custom resources defined in the `template.yaml` and `contraint.yaml` files to an OpenShift cluster. The files are provided in each policy directory under specific security control.

open-policy-agent/kustomization.yaml

@@ -12,6 +12,7 @@ resources:
 - ./networking/httpsonly/template.yaml
 - ./resource-exhaustion/disallow-self-provisioner/template.yaml
 - ./trusted-image-sources/disallowedtags/template.yaml
+- ./trusted-image-sources/disallowed-registries/template.yaml
 - ./resource-exhaustion/pod-resource-limits/template.yaml
 - ./authorization/disallow-host-network/template.yaml
 - ./authorization/disallow-host-namespaces/template.yaml

open-policy-agent/trusted-image-sources/disallowed-registries/README.md

@@ -0,0 +1,9 @@
+# Disallow Registries
+
+The policy makes sure a list of "Allowed Registries" is associated with the [cluster Image resource](https://docs.openshift.com/container-platform/4.9/openshift_images/image-configuration.html). If a registry is not mentioned in the Image resource, images from this registry will not be pulled for pod creation.
+
+Managing a list of allowed registries provides control over what code runs on the OpenShift cluster. Anomalous registry instances can contain dangerous unscanned images in them, such images must be avoided.
+
+A list of allowed registries is created in the [constraint.yaml](constraint.yaml) file. If an Image resource has not allowed registries associated with it, an alert is initiated by the constraint. An alert is initiated if there are no registries configured in the Image resource as well.
+
+`This policy has been tested on openshift cluster & oc client version 4.9.0`

open-policy-agent/trusted-image-sources/disallowed-registries/constraint.yaml

@@ -0,0 +1,13 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sDisallowedRegistries
+metadata:
+  name: disallow-registries
+spec:
+  enforcementAction: dryrun
+  match:
+    kinds:
+      - apiGroups: ["config.openshift.io"]
+        kinds: ["Image"]
+  parameters:
+    allowedRegistries:
+    - "quay.io"

open-policy-agent/trusted-image-sources/disallowed-registries/template.yaml

@@ -0,0 +1,54 @@
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: k8sdisallowedregistries
+  annotations:
+    description: Requires setting up allowed image sources (registries). Any other image source is disallowed.
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sDisallowedRegistries
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package K8sDisallowedRegisitries
+
+        missing(obj, field) = true {
+            not obj[field]
+        }
+
+        missing(obj, field) = true {
+            obj[field] == ""
+        }
+
+        violation[{"msg": msg}] {
+          input.review.object.kind == "Image"
+          input.review.object.apiVersion == "config.openshift.io/v1"
+          missing(input.review.object.spec, "registrySources")
+          msg := sprintf("%v object must have spec.registrySources.allowedRegistries configured", [input.review.object.kind])
+        }
+
+        violation[{"msg": msg}] {
+          input.review.object.kind == "Image"
+          input.review.object.apiVersion == "config.openshift.io/v1"
+          missing(input.review.object.spec.registrySources, "allowedRegistries")
+          msg := sprintf("%v object must have spec.registrySources.allowedRegistries configured", [input.review.object.kind])
+        }
+
+        violation[{"msg": msg}] {
+          input.review.object.kind == "Image"
+          input.review.object.apiVersion == "config.openshift.io/v1"
+          count(input.review.object.spec.registrySources.allowedRegistries) == 0
+          msg := sprintf("%v object must have at least one registry configured at spec.registrySources.allowedRegistries", [input.review.object.kind])
+        }
+
+        violation[{"msg": msg}] {
+          input.review.object.kind == "Image"
+          input.review.object.apiVersion == "config.openshift.io/v1"
+          allowedRegistries := { registry | registry := input.review.object.parameters.allowedRegistries[_]}
+          presentRegistries := { registry | registry := input.review.object.spec.registrySources.allowedRegistries[_]}
+          forbiddenRegistries := presentRegistries - allowedRegistries
+          count(forbiddenRegistries) > 0
+          msg := sprintf("%v registry definitions are not allowed in the %v resource at spec.registrySources.allowedRegistries", [forbiddenRegistries, input.review.object.kind])
+        }