From 302a73230125ed9a96ff0c75d7e04c4513d7968c Mon Sep 17 00:00:00 2001
From: Michael Kotelnikov <36506417+michaelkotelnikov@users.noreply.github.com>
Date: Sun, 31 Oct 2021 17:12:08 +0200
Subject: [PATCH] Added disallowed-registries (#136)

* Added disallowed-registries
* Added link to documentation
---
 open-policy-agent/README.md | 3 +-
 open-policy-agent/kustomization.yaml | 1 +
 .../disallowed-registries/README.md | 9 ++++
 .../disallowed-registries/constraint.yaml | 13 +++++
 .../disallowed-registries/template.yaml | 54 +++++++++++++++++++
 5 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 open-policy-agent/trusted-image-sources/disallowed-registries/README.md
 create mode 100644 open-policy-agent/trusted-image-sources/disallowed-registries/constraint.yaml
 create mode 100644 open-policy-agent/trusted-image-sources/disallowed-registries/template.yaml

diff --git a/open-policy-agent/README.md b/open-policy-agent/README.md
index 04d3f5f..433b144 100644
--- a/open-policy-agent/README.md
+++ b/open-policy-agent/README.md
@@ -71,7 +71,8 @@ Policy | Description | Prerequisites
 ### Trusted Image Sources
 Policy | Description | Prerequisites
 ------- | ----------- | -------------
-[disallowedtags](./trusted-image-sources/disallowedtags) | Ensures that images do not contain a pre-defined tag (by default, the policy disables the `latest` tag) |
+[disallowedtags](./trusted-image-sources/disallowedtags) | Ensures that images do not contain a pre-defined tag (by default, the policy disables the `latest` tag) |
+[disallowed-registries](./trusted-image-sources/disallowedtagsdisallowed-registries) | Requires setting up allowed image sources (registries). Any other image source is disallowed. |
 
 ## Applying Policies
 The policies can be created by applying the custom resources defined in the `template.yaml` and `contraint.yaml` files to an OpenShift cluster. The files are provided in each policy directory under specific security control.
diff --git a/open-policy-agent/kustomization.yaml b/open-policy-agent/kustomization.yaml
index bb0d6ad..1ef8bd1 100644
--- a/open-policy-agent/kustomization.yaml
+++ b/open-policy-agent/kustomization.yaml
@@ -12,6 +12,7 @@ resources:
 - ./networking/httpsonly/template.yaml
 - ./resource-exhaustion/disallow-self-provisioner/template.yaml
 - ./trusted-image-sources/disallowedtags/template.yaml
+- ./trusted-image-sources/disallowed-registries/template.yaml
 - ./resource-exhaustion/pod-resource-limits/template.yaml
 - ./authorization/disallow-host-network/template.yaml
 - ./authorization/disallow-host-namespaces/template.yaml
diff --git a/open-policy-agent/trusted-image-sources/disallowed-registries/README.md b/open-policy-agent/trusted-image-sources/disallowed-registries/README.md
new file mode 100644
index 0000000..dc051ba
--- /dev/null
+++ b/open-policy-agent/trusted-image-sources/disallowed-registries/README.md
@@ -0,0 +1,9 @@
+# Disallow Registries
+
+The policy makes sure a list of "Allowed Registries" is associated with the [cluster Image resource](https://docs.openshift.com/container-platform/4.9/openshift_images/image-configuration.html). If a registry is not mentioned in the Image resource, images from this registry will not be pulled for pod creation.
+
+Managing a list of allowed registries provides control over what code runs on the OpenShift cluster. Anomalous registry instances can contain dangerous unscanned images in them, such images must be avoided.
+
+A list of allowed registries is created in the [constraint.yaml](constraint.yaml) file. If an Image resource has not allowed registries associated with it, an alert is initiated by the constraint. An alert is initiated if there are no registries configured in the Image resource as well.
+
+`This policy has been tested on openshift cluster & oc client version 4.9.0`
\ No newline at end of file
diff --git a/open-policy-agent/trusted-image-sources/disallowed-registries/constraint.yaml b/open-policy-agent/trusted-image-sources/disallowed-registries/constraint.yaml
new file mode 100644
index 0000000..0adbd1c
--- /dev/null
+++ b/open-policy-agent/trusted-image-sources/disallowed-registries/constraint.yaml
@@ -0,0 +1,13 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sDisallowedRegistries
+metadata:
+ name: disallow-registries
+spec:
+ enforcementAction: dryrun
+ match:
+ kinds:
+ - apiGroups: ["config.openshift.io"]
+ kinds: ["Image"]
+ parameters:
+ allowedRegistries:
+ - "quay.io"
\ No newline at end of file
diff --git a/open-policy-agent/trusted-image-sources/disallowed-registries/template.yaml b/open-policy-agent/trusted-image-sources/disallowed-registries/template.yaml
new file mode 100644
index 0000000..31ea3d7
--- /dev/null
+++ b/open-policy-agent/trusted-image-sources/disallowed-registries/template.yaml
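Review bot: `enforcementAction: dryrun` in the constraint spec means Gatekeeper only records audit violations for this constraint and never rejects an admission request, so the "disallowed" wording in the commit title and README is stronger than what this file enforces; a comment next to the field such as `# dryrun is audit-only; set to deny to reject changes that drop allowed registries` would make the intended mode explicit. The match block targets the cluster-scoped `config.openshift.io` `Image` resource rather than Pods, so the check applies to the cluster's registry configuration and not to each workload's image reference, which is worth stating in a header comment since the directory name suggests a per-image check. The file also lacks a trailing newline.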
@@ -0,0 +1,54 @@
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+ name: k8sdisallowedregistries
+ annotations:
+ description: Requires setting up allowed image sources (registries). Any other image source is disallowed.
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sDisallowedRegistries
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package K8sDisallowedRegisitries
+
+ missing(obj, field) = true {
+ not obj[field]
+ }
+
+ missing(obj, field) = true {
+ obj[field] == ""
+ }
+
+ violation[{"msg": msg}] {
+ input.review.object.kind == "Image"
+ input.review.object.apiVersion == "config.openshift.io/v1"
+ missing(input.review.object.spec, "registrySources")
+ msg := sprintf("%v object must have spec.registrySources.allowedRegistries configured", [input.review.object.kind])
+ }
+
+ violation[{"msg": msg}] {
+ input.review.object.kind == "Image"
+ input.review.object.apiVersion == "config.openshift.io/v1"
+ missing(input.review.object.spec.registrySources, "allowedRegistries")
+ msg := sprintf("%v object must have spec.registrySources.allowedRegistries configured", [input.review.object.kind])
+ }
+
+ violation[{"msg": msg}] {
+ input.review.object.kind == "Image"
+ input.review.object.apiVersion == "config.openshift.io/v1"
+ count(input.review.object.spec.registrySources.allowedRegistries) == 0
+ msg := sprintf("%v object must have at least one registry configured at spec.registrySources.allowedRegistries", [input.review.object.kind])
+ }
+
+ violation[{"msg": msg}] {
+ input.review.object.kind == "Image"
+ input.review.object.apiVersion == "config.openshift.io/v1"
+ allowedRegistries := { registry | registry := input.review.object.parameters.allowedRegistries[_]}
+ presentRegistries := { registry | registry := input.review.object.spec.registrySources.allowedRegistries[_]}
+ forbiddenRegistries := presentRegistries - allowedRegistries
+ count(forbiddenRegistries) > 0
+ msg := sprintf("%v registry definitions are not allowed 
in the %v resource at spec.registrySources.allowedRegistries", [forbiddenRegistries, input.review.object.kind])
+ }
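Review bot: The fourth violation rule reads the allowed list from `input.review.object.parameters.allowedRegistries`, i.e. from the Image resource under review, but Gatekeeper exposes a constraint's parameters as `input.parameters`; the Image resource has no `parameters` field, so the comprehension is expected to evaluate to an empty set, `forbiddenRegistries` then equals `presentRegistries`, and every configured registry, including the `quay.io` value the constraint itself allows, would be reported as not allowed. The fix is the one line `allowedRegistries := { registry | registry := input.parameters.allowedRegistries[_] }`. The package name `K8sDisallowedRegisitries` is misspelled relative to the kind `K8sDisallowedRegistries`; Gatekeeper does not require them to match, but the typo is worth fixing for consistency. The final `msg` string appears split across two lines in this view; if that is how the file was committed it is not a valid Rego string literal, so confirm it is a single line in the source.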