[portefaix-cel] P0001 Policy to validate registries (#925)

* feat(portefaix-cel): update for new policies

Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com>

Author: nlamirault

charts/portefaix-cel/Chart.yaml

@@ -22,21 +22,32 @@ home: https://charts.portefaix.xyz
 icon: https://raw.githubusercontent.com/kubernetes/kubernetes/master/logo/logo.svg
 sources:
   - https://github.com/nlamirault/portefaix-hub/tree/master/charts/portefaix-cel
-# kubeVersion: ">=1.30.0-0"
 type: application
 keywords:
+  - vap
   - cel
   - policies
   - portefaix
-version: 2.0.0
+version: 2.1.0
 appVersion: v1.30.0
 
+dependencies:
+- name: crds
+  version: "0.0.0"
+
 maintainers:
   - name: nlamirault
     email: nicolas.lamirault@gmail.com
 
 # https://artifacthub.io/docs/topics/repositories/
 annotations:
+  artifacthub.io/category: security
+  artifacthub.io/crds: |
+    - kind: RegistryConfiguration
+      version: v1
+      name: registryconfiguration.policy.portefaix.xyz
+      displayName: RegistryConfiguration
+      description: Resource for authorized registries
   artifacthub.io/license: Apache-2.0
   artifacthub.io/links: |
     - name: Portefaix
@@ -48,5 +59,5 @@ annotations:
     fingerprint: C39918B3EBDE35C23B8D0B8E5F99269A6FCA437C
     url: https://keybase.io/nlamirault/pgp_keys.asc
   artifacthub.io/changes: |
-    - kind: changed
-      description: use v1 for ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding
+    - kind: added
+      description: new P0001 policy to validate registry

charts/portefaix-cel/charts/crds/Chart.yaml

@@ -0,0 +1,4 @@
+---
+apiVersion: v2
+name: crds
+version: 0.0.0

charts/portefaix-cel/charts/crds/templates/policy.portefaix.xyz_registryconfiguration.yaml

@@ -0,0 +1,45 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    admission.kubernetes.io/is-policy-configuration-definition: "true"
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  name: registryconfiguration.policy.portefaix.xyz
+spec:
+  group: policy.portefaix.xyz
+  names:
+    kind: RegistryConfiguration
+    plural: registryconfigurations
+    singular: registryconfiguration
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          RegistryConfiguration configures the Portefaix policy concerning public registries and untrusted registries
+        type: object
+        properties:
+          spec:
+            description: |-
+              RegistryConfigurationSpec is a specification of the desired behavior of the
+              Registry Configuration configuration.
+            type: object
+            properties:
+              publicRegistries:
+                description: |-
+                  List of authorized public registries
+                items:
+                  type: string
+                type: array
+              untrustedRegistries:
+                description: |-
+                  List of untrusted registries
+                items:
+                  type: string
+                type: array
+    served: true
+    storage: true
+  scope: Cluster

charts/portefaix-cel/templates/_helpers.tpl

@@ -49,7 +49,6 @@ helm.sh/chart: {{ include "portefaix-cel.chart" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
-app.kubernetes.io/component: policy-controller
 app.kubernetes.io/part-of: {{ include "portefaix-cel.name" . }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- if .Values.additionalLabels }}
@@ -66,4 +65,4 @@ Allow the release namespace to be overridden
   {{- else -}}
     {{- .Release.Namespace -}}
   {{- end -}}
-{{- end -}}
+{{- end -}}

charts/portefaix-cel/templates/policy-C0001.yaml

@@ -21,6 +21,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     {{- include "portefaix-cel.labels" . | nindent 4 }}
+    app.kubernetes.io/component: policy
   name: c0001.container.portefaix.xyz
 spec:
   matchConstraints:
@@ -51,9 +52,10 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     {{- include "portefaix-cel.labels" . | nindent 4 }}
+    app.kubernetes.io/component: policy
   name: c0001.container.portefaix.xyz
 spec:
   policyName: c0001.container.portefaix.xyz
   validationActions:
   {{- toYaml .Values.policies.c0001.validationActions | nindent 2 }}
-{{- end }}
+{{- end }}

charts/portefaix-cel/templates/policy-C0002.yaml

@@ -21,6 +21,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     {{- include "portefaix-cel.labels" . | nindent 4 }}
+    app.kubernetes.io/component: policy
   name: c0002.container.portefaix.xyz
 spec:
   failurePolicy: Fail
@@ -54,9 +55,10 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     {{- include "portefaix-cel.labels" . | nindent 4 }}
+    app.kubernetes.io/component: policy
   name: c0002.container.portefaix.xyz
 spec:
   policyName: c0002.container.portefaix.xyz
   validationActions:
   {{- toYaml .Values.policies.c0002.validationActions | nindent 2 }}
-{{- end }}
+{{- end }}

charts/portefaix-cel/templates/policy-C0003.yaml

@@ -21,6 +21,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     {{- include "portefaix-cel.labels" . | nindent 4 }}
+    app.kubernetes.io/component: policy
   name: c0003.container.portefaix.xyz
 spec:
   failurePolicy: Fail
@@ -54,9 +55,10 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     {{- include "portefaix-cel.labels" . | nindent 4 }}
+    app.kubernetes.io/component: policy
   name: c0003.container.portefaix.xyz
 spec:
   policyName: c0003.container.portefaix.xyz
   validationActions:
   {{- toYaml .Values.policies.c0003.validationActions | nindent 2 }}
-{{- end }}
+{{- end }}

charts/portefaix-cel/templates/policy-C0008.yaml

@@ -21,6 +21,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     {{- include "portefaix-cel.labels" . | nindent 4 }}
+    app.kubernetes.io/component: policy
   name: c0008.container.portefaix.xyz
 spec:
   failurePolicy: Fail
@@ -77,9 +78,10 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     {{- include "portefaix-cel.labels" . | nindent 4 }}
+    app.kubernetes.io/component: policy
   name: c0008.container.portefaix.xyz
 spec:
   policyName: c0008.container.portefaix.xyz
   validationActions:
   {{- toYaml .Values.policies.c0008.validationActions | nindent 2 }}
-{{- end }}
+{{- end }}

charts/portefaix-cel/templates/policy-M0001.yaml

@@ -21,6 +21,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     {{- include "portefaix-cel.labels" . | nindent 4 }}
+    app.kubernetes.io/component: policy
   name: m0001.metadata.portefaix.xyz
 spec:
   failurePolicy: Fail
@@ -61,9 +62,10 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     {{- include "portefaix-cel.labels" . | nindent 4 }}
+    app.kubernetes.io/component: policy
   name: m0001.container.portefaix.xyz
 spec:
   policyName: m0001.container.portefaix.xyz
   validationActions:
   {{- toYaml .Values.policies.m0001.validationActions | nindent 2 }}
-{{- end }}
+{{- end }}

charts/portefaix-cel/templates/policy-M0002.yaml

@@ -21,6 +21,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     {{- include "portefaix-cel.labels" . | nindent 4 }}
+    app.kubernetes.io/component: policy
   name: m0002.metadata.portefaix.xyz
 spec:
   failurePolicy: Fail
@@ -60,9 +61,10 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     {{- include "portefaix-cel.labels" . | nindent 4 }}
+    app.kubernetes.io/component: policy
   name: m0002.container.portefaix.xyz
 spec:
   policyName: m0002.container.portefaix.xyz
   validationActions:
   {{- toYaml .Values.policies.m0002.validationActions | nindent 2 }}
-{{- end }}
+{{- end }}

charts/portefaix-cel/templates/policy-M0003.yaml

@@ -21,6 +21,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     {{- include "portefaix-cel.labels" . | nindent 4 }}
+    app.kubernetes.io/component: policy
   name: m0003.metadata.portefaix.xyz
 spec:
   failurePolicy: Fail
@@ -55,9 +56,10 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     {{- include "portefaix-cel.labels" . | nindent 4 }}
+    app.kubernetes.io/component: policy
   name: m0003.container.portefaix.xyz
 spec:
   policyName: m0003.container.portefaix.xyz
   validationActions:
   {{- toYaml .Values.policies.m0003.validationActions | nindent 2 }}
-{{- end }}
+{{- end }}

charts/portefaix-cel/templates/policy-N0001.yaml

@@ -21,6 +21,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     {{- include "portefaix-cel.labels" . | nindent 4 }}
+    app.kubernetes.io/component: policy
   name: n0001.namespace.portefaix.xyz
 spec:
   failurePolicy: Fail
@@ -50,9 +51,10 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     {{- include "portefaix-cel.labels" . | nindent 4 }}
+    app.kubernetes.io/component: policy
   name: n0001.container.portefaix.xyz
 spec:
   policyName: n0001.container.portefaix.xyz
   validationActions:
   {{- toYaml .Values.policies.n0001.validationActions | nindent 2 }}
-{{- end }}
+{{- end }}

charts/portefaix-cel/templates/policy-P0001.yaml

@@ -0,0 +1,77 @@
+# Copyright (C) Nicolas Lamirault <nicolas.lamirault@gmail.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{{- if .Values.policies.p0001.enabled }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  labels:
+    {{- include "portefaix-cel.labels" . | nindent 4 }}
+    app.kubernetes.io/component: policy
+  name: p0001.pod.portefaix.xyz
+spec:
+  failurePolicy: Fail
+  paramKind:
+    apiVersion: kubescape.io/v1
+    kind: ControlConfiguration
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   [""]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["pods"]
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments","replicasets","daemonsets","statefulsets"]
+    - apiGroups:   ["batch"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["jobs","cronjobs"]
+  validations:
+  - expression: "object.kind != 'Pod' || object.spec.containers.all(container, params.settings.untrustedRegistries.all(registry,!container.image.startsWith(registry)))"
+    message: "Pods uses an image from a forbidden registry"
+  - expression: "['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container, params.settings.untrustedRegistries.all(registry,!container.image.startsWith(registry)))"
+    message: "Workloads uses an image from a forbidden registry"
+  - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container, params.settings.untrustedRegistries.all(registry,!container.image.startsWith(registry)))"
+    message: "CronJob uses an image from a forbidden registry"
+  auditAnnotations:
+  - key: "container-forbidden-registry"
+    valueExpression: "Trust registry is required"
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  labels:
+    {{- include "portefaix-cel.labels" . | nindent 4 }}
+    app.kubernetes.io/component: policy
+  name: p0001.pod.portefaix.xyz
+spec:
+  policyName: p0001.container.portefaix.xyz
+  validationActions:
+  {{- toYaml .Values.policies.p0001.validationActions | nindent 2 }}
+{{- end }}
+---
+apiVersion: policy.portefaix.xyz/v1
+kind: RegistryConfiguration
+metadata:
+  labels:
+    {{- include "portefaix-cel.labels" . | nindent 4 }}
+    app.kubernetes.io/component: policy
+  name: parameters-p0001
+spec:
+  {{- toYaml .Values.policies.p0001.params | nindent 2 }}

charts/portefaix-cel/values.yaml

@@ -75,4 +75,16 @@ policies:
     validationActions:
     - Warn
     - Audit
-
+  # -- Authorized registry
+  p0001:
+    enabled: true
+    validationActions:
+    - Warn
+    - Audit
+    params:
+      publicRegistries:
+      - ghcr.io
+      - public.ecr.aws
+      - docker.io
+      untrustedRegistries:
+      - quay.io