Merge pull request #371 from FairwindsOps/if/opa-external-probes

Add external-probes policy
FairwindsOps · Mar 24, 2021 · 88d5f37 · 88d5f37
2 parents 23e2633 + 7aee27e
commit 88d5f37
Show file tree

Hide file tree

Showing 5 changed files with 76 additions and 1 deletion.
diff --git a/plugins/opa/CHANGELOG.md b/plugins/opa/CHANGELOG.md
@@ -1,4 +1,7 @@
 # Changelog
+## 0.2.20
+* Add `external-probes` policy
+
 ## 0.2.19
 * Update alpine image
 

diff --git a/plugins/opa/examples/external-probes/README.md b/plugins/opa/examples/external-probes/README.md
@@ -0,0 +1,3 @@
+# External Liveness or Readiness Probes
+
+This policy matches pod specifications that specify an external host in a livenessProbe or readinessProbe, which may be undesirable RE: [Pod probes lead to blind SSRF from the node  #99425](https://github.com/kubernetes/kubernetes/issues/99425).
diff --git a/plugins/opa/examples/external-probes/policy.rego b/plugins/opa/examples/external-probes/policy.rego
@@ -0,0 +1,60 @@
+package fairwinds
+
+# Return true if livenessProbe or ReadinessProbe has `httpGet.host` set.
+probeHasExternalHost(pod) {
+	probeKeys := {"livenessProbe", "readinessProbe"}
+
+	# Get the pod-spec from each container
+	container := pod.spec.containers[_]
+	probeKey := probeKeys[_]
+	container[probeKey].httpGet.host
+}
+
+blockedNamespace(elem) {
+	ns := elem.parameters.blocklist[_]
+	elem.metadata.namespace == ns
+}
+
+checkCronjob[actionItem] {
+	not blockedNamespace(input)
+	input.kind == "CronJob"
+	pod := input.spec.jobTemplate.spec.template
+	probeHasExternalHost(pod)
+	actionItem := {
+		"title": concat(" ", [input.kind, "has one or more liveness or readiness probes using httpGet with an external host"]),
+		"description": "Liveness probes that send requests to arbitrary destinations can lead to blind SSRF. [Read more](https://github.com/kubernetes/kubernetes/issues/99425)",
+		"remediation": "Please do not set `httpGet.host` in a pod liveness or readiness probe",
+		"category": "Security",
+	}
+}
+
+checkDeploymentLike[actionItem] {
+	not blockedNamespace(input)
+	kinds := {"Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "Job"}
+	kind := kinds[_]
+	input.kind == kind
+	pod := input.spec.template
+	probeHasExternalHost(pod)
+	actionItem := {
+		"title": concat(" ", [input.kind, "has one or more liveness or readiness probes using httpGet with an external host"]),
+		"description": "Liveness probes that send requests to arbitrary destinations can lead to blind SSRF. [Read more](https://github.com/kubernetes/kubernetes/issues/99425)",
+		"remediation": "Please do not set `httpGet.host` in a pod liveness or readiness probe",
+		"category": "Security",
+	}
+}
+
+checkPod[actionItem] {
+	not blockedNamespace(input)
+	input.kind == "Pod"
+
+	# Only alert for stand-alone pods,
+	# avoiding duplicate action-items for pods which belong to a controller.
+	not input.metadata.ownerReferences
+	probeHasExternalHost(input)
+	actionItem := {
+		"title": concat(" ", [input.kind, "has one or more liveness or readiness probes using httpGet with an external host"]),
+		"description": "Liveness probes that send requests to arbitrary destinations can lead to blind SSRF. [Read more](https://github.com/kubernetes/kubernetes/issues/99425)",
+		"remediation": "Please do not set `httpGet.host` in a pod liveness or readiness probe",
+		"category": "Security",
+	}
+}
diff --git a/plugins/opa/examples/external-probes/workloads.yaml b/plugins/opa/examples/external-probes/workloads.yaml
@@ -0,0 +1,9 @@
+targets:
+- apiGroups: [""]
+  kinds: ["pod"]
+- apiGroups: ["apps"]
+  kinds: ["DaemonSet", "Deployment", "StatefulSet"]
+- apiGroups: ["batch"]
+  kinds: ["CronJob", "Job"]
+parameters:
+  blocklist: ["kube-system"]
diff --git a/plugins/opa/version.txt b/plugins/opa/version.txt
@@ -1 +1 @@
-0.2.19
+0.2.20