-
Notifications
You must be signed in to change notification settings - Fork 314
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
policy allowed apparmor always allow unconfined
Signed-off-by: Xinhe Li <xinhl@microsoft.com>
- Loading branch information
Showing
20 changed files
with
291 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
22 changes: 22 additions & 0 deletions
22
artifacthub/library/pod-security-policy/apparmor/1.1.0/artifacthub-pkg.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
version: 1.1.0 | ||
name: k8spspapparmor | ||
displayName: App Armor | ||
createdAt: "2024-02-02T07:35:00Z" | ||
description: Configures an allow-list of AppArmor profiles for use by containers. This corresponds to specific annotations applied to a PodSecurityPolicy. For information on AppArmor, see https://kubernetes.io/docs/tutorials/clusters/apparmor/ | ||
digest: 84017a34d1072ded1670a1b397db614c63cdc43b373ccfc147cbf53abcaba12c | ||
license: Apache-2.0 | ||
homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/apparmor | ||
keywords: | ||
- gatekeeper | ||
- open-policy-agent | ||
- policies | ||
readme: |- | ||
# App Armor | ||
Configures an allow-list of AppArmor profiles for use by containers. This corresponds to specific annotations applied to a PodSecurityPolicy. For information on AppArmor, see https://kubernetes.io/docs/tutorials/clusters/apparmor/ | ||
install: |- | ||
### Usage | ||
```shell | ||
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/apparmor/1.1.0/template.yaml | ||
``` | ||
provider: | ||
name: Gatekeeper Library |
2 changes: 2 additions & 0 deletions
2
artifacthub/library/pod-security-policy/apparmor/1.1.0/kustomization.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
resources: | ||
- template.yaml |
12 changes: 12 additions & 0 deletions
12
artifacthub/library/pod-security-policy/apparmor/1.1.0/samples/psp-apparmor/constraint.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
kind: K8sPSPAppArmor | ||
metadata: | ||
name: psp-apparmor | ||
spec: | ||
match: | ||
kinds: | ||
- apiGroups: [""] | ||
kinds: ["Pod"] | ||
parameters: | ||
allowedProfiles: | ||
- runtime/default |
13 changes: 13 additions & 0 deletions
13
...library/pod-security-policy/apparmor/1.1.0/samples/psp-apparmor/disallowed_ephemeral.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-apparmor-disallowed | ||
annotations: | ||
# apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default | ||
container.apparmor.security.beta.kubernetes.io/nginx: localhost/disallowprofile | ||
labels: | ||
app: nginx-apparmor | ||
spec: | ||
ephemeralContainers: | ||
- name: nginx | ||
image: nginx |
13 changes: 13 additions & 0 deletions
13
...thub/library/pod-security-policy/apparmor/1.1.0/samples/psp-apparmor/example_allowed.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-apparmor-allowed | ||
annotations: | ||
# apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default | ||
container.apparmor.security.beta.kubernetes.io/nginx: runtime/default | ||
labels: | ||
app: nginx-apparmor | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx |
13 changes: 13 additions & 0 deletions
13
...y/pod-security-policy/apparmor/1.1.0/samples/psp-apparmor/example_allowed_unconfined.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-apparmor-allowed | ||
annotations: | ||
# apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default | ||
container.apparmor.security.beta.kubernetes.io/nginx: unconfined | ||
labels: | ||
app: nginx-apparmor | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx |
13 changes: 13 additions & 0 deletions
13
...b/library/pod-security-policy/apparmor/1.1.0/samples/psp-apparmor/example_disallowed.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-apparmor-disallowed | ||
annotations: | ||
# apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default | ||
container.apparmor.security.beta.kubernetes.io/nginx: localhost/disallowprofile | ||
labels: | ||
app: nginx-apparmor | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx |
25 changes: 25 additions & 0 deletions
25
artifacthub/library/pod-security-policy/apparmor/1.1.0/suite.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
kind: Suite | ||
apiVersion: test.gatekeeper.sh/v1alpha1 | ||
metadata: | ||
name: apparmor | ||
tests: | ||
- name: apparmor | ||
template: template.yaml | ||
constraint: samples/psp-apparmor/constraint.yaml | ||
cases: | ||
- name: example-allowed | ||
object: samples/psp-apparmor/example_allowed.yaml | ||
assertions: | ||
- violations: no | ||
- name: example-allowed-unconfined | ||
object: samples/psp-apparmor/example_allowed_unconfined.yaml | ||
assertions: | ||
- violations: no | ||
- name: example-disallowed | ||
object: samples/psp-apparmor/example_disallowed.yaml | ||
assertions: | ||
- violations: yes | ||
- name: disallowed-ephemeral | ||
object: samples/psp-apparmor/disallowed_ephemeral.yaml | ||
assertions: | ||
- violations: yes |
103 changes: 103 additions & 0 deletions
103
artifacthub/library/pod-security-policy/apparmor/1.1.0/template.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,103 @@ | ||
apiVersion: templates.gatekeeper.sh/v1 | ||
kind: ConstraintTemplate | ||
metadata: | ||
name: k8spspapparmor | ||
annotations: | ||
metadata.gatekeeper.sh/title: "App Armor" | ||
metadata.gatekeeper.sh/version: 1.1.0 | ||
description: >- | ||
Configures an allow-list of AppArmor profiles for use by containers. | ||
This corresponds to specific annotations applied to a PodSecurityPolicy. | ||
For information on AppArmor, see | ||
https://kubernetes.io/docs/tutorials/clusters/apparmor/ | ||
spec: | ||
crd: | ||
spec: | ||
names: | ||
kind: K8sPSPAppArmor | ||
validation: | ||
# Schema for the `parameters` field | ||
openAPIV3Schema: | ||
type: object | ||
description: >- | ||
Configures an allow-list of AppArmor profiles for use by containers. | ||
This corresponds to specific annotations applied to a PodSecurityPolicy. | ||
For information on AppArmor, see | ||
https://kubernetes.io/docs/tutorials/clusters/apparmor/ | ||
properties: | ||
exemptImages: | ||
description: >- | ||
Any container that uses an image that matches an entry in this list will be excluded | ||
from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`. | ||
It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) | ||
in order to avoid unexpectedly exempting images from an untrusted repository. | ||
type: array | ||
items: | ||
type: string | ||
allowedProfiles: | ||
description: "An array of AppArmor profiles. Examples: `runtime/default`, `unconfined`." | ||
type: array | ||
items: | ||
type: string | ||
targets: | ||
- target: admission.k8s.gatekeeper.sh | ||
rego: | | ||
package k8spspapparmor | ||
import data.lib.exempt_container.is_exempt | ||
violation[{"msg": msg, "details": {}}] { | ||
metadata := input.review.object.metadata | ||
container := input_containers[_] | ||
not is_exempt(container) | ||
not input_apparmor_allowed(container, metadata) | ||
msg := sprintf("AppArmor profile is not allowed, pod: %v, container: %v. Allowed profiles: %v", [input.review.object.metadata.name, container.name, input.parameters.allowedProfiles]) | ||
} | ||
input_apparmor_allowed(container, metadata) { | ||
get_annotation_for(container, metadata) == input.parameters.allowedProfiles[_] | ||
} | ||
input_apparmor_allowed(container, metadata) { | ||
get_annotation_for(container, metadata) == "unconfined" | ||
} | ||
input_containers[c] { | ||
c := input.review.object.spec.containers[_] | ||
} | ||
input_containers[c] { | ||
c := input.review.object.spec.initContainers[_] | ||
} | ||
input_containers[c] { | ||
c := input.review.object.spec.ephemeralContainers[_] | ||
} | ||
get_annotation_for(container, metadata) = out { | ||
out = metadata.annotations[sprintf("container.apparmor.security.beta.kubernetes.io/%v", [container.name])] | ||
} | ||
get_annotation_for(container, metadata) = out { | ||
not metadata.annotations[sprintf("container.apparmor.security.beta.kubernetes.io/%v", [container.name])] | ||
out = "runtime/default" | ||
} | ||
libs: | ||
- | | ||
package lib.exempt_container | ||
is_exempt(container) { | ||
exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) | ||
img := container.image | ||
exemption := exempt_images[_] | ||
_matches_exemption(img, exemption) | ||
} | ||
_matches_exemption(img, exemption) { | ||
not endswith(exemption, "*") | ||
exemption == img | ||
} | ||
_matches_exemption(img, exemption) { | ||
endswith(exemption, "*") | ||
prefix := trim_suffix(exemption, "*") | ||
startswith(img, prefix) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
13 changes: 13 additions & 0 deletions
13
library/pod-security-policy/apparmor/samples/psp-apparmor/example_allowed_unconfined.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-apparmor-allowed | ||
annotations: | ||
# apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default | ||
container.apparmor.security.beta.kubernetes.io/nginx: unconfined | ||
labels: | ||
app: nginx-apparmor | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.