Policies that are to be enforced by Gatekeeper for the Kubernetes Platform.
Note: Gatekeeper is a validating / mutating webhook that enforces CRD-based policies executed by the Open Policy Agent.
This repo contains general policies that can be used to enforce common Kubernetes requirements.
| Control Aspect | Gatekeeper Constraint Template |
|---|---|
| Container Allowed Images | container-allowed-images |
| Container Image Must Have Digest | container-image-must-have-digest |
| Container Limits | container-limits |
| Deny External Users | deny-external-users |
| Ingress No Hostnames | ingress-no-hostnames |
| Ingress Hostnames Conflict | ingress-hostnames-conflict |
| Load Balancer No Public IPs | loadbalancer-no-public-ips |
| Pod Enforce Labels | pod-enforce-labels |
| Restrict Hostnames | restrict-hostnames |
This repo also contains common policies that re-implement the controls of the deprecated PodSecurityPolicy as Gatekeeper Constraint Templates.
| Control Aspect | Gatekeeper Constraint Template |
|---|---|
| Allowed external ips | allowed-external-ips |
| Allowed host paths | allowed-host-paths |
| Allowed privilege escalation | allowed-privilege-escalation |
| Allowed proc mount types | allowed-proc-mount-types |
| Allowed seccomp profiles | allowed-seccomp-profiles |
| Allowed users and groups | allowed-users-groups |
| Allowed volume types | allowed-volume-types |
| Block automount token | block-automount-token |
| Block default namespace | block-default-namespace |
| Block host namespace | block-host-namespace |
| Container capabilities | container-capabilities |
| Container no privilege escalation | container-no-privilege-escalation |
| Deny Employee-Only Features | deny-employee-only-features |
| Deny extraction | deny-extraction |
| Deny pipelines | deny-pipelines |
| Disk data classification | disk-data-classification |
| Enforce apparmor profile | enforce-apparmor-profile |
| Flexvolume drivers | flexvolume-drivers |
| Forbidden sysctls | forbidden-sysctls |
| Host networking and ports | host-network-ports |
| Protected B Auth | protectedb-auth |
| Require read only root file system | read-only-root-filesystem |
| Metadata restrictions | metadata-restrictions |
| Namespace guardrails | namespace-guardrails |
| SELinux context of the container | seLinux |
This repo contains a set of common policies that can be used to enforce specific Service Mesh features.
| Control Aspect | Gatekeeper Constraint Template |
|---|---|
| Gateway | gateway |
| Peer Authentication | peer-authentication |
| Port Naming | port-naming |
| Traffic Policy | traffic-policy |
When creating a policy, there are currently three ways of testing it:

The `opa` CLI can be used to run unit tests against policies. This is especially useful because Open Policy Agent allows easy mocking of data via the `with` keyword. These tests are best suited to policies that require data not available in the AdmissionReview API but obtained through Gatekeeper's data replication features.
To take advantage of automatic test running and the automatic copying of rego into a ConstraintTemplate, the following structure needs to be followed:
- Ensure that the `ConstraintTemplate` is in a file named `template.yaml` at the root of your policy's folder
- Ensure that the rego files are in a folder called `rego` (for example: `general/restrict-hostnames/rego`)
- Ensure that the rego that should be injected into the `ConstraintTemplate` is named `src.rego`
- Run the `rego.sh` script to run tests and copy your source code into `template.yaml`
  - Note: requires the `yq` utility
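An added example, not the repo's own policy code, tying the `opa` testing approach and the `rego/src.rego` layout together: a simplified hostname-conflict rule that reads other Ingresses from Gatekeeper's replicated `data.inventory`, plus unit tests that mock that data with `with`. The package name, the two-file split (shown as comments in one block), the sample inventory and the pre-1.0 Rego syntax are assumptions.

```rego
# --- rego/src.rego (constructed example) ---
package k8singresshostnameconflict

# Deny an Ingress whose host is already claimed by a different Ingress in the
# cluster. Existing Ingresses are not in the AdmissionReview; Gatekeeper's data
# replication exposes them as data.inventory.namespace[ns][groupVersion][kind][name].
violation[{"msg": msg}] {
    host := input.review.object.spec.rules[_].host
    other := data.inventory.namespace[ns]["networking.k8s.io/v1"]["Ingress"][name]
    other.spec.rules[_].host == host
    not same_object(ns, name)  # updating the same Ingress is not a conflict
    msg := sprintf("host %q is already used by Ingress %s/%s", [host, ns, name])
}

same_object(ns, name) {
    input.review.object.metadata.namespace == ns
    input.review.object.metadata.name == name
}

# --- rego/src_test.rego (constructed example) ---
package k8singresshostnameconflict

# Mocked replicated data: one existing Ingress team-a/web on app.example.com.
mock_inventory = {"namespace": {"team-a": {"networking.k8s.io/v1": {"Ingress": {"web": {
    "metadata": {"namespace": "team-a", "name": "web"},
    "spec": {"rules": [{"host": "app.example.com"}]}
}}}}}}

# Builds the AdmissionReview-shaped input Gatekeeper hands to the policy.
ingress(ns, name, host) = obj {
    obj := {"review": {"object": {
        "metadata": {"namespace": ns, "name": name},
        "spec": {"rules": [{"host": host}]}
    }}}
}

test_conflicting_host_denied {
    req := ingress("team-b", "api", "app.example.com")
    count(violation) == 1 with input as req with data.inventory as mock_inventory
}

test_same_ingress_update_allowed {
    req := ingress("team-a", "web", "app.example.com")
    count(violation) == 0 with input as req with data.inventory as mock_inventory
}

test_unused_host_allowed {
    req := ingress("team-b", "api", "other.example.com")
    count(violation) == 0 with input as req with data.inventory as mock_inventory
}
```

Run with `opa test rego/` from the policy's folder; the real policy must also declare the Ingress kind in Gatekeeper's sync config so that `data.inventory` is populated in the cluster.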
Integration tests run as part of GitHub Actions: using the BATS framework, they deploy each policy to a k3s cluster. For each policy they deploy the ConstraintTemplate, then a single custom resource of the CRD derived from that ConstraintTemplate, and then two resources representing a passing and a failing scenario.

To take advantage of this system, create the following:
- Ensure that the `ConstraintTemplate` is in a file named `template.yaml` at the root of your policy's folder
- Create a folder named `example` at the root of your policy's folder
- In the `example` folder:
  - Create a file named `constraint.yaml` with the `CustomResource` representing an implemented policy
  - Create a file named `allowed.yaml` with a resource that should pass the policy
  - Create a file named `disallowed.yaml` with a resource that should not pass the policy
`gator` is a recent addition to Gatekeeper that allows test suites to be written and run locally. gator test suites are also run automatically as part of CI.