Kubernetes broken links

policyDefinitions/Kubernetes/block-usage-of-the-default-namespace-in-a-kubernetes-cluster/azurepolicy.json

@@ -49,8 +49,8 @@
       "then": {
         "effect": "[parameters('effect')]",
         "details": {
-          "constraintTemplate": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/block-default-namespace/template.yaml",
-          "constraint": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/block-default-namespace/constraint.yaml",
+          "constraintTemplate": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/block-usage-of-the-default-namespace-in-a-kubernetes-cluster/template.yaml",
+          "constraint": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/block-usage-of-the-default-namespace-in-a-kubernetes-cluster/constraint.yaml",
           "values": {
             "excludedNamespaces": "[parameters('excludedNamespaces')]"
           }

policyDefinitions/Kubernetes/block-usage-of-the-default-namespace-in-a-kubernetes-cluster/azurepolicy.rules.json

@@ -10,11 +10,11 @@
   "then": {
     "effect": "[parameters('effect')]",
     "details": {
-      "constraintTemplate": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/block-default-namespace/template.yaml",
-      "constraint": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/block-default-namespace/constraint.yaml",
+      "constraintTemplate": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/block-usage-of-the-default-namespace-in-a-kubernetes-cluster/template.yaml",
+      "constraint": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/block-usage-of-the-default-namespace-in-a-kubernetes-cluster/constraint.yaml",
       "values": {
         "excludedNamespaces": "[parameters('excludedNamespaces')]"
       }
     }
   }
-}
+}

policyDefinitions/Kubernetes/block-usage-of-the-default-namespace-in-a-kubernetes-cluster/constraint.yaml

@@ -0,0 +1,10 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sAzureBlockDefault
+metadata:
+  name: block-default-namespace
+spec:
+  match:
+    excludedNamespaces: {{ .Values.excludedNamespaces }}
+    kinds:
+      - apiGroups: [""]
+        kinds: ["ConfigMap", "Pod", "Secret", "Service", "ServiceAccount"]

policyDefinitions/Kubernetes/block-usage-of-the-default-namespace-in-a-kubernetes-cluster/template.yaml

@@ -0,0 +1,27 @@
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: k8sazureblockdefault
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sAzureBlockDefault
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8sazureblockdefault
+
+        violation[{"msg": msg}] {
+          obj := input.review.object
+          is_default_namespace(obj.metadata)
+          msg := sprintf("Usage of the default namespace is not allowed, name: %v, kind: %v", [obj.metadata.name, obj.kind])
+        }
+
+        is_default_namespace(metadata) {
+          not metadata.namespace
+        }
+
+        is_default_namespace(metadata) {
+          metadata.namespace == "default"
+        }

policyDefinitions/Kubernetes/do-not-allow-container-privilege-escalation-in-kubernetes-cluster/azurepolicy.json

@@ -49,13 +49,13 @@
       "then": {
         "effect": "[parameters('effect')]",
         "details": {
-          "constraintTemplate": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/container-no-privilege-escalation/template.yaml",
-          "constraint": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/container-no-privilege-escalation/constraint.yaml",
+          "constraintTemplate": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/do-not-allow-container-privilege-escalation-in-kubernetes-cluster/template.yaml",
+          "constraint": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/do-not-allow-container-privilege-escalation-in-kubernetes-cluster/constraint.yaml",
           "values": {
             "excludedNamespaces": "[parameters('excludedNamespaces')]"
           }
         }
       }
     }
   }
-}
+}

policyDefinitions/Kubernetes/do-not-allow-container-privilege-escalation-in-kubernetes-cluster/azurepolicy.rules.json

@@ -10,11 +10,11 @@
   "then": {
     "effect": "[parameters('effect')]",
     "details": {
-      "constraintTemplate": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/container-no-privilege-escalation/template.yaml",
-      "constraint": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/container-no-privilege-escalation/constraint.yaml",
+      "constraintTemplate": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/do-not-allow-container-privilege-escalation-in-kubernetes-cluster/template.yaml",
+      "constraint": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/do-not-allow-container-privilege-escalation-in-kubernetes-cluster/constraint.yaml",
       "values": {
         "excludedNamespaces": "[parameters('excludedNamespaces')]"
       }
     }
   }
-}
+}

policyDefinitions/Kubernetes/do-not-allow-container-privilege-escalation-in-kubernetes-cluster/constraint.yaml

@@ -0,0 +1,10 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sAzureContainerNoPrivilegeEscalation
+metadata:
+  name: psp-container-no-privilege-escalation
+spec:
+  match:
+    excludedNamespaces: {{ .Values.excludedNamespaces }}
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]

policyDefinitions/Kubernetes/do-not-allow-container-privilege-escalation-in-kubernetes-cluster/template.yaml

@@ -0,0 +1,36 @@
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: k8sazurecontainernoprivilegeescalation
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sAzureContainerNoPrivilegeEscalation
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8sazurecontainernoprivilegeescalation
+
+        violation[{"msg": msg, "details": {}}] {
+            c := input_containers[_]
+            input_allow_privilege_escalation(c)
+            msg := sprintf("Privilege escalation container is not allowed: %v", [c.name])
+        }
+
+        input_allow_privilege_escalation(c) {
+            not has_field(c, "securityContext")
+        }
+        input_allow_privilege_escalation(c) {
+            not c.securityContext.allowPrivilegeEscalation == false
+        }
+        input_containers[c] {
+            c := input.review.object.spec.containers[_]
+        }
+        input_containers[c] {
+            c := input.review.object.spec.initContainers[_]
+        }
+        # has_field returns whether an object has a field
+        has_field(object, field) = true {
+            object[field]
+        }

policyDefinitions/Kubernetes/do-not-allow-sharing-of-host-process-id-and-ipc-namespaces-in-a-kubernetes-cluster/azurepolicy.json

@@ -49,8 +49,8 @@
       "then": {
         "effect": "[parameters('effect')]",
         "details": {
-          "constraintTemplate": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/block-host-namespace/template.yaml",
-          "constraint": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/block-host-namespace/constraint.yaml",
+          "constraintTemplate": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/do-not-allow-sharing-of-host-process-id-and-ipc-namespaces-in-a-kubernetes-cluster/template.yaml",
+          "constraint": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/do-not-allow-sharing-of-host-process-id-and-ipc-namespaces-in-a-kubernetes-cluster/constraint.yaml",
           "values": {
             "excludedNamespaces": "[parameters('excludedNamespaces')]"
           }

policyDefinitions/Kubernetes/do-not-allow-sharing-of-host-process-id-and-ipc-namespaces-in-a-kubernetes-cluster/azurepolicy.rules.json

@@ -10,8 +10,8 @@
   "then": {
     "effect": "[parameters('effect')]",
     "details": {
-      "constraintTemplate": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/block-host-namespace/template.yaml",
-      "constraint": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/block-host-namespace/constraint.yaml",
+      "constraintTemplate": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/do-not-allow-sharing-of-host-process-id-and-ipc-namespaces-in-a-kubernetes-cluster/template.yaml",
+      "constraint": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/do-not-allow-sharing-of-host-process-id-and-ipc-namespaces-in-a-kubernetes-cluster/constraint.yaml",
       "values": {
         "excludedNamespaces": "[parameters('excludedNamespaces')]"
       }

policyDefinitions/Kubernetes/do-not-allow-sharing-of-host-process-id-and-ipc-namespaces-in-a-kubernetes-cluster/constraint.yaml

@@ -0,0 +1,10 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sAzureBlockHostNamespace
+metadata:
+  name: psp-host-namespace
+spec:
+  match:
+    excludedNamespaces: {{ .Values.excludedNamespaces }}
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]

policyDefinitions/Kubernetes/do-not-allow-sharing-of-host-process-id-and-ipc-namespaces-in-a-kubernetes-cluster/template.yaml

@@ -0,0 +1,25 @@
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: k8sazureblockhostnamespace
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sAzureBlockHostNamespace
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8sazureblockhostnamespace
+
+        violation[{"msg": msg, "details": {}}] {
+            input_share_hostnamespace(input.review.object)
+            msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name])
+        }
+
+        input_share_hostnamespace(o) {
+            o.spec.hostPID
+        }
+        input_share_hostnamespace(o) {
+            o.spec.hostIPC
+        }

policyDefinitions/Kubernetes/ensure-read-only-access-to-root-filesystem-in-a-kubernetes-cluster/azurepolicy.json

@@ -49,8 +49,8 @@
       "then": {
         "effect": "[parameters('effect')]",
         "details": {
-          "constraintTemplate": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/read-only-root-filesystem/template.yaml",
-          "constraint": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/read-only-root-filesystem/constraint.yaml",
+          "constraintTemplate": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/ensure-read-only-access-to-root-filesystem-in-a-kubernetes-cluster/template.yaml",
+          "constraint": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/ensure-read-only-access-to-root-filesystem-in-a-kubernetes-cluster/constraint.yaml",
           "values": {
             "excludedNamespaces": "[parameters('excludedNamespaces')]"
           }

policyDefinitions/Kubernetes/ensure-read-only-access-to-root-filesystem-in-a-kubernetes-cluster/azurepolicy.rules.json

@@ -10,8 +10,8 @@
   "then": {
     "effect": "[parameters('effect')]",
     "details": {
-      "constraintTemplate": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/read-only-root-filesystem/template.yaml",
-      "constraint": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/read-only-root-filesystem/constraint.yaml",
+      "constraintTemplate": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/ensure-read-only-access-to-root-filesystem-in-a-kubernetes-cluster/template.yaml",
+      "constraint": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/ensure-read-only-access-to-root-filesystem-in-a-kubernetes-cluster/constraint.yaml",
       "values": {
         "excludedNamespaces": "[parameters('excludedNamespaces')]"
       }

policyDefinitions/Kubernetes/ensure-read-only-access-to-root-filesystem-in-a-kubernetes-cluster/constraint.yaml

@@ -0,0 +1,10 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sAzureReadOnlyRootFilesystem
+metadata:
+  name: psp-readonlyrootfilesystem
+spec:
+  match:
+    excludedNamespaces: {{ .Values.excludedNamespaces }}
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]

policyDefinitions/Kubernetes/ensure-read-only-access-to-root-filesystem-in-a-kubernetes-cluster/template.yaml

@@ -0,0 +1,38 @@
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: k8sazurereadonlyrootfilesystem
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sAzureReadOnlyRootFilesystem
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8sazurereadonlyrootfilesystem
+
+        violation[{"msg": msg, "details": {}}] {
+            c := input_containers[_]
+            input_read_only_root_fs(c)
+            msg := sprintf("only read-only root filesystem container is allowed: %v", [c.name])
+        }
+
+        input_read_only_root_fs(c) {
+            not has_field(c, "securityContext")
+        }
+        input_read_only_root_fs(c) {
+            not c.securityContext.readOnlyRootFilesystem == true
+        }
+
+        input_containers[c] {
+            c := input.review.object.spec.containers[_]
+        }
+        input_containers[c] {
+            c := input.review.object.spec.initContainers[_]
+        }
+
+        # has_field returns whether an object has a field
+        has_field(object, field) = true {
+            object[field]
+        }

policyDefinitions/Kubernetes/kubernetes-clusters-should-disable-automounting-api-credentials/azurepolicy.json

@@ -49,8 +49,8 @@
       "then": {
         "effect": "[parameters('effect')]",
         "details": {
-          "constraintTemplate": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/use-named-serviceaccount/template.yaml",
-          "constraint": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/use-named-serviceaccount/constraint.yaml",
+          "constraintTemplate": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/kubernetes-clusters-should-disable-automounting-api-credentials/template.yaml",
+          "constraint": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/kubernetes-clusters-should-disable-automounting-api-credentials/constraint.yaml",
           "values": {
             "excludedNamespaces": "[parameters('excludedNamespaces')]"
           }

policyDefinitions/Kubernetes/kubernetes-clusters-should-disable-automounting-api-credentials/azurepolicy.rules.json

@@ -10,8 +10,8 @@
   "then": {
     "effect": "[parameters('effect')]",
     "details": {
-      "constraintTemplate": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/use-named-serviceaccount/template.yaml",
-      "constraint": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/use-named-serviceaccount/constraint.yaml",
+      "constraintTemplate": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/kubernetes-clusters-should-disable-automounting-api-credentials/template.yaml",
+      "constraint": "https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Kubernetes/kubernetes-clusters-should-disable-automounting-api-credentials/constraint.yaml",
       "values": {
         "excludedNamespaces": "[parameters('excludedNamespaces')]"
       }

policyDefinitions/Kubernetes/kubernetes-clusters-should-disable-automounting-api-credentials/constraint.yaml

@@ -0,0 +1,10 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sAzureBlockAutomountToken
+metadata:
+  name: azure-block-automount
+spec:
+  match:
+    excludedNamespaces: {{ .Values.excludedNamespaces }}
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]

policyDefinitions/Kubernetes/kubernetes-clusters-should-disable-automounting-api-credentials/template.yaml

@@ -0,0 +1,23 @@
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: k8sazureblockautomounttoken
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sAzureBlockAutomountToken
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8sazureblockautomounttoken
+
+        violation[{"msg": msg}] {
+          obj := input.review.object
+          not valid_service_account(obj.spec)
+          msg := sprintf("Automounting service account token is disallowed, pod: %v", [obj.metadata.name])
+        }
+
+        valid_service_account(spec) {
+          spec.automountServiceAccountToken == false
+        }