policy/SecurityControls.yaml

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: securitycontrols
spec:
  crd:
    spec:
      names:
        kind: SecurityControls
        listKind: SecurityControlsList
        plural: securitycontrols
        singular: securitycontrol
  targets:
  - libs:
    - |
      package lib.kubernetes

      default is_gatekeeper = false

      is_gatekeeper {
              has_field(input, "review")
              has_field(input.review, "object")
      }

      object = input {
              not is_gatekeeper
      }

      object = input.review.object {
              is_gatekeeper
      }

      format(msg) = gatekeeper_format {
              is_gatekeeper
              gatekeeper_format = {"msg": msg}
      }

      format(msg) = msg {
              not is_gatekeeper
      }

      name = object.metadata.name

      kind = object.kind

      is_service {
              kind = "Service"
      }

      is_deployment {
              kind = "Deployment"
      }

      is_pod {
              kind = "Pod"
      }

      split_image(image) = [image, "latest"] {
              not contains(image, ":")
      }

      split_image(image) = [image_name, tag] {
              [image_name, tag] = split(image, ":")
      }

      pod_containers(pod) = all_containers {
              keys = {"containers", "initContainers"}
              all_containers = [c | keys[k]; c = pod.spec[k][_]]
      }

      containers[container] {
              pods[pod]
              all_containers = pod_containers(pod)
              container = all_containers[_]
      }

      containers[container] {
              all_containers = pod_containers(object)
              container = all_containers[_]
      }

      pods[pod] {
              is_deployment
              pod = object.spec.template
      }

      pods[pod] {
              is_pod
              pod = object
      }

      volumes[volume] {
              pods[pod]
              volume = pod.spec.volumes[_]
      }

      dropped_capability(container, cap) {
              container.securityContext.capabilities.drop[_] == cap
      }

      added_capability(container, cap) {
              container.securityContext.capabilities.add[_] == cap
      }

      has_field(obj, field) {
              obj[field]
      }

      no_read_only_filesystem(c) {
              not has_field(c, "securityContext")
      }

      no_read_only_filesystem(c) {
              has_field(c, "securityContext")
              not has_field(c.securityContext, "readOnlyRootFilesystem")
      }

      priviledge_escalation_allowed(c) {
              not has_field(c, "securityContext")
      }

      priviledge_escalation_allowed(c) {
              has_field(c, "securityContext")
              has_field(c.securityContext, "allowPrivilegeEscalation")
      }
    rego: |
      package main

      import data.lib.kubernetes

      violation[msg] {
              kubernetes.containers[container]
              [image_name, "latest"] = kubernetes.split_image(container.image)
              msg = kubernetes.format(sprintf("%s in the %s %s has an image, %s, using the latest tag", [container.name, kubernetes.kind, image_name, kubernetes.name]))
      }

      # https://kubesec.io/basics/containers-resources-limits-memory
      violation[msg] {
              kubernetes.containers[container]
              not container.resources.limits.memory
              msg = kubernetes.format(sprintf("%s in the %s %s does not have a memory limit set", [container.name, kubernetes.kind, kubernetes.name]))
      }

      # https://kubesec.io/basics/containers-resources-limits-cpu/
      violation[msg] {
              kubernetes.containers[container]
              not container.resources.limits.cpu
              msg = kubernetes.format(sprintf("%s in the %s %s does not have a CPU limit set", [container.name, kubernetes.kind, kubernetes.name]))
      }

      # https://kubesec.io/basics/containers-securitycontext-capabilities-add-index-sys-admin/
      violation[msg] {
              kubernetes.containers[container]
              kubernetes.added_capability(container, "CAP_SYS_ADMIN")
              msg = kubernetes.format(sprintf("%s in the %s %s has SYS_ADMIN capabilties", [container.name, kubernetes.kind, kubernetes.name]))
      }

      # https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
      violation[msg] {
              kubernetes.containers[container]
              not kubernetes.dropped_capability(container, "all")
              msg = kubernetes.format(sprintf("%s in the %s %s doesn't drop all capabilities", [container.name, kubernetes.kind, kubernetes.name]))
      }

      # https://kubesec.io/basics/containers-securitycontext-privileged-true/
      violation[msg] {
              kubernetes.containers[container]
              container.securityContext.privileged
              msg = kubernetes.format(sprintf("%s in the %s %s is privileged", [container.name, kubernetes.kind, kubernetes.name]))
      }

      # https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
      violation[msg] {
              kubernetes.containers[container]
              kubernetes.no_read_only_filesystem(container)
              msg = kubernetes.format(sprintf("%s in the %s %s is not using a read only root filesystem", [container.name, kubernetes.kind, kubernetes.name]))
      }

      violation[msg] {
              kubernetes.containers[container]
              kubernetes.priviledge_escalation_allowed(container)
              msg = kubernetes.format(sprintf("%s in the %s %s allows priviledge escalation", [container.name, kubernetes.kind, kubernetes.name]))
      }

      # https://kubesec.io/basics/containers-securitycontext-runasnonroot-true/
      violation[msg] {
              kubernetes.containers[container]
              not container.securityContext.runAsNonRoot = true
              msg = kubernetes.format(sprintf("%s in the %s %s is running as root", [container.name, kubernetes.kind, kubernetes.name]))
      }

      # https://kubesec.io/basics/containers-securitycontext-runasuser/
      violation[msg] {
              kubernetes.containers[container]
              container.securityContext.runAsUser < 10000
              msg = kubernetes.format(sprintf("%s in the %s %s has a UID of less than 10000", [container.name, kubernetes.kind, kubernetes.name]))
      }

      # https://kubesec.io/basics/spec-hostaliases/
      violation[msg] {
              kubernetes.pods[pod]
              pod.spec.hostAliases
              msg = kubernetes.format(sprintf("The %s %s is managing host aliases", [kubernetes.kind, kubernetes.name]))
      }

      # https://kubesec.io/basics/spec-hostipc/
      violation[msg] {
              kubernetes.pods[pod]
              pod.spec.hostIPC
              msg = kubernetes.format(sprintf("%s %s is sharing the host IPC namespace", [kubernetes.kind, kubernetes.name]))
      }

      # https://kubesec.io/basics/spec-hostnetwork/
      violation[msg] {
              kubernetes.pods[pod]
              pod.spec.hostNetwork
              msg = kubernetes.format(sprintf("The %s %s is connected to the host network", [kubernetes.kind, kubernetes.name]))
      }

      # https://kubesec.io/basics/spec-hostpid/
      violation[msg] {
              kubernetes.pods[pod]
              pod.spec.hostPID
              msg = kubernetes.format(sprintf("The %s %s is sharing the host PID", [kubernetes.kind, kubernetes.name]))
      }

      # https://kubesec.io/basics/spec-volumes-hostpath-path-var-run-docker-sock/
      violation[msg] {
              kubernetes.volumes[volume]
              volume.hostpath.path = "/var/run/docker.sock"
              msg = kubernetes.format(sprintf("The %s %s is mounting the Docker socket", [kubernetes.kind, kubernetes.name]))
      }
    target: admission.k8s.gatekeeper.sh