Showing
55 changed files
with
4,282 additions
and
5 deletions.
@@ -18,19 +18,24 @@ name: cloudnative-pg | |
description: CloudNativePG Helm Chart | ||
icon: https://raw.githubusercontent.com/cloudnative-pg/artwork/main/cloudnativepg-logo.svg | ||
type: application | ||
version: "0.18.3" | ||
version: "0.18.4" | ||
# This is the version number of the application being deployed. This version number should be | ||
# incremented each time you make changes to the application. Versions are not expected to | ||
# follow Semantic Versioning, they should reflect the version the application is using. | ||
# It is recommended to use it with quotes. | ||
appVersion: "1.20.2" | ||
sources: | ||
- https://github.com/jouve/charts | ||
- https://github.com/cloudnative-pg/charts | ||
keywords: | ||
- postgresql | ||
- postgres | ||
- database | ||
home: https://cloudnative-pg.io | ||
maintainers: | ||
- name: jouve | ||
url: https://github.com/jouve | ||
- name: phisco | ||
email: [email protected] | ||
annotations: | ||
artifacthub.io/license: Apache-2.0 |
@@ -0,0 +1,23 @@ | ||
# Patterns to ignore when building packages. | ||
# This supports shell glob matching, relative path matching, and | ||
# negation (prefixed with !). Only one pattern per line. | ||
.DS_Store | ||
# Common VCS dirs | ||
.git/ | ||
.gitignore | ||
.bzr/ | ||
.bzrignore | ||
.hg/ | ||
.hgignore | ||
.svn/ | ||
# Common backup files | ||
*.swp | ||
*.bak | ||
*.tmp | ||
*.orig | ||
*~ | ||
# Various IDEs | ||
.project | ||
.idea/ | ||
*.tmproj | ||
.vscode/ |
@@ -0,0 +1,15 @@ | ||
apiVersion: v2 | ||
name: gatekeeper-library | ||
description: A Helm chart for Kubernetes | ||
icon: https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/website/static/img/logo.svg | ||
type: application | ||
version: 0.1.0 | ||
appVersion: 954a063f6449d2e93ca7bd2a06a96f11213998ca | ||
sources: | ||
- https://github.com/jouve/charts | ||
- https://github.com/open-policy-agent/gatekeeper-library | ||
maintainers: | ||
- name: jouve | ||
url: https://github.com/jouve | ||
annotations: | ||
artifacthub.io/license: Apache-2.0 |
@@ -0,0 +1,3 @@ | ||
## gatekeeper-library | ||
|
||
## Parameters |
@@ -0,0 +1,4 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
resources: | ||
- github.com/open-policy-agent/gatekeeper-library/library?ref=954a063f6449d2e93ca7bd2a06a96f11213998ca |
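Review bot: The upstream ref on line 4 is pinned to a full commit SHA, which is the right choice for content that becomes cluster admission policy, but the same SHA is repeated as `appVersion` in the new Chart.yaml with nothing tying the two locations together. A future bump that moves only one of them would leave the chart advertising a version it does not ship. A one-line comment above the resource, `# keep in sync with appVersion in Chart.yaml`, makes the coupling visible to whoever edits this next.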
@@ -0,0 +1,6 @@ | ||
#!/bin/bash | ||
|
||
set -eux -o pipefail | ||
rm -rf templates | ||
mkdir templates | ||
kustomize build | yq --no-doc --split-exp '.metadata.name | sub(".*", "templates/${0}.yaml")' |
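Review bot: `rm -rf templates` and `mkdir templates` run relative to the caller's working directory rather than the chart directory, so invoking the script from anywhere else deletes and repopulates some other `templates` directory; add `cd "$(dirname "$0")"` after the `set` line. The yq split expression names every output file from `.metadata.name` of the rendered documents, so the file set is only as stable as the pinned ref in kustomization.yaml. The generated files land in Helm's templates directory, where Helm runs them through the Go template engine before applying them; a `{{` in upstream content would break `helm template`, which deserves a one-line comment in the script so the next person regenerating knows to check the render.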
@@ -0,0 +1,47 @@ | ||
apiVersion: templates.gatekeeper.sh/v1 | ||
kind: ConstraintTemplate | ||
metadata: | ||
annotations: | ||
description: Requires container images to begin with a string from the specified list. | ||
metadata.gatekeeper.sh/title: Allowed Repositories | ||
metadata.gatekeeper.sh/version: 1.0.0 | ||
name: k8sallowedrepos | ||
spec: | ||
crd: | ||
spec: | ||
names: | ||
kind: K8sAllowedRepos | ||
validation: | ||
openAPIV3Schema: | ||
properties: | ||
repos: | ||
description: The list of prefixes a container image is allowed to have. | ||
items: | ||
type: string | ||
type: array | ||
type: object | ||
targets: | ||
- rego: | | ||
package k8sallowedrepos | ||
violation[{"msg": msg}] { | ||
container := input.review.object.spec.containers[_] | ||
satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)] | ||
not any(satisfied) | ||
msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos]) | ||
} | ||
violation[{"msg": msg}] { | ||
container := input.review.object.spec.initContainers[_] | ||
satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)] | ||
not any(satisfied) | ||
msg := sprintf("initContainer <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos]) | ||
} | ||
violation[{"msg": msg}] { | ||
container := input.review.object.spec.ephemeralContainers[_] | ||
satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)] | ||
not any(satisfied) | ||
msg := sprintf("ephemeralContainer <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos]) | ||
} | ||
target: admission.k8s.gatekeeper.sh |
42 changes: 42 additions & 0 deletions
42
charts/gatekeeper-library/templates/k8sblockendpointeditdefaultrole.yaml
@@ -0,0 +1,42 @@ | ||
apiVersion: templates.gatekeeper.sh/v1 | ||
kind: ConstraintTemplate | ||
metadata: | ||
annotations: | ||
description: |- | ||
Many Kubernetes installations by default have a system:aggregate-to-edit ClusterRole which does not properly restrict access to editing Endpoints. This ConstraintTemplate forbids the system:aggregate-to-edit ClusterRole from granting permission to create/patch/update Endpoints. | ||
ClusterRole/system:aggregate-to-edit should not allow Endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675 | ||
metadata.gatekeeper.sh/title: Block Endpoint Edit Default Role | ||
metadata.gatekeeper.sh/version: 1.0.0 | ||
name: k8sblockendpointeditdefaultrole | ||
spec: | ||
crd: | ||
spec: | ||
names: | ||
kind: K8sBlockEndpointEditDefaultRole | ||
targets: | ||
- rego: | | ||
package k8sblockendpointeditdefaultrole | ||
violation[{"msg": msg}] { | ||
input.review.object.metadata.name == "system:aggregate-to-edit" | ||
endpointRule(input.review.object.rules[_]) | ||
msg := "ClusterRole system:aggregate-to-edit should not allow endpoint edit permissions. For k8s version < 1.22, the Cluster Role should be annotated with rbac.authorization.kubernetes.io/autoupdate=false to prevent autoreconciliation back to default permissions for this role." | ||
} | ||
endpointRule(rule) { | ||
"endpoints" == rule.resources[_] | ||
hasEditVerb(rule.verbs) | ||
} | ||
hasEditVerb(verbs) { | ||
"create" == verbs[_] | ||
} | ||
hasEditVerb(verbs) { | ||
"patch" == verbs[_] | ||
} | ||
hasEditVerb(verbs) { | ||
"update" == verbs[_] | ||
} | ||
target: admission.k8s.gatekeeper.sh |
25 changes: 25 additions & 0 deletions
25
charts/gatekeeper-library/templates/k8sblockloadbalancer.yaml
@@ -0,0 +1,25 @@ | ||
apiVersion: templates.gatekeeper.sh/v1 | ||
kind: ConstraintTemplate | ||
metadata: | ||
annotations: | ||
description: |- | ||
Disallows all Services with type LoadBalancer. | ||
https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer | ||
metadata.gatekeeper.sh/title: Block Services with type LoadBalancer | ||
metadata.gatekeeper.sh/version: 1.0.0 | ||
name: k8sblockloadbalancer | ||
spec: | ||
crd: | ||
spec: | ||
names: | ||
kind: K8sBlockLoadBalancer | ||
targets: | ||
- rego: | | ||
package k8sblockloadbalancer | ||
violation[{"msg": msg}] { | ||
input.review.kind.kind == "Service" | ||
input.review.object.spec.type == "LoadBalancer" | ||
msg := "User is not allowed to create service of type LoadBalancer" | ||
} | ||
target: admission.k8s.gatekeeper.sh |
@@ -0,0 +1,25 @@ | ||
apiVersion: templates.gatekeeper.sh/v1 | ||
kind: ConstraintTemplate | ||
metadata: | ||
annotations: | ||
description: |- | ||
Disallows all Services with type NodePort. | ||
https://kubernetes.io/docs/concepts/services-networking/service/#nodeport | ||
metadata.gatekeeper.sh/title: Block NodePort | ||
metadata.gatekeeper.sh/version: 1.0.0 | ||
name: k8sblocknodeport | ||
spec: | ||
crd: | ||
spec: | ||
names: | ||
kind: K8sBlockNodePort | ||
targets: | ||
- rego: | | ||
package k8sblocknodeport | ||
violation[{"msg": msg}] { | ||
input.review.kind.kind == "Service" | ||
input.review.object.spec.type == "NodePort" | ||
msg := "User is not allowed to create service of type NodePort" | ||
} | ||
target: admission.k8s.gatekeeper.sh |
33 changes: 33 additions & 0 deletions
33
charts/gatekeeper-library/templates/k8sblockwildcardingress.yaml
@@ -0,0 +1,33 @@ | ||
apiVersion: templates.gatekeeper.sh/v1 | ||
kind: ConstraintTemplate | ||
metadata: | ||
annotations: | ||
description: Users should not be able to create Ingresses with a blank or wildcard (*) hostname since that would enable them to intercept traffic for other services in the cluster, even if they don't have access to those services. | ||
metadata.gatekeeper.sh/title: Block Wildcard Ingress | ||
metadata.gatekeeper.sh/version: 1.0.1 | ||
name: k8sblockwildcardingress | ||
spec: | ||
crd: | ||
spec: | ||
names: | ||
kind: K8sBlockWildcardIngress | ||
targets: | ||
- rego: | | ||
package K8sBlockWildcardIngress | ||
contains_wildcard(hostname) = true { | ||
hostname == "" | ||
} | ||
contains_wildcard(hostname) = true { | ||
contains(hostname, "*") | ||
} | ||
violation[{"msg": msg}] { | ||
input.review.kind.kind == "Ingress" | ||
# object.get is required to detect omitted host fields | ||
hostname := object.get(input.review.object.spec.rules[_], "host", "") | ||
contains_wildcard(hostname) | ||
msg := sprintf("Hostname '%v' is not allowed since it counts as a wildcard, which can be used to intercept traffic from other applications.", [hostname]) | ||
} | ||
target: admission.k8s.gatekeeper.sh |