[gatekeeper-library] new chart

charts/cloudnative-pg/Chart.yaml

@@ -18,19 +18,24 @@ name: cloudnative-pg
 description: CloudNativePG Helm Chart
 icon: https://raw.githubusercontent.com/cloudnative-pg/artwork/main/cloudnativepg-logo.svg
 type: application
-version: "0.18.3"
+version: "0.18.4"
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning, they should reflect the version the application is using.
 # It is recommended to use it with quotes.
 appVersion: "1.20.2"
 sources:
+  - https://github.com/jouve/charts
   - https://github.com/cloudnative-pg/charts
 keywords:
   - postgresql
   - postgres
   - database
 home: https://cloudnative-pg.io
 maintainers:
+  - name: jouve
+    url: https://github.com/jouve
   - name: phisco
     email: [email protected]
+annotations:
+  artifacthub.io/license: Apache-2.0

charts/extra/Chart.yaml

@@ -1,8 +1,9 @@
 apiVersion: v2
 name: extra
 description: Deploy a list of Kubernetes resources as a release
+icon: https://raw.githubusercontent.com/KDE/breeze-icons/master/icons/actions/16/list-add.svg
 type: application
-version: 0.2.0
+version: 0.2.1
 dependencies:
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts

charts/gatekeeper-library/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/gatekeeper-library/Chart.yaml

@@ -0,0 +1,15 @@
+apiVersion: v2
+name: gatekeeper-library
+description: A Helm chart for Kubernetes
+icon: https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/website/static/img/logo.svg
+type: application
+version: 0.1.0
+appVersion: 954a063f6449d2e93ca7bd2a06a96f11213998ca
+sources:
+- https://github.com/jouve/charts
+- https://github.com/open-policy-agent/gatekeeper-library
+maintainers:
+- name: jouve
+  url: https://github.com/jouve
+annotations:
+  artifacthub.io/license: Apache-2.0

charts/gatekeeper-library/README.md

@@ -0,0 +1,3 @@
+## gatekeeper-library
+
+## Parameters

charts/gatekeeper-library/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- github.com/open-policy-agent/gatekeeper-library/library?ref=954a063f6449d2e93ca7bd2a06a96f11213998ca

charts/gatekeeper-library/templates.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -eux -o pipefail
+rm -rf templates
+mkdir templates
+kustomize build | yq --no-doc --split-exp '.metadata.name | sub(".*", "templates/${0}.yaml")'

charts/gatekeeper-library/templates/k8sallowedrepos.yaml

@@ -0,0 +1,47 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  annotations:
+    description: Requires container images to begin with a string from the specified list.
+    metadata.gatekeeper.sh/title: Allowed Repositories
+    metadata.gatekeeper.sh/version: 1.0.0
+  name: k8sallowedrepos
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sAllowedRepos
+      validation:
+        openAPIV3Schema:
+          properties:
+            repos:
+              description: The list of prefixes a container image is allowed to have.
+              items:
+                type: string
+              type: array
+          type: object
+  targets:
+    - rego: |
+        package k8sallowedrepos
+
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.containers[_]
+          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
+          not any(satisfied)
+          msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+        }
+
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.initContainers[_]
+          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
+          not any(satisfied)
+          msg := sprintf("initContainer <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+        }
+
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.ephemeralContainers[_]
+          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
+          not any(satisfied)
+          msg := sprintf("ephemeralContainer <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+        }
+      target: admission.k8s.gatekeeper.sh

charts/gatekeeper-library/templates/k8sblockendpointeditdefaultrole.yaml

@@ -0,0 +1,42 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  annotations:
+    description: |-
+      Many Kubernetes installations by default have a system:aggregate-to-edit ClusterRole which does not properly restrict access to editing Endpoints. This ConstraintTemplate forbids the system:aggregate-to-edit ClusterRole from granting permission to create/patch/update Endpoints.
+      ClusterRole/system:aggregate-to-edit should not allow Endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675
+    metadata.gatekeeper.sh/title: Block Endpoint Edit Default Role
+    metadata.gatekeeper.sh/version: 1.0.0
+  name: k8sblockendpointeditdefaultrole
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sBlockEndpointEditDefaultRole
+  targets:
+    - rego: |
+        package k8sblockendpointeditdefaultrole
+
+        violation[{"msg": msg}] {
+            input.review.object.metadata.name == "system:aggregate-to-edit"
+            endpointRule(input.review.object.rules[_])
+            msg := "ClusterRole system:aggregate-to-edit should not allow endpoint edit permissions. For k8s version < 1.22, the Cluster Role should be annotated with rbac.authorization.kubernetes.io/autoupdate=false to prevent autoreconciliation back to default permissions for this role."
+        }
+
+        endpointRule(rule) {
+            "endpoints" == rule.resources[_]
+            hasEditVerb(rule.verbs)
+        }
+
+        hasEditVerb(verbs) {
+            "create" == verbs[_]
+        }
+
+        hasEditVerb(verbs) {
+            "patch" == verbs[_]
+        }
+
+        hasEditVerb(verbs) {
+            "update" == verbs[_]
+        }
+      target: admission.k8s.gatekeeper.sh

charts/gatekeeper-library/templates/k8sblockloadbalancer.yaml

@@ -0,0 +1,25 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  annotations:
+    description: |-
+      Disallows all Services with type LoadBalancer.
+      https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
+    metadata.gatekeeper.sh/title: Block Services with type LoadBalancer
+    metadata.gatekeeper.sh/version: 1.0.0
+  name: k8sblockloadbalancer
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sBlockLoadBalancer
+  targets:
+    - rego: |
+        package k8sblockloadbalancer
+
+        violation[{"msg": msg}] {
+          input.review.kind.kind == "Service"
+          input.review.object.spec.type == "LoadBalancer"
+          msg := "User is not allowed to create service of type LoadBalancer"
+        }
+      target: admission.k8s.gatekeeper.sh

charts/gatekeeper-library/templates/k8sblocknodeport.yaml

@@ -0,0 +1,25 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  annotations:
+    description: |-
+      Disallows all Services with type NodePort.
+      https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
+    metadata.gatekeeper.sh/title: Block NodePort
+    metadata.gatekeeper.sh/version: 1.0.0
+  name: k8sblocknodeport
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sBlockNodePort
+  targets:
+    - rego: |
+        package k8sblocknodeport
+
+        violation[{"msg": msg}] {
+          input.review.kind.kind == "Service"
+          input.review.object.spec.type == "NodePort"
+          msg := "User is not allowed to create service of type NodePort"
+        }
+      target: admission.k8s.gatekeeper.sh

charts/gatekeeper-library/templates/k8sblockwildcardingress.yaml

@@ -0,0 +1,33 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  annotations:
+    description: Users should not be able to create Ingresses with a blank or wildcard (*) hostname since that would enable them to intercept traffic for other services in the cluster, even if they don't have access to those services.
+    metadata.gatekeeper.sh/title: Block Wildcard Ingress
+    metadata.gatekeeper.sh/version: 1.0.1
+  name: k8sblockwildcardingress
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sBlockWildcardIngress
+  targets:
+    - rego: |
+        package K8sBlockWildcardIngress
+
+        contains_wildcard(hostname) = true {
+          hostname == ""
+        }
+
+        contains_wildcard(hostname) = true {
+          contains(hostname, "*")
+        }
+
+        violation[{"msg": msg}] {
+          input.review.kind.kind == "Ingress"
+          # object.get is required to detect omitted host fields
+          hostname := object.get(input.review.object.spec.rules[_], "host", "")
+          contains_wildcard(hostname)
+          msg := sprintf("Hostname '%v' is not allowed since it counts as a wildcard, which can be used to intercept traffic from other applications.", [hostname])
+        }
+      target: admission.k8s.gatekeeper.sh