
Policy that validates workloads based on the vulnerability of the images they make use of

kubewarden/image-cve-policy

Kubewarden policy image-cve-policy

WARNING: This policy is currently in the sandbox phase. This means that it is not yet ready for production use. The policy is under active development and may change significantly.

Description

This policy is used to enforce a maximum number of vulnerabilities of a certain severity level in an image.

The policy can be configured to allow a certain number of vulnerabilities of a certain severity level. When the threshold is exceeded, the image is not allowed to be deployed.

It's possible to provide a list of CVEs that are always allowed or denied, regardless of their severity level.

By default, the policy denies the use of images that have not been scanned for vulnerabilities. This behavior can be changed by setting ignoreMissingVulnerabilityReport to true.

Deployment Requirements

This policy relies on the SBOMbastic project being installed in the cluster.

This project scans images for vulnerabilities and stores the results in a custom resource called VulnerabilityReport.

Requirements:

  • SBOMbastic is deployed and properly configured in the cluster.
  • The ServiceAccount used by the Kubewarden Policy Server has the necessary permissions to read VulnerabilityReport resources.
  • The VulnerabilityReport resources are namespaced, hence the configuration of the policy must include the namespace where the VulnerabilityReport resources are stored.
  • This is a context-aware policy, hence it must be deployed as a ClusterAdmissionPolicy and it must be granted access to the VulnerabilityReport resources.
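The requirements above translate into two pieces of cluster configuration: a ClusterAdmissionPolicy that declares VulnerabilityReport as a context-aware resource, and RBAC that lets the Policy Server's ServiceAccount read those reports in the namespace where SBOMbastic stores them. The manifests below are an added illustration, not shipped by this project. The policy module location, the SBOMbastic API group/version, and the Policy Server ServiceAccount name and namespace are placeholders that must be replaced with the values of your installation.

```yaml
# Added example, not part of the image-cve-policy repository.
# Placeholders in angle brackets are assumptions to be replaced.
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: image-cve-policy
spec:
  # Assumed location of the policy module; check the project's releases.
  module: registry://<REGISTRY>/<PATH>/image-cve-policy:<VERSION>
  mutating: false
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations: ["CREATE", "UPDATE"]
  # Context-aware access: the policy may read VulnerabilityReport objects.
  contextAwareResources:
    - apiVersion: <SBOMBASTIC_API_GROUP>/<SBOMBASTIC_API_VERSION>
      kind: VulnerabilityReport
  settings:
    maxSeverity:
      critical:
        total: 0               # no critical CVEs at all
      high:
        totalWithoutFixes: 5   # tolerate up to 5 high CVEs that have no fix yet
    allowAlways: []
    denyAlways: []
    ignoreMissingVulnerabilityReport: false   # unscanned images are rejected
    vulnerabilityReportNamespace: sbombastic
---
# Read-only access to VulnerabilityReport objects in the namespace
# named in vulnerabilityReportNamespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: image-cve-policy-reader
  namespace: sbombastic
rules:
  - apiGroups: ["<SBOMBASTIC_API_GROUP>"]
    resources: ["vulnerabilityreports"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: image-cve-policy-reader
  namespace: sbombastic
subjects:
  - kind: ServiceAccount
    name: <POLICY_SERVER_SERVICE_ACCOUNT>   # ServiceAccount of the Policy Server
    namespace: <KUBEWARDEN_NAMESPACE>
roleRef:
  kind: Role
  name: image-cve-policy-reader
  apiGroup: rbac.authorization.k8s.io
```

Granting only `get` and `list` on `vulnerabilityreports`, scoped to the single namespace, keeps the Policy Server's privileges limited to what the policy needs.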

Settings

This policy can be configured using the following settings:

maxSeverity:
  critical: # total and totalWithoutFixes are mutually exclusive
    total: 10 # maximum number of critical CVEs that are allowed
    totalWithoutFixes: 5 # max number of critical CVEs without fixes that are allowed
  high: # total and totalWithoutFixes are mutually exclusive
    total: 20 # maximum number of high CVEs that are allowed
    totalWithoutFixes: 10 # max number of high CVEs without fixes that are allowed
  medium: # total and totalWithoutFixes are mutually exclusive
    total: 30 # maximum number of medium CVEs that are allowed
    totalWithoutFixes: 15 # max number of medium CVEs without fixes that are allowed
  low: # total and totalWithoutFixes are mutually exclusive
    total: 40 # maximum number of low CVEs that are allowed
    totalWithoutFixes: 20 # max number of low CVEs without fixes that are allowed

# List of CVEs that are always allowed, they do not count towards the
# maxSeverity thresholds
allowAlways:
  - CVE-2020-1234
  - CVE-2020-5678

# List of CVEs that are always denied, they do not count towards the
# maxSeverity thresholds
denyAlways:
  - CVE-2020-1234
  - CVE-2020-5678

# What to do if the image has not been scanned for CVEs
# Setting to true will accept the image, setting to false will reject the image
# Default is false
ignoreMissingVulnerabilityReport: true | false

# Namespace where VulnerabilityReport CRDs are stored
vulnerabilityReportNamespace: sbombastic
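To make the semantics of these settings concrete, the following Python model evaluates one image against them: denyAlways CVEs reject outright, allowAlways CVEs are excluded from the counts, each severity level is checked against either total or totalWithoutFixes (never both), and a missing report is accepted only when ignoreMissingVulnerabilityReport is true. This is an added illustration, not the policy's own code. It assumes a VulnerabilityReport reduced to a list of findings with a CVE id, a severity and a fix-available flag; the real CRD schema is defined by SBOMbastic and may differ. The findings and CVE ids other than the two from the settings listing are constructed.

```python
# Added example: a reference model of the image-cve-policy settings.
# Not the policy's own code; the findings below are constructed.
from dataclasses import dataclass, field

SEVERITIES = ("critical", "high", "medium", "low")


@dataclass
class Finding:
    """One entry of a (simplified, assumed) VulnerabilityReport."""
    cve: str
    severity: str          # one of SEVERITIES
    fix_available: bool    # True when the scanner reports a fixed version


@dataclass
class Settings:
    max_severity: dict = field(default_factory=dict)   # maxSeverity block
    allow_always: set = field(default_factory=set)     # allowAlways
    deny_always: set = field(default_factory=set)      # denyAlways
    ignore_missing_report: bool = False                # ignoreMissingVulnerabilityReport


def validate_settings(settings):
    """Reject unknown levels and entries that set both total and totalWithoutFixes."""
    for sev, limits in settings.max_severity.items():
        if sev not in SEVERITIES:
            raise ValueError(f"unknown severity level: {sev}")
        if "total" in limits and "totalWithoutFixes" in limits:
            raise ValueError(f"{sev}: total and totalWithoutFixes are mutually exclusive")


def evaluate_image(settings, findings):
    """Return (allowed, reason). findings is None when no VulnerabilityReport exists."""
    validate_settings(settings)
    if findings is None:
        if settings.ignore_missing_report:
            return True, "no VulnerabilityReport; accepted by ignoreMissingVulnerabilityReport"
        return False, "image has not been scanned (no VulnerabilityReport)"

    # denyAlways wins regardless of severity or thresholds.
    denied = sorted(f.cve for f in findings if f.cve in settings.deny_always)
    if denied:
        return False, "CVEs in denyAlways present: " + ", ".join(denied)

    # allowAlways CVEs never count towards the maxSeverity thresholds.
    counted = [f for f in findings if f.cve not in settings.allow_always]
    for sev, limits in settings.max_severity.items():
        at_level = [f for f in counted if f.severity == sev]
        if "total" in limits and len(at_level) > limits["total"]:
            return False, f"{len(at_level)} {sev} CVEs exceed total={limits['total']}"
        if "totalWithoutFixes" in limits:
            unfixed = [f for f in at_level if not f.fix_available]
            if len(unfixed) > limits["totalWithoutFixes"]:
                return False, (f"{len(unfixed)} unfixed {sev} CVEs exceed "
                               f"totalWithoutFixes={limits['totalWithoutFixes']}")
    return True, "within configured thresholds"


# Constructed settings: at most 1 critical CVE, at most 1 high CVE without a fix.
EXAMPLE_SETTINGS = Settings(
    max_severity={"critical": {"total": 1}, "high": {"totalWithoutFixes": 1}},
    allow_always={"CVE-2020-1234"},
    deny_always={"CVE-2020-5678"},
)

# Constructed findings: the allowAlways CVE is critical but must not count.
SAMPLE_FINDINGS = [
    Finding("CVE-2020-1234", "critical", False),
    Finding("CVE-2021-0001", "critical", True),
    Finding("CVE-2021-0002", "high", False),
    Finding("CVE-2021-0003", "high", True),
]


def demo():
    """Run the model over a few constructed situations and return the verdicts."""
    over_limit = SAMPLE_FINDINGS + [Finding("CVE-2021-0004", "critical", True)]
    deny_listed = SAMPLE_FINDINGS + [Finding("CVE-2020-5678", "low", True)]
    lenient = Settings(ignore_missing_report=True)
    return {
        "baseline": evaluate_image(EXAMPLE_SETTINGS, SAMPLE_FINDINGS),
        "over_limit": evaluate_image(EXAMPLE_SETTINGS, over_limit),
        "deny_listed": evaluate_image(EXAMPLE_SETTINGS, deny_listed),
        "unscanned": evaluate_image(EXAMPLE_SETTINGS, None),
        "unscanned_ignored": evaluate_image(lenient, None),
    }


if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{case:18} allowed={allowed!s:5} {reason}")
```

Note that the allowAlways CVE is critical and would otherwise push the critical count over the limit; excluding it is what makes the baseline case pass.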

Examples

TODO