Prevent GCP-2024-003

other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/bad-clusterrolebinding.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: bad-clusterrolebinding
+subjects:
+- kind: Group
+  name: system:unauthenticated
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io

other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/bad-rolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: bad-rolebinding
+  namespace: default
+subjects:
+- kind: Group
+  name: system:authenticated
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io

other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/chainsaw-step-01-assert-1.yaml

@@ -0,0 +1,5 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: secrets-not-from-env-vars-cve-2024-3177
+  ready: true

other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,29 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: secrets-not-from-env-vars-cve-2024-3177
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../secrets-not-from-env-vars-cve-2024-3177.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: secrets-not-from-env-vars-cve-2024-3177
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: chainsaw-step-01-assert-1.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: good-pod.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: bad-pod.yaml

other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/good-clusterrolebinding.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: good-clusterrolebinding
+subjects:
+- kind: User
+  name: jane.doe
+roleRef:
+  kind: ClusterRole
+  name: view
+  apiGroup: rbac.authorization.k8s.io

other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/good-rolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: good-rolebinding
+  namespace: default
+subjects:
+- kind: User
+  name: john.doe
+roleRef:
+  kind: Role
+  name: admin
+  apiGroup: rbac.authorization.k8s.io

other/restrict-clusteradmin-rolebindings-gcp-2024-003/artifacthub-pkg.yml

@@ -0,0 +1,19 @@
+name: restrict-clusteradmin-rolebindings-gcp-2024-003
+version: 1.0.0
+displayName: Restrict ClusterAdmin RoleBindings (GCP-2024-003)
+createdAt: "2023-04-10T20:30:03.000Z"
+description: >-
+  The cluster-admin ClusterRole allows any action to be performed on any resource in the cluster and its granting should be heavily restricted. This policy prevents binding to the cluster-admin ClusterRole in RoleBinding or ClusterRoleBinding resources to the system:authenticated, system:unauthenticated, and system:anonymous subjects.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
+  ```
+keywords:
+  - kyverno
+  - Security
+readme: |
+  The cluster-admin ClusterRole allows any action to be performed on any resource in the cluster and its granting should be heavily restricted. This policy prevents binding to the cluster-admin ClusterRole in RoleBinding or ClusterRoleBinding resources to the system:authenticated, system:unauthenticated, and system:anonymous subjects.
+annotations:
+  kyverno/category: "Security"
+  kyverno/subject: "RoleBinding, ClusterRoleBinding"
+digest: 9220d6071d8faccd37995e3fdf7b8db036b0e499268eb38993587016a0c1120e

other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml

@@ -0,0 +1,39 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-clusteradmin-rolebindings-gcp-2024-003
+  annotations:
+    policies.kyverno.io/title: Restrict ClusterAdmin RoleBindings (GCP-2024-003)
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: RoleBinding, ClusterRoleBinding
+    kyverno.io/kubernetes-version: 1.27
+    kyverno.io/kyverno-version: 1.10
+    policies.kyverno.io/description: >-
+      The cluster-admin ClusterRole allows any action to be performed on any resource in the cluster and its granting should be heavily restricted. This policy prevents binding to the cluster-admin ClusterRole in RoleBinding or ClusterRoleBinding resources to the system:authenticated, system:unauthenticated, and system:anonymous subjects.
+
+      Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+spec:
+  validationFailureAction: Audit
+  rules:
+  - name: validate-restricted-cluster-admin-bindings
+    match:
+      any:
+        - resources:
+          kinds:
+            - ClusterRoleBinding
+            - RoleBinding
+    validate:
+      message: "Binding ClusterRole 'cluster-admin' is restricted, system:authenticated, system:unauthenticated and system:anonymous are not allowed. GCP-2024-003"
+      deny:
+        conditions:
+          all:
+          - key: "{{ request.object.subjects[].name }}"
+            operator: AnyIn
+            value:
+            - system:authenticated
+            - system:unauthenticated
+            - system:anonymous
+          - key: "{{ request.object.roleRef.name }}"
+            operator: Equals
+            value: "cluster-admin"