Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prevent GCP-2024-003 #1009

Draft
wants to merge 15 commits into
base: main
Choose a base branch
from
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: bad-clusterrolebinding
subjects:
- kind: Group
name: system:unauthenticated
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: bad-rolebinding
namespace: default
subjects:
- kind: Group
name: system:authenticated
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: secrets-not-from-env-vars-cve-2024-3177
ready: true
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
name: secrets-not-from-env-vars-cve-2024-3177
spec:
steps:
- name: step-01
try:
- apply:
file: ../secrets-not-from-env-vars-cve-2024-3177.yaml
- patch:
resource:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: secrets-not-from-env-vars-cve-2024-3177
spec:
validationFailureAction: Enforce
- assert:
file: chainsaw-step-01-assert-1.yaml
- name: step-02
try:
- apply:
file: good-pod.yaml
- apply:
expect:
- check:
($error != null): true
file: bad-pod.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: good-clusterrolebinding
subjects:
- kind: User
name: jane.doe
roleRef:
kind: ClusterRole
name: view
apiGroup: rbac.authorization.k8s.io
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: good-rolebinding
namespace: default
subjects:
- kind: User
name: john.doe
roleRef:
kind: Role
name: admin
apiGroup: rbac.authorization.k8s.io
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
name: restrict-clusteradmin-rolebindings-gcp-2024-003
version: 1.0.0
displayName: Restrict ClusterAdmin RoleBindings (GCP-2024-003)
createdAt: "2023-04-10T20:30:03.000Z"
description: >-
The cluster-admin ClusterRole allows any action to be performed on any resource in the cluster and its granting should be heavily restricted. This policy prevents binding to the cluster-admin ClusterRole in RoleBinding or ClusterRoleBinding resources to the system:authenticated, system:unauthenticated, and system:anonymous subjects.
install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
```
keywords:
- kyverno
- Security
readme: |
The cluster-admin ClusterRole allows any action to be performed on any resource in the cluster and its granting should be heavily restricted. This policy prevents binding to the cluster-admin ClusterRole in RoleBinding or ClusterRoleBinding resources to the system:authenticated, system:unauthenticated, and system:anonymous subjects.
annotations:
kyverno/category: "Security"
kyverno/subject: "RoleBinding, ClusterRoleBinding"
digest: 9220d6071d8faccd37995e3fdf7b8db036b0e499268eb38993587016a0c1120e
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-clusteradmin-rolebindings-gcp-2024-003
annotations:
policies.kyverno.io/title: Restrict ClusterAdmin RoleBindings (GCP-2024-003)
policies.kyverno.io/category: Security
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: RoleBinding, ClusterRoleBinding
kyverno.io/kubernetes-version: 1.27
kyverno.io/kyverno-version: 1.10
policies.kyverno.io/description: >-
The cluster-admin ClusterRole allows any action to be performed on any resource in the cluster and its granting should be heavily restricted. This policy prevents binding to the cluster-admin ClusterRole in RoleBinding or ClusterRoleBinding resources to the system:authenticated, system:unauthenticated, and system:anonymous subjects.

Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
spec:
validationFailureAction: Audit
rules:
- name: validate-restricted-cluster-admin-bindings
match:
any:
- resources:
kinds:
- ClusterRoleBinding
- RoleBinding
validate:
message: "Binding ClusterRole 'cluster-admin' is restricted, system:authenticated, system:unauthenticated and system:anonymous are not allowed. GCP-2024-003"
deny:
conditions:
all:
- key: "{{ request.object.subjects[].name }}"
operator: AnyIn
value:
- system:authenticated
- system:unauthenticated
- system:anonymous
- key: "{{ request.object.roleRef.name }}"
operator: Equals
value: "cluster-admin"