Include policies for securing sandbox namespace

[CosimoMichelagnoli]

Description

This PR aims to apply some cluster-wide policies based on Kyverno framework. Three main security requirements:

• Avoid creation of privileged pods
• Avoid creation of load balancer services (i.e avoid creation of routable IPs) and nodePort
• Force specific name for ingress hostname

These policies are applied only to sandbox namespaces.

[kingmakerbot]

Hi @CosimoMichelagnoli. Thanks for your PR.

I am @kingmakerbot.
You can interact with me issuing a slash command in the first line of a comment.
Currently, I understand the following commands:

• /rebase: Rebase this PR onto the master branch
• /merge: Merge this PR into the master branch
• /hold: Adds hold label to prevent merging with /merge
• /unhold: Removes the hold label to allow merging with /merge
• /deploy-staging: Deploy a staging environment to test this PR (the build-all flag enables user environments building)
• /undeploy-staging: Manually undeploy the staging environment

Make sure this PR appears in the CrownLabs changelog, adding one of the following labels:

• kind/breaking: 💥 Breaking Change
• kind/feature: 🚀 New Feature
• kind/bug: 🐛 Bug Fix
• kind/cleanup: 🧹 Code Refactoring
• kind/docs: 📝 Documentation

[giorio94]

A few initial comments inline. Additionally:

• For the moment, I would personally drop the crownlabs-policies-privilege-escalation and crownlabs-policies-run-as-non-root policies, as they make sense, but require a modification of the deployment manifests (this could create problems when students experiment for the first time).
• I would add the following policies (from the kyverno repo), as targeting definitely dangerous aspects:
  • Disallow Host Namespaces
  • Disallow hostPath
  • Disallow hostPorts
• I would keep the information about the installation of kyverno in the infrastructure/policies folder, while moving the chart with the policies in a policies folder in the root of the repo, to separate the two things (as we will also need to customize the kyverno values file when installing it on CrownLabs).

[CosimoMichelagnoli]

A few initial comments inline. Additionally:

• For the moment, I would personally drop the crownlabs-policies-privilege-escalation and crownlabs-policies-run-as-non-root policies, as they make sense, but require a modification of the deployment manifests (this could create problems when students experiment for the first time).

• I would add the following policies (from the kyverno repo), as targeting definitely dangerous aspects:

  • Disallow Host Namespaces
  • Disallow hostPath
  • Disallow hostPorts

• I would keep the information about the installation of kyverno in the infrastructure/policies folder, while moving the chart with the policies in a policies folder in the root of the repo, to separate the two things (as we will also need to customize the kyverno values file when installing it on CrownLabs).

We just corrected the PR following your comments. Hoping to have done everything right, how should we proceed with regards to the kyverno values ​​to be customized?

[giorio94]

A couple of additional comments inline. Moreover, please delete the empty values file for the moment (the one in the infrastructure folder).

[giorio94]

Looks almost ready to me. Just a few very minor comments inline. Additionally, you should fix the conflicts and double check all files to remove the trailing spaces at the end of the lines.

[giorio94]

A couple of final nits inline. Please, generalize also the commit message, then we can go ahead and merge the PR.

[giorio94]

/merge