sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 07:21:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

Adds sec context and workload isolation kyverno checks

Browse Source 
Signed-off-by: Sebastian Kawelke <sebastian.kawelke@l3montree.com>
This commit is contained in:
Sebastian Kawelke
2025-12-01 13:33:13 +01:00
parent 7b592a24b0
commit 56ddb422ca
21 changed files with 1062 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
.gitignore vendored
View File

@@ -28,3 +28,8 @@ logs
# Ignore backup files, e.g. created by the script that eases the local chart development
*.bak
rendered.yaml
pol.yaml
.DS_Store

20
docs/security/sec-ctx/exceptions/postfix-exception.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
name: postfix-exception
namespace: opendesk
spec:
exceptions:
- policyName: require-run-as-non-root-user
ruleNames:
- run-as-non-root-user
- autogen-run-as-non-root-user
match:
any:
- resources:
kinds:
- Deployment
namespaces:
- opendesk
names:
- postfix

66
docs/security/sec-ctx/kyverno-test.yaml Normal file
View File

@@ -0,0 +1,66 @@
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
name: sec-ctx
policies:
- sec-ctx-001_disallow-privileged-containers.yaml
- sec-ctx-002_require-as-non-root.yaml
- sec-ctx-003_run-as-user.yaml
- sec-ctx-004_capabilities.yaml
- sec-ctx-005_seccomp.yaml
- sec-ctx-006_sysctl.yaml
- sec-ctx-007_apparmor.yaml
- sec-ctx-008_selinux.yaml
- sec-ctx-009_proc-mount.yaml
- sec-ctx-010_privilege-escalation.yaml
resources:
- ../../../rendered.yaml
exceptions:
- exceptions/postfix-exception.yaml
results:
# sec-ctx-001
- policy: disallow-privileged-containers
rule: privileged-containers
result: pass
# sec-ctx-002
- policy: require-run-as-nonroot
rule: run-as-non-root
result: pass
# sec-ctx-003
- policy: require-run-as-non-root-user
rule: run-as-non-root-user
result: pass
# sec-ctx-004
- policy: disallow-capabilities-strict
rule: require-drop-all
result: pass
- policy: disallow-capabilities-strict
rule: adding-capabilities-strict
result: pass
# sec-ctx-005
- policy: restrict-seccomp-strict
rule: check-seccomp-strict
result: pass
# sec-ctx-006
- policy: restrict-sysctls
rule: check-sysctls
result: pass
# sec-ctx-007
- policy: restrict-apparmor-profiles
rule: app-armor
result: pass
# sec-ctx-008
- policy: disallow-selinux
rule: selinux-type
result: pass
- policy: disallow-selinux
rule: selinux-user-role
result: pass
# sec-ctx-009
- policy: disallow-proc-mount
rule: check-proc-mount
result: pass
# sec-ctx-010
- policy: disallow-privilege-escalation
rule: privilege-escalation
result: pass

42
docs/security/sec-ctx/sec-ctx-001_disallow-privileged-containers.yaml Normal file
View File

@@ -0,0 +1,42 @@
# Source: https://github.com/kyverno/policies/tree/main/pod-security
# License: Apache-2.0
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
labels:
opendesk.eu/security-id: sec-ctx-001
annotations:
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/category: Pod Security Standards (Baseline)
policies.kyverno.io/description: Privileged mode disables most security mechanisms
and must not be allowed. This policy ensures Pods do not call for privileged
mode.
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/title: Disallow Privileged Containers
name: disallow-privileged-containers
spec:
background: true
rules:
- match:
any:
- resources:
kinds:
- Pod
name: privileged-containers
validate:
message: Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged,
spec.initContainers[*].securityContext.privileged, and spec.ephemeralContainers[*].securityContext.privileged
must be unset or set to `false`.
pattern:
spec:
=(ephemeralContainers):
- =(securityContext):
=(privileged): "false"
=(initContainers):
- =(securityContext):
=(privileged): "false"
containers:
- =(securityContext):
=(privileged): "false"
validationFailureAction: Audit

56
docs/security/sec-ctx/sec-ctx-002_require-as-non-root.yaml Normal file
View File

@@ -0,0 +1,56 @@
# Source: https://github.com/kyverno/policies/tree/main/pod-security
# License: Apache-2.0
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
labels:
opendesk.eu/security-id: sec-ctx-002
annotations:
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/category: Pod Security Standards (Restricted)
policies.kyverno.io/description: Containers must be required to run as non-root
users. This policy ensures `runAsNonRoot` is set to `true`. A known issue prevents
a policy such as this using `anyPattern` from being persisted properly in Kubernetes
1.23.0-1.23.2.
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/title: Require runAsNonRoot
name: require-run-as-nonroot
spec:
background: true
rules:
- match:
any:
- resources:
kinds:
- Pod
name: run-as-non-root
validate:
anyPattern:
- spec:
=(ephemeralContainers):
- =(securityContext):
=(runAsNonRoot): "true"
=(initContainers):
- =(securityContext):
=(runAsNonRoot): "true"
containers:
- =(securityContext):
=(runAsNonRoot): "true"
securityContext:
runAsNonRoot: "true"
- spec:
=(ephemeralContainers):
- securityContext:
runAsNonRoot: "true"
=(initContainers):
- securityContext:
runAsNonRoot: "true"
containers:
- securityContext:
runAsNonRoot: "true"
message: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot
must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot,
spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot
must be set to `true`.
validationFailureAction: Audit

45
docs/security/sec-ctx/sec-ctx-003_run-as-user.yaml Normal file
View File

@@ -0,0 +1,45 @@
# Source: https://github.com/kyverno/policies/tree/main/pod-security
# License: Apache-2.0
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
labels:
opendesk.eu/security-id: sec-ctx-003
annotations:
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/category: Pod Security Standards (Restricted)
policies.kyverno.io/description: Containers must be required to run as non-root
users. This policy ensures `runAsUser` is either unset or set to a number greater
than zero.
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/title: Require Run As Non-Root User
name: require-run-as-non-root-user
spec:
background: true
rules:
- match:
any:
- resources:
kinds:
- Pod
name: run-as-non-root-user
validate:
message: Running as root is not allowed. The fields spec.securityContext.runAsUser,
spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser,
and spec.ephemeralContainers[*].securityContext.runAsUser must be unset or
set to a number greater than zero.
pattern:
spec:
=(ephemeralContainers):
- =(securityContext):
=(runAsUser): '>0'
=(initContainers):
- =(securityContext):
=(runAsUser): '>0'
=(securityContext):
=(runAsUser): '>0'
containers:
- =(securityContext):
=(runAsUser): '>0'
validationFailureAction: Audit

120
docs/security/sec-ctx/sec-ctx-004_capabilities.yaml Normal file
View File

@@ -0,0 +1,120 @@
# Source: https://github.com/kyverno/policies/tree/main/pod-security
# License: Apache-2.0
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
labels:
opendesk.eu/security-id: sec-ctx-004
annotations:
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/category: Pod Security Standards (Baseline)
policies.kyverno.io/description: Adding capabilities beyond those listed in the
policy must be disallowed.
policies.kyverno.io/minversion: 1.6.0
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/title: Disallow Capabilities
name: disallow-capabilities
spec:
background: true
rules:
- match:
any:
- resources:
kinds:
- Pod
name: adding-capabilities
preconditions:
all:
- key: '{{ request.operation || ''BACKGROUND'' }}'
operator: NotEquals
value: DELETE
validate:
deny:
conditions:
all:
- key: '{{ request.object.spec.[ephemeralContainers, initContainers, containers][].securityContext.capabilities.add[]
}}'
operator: AnyNotIn
value:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
message: Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN,
DAC_OVERRIDE, FOWNER, FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID,
SETPCAP, SETUID, SYS_CHROOT) are disallowed.
validationFailureAction: Audit
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
labels:
opendesk.eu/security-id: sec-ctx-001
annotations:
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/category: Pod Security Standards (Restricted)
policies.kyverno.io/description: Adding capabilities other than `NET_BIND_SERVICE`
is disallowed. In addition, all containers must explicitly drop `ALL` capabilities.
policies.kyverno.io/minversion: 1.6.0
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/title: Disallow Capabilities (Strict)
name: disallow-capabilities-strict
spec:
background: true
rules:
- match:
any:
- resources:
kinds:
- Pod
name: require-drop-all
preconditions:
all:
- key: '{{ request.operation || ''BACKGROUND'' }}'
operator: NotEquals
value: DELETE
validate:
foreach:
- deny:
conditions:
all:
- key: ALL
operator: AnyNotIn
value: '{{ element.securityContext.capabilities.drop[] || `[]` }}'
list: request.object.spec.[ephemeralContainers, initContainers, containers][]
message: Containers must drop `ALL` capabilities.
- match:
any:
- resources:
kinds:
- Pod
name: adding-capabilities-strict
preconditions:
all:
- key: '{{ request.operation || ''BACKGROUND'' }}'
operator: NotEquals
value: DELETE
validate:
foreach:
- deny:
conditions:
all:
- key: '{{ element.securityContext.capabilities.add[] || `[]` }}'
operator: AnyNotIn
value:
- NET_BIND_SERVICE
- ""
list: request.object.spec.[ephemeralContainers, initContainers, containers][]
message: Any capabilities added other than NET_BIND_SERVICE are disallowed.
validationFailureAction: Audit

113
docs/security/sec-ctx/sec-ctx-005_seccomp.yaml Normal file
View File

@@ -0,0 +1,113 @@
# Source: https://github.com/kyverno/policies/tree/main/pod-security
# License: Apache-2.0
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
labels:
opendesk.eu/security-id: sec-ctx-005
annotations:
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/category: Pod Security Standards (Baseline)
policies.kyverno.io/description: The seccomp profile must not be explicitly set
to Unconfined. This policy, requiring Kubernetes v1.19 or later, ensures that
seccomp is unset or set to `RuntimeDefault` or `Localhost`.
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/title: Restrict Seccomp
name: restrict-seccomp
spec:
background: true
rules:
- match:
any:
- resources:
kinds:
- Pod
name: check-seccomp
validate:
message: Use of custom Seccomp profiles is disallowed. The fields spec.securityContext.seccompProfile.type,
spec.containers[*].securityContext.seccompProfile.type, spec.initContainers[*].securityContext.seccompProfile.type,
and spec.ephemeralContainers[*].securityContext.seccompProfile.type must be
unset or set to `RuntimeDefault` or `Localhost`.
pattern:
spec:
=(ephemeralContainers):
- =(securityContext):
=(seccompProfile):
=(type): RuntimeDefault | Localhost
=(initContainers):
- =(securityContext):
=(seccompProfile):
=(type): RuntimeDefault | Localhost
=(securityContext):
=(seccompProfile):
=(type): RuntimeDefault | Localhost
containers:
- =(securityContext):
=(seccompProfile):
=(type): RuntimeDefault | Localhost
validationFailureAction: Audit
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
labels:
opendesk.eu/security-id: sec-ctx-005
annotations:
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/category: Pod Security Standards (Restricted)
policies.kyverno.io/description: The seccomp profile in the Restricted group must
not be explicitly set to Unconfined but additionally must also not allow an
unset value. This policy, requiring Kubernetes v1.19 or later, ensures that
seccomp is set to `RuntimeDefault` or `Localhost`. A known issue prevents a
policy such as this using `anyPattern` from being persisted properly in Kubernetes
1.23.0-1.23.2.
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/title: Restrict Seccomp (Strict)
name: restrict-seccomp-strict
spec:
background: true
rules:
- match:
any:
- resources:
kinds:
- Pod
name: check-seccomp-strict
validate:
anyPattern:
- spec:
=(ephemeralContainers):
- =(securityContext):
=(seccompProfile):
=(type): RuntimeDefault | Localhost
=(initContainers):
- =(securityContext):
=(seccompProfile):
=(type): RuntimeDefault | Localhost
containers:
- =(securityContext):
=(seccompProfile):
=(type): RuntimeDefault | Localhost
securityContext:
seccompProfile:
type: RuntimeDefault | Localhost
- spec:
=(ephemeralContainers):
- securityContext:
seccompProfile:
type: RuntimeDefault | Localhost
=(initContainers):
- securityContext:
seccompProfile:
type: RuntimeDefault | Localhost
containers:
- securityContext:
seccompProfile:
type: RuntimeDefault | Localhost
message: Use of custom Seccomp profiles is disallowed. The fields spec.securityContext.seccompProfile.type,
spec.containers[*].securityContext.seccompProfile.type, spec.initContainers[*].securityContext.seccompProfile.type,
and spec.ephemeralContainers[*].securityContext.seccompProfile.type must be
set to `RuntimeDefault` or `Localhost`.
validationFailureAction: Audit

39
docs/security/sec-ctx/sec-ctx-006_sysctl.yaml Normal file
View File

@@ -0,0 +1,39 @@
# Source: https://github.com/kyverno/policies/tree/main/pod-security
# License: Apache-2.0
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
labels:
opendesk.eu/security-id: sec-ctx-006
annotations:
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/category: Pod Security Standards (Baseline)
policies.kyverno.io/description: Sysctls can disable security mechanisms or affect
all containers on a host, and should be disallowed except for an allowed "safe"
subset. A sysctl is considered safe if it is namespaced in the container or
the Pod, and it is isolated from other Pods or processes on the same Node. This
policy ensures that only those "safe" subsets can be specified in a Pod.
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/title: Restrict sysctls
name: restrict-sysctls
spec:
background: true
rules:
- match:
any:
- resources:
kinds:
- Pod
name: check-sysctls
validate:
message: Setting additional sysctls above the allowed type is disallowed. The
field spec.securityContext.sysctls must be unset or not use any other names
than kernel.shm_rmid_forced, net.ipv4.ip_local_port_range, net.ipv4.ip_unprivileged_port_start,
net.ipv4.tcp_syncookies and net.ipv4.ping_group_range.
pattern:
spec:
=(securityContext):
=(sysctls):
- =(name): kernel.shm_rmid_forced | net.ipv4.ip_local_port_range | net.ipv4.ip_unprivileged_port_start | net.ipv4.tcp_syncookies | net.ipv4.ping_group_range
validationFailureAction: Audit

38
docs/security/sec-ctx/sec-ctx-007_apparmor.yaml Normal file
View File

@@ -0,0 +1,38 @@
# Source: https://github.com/kyverno/policies/tree/main/pod-security
# License: Apache-2.0
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
labels:
opendesk.eu/security-id: sec-ctx-007
annotations:
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/category: Pod Security Standards (Baseline)
policies.kyverno.io/description: On supported hosts, the 'runtime/default' AppArmor
profile is applied by default. The default policy should prevent overriding
or disabling the policy, or restrict overrides to an allowed set of profiles.
This policy ensures Pods do not specify any other AppArmor profiles than `runtime/default`
or `localhost/*`.
policies.kyverno.io/minversion: 1.3.0
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod, Annotation
policies.kyverno.io/title: Restrict AppArmor
name: restrict-apparmor-profiles
spec:
background: true
rules:
- match:
any:
- resources:
kinds:
- Pod
name: app-armor
validate:
message: Specifying other AppArmor profiles is disallowed. The annotation `container.apparmor.security.beta.kubernetes.io`
if defined must not be set to anything other than `runtime/default` or `localhost/*`.
pattern:
=(metadata):
=(annotations):
=(container.apparmor.security.beta.kubernetes.io/*): runtime/default |
localhost/*
validationFailureAction: Audit

84
docs/security/sec-ctx/sec-ctx-008_selinux.yaml Normal file
View File

@@ -0,0 +1,84 @@
# Source: https://github.com/kyverno/policies/tree/main/pod-security
# License: Apache-2.0
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
labels:
opendesk.eu/security-id: sec-ctx-008
annotations:
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/category: Pod Security Standards (Baseline)
policies.kyverno.io/description: SELinux options can be used to escalate privileges
and should not be allowed. This policy ensures that the `seLinuxOptions` field
is undefined.
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/title: Disallow SELinux
name: disallow-selinux
spec:
background: true
rules:
- match:
any:
- resources:
kinds:
- Pod
name: selinux-type
validate:
message: Setting the SELinux type is restricted. The fields spec.securityContext.seLinuxOptions.type,
spec.containers[*].securityContext.seLinuxOptions.type, , spec.initContainers[*].securityContext.seLinuxOptions,
and spec.ephemeralContainers[*].securityContext.seLinuxOptions.type must either
be unset or set to one of the allowed values (container_t, container_init_t,
or container_kvm_t).
pattern:
spec:
=(ephemeralContainers):
- =(securityContext):
=(seLinuxOptions):
=(type): container_t | container_init_t | container_kvm_t
=(initContainers):
- =(securityContext):
=(seLinuxOptions):
=(type): container_t | container_init_t | container_kvm_t
=(securityContext):
=(seLinuxOptions):
=(type): container_t | container_init_t | container_kvm_t
containers:
- =(securityContext):
=(seLinuxOptions):
=(type): container_t | container_init_t | container_kvm_t
- match:
any:
- resources:
kinds:
- Pod
name: selinux-user-role
validate:
message: Setting the SELinux user or role is forbidden. The fields spec.securityContext.seLinuxOptions.user,
spec.securityContext.seLinuxOptions.role, spec.containers[*].securityContext.seLinuxOptions.user,
spec.containers[*].securityContext.seLinuxOptions.role, spec.initContainers[*].securityContext.seLinuxOptions.user,
spec.initContainers[*].securityContext.seLinuxOptions.role, spec.ephemeralContainers[*].securityContext.seLinuxOptions.user,
and spec.ephemeralContainers[*].securityContext.seLinuxOptions.role must be
unset.
pattern:
spec:
=(ephemeralContainers):
- =(securityContext):
=(seLinuxOptions):
X(role): "null"
X(user): "null"
=(initContainers):
- =(securityContext):
=(seLinuxOptions):
X(role): "null"
X(user): "null"
=(securityContext):
=(seLinuxOptions):
X(role): "null"
X(user): "null"
containers:
- =(securityContext):
=(seLinuxOptions):
X(role): "null"
X(user): "null"
validationFailureAction: Audit

44
docs/security/sec-ctx/sec-ctx-009_proc-mount.yaml Normal file
View File

@@ -0,0 +1,44 @@
# Source: https://github.com/kyverno/policies/tree/main/pod-security
# License: Apache-2.0
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
labels:
opendesk.eu/security-id: sec-ctx-009
annotations:
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/category: Pod Security Standards (Baseline)
policies.kyverno.io/description: The default /proc masks are set up to reduce
attack surface and should be required. This policy ensures nothing but the default
procMount can be specified. Note that in order for users to deviate from the
`Default` procMount requires setting a feature gate at the API server.
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/title: Disallow procMount
name: disallow-proc-mount
spec:
background: true
rules:
- match:
any:
- resources:
kinds:
- Pod
name: check-proc-mount
validate:
message: Changing the proc mount from the default is not allowed. The fields
spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount,
and spec.ephemeralContainers[*].securityContext.procMount must be unset or
set to `Default`.
pattern:
spec:
=(ephemeralContainers):
- =(securityContext):
=(procMount): Default
=(initContainers):
- =(securityContext):
=(procMount): Default
containers:
- =(securityContext):
=(procMount): Default
validationFailureAction: Audit

42
docs/security/sec-ctx/sec-ctx-010_privilege-escalation.yaml Normal file
View File

@@ -0,0 +1,42 @@
# Source: https://github.com/kyverno/policies/tree/main/pod-security
# License: Apache-2.0
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
labels:
opendesk.eu/security-id: sec-ctx-010
annotations:
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/category: Pod Security Standards (Restricted)
policies.kyverno.io/description: Privilege escalation, such as via set-user-ID
or set-group-ID file mode, should not be allowed. This policy ensures the `allowPrivilegeEscalation`
field is set to `false`.
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/title: Disallow Privilege Escalation
name: disallow-privilege-escalation
spec:
background: true
rules:
- match:
any:
- resources:
kinds:
- Pod
name: privilege-escalation
validate:
message: Privilege escalation is disallowed. The fields spec.containers[*].securityContext.allowPrivilegeEscalation,
spec.initContainers[*].securityContext.allowPrivilegeEscalation, and spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation
must be set to `false`.
pattern:
spec:
=(ephemeralContainers):
- securityContext:
allowPrivilegeEscalation: "false"
=(initContainers):
- securityContext:
allowPrivilegeEscalation: "false"
containers:
- securityContext:
allowPrivilegeEscalation: "false"
validationFailureAction: Audit

18
docs/security/sec-ctx/sec-ctx.md Normal file
View File

@@ -0,0 +1,18 @@
## Pod & Container Security Context
| ID | Description | References |
|---|---|---|
| SEC-CTX-001 | Pods must run non **privileged** only to prevent excessive rights and to make persistence and further escalation more difficult. | K8s-PSS, BSI-SYS-1-6, OWASP-K8s, NIST-SP, NSA-Hardening |
| SEC-CTX-002 | All Containers of a pod (containers, Init-Containers and Epehmeral-Containers) must run as non-root user (**runAsNonRoot**) to make persistence and further escalation more difficult. Given a justification and only if the necessary containers of the pod set this setting to false, while all other containers keep this setting set to true, this requirement may be violated. | K8s-PSS, BSI-SYS-1-6, OWASP-K8s, NIST-SP, NSA-Hardening |
| SEC-CTX-003 | All containers of a pod (containers, init-containers and ephemeral-containers) must not explicitly set runAsUser to 0 (root). The **runAsUser** field must either be undefined/null or set to a non-zero UID to ensure containers run with non-root privileges and reduce the risk of privilege escalation attacks. | K8s-PSS, BSI-SYS-1-6, OWASP-K8s, NIST-SP, NSA-Hardening |
| SEC-CTX-004 | All containers of a pod (containers, init-containers and ephemeral-containers) must drop `ALL` **capabilities** and may only add back the `NET_BIND_SERVICE` capability to follow the principle of least privilege and minimize the attack surface. This supports preventing containers from performing privileged system operations that could lead to container escape or host compromise. Given a justification, it is tolerated to add back the followingcapabilities: `AUDIT_WRITE`, `CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `MKNOD`, `SETFCAP`, `SETGID`, `SETPCAP`, `SETUID`, `SYS_CHROOT` | K8s-PSS, BSI-SYS-1-6, OWASP-K8s, NIST-SP, NSA-Hardening |
| SEC-CTX-005 | All containers of a pod (containers, init-containers and ephemeral-containers) must have a **Seccomp** profile explicitly set to either `RuntimeDefault` or `Localhost` to restrict system calls and reduce the kernel attack surface. The Unconfined profile and absence of a profile are prohibited. Container-level `seccompProfile.type` fields may be undefined only if the pod-level `seccompProfile.type` is set appropriately, and conversely, the pod-level field may be undefined only if all container-level fields are set. | K8s-PSS, BSI-SYS-1-6, OWASP-K8s, NIST-SP, NSA-Hardening |
| SEC-CTX-006 | Pods must only use sysctls from an allowed safe list that are namespaced and isolated from other pods and processes on the same node. Only the following **sysctls** are permitted: `kernel.shm_rmid_forced`, `net.ipv4.ip_local_port_range`, `net.ipv4.ip_unprivileged_port_start`, `net.ipv4.tcp_syncookies`, `net.ipv4.ping_group_range`, `net.ipv4.ip_local_reserved_ports`, `net.ipv4.tcp_keepalive_time`, `net.ipv4.tcp_fin_timeout`, `net.ipv4.tcp_keepalive_intvl`, and `net.ipv4.tcp_keepalive_probes`. All other sysctls are prohibited as they can disable security mechanisms or affect all containers on the host. | K8s-PSS, BSI-SYS-1-6, OWASP-K8s, NIST-SP, NSA-Hardening |
| SEC-CTX-007 | On **AppArmor**-supported hosts, all containers of a pod (containers, init-containers and ephemeral-containers) must use the `RuntimeDefault` AppArmor profile or a locally defined profile (`Localhost`). The Unconfined profile is prohibited. Containers may only override the default AppArmor profile with `RuntimeDefault` or `Localhost` profiles. Undefined/nil values are permitted to inherit the runtimes default behavior. | K8s-PSS, BSI-SYS-1-6, OWASP-K8s, NIST-SP, NSA-Hardening |
| SEC-CTX-008 | On **SELinux**-enabled hosts, all containers of a pod (containers, init-containers and ephemeral-containers) must only use approved SELinux types (`container_t`, `container_init_t`, `container_kvm_t`, or `container_engine_t`) and are prohibited from setting custom SELinux users or roles. The `seLinux-Options.user` and `seLinuxOptions.role` fields must remain undefined or empty to prevent privilege escalation through SELinux context manipulation. This ensures containers operate within predefined SELinux security boundaries. | K8s-PSS, BSI-SYS-1-6, OWASP-K8s, NIST-SP, NSA-Hardening |
| SEC-CTX-009 | All containers of a pod (containers, init-containers and ephemeral-containers) must use the default **`/proc`** mount type with standard masking to reduce the kernel attack surface. The `procMount` field must be either undefined/nil or explicitly set to `Default`. The Unmasked option is prohibited to prevent containers from accessing sensitive kernel information through `/proc` that could be used for container escape or information disclosure attacks. | K8s-PSS, BSI-SYS-1-6, OWASP-K8s, NIST-SP, NSA-Hardening |
| SEC-CTX-010 | All containers of a pod (containers, init-containers and ephemeral-containers) must set **`allowPrivilegeEscalation`** to false to prevent privilege escalation through setuid or setgid binaries. This blocks containers from gaining more privileges than their parent process and prevents exploitation of setuid/setgid executables that could lead to container escape or unauthorized privilege elevation. | K8s-PSS, BSI-SYS-1-6, OWASP-K8s, NIST-SP, NSA-Hardening |
### Status
{{ .sec-ctx.status }}

34
docs/security/wld-iso/kyverno-test.yaml Normal file
View File

@@ -0,0 +1,34 @@
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
name: wld-iso
policies:
- wld-iso-001_host-namespaces.yaml
- wld-iso-002_hostpath-volumes.yaml
- wld-iso-003_host-ports.yaml
- wld-iso-004_host-probes.yaml
- wld-iso-005_volume-types.yaml
resources:
- ../../../rendered.yaml
exceptions: []
results:
# wld-iso-001
- policy: disallow-host-namespaces
rule: host-namespaces
result: pass
# wld-iso-002
- policy: disallow-host-path
rule: host-path
result: pass
# wld-iso-003
- policy: disallow-host-ports
rule: host-ports-none
result: pass
# wld-iso-004
- policy: disallow-host-probes-lifecycle
rule: host-probes-lifecycle
result: pass
# wld-iso-005
- policy: restrict-volume-types
rule: restricted-volumes
result: pass

37
docs/security/wld-iso/wld-iso-001_host-namespaces.yaml Normal file
View File

@@ -0,0 +1,37 @@
# Source: https://github.com/kyverno/policies/tree/main/pod-security
# License: Apache-2.0
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
labels:
opendesk.eu/security-id: wld-iso-001
annotations:
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/category: Pod Security Standards (Baseline)
policies.kyverno.io/description: Host namespaces (Process ID namespace, Inter-Process
Communication namespace, and network namespace) allow access to shared information
and can be used to elevate privileges. Pods should not be allowed access to
host namespaces. This policy ensures fields which make use of these host namespaces
are unset or set to `false`.
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/title: Disallow Host Namespaces
name: disallow-host-namespaces
spec:
background: true
rules:
- match:
any:
- resources:
kinds:
- Pod
name: host-namespaces
validate:
message: Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
spec.hostIPC, and spec.hostPID must be unset or set to `false`.
pattern:
spec:
=(hostIPC): "false"
=(hostNetwork): "false"
=(hostPID): "false"
validationFailureAction: Audit

35
docs/security/wld-iso/wld-iso-002_hostpath-volumes.yaml Normal file
View File

@@ -0,0 +1,35 @@
# Source: https://github.com/kyverno/policies/tree/main/pod-security
# License: Apache-2.0
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
labels:
opendesk.eu/security-id: wld-iso-002
annotations:
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/category: Pod Security Standards (Baseline)
policies.kyverno.io/description: HostPath volumes let Pods use host directories
and volumes in containers. Using host resources can be used to access shared
data or escalate privileges and should not be allowed. This policy ensures no
hostPath volumes are in use.
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod,Volume
policies.kyverno.io/title: Disallow hostPath
name: disallow-host-path
spec:
background: true
rules:
- match:
any:
- resources:
kinds:
- Pod
name: host-path
validate:
message: HostPath volumes are forbidden. The field spec.volumes[*].hostPath
must be unset.
pattern:
spec:
=(volumes):
- X(hostPath): "null"
validationFailureAction: Audit

42
docs/security/wld-iso/wld-iso-003_host-ports.yaml Normal file
View File

@@ -0,0 +1,42 @@
# Source: https://github.com/kyverno/policies/tree/main/pod-security
# License: Apache-2.0
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
labels:
opendesk.eu/security-id: wld-iso-003
annotations:
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/category: Pod Security Standards (Baseline)
policies.kyverno.io/description: 'Access to host ports allows potential snooping
of network traffic and should not be allowed, or at minimum restricted to a
known list. This policy ensures the `hostPort` field is unset or set to `0`. '
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/title: Disallow hostPorts
name: disallow-host-ports
spec:
background: true
rules:
- match:
any:
- resources:
kinds:
- Pod
name: host-ports-none
validate:
message: Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
, spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort
must either be unset or set to `0`.
pattern:
spec:
=(ephemeralContainers):
- =(ports):
- =(hostPort): 0
=(initContainers):
- =(ports):
- =(hostPort): 0
containers:
- =(ports):
- =(hostPort): 0
validationFailureAction: Audit

115
docs/security/wld-iso/wld-iso-004_host-probes.yaml Normal file
View File

@@ -0,0 +1,115 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-host-probes-lifecycle
labels:
opendesk.eu/security-id: wld-iso-004
annotations:
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/title: Disallow Host in Probes and Lifecycle Hooks
policies.kyverno.io/category: Pod Security Standards (Restricted)
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/minversion: 1.6.0
policies.kyverno.io/description: >-
The host field in probes and lifecycle hooks allows bypassing network
policies by directing traffic to arbitrary hosts. This policy ensures
that the host field in livenessProbe, readinessProbe, startupProbe,
and lifecycle hooks (postStart/preStop) is either undefined or empty
for both containers and initContainers.
spec:
validationFailureAction: Audit
background: true
rules:
- name: host-probes-lifecycle
match:
any:
- resources:
kinds:
- Pod
validate:
message: >-
The host field in probes and lifecycle hooks must be undefined or empty.
pattern:
spec:
=(initContainers):
- =(livenessProbe):
=(httpGet):
=(host): ""
=(tcpSocket):
=(host): ""
=(readinessProbe):
=(httpGet):
=(host): ""
=(tcpSocket):
=(host): ""
=(startupProbe):
=(httpGet):
=(host): ""
=(tcpSocket):
=(host): ""
=(lifecycle):
=(postStart):
=(httpGet):
=(host): ""
=(tcpSocket):
=(host): ""
=(preStop):
=(httpGet):
=(host): ""
=(tcpSocket):
=(host): ""
=(ephemeralContainers):
- =(livenessProbe):
=(httpGet):
=(host): ""
=(tcpSocket):
=(host): ""
=(readinessProbe):
=(httpGet):
=(host): ""
=(tcpSocket):
=(host): ""
=(startupProbe):
=(httpGet):
=(host): ""
=(tcpSocket):
=(host): ""
=(lifecycle):
=(postStart):
=(httpGet):
=(host): ""
=(tcpSocket):
=(host): ""
=(preStop):
=(httpGet):
=(host): ""
=(tcpSocket):
=(host): ""
=(containers):
- =(livenessProbe):
=(httpGet):
=(host): ""
=(tcpSocket):
=(host): ""
=(readinessProbe):
=(httpGet):
=(host): ""
=(tcpSocket):
=(host): ""
=(startupProbe):
=(httpGet):
=(host): ""
=(tcpSocket):
=(host): ""
=(lifecycle):
=(postStart):
=(httpGet):
=(host): ""
=(tcpSocket):
=(host): ""
=(preStop):
=(httpGet):
=(host): ""
=(tcpSocket):
=(host): ""

53
docs/security/wld-iso/wld-iso-005_volume-types.yaml Normal file
View File

@@ -0,0 +1,53 @@
# Source: https://github.com/kyverno/policies/tree/main/pod-security
# License: Apache-2.0
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
labels:
opendesk.eu/security-id: wld-iso-005
annotations:
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/category: Pod Security Standards (Restricted)
policies.kyverno.io/description: In addition to restricting HostPath volumes,
the restricted pod security profile limits usage of non-core volume types to
those defined through PersistentVolumes. This policy blocks any other type of
volume other than those in the allow list.
policies.kyverno.io/minversion: 1.6.0
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod,Volume
policies.kyverno.io/title: Restrict Volume Types
name: restrict-volume-types
spec:
background: true
rules:
- match:
any:
- resources:
kinds:
- Pod
name: restricted-volumes
preconditions:
all:
- key: '{{ request.operation || ''BACKGROUND'' }}'
operator: NotEquals
value: DELETE
validate:
deny:
conditions:
all:
- key: '{{ request.object.spec.volumes[].keys(@)[] || '''' }}'
operator: AnyNotIn
value:
- name
- configMap
- csi
- downwardAPI
- emptyDir
- ephemeral
- persistentVolumeClaim
- projected
- secret
- ""
message: 'Only the following types of volumes may be used: configMap, csi, downwardAPI,
emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.'
validationFailureAction: Audit

14
docs/security/wld-iso/wld-iso.md Normal file
View File

@@ -0,0 +1,14 @@
## Workload Isolation and Configuration
| ID | Description | References |
|---|---|---|
| WLD-ISO-001 | Pods must not share **host namespaces** (`hostNetwork`, `hostPID`, `hostIPC`). These fields must be undefined/nil or explicitly set to false to prevent containers from accessing host network interfaces, process trees, or inter-process communication mechanisms, which could lead to container escape or unauthorized access to host resources. | K8s-PSS, BSI-SYS-1-6, OWASP-K8s, NIST-SP, NSA-Hardening |
| WLD-ISO-002 | **HostPath volumes** must be forbidden (`spec.volumes[*].hostPath` must be undefined/nil) to prevent containers from mounting directories from the host filesystem, which could enable unauthorized access to sensitive host files, container escape, or persistence mechanisms on the node. | K8s-PSS, BSI-SYS-1-6, OWASP-K8s, NIST-SP, NSA-Hardening |
| WLD-ISO-003 | **Host ports** must be disallowed. The `hostPort` field in all containers (containers, init-containers, and ephemeral-containers) must be undefined/nil or set to 0 to prevent bypassing network policies and exposing services directly on the host network interface, which could lead to unauthorized access or port conflicts. | K8s-PSS, BSI-SYS-1-6, OWASP-K8s, NIST-SP, NSA-Hardening |
| WLD-ISO-004 | The **host field in probes and lifecycle hooks** must be undefined/nil or empty string for all containers (containers and init-containers). This prevents probes and hooks from targeting the host network directly, maintaining proper network isolation between containers and the host system. | K8s-PSS, BSI-SYS-1-6, OWASP-K8s, NIST-SP, NSA-Hardening |
| WLD-VOL-001 | Pods must only use **approved volume types** that maintain security boundaries. Permitted volume types are: `configMap`, `csi`, `downwardAPI`, `emptyDir`, `ephemeral`, `persistentVolumeClaim`, `projected`, and `secret`. All other volume types, particularly those that break isolation boundaries (`hostPath`, etc.), are prohibited to prevent unauthorized access to host resources or external systems. | K8s-PSS, BSI-SYS-1-6, OWASP-K8s, NIST-SP, NSA-Hardening |
### Status
{{ .wld-iso.status }}