Merge pull request #66 from Peefy/add-more-container-validation-modules

feat: add more container validation modules

Author: Peefy

k8s_manifests_containers/kcl.mod

@@ -1,4 +1,4 @@
 [package]
 name = "k8s_manifests_containers"
-version = "0.1.0"
+version = "0.1.1"
 description = "`k8s_manifests_containers` can be used to get all containers resources in a Pod resource."

k8s_manifests_containers/main.k

@@ -9,7 +9,7 @@ is_exempt = lambda image: str, exemptImages: [str] = [] -> bool {
 }
 
 # Get Containers from the input resource item.
-get_containers = lambda item, exemptImages = [] -> [] {
+get_containers = lambda item: {str:}, exemptImages: [str] = [] -> [] {
     containers = []
     if item.kind == "Pod":
         containers = (item.spec.containers or []) + (item.spec.initContainers or []) + (item.spec.ephemeralContainers or [])

required-drop-all/README.md

@@ -0,0 +1,7 @@
+## Introduction
+
+`require-pod-requests-limits` is a KCL validation module
+
+## Resource
+
+The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/require-pod-requests-limits)

required-drop-all/kcl.mod

@@ -0,0 +1,5 @@
+[package]
+name = "require-pod-requests-limits"
+version = "0.1.0"
+description = "`require-pod-requests-limits` is a KCL validation module"
+

required-drop-all/kcl.mod.lock

@@ -0,0 +1,38 @@
+"""Containers must drop `ALL` capabilities."""
+# Judge a image in a container config is exempt
+is_exempt = lambda image: str, exemptImages: [str] = [] -> bool {
+    result = False
+    if exemptImages:
+        result = any exempt_image in exemptImages {
+            (image.startswith(exempt_image.removesuffix("*")) if exempt_image.endswith("*") else exempt_image == image)
+        }
+    result
+}
+
+# Get Containers from the input resource item.
+get_containers = lambda item: {str:}, exemptImages: [str] = [] -> [{str:}] {
+    containers = []
+    if item.kind == "Pod":
+        containers = (item.spec.containers or []) + (item.spec.initContainers or []) + (item.spec.ephemeralContainers or [])
+    elif item.kind == "Deployment":
+        containers = (item.spec.template.spec.containers or []) + (item.spec.template.spec.initContainers or []) + (item.spec.template.spec.ephemeralContainers or [])
+    containers = [c for c in containers if not is_exempt(c.image, exemptImages)]
+}
+
+validate_container = lambda container: {str:} -> bool {
+    drop: [str] = container?.securityContext?.capabilities?.drop or []
+    any d in drop {
+        d.upper() == "ALL"
+    }
+}
+
+# Define the validation function
+validate = lambda item: {str:} {
+    containers = get_containers(item)
+    if containers:
+        container_list_disallow = [c.name for c in containers if not validate_container(c)]
+        assert len(container_list_disallow) == 0, "CPU and memory resource requests and limits are required. for containers {}".format(container_list_disallow)
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

required-drop-all/main.k

@@ -0,0 +1,7 @@
+## Introduction
+
+`required-drop-cap-net-all` is a KCL validation module
+
+## Resource
+
+The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/required-drop-cap-net-all)

required-drop-cap-net-all/README.md

@@ -0,0 +1,5 @@
+[package]
+name = "required-drop-cap-net-all"
+version = "0.1.0"
+description = "`required-drop-cap-net-all` is a KCL validation module"
+

required-drop-cap-net-all/kcl.mod

@@ -0,0 +1,38 @@
+"""Containers must drop `ALL` capabilities."""
+# Judge a image in a container config is exempt
+is_exempt = lambda image: str, exemptImages: [str] = [] -> bool {
+    result = False
+    if exemptImages:
+        result = any exempt_image in exemptImages {
+            (image.startswith(exempt_image.removesuffix("*")) if exempt_image.endswith("*") else exempt_image == image)
+        }
+    result
+}
+
+# Get Containers from the input resource item.
+get_containers = lambda item: {str:}, exemptImages: [str] = [] -> [{str:}] {
+    containers = []
+    if item.kind == "Pod":
+        containers = (item.spec.containers or []) + (item.spec.initContainers or []) + (item.spec.ephemeralContainers or [])
+    elif item.kind == "Deployment":
+        containers = (item.spec.template.spec.containers or []) + (item.spec.template.spec.initContainers or []) + (item.spec.template.spec.ephemeralContainers or [])
+    containers = [c for c in containers if not is_exempt(c.image, exemptImages)]
+}
+
+validate_container = lambda container: {str:} -> bool {
+    drop: [str] = container?.securityContext?.capabilities?.drop or []
+    any d in drop {
+        d.upper() == "CAP_NET_RAW"
+    }
+}
+
+# Define the validation function
+validate = lambda item: {str:} {
+    containers = get_containers(item)
+    if containers:
+        container_list_disallow = [c.name for c in containers if not validate_container(c)]
+        assert len(container_list_disallow) == 0, "CPU and memory resource requests and limits are required. for containers {}".format(container_list_disallow)
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

required-drop-cap-net-all/kcl.mod.lock

@@ -0,0 +1,7 @@
+## Introduction
+
+`require-pod-requests-limits` is a KCL validation module
+
+## Resource
+
+The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/require-pod-requests-limits)

required-drop-cap-net-all/main.k

@@ -0,0 +1,5 @@
+[package]
+name = "require-pod-requests-limits"
+version = "0.1.0"
+description = "`require-pod-requests-limits` is a KCL validation module"
+

required-pod-requests-limits/README.md

@@ -0,0 +1,34 @@
+# Judge a image in a container config is exempt
+is_exempt = lambda image: str, exemptImages: [str] = [] -> bool {
+    result = False
+    if exemptImages:
+        result = any exempt_image in exemptImages {
+            (image.startswith(exempt_image.removesuffix("*")) if exempt_image.endswith("*") else exempt_image == image)
+        }
+    result
+}
+
+# Get Containers from the input resource item.
+get_containers = lambda item: {str:}, exemptImages: [str] = [] -> [{str:}] {
+    containers = []
+    if item.kind == "Pod":
+        containers = (item.spec.containers or []) + (item.spec.initContainers or []) + (item.spec.ephemeralContainers or [])
+    elif item.kind == "Deployment":
+        containers = (item.spec.template.spec.containers or []) + (item.spec.template.spec.initContainers or []) + (item.spec.template.spec.ephemeralContainers or [])
+    containers = [c for c in containers if not is_exempt(c.image, exemptImages)]
+}
+
+validate_pod_resources = lambda container: {str:} -> bool {
+    container?.requests?.memory and container?.requests?.cpu and container?.limits?.memory
+}
+
+# Define the validation function
+validate = lambda item: {str:} {
+    containers = get_containers(item)
+    if containers:
+        container_list_disallow = [c.name for c in containers if not validate_pod_resources(c)]
+        assert len(container_list_disallow) == 0, "CPU and memory resource requests and limits are required. for containers {}".format(container_list_disallow)
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

required-pod-requests-limits/kcl.mod

@@ -0,0 +1,7 @@
+## Introduction
+
+`required-root-fs` is a KCL validation module
+
+## Resource
+
+The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/required-root-fs)

required-pod-requests-limits/kcl.mod.lock

@@ -0,0 +1,5 @@
+[package]
+name = "required-root-fs"
+version = "0.1.0"
+description = "`required-root-fs` is a KCL validation module"
+

required-pod-requests-limits/main.k

@@ -0,0 +1,18 @@
+validate_root_fs = lambda container: {str:} -> bool {
+    container?.securityContext?.readOnlyRootFilesystem is True
+}
+
+# Define the validation function
+validate = lambda item {
+    containers: [{str:}] = []
+    if item.kind == "Pod":
+        containers = (item.spec.containers or []) + (item.spec.initContainers or []) + (item.spec.ephemeralContainers or [])
+    elif item.kind == "Deployment":
+        containers = (item.spec.template.spec.containers or []) + (item.spec.template.spec.initContainers or []) + (item.spec.template.spec.ephemeralContainers or [])
+    if containers:
+        container_list_disallow = [c.name for c in containers if not validate_root_fs(c)]
+        assert len(container_list_disallow) == 0, "Root filesystem must be read-only for containers {}".format(container_list_disallow)
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

required-root-fs/README.md

@@ -0,0 +1,7 @@
+## Introduction
+
+`restrict-image-registries` is a KCL validation module
+
+## Resource
+
+The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/restrict-image-registries)

required-root-fs/kcl.mod

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-image-registries"
+version = "0.1.0"
+description = "`restrict-image-registries` is a KCL validation module"
+

required-root-fs/kcl.mod.lock

@@ -0,0 +1,44 @@
+import yaml
+
+registries: [str] = option("params")?.registries or []
+
+validate_image_registry = lambda image: str, registries: [str] -> bool {
+    any registry in registries {
+        image.startswith(registry)
+    }
+}
+
+# Define the validation function
+validate = lambda item, registries: [str] {
+    containers: [{str:}] = []
+    if item.kind == "Pod":
+        containers = (item.spec.containers or []) + (item.spec.initContainers or []) + (item.spec.ephemeralContainers or [])
+    elif item.kind == "Deployment":
+        containers = (item.spec.template.spec.containers or []) + (item.spec.template.spec.initContainers or []) + (item.spec.template.spec.ephemeralContainers or [])
+    if containers:
+        image_list_disallow = [c.image for c in containers if not validate_image_registry(c.image, registries)]
+        assert len(image_list_disallow) == 0, "container images {} is not allowed, expected {}".format(image_list_disallow, registries)
+    item
+}
+# Validate All resource
+items = [validate(i, registries) for i in option("items") or []]
+
+if option("__test__"):
+    validate(yaml.decode("""\
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod02-registry
+  namespace: ir-pods-namespace
+spec:
+  initContainers:
+  - name: nginx-init
+    image: bar.io/nginx
+  - name: busybox-init
+    image: eu.foo.io/busybox
+  containers:
+  - name: k8s-nginx
+    image: bar.io/nginx
+  - name: busybox
+    image: eu.foo.io1/busybox
+    """), ["bar.io/", "eu.foo.io/"])

required-root-fs/main.k

@@ -0,0 +1,7 @@
+## Introduction
+
+`restrict-service-external-ips` is a KCL validation module
+
+## Resource
+
+The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/restrict-service-external-ips)

restrict-image-registries/README.md

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-service-external-ips"
+version = "0.1.0"
+description = "`restrict-service-external-ips` is a KCL validation module"
+

restrict-image-registries/kcl.mod

@@ -0,0 +1,37 @@
+"""Service externalIPs can be used for a MITM attack (CVE-2020-8554).
+Restrict externalIPs or limit to a known set of addresses.
+See: https://github.com/kyverno/kyverno/issues/1367. This policy validates
+that the `externalIPs` field is not set on a Service.
+"""
+import yaml
+
+externalIPs: [str] = option("params")?.externalIPs or []
+
+# Define the validation function
+validate = lambda item, externalIPs: [str] {
+    if item.kind == "Service" and externalIPs:
+        input = item?.spec?.externalIPs or []
+        assert all ip in input {
+            ip in externalIPs
+        } if input, "externalIPs ${item?.spec?.externalIPs} are not allowed, expected ${externalIPs}"
+    item
+}
+# Validate All resource
+items = [validate(i, externalIPs) for i in option("items") or []]
+
+if option("__test__"):
+    validate(yaml.decode("""\
+apiVersion: v1
+kind: Service
+metadata:
+  name: badservice01-eip
+spec:
+  selector:
+    app: MyApp
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 9376
+  externalIPs:
+    - 127.0.0.1  # Error suite: 127.0.0.2
+    """), ["127.0.0.1"])