feat: add more cncf project validation modules

Signed-off-by: peefy <[email protected]>

Author: Peefy

add-castai-removal-disabled/README.md

@@ -0,0 +1,5 @@
+[package]
+name = "add-castai-removal-disabled"
+edition = "*"
+version = "0.1.0"
+description = "`add-castai-removal-disabled` is a kcl mutation package."

add-castai-removal-disabled/kcl.mod

@@ -0,0 +1,9 @@
+labels = option("labels") or {
+    "autoscaling.cast.ai/removal-disabled" = "true"
+}
+items = [item | {
+    if item.kind == "Job":
+        spec.template.metadata.labels: labels
+    elif item.kind == "CronJob":
+        jobTemplate.template.metadata.labels: labels
+} for item in option("items") or []]

add-castai-removal-disabled/main.k

@@ -0,0 +1,6 @@
+[package]
+name = "add-network-policy-dns"
+edition = "*"
+version = "0.1.0"
+description = "`add-network-policy-dns` is a KCL mutation module"
+

add-network-policy-dns/README.md

@@ -0,0 +1,21 @@
+ns_list = [item.metadata.name for item in option("items") or [] if item.kind == "Namespace"]
+items = (option("items") or []) + [{
+    apiVersion: "networking.k8s.io/v1"
+    kind: "NetworkPolicy"
+    name: "allow-dns"
+    namespace: "${ns.metadata.name}"
+    synchronize: False
+    data.spec: {
+        # select all pods in the namespace
+        podSelector.matchLabels: {}
+        # deny all traffic
+        policyTypes: ["Egress"]
+        egress: [{
+            to: [{namespaceSelector.matchLabels.name = "kube-system"}]
+            ports: [{
+                protocol: "UDP"
+                port = 53
+            }]
+        }]
+    }
+} for ns in ns_list]

add-network-policy-dns/kcl.mod

@@ -0,0 +1,6 @@
+[package]
+name = "add-network-policy"
+edition = "*"
+version = "0.1.0"
+description = "`add-network-policy` is a KCL mutation module"
+

add-network-policy-dns/kcl.mod.lock

@@ -0,0 +1,14 @@
+ns_list = [item.metadata.name for item in option("items") or [] if item.kind == "Namespace"]
+items = (option("items") or []) + [{
+    apiVersion: "networking.k8s.io/v1"
+    kind: "NetworkPolicy"
+    name: "default-deny"
+    namespace: "${ns.metadata.name}"
+    synchronize: True
+    data.spec: {
+        # select all pods in the namespace
+        podSelector: {}
+        # deny all traffic
+        policyTypes: ["Ingress", "Egress"]
+    }
+} for ns in ns_list]

add-network-policy-dns/main.k

@@ -0,0 +1,5 @@
+[package]
+name = "add-safe-to-evict"
+edition = "*"
+version = "0.1.0"
+description = "`add-safe-to-evict` is a KCL mutation module"

add-network-policy/README.md

@@ -0,0 +1,6 @@
+items = [item | {
+    if item.kind == "Pod":
+        metadata.annotations: {
+            "cluster-autoscaler.kubernetes.io/safe-to-evict": "true"
+        }
+} for item in option("items") or []]

add-network-policy/kcl.mod

@@ -0,0 +1,4 @@
+[package]
+name = "cert-manager-limit-dns-names"
+version = "0.1.0"
+description = "`cert-manager-limit-dns-names` is a KCL validation module"

add-network-policy/kcl.mod.lock

@@ -0,0 +1,8 @@
+# Define the validation function
+validate = lambda item {
+    if item.kind == "Certificate":
+        assert len(item?.spec?.dnsNames or []) <= 1, "Only one dnsNames entry allowed per certificate request."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

add-network-policy/main.k

@@ -0,0 +1,4 @@
+[package]
+name = "cert-manager-limit-duration"
+version = "0.1.0"
+description = "`cert-manager-limit-duration` is a KCL validation module"

add-safe-to-evict/README.md

@@ -0,0 +1,11 @@
+import regex
+# Define the validation function
+validate = lambda item {
+    if item.kind == "Certificate":
+        if "letsencrypt" in item.spec.issuerRef.name and item.spec?.duration:
+            duration = int(regex.replace(item.spec?.duration, "h.*", ""))
+            assert 0 <= duration <= 2400, "certificate duration must be < than 2400h (100 days)"
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

add-safe-to-evict/kcl.mod

@@ -0,0 +1,4 @@
+[package]
+name = "cert-manager-restrict-issuer"
+version = "0.1.0"
+description = "`cert-manager-restrict-issuer` is a KCL validation module"

add-safe-to-evict/main.k

@@ -0,0 +1,13 @@
+# Define the validation function
+validate = lambda item {
+    if item.kind == "Certificate":
+        if any n in item.spec.dnsNames {
+            n.endswith(".corp.com")
+        }:
+            issuerRef = item.spec.issuerRef
+            condition = issuerRef.name == "our-corp-issuer" and issuerRef.kind == "ClusterIssuer" and issuerRef.group == "cert-manager.io"
+            assert condition, "When requesting a cert for this domain, you must use our corporate issuer."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

cert-manager-limit-dns-names/README.md

@@ -0,0 +1,4 @@
+[package]
+name = "consul-enforce-min-tls-version"
+version = "0.1.0"
+description = "`consul-enforce-min-tls-version` is a KCL validation module"

cert-manager-limit-dns-names/kcl.mod

@@ -0,0 +1,8 @@
+# Define the validation function
+validate = lambda item {
+    if item.kind == "Mesh":
+        assert item.spec.tls.incoming.tlsMinVersion == "TLSv1_2", "The minimum version of TLS is TLS v1_2"
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

cert-manager-limit-dns-names/main.k

@@ -0,0 +1,4 @@
+[package]
+name = "disallow-cri-sock-mount"
+version = "0.1.0"
+description = "`disallow-cri-sock-mount` is a KCL validation module"

cert-manager-limit-duration/README.md

@@ -0,0 +1,22 @@
+"""Container daemon socket bind mounts allows access to the container engine on the
+node. This access can be used for privilege escalation and to manage containers
+outside of Kubernetes, and hence should not be allowed. This policy validates that
+the sockets used for CRI engines Docker, Containerd, and CRI-O are not used.
+"""
+
+# Define the validation function
+validate = lambda item {
+    if item.kind == "Pod":
+        paths = [p.path for v in item?.spec?.volumes or [] for p in v.hostPath]
+        assert all p in paths {
+            p not in [
+                "/var/run/docker.sock"
+                "/var/run/containerd.sock"
+                "/var/run/crio.sock"
+                "/var/run/cri-dockerd.sock"
+            ]
+        } if paths, "Use of the Docker Unix socket, Containerd Unix socket, CRI-O Unix socket and Docker CRI socket are not allowed."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

cert-manager-limit-duration/kcl.mod

@@ -0,0 +1,4 @@
+[package]
+name = "disallow-default-namespace"
+version = "0.1.0"
+description = "`disallow-default-namespace` is a KCL validation module"

cert-manager-limit-duration/main.k

@@ -0,0 +1,17 @@
+kinds: [str] = option("params")?.kinds or option("kinds") or [
+    "Pod"
+    "DaemonSet"
+    "Deployment"
+    "Job"
+    "StatefulSet"
+]
+
+# Define the validation function
+validate = lambda item {
+    if item.kind in kinds:
+        ns = item?.matadata?.namespace or "default"
+        assert ns != "Using 'default' namespace is not allowed for ${item.kind}: ${item.metadata.name}"
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

cert-manager-restrict-issuer/README.md

@@ -0,0 +1,4 @@
+[package]
+name = "disallow-empty-ingress-host"
+version = "0.1.0"
+description = "`disallow-empty-ingress-host` is a KCL validation module"

cert-manager-restrict-issuer/kcl.mod

@@ -0,0 +1,14 @@
+"""An ingress resource needs to define an actual host name
+in order to be valid. This policy ensures that there is a
+hostname for each rule defined.
+"""
+
+# Define the validation function
+validate = lambda item {
+    if item.kind == "Ingress":
+        host_list = [r.host for r in item?.spec?.rules if not r.host]
+        assert len(host_list) == 0, "The Ingress host name must be defined, not empty."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

cert-manager-restrict-issuer/main.k

@@ -0,0 +1,4 @@
+[package]
+name = "disallow-helm-tiller"
+version = "0.1.0"
+description = "`disallow-helm-tiller` is a KCL validation module"

consul-enforce-min-tls-version/README.md

@@ -0,0 +1,22 @@
+"""Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared
+resource accessible to any authenticated user. Tiller can lead to privilege escalation as
+restricted users can impact other users. It is recommend to use Helm v3+ which does not contain
+Tiller for these reasons. This policy validates that there is not an image
+containing the name `tiller`.
+"""
+
+# Define the validation function
+validate = lambda item: {str:} {
+    containers: [{str:}] = []
+    if item.kind == "Pod":
+        containers = (item?.spec?.containers or []) + (item?.spec?.phemeralContainers or []) + (item?.spec?.initContainers or [])
+    elif item.kind == "Deployment":
+        containers = (item?.spec?.template?.spec?.containers or []) + (item?.spec?.template?.spec?.phemeralContainers or []) + (item?.spec?.template?.spec?.initContainers or [])
+    images: [str] = [c.image for c in containers]
+    assert all image in images {
+        "tiller" not in image
+    } if images, """Helm Tiller is not allowed for ${item.kind}: ${item.metadata.name}"""
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items")]

consul-enforce-min-tls-version/kcl.mod

@@ -0,0 +1,4 @@
+[package]
+name = "disallow-image-repos"
+version = "0.1.0"
+description = "`disallow-image-repos` is a kcl validation package"

consul-enforce-min-tls-version/main.k

@@ -0,0 +1,23 @@
+"""Disallowed container image repositories that begin with a string from the specified list.
+"""
+
+# The list of prefixes a container image is allowed to have.
+repos: [str] = option("params").repos or []
+
+# Define the validation function
+validate = lambda item {
+    containers = []
+    if item.kind == "Pod" and repos:
+        containers = (item.spec.containers or []) + (item.spec.phemeralContainers or []) + (item.spec.initContainers or [])
+    elif item.kind == "Deployment":
+        containers = (item.spec.template.spec.containers or []) + (item.spec.template.spec.phemeralContainers or []) + (item.spec.template.spec.initContainers or [])
+    images: [str] = [c.image for c in containers]
+    assert all image in images {
+        all repo in repos {
+            not image.startswith(repo)
+        }
+    } if images and repos, """Use of image is disallowed for ${item.kind}: ${item.metadata.name}, valid repos ${repos}"""
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items")]

disallow-cri-sock-mount/README.md

@@ -0,0 +1,4 @@
+[package]
+name = "disallow-latest-tag"
+version = "0.1.0"
+description = "`disallow-latest-tag` is a KCL validation module"