-
Notifications
You must be signed in to change notification settings - Fork 169
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: chipzoller <[email protected]>
- Loading branch information
1 parent
9862458
commit d6efa6c
Showing
3 changed files
with
187 additions
and
0 deletions.
There are no files selected for viewing
95 changes: 95 additions & 0 deletions
95
...ies/kubecost/kubecost-proactive-cost-control/kubecost-proactive-cost-control.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,95 @@ | ||
| --- | ||
| title: "Kubecost Proactive Cost Control" | ||
| category: Kubecost | ||
| version: 1.11.0 | ||
| subject: Deployment | ||
| policyType: "validate" | ||
| description: > | ||
| Kubecost Enterprise allows users to define budgets for Namespaces and clusters as well as predict the cost of new Deployments based on historical cost data. By combining these abilities, users can achieve proactive cost controls for clusters with Kubecost installed by denying Deployments which would exceed the remaining configured monthly budget, if applicable. This policy checks for the creation of Deployments and compares the predicted cost of the Deployment to the remaining amount in the monthly budget, if one is found. If the predicted cost is greater than the remaining budget, the Deployment is denied. This policy requires Kubecost Enterprise at a version of 1.108 or greater. | ||
| --- | ||
|
|
||
| ## Policy Definition | ||
| <a href="https://github.com/kyverno/policies/raw/main//kubecost/kubecost-proactive-cost-control/kubecost-proactive-cost-control.yaml" target="-blank">/kubecost/kubecost-proactive-cost-control/kubecost-proactive-cost-control.yaml</a> | ||
|
|
||
| ```yaml | ||
| apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| metadata: | ||
| name: kubecost-proactive-cost-control | ||
| annotations: | ||
| policies.kyverno.io/title: Kubecost Proactive Cost Control | ||
| policies.kyverno.io/category: Kubecost | ||
| policies.kyverno.io/severity: medium | ||
| policies.kyverno.io/subject: Deployment | ||
| policies.kyverno.io/minversion: 1.11.0 | ||
| kyverno.io/kyverno-version: 1.11.4 | ||
| kyverno.io/kubernetes-version: "1.26" | ||
| policies.kyverno.io/description: >- | ||
| Kubecost Enterprise allows users to define budgets for Namespaces and clusters | ||
| as well as predict the cost of new Deployments based on historical cost data. | ||
| By combining these abilities, users can achieve proactive cost controls for | ||
| clusters with Kubecost installed by denying Deployments which would exceed the | ||
| remaining configured monthly budget, if applicable. This policy checks for the creation of | ||
| Deployments and compares the predicted cost of the Deployment to the remaining amount | ||
| in the monthly budget, if one is found. If the predicted cost is greater than the remaining | ||
| budget, the Deployment is denied. This policy requires Kubecost Enterprise | ||
| at a version of 1.108 or greater. | ||
| spec: | ||
| validationFailureAction: Audit | ||
| rules: | ||
| - name: enforce-monthly-namespace-budget | ||
| match: | ||
| any: | ||
| - resources: | ||
| kinds: | ||
| - Deployment | ||
| operations: | ||
| - CREATE | ||
| # First, check if this Namespace is subject to a budget. | ||
| # If it is not, always allow the Deployment. | ||
| preconditions: | ||
| all: | ||
| - key: "{{ budget }}" | ||
| operator: NotEquals | ||
| value: nobudget | ||
| context: | ||
| # Get the budget of the destination Namespace. Select the first budget returned which matches the Namespace. | ||
| # If no budget is found, set budget to "nobudget". | ||
| - name: budget | ||
| apiCall: | ||
| method: GET | ||
| service: | ||
| url: http://kubecost-cost-analyzer.kubecost:9090/model/budgets | ||
| jmesPath: "data[?values.namespace[?contains(@,'{{ request.namespace }}')]] | [0] || 'nobudget'" | ||
| # Call the prediction API and pass it the Deployment from the admission request. Extract the totalMonthlyRate. | ||
| - name: predictedMonthlyCost | ||
| apiCall: | ||
| method: POST | ||
| data: | ||
| - key: apiVersion | ||
| value: "{{ request.object.apiVersion }}" | ||
| - key: kind | ||
| value: "{{ request.object.kind }}" | ||
| - key: spec | ||
| value: "{{ request.object.spec }}" | ||
| service: | ||
| url: http://kubecost-cost-analyzer.kubecost:9090/model/prediction/speccost?clusterID=cluster-one&defaultNamespace=default | ||
| jmesPath: "[0].costChange.totalMonthlyRate" | ||
| # Calculate the budget that remains from the window by subtracting the currentSpend from the spendLimit. | ||
| - name: remainingBudget | ||
| variable: | ||
| jmesPath: subtract(budget.spendLimit,budget.currentSpend) | ||
| validate: | ||
| message: >- | ||
| This Deployment, which costs ${{ round(predictedMonthlyCost, `2`) }} to run for a month, | ||
| will overrun the remaining budget of ${{ round(remainingBudget,`2`) }}. Please seek approval or request | ||
| a Policy Exception. | ||
| # Deny the request if the predictedMonthlyCost is greater than the remainingBudget. | ||
| deny: | ||
| conditions: | ||
| all: | ||
| - key: "{{ predictedMonthlyCost }}" | ||
| operator: GreaterThan | ||
| value: "{{ remainingBudget }}" | ||
|
|
||
| ``` |
46 changes: 46 additions & 0 deletions
46
...eny-secret-service-account-token-type/deny-secret-service-account-token-type.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| --- | ||
| title: "Deny Secret Service Account Token Type" | ||
| category: Security | ||
| version: | ||
| subject: Secret | ||
| policyType: "validate" | ||
| description: > | ||
| Before version 1.24, Kubernetes automatically generated Secret-based tokens for ServiceAccounts. When creating a Secret, you can specify its type using the type field of the Secret resource . The type kubernetes.io/service-account-token is used for legacy ServiceAccount tokens . These legacy Tokens can be of security concern and should be audited. | ||
| --- | ||
|
|
||
| ## Policy Definition | ||
| <a href="https://github.com/kyverno/policies/raw/main//other/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml" target="-blank">/other/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml</a> | ||
|
|
||
| ```yaml | ||
| apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| metadata: | ||
| name: deny-secret-service-account-token-type | ||
| annotations: | ||
| policies.kyverno.io/title: Deny Secret Service Account Token Type | ||
| policies.kyverno.io/category: Security | ||
| kyverno.io/kubernetes-version: "1.27" | ||
| kyverno.io/kyverno-version: 1.11.1 | ||
| policies.kyverno.io/severity: medium | ||
| policies.kyverno.io/subject: Secret | ||
| policies.kyverno.io/description: >- | ||
| Before version 1.24, Kubernetes automatically generated Secret-based tokens | ||
| for ServiceAccounts. When creating a Secret, you can specify its type using the | ||
| type field of the Secret resource . The type kubernetes.io/service-account-token | ||
| is used for legacy ServiceAccount tokens . These legacy Tokens can | ||
| be of security concern and should be audited. | ||
| spec: | ||
| validationFailureAction: Audit | ||
| background: true | ||
| rules: | ||
| - name: deny-secret-service-account-token-type | ||
| match: | ||
| any: | ||
| - resources: | ||
| kinds: | ||
| - Secret | ||
| validate: | ||
| message: "Secret ServiceAccount token type is not allowed." | ||
| pattern: | ||
| type: "!kubernetes.io/service-account-token" | ||
| ``` |
46 changes: 46 additions & 0 deletions
46
...policies/other/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| --- | ||
| title: "Restrict Auto-Mount of Service Account Tokens in Service Account" | ||
| category: Security | ||
| version: | ||
| subject: Secret,ServiceAccount | ||
| policyType: "validate" | ||
| description: > | ||
| Kubernetes automatically mounts ServiceAccount credentials in each ServiceAccount. The ServiceAccount may be assigned roles allowing Pods to access API resources. Blocking this ability is an extension of the least privilege best practice and should be followed if Pods do not need to speak to the API server to function. This policy ensures that mounting of these ServiceAccount tokens is blocked. | ||
| --- | ||
|
|
||
| ## Policy Definition | ||
| <a href="https://github.com/kyverno/policies/raw/main//other/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.yaml" target="-blank">/other/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.yaml</a> | ||
|
|
||
| ```yaml | ||
| apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| metadata: | ||
| name: restrict-sa-automount-sa-token | ||
| annotations: | ||
| policies.kyverno.io/title: Restrict Auto-Mount of Service Account Tokens in Service Account | ||
| policies.kyverno.io/category: Security | ||
| kyverno.io/kyverno-version: 1.11.1 | ||
| kyverno.io/kubernetes-version: "1.27" | ||
| policies.kyverno.io/severity: medium | ||
| policies.kyverno.io/subject: Secret,ServiceAccount | ||
| policies.kyverno.io/description: >- | ||
| Kubernetes automatically mounts ServiceAccount credentials in each ServiceAccount. | ||
| The ServiceAccount may be assigned roles allowing Pods to access API resources. | ||
| Blocking this ability is an extension of the least privilege best practice and should | ||
| be followed if Pods do not need to speak to the API server to function. | ||
| This policy ensures that mounting of these ServiceAccount tokens is blocked. | ||
| spec: | ||
| validationFailureAction: Audit | ||
| background: true | ||
| rules: | ||
| - name: validate-sa-automountServiceAccountToken | ||
| match: | ||
| any: | ||
| - resources: | ||
| kinds: | ||
| - ServiceAccount | ||
| validate: | ||
| message: "ServiceAccounts must set automountServiceAccountToken to false." | ||
| pattern: | ||
| automountServiceAccountToken: false | ||
| ``` |