From d6efa6c8f60d7dfed2c51167e5ca159ea80f8aed Mon Sep 17 00:00:00 2001
From: Chip Zoller
Date: Tue, 23 Jan 2024 10:31:24 -0500
Subject: [PATCH] render policies (#1117)

Signed-off-by: chipzoller
---
 .../kubecost-proactive-cost-control.md | 95 +++++++++++++++++++
 .../deny-secret-service-account-token-type.md | 46 +++++++++
 .../restrict-sa-automount-sa-token.md | 46 +++++++++
 3 files changed, 187 insertions(+)
 create mode 100644 content/en/policies/kubecost/kubecost-proactive-cost-control/kubecost-proactive-cost-control.md
 create mode 100644 content/en/policies/other/deny-secret-service-account-token-type/deny-secret-service-account-token-type.md
 create mode 100644 content/en/policies/other/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.md

diff --git a/content/en/policies/kubecost/kubecost-proactive-cost-control/kubecost-proactive-cost-control.md b/content/en/policies/kubecost/kubecost-proactive-cost-control/kubecost-proactive-cost-control.md
new file mode 100644
index 000000000..54526fbeb
--- /dev/null
+++ b/content/en/policies/kubecost/kubecost-proactive-cost-control/kubecost-proactive-cost-control.md
@@ -0,0 +1,95 @@
+---
+title: "Kubecost Proactive Cost Control"
+category: Kubecost
+version: 1.11.0
+subject: Deployment
+policyType: "validate"
+description: >
+ Kubecost Enterprise allows users to define budgets for Namespaces and clusters as well as predict the cost of new Deployments based on historical cost data. By combining these abilities, users can achieve proactive cost controls for clusters with Kubecost installed by denying Deployments which would exceed the remaining configured monthly budget, if applicable. This policy checks for the creation of Deployments and compares the predicted cost of the Deployment to the remaining amount in the monthly budget, if one is found. If the predicted cost is greater than the remaining budget, the Deployment is denied. This policy requires Kubecost Enterprise at a version of 1.108 or greater.
+---
+
+## Policy Definition
+/kubecost/kubecost-proactive-cost-control/kubecost-proactive-cost-control.yaml
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: kubecost-proactive-cost-control
+ annotations:
+ policies.kyverno.io/title: Kubecost Proactive Cost Control
+ policies.kyverno.io/category: Kubecost
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Deployment
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kyverno-version: 1.11.4
+ kyverno.io/kubernetes-version: "1.26"
+ policies.kyverno.io/description: >-
+ Kubecost Enterprise allows users to define budgets for Namespaces and clusters
+ as well as predict the cost of new Deployments based on historical cost data.
+ By combining these abilities, users can achieve proactive cost controls for
+ clusters with Kubecost installed by denying Deployments which would exceed the
+ remaining configured monthly budget, if applicable. This policy checks for the creation of
+ Deployments and compares the predicted cost of the Deployment to the remaining amount
+ in the monthly budget, if one is found. If the predicted cost is greater than the remaining
+ budget, the Deployment is denied. This policy requires Kubecost Enterprise
+ at a version of 1.108 or greater.
+spec:
+ validationFailureAction: Audit
+ rules:
+ - name: enforce-monthly-namespace-budget
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ operations:
+ - CREATE
+ # First, check if this Namespace is subject to a budget.
+ # If it is not, always allow the Deployment.
+ preconditions:
+ all:
+ - key: "{{ budget }}"
+ operator: NotEquals
+ value: nobudget
+ context:
+ # Get the budget of the destination Namespace. Select the first budget returned which matches the Namespace.
+ # If no budget is found, set budget to "nobudget".
+ - name: budget
+ apiCall:
+ method: GET
+ service:
+ url: http://kubecost-cost-analyzer.kubecost:9090/model/budgets
+ jmesPath: "data[?values.namespace[?contains(@,'{{ request.namespace }}')]] | [0] || 'nobudget'"
+ # Call the prediction API and pass it the Deployment from the admission request. Extract the totalMonthlyRate.
+ - name: predictedMonthlyCost
+ apiCall:
+ method: POST
+ data:
+ - key: apiVersion
+ value: "{{ request.object.apiVersion }}"
+ - key: kind
+ value: "{{ request.object.kind }}"
+ - key: spec
+ value: "{{ request.object.spec }}"
+ service:
+ url: http://kubecost-cost-analyzer.kubecost:9090/model/prediction/speccost?clusterID=cluster-one&defaultNamespace=default
+ jmesPath: "[0].costChange.totalMonthlyRate"
+ # Calculate the budget that remains from the window by subtracting the currentSpend from the spendLimit.
+ - name: remainingBudget
+ variable:
+ jmesPath: subtract(budget.spendLimit,budget.currentSpend)
+ validate:
+ message: >-
+ This Deployment, which costs ${{ round(predictedMonthlyCost, `2`) }} to run for a month,
+ will overrun the remaining budget of ${{ round(remainingBudget,`2`) }}. Please seek approval or request
+ a Policy Exception.
+ # Deny the request if the predictedMonthlyCost is greater than the remainingBudget.
+ deny:
+ conditions:
+ all:
+ - key: "{{ predictedMonthlyCost }}"
+ operator: GreaterThan
+ value: "{{ remainingBudget }}"
+
+```
diff --git a/content/en/policies/other/deny-secret-service-account-token-type/deny-secret-service-account-token-type.md b/content/en/policies/other/deny-secret-service-account-token-type/deny-secret-service-account-token-type.md
new file mode 100644
index 000000000..994cae1c4
--- /dev/null
+++ b/content/en/policies/other/deny-secret-service-account-token-type/deny-secret-service-account-token-type.md
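Review bot: The `predictedMonthlyCost` apiCall prices the Deployment against `clusterID=cluster-one&defaultNamespace=default` hard-coded in the service URL, while the budget fetched in the `budget` entry is the one for `{{ request.namespace }}`, so the two numbers compared in the deny condition may describe different scopes; if the speccost endpoint prices per namespace, the URL should end `defaultNamespace={{ request.namespace }}`, and the cluster ID belongs in a documented placeholder rather than a literal. The budget selector `values.namespace[?contains(@,'{{ request.namespace }}')]` is a substring test, so a Namespace called `dev` also matches a budget scoped to `dev-legacy`; an exact comparison such as `values.namespace[?@ == '{{ request.namespace }}']` avoids selecting the wrong budget. Because `remainingBudget` is computed from `budget.spendLimit` in the same context block, the comment above it should state what happens when `budget` is the string `nobudget` — presumably the precondition skips the rule first, but that depends on Kyverno's evaluation order and is worth confirming. This page is rendered documentation, so the fix belongs in the source YAML it is generated from.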
@@ -0,0 +1,46 @@
+---
+title: "Deny Secret Service Account Token Type"
+category: Security
+version:
+subject: Secret
+policyType: "validate"
+description: >
+ Before version 1.24, Kubernetes automatically generated Secret-based tokens for ServiceAccounts. When creating a Secret, you can specify its type using the type field of the Secret resource . The type kubernetes.io/service-account-token is used for legacy ServiceAccount tokens . These legacy Tokens can be of security concern and should be audited.
+---
+
+## Policy Definition
+/other/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: deny-secret-service-account-token-type
+ annotations:
+ policies.kyverno.io/title: Deny Secret Service Account Token Type
+ policies.kyverno.io/category: Security
+ kyverno.io/kubernetes-version: "1.27"
+ kyverno.io/kyverno-version: 1.11.1
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Secret
+ policies.kyverno.io/description: >-
+ Before version 1.24, Kubernetes automatically generated Secret-based tokens
+ for ServiceAccounts. When creating a Secret, you can specify its type using the
+ type field of the Secret resource . The type kubernetes.io/service-account-token
+ is used for legacy ServiceAccount tokens . These legacy Tokens can
+ be of security concern and should be audited.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: deny-secret-service-account-token-type
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ validate:
+ message: "Secret ServiceAccount token type is not allowed."
+ pattern:
+ type: "!kubernetes.io/service-account-token"
+```
diff --git a/content/en/policies/other/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.md b/content/en/policies/other/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.md
new file mode 100644
index 000000000..2b9677166
--- /dev/null
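Review bot: The front matter's `version:` is a bare key (it parses as null) and the policy carries no `policies.kyverno.io/minversion` annotation, unlike the Kubecost page in this commit which sets both; either a minimum version should be rendered or the generator should emit `version: ""` so the field keeps one type across pages — the restrict-sa-automount-sa-token page in this commit has the same gap. The description, in both the front matter and the annotation, has stray spaces before two full stops (`Secret resource .`, `ServiceAccount tokens .`); the source YAML should read `...type field of the Secret resource. The type kubernetes.io/service-account-token is used for legacy ServiceAccount tokens.` It would also help a reader if the description said that, with `background: true` and no `operations` filter, the policy reports existing legacy token Secrets as well as newly created ones, which is what the "should be audited" wording implies.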
+++ b/content/en/policies/other/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.md
@@ -0,0 +1,46 @@
+---
+title: "Restrict Auto-Mount of Service Account Tokens in Service Account"
+category: Security
+version:
+subject: Secret,ServiceAccount
+policyType: "validate"
+description: >
+ Kubernetes automatically mounts ServiceAccount credentials in each ServiceAccount. The ServiceAccount may be assigned roles allowing Pods to access API resources. Blocking this ability is an extension of the least privilege best practice and should be followed if Pods do not need to speak to the API server to function. This policy ensures that mounting of these ServiceAccount tokens is blocked.
+---
+
+## Policy Definition
+/other/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.yaml
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-sa-automount-sa-token
+ annotations:
+ policies.kyverno.io/title: Restrict Auto-Mount of Service Account Tokens in Service Account
+ policies.kyverno.io/category: Security
+ kyverno.io/kyverno-version: 1.11.1
+ kyverno.io/kubernetes-version: "1.27"
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Secret,ServiceAccount
+ policies.kyverno.io/description: >-
+ Kubernetes automatically mounts ServiceAccount credentials in each ServiceAccount.
+ The ServiceAccount may be assigned roles allowing Pods to access API resources.
+ Blocking this ability is an extension of the least privilege best practice and should
+ be followed if Pods do not need to speak to the API server to function.
+ This policy ensures that mounting of these ServiceAccount tokens is blocked.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: validate-sa-automountServiceAccountToken
+ match:
+ any:
+ - resources:
+ kinds:
+ - ServiceAccount
+ validate:
+ message: "ServiceAccounts must set automountServiceAccountToken to false."
+ pattern:
+ automountServiceAccountToken: false
+```
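Review bot: The description, in both the front matter and the `policies.kyverno.io/description` annotation, claims the policy "ensures that mounting of these ServiceAccount tokens is blocked", but the pattern only constrains the ServiceAccount object, and a Pod's own `spec.automountServiceAccountToken: true` takes precedence over the ServiceAccount setting, so a token can still be mounted without this rule firing. The last sentence should be narrowed, for example `This policy ensures ServiceAccounts opt out of token automounting; pair it with a Pod-level check, since a Pod's own automountServiceAccountToken field takes precedence.` The `subject` field lists `Secret,ServiceAccount` although the rule matches only `ServiceAccount`; dropping `Secret` keeps the subject aligned with the match block. This page is rendered documentation, so both changes belong in the source YAML it is generated from.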