diff --git a/examples/policies-no-rego.md b/examples/policies-no-rego.md index 64d173ef..6f993e83 100644 --- a/examples/policies-no-rego.md +++ b/examples/policies-no-rego.md @@ -33,7 +33,9 @@ **Severity:** Violation -**Resources:** Any Resource +**Resources:** + +- Any Resource **Parameters:** @@ -49,7 +51,12 @@ _source: [required-labels](required-labels)_ **Severity:** Violation -**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet +**Resources:** + +- core/Pod +- apps/DaemonSet +- apps/Deployment +- apps/StatefulSet Granting containers privileged capabilities on the node makes it easier for containers to escalate their privileges. As such, this is not allowed @@ -62,7 +69,12 @@ _source: [container-deny-added-caps](container-deny-added-caps)_ **Severity:** Violation -**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet +**Resources:** + +- core/Pod +- apps/DaemonSet +- apps/Deployment +- apps/StatefulSet Privileged containers can much more easily obtain root on the node. As such, they are not allowed. @@ -74,7 +86,12 @@ _source: [container-deny-escalation](container-deny-escalation)_ **Severity:** Violation -**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet +**Resources:** + +- core/Pod +- apps/DaemonSet +- apps/Deployment +- apps/StatefulSet Privileged containers can easily escalate to root privileges on the node. As such containers running as privileged or with sufficient capabilities granted @@ -87,7 +104,12 @@ _source: [container-deny-privileged](container-deny-privileged)_ **Severity:** Violation -**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet +**Resources:** + +- core/Pod +- apps/DaemonSet +- apps/Deployment +- apps/StatefulSet Pods that can change aliases in the host's /etc/hosts file can redirect traffic to malicious servers. 
@@ -98,7 +120,12 @@ _source: [pod-deny-host-alias](pod-deny-host-alias)_ **Severity:** Violation -**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet +**Resources:** + +- core/Pod +- apps/DaemonSet +- apps/Deployment +- apps/StatefulSet Pods that are allowed to access the host IPC can read memory of the other containers, breaking that security boundary. @@ -110,7 +137,12 @@ _source: [pod-deny-host-ipc](pod-deny-host-ipc)_ **Severity:** Violation -**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet +**Resources:** + +- core/Pod +- apps/DaemonSet +- apps/Deployment +- apps/StatefulSet Pods that can access the host's network interfaces can potentially access and tamper with traffic the pod should not have access to. @@ -122,7 +154,12 @@ _source: [pod-deny-host-network](pod-deny-host-network)_ **Severity:** Violation -**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet +**Resources:** + +- core/Pod +- apps/DaemonSet +- apps/Deployment +- apps/StatefulSet Pods that can access the host's process tree can view and attempt to modify processes outside of their namespace, breaking that security @@ -135,7 +172,12 @@ _source: [pod-deny-host-pid](pod-deny-host-pid)_ **Severity:** Violation -**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet +**Resources:** + +- core/Pod +- apps/DaemonSet +- apps/Deployment +- apps/StatefulSet Pods running as root (uid of 0) can much more easily escalate privileges to root on the node. As such, they are not allowed. @@ -147,7 +189,9 @@ _source: [pod-deny-without-runasnonroot](pod-deny-without-runasnonroot)_ **Severity:** Violation -**Resources:** policy/PodSecurityPolicy +**Resources:** + +- policy/PodSecurityPolicy Allowing containers privileged capabilities on the node makes it easier for containers to escalate their privileges. As such, this is not allowed 
@@ -160,7 +204,9 @@ _source: [psp-deny-added-caps](psp-deny-added-caps)_ **Severity:** Violation -**Resources:** policy/PodSecurityPolicy +**Resources:** + +- policy/PodSecurityPolicy Allowing privileged containers can much more easily obtain root on the node. As such, they are not allowed. @@ -172,7 +218,9 @@ _source: [psp-deny-escalation](psp-deny-escalation)_ **Severity:** Violation -**Resources:** policy/PodSecurityPolicy +**Resources:** + +- policy/PodSecurityPolicy Allowing pods to can change aliases in the host's /etc/hosts file can redirect traffic to malicious servers. @@ -184,7 +232,9 @@ _source: [psp-deny-host-alias](psp-deny-host-alias)_ **Severity:** Violation -**Resources:** policy/PodSecurityPolicy +**Resources:** + +- policy/PodSecurityPolicy Allowing pods to access the host IPC can read memory of the other containers, breaking that security boundary. @@ -196,7 +246,9 @@ _source: [psp-deny-host-ipc](psp-deny-host-ipc)_ **Severity:** Violation -**Resources:** policy/PodSecurityPolicy +**Resources:** + +- policy/PodSecurityPolicy Allowing pods to access the host's process tree can view and attempt to modify processes outside of their namespace, breaking that security @@ -209,7 +261,9 @@ _source: [psp-deny-host-network](psp-deny-host-network)_ **Severity:** Violation -**Resources:** policy/PodSecurityPolicy +**Resources:** + +- policy/PodSecurityPolicy Allowing pods to access the host's process tree can view and attempt to modify processes outside of their namespace, breaking that security @@ -222,7 +276,9 @@ _source: [psp-deny-host-pid](psp-deny-host-pid)_ **Severity:** Violation -**Resources:** policy/PodSecurityPolicy +**Resources:** + +- policy/PodSecurityPolicy Allowing privileged containers can much more easily obtain root on the node. As such, they are not allowed. 
@@ -234,7 +290,12 @@ _source: [psp-deny-privileged](psp-deny-privileged)_ **Severity:** Violation -**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet +**Resources:** + +- core/Pod +- apps/DaemonSet +- apps/Deployment +- apps/StatefulSet Using the latest tag on images can cause unexpected problems in production. By specifying a pinned version we can have higher confidence that our applications are immutable and do not change unexpectedly. @@ -261,7 +322,12 @@ _source: [container-deny-latest-tag](container-deny-latest-tag)_ **Severity:** Violation -**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet +**Resources:** + +- core/Pod +- apps/DaemonSet +- apps/Deployment +- apps/StatefulSet Resource constraints on containers ensure that a given workload does not take up more resources than it requires and potentially starve other applications that need to run. @@ -273,7 +339,9 @@ _source: [container-deny-without-resource-constraints](container-deny-without-re **Severity:** Violation -**Resources:** rbac.authorization.k8s.io/Role +**Resources:** + +- rbac.authorization.k8s.io/Role Workloads not running in the exempted namespaces must not use PodSecurityPolicies with privileged permissions. @@ -284,7 +352,12 @@ _source: [role-deny-use-privileged-psp](role-deny-use-privileged-psp)_ **Severity:** Violation -**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet +**Resources:** + +- core/Pod +- apps/DaemonSet +- apps/Deployment +- apps/StatefulSet **MatchLabels:** is-tenant=true @@ -301,7 +374,10 @@ _source: [container-deny-privileged-if-tenant](container-deny-privileged-if-tena **Severity:** Warning -**Resources:** apps/DaemonSet apps/Deployment +**Resources:** + +- apps/DaemonSet +- apps/Deployment The `extensions/v1beta1 API` has been deprecated in favor of `apps/v1`. Later versions of Kubernetes remove this API so to ensure that the Deployment or DaemonSet can be successfully deployed to the cluster, 
@@ -314,7 +390,12 @@ _source: [any-warn-deprecated-api-versions](any-warn-deprecated-api-versions)_ **Severity:** Warning -**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet +**Resources:** + +- core/Pod +- apps/DaemonSet +- apps/Deployment +- apps/StatefulSet In order to prevent persistence in the case of a compromise, it is important to make the root filesystem read-only. @@ -326,7 +407,9 @@ _source: [container-warn-no-ro-fs](container-warn-no-ro-fs)_ **Severity:** Warning -**Resources:** policy/PodSecurityPolicy +**Resources:** + +- policy/PodSecurityPolicy Allowing pods to access the host's network interfaces can potentially access and tamper with traffic the pod should not have access to. diff --git a/examples/policies.md b/examples/policies.md index 1598811b..39b88e69 100755 --- a/examples/policies.md +++ b/examples/policies.md @@ -33,7 +33,9 @@ **Severity:** Violation -**Resources:** Any Resource +**Resources:** + +- Any Resource **Parameters:** @@ -71,7 +73,12 @@ _source: [required-labels](required-labels)_ **Severity:** Violation -**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet +**Resources:** + +- core/Pod +- apps/DaemonSet +- apps/Deployment +- apps/StatefulSet Granting containers privileged capabilities on the node makes it easier for containers to escalate their privileges. As such, this is not allowed @@ -110,7 +117,12 @@ _source: [container-deny-added-caps](container-deny-added-caps)_ **Severity:** Violation -**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet +**Resources:** + +- core/Pod +- apps/DaemonSet +- apps/Deployment +- apps/StatefulSet Privileged containers can much more easily obtain root on the node. As such, they are not allowed. 
@@ -152,7 +164,12 @@ _source: [container-deny-escalation](container-deny-escalation)_ **Severity:** Violation -**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet +**Resources:** + +- core/Pod +- apps/DaemonSet +- apps/Deployment +- apps/StatefulSet Privileged containers can easily escalate to root privileges on the node. As such containers running as privileged or with sufficient capabilities granted @@ -195,7 +212,12 @@ _source: [container-deny-privileged](container-deny-privileged)_ **Severity:** Violation -**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet +**Resources:** + +- core/Pod +- apps/DaemonSet +- apps/Deployment +- apps/StatefulSet Pods that can change aliases in the host's /etc/hosts file can redirect traffic to malicious servers. @@ -228,7 +250,12 @@ _source: [pod-deny-host-alias](pod-deny-host-alias)_ **Severity:** Violation -**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet +**Resources:** + +- core/Pod +- apps/DaemonSet +- apps/Deployment +- apps/StatefulSet Pods that are allowed to access the host IPC can read memory of the other containers, breaking that security boundary. @@ -260,7 +287,12 @@ _source: [pod-deny-host-ipc](pod-deny-host-ipc)_ **Severity:** Violation -**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet +**Resources:** + +- core/Pod +- apps/DaemonSet +- apps/Deployment +- apps/StatefulSet Pods that can access the host's network interfaces can potentially access and tamper with traffic the pod should not have access to. @@ -295,7 +327,12 @@ _source: [pod-deny-host-network](pod-deny-host-network)_ **Severity:** Violation -**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet +**Resources:** + +- core/Pod +- apps/DaemonSet +- apps/Deployment +- apps/StatefulSet Pods that can access the host's process tree can view and attempt to modify processes outside of their namespace, breaking that security 
@@ -331,7 +368,12 @@ _source: [pod-deny-host-pid](pod-deny-host-pid)_ **Severity:** Violation -**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet +**Resources:** + +- core/Pod +- apps/DaemonSet +- apps/Deployment +- apps/StatefulSet Pods running as root (uid of 0) can much more easily escalate privileges to root on the node. As such, they are not allowed. @@ -364,7 +406,9 @@ _source: [pod-deny-without-runasnonroot](pod-deny-without-runasnonroot)_ **Severity:** Violation -**Resources:** policy/PodSecurityPolicy +**Resources:** + +- policy/PodSecurityPolicy Allowing containers privileged capabilities on the node makes it easier for containers to escalate their privileges. As such, this is not allowed @@ -403,7 +447,9 @@ _source: [psp-deny-added-caps](psp-deny-added-caps)_ **Severity:** Violation -**Resources:** policy/PodSecurityPolicy +**Resources:** + +- policy/PodSecurityPolicy Allowing privileged containers can much more easily obtain root on the node. As such, they are not allowed. @@ -441,7 +487,9 @@ _source: [psp-deny-escalation](psp-deny-escalation)_ **Severity:** Violation -**Resources:** policy/PodSecurityPolicy +**Resources:** + +- policy/PodSecurityPolicy Allowing pods to can change aliases in the host's /etc/hosts file can redirect traffic to malicious servers. @@ -473,7 +521,9 @@ _source: [psp-deny-host-alias](psp-deny-host-alias)_ **Severity:** Violation -**Resources:** policy/PodSecurityPolicy +**Resources:** + +- policy/PodSecurityPolicy Allowing pods to access the host IPC can read memory of the other containers, breaking that security boundary. @@ -508,7 +558,9 @@ _source: [psp-deny-host-ipc](psp-deny-host-ipc)_ **Severity:** Violation -**Resources:** policy/PodSecurityPolicy +**Resources:** + +- policy/PodSecurityPolicy Allowing pods to access the host's process tree can view and attempt to modify processes outside of their namespace, breaking that security 
@@ -541,7 +593,9 @@ _source: [psp-deny-host-network](psp-deny-host-network)_ **Severity:** Violation -**Resources:** policy/PodSecurityPolicy +**Resources:** + +- policy/PodSecurityPolicy Allowing pods to access the host's process tree can view and attempt to modify processes outside of their namespace, breaking that security @@ -577,7 +631,9 @@ _source: [psp-deny-host-pid](psp-deny-host-pid)_ **Severity:** Violation -**Resources:** policy/PodSecurityPolicy +**Resources:** + +- policy/PodSecurityPolicy Allowing privileged containers can much more easily obtain root on the node. As such, they are not allowed. @@ -609,7 +665,12 @@ _source: [psp-deny-privileged](psp-deny-privileged)_ **Severity:** Violation -**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet +**Resources:** + +- core/Pod +- apps/DaemonSet +- apps/Deployment +- apps/StatefulSet Using the latest tag on images can cause unexpected problems in production. By specifying a pinned version we can have higher confidence that our applications are immutable and do not change unexpectedly. @@ -665,7 +726,12 @@ _source: [container-deny-latest-tag](container-deny-latest-tag)_ **Severity:** Violation -**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet +**Resources:** + +- core/Pod +- apps/DaemonSet +- apps/Deployment +- apps/StatefulSet Resource constraints on containers ensure that a given workload does not take up more resources than it requires and potentially starve other applications that need to run. @@ -705,7 +771,9 @@ _source: [container-deny-without-resource-constraints](container-deny-without-re **Severity:** Violation -**Resources:** rbac.authorization.k8s.io/Role +**Resources:** + +- rbac.authorization.k8s.io/Role Workloads not running in the exempted namespaces must not use PodSecurityPolicies with privileged permissions. 
@@ -756,7 +824,12 @@ _source: [role-deny-use-privileged-psp](role-deny-use-privileged-psp)_ **Severity:** Violation -**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet +**Resources:** + +- core/Pod +- apps/DaemonSet +- apps/Deployment +- apps/StatefulSet **MatchLabels:** is-tenant=true @@ -803,7 +876,10 @@ _source: [container-deny-privileged-if-tenant](container-deny-privileged-if-tena **Severity:** Warning -**Resources:** apps/DaemonSet apps/Deployment +**Resources:** + +- apps/DaemonSet +- apps/Deployment The `extensions/v1beta1 API` has been deprecated in favor of `apps/v1`. Later versions of Kubernetes remove this API so to ensure that the Deployment or DaemonSet can be successfully deployed to the cluster, @@ -836,7 +912,12 @@ _source: [any-warn-deprecated-api-versions](any-warn-deprecated-api-versions)_ **Severity:** Warning -**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet +**Resources:** + +- core/Pod +- apps/DaemonSet +- apps/Deployment +- apps/StatefulSet In order to prevent persistence in the case of a compromise, it is important to make the root filesystem read-only. @@ -878,7 +959,9 @@ _source: [container-warn-no-ro-fs](container-warn-no-ro-fs)_ **Severity:** Warning -**Resources:** policy/PodSecurityPolicy +**Resources:** + +- policy/PodSecurityPolicy Allowing pods to access the host's network interfaces can potentially access and tamper with traffic the pod should not have access to. diff --git a/internal/commands/document.go b/internal/commands/document.go index 10133877..294c8ecc 100644 --- a/internal/commands/document.go +++ b/internal/commands/document.go @@ -22,7 +22,7 @@ import ( type Header struct { Title string Description string - Resources string + Resources []string MatchLabels string Anchor string Parameters []rego.Parameter 
@@ -193,18 +193,20 @@ func getDocumentation(path string, outputDirectory string) (map[rego.Severity][]
 return nil, fmt.Errorf("parse matchers from legacy annotations: %w", err)
 }
- var matchResources string
+ var matchResources []string
 if len(policy.AnnotationKindMatchers()) > 0 {
 for _, akm := range policy.AnnotationKindMatchers() {
- matchResources += akm.String() + " "
+ s := strings.Split(akm.String(), " ")
+ matchResources = append(matchResources, s...)
 }
- matchResources = strings.TrimSpace(matchResources)
 } else {
- matchResources = legacyMatchers.KindMatchers.String()
+ if len(legacyMatchers.KindMatchers) > 0 {
+ matchResources = strings.Split(legacyMatchers.KindMatchers.String(), " ")
+ }
 }
- if matchResources == "" {
+ if len(matchResources) == 0 {
 logger.Warn("No kind matchers set, this can lead to poor policy performance.")
- matchResources = "Any Resource"
+ matchResources = append(matchResources, "Any Resource")
 }
 var matchLabels string
diff --git a/internal/commands/document_template.tpl b/internal/commands/document_template.tpl
index 719ea9c9..94eb596a 100644
--- a/internal/commands/document_template.tpl
+++ b/internal/commands/document_template.tpl
@@ -13,7 +13,10 @@
 **Severity:** {{ $severity }}
-**Resources:** {{ .Header.Resources }}
+**Resources:**
+{{ range .Header.Resources }}
+- {{ . }}
+{{- end }}
 {{- if .Header.MatchLabels }}
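Review bot: Both new `strings.Split(..., " ")` calls in getDocumentation produce empty entries whenever the matcher's String() carries leading, trailing or doubled spaces — the removed `strings.TrimSpace` line suggests the annotation form at least used to need trimming — and `strings.Split("", " ")` returns `[""]`, so a matcher whose String() is empty would slip past the `len(matchResources) == 0` guard and render as an empty bullet instead of triggering the "Any Resource" warning. `strings.Fields` splits on whitespace runs and returns nil for an empty string, which restores the old trimming semantics: `matchResources = append(matchResources, strings.Fields(akm.String())...)` in the loop and `matchResources = strings.Fields(legacyMatchers.KindMatchers.String())` in the legacy branch, after which the inner `len(legacyMatchers.KindMatchers) > 0` check is redundant and `} else { if ... }` can collapse to `} else if`. Whether String() actually emits such whitespace depends on the matcher types defined outside this hunk, so this is inferred from the dropped TrimSpace rather than visible here. getDocumentation starts and ends outside the hunk.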