cel-admission-library
This project contains pre-made policies for Kubernetes Validating Admission Policies. The policy library is based on Kubescape controls; see the complete list of controls at https://hub.armosec.io/docs/controls
Kubescape Validating Admission Policy library
This is a library of policies based on Kubescape controls ready for use with Kubernetes Validating Admission Policies. In this library, Kubescape controls have been re-implemented in CEL for your convenience.
Using the library
Note: the Kubernetes Validating Admission Policy feature is still young. It was released as a beta feature (API version admissionregistration.k8s.io/v1beta1) in Kubernetes 1.28 and is stable (admissionregistration.k8s.io/v1) from Kubernetes 1.30. On clusters older than 1.30 you therefore need to enable the ValidatingAdmissionPolicy feature gate and the v1beta1 API group on the API server before you can use it. Look here for how to set up a playground.
Install the latest release of the library:
# Install configuration CRD
kubectl apply -f https://github.com/kubescape/cel-admission-library/releases/latest/download/policy-configuration-definition.yaml
# Install basic configuration
kubectl apply -f https://github.com/kubescape/cel-admission-library/releases/latest/download/basic-control-configuration.yaml
# Install policies
kubectl apply -f https://github.com/kubescape/cel-admission-library/releases/latest/download/kubescape-validating-admission-policies.yaml
You're ready to start using it 😎
You apply a policy to objects by creating a binding. For example, to enforce control C-0016 (deny allowPrivilegeEscalation on containers) on workloads in every namespace carrying the label policy=enforced, run this:
# Creating a binding
kubectl apply -f - <<EOT
apiVersion: admissionregistration.k8s.io/v1beta1   # use admissionregistration.k8s.io/v1 on Kubernetes 1.30+
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: c0016-binding
spec:
  policyName: kubescape-c-0016-allow-privilege-escalation
  paramRef:
    name: basic-control-configuration
    parameterNotFoundAction: Deny
  validationActions:
    - Deny
  matchResources:
    namespaceSelector:
      matchLabels:
        policy: enforced
EOT
# Creating a namespace for running the example
kubectl create namespace policy-example
kubectl label namespace policy-example policy=enforced
# The next line should fail
kubectl -n policy-example run nginx --image=nginx --restart=Never
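To show what a binding like the one above is actually pointing at, here is a ValidatingAdmissionPolicy written in the style of the library's C-0016 control. This is an added illustration, not the library's own manifest: the policy name example-c-0016-allow-privilege-escalation, the variable names and the message text are assumptions. It resolves the PodSpec for both bare Pods and template-carrying workloads, walks regular, init and ephemeral containers, and treats an absent allowPrivilegeEscalation as a violation, since the runtime default for that field is true.

```yaml
# Added example policy, not part of the cel-admission-library release manifests.
apiVersion: admissionregistration.k8s.io/v1beta1   # use admissionregistration.k8s.io/v1 on Kubernetes 1.30+
kind: ValidatingAdmissionPolicy
metadata:
  name: example-c-0016-allow-privilege-escalation   # assumed name
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
      - apiGroups: ["apps"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["deployments", "daemonsets", "statefulsets", "replicasets"]
      - apiGroups: ["batch"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["jobs"]
  variables:
    # A Pod carries its PodSpec directly; the workload kinds above carry it under spec.template.
    - name: podSpec
      expression: "has(object.spec.template) ? object.spec.template.spec : object.spec"
    # Every container kind counts; a missing list is treated as empty.
    - name: containers
      expression: >-
        (has(variables.podSpec.containers) ? variables.podSpec.containers : []) +
        (has(variables.podSpec.initContainers) ? variables.podSpec.initContainers : []) +
        (has(variables.podSpec.ephemeralContainers) ? variables.podSpec.ephemeralContainers : [])
    # Offending containers: no securityContext, field unset (defaults to true), or explicitly true.
    - name: offenders
      expression: >-
        variables.containers.filter(c,
          !has(c.securityContext) ||
          !has(c.securityContext.allowPrivilegeEscalation) ||
          c.securityContext.allowPrivilegeEscalation == true)
  validations:
    - expression: "size(variables.offenders) == 0"
      messageExpression: >-
        'C-0016: allowPrivilegeEscalation must be set to false on containers: ' +
        variables.offenders.map(c, c.name).join(', ')
      reason: Forbidden
```

Bind it exactly like the binding shown above, with policyName changed to example-c-0016-allow-privilege-escalation and without the paramRef block (this policy declares no paramKind, so a binding that references parameters would be rejected). With the binding in place, the bare nginx pod above is denied with the container name in the message, while the same pod with securityContext.allowPrivilegeEscalation: false on its container is admitted.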
Library items
Control ID | Name | Policy name | Configuration parameter |
---|---|---|---|
C-0001 | Forbidden Container Registries | kubescape-c-0001-deny-forbidden-container-registries | untrustedRegistries |
C-0004 | Resources memory limit and request | kubescape-c-0004-deny-resources-with-memory-limit-or-request-not-set | memoryRequestMin |
C-0009 | Resource limits | kubescape-c-0009-deny-resources-with-memory-or-cpu-limit-not-set | not configurable |
C-0016 | Allow privilege escalation | kubescape-c-0016-allow-privilege-escalation | not configurable |
C-0017 | Immutable container filesystem | kubescape-c-0017-deny-resources-with-mutable-container-filesystem | not configurable |
C-0018 | Configured readiness probe | kubescape-c-0018-deny-resources-without-configured-readiness-probes | not configurable |
C-0020 | Mount service principal | kubescape-c-0020-deny-resources-having-volumes-with-potential-access-to-known-cloud-credentials | cloudProvider |
C-0034 | Automatic mapping of service account | kubescape-c-0034-deny-resources-with-automount-service-account-token-enabled | not configurable |
C-0038 | Host PID/IPC privileges | kubescape-c-0038-deny-resources-with-host-ipc-or-pid-privileges | not configurable |
C-0041 | HostNetwork access | kubescape-c-0041-deny-resources-with-host-network-access | not configurable |
C-0042 | SSH server running inside container | kubescape-c-0042-deny-resources-with-ssh-server-running | not configurable |
C-0044 | Container hostPort | kubescape-c-0044-deny-resources-with-host-port | not configurable |
C-0045 | Writable hostPath mount | kubescape-c-0045-deny-workloads-with-hostpath-volumes-readonly-not-false | not configurable |
C-0046 | Insecure capabilities | kubescape-c-0046-deny-resources-with-insecure-capabilities | insecureCapabilities |
C-0048 | HostPath mount | kubescape-c-0048-deny-workloads-with-hostpath-mounts | not configurable |
C-0050 | Resources CPU limit and request | kubescape-c-0050-deny-resources-with-cpu-limit-or-request-not-set | cpuLimitMin |
C-0055 | Linux hardening | kubescape-c-0055-linux-hardening | not configurable |
C-0056 | Configured liveness probe | kubescape-c-0056-deny-resources-without-configured-liveliness-probes | not configurable |
C-0057 | Privileged container | kubescape-c-0057-privileged-container-denied | not configurable |
C-0061 | Pods in default namespace | kubescape-c-0061-deny-workloads-in-default-namespace | not configurable |
C-0062 | Sudo in container entrypoint | kubescape-c-0062-deny-resources-having-containers-with-sudo-in-entrypoint | not configurable |
C-0073 | Naked PODs | kubescape-c-0073-deny-naked-pods | not configurable |
C-0074 | Containers mounting Docker socket | kubescape-c-0074-resources-mounting-docker-socket-denied | not configurable |
C-0075 | Image pull policy on latest tag | kubescape-c-0075-deny-resources-with-image-pull-policy-not-set-to-always-for-latest-tag | not configurable |
C-0076 | Label usage for resources | kubescape-c-0076-deny-resources-without-configured-list-of-labels-not-set | recommendedLabels |
C-0077 | K8s common labels usage | kubescape-c-0077-deny-resources-without-configured-list-of-k8s-common-labels-not-set | k8sRecommendedLabels |
C-0078 | Images from allowed registry | kubescape-c-0078-only-allow-images-from-allowed-registry | imageRepositoryAllowList |
Testing Policies
Cluster
You need a cluster that supports Validating Admission Policies. You can start a simple minikube with the script scripts/setup-test-minikube-cluster.sh
Testing a single policy
You can run the tests associated with a single policy by following these steps.
cd controls/C-0016
python ../../scripts/run-control-tests.py
This script reads the tests.json file in the directory, builds the policy bindings and test objects, and checks the policy, through each binding, against each test object.
tests.json contains test cases; each case has:
- a template object: a YAML file in the test-resources directory
- field changes: the changes to apply to the template object before submitting it
- an expected field: what should happen when the object is applied after the field changes
Learning about Validating Admission Policies
Check this out