otomi-core icon indicating copy to clipboard operation
otomi-core copied to clipboard

Published 20 hours ago verified publisher icon redkubes

Platform security polcies

Open j-zimnowoda opened this issue 9 months ago • 0 comments

WHY

Platform apps also need to validated to ensure security posture and control the applications during the upgrades

Acceptance criteria

GIVENplatform apps (offline mode) WHENI run otomi validate-polices then THEN I can perform static validation of all the manifests rendered by otomi

GIVENplatform apps on running k8s cluster WHENI enable Kyverno THEN I can see if platform apps conform with that platform security policy baseline

Functional requirements:

  • [ ] prevent run as root user and group
  • [ ] drop all capabilities
  • [ ] enforce semver tags (no latest)
  • [ ] prevent privilege escalation
  • [ ] enforce readOnlyRootFilesystem
  • [ ] ensure runAsNonRoot
  • [ ] enforce privileged: false
  • [ ] prevent hostPath
  • [ ] prevent hostNetwork

Non-functional requirements:

  • [ ] policy exceptions are defined as app artefacts
  • [ ] use kyverno CLI instead of konstraint for policy validation

Definition of done

  • [ ] Relevant PRs are merged
  • [ ] Tested by peer
  • [ ] Updated documentation reviewed by peer
  • [ ] Short demo video recorded and stored on google drive (if applicable)

j-zimnowoda avatar May 07 '24 14:05 j-zimnowoda