Policies that are to be enforced by GateKeeper for the Cloud Native Platform
StatCan/gatekeeper-policies
GateKeeper Policies

Policies that are to be enforced by GateKeeper for the Kubernetes Platform.

Note: Gatekeeper is a validating/mutating admission webhook that enforces CRD-based policies, which are executed by Open Policy Agent.

Policies

General

This repo contains general policies that can be used to enforce common Kubernetes requirements.

| Control Aspect | Gatekeeper Constraint Template |
| --- | --- |
| Container Allowed Images | container-allowed-images |
| Container Image Must Have Digest | container-image-must-have-digest |
| Container Limits | container-limits |
| Deny External Users | deny-external-users |
| Ingress No Hostnames | ingress-no-hostnames |
| Ingress Hostnames Conflict | ingress-hostnames-conflict |
| Load Balancer No Public IPs | loadbalancer-no-public-ips |
| Pod Enforce Labels | pod-enforce-labels |
| Restrict Hostnames | restrict-hostnames |

Pod Security Policies

This repo contains common policies that replace the deprecated PodSecurityPolicy controls with Gatekeeper Constraint Templates.

| Control Aspect | Gatekeeper Constraint Template |
| --- | --- |
| Allowed external ips | allowed-external-ips |
| Allowed host paths | allowed-host-paths |
| Allowed privilege escalation | allowed-privilege-escalation |
| Allowed proc mount types | allowed-proc-mount-types |
| Allowed seccomp profiles | allowed-seccomp-profiles |
| Allowed users and groups | allowed-users-groups |
| Allowed volume types | allowed-volume-types |
| Block automount token | block-automount-token |
| Block default namespace | block-default-namespace |
| Block host namespace | block-host-namespace |
| Container capabilities | container-capabilities |
| Container no privilege escalation | container-no-privilege-escalation |
| Deny Employee-Only Features | deny-employee-only-features |
| Deny extraction | deny-extraction |
| Deny pipelines | deny-pipelines |
| Disk data classification | disk-data-classification |
| Enforce apparmor profile | enforce-apparmor-profile |
| Flexvolume drivers | flexvolume-drivers |
| Forbidden sysctls | forbidden-sysctls |
| Host networking and ports | host-network-ports |
| Protected B Auth | protectedb-auth |
| Require read only root file system | read-only-root-filesystem |
| Metadata restrictions | metadata-restrictions |
| Namespace guardrails | namespace-guardrails |
| SELinux context of the container | seLinux |

Service Mesh

This repo contains a set of common policies that can be used to enforce specific Service Mesh features.

| Control Aspect | Gatekeeper Constraint Template |
| --- | --- |
| Gateway | gateway |
| Peer Authentication | peer-authentication |
| Port Naming | port-naming |
| Traffic Policy | traffic-policy |

Testing

When creating a policy, there are currently three ways of testing it:

OPA Tests

The `opa` CLI can be used to run tests on policies. This is very useful because Open Policy Agent allows data to be mocked easily via the `with` keyword.

These tests are best suited to policies that need data which is not available in the AdmissionReview itself but is accessed through Gatekeeper's data replication feature (the `data.inventory` tree).

To take advantage of automatic test running and the automatic copying of rego into a ConstraintTemplate, the following structure needs to be followed:

- Ensure that the ConstraintTemplate is in a file named `template.yaml` at the root of your policy's folder
- Ensure that the rego files are in a folder called `rego`
- Ensure that the rego that should be injected into the ConstraintTemplate is named `src.rego`
- Run the `rego.sh` script to run tests and copy your source code into `template.yaml`
  - Note: requires the `yq` utility
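As an added example (not the repository's own ingress-hostnames-conflict implementation), here is a cut-down policy of that kind together with two `opa test` cases that mock Gatekeeper's replicated inventory using `with`. It is shown as one file; in the layout above the rules would live in `rego/src.rego` and the tests in a sibling `*_test.rego` file of the same package. The package name, namespaces and hostnames are assumed.

```rego
# Added illustration (not this repo's policy code): a minimal Ingress hostname
# conflict check that needs replicated cluster data, plus opa tests that mock
# that data with the `with` keyword. Package, namespaces and hosts are made up.
package ingresshostnamesconflict

# Gatekeeper exposes synced resources under
# data.inventory.namespace[<namespace>][<apiVersion>][<kind>][<name>]
violation[{"msg": msg}] {
  input.review.kind.kind == "Ingress"
  host := input.review.object.spec.rules[_].host
  other := data.inventory.namespace[_][other_api_version]["Ingress"][_]
  re_match("^(extensions|networking.k8s.io)/", other_api_version)
  other.spec.rules[_].host == host
  not identical(other, input.review)
  msg := sprintf("ingress host conflicts with an existing ingress <%v>", [host])
}

# On UPDATE the object being admitted is already in the inventory; skip it.
identical(obj, review) {
  obj.metadata.namespace == review.object.metadata.namespace
  obj.metadata.name == review.object.metadata.name
}

# --- tests: run with `opa test rego/ -v` ---

# Constructed replicated data: one Ingress already owns shop.example.com.
mock_inventory = {"namespace": {"team-a": {"networking.k8s.io/v1": {"Ingress": {
  "storefront": {
    "metadata": {"name": "storefront", "namespace": "team-a"},
    "spec": {"rules": [{"host": "shop.example.com"}]}
  }
}}}}}

# Constructed AdmissionReview fragment for an Ingress in another namespace.
review_for(host) = {
  "kind": {"group": "networking.k8s.io", "version": "v1", "kind": "Ingress"},
  "object": {
    "metadata": {"name": "web", "namespace": "team-b"},
    "spec": {"rules": [{"host": host}]}
  }
}

test_conflicting_host_denied {
  count(violation) == 1 with input as review_for("shop.example.com") with data.inventory as mock_inventory
}

test_unused_host_allowed {
  count(violation) == 0 with input as review_for("new.example.com") with data.inventory as mock_inventory
}
```

Because the inventory is mocked, the tests run offline against no cluster; the real `data.inventory` is only populated when a Gatekeeper `Config` resource syncs Ingresses.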

Integration Tests

Integration tests run as part of the GitHub Actions workflow. They deploy the policies to a k3s cluster using the BATS framework: for each policy, the ConstraintTemplate, a single CustomResource of the CRD derived from that ConstraintTemplate, and two resources representing a passing and a failing scenario are applied.

To take advantage of this system, create the following:

- Ensure that the ConstraintTemplate is in a file named `template.yaml` at the root of your policy's folder
- Create a folder named `example` at the root of your policy's folder
- In the `example` folder:
  - Create a file named `constraint.yaml` with the CustomResource representing an implemented policy
  - Create a file named `allowed.yaml` with a resource that should pass the policy
  - Create a file named `disallowed.yaml` with a resource that should not pass the policy

Gator

`gator` is a recent addition to Gatekeeper that allows test suites to be created and run locally.

`gator` test suites are run automatically as part of the CI.

Links

Acknowledgements