Merge pull request #129 from nitishfy/add-policies
feat: add `kyverno-json dockerfile` policies
Showing 175 changed files with 6,193 additions and 0 deletions.
@@ -0,0 +1,13 @@ | ||
Generally, the Dockerfile should not allow to use the `--allow-unauthenticated` flag. | ||
|
||
Using the `--allow-unauthenticated` flag in a Dockerfile is generally not recommended because it disables the validation of package signatures. This flag is specific to certain package managers (like APT for Debian-based systems) and allows the installation of packages without checking their cryptographic signatures. | ||
|
||
This policy checks if the Dockerfile contains the `--allow-unauthenticated` flag and gives Failing check if it contains the `--allow-unauthenticated` flag. | ||
|
||
**In order to test this policy:** | ||
|
||
Run the `kyverno-json scan` command for the `good-payload.json` file that is present in the `test/good-test` directory. | ||
``` | ||
kyverno-json scan --payload test/good-test/good-payload.json --policy check-unauthentication-install.yaml | ||
``` | ||
Since the Dockerfile don't contain the `--allow-unauthenticated` flag, it'll give you passing checks. In order to test this policy for failing scenario, run the same command for `bad-payload.json` present in `test/bad-test` directory. |
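Review bot: the README promises a failing check whenever the Dockerfile contains `--allow-unauthenticated`, but the rule in check-unauthentication-install.yaml only reports the flag when the same RUN line also contains `apt` or `apt-get`; state that scope here, otherwise a reader expects the bare option to be caught in any command. The curl README in this PR also documents how the payload JSON is produced (`nctl scan dockerfile -r <Dockerfile> --show-json`); add the same step here, since these instructions give no way to turn a Dockerfile into `good-payload.json`. Minor wording: "Since the Dockerfile don't contain" should read "Since the Dockerfile doesn't contain", and "gives Failing check" reads better as "reports a failing check".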
dockerfile-best-practices/check-authentication/check-unauthentication-install.yaml (22 additions, 0 deletions)
@@ -0,0 +1,22 @@ | ||
apiVersion: json.kyverno.io/v1alpha1 | ||
kind: ValidatingPolicy | ||
metadata: | ||
name: detect-unauthenticated-flag | ||
annotations: | ||
policies.kyverno.io/title: Check for unauthenticated flag in Dockerfile | ||
policies.kyverno.io/category: Dockerfile Best Practices | ||
policies.kyverno.io/severity: medium | ||
policies.kyverno.io/description: >- | ||
This policy ensures that Dockerfile do not contain the '--allow-unauthenticated' flag. | ||
spec: | ||
rules: | ||
- name: detect-unauthenticated-flag | ||
match: | ||
any: | ||
- (Stages[].Commands[?Name=='RUN'].CmdLine[] | length(@) > `0`): true | ||
assert: | ||
any: | ||
- message: Dockerfile contains the '--allow-unauthenticated' which is not preferred | ||
check: | ||
~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]): | ||
(contains(@, '--allow-unauthenticated') && (contains(@, 'apt-get') || contains(@, 'apt'))): false |
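Review bot: the check tests each `CmdLine` string on its own, so an exec-form instruction bypasses it. The payload fixtures in this PR show that exec-form commands are split into one `CmdLine` element per token (`"CmdLine": ["echo", "Container is running!"]` with `"PrependShell": false`), so `RUN ["apt-get", "install", "-y", "--allow-unauthenticated", "pkg"]` never has `apt-get` and the flag in the same string, the match condition is still true, and the assertion passes. Either join the tokens before matching (iterate over `CmdLine[]` instead of `CmdLine[][]` and test `join(' ', @)`), or drop the `apt`/`apt-get` requirement and flag the bare option, which is what the README and the description actually promise. Also `contains(@, 'apt')` is already true whenever `contains(@, 'apt-get')` is, so the first disjunct is redundant, and the description should read "Dockerfiles do not contain".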
dockerfile-best-practices/check-authentication/test/bad-test/Dockerfile (12 additions, 0 deletions)
@@ -0,0 +1,12 @@ | ||
FROM ubuntu:latest | ||
|
||
RUN apt-get update && \ | ||
apt-get install -y --allow-unauthenticated yamllint | ||
|
||
WORKDIR /app | ||
|
||
COPY . /app | ||
|
||
EXPOSE 8080 | ||
|
||
CMD ["echo", "Container is running!"] |
dockerfile-best-practices/check-authentication/test/bad-test/bad-payload.json (69 additions, 0 deletions)
@@ -0,0 +1,69 @@ | ||
{ | ||
"MetaArgs": null, | ||
"Stages": [ | ||
{ | ||
"Name": "", | ||
"BaseName": "ubuntu:latest", | ||
"Platform": "", | ||
"Comment": "", | ||
"SourceCode": "FROM ubuntu:latest", | ||
"Location": [ | ||
{ | ||
"Start": { | ||
"Line": 1, | ||
"Character": 0 | ||
}, | ||
"End": { | ||
"Line": 1, | ||
"Character": 0 | ||
} | ||
} | ||
], | ||
"From": { | ||
"Image": "ubuntu:latest" | ||
}, | ||
"Commands": [ | ||
{ | ||
"CmdLine": [ | ||
"apt-get update && apt-get install -y --allow-unauthenticated yamllint" | ||
], | ||
"Files": null, | ||
"FlagsUsed": [], | ||
"Name": "RUN", | ||
"PrependShell": true | ||
}, | ||
{ | ||
"Name": "WORKDIR", | ||
"Path": "/app" | ||
}, | ||
{ | ||
"Chmod": "", | ||
"Chown": "", | ||
"DestPath": "/app", | ||
"From": "", | ||
"Link": false, | ||
"Name": "COPY", | ||
"SourceContents": null, | ||
"SourcePaths": [ | ||
"." | ||
] | ||
}, | ||
{ | ||
"Name": "EXPOSE", | ||
"Ports": [ | ||
"8080" | ||
] | ||
}, | ||
{ | ||
"CmdLine": [ | ||
"echo", | ||
"Container is running!" | ||
], | ||
"Files": null, | ||
"Name": "CMD", | ||
"PrependShell": false | ||
} | ||
] | ||
} | ||
] | ||
} |
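Review bot: this fixture is generated parser output, not hand-written JSON, so the command that produced it belongs next to it (the curl README shows `nctl scan dockerfile -r <Dockerfile> --show-json`); anyone editing the Dockerfile otherwise has no way to regenerate the payload and keep the two in sync. Worth noting for the policy's maintainers: the parser has already collapsed the two-line shell-form RUN into the single string `"apt-get update && apt-get install -y --allow-unauthenticated yamllint"`, which is the only reason the substring check works, and the `Location` data covers the FROM stage alone, so a violation cannot be mapped back to the offending Dockerfile line.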
dockerfile-best-practices/check-authentication/test/chainsaw-test.yaml (60 additions, 0 deletions)
@@ -0,0 +1,60 @@ | ||
# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json | ||
apiVersion: chainsaw.kyverno.io/v1alpha1 | ||
kind: Test | ||
metadata: | ||
name: good-test | ||
spec: | ||
steps: | ||
- name: kyverno-json | ||
try: | ||
- script: | ||
content: | | ||
set -e | ||
kyverno-json scan --policy ../check-unauthentication-install.yaml --payload ./good-test/good-payload.json --output json | ||
check: | ||
($error): ~ | ||
(json_parse($stdout)): | ||
- results: | ||
- policy: | ||
apiVersion: json.kyverno.io/v1alpha1 | ||
kind: ValidatingPolicy | ||
metadata: | ||
name: detect-unauthenticated-flag | ||
rules: | ||
- rule: | ||
name: detect-unauthenticated-flag | ||
error: ~ | ||
violations: ~ | ||
--- | ||
# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json | ||
apiVersion: chainsaw.kyverno.io/v1alpha1 | ||
kind: Test | ||
metadata: | ||
name: bad-test | ||
spec: | ||
steps: | ||
- name: kyverno-json | ||
try: | ||
- script: | ||
content: | | ||
set -e | ||
kyverno-json scan --policy ../check-unauthentication-install.yaml --payload ./bad-test/bad-payload.json --output json | ||
check: | ||
($error): ~ | ||
(json_parse($stdout)): | ||
- results: | ||
- policy: | ||
apiVersion: json.kyverno.io/v1alpha1 | ||
kind: ValidatingPolicy | ||
metadata: | ||
name: detect-unauthenticated-flag | ||
rules: | ||
- rule: | ||
name: detect-unauthenticated-flag | ||
error: ~ | ||
violations: | ||
- message: Dockerfile contains the '--allow-unauthenticated' which is not preferred | ||
errors: | ||
- type: FieldValueInvalid | ||
value: true | ||
detail: 'Expected value: false' |
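Review bot: the bad-test assertion pins `type: FieldValueInvalid` and `detail: 'Expected value: false'`, which are the engine's own wording for a failed boolean assertion rather than anything this policy controls; a kyverno-json release that rephrases that detail breaks the test with no change in policy behaviour. Asserting on `message` and on `violations` being non-empty is enough to prove the rule fires. Both Test documents also name their single step `kyverno-json`; naming the steps after the scenario (for example `good-payload` and `bad-payload`) makes chainsaw's report readable when one of them fails.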
dockerfile-best-practices/check-authentication/test/good-test/Dockerfile (12 additions, 0 deletions)
@@ -0,0 +1,12 @@ | ||
FROM ubuntu:latest | ||
|
||
RUN apt-get update && \ | ||
apt-get install -y yamllint | ||
|
||
WORKDIR /app | ||
|
||
COPY . /app | ||
|
||
EXPOSE 8080 | ||
|
||
CMD ["echo", "Container is running!"] |
dockerfile-best-practices/check-authentication/test/good-test/good-payload.json (69 additions, 0 deletions)
@@ -0,0 +1,69 @@ | ||
{ | ||
"MetaArgs": null, | ||
"Stages": [ | ||
{ | ||
"Name": "", | ||
"BaseName": "ubuntu:latest", | ||
"Platform": "", | ||
"Comment": "", | ||
"SourceCode": "FROM ubuntu:latest", | ||
"Location": [ | ||
{ | ||
"Start": { | ||
"Line": 1, | ||
"Character": 0 | ||
}, | ||
"End": { | ||
"Line": 1, | ||
"Character": 0 | ||
} | ||
} | ||
], | ||
"From": { | ||
"Image": "ubuntu:latest" | ||
}, | ||
"Commands": [ | ||
{ | ||
"CmdLine": [ | ||
"apt-get update && apt-get install -y yamllint" | ||
], | ||
"Files": null, | ||
"FlagsUsed": [], | ||
"Name": "RUN", | ||
"PrependShell": true | ||
}, | ||
{ | ||
"Name": "WORKDIR", | ||
"Path": "/app" | ||
}, | ||
{ | ||
"Chmod": "", | ||
"Chown": "", | ||
"DestPath": "/app", | ||
"From": "", | ||
"Link": false, | ||
"Name": "COPY", | ||
"SourceContents": null, | ||
"SourcePaths": [ | ||
"." | ||
] | ||
}, | ||
{ | ||
"Name": "EXPOSE", | ||
"Ports": [ | ||
"8080" | ||
] | ||
}, | ||
{ | ||
"CmdLine": [ | ||
"echo", | ||
"Container is running!" | ||
], | ||
"Files": null, | ||
"Name": "CMD", | ||
"PrependShell": false | ||
} | ||
] | ||
} | ||
] | ||
} |
dockerfile-best-practices/check-certificate-validation-curl/README.md (55 additions, 0 deletions)
@@ -0,0 +1,55 @@ | ||
When you use the `--insecure` option with the curl command, you're essentially telling curl to bypass SSL certificate verification. SSL certificate verification is a security feature that ensures the authenticity of the server you are connecting to by verifying its SSL certificate against a trusted certificate authority. | ||
|
||
**Here's what happens when you use `--insecure`:** | ||
|
||
Normally, curl checks the SSL certificate presented by the server against a list of trusted certificate authorities to ensure the server's identity. If the certificate verification fails, curl returns an error. However, when you use --insecure, curl ignores any SSL certificate verification errors. | ||
|
||
By bypassing SSL certificate verification, you're opening yourself up to potential security risks. This includes the risk of connecting to a server that is not who it claims to be, potentially exposing sensitive information or becoming vulnerable to man-in-the-middle attacks. | ||
|
||
Thi policy checks whether you've disabled the certificate validation when using the *curl* command, using the `--insecure` option. If you have provided the `--insecure` option in the *curl*, the Policy will give you failing checks else Passing checks. | ||
|
||
**In order to test this policy, use the following commands:** | ||
|
||
- Make sure you have `kyverno-json` installed on the machine | ||
- Make sure you have [nctl `v3.4.0`](https://downloads.nirmata.io/nctl/downloads/) or above. | ||
|
||
|
||
1. **Extract JSON equivalent of the dockerfile:** | ||
```bash | ||
nctl scan dockerfile -r test/good-test/Dockerfile --show-json > payload.json | ||
``` | ||
|
||
2. **Test the Policy with Kyverno:** | ||
```bash | ||
kyverno-json scan --payload payload.json --policy check-certificate-validation-curl.yaml | ||
``` | ||
|
||
a. **Test Policy Against Valid Payload:** | ||
```bash | ||
kyverno-json scan --policy check-certificate-validation-curl.yaml --payload test/good-test/good-payload.json | ||
``` | ||
|
||
This produces the output: | ||
``` | ||
Loading policies ... | ||
Loading payload ... | ||
Pre processing ... | ||
Running ( evaluating 1 resource against 1 policy ) ... | ||
- check-certificate-validation-curl / check-certificate-validation-curl / PASSED | ||
Done | ||
``` | ||
|
||
b. **Test Against Invalid Payload:** | ||
```bash | ||
kyverno-json scan --policy check-certificate-validation-curl.yaml --payload test/bad-test/bad-payload.json | ||
``` | ||
|
||
This produces the output: | ||
``` | ||
Loading policies ... | ||
Loading payload ... | ||
Pre processing ... | ||
Running ( evaluating 1 resource against 1 policy ) ... | ||
- check-certificate-validation-curl / check-certificate-validation-curl / FAILED: Ensure certificate validation is enabled by not using `--insecure` option: any[0].check.~.(Stages[].Commands[?Name=='RUN'].CmdLine[][])[1].(contains(@, 'curl') && (contains(@ | ||
``` | ||
|
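Review bot: the sample FAILED output at the end does not match the policy shipped in this PR: it shows the check as `contains(@, 'curl') && (contains(@`, while check-certificate-validation-curl.yaml uses `(starts_with(@, 'curl ') || contains(@, ' curl ')) && (contains(@, ' --insecure'))`, so the text was captured from an earlier revision and should be regenerated (the line is also cut off mid-expression). Steps 1 and 2 write the good Dockerfile's JSON to `payload.json` and scan it, then 2a scans the committed `good-payload.json`, which is the same check twice; either fold them together or present step 1 as the way to produce a payload for your own Dockerfile. Typo: "Thi policy" should be "This policy".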
...e-best-practices/check-certificate-validation-curl/check-certificate-validation-curl.yaml (22 additions, 0 deletions)
@@ -0,0 +1,22 @@ | ||
apiVersion: json.kyverno.io/v1alpha1 | ||
kind: ValidatingPolicy | ||
metadata: | ||
name: check-certificate-validation-curl | ||
annotations: | ||
policies.kyverno.io/title: Check for certificate validation using curl in the Dockerfile | ||
policies.kyverno.io/category: Dockerfile Best Practices | ||
policies.kyverno.io/severity: medium | ||
policies.kyverno.io/description: >- | ||
This policy checks whether certificate validation is disabled in the Dockerfile using --insecure option when running the curl command | ||
spec: | ||
rules: | ||
- name: check-certificate-validation-curl | ||
match: | ||
any: | ||
- (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true | ||
assert: | ||
any: | ||
- message: Ensure certificate validation is enabled by not using `--insecure` option | ||
check: | ||
~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]): | ||
((starts_with(@, 'curl ') || contains(@, ' curl ')) && (contains(@, ' --insecure'))): false |
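Review bot: the check matches only the long option ` --insecure`; curl's short form `-k` is the same option, so `RUN curl -k -LO https://...` passes this rule unchanged, and because short options combine (`-sSkL`) a plain substring test cannot cover it reliably, which is worth stating in the description if `-k` is left out of scope. The same exec-form evasion as in check-unauthentication-install.yaml applies here: `RUN ["curl", "--insecure", "..."]` is split into one `CmdLine` element per token, so no single string starts with `curl ` or contains ` --insecure`, and the rule passes; iterating over `CmdLine[]` and testing `join(' ', @)` closes that gap. Consistency: this policy's match expression uses `CmdLine[][]` while the apt policy uses `CmdLine[]`; both are non-empty whenever a RUN exists, but the two policies should use the same form.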
dockerfile-best-practices/check-certificate-validation-curl/test/bad-test/Dockerfile (7 additions, 0 deletions)
@@ -0,0 +1,7 @@ | ||
FROM alpine:latest | ||
|
||
RUN apk --no-cache add curl | ||
|
||
RUN curl --insecure -LO https://github.com/glasskube/glasskube/releases/download/v0.0.1/glasskube_v0.0.1_amd64.deb | ||
|
||
ENTRYPOINT ["curl"] |
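Review bot: the fixture installs curl with `apk` on alpine and then downloads an `_amd64.deb`, a package format this image cannot install; it is harmless for a string-matching test, but a reader who copies the fixture as a template will be misled. Since only the presence of `--insecure` matters to this policy, a fixture that fetches a small text file, or that pins the asset and notes how its digest would be verified, avoids shipping a download-without-verification pattern in a best-practices repository.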