
Merge pull request #129 from nitishfy/add-policies
feat: add `kyverno-json dockerfile` policies
anusha94 committed Apr 16, 2024
2 parents 6a31e66 + 5288a21 commit 1c3d4d2
Showing 175 changed files with 6,193 additions and 0 deletions.
10 changes: 10 additions & 0 deletions .github/workflows/chainsaw-e2e.yaml
Original file line number Diff line number Diff line change
@@ -22,6 +22,11 @@ jobs:
- name: Checkout
uses: actions/checkout@v3

- name: Install kyverno-json
uses: kyverno/action-install-kyverno-json@4ac28215fd015ff6aa5525afc67f119f9f758957 # v0.0.1
with:
release: v0.0.3-alpha.2

- name: Prepare environment
run: |
K8S_VERSION=${{ matrix.k8s-version }} make kind-create-cluster
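Review bot: `actions/checkout@v3` is referenced by a mutable tag while `kyverno/action-install-kyverno-json` is pinned to a full commit SHA with a `# v0.0.1` comment; pin both the same way so the job's supply-chain posture is consistent, since a moved tag on the unpinned action would change what runs here without any diff in this file. `release: v0.0.3-alpha.2` is also a pre-release; acceptable for an e2e job, but a short comment on why an alpha is required will stop it being left behind silently.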
@@ -55,6 +60,11 @@ jobs:
- name: Checkout
uses: actions/checkout@v3

- name: Install kyverno-json
uses: kyverno/action-install-kyverno-json@4ac28215fd015ff6aa5525afc67f119f9f758957 # v0.0.1
with:
release: v0.0.3-alpha.2

- name: Prepare environment
run: |
K8S_VERSION=${{ matrix.k8s-version }} make kind-create-cluster
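Review bot: the `Install kyverno-json` step is copied verbatim into the second job, including the release string `v0.0.3-alpha.2`; hoist the version into a workflow-level `env:` value (referenced as `${{ env.KYVERNO_JSON_VERSION }}` in `with: release:`) or a matrix entry so the two jobs cannot drift when one of them is bumped.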
13 changes: 13 additions & 0 deletions dockerfile-best-practices/check-authentication/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
Generally, the Dockerfile should not allow to use the `--allow-unauthenticated` flag.

Using the `--allow-unauthenticated` flag in a Dockerfile is generally not recommended because it disables the validation of package signatures. This flag is specific to certain package managers (like APT for Debian-based systems) and allows the installation of packages without checking their cryptographic signatures.

This policy checks if the Dockerfile contains the `--allow-unauthenticated` flag and gives Failing check if it contains the `--allow-unauthenticated` flag.

**In order to test this policy:**

Run the `kyverno-json scan` command for the `good-payload.json` file that is present in the `test/good-test` directory.
```
kyverno-json scan --payload test/good-test/good-payload.json --policy check-unauthentication-install.yaml
```
Since the Dockerfile don't contain the `--allow-unauthenticated` flag, it'll give you passing checks. In order to test this policy for failing scenario, run the same command for `bad-payload.json` present in `test/bad-test` directory.
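Review bot: the wording needs a pass: "should not allow to use", "gives Failing check if it contains the `--allow-unauthenticated` flag" and "Since the Dockerfile don't contain" read awkwardly; suggest "A Dockerfile should not pass `--allow-unauthenticated` to apt" and "the scan reports a failing check when the flag is present". The README also does not say how `good-payload.json` and `bad-payload.json` were produced; the check-certificate-validation README in this PR uses `nctl scan dockerfile -r <Dockerfile> --show-json`, and pointing to the same command here would let readers regenerate the fixtures after editing the test Dockerfiles. Finally, the file is named `check-unauthentication-install.yaml` while the policy's `metadata.name` is `detect-unauthenticated-flag`; the scan output prints the latter, so a reader grepping for the file name will not find it. Name them consistently.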
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
apiVersion: json.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: detect-unauthenticated-flag
annotations:
policies.kyverno.io/title: Check for unauthenticated flag in Dockerfile
policies.kyverno.io/category: Dockerfile Best Practices
policies.kyverno.io/severity: medium
policies.kyverno.io/description: >-
This policy ensures that Dockerfile do not contain the '--allow-unauthenticated' flag.
spec:
rules:
- name: detect-unauthenticated-flag
match:
any:
- (Stages[].Commands[?Name=='RUN'].CmdLine[] | length(@) > `0`): true
assert:
any:
- message: Dockerfile contains the '--allow-unauthenticated' which is not preferred
check:
~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
(contains(@, '--allow-unauthenticated') && (contains(@, 'apt-get') || contains(@, 'apt'))): false
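Review bot: the check `(contains(@, '--allow-unauthenticated') && (contains(@, 'apt-get') || contains(@, 'apt')))` has a dead clause: any string containing `apt-get` already contains `apt`, so the `apt-get` test adds nothing, and a bare `apt` substring also matches unrelated words. More importantly, the flag is only one way to switch off APT signature verification; `--allow-insecure-repositories`, `-o Acquire::AllowInsecureRepositories=true` and a `[trusted=yes]` option in a sources entry written by a `RUN` line achieve the same result and pass this policy. Either widen the check or state in `policies.kyverno.io/description` that only `--allow-unauthenticated` is covered. The violation message "contains the '--allow-unauthenticated' which is not preferred" is missing the word "flag" and does not say why it fails; "contains the `--allow-unauthenticated` flag, which disables APT package signature verification" would. Minor: `match` uses `CmdLine[]` while `check` uses `CmdLine[][]`; both evaluate, but the curl policy in this PR uses `[][]` in both places, so align them.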
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
FROM ubuntu:latest

RUN apt-get update && \
apt-get install -y --allow-unauthenticated yamllint

WORKDIR /app

COPY . /app

EXPOSE 8080

CMD ["echo", "Container is running!"]
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
{
"MetaArgs": null,
"Stages": [
{
"Name": "",
"BaseName": "ubuntu:latest",
"Platform": "",
"Comment": "",
"SourceCode": "FROM ubuntu:latest",
"Location": [
{
"Start": {
"Line": 1,
"Character": 0
},
"End": {
"Line": 1,
"Character": 0
}
}
],
"From": {
"Image": "ubuntu:latest"
},
"Commands": [
{
"CmdLine": [
"apt-get update && apt-get install -y --allow-unauthenticated yamllint"
],
"Files": null,
"FlagsUsed": [],
"Name": "RUN",
"PrependShell": true
},
{
"Name": "WORKDIR",
"Path": "/app"
},
{
"Chmod": "",
"Chown": "",
"DestPath": "/app",
"From": "",
"Link": false,
"Name": "COPY",
"SourceContents": null,
"SourcePaths": [
"."
]
},
{
"Name": "EXPOSE",
"Ports": [
"8080"
]
},
{
"CmdLine": [
"echo",
"Container is running!"
],
"Files": null,
"Name": "CMD",
"PrependShell": false
}
]
}
]
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
name: good-test
spec:
steps:
- name: kyverno-json
try:
- script:
content: |
set -e
kyverno-json scan --policy ../check-unauthentication-install.yaml --payload ./good-test/good-payload.json --output json
check:
($error): ~
(json_parse($stdout)):
- results:
- policy:
apiVersion: json.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: detect-unauthenticated-flag
rules:
- rule:
name: detect-unauthenticated-flag
error: ~
violations: ~
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
name: bad-test
spec:
steps:
- name: kyverno-json
try:
- script:
content: |
set -e
kyverno-json scan --policy ../check-unauthentication-install.yaml --payload ./bad-test/bad-payload.json --output json
check:
($error): ~
(json_parse($stdout)):
- results:
- policy:
apiVersion: json.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: detect-unauthenticated-flag
rules:
- rule:
name: detect-unauthenticated-flag
error: ~
violations:
- message: Dockerfile contains the '--allow-unauthenticated' which is not preferred
errors:
- type: FieldValueInvalid
value: true
detail: 'Expected value: false'
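Review bot: both scripts run with `set -e` and then assert `($error): ~`, which only holds if `kyverno-json scan` exits 0 when a policy fails. If the binary returns a non-zero status on violations, the bad-test step aborts before `$stdout` is parsed and the expected `FieldValueInvalid` error is never compared. Confirm the exit-code behaviour of `v0.0.3-alpha.2` (the version pinned in the workflow) or drop `set -e` from these scripts. The relative path `../check-unauthentication-install.yaml` also assumes chainsaw runs the step from the `test` directory; a one-line comment saying so would help anyone invoking the test from elsewhere.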
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
FROM ubuntu:latest

RUN apt-get update && \
apt-get install -y yamllint

WORKDIR /app

COPY . /app

EXPOSE 8080

CMD ["echo", "Container is running!"]
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
{
"MetaArgs": null,
"Stages": [
{
"Name": "",
"BaseName": "ubuntu:latest",
"Platform": "",
"Comment": "",
"SourceCode": "FROM ubuntu:latest",
"Location": [
{
"Start": {
"Line": 1,
"Character": 0
},
"End": {
"Line": 1,
"Character": 0
}
}
],
"From": {
"Image": "ubuntu:latest"
},
"Commands": [
{
"CmdLine": [
"apt-get update && apt-get install -y yamllint"
],
"Files": null,
"FlagsUsed": [],
"Name": "RUN",
"PrependShell": true
},
{
"Name": "WORKDIR",
"Path": "/app"
},
{
"Chmod": "",
"Chown": "",
"DestPath": "/app",
"From": "",
"Link": false,
"Name": "COPY",
"SourceContents": null,
"SourcePaths": [
"."
]
},
{
"Name": "EXPOSE",
"Ports": [
"8080"
]
},
{
"CmdLine": [
"echo",
"Container is running!"
],
"Files": null,
"Name": "CMD",
"PrependShell": false
}
]
}
]
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
When you use the `--insecure` option with the curl command, you're essentially telling curl to bypass SSL certificate verification. SSL certificate verification is a security feature that ensures the authenticity of the server you are connecting to by verifying its SSL certificate against a trusted certificate authority.

**Here's what happens when you use `--insecure`:**

Normally, curl checks the SSL certificate presented by the server against a list of trusted certificate authorities to ensure the server's identity. If the certificate verification fails, curl returns an error. However, when you use --insecure, curl ignores any SSL certificate verification errors.

By bypassing SSL certificate verification, you're opening yourself up to potential security risks. This includes the risk of connecting to a server that is not who it claims to be, potentially exposing sensitive information or becoming vulnerable to man-in-the-middle attacks.

Thi policy checks whether you've disabled the certificate validation when using the *curl* command, using the `--insecure` option. If you have provided the `--insecure` option in the *curl*, the Policy will give you failing checks else Passing checks.

**In order to test this policy, use the following commands:**

- Make sure you have `kyverno-json` installed on the machine
- Make sure you have [nctl `v3.4.0`](https://downloads.nirmata.io/nctl/downloads/) or above.


1. **Extract JSON equivalent of the dockerfile:**
```bash
nctl scan dockerfile -r test/good-test/Dockerfile --show-json > payload.json
```

2. **Test the Policy with Kyverno:**
```bash
kyverno-json scan --payload payload.json --policy check-certificate-validation-curl.yaml
```

a. **Test Policy Against Valid Payload:**
```bash
kyverno-json scan --policy check-certificate-validation-curl.yaml --payload test/good-test/good-payload.json
```

This produces the output:
```
Loading policies ...
Loading payload ...
Pre processing ...
Running ( evaluating 1 resource against 1 policy ) ...
- check-certificate-validation-curl / check-certificate-validation-curl / PASSED
Done
```

b. **Test Against Invalid Payload:**
```bash
kyverno-json scan --policy check-certificate-validation-curl.yaml --payload test/bad-test/bad-payload.json
```

This produces the output:
```
Loading policies ...
Loading payload ...
Pre processing ...
Running ( evaluating 1 resource against 1 policy ) ...
- check-certificate-validation-curl / check-certificate-validation-curl / FAILED: Ensure certificate validation is enabled by not using `--insecure` option: any[0].check.~.(Stages[].Commands[?Name=='RUN'].CmdLine[][])[1].(contains(@, 'curl') && (contains(@
```
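Review bot: "Thi policy" is a typo, and the FAILED output at the end is cut off mid-expression (`(contains(@, 'curl') && (contains(@`); either paste the full line or trim it deliberately with `...`. The pasted line also quotes `contains(@, 'curl')`, whereas the policy in this PR uses `starts_with(@, 'curl ') || contains(@, ' curl ')`, so the output was captured from an earlier revision of the policy and should be regenerated. The steps overlap as well: step 1 generates `payload.json` with `nctl scan dockerfile ... --show-json`, step 2 scans it, then 2a scans the checked-in `test/good-test/good-payload.json`, so `payload.json` is produced and never used for the valid case; either drop step 2 or explain that `nctl` is only needed when testing a Dockerfile of your own. Minor: curl verifies TLS certificates; "SSL" is the legacy name.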

Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
apiVersion: json.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-certificate-validation-curl
annotations:
policies.kyverno.io/title: Check for certificate validation using curl in the Dockerfile
policies.kyverno.io/category: Dockerfile Best Practices
policies.kyverno.io/severity: medium
policies.kyverno.io/description: >-
This policy checks whether certificate validation is disabled in the Dockerfile using --insecure option when running the curl command
spec:
rules:
- name: check-certificate-validation-curl
match:
any:
- (Stages[].Commands[?Name=='RUN'].CmdLine[][] | length(@) > `0`): true
assert:
any:
- message: Ensure certificate validation is enabled by not using `--insecure` option
check:
~.(Stages[].Commands[?Name=='RUN'].CmdLine[][]):
((starts_with(@, 'curl ') || contains(@, ' curl ')) && (contains(@, ' --insecure'))): false
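Review bot: the check only recognises the long form with a leading space, `' --insecure'`; curl's short alias `-k` (as in `curl -k -LO ...`, or bundled as `-kLO`) disables the same verification and passes this policy. Add at least `contains(@, ' -k ')` alongside `' --insecure'` and say in the description that bundled short options are not detected. The curl detection via `starts_with(@, 'curl ')` or `contains(@, ' curl ')` likewise misses `/usr/bin/curl`, `&&curl` and tab-separated forms; word-boundary matching is awkward in JMESPath, so document that limitation rather than leaving readers to assume full coverage.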
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
FROM alpine:latest

RUN apk --no-cache add curl

RUN curl --insecure -LO https://github.com/glasskube/glasskube/releases/download/v0.0.1/glasskube_v0.0.1_amd64.deb

ENTRYPOINT ["curl"]
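Review bot: this fixture downloads a `.deb` package into an `alpine:latest` image, which apk cannot install; harmless for a test payload, but a fixture that mirrors a realistic Dockerfile (an Alpine `.apk` or a tarball) would make the policy's intent clearer to anyone copying it, and the image tag should be pinned for the same reason the policy exists: reproducible, verifiable builds.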
