-
Notifications
You must be signed in to change notification settings - Fork 0
feat: add kyverno ecr pull requirement policy #605
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
Show all changes
18 commits
Select commit
Hold shift + click to select a range
256179a
feat: add kyverno ecr pull requirement policy
rifisdfds 96e2448
Merge branch 'main' into feat/kyverno-policy-requirement-ecr
rifisdfds 8b9a95e
fix: fix ecr pull policy
rifisdfds 2e12ad4
fix: fix ecr policy
rifisdfds df1e694
fix: update url
rifisdfds 75463e4
fix: fix ecr policy
rifisdfds bb3875d
fix: add link to wiki for more info
rifisdfds 6824193
feat: allow if calls to the service fail so we don't block people dep…
rifisdfds 4f2eded
fix: better handling of check_unavailable
rifisdfds 81e59cf
chore: migrate to validatingpolicy
rifisdfds da97484
feat: attempt to warn when ecr check is not available
rifisdfds 21cbcd2
Revert "feat: attempt to warn when ecr check is not available"
rifisdfds 28cf610
fix: add Warn
rifisdfds 6a59588
fix: autogen not working properly in 1.17
rifisdfds c7d1593
fix: add extra resources to constraints
rifisdfds 4c5693f
fix: amend apigroups and variable expression
rifisdfds 565cf7d
fix: attempt to list offending containers in message
rifisdfds 7734ad4
fix: also remove daemonset from annotation
rifisdfds File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
103 changes: 103 additions & 0 deletions
103
apps/kyverno/policies/hard-requirement/ecr-pull-policy.yaml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,103 @@ | ||
| apiVersion: policies.kyverno.io/v1 | ||
| kind: ValidatingPolicy | ||
| metadata: | ||
| name: ecr-pull-compliance | ||
| annotations: | ||
| policies.kyverno.io/title: ECR Pull Policy Compliance Check | ||
| policies.kyverno.io/category: Requirement | ||
| policies.kyverno.io/severity: medium | ||
| policies.kyverno.io/subject: Deployment,StatefulSet,Job,CronJob | ||
| policies.kyverno.io/description: >- | ||
| Validates that container images from org-owned ECR repositories have | ||
| compliant pull policies that allow cross-account access within the | ||
| AWS Organization. | ||
| spec: | ||
| # Fail-open at the webhook level: if Kyverno (or the compliance service) is | ||
| # unreachable or times out, the http.Post expression errors and the request | ||
| # is admitted rather than blocked. | ||
| # Note: this does not emit a a dedicated "admitted without verification" warning | ||
| # as it does not seem possible with the new CEL policies | ||
| failurePolicy: Ignore | ||
|
|
||
| webhookConfiguration: | ||
| timeoutSeconds: 10 | ||
|
|
||
| evaluation: | ||
| background: | ||
| enabled: true | ||
|
|
||
| validationActions: | ||
| - Audit | ||
| - Warn | ||
|
|
||
| matchConstraints: | ||
| resourceRules: | ||
| - apiGroups: ['apps'] | ||
| apiVersions: ['v1'] | ||
| operations: | ||
| - CREATE | ||
| - UPDATE | ||
| resources: | ||
| - deployments | ||
| - statefulsets | ||
| - apiGroups: ['batch'] | ||
| apiVersions: ['v1'] | ||
| operations: | ||
| - CREATE | ||
| - UPDATE | ||
| resources: | ||
| - jobs | ||
| - cronjobs | ||
|
|
||
| # Equivalent of the ClusterPolicy exclude on namespaces. | ||
| matchConditions: | ||
| - name: exclude-system-namespaces | ||
| expression: "!(object.metadata.namespace in ['kube-system', 'kyverno'])" | ||
|
|
||
| variables: | ||
| # Resolve the pod spec depending on the workload kind: | ||
| # - CronJob nests under spec.jobTemplate.spec.template.spec | ||
| # - all other supported kinds (Deployment, StatefulSet, DaemonSet, Job) | ||
| # nest under spec.template.spec | ||
| - name: podSpec | ||
| expression: >- | ||
| object.kind == 'CronJob' | ||
| ? object.spec.jobTemplate.spec.template.spec | ||
| : object.spec.template.spec | ||
|
|
||
| # Combine standard, init, and ephemeral containers into a single list. | ||
| - name: allContainers | ||
| expression: >- | ||
| variables.podSpec.containers | ||
| + variables.podSpec.?initContainers.orValue([]) | ||
| + variables.podSpec.?ephemeralContainers.orValue([]) | ||
|
|
||
| # Per-image POST to the compliance exporter, keeping only the images that | ||
| # are not allowed. Reused by both the validation expression and the | ||
| # messageExpression so the compliance check runs once per container. | ||
| - name: offendingImages | ||
| expression: >- | ||
| variables.allContainers.filter(c, | ||
| http.Post( | ||
| "http://platform-requirements-ecr-pull-compliance-exporter.ssu-mgmt-dznts.svc.cluster.local:8080/api/v1/compliance/check", | ||
| {"image": c.image}, | ||
| {"Content-Type": "application/json"} | ||
| ).allowed != true | ||
| ).map(c, c.image) | ||
|
|
||
| validations: | ||
| # Assert that no container image is non-compliant. | ||
| - expression: >- | ||
| size(variables.offendingImages) == 0 | ||
| # messageExpression lists the offending image names. The folded scalar | ||
| # collapses newlines into spaces so the result is a single line (a | ||
| # multi-line result would make Kyverno fall back to the static message). | ||
| messageExpression: >- | ||
| "The following container image(s) reference an ECR repository that does | ||
| not have a compliant pull policy: " + variables.offendingImages.join(", ") | ||
| + ". Visit https://wiki.dfds.cloud/en/playbooks/requirements/ECR for more information." | ||
| message: >- | ||
| One or more container images reference an ECR repository that does | ||
| not have a compliant pull policy. Visit | ||
| https://wiki.dfds.cloud/en/playbooks/requirements/ECR | ||
| for more information. | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,3 +4,4 @@ resources: | |
| - require-external-secret-label.yaml | ||
| - require-probes.yaml | ||
| - require-hpa.yaml | ||
| - ecr-pull-policy.yaml | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can messages use the info from above expression? So that the user knows which image is violating.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good suggestion, seems simpler here than the previous type. I have added it