open-policy-agent · sozercan · Sep 4, 2024 · May 25, 2024 · May 25, 2024 · May 28, 2024
@@ -0,0 +1,22 @@
+version: 1.1.0
+name: k8spspapparmor
+displayName: App Armor
+createdAt: "2024-05-29T23:39:01Z"
+description: Configures an allow-list of AppArmor profiles for use by containers. This corresponds to specific annotations applied to a PodSecurityPolicy. For information on AppArmor, see https://kubernetes.io/docs/tutorials/clusters/apparmor/
+digest: f8cdabe3160585e631ef4151638089f56dc276641d42ada49a12aaf8517e2441
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/apparmor
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # App Armor
+    Configures an allow-list of AppArmor profiles for use by containers. This corresponds to specific annotations applied to a PodSecurityPolicy. For information on AppArmor, see https://kubernetes.io/docs/tutorials/clusters/apparmor/
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/apparmor/1.1.0/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library
@@ -0,0 +1,2 @@
+resources:
+  - template.yaml
@@ -0,0 +1,12 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPAppArmor
+metadata:
+  name: psp-apparmor
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    allowedProfiles:
+    - localhost/custom
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-apparmor-disallowed
+  annotations:
+    # apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
+    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
+  labels:
+    app: nginx-apparmor
+spec:
+  ephemeralContainers:
+  - name: nginx
+    image: nginx
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-apparmor-allowed
+  annotations:
+    # apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
+    container.apparmor.security.beta.kubernetes.io/nginx: localhost/custom
+  labels:
+    app: nginx-apparmor
+spec:
+  containers:
+  - name: nginx
+    image: nginx
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-apparmor-allowed
+  labels:
+    app: nginx-apparmor
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+    securityContext:
+      appArmorProfile:
+        type: "Localhost"
+        localhostProfile: "custom"
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-apparmor-allowed
+  labels:
+    app: nginx-apparmor
+spec:
+  securityContext:
+    appArmorProfile:
+      type: "Unconfined"
+  containers:
+  - name: nginx
+    image: nginx
+    securityContext:
+      appArmorProfile:
+        type: "Localhost"
+        localhostProfile: "custom"
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-apparmor-allowed
+  labels:
+    app: nginx-apparmor
+spec:
+  securityContext:
+    appArmorProfile:
+      type: "Localhost"
+      localhostProfile: "custom"
+  containers:
+  - name: nginx
+    image: nginx
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-apparmor-disallowed
+  annotations:
+    # apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
+    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
+  labels:
+    app: nginx-apparmor
+spec:
+  containers:
+  - name: nginx
+    image: nginx
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-apparmor-disallowed
+  labels:
+    app: nginx-apparmor
+spec:
+  containers:
+  - name: nginx
+    image: nginx
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-apparmor-allowed
+  labels:
+    app: nginx-apparmor
+spec:
+  securityContext:
+    appArmorProfile:
+      type: "Localhost"
+      localhostProfile: "custom"
+  containers:
+  - name: nginx
+    image: nginx
+    securityContext:
+      appArmorProfile:
+        type: "Unconfined"
@@ -0,0 +1,41 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: apparmor
+tests:
+  - name: apparmor
+    template: template.yaml
+    constraint: samples/psp-apparmor/constraint.yaml
+    cases:
+      - name: example-allowed
+        object: samples/psp-apparmor/example_allowed.yaml
+        assertions:
+          - violations: no
+      - name: example-allowed-container
+        object: samples/psp-apparmor/example_allowed_container.yaml
+        assertions:
+          - violations: no
+      - name: example-allowed-pod
+        object: samples/psp-apparmor/example_allowed_pod.yaml
+        assertions:
+          - violations: no
+      - name: example-allowed-override
+        object: samples/psp-apparmor/example_allowed_override.yaml
+        assertions:
+          - violations: no
+      - name: example-disallowed
+        object: samples/psp-apparmor/example_disallowed.yaml
+        assertions:
+          - violations: yes
+      - name: example-disallowed-override
+        object: samples/psp-apparmor/example_disallowed_override.yaml
+        assertions:
+          - violations: yes
+      - name: example-disallowed-no-profile
+        object: samples/psp-apparmor/example_disallowed_no_profile.yaml
+        assertions:
+          - violations: yes
+      - name: disallowed-ephemeral
+        object: samples/psp-apparmor/disallowed_ephemeral.yaml
+        assertions:
+          - violations: yes
@@ -0,0 +1,184 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8spspapparmor
+  annotations:
+    metadata.gatekeeper.sh/title: "App Armor"
+    metadata.gatekeeper.sh/version: 1.1.0
+    description: >-
+      Configures an allow-list of AppArmor profiles for use by containers.
+      This corresponds to specific annotations applied to a PodSecurityPolicy.
+      For information on AppArmor, see
+      https://kubernetes.io/docs/tutorials/clusters/apparmor/
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sPSPAppArmor
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          type: object
+          description: >-
+            Configures an allow-list of AppArmor profiles for use by containers.
+            This corresponds to specific annotations applied to a PodSecurityPolicy.
+            For information on AppArmor, see
+            https://kubernetes.io/docs/tutorials/clusters/apparmor/
+          properties:
+            exemptImages:
+              description: >-
+                Any container that uses an image that matches an entry in this list will be excluded
+                from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+                It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+                in order to avoid unexpectedly exempting images from an untrusted repository.
+              type: array
+              items:
+                type: string
+            allowedProfiles:
+              description: "An array of AppArmor profiles. Examples: `runtime/default`, `unconfined`."
+              type: array
+              items:
+                type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      code:
+      - engine: K8sNativeValidation
+        source:
+          variables:
+          - name: containers
+            expression: 'has(variables.anyObject.spec.containers) ? variables.anyObject.spec.containers : []'
+          - name: initContainers
+            expression: 'has(variables.anyObject.spec.initContainers) ? variables.anyObject.spec.initContainers : []'
+          - name: ephemeralContainers
+            expression: 'has(variables.anyObject.spec.ephemeralContainers) ? variables.anyObject.spec.ephemeralContainers : []'
+          - name: allContainers
+            expression: 'variables.containers + variables.initContainers + variables.ephemeralContainers'
+          - name: podAppArmor
+            expression: 'has(variables.anyObject.spec.securityContext) && has(variables.anyObject.spec.securityContext.appArmorProfile) ? variables.anyObject.spec.securityContext.appArmorProfile : null'
+          - name: canonicalPodAppArmor
+            expression: |
+              variables.podAppArmor == null ? "runtime/default" : 
+                variables.podAppArmor.type == "RuntimeDefault" ? "runtime/default" :
+                  variables.podAppArmor.type == "Unconfined" ? "unconfined" : 
+                    variables.podAppArmor.type == "Localhost" ? "localhost/" + variables.podAppArmor.localhostProfile : ""
+          - name: appArmorByContainer
+            expression: |
+              variables.allContainers.map(container, [container.name,
+                has(container.securityContext) && has(container.securityContext.appArmorProfile) ?
+                  (container.securityContext.appArmorProfile.type == "RuntimeDefault" ? "runtime/default" :
+                    container.securityContext.appArmorProfile.type == "Unconfined" ? "unconfined" : 
+                      container.securityContext.appArmorProfile.type == "Localhost" ? "localhost/" + container.securityContext.appArmorProfile.localhostProfile : "") :
+                  has(variables.anyObject.metadata.annotations) && ("container.apparmor.security.beta.kubernetes.io/" + container.name) in variables.anyObject.metadata.annotations ?
+                    variables.anyObject.metadata.annotations["container.apparmor.security.beta.kubernetes.io/" + container.name] :
+                      variables.canonicalPodAppArmor
+              ])
+          - name: exemptImagePrefixes
+            expression: |
+              !has(variables.params.exemptImages) ? [] :
+                variables.params.exemptImages.filter(image, image.endsWith("*")).map(image, string(image).replace("*", ""))
+          - name: exemptImageExplicit
+            expression: |
+              !has(variables.params.exemptImages) ? [] : 
+                variables.params.exemptImages.filter(image, !image.endsWith("*"))
+          - name: exemptImages
+            expression: |
+              (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
+                container.image in variables.exemptImageExplicit ||
+                variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption))
+              ).map(container, container.image)
+          validations:
+          - expression: |
+              variables.allContainers.all(container,
+                (container.image in variables.exemptImages) ||
+                variables.appArmorByContainer.exists(pair, pair[0] == container.name && pair[1] in variables.params.allowedProfiles)
+              )
+            messageExpression: '"AppArmor profile is not allowed. Allowed Profiles: " + variables.params.allowedProfiles.join(", ")'
+      - engine: Rego
+        source:
+          rego: |
+            package k8spspapparmor
+
+            import data.lib.exempt_container.is_exempt
+
+            violation[{"msg": msg, "details": {}}] {
+                container := input_containers[_]
+                not is_exempt(container)
+                not input_apparmor_allowed(input.review.object, container)
+                msg := sprintf("AppArmor profile is not allowed, pod: %v, container: %v. Allowed profiles: %v", [input.review.object.metadata.name, container.name, input.parameters.allowedProfiles])
+            }
+
+            input_apparmor_allowed(pod, container) {
+                get_apparmor_profile(pod, container) == input.parameters.allowedProfiles[_]
+            }
+
+            input_containers[c] {
+                c := input.review.object.spec.containers[_]
+            }
+            input_containers[c] {
+                c := input.review.object.spec.initContainers[_]
+            }
+            input_containers[c] {
+                c := input.review.object.spec.ephemeralContainers[_]
+            }
+
+            get_apparmor_profile(pod, container) = out {
+                profile := object.get(container, ["securityContext", "appArmorProfile"], null)
+                profile != null
+                out := canonicalize_apparmor_profile(profile)
+            }
+
+            get_apparmor_profile(pod, container) = out {
+                profile := object.get(container, ["securityContext", "appArmorProfile"], null)
+                profile == null
+                out := pod.metadata.annotations[sprintf("container.apparmor.security.beta.kubernetes.io/%v", [container.name])]
+            }
+
+            get_apparmor_profile(pod, container) = out {
+                profile := object.get(container, ["securityContext", "appArmorProfile"], null)
+                profile == null
+                not pod.metadata.annotations[sprintf("container.apparmor.security.beta.kubernetes.io/%v", [container.name])]
+                out := canonicalize_apparmor_profile(object.get(pod, ["spec", "securityContext", "appArmorProfile"], null))
+            }
+
+            canonicalize_apparmor_profile(profile) = out {
+                profile.type == "RuntimeDefault"
+                out := "runtime/default"
+            }
+
+            canonicalize_apparmor_profile(profile) = out {
+                profile.type == "Unconfined"
+                out := "unconfined"
+            }
+
+            canonicalize_apparmor_profile(profile) = out {
+                profile.type = "Localhost"
+                out := sprintf("localhost/%s", [profile.localhostProfile])
+            }
+
+            canonicalize_apparmor_profile(profile) = out {
+                profile == null
+                out := "runtime/default"
+            }
+          libs:
+          - |
+            package lib.exempt_container
+
+            is_exempt(container) {
+                exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+                img := container.image
+                exemption := exempt_images[_]
+                _matches_exemption(img, exemption)
+            }
+
+            _matches_exemption(img, exemption) {
+                not endswith(exemption, "*")
+                exemption == img
+            }
+
+            _matches_exemption(img, exemption) {
+                endswith(exemption, "*")
+                prefix := trim_suffix(exemption, "*")
+                startswith(img, prefix)
+            }
+
@@ -9,4 +9,4 @@ spec:
         kinds: ["Pod"]
   parameters:
     allowedProfiles:
-    - runtime/default
+    - localhost/custom
@@ -4,7 +4,7 @@ metadata:
   name: nginx-apparmor-allowed
   annotations:
     # apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
-    container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
+    container.apparmor.security.beta.kubernetes.io/nginx: localhost/custom
   labels:
     app: nginx-apparmor
 spec: