This repository offers a comprehensive library of security policies designed to fortify Kubernetes cluster configurations. These security policies are derived from the CIS Kubernetes benchmark and rules specified by Kubesec.io. The policies are crafted in REGO, a high-level declarative language tailored for defining policies over intricate hierarchical data structures. For an in-depth understanding of REGO, refer to the Policy Language documentation.
Kubernetes Security Policies are crucial for:
-
Enhancing Security: They protect clusters against threats, misconfigurations, and vulnerabilities by applying predefined rules and best practices.
-
Ensuring Consistency: Policies enforce standardized configurations across clusters, simplifying management and reducing configuration drift.
-
Maintaining Compliance: By implementing established benchmarks like CIS Kubernetes, policies help adhere to industry-specific regulatory requirements.
-
Automating Enforcement: Policies automate the enforcement of security best practices, reducing human error and streamlining deployments.
-
Simplifying Auditing: They provide a clear approach to defining and enforcing configurations, enabling easier auditing and monitoring of clusters.
Kubernetes Security Policies are essential for a robust security strategy and promoting a proactive security culture within organizations.
The policies
directory houses numerous folders, each representing a distinct policy. Folders are named according to the benchmark standard, followed by a number to ensure differentiation. For instance, the 1.2.1 Ensure that the --anonymous-auth argument is set to false
policy from the CIS benchmark is verified by REGO files located in the CIS1.2.1
directory. To explore each policy further, consult the Policy Inventory.
Within each folder, you will find a .rego
file and a unit test .rego
file. Additionally, there is a separate lib
folder containing two .rego files that feature general functions importable into other .rego
files. The kubernetes.rego
file encompasses functions and rules employed in security control .rego
files, while the test.rego
file houses functions that can be imported into unit test files.
Each REGO policy examines the manifests of resources deployable in a Kubernetes cluster. The violation
block in each policy file typically includes:
- Identifying the resource object being examined and returning it.
- Verifying if the object breaches the controls defined in the benchmark.
- Displaying an error message if a violation is detected.
Here's a simplified example of a violation:
violation[msg] {
kubernetes.pods[pod]
not kubernetes.contains_element(params.allowedDeploymentsOrPods, kubernetes.name)
is_automount_serviceaccount_token_enabled(pod)
msg := kubernetes.format(sprintf("%v: %v - Automount Service account token must be set to false", [kubernetes.kind, kubernetes.name]))
}
The kubernetes.
prefix indicates a function call from kubernetes.rego
, which contains general functions. Control-specific logic is written in the corresponding REGO file.
Security policies use parameters to evaluate resources. These parameters can be external (e.g., defined in Gatekeeper constraints
) or embedded as default values within the file. Parameters are standardized by combining them:
params = object.union(default_parameters, kubernetes.parameters)
To validate policy accuracy, the OPA
testing framework is used. Each unit test includes functions prefixed with test
in the name, enabling opa test
to recognize them. Positive cases start with test_no_violation
and negative cases with test_violation
. Tests use policy_input
formatted like the manifests:
test_violation {
test.violations(violation) with input as policy_input(true)
}
test_no_violation {
test.no_violations(violation) with input as policy_input(false)
}
Unit test files share the same package as the REGO policy, ensuring the test verifies policy input against the violation block within the same package.
The opa test
output displays whether all tests passed:
$ opa test policies -v
data.spec_volumes_hostpath_path_var_run_docker_sock.test_no_violation: PASS (318.786µs)
data.containers_image_tag.test_violation_1: PASS (512.689µs)
data.containers_image_tag.test_violation_2: PASS (515.964µs)
data.containers_image_tag.test_no_violation: PASS (389.822µs)
data.containers_securitycontext_allowprivilegedeescalation_true.test_violation: PASS (474.668µs)
data.containers_securitycontext_allowprivilegedeescalation_true.test_no_violation: PASS (361.12µs)
--------------------------------------------------------------------------------
PASS: 5/5
This policy library is designed to be compatible with various tools, such as Conftest and Gatekeeper.
Rego policies can serve as a schema in Gatekeeper ConstraintTemplate
. Based on the template, constraints
can be deployed onto Kubernetes clusters to monitor CREATE
and UPDATE
operations against the API server. Gatekeeper also offers AUDIT
functionality to evaluate existing resources against the constraints
. To learn more about creating constraints
, visit the Gatekeeper repository.
Conftest enables the evaluation of structured YAML manifest files intended for deployment to your clusters. To use Conftest, first install Conftest and then run conftest test
on a YAML file against the policy library:
$ conftest test deployment.yaml -p policies/. --all-namespaces
The output indicates whether the tests have passed. Here's an example:
FAIL - deployment.yaml - Containers must not run as root
FAIL - deployment.yaml - Deployments are not allowed
2 tests, 0 passed, 0 warnings, 2 failure