Merge branch 'master' into forbidden-sysctls-cel

open-policy-agent · Sep 4, 2024 · 08dec09 · 08dec09
2 parents 44af349 + 598df74
commit 08dec09
Show file tree

Hide file tree

Showing 239 changed files with 6,344 additions and 764 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -41,7 +41,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
 
@@ -50,7 +50,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -60,7 +60,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/autobuild@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -73,6 +73,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
         with:
           category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -17,11 +17,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
 
       - name: 'Checkout Repository'
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3
+        uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -31,7 +31,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
 
@@ -41,7 +41,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -63,14 +63,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/scripts.yaml b/.github/workflows/scripts.yaml
@@ -22,13 +22,13 @@ jobs:
       matrix:
         folder: [artifacthub, require-sync, validate, website]
     steps:
-      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: '1.20'
           cache: false
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
+        uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
         with:
           version: v1.55.2
           working-directory: scripts/${{ matrix.folder }}
diff --git a/.github/workflows/website.yaml b/.github/workflows/website.yaml
@@ -25,14 +25,14 @@ jobs:
         working-directory: website
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
 
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Setup Node
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
         with:
           node-version: "18"
 

diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml
@@ -26,7 +26,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
 
@@ -49,7 +49,7 @@ jobs:
     name: Unit test on ${{ matrix.os }} opa ${{ matrix.opa }}
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
 
@@ -71,7 +71,7 @@ jobs:
     steps:
       - name: Harden Runner
         if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }} # remove this condition once 3.17 is out
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
 
@@ -99,7 +99,7 @@ jobs:
           kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-audit.json
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         if: ${{ always() }}
         with:
           name: logs-int-test-${{ matrix.gatekeeper }}-${{ matrix.engine }}
@@ -110,7 +110,7 @@ jobs:
     name: "Require a suite.yaml file alongside every template.yaml"
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
 
@@ -123,7 +123,7 @@ jobs:
     name: "Require a sync.yaml file and metadata.gatekeeper.sh/requires-sync-data annotation for every template.yaml using data.inventory"
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
 
@@ -141,7 +141,7 @@ jobs:
     steps:
       - name: Harden Runner
         if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }} # remove this condition once 3.17 is out
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
 

diff --git a/artifacthub/library/general/disallowanonymous/1.0.1/artifacthub-pkg.yml b/artifacthub/library/general/disallowanonymous/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8sdisallowanonymous
+displayName: Disallow Anonymous Access
+createdAt: "2024-08-19T17:43:37Z"
+description: Disallows associating ClusterRole and Role resources to the system:anonymous user and system:unauthenticated group.
+digest: eef7a39c0a9dfa0ff63d357b5e0ce881b1acc388c1b991a6cf4ab3745feb3e4a
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/disallowanonymous
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # Disallow Anonymous Access
+    Disallows associating ClusterRole and Role resources to the system:anonymous user and system:unauthenticated group.
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/disallowanonymous/1.0.1/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library
diff --git a/artifacthub/library/general/disallowanonymous/1.0.1/kustomization.yaml b/artifacthub/library/general/disallowanonymous/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+  - template.yaml
diff --git a/...hub/library/general/disallowanonymous/1.0.1/samples/no-anonymous-bindings/constraint.yaml b/...hub/library/general/disallowanonymous/1.0.1/samples/no-anonymous-bindings/constraint.yaml
@@ -0,0 +1,14 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sDisallowAnonymous
+metadata:
+  name: no-anonymous
+spec:
+  match:
+    kinds:
+      - apiGroups: ["rbac.authorization.k8s.io"]
+        kinds: ["ClusterRoleBinding"]
+      - apiGroups: ["rbac.authorization.k8s.io"]
+        kinds: ["RoleBinding"]
+  parameters:
+    allowedRoles: 
+      - cluster-role-1
diff --git a/...ibrary/general/disallowanonymous/1.0.1/samples/no-anonymous-bindings/example_allowed.yaml b/...ibrary/general/disallowanonymous/1.0.1/samples/no-anonymous-bindings/example_allowed.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-role-binding-1
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-role-1
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:authenticated
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:unauthenticated
diff --git a/...ary/general/disallowanonymous/1.0.1/samples/no-anonymous-bindings/example_disallowed.yaml b/...ary/general/disallowanonymous/1.0.1/samples/no-anonymous-bindings/example_disallowed.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-role-binding-2
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-role-2
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:authenticated
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:unauthenticated
diff --git a/artifacthub/library/general/disallowanonymous/1.0.1/suite.yaml b/artifacthub/library/general/disallowanonymous/1.0.1/suite.yaml
@@ -0,0 +1,17 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: disallowanonymous
+tests:
+- name: disallow-anonymous
+  template: template.yaml
+  constraint: samples/no-anonymous-bindings/constraint.yaml
+  cases:
+  - name: example-allowed
+    object: samples/no-anonymous-bindings/example_allowed.yaml
+    assertions:
+    - violations: no
+  - name: example-disallowed
+    object: samples/no-anonymous-bindings/example_disallowed.yaml
+    assertions:
+    - violations: yes
diff --git a/artifacthub/library/general/disallowanonymous/1.0.1/template.yaml b/artifacthub/library/general/disallowanonymous/1.0.1/template.yaml
@@ -0,0 +1,48 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8sdisallowanonymous
+  annotations:
+    metadata.gatekeeper.sh/title: "Disallow Anonymous Access"
+    metadata.gatekeeper.sh/version: 1.0.1
+    description: Disallows associating ClusterRole and Role resources to the system:anonymous user and system:unauthenticated group.
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sDisallowAnonymous
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          type: object
+          properties:
+            allowedRoles:
+              description: >-
+                The list of ClusterRoles and Roles that may be associated
+                with the `system:unauthenticated` group and `system:anonymous`
+                user.
+              type: array
+              items:
+                type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8sdisallowanonymous
+
+        violation[{"msg": msg}] {
+          not is_allowed(input.review.object.roleRef, object.get(input, ["parameters", "allowedRoles"], []))
+          review(input.review.object.subjects[_])
+          msg := sprintf("Unauthenticated user reference is not allowed in %v %v ", [input.review.object.kind, input.review.object.metadata.name])
+        }
+
+        is_allowed(role, allowedRoles) {
+          role.name == allowedRoles[_]
+        }
+
+        review(subject) = true {
+          subject.name == "system:unauthenticated"
+        }
+
+        review(subject) = true {
+          subject.name == "system:anonymous"
+        }
diff --git a/artifacthub/library/general/disallowanonymous/1.1.0/artifacthub-pkg.yml b/artifacthub/library/general/disallowanonymous/1.1.0/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.1.0
+name: k8sdisallowanonymous
+displayName: Disallow Anonymous Access
+createdAt: "2024-08-21T21:13:49Z"
+description: Disallows associating ClusterRole and Role resources to the system:anonymous user and system:unauthenticated group.
+digest: 8de75985d7841ab683cf095d1b86934a3d3278b20816c0bb2a10680d25ddd740
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/disallowanonymous
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # Disallow Anonymous Access
+    Disallows associating ClusterRole and Role resources to the system:anonymous user and system:unauthenticated group.
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/disallowanonymous/1.1.0/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library
diff --git a/artifacthub/library/general/disallowanonymous/1.1.0/kustomization.yaml b/artifacthub/library/general/disallowanonymous/1.1.0/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+  - template.yaml
diff --git a/...hub/library/general/disallowanonymous/1.1.0/samples/no-anonymous-bindings/constraint.yaml b/...hub/library/general/disallowanonymous/1.1.0/samples/no-anonymous-bindings/constraint.yaml
@@ -0,0 +1,14 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sDisallowAnonymous
+metadata:
+  name: no-anonymous
+spec:
+  match:
+    kinds:
+      - apiGroups: ["rbac.authorization.k8s.io"]
+        kinds: ["ClusterRoleBinding"]
+      - apiGroups: ["rbac.authorization.k8s.io"]
+        kinds: ["RoleBinding"]
+  parameters:
+    allowedRoles: 
+      - cluster-role-1
diff --git a/...ibrary/general/disallowanonymous/1.1.0/samples/no-anonymous-bindings/example_allowed.yaml b/...ibrary/general/disallowanonymous/1.1.0/samples/no-anonymous-bindings/example_allowed.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-role-binding-1
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-role-1
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:authenticated
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:unauthenticated
diff --git a/...ary/general/disallowanonymous/1.1.0/samples/no-anonymous-bindings/example_disallowed.yaml b/...ary/general/disallowanonymous/1.1.0/samples/no-anonymous-bindings/example_disallowed.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-role-binding-2
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-role-2
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:authenticated
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:unauthenticated
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:anonymous