-
Notifications
You must be signed in to change notification settings - Fork 52
/
restrict-nodes-proxy.yaml
68 lines (68 loc) · 2.98 KB
/
restrict-nodes-proxy.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
# Copyright 2024 Google LLC
#
# This is “Software” that is licensed under the “General Software” section of
# the Service Specific Terms (https://cloud.google.com/terms/service-terms) for
# usage in accordance with the following “Scope of Use”: This file may only be
# used on an Anthos cluster, including any associated ci/cd use. “Anthos
# cluster” is defined as “A Cluster (of any kind) registered to a fleet project
# where the Anthos API is enabled”.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleRules
metadata:
name: cis-k8s-v1.7.1-restrict-nodes-proxy
labels:
policycontroller.gke.io/bundleName: cis-k8s-v1.7.1
annotations:
policycontroller.gke.io/bundleVersion: 202403.0-preview
policycontroller.gke.io/constraintData: |-
"{
bundleName: 'cis-k8s-v1.7.1',
bundleDisplayName: 'CIS Kubernetes Benchmark v1.7.1',
bundleLink: 'https://cloud.google.com/anthos-config-management/docs/how-to/using-cis-k8s-benchmark',
bundleVersion: '202403.0-preview',
bundleDescription: 'Use the CIS Kubernetes Benchmark 1.7.1 policy bundle with Policy Controller to evaluate the compliance of your cluster resources against the CIS Kubernetes Benchmark, which is a set of recommendations for configuring Kubernetes to support a robust security posture.',
controlNumbers: '[5.1.10]',
severity: 'UNSPECIFIED',
description: 'Restricts the access to the proxy sub-resource of nodes in `Roles` and `ClusterRoles`.',
remediation: 'The access to nodes/proxy in Roles and ClusterRoles is restricted. Remove all access rules for nodes/proxy from your Roles and ClusterRoles. See "RoleBinding and ClusterRoleBinding" for more information: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding',
minimumTemplateLibraryVersion: '1.15.2',
constraintHash: '46141fee31ae7ffb35a4b046eec1eeef4561eee6e183cae2fba712b316ed2dd9'
}"
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- Role
- ClusterRole
parameters:
disallowedRules:
- apiGroups:
- ""
resources:
- nodes/proxy
verbs:
- create
- update
- patch
exemptions:
clusterRoles:
- name: admin
- name: cluster-admin
- name: config-management-operator
- name: gatekeeper-manager-role
- name: kubelet-api-admin
- name: metering
- name: system:cloud-controller-manager
- name: system:controller:generic-garbage-collector
- name: system:controller:namespace-controller
- name: system:controller:resourcequota-controller
- name: system:gke-common-webhooks
- name: system:kube-controller-manager
- name: system:kubelet-api-admin
- name: system:kubestore-collector
roles:
- name: agent-updater
namespace: gke-connect