-
Notifications
You must be signed in to change notification settings - Fork 52
/
restrict-webhook-config.yaml
62 lines (62 loc) · 2.78 KB
/
restrict-webhook-config.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
# Copyright 2024 Google LLC
#
# This is “Software” that is licensed under the “General Software” section of
# the Service Specific Terms (https://cloud.google.com/terms/service-terms) for
# usage in accordance with the following “Scope of Use”: This file may only be
# used on an Anthos cluster, including any associated ci/cd use. “Anthos
# cluster” is defined as “A Cluster (of any kind) registered to a fleet project
# where the Anthos API is enabled”.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleRules
metadata:
name: cis-k8s-v1.7.1-restrict-webhook-config
labels:
policycontroller.gke.io/bundleName: cis-k8s-v1.7.1
annotations:
policycontroller.gke.io/bundleVersion: 202403.0-preview
policycontroller.gke.io/constraintData: |-
"{
bundleName: 'cis-k8s-v1.7.1',
bundleDisplayName: 'CIS Kubernetes Benchmark v1.7.1',
bundleLink: 'https://cloud.google.com/anthos-config-management/docs/how-to/using-cis-k8s-benchmark',
bundleVersion: '202403.0-preview',
bundleDescription: 'Use the CIS Kubernetes Benchmark 1.7.1 policy bundle with Policy Controller to evaluate the compliance of your cluster resources against the CIS Kubernetes Benchmark, which is a set of recommendations for configuring Kubernetes to support a robust security posture.',
controlNumbers: '[5.1.12]',
severity: 'UNSPECIFIED',
description: 'Restricts the access to webhook configuration objects in `Roles` and `ClusterRoles`.',
remediation: 'The creation, modification, and deletion of webhook configuration objects in Roles and ClusterRoles is restricted. Remove all access rules for webhook configuration objects from your Roles and ClusterRoles. See "RoleBinding and ClusterRoleBinding" for more information: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding',
minimumTemplateLibraryVersion: '1.15.2',
constraintHash: '216ba7e3991e81a1d28d2ee46eee48452c41180ab47667626ccd2ce12f5bc911'
}"
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- Role
- ClusterRole
parameters:
disallowedRules:
- apiGroups:
- ""
resources:
- validatingwebhookconfigurations
- mutatingwebhookconfigurations
verbs:
- create
- delete
- update
- patch
- deletecollection
exemptions:
clusterRoles:
- name: admin
- name: cluster-admin
- name: config-management-operator
- name: system:controller:generic-garbage-collector
- name: system:controller:namespace-controller
roles:
- name: agent-updater
namespace: gke-connect