-
Notifications
You must be signed in to change notification settings - Fork 0
/
datree-policies.yaml
150 lines (150 loc) · 13.7 KB
/
datree-policies.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
apiVersion: v1
customRules: null
policies:
- name: Starter
isDefault: true
rules:
# - identifier: DEPLOYMENT_INCORRECT_REPLICAS_VALUE
# messageOnFailure: Incorrect value for key `replicas` - running 2 or more replicas will increase the availability of the service
- identifier: CONTAINERS_MISSING_MEMORY_REQUEST_KEY
messageOnFailure: Missing property object `requests.memory` - value should be within the accepted boundaries recommended by the organization
- identifier: CONTAINERS_MISSING_LIVENESSPROBE_KEY
messageOnFailure: Missing property object `livenessProbe` - add a properly configured livenessProbe to catch possible deadlocks
- identifier: CONTAINERS_MISSING_READINESSPROBE_KEY
messageOnFailure: Missing property object `readinessProbe` - add a properly configured readinessProbe to notify kubelet your Pods are ready for traffic
- identifier: CONTAINERS_MISSING_MEMORY_LIMIT_KEY
messageOnFailure: Missing property object `limits.memory` - value should be within the accepted boundaries recommended by the organization
- identifier: CONTAINERS_MISSING_CPU_LIMIT_KEY
messageOnFailure: Missing property object `limits.cpu` - value should be within the accepted boundaries recommended by the organization
- identifier: CONTAINERS_MISSING_CPU_REQUEST_KEY
messageOnFailure: Missing property object `requests.cpu` - value should be within the accepted boundaries recommended by the organization
- identifier: CONTAINERS_INCORRECT_PRIVILEGED_VALUE_TRUE
messageOnFailure: Incorrect value for key `privileged` - this mode will allow the container the same access as processes running on the host
- identifier: CONTAINERS_MISSING_IMAGE_VALUE_VERSION
messageOnFailure: Incorrect value for key `image` - specify an image version to avoid unpleasant "version surprises" in the future
- identifier: CONTAINERS_MISSING_IMAGE_VALUE_DIGEST
messageOnFailure: Incorrect value for key `image` - add a digest tag (beginning with `@sha256:`) to represent an immutable version of the image
- identifier: CONTAINERS_INCORRECT_HOSTPID_VALUE_TRUE
messageOnFailure: Incorrect value for key `hostPID` - running on the host's PID namespace enables access to sensitive information from processes running outside the container
- identifier: CONTAINERS_INCORRECT_HOSTIPC_VALUE_TRUE
messageOnFailure: Incorrect value for key `hostIPC` - running on the host’s IPC namespace can be (maliciously) used to interact with other processes running outside the container
- identifier: CONTAINERS_INCORRECT_HOSTNETWORK_VALUE_TRUE
messageOnFailure: Incorrect value for key `hostNetwork` - running on the host’s network namespace can allow a compromised container to sniff network traffic
- identifier: CONTAINERS_INCORRECT_RUNASUSER_VALUE_LOWUID
messageOnFailure: Incorrect value for key `runAsUser` - value should be above 9999 to reduce the likelihood that the UID is already taken
- identifier: CONTAINERS_INCORRECT_PATH_VALUE_DOCKERSOCKET
messageOnFailure: Incorrect value for key `path` - avoid mounting the docker.socket becasue it can allow container breakout
- identifier: CONTAINERS_INCORRECT_SECCOMP_PROFILE
messageOnFailure: Incorrect value for key `seccompProfile` - set an explicit value to prevent malicious use of system calls within the container
- identifier: CONTAINERS_INCORRECT_READONLYROOTFILESYSTEM_VALUE
messageOnFailure: Incorrect value for key `readOnlyRootFilesystem` - set to 'true' to protect filesystem from potential attacks
- identifier: CONTAINERS_INCORRECT_KEY_HOSTPATH
messageOnFailure: Invalid key `hostPath` - refrain from using this mount to prevent an attack on the underlying host
- identifier: CONTAINERS_MISSING_KEY_ALLOWPRIVILEGEESCALATION
messageOnFailure: Missing key `allowPrivilegeEscalation` - set to false to prevent attackers from exploiting escalated container privileges
- identifier: CONTAINERS_INCORRECT_KEY_HOSTPORT
messageOnFailure: Incorrect key `hostPort` - refrain from using this key to prevent insecurely exposing your workload
- identifier: WORKLOAD_INCORRECT_NAMESPACE_VALUE_DEFAULT
messageOnFailure: Incorrect value for key `namespace` - use an explicit namespace instead of the default one (`default`)
- identifier: INGRESS_INCORRECT_HOST_VALUE_PERMISSIVE
messageOnFailure: Incorrect value for key `host` - specify host instead of using a wildcard character ("*")
- identifier: SERVICE_INCORRECT_TYPE_VALUE_NODEPORT
messageOnFailure: Incorrect value for key `type` - `NodePort` will open a port on all nodes where it can be reached by the network external to the cluster
- identifier: CRONJOB_INVALID_SCHEDULE_VALUE
messageOnFailure: "Incorrect value for key `schedule` - the (cron) schedule expressions is not valid and, therefore, will not work as expected"
- identifier: WORKLOAD_INVALID_LABELS_VALUE
messageOnFailure: Incorrect value for key(s) under `labels` - the vales syntax is not valid so the Kubernetes engine will not accept it
- identifier: WORKLOAD_INCORRECT_RESTARTPOLICY_VALUE_ALWAYS
messageOnFailure: Incorrect value for key `restartPolicy` - any other value than `Always` is not supported by this resource
- identifier: ENDPOINTSLICE_CVE2021_25373_INCORRECT_ADDRESSES_VALUE
messageOnFailure: "Incorrect value/s for key 'addresses' - address is within vulnerable ranges (127.0.0.0/8 and 169.254.0.0/16)"
- identifier: CONTAINER_CVE2021_25741_INCORRECT_SUBPATH_KEY
messageOnFailure: Forbidden property object `subPath` - malicious users can gain access to files & directories outside of the volume
- identifier: INGRESS_CVE2021_25742_INCORRECT_SERVER_SNIPPET_KEY
messageOnFailure: Forbidden property object `server-snippet` - ingress-nginx custom snippets are not allowed
- identifier: CONFIGMAP_CVE2021_25742_INCORRECT_SNIPPET_ANNOTATIONS_VALUE
messageOnFailure: Missing property object `allow-snippet-annotations` - set it to 'false' to override default behaviour
- identifier: CONTAINERS_INCORRECT_RUNASGROUP_VALUE_LOWGID
messageOnFailure: Invalid value for key `runAsGroup` - must be greater than 999 to ensure container is running with non-root group membership
- identifier: CONTAINERS_INCORRECT_RESOURCES_VERBS_VALUE
messageOnFailure: Incorrect value for key `resources` and/or `verbs` - allowing containers to run the exec command can be exploited by attackers
- identifier: CONTAINERS_INVALID_CAPABILITIES_VALUE
messageOnFailure: Incorrect value for key `add` - refrain from using insecure capabilities to prevent access to sensitive components
- identifier: ALL_EXPOSED_SECRET_BITBUCKET
messageOnFailure: Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen
- identifier: ALL_EXPOSED_SECRET_DATADOG
messageOnFailure: Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen
- identifier: ALL_EXPOSED_SECRET_GCP
messageOnFailure: Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen
- identifier: ALL_EXPOSED_SECRET_AWS
messageOnFailure: Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen
- identifier: ALL_EXPOSED_SECRET_GITHUB
messageOnFailure: Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen
- identifier: ALL_EXPOSED_SECRET_GITLAB
messageOnFailure: Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen
- identifier: ALL_EXPOSED_SECRET_TERRAFORM
messageOnFailure: Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen
- identifier: ALL_EXPOSED_SECRET_HEROKU
messageOnFailure: Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen
- identifier: ALL_EXPOSED_SECRET_JWT
messageOnFailure: Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen
- identifier: ALL_EXPOSED_SECRET_LAUNCHDARKLY
messageOnFailure: Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen
- identifier: ALL_EXPOSED_SECRET_NEWRELIC
messageOnFailure: Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen
- identifier: ALL_EXPOSED_SECRET_NPM
messageOnFailure: Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen
- identifier: ALL_EXPOSED_SECRET_OKTA
messageOnFailure: Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen
- identifier: ALL_EXPOSED_SECRET_STRIPE
messageOnFailure: Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen
- identifier: ALL_EXPOSED_SECRET_SUMOLOGIC
messageOnFailure: Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen
- identifier: ALL_EXPOSED_SECRET_TWILIO
messageOnFailure: Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen
- identifier: ALL_EXPOSED_SECRET_VAULT
messageOnFailure: Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen
- identifier: ALL_EXPOSED_SECRET_PRIVATEKEY
messageOnFailure: Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen
- identifier: CONTAINERS_INCORRECT_RUNASNONROOT_VALUE
messageOnFailure: Invalid value for key `runAsNonRoot` - must be set to `true` to prevent unnecessary privileges
- identifier: CIS_INVALID_VALUE_BIND_IMPERSONATE_ESCALATE
messageOnFailure: Invalid value for key `verbs` - do not use `bind`/`impersonate`/`escalate` to prevent privilege escalation
- identifier: CIS_INVALID_VALUE_SYSTEM_MASTERS
messageOnFailure: Invalid value for key `subjects[].name` - do not use the system:masters group to prevent unnecessary unrestriced access to the Kubernetes API
- identifier: CIS_MISSING_VALUE_DROP_NET_RAW
messageOnFailure: Invalid value for key `drop` - prohibit the potentially dangerous NET_RAW capability
- identifier: CIS_INVALID_VALUE_AUTOMOUNTSERVICEACCOUNTTOKEN
messageOnFailure: Invalid value for key `automountServiceAccountToken` - set to `false` to ensure rights can be more easily audited
- identifier: CIS_INVALID_VALUE_CREATE_POD
messageOnFailure: Invalid value for key `resources`/`verbs` - prohibit creating pods to prevent undesired privilege escalation
- identifier: CIS_MISSING_KEY_SECURITYCONTEXT
messageOnFailure: Missing key `securityContext` - set to enforce your containers' security and stability
# - identifier: CIS_INVALID_VALUE_SECCOMP_PROFILE
# messageOnFailure: Invalid value for key `seccomp.security.alpha.kubernetes.io/pod` - set to docker/default or runtime/default to ensure restricted privileges
- identifier: CIS_INVALID_KEY_SECRETKEYREF_SECRETREF
messageOnFailure: Incorrect key `secretKeyRef`/`secretRef` - mount secrets as files and not as env variables to avoid exposing sensitive data
- identifier: CIS_INVALID_WILDCARD_ROLE
messageOnFailure: Incorrect value for key `apiGroups`/`resources`/`verbs` - wildcards may provide excessive rights and should only be used when necessary
- identifier: CIS_INVALID_VERB_SECRETS
messageOnFailure: Incorrect value/s for key `verbs` - access to secrets should be restricted to the smallest possible group of users to reduce the risk of privilege escalation
- identifier: CIS_INVALID_ROLE_CLUSTER_ADMIN
messageOnFailure: Incorrect value for key `name` - the RBAC role `cluster-admin` provides wide-ranging powers over the environment and should be used only where needed
- identifier: EKS_INVALID_HOSTPATH_MOUNT_READONLY_VALUE
messageOnFailure: Invalid key `readOnly` - set to 'true' to prevent potential attacks on the host filesystem
- identifier: EKS_INVALID_SELINUXOPTIONS_ROLE_VALUE
messageOnFailure: Invalid key `role` - refrain from setting this key to prevent potential access to the host filesystem
- identifier: EKS_INVALID_SELINUXOPTIONS_USER_VALUE
messageOnFailure: Invalid key `user` - refrain from setting this key to prevent potential access to the host filesystem
- identifier: EKS_INVALID_SELINUXOPTIONS_TYPE_VALUE
messageOnFailure: Invalid value for key `type` - set to a predefined type to prevent unnecessary privileges
- identifier: EKS_INVALID_HOSTPROCESS_VALUE
messageOnFailure: Incorrect value for key `hostProcess` - don't set or set to false to prevent unnecessary privileges
- identifier: EKS_MISSING_KEY_TOPOLOGYKEY
messageOnFailure: Missing key `topologyKey` - add it to ensure replicas are spread across multiple nodes
- identifier: EKS_INVALID_CAPABILITIES_EKS
messageOnFailure: Incorrect value for key `add` - refrain from using insecure capabilities to prevent access to sensitive components
- identifier: K8S_INCORRECT_KIND_VALUE_POD
messageOnFailure: Incorrect value for key `kind` - raw pod won't be rescheduled in the event of a node failure
- identifier: SRVACC_INCORRECT_AUTOMOUNTSERVICEACCOUNTTOKEN_VALUE
messageOnFailure: Invalid value for key `automountServiceAccountToken` - must be set to `false` to prevent granting unnecessary access to the service account