From 0ea90a94b379158f766c6942445439b81254a176 Mon Sep 17 00:00:00 2001
From: Anubhav Sharma <40705688+anubhav888@users.noreply.github.com>
Date: Thu, 5 Sep 2024 11:51:21 -0700
Subject: [PATCH] Create restrict-secret-verbs-in-roles
---
 .../restrict-secret-verbs-in-roles | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 rbac-best-practices/restrict-secret-verbs-in-roles
diff --git a/rbac-best-practices/restrict-secret-verbs-in-roles b/rbac-best-practices/restrict-secret-verbs-in-roles
new file mode 100644
index 00000000..4825af3b
--- /dev/null
+++ b/rbac-best-practices/restrict-secret-verbs-in-roles
@@ -0,0 +1,38 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-secret-role-verbs
+ annotations:
+ policies.kyverno.io/title: Restrict Secret Verbs in Roles
+ policies.kyverno.io/category: Security
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Role, ClusterRole, RBAC
+ kyverno.io/kyverno-version: 1.6.2
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kubernetes-version: "1.23"
+ policies.kyverno.io/description: >-
+ The verbs `get`, `list`, and `watch` in a Role or ClusterRole, when paired with the Secrets resource, effectively
+ allows Secrets to be read which may expose sensitive information. This policy prevents
+ a Role or ClusterRole from using these verbs in tandem with Secret resources. In order to
+ fully implement this control, it is recommended to pair this policy with another which
+ also prevents use of the wildcard ('*') in the verbs list either when explicitly naming Secrets
+ or when also using a wildcard in the base API group.
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: secret-verbs
+ match:
+ any:
+ - resources:
+ kinds:
+ - Role
+ - ClusterRole
+ validate:
+ message: "Requesting verbs `get`, `list`, or `watch` on Secrets is forbidden."
+ deny:
+ conditions:
+ any:
+ - key: ["get","list","watch"]
+ operator: AnyIn
+ value: "{{ request.object.rules[?resources.contains(@,'secrets')].verbs[] }}"
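Review bot: The filter in the `value` line, `rules[?resources.contains(@,'secrets')]`, only selects rules that name `secrets` literally, so a rule with `resources: ["*"]` grants the same Secret read access and passes the check even though the description only warns about a wildcard in the verbs list; extending it to `rules[?resources.contains(@,'secrets') || resources.contains(@,'*')].verbs[]` closes the resources side without a second policy. Rules that carry only `nonResourceURLs` have no `resources` key, and as far as I can tell `contains` on a null subject is a JMESPath type error rather than `false`, so built-in ClusterRoles such as the discovery roles may surface as rule errors in the `background: true` scan rather than passing — worth testing, and guarding the filter with a `resources &&` prefix if it reproduces. With `validationFailureAction: audit` the policy only reports; for a Security-category control intended to "prevent" these grants, `enforce` is the setting that actually blocks, in which case an exclusion for the control-plane `system:` ClusterRoles that legitimately read Secrets will be needed.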