4 changes: 4 additions & 0 deletions plugins/source/k8s/policies/README.md
@@ -1,3 +1,7 @@
# Deprecation Notice

These are the policy files for CloudQuery **v0.x.x**. Please use the [policies_v1/](../policies_v1/) directory for CloudQuery v1.x.x policies.

# CloudQuery Policies

CloudQuery SQL Policies for Kubernetes
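--- a/plugins/source/k8s/policies_v1/README.md
+++ b/plugins/source/k8s/policies_v1/README.md
@@ -0,0 +1,33 @@
+# CloudQuery Policies
+
+CloudQuery SQL Policies for Kubernetes
+
+## Policies and Compliance Frameworks Available
+
+- [Kubernetes NSA CISA v1](./nsa_cisa_v1/policy.sql)
+
+## Running
+
+You can execute policies with `psql`. For example:
+
+```bash
+# Set DSN to your PostgreSQL populated by CloudQuery
+export DSN=postgres://postgres:pass@localhost:5432/postgres
+# Execute the NSA CISA Policy
+psql ${DSN} -f ./nsa_cisa_v1/policy.sql
+```
+
+This will create all the results in `k8s_policy_results` table which you can query directly, connect to any BI system (Grafana, Preset, AWS QuickSight, PowerBI, …).
+
+You can also output it into CSV or HTML with the following built-in `psql` commands:
+
+```bash
+# Set DSN to your PostgreSQL populated by CloudQuery
+export DSN=postgres://postgres:pass@localhost:5432/postgres
+# default tabular output
+psql ${DSN} -c "select * from k8s_policy_results"
+# CSV output
+psql ${DSN} -c "select * from k8s_policy_results" --csv
+# HTML output
+psql ${DSN} -c "select * from k8s_policy_results" --html
+```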
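--- a/plugins/source/k8s/policies_v1/create_k8s_policy_results.sql
+++ b/plugins/source/k8s/policies_v1/create_k8s_policy_results.sql
@@ -0,0 +1,12 @@
+create table if not exists k8s_policy_results
+(
+execution_time timestamp with time zone,
+framework varchar(255),
+check_id varchar(255),
+title text,
+context text,
+namespace text,
+resource_id varchar(1024),
+resource_name text,
+status varchar(16)
+)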
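Review bot: The results table declares no constraints on the columns every policy run populates — `execution_time`, `framework`, `check_id` and `status` are all nullable, and `status varchar(16)` accepts any text even though the visible daemonset query writes only `'pass'`/`'fail'`; marking those four `NOT NULL` and, if no other status values are produced elsewhere, adding `CONSTRAINT k8s_policy_results_status_check CHECK (status IN ('pass', 'fail'))` makes a malformed insert fail loudly instead of silently adding rows a compliance report cannot filter. The statement also has no terminating `;` after the closing `)`, so it appears to rely on psql flushing the pending query buffer when the included file ends; ending the file with `);` removes that dependency (the daemonset query in the last hunk has the same missing terminator). The `varchar(255)` caps on `framework` and `check_id` are not business limits and could simply be `text`, matching the other columns.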
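--- a/plugins/source/k8s/policies_v1/nsa_cisa_v1/network_hardening.sql
+++ b/plugins/source/k8s/policies_v1/nsa_cisa_v1/network_hardening.sql
@@ -0,0 +1,132 @@
+\echo "Executing K8S Network Hardening NSA CISA v1"
+
+\echo "Enforce CPU resource limits"
+
+\echo "Deamonsets enforce cpu limit"
+\set check_id "daemonset_cpu_limit"
+\ir ../queries/network_hardening/daemonset_cpu_limit.sql
+
+\echo "Deployments enforce cpu limit"
+\set check_id "deployment_cpu_limit"
+\ir ../queries/network_hardening/deployment_cpu_limit.sql
+
+\echo "Jobs enforce cpu limit"
+\set check_id "job_cpu_limit"
+\ir ../queries/network_hardening/job_cpu_limit.sql
+
+
+\echo "Namespaces CPU limit range default"
+\set check_id "namespace_limit_range_default_cpu_limit"
+\ir ../queries/network_hardening/namespace_limit_range_default_cpu_limit.sql
+
+
+\echo "Namespaces CPU limit resource quota"
+\set check_id "namespace_resource_quota_cpu_limit"
+\ir ../queries/network_hardening/namespace_resource_quota_cpu_limit.sql
+
+
+\echo "ReplciaSets enforce cpu limit"
+\set check_id "replicaset_cpu_limit"
+\ir ../queries/network_hardening/replicaset_cpu_limit.sql
+
+
+\echo "Enforce CPU request"
+
+\echo "Deamonsets enforce cpu request"
+\set check_id "daemonset_cpu_request"
+\ir ../queries/network_hardening/daemonset_cpu_request.sql
+
+\echo "Deployments enforce cpu request"
+\set check_id "deployment_cpu_request"
+\ir ../queries/network_hardening/deployment_cpu_request.sql
+
+\echo "Jobs enforce cpu request"
+\set check_id "job_cpu_limit"
+\ir ../queries/network_hardening/job_cpu_limit.sql
+
+
+\echo "Namespaces CPU request range default"
+\set check_id "namespace_limit_range_default_cpu_request"
+\ir ../queries/network_hardening/namespace_limit_range_default_cpu_request.sql
+
+
+\echo "Namespaces CPU request resource quota"
+\set check_id "namespace_resource_quota_cpu_request"
+\ir ../queries/network_hardening/namespace_resource_quota_cpu_request.sql
+
+
+\echo "ReplciaSets enforce cpu request"
+\set check_id "replicaset_cpu_request"
+\ir ../queries/network_hardening/replicaset_cpu_request.sql
+
+\echo "Ensure memory limits set"
+
+\echo "Deamonsets enforce memory limit"
+\set check_id "daemonset_memory_limit"
+\ir ../queries/network_hardening/daemonset_memory_limit.sql
+
+\echo "Deployments enforce memory limit"
+\set check_id "deployment_memory_limit"
+\ir ../queries/network_hardening/deployment_memory_limit.sql
+
+\echo "Jobs enforce memory limit"
+\set check_id "job_memory_limit"
+\ir ../queries/network_hardening/job_memory_limit.sql
+
+
+\echo "Namespaces CPU memory range default"
+\set check_id "namespace_limit_range_default_memory_limit"
+\ir ../queries/network_hardening/namespace_limit_range_default_memory_limit.sql
+
+
+\echo "Namespaces CPU memory resource quota"
+\set check_id "namespace_resource_quota_memory_limit"
+\ir ../queries/network_hardening/namespace_resource_quota_memory_limit.sql
+
+
+\echo "ReplciaSets enforce memory limit"
+\set check_id "replicaset_memory_limit"
+\ir ../queries/network_hardening/replicaset_memory_limit.sql
+
+
+\echo "Enforce Memory request"
+
+\echo "Deamonsets enforce memory request"
+\set check_id "daemonset_memory_request"
+\ir ../queries/network_hardening/daemonset_memory_request.sql
+
+\echo "Deployments enforce memory request"
+\set check_id "deployment_memory_request"
+\ir ../queries/network_hardening/deployment_memory_request.sql
+
+\echo "Jobs enforce memory request"
+\set check_id "job_memory_request"
+\ir ../queries/network_hardening/job_memory_request.sql
+
+
+\echo "Namespaces Memory request range default"
+\set check_id "namespace_limit_range_default_memory_request"
+\ir ../queries/network_hardening/namespace_limit_range_default_memory_request.sql
+
+
+\echo "Namespaces Memory request resource quota"
+\set check_id "namespace_resource_quota_memory_request"
+\ir ../queries/network_hardening/namespace_resource_quota_memory_request.sql
+
+
+\echo "ReplciaSets enforce cpu request"
+\set check_id "replicaset_memory_request"
+\ir ../queries/network_hardening/replicaset_memory_request.sql
+
+
+\echo "Enforce default deny network policy"
+
+\echo "Network policy default deny egress"
+\set check_id "network_policy_default_deny_egress"
+\ir ../queries/network_hardening/network_policy_default_deny_egress.sql
+
+
+\echo "Network policy default deny ingress"
+\set check_id "network_policy_default_deny_ingress"
+\ir ../queries/network_hardening/network_policy_default_deny_ingress.sql
+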
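Review bot: The block labelled "Jobs enforce cpu request" is a copy-paste of the CPU limit block — it runs `\set check_id "job_cpu_limit"` and includes `../queries/network_hardening/job_cpu_limit.sql` a second time — so the job CPU *request* check never executes and every job gets a duplicate `job_cpu_limit` row per run. If a job CPU request query exists alongside the other `*_cpu_request.sql` files (none is visible in this diff), that block should set `\set check_id "job_cpu_request"` and include that file instead. Several `\echo` labels also mislead whoever reads the run log: the last memory-request block announces "ReplciaSets enforce cpu request", and the two namespace memory-limit blocks say "Namespaces CPU memory"; the recurring "Deamonsets"/"ReplciaSets" spellings are cosmetic but appear in every log line.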
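--- a/plugins/source/k8s/policies_v1/nsa_cisa_v1/pod_security.sql
+++ b/plugins/source/k8s/policies_v1/nsa_cisa_v1/pod_security.sql
@@ -0,0 +1,152 @@
+\echo "Executing K8S Pod Security NSA CISA v1"
+
+\set check_id "container_disallow_host_path"
+\echo "Disallow host path access"
+\ir ../queries/pod_security/pod_volume_host_path.sql
+
+\echo "Verify containers have privileged access disabled"
+
+\echo "Deamonset privileges disabled"
+\set check_id "daemonset_container_privilege_disabled"
+\ir ../queries/pod_security/daemonset_container_privilege_disabled.sql
+
+\echo "Deployment containers privileged access disabled"
+\set check_id "deployment_container_privilege_disabled"
+\ir ../queries/pod_security/deployment_container_privilege_disabled.sql
+
+\echo "Jobs container privileged access disabled"
+\set check_id "job_container_privilege_disabled"
+\ir ../queries/pod_security/job_container_privilege_disabled.sql
+
+\echo "Pod container privileged access disabled"
+\set check_id "pod_container_privilege_disabled"
+\ir ../queries/pod_security/pod_container_privilege_disabled.sql
+
+\echo "ReplicaSet container privileged access disabled"
+\set check_id "replicaset_container_privilege_disabled"
+\ir ../queries/pod_security/replicaset_container_privilege_disabled.sql
+
+\echo "Container privileged escalation disabled"
+
+\echo "DaemonSet container privileged escalation disabled"
+\set check_id "daemonset_container_privilege_escalation_disabled"
+\ir ../queries/pod_security/daemonset_container_privilege_escalation_disabled.sql
+
+\echo "Deployment container privileged escalation disabled"
+\set check_id "deployment_container_privilege_escalation_disabled"
+\ir ../queries/pod_security/deployment_container_privilege_escalation_disabled.sql
+
+\echo "Job container privileged escalation disabled"
+\set check_id "job_container_privilege_escalation_disabled"
+\ir ../queries/pod_security/job_container_privilege_escalation_disabled.sql
+
+\echo "Pod container privileged escalation disabled"
+\set check_id "pod_container_privilege_escalation_disabled"
+\ir ../queries/pod_security/pod_container_privilege_escalation_disabled.sql
+
+\echo "ReplicaSet container privileged escalation disabled"
+\set check_id "replicaset_container_privilege_escalation_disabled"
+\ir ../queries/pod_security/replicaset_container_privilege_escalation_disabled.sql
+
+
+\echo "Host network access disabled"
+
+\echo "DaemonSet container hostNetwork disabled"
+\set check_id "daemonset_host_network_access_disabled"
+\ir ../queries/pod_security/daemonset_host_network_access_disabled.sql
+
+\echo "Deployment container hostNetwork disabled"
+\set check_id "deployment_host_network_access_disabled"
+\ir ../queries/pod_security/deployment_host_network_access_disabled.sql
+
+\echo "Job container hostNetwork disabled"
+\set check_id "job_host_network_access_disabled"
+\ir ../queries/pod_security/job_host_network_access_disabled.sql
+
+\echo "Pod container hostNetwork disabled"
+\set check_id "pod_container_privilege_escalation_disabled"
+\ir ../queries/pod_security/pod_host_network_access_disabled.sql
+
+\echo "ReplicaSet container hostNetwork disabled"
+\set check_id "replicaset_container_privilege_escalation_disabled"
+\ir ../queries/pod_security/replicaset_host_network_access_disabled.sql
+
+
+\echo "HostPID and HostIPC sharing disabled"
+
+\echo "DeamonSet containers HostPID and HostIPC sharing disabled"
+\set check_id "daemonset_hostpid_hostipc_sharing_disabled"
+\ir ../queries/pod_security/daemonset_hostpid_hostipc_sharing_disabled.sql
+
+\echo "Deployment containers HostPID and HostIPC sharing disabled"
+\set check_id "deployment_hostpid_hostipc_sharing_disabled"
+\ir ../queries/pod_security/deployment_hostpid_hostipc_sharing_disabled.sql
+
+\echo "Job containers HostPID and HostIPC sharing disabled"
+\set check_id "job_hostpid_hostipc_sharing_disabled"
+\ir ../queries/pod_security/job_hostpid_hostipc_sharing_disabled.sql
+
+\echo "Pod containers HostPID and HostIPC sharing disabled"
+\set check_id "pod_hostpid_hostipc_sharing_disabled"
+\ir ../queries/pod_security/pod_hostpid_hostipc_sharing_disabled.sql
+
+\echo "ReplicaSet containers HostPID and HostIPC sharing disabled"
+\set check_id "replicaset_hostpid_hostipc_sharing_disabled"
+\ir ../queries/pod_security/replicaset_hostpid_hostipc_sharing_disabled.sql
+
+\echo "Containers root file system is read-only"
+
+\echo "DeamonSet containers root file system is read-only"
+\set check_id "daemonset_immutable_container_filesystem"
+\ir ../queries/pod_security/daemonset_immutable_container_filesystem.sql
+
+\echo "Deployment containers root file system is read-only"
+\set check_id "deployment_immutable_container_filesystem"
+\ir ../queries/pod_security/deployment_immutable_container_filesystem.sql
+
+\echo "Job containers root file system is read-only"
+\set check_id "job_immutable_container_filesystem"
+\ir ../queries/pod_security/job_immutable_container_filesystem.sql
+
+\echo "Pod containers root file system is read-only"
+\set check_id "pod_immutable_container_filesystem"
+\ir ../queries/pod_security/pod_immutable_container_filesystem.sql
+
+\echo "ReplicaSet containers root file system is read-only"
+\set check_id "replicaset_immutable_container_filesystem"
+\ir ../queries/pod_security/replicaset_immutable_container_filesystem.sql
+
+
+\echo "Enforce containers to run as non-root"
+
+\echo "DeamonSet containers to run as non-root"
+\set check_id "daemonset_non_root_container"
+\ir ../queries/pod_security/daemonset_non_root_container.sql
+
+\echo "Deployment containers to run as non-root"
+\set check_id "deployment_non_root_container"
+\ir ../queries/pod_security/deployment_non_root_container.sql
+
+\echo "Job containers to run as non-root"
+\set check_id "job_non_root_container"
+\ir ../queries/pod_security/job_non_root_container.sql
+
+\echo "Pod containers to run as non-root"
+\set check_id "pod_non_root_container"
+\ir ../queries/pod_security/pod_non_root_container.sql
+
+\echo "ReplicaSet containers to run as non-root"
+\set check_id "replicaset_non_root_container"
+\ir ../queries/pod_security/replicaset_non_root_container.sql
+
+
+\echo "Automatic mapping of the service account tokens disabled"
+
+\echo "Pod service account tokens disabled"
+\set check_id "pod_service_account_token_disabled"
+\ir ../queries/pod_security/pod_service_account_token_disabled.sql
+
+\echo "Service account tokens disabled"
+\set check_id "service_account_token_disabled"
+\ir ../queries/pod_security/service_account_token_disabled.sql
+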
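Review bot: The pod and replica-set hostNetwork checks reuse the privilege-escalation identifiers — under "Pod container hostNetwork disabled" the script sets `\set check_id "pod_container_privilege_escalation_disabled"` and under "ReplicaSet container hostNetwork disabled" it sets `\set check_id "replicaset_container_privilege_escalation_disabled"` — so hostNetwork findings land in `k8s_policy_results` under the wrong check_id and cannot be told apart from the genuine privilege-escalation rows written a few blocks earlier. Following the daemonset/deployment/job blocks and the names of the included files, these should be `\set check_id "pod_host_network_access_disabled"` and `\set check_id "replicaset_host_network_access_disabled"`. Minor: the first check sets `check_id` before its `\echo`, unlike every other block, and its id `container_disallow_host_path` does not match the included `pod_volume_host_path.sql`, which makes tracing a result row back to its query harder than it needs to be.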
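--- a/plugins/source/k8s/policies_v1/nsa_cisa_v1/policy.sql
+++ b/plugins/source/k8s/policies_v1/nsa_cisa_v1/policy.sql
@@ -0,0 +1,15 @@
+\set ON_ERROR_STOP on
+SET TIME ZONE 'UTC';
+-- neat trick to set execution_time if not already set
+-- https://stackoverflow.com/questions/32582600/only-set-variable-in-psql-script-if-not-specified-on-the-command-line
+\set execution_time :execution_time
+SELECT CASE
+WHEN :'execution_time' = ':execution_time' THEN to_char(now(), 'YYYY-MM-dd HH24:MI:SS.US')
+ELSE :'execution_time'
+END AS "execution_time" \gset
+
+\set framework 'cis_v1.2.0'
+
+\ir ../create_k8s_policy_results.sql
+\ir ./network_hardening.sql
+\ir ./pod_security.sql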
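Review bot: `\set framework 'cis_v1.2.0'` tags every row produced by this policy as a CIS 1.2.0 result, while the README lists this directory as "Kubernetes NSA CISA v1"; anyone filtering `k8s_policy_results` by `framework` will attribute these findings to the wrong standard. A value matching the directory, e.g. `\set framework 'nsa_cisa_v1'`, keeps the label and the policy consistent. The `ON_ERROR_STOP`/`SET TIME ZONE`/`execution_time` preamble is duplicated verbatim in the top-level `policies_v1/policy.sql` in the next section; when this file is included from there, `\set execution_time :execution_time` merely re-assigns the already-set value, so it is harmless today, but the two copies will drift — a shared preamble pulled in with `\ir` by both entry points would avoid that. Note also that `execution_time` is formatted without a zone offset and later cast with `::timestamp` in the query files, which yields the intended instant only because `SET TIME ZONE 'UTC'` runs first; a caller supplying `-v execution_time=...` with an explicit offset would, as far as I can tell, have that offset ignored.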
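--- a/plugins/source/k8s/policies_v1/policy.sql
+++ b/plugins/source/k8s/policies_v1/policy.sql
@@ -0,0 +1,11 @@
+\set ON_ERROR_STOP on
+SET TIME ZONE 'UTC';
+-- neat trick to set execution_time if not already set
+-- https://stackoverflow.com/questions/32582600/only-set-variable-in-psql-script-if-not-specified-on-the-command-line
+\set execution_time :execution_time
+SELECT CASE
+WHEN :'execution_time' = ':execution_time' THEN to_char(now(), 'YYYY-MM-dd HH24:MI:SS.US')
+ELSE :'execution_time'
+END AS "execution_time" \gset
+
+\ir nsa_cisa_v1/policy.sql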
@@ -0,0 +1,25 @@
-- Join every row in the daemonset table with its json array of containers.
WITH daemonset_containers AS (SELECT uid, value AS container
FROM k8s_apps_daemon_sets
CROSS JOIN jsonb_array_elements(spec_template->'spec'->'containers') AS value)

INSERT INTO k8s_policy_results (resource_id, execution_time, framework, check_id, title, context, namespace,
resource_name, status)
select uid AS resource_id,
:'execution_time'::timestamp AS execution_time,
:'framework' AS framework,
:'check_id' AS check_id,
'Daemonset enforces cpu limits' AS title,
context AS context,
namespace AS namespace,
name AS resource_name,
CASE
WHEN
-- Every container needs to have a CPU limit for the check to pass
(SELECT COUNT(*) FROM daemonset_containers WHERE daemonset_containers.uid = k8s_apps_daemon_sets.uid AND
daemonset_containers.container->'resources'->'limits'->>'cpu' IS NULL) > 0
THEN 'fail'
ELSE 'pass'
END AS status
FROM k8s_apps_daemon_sets

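Review bot: The `status` expression runs a correlated `COUNT(*) ... > 0` subquery per daemon set, counting every container without a CPU limit when a single match already decides the outcome; an `EXISTS` predicate states that intent directly and lets the planner stop at the first offending container. The check also only walks `spec_template->'spec'->'containers'`, so init containers — if this plugin stores them under `initContainers` — are never evaluated; either a comment stating that this is intentional or a second branch in the CTE would make the scope explicit. Two smaller points: `:'execution_time'::timestamp` produces a zone-less timestamp that is inserted into a `timestamp with time zone` column, which is only correct because the calling policy runs `SET TIME ZONE 'UTC'` first, and the `select` on the insert's query is lowercase while every other keyword in the file is uppercase. Like the DDL file, the statement ends without a terminating `;`.

```sql
-- … unchanged: daemonset_containers CTE, INSERT column list and the leading select columns …
       CASE
           -- A single container without a CPU limit fails the whole daemon set
           WHEN EXISTS (SELECT 1
                        FROM daemonset_containers AS dc
                        WHERE dc.uid = k8s_apps_daemon_sets.uid
                          AND dc.container->'resources'->'limits'->>'cpu' IS NULL)
               THEN 'fail'
           ELSE 'pass'
       END AS status
FROM k8s_apps_daemon_sets;
```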