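├── README.md
├── enforce-ciliumnetworkpolicy-annotations.yaml
├── enforce-endpoint-security.yaml
├── enforce-least-privilege.yaml
├── enforce-specified-ports.yaml
├── limit-endpoint-count.yaml
├── limit-ciliumnetworkpolicy-scope.yaml
├── restrict-egress-ports.yaml
└── LICENSE
/README.md:
--------------------------------------------------------------------------------
# cilium-kyverno
This repository offers a curated set of Kyverno policies designed to provide granular governance over the creation and modification of Cilium Network Policies.
--------------------------------------------------------------------------------
/enforce-ciliumnetworkpolicy-annotations.yaml:
--------------------------------------------------------------------------------
# Require every CiliumNetworkPolicy to carry non-empty "purpose" and "owner"
# annotations so each network rule has a documented reason and an accountable
# owner.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: enforce-ciliumnetworkpolicy-annotations
spec:
  # "Enforce" blocks the admission request; the same casing is used in every
  # policy of this repository.
  validationFailureAction: Enforce
  # Admission-time only: existing resources are not re-scanned.
  background: false
  rules:
    - name: check-annotations
      match:
        any:
          - resources:
              kinds:
                # NOTE: the cluster-scoped CiliumClusterwideNetworkPolicy is not
                # matched by this or any other policy in this repository, so
                # objects of that kind are not governed by these rules.
                - CiliumNetworkPolicy
      validate:
        message: "Missing required annotation"
        pattern:
          metadata:
            annotations:
              # "?*" requires the key to exist with at least one character.
              purpose: "?*"
              owner: "?*"
--------------------------------------------------------------------------------
/enforce-endpoint-security.yaml:
--------------------------------------------------------------------------------
# Reject CiliumNetworkPolicies whose ingress rules admit traffic from the whole
# address space (0.0.0.0/0 or ::/0) via fromCIDR or fromCIDRSet.
#
# The original rule used a list pattern requiring a fromCIDR entry that is not
# the literal "192.168.0.0/16"; that rejected an internal range rather than
# external sources and also forced every ingress rule to declare fromCIDR,
# which would have blocked policies that only use fromEndpoints. The deny
# conditions below inspect every ingress rule and only fire when a world-open
# CIDR is present.
#
# Not covered here: ingress via fromEntities (e.g. "world"/"all") — add a
# separate condition if that must be denied as well.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: enforce-endpoint-security
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: deny-external-ingress
      match:
        any:
          - resources:
              kinds:
                - CiliumNetworkPolicy
      validate:
        message: "CiliumNetworkPolicy must deny ingress from external IPs"
        deny:
          conditions:
            # Deny if either projection contains a world-open CIDR.
            any:
              # All fromCIDR strings across all ingress rules; "|| `[]`"
              # yields an empty list when spec.ingress is absent.
              - key: "{{ request.object.spec.ingress[].fromCIDR[] || `[]` }}"
                operator: AnyIn
                value: ["0.0.0.0/0", "::/0"]
              # Same for the cidr field of fromCIDRSet entries.
              - key: "{{ request.object.spec.ingress[].fromCIDRSet[].cidr || `[]` }}"
                operator: AnyIn
                value: ["0.0.0.0/0", "::/0"]
--------------------------------------------------------------------------------
/enforce-least-privilege.yaml:
--------------------------------------------------------------------------------
# Reject "allow-all" endpoint selectors: an empty selector ({}) in
# ingress.fromEndpoints or egress.toEndpoints matches every endpoint.
#
# The original rule looked only at spec.ingress[0] and compared the JMESPath
# array against the string literal "[{}]". The conditions below count, across
# all ingress and egress rules, the rules that contain an empty selector and
# deny when that count is non-zero. "|| `[]`" keeps length() from failing
# when spec.ingress or spec.egress is absent.
#
# Not covered here: fromEntities/toEntities values such as "all".
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: enforce-least-privilege
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-least-privilege
      match:
        any:
          - resources:
              kinds:
                - CiliumNetworkPolicy
      validate:
        message: "Using 'allow-all' is not permitted."
        deny:
          conditions:
            any:
              # ingress rules having at least one fromEndpoints entry with
              # zero keys, i.e. "{}".
              - key: "{{ request.object.spec.ingress[?fromEndpoints[?length(@) == `0`]] || `[]` | length(@) }}"
                operator: GreaterThan
                value: 0
              # The egress counterpart: toEndpoints entries equal to "{}".
              - key: "{{ request.object.spec.egress[?toEndpoints[?length(@) == `0`]] || `[]` | length(@) }}"
                operator: GreaterThan
                value: 0
--------------------------------------------------------------------------------
/enforce-specified-ports.yaml:
--------------------------------------------------------------------------------
# Require every ingress rule to carry a toPorts block in which each port entry
# is exactly port "443" over TCP.
#
# Kyverno applies a single-item list pattern to each item of the resource list,
# so this is strict: an ingress rule without toPorts, or with any other
# port/protocol pair, is rejected. Adjust the pattern (e.g. with a
# conditional anchor) if some ingress rules are allowed to omit toPorts.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: enforce-specified-ports
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-specified-ports
      match:
        any:
          - resources:
              kinds:
                - CiliumNetworkPolicy
      validate:
        message: "Only traffic on specified ports is allowed."
        pattern:
          spec:
            ingress:
              - toPorts:
                  - ports:
                      - port: "443"
                        protocol: "TCP"
--------------------------------------------------------------------------------
/limit-endpoint-count.yaml:
--------------------------------------------------------------------------------
# Cap the number of keys in spec.endpointSelector.matchLabels at 10.
#
# Note what is measured: the number of label keys in the selector, not the
# number of endpoints the selector matches (an admission policy cannot count
# matched endpoints without an API lookup). The message has been reworded to
# say so; the original text claimed to limit endpoints. "|| `{}`" keeps
# length() from erroring — and therefore blocking the request — when
# matchLabels is absent.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: limit-endpoint-count
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-endpoint-count
      match:
        any:
          - resources:
              kinds:
                - CiliumNetworkPolicy
      validate:
        message: "endpointSelector.matchLabels has too many keys; limit is 10."
        deny:
          conditions:
            all:
              - key: "{{ length(request.object.spec.endpointSelector.matchLabels || `{}`) }}"
                operator: GreaterThan
                value: 10
--------------------------------------------------------------------------------
/limit-ciliumnetworkpolicy-scope.yaml:
--------------------------------------------------------------------------------
# Accept a CiliumNetworkPolicy only if its endpointSelector.matchLabels carries
# a "namespace" label equal to one of the two allowed values.
#
# NOTE(review): "namespace" here is a plain pod label literally named
# "namespace"; it is not the Kubernetes namespace of the selected pods (Cilium
# exposes that as the k8s:io.kubernetes.pod.namespace label), nor the
# namespace the CiliumNetworkPolicy object itself lives in
# (metadata.namespace). Confirm which of the three this policy is meant to
# restrict before relying on it.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: limit-ciliumnetworkpolicy-scope
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: limit-scope
      match:
        any:
          - resources:
              kinds:
                - CiliumNetworkPolicy
      validate:
        message: "CiliumNetworkPolicy can only be applied to specific namespaces"
        # anyPattern passes when at least one of the listed patterns matches.
        anyPattern:
          - spec:
              endpointSelector:
                matchLabels:
                  namespace: "allowed-namespace-1"
          - spec:
              endpointSelector:
                matchLabels:
                  namespace: "allowed-namespace-2"
--------------------------------------------------------------------------------
/restrict-egress-ports.yaml:
--------------------------------------------------------------------------------
# Deny any CiliumNetworkPolicy that allows egress to port 22.
#
# The original condition inspected only
# spec.egress[0].toPorts[0].ports[0].port, so port 22 placed in any later
# egress rule, toPorts block or ports entry was not caught. The flattened
# projection below collects every port across all egress rules, and AnyIn
# denies if "22" is among them. "|| `[]`" makes the key an empty list when
# spec.egress is absent, which also makes the previous NotEquals-null
# precondition unnecessary.
#
# Only the numeric string "22" is matched; a named port or a port range that
# covers 22 is not detected.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-egress-ports
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-egress-ports
      match:
        any:
          - resources:
              kinds:
                - CiliumNetworkPolicy
      validate:
        message: "Egress to port 22 is not allowed."
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.egress[].toPorts[].ports[].port || `[]` }}"
                operator: AnyIn
                value: ["22"]
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2023 Stéphane Karagulmez

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------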