block-tmp-execution

Signed-off-by: gwg313 <gwg313@pm.me>

platform/kyverno/policies/kustomization.yaml

@@ -7,3 +7,4 @@ resources:
   - disallow-latest-tag.yaml
   - kyverno-cilium-rbac.yaml
   - generate-ns-network-baseline.yaml
+  - require-requests-limits.yaml

platform/kyverno/policies/require-requests-limits.yaml

@@ -0,0 +1,48 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-requests-limits
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+    policies.kyverno.io/title: Enforce Resource Requests and Limits
+    policies.kyverno.io/description: >-
+      Guarantees cluster stability by requiring all application containers 
+      to explicitly declare CPU and Memory requests and limits.
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+    - name: validate-resources
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      exclude:
+        any:
+          - resources:
+              namespaces:
+                - default
+                - kube-system
+                - kube-public
+                - kube-node-lease
+                - argocd
+                - kyverno
+                - cilium-ingress
+                - cilium-secrets
+                - cert-manager
+                - sealed-secrets
+                - nfs-subdir-external-provisioner
+      validate:
+        message: "Resource discipline violation: Containers must declare cpu/memory requests and limits."
+        pattern:
+          spec:
+            containers:
+              - name: "*"
+                resources:
+                  requests:
+                    cpu: "?*"    # Must not be empty
+                    memory: "?*" # Must not be empty
+                  limits:
+                    cpu: "?*"    # Must not be empty
+                    memory: "?*" # Must not be empty

platform/tetragon/policies/block-tmp-execution.yaml

@@ -0,0 +1,37 @@
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: block-tmp-execution
+  namespace: kube-system
+spec:
+  podSelector:
+    matchExpressions:
+      - key: "io.kubernetes.pod.namespace"
+        operator: "NotIn"
+        values:
+          - kube-system
+          - kube-public
+          - kube-node-lease
+          - argocd
+          - kyverno
+          - cilium-ingress
+          - cilium-secrets
+          - cert-manager
+          - sealed-secrets
+          - nfs-subdir-external-provisioner
+  kprobes:
+    - call: "sys_execve"
+      syscall: true
+      args:
+        - index: 0
+          type: "string"
+      selectors:
+        - matchArgs:
+            - index: 0
+              operator: "Prefix"
+              values:
+                - "/tmp/"
+                - "/var/tmp/"
+                - "/dev/shm/"
+          matchActions:
+            - action: Sigkill

platform/tetragon/policies/example.yaml

@@ -1,21 +0,0 @@
-apiVersion: cilium.io/v1alpha1
-kind: TracingPolicy
-metadata:
-  name: "fd-install"
-spec:
-  kprobes:
-  - call: "fd_install"
-    syscall: false
-    args:
-    - index: 0
-      type: "int"
-    - index: 1
-      type: "file"
-    selectors:
-    - matchArgs:
-      - index: 1
-        operator: "Equal"
-        values:
-        - "/tmp/tetragon"
-      matchActions:
-      - action: Sigkill

platform/tetragon/policies/kustomization.yaml

@@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - example.yaml
+  - block-tmp-execution.yaml