Initial commit

2025-11-29 17:51:02 +08:00
commit ff1f4bd119
252 changed files with 72682 additions and 0 deletions
--- a/skills/compliance/policy-opa/assets/k8s-pod-security.rego
+++ b/skills/compliance/policy-opa/assets/k8s-pod-security.rego
@@ -0,0 +1,90 @@
+package kubernetes.admission
+
+import future.keywords.contains
+import future.keywords.if
+
+# Deny privileged containers
+deny[msg] {
+    input.request.kind.kind == "Pod"
+    container := input.request.object.spec.containers[_]
+    container.securityContext.privileged == true
+    msg := sprintf("Privileged container is not allowed: %v", [container.name])
+}
+
+# Enforce non-root user
+deny[msg] {
+    input.request.kind.kind == "Pod"
+    container := input.request.object.spec.containers[_]
+    not container.securityContext.runAsNonRoot
+    msg := sprintf("Container must run as non-root user: %v", [container.name])
+}
+
+# Require read-only root filesystem
+deny[msg] {
+    input.request.kind.kind == "Pod"
+    container := input.request.object.spec.containers[_]
+    not container.securityContext.readOnlyRootFilesystem
+    msg := sprintf("Container must use read-only root filesystem: %v", [container.name])
+}
+
+# Deny host namespaces
+deny[msg] {
+    input.request.kind.kind == "Pod"
+    input.request.object.spec.hostPID == true
+    msg := "Sharing the host PID namespace is not allowed"
+}
+
+deny[msg] {
+    input.request.kind.kind == "Pod"
+    input.request.object.spec.hostIPC == true
+    msg := "Sharing the host IPC namespace is not allowed"
+}
+
+deny[msg] {
+    input.request.kind.kind == "Pod"
+    input.request.object.spec.hostNetwork == true
+    msg := "Sharing the host network namespace is not allowed"
+}
+
+# Deny hostPath volumes
+deny[msg] {
+    input.request.kind.kind == "Pod"
+    volume := input.request.object.spec.volumes[_]
+    volume.hostPath
+    msg := sprintf("hostPath volumes are not allowed: %v", [volume.name])
+}
+
+# Require dropping ALL capabilities
+deny[msg] {
+    input.request.kind.kind == "Pod"
+    container := input.request.object.spec.containers[_]
+    not drops_all_capabilities(container)
+    msg := sprintf("Container must drop ALL capabilities: %v", [container.name])
+}
+
+drops_all_capabilities(container) {
+    container.securityContext.capabilities.drop[_] == "ALL"
+}
+
+# Deny dangerous capabilities
+dangerous_capabilities := [
+    "CAP_SYS_ADMIN",
+    "CAP_NET_ADMIN",
+    "CAP_SYS_PTRACE",
+    "CAP_SYS_MODULE",
+]
+
+deny[msg] {
+    input.request.kind.kind == "Pod"
+    container := input.request.object.spec.containers[_]
+    capability := container.securityContext.capabilities.add[_]
+    dangerous_capabilities[_] == capability
+    msg := sprintf("Capability %v is not allowed for container: %v", [capability, container.name])
+}
+
+# Require seccomp profile
+deny[msg] {
+    input.request.kind.kind == "Pod"
+    not input.request.object.spec.securityContext.seccompProfile
+    msg := "Pod must define a seccomp profile"
+}