
kubewarden/image-cve-policy

Kubewarden policy image-cve-policy

WARNING: This policy is currently in the sandbox phase. This means that it is not yet ready for production use. The policy is under active development and may change significantly.

Description

This policy enforces a maximum number of vulnerabilities per severity level in a container image.

The policy can be configured to allow a certain number of vulnerabilities for each severity level. When a threshold is exceeded, the image is not allowed to be deployed.

It's possible to provide a list of CVEs that are always allowed or denied, regardless of their severity level.

By default the policy denies images that have no VulnerabilityReport, that is, images that have not been scanned for vulnerabilities. This behavior can be changed by setting ignoreMissingVulnerabilityReport to true, but be aware that an unscanned image is then accepted without any check: the thresholds are only enforced on images that SBOMScanner has already processed.

Deployment Requirements

SBOMScanner

This policy relies on the SBOMScanner project being installed in the cluster.

Warning: the policy currently supports SBOMScanner version 0.7.0 or later.

This project scans images for vulnerabilities and stores the results in a custom resource called VulnerabilityReport.

RBAC rules for Policy Server

The Policy Server that runs this policy must be allowed to get, list and watch the vulnerabilityreports resource of the storage.sbomscanner.kubewarden.io API group.

This can be achieved by creating the following RBAC resources:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sbomscanner-vulnerability-reports-viewer
rules:
  - apiGroups:
      - storage.sbomscanner.kubewarden.io
    resources:
      - vulnerabilityreports
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sbomscanner-vulnerability-reports-viewer-policy-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: sbomscanner-vulnerability-reports-viewer
subjects:
  - kind: ServiceAccount
    name: policy-server
    namespace: kubewarden

Warning: the binding above grants access only to the ServiceAccount named policy-server in the kubewarden namespace. If your Policy Server runs under a different ServiceAccount or in a different namespace, adjust the subjects entry accordingly; without this access the policy cannot read VulnerabilityReport resources and will fail its evaluations.

Configuration

This is a context aware policy, hence it must be deployed as a ClusterAdmissionPolicy and the VulnerabilityReport resource must be listed under its contextAwareResources so that the policy is granted access to it.

The VulnerabilityReport resources are namespaced, hence the policy settings must name the namespace where SBOMScanner creates them (the vulnerabilityReportNamespace setting described below).

Policy Evaluation Time

Currently, this policy is slower than other Kubewarden policies because every evaluation looks up VulnerabilityReport resources. The extra latency is most visible while the cache used by the Policy Server is cold.

Because of that, it's recommended to raise the policy evaluation timeout.

Starting with Kubewarden 1.29.0, this value can be configured on a per policy basis.

It's recommended to set this value to 10 seconds:

apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: image-cves
spec:
  module: registry://ghcr.io/kubewarden/policies/image-cve-policy:latest
  timeoutEvalSeconds: 10

Settings

This policy can be configured using the following settings:

maxSeverity:
  critical: # total and totalWithoutFixes are mutually exclusive
    total: 10 # maximum number of critical CVEs that are allowed
    totalWithoutFixes: 5 # max number of critical CVEs without fixes that are allowed
  high: # total and totalWithoutFixes are mutually exclusive
    total: 20 # maximum number of high CVEs that are allowed
    totalWithoutFixes: 10 # max number of high CVEs without fixes that are allowed
  medium: # total and totalWithoutFixes are mutually exclusive
    total: 30 # maximum number of medium CVEs that are allowed
    totalWithoutFixes: 15 # max number of medium CVEs without fixes that are allowed
  low: # total and totalWithoutFixes are mutually exclusive
    total: 40 # maximum number of low CVEs that are allowed
    totalWithoutFixes: 20 # max number of low CVEs without fixes that are allowed
  unknown: # total and totalWithoutFixes are mutually exclusive
    total: 40 # maximum number of unknown CVEs that are allowed
    totalWithoutFixes: 20 # max number of unknown CVEs without fixes that are allowed

# List of CVEs that are always allowed; they do not count towards the
# maxSeverity thresholds
allowAlways:
  - CVE-2020-1234
  - CVE-2020-5678

# List of CVEs that are always denied; the image is rejected when any of
# them is present, regardless of the maxSeverity thresholds
denyAlways:
  - CVE-2020-1234
  - CVE-2020-5678

# What to do if the image has not been scanned for CVEs
# Setting to true will accept the image, setting to false will reject the image
# Default is false
ignoreMissingVulnerabilityReport: true | false

# Namespace where VulnerabilityReport CRDs are stored
vulnerabilityReportNamespace: sbomscanner

# Ignore the VEX (Vulnerability Exploitability eXchange) status attached
# to the findings.
# Setting this to true causes vulnerabilities that have been suppressed by
# a VEX profile to be counted as if no VEX data existed.
#
# Default is false.
#
# It's recommended to keep the default value to avoid false positives.
ignoreVexStatus: true | false

# Optional - defines which platform has to be checked when the image is
# a multi architecture one.
#
# When not specified, the policy will use the platform of the node running
# the Policy Server instance that hosts the policy.
platform:
  # mandatory - Must use values listed in the Go Language document for GOARCH (e.g.: amd64, arm64, s390x).
  arch: amd64

  # mandatory - Must use values listed in the Go Language document for GOOS (e.g.: linux, windows, darwin).
  os: linux

  # optional - the version of the operating system targeted
  # It's safe to omit
  # os_version: "10.0.14393.1066" # example of a windows value

  # optional - the OCI spec currently supports only the `win32k` value - to be used only with windows images
  # os_features: "win32k"

  # OPTIONAL - specifies the variant of the CPU.
  # Variant values listed in the [Platform Variants](https://github.com/opencontainers/image-spec/blob/main/image-index.md#platform-variants) table.
  # variant: "v7" # example of variant to be used together with `arm` architecture
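The following Go program is an added illustration of how the settings above combine when an image is evaluated; it is not the policy's own code and does not read real VulnerabilityReport objects. It assumes a simplified finding model (ID, severity, whether a fix exists, whether a VEX statement suppresses it), that denyAlways is checked before allowAlways and before VEX suppression, and that a missing report is modelled as a nil slice. The sample report is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Severity levels in the order the settings document them.
var severities = []string{"critical", "high", "medium", "low", "unknown"}

// SeverityLimit mirrors one maxSeverity entry; a nil field means "no limit".
type SeverityLimit struct {
	Total             *int
	TotalWithoutFixes *int
}

// Settings is an illustrative projection of the documented settings (assumption).
type Settings struct {
	MaxSeverity                      map[string]SeverityLimit
	AllowAlways                      []string
	DenyAlways                       []string
	IgnoreMissingVulnerabilityReport bool
	IgnoreVexStatus                  bool
}

// Vulnerability is a constructed, simplified view of one finding in a
// VulnerabilityReport; the real CRD schema is richer (assumption).
type Vulnerability struct {
	ID            string
	Severity      string // critical, high, medium, low, unknown
	HasFix        bool
	VexSuppressed bool // a VEX statement says the image is not affected
}

func intPtr(i int) *int { return &i }

func contains(list []string, id string) bool {
	for _, x := range list {
		if strings.EqualFold(x, id) {
			return true
		}
	}
	return false
}

// ValidateSettings enforces the documented rule that total and
// totalWithoutFixes are mutually exclusive for each severity.
func ValidateSettings(s Settings) error {
	for _, sev := range severities {
		if lim := s.MaxSeverity[sev]; lim.Total != nil && lim.TotalWithoutFixes != nil {
			return fmt.Errorf("maxSeverity.%s: total and totalWithoutFixes are mutually exclusive", sev)
		}
	}
	return nil
}

// Evaluate reports whether the image is accepted and why.
// A nil report models an image that has no VulnerabilityReport.
func Evaluate(s Settings, report []Vulnerability) (bool, string) {
	if report == nil {
		if s.IgnoreMissingVulnerabilityReport {
			return true, "no VulnerabilityReport found, accepted because ignoreMissingVulnerabilityReport=true"
		}
		return false, "no VulnerabilityReport found for image"
	}
	total := map[string]int{}
	noFix := map[string]int{}
	for _, v := range report {
		// Assumption: denyAlways is checked first, so a CVE that is also
		// allow-listed or VEX-suppressed still rejects the image.
		if contains(s.DenyAlways, v.ID) {
			return false, "image contains always-denied " + v.ID
		}
		if contains(s.AllowAlways, v.ID) {
			continue // never counted towards maxSeverity
		}
		if v.VexSuppressed && !s.IgnoreVexStatus {
			continue // VEX statement honoured: not counted
		}
		sev := strings.ToLower(v.Severity)
		total[sev]++
		if !v.HasFix {
			noFix[sev]++
		}
	}
	for _, sev := range severities {
		lim := s.MaxSeverity[sev]
		if lim.Total != nil && total[sev] > *lim.Total {
			return false, fmt.Sprintf("%d %s CVEs exceed the limit of %d", total[sev], sev, *lim.Total)
		}
		if lim.TotalWithoutFixes != nil && noFix[sev] > *lim.TotalWithoutFixes {
			return false, fmt.Sprintf("%d %s CVEs without a fix exceed the limit of %d", noFix[sev], sev, *lim.TotalWithoutFixes)
		}
	}
	return true, "vulnerability counts are within the configured thresholds"
}

// SampleReport is a constructed report; the CVE IDs are placeholders.
func SampleReport() []Vulnerability {
	return []Vulnerability{
		{ID: "CVE-2020-1234", Severity: "critical", HasFix: true},                       // allow-listed below
		{ID: "CVE-2021-0001", Severity: "critical", HasFix: false, VexSuppressed: true}, // VEX: not affected
		{ID: "CVE-2021-0002", Severity: "high", HasFix: false},
		{ID: "CVE-2021-0003", Severity: "high", HasFix: false},
		{ID: "CVE-2021-0004", Severity: "medium", HasFix: true},
	}
}

func main() {
	s := Settings{
		MaxSeverity: map[string]SeverityLimit{
			"critical": {Total: intPtr(0)},
			"high":     {TotalWithoutFixes: intPtr(1)},
		},
		AllowAlways: []string{"CVE-2020-1234"},
	}
	if err := ValidateSettings(s); err != nil {
		fmt.Println("invalid settings:", err)
		return
	}
	ok, why := Evaluate(s, SampleReport())
	fmt.Printf("accepted=%v: %s\n", ok, why) // accepted=false: 2 high CVEs without a fix exceed the limit of 1
}
```

With the sample settings the allow-listed critical CVE and the VEX-suppressed one are skipped, so the image is rejected only because two high CVEs without a fix exceed totalWithoutFixes: 1. Flipping IgnoreVexStatus to true makes the suppressed critical CVE count again and the critical total: 0 limit rejects the image first.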

Examples

The following policy runs in monitor mode, so it only logs violations instead of rejecting workloads, with strict criteria for critical and high vulnerabilities (none allowed). Paired with Kubewarden's Audit Scanner, it provides a way to find the vulnerable workloads that are already running inside of your cluster. Note that it sets ignoreMissingVulnerabilityReport to true, so workloads whose images have not been scanned yet are not reported.

apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  annotations:
    io.kubewarden.policy.category: Resource validation
    io.kubewarden.policy.severity: high
  name: image-cve-strict
spec:
  module: registry://ghcr.io/kubewarden/policies/image-cve-policy:latest
  timeoutEvalSeconds: 10
  rules:
    - apiGroups:
        - apps
      apiVersions:
        - v1
      resources:
        - deployments
        - replicasets
        - statefulsets
        - daemonsets
      operations:
        - CREATE
    - apiGroups:
        - batch
      apiVersions:
        - v1
      resources:
        - jobs
        - cronjobs
      operations:
        - CREATE
    - apiGroups:
        - ""
      apiVersions:
        - v1
      resources:
        - pods
      operations:
        - CREATE
  mode: monitor
  failurePolicy: Ignore
  mutating: false
  contextAwareResources:
    - apiVersion: storage.sbomscanner.kubewarden.io/v1alpha1
      kind: VulnerabilityReport
  settings:
    ignoreMissingVulnerabilityReport: true
    vulnerabilityReportNamespace: sbomscanner
    maxSeverity:
      critical:
        total: 0
      high:
        total: 0
      medium:
        total: 5
      low:
        total: 10
