{"id":22423847,"url":"https://github.com/statcan/gatekeeper-policies","last_synced_at":"2025-09-04T18:21:55.911Z","repository":{"id":38041095,"uuid":"199915601","full_name":"StatCan/gatekeeper-policies","owner":"StatCan","description":"Policies that are to be enforced by GateKeeper for the Cloud Native Platform","archived":false,"fork":false,"pushed_at":"2024-02-01T01:34:16.000Z","size":78364,"stargazers_count":16,"open_issues_count":10,"forks_count":12,"subscribers_count":6,"default_branch":"main","last_synced_at":"2024-07-30T19:43:52.361Z","etag":null,"topics":["cloud-native","cns","gatekeeper","kubernetes","opa","open-policy-agent"],"latest_commit_sha":null,"homepage":"","language":"Open Policy Agent","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/StatCan.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2019-07-31T19:18:40.000Z","updated_at":"2024-06-28T19:04:20.000Z","dependencies_parsed_at":"2023-10-17T01:22:29.176Z","dependency_job_id":"6d4e0fd8-e4e1-44d0-b270-a924820c7cc7","html_url":"https://github.com/StatCan/gatekeeper-policies","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/StatCan%2Fgatekeeper-policies","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/StatCan%2Fgatekeeper-policies/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/StatCan%2Fgatekeeper-policies/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/StatCan%2Fgatekeeper-policies/manifests","owner_url":"https://repos.
ecosyste.ms/api/v1/hosts/GitHub/owners/StatCan","download_url":"https://codeload.github.com/StatCan/gatekeeper-policies/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":228348339,"owners_count":17905899,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloud-native","cns","gatekeeper","kubernetes","opa","open-policy-agent"],"created_at":"2024-12-05T18:13:16.263Z","updated_at":"2024-12-05T18:13:17.063Z","avatar_url":"https://github.com/StatCan.png","language":"Open Policy Agent","funding_links":[],"categories":[],"sub_categories":[],"readme":"# GateKeeper Policies\n\nPolicies that are to be enforced by [GateKeeper](https://github.com/open-policy-agent/gatekeeper) for the Kubernetes Platform.\n\n\u003e Note: Gatekeeper is a validating / mutating webhook that enforces CRD-based policies executed by the Open Policy Agent.\n\n## Policies\n\n### General\n\nThis repo contains general policies that can be used to enforce common Kubernetes requirements.\n\n| Control Aspect                   | Gatekeeper Constraint Template                                               |\n| -------------------------------- | ---------------------------------------------------------------------------- |\n| Container Allowed Images         | [container-allowed-images](general/container-allowed-images)                 |\n| Container Image Must Have Digest | [container-image-must-have-digest](general/container-image-must-have-digest) |\n| Container Limits                 | [container-limits](general/container-limits)                            
     |\n| Deny External Users              | [deny-external-users](general/deny-external-users)                           |\n| Ingress No Hostnames             | [ingress-no-hostnames](general/ingress-no-hostnames)                         |\n| Ingress Hostnames Conflict       | [ingress-hostnames-conflict](general/ingress-hostnames-conflict)             |\n| Load Balancer No Public IPs      | [loadbalancer-no-public-ips](general/loadbalancer-no-public-ips)             |\n| Pod Enforce Labels               | [pod-enforce-labels](general/pod-enforce-labels)                             |\n| Restrict Hostnames               | [restrict-hostnames](general/restrict-hostnames/)                            |\n\n### Pod Security Policies\n\nThis repo contains common policies that reimplement the controls of the deprecated `PodSecurityPolicy` as Constraint Templates enforced by [GateKeeper](https://github.com/open-policy-agent/gatekeeper).\n\n| Control Aspect                     | Gatekeeper Constraint Template                                                             |\n| ---------------------------------- | ------------------------------------------------------------------------------------------ |\n| Allowed external ips               | [allowed-external-ips](pod-security-policy/allowed-external-ips)                           |\n| Allowed host paths                 | [allowed-host-paths](pod-security-policy/allowed-host-paths)                               |\n| Allowed privilege escalation       | [allowed-privilege-escalation](pod-security-policy/allowed-privilege-escalation)           |\n| Allowed proc mount types           | [allowed-proc-mount-types](pod-security-policy/allowed-proc-mount-types)                   |\n| Allowed seccomp profiles           | [allowed-seccomp-profiles](pod-security-policy/allowed-seccomp-profiles)                   |\n| Allowed users and groups           | [allowed-users-groups](pod-security-policy/allowed-users-groups)                           |\n| Allowed 
volume types               | [allowed-volume-types](pod-security-policy/allowed-volume-types)                           |\n| Block automount token              | [block-automount-token](pod-security-policy/block-automount-token)                         |\n| Block default namespace            | [block-default-namespace](pod-security-policy/block-default-namespace)                     |\n| Block host namespace               | [block-host-namespace](pod-security-policy/block-host-namespace)                           |\n| Container capabilities             | [container-capabilities](pod-security-policy/container-capabilities)                       |\n| Container no privilege escalation  | [container-no-privilege-escalation](pod-security-policy/container-no-privilege-escalation) |\n| Deny Employee-Only Features        | [deny-employee-only-features](pod-security-policy/deny-employee-only-features)             |\n| Deny extraction                    | [deny-extraction](pod-security-policy/deny-extraction)                                     |\n| Deny pipelines                     | [deny-pipelines](pod-security-policy/deny-pipelines)                                       |\n| Disk data classification           | [disk-data-classification](pod-security-policy/disk-data-classification)                   |\n| Enforce apparmor profile           | [enforce-apparmor-profile](pod-security-policy/enforce-apparmor-profile)                   |\n| Flexvolume drivers                 | [flexvolume-drivers](pod-security-policy/flexvolume-drivers)                               |\n| Forbidden sysctls                  | [forbidden-sysctls](pod-security-policy/forbidden-sysctls-interfaces)                      |\n| Host networking and ports          | [host-network-ports](pod-security-policy/host-network-ports)                               |\n| Protected B Auth                   | [protectedb-auth](pod-security-policy/protectedb-auth)                                     |\n| Require read 
only root file system | [read-only-root-filesystem](pod-security-policy/read-only-root-filesystem)                 |\n| Metadata restrictions              | [metadata-restrictions](pod-security-policy/metadata-restrictions)                         |\n| Namespace guardrails               | [namespace-guardrails](pod-security-policy/namespace-guardrails)                           |\n| SELinux context of the container   | [seLinux](pod-security-policy/selinux)                                                     |\n\n### Service Mesh\n\nThis repo contains a set of common policies that can be used to enforce specific Service Mesh features.\n\n| Control Aspect      | Gatekeeper Constraint Template                          |\n| ------------------- | ------------------------------------------------------- |\n| Gateway             | [gateway](service-mesh/gateway)                         |\n| Peer Authentication | [peer-authentication](service-mesh/peer-authentication) |\n| Port Naming         | [port-naming](service-mesh/port-naming)                 |\n| Traffic Policy      | [traffic-policy](service-mesh/traffic-policy)           |\n\n## Testing\n\nWhen creating a policy, there are currently three ways of testing it:\n\n### OPA Tests\n\nThe `opa` CLI can be used to run [tests](https://www.openpolicyagent.org/docs/latest/policy-testing) on policies.\nThis is very useful because Open Policy Agent allows data to be mocked easily via the [`with` keyword](https://www.openpolicyagent.org/docs/latest/policy-testing/#data-and-function-mocking).\n\n\u003e These tests are best suited to policies that require access to data which is not available in the [`AdmissionReview`](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#webhook-request-and-response) API but is accessed via [Gatekeeper's data replication features](https://open-policy-agent.github.io/gatekeeper/website/docs/sync).\n\nTo take advantage of automatic test running and the 
automatic copying of `rego` into a `ConstraintTemplate`, the following structure needs to be followed:\n- Ensure that the `ConstraintTemplate` is in a file named `template.yaml` at the root of your policy's folder\n- Ensure that the `rego` files are in a folder called `rego`\n  - For example: [general/restrict-hostnames/rego](./general/restrict-hostnames/rego/)\n- Ensure that the `rego` that should be injected into the `ConstraintTemplate` is named `src.rego`\n- Run the [`rego.sh`](./rego.sh) script to run tests and copy your source code into `template.yaml`\n  - Note: requires the [`yq`](https://github.com/mikefarah/yq) utility\n\n### Integration Tests\n\nIntegration tests are run as part of GitHub Actions. They deploy policies to a `k3s` cluster using the [BATS](https://github.com/bats-core/bats-core) framework. Each test deploys the `ConstraintTemplate` for the policy, a single CustomResource of the CRD derived from the `ConstraintTemplate`, and two resources representing a passing and a failing scenario.\n\nTo take advantage of this system, create the following:\n- Ensure that the `ConstraintTemplate` is in a file named `template.yaml` at the root of your policy's folder\n- Create a folder named `example` at the root of your policy's folder\n- In the `example` folder:\n  - Create a file named `constraint.yaml` with the `CustomResource` representing an implemented policy\n  - Create a file named `allowed.yaml` with a resource that should pass the policy\n  - Create a file named `disallowed.yaml` with a resource that should not pass the policy\n\n### Gator\n\n[`gator`](https://open-policy-agent.github.io/gatekeeper/website/docs/gator) is a recent addition to Gatekeeper that allows test suites to be written and run locally.\n\n[`gator` test suites](https://open-policy-agent.github.io/gatekeeper/website/docs/gator#writing-test-suites) are run automatically as part of the CI.\n\n## Links\n\n- [Rego Playground](https://play.openpolicyagent.org/)\n\n## 
Acknowledgements\n\n- [Anthos](https://github.com/GoogleCloudPlatform/acm-policy-controller-library)\n- [Azure Policy](https://github.com/Azure/azure-policy/tree/master/built-in-references/Kubernetes)\n- [Community Policy](https://github.com/Azure/Community-Policy)\n- [Open Policy Agent](https://github.com/open-policy-agent/gatekeeper-library)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstatcan%2Fgatekeeper-policies","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstatcan%2Fgatekeeper-policies","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstatcan%2Fgatekeeper-policies/lists"}