diff --git a/5gsec/oai-core/ksp-core-amf-zero-trust.yaml b/5gsec/oai-core/ksp-core-amf-zero-trust.yaml
new file mode 100644
index 00000000..ca748750
--- /dev/null
+++ b/5gsec/oai-core/ksp-core-amf-zero-trust.yaml
@@ -0,0 +1,51 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: ksp-core-amf-zero-trust
+ namespace: oai-core
+spec:
+ action: Allow
+ file:
+ matchDirectories:
+ - dir: /
+ recursive: true
+ - dir: /openair-amf/etc/
+ recursive: true
+ action: Block
+ - dir: /openair-amf/etc/
+ recursive: true
+ fromSource:
+ - path: /openair-amf/bin/oai_amf
+ - dir: /run/secrets/kubernetes.io/serviceaccount/
+ action: Block
+ message: unauthorized access to kubernetes service account
+ - dir: /run/secrets/kubernetes.io/serviceaccount/
+ action: Allow
+ fromSource:
+ - path: /openair-amf/bin/oai_amf
+ matchPaths:
+ - path: /openair-amf/etc/amf.yaml
+ action: Block
+ - path: /openair-amf/etc/amf.yaml
+ fromSource:
+ - path: /openair-amf/bin/oai_amf
+
+ network:
+ matchProtocols:
+ - fromSource:
+ - path: /openair-amf/bin/oai_amf
+ protocol: raw
+ - fromSource:
+ - path: /openair-amf/bin/oai_amf
+ protocol: tcp
+ - fromSource:
+ - path: /openair-amf/bin/oai_amf
+ protocol: udp
+ process:
+ matchPaths:
+ - path: /openair-amf/bin/oai_amf
+ selector:
+ matchLabels:
+ workload.nephio.org/oai: amf
+ severity: 1
diff --git a/5gsec/oai-core/ksp-core-ausf-zero-trust.yaml b/5gsec/oai-core/ksp-core-ausf-zero-trust.yaml
new file mode 100644
index 00000000..527ad9b6
--- /dev/null
+++ b/5gsec/oai-core/ksp-core-ausf-zero-trust.yaml
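Review bot: The Allow rule for `/run/secrets/kubernetes.io/serviceaccount/` with `fromSource: /openair-amf/bin/oai_amf` hands the pod's API token to exactly the process most exposed to the network, and it contradicts the Kyverno policy added in this same commit that requires `automountServiceAccountToken: false`; if the token is not mounted there is nothing to allow, so drop that rule and keep only the Block. Separately, the top-level `action: Allow` combined with `dir: /` `recursive: true` and no `readOnly: true` lets every process in the pod write anywhere outside the two blocked directories, which is a weak baseline for a policy named zero-trust — add `readOnly: true` to the `/` rule and to the `fromSource` rules for `/openair-amf/etc/` and `amf.yaml` so oai_amf can read but not rewrite its configuration. Finally, the companion NetworkPolicy admits SCTP/38412 (N2) to the AMF, but the network allowlist here is only raw/tcp/udp; confirm under the enforcer in use that the AMF's SCTP sockets are still permitted, otherwise N2 will be denied once this policy is enforced.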
@@ -0,0 +1,51 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: ksp-core-ausf-zero-trust
+ namespace: oai-core
+spec:
+ action: Allow
+ file:
+ matchDirectories:
+ - dir: /
+ recursive: true
+ - dir: /openair-ausf/etc/
+ recursive: true
+ action: Block
+ - dir: /openair-ausf/etc/
+ recursive: true
+ fromSource:
+ - path: /openair-ausf/bin/oai_ausf
+ - dir: /run/secrets/kubernetes.io/serviceaccount/
+ action: Block
+ message: unauthorized access to kubernetes service account
+ - dir: /run/secrets/kubernetes.io/serviceaccount/
+ action: Allow
+ fromSource:
+ - path: /openair-ausf/bin/oai_ausf
+ matchPaths:
+ - path: /openair-ausf/etc/ausf.yaml
+ action: Block
+ - path: /openair-ausf/etc/ausf.yaml
+ fromSource:
+ - path: /openair-ausf/bin/oai_ausf
+
+ network:
+ matchProtocols:
+ - fromSource:
+ - path: /openair-ausf/bin/oai_ausf
+ protocol: raw
+ - fromSource:
+ - path: /openair-ausf/bin/oai_ausf
+ protocol: tcp
+ - fromSource:
+ - path: /openair-ausf/bin/oai_ausf
+ protocol: udp
+ process:
+ matchPaths:
+ - path: /openair-ausf/bin/oai_ausf
+ selector:
+ matchLabels:
+ workload.nephio.org/oai: ausf
+ severity: 1
\ No newline at end of file
diff --git a/5gsec/oai-core/ksp-core-nrf-zero-trust.yaml b/5gsec/oai-core/ksp-core-nrf-zero-trust.yaml
new file mode 100644
index 00000000..53448141
--- /dev/null
+++ b/5gsec/oai-core/ksp-core-nrf-zero-trust.yaml
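Review bot: `protocol: raw` is granted to `/openair-ausf/bin/oai_ausf` although, as far as this commit shows, the AUSF only needs TCP for its SBI traffic; a raw-socket allowance lets a compromised NF sniff or forge packets on the pod network and sidesteps the tcp/udp-level restriction the rest of the policy tries to impose, so remove that entry unless the binary is known to need it, and comment the reason if it does. The `dir: /` Allow rule also lacks `readOnly: true`, so the 'zero-trust' baseline still permits writes anywhere not explicitly blocked; `- dir: /` / `recursive: true` / `readOnly: true` is the minimal fix. The file also ends without a trailing newline (`\ No newline at end of file`), unlike its AMF sibling — minor, but worth normalising so diffs stay clean.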
@@ -0,0 +1,51 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: ksp-core-nrf-zero-trust
+ namespace: oai-core
+spec:
+ action: Allow
+ file:
+ matchDirectories:
+ - dir: /
+ recursive: true
+ - dir: /openair-nrf/etc/
+ recursive: true
+ action: Block
+ - dir: /openair-nrf/etc/
+ recursive: true
+ fromSource:
+ - path: /openair-nrf/bin/oai_nrf
+ - dir: /run/secrets/kubernetes.io/serviceaccount/
+ action: Block
+ message: unauthorized access to kubernetes service account
+ - dir: /run/secrets/kubernetes.io/serviceaccount/
+ action: Allow
+ fromSource:
+ - path: /openair-nrf/bin/oai_nrf
+ matchPaths:
+ - path: /openair-nrf/etc/nrf.yaml
+ action: Block
+ - path: /openair-nrf/etc/nrf.yaml
+ fromSource:
+ - path: /openair-nrf/bin/oai_nrf
+
+ network:
+ matchProtocols:
+ - fromSource:
+ - path: /openair-nrf/bin/oai_nrf
+ protocol: raw
+ - fromSource:
+ - path: /openair-nrf/bin/oai_nrf
+ protocol: tcp
+ - fromSource:
+ - path: /openair-nrf/bin/oai_nrf
+ protocol: udp
+ process:
+ matchPaths:
+ - path: /openair-nrf/bin/oai_nrf
+ selector:
+ matchLabels:
+ workload.nephio.org/oai: nrf
+ severity: 1
diff --git a/5gsec/oai-core/ksp-core-smf-zero-trust.yaml b/5gsec/oai-core/ksp-core-smf-zero-trust.yaml
new file mode 100644
index 00000000..27a5623b
--- /dev/null
+++ b/5gsec/oai-core/ksp-core-smf-zero-trust.yaml
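Review bot: The process allowlist (`process.matchPaths` containing only `/openair-nrf/bin/oai_nrf` under a top-level `action: Allow`) will deny any wrapper the image runs before the NF binary; OAI images commonly start through an entrypoint script that renders the configuration and then exec's the binary, and if that is the case here the pod will never reach oai_nrf once the policy is enforced. Verify the image's ENTRYPOINT/CMD and, if a wrapper exists, add it and its interpreter to `process.matchPaths`, or roll the policy out with `action: Audit` first and promote it after the denial log is clean. Also, only the serviceaccount Block carries a `message:`; since the NRF is the discovery hub for every other NF, add one to the `/openair-nrf/etc/` Block too (e.g. `message: config tampering attempt on NRF`) so those events are identifiable in the KubeArmor logs.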
@@ -0,0 +1,51 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: ksp-core-smf-zero-trust
+ namespace: oai-core
+spec:
+ action: Allow
+ file:
+ matchDirectories:
+ - dir: /
+ recursive: true
+ - dir: /openair-smf/etc/
+ recursive: true
+ action: Block
+ - dir: /openair-smf/etc/
+ recursive: true
+ fromSource:
+ - path: /openair-smf/bin/oai_smf
+ - dir: /run/secrets/kubernetes.io/serviceaccount/
+ action: Block
+ message: unauthorized access to kubernetes service account
+ - dir: /run/secrets/kubernetes.io/serviceaccount/
+ action: Allow
+ fromSource:
+ - path: /openair-smf/bin/oai_smf
+ matchPaths:
+ - path: /openair-smf/etc/smf.yaml
+ action: Block
+ - path: /openair-smf/etc/smf.yaml
+ fromSource:
+ - path: /openair-smf/bin/oai_smf
+
+ network:
+ matchProtocols:
+ - fromSource:
+ - path: /openair-smf/bin/oai_smf
+ protocol: raw
+ - fromSource:
+ - path: /openair-smf/bin/oai_smf
+ protocol: tcp
+ - fromSource:
+ - path: /openair-smf/bin/oai_smf
+ protocol: udp
+ process:
+ matchPaths:
+ - path: /openair-smf/bin/oai_smf
+ selector:
+ matchLabels:
+ workload.nephio.org/oai: smf
+ severity: 1
diff --git a/5gsec/oai-core/ksp-core-udm-zero-trust.yaml b/5gsec/oai-core/ksp-core-udm-zero-trust.yaml
new file mode 100644
index 00000000..0c5a347b
--- /dev/null
+++ b/5gsec/oai-core/ksp-core-udm-zero-trust.yaml
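Review bot: The `matchPaths` pair for `/openair-smf/etc/smf.yaml` duplicates what the recursive `matchDirectories` pair for `/openair-smf/etc/` already enforces, so the same file is governed by two rule sets that will drift when only one is edited; either drop the `matchPaths` entries or keep them and narrow the directory rule to whatever else lives in `etc/`. Whichever pair stays, the `fromSource` Allow should carry `readOnly: true` so a compromised oai_smf cannot rewrite its own configuration (presumably where the UPF/PFCP peer settings live — confirm). `severity: 1` is also the lowest level KubeArmor offers; the serviceaccount Block is the alert you most want to see, so raise the policy's severity or it will be buried under routine noise.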
@@ -0,0 +1,51 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: ksp-core-udm-zero-trust
+ namespace: oai-core
+spec:
+ action: Allow
+ file:
+ matchDirectories:
+ - dir: /
+ recursive: true
+ - dir: /openair-udm/etc/
+ recursive: true
+ action: Block
+ - dir: /openair-udm/etc/
+ recursive: true
+ fromSource:
+ - path: /openair-udm/bin/oai_udm
+ - dir: /run/secrets/kubernetes.io/serviceaccount/
+ action: Block
+ message: unauthorized access to kubernetes service account
+ - dir: /run/secrets/kubernetes.io/serviceaccount/
+ action: Allow
+ fromSource:
+ - path: /openair-udm/bin/oai_udm
+ matchPaths:
+ - path: /openair-udm/etc/udm.yaml
+ action: Block
+ - path: /openair-udm/etc/udm.yaml
+ fromSource:
+ - path: /openair-udm/bin/oai_udm
+
+ network:
+ matchProtocols:
+ - fromSource:
+ - path: /openair-udm/bin/oai_udm
+ protocol: raw
+ - fromSource:
+ - path: /openair-udm/bin/oai_udm
+ protocol: tcp
+ - fromSource:
+ - path: /openair-udm/bin/oai_udm
+ protocol: udp
+ process:
+ matchPaths:
+ - path: /openair-udm/bin/oai_udm
+ selector:
+ matchLabels:
+ workload.nephio.org/oai: udm
+ severity: 1
diff --git a/5gsec/oai-core/ksp-core-udr-zero-trust.yaml b/5gsec/oai-core/ksp-core-udr-zero-trust.yaml
new file mode 100644
index 00000000..a321715b
--- /dev/null
+++ b/5gsec/oai-core/ksp-core-udr-zero-trust.yaml
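Review bot: `protocol: raw` for `/openair-udm/bin/oai_udm` should be removed unless there is a documented need — the UDM is an SBI-only function and raw sockets would let a compromised process craft arbitrary packets or sniff the pod's interface, bypassing the tcp/udp restriction this policy otherwise imposes. The Allow-from-`oai_udm` rule for `/run/secrets/kubernetes.io/serviceaccount/` is likewise at odds with the Kyverno policy in this commit that requires `automountServiceAccountToken: false`; with no token mounted there is nothing to allow, so keep only the Block and its `message`. If `raw` is kept, add an inline comment on that entry stating what the binary uses it for, so the next reviewer does not have to guess.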
@@ -0,0 +1,51 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: ksp-core-udr-zero-trust
+ namespace: oai-core
+spec:
+ action: Allow
+ file:
+ matchDirectories:
+ - dir: /
+ recursive: true
+ - dir: /openair-udr/etc/
+ recursive: true
+ action: Block
+ - dir: /openair-udr/etc/
+ recursive: true
+ fromSource:
+ - path: /openair-udr/bin/oai_udr
+ - dir: /run/secrets/kubernetes.io/serviceaccount/
+ action: Block
+ message: unauthorized access to kubernetes service account
+ - dir: /run/secrets/kubernetes.io/serviceaccount/
+ action: Allow
+ fromSource:
+ - path: /openair-udr/bin/oai_udr
+ matchPaths:
+ - path: /openair-udr/etc/udr.yaml
+ action: Block
+ - path: /openair-udr/etc/udr.yaml
+ fromSource:
+ - path: /openair-udr/bin/oai_udr
+
+ network:
+ matchProtocols:
+ - fromSource:
+ - path: /openair-udr/bin/oai_udr
+ protocol: raw
+ - fromSource:
+ - path: /openair-udr/bin/oai_udr
+ protocol: tcp
+ - fromSource:
+ - path: /openair-udr/bin/oai_udr
+ protocol: udp
+ process:
+ matchPaths:
+ - path: /openair-udr/bin/oai_udr
+ selector:
+ matchLabels:
+ workload.nephio.org/oai: udr
+ severity: 1
diff --git a/5gsec/oai-core/ksp-core-upf-zero-trust.yaml b/5gsec/oai-core/ksp-core-upf-zero-trust.yaml
new file mode 100644
index 00000000..68ad6236
--- /dev/null
+++ b/5gsec/oai-core/ksp-core-upf-zero-trust.yaml
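Review bot: The Allow rules that let `/openair-udr/bin/oai_udr` into `/openair-udr/etc/` and `udr.yaml` do not set `readOnly: true`, so a compromised UDR process can rewrite its own configuration — which, if it follows the usual OAI layout, is where the subscriber-database connection settings live (confirm) — and that change persists until the pod restarts. Add `readOnly: true` to both `fromSource` rules and leave the Block rules as they are. The recursive `dir: /` Allow is what makes the rest of the filesystem writable to every process in the pod; `readOnly: true` on that rule is the single change that brings the policy closest to its 'zero-trust' name, with any genuinely writable paths (e.g. a temp directory, if the binary needs one) allowed explicitly.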
@@ -0,0 +1,51 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: ksp-core-upf-zero-trust
+ namespace: oai-core
+spec:
+ action: Allow
+ file:
+ matchDirectories:
+ - dir: /
+ recursive: true
+ - dir: /openair-upf/etc/
+ recursive: true
+ action: Block
+ - dir: /openair-upf/etc/
+ recursive: true
+ fromSource:
+ - path: /openair-upf/bin/oai_upf
+ - dir: /run/secrets/kubernetes.io/serviceaccount/
+ action: Block
+ message: unauthorized access to kubernetes service account
+ - dir: /run/secrets/kubernetes.io/serviceaccount/
+ action: Allow
+ fromSource:
+ - path: /openair-upf/bin/oai_upf
+ matchPaths:
+ - path: /openair-upf/etc/upf.yaml
+ action: Block
+ - path: /openair-upf/etc/upf.yaml
+ fromSource:
+ - path: /openair-upf/bin/oai_upf
+
+ network:
+ matchProtocols:
+ - fromSource:
+ - path: /openair-upf/bin/oai_upf
+ protocol: raw
+ - fromSource:
+ - path: /openair-upf/bin/oai_upf
+ protocol: tcp
+ - fromSource:
+ - path: /openair-upf/bin/oai_upf
+ protocol: udp
+ process:
+ matchPaths:
+ - path: /openair-upf/bin/oai_upf
+ selector:
+ matchLabels:
+ workload.nephio.org/oai: upf
+ severity: 1
diff --git a/5gsec/oai-core/kyverno-core-readonly-volume-mounts.yaml b/5gsec/oai-core/kyverno-core-readonly-volume-mounts.yaml
new file mode 100644
index 00000000..b6f84213
--- /dev/null
+++ b/5gsec/oai-core/kyverno-core-readonly-volume-mounts.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: kyverno-core-readonly-volume-mounts
+spec:
+ validationFailureAction: enforce
+ rules:
+ - name: check-readonly-volumes
+ match:
+ resources:
+ kinds:
+ - Pod
+ namespaces:
+ - oai-core
+ validate:
+ message: "All volume mounts must be read-only."
+ pattern:
+ spec:
+ containers:
+ - volumeMounts:
+ - readOnly: true
diff --git a/5gsec/oai-core/kyverno-core-restrict-sa-automount-sa-token.yaml b/5gsec/oai-core/kyverno-core-restrict-sa-automount-sa-token.yaml
new file mode 100644
index 00000000..35e6b76e
--- /dev/null
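Review bot: `protocol: raw` for `/openair-upf/bin/oai_upf` is the one raw-socket allowance in this set that is plausibly legitimate (a user-plane function may use raw or packet sockets for N3/N6 forwarding), but nothing in the policy records that, so the next reviewer will either strip it or copy it blindly; add a comment on that entry such as `# raw: user-plane packet I/O on N3/N6 — confirm against the UPF build in use` and remove it if this UPF turns out to be a pure UDP/GTP-U implementation. The `fromSource` Allow for `/run/secrets/kubernetes.io/serviceaccount/` should go, consistent with the Kyverno automount policy in this commit, leaving only the Block. The recursive `dir: /` Allow should also gain `readOnly: true` so a compromised UPF cannot write outside the paths you deliberately open up.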
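Review bot: The pattern only inspects `spec.containers[].volumeMounts`, so a writable mount declared on an `initContainers` or `ephemeralContainers` entry passes unchecked, and because `volumeMounts:` is not conditionally anchored a container with no mounts at all is likely to fail the rule instead of trivially satisfying it (Kyverno treats a pattern key absent from the resource as a mismatch — verify against the Kyverno version in use, 1.11.1 per the sibling policy's annotation). Use the `=()` conditional anchor on the optional keys and add the other container lists, as below. Also `validationFailureAction: enforce` is lowercase here while the sibling automount policy uses `Audit`; Kyverno 1.11 documents the values as `Enforce`/`Audit`, so use the capitalised form for consistency.

```yaml
validate:
  message: "All volume mounts must be read-only."
  pattern:
    spec:
      =(initContainers):
      - =(volumeMounts):
        - readOnly: true
      =(ephemeralContainers):
      - =(volumeMounts):
        - readOnly: true
      containers:
      - =(volumeMounts):
        - readOnly: true
```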
+++ b/5gsec/oai-core/kyverno-core-restrict-sa-automount-sa-token.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: kyverno-core-restrict-sa-automount-sa-token
+ annotations:
+ policies.kyverno.io/title: Restrict Auto-Mount of Service Account Tokens in Service Account
+ policies.kyverno.io/category: Security
+ kyverno.io/kyverno-version: 1.11.1
+ kyverno.io/kubernetes-version: "1.27"
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Secret,ServiceAccount
+ policies.kyverno.io/description: >-
+ Kubernetes automatically mounts ServiceAccount credentials in each ServiceAccount.
+ The ServiceAccount may be assigned roles allowing Pods to access API resources.
+ Blocking this ability is an extension of the least privilege best practice and should
+ be followed if Pods do not need to speak to the API server to function.
+ This policy ensures that mounting of these ServiceAccount tokens is blocked.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: validate-sa-automountServiceAccountToken
+ match:
+ any:
+ - resources:
+ kinds:
+ - ServiceAccount
+ validate:
+ message: "ServiceAccounts must set automountServiceAccountToken to false."
+ pattern:
+ automountServiceAccountToken: false
diff --git a/5gsec/oai-core/netpol-core-amf.yaml b/5gsec/oai-core/netpol-core-amf.yaml
new file mode 100644
index 00000000..d7d0ccdb
--- /dev/null
+++ b/5gsec/oai-core/netpol-core-amf.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: netpol-core-amf
+ namespace: oai-core
+spec:
+ podSelector:
+ matchLabels:
+ workload.nephio.org/oai: amf # Applies to pods with label 'app=pod1'
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ workload.nephio.org/oai: ausf # Allows traffic to pods with label 'app=pod2'
+ ports:
+ - protocol: TCP
+ port: 80
+ - protocol: SCTP
+ port: 38412 # Example port (e.g., HTTP)
\ No newline at end of file
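Review bot: The description says the policy "ensures that mounting of these ServiceAccount tokens is blocked", but `validationFailureAction: Audit` only reports — either switch to `Enforce` or reword the description so nobody relies on a control that does not block. More importantly the rule checks only ServiceAccount objects, and Kubernetes lets a Pod override that setting with `spec.automountServiceAccountToken: true`, so the token still lands in the pod unless Pods are validated as well. The match is also cluster-wide with no `namespaces:` filter, so it will report every ServiceAccount in `kube-system`, Kyverno's own namespace and so on, and the identical ClusterPolicy added under `5gsec/oai-ran/` in this same commit duplicates each finding; scope each copy to its namespaces or keep a single policy. A Pod rule along the lines below closes the override gap.

```yaml
rules:
# … unchanged: validate-sa-automountServiceAccountToken …
- name: validate-pod-automountServiceAccountToken
  match:
    any:
    - resources:
        kinds:
        - Pod
        namespaces:
        - oai-core
  validate:
    message: "Pods must not automount the ServiceAccount token."
    pattern:
      spec:
        # a Pod that omits the field inherits the ServiceAccount's setting,
        # which the rule above already audits
        =(automountServiceAccountToken): false
```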
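Review bot: The single ingress rule places SCTP/38412 (N2, NGAP) under the same `from` as the `ausf` pod selector, so the only peer allowed to open N2 is an AUSF-labelled pod in `oai-core`; the gNB CU-CP that actually originates N2 runs in a RAN namespace (this commit uses `oai-ran-*` namespaces) and a bare `podSelector` never matches across namespaces, so N2 will be dropped as soon as the policy takes effect. Split it into an SBI rule and an N2 rule with a `namespaceSelector`, and confirm the SBI peer set — the SMF also calls the AMF over the SBI for N1/N2 message transfer and is not in `from`. The trailing comments (`app=pod1`, `app=pod2`, and `Example port (e.g., HTTP)` on an SCTP port) are template leftovers that now mislead; replace them with the interface names.

```yaml
ingress:
# SBI from core peers (add every NF that calls the AMF, e.g. smf)
- from:
  - podSelector:
      matchLabels:
        workload.nephio.org/oai: ausf
  ports:
  - protocol: TCP
    port: 80
# N2 / NGAP from the gNB CU-CP, which runs in a RAN namespace
- from:
  - namespaceSelector:
      matchLabels:
        kubernetes.io/metadata.name: <the oai-ran-* namespace hosting the CU-CP>
  ports:
  - protocol: SCTP
    port: 38412
```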
diff --git a/5gsec/oai-core/netpol-core-smf.yaml b/5gsec/oai-core/netpol-core-smf.yaml
new file mode 100644
index 00000000..a91cf501
--- /dev/null
+++ b/5gsec/oai-core/netpol-core-smf.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: netpol-core-smf
+ namespace: oai-core
+spec:
+ podSelector:
+ matchLabels:
+ workload.nephio.org/oai: smf # Applies to pods with label 'app=pod1'
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ workload.nephio.org/oai: upf # Allows traffic to pods with label 'app=pod2'
+ ports:
+ - protocol: TCP
+ port: 80
+ - protocol: UDP
+ port: 8085 # n4
\ No newline at end of file
diff --git a/5gsec/oai-core/netpol-core-udr.yaml b/5gsec/oai-core/netpol-core-udr.yaml
new file mode 100644
index 00000000..e8838a08
--- /dev/null
+++ b/5gsec/oai-core/netpol-core-udr.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: netpol-core-udr
+ namespace: oai-core
+spec:
+ podSelector:
+ matchLabels:
+ workload.nephio.org/oai: udr
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ workload.nephio.org/oai: udm
+ ports:
+ - protocol: TCP
+ port: 80 # Example port (e.g., HTTP)
\ No newline at end of file
diff --git a/5gsec/oai-ran/ksp-oran-cuup-zero-trust.yaml b/5gsec/oai-ran/ksp-oran-cuup-zero-trust.yaml
new file mode 100644
index 00000000..804d8e89
--- /dev/null
+++ b/5gsec/oai-ran/ksp-oran-cuup-zero-trust.yaml
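Review bot: With `policyTypes: [Egress]` and a single `to` entry, the SMF may only talk to UPF pods on TCP 80 and UDP 8085 — every other egress, including DNS to CoreDNS and the SBI calls to the NRF, AMF and UDM that an SMF has to make, is dropped, so service-name resolution and NF registration fail the moment this is applied. `8085 # n4` also does not match N4: PFCP is registered on UDP 8805, and that is the OAI default as far as I know, so this looks like a transposition — confirm against the UPF's listening port before merging. Add a DNS rule and the SBI peers, and decide whether TCP 80 to the UPF is actually used (nothing in this commit shows the SMF calling the UPF over HTTP); the `app=pod1`/`app=pod2` template comments should go while editing.

```yaml
egress:
# N4 (PFCP) to the UPF — registered port is UDP 8805, confirm against upf config
- to:
  - podSelector:
      matchLabels:
        workload.nephio.org/oai: upf
  ports:
  - protocol: UDP
    port: 8805
# DNS, otherwise the SMF cannot resolve NRF/AMF/UDM service names
- to:
  - namespaceSelector:
      matchLabels:
        kubernetes.io/metadata.name: kube-system
    podSelector:
      matchLabels:
        k8s-app: kube-dns
  ports:
  - protocol: UDP
    port: 53
  - protocol: TCP
    port: 53
# … still to add: SBI egress (TCP 80) to nrf, amf and udm pods …
```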
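Review bot: `port: 80 # Example port (e.g., HTTP)` is a template leftover on what is the UDR's SBI port — replace the comment with `# SBI (Nudr)` and confirm the value against `udr.yaml`, because if the UDR listens elsewhere (OAI deployments vary between 80 and 8080) this policy admits nothing useful and UDM lookups will silently time out. The policy allows ingress only from `udm`-labelled pods, which is the expected primary caller, but check whether anything else reaches the UDR (an NRF status notification, for instance) before enforcing, since those peers are cut off with no log at the UDR. A one-line comment on the `from` entry stating why only the UDM is admitted would make that decision reviewable later, as the other two NetworkPolicies in this commit leave the same question open.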
@@ -0,0 +1,42 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: ksp-oran-cuup-zero-trust
+ namespace: oai-ran-cuup
+spec:
+ action: Allow
+ file:
+ matchDirectories:
+ - dir: /
+ recursive: true
+ - dir: /run/secrets/kubernetes.io/serviceaccount/
+ action: Block
+ message: unauthorized access to kubernetes service account
+ - dir: /run/secrets/kubernetes.io/serviceaccount/
+ action: Allow
+ fromSource:
+ - path: /opt/oai-gnb/bin/nr-cuup
+ matchPaths:
+ - path: /opt/oai-gnb/etc/gnb.conf
+ action: Block
+ - path: /opt/oai-gnb/etc/gnb.conf
+ fromSource:
+ - path: /opt/oai-gnb/bin/nr-cuup
+ network:
+ matchProtocols:
+ - fromSource:
+ - path: /opt/oai-gnb/bin/nr-cuup
+ protocol: raw
+ - fromSource:
+ - path: /opt/oai-gnb/bin/nr-cuup
+ protocol: tcp
+ - fromSource:
+ - path: /opt/oai-gnb/bin/nr-cuup
+ protocol: udp
+ process:
+ matchPaths:
+ - path: /opt/oai-gnb/bin/nr-cuup
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: oai-gnb-cu-up
+ severity: 1
diff --git a/5gsec/oai-ran/ksp-oran-du-zero-trust.yaml b/5gsec/oai-ran/ksp-oran-du-zero-trust.yaml
new file mode 100644
index 00000000..5c643a87
--- /dev/null
+++ b/5gsec/oai-ran/ksp-oran-du-zero-trust.yaml
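Review bot: Unlike the core-NF policies in this commit, this one blocks only the single file `/opt/oai-gnb/etc/gnb.conf` and leaves the rest of `/opt/oai-gnb/etc/` — and everything else under the recursive `dir: /` Allow — readable and writable by every process in the pod; add a recursive Block on `/opt/oai-gnb/etc/` with a `readOnly: true` `fromSource` Allow for `/opt/oai-gnb/bin/nr-cuup`, mirroring the core pattern. The `fromSource` Allow for `/run/secrets/kubernetes.io/serviceaccount/` gives the CU-UP binary the pod's API token, which the Kyverno automount policy in this same commit says should not exist — keep only the Block. `protocol: raw` also looks unneeded for a CU-UP carrying GTP-U over UDP on N3/F1-U; remove it unless the binary is known to use packet sockets, and comment the reason if it does.

```yaml
matchDirectories:
- dir: /
  recursive: true
  readOnly: true
- dir: /opt/oai-gnb/etc/
  recursive: true
  action: Block
- dir: /opt/oai-gnb/etc/
  recursive: true
  readOnly: true
  fromSource:
  - path: /opt/oai-gnb/bin/nr-cuup
# … unchanged: serviceaccount Block, matchPaths for gnb.conf …
```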
@@ -0,0 +1,44 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: ksp-oran-du-zero-trust
+ namespace: oai-ran-du
+spec:
+ action: Allow
+ file:
+ matchDirectories:
+ - dir: /
+ recursive: true
+ - dir: /run/secrets/kubernetes.io/serviceaccount/
+ action: Block
+ message: unauthorized access to kubernetes service account
+ - dir: /run/secrets/kubernetes.io/serviceaccount/
+ action: Allow
+ fromSource:
+ - path: /opt/oai-gnb/bin/nr-softmodem
+ matchPaths:
+ - path: /opt/oai-gnb/etc/gnb.conf
+ action: Block
+ - path: /opt/oai-gnb/etc/gnb.conf
+ fromSource:
+ - path: /opt/oai-gnb/bin/nr-softmodem
+
+ network:
+ matchProtocols:
+ - fromSource:
+ - path: /opt/oai-gnb/bin/nr-softmodem
+ protocol: raw
+ - fromSource:
+ - path: /opt/oai-gnb/bin/nr-softmodem
+ protocol: tcp
+ - fromSource:
+ - path: /opt/oai-gnb/bin/nr-softmodem
+ protocol: udp
+ process:
+ matchPaths:
+ - path: /opt/oai-gnb/bin/nr-softmodem
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: oai-gnb-du
+ severity: 1
diff --git a/5gsec/oai-ran/kyverno-oran-readonly-volume-mounts.yaml b/5gsec/oai-ran/kyverno-oran-readonly-volume-mounts.yaml
new file mode 100644
index 00000000..568d8048
--- /dev/null
+++ b/5gsec/oai-ran/kyverno-oran-readonly-volume-mounts.yaml
@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: kyverno-oran-readonly-volume-mounts
+spec:
+ validationFailureAction: enforce
+ rules:
+ - name: check-readonly-volumes
+ match:
+ resources:
+ kinds:
+ - Pod
+ namespaces:
+ - oai-ran-cuup
+ - oai-ran-du
+ - oai-ran-operators
+ - oai-ue
+ - oai-cn-operators
+ validate:
+ message: "All volume mounts must be read-only."
+ pattern:
+ spec:
+ containers:
+ - volumeMounts:
+ - readOnly: true
diff --git a/5gsec/oai-ran/kyverno-oran-restrict-sa-automount-sa-token.yaml b/5gsec/oai-ran/kyverno-oran-restrict-sa-automount-sa-token.yaml
new file mode 100644
index 00000000..4f3a6bdb
--- /dev/null
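Review bot: The DU policy grants `protocol: raw` to `/opt/oai-gnb/bin/nr-softmodem`, which may well be required (a DU with an O-RAN fronthaul typically drives raw Ethernet/packet sockets or a DPDK PMD), but the policy gives no hint either way; add a comment on that entry such as `# raw: fronthaul packet I/O — confirm for this DU build`, or remove it if this DU uses an RF simulator over UDP. As in the other policies, the `fromSource` Allow for `/run/secrets/kubernetes.io/serviceaccount/` contradicts the automount-token policy added in this commit — keep only the Block. `dir: /` is also allowed recursively without `readOnly: true`, so the 'zero-trust' baseline still permits writes anywhere outside `gnb.conf`; set `readOnly: true` there and block `/opt/oai-gnb/etc/` as a directory, as the core policies do, rather than only the one file.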
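Review bot: This policy lists `oai-cn-operators` among the RAN namespaces while its sibling `kyverno-core-readonly-volume-mounts` covers only `oai-core`; if the core operators belong with the core policy, move that entry, and since the two files differ only in `namespaces:`, one ClusterPolicy with a single namespace list would be easier to audit than two. The pattern has the same gaps as the core copy: `initContainers`/`ephemeralContainers` mounts are not checked and `volumeMounts:` is not conditionally anchored, so add `=(initContainers):` / `=(ephemeralContainers):` lists and write the key as `=(volumeMounts):` so containers without mounts pass. The operator namespaces (`oai-ran-operators`, `oai-cn-operators`) are also the most likely to carry legitimately writable mounts (caches, work directories), so expect `enforce` rejections there — consider starting those in `Audit` and note that Kyverno 1.11 spells the value `Enforce`.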
+++ b/5gsec/oai-ran/kyverno-oran-restrict-sa-automount-sa-token.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: kyverno-oran-restrict-sa-automount-sa-token
+ annotations:
+ policies.kyverno.io/title: Restrict Auto-Mount of Service Account Tokens in Service Account
+ policies.kyverno.io/category: Security
+ kyverno.io/kyverno-version: 1.11.1
+ kyverno.io/kubernetes-version: "1.27"
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Secret,ServiceAccount
+ policies.kyverno.io/description: >-
+ Kubernetes automatically mounts ServiceAccount credentials in each ServiceAccount.
+ The ServiceAccount may be assigned roles allowing Pods to access API resources.
+ Blocking this ability is an extension of the least privilege best practice and should
+ be followed if Pods do not need to speak to the API server to function.
+ This policy ensures that mounting of these ServiceAccount tokens is blocked.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: validate-sa-automountServiceAccountToken
+ match:
+ any:
+ - resources:
+ kinds:
+ - ServiceAccount
+ validate:
+ message: "ServiceAccounts must set automountServiceAccountToken to false."
+ pattern:
+ automountServiceAccountToken: false
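Review bot: This ClusterPolicy is identical to the core one except for its `metadata.name`: neither has a `namespaces:` filter under `resources:`, so both evaluate every ServiceAccount in the cluster and each violation is reported twice. Scope this copy to the RAN namespaces (the same list `kyverno-oran-readonly-volume-mounts` in this commit uses) by adding `namespaces:` beneath `kinds:`, or delete this file and keep a single cluster-wide policy. The description still claims mounting "is blocked" while `validationFailureAction` is `Audit`, and a Pod-level `spec.automountServiceAccountToken: true` overrides the ServiceAccount setting, which a ServiceAccount-only rule cannot catch; align the wording with the action and add a Pod rule if the intent really is to keep tokens out of RAN pods.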