feat: block-kubectl-cp-by-pod-label policy

other/block-kubectl-cp-by-pod-label/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,45 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: block-kubectl-cp-by-pod-label
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../block-kubectl-cp-by-pod-label.yaml
+    - assert:
+        file: policy-ready.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: ns.yaml
+    - apply:
+        file: pods.yaml
+  - name: step-03
+    try:
+    - sleep:
+        duration: 5s
+  - name: step-04
+    try:
+    - script:
+        content: if kubectl cp -n bkc-podlabel-ns pod03:/test3.txt ./test3.txt; then exit 1;else
+          exit 0; fi
+    - script:
+        content: kubectl cp -n bkc-podlabel-ns pod01:/test1.txt ./test1.txt; exit 0;
+    - script:
+        content: kubectl cp -n bkc-podlabel-ns pod02:/test2.txt ./test2.txt; exit 0;
+    - script:
+        content: kubectl cp -n bkc-podlabel-ns pod04:/test4.txt ./test4.txt; exit 0;
+  - name: step-05
+    try:
+      - script:
+          content: rm -rf ./test1.txt
+      - script:
+          content: rm -rf ./test2.txt
+      - script:
+          content: rm -rf ./test3.txt
+      - script:
+          content: rm -rf ./test4.txt

other/block-kubectl-cp-by-pod-label/.chainsaw-test/ns.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: bkc-podlabel-ns

other/block-kubectl-cp-by-pod-label/.chainsaw-test/pods.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod01
+  namespace: bkc-podlabel-ns
+spec:
+  containers:
+  - name: busybox
+    image: busybox:1.35
+    command: ["/bin/sh", "-c"]
+    args:
+      - touch /test1.txt
+      - sleep 300
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    foo: bar
+  name: pod02
+  namespace: bkc-podlabel-ns
+spec:
+  containers:
+  - name: busybox
+    image: busybox:1.35
+    command: [ "/bin/sh", "-c" ]
+    args:
+      - touch /test2.txt
+      - sleep 300
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    foo: bar
+    cp: "false"
+  name: pod03
+  namespace: bkc-podlabel-ns
+spec:
+  containers:
+  - name: busybox
+    image: busybox:1.35
+    command: [ "/bin/sh", "-c" ]
+    args:
+      - touch /test3.txt
+      - sleep 300
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    cp: "true"
+    foo: bar
+  name: pod04
+  namespace: bkc-podlabel-ns
+spec:
+  containers:
+  - name: busybox
+    image: busybox:1.35
+    command: [ "/bin/sh", "-c" ]
+    args:
+      - touch /test4.txt
+      - sleep 300

other/block-kubectl-cp-by-pod-label/.chainsaw-test/policy-ready.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-kubectl-cp-by-pod-label
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

other/block-kubectl-cp-by-pod-label/artifacthub-pkg.yml

@@ -0,0 +1,21 @@
+name: block-kubectl-cp-by-pod-label
+version: 1.0.0
+displayName: Block "kubectl cp" by Pod Label
+createdAt: "2025-01-11T00:00:00.000Z"
+description: >-
+  The `kubectl cp` command allows copying files between a local machine and a Pod's container, which may introduce security risks. This policy blocks the use of the `kubectl cp` command for Pods with the label `block-kubectl-cp=true`, preventing unauthorized data transfers.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/block-kubectl-cp-by-pod-label/block-kubectl-cp-by-pod-label.yaml
+keywords:
+  - kyverno
+  - kubectl
+  - other
+readme: |
+  The kubectl cp command allows copying files between a local machine and a Pod's container, but it can be misused for unauthorized data transfers. 
+  This policy blocks the kubectl cp command for Pods labeled with block-kubectl-cp=true.
+annotations:
+  kyverno/category: "Sample"
+  kyverno/kubernetesVersion: "1.23"
+  kyverno/subject: "Pod"
+digest: 9ccb5a049bc00f179d1a59a50fd0b6d479705f90d34ea1f461f0ca33bd55f20c

other/block-kubectl-cp-by-pod-label/block-kubectl-cp-by-pod-label.yaml

@@ -0,0 +1,50 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-kubectl-cp-by-pod-label
+  annotations:
+    policies.kyverno.io/title: Block "kubectl cp" by Pod Label
+    policies.kyverno.io/category: Sample
+    policies.kyverno.io/minversion: 1.6.0
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      The kubectl cp command is used to copy files between a local machine and a Pod's container. 
+      While this functionality is useful for transferring data, it may introduce security risks, 
+      such as unauthorized data exfiltration or modification. This policy blocks the use of the 
+      kubectl cp command on all Pods with label `block-kubectl-cp=true`, ensuring that sensitive 
+      workloads are protected from unintended file transfers. Other kubectl operations are unaffected, 
+      allowing for normal Pod management while preventing potential misuse of file copy capabilities.
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+    - name: block-kubectl-cp-by-pod-label
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod/exec
+      context:
+        - name: podcplabel
+          apiCall:
+            urlPath: "/api/v1/namespaces/{{request.namespace}}/pods/{{request.name}}"
+            jmesPath: "metadata.labels.cp || ''"
+      preconditions:
+        all:
+          - key: "{{ request.operation || 'BACKGROUND' }}"
+            operator: Equals
+            value: CONNECT
+      validate:
+        message: "Cannot use `kubectl cp` on pods with label `cp: false`"
+        deny:
+          conditions:
+            all:
+              - key: "{{ request.object.command[0] }}"
+                operator: Equals
+                value: "tar"
+              - key: "{{ request.object.command[1] }}"
+                operator: Equals
+                value: "cf"
+              - key: "{{ podcplabel }}"
+                operator: Equals
+                value: "false"