feat: add kyverno policy for denying SCR based on packages (#20)

Author: ayuskauskas

README.md

@@ -48,6 +48,30 @@ Part of how the operator works is the [skyhook-agent](agent/README.md). Packages
 └── config.json
 ```
 
+## Example Kyverno Policy
+
+This repository includes an example Kyverno policy that demonstrates how to restrict the images that can be used in Skyhook packages. While this is not a complete policy, it serves as a template that end users can modify to fit their security needs.
+
+The policy prevents the creation of Skyhook resources that contain packages with restricted image patterns. Specifically, it blocks:
+- Images containing 'shellscript:' anywhere in the image name
+- Images from Docker Hub (matching 'docker.io/*')
+
+If you are going to use kyverno make sure to turn on the creation of the skyhook-viewer-role in the values file for the operator. (rbac.createSkyhookViewerRole: true) and then bind kyverno to that role. Example policy:
+```
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kyverno-skyhook-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: skyhook-viewer-role
+subjects:
+- kind: ServiceAccount
+  name: kyverno-reports-controller
+  namespace: kyverno
+```
+
 ## [Skyhook-Operator](operator/README.md)
 The operator is a kbuernetes operator that monitors cluster events and coordinates the installation and lifecycle of Skyhook packages.
 

kyverno/README.md

@@ -0,0 +1,75 @@
+# Skyhook Kyverno Policies
+
+This directory contains example [Kyverno](https://kyverno.io/) policies for Skyhook. These policies can be used to enforce security and best practices for Skyhook packages.
+
+## Prerequisites
+
+Before applying any policies, you need to have Kyverno installed in your cluster. You can install it using one of the following methods:
+
+### Helm Installation (Recommended) 
+
+```bash
+helm repo add kyverno https://kyverno.github.io/kyverno/
+helm install kyverno kyverno/kyverno -n kyverno --create-namespace
+```
+
+### Manual Installation
+
+```bash
+kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno/main/definitions/install.yaml
+```
+
+## Available Policies
+
+### Restrict Package Images
+The `disable_packages.yaml` policy demonstrates how to restrict which container images can be used in Skyhook packages. This is particularly useful for:
+- Preventing the use of potentially dangerous images (e.g., those containing shell scripts)
+- Enforcing the use of approved container registries
+- Maintaining security standards across your cluster
+
+To apply the policy:
+
+```bash
+kubectl apply -f disable_packages.yaml
+```
+
+The policy will prevent the creation of Skyhook resources that contain packages with restricted image patterns. Currently, it blocks:
+- Images containing 'shellscript' anywhere in the image name
+- Images from Docker Hub (matching 'docker.io/*')
+
+## Testing the Policy
+
+You can test the policy by trying to create a Skyhook resource with a restricted image. For example:
+
+```yaml
+apiVersion: skyhook.nvidia.com/v1alpha1
+kind: Skyhook
+metadata:
+  labels:
+    app.kubernetes.io/part-of: skyhook-operator
+    app.kubernetes.io/created-by: skyhook-operator
+  name: test-scr
+spec:
+  packages:
+    shellscript:
+      configMap:
+        config.sh: |-
+          #!/bin/bash
+          echo "hello"
+      image: shellscript
+      version: 1.3.2
+
+ # This will be blocked by the policy
+```
+
+The creation will be denied with an appropriate error message.
+
+## Customizing Policies
+
+The example policies are templates that you can modify to fit your security needs. Common customizations include:
+- Adding additional restricted image patterns
+- Modifying the validation rules
+- Adjusting the failure action (warn vs enforce)
+
+See the [Kyverno documentation](https://kyverno.io/docs/) for more details on policy customization.
+

kyverno/disable_packages.yaml

@@ -0,0 +1,38 @@
+# This is an example to show how to restrict the images that can be used in a Skyhook package.
+# It is not a complete policy and it is expected end users will alter rules to fit their security needs.
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-skyhook-images
+  annotations:
+    policies.kyverno.io/title: Restrict Skyhook Package Images
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy prevents the creation of Skyhook resources that contain packages with
+      restricted image patterns. Specifically, it blocks images containing 'shellscript'
+      and images coming from docker hub.
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+    - name: validate-package-images
+      match:
+        any:
+        - resources:
+            kinds:
+              - Skyhook
+            operations:
+              - CREATE
+              - UPDATE
+      validate:
+        message: "Package image matches restricted pattern. Images containing 'shellscript' or starting with 'docker.io/' are not allowed."
+        deny:
+          conditions:
+            any:
+              - key: "{{ regex_match('nvcr.io/nvidian/swgpu-baseos/shellscript', '{{request.object.spec.packages.*.image}}' ) }}"
+                operator: Equals
+                value: true
+              - key: "{{ regex_match('docker.io/.*', '{{request.object.spec.packages.*.image}}' ) }}"
+                operator: Equals
+                value: true

kyverno/skyhook-viewer-binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kyverno-skyhook-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: skyhook-viewer-role
+subjects:
+- kind: ServiceAccount
+  name: kyverno-reports-controller
+  namespace: kyverno