From ddfa4267a51cd355f91d9a0da6fb50df6f95fff4 Mon Sep 17 00:00:00 2001
From: Darkhood148
Date: Sat, 11 Jan 2025 11:56:27 +0530
Subject: [PATCH] feat: block-kubectl-cp-by-pod-label policy
---
.../block-kubectl-cp-by-pod-label.yaml | 50 +++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100644 other/block-kubectl-cp-by-pod-label/block-kubectl-cp-by-pod-label.yaml
diff --git a/other/block-kubectl-cp-by-pod-label/block-kubectl-cp-by-pod-label.yaml b/other/block-kubectl-cp-by-pod-label/block-kubectl-cp-by-pod-label.yaml
new file mode 100644
index 000000000..c38c5cf31
--- /dev/null
+++ b/other/block-kubectl-cp-by-pod-label/block-kubectl-cp-by-pod-label.yaml
@@ -0,0 +1,50 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-kubectl-cp-by-pod-label
+ annotations:
+ policies.kyverno.io/title: Block "kubectl cp" by Pod Label
+ policies.kyverno.io/category: Sample
+ policies.kyverno.io/minversion: 1.6.0
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ The kubectl cp command is used to copy files between a local machine and a Pod's container.
+ While this functionality is useful for transferring data, it may introduce security risks,
+ such as unauthorized data exfiltration or modification. This policy blocks the use of the
+ kubectl cp command on all Pods with label `block-kubectl-cp=true`, ensuring that sensitive
+ workloads are protected from unintended file transfers. Other kubectl operations are unaffected,
+ allowing for normal Pod management while preventing potential misuse of file copy capabilities.
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: block-kubectl-cp-by-pod-label
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod/exec
+ context:
+ - name: podcplabel
+ apiCall:
+ urlPath: "/api/v1/namespaces/{{request.namespace}}/pods/{{request.name}}"
+ jmesPath: "metadata.labels.cp || ''"
+ preconditions:
+ all:
+ - key: "{{ request.operation || 'BACKGROUND' }}"
+ operator: Equals
+ value: CONNECT
+ validate:
+ message: "Cannot use `kubectl cp` on pods with label `cp: false`"
+ deny:
+ conditions:
+ all:
+ - key: "{{ request.object.command[0] }}"
+ operator: Equals
+ value: "tar"
+ - key: "{{ request.object.command[1] }}"
+ operator: Equals
+ value: "cf"
+ - key: "{{ podcplabel }}"
+ operator: Equals
+ value: "false"
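Review bot: The policy's documented contract and its enforcement logic disagree: the description near the top of the hunk says Pods labelled `block-kubectl-cp=true` are protected, but the `podcplabel` context reads `metadata.labels.cp`, the final deny condition fires only when that label equals the string `"false"`, and the validate message names `cp: false`, so an operator following the description would label a Pod and get no protection. Pick one convention and apply it everywhere; to honour the description, change the context to `jmesPath: "metadata.labels.\"block-kubectl-cp\" || ''"`, the last condition to `value: "true"`, and rewrite the validate message to name the `block-kubectl-cp: true` label. Separately, the deny matches only the exact tokens `tar` then `cf`, which as far as I recall is the command kubectl runs when copying a file out of a Pod; copying into a Pod runs a tar extract rather than `tar cf`, so the description's claim that the policy "blocks the use of the kubectl cp command" should either be narrowed to the out-of-Pod direction or backed by a second condition set, and it is worth a comment on the `deny` block that this is a command-pattern check on `Pod/exec` rather than a general file-transfer control. Note also that `request.object.command[1]` resolves to null for a single-element exec command, which is harmless under `all` but deserves a one-line comment so the next maintainer does not treat it as a bug.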