chore: adding CEL for psp-host-filesystem (open-policy-agent#547)
* chore: adding CEL for psp-host-filesystem

Signed-off-by: Jaydip Gabani <[email protected]>

* updating cel, updating labels on example

Signed-off-by: Jaydip Gabani <[email protected]>

* removing blank lines

Signed-off-by: Jaydip Gabani <[email protected]>

* fixing CEL error

Signed-off-by: Jaydip Gabani <[email protected]>

---------

Signed-off-by: Jaydip Gabani <[email protected]>
Co-authored-by: Sertaç Özercan <[email protected]>
JaydipGabani and sozercan authored Sep 4, 2024
1 parent cd8f2ec commit 7983a1d
Showing 25 changed files with 636 additions and 252 deletions.
@@ -2,8 +2,6 @@ apiVersion: v1
kind: Pod
metadata:
name: nginx-host-filesystem
labels:
app: nginx-host-filesystem-disallowed
spec:
ephemeralContainers:
- name: nginx
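Review bot: the `labels:` / `app: nginx-host-filesystem-disallowed` pair dropped from the pod metadata in this hunk is not something the constraint in this commit relies on (it matches on `kinds: ["Pod"]` only), so the removal is safe for matching; the same two-line removal is repeated in the other eight sample files below, and after it every sample pod carries identical metadata (`name: nginx-host-filesystem`), so consider giving the allowed and disallowed samples distinct names so they remain distinguishable when applied side by side or read in a failure message.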
@@ -2,8 +2,6 @@ apiVersion: v1
kind: Pod
metadata:
name: nginx-host-filesystem
labels:
app: nginx-host-filesystem-disallowed
spec:
containers:
- name: nginx
@@ -2,8 +2,6 @@ apiVersion: v1
kind: Pod
metadata:
name: nginx-host-filesystem
labels:
app: nginx-host-filesystem-disallowed
spec:
containers:
- name: nginx
@@ -2,8 +2,6 @@ apiVersion: v1
kind: Pod
metadata:
name: nginx-host-filesystem
labels:
app: nginx-host-filesystem-disallowed
spec:
ephemeralContainers:
- name: nginx
@@ -2,8 +2,6 @@ apiVersion: v1
kind: Pod
metadata:
name: nginx-host-filesystem
labels:
app: nginx-host-filesystem-disallowed
spec:
containers:
- name: nginx
@@ -2,8 +2,6 @@ apiVersion: v1
kind: Pod
metadata:
name: nginx-host-filesystem
labels:
app: nginx-host-filesystem-disallowed
spec:
containers:
- name: nginx
@@ -2,8 +2,6 @@ apiVersion: v1
kind: Pod
metadata:
name: nginx-host-filesystem
labels:
app: nginx-host-filesystem-disallowed
spec:
ephemeralContainers:
- name: nginx
@@ -2,8 +2,6 @@ apiVersion: v1
kind: Pod
metadata:
name: nginx-host-filesystem
labels:
app: nginx-host-filesystem-disallowed
spec:
containers:
- name: nginx
@@ -2,8 +2,6 @@ apiVersion: v1
kind: Pod
metadata:
name: nginx-host-filesystem
labels:
app: nginx-host-filesystem-disallowed
spec:
containers:
- name: nginx
@@ -0,0 +1,22 @@
version: 1.1.0
name: k8spsphostfilesystem
displayName: Host Filesystem
createdAt: "2024-06-05T20:31:16Z"
description: Controls usage of the host filesystem. Corresponds to the `allowedHostPaths` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
digest: 3883941aac9b7598a79c9bf6517c77a401b99d165bf584dce604a00eef79f8e7
license: Apache-2.0
homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-filesystem
keywords:
- gatekeeper
- open-policy-agent
- policies
readme: |-
# Host Filesystem
Controls usage of the host filesystem. Corresponds to the `allowedHostPaths` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
install: |-
### Usage
```shell
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/host-filesystem/1.1.0/template.yaml
```
provider:
name: Gatekeeper Library
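Review bot: `createdAt: "2024-06-05T20:31:16Z"` predates the commit date (Sep 4, 2024), and `digest` has to correspond to the `template.yaml` that actually ships at the `install` URL; if this file is produced by the library's generation tooling, regenerate it from the final template so timestamp and digest are consistent rather than hand-editing either field. The `description` and `readme` also point readers at the PodSecurityPolicy documentation, an API removed in Kubernetes 1.25; a sentence saying that this template is the Gatekeeper replacement for the `allowedHostPaths` PSP field would help anyone arriving from Artifact Hub.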
@@ -0,0 +1,2 @@
resources:
- template.yaml
@@ -0,0 +1,13 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
name: psp-host-filesystem
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
allowedHostPaths:
- readOnly: true
pathPrefix: "/foo"
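Review bot: `pathPrefix: "/foo"` with `readOnly: true` is the only allowed entry, so a hostPath outside `/foo`, or under `/foo` but mounted writable, should both be rejected, yet nothing in the sample says so; a short comment above `allowedHostPaths` would make the constraint self-explanatory. Please also confirm that the CEL prefix comparison follows the PSP semantics the template cites, i.e. per path segment (`/foo/bar` allowed, `/foobar` not), and pin that down with a test case, since a plain string-prefix check would silently admit `/foobar`.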
@@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx-host-filesystem
spec:
ephemeralContainers:
- name: nginx
image: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
readOnly: true
volumes:
- name: cache-volume
hostPath:
path: /tmp # directory location on host
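Review bot: this sample sets `spec.ephemeralContainers` directly in a Pod manifest; the API server only accepts ephemeral containers through the pod's `ephemeralcontainers` subresource, so the file is fine as a gator fixture but `kubectl apply` of it will be rejected, and a one-line comment above `ephemeralContainers:` saying it exists for the test suite would save readers a confusing error. Note also that the mount is `readOnly: true`, so the expected violation comes solely from `/tmp` lying outside the allowed `/foo` prefix; stating that on the `hostPath` line would be more useful than `# directory location on host`.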
@@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx-host-filesystem
spec:
containers:
- name: nginx
image: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
readOnly: true
volumes:
- name: cache-volume
hostPath:
path: /foo/bar
@@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx-host-filesystem
spec:
containers:
- name: nginx
image: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
readOnly: true
volumes:
- name: cache-volume
hostPath:
path: /tmp # directory location on host
@@ -0,0 +1,23 @@
kind: AdmissionReview
apiVersion: admission.k8s.io/v1beta1
request:
operation: "UPDATE"
object:
apiVersion: v1
kind: Pod
metadata:
name: nginx-host-filesystem
labels:
app: nginx-host-filesystem-disallowed
spec:
containers:
- name: nginx
image: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
readOnly: true
volumes:
- name: cache-volume
hostPath:
path: /tmp # directory location on host
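Review bot: this fixture submits the same disallowed pod (hostPath `/tmp`, outside the allowed `/foo` prefix) with `operation: "UPDATE"`, and the suite expects `violations: no`, so the template must be exempting UPDATE requests; the rationale (a pod's `spec.volumes` is immutable after creation, and ephemeral containers added later can only mount volumes that already exist, so re-evaluating on update would only block unrelated edits such as label changes) belongs in a comment here or in the template, otherwise the expectation reads like a bug. Separately, `admission.k8s.io/v1beta1` was removed from Kubernetes in 1.22; prefer `admission.k8s.io/v1` in a new fixture unless the gator harness specifically requires the beta version.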
@@ -0,0 +1,25 @@
kind: Suite
apiVersion: test.gatekeeper.sh/v1alpha1
metadata:
name: host-filesystem
tests:
- name: host-filesystem
template: template.yaml
constraint: samples/psp-host-filesystem/constraint.yaml
cases:
- name: example-disallowed
object: samples/psp-host-filesystem/example_disallowed.yaml
assertions:
- violations: yes
- name: example-allowed
object: samples/psp-host-filesystem/example_allowed.yaml
assertions:
- violations: no
- name: disallowed-ephemeral
object: samples/psp-host-filesystem/disallowed_ephemeral.yaml
assertions:
- violations: yes
- name: update
object: samples/psp-host-filesystem/update.yaml
assertions:
- violations: no
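Review bot: the four cases cover an out-of-prefix path on a regular and on an ephemeral container, an in-prefix read-only mount, and the UPDATE exemption, but none exercises the `readOnly` half of the parameter: add a case with `hostPath.path: /foo/bar` mounted without `readOnly: true` and assert `violations: yes`, plus a `/foobar` case to fix prefix boundary behaviour and an `initContainers` case, since init containers mount host paths exactly as regular containers do. Consider also `violations: true`/`false` instead of `yes`/`no` to avoid relying on YAML 1.1 boolean coercion.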

0 comments on commit 7983a1d