chore: adding CEL for psp-host-namespaces
Signed-off-by: Jaydip Gabani <[email protected]>
1 parent fd2b020, commit 1c04d37. Showing 12 changed files with 253 additions and 55 deletions.
artifacthub/library/pod-security-policy/host-namespaces/1.1.0/artifacthub-pkg.yml (22 changes: 22 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
version: 1.1.0 | ||
name: k8spsphostnamespace | ||
displayName: Host Namespace | ||
createdAt: "2024-06-04T20:21:50Z" | ||
description: Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces | ||
digest: 5e4f8501fb48a18710d435ac83273b74420023033265ca8f5eb385aec4c345f7 | ||
license: Apache-2.0 | ||
homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-namespaces | ||
keywords: | ||
- gatekeeper | ||
- open-policy-agent | ||
- policies | ||
readme: |- | ||
# Host Namespace | ||
Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces | ||
install: |- | ||
### Usage | ||
```shell | ||
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/template.yaml | ||
``` | ||
provider: | ||
name: Gatekeeper Library |
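Review bot: the `description` and `readme` fields both link to the PodSecurityPolicy documentation (`https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces`); PodSecurityPolicy was removed in Kubernetes 1.25, so for a fresh 1.1.0 package entry it is worth pointing readers at the Pod Security Standards equivalent (the baseline profile's host namespace control), in addition to or instead of the PSP page, so the "corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy" wording does not leave new readers on a removed API.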
artifacthub/library/pod-security-policy/host-namespaces/1.1.0/kustomization.yaml (2 changes: 2 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
resources: | ||
- template.yaml |
...rary/pod-security-policy/host-namespaces/1.1.0/samples/psp-host-namespace/constraint.yaml (9 changes: 9 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
kind: K8sPSPHostNamespace | ||
metadata: | ||
name: psp-host-namespace | ||
spec: | ||
match: | ||
kinds: | ||
- apiGroups: [""] | ||
kinds: ["Pod"] |
...pod-security-policy/host-namespaces/1.1.0/samples/psp-host-namespace/example_allowed.yaml (12 changes: 12 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-host-namespace-allowed | ||
labels: | ||
app: nginx-host-namespace | ||
spec: | ||
hostPID: false | ||
hostIPC: false | ||
containers: | ||
- name: nginx | ||
image: nginx |
...-security-policy/host-namespaces/1.1.0/samples/psp-host-namespace/example_disallowed.yaml (12 changes: 12 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-host-namespace-disallowed | ||
labels: | ||
app: nginx-host-namespace | ||
spec: | ||
hostPID: true | ||
hostIPC: true | ||
containers: | ||
- name: nginx | ||
image: nginx |
.../library/pod-security-policy/host-namespaces/1.1.0/samples/psp-host-namespace/update.yaml (17 changes: 17 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
kind: AdmissionReview | ||
apiVersion: admission.k8s.io/v1beta1 | ||
request: | ||
operation: "UPDATE" | ||
object: | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-host-namespace-disallowed | ||
labels: | ||
app: nginx-host-namespace | ||
spec: | ||
hostPID: true | ||
hostIPC: true | ||
containers: | ||
- name: nginx | ||
image: nginx |
artifacthub/library/pod-security-policy/host-namespaces/1.1.0/suite.yaml (21 changes: 21 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
kind: Suite | ||
apiVersion: test.gatekeeper.sh/v1alpha1 | ||
metadata: | ||
name: host-namespaces | ||
tests: | ||
- name: host-namespace | ||
template: template.yaml | ||
constraint: samples/psp-host-namespace/constraint.yaml | ||
cases: | ||
- name: example-allowed | ||
object: samples/psp-host-namespace/example_allowed.yaml | ||
assertions: | ||
- violations: no | ||
- name: example-disallowed | ||
object: samples/psp-host-namespace/example_disallowed.yaml | ||
assertions: | ||
- violations: yes | ||
- name: update | ||
object: samples/psp-host-namespace/update.yaml | ||
assertions: | ||
- violations: no |
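Review bot: the suite only exercises both fields set together (`example_allowed.yaml` with both `false`, `example_disallowed.yaml` with both `true`) plus the UPDATE carve-out; add a case with a single field set to `true` (expected `violations: yes`) and one with one field set to `false` and the other key omitted (expected `violations: no`). The CEL `sharingNamespace` variable in template.yaml takes a different path when only one of `spec.hostPID` / `spec.hostIPC` is present, while the Rego rule checks each field independently, so these are the cases most likely to show the two engines disagreeing.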
artifacthub/library/pod-security-policy/host-namespaces/1.1.0/template.yaml (66 changes: 66 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
apiVersion: templates.gatekeeper.sh/v1 | ||
kind: ConstraintTemplate | ||
metadata: | ||
name: k8spsphostnamespace | ||
annotations: | ||
metadata.gatekeeper.sh/title: "Host Namespace" | ||
metadata.gatekeeper.sh/version: 1.1.0 | ||
description: >- | ||
Disallows sharing of host PID and IPC namespaces by pod containers. | ||
Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. | ||
For more information, see | ||
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces | ||
spec: | ||
crd: | ||
spec: | ||
names: | ||
kind: K8sPSPHostNamespace | ||
validation: | ||
# Schema for the `parameters` field | ||
openAPIV3Schema: | ||
type: object | ||
description: >- | ||
Disallows sharing of host PID and IPC namespaces by pod containers. | ||
Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. | ||
For more information, see | ||
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces | ||
targets: | ||
- target: admission.k8s.gatekeeper.sh | ||
code: | ||
- engine: K8sNativeValidation | ||
source: | ||
variables: | ||
- name: sharingNamespace | ||
expression: | | ||
has(variables.anyObject.spec.hostPID) || has(variables.anyObject.spec.hostIPC) ? variables.anyObject.spec.hostPID || variables.anyObject.spec.hostIPC : false | ||
validations: | ||
- expression: '(has(request.operation) && request.operation == "UPDATE") || !variables.sharingNamespace' | ||
messageExpression: '"Sharing the host namespace is not allowed: " + variables.anyObject.metadata.namespace' | ||
- engine: Rego | ||
source: | ||
rego: | | ||
package k8spsphostnamespace | ||
import data.lib.exclude_update.is_update | ||
violation[{"msg": msg, "details": {}}] { | ||
# spec.hostPID and spec.hostIPC fields are immutable. | ||
not is_update(input.review) | ||
input_share_hostnamespace(input.review.object) | ||
msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name]) | ||
} | ||
input_share_hostnamespace(o) { | ||
o.spec.hostPID | ||
} | ||
input_share_hostnamespace(o) { | ||
o.spec.hostIPC | ||
} | ||
libs: | ||
- | | ||
package lib.exclude_update | ||
is_update(review) { | ||
review.operation == "UPDATE" | ||
} |
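Review bot: the `sharingNamespace` variable is guarded by `has(...hostPID) || has(...hostIPC)`, which admits objects carrying only one of the two keys, but the then-branch `...hostPID || ...hostIPC` reads both; CEL's `||` only absorbs a no-such-field error when the other operand is `true`, so a pod with `hostPID: false` and no `hostIPC` key (or the reverse) makes the variable evaluate to an error rather than `false`, and the validation cannot return a clean pass for a pod that shares nothing. Guarding each field separately avoids this: `(has(variables.anyObject.spec.hostPID) && variables.anyObject.spec.hostPID) || (has(variables.anyObject.spec.hostIPC) && variables.anyObject.spec.hostIPC)`. Separately, `messageExpression` appends `variables.anyObject.metadata.namespace`, while the Rego `msg` on the same template reports `input.review.object.metadata.name`; the two engines should emit the same message for the same pod, and the name is the identifier an operator needs to find the offending object, so use `variables.anyObject.metadata.name` in the CEL message as well.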
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
variables: | ||
- name: sharingNamespace | ||
expression: | | ||
has(variables.anyObject.spec.hostPID) || has(variables.anyObject.spec.hostIPC) ? variables.anyObject.spec.hostPID || variables.anyObject.spec.hostIPC : false | ||
validations: | ||
- expression: '(has(request.operation) && request.operation == "UPDATE") || !variables.sharingNamespace' | ||
messageExpression: '"Sharing the host namespace is not allowed: " + variables.anyObject.metadata.namespace' |
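Review bot: this block is byte-for-byte the CEL embedded in template.yaml, so it carries the same two issues: the `sharingNamespace` then-branch dereferences whichever of `spec.hostPID` / `spec.hostIPC` is absent when only one key is present (guard each field with its own `has()` and `&&`), and `messageExpression` prints `metadata.namespace` where the Rego rule prints `metadata.name`. If template.yaml is generated from this source, fix it here first and regenerate, so the two copies do not drift.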