Skip to content

Commit

Permalink
chore: adding CEL for psp-host-namespaces
Browse files Browse the repository at this point in the history
Signed-off-by: Jaydip Gabani <[email protected]>
  • Loading branch information
JaydipGabani committed Oct 2, 2024
1 parent fd2b020 commit 1c04d37
Show file tree
Hide file tree
Showing 12 changed files with 253 additions and 55 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
version: 1.1.0
name: k8spsphostnamespace
displayName: Host Namespace
createdAt: "2024-06-04T20:21:50Z"
description: Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
digest: 5e4f8501fb48a18710d435ac83273b74420023033265ca8f5eb385aec4c345f7
license: Apache-2.0
homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-namespaces
keywords:
- gatekeeper
- open-policy-agent
- policies
readme: |-
# Host Namespace
Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
install: |-
### Usage
```shell
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/template.yaml
```
provider:
name: Gatekeeper Library
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
resources:
- template.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
name: psp-host-namespace
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx-host-namespace-allowed
labels:
app: nginx-host-namespace
spec:
hostPID: false
hostIPC: false
containers:
- name: nginx
image: nginx
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx-host-namespace-disallowed
labels:
app: nginx-host-namespace
spec:
hostPID: true
hostIPC: true
containers:
- name: nginx
image: nginx
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
kind: AdmissionReview
apiVersion: admission.k8s.io/v1beta1
request:
operation: "UPDATE"
object:
apiVersion: v1
kind: Pod
metadata:
name: nginx-host-namespace-disallowed
labels:
app: nginx-host-namespace
spec:
hostPID: true
hostIPC: true
containers:
- name: nginx
image: nginx
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
kind: Suite
apiVersion: test.gatekeeper.sh/v1alpha1
metadata:
name: host-namespaces
tests:
- name: host-namespace
template: template.yaml
constraint: samples/psp-host-namespace/constraint.yaml
cases:
- name: example-allowed
object: samples/psp-host-namespace/example_allowed.yaml
assertions:
- violations: no
- name: example-disallowed
object: samples/psp-host-namespace/example_disallowed.yaml
assertions:
- violations: yes
- name: update
object: samples/psp-host-namespace/update.yaml
assertions:
- violations: no
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: k8spsphostnamespace
annotations:
metadata.gatekeeper.sh/title: "Host Namespace"
metadata.gatekeeper.sh/version: 1.1.0
description: >-
Disallows sharing of host PID and IPC namespaces by pod containers.
Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy.
For more information, see
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
spec:
crd:
spec:
names:
kind: K8sPSPHostNamespace
validation:
# Schema for the `parameters` field
openAPIV3Schema:
type: object
description: >-
Disallows sharing of host PID and IPC namespaces by pod containers.
Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy.
For more information, see
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
targets:
- target: admission.k8s.gatekeeper.sh
code:
- engine: K8sNativeValidation
source:
variables:
- name: sharingNamespace
expression: |
has(variables.anyObject.spec.hostPID) || has(variables.anyObject.spec.hostIPC) ? variables.anyObject.spec.hostPID || variables.anyObject.spec.hostIPC : false
validations:
- expression: '(has(request.operation) && request.operation == "UPDATE") || !variables.sharingNamespace'
messageExpression: '"Sharing the host namespace is not allowed: " + variables.anyObject.metadata.namespace'
- engine: Rego
source:
rego: |
package k8spsphostnamespace
import data.lib.exclude_update.is_update
violation[{"msg": msg, "details": {}}] {
# spec.hostPID and spec.hostIPC fields are immutable.
not is_update(input.review)
input_share_hostnamespace(input.review.object)
msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name])
}
input_share_hostnamespace(o) {
o.spec.hostPID
}
input_share_hostnamespace(o) {
o.spec.hostIPC
}
libs:
- |
package lib.exclude_update
is_update(review) {
review.operation == "UPDATE"
}
56 changes: 34 additions & 22 deletions library/pod-security-policy/host-namespaces/template.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ metadata:
name: k8spsphostnamespace
annotations:
metadata.gatekeeper.sh/title: "Host Namespace"
metadata.gatekeeper.sh/version: 1.0.1
metadata.gatekeeper.sh/version: 1.1.0
description: >-
Disallows sharing of host PID and IPC namespaces by pod containers.
Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy.
Expand All @@ -26,29 +26,41 @@ spec:
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8spsphostnamespace
code:
- engine: K8sNativeValidation
source:
variables:
- name: sharingNamespace
expression: |
has(variables.anyObject.spec.hostPID) || has(variables.anyObject.spec.hostIPC) ? variables.anyObject.spec.hostPID || variables.anyObject.spec.hostIPC : false
validations:
- expression: '(has(request.operation) && request.operation == "UPDATE") || !variables.sharingNamespace'
messageExpression: '"Sharing the host namespace is not allowed: " + variables.anyObject.metadata.namespace'
- engine: Rego
source:
rego: |
package k8spsphostnamespace
import data.lib.exclude_update.is_update
import data.lib.exclude_update.is_update
violation[{"msg": msg, "details": {}}] {
# spec.hostPID and spec.hostIPC fields are immutable.
not is_update(input.review)
violation[{"msg": msg, "details": {}}] {
# spec.hostPID and spec.hostIPC fields are immutable.
not is_update(input.review)
input_share_hostnamespace(input.review.object)
msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name])
}
input_share_hostnamespace(input.review.object)
msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name])
}
input_share_hostnamespace(o) {
o.spec.hostPID
}
input_share_hostnamespace(o) {
o.spec.hostIPC
}
libs:
- |
package lib.exclude_update
input_share_hostnamespace(o) {
o.spec.hostPID
}
input_share_hostnamespace(o) {
o.spec.hostIPC
}
libs:
- |
package lib.exclude_update
is_update(review) {
review.operation == "UPDATE"
}
is_update(review) {
review.operation == "UPDATE"
}
18 changes: 12 additions & 6 deletions src/pod-security-policy/host-namespaces/constraint.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ metadata:
name: k8spsphostnamespace
annotations:
metadata.gatekeeper.sh/title: "Host Namespace"
metadata.gatekeeper.sh/version: 1.0.1
metadata.gatekeeper.sh/version: 1.1.0
description: >-
Disallows sharing of host PID and IPC namespaces by pod containers.
Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy.
Expand All @@ -26,8 +26,14 @@ spec:
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
{{ file.Read "src/pod-security-policy/host-namespaces/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
libs:
- |
{{ file.Read "src/pod-security-policy/host-namespaces/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
code:
- engine: K8sNativeValidation
source:
{{ file.Read "src/pod-security-policy/host-namespaces/src.cel" | strings.Indent 10 | strings.TrimSuffix "\n" }}
- engine: Rego
source:
rego: |
{{ file.Read "src/pod-security-policy/host-namespaces/src.rego" | strings.Indent 12 | strings.TrimSuffix "\n" }}
libs:
- |
{{ file.Read "src/pod-security-policy/host-namespaces/lib_exclude_update.rego" | strings.Indent 14 | strings.TrimSuffix "\n" }}
7 changes: 7 additions & 0 deletions src/pod-security-policy/host-namespaces/src.cel
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
variables:
- name: sharingNamespace
expression: |
has(variables.anyObject.spec.hostPID) || has(variables.anyObject.spec.hostIPC) ? variables.anyObject.spec.hostPID || variables.anyObject.spec.hostIPC : false
validations:
- expression: '(has(request.operation) && request.operation == "UPDATE") || !variables.sharingNamespace'
messageExpression: '"Sharing the host namespace is not allowed: " + variables.anyObject.metadata.namespace'
66 changes: 39 additions & 27 deletions website/docs/validation/host-namespaces.md
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ metadata:
name: k8spsphostnamespace
annotations:
metadata.gatekeeper.sh/title: "Host Namespace"
metadata.gatekeeper.sh/version: 1.0.1
metadata.gatekeeper.sh/version: 1.1.0
description: >-
Disallows sharing of host PID and IPC namespaces by pod containers.
Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy.
Expand All @@ -38,32 +38,44 @@ spec:
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8spsphostnamespace
import data.lib.exclude_update.is_update
violation[{"msg": msg, "details": {}}] {
# spec.hostPID and spec.hostIPC fields are immutable.
not is_update(input.review)
input_share_hostnamespace(input.review.object)
msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name])
}
input_share_hostnamespace(o) {
o.spec.hostPID
}
input_share_hostnamespace(o) {
o.spec.hostIPC
}
libs:
- |
package lib.exclude_update
is_update(review) {
review.operation == "UPDATE"
}
code:
- engine: K8sNativeValidation
source:
variables:
- name: sharingNamespace
expression: |
has(variables.anyObject.spec.hostPID) || has(variables.anyObject.spec.hostIPC) ? variables.anyObject.spec.hostPID || variables.anyObject.spec.hostIPC : false
validations:
- expression: '(has(request.operation) && request.operation == "UPDATE") || !variables.sharingNamespace'
messageExpression: '"Sharing the host namespace is not allowed: " + variables.anyObject.metadata.namespace'
- engine: Rego
source:
rego: |
package k8spsphostnamespace
import data.lib.exclude_update.is_update
violation[{"msg": msg, "details": {}}] {
# spec.hostPID and spec.hostIPC fields are immutable.
not is_update(input.review)
input_share_hostnamespace(input.review.object)
msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name])
}
input_share_hostnamespace(o) {
o.spec.hostPID
}
input_share_hostnamespace(o) {
o.spec.hostIPC
}
libs:
- |
package lib.exclude_update
is_update(review) {
review.operation == "UPDATE"
}
```
Expand Down

0 comments on commit 1c04d37

Please sign in to comment.