From 1c04d37af3ce7c3fbc4f254c8a11917e3c1c7d0b Mon Sep 17 00:00:00 2001 From: Jaydip Gabani Date: Tue, 4 Jun 2024 20:38:49 +0000 Subject: [PATCH] chore: adding CEL for psp-host-namespaces Signed-off-by: Jaydip Gabani --- .../host-namespaces/1.1.0/artifacthub-pkg.yml | 22 +++++++ .../host-namespaces/1.1.0/kustomization.yaml | 2 + .../psp-host-namespace/constraint.yaml | 9 +++ .../psp-host-namespace/example_allowed.yaml | 12 ++++ .../example_disallowed.yaml | 12 ++++ .../samples/psp-host-namespace/update.yaml | 17 +++++ .../host-namespaces/1.1.0/suite.yaml | 21 ++++++ .../host-namespaces/1.1.0/template.yaml | 66 +++++++++++++++++++ .../host-namespaces/template.yaml | 56 +++++++++------- .../host-namespaces/constraint.tmpl | 18 +++-- .../host-namespaces/src.cel | 7 ++ website/docs/validation/host-namespaces.md | 66 +++++++++++-------- 12 files changed, 253 insertions(+), 55 deletions(-) create mode 100644 artifacthub/library/pod-security-policy/host-namespaces/1.1.0/artifacthub-pkg.yml create mode 100644 artifacthub/library/pod-security-policy/host-namespaces/1.1.0/kustomization.yaml create mode 100644 artifacthub/library/pod-security-policy/host-namespaces/1.1.0/samples/psp-host-namespace/constraint.yaml create mode 100644 artifacthub/library/pod-security-policy/host-namespaces/1.1.0/samples/psp-host-namespace/example_allowed.yaml create mode 100644 artifacthub/library/pod-security-policy/host-namespaces/1.1.0/samples/psp-host-namespace/example_disallowed.yaml create mode 100644 artifacthub/library/pod-security-policy/host-namespaces/1.1.0/samples/psp-host-namespace/update.yaml create mode 100644 artifacthub/library/pod-security-policy/host-namespaces/1.1.0/suite.yaml create mode 100644 artifacthub/library/pod-security-policy/host-namespaces/1.1.0/template.yaml create mode 100644 src/pod-security-policy/host-namespaces/src.cel 
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/artifacthub-pkg.yml
new file mode 100644
index 000000000..1d8d6ddb5
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.1.0
+name: k8spsphostnamespace
+displayName: Host Namespace
+createdAt: "2024-06-04T20:21:50Z"
+description: Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+digest: 5e4f8501fb48a18710d435ac83273b74420023033265ca8f5eb385aec4c345f7
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-namespaces
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Host Namespace
+ Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/kustomization.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/samples/psp-host-namespace/constraint.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/samples/psp-host-namespace/constraint.yaml
new file mode 100644
index 000000000..5b3ebba3a
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/samples/psp-host-namespace/constraint.yaml
@@ -0,0 +1,9 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPHostNamespace
+metadata:
+ name: psp-host-namespace
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/samples/psp-host-namespace/example_allowed.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/samples/psp-host-namespace/example_allowed.yaml
new file mode 100644
index 000000000..f765f5b4d
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/samples/psp-host-namespace/example_allowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-namespace-allowed
+ labels:
+ app: nginx-host-namespace
+spec:
+ hostPID: false
+ hostIPC: false
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/samples/psp-host-namespace/example_disallowed.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/samples/psp-host-namespace/example_disallowed.yaml
new file mode 100644
index 000000000..b979e8134
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/samples/psp-host-namespace/example_disallowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-namespace-disallowed
+ labels:
+ app: nginx-host-namespace
+spec:
+ hostPID: true
+ hostIPC: true
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/samples/psp-host-namespace/update.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/samples/psp-host-namespace/update.yaml
new file mode 100644
index 000000000..29e17f13a
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/samples/psp-host-namespace/update.yaml
@@ -0,0 +1,17 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-host-namespace-disallowed
+ labels:
+ app: nginx-host-namespace
+ spec:
+ hostPID: true
+ hostIPC: true
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/suite.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/suite.yaml
new file mode 100644
index 000000000..b8e853d5f
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/suite.yaml
@@ -0,0 +1,21 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: host-namespaces
+tests:
+ - name: host-namespace
+ template: template.yaml
+ constraint: samples/psp-host-namespace/constraint.yaml
+ cases:
+ - name: example-allowed
+ object: samples/psp-host-namespace/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: example-disallowed
+ object: samples/psp-host-namespace/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/psp-host-namespace/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/template.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/template.yaml
new file mode 100644
index 000000000..5de67e9c4
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/template.yaml
@@ -0,0 +1,66 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8spsphostnamespace + annotations: + metadata.gatekeeper.sh/title: "Host Namespace" + metadata.gatekeeper.sh/version: 1.1.0 + description: >- + Disallows sharing of host PID and IPC namespaces by pod containers. + Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. + For more information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces +spec: + crd: + spec: + names: + kind: K8sPSPHostNamespace + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + description: >- + Disallows sharing of host PID and IPC namespaces by pod containers. + Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. + For more information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces + targets: + - target: admission.k8s.gatekeeper.sh + code: + - engine: K8sNativeValidation + source: + variables: + - name: sharingNamespace + expression: | + has(variables.anyObject.spec.hostPID) || has(variables.anyObject.spec.hostIPC) ? variables.anyObject.spec.hostPID || variables.anyObject.spec.hostIPC : false + validations: + - expression: '(has(request.operation) && request.operation == "UPDATE") || !variables.sharingNamespace' + messageExpression: '"Sharing the host namespace is not allowed: " + variables.anyObject.metadata.namespace' + - engine: Rego + source: + rego: | + package k8spsphostnamespace + + import data.lib.exclude_update.is_update + + violation[{"msg": msg, "details": {}}] { + # spec.hostPID and spec.hostIPC fields are immutable. 
+ not is_update(input.review) + + input_share_hostnamespace(input.review.object) + msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name]) + } + + input_share_hostnamespace(o) { + o.spec.hostPID + } + input_share_hostnamespace(o) { + o.spec.hostIPC + } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } diff --git a/library/pod-security-policy/host-namespaces/template.yaml b/library/pod-security-policy/host-namespaces/template.yaml index a8b87e419..5de67e9c4 100644 --- a/library/pod-security-policy/host-namespaces/template.yaml +++ b/library/pod-security-policy/host-namespaces/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spsphostnamespace annotations: metadata.gatekeeper.sh/title: "Host Namespace" - metadata.gatekeeper.sh/version: 1.0.1 + metadata.gatekeeper.sh/version: 1.1.0 description: >- Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. 
@@ -26,29 +26,41 @@ spec: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces targets: - target: admission.k8s.gatekeeper.sh - rego: | - package k8spsphostnamespace + code: + - engine: K8sNativeValidation + source: + variables: + - name: sharingNamespace + expression: | + has(variables.anyObject.spec.hostPID) || has(variables.anyObject.spec.hostIPC) ? variables.anyObject.spec.hostPID || variables.anyObject.spec.hostIPC : false + validations: + - expression: '(has(request.operation) && request.operation == "UPDATE") || !variables.sharingNamespace' + messageExpression: '"Sharing the host namespace is not allowed: " + variables.anyObject.metadata.namespace' + - engine: Rego + source: + rego: | + package k8spsphostnamespace - import data.lib.exclude_update.is_update + import data.lib.exclude_update.is_update - violation[{"msg": msg, "details": {}}] { - # spec.hostPID and spec.hostIPC fields are immutable. - not is_update(input.review) + violation[{"msg": msg, "details": {}}] { + # spec.hostPID and spec.hostIPC fields are immutable. + not is_update(input.review) - input_share_hostnamespace(input.review.object) - msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name]) - } + input_share_hostnamespace(input.review.object) + msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name]) + } - input_share_hostnamespace(o) { - o.spec.hostPID - } - input_share_hostnamespace(o) { - o.spec.hostIPC - } - libs: - - | - package lib.exclude_update + input_share_hostnamespace(o) { + o.spec.hostPID + } + input_share_hostnamespace(o) { + o.spec.hostIPC + } + libs: + - | + package lib.exclude_update - is_update(review) { - review.operation == "UPDATE" - } + is_update(review) { + review.operation == "UPDATE" + } diff --git a/src/pod-security-policy/host-namespaces/constraint.tmpl b/src/pod-security-policy/host-namespaces/constraint.tmpl index 7ee044381..6f81465ff 100644 
--- a/src/pod-security-policy/host-namespaces/constraint.tmpl +++ b/src/pod-security-policy/host-namespaces/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8spsphostnamespace annotations: metadata.gatekeeper.sh/title: "Host Namespace" - metadata.gatekeeper.sh/version: 1.0.1 + metadata.gatekeeper.sh/version: 1.1.0 description: >- Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. @@ -26,8 +26,14 @@ spec: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces targets: - target: admission.k8s.gatekeeper.sh - rego: | -{{ file.Read "src/pod-security-policy/host-namespaces/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} - libs: - - | -{{ file.Read "src/pod-security-policy/host-namespaces/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} + code: + - engine: K8sNativeValidation + source: +{{ file.Read "src/pod-security-policy/host-namespaces/src.cel" | strings.Indent 10 | strings.TrimSuffix "\n" }} + - engine: Rego + source: + rego: | +{{ file.Read "src/pod-security-policy/host-namespaces/src.rego" | strings.Indent 12 | strings.TrimSuffix "\n" }} + libs: + - | +{{ file.Read "src/pod-security-policy/host-namespaces/lib_exclude_update.rego" | strings.Indent 14 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/host-namespaces/src.cel b/src/pod-security-policy/host-namespaces/src.cel new file mode 100644 index 000000000..6a8e06df8 --- /dev/null +++ b/src/pod-security-policy/host-namespaces/src.cel 
@@ -0,0 +1,7 @@ +variables: +- name: sharingNamespace + expression: | + has(variables.anyObject.spec.hostPID) || has(variables.anyObject.spec.hostIPC) ? variables.anyObject.spec.hostPID || variables.anyObject.spec.hostIPC : false +validations: +- expression: '(has(request.operation) && request.operation == "UPDATE") || !variables.sharingNamespace' + messageExpression: '"Sharing the host namespace is not allowed: " + variables.anyObject.metadata.namespace' \ No newline at end of file diff --git a/website/docs/validation/host-namespaces.md b/website/docs/validation/host-namespaces.md index 1a8c6d26e..811cdbbea 100644 --- a/website/docs/validation/host-namespaces.md +++ b/website/docs/validation/host-namespaces.md @@ -16,7 +16,7 @@ metadata: name: k8spsphostnamespace annotations: metadata.gatekeeper.sh/title: "Host Namespace" - metadata.gatekeeper.sh/version: 1.0.1 + metadata.gatekeeper.sh/version: 1.1.0 description: >- Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. 
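Review bot: The `sharingNamespace` variable dereferences both fields as soon as either one is present, so a pod that sets only `hostPID: false` (or only `hostIPC: false`) evaluates `false || <missing key>` and yields a CEL error instead of `false`, which then flows into the validation's `!variables.sharingNamespace` and will most likely surface as a failure rather than a pass; guarding each field on its own avoids it: `(has(variables.anyObject.spec.hostPID) && variables.anyObject.spec.hostPID) || (has(variables.anyObject.spec.hostIPC) && variables.anyObject.spec.hostIPC)`. The `messageExpression` also reports `metadata.namespace` where the Rego rule reports `metadata.name`, so the two engines disagree in their output and the expression can fail on objects that carry no namespace (the sample pods in this patch set none); `"Sharing the host namespace is not allowed: " + variables.anyObject.metadata.name` restores parity. The same expression is copied verbatim into library/pod-security-policy/host-namespaces/template.yaml, artifacthub/library/pod-security-policy/host-namespaces/1.1.0/template.yaml and website/docs/validation/host-namespaces.md, which should be regenerated from this file rather than edited separately. The suite's cases either set both fields or neither, so a case with a single field set (e.g. `hostPID: false` alone expecting no violation) is needed to catch the first issue.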
@@ -38,32 +38,44 @@ spec: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces targets: - target: admission.k8s.gatekeeper.sh - rego: | - package k8spsphostnamespace - - import data.lib.exclude_update.is_update - - violation[{"msg": msg, "details": {}}] { - # spec.hostPID and spec.hostIPC fields are immutable. - not is_update(input.review) - - input_share_hostnamespace(input.review.object) - msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name]) - } - - input_share_hostnamespace(o) { - o.spec.hostPID - } - input_share_hostnamespace(o) { - o.spec.hostIPC - } - libs: - - | - package lib.exclude_update - - is_update(review) { - review.operation == "UPDATE" - } + code: + - engine: K8sNativeValidation + source: + variables: + - name: sharingNamespace + expression: | + has(variables.anyObject.spec.hostPID) || has(variables.anyObject.spec.hostIPC) ? variables.anyObject.spec.hostPID || variables.anyObject.spec.hostIPC : false + validations: + - expression: '(has(request.operation) && request.operation == "UPDATE") || !variables.sharingNamespace' + messageExpression: '"Sharing the host namespace is not allowed: " + variables.anyObject.metadata.namespace' + - engine: Rego + source: + rego: | + package k8spsphostnamespace + + import data.lib.exclude_update.is_update + + violation[{"msg": msg, "details": {}}] { + # spec.hostPID and spec.hostIPC fields are immutable. + not is_update(input.review) + + input_share_hostnamespace(input.review.object) + msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name]) + } + + input_share_hostnamespace(o) { + o.spec.hostPID + } + input_share_hostnamespace(o) { + o.spec.hostIPC + } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } ```