feat: Update apparmor: add CEL, support securityContext (#533)

* feat: Update apparmor: add CEL, support securityContext

Signed-off-by: Max Smythe <[email protected]>

* Test no profile

Signed-off-by: Max Smythe <[email protected]>

* fix securitycontext path root for pod in rego

Signed-off-by: Max Smythe <[email protected]>

* update minor version

Signed-off-by: Max Smythe <[email protected]>

* remove metadata var

Signed-off-by: Max Smythe <[email protected]>

* Fix Rego lint

Signed-off-by: Max Smythe <[email protected]>

* Treat each container type separately

Signed-off-by: Max Smythe <[email protected]>

---------

Signed-off-by: Max Smythe <[email protected]>
Co-authored-by: Sertaç Özercan <[email protected]>

artifacthub/library/pod-security-policy/apparmor/1.1.0/artifacthub-pkg.yml

@@ -0,0 +1,22 @@
+version: 1.1.0
+name: k8spspapparmor
+displayName: App Armor
+createdAt: "2024-05-29T23:39:01Z"
+description: Configures an allow-list of AppArmor profiles for use by containers. This corresponds to specific annotations applied to a PodSecurityPolicy. For information on AppArmor, see https://kubernetes.io/docs/tutorials/clusters/apparmor/
+digest: d77b1285f65085153e6a6e6ac86dc32195591df467c3162abe8cc6c806cab69a
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/apparmor
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # App Armor
+    Configures an allow-list of AppArmor profiles for use by containers. This corresponds to specific annotations applied to a PodSecurityPolicy. For information on AppArmor, see https://kubernetes.io/docs/tutorials/clusters/apparmor/
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/apparmor/1.1.0/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library

artifacthub/library/pod-security-policy/apparmor/1.1.0/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - template.yaml

artifacthub/library/pod-security-policy/apparmor/1.1.0/samples/psp-apparmor/constraint.yaml

@@ -0,0 +1,12 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPAppArmor
+metadata:
+  name: psp-apparmor
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    allowedProfiles:
+    - localhost/custom

artifacthub/library/pod-security-policy/apparmor/1.1.0/samples/psp-apparmor/disallowed_ephemeral.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-apparmor-disallowed
+  annotations:
+    # apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
+    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
+  labels:
+    app: nginx-apparmor
+spec:
+  ephemeralContainers:
+  - name: nginx
+    image: nginx

artifacthub/library/pod-security-policy/apparmor/1.1.0/samples/psp-apparmor/example_allowed.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-apparmor-allowed
+  annotations:
+    # apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
+    container.apparmor.security.beta.kubernetes.io/nginx: localhost/custom
+  labels:
+    app: nginx-apparmor
+spec:
+  containers:
+  - name: nginx
+    image: nginx

artifacthub/library/pod-security-policy/apparmor/1.1.0/samples/psp-apparmor/example_allowed_container.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-apparmor-allowed
+  labels:
+    app: nginx-apparmor
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+    securityContext:
+      appArmorProfile:
+        type: "Localhost"
+        localhostProfile: "custom"

artifacthub/library/pod-security-policy/apparmor/1.1.0/samples/psp-apparmor/example_allowed_override.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-apparmor-allowed
+  labels:
+    app: nginx-apparmor
+spec:
+  securityContext:
+    appArmorProfile:
+      type: "Unconfined"
+  containers:
+  - name: nginx
+    image: nginx
+    securityContext:
+      appArmorProfile:
+        type: "Localhost"
+        localhostProfile: "custom"

artifacthub/library/pod-security-policy/apparmor/1.1.0/samples/psp-apparmor/example_allowed_pod.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-apparmor-allowed
+  labels:
+    app: nginx-apparmor
+spec:
+  securityContext:
+    appArmorProfile:
+      type: "Localhost"
+      localhostProfile: "custom"
+  containers:
+  - name: nginx
+    image: nginx

artifacthub/library/pod-security-policy/apparmor/1.1.0/samples/psp-apparmor/example_disallowed.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-apparmor-disallowed
+  annotations:
+    # apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
+    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
+  labels:
+    app: nginx-apparmor
+spec:
+  containers:
+  - name: nginx
+    image: nginx

artifacthub/library/pod-security-policy/apparmor/1.1.0/samples/psp-apparmor/example_disallowed_no_profile.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-apparmor-disallowed
+  labels:
+    app: nginx-apparmor
+spec:
+  containers:
+  - name: nginx
+    image: nginx

artifacthub/library/pod-security-policy/apparmor/1.1.0/samples/psp-apparmor/example_disallowed_override.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-apparmor-allowed
+  labels:
+    app: nginx-apparmor
+spec:
+  securityContext:
+    appArmorProfile:
+      type: "Localhost"
+      localhostProfile: "custom"
+  containers:
+  - name: nginx
+    image: nginx
+    securityContext:
+      appArmorProfile:
+        type: "Unconfined"

artifacthub/library/pod-security-policy/apparmor/1.1.0/suite.yaml

@@ -0,0 +1,41 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: apparmor
+tests:
+  - name: apparmor
+    template: template.yaml
+    constraint: samples/psp-apparmor/constraint.yaml
+    cases:
+      - name: example-allowed
+        object: samples/psp-apparmor/example_allowed.yaml
+        assertions:
+          - violations: no
+      - name: example-allowed-container
+        object: samples/psp-apparmor/example_allowed_container.yaml
+        assertions:
+          - violations: no
+      - name: example-allowed-pod
+        object: samples/psp-apparmor/example_allowed_pod.yaml
+        assertions:
+          - violations: no
+      - name: example-allowed-override
+        object: samples/psp-apparmor/example_allowed_override.yaml
+        assertions:
+          - violations: no
+      - name: example-disallowed
+        object: samples/psp-apparmor/example_disallowed.yaml
+        assertions:
+          - violations: yes
+      - name: example-disallowed-override
+        object: samples/psp-apparmor/example_disallowed_override.yaml
+        assertions:
+          - violations: yes
+      - name: example-disallowed-no-profile
+        object: samples/psp-apparmor/example_disallowed_no_profile.yaml
+        assertions:
+          - violations: yes
+      - name: disallowed-ephemeral
+        object: samples/psp-apparmor/disallowed_ephemeral.yaml
+        assertions:
+          - violations: yes