-
Notifications
You must be signed in to change notification settings - Fork 327
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'master' into psp-host-filesystem
- Loading branch information
Showing
42 changed files
with
855 additions
and
18 deletions.
There are no files selected for viewing
22 changes: 22 additions & 0 deletions
22
artifacthub/library/pod-security-policy/host-network-ports/1.1.4/artifacthub-pkg.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
version: 1.1.4 | ||
name: k8spsphostnetworkingports | ||
displayName: Host Networking Ports | ||
createdAt: "2024-08-30T22:03:40Z" | ||
description: Controls usage of host network namespace by pod containers. HostNetwork verification happens without exception for exemptImages. Specific ports must be specified. Corresponds to the `hostNetwork` and `hostPorts` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces | ||
digest: 5e295f3ee2762996e89f926faae128ca3ae86166aac8fb9e518433ba1300deec | ||
license: Apache-2.0 | ||
homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-network-ports | ||
keywords: | ||
- gatekeeper | ||
- open-policy-agent | ||
- policies | ||
readme: |- | ||
# Host Networking Ports | ||
Controls usage of host network namespace by pod containers. HostNetwork verification happens without exception for exemptImages. Specific ports must be specified. Corresponds to the `hostNetwork` and `hostPorts` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces | ||
install: |- | ||
### Usage | ||
```shell | ||
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/template.yaml | ||
``` | ||
provider: | ||
name: Gatekeeper Library |
2 changes: 2 additions & 0 deletions
2
artifacthub/library/pod-security-policy/host-network-ports/1.1.4/kustomization.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
resources: | ||
- template.yaml |
11 changes: 11 additions & 0 deletions
11
...y/pod-security-policy/host-network-ports/1.1.4/samples/block_host_network/constraint.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
kind: K8sPSPHostNetworkingPorts | ||
metadata: | ||
name: psp-host-network | ||
spec: | ||
match: | ||
kinds: | ||
- apiGroups: [""] | ||
kinds: ["Pod"] | ||
parameters: | ||
hostNetwork: false |
15 changes: 15 additions & 0 deletions
15
...ity-policy/host-network-ports/1.1.4/samples/port_range_block_host_network/constraint.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
kind: K8sPSPHostNetworkingPorts | ||
metadata: | ||
name: psp-host-network-ports | ||
spec: | ||
match: | ||
kinds: | ||
- apiGroups: [""] | ||
kinds: ["Pod"] | ||
parameters: | ||
hostNetwork: false | ||
min: 80 | ||
max: 9000 | ||
exemptImages: | ||
- "safeimages.com/*" |
14 changes: 14 additions & 0 deletions
14
..._range_block_host_network/example_disallowed_exempted_container_host_network_enabled.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-host-networking-hn-ok-bad-port | ||
labels: | ||
app: nginx-host-networking-ports | ||
spec: | ||
hostNetwork: true | ||
containers: | ||
- name: nginx | ||
image: safeimages.com/nginx | ||
ports: | ||
- containerPort: 9001 | ||
hostPort: 9001 |
14 changes: 14 additions & 0 deletions
14
...ples/port_range_block_host_network/example_disallowed_out_of_range_host_network_true.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-host-networking-ports-disallowed | ||
labels: | ||
app: nginx-host-networking-ports | ||
spec: | ||
hostNetwork: true | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
ports: | ||
- containerPort: 9001 | ||
hostPort: 9001 |
15 changes: 15 additions & 0 deletions
15
...d-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/constraint.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
kind: K8sPSPHostNetworkingPorts | ||
metadata: | ||
name: psp-host-network-ports | ||
spec: | ||
match: | ||
kinds: | ||
- apiGroups: [""] | ||
kinds: ["Pod"] | ||
parameters: | ||
hostNetwork: true | ||
min: 80 | ||
max: 9000 | ||
exemptImages: | ||
- "safeimages.com/*" |
14 changes: 14 additions & 0 deletions
14
...-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/disallowed_ephemeral.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-host-networking-ports-disallowed | ||
labels: | ||
app: nginx-host-networking-ports | ||
spec: | ||
hostNetwork: true | ||
ephemeralContainers: | ||
- name: nginx | ||
image: nginx | ||
ports: | ||
- containerPort: 9001 | ||
hostPort: 9001 |
13 changes: 13 additions & 0 deletions
13
...icy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_in_range.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-host-networking-ports-allowed | ||
labels: | ||
app: nginx-host-networking-ports | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
ports: | ||
- containerPort: 9000 | ||
hostPort: 80 |
11 changes: 11 additions & 0 deletions
11
...icy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_no_ports.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-host-networking-ports-disallowed | ||
labels: | ||
app: nginx-host-networking-ports | ||
spec: | ||
hostNetwork: true | ||
containers: | ||
- name: nginx | ||
image: nginx |
9 changes: 9 additions & 0 deletions
9
...rts/1.1.4/samples/psp-host-network-ports/example_allowed_no_ports_host_network_false.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-host-network-false | ||
spec: | ||
hostNetwork: false | ||
containers: | ||
- name: nginx | ||
image: nginx |
9 changes: 9 additions & 0 deletions
9
...orts/1.1.4/samples/psp-host-network-ports/example_allowed_no_ports_host_network_true.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-host-network-true | ||
spec: | ||
hostNetwork: true | ||
containers: | ||
- name: nginx | ||
image: nginx |
14 changes: 14 additions & 0 deletions
14
...ork-ports/1.1.4/samples/psp-host-network-ports/example_allowed_out_of_range_exempted.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-host-networking-ports-exempted | ||
labels: | ||
app: nginx-host-networking-ports | ||
spec: | ||
hostNetwork: true | ||
containers: | ||
- name: nginx | ||
image: safeimages.com/nginx | ||
ports: | ||
- containerPort: 9001 | ||
hostPort: 9001 |
19 changes: 19 additions & 0 deletions
19
...y/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/update.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
kind: AdmissionReview | ||
apiVersion: admission.k8s.io/v1beta1 | ||
request: | ||
operation: "UPDATE" | ||
object: | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-host-networking-ports-disallowed | ||
labels: | ||
app: nginx-host-networking-ports | ||
spec: | ||
hostNetwork: true | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
ports: | ||
- containerPort: 9001 | ||
hostPort: 9001 |
69 changes: 69 additions & 0 deletions
69
artifacthub/library/pod-security-policy/host-network-ports/1.1.4/suite.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,69 @@ | ||
kind: Suite | ||
apiVersion: test.gatekeeper.sh/v1alpha1 | ||
metadata: | ||
name: host-network-ports | ||
tests: | ||
- name: port-range-with-host-network-allowed | ||
template: template.yaml | ||
constraint: samples/psp-host-network-ports/constraint.yaml | ||
cases: | ||
- name: out-of-range | ||
object: samples/port_range_block_host_network/example_disallowed_out_of_range_host_network_true.yaml | ||
assertions: | ||
- violations: yes | ||
- name: example-allowed | ||
object: samples/psp-host-network-ports/example_allowed_in_range.yaml | ||
assertions: | ||
- violations: no | ||
- name: out-of-range-ephemeral | ||
object: samples/psp-host-network-ports/disallowed_ephemeral.yaml | ||
assertions: | ||
- violations: yes | ||
- name: update | ||
object: samples/psp-host-network-ports/update.yaml | ||
assertions: | ||
- violations: no | ||
- name: no-ports-specified | ||
object: samples/psp-host-network-ports/example_allowed_no_ports.yaml | ||
assertions: | ||
- violations: no | ||
- name: port-violation-exempted | ||
object: samples/psp-host-network-ports/example_allowed_out_of_range_exempted.yaml | ||
assertions: | ||
- violations: no | ||
- name: host-network-forbidden | ||
template: template.yaml | ||
constraint: samples/block_host_network/constraint.yaml | ||
cases: | ||
- name: hostnetwork-true | ||
object: samples/psp-host-network-ports/example_allowed_no_ports_host_network_true.yaml | ||
assertions: | ||
- violations: yes | ||
- name: hostnetwork-false | ||
object: samples/psp-host-network-ports/example_allowed_no_ports_host_network_false.yaml | ||
assertions: | ||
- violations: no | ||
- name: port-range-with-host-network-forbidden | ||
template: template.yaml | ||
constraint: samples/port_range_block_host_network/constraint.yaml | ||
cases: | ||
- name: out-of-range-and-host-network-true | ||
object: samples/port_range_block_host_network/example_disallowed_out_of_range_host_network_true.yaml | ||
assertions: | ||
- violations: yes | ||
- name: exempted-image-still-violates-on-hostnetwork | ||
object: samples/port_range_block_host_network/example_disallowed_exempted_container_host_network_enabled.yaml | ||
assertions: | ||
- violations: yes | ||
- name: in-range-host-network-false | ||
object: samples/psp-host-network-ports/example_allowed_in_range.yaml | ||
assertions: | ||
- violations: no | ||
- name: disallowed-ephemeral | ||
object: samples/psp-host-network-ports/disallowed_ephemeral.yaml | ||
assertions: | ||
- violations: yes | ||
- name: update | ||
object: samples/psp-host-network-ports/update.yaml | ||
assertions: | ||
- violations: no |
Oops, something went wrong.