diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/artifacthub-pkg.yml
new file mode 100644
index 000000000..24366190f
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.1.4
+name: k8spsphostnetworkingports
+displayName: Host Networking Ports
+createdAt: "2024-08-30T22:03:40Z"
+description: Controls usage of host network namespace by pod containers. HostNetwork verification happens without exception for exemptImages. Specific ports must be specified. Corresponds to the `hostNetwork` and `hostPorts` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+digest: 5e295f3ee2762996e89f926faae128ca3ae86166aac8fb9e518433ba1300deec
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-network-ports
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Host Networking Ports
+ Controls usage of host network namespace by pod containers. HostNetwork verification happens without exception for exemptImages. Specific ports must be specified. Corresponds to the `hostNetwork` and `hostPorts` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/kustomization.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/block_host_network/constraint.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/block_host_network/constraint.yaml
new file mode 100644
index 000000000..b5f2e9f44
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/block_host_network/constraint.yaml
@@ -0,0 +1,11 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPHostNetworkingPorts
+metadata:
+ name: psp-host-network
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ parameters:
+ hostNetwork: false
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/port_range_block_host_network/constraint.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/port_range_block_host_network/constraint.yaml
new file mode 100644
index 000000000..c315f9e23
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/port_range_block_host_network/constraint.yaml
@@ -0,0 +1,15 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPHostNetworkingPorts
+metadata:
+ name: psp-host-network-ports
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ parameters:
+ hostNetwork: false
+ min: 80
+ max: 9000
+ exemptImages:
+ - "safeimages.com/*"
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/port_range_block_host_network/example_disallowed_exempted_container_host_network_enabled.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/port_range_block_host_network/example_disallowed_exempted_container_host_network_enabled.yaml
new file mode 100644
index 000000000..0056f9b1d
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/port_range_block_host_network/example_disallowed_exempted_container_host_network_enabled.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-networking-hn-ok-bad-port
+ labels:
+ app: nginx-host-networking-ports
+spec:
+ hostNetwork: true
+ containers:
+ - name: nginx
+ image: safeimages.com/nginx
+ ports:
+ - containerPort: 9001
+ hostPort: 9001
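Review bot: The pod name `nginx-host-networking-hn-ok-bad-port` states the opposite of what this fixture exercises: under `samples/port_range_block_host_network/constraint.yaml` (`hostNetwork: false`, `exemptImages: safeimages.com/*`) the image is exempt from the port check, so the only thing that can violate is `hostNetwork: true` itself, which is what the suite case `exempted-image-still-violates-on-hostnetwork` asserts. Renaming the pod to match the filename, e.g. `name: nginx-host-networking-exempt-image-hn-enabled`, keeps the fixture self-describing and avoids a reader concluding that hostNetwork is tolerated here.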
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/port_range_block_host_network/example_disallowed_out_of_range_host_network_true.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/port_range_block_host_network/example_disallowed_out_of_range_host_network_true.yaml
new file mode 100644
index 000000000..9a496cd60
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/port_range_block_host_network/example_disallowed_out_of_range_host_network_true.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-networking-ports-disallowed
+ labels:
+ app: nginx-host-networking-ports
+spec:
+ hostNetwork: true
+ containers:
+ - name: nginx
+ image: nginx
+ ports:
+ - containerPort: 9001
+ hostPort: 9001
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/constraint.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/constraint.yaml
new file mode 100644
index 000000000..b6176404c
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/constraint.yaml
@@ -0,0 +1,15 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPHostNetworkingPorts
+metadata:
+ name: psp-host-network-ports
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ parameters:
+ hostNetwork: true
+ min: 80
+ max: 9000
+ exemptImages:
+ - "safeimages.com/*"
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/disallowed_ephemeral.yaml
new file mode 100644
index 000000000..7a4fa3114
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/disallowed_ephemeral.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-networking-ports-disallowed
+ labels:
+ app: nginx-host-networking-ports
+spec:
+ hostNetwork: true
+ ephemeralContainers:
+ - name: nginx
+ image: nginx
+ ports:
+ - containerPort: 9001
+ hostPort: 9001
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_in_range.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_in_range.yaml
new file mode 100644
index 000000000..2b4f7c926
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_in_range.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-networking-ports-allowed
+ labels:
+ app: nginx-host-networking-ports
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ ports:
+ - containerPort: 9000
+ hostPort: 80
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_no_ports.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_no_ports.yaml
new file mode 100644
index 000000000..e009decf9
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_no_ports.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-networking-ports-disallowed
+ labels:
+ app: nginx-host-networking-ports
+spec:
+ hostNetwork: true
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_no_ports_host_network_false.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_no_ports_host_network_false.yaml
new file mode 100644
index 000000000..8c0b0ef57
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_no_ports_host_network_false.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-network-false
+spec:
+ hostNetwork: false
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_no_ports_host_network_true.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_no_ports_host_network_true.yaml
new file mode 100644
index 000000000..91cd7f4cd
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_no_ports_host_network_true.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-network-true
+spec:
+ hostNetwork: true
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_out_of_range_exempted.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_out_of_range_exempted.yaml
new file mode 100644
index 000000000..e4d013447
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_out_of_range_exempted.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-networking-ports-exempted
+ labels:
+ app: nginx-host-networking-ports
+spec:
+ hostNetwork: true
+ containers:
+ - name: nginx
+ image: safeimages.com/nginx
+ ports:
+ - containerPort: 9001
+ hostPort: 9001
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/update.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/update.yaml
new file mode 100644
index 000000000..231096430
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/update.yaml
@@ -0,0 +1,19 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-host-networking-ports-disallowed
+ labels:
+ app: nginx-host-networking-ports
+ spec:
+ hostNetwork: true
+ containers:
+ - name: nginx
+ image: nginx
+ ports:
+ - containerPort: 9001
+ hostPort: 9001
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/suite.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/suite.yaml
new file mode 100644
index 000000000..8879f7fc9
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/suite.yaml
@@ -0,0 +1,69 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: host-network-ports
+tests:
+- name: port-range-with-host-network-allowed
+ template: template.yaml
+ constraint: samples/psp-host-network-ports/constraint.yaml
+ cases:
+ - name: out-of-range
+ object: samples/port_range_block_host_network/example_disallowed_out_of_range_host_network_true.yaml
+ assertions:
+ - violations: yes
+ - name: example-allowed
+ object: samples/psp-host-network-ports/example_allowed_in_range.yaml
+ assertions:
+ - violations: no
+ - name: out-of-range-ephemeral
+ object: samples/psp-host-network-ports/disallowed_ephemeral.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/psp-host-network-ports/update.yaml
+ assertions:
+ - violations: no
+ - name: no-ports-specified
+ object: samples/psp-host-network-ports/example_allowed_no_ports.yaml
+ assertions:
+ - violations: no
+ - name: port-violation-exempted
+ object: samples/psp-host-network-ports/example_allowed_out_of_range_exempted.yaml
+ assertions:
+ - violations: no
+- name: host-network-forbidden
+ template: template.yaml
+ constraint: samples/block_host_network/constraint.yaml
+ cases:
+ - name: hostnetwork-true
+ object: samples/psp-host-network-ports/example_allowed_no_ports_host_network_true.yaml
+ assertions:
+ - violations: yes
+ - name: hostnetwork-false
+ object: samples/psp-host-network-ports/example_allowed_no_ports_host_network_false.yaml
+ assertions:
+ - violations: no
+- name: port-range-with-host-network-forbidden
+ template: template.yaml
+ constraint: samples/port_range_block_host_network/constraint.yaml
+ cases:
+ - name: out-of-range-and-host-network-true
+ object: samples/port_range_block_host_network/example_disallowed_out_of_range_host_network_true.yaml
+ assertions:
+ - violations: yes
+ - name: exempted-image-still-violates-on-hostnetwork
+ object: samples/port_range_block_host_network/example_disallowed_exempted_container_host_network_enabled.yaml
+ assertions:
+ - violations: yes
+ - name: in-range-host-network-false
+ object: samples/psp-host-network-ports/example_allowed_in_range.yaml
+ assertions:
+ - violations: no
+ - name: disallowed-ephemeral
+ object: samples/psp-host-network-ports/disallowed_ephemeral.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/psp-host-network-ports/update.yaml
+ assertions:
+ - violations: no
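Review bot: Neither port-range test has a fixture with more than one `ports` entry, which is exactly where the two engines in template.yaml can diverge (the CEL filter quantifies with `ports.all(...)`, the Rego rules iterate `ports[_]`), so a bypass in one engine would not show up here. Add a non-exempt fixture with `ports: [{containerPort: 80, hostPort: 80}, {containerPort: 9001, hostPort: 9001}]` asserting `violations: yes` under both `port-range-with-host-network-allowed` and `port-range-with-host-network-forbidden`, and a boundary fixture at `hostPort: 9000` asserting `violations: no` so the inclusive `max` is pinned. The two `update` cases silently document that updates are never rejected; a comment such as `# UPDATE is skipped: the Rego notes spec.hostNetwork is immutable, so only CREATE is enforced` beside them would make that intent visible to someone reading the suite.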
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/template.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/template.yaml
new file mode 100644
index 000000000..c310ffcbb
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/template.yaml
@@ -0,0 +1,166 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spsphostnetworkingports
+ annotations:
+ metadata.gatekeeper.sh/title: "Host Networking Ports"
+ metadata.gatekeeper.sh/version: 1.1.4
+ description: >-
+ Controls usage of host network namespace by pod containers. HostNetwork verification happens without exception for exemptImages. Specific
+ ports must be specified. Corresponds to the `hostNetwork` and
+ `hostPorts` fields in a PodSecurityPolicy. For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPHostNetworkingPorts
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Controls usage of host network namespace by pod containers. HostNetwork verification happens without exception for exemptImages. Specific
+ ports must be specified. Corresponds to the `hostNetwork` and
+ `hostPorts` fields in a PodSecurityPolicy. For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+ properties:
+ exemptImages:
+ description: >-
+ Any container that uses an image that matches an entry in this list will be excluded
+ from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+ It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+ in order to avoid unexpectedly exempting images from an untrusted repository.
+ type: array
+ items:
+ type: string
+ hostNetwork:
+ description: "Determines if the policy allows the use of HostNetwork in the pod spec."
+ type: boolean
+ min:
+ description: "The start of the allowed port range, inclusive."
+ type: integer
+ max:
+ description: "The end of the allowed port range, inclusive."
+ type: integer
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ code:
+ - engine: K8sNativeValidation
+ source:
+ variables:
+ - name: containers
+ expression: 'has(variables.anyObject.spec.containers) ? variables.anyObject.spec.containers : []'
+ - name: initContainers
+ expression: 'has(variables.anyObject.spec.initContainers) ? variables.anyObject.spec.initContainers : []'
+ - name: ephemeralContainers
+ expression: 'has(variables.anyObject.spec.ephemeralContainers) ? variables.anyObject.spec.ephemeralContainers : []'
+ - name: exemptImagePrefixes
+ expression: |
+ !has(variables.params.exemptImages) ? [] :
+ variables.params.exemptImages.filter(image, image.endsWith("*")).map(image, string(image).replace("*", ""))
+ - name: exemptImageExplicit
+ expression: |
+ !has(variables.params.exemptImages) ? [] :
+ variables.params.exemptImages.filter(image, !image.endsWith("*"))
+ - name: exemptImages
+ expression: |
+ (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
+ container.image in variables.exemptImageExplicit ||
+ variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption))
+ ).map(container, container.image)
+ - name: badContainers
+ expression: |
+ (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
+ !(container.image in variables.exemptImages) && has(container.ports) &&
+ (
+ (container.ports.all(port, has(port.hostPort) && has(variables.params.min) && port.hostPort < variables.params.min)) ||
+ (container.ports.all(port, has(port.hostPort) && has(variables.params.max) && port.hostPort > variables.params.max))
+ )
+ )
+ - name: isUpdate
+ expression: has(request.operation) && request.operation == "UPDATE"
+ - name: hostNetworkAllowed
+ expression: has(variables.params.hostNetwork) && variables.params.hostNetwork
+ - name: hostNetworkEnabled
+ expression: has(variables.anyObject.spec.hostNetwork) && variables.anyObject.spec.hostNetwork
+ - name: hostNetworkViolation
+ expression: variables.hostNetworkEnabled && !variables.hostNetworkAllowed
+ validations:
+ - expression: 'variables.isUpdate || size(variables.badContainers) == 0'
+ messageExpression: '"The specified hostNetwork and hostPort are not allowed, pod: " + variables.anyObject.metadata.name'
+ - expression: variables.isUpdate || !variables.hostNetworkViolation
+ messageExpression: '"The specified hostNetwork and hostPort are not allowed, pod: " + variables.anyObject.metadata.name'
+ - engine: Rego
+ source:
+ rego: |
+ package k8spsphostnetworkingports
+
+ import data.lib.exclude_update.is_update
+ import data.lib.exempt_container.is_exempt
+
+ violation[{"msg": msg, "details": {}}] {
+ # spec.hostNetwork field is immutable.
+ not is_update(input.review)
+
+ input_share_hostnetwork(input.review.object)
+ msg := sprintf("The specified hostNetwork and hostPort are not allowed, pod: %v. Allowed values: %v", [input.review.object.metadata.name, input.parameters])
+ }
+
+ input_share_hostnetwork(o) {
+ not input.parameters.hostNetwork
+ o.spec.hostNetwork
+ }
+
+ input_share_hostnetwork(_) {
+ hostPort := input_containers[_].ports[_].hostPort
+ hostPort < input.parameters.min
+ }
+
+ input_share_hostnetwork(_) {
+ hostPort := input_containers[_].ports[_].hostPort
+ hostPort > input.parameters.max
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.containers[_]
+ not is_exempt(c)
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.initContainers[_]
+ not is_exempt(c)
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.ephemeralContainers[_]
+ not is_exempt(c)
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
+ - |
+ package lib.exempt_container
+
+ is_exempt(container) {
+ exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+ img := container.image
+ exemption := exempt_images[_]
+ _matches_exemption(img, exemption)
+ }
+
+ _matches_exemption(img, exemption) {
+ not endswith(exemption, "*")
+ exemption == img
+ }
+
+ _matches_exemption(img, exemption) {
+ endswith(exemption, "*")
+ prefix := trim_suffix(exemption, "*")
+ startswith(img, prefix)
+ }
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..5f2dffd89
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.1.1
+name: k8spspprivilegedcontainer
+displayName: Privileged Container
+createdAt: "2024-08-30T22:14:08Z"
+description: Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
+digest: 5d9b2b840bb1f530d3e66cb44d4ab170e7d4b7895d722a51999134a032b61c6f
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/privileged-containers
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Privileged Container
+ Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/kustomization.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/constraint.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/constraint.yaml
new file mode 100644
index 000000000..bf2fe519d
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/constraint.yaml
@@ -0,0 +1,13 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPPrivilegedContainer
+metadata:
+ name: psp-privileged-container
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ excludedNamespaces: ["kube-system"]
+ parameters:
+ exemptImages:
+ - "safeimages.com/*"
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/disallowed_ephemeral.yaml
new file mode 100644
index 000000000..e8c8b9945
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/disallowed_ephemeral.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-privileged-disallowed
+ labels:
+ app: nginx-privileged
+spec:
+ ephemeralContainers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ privileged: true
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/example_allowed.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/example_allowed.yaml
new file mode 100644
index 000000000..bb65a2c0e
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/example_allowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-privileged-allowed
+ labels:
+ app: nginx-privileged
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ privileged: false
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/example_allowed_exempt.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/example_allowed_exempt.yaml
new file mode 100644
index 000000000..782a6036a
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/example_allowed_exempt.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-privileged-allowed-exempt
+ labels:
+ app: nginx-privileged
+spec:
+ containers:
+ - name: nginx
+ image: safeimages.com/nginx
+ securityContext:
+ privileged: true
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/example_disallowed.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/example_disallowed.yaml
new file mode 100644
index 000000000..936a24f8e
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/example_disallowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-privileged-disallowed
+ labels:
+ app: nginx-privileged
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ privileged: true
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/update.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/update.yaml
new file mode 100644
index 000000000..08f36044c
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/update.yaml
@@ -0,0 +1,17 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-privileged-disallowed
+ labels:
+ app: nginx-privileged
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ privileged: true
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/suite.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/suite.yaml
new file mode 100644
index 000000000..3dd4ff863
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/suite.yaml
@@ -0,0 +1,29 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: privileged-containers
+tests:
+- name: privileged-containers-disallowed
+ template: template.yaml
+ constraint: samples/psp-privileged-container/constraint.yaml
+ cases:
+ - name: example-disallowed
+ object: samples/psp-privileged-container/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-allowed
+ object: samples/psp-privileged-container/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: disallowed-ephemeral
+ object: samples/psp-privileged-container/disallowed_ephemeral.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/psp-privileged-container/update.yaml
+ assertions:
+ - violations: no
+ - name: exempted-image
+ object: samples/psp-privileged-container/example_allowed_exempt.yaml
+ assertions:
+ - violations: no
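Review bot: The `exempted-image` case covers only a pod whose single container is exempt, so nothing verifies that an exempt image cannot shield a sibling; add a fixture with two containers, `safeimages.com/nginx` and `nginx`, both `privileged: true`, asserting `violations: yes`. The template also evaluates `initContainers`, but no fixture exercises that path; a `privileged: true` initContainer asserting `violations: yes` would pin it. The `update` case asserts `violations: no` for a privileged container, which is deliberate per the Rego comment in template.yaml but reads as a bug here; a one-line comment `# UPDATE is never rejected: privileged is immutable, only CREATE is enforced` next to it would prevent that misreading.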
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/template.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/template.yaml
new file mode 100644
index 000000000..c5a09674c
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/template.yaml
@@ -0,0 +1,129 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spspprivilegedcontainer
+ annotations:
+ metadata.gatekeeper.sh/title: "Privileged Container"
+ metadata.gatekeeper.sh/version: 1.1.1
+ description: >-
+ Controls the ability of any container to enable privileged mode.
+ Corresponds to the `privileged` field in a PodSecurityPolicy. For more
+ information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPPrivilegedContainer
+ validation:
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Controls the ability of any container to enable privileged mode.
+ Corresponds to the `privileged` field in a PodSecurityPolicy. For more
+ information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
+ properties:
+ exemptImages:
+ description: >-
+ Any container that uses an image that matches an entry in this list will be excluded
+ from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+ It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+ in order to avoid unexpectedly exempting images from an untrusted repository.
+ type: array
+ items:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ code:
+ - engine: K8sNativeValidation
+ source:
+ variables:
+ - name: containers
+ expression: 'has(variables.anyObject.spec.containers) ? variables.anyObject.spec.containers : []'
+ - name: initContainers
+ expression: 'has(variables.anyObject.spec.initContainers) ? variables.anyObject.spec.initContainers : []'
+ - name: ephemeralContainers
+ expression: 'has(variables.anyObject.spec.ephemeralContainers) ? variables.anyObject.spec.ephemeralContainers : []'
+ - name: exemptImagePrefixes
+ expression: |
+ !has(variables.params.exemptImages) ? [] :
+ variables.params.exemptImages.filter(image, image.endsWith("*")).map(image, string(image).replace("*", ""))
+ - name: exemptImageExplicit
+ expression: |
+ !has(variables.params.exemptImages) ? [] :
+ variables.params.exemptImages.filter(image, !image.endsWith("*"))
+ - name: exemptImages
+ expression: |
+ (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
+ container.image in variables.exemptImageExplicit ||
+ variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption))
+ ).map(container, container.image)
+ - name: badContainers
+ expression: |
+ (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
+ !(container.image in variables.exemptImages) &&
+ (has(container.securityContext) && has(container.securityContext.privileged) && container.securityContext.privileged == true)
+ ).map(container, "Privileged container is not allowed: " + container.name +", securityContext: " + container.securityContext)
+ - name: isUpdate
+ expression: has(request.operation) && request.operation == "UPDATE"
+ validations:
+ - expression: variables.isUpdate || size(variables.badContainers) == 0
+ messageExpression: 'variables.badContainers.join("\n")'
+ - engine: Rego
+ source:
+ rego: |
+ package k8spspprivileged
+
+ import data.lib.exclude_update.is_update
+ import data.lib.exempt_container.is_exempt
+
+ violation[{"msg": msg, "details": {}}] {
+ # spec.containers.privileged field is immutable.
+ not is_update(input.review)
+
+ c := input_containers[_]
+ not is_exempt(c)
+ c.securityContext.privileged
+ msg := sprintf("Privileged container is not allowed: %v, securityContext: %v", [c.name, c.securityContext])
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.containers[_]
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.initContainers[_]
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.ephemeralContainers[_]
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
+ - |
+ package lib.exempt_container
+
+ is_exempt(container) {
+ exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+ img := container.image
+ exemption := exempt_images[_]
+ _matches_exemption(img, exemption)
+ }
+
+ _matches_exemption(img, exemption) {
+ not endswith(exemption, "*")
+ exemption == img
+ }
+
+ _matches_exemption(img, exemption) {
+ endswith(exemption, "*")
+ prefix := trim_suffix(exemption, "*")
+ startswith(img, prefix)
+ }
diff --git a/library/pod-security-policy/host-network-ports/samples/port_range_block_host_network/constraint.yaml b/library/pod-security-policy/host-network-ports/samples/port_range_block_host_network/constraint.yaml
index 46e16454c..c315f9e23 100644
--- a/library/pod-security-policy/host-network-ports/samples/port_range_block_host_network/constraint.yaml
+++ b/library/pod-security-policy/host-network-ports/samples/port_range_block_host_network/constraint.yaml
@@ -11,3 +11,5 @@ spec:
hostNetwork: false
min: 80
max: 9000
+ exemptImages:
+ - "safeimages.com/*"
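Review bot: The wildcard exemption here is a plain string-prefix match on the image reference exactly as written in the pod spec (`startsWith(exemption)` in the CEL, `startswith(img, prefix)` after `trim_suffix(exemption, "*")` in the Rego lib above), so the trailing `/` in `safeimages.com/*` is what keeps the exemption scoped to one registry path, and the same image written with a different registry spelling, tag or digest is not matched. A one-line comment on the sample would make that visible to anyone copying it: `# Exemption is a literal prefix match on container.image; keep the trailing "/" so only images under this registry path are exempted`. The same applies to the identical additions in the psp-host-network-ports constraint sample and the psp-privileged-container constraint sample below.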
diff --git a/library/pod-security-policy/host-network-ports/samples/port_range_block_host_network/example_disallowed_exempted_container_host_network_enabled.yaml b/library/pod-security-policy/host-network-ports/samples/port_range_block_host_network/example_disallowed_exempted_container_host_network_enabled.yaml
new file mode 100644
index 000000000..0056f9b1d
--- /dev/null
+++ b/library/pod-security-policy/host-network-ports/samples/port_range_block_host_network/example_disallowed_exempted_container_host_network_enabled.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-networking-hn-ok-bad-port
+ labels:
+ app: nginx-host-networking-ports
+spec:
+ hostNetwork: true
+ containers:
+ - name: nginx
+ image: safeimages.com/nginx
+ ports:
+ - containerPort: 9001
+ hostPort: 9001
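Review bot: This sample sets both `hostNetwork: true` and an out-of-range `hostPort: 9001`, so the expected violation can come from either check and the suite case would still pass even if the exemptImages change had no effect on the port check. Using an in-range port, `containerPort: 8080` / `hostPort: 8080`, makes hostNetwork the only possible violation and actually pins the documented behaviour that hostNetwork is verified without exception for exempt images. The pod name `nginx-host-networking-hn-ok-bad-port` also reads as the opposite of what the file tests; something like `nginx-host-networking-exempted-hn-enabled` would match the file name.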
diff --git a/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/constraint.yaml b/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/constraint.yaml
index aba7c24e7..b6176404c 100644
--- a/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/constraint.yaml
+++ b/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/constraint.yaml
@@ -10,4 +10,6 @@ spec:
parameters:
hostNetwork: true
min: 80
- max: 9000
\ No newline at end of file
+ max: 9000
+ exemptImages:
+ - "safeimages.com/*"
diff --git a/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/example_allowed_out_of_range_exempted.yaml b/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/example_allowed_out_of_range_exempted.yaml
new file mode 100644
index 000000000..e4d013447
--- /dev/null
+++ b/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/example_allowed_out_of_range_exempted.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-networking-ports-exempted
+ labels:
+ app: nginx-host-networking-ports
+spec:
+ hostNetwork: true
+ containers:
+ - name: nginx
+ image: safeimages.com/nginx
+ ports:
+ - containerPort: 9001
+ hostPort: 9001
diff --git a/library/pod-security-policy/host-network-ports/suite.yaml b/library/pod-security-policy/host-network-ports/suite.yaml
index 44bbab1be..8879f7fc9 100644
--- a/library/pod-security-policy/host-network-ports/suite.yaml
+++ b/library/pod-security-policy/host-network-ports/suite.yaml
@@ -27,6 +27,10 @@ tests:
object: samples/psp-host-network-ports/example_allowed_no_ports.yaml
assertions:
- violations: no
+ - name: port-violation-exempted
+ object: samples/psp-host-network-ports/example_allowed_out_of_range_exempted.yaml
+ assertions:
+ - violations: no
- name: host-network-forbidden
template: template.yaml
constraint: samples/block_host_network/constraint.yaml
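Review bot: The new suite cases only cover pods with a single exempted container, so nothing checks that the exemption is applied per container rather than per pod; a pod with one `safeimages.com/*` container and one non-exempt container, both with an out-of-range hostPort, should still yield `violations: yes`, which is exactly the case a mis-scoped `exemptImages` list would get wrong. The same gap is in the privileged-containers suite addition further down (`exempted-image`), where an exempt and a non-exempt privileged container in one pod would be the corresponding case. Each is a new sample plus a four-line suite entry mirroring the ones added here.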
@@ -47,6 +51,10 @@ tests:
object: samples/port_range_block_host_network/example_disallowed_out_of_range_host_network_true.yaml
assertions:
- violations: yes
+ - name: exempted-image-still-violates-on-hostnetwork
+ object: samples/port_range_block_host_network/example_disallowed_exempted_container_host_network_enabled.yaml
+ assertions:
+ - violations: yes
- name: in-range-host-network-false
object: samples/psp-host-network-ports/example_allowed_in_range.yaml
assertions:
@@ -59,4 +67,3 @@ tests:
object: samples/psp-host-network-ports/update.yaml
assertions:
- violations: no
-
diff --git a/library/pod-security-policy/host-network-ports/template.yaml b/library/pod-security-policy/host-network-ports/template.yaml
index 036a3e045..c310ffcbb 100644
--- a/library/pod-security-policy/host-network-ports/template.yaml
+++ b/library/pod-security-policy/host-network-ports/template.yaml
@@ -4,7 +4,7 @@ metadata:
name: k8spsphostnetworkingports
annotations:
metadata.gatekeeper.sh/title: "Host Networking Ports"
- metadata.gatekeeper.sh/version: 1.1.3
+ metadata.gatekeeper.sh/version: 1.1.4
description: >-
Controls usage of host network namespace by pod containers. HostNetwork verification happens without exception for exemptImages. Specific
ports must be specified. Corresponds to the `hostNetwork` and
@@ -68,7 +68,8 @@ spec:
expression: |
(variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
container.image in variables.exemptImageExplicit ||
- variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption)))
+ variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption))
+ ).map(container, container.image)
- name: badContainers
expression: |
(variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
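Review bot: `exemptImages` now holds image strings rather than container objects, which is what makes the `!(container.image in variables.exemptImages)` test in badContainers meaningful, but nothing in the template says so and the variable's `- name: exemptImages` line sits above the hunk. A comment on that variable, `# image strings (not container objects) so badContainers can test container.image membership`, would stop a later edit from reverting to the container list. It is also worth confirming that the CEL `exemptImageExplicit`/`exemptImagePrefixes` split (defined outside this hunk) matches the Rego `is_exempt` semantics of exact match or `*`-suffix prefix, since both engines ship in the same template. The identical change appears in the privileged-containers template and in both `src.cel` sources; the badContainers expression continues below the hunk.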
diff --git a/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/constraint.yaml b/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/constraint.yaml
index b246b244a..bf2fe519d 100644
--- a/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/constraint.yaml
+++ b/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/constraint.yaml
@@ -8,3 +8,6 @@ spec:
- apiGroups: [""]
kinds: ["Pod"]
excludedNamespaces: ["kube-system"]
+ parameters:
+ exemptImages:
+ - "safeimages.com/*"
diff --git a/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/example_allowed_exempt.yaml b/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/example_allowed_exempt.yaml
new file mode 100644
index 000000000..782a6036a
--- /dev/null
+++ b/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/example_allowed_exempt.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-privileged-allowed-exempt
+ labels:
+ app: nginx-privileged
+spec:
+ containers:
+ - name: nginx
+ image: safeimages.com/nginx
+ securityContext:
+ privileged: true
diff --git a/library/pod-security-policy/privileged-containers/suite.yaml b/library/pod-security-policy/privileged-containers/suite.yaml
index c2e484fc5..3dd4ff863 100644
--- a/library/pod-security-policy/privileged-containers/suite.yaml
+++ b/library/pod-security-policy/privileged-containers/suite.yaml
@@ -23,3 +23,7 @@ tests:
object: samples/psp-privileged-container/update.yaml
assertions:
- violations: no
+ - name: exempted-image
+ object: samples/psp-privileged-container/example_allowed_exempt.yaml
+ assertions:
+ - violations: no
diff --git a/library/pod-security-policy/privileged-containers/template.yaml b/library/pod-security-policy/privileged-containers/template.yaml
index bd8452e67..c5a09674c 100644
--- a/library/pod-security-policy/privileged-containers/template.yaml
+++ b/library/pod-security-policy/privileged-containers/template.yaml
@@ -4,7 +4,7 @@ metadata:
name: k8spspprivilegedcontainer
annotations:
metadata.gatekeeper.sh/title: "Privileged Container"
- metadata.gatekeeper.sh/version: 1.1.0
+ metadata.gatekeeper.sh/version: 1.1.1
description: >-
Controls the ability of any container to enable privileged mode.
Corresponds to the `privileged` field in a PodSecurityPolicy. For more
@@ -58,15 +58,18 @@ spec:
expression: |
(variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
container.image in variables.exemptImageExplicit ||
- variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption)))
+ variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption))
+ ).map(container, container.image)
- name: badContainers
expression: |
(variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
!(container.image in variables.exemptImages) &&
(has(container.securityContext) && has(container.securityContext.privileged) && container.securityContext.privileged == true)
).map(container, "Privileged container is not allowed: " + container.name +", securityContext: " + container.securityContext)
+ - name: isUpdate
+ expression: has(request.operation) && request.operation == "UPDATE"
validations:
- - expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.badContainers) == 0'
+ - expression: variables.isUpdate || size(variables.badContainers) == 0
messageExpression: 'variables.badContainers.join("\n")'
- engine: Rego
source:
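Review bot: The new `isUpdate` variable short-circuits the whole validation on UPDATE without recording why; the Rego side carries `# spec.containers.privileged field is immutable.` and the CEL should say the same, e.g. `# privileged is immutable on existing containers, so UPDATE requests are skipped` above `- name: isUpdate`. One caveat to confirm while documenting it: `badContainers` also scans `ephemeralContainers`, which can be added to a pod after creation, so if the webhook receives those as UPDATE requests the skip would also bypass the privileged check for them. The same change is in `src/pod-security-policy/privileged-containers/src.cel`.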
diff --git a/src/pod-security-policy/host-network-ports/constraint.tmpl b/src/pod-security-policy/host-network-ports/constraint.tmpl
index d5f714682..51637ed2b 100644
--- a/src/pod-security-policy/host-network-ports/constraint.tmpl
+++ b/src/pod-security-policy/host-network-ports/constraint.tmpl
@@ -4,7 +4,7 @@ metadata:
name: k8spsphostnetworkingports
annotations:
metadata.gatekeeper.sh/title: "Host Networking Ports"
- metadata.gatekeeper.sh/version: 1.1.3
+ metadata.gatekeeper.sh/version: 1.1.4
description: >-
Controls usage of host network namespace by pod containers. HostNetwork verification happens without exception for exemptImages. Specific
ports must be specified. Corresponds to the `hostNetwork` and
diff --git a/src/pod-security-policy/host-network-ports/src.cel b/src/pod-security-policy/host-network-ports/src.cel
index 8d0fe507e..a78f54985 100644
--- a/src/pod-security-policy/host-network-ports/src.cel
+++ b/src/pod-security-policy/host-network-ports/src.cel
@@ -17,7 +17,8 @@ variables:
expression: |
(variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
container.image in variables.exemptImageExplicit ||
- variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption)))
+ variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption))
+ ).map(container, container.image)
- name: badContainers
expression: |
(variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
diff --git a/src/pod-security-policy/privileged-containers/constraint.tmpl b/src/pod-security-policy/privileged-containers/constraint.tmpl
index d5c87bb9d..4711137dd 100644
--- a/src/pod-security-policy/privileged-containers/constraint.tmpl
+++ b/src/pod-security-policy/privileged-containers/constraint.tmpl
@@ -4,7 +4,7 @@ metadata:
name: k8spspprivilegedcontainer
annotations:
metadata.gatekeeper.sh/title: "Privileged Container"
- metadata.gatekeeper.sh/version: 1.1.0
+ metadata.gatekeeper.sh/version: 1.1.1
description: >-
Controls the ability of any container to enable privileged mode.
Corresponds to the `privileged` field in a PodSecurityPolicy. For more
diff --git a/src/pod-security-policy/privileged-containers/src.cel b/src/pod-security-policy/privileged-containers/src.cel
index 99c7b4a45..b0c77fbc4 100644
--- a/src/pod-security-policy/privileged-containers/src.cel
+++ b/src/pod-security-policy/privileged-containers/src.cel
@@ -17,13 +17,16 @@ variables:
expression: |
(variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
container.image in variables.exemptImageExplicit ||
- variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption)))
+ variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption))
+ ).map(container, container.image)
- name: badContainers
expression: |
(variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
!(container.image in variables.exemptImages) &&
(has(container.securityContext) && has(container.securityContext.privileged) && container.securityContext.privileged == true)
).map(container, "Privileged container is not allowed: " + container.name +", securityContext: " + container.securityContext)
+- name: isUpdate
+ expression: has(request.operation) && request.operation == "UPDATE"
validations:
-- expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.badContainers) == 0'
- messageExpression: 'variables.badContainers.join("\n")'
\ No newline at end of file
+- expression: variables.isUpdate || size(variables.badContainers) == 0
+ messageExpression: 'variables.badContainers.join("\n")'
diff --git a/website/docs/validation/host-network-ports.md b/website/docs/validation/host-network-ports.md
index 549b37380..8dd053f9b 100644
--- a/website/docs/validation/host-network-ports.md
+++ b/website/docs/validation/host-network-ports.md
@@ -16,7 +16,7 @@ metadata:
name: k8spsphostnetworkingports
annotations:
metadata.gatekeeper.sh/title: "Host Networking Ports"
- metadata.gatekeeper.sh/version: 1.1.3
+ metadata.gatekeeper.sh/version: 1.1.4
description: >-
Controls usage of host network namespace by pod containers. HostNetwork verification happens without exception for exemptImages. Specific
ports must be specified. Corresponds to the `hostNetwork` and
@@ -80,7 +80,8 @@ spec:
expression: |
(variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
container.image in variables.exemptImageExplicit ||
- variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption)))
+ variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption))
+ ).map(container, container.image)
- name: badContainers
expression: |
(variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
@@ -203,6 +204,9 @@ spec:
hostNetwork: true
min: 80
max: 9000
+ exemptImages:
+ - "safeimages.com/*"
+
```
Usage
@@ -320,6 +324,34 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/example_allowed_no_ports.yaml
```
+
+
+port-violation-exempted
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-networking-ports-exempted
+ labels:
+ app: nginx-host-networking-ports
+spec:
+ hostNetwork: true
+ containers:
+ - name: nginx
+ image: safeimages.com/nginx
+ ports:
+ - containerPort: 9001
+ hostPort: 9001
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/example_allowed_out_of_range_exempted.yaml
+```
+
@@ -420,6 +452,8 @@ spec:
hostNetwork: false
min: 80
max: 9000
+ exemptImages:
+ - "safeimages.com/*"
```
@@ -458,6 +492,34 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-network-ports/samples/port_range_block_host_network/example_disallowed_out_of_range_host_network_true.yaml
```
+
+
+exempted-image-still-violates-on-hostnetwork
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-networking-hn-ok-bad-port
+ labels:
+ app: nginx-host-networking-ports
+spec:
+ hostNetwork: true
+ containers:
+ - name: nginx
+ image: safeimages.com/nginx
+ ports:
+ - containerPort: 9001
+ hostPort: 9001
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-network-ports/samples/port_range_block_host_network/example_disallowed_exempted_container_host_network_enabled.yaml
+```
+
in-range-host-network-false
diff --git a/website/docs/validation/privileged-containers.md b/website/docs/validation/privileged-containers.md
index bf0d8717f..8354c1976 100644
--- a/website/docs/validation/privileged-containers.md
+++ b/website/docs/validation/privileged-containers.md
@@ -16,7 +16,7 @@ metadata:
name: k8spspprivilegedcontainer
annotations:
metadata.gatekeeper.sh/title: "Privileged Container"
- metadata.gatekeeper.sh/version: 1.1.0
+ metadata.gatekeeper.sh/version: 1.1.1
description: >-
Controls the ability of any container to enable privileged mode.
Corresponds to the `privileged` field in a PodSecurityPolicy. For more
@@ -70,15 +70,18 @@ spec:
expression: |
(variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
container.image in variables.exemptImageExplicit ||
- variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption)))
+ variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption))
+ ).map(container, container.image)
- name: badContainers
expression: |
(variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
!(container.image in variables.exemptImages) &&
(has(container.securityContext) && has(container.securityContext.privileged) && container.securityContext.privileged == true)
).map(container, "Privileged container is not allowed: " + container.name +", securityContext: " + container.securityContext)
+ - name: isUpdate
+ expression: has(request.operation) && request.operation == "UPDATE"
validations:
- - expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.badContainers) == 0'
+ - expression: variables.isUpdate || size(variables.badContainers) == 0
messageExpression: 'variables.badContainers.join("\n")'
- engine: Rego
source:
@@ -161,6 +164,9 @@ spec:
- apiGroups: [""]
kinds: ["Pod"]
excludedNamespaces: ["kube-system"]
+ parameters:
+ exemptImages:
+ - "safeimages.com/*"
```
@@ -249,6 +255,32 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/disallowed_ephemeral.yaml
```
+
+
+exempted-image
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-privileged-allowed-exempt
+ labels:
+ app: nginx-privileged
+spec:
+ containers:
+ - name: nginx
+ image: safeimages.com/nginx
+ securityContext:
+ privileged: true
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/example_allowed_exempt.yaml
+```
+