diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/artifacthub-pkg.yml new file mode 100644 index 000000000..24366190f --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +version: 1.1.4 +name: k8spsphostnetworkingports +displayName: Host Networking Ports +createdAt: "2024-08-30T22:03:40Z" +description: Controls usage of host network namespace by pod containers. HostNetwork verification happens without exception for exemptImages. Specific ports must be specified. Corresponds to the `hostNetwork` and `hostPorts` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces +digest: 5e295f3ee2762996e89f926faae128ca3ae86166aac8fb9e518433ba1300deec +license: Apache-2.0 +homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-network-ports +keywords: + - gatekeeper + - open-policy-agent + - policies +readme: |- + # Host Networking Ports + Controls usage of host network namespace by pod containers. HostNetwork verification happens without exception for exemptImages. Specific ports must be specified. Corresponds to the `hostNetwork` and `hostPorts` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces +install: |- + ### Usage + ```shell + kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/template.yaml + ``` +provider: + name: Gatekeeper Library diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/kustomization.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/kustomization.yaml new file mode 100644 index 000000000..7d70d11b7 --- /dev/null 
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - template.yaml diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/block_host_network/constraint.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/block_host_network/constraint.yaml new file mode 100644 index 000000000..b5f2e9f44 --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/block_host_network/constraint.yaml @@ -0,0 +1,11 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPHostNetworkingPorts +metadata: + name: psp-host-network +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + hostNetwork: false diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/port_range_block_host_network/constraint.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/port_range_block_host_network/constraint.yaml new file mode 100644 index 000000000..c315f9e23 --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/port_range_block_host_network/constraint.yaml @@ -0,0 +1,15 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPHostNetworkingPorts +metadata: + name: psp-host-network-ports +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + hostNetwork: false + min: 80 + max: 9000 + exemptImages: + - "safeimages.com/*" diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/port_range_block_host_network/example_disallowed_exempted_container_host_network_enabled.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/port_range_block_host_network/example_disallowed_exempted_container_host_network_enabled.yaml new file mode 100644 index 000000000..0056f9b1d --- /dev/null 
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/port_range_block_host_network/example_disallowed_exempted_container_host_network_enabled.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-host-networking-hn-ok-bad-port + labels: + app: nginx-host-networking-ports +spec: + hostNetwork: true + containers: + - name: nginx + image: safeimages.com/nginx + ports: + - containerPort: 9001 + hostPort: 9001 diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/port_range_block_host_network/example_disallowed_out_of_range_host_network_true.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/port_range_block_host_network/example_disallowed_out_of_range_host_network_true.yaml new file mode 100644 index 000000000..9a496cd60 --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/port_range_block_host_network/example_disallowed_out_of_range_host_network_true.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-host-networking-ports-disallowed + labels: + app: nginx-host-networking-ports +spec: + hostNetwork: true + containers: + - name: nginx + image: nginx + ports: + - containerPort: 9001 + hostPort: 9001 diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/constraint.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/constraint.yaml new file mode 100644 index 000000000..b6176404c --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/constraint.yaml @@ -0,0 +1,15 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPHostNetworkingPorts +metadata: + name: psp-host-network-ports +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + hostNetwork: true + min: 80 + max: 9000 + exemptImages: + - "safeimages.com/*" 
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/disallowed_ephemeral.yaml new file mode 100644 index 000000000..7a4fa3114 --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/disallowed_ephemeral.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-host-networking-ports-disallowed + labels: + app: nginx-host-networking-ports +spec: + hostNetwork: true + ephemeralContainers: + - name: nginx + image: nginx + ports: + - containerPort: 9001 + hostPort: 9001 diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_in_range.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_in_range.yaml new file mode 100644 index 000000000..2b4f7c926 --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_in_range.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-host-networking-ports-allowed + labels: + app: nginx-host-networking-ports +spec: + containers: + - name: nginx + image: nginx + ports: + - containerPort: 9000 + hostPort: 80 diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_no_ports.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_no_ports.yaml new file mode 100644 index 000000000..e009decf9 --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_no_ports.yaml 
@@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-host-networking-ports-disallowed + labels: + app: nginx-host-networking-ports +spec: + hostNetwork: true + containers: + - name: nginx + image: nginx diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_no_ports_host_network_false.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_no_ports_host_network_false.yaml new file mode 100644 index 000000000..8c0b0ef57 --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_no_ports_host_network_false.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-host-network-false +spec: + hostNetwork: false + containers: + - name: nginx + image: nginx diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_no_ports_host_network_true.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_no_ports_host_network_true.yaml new file mode 100644 index 000000000..91cd7f4cd --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_no_ports_host_network_true.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-host-network-true +spec: + hostNetwork: true + containers: + - name: nginx + image: nginx diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_out_of_range_exempted.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_out_of_range_exempted.yaml new file mode 100644 index 000000000..e4d013447 --- /dev/null 
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/example_allowed_out_of_range_exempted.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-host-networking-ports-exempted + labels: + app: nginx-host-networking-ports +spec: + hostNetwork: true + containers: + - name: nginx + image: safeimages.com/nginx + ports: + - containerPort: 9001 + hostPort: 9001 diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/update.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/update.yaml new file mode 100644 index 000000000..231096430 --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/samples/psp-host-network-ports/update.yaml @@ -0,0 +1,19 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-host-networking-ports-disallowed + labels: + app: nginx-host-networking-ports + spec: + hostNetwork: true + containers: + - name: nginx + image: nginx + ports: + - containerPort: 9001 + hostPort: 9001 diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/suite.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/suite.yaml new file mode 100644 index 000000000..8879f7fc9 --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/suite.yaml 
@@ -0,0 +1,69 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: host-network-ports +tests: +- name: port-range-with-host-network-allowed + template: template.yaml + constraint: samples/psp-host-network-ports/constraint.yaml + cases: + - name: out-of-range + object: samples/port_range_block_host_network/example_disallowed_out_of_range_host_network_true.yaml + assertions: + - violations: yes + - name: example-allowed + object: samples/psp-host-network-ports/example_allowed_in_range.yaml + assertions: + - violations: no + - name: out-of-range-ephemeral + object: samples/psp-host-network-ports/disallowed_ephemeral.yaml + assertions: + - violations: yes + - name: update + object: samples/psp-host-network-ports/update.yaml + assertions: + - violations: no + - name: no-ports-specified + object: samples/psp-host-network-ports/example_allowed_no_ports.yaml + assertions: + - violations: no + - name: port-violation-exempted + object: samples/psp-host-network-ports/example_allowed_out_of_range_exempted.yaml + assertions: + - violations: no +- name: host-network-forbidden + template: template.yaml + constraint: samples/block_host_network/constraint.yaml + cases: + - name: hostnetwork-true + object: samples/psp-host-network-ports/example_allowed_no_ports_host_network_true.yaml + assertions: + - violations: yes + - name: hostnetwork-false + object: samples/psp-host-network-ports/example_allowed_no_ports_host_network_false.yaml + assertions: + - violations: no +- name: port-range-with-host-network-forbidden + template: template.yaml + constraint: samples/port_range_block_host_network/constraint.yaml + cases: + - name: out-of-range-and-host-network-true + object: samples/port_range_block_host_network/example_disallowed_out_of_range_host_network_true.yaml + assertions: + - violations: yes + - name: exempted-image-still-violates-on-hostnetwork + object: samples/port_range_block_host_network/example_disallowed_exempted_container_host_network_enabled.yaml + 
assertions: + - violations: yes + - name: in-range-host-network-false + object: samples/psp-host-network-ports/example_allowed_in_range.yaml + assertions: + - violations: no + - name: disallowed-ephemeral + object: samples/psp-host-network-ports/disallowed_ephemeral.yaml + assertions: + - violations: yes + - name: update + object: samples/psp-host-network-ports/update.yaml + assertions: + - violations: no diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/template.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/template.yaml new file mode 100644 index 000000000..c310ffcbb --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-network-ports/1.1.4/template.yaml 
@@ -0,0 +1,166 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8spsphostnetworkingports + annotations: + metadata.gatekeeper.sh/title: "Host Networking Ports" + metadata.gatekeeper.sh/version: 1.1.4 + description: >- + Controls usage of host network namespace by pod containers. HostNetwork verification happens without exception for exemptImages. Specific + ports must be specified. Corresponds to the `hostNetwork` and + `hostPorts` fields in a PodSecurityPolicy. For more information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces +spec: + crd: + spec: + names: + kind: K8sPSPHostNetworkingPorts + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + description: >- + Controls usage of host network namespace by pod containers. HostNetwork verification happens without exception for exemptImages. Specific + ports must be specified. Corresponds to the `hostNetwork` and + `hostPorts` fields in a PodSecurityPolicy. For more information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces + properties: + exemptImages: + description: >- + Any container that uses an image that matches an entry in this list will be excluded + from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`. + + It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) + in order to avoid unexpectedly exempting images from an untrusted repository. + type: array + items: + type: string + hostNetwork: + description: "Determines if the policy allows the use of HostNetwork in the pod spec." + type: boolean + min: + description: "The start of the allowed port range, inclusive." + type: integer + max: + description: "The end of the allowed port range, inclusive." 
+ type: integer + targets: + - target: admission.k8s.gatekeeper.sh + code: + - engine: K8sNativeValidation + source: + variables: + - name: containers + expression: 'has(variables.anyObject.spec.containers) ? variables.anyObject.spec.containers : []' + - name: initContainers + expression: 'has(variables.anyObject.spec.initContainers) ? variables.anyObject.spec.initContainers : []' + - name: ephemeralContainers + expression: 'has(variables.anyObject.spec.ephemeralContainers) ? variables.anyObject.spec.ephemeralContainers : []' + - name: exemptImagePrefixes + expression: | + !has(variables.params.exemptImages) ? [] : + variables.params.exemptImages.filter(image, image.endsWith("*")).map(image, string(image).replace("*", "")) + - name: exemptImageExplicit + expression: | + !has(variables.params.exemptImages) ? [] : + variables.params.exemptImages.filter(image, !image.endsWith("*")) + - name: exemptImages + expression: | + (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, + container.image in variables.exemptImageExplicit || + variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption)) + ).map(container, container.image) + - name: badContainers + expression: | + (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, + !(container.image in variables.exemptImages) && has(container.ports) && + ( + (container.ports.all(port, has(port.hostPort) && has(variables.params.min) && port.hostPort < variables.params.min)) || + (container.ports.all(port, has(port.hostPort) && has(variables.params.max) && port.hostPort > variables.params.max)) + ) + ) + - name: isUpdate + expression: has(request.operation) && request.operation == "UPDATE" + - name: hostNetworkAllowed + expression: has(variables.params.hostNetwork) && variables.params.hostNetwork + - name: hostNetworkEnabled + expression: has(variables.anyObject.spec.hostNetwork) && 
variables.anyObject.spec.hostNetwork + - name: hostNetworkViolation + expression: variables.hostNetworkEnabled && !variables.hostNetworkAllowed + validations: + - expression: 'variables.isUpdate || size(variables.badContainers) == 0' + messageExpression: '"The specified hostNetwork and hostPort are not allowed, pod: " + variables.anyObject.metadata.name' + - expression: variables.isUpdate || !variables.hostNetworkViolation + messageExpression: '"The specified hostNetwork and hostPort are not allowed, pod: " + variables.anyObject.metadata.name' + - engine: Rego + source: + rego: | + package k8spsphostnetworkingports + + import data.lib.exclude_update.is_update + import data.lib.exempt_container.is_exempt + + violation[{"msg": msg, "details": {}}] { + # spec.hostNetwork field is immutable. + not is_update(input.review) + + input_share_hostnetwork(input.review.object) + msg := sprintf("The specified hostNetwork and hostPort are not allowed, pod: %v. Allowed values: %v", [input.review.object.metadata.name, input.parameters]) + } + + input_share_hostnetwork(o) { + not input.parameters.hostNetwork + o.spec.hostNetwork + } + + input_share_hostnetwork(_) { + hostPort := input_containers[_].ports[_].hostPort + hostPort < input.parameters.min + } + + input_share_hostnetwork(_) { + hostPort := input_containers[_].ports[_].hostPort + hostPort > input.parameters.max + } + + input_containers[c] { + c := input.review.object.spec.containers[_] + not is_exempt(c) + } + + input_containers[c] { + c := input.review.object.spec.initContainers[_] + not is_exempt(c) + } + + input_containers[c] { + c := input.review.object.spec.ephemeralContainers[_] + not is_exempt(c) + } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } + - | + package lib.exempt_container + + is_exempt(container) { + exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) + img := container.image + exemption := exempt_images[_] + 
_matches_exemption(img, exemption) + } + + _matches_exemption(img, exemption) { + not endswith(exemption, "*") + exemption == img + } + + _matches_exemption(img, exemption) { + endswith(exemption, "*") + prefix := trim_suffix(exemption, "*") + startswith(img, prefix) + } diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/artifacthub-pkg.yml new file mode 100644 index 000000000..5f2dffd89 --- /dev/null +++ b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +version: 1.1.1 +name: k8spspprivilegedcontainer +displayName: Privileged Container +createdAt: "2024-08-30T22:14:08Z" +description: Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged +digest: 5d9b2b840bb1f530d3e66cb44d4ab170e7d4b7895d722a51999134a032b61c6f +license: Apache-2.0 +homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/privileged-containers +keywords: + - gatekeeper + - open-policy-agent + - policies +readme: |- + # Privileged Container + Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged +install: |- + ### Usage + ```shell + kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/template.yaml + ``` +provider: + name: Gatekeeper Library 
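Review bot: The `badContainers` variable on the CEL engine quantifies with `container.ports.all(...)` for both the below-`min` and above-`max` checks, which does not match the Rego rules further down the same hunk (`hostPort := input_containers[_].ports[_].hostPort` followed by `hostPort < input.parameters.min`), where a single out-of-range hostPort is enough to violate. With `all`, a container exposing one in-range and one out-of-range hostPort passes the CEL engine, and if an empty `ports: []` ever reaches the policy, `all` over an empty list is true, so that container would be flagged instead. Using the existential quantifier on both lines restores parity: `(container.ports.exists(port, has(port.hostPort) && has(variables.params.min) && port.hostPort < variables.params.min)) ||` and `(container.ports.exists(port, has(port.hostPort) && has(variables.params.max) && port.hostPort > variables.params.max))`. This file looks like the artifacthub snapshot of library/pod-security-policy/host-network-ports/template.yaml, whose hunk on this page only bumps the version, so the fix presumably belongs in the library copy and would be regenerated from there.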
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/kustomization.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/constraint.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/constraint.yaml
new file mode 100644
index 000000000..bf2fe519d
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/constraint.yaml
@@ -0,0 +1,13 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPPrivilegedContainer
+metadata:
+ name: psp-privileged-container
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ excludedNamespaces: ["kube-system"]
+ parameters:
+ exemptImages:
+ - "safeimages.com/*"
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/disallowed_ephemeral.yaml
new file mode 100644
index 000000000..e8c8b9945
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/disallowed_ephemeral.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-privileged-disallowed
+ labels:
+ app: nginx-privileged
+spec:
+ ephemeralContainers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ privileged: true
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/example_allowed.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/example_allowed.yaml
new file mode 100644
index 000000000..bb65a2c0e
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/example_allowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-privileged-allowed
+ labels:
+ app: nginx-privileged
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ privileged: false
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/example_allowed_exempt.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/example_allowed_exempt.yaml
new file mode 100644
index 000000000..782a6036a
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/example_allowed_exempt.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-privileged-allowed-exempt
+ labels:
+ app: nginx-privileged
+spec:
+ containers:
+ - name: nginx
+ image: safeimages.com/nginx
+ securityContext:
+ privileged: true
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/example_disallowed.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/example_disallowed.yaml
new file mode 100644
index 000000000..936a24f8e
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/example_disallowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-privileged-disallowed
+ labels:
+ app: nginx-privileged
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ privileged: true
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/update.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/update.yaml
new file mode 100644
index 000000000..08f36044c
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/update.yaml
@@ -0,0 +1,17 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-privileged-disallowed
+ labels:
+ app: nginx-privileged
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ privileged: true
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/suite.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/suite.yaml
new file mode 100644
index 000000000..3dd4ff863
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/suite.yaml
@@ -0,0 +1,29 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: privileged-containers
+tests:
+- name: privileged-containers-disallowed
+ template: template.yaml
+ constraint: samples/psp-privileged-container/constraint.yaml
+ cases:
+ - name: example-disallowed
+ object: samples/psp-privileged-container/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-allowed
+ object: samples/psp-privileged-container/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: disallowed-ephemeral
+ object: samples/psp-privileged-container/disallowed_ephemeral.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/psp-privileged-container/update.yaml
+ assertions:
+ - violations: no
+ - name: exempted-image
+ object: samples/psp-privileged-container/example_allowed_exempt.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/template.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/template.yaml
new file mode 100644
index 000000000..c5a09674c
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/template.yaml
@@ -0,0 +1,129 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8spspprivilegedcontainer + annotations: + metadata.gatekeeper.sh/title: "Privileged Container" + metadata.gatekeeper.sh/version: 1.1.1 + description: >- + Controls the ability of any container to enable privileged mode. + Corresponds to the `privileged` field in a PodSecurityPolicy. For more + information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged +spec: + crd: + spec: + names: + kind: K8sPSPPrivilegedContainer + validation: + openAPIV3Schema: + type: object + description: >- + Controls the ability of any container to enable privileged mode. + Corresponds to the `privileged` field in a PodSecurityPolicy. For more + information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged + properties: + exemptImages: + description: >- + Any container that uses an image that matches an entry in this list will be excluded + from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`. + + It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) + in order to avoid unexpectedly exempting images from an untrusted repository. + type: array + items: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + code: + - engine: K8sNativeValidation + source: + variables: + - name: containers + expression: 'has(variables.anyObject.spec.containers) ? variables.anyObject.spec.containers : []' + - name: initContainers + expression: 'has(variables.anyObject.spec.initContainers) ? variables.anyObject.spec.initContainers : []' + - name: ephemeralContainers + expression: 'has(variables.anyObject.spec.ephemeralContainers) ? variables.anyObject.spec.ephemeralContainers : []' + - name: exemptImagePrefixes + expression: | + !has(variables.params.exemptImages) ? 
[] : + variables.params.exemptImages.filter(image, image.endsWith("*")).map(image, string(image).replace("*", "")) + - name: exemptImageExplicit + expression: | + !has(variables.params.exemptImages) ? [] : + variables.params.exemptImages.filter(image, !image.endsWith("*")) + - name: exemptImages + expression: | + (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, + container.image in variables.exemptImageExplicit || + variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption)) + ).map(container, container.image) + - name: badContainers + expression: | + (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, + !(container.image in variables.exemptImages) && + (has(container.securityContext) && has(container.securityContext.privileged) && container.securityContext.privileged == true) + ).map(container, "Privileged container is not allowed: " + container.name +", securityContext: " + container.securityContext) + - name: isUpdate + expression: has(request.operation) && request.operation == "UPDATE" + validations: + - expression: variables.isUpdate || size(variables.badContainers) == 0 + messageExpression: 'variables.badContainers.join("\n")' + - engine: Rego + source: + rego: | + package k8spspprivileged + + import data.lib.exclude_update.is_update + import data.lib.exempt_container.is_exempt + + violation[{"msg": msg, "details": {}}] { + # spec.containers.privileged field is immutable. 
+ not is_update(input.review) + + c := input_containers[_] + not is_exempt(c) + c.securityContext.privileged + msg := sprintf("Privileged container is not allowed: %v, securityContext: %v", [c.name, c.securityContext]) + } + + input_containers[c] { + c := input.review.object.spec.containers[_] + } + + input_containers[c] { + c := input.review.object.spec.initContainers[_] + } + + input_containers[c] { + c := input.review.object.spec.ephemeralContainers[_] + } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } + - | + package lib.exempt_container + + is_exempt(container) { + exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) + img := container.image + exemption := exempt_images[_] + _matches_exemption(img, exemption) + } + + _matches_exemption(img, exemption) { + not endswith(exemption, "*") + exemption == img + } + + _matches_exemption(img, exemption) { + endswith(exemption, "*") + prefix := trim_suffix(exemption, "*") + startswith(img, prefix) + } diff --git a/library/pod-security-policy/host-network-ports/samples/port_range_block_host_network/constraint.yaml b/library/pod-security-policy/host-network-ports/samples/port_range_block_host_network/constraint.yaml index 46e16454c..c315f9e23 100644 --- a/library/pod-security-policy/host-network-ports/samples/port_range_block_host_network/constraint.yaml +++ b/library/pod-security-policy/host-network-ports/samples/port_range_block_host_network/constraint.yaml @@ -11,3 +11,5 @@ spec: hostNetwork: false min: 80 max: 9000 + exemptImages: + - "safeimages.com/*" diff --git a/library/pod-security-policy/host-network-ports/samples/port_range_block_host_network/example_disallowed_exempted_container_host_network_enabled.yaml b/library/pod-security-policy/host-network-ports/samples/port_range_block_host_network/example_disallowed_exempted_container_host_network_enabled.yaml new file mode 100644 index 000000000..0056f9b1d --- /dev/null 
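Review bot: The `badContainers` message on the CEL engine concatenates a map onto a string (`... + ", securityContext: " + container.securityContext`); CEL's `+` has no string-plus-map overload, so I would expect this `messageExpression` to error at evaluation time and the violation to fall back to a generic message, whereas the Rego rule in the same hunk formats the same value through `%v`. Emitting only the scalar that the filter already proved present avoids the failed overload: `).map(container, "Privileged container is not allowed: " + container.name + ", securityContext.privileged: " + string(container.securityContext.privileged))`. The type checker is unlikely to flag the current form because `variables.anyObject` is dyn-typed, so a suite case asserting on the rendered message would be the way to pin it.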
+++ b/library/pod-security-policy/host-network-ports/samples/port_range_block_host_network/example_disallowed_exempted_container_host_network_enabled.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-networking-hn-ok-bad-port
+ labels:
+ app: nginx-host-networking-ports
+spec:
+ hostNetwork: true
+ containers:
+ - name: nginx
+ image: safeimages.com/nginx
+ ports:
+ - containerPort: 9001
+ hostPort: 9001
diff --git a/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/constraint.yaml b/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/constraint.yaml
index aba7c24e7..b6176404c 100644
--- a/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/constraint.yaml
+++ b/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/constraint.yaml
@@ -10,4 +10,6 @@ spec:
 parameters:
 hostNetwork: true
 min: 80
- max: 9000
\ No newline at end of file
+ max: 9000
+ exemptImages:
+ - "safeimages.com/*"
diff --git a/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/example_allowed_out_of_range_exempted.yaml b/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/example_allowed_out_of_range_exempted.yaml
new file mode 100644
index 000000000..e4d013447
--- /dev/null
+++ b/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/example_allowed_out_of_range_exempted.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-networking-ports-exempted
+ labels:
+ app: nginx-host-networking-ports
+spec:
+ hostNetwork: true
+ containers:
+ - name: nginx
+ image: safeimages.com/nginx
+ ports:
+ - containerPort: 9001
+ hostPort: 9001
diff --git a/library/pod-security-policy/host-network-ports/suite.yaml b/library/pod-security-policy/host-network-ports/suite.yaml
index 44bbab1be..8879f7fc9 100644
--- a/library/pod-security-policy/host-network-ports/suite.yaml
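Review bot: The pod name `nginx-host-networking-hn-ok-bad-port` in the new example_disallowed_exempted_container_host_network_enabled.yaml is misleading: the fixture sets `hostNetwork: true` under a constraint that requires `hostNetwork: false`, so host networking itself is the violation, as the suite case `exempted-image-still-violates-on-hostnetwork` says, and the out-of-range port is incidental. Renaming it to something like `nginx-host-networking-exempted-hn-enabled` would keep the fixture self-describing. The sibling example_allowed_out_of_range_exempted.yaml in this same diff line is named consistently with what it tests.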
+++ b/library/pod-security-policy/host-network-ports/suite.yaml @@ -27,6 +27,10 @@ tests: object: samples/psp-host-network-ports/example_allowed_no_ports.yaml assertions: - violations: no + - name: port-violation-exempted + object: samples/psp-host-network-ports/example_allowed_out_of_range_exempted.yaml + assertions: + - violations: no - name: host-network-forbidden template: template.yaml constraint: samples/block_host_network/constraint.yaml @@ -47,6 +51,10 @@ tests: object: samples/port_range_block_host_network/example_disallowed_out_of_range_host_network_true.yaml assertions: - violations: yes + - name: exempted-image-still-violates-on-hostnetwork + object: samples/port_range_block_host_network/example_disallowed_exempted_container_host_network_enabled.yaml + assertions: + - violations: yes - name: in-range-host-network-false object: samples/psp-host-network-ports/example_allowed_in_range.yaml assertions: @@ -59,4 +67,3 @@ tests: object: samples/psp-host-network-ports/update.yaml assertions: - violations: no - diff --git a/library/pod-security-policy/host-network-ports/template.yaml b/library/pod-security-policy/host-network-ports/template.yaml index 036a3e045..c310ffcbb 100644 --- a/library/pod-security-policy/host-network-ports/template.yaml +++ b/library/pod-security-policy/host-network-ports/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spsphostnetworkingports annotations: metadata.gatekeeper.sh/title: "Host Networking Ports" - metadata.gatekeeper.sh/version: 1.1.3 + metadata.gatekeeper.sh/version: 1.1.4 description: >- Controls usage of host network namespace by pod containers. HostNetwork verification happens without exception for exemptImages. Specific ports must be specified. Corresponds to the `hostNetwork` and 
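Review bot: Both new suite cases use a pod with a single exempt container, so nothing checks that the exemption is applied per container rather than per pod; the privileged-containers suite further down the page has the same gap. A fixture with one `safeimages.com/*` container and one non-exempt container, both using an out-of-range hostPort (or `privileged: true` for the privileged suite), asserting `violations: yes`, would pin the intended scope now that the CEL exemption actually takes effect. A YAML comment on each new case stating what it proves, e.g. `# exemption covers only the port range; hostNetwork is still evaluated`, would also help readers of the suite.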
@@ -68,7 +68,8 @@ spec: expression: | (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, container.image in variables.exemptImageExplicit || - variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption))) + variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption)) + ).map(container, container.image) - name: badContainers expression: | (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, diff --git a/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/constraint.yaml b/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/constraint.yaml index b246b244a..bf2fe519d 100644 --- a/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/constraint.yaml +++ b/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/constraint.yaml @@ -8,3 +8,6 @@ spec: - apiGroups: [""] kinds: ["Pod"] excludedNamespaces: ["kube-system"] + parameters: + exemptImages: + - "safeimages.com/*" diff --git a/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/example_allowed_exempt.yaml b/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/example_allowed_exempt.yaml new file mode 100644 index 000000000..782a6036a --- /dev/null +++ b/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/example_allowed_exempt.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-privileged-allowed-exempt + labels: + app: nginx-privileged +spec: + containers: + - name: nginx + image: safeimages.com/nginx + securityContext: + privileged: true diff --git a/library/pod-security-policy/privileged-containers/suite.yaml b/library/pod-security-policy/privileged-containers/suite.yaml index c2e484fc5..3dd4ff863 100644 
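Review bot: The new `.map(container, container.image)` turns `variables.exemptImages` into a list of image strings, which is what `container.image in variables.exemptImages` in the badContainers expression below needs, but the variable name no longer signals that shape; a YAML comment above `- name: exemptImages` such as `# list of image strings (not container objects) so badContainers can test membership` would help the next reader. The identical change is repeated in the privileged-containers template, both src.cel files and the website docs on this page. One related inconsistency sits outside this hunk but is visible in the artifacthub copy of the template at the top of the page: the CEL `exemptImagePrefixes` variable strips every `*` with `replace("*", "")` while the Rego library uses `trim_suffix(exemption, "*")`, so an exemption containing an interior `*` is presumably interpreted differently by the two engines — worth confirming and aligning.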
--- a/library/pod-security-policy/privileged-containers/suite.yaml +++ b/library/pod-security-policy/privileged-containers/suite.yaml @@ -23,3 +23,7 @@ tests: object: samples/psp-privileged-container/update.yaml assertions: - violations: no + - name: exempted-image + object: samples/psp-privileged-container/example_allowed_exempt.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/privileged-containers/template.yaml b/library/pod-security-policy/privileged-containers/template.yaml index bd8452e67..c5a09674c 100644 --- a/library/pod-security-policy/privileged-containers/template.yaml +++ b/library/pod-security-policy/privileged-containers/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spspprivilegedcontainer annotations: metadata.gatekeeper.sh/title: "Privileged Container" - metadata.gatekeeper.sh/version: 1.1.0 + metadata.gatekeeper.sh/version: 1.1.1 description: >- Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more 
@@ -58,15 +58,18 @@ spec: expression: | (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, container.image in variables.exemptImageExplicit || - variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption))) + variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption)) + ).map(container, container.image) - name: badContainers expression: | (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, !(container.image in variables.exemptImages) && (has(container.securityContext) && has(container.securityContext.privileged) && container.securityContext.privileged == true) ).map(container, "Privileged container is not allowed: " + container.name +", securityContext: " + container.securityContext) + - name: isUpdate + expression: has(request.operation) && request.operation == "UPDATE" validations: - - expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.badContainers) == 0' + - expression: variables.isUpdate || size(variables.badContainers) == 0 messageExpression: 'variables.badContainers.join("\n")' - engine: Rego source: diff --git a/src/pod-security-policy/host-network-ports/constraint.tmpl b/src/pod-security-policy/host-network-ports/constraint.tmpl index d5f714682..51637ed2b 100644 --- a/src/pod-security-policy/host-network-ports/constraint.tmpl +++ b/src/pod-security-policy/host-network-ports/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8spsphostnetworkingports annotations: metadata.gatekeeper.sh/title: "Host Networking Ports" - metadata.gatekeeper.sh/version: 1.1.3 + metadata.gatekeeper.sh/version: 1.1.4 description: >- Controls usage of host network namespace by pod containers. HostNetwork verification happens without exception for exemptImages. Specific ports must be specified. Corresponds to the `hostNetwork` and 
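Review bot: The new `isUpdate` variable skips the privileged check for every UPDATE, but unlike the Rego source, which records `# spec.containers.privileged field is immutable.`, the CEL side does not say why; a YAML comment above `- name: isUpdate` such as `# container privileged settings are immutable after pod creation, so only CREATE is evaluated` would preserve the rationale. Because the filtered list also includes `variables.ephemeralContainers`, which are presumably added to an already-running pod, it would be worth confirming with a suite case whether a request adding a privileged ephemeral container reaches this template with `request.operation == "UPDATE"` and is therefore skipped. The same refactor appears in src/pod-security-policy/privileged-containers/src.cel further down the page.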
diff --git a/src/pod-security-policy/host-network-ports/src.cel b/src/pod-security-policy/host-network-ports/src.cel index 8d0fe507e..a78f54985 100644 --- a/src/pod-security-policy/host-network-ports/src.cel +++ b/src/pod-security-policy/host-network-ports/src.cel @@ -17,7 +17,8 @@ variables: expression: | (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, container.image in variables.exemptImageExplicit || - variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption))) + variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption)) + ).map(container, container.image) - name: badContainers expression: | (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, diff --git a/src/pod-security-policy/privileged-containers/constraint.tmpl b/src/pod-security-policy/privileged-containers/constraint.tmpl index d5c87bb9d..4711137dd 100644 --- a/src/pod-security-policy/privileged-containers/constraint.tmpl +++ b/src/pod-security-policy/privileged-containers/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8spspprivilegedcontainer annotations: metadata.gatekeeper.sh/title: "Privileged Container" - metadata.gatekeeper.sh/version: 1.1.0 + metadata.gatekeeper.sh/version: 1.1.1 description: >- Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more diff --git a/src/pod-security-policy/privileged-containers/src.cel b/src/pod-security-policy/privileged-containers/src.cel index 99c7b4a45..b0c77fbc4 100644 --- a/src/pod-security-policy/privileged-containers/src.cel +++ b/src/pod-security-policy/privileged-containers/src.cel 
@@ -17,13 +17,16 @@ variables: expression: | (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, container.image in variables.exemptImageExplicit || - variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption))) + variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption)) + ).map(container, container.image) - name: badContainers expression: | (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, !(container.image in variables.exemptImages) && (has(container.securityContext) && has(container.securityContext.privileged) && container.securityContext.privileged == true) ).map(container, "Privileged container is not allowed: " + container.name +", securityContext: " + container.securityContext) +- name: isUpdate + expression: has(request.operation) && request.operation == "UPDATE" validations: -- expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.badContainers) == 0' - messageExpression: 'variables.badContainers.join("\n")' \ No newline at end of file +- expression: variables.isUpdate || size(variables.badContainers) == 0 + messageExpression: 'variables.badContainers.join("\n")' diff --git a/website/docs/validation/host-network-ports.md b/website/docs/validation/host-network-ports.md index 549b37380..8dd053f9b 100644 --- a/website/docs/validation/host-network-ports.md +++ b/website/docs/validation/host-network-ports.md @@ -16,7 +16,7 @@ metadata: name: k8spsphostnetworkingports annotations: metadata.gatekeeper.sh/title: "Host Networking Ports" - metadata.gatekeeper.sh/version: 1.1.3 + metadata.gatekeeper.sh/version: 1.1.4 description: >- Controls usage of host network namespace by pod containers. HostNetwork verification happens without exception for exemptImages. Specific ports must be specified. Corresponds to the `hostNetwork` and 
@@ -80,7 +80,8 @@ spec: expression: | (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, container.image in variables.exemptImageExplicit || - variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption))) + variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption)) + ).map(container, container.image) - name: badContainers expression: | (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, @@ -203,6 +204,9 @@ spec: hostNetwork: true min: 80 max: 9000 + exemptImages: + - "safeimages.com/*" + ``` Usage @@ -320,6 +324,34 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/example_allowed_no_ports.yaml ``` + +
+port-violation-exempted + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: nginx-host-networking-ports-exempted + labels: + app: nginx-host-networking-ports +spec: + hostNetwork: true + containers: + - name: nginx + image: safeimages.com/nginx + ports: + - containerPort: 9001 + hostPort: 9001 + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/example_allowed_out_of_range_exempted.yaml +``` +
@@ -420,6 +452,8 @@ spec: hostNetwork: false min: 80 max: 9000 + exemptImages: + - "safeimages.com/*" ``` @@ -458,6 +492,34 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-network-ports/samples/port_range_block_host_network/example_disallowed_out_of_range_host_network_true.yaml ``` + +
+exempted-image-still-violates-on-hostnetwork + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: nginx-host-networking-hn-ok-bad-port + labels: + app: nginx-host-networking-ports +spec: + hostNetwork: true + containers: + - name: nginx + image: safeimages.com/nginx + ports: + - containerPort: 9001 + hostPort: 9001 + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-network-ports/samples/port_range_block_host_network/example_disallowed_exempted_container_host_network_enabled.yaml +``` +
in-range-host-network-false diff --git a/website/docs/validation/privileged-containers.md b/website/docs/validation/privileged-containers.md index bf0d8717f..8354c1976 100644 --- a/website/docs/validation/privileged-containers.md +++ b/website/docs/validation/privileged-containers.md @@ -16,7 +16,7 @@ metadata: name: k8spspprivilegedcontainer annotations: metadata.gatekeeper.sh/title: "Privileged Container" - metadata.gatekeeper.sh/version: 1.1.0 + metadata.gatekeeper.sh/version: 1.1.1 description: >- Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more @@ -70,15 +70,18 @@ spec: expression: | (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, container.image in variables.exemptImageExplicit || - variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption))) + variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption)) + ).map(container, container.image) - name: badContainers expression: | (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, !(container.image in variables.exemptImages) && (has(container.securityContext) && has(container.securityContext.privileged) && container.securityContext.privileged == true) ).map(container, "Privileged container is not allowed: " + container.name +", securityContext: " + container.securityContext) + - name: isUpdate + expression: has(request.operation) && request.operation == "UPDATE" validations: - - expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.badContainers) == 0' + - expression: variables.isUpdate || size(variables.badContainers) == 0 messageExpression: 'variables.badContainers.join("\n")' - engine: Rego source: 
@@ -161,6 +164,9 @@ spec: - apiGroups: [""] kinds: ["Pod"] excludedNamespaces: ["kube-system"] + parameters: + exemptImages: + - "safeimages.com/*" ``` @@ -249,6 +255,32 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/disallowed_ephemeral.yaml ``` +
+
+exempted-image + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: nginx-privileged-allowed-exempt + labels: + app: nginx-privileged +spec: + containers: + - name: nginx + image: safeimages.com/nginx + securityContext: + privileged: true + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/example_allowed_exempt.yaml +``` +