Skip to content

Commit

Permalink
formatting CEL code for better readability
Browse files Browse the repository at this point in the history 
Signed-off-by: Jaydip Gabani <[email protected]>
  • Loading branch information
@JaydipGabani
JaydipGabani committed Oct 1, 2024
1 parent d86f00d commit 7d0f8dc
Show file tree
Hide file tree
Showing 6 changed files with 365 additions and 49 deletions.
2 changes: 1 addition & 1 deletion artifacthub/library/pod-security-policy/users/1.1.0/artifacthub-pkg.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ name: k8spspallowedusers
displayName: Allowed Users
createdAt: "2024-05-30T00:06:50Z"
description: Controls the user and group IDs of the container and some volumes. Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and `fsGroup` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
digest: 89647a76a0f751668fd9ef9630c8a2ddf6fda516eadd14067a3fd98988e13210
digest: b2ee8625cdff505db43a6c1cd1148bebac7f0281d150ddb6b1e589f7c1d621e6
license: Apache-2.0
homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/users
keywords:
Expand Down
103 changes: 91 additions & 12 deletions artifacthub/library/pod-security-policy/users/1.1.0/template.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -157,40 +157,120 @@ spec:
variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption)))
- name: podRunAsUser
expression: |
variables.anyObject.kind == "Pod" && has(variables.anyObject.spec.securityContext) && has(variables.anyObject.spec.securityContext.runAsUser) ? variables.anyObject.spec.securityContext.runAsUser : null
has(variables.anyObject.spec.securityContext) && has(variables.anyObject.spec.securityContext.runAsUser) ? variables.anyObject.spec.securityContext.runAsUser : null
- name: podSupplementalGroups
expression: |
variables.anyObject.kind == "Pod" && has(variables.anyObject.spec.securityContext) && has(variables.anyObject.spec.securityContext.supplementalGroups) ? variables.anyObject.spec.securityContext.supplementalGroups : null
has(variables.anyObject.spec.securityContext) && has(variables.anyObject.spec.securityContext.supplementalGroups) ? variables.anyObject.spec.securityContext.supplementalGroups : null
- name: podRunAsGroup
expression: |
variables.anyObject.kind == "Pod" && has(variables.anyObject.spec.securityContext) && has(variables.anyObject.spec.securityContext.runAsGroup) ? variables.anyObject.spec.securityContext.runAsGroup : null
has(variables.anyObject.spec.securityContext) && has(variables.anyObject.spec.securityContext.runAsGroup) ? variables.anyObject.spec.securityContext.runAsGroup : null
- name: podFsGroup
expression: |
variables.anyObject.kind == "Pod" && has(variables.anyObject.spec.securityContext) && has(variables.anyObject.spec.securityContext.fsGroup) ? variables.anyObject.spec.securityContext.fsGroup : null
has(variables.anyObject.spec.securityContext) && has(variables.anyObject.spec.securityContext.fsGroup) ? variables.anyObject.spec.securityContext.fsGroup : null
- name: nonExemptContainers
expression: |
(variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, !(container.image in variables.exemptImages))
- name: missingRunAsNonRootGlobal
expression: |
!has(variables.anyObject.securityContext) || ((!has(variables.anyObject.securityContext.runAsNonRoot) || !variables.anyObject.securityContext.runAsNonRoot) && (!has(variables.anyObject.securityContext.runAsUser) || variables.anyObject.securityContext.runAsUser == 0))
!has(variables.anyObject.securityContext) || ((!has(variables.anyObject.securityContext.runAsNonRoot) ||
!variables.anyObject.securityContext.runAsNonRoot) && (!has(variables.anyObject.securityContext.runAsUser) ||
variables.anyObject.securityContext.runAsUser == 0))
- name: violatingMustOrMayRunAsUser
expression: |
has(variables.params.runAsUser) && has(variables.params.runAsUser.rule) && variables.params.runAsUser.rule == "MustRunAs" ? variables.nonExemptContainers.filter(container, (!has(container.securityContext) || !has(container.securityContext.runAsUser)) && variables.podRunAsUser == null).map(container, "Container " + container.name + " is attempting to run without a required securityContext/runAsUser") + variables.nonExemptContainers.filter(container, (has(container.securityContext) && has(container.securityContext.runAsUser) ? !variables.params.runAsUser.ranges.exists(range, container.securityContext.runAsUser >= range.min && container.securityContext.runAsUser <= range.max) : variables.podRunAsUser != null && !variables.params.runAsUser.ranges.exists(range, variables.podRunAsUser >= range.min && variables.podRunAsUser <= range.max))).map(container, "Container " + container.name + " is attempting to run as disallowed user. Allowed runAsUser: {ranges: [" + variables.params.runAsUser.ranges.map(range, "{max: " + string(range.max) + ", min: " + string(range.min) + "}").join(", ") + ", rule: " + variables.params.runAsUser.rule + "}") : []
has(variables.params.runAsUser) && has(variables.params.runAsUser.rule) && variables.params.runAsUser.rule == "MustRunAs" ?
variables.nonExemptContainers.filter(container,
(!has(container.securityContext) || !has(container.securityContext.runAsUser)) && variables.podRunAsUser == null
).map(container, "Container " + container.name + " is attempting to run without a required securityContext/runAsUser") +
variables.nonExemptContainers.filter(container,
(has(container.securityContext) && has(container.securityContext.runAsUser) ?
!variables.params.runAsUser.ranges.exists(range,
container.securityContext.runAsUser >= range.min && container.securityContext.runAsUser <= range.max) :
variables.podRunAsUser != null && !variables.params.runAsUser.ranges.exists(range,
variables.podRunAsUser >= range.min && variables.podRunAsUser <= range.max)
)
).map(container,
"Container " + container.name + " is attempting to run as disallowed user. Allowed runAsUser: {ranges: [" +
variables.params.runAsUser.ranges.map(range, "{max: " + string(range.max) + ", min: " + string(range.min) + "}").join(", ") +
", rule: " + variables.params.runAsUser.rule + "}"
) :
[]
- name: violatingMustOrMayRunAsGroup
expression: |
has(variables.params.runAsGroup) && has(variables.params.runAsGroup.rule) && (variables.params.runAsGroup.rule == "MustRunAs" || variables.params.runAsGroup.rule == "MayRunAs") ? variables.nonExemptContainers.filter(container, (!has(container.securityContext) || !has(container.securityContext.runAsGroup)) && variables.podRunAsGroup == null).map(container, "Container " + container.name + " is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {ranges: [" + variables.params.runAsGroup.ranges.map(range, "{max: " + string(range.max) + ", min: " + string(range.min) + "}").join(", ") + ", rule: " + variables.params.runAsGroup.rule + "}") + variables.nonExemptContainers.filter(container, (has(container.securityContext) && has(container.securityContext.runAsGroup)) ? !variables.params.runAsGroup.ranges.exists(range, container.securityContext.runAsGroup >= range.min && container.securityContext.runAsGroup <= range.max) : variables.podRunAsGroup != null && !variables.params.runAsGroup.ranges.exists(range, variables.podRunAsGroup >= range.min && variables.podRunAsGroup <= range.max)).map(container, "Container " + container.name + " is attempting to run as disallowed group. Allowed runAsGroup: {ranges: [" + variables.params.runAsGroup.ranges.map(range, "{max: " + string(range.max) + ", min: " + string(range.min) + "}").join(", ") + ", rule: " + variables.params.runAsGroup.rule + "}") : []
has(variables.params.runAsGroup) && has(variables.params.runAsGroup.rule) && (variables.params.runAsGroup.rule == "MustRunAs" || variables.params.runAsGroup.rule == "MayRunAs") ?
variables.nonExemptContainers.filter(container,
(!has(container.securityContext) || !has(container.securityContext.runAsGroup)) && variables.podRunAsGroup == null
).map(container,
"Container " + container.name + " is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {ranges: [" +
variables.params.runAsGroup.ranges.map(range, "{max: " + string(range.max) + ", min: " + string(range.min) + "}").join(", ") + ", rule: " +
variables.params.runAsGroup.rule + "}"
) +
variables.nonExemptContainers.filter(container,
(has(container.securityContext) && has(container.securityContext.runAsGroup)) ?
!variables.params.runAsGroup.ranges.exists(range,
container.securityContext.runAsGroup >= range.min && container.securityContext.runAsGroup <= range.max) :
variables.podRunAsGroup != null && !variables.params.runAsGroup.ranges.exists(range,
variables.podRunAsGroup >= range.min && variables.podRunAsGroup <= range.max)
).map(container,
"Container " + container.name + " is attempting to run as disallowed group. Allowed runAsGroup: {ranges: [" +
variables.params.runAsGroup.ranges.map(range, "{max: " + string(range.max) + ", min: " + string(range.min) + "}").join(", ") +
", rule: " + variables.params.runAsGroup.rule + "}"
) :
[]
- name: violatingMustOrMayRunAsFsGroup
expression: |
has(variables.params.fsGroup) && has(variables.params.fsGroup.rule) && (variables.params.fsGroup.rule == "MustRunAs" || variables.params.fsGroup.rule == "MayRunAs" )? variables.nonExemptContainers.filter(container, (!has(container.securityContext) || !has(container.securityContext.fsGroup)) && variables.podFsGroup == null).map(container, "Container " + container.name + " is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {ranges: [" + variables.params.fsGroup.ranges.map(range, "{max: " + string(range.max) + ", min: " + string(range.min) + "}").join(", ") + ", rule: " + variables.params.fsGroup.rule + "}") + variables.nonExemptContainers.filter(container, (has(container.securityContext) && has(container.securityContext.fsGroup)) ? !variables.params.fsGroup.ranges.exists(range, container.securityContext.fsGroup >= range.min && container.securityContext.fsGroup <= range.max) : variables.podFsGroup != null && !variables.params.fsGroup.ranges.exists(range, variables.podFsGroup >= range.min && variables.podFsGroup <= range.max)).map(container, "Container " + container.name + " is attempting to run as disallowed fsGroup. Allowed fsGroup: {ranges: [" + variables.params.fsGroup.ranges.map(range, "{max: " + string(range.max) + ", min: " + string(range.min) + "}").join(", ") + ", rule: " + variables.params.fsGroup.rule + "}") : []
has(variables.params.fsGroup) && has(variables.params.fsGroup.rule) && (variables.params.fsGroup.rule == "MustRunAs" || variables.params.fsGroup.rule == "MayRunAs" ) ?
variables.nonExemptContainers.filter(container,
(!has(container.securityContext) || !has(container.securityContext.fsGroup)) && variables.podFsGroup == null
).map(container,
"Container " + container.name + " is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {ranges: [" +
variables.params.fsGroup.ranges.map(range, "{max: " + string(range.max) + ", min: " + string(range.min) + "}").join(", ") +
", rule: " + variables.params.fsGroup.rule + "}"
) +
variables.nonExemptContainers.filter(container, (has(container.securityContext) && has(container.securityContext.fsGroup)) ?
!variables.params.fsGroup.ranges.exists(range,
container.securityContext.fsGroup >= range.min && container.securityContext.fsGroup <= range.max) :
variables.podFsGroup != null && !variables.params.fsGroup.ranges.exists(range,
variables.podFsGroup >= range.min && variables.podFsGroup <= range.max)
).map(container, "Container " + container.name + " is attempting to run as disallowed fsGroup. Allowed fsGroup: {ranges: [" +
variables.params.fsGroup.ranges.map(range, "{max: " + string(range.max) + ", min: " + string(range.min) + "}").join(", ") +
", rule: " + variables.params.fsGroup.rule + "}")
: []
- name: violatingMustOrMayRunAsSupplementalGroups
expression: |
has(variables.params.supplementalGroups) && has(variables.params.supplementalGroups.rule) && (variables.params.supplementalGroups.rule == "MustRunAs" || variables.params.supplementalGroups.rule == "MayRunAs") ? variables.nonExemptContainers.filter(container, (!has(container.securityContext) || !has(container.securityContext.supplementalGroups)) && variables.podSupplementalGroups == null).map(container, "Container " + container.name + " is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {ranges: [" + variables.params.supplementalGroups.ranges.map(range, "{max: " + string(range.max) + ", min: " + string(range.min) + "}").join(", ") + ", rule: " + variables.params.supplementalGroups.rule + "}") + variables.nonExemptContainers.filter(container, (has(container.securityContext) && has(container.securityContext.supplementalGroups)) ? !variables.params.supplementalGroups.ranges.exists(range, container.securityContext.supplementalGroups.all(gp, gp >= range.min && gp <= range.max)) : variables.podSupplementalGroups != null && !variables.params.supplementalGroups.ranges.exists(range, variables.podSupplementalGroups.all(gp, gp >= range.min && gp <= range.max))).map(container, "Container " + container.name + " is attempting to run with disallowed supplementalGroups. Allowed supplementalGroups: {ranges: [" + variables.params.supplementalGroups.ranges.map(range, "{max: " + string(range.max) + ", min: " + string(range.min) + "}").join(", ") + ", rule: " + variables.params.supplementalGroups.rule + "}") : []
has(variables.params.supplementalGroups) && has(variables.params.supplementalGroups.rule) && (variables.params.supplementalGroups.rule == "MustRunAs" || variables.params.supplementalGroups.rule == "MayRunAs") ?
variables.nonExemptContainers.filter(container,
(!has(container.securityContext) || !has(container.securityContext.supplementalGroups)) && variables.podSupplementalGroups == null
).map(container,
"Container " + container.name + " is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {ranges: [" +
variables.params.supplementalGroups.ranges.map(range, "{max: " + string(range.max) + ", min: " + string(range.min) + "}").join(", ") +
", rule: " + variables.params.supplementalGroups.rule + "}"
) +
variables.nonExemptContainers.filter(container,
(has(container.securityContext) && has(container.securityContext.supplementalGroups)) ?
!variables.params.supplementalGroups.ranges.exists(range,
container.securityContext.supplementalGroups.all(gp, gp >= range.min && gp <= range.max)) :
variables.podSupplementalGroups != null && !variables.params.supplementalGroups.ranges.exists(range,
variables.podSupplementalGroups.all(gp, gp >= range.min && gp <= range.max))
).map(container,
"Container " + container.name + " is attempting to run with disallowed supplementalGroups. Allowed supplementalGroups: {ranges: [" +
variables.params.supplementalGroups.ranges.map(range, "{max: " + string(range.max) + ", min: " + string(range.min) + "}").join(", ") +
", rule: " + variables.params.supplementalGroups.rule + "}")
: []
- name: violatingMustRunAsNonRoot
expression: |
variables.nonExemptContainers.filter(container, (has(variables.params.runAsUser) && has(variables.params.runAsUser.rule) && variables.params.runAsUser.rule == "MustRunAsNonRoot") && (!has(container.securityContext) || (!has(container.securityContext.runAsNonRoot) || !container.securityContext.runAsNonRoot) && (!has(container.securityContext.runAsUser) || container.securityContext.runAsUser == 0)) && variables.missingRunAsNonRootGlobal).map(container, "Container " + container.name + " is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0")
variables.nonExemptContainers.filter(container,
(has(variables.params.runAsUser) && has(variables.params.runAsUser.rule) && variables.params.runAsUser.rule == "MustRunAsNonRoot") &&
(!has(container.securityContext) || (!has(container.securityContext.runAsNonRoot) || !container.securityContext.runAsNonRoot) &&
(!has(container.securityContext.runAsUser) || container.securityContext.runAsUser == 0)) && variables.missingRunAsNonRootGlobal
).map(container,
"Container " + container.name + " is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0")
- name: violations
expression: |
variables.violatingMustRunAsNonRoot + variables.violatingMustOrMayRunAsUser + variables.violatingMustOrMayRunAsGroup + variables.violatingMustOrMayRunAsFsGroup + variables.violatingMustOrMayRunAsSupplementalGroups
variables.violatingMustRunAsNonRoot +
variables.violatingMustOrMayRunAsUser +
variables.violatingMustOrMayRunAsGroup +
variables.violatingMustOrMayRunAsFsGroup +
variables.violatingMustOrMayRunAsSupplementalGroups
validations:
- expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.violations) == 0'
messageExpression: 'variables.violations.join(", ")'
Expand Down Expand Up @@ -292,7 +372,6 @@ spec:
# If no container level exists, use pod level
get_field_value(field, container, review) = out {
not has_seccontext_field(field, container)
review.kind.kind == "Pod"
pod_value := get_seccontext_field(field, review.object.spec)
out := pod_value
}
Expand Down
Loading

0 comments on commit 7d0f8dc

Please sign in to comment.