Add cel to forbidden-sysctls

Signed-off-by: Rita Zhang <[email protected]>

artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/README.md

@@ -0,0 +1,36 @@
+# Forbidden Sysctls security context policy
+
+The forbidden sysctls constraint allows one to limit the set of kernel parameters that can be modified by pods. This is accomplished by specifying a combination of allowed and forbidden sysctls using either of two parameters: `allowedSysctls` and `forbiddenSysctls`.
+
+## Parameters
+
+`allowedSysctls`: A list of explicitly allowed sysctls. Any sysctl not in this list will be considered forbidden. '*' and trailing wildcards are supported. If unspecified, no limitations are made by this parameter.
+
+`forbiddenSysctls`: A list of explicitly denied sysctls. Any sysctl in this list will be considered forbidden. '*' and trailing wildcards are supported. If unspecified, no limitations are made by this parameter.
+
+## Examples
+
+```yaml
+parameters:
+  allowedSysctls: ['*']
+  forbiddenSysctls:
+    - kernel.msg*
+    - net.core.somaxconn
+```
+
+```yaml
+parameters:
+  allowedSysctls:
+    - kernel.shm_rmid_forced
+    - net.ipv4.ip_local_port_range
+    - net.ipv4.tcp_syncookies
+    - net.ipv4.ping_group_range
+  forbiddenSysctls: []
+```
+
+*Note*: `forbiddenSysctls` takes precedence, such that an explicitly forbidden sysctl is still forbidden even if it appears in `allowedSysctls` as well. However in practice, such overlap between the rules should be avoided.
+
+## References
+
+* [Using sysctls in a Kubernetes Cluster](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/)
+* [Kubernetes API Reference - Sysctl](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#sysctl-v1-core)

artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/artifacthub-pkg.yml

@@ -0,0 +1,22 @@
+version: 1.2.0
+name: k8spspforbiddensysctls
+displayName: Forbidden Sysctls
+createdAt: "2024-05-10T05:44:00Z"
+description: Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
+digest: 53ce322a6055a6badb700f675cbb262a2f9e37390655460ee8a3370c39a99a80
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/forbidden-sysctls
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # Forbidden Sysctls
+    Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library

artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - template.yaml

artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint.yaml

@@ -0,0 +1,15 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPForbiddenSysctls
+metadata:
+  name: psp-forbidden-sysctls
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    forbiddenSysctls:
+    # - "*" # * may be used to forbid all sysctls
+    - kernel.*
+    allowedSysctls:
+    - "*" # allows all sysctls. allowedSysctls is optional.

artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/example_allowed.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-forbidden-sysctls-disallowed
+  labels:
+    app: nginx-forbidden-sysctls
+spec:
+  containers:
+    - name: nginx
+      image: nginx
+  securityContext:
+    sysctls:
+      - name: net.core.somaxconn
+        value: "1024"

artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/example_disallowed.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-forbidden-sysctls-disallowed
+  labels:
+    app: nginx-forbidden-sysctls
+spec:
+  containers:
+    - name: nginx
+      image: nginx
+  securityContext:
+    sysctls:
+      - name: kernel.msgmax
+        value: "65536"
+      - name: net.core.somaxconn
+        value: "1024"

artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/update.yaml

@@ -0,0 +1,21 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+  operation: "UPDATE"
+  object:
+    apiVersion: v1
+    kind: Pod
+    metadata:
+      name: nginx-forbidden-sysctls-disallowed
+      labels:
+        app: nginx-forbidden-sysctls
+    spec:
+      containers:
+        - name: nginx
+          image: nginx
+      securityContext:
+        sysctls:
+          - name: kernel.msgmax
+            value: "65536"
+          - name: net.core.somaxconn
+            value: "1024"

artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/suite.yaml

@@ -0,0 +1,21 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: forbidden-sysctls
+tests:
+  - name: forbidden-sysctls
+    template: template.yaml
+    constraint: samples/psp-forbidden-sysctls/constraint.yaml
+    cases:
+      - name: example-disallowed
+        object: samples/psp-forbidden-sysctls/example_disallowed.yaml
+        assertions:
+          - violations: yes
+      - name: example-allowed
+        object: samples/psp-forbidden-sysctls/example_allowed.yaml
+        assertions:
+          - violations: no
+      - name: update
+        object: samples/psp-forbidden-sysctls/update.yaml
+        assertions:
+          - violations: no

artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/template.yaml

@@ -0,0 +1,121 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8spspforbiddensysctls
+  annotations:
+    metadata.gatekeeper.sh/title: "Forbidden Sysctls"
+    metadata.gatekeeper.sh/version: 1.2.0
+    description: >-
+      Controls the `sysctl` profile used by containers. Corresponds to the
+      `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy.
+      When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden.
+      The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter.
+      For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sPSPForbiddenSysctls
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          type: object
+          description: >-
+            Controls the `sysctl` profile used by containers. Corresponds to the
+            `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy.
+            When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden.
+            The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter.
+            For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
+          properties:
+            allowedSysctls:
+              type: array
+              description: "An allow-list of sysctls. `*` allows all sysctls not listed in the `forbiddenSysctls` parameter."
+              items:
+                type: string
+            forbiddenSysctls:
+              type: array
+              description: "A disallow-list of sysctls. `*` forbids all sysctls."
+              items:
+                type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      code:
+      - engine: K8sNativeValidation
+        source:
+          variables:
+          - name: sysctls
+            expression: '!has(object.spec.securityContext) ? [] : !has(object.spec.securityContext.sysctls) ? [] : object.spec.securityContext.sysctls'
+          - name: forbiddenSysctls
+            expression: |
+              !has(variables.params.forbiddenSysctls) ? [] :
+              variables.sysctls.filter(sysctl,
+                  variables.params.forbiddenSysctls.exists(forbiddenSysctl, sysctl.name == forbiddenSysctl || (forbiddenSysctl.endsWith("*") && string(sysctl.name).matches("^" + string(forbiddenSysctl).replace("*", ".*") + "$"))))
+          - name: allowedSysctls
+            expression: |
+              !has(variables.params.allowedSysctls) ? [] :
+              variables.sysctls.filter(sysctl,
+                  variables.params.allowedSysctls.exists(allowedSysctl, sysctl.name == allowedSysctl || (allowedSysctl == "*") || (string(sysctl.name).matches("^" + allowedSysctl + "$"))))
+          validations:
+          - expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.sysctls) == 0 || size(variables.forbiddenSysctls) == 0 && (size(variables.allowedSysctls) == 0 || size(variables.allowedSysctls) == size(variables.sysctls))'
+            messageExpression: '"The sysctl is not allowed for pod: " + object.metadata.name + ", forbidden: " + variables.forbiddenSysctls.map(c, c.name).join(", ") + ", allowed: " + variables.allowedSysctls.map(c, c.name).join(", ") '
+      - engine: Rego
+        source:
+          rego: |
+            package k8spspforbiddensysctls
+
+            import data.lib.exclude_update.is_update
+
+            # Block if forbidden
+            violation[{"msg": msg, "details": {}}] {
+                # spec.securityContext.sysctls field is immutable.
+                not is_update(input.review)
+
+                sysctl := input.review.object.spec.securityContext.sysctls[_].name
+                forbidden_sysctl(sysctl)
+                msg := sprintf("The sysctl %v is not allowed, pod: %v. Forbidden sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.forbiddenSysctls])
+            }
+
+            # Block if not explicitly allowed
+            violation[{"msg": msg, "details": {}}] {
+                not is_update(input.review)
+                sysctl := input.review.object.spec.securityContext.sysctls[_].name
+                not allowed_sysctl(sysctl)
+                msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls])
+            }
+
+            # * may be used to forbid all sysctls
+            forbidden_sysctl(_) {
+                input.parameters.forbiddenSysctls[_] == "*"
+            }
+
+            forbidden_sysctl(sysctl) {
+                input.parameters.forbiddenSysctls[_] == sysctl
+            }
+
+            forbidden_sysctl(sysctl) {
+                forbidden := input.parameters.forbiddenSysctls[_]
+                endswith(forbidden, "*")
+                startswith(sysctl, trim_suffix(forbidden, "*"))
+            }
+
+            # * may be used to allow all sysctls
+            allowed_sysctl(_) {
+                input.parameters.allowedSysctls[_] == "*"
+            }
+
+            allowed_sysctl(sysctl) {
+                input.parameters.allowedSysctls[_] == sysctl
+            }
+
+            allowed_sysctl(sysctl) {
+                allowed := input.parameters.allowedSysctls[_]
+                endswith(allowed, "*")
+                startswith(sysctl, trim_suffix(allowed, "*"))
+            }
+          libs:
+            - |
+              package lib.exclude_update
+
+              is_update(review) {
+                  review.operation == "UPDATE"
+              }