

update rego for unspecified allowedSysctls
Signed-off-by: Rita Zhang <[email protected]>
ritazh committed Dec 14, 2024
1 parent 9ac982b commit 8f9a027
Showing 7 changed files with 60 additions and 12 deletions.
Expand Up @@ -3,7 +3,7 @@ name: k8spspforbiddensysctls
displayName: Forbidden Sysctls
createdAt: "2024-07-05T17:47:31Z"
description: Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
digest: 6e64cb0e325f6894b153216cc2f1b30f2ea4de6d62dced4f7b59209207394ce3
digest: f17aa53b0129445cc5899d534c3c3904f8843c517cc401a13b5f07aaa6e0cca8
license: Apache-2.0
homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/forbidden-sysctls
keywords:
@@ -1,7 +1,7 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx-forbidden-sysctls-disallowed
name: nginx-forbidden-sysctls-allowed
labels:
app: nginx-forbidden-sysctls
spec:
Expand Up @@ -97,7 +97,8 @@ spec:
not is_update(input.review)
sysctl := input.review.object.spec.securityContext.sysctls[_].name
not allowed_sysctl(sysctl)
msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls])
allowmsg := allowed_sysctl_string()
msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, allowmsg])
}
# * may be used to forbid all sysctls
Expand Down Expand Up @@ -129,6 +130,17 @@ spec:
endswith(allowed, "*")
startswith(sysctl, trim_suffix(allowed, "*"))
}
allowed_sysctl(_) {
not input.parameters.allowedSysctls
}
allowed_sysctl_string() = out {
not input.parameters.allowedSysctls
out = "unspecified"
}
allowed_sysctl_string() = out {
out = input.parameters.allowedSysctls
}
libs:
- |
package lib.exclude_update
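Review bot: The new `allowed_sysctl(_) { not input.parameters.allowedSysctls }` rule makes the allowlist fail open: when `allowedSysctls` is omitted (or `input.parameters` is absent altogether) every sysctl passes this check and only `forbiddenSysctls` still applies, whereas an explicit `allowedSysctls: []` is a defined, truthy value in Rego, so `not` fails and every sysctl remains forbidden. An accidentally omitted or misspelled parameter key therefore silently widens what is permitted, which deserves a comment on the rule, e.g. `# allowedSysctls unset => no allowlist is enforced (forbiddenSysctls still applies); an explicit empty list [] still forbids every sysctl`. The `"unspecified"` branch of `allowed_sysctl_string` also looks unreachable from this violation rule, because `not allowed_sysctl(sysctl)` is evaluated first and cannot succeed when the parameter is unset, so the message will only ever carry the real list. The same hunks are repeated in library/pod-security-policy/forbidden-sysctls/template.yaml, src/pod-security-policy/forbidden-sysctls/src.rego and website/docs/validation/forbidden-sysctls.md. The enclosing `violation` rule and the earlier `allowed_sysctl` bodies start outside the hunk.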
@@ -1,7 +1,7 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx-forbidden-sysctls-disallowed
name: nginx-forbidden-sysctls-allowed
labels:
app: nginx-forbidden-sysctls
spec:
14 changes: 13 additions & 1 deletion library/pod-security-policy/forbidden-sysctls/template.yaml
Expand Up @@ -97,7 +97,8 @@ spec:
not is_update(input.review)
sysctl := input.review.object.spec.securityContext.sysctls[_].name
not allowed_sysctl(sysctl)
msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls])
allowmsg := allowed_sysctl_string()
msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, allowmsg])
}
# * may be used to forbid all sysctls
Expand Down Expand Up @@ -129,6 +130,17 @@ spec:
endswith(allowed, "*")
startswith(sysctl, trim_suffix(allowed, "*"))
}
allowed_sysctl(_) {
not input.parameters.allowedSysctls
}
allowed_sysctl_string() = out {
not input.parameters.allowedSysctls
out = "unspecified"
}
allowed_sysctl_string() = out {
out = input.parameters.allowedSysctls
}
libs:
- |
package lib.exclude_update
14 changes: 13 additions & 1 deletion src/pod-security-policy/forbidden-sysctls/src.rego
Expand Up @@ -17,7 +17,8 @@ violation[{"msg": msg, "details": {}}] {
not is_update(input.review)
sysctl := input.review.object.spec.securityContext.sysctls[_].name
not allowed_sysctl(sysctl)
msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls])
allowmsg := allowed_sysctl_string()
msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, allowmsg])
}

# * may be used to forbid all sysctls
Expand Down Expand Up @@ -49,3 +50,14 @@ allowed_sysctl(sysctl) {
endswith(allowed, "*")
startswith(sysctl, trim_suffix(allowed, "*"))
}

allowed_sysctl(_) {
not input.parameters.allowedSysctls
}
allowed_sysctl_string() = out {
not input.parameters.allowedSysctls
out = "unspecified"
}
allowed_sysctl_string() = out {
out = input.parameters.allowedSysctls
}
24 changes: 18 additions & 6 deletions website/docs/validation/forbidden-sysctls.md
Expand Up @@ -109,7 +109,8 @@ spec:
not is_update(input.review)
sysctl := input.review.object.spec.securityContext.sysctls[_].name
not allowed_sysctl(sysctl)
msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls])
allowmsg := allowed_sysctl_string()
msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, allowmsg])
}
# * may be used to forbid all sysctls
Expand Down Expand Up @@ -141,6 +142,17 @@ spec:
endswith(allowed, "*")
startswith(sysctl, trim_suffix(allowed, "*"))
}
allowed_sysctl(_) {
not input.parameters.allowedSysctls
}
allowed_sysctl_string() = out {
not input.parameters.allowedSysctls
out = "unspecified"
}
allowed_sysctl_string() = out {
out = input.parameters.allowedSysctls
}
libs:
- |
package lib.exclude_update
Expand Down Expand Up @@ -226,7 +238,7 @@ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-
apiVersion: v1
kind: Pod
metadata:
name: nginx-forbidden-sysctls-disallowed
name: nginx-forbidden-sysctls-allowed
labels:
app: nginx-forbidden-sysctls
spec:
Expand Down Expand Up @@ -318,7 +330,7 @@ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-
apiVersion: v1
kind: Pod
metadata:
name: nginx-forbidden-sysctls-disallowed
name: nginx-forbidden-sysctls-allowed
labels:
app: nginx-forbidden-sysctls
spec:
Expand Down Expand Up @@ -411,7 +423,7 @@ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-
apiVersion: v1
kind: Pod
metadata:
name: nginx-forbidden-sysctls-disallowed
name: nginx-forbidden-sysctls-allowed
labels:
app: nginx-forbidden-sysctls
spec:
Expand Down Expand Up @@ -503,7 +515,7 @@ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-
apiVersion: v1
kind: Pod
metadata:
name: nginx-forbidden-sysctls-disallowed
name: nginx-forbidden-sysctls-allowed
labels:
app: nginx-forbidden-sysctls
spec:
Expand Down Expand Up @@ -595,7 +607,7 @@ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-
apiVersion: v1
kind: Pod
metadata:
name: nginx-forbidden-sysctls-disallowed
name: nginx-forbidden-sysctls-allowed
labels:
app: nginx-forbidden-sysctls
spec:

