diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/artifacthub-pkg.yml
index 70229c760..6ecb28c2c 100644
--- a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/artifacthub-pkg.yml
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spspforbiddensysctls
 displayName: Forbidden Sysctls
 createdAt: "2024-07-05T17:47:31Z"
 description: Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
-digest: 6e64cb0e325f6894b153216cc2f1b30f2ea4de6d62dced4f7b59209207394ce3
+digest: f17aa53b0129445cc5899d534c3c3904f8843c517cc401a13b5f07aaa6e0cca8
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/forbidden-sysctls
 keywords:
diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/example_allowed.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/example_allowed.yaml
index 4b6cc4b66..5cb66a42c 100644
--- a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/example_allowed.yaml
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/example_allowed.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: nginx-forbidden-sysctls-disallowed
+  name: nginx-forbidden-sysctls-allowed
   labels:
     app: nginx-forbidden-sysctls
 spec:
diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/template.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/template.yaml
index 6c9ea66bd..3fc2bda73 100644
--- a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/template.yaml
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/template.yaml
@@ -97,7 +97,8 @@ spec:
     not is_update(input.review)
     sysctl := input.review.object.spec.securityContext.sysctls[_].name
     not allowed_sysctl(sysctl)
-    msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls])
+    allowmsg := allowed_sysctl_string()
+    msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, allowmsg])
   }
 
   # * may be used to forbid all sysctls
@@ -129,6 +130,17 @@ spec:
     endswith(allowed, "*")
     startswith(sysctl, trim_suffix(allowed, "*"))
   }
+
+  allowed_sysctl(_) {
+    not input.parameters.allowedSysctls
+  }
+  allowed_sysctl_string() = out {
+    not input.parameters.allowedSysctls
+    out = "unspecified"
+  }
+  allowed_sysctl_string() = out {
+    out = input.parameters.allowedSysctls
+  }
 libs:
   - |
     package lib.exclude_update
diff --git a/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/example_allowed.yaml b/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/example_allowed.yaml
index 4b6cc4b66..5cb66a42c 100644
--- a/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/example_allowed.yaml
+++ b/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/example_allowed.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: nginx-forbidden-sysctls-disallowed
+  name: nginx-forbidden-sysctls-allowed
   labels:
     app: nginx-forbidden-sysctls
 spec:
diff --git a/library/pod-security-policy/forbidden-sysctls/template.yaml b/library/pod-security-policy/forbidden-sysctls/template.yaml
index 6c9ea66bd..3fc2bda73 100644
--- a/library/pod-security-policy/forbidden-sysctls/template.yaml
+++ b/library/pod-security-policy/forbidden-sysctls/template.yaml
@@ -97,7 +97,8 @@ spec:
     not is_update(input.review)
     sysctl := input.review.object.spec.securityContext.sysctls[_].name
     not allowed_sysctl(sysctl)
-    msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls])
+    allowmsg := allowed_sysctl_string()
+    msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, allowmsg])
   }
 
   # * may be used to forbid all sysctls
@@ -129,6 +130,17 @@ spec:
     endswith(allowed, "*")
     startswith(sysctl, trim_suffix(allowed, "*"))
   }
+
+  allowed_sysctl(_) {
+    not input.parameters.allowedSysctls
+  }
+  allowed_sysctl_string() = out {
+    not input.parameters.allowedSysctls
+    out = "unspecified"
+  }
+  allowed_sysctl_string() = out {
+    out = input.parameters.allowedSysctls
+  }
 libs:
   - |
     package lib.exclude_update
diff --git a/src/pod-security-policy/forbidden-sysctls/src.rego b/src/pod-security-policy/forbidden-sysctls/src.rego
index 135603aa1..6c0e8e086 100644
--- a/src/pod-security-policy/forbidden-sysctls/src.rego
+++ b/src/pod-security-policy/forbidden-sysctls/src.rego
@@ -17,7 +17,8 @@ violation[{"msg": msg, "details": {}}] {
   not is_update(input.review)
   sysctl := input.review.object.spec.securityContext.sysctls[_].name
   not allowed_sysctl(sysctl)
-  msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls])
+  allowmsg := allowed_sysctl_string()
+  msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, allowmsg])
 }
 
 # * may be used to forbid all sysctls
@@ -49,3 +50,14 @@ allowed_sysctl(sysctl) {
   endswith(allowed, "*")
   startswith(sysctl, trim_suffix(allowed, "*"))
 }
+
+allowed_sysctl(_) {
+  not input.parameters.allowedSysctls
+}
+allowed_sysctl_string() = out {
+  not input.parameters.allowedSysctls
+  out = "unspecified"
+}
+allowed_sysctl_string() = out {
+  out = input.parameters.allowedSysctls
+}
diff --git a/website/docs/validation/forbidden-sysctls.md b/website/docs/validation/forbidden-sysctls.md
index c85ad40d3..cbbdd36b6 100644
--- a/website/docs/validation/forbidden-sysctls.md
+++ b/website/docs/validation/forbidden-sysctls.md
@@ -109,7 +109,8 @@ spec:
     not is_update(input.review)
     sysctl := input.review.object.spec.securityContext.sysctls[_].name
     not allowed_sysctl(sysctl)
-    msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls])
+    allowmsg := allowed_sysctl_string()
+    msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, allowmsg])
   }
 
   # * may be used to forbid all sysctls
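Review bot: The new `allowed_sysctl(_) { not input.parameters.allowedSysctls }` rule turns an omitted `allowedSysctls` parameter from deny-all into allow-all, a fail-open change in policy semantics that the hunk leaves uncommented; before this rule the only `allowed_sysctl` heads matched entries of the parameter (the `allowed` binding comes from outside the hunk, presumably `input.parameters.allowedSysctls[_]`), so an absent list allowed nothing. The new default does agree with the package description ("When specified, any sysctl not in the allowedSysctls parameter is considered to be forbidden"), but a constraint author who relied on the old behaviour gets no signal, and the boundary is subtle: Rego `not` succeeds only on undefined or false, so `allowedSysctls: []` still allows nothing while a missing key allows everything. A one-line comment above the rule would make that explicit, e.g. `# allowedSysctls omitted: every sysctl is allowed unless forbiddenSysctls matches it; an empty list ([]) still allows nothing.`, and a suite case with the parameter omitted would pin the new default. The same lines recur in both template.yaml copies and in the docs page, which appear to be generated from this file.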
@@ -141,6 +142,17 @@ spec:
     endswith(allowed, "*")
     startswith(sysctl, trim_suffix(allowed, "*"))
   }
+
+  allowed_sysctl(_) {
+    not input.parameters.allowedSysctls
+  }
+  allowed_sysctl_string() = out {
+    not input.parameters.allowedSysctls
+    out = "unspecified"
+  }
+  allowed_sysctl_string() = out {
+    out = input.parameters.allowedSysctls
+  }
 libs:
   - |
     package lib.exclude_update
@@ -226,7 +238,7 @@ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-
 apiVersion: v1
 kind: Pod
 metadata:
-  name: nginx-forbidden-sysctls-disallowed
+  name: nginx-forbidden-sysctls-allowed
   labels:
     app: nginx-forbidden-sysctls
 spec:
@@ -318,7 +330,7 @@ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-
 apiVersion: v1
 kind: Pod
 metadata:
-  name: nginx-forbidden-sysctls-disallowed
+  name: nginx-forbidden-sysctls-allowed
   labels:
     app: nginx-forbidden-sysctls
 spec:
@@ -411,7 +423,7 @@ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-
 apiVersion: v1
 kind: Pod
 metadata:
-  name: nginx-forbidden-sysctls-disallowed
+  name: nginx-forbidden-sysctls-allowed
   labels:
     app: nginx-forbidden-sysctls
 spec:
@@ -503,7 +515,7 @@ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-
 apiVersion: v1
 kind: Pod
 metadata:
-  name: nginx-forbidden-sysctls-disallowed
+  name: nginx-forbidden-sysctls-allowed
   labels:
     app: nginx-forbidden-sysctls
 spec:
@@ -595,7 +607,7 @@ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-
 apiVersion: v1
 kind: Pod
 metadata:
-  name: nginx-forbidden-sysctls-disallowed
+  name: nginx-forbidden-sysctls-allowed
   labels:
     app: nginx-forbidden-sysctls
 spec: