fixing CEL error

Signed-off-by: Jaydip Gabani <[email protected]>

artifacthub/library/pod-security-policy/host-filesystem/1.1.0/artifacthub-pkg.yml

@@ -3,7 +3,7 @@ name: k8spsphostfilesystem
 displayName: Host Filesystem
 createdAt: "2024-06-05T20:31:16Z"
 description: Controls usage of the host filesystem. Corresponds to the `allowedHostPaths` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
-digest: d414daa954ca9553d81c63e57c6fc3674ab3cd70975f6ebaf47782a1a0f05da0
+digest: 3883941aac9b7598a79c9bf6517c77a401b99d165bf584dce604a00eef79f8e7
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-filesystem
 keywords:

artifacthub/library/pod-security-policy/host-filesystem/1.1.0/template.yaml

@@ -53,7 +53,7 @@ spec:
             expression: 'variables.containers + variables.initContainers + variables.ephemeralContainers'
           - name: allowedPaths
             expression: |
-              !has(variables.params) ? [] : (!has(variables.params.allowedHostPaths) ? [] : variables.params.allowedHostPaths)
+              !has(variables.params.allowedHostPaths) ? [] : variables.params.allowedHostPaths
           - name: volumes
             expression: |
               variables.anyObject.spec.volumes.filter(volume, has(volume.hostPath))
@@ -66,7 +66,7 @@ spec:
                     (!has(allowedPath.readOnly) || !(allowedPath.readOnly)) ||
                       (has(allowedPath.readOnly) && allowedPath.readOnly && !variables.allContainers.exists(c, 
                       c.volumeMounts.exists(m, m.name == volume.name && (!has(m.readOnly) || !m.readOnly)))))))
-              ).map(volume, "{ hostPath: { path : " + volume.hostPath.path + " }, name: " + volume.name + "}").map(volume, "HostPath volume " + volume + " is not allowed, pod: " + variables.anyObject.metadata.name + ". Allowed path: " + variables.allowedPaths.map(path, "{ pathPrefix: " + path.pathPrefix + ", readOnly: " + path.readOnly + "}").join(", "))
+              ).map(volume, "{ hostPath: { path : " + volume.hostPath.path + " }, name: " + volume.name + "}").map(volume, "HostPath volume " + volume + " is not allowed, pod: " + object.metadata.name + ". Allowed path: " + variables.allowedPaths.map(path,  path.pathPrefix + ", readOnly: " + (path.readOnly ? "true" : "false") + "}").join(", "))
           validations:
           - expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.badHostPaths) == 0'
             messageExpression: 'variables.badHostPaths.join("\n")'

library/pod-security-policy/host-filesystem/template.yaml

@@ -53,7 +53,7 @@ spec:
             expression: 'variables.containers + variables.initContainers + variables.ephemeralContainers'
           - name: allowedPaths
             expression: |
-              !has(variables.params) ? [] : (!has(variables.params.allowedHostPaths) ? [] : variables.params.allowedHostPaths)
+              !has(variables.params.allowedHostPaths) ? [] : variables.params.allowedHostPaths
           - name: volumes
             expression: |
               variables.anyObject.spec.volumes.filter(volume, has(volume.hostPath))
@@ -66,7 +66,7 @@ spec:
                     (!has(allowedPath.readOnly) || !(allowedPath.readOnly)) ||
                       (has(allowedPath.readOnly) && allowedPath.readOnly && !variables.allContainers.exists(c, 
                       c.volumeMounts.exists(m, m.name == volume.name && (!has(m.readOnly) || !m.readOnly)))))))
-              ).map(volume, "{ hostPath: { path : " + volume.hostPath.path + " }, name: " + volume.name + "}").map(volume, "HostPath volume " + volume + " is not allowed, pod: " + variables.anyObject.metadata.name + ". Allowed path: " + variables.allowedPaths.map(path, "{ pathPrefix: " + path.pathPrefix + ", readOnly: " + path.readOnly + "}").join(", "))
+              ).map(volume, "{ hostPath: { path : " + volume.hostPath.path + " }, name: " + volume.name + "}").map(volume, "HostPath volume " + volume + " is not allowed, pod: " + object.metadata.name + ". Allowed path: " + variables.allowedPaths.map(path,  path.pathPrefix + ", readOnly: " + (path.readOnly ? "true" : "false") + "}").join(", "))
           validations:
           - expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.badHostPaths) == 0'
             messageExpression: 'variables.badHostPaths.join("\n")'

src/pod-security-policy/host-filesystem/src.cel

@@ -9,7 +9,7 @@ variables:
   expression: 'variables.containers + variables.initContainers + variables.ephemeralContainers'
 - name: allowedPaths
   expression: |
-    !has(variables.params) ? [] : (!has(variables.params.allowedHostPaths) ? [] : variables.params.allowedHostPaths)
+    !has(variables.params.allowedHostPaths) ? [] : variables.params.allowedHostPaths
 - name: volumes
   expression: |
     variables.anyObject.spec.volumes.filter(volume, has(volume.hostPath))
@@ -22,7 +22,7 @@ variables:
           (!has(allowedPath.readOnly) || !(allowedPath.readOnly)) ||
             (has(allowedPath.readOnly) && allowedPath.readOnly && !variables.allContainers.exists(c, 
             c.volumeMounts.exists(m, m.name == volume.name && (!has(m.readOnly) || !m.readOnly)))))))
-    ).map(volume, "{ hostPath: { path : " + volume.hostPath.path + " }, name: " + volume.name + "}").map(volume, "HostPath volume " + volume + " is not allowed, pod: " + variables.anyObject.metadata.name + ". Allowed path: " + variables.allowedPaths.map(path, "{ pathPrefix: " + path.pathPrefix + ", readOnly: " + path.readOnly + "}").join(", "))
+    ).map(volume, "{ hostPath: { path : " + volume.hostPath.path + " }, name: " + volume.name + "}").map(volume, "HostPath volume " + volume + " is not allowed, pod: " + object.metadata.name + ". Allowed path: " + variables.allowedPaths.map(path,  path.pathPrefix + ", readOnly: " + (path.readOnly ? "true" : "false") + "}").join(", "))
 validations:
 - expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.badHostPaths) == 0'
   messageExpression: 'variables.badHostPaths.join("\n")'

website/docs/validation/host-filesystem.md

@@ -65,7 +65,7 @@ spec:
             expression: 'variables.containers + variables.initContainers + variables.ephemeralContainers'
           - name: allowedPaths
             expression: |
-              !has(variables.params) ? [] : (!has(variables.params.allowedHostPaths) ? [] : variables.params.allowedHostPaths)
+              !has(variables.params.allowedHostPaths) ? [] : variables.params.allowedHostPaths
           - name: volumes
             expression: |
               variables.anyObject.spec.volumes.filter(volume, has(volume.hostPath))
@@ -78,7 +78,7 @@ spec:
                     (!has(allowedPath.readOnly) || !(allowedPath.readOnly)) ||
                       (has(allowedPath.readOnly) && allowedPath.readOnly && !variables.allContainers.exists(c, 
                       c.volumeMounts.exists(m, m.name == volume.name && (!has(m.readOnly) || !m.readOnly)))))))
-              ).map(volume, "{ hostPath: { path : " + volume.hostPath.path + " }, name: " + volume.name + "}").map(volume, "HostPath volume " + volume + " is not allowed, pod: " + variables.anyObject.metadata.name + ". Allowed path: " + variables.allowedPaths.map(path, "{ pathPrefix: " + path.pathPrefix + ", readOnly: " + path.readOnly + "}").join(", "))
+              ).map(volume, "{ hostPath: { path : " + volume.hostPath.path + " }, name: " + volume.name + "}").map(volume, "HostPath volume " + volume + " is not allowed, pod: " + object.metadata.name + ". Allowed path: " + variables.allowedPaths.map(path,  path.pathPrefix + ", readOnly: " + (path.readOnly ? "true" : "false") + "}").join(", "))
           validations:
           - expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.badHostPaths) == 0'
             messageExpression: 'variables.badHostPaths.join("\n")'