
add tests and update messageExpression
Signed-off-by: Rita Zhang <[email protected]>
ritazh committed Dec 14, 2024
1 parent 386428f commit 9ac982b
Showing 13 changed files with 346 additions and 30 deletions.
Expand Up @@ -3,7 +3,7 @@ name: k8spspforbiddensysctls
displayName: Forbidden Sysctls
createdAt: "2024-07-05T17:47:31Z"
description: Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
digest: c34167b32bcd5b55b48a68614ad4b20cd26294d17be559738f01735ab719f621
digest: 6e64cb0e325f6894b153216cc2f1b30f2ea4de6d62dced4f7b59209207394ce3
license: Apache-2.0
homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/forbidden-sysctls
keywords:
Expand Down
Expand Up @@ -12,4 +12,4 @@ spec:
# - "*" # * may be used to forbid all sysctls
- kernel.*
allowedSysctls:
- "net.*" # allows all sysctls. allowedSysctls is optional.
- "net.*"
@@ -0,0 +1,14 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
name: psp-forbidden-sysctls
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
forbiddenSysctls:
# - "*" # * may be used to forbid all sysctls
- kernel.*
allowedSysctls: [] # empty allowedSysctls means all sysctls are forbidden
@@ -0,0 +1,14 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
name: psp-forbidden-sysctls
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
forbiddenSysctls:
# - "*" # * may be used to forbid all sysctls
- kernel.*
# unspecified allowedSysctls will not place any restrictions
Expand Up @@ -19,15 +19,15 @@ tests:
object: samples/psp-forbidden-sysctls/update.yaml
assertions:
- violations: no
- name: forbidden-sysctls2
- name: forbidden-sysctls-wildcard
template: template.yaml
constraint: samples/psp-forbidden-sysctls/constraint2.yaml
cases:
- name: example-disallowed
object: samples/psp-forbidden-sysctls/example_disallowed.yaml
assertions:
- violations: yes
- name: example-allowed
- name: example-disallowed
object: samples/psp-forbidden-sysctls/example_allowed.yaml
assertions:
- violations: yes
Expand All @@ -51,3 +51,35 @@ tests:
object: samples/psp-forbidden-sysctls/update.yaml
assertions:
- violations: no
- name: forbidden-sysctls4-empty-allowedSysctls
template: template.yaml
constraint: samples/psp-forbidden-sysctls/constraint4.yaml
cases:
- name: example-disallowed
object: samples/psp-forbidden-sysctls/example_disallowed.yaml
assertions:
- violations: yes
- name: example-disallowed
object: samples/psp-forbidden-sysctls/example_allowed.yaml
assertions:
- violations: yes
- name: update
object: samples/psp-forbidden-sysctls/update.yaml
assertions:
- violations: no
- name: forbidden-sysctls5-unspecified-allowedSysctls
template: template.yaml
constraint: samples/psp-forbidden-sysctls/constraint5.yaml
cases:
- name: example-disallowed
object: samples/psp-forbidden-sysctls/example_disallowed.yaml
assertions:
- violations: yes
- name: example-allowed
object: samples/psp-forbidden-sysctls/example_allowed.yaml
assertions:
- violations: no
- name: update
object: samples/psp-forbidden-sysctls/update.yaml
assertions:
- violations: no
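Review bot: Two cases inside one test now carry the same name `example-disallowed`: in `forbidden-sysctls-wildcard` the case that loads `example_allowed.yaml` was renamed to it, and the same pair appears again in `forbidden-sysctls4-empty-allowedSysctls`. gator reports results by test and case name, so a failure in either pair cannot be told apart from its sibling, and I do not believe gator rejects duplicate case names, so this passes silently. Name the case after the object and the expectation, e.g. `- name: example-allowed-object-rejected`, so the `example_allowed.yaml` path and the `violations: yes` assertion read consistently. The same duplication is present in the repeated suite.yaml section further down the page.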
Expand Up @@ -43,6 +43,8 @@ spec:
- engine: K8sNativeValidation
source:
variables:
- name: isUpdate
expression: has(request.operation) && request.operation == "UPDATE"
- name: sysctls
expression: '!has(variables.anyObject.spec.securityContext) ? [] : !has(variables.anyObject.spec.securityContext.sysctls) ? [] : variables.anyObject.spec.securityContext.sysctls'
- name: allowedSysctlPrefixes
Expand All @@ -59,19 +61,20 @@ spec:
expression: |
!has(variables.params.forbiddenSysctls) ? [] :
variables.params.forbiddenSysctls.filter(sysctl, !sysctl.endsWith("*"))
- name: allAllowed
expression: '!has(variables.params.allowedSysctls) ? true : false'
- name: allowedSysctlsString
expression: |
!has(variables.params.allowedSysctls) ? "unspecified" : size(variables.params.allowedSysctls) == 0 ? "empty" : variables.params.allowedSysctls.join(", ")
- name: violatingSysctls
expression: |
(variables.sysctls.filter(sysctl,
(sysctl.name in variables.forbiddenSysctlExplicit ||
variables.forbiddenSysctlPrefixes.exists(fsp, string(sysctl.name).startsWith(fsp))) ||
(!variables.allAllowed &&
(has(variables.params.allowedSysctls) &&
!(sysctl.name in variables.allowedSysctlExplicit) &&
!variables.allowedSysctlPrefixes.exists(asp, string(sysctl.name).startsWith(asp)))))
validations:
- expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.violatingSysctls) == 0'
messageExpression: '"The sysctl is not allowed for pod: " + variables.anyObject.metadata.name + ", forbidden: " + variables.forbiddenSysctls.map(c, c).join(", ") + ", allowed: " + variables.allowedSysctls.map(c, c).join(", ")'
- expression: 'variables.isUpdate || size(variables.violatingSysctls) == 0'
messageExpression: '"The sysctl is not allowed for pod: " + variables.anyObject.metadata.name + ", forbidden: " + variables.params.forbiddenSysctls.join(", ") + ", allowed: " + variables.allowedSysctlsString'
- engine: Rego
source:
rego: |
Expand Down
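Review bot: The new messageExpression reads `variables.params.forbiddenSysctls.join(", ")` with no `has()` guard, while the variable block above it treats `forbiddenSysctls` as optional (the `!has(variables.params.forbiddenSysctls) ? [] :` guard on `forbiddenSysctlExplicit`, and the same pattern on `allowedSysctlsString`). When a constraint sets only `allowedSysctls`, a sysctl outside that list still becomes a violation through the `has(variables.params.allowedSysctls)` branch of `violatingSysctls`, but the message expression can then fail on the missing field and the operator presumably gets only the engine's fallback text instead of the forbidden/allowed lists. Mirror the existing pattern with a `forbiddenSysctlsString` variable, `!has(variables.params.forbiddenSysctls) ? "unspecified" : variables.params.forbiddenSysctls.join(", ")`, and reference `variables.forbiddenSysctlsString` in the message. The same lines recur in the repeated template.yaml section and in src.cel below; src.cel looks like the hand-edited source, so fix it there first. Appending `variables.violatingSysctls.map(s, s.name).join(", ")` to the message would also tell an operator which sysctl was rejected without re-running the policy.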
Expand Up @@ -12,4 +12,4 @@ spec:
# - "*" # * may be used to forbid all sysctls
- kernel.*
allowedSysctls:
- "net.*" # allows all sysctls. allowedSysctls is optional.
- "net.*"
@@ -0,0 +1,14 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
name: psp-forbidden-sysctls
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
forbiddenSysctls:
# - "*" # * may be used to forbid all sysctls
- kernel.*
allowedSysctls: [] # empty allowedSysctls means all sysctls are forbidden
@@ -0,0 +1,14 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
name: psp-forbidden-sysctls
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
forbiddenSysctls:
# - "*" # * may be used to forbid all sysctls
- kernel.*
# unspecified allowedSysctls will not place any restrictions
36 changes: 34 additions & 2 deletions library/pod-security-policy/forbidden-sysctls/suite.yaml
Expand Up @@ -19,15 +19,15 @@ tests:
object: samples/psp-forbidden-sysctls/update.yaml
assertions:
- violations: no
- name: forbidden-sysctls2
- name: forbidden-sysctls-wildcard
template: template.yaml
constraint: samples/psp-forbidden-sysctls/constraint2.yaml
cases:
- name: example-disallowed
object: samples/psp-forbidden-sysctls/example_disallowed.yaml
assertions:
- violations: yes
- name: example-allowed
- name: example-disallowed
object: samples/psp-forbidden-sysctls/example_allowed.yaml
assertions:
- violations: yes
Expand All @@ -51,3 +51,35 @@ tests:
object: samples/psp-forbidden-sysctls/update.yaml
assertions:
- violations: no
- name: forbidden-sysctls4-empty-allowedSysctls
template: template.yaml
constraint: samples/psp-forbidden-sysctls/constraint4.yaml
cases:
- name: example-disallowed
object: samples/psp-forbidden-sysctls/example_disallowed.yaml
assertions:
- violations: yes
- name: example-disallowed
object: samples/psp-forbidden-sysctls/example_allowed.yaml
assertions:
- violations: yes
- name: update
object: samples/psp-forbidden-sysctls/update.yaml
assertions:
- violations: no
- name: forbidden-sysctls5-unspecified-allowedSysctls
template: template.yaml
constraint: samples/psp-forbidden-sysctls/constraint5.yaml
cases:
- name: example-disallowed
object: samples/psp-forbidden-sysctls/example_disallowed.yaml
assertions:
- violations: yes
- name: example-allowed
object: samples/psp-forbidden-sysctls/example_allowed.yaml
assertions:
- violations: no
- name: update
object: samples/psp-forbidden-sysctls/update.yaml
assertions:
- violations: no
13 changes: 8 additions & 5 deletions library/pod-security-policy/forbidden-sysctls/template.yaml
Expand Up @@ -43,6 +43,8 @@ spec:
- engine: K8sNativeValidation
source:
variables:
- name: isUpdate
expression: has(request.operation) && request.operation == "UPDATE"
- name: sysctls
expression: '!has(variables.anyObject.spec.securityContext) ? [] : !has(variables.anyObject.spec.securityContext.sysctls) ? [] : variables.anyObject.spec.securityContext.sysctls'
- name: allowedSysctlPrefixes
Expand All @@ -59,19 +61,20 @@ spec:
expression: |
!has(variables.params.forbiddenSysctls) ? [] :
variables.params.forbiddenSysctls.filter(sysctl, !sysctl.endsWith("*"))
- name: allAllowed
expression: '!has(variables.params.allowedSysctls) ? true : false'
- name: allowedSysctlsString
expression: |
!has(variables.params.allowedSysctls) ? "unspecified" : size(variables.params.allowedSysctls) == 0 ? "empty" : variables.params.allowedSysctls.join(", ")
- name: violatingSysctls
expression: |
(variables.sysctls.filter(sysctl,
(sysctl.name in variables.forbiddenSysctlExplicit ||
variables.forbiddenSysctlPrefixes.exists(fsp, string(sysctl.name).startsWith(fsp))) ||
(!variables.allAllowed &&
(has(variables.params.allowedSysctls) &&
!(sysctl.name in variables.allowedSysctlExplicit) &&
!variables.allowedSysctlPrefixes.exists(asp, string(sysctl.name).startsWith(asp)))))
validations:
- expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.violatingSysctls) == 0'
messageExpression: '"The sysctl is not allowed for pod: " + variables.anyObject.metadata.name + ", forbidden: " + variables.forbiddenSysctls.map(c, c).join(", ") + ", allowed: " + variables.allowedSysctls.map(c, c).join(", ")'
- expression: 'variables.isUpdate || size(variables.violatingSysctls) == 0'
messageExpression: '"The sysctl is not allowed for pod: " + variables.anyObject.metadata.name + ", forbidden: " + variables.params.forbiddenSysctls.join(", ") + ", allowed: " + variables.allowedSysctlsString'
- engine: Rego
source:
rego: |
Expand Down
13 changes: 8 additions & 5 deletions src/pod-security-policy/forbidden-sysctls/src.cel
@@ -1,4 +1,6 @@
variables:
- name: isUpdate
expression: has(request.operation) && request.operation == "UPDATE"
- name: sysctls
expression: '!has(variables.anyObject.spec.securityContext) ? [] : !has(variables.anyObject.spec.securityContext.sysctls) ? [] : variables.anyObject.spec.securityContext.sysctls'
- name: allowedSysctlPrefixes
Expand All @@ -15,16 +17,17 @@ variables:
expression: |
!has(variables.params.forbiddenSysctls) ? [] :
variables.params.forbiddenSysctls.filter(sysctl, !sysctl.endsWith("*"))
- name: allAllowed
expression: '!has(variables.params.allowedSysctls) ? true : false'
- name: allowedSysctlsString
expression: |
!has(variables.params.allowedSysctls) ? "unspecified" : size(variables.params.allowedSysctls) == 0 ? "empty" : variables.params.allowedSysctls.join(", ")
- name: violatingSysctls
expression: |
(variables.sysctls.filter(sysctl,
(sysctl.name in variables.forbiddenSysctlExplicit ||
variables.forbiddenSysctlPrefixes.exists(fsp, string(sysctl.name).startsWith(fsp))) ||
(!variables.allAllowed &&
(has(variables.params.allowedSysctls) &&
!(sysctl.name in variables.allowedSysctlExplicit) &&
!variables.allowedSysctlPrefixes.exists(asp, string(sysctl.name).startsWith(asp)))))
validations:
- expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.violatingSysctls) == 0'
messageExpression: '"The sysctl is not allowed for pod: " + variables.anyObject.metadata.name + ", forbidden: " + variables.forbiddenSysctls.map(c, c).join(", ") + ", allowed: " + variables.allowedSysctls.map(c, c).join(", ")'
- expression: 'variables.isUpdate || size(variables.violatingSysctls) == 0'
messageExpression: '"The sysctl is not allowed for pod: " + variables.anyObject.metadata.name + ", forbidden: " + variables.params.forbiddenSysctls.join(", ") + ", allowed: " + variables.allowedSysctlsString'
