diff --git a/artifacthub/library/pod-security-policy/selinux/1.1.0/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/selinux/1.1.0/artifacthub-pkg.yml
index ca721aa92..7c7cfa8ef 100644
--- a/artifacthub/library/pod-security-policy/selinux/1.1.0/artifacthub-pkg.yml
+++ b/artifacthub/library/pod-security-policy/selinux/1.1.0/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spspselinuxv2
 displayName: SELinux V2
 createdAt: "2024-05-20T18:10:16Z"
 description: Defines an allow-list of seLinuxOptions configurations for pod containers. Corresponds to a PodSecurityPolicy requiring SELinux configs. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
-digest: eba35fa7bc8ccf1110732549d7eeabaee17bc8d3f100aac7cba42913578285a2
+digest: 896e8db9085d4346d6ad611b60932ce2b5a4c16126cf8f747f6eca14ff00bb1b
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/selinux
 keywords:
diff --git a/artifacthub/library/pod-security-policy/selinux/1.1.0/template.yaml b/artifacthub/library/pod-security-policy/selinux/1.1.0/template.yaml
index d558968b0..c4452e137 100644
--- a/artifacthub/library/pod-security-policy/selinux/1.1.0/template.yaml
+++ b/artifacthub/library/pod-security-policy/selinux/1.1.0/template.yaml
@@ -62,22 +62,22 @@ spec: variables: - name: notViolatingSELinuxOptions expression: | - has(object.spec.securityContext) && has(object.spec.securityContext.seLinuxOptions) ? + has(variables.anyObject.spec.securityContext) && has(variables.anyObject.spec.securityContext.seLinuxOptions) ? (has(variables.params.allowedSELinuxOptions) ? ( - (has(variables.params.allowedSELinuxOptions.level) && has(object.spec.securityContext.seLinuxOptions.level) && (object.spec.securityContext.seLinuxOptions.level == variables.params.allowedSELinuxOptions.level)) && - (has(variables.params.allowedSELinuxOptions.role) && has(object.spec.securityContext.seLinuxOptions.role) && (object.spec.securityContext.seLinuxOptions.role == variables.params.allowedSELinuxOptions.role)) && - (has(variables.params.allowedSELinuxOptions.type) && has(object.spec.securityContext.seLinuxOptions.type) && (object.spec.securityContext.seLinuxOptions.type == variables.params.allowedSELinuxOptions.type)) && - (has(variables.params.allowedSELinuxOptions.user) && has(object.spec.securityContext.seLinuxOptions.user) && (object.spec.securityContext.seLinuxOptions.user == variables.params.allowedSELinuxOptions.user)) + (has(variables.params.allowedSELinuxOptions.level) && has(variables.anyObject.spec.securityContext.seLinuxOptions.level) && (variables.anyObject.spec.securityContext.seLinuxOptions.level == variables.params.allowedSELinuxOptions.level)) && + (has(variables.params.allowedSELinuxOptions.role) && has(variables.anyObject.spec.securityContext.seLinuxOptions.role) && (variables.anyObject.spec.securityContext.seLinuxOptions.role == variables.params.allowedSELinuxOptions.role)) && + (has(variables.params.allowedSELinuxOptions.type) && has(variables.anyObject.spec.securityContext.seLinuxOptions.type) && (variables.anyObject.spec.securityContext.seLinuxOptions.type == variables.params.allowedSELinuxOptions.type)) && + (has(variables.params.allowedSELinuxOptions.user) && 
has(variables.anyObject.spec.securityContext.seLinuxOptions.user) && (variables.anyObject.spec.securityContext.seLinuxOptions.user == variables.params.allowedSELinuxOptions.user)) ) : - (!has(object.spec.securityContext.seLinuxOptions.level) && !has(object.spec.securityContext.seLinuxOptions.role) && !has(object.spec.securityContext.seLinuxOptions.type) && !has(object.spec.securityContext.seLinuxOptions.user))) + (!has(variables.anyObject.spec.securityContext.seLinuxOptions.level) && !has(variables.anyObject.spec.securityContext.seLinuxOptions.role) && !has(variables.anyObject.spec.securityContext.seLinuxOptions.type) && !has(variables.anyObject.spec.securityContext.seLinuxOptions.user))) : true - name: containers - expression: 'has(object.spec.containers) ? object.spec.containers.filter(c, has(c.securityContext) && has(c.securityContext.seLinuxOptions)) : []' + expression: 'has(variables.anyObject.spec.containers) ? variables.anyObject.spec.containers.filter(c, has(c.securityContext) && has(c.securityContext.seLinuxOptions)) : []' - name: initContainers - expression: 'has(object.spec.initContainers) ? object.spec.initContainers.filter(c, has(c.securityContext) && has(c.securityContext.seLinuxOptions)) : []' + expression: 'has(variables.anyObject.spec.initContainers) ? variables.anyObject.spec.initContainers.filter(c, has(c.securityContext) && has(c.securityContext.seLinuxOptions)) : []' - name: ephemeralContainers - expression: 'has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers.filter(c, has(c.securityContext) && has(c.securityContext.seLinuxOptions)) : []' + expression: 'has(variables.anyObject.spec.ephemeralContainers) ? variables.anyObject.spec.ephemeralContainers.filter(c, has(c.securityContext) && has(c.securityContext.seLinuxOptions)) : []' - name: exemptImagePrefixes expression: | !has(variables.params.exemptImages) ? [] : 
@@ -105,9 +105,9 @@ spec: )) validations: - expression: '(has(request.operation) && request.operation == "UPDATE") || variables.notViolatingSELinuxOptions' - messageExpression: '"SELinux options is not allowed, pod: " + object.metadata.name + ". Allowed options: " + variables.params.allowedSELinuxOptions' + messageExpression: '"SELinux options is not allowed, pod: " + variables.anyObject.metadata.name + ". Allowed options: " + variables.params.allowedSELinuxOptions' - expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.badContainers) == 0' - messageExpression: '"SELinux options is not allowed, pod: " + object.metadata.name + ", container: " + variables.badContainers.map(c, c.name).join(", ")' + messageExpression: '"SELinux options is not allowed, pod: " + variables.anyObject.metadata.name + ", container: " + variables.badContainers.map(c, c.name).join(", ")' - engine: Rego source: rego: | diff --git a/artifacthub/library/pod-security-policy/volumes/1.1.0/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/volumes/1.1.0/artifacthub-pkg.yml index 28b97d66f..ca79b7c88 100644 --- a/artifacthub/library/pod-security-policy/volumes/1.1.0/artifacthub-pkg.yml +++ b/artifacthub/library/pod-security-policy/volumes/1.1.0/artifacthub-pkg.yml @@ -3,7 +3,7 @@ name: k8spspvolumetypes displayName: Volume Types createdAt: "2024-05-14T00:55:44Z" description: Restricts mountable volume types to those specified by the user. Corresponds to the `volumes` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems -digest: f27f6759e3fc2969cddea91ad3b1b0d06554d63c6b9137e35e89a5e8dbd458d9 +digest: cf81297bf562f15dc11e9c56a6e78c7e0345934cea0ae6285735d9bc66a366f1 license: Apache-2.0 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/volumes keywords: 
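Review bot: Both validations keep the `request.operation == "UPDATE"` exemption while the values they test are now computed from `variables.anyObject`; that exemption was sound when the admitted object was always a Pod, whose securityContext cannot change after creation, but if `anyObject` resolves to a workload's pod template (its definition is outside this hunk) an UPDATE that adds disallowed seLinuxOptions to a Deployment template now passes at the workload level. Scoping the exemption to Pods, e.g. `(has(request.operation) && request.operation == "UPDATE" && !has(object.spec.template)) || variables.notViolatingSELinuxOptions` (using whatever condition `anyObject` itself uses to detect a template), and the same on the `badContainers` line, closes that gap. The messages also switch to `variables.anyObject.metadata.name`, which a pod template normally does not set, so on workload kinds the messageExpression would hit a missing key and presumably degrade to Gatekeeper's fallback text; `object.metadata.name` names the object actually being admitted and is the safer choice. This file carries the same blob hash as library/pod-security-policy/selinux/template.yaml further down and mirrors src/pod-security-policy/selinux/src.cel, so the fix belongs in the source file and should be regenerated from there.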
diff --git a/artifacthub/library/pod-security-policy/volumes/1.1.0/template.yaml b/artifacthub/library/pod-security-policy/volumes/1.1.0/template.yaml index 4e6233966..28a7db6f4 100644 --- a/artifacthub/library/pod-security-policy/volumes/1.1.0/template.yaml +++ b/artifacthub/library/pod-security-policy/volumes/1.1.0/template.yaml @@ -37,13 +37,13 @@ spec: source: variables: - name: volumes - expression: 'has(object.spec.volumes) && has(request.operation) && request.operation != "UPDATE" ? object.spec.volumes : []' + expression: 'has(variables.anyObject.spec.volumes) && has(request.operation) && request.operation != "UPDATE" ? variables.anyObject.spec.volumes : []' - name: badVolumes expression: | variables.params.volumes.exists(entry, entry == "*") ? [] : variables.volumes.map(e, e.map(k, k != "name", k)).map(k, k[0]).filter(entry, !(entry in variables.params.volumes)) validations: - expression: 'size(variables.badVolumes) == 0' - messageExpression: '"The volume type " + variables.badVolumes.join(", ") + " is not allowed, pod: " + object.metadata.name + ". Allowed volume types: " + variables.params.volumes.join(", ")' + messageExpression: '"The volume type " + variables.badVolumes.join(", ") + " is not allowed, pod: " + variables.anyObject.metadata.name + ". Allowed volume types: " + variables.params.volumes.join(", ")' - engine: Rego source: rego: | diff --git a/library/pod-security-policy/selinux/template.yaml b/library/pod-security-policy/selinux/template.yaml index d558968b0..c4452e137 100644 --- a/library/pod-security-policy/selinux/template.yaml +++ b/library/pod-security-policy/selinux/template.yaml 
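Review bot: The `volumes` variable still collapses to `[]` on any `"UPDATE"`, which was harmless while the object was always a Pod, but now that it reads `variables.anyObject.spec.volumes` (presumably the pod template for workload kinds; the definition is outside this hunk) an edit of a Deployment template that adds a disallowed volume type passes at the workload level. It also disagrees with the selinux template in this same diff, which skips only when `request.operation` is present and equal to `"UPDATE"`, whereas here a missing `request.operation` also empties the list and silently disables the check. A single guard such as `has(variables.anyObject.spec.volumes) && !(has(request.operation) && request.operation == "UPDATE" && !has(object.spec.template)) ? variables.anyObject.spec.volumes : []` addresses both. As in the selinux messages, `variables.anyObject.metadata.name` is usually absent on a pod template, so `object.metadata.name` is the safer name to print; this file mirrors src/pod-security-policy/volumes/src.cel below, where the change should be made.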
@@ -62,22 +62,22 @@ spec: variables: - name: notViolatingSELinuxOptions expression: | - has(object.spec.securityContext) && has(object.spec.securityContext.seLinuxOptions) ? + has(variables.anyObject.spec.securityContext) && has(variables.anyObject.spec.securityContext.seLinuxOptions) ? (has(variables.params.allowedSELinuxOptions) ? ( - (has(variables.params.allowedSELinuxOptions.level) && has(object.spec.securityContext.seLinuxOptions.level) && (object.spec.securityContext.seLinuxOptions.level == variables.params.allowedSELinuxOptions.level)) && - (has(variables.params.allowedSELinuxOptions.role) && has(object.spec.securityContext.seLinuxOptions.role) && (object.spec.securityContext.seLinuxOptions.role == variables.params.allowedSELinuxOptions.role)) && - (has(variables.params.allowedSELinuxOptions.type) && has(object.spec.securityContext.seLinuxOptions.type) && (object.spec.securityContext.seLinuxOptions.type == variables.params.allowedSELinuxOptions.type)) && - (has(variables.params.allowedSELinuxOptions.user) && has(object.spec.securityContext.seLinuxOptions.user) && (object.spec.securityContext.seLinuxOptions.user == variables.params.allowedSELinuxOptions.user)) + (has(variables.params.allowedSELinuxOptions.level) && has(variables.anyObject.spec.securityContext.seLinuxOptions.level) && (variables.anyObject.spec.securityContext.seLinuxOptions.level == variables.params.allowedSELinuxOptions.level)) && + (has(variables.params.allowedSELinuxOptions.role) && has(variables.anyObject.spec.securityContext.seLinuxOptions.role) && (variables.anyObject.spec.securityContext.seLinuxOptions.role == variables.params.allowedSELinuxOptions.role)) && + (has(variables.params.allowedSELinuxOptions.type) && has(variables.anyObject.spec.securityContext.seLinuxOptions.type) && (variables.anyObject.spec.securityContext.seLinuxOptions.type == variables.params.allowedSELinuxOptions.type)) && + (has(variables.params.allowedSELinuxOptions.user) && 
has(variables.anyObject.spec.securityContext.seLinuxOptions.user) && (variables.anyObject.spec.securityContext.seLinuxOptions.user == variables.params.allowedSELinuxOptions.user)) ) : - (!has(object.spec.securityContext.seLinuxOptions.level) && !has(object.spec.securityContext.seLinuxOptions.role) && !has(object.spec.securityContext.seLinuxOptions.type) && !has(object.spec.securityContext.seLinuxOptions.user))) + (!has(variables.anyObject.spec.securityContext.seLinuxOptions.level) && !has(variables.anyObject.spec.securityContext.seLinuxOptions.role) && !has(variables.anyObject.spec.securityContext.seLinuxOptions.type) && !has(variables.anyObject.spec.securityContext.seLinuxOptions.user))) : true - name: containers - expression: 'has(object.spec.containers) ? object.spec.containers.filter(c, has(c.securityContext) && has(c.securityContext.seLinuxOptions)) : []' + expression: 'has(variables.anyObject.spec.containers) ? variables.anyObject.spec.containers.filter(c, has(c.securityContext) && has(c.securityContext.seLinuxOptions)) : []' - name: initContainers - expression: 'has(object.spec.initContainers) ? object.spec.initContainers.filter(c, has(c.securityContext) && has(c.securityContext.seLinuxOptions)) : []' + expression: 'has(variables.anyObject.spec.initContainers) ? variables.anyObject.spec.initContainers.filter(c, has(c.securityContext) && has(c.securityContext.seLinuxOptions)) : []' - name: ephemeralContainers - expression: 'has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers.filter(c, has(c.securityContext) && has(c.securityContext.seLinuxOptions)) : []' + expression: 'has(variables.anyObject.spec.ephemeralContainers) ? variables.anyObject.spec.ephemeralContainers.filter(c, has(c.securityContext) && has(c.securityContext.seLinuxOptions)) : []' - name: exemptImagePrefixes expression: | !has(variables.params.exemptImages) ? [] : 
@@ -105,9 +105,9 @@ spec: )) validations: - expression: '(has(request.operation) && request.operation == "UPDATE") || variables.notViolatingSELinuxOptions' - messageExpression: '"SELinux options is not allowed, pod: " + object.metadata.name + ". Allowed options: " + variables.params.allowedSELinuxOptions' + messageExpression: '"SELinux options is not allowed, pod: " + variables.anyObject.metadata.name + ". Allowed options: " + variables.params.allowedSELinuxOptions' - expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.badContainers) == 0' - messageExpression: '"SELinux options is not allowed, pod: " + object.metadata.name + ", container: " + variables.badContainers.map(c, c.name).join(", ")' + messageExpression: '"SELinux options is not allowed, pod: " + variables.anyObject.metadata.name + ", container: " + variables.badContainers.map(c, c.name).join(", ")' - engine: Rego source: rego: | diff --git a/library/pod-security-policy/volumes/template.yaml b/library/pod-security-policy/volumes/template.yaml index 4e6233966..28a7db6f4 100644 --- a/library/pod-security-policy/volumes/template.yaml +++ b/library/pod-security-policy/volumes/template.yaml 
@@ -37,13 +37,13 @@ spec: source: variables: - name: volumes - expression: 'has(object.spec.volumes) && has(request.operation) && request.operation != "UPDATE" ? object.spec.volumes : []' + expression: 'has(variables.anyObject.spec.volumes) && has(request.operation) && request.operation != "UPDATE" ? variables.anyObject.spec.volumes : []' - name: badVolumes expression: | variables.params.volumes.exists(entry, entry == "*") ? [] : variables.volumes.map(e, e.map(k, k != "name", k)).map(k, k[0]).filter(entry, !(entry in variables.params.volumes)) validations: - expression: 'size(variables.badVolumes) == 0' - messageExpression: '"The volume type " + variables.badVolumes.join(", ") + " is not allowed, pod: " + object.metadata.name + ". Allowed volume types: " + variables.params.volumes.join(", ")' + messageExpression: '"The volume type " + variables.badVolumes.join(", ") + " is not allowed, pod: " + variables.anyObject.metadata.name + ". Allowed volume types: " + variables.params.volumes.join(", ")' - engine: Rego source: rego: | diff --git a/src/pod-security-policy/selinux/src.cel b/src/pod-security-policy/selinux/src.cel index 0a0d04a79..96028c4c4 100644 --- a/src/pod-security-policy/selinux/src.cel +++ b/src/pod-security-policy/selinux/src.cel 
@@ -1,22 +1,22 @@ variables: - name: notViolatingSELinuxOptions expression: | - has(object.spec.securityContext) && has(object.spec.securityContext.seLinuxOptions) ? + has(variables.anyObject.spec.securityContext) && has(variables.anyObject.spec.securityContext.seLinuxOptions) ? (has(variables.params.allowedSELinuxOptions) ? ( - (has(variables.params.allowedSELinuxOptions.level) && has(object.spec.securityContext.seLinuxOptions.level) && (object.spec.securityContext.seLinuxOptions.level == variables.params.allowedSELinuxOptions.level)) && - (has(variables.params.allowedSELinuxOptions.role) && has(object.spec.securityContext.seLinuxOptions.role) && (object.spec.securityContext.seLinuxOptions.role == variables.params.allowedSELinuxOptions.role)) && - (has(variables.params.allowedSELinuxOptions.type) && has(object.spec.securityContext.seLinuxOptions.type) && (object.spec.securityContext.seLinuxOptions.type == variables.params.allowedSELinuxOptions.type)) && - (has(variables.params.allowedSELinuxOptions.user) && has(object.spec.securityContext.seLinuxOptions.user) && (object.spec.securityContext.seLinuxOptions.user == variables.params.allowedSELinuxOptions.user)) + (has(variables.params.allowedSELinuxOptions.level) && has(variables.anyObject.spec.securityContext.seLinuxOptions.level) && (variables.anyObject.spec.securityContext.seLinuxOptions.level == variables.params.allowedSELinuxOptions.level)) && + (has(variables.params.allowedSELinuxOptions.role) && has(variables.anyObject.spec.securityContext.seLinuxOptions.role) && (variables.anyObject.spec.securityContext.seLinuxOptions.role == variables.params.allowedSELinuxOptions.role)) && + (has(variables.params.allowedSELinuxOptions.type) && has(variables.anyObject.spec.securityContext.seLinuxOptions.type) && (variables.anyObject.spec.securityContext.seLinuxOptions.type == variables.params.allowedSELinuxOptions.type)) && + (has(variables.params.allowedSELinuxOptions.user) && 
has(variables.anyObject.spec.securityContext.seLinuxOptions.user) && (variables.anyObject.spec.securityContext.seLinuxOptions.user == variables.params.allowedSELinuxOptions.user)) ) : - (!has(object.spec.securityContext.seLinuxOptions.level) && !has(object.spec.securityContext.seLinuxOptions.role) && !has(object.spec.securityContext.seLinuxOptions.type) && !has(object.spec.securityContext.seLinuxOptions.user))) + (!has(variables.anyObject.spec.securityContext.seLinuxOptions.level) && !has(variables.anyObject.spec.securityContext.seLinuxOptions.role) && !has(variables.anyObject.spec.securityContext.seLinuxOptions.type) && !has(variables.anyObject.spec.securityContext.seLinuxOptions.user))) : true - name: containers - expression: 'has(object.spec.containers) ? object.spec.containers.filter(c, has(c.securityContext) && has(c.securityContext.seLinuxOptions)) : []' + expression: 'has(variables.anyObject.spec.containers) ? variables.anyObject.spec.containers.filter(c, has(c.securityContext) && has(c.securityContext.seLinuxOptions)) : []' - name: initContainers - expression: 'has(object.spec.initContainers) ? object.spec.initContainers.filter(c, has(c.securityContext) && has(c.securityContext.seLinuxOptions)) : []' + expression: 'has(variables.anyObject.spec.initContainers) ? variables.anyObject.spec.initContainers.filter(c, has(c.securityContext) && has(c.securityContext.seLinuxOptions)) : []' - name: ephemeralContainers - expression: 'has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers.filter(c, has(c.securityContext) && has(c.securityContext.seLinuxOptions)) : []' + expression: 'has(variables.anyObject.spec.ephemeralContainers) ? variables.anyObject.spec.ephemeralContainers.filter(c, has(c.securityContext) && has(c.securityContext.seLinuxOptions)) : []' - name: exemptImagePrefixes expression: | !has(variables.params.exemptImages) ? [] : 
@@ -44,6 +44,6 @@ variables: )) validations: - expression: '(has(request.operation) && request.operation == "UPDATE") || variables.notViolatingSELinuxOptions' - messageExpression: '"SELinux options is not allowed, pod: " + object.metadata.name + ". Allowed options: " + variables.params.allowedSELinuxOptions' + messageExpression: '"SELinux options is not allowed, pod: " + variables.anyObject.metadata.name + ". Allowed options: " + variables.params.allowedSELinuxOptions' - expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.badContainers) == 0' - messageExpression: '"SELinux options is not allowed, pod: " + object.metadata.name + ", container: " + variables.badContainers.map(c, c.name).join(", ")' + messageExpression: '"SELinux options is not allowed, pod: " + variables.anyObject.metadata.name + ", container: " + variables.badContainers.map(c, c.name).join(", ")' diff --git a/src/pod-security-policy/volumes/src.cel b/src/pod-security-policy/volumes/src.cel index cc51735a6..fbadb8135 100644 --- a/src/pod-security-policy/volumes/src.cel +++ b/src/pod-security-policy/volumes/src.cel 
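Review bot: The `request.operation == "UPDATE"` short-circuit on both validations is unchanged while `notViolatingSELinuxOptions` and `badContainers` are now derived from `variables.anyObject`; a Pod's securityContext is immutable after creation, so skipping updates was safe, but a workload's pod template is not, and if `anyObject` resolves to that template (its definition is not in this hunk) a Deployment or StatefulSet UPDATE that introduces disallowed seLinuxOptions is no longer rejected at the workload. Restricting the exemption to Pods, e.g. `(has(request.operation) && request.operation == "UPDATE" && !has(object.spec.template)) || variables.notViolatingSELinuxOptions` and the same for the `badContainers` line, keeps the original intent; if the constraint also matches Pods the violation is still caught when the controller creates the pod, but the early feedback on the workload is lost otherwise. Note the same exemption means the `ephemeralContainers` collected in the variables hunk above are only ever seen on an UPDATE and therefore never flagged, which predates this change but is worth a comment such as `# UPDATE is exempted because pod securityContext is immutable; this also skips ephemeral containers`. Separately, the messages now read `variables.anyObject.metadata.name`, which a pod template normally lacks, so for workload kinds the messageExpression would fail on a missing key and presumably fall back to a generic message; `object.metadata.name` is the name the submitter will recognise and is always present on the admitted object.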
@@ -1,9 +1,9 @@ variables: - name: volumes - expression: 'has(object.spec.volumes) && has(request.operation) && request.operation != "UPDATE" ? object.spec.volumes : []' + expression: 'has(variables.anyObject.spec.volumes) && has(request.operation) && request.operation != "UPDATE" ? variables.anyObject.spec.volumes : []' - name: badVolumes expression: | variables.params.volumes.exists(entry, entry == "*") ? [] : variables.volumes.map(e, e.map(k, k != "name", k)).map(k, k[0]).filter(entry, !(entry in variables.params.volumes)) validations: - expression: 'size(variables.badVolumes) == 0' - messageExpression: '"The volume type " + variables.badVolumes.join(", ") + " is not allowed, pod: " + object.metadata.name + ". Allowed volume types: " + variables.params.volumes.join(", ")' + messageExpression: '"The volume type " + variables.badVolumes.join(", ") + " is not allowed, pod: " + variables.anyObject.metadata.name + ". Allowed volume types: " + variables.params.volumes.join(", ")' diff --git a/website/docs/validation/selinux.md b/website/docs/validation/selinux.md index 247a7afac..2fcb34c6a 100644 --- a/website/docs/validation/selinux.md +++ b/website/docs/validation/selinux.md 
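Review bot: The `volumes` variable still yields `[]` whenever `request.operation` is `"UPDATE"`, which was fine when the object was always a Pod (a Pod's volumes cannot change after creation), but with the source switched to `variables.anyObject.spec.volumes`, presumably the pod template for workload kinds, editing a Deployment's template to add a disallowed volume type now passes this check on the workload. The guard is also inconsistent with the selinux validations in this diff: there the check runs when `request.operation` is absent, here `has(request.operation)` is required, so any evaluation without a populated request empties the list and silently disables the policy. Something like `has(variables.anyObject.spec.volumes) && !(has(request.operation) && request.operation == "UPDATE" && !has(object.spec.template)) ? variables.anyObject.spec.volumes : []` resolves both, using whatever condition `anyObject` uses to detect a template. The message's `variables.anyObject.metadata.name` is usually unset on a pod template, so `object.metadata.name` is the safer field to print.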
@@ -74,22 +74,22 @@ spec: variables: - name: notViolatingSELinuxOptions expression: | - has(object.spec.securityContext) && has(object.spec.securityContext.seLinuxOptions) ? + has(variables.anyObject.spec.securityContext) && has(variables.anyObject.spec.securityContext.seLinuxOptions) ? (has(variables.params.allowedSELinuxOptions) ? ( - (has(variables.params.allowedSELinuxOptions.level) && has(object.spec.securityContext.seLinuxOptions.level) && (object.spec.securityContext.seLinuxOptions.level == variables.params.allowedSELinuxOptions.level)) && - (has(variables.params.allowedSELinuxOptions.role) && has(object.spec.securityContext.seLinuxOptions.role) && (object.spec.securityContext.seLinuxOptions.role == variables.params.allowedSELinuxOptions.role)) && - (has(variables.params.allowedSELinuxOptions.type) && has(object.spec.securityContext.seLinuxOptions.type) && (object.spec.securityContext.seLinuxOptions.type == variables.params.allowedSELinuxOptions.type)) && - (has(variables.params.allowedSELinuxOptions.user) && has(object.spec.securityContext.seLinuxOptions.user) && (object.spec.securityContext.seLinuxOptions.user == variables.params.allowedSELinuxOptions.user)) + (has(variables.params.allowedSELinuxOptions.level) && has(variables.anyObject.spec.securityContext.seLinuxOptions.level) && (variables.anyObject.spec.securityContext.seLinuxOptions.level == variables.params.allowedSELinuxOptions.level)) && + (has(variables.params.allowedSELinuxOptions.role) && has(variables.anyObject.spec.securityContext.seLinuxOptions.role) && (variables.anyObject.spec.securityContext.seLinuxOptions.role == variables.params.allowedSELinuxOptions.role)) && + (has(variables.params.allowedSELinuxOptions.type) && has(variables.anyObject.spec.securityContext.seLinuxOptions.type) && (variables.anyObject.spec.securityContext.seLinuxOptions.type == variables.params.allowedSELinuxOptions.type)) && + (has(variables.params.allowedSELinuxOptions.user) && 
has(variables.anyObject.spec.securityContext.seLinuxOptions.user) && (variables.anyObject.spec.securityContext.seLinuxOptions.user == variables.params.allowedSELinuxOptions.user)) ) : - (!has(object.spec.securityContext.seLinuxOptions.level) && !has(object.spec.securityContext.seLinuxOptions.role) && !has(object.spec.securityContext.seLinuxOptions.type) && !has(object.spec.securityContext.seLinuxOptions.user))) + (!has(variables.anyObject.spec.securityContext.seLinuxOptions.level) && !has(variables.anyObject.spec.securityContext.seLinuxOptions.role) && !has(variables.anyObject.spec.securityContext.seLinuxOptions.type) && !has(variables.anyObject.spec.securityContext.seLinuxOptions.user))) : true - name: containers - expression: 'has(object.spec.containers) ? object.spec.containers.filter(c, has(c.securityContext) && has(c.securityContext.seLinuxOptions)) : []' + expression: 'has(variables.anyObject.spec.containers) ? variables.anyObject.spec.containers.filter(c, has(c.securityContext) && has(c.securityContext.seLinuxOptions)) : []' - name: initContainers - expression: 'has(object.spec.initContainers) ? object.spec.initContainers.filter(c, has(c.securityContext) && has(c.securityContext.seLinuxOptions)) : []' + expression: 'has(variables.anyObject.spec.initContainers) ? variables.anyObject.spec.initContainers.filter(c, has(c.securityContext) && has(c.securityContext.seLinuxOptions)) : []' - name: ephemeralContainers - expression: 'has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers.filter(c, has(c.securityContext) && has(c.securityContext.seLinuxOptions)) : []' + expression: 'has(variables.anyObject.spec.ephemeralContainers) ? variables.anyObject.spec.ephemeralContainers.filter(c, has(c.securityContext) && has(c.securityContext.seLinuxOptions)) : []' - name: exemptImagePrefixes expression: | !has(variables.params.exemptImages) ? [] : 
@@ -117,9 +117,9 @@ spec: )) validations: - expression: '(has(request.operation) && request.operation == "UPDATE") || variables.notViolatingSELinuxOptions' - messageExpression: '"SELinux options is not allowed, pod: " + object.metadata.name + ". Allowed options: " + variables.params.allowedSELinuxOptions' + messageExpression: '"SELinux options is not allowed, pod: " + variables.anyObject.metadata.name + ". Allowed options: " + variables.params.allowedSELinuxOptions' - expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.badContainers) == 0' - messageExpression: '"SELinux options is not allowed, pod: " + object.metadata.name + ", container: " + variables.badContainers.map(c, c.name).join(", ")' + messageExpression: '"SELinux options is not allowed, pod: " + variables.anyObject.metadata.name + ", container: " + variables.badContainers.map(c, c.name).join(", ")' - engine: Rego source: rego: | diff --git a/website/docs/validation/volumes.md b/website/docs/validation/volumes.md index b15db2af3..070f152ee 100644 --- a/website/docs/validation/volumes.md +++ b/website/docs/validation/volumes.md 
@@ -49,13 +49,13 @@ spec: source: variables: - name: volumes - expression: 'has(object.spec.volumes) && has(request.operation) && request.operation != "UPDATE" ? object.spec.volumes : []' + expression: 'has(variables.anyObject.spec.volumes) && has(request.operation) && request.operation != "UPDATE" ? variables.anyObject.spec.volumes : []' - name: badVolumes expression: | variables.params.volumes.exists(entry, entry == "*") ? [] : variables.volumes.map(e, e.map(k, k != "name", k)).map(k, k[0]).filter(entry, !(entry in variables.params.volumes)) validations: - expression: 'size(variables.badVolumes) == 0' - messageExpression: '"The volume type " + variables.badVolumes.join(", ") + " is not allowed, pod: " + object.metadata.name + ". Allowed volume types: " + variables.params.volumes.join(", ")' + messageExpression: '"The volume type " + variables.badVolumes.join(", ") + " is not allowed, pod: " + variables.anyObject.metadata.name + ". Allowed volume types: " + variables.params.volumes.join(", ")' - engine: Rego source: rego: |